Urlencode and base32/base16 signature

Justin Dahmubed · Justin Dahmubed · commit adc920eaa1a5 · 2017-11-29T17:50:07.000-08:00
diff --git a/lib/src/main/java/com/auth0/jwt/algorithms/ECDSAAlgorithm.java b/lib/src/main/java/com/auth0/jwt/algorithms/ECDSAAlgorithm.java
@@ -10,6 +10,7 @@
 import org.apache.commons.codec.binary.Hex;
 import org.apache.commons.codec.binary.StringUtils;
 
+import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
@@ -43,20 +44,20 @@ public void verify(DecodedJWT jwt, EncodeType encodeType) throws Exception {
         byte[] contentBytes = String.format("%s.%s", jwt.getHeader(), jwt.getPayload()).getBytes(StandardCharsets.UTF_8);
         byte[] signatureBytes = null;
         String signature = jwt.getSignature();
+        String urlDecoded = null;
         switch (encodeType) {
             case Base16:
-                signatureBytes = Hex.decodeHex(signature);
+                urlDecoded = URLDecoder.decode(signature, "UTF-8");
+                signatureBytes = Hex.decodeHex(urlDecoded);
                 break;
             case Base32:
                 Base32 base32 = new Base32();
-                signatureBytes = base32.decode(signature);
+                urlDecoded = URLDecoder.decode(signature, "UTF-8");
+                signatureBytes = base32.decode(urlDecoded);
                 break;
             case Base64:
                 signatureBytes = Base64.decodeBase64(signature);
                 break;
-            case JsonEncode:
-                signatureBytes = Base64.decodeBase64(signature);
-                break;
         }
 
         try {
diff --git a/lib/src/main/java/com/auth0/jwt/algorithms/HMACAlgorithm.java b/lib/src/main/java/com/auth0/jwt/algorithms/HMACAlgorithm.java
@@ -54,21 +54,20 @@ public void verify(DecodedJWT jwt, EncodeType encodeType) throws Exception {
         byte[] contentBytes = String.format("%s.%s", jwt.getHeader(), jwt.getPayload()).getBytes(StandardCharsets.UTF_8);
         byte[] signatureBytes = null;
         String signature = jwt.getSignature();
+        String urlDecoded = null;
         switch (encodeType) {
             case Base16:
-                signatureBytes = Hex.decodeHex(signature);
+                urlDecoded = URLDecoder.decode(signature, "UTF-8");
+                signatureBytes = Hex.decodeHex(urlDecoded);
                 break;
             case Base32:
                 Base32 base32 = new Base32();
-                signatureBytes = base32.decode(signature);
+                urlDecoded = URLDecoder.decode(signature, "UTF-8");
+                signatureBytes = base32.decode(urlDecoded);
                 break;
             case Base64:
                 signatureBytes = Base64.decodeBase64(signature);
                 break;
-            case JsonEncode:
-                signatureBytes = Base64.decodeBase64(signature);
-                break;
-
         }
 
         try {
diff --git a/lib/src/main/java/com/auth0/jwt/algorithms/NoneAlgorithm.java b/lib/src/main/java/com/auth0/jwt/algorithms/NoneAlgorithm.java
@@ -8,6 +8,8 @@
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.binary.Hex;
 
+import java.net.URLDecoder;
+
 class NoneAlgorithm extends Algorithm {
 
     NoneAlgorithm() {
@@ -18,20 +20,20 @@ class NoneAlgorithm extends Algorithm {
     public void verify(DecodedJWT jwt, EncodeType encodeType) throws Exception {
         byte[] signatureBytes = null;
         String signature = jwt.getSignature();
+        String urlDecoded = null;
         switch (encodeType) {
             case Base16:
-                signatureBytes = Hex.decodeHex(signature);
+                urlDecoded = URLDecoder.decode(signature, "UTF-8");
+                signatureBytes = Hex.decodeHex(urlDecoded);
                 break;
             case Base32:
                 Base32 base32 = new Base32();
-                signatureBytes = base32.decode(signature);
+                urlDecoded = URLDecoder.decode(signature, "UTF-8");
+                signatureBytes = base32.decode(urlDecoded);
                 break;
             case Base64:
                 signatureBytes = Base64.decodeBase64(signature);
                 break;
-            case JsonEncode:
-                signatureBytes = Base64.decodeBase64(signature);
-                break;
         }
         if (signatureBytes.length > 0) {
             throw new SignatureVerificationException(this);
diff --git a/lib/src/main/java/com/auth0/jwt/algorithms/RSAAlgorithm.java b/lib/src/main/java/com/auth0/jwt/algorithms/RSAAlgorithm.java
@@ -9,6 +9,7 @@
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.binary.Hex;
 
+import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
@@ -40,20 +41,20 @@ public void verify(DecodedJWT jwt, EncodeType encodeType) throws Exception {
         byte[] contentBytes = String.format("%s.%s", jwt.getHeader(), jwt.getPayload()).getBytes(StandardCharsets.UTF_8);
         byte[] signatureBytes = null;
         String signature = jwt.getSignature();
+        String urlDecoded = null;
         switch (encodeType) {
             case Base16:
-                signatureBytes = Hex.decodeHex(signature);
+                urlDecoded = URLDecoder.decode(signature, "UTF-8");
+                signatureBytes = Hex.decodeHex(urlDecoded);
                 break;
             case Base32:
                 Base32 base32 = new Base32();
-                signatureBytes = base32.decode(signature);
+                urlDecoded = URLDecoder.decode(signature, "UTF-8");
+                signatureBytes = base32.decode(urlDecoded);
                 break;
             case Base64:
                 signatureBytes = Base64.decodeBase64(signature);
                 break;
-            case JsonEncode:
-                signatureBytes = Base64.decodeBase64(signature);
-                break;
         }
 
         try {
diff --git a/lib/src/main/java/com/auth0/jwt/creators/JWTCreator.java b/lib/src/main/java/com/auth0/jwt/creators/JWTCreator.java
@@ -398,8 +398,9 @@ private String signBase16Encoding() throws UnsupportedEncodingException {
         String content = String.format("%s.%s", encodedHeader, encodedPayload);
         byte[] signatureBytes = algorithm.sign(content.getBytes(StandardCharsets.UTF_8));
         String signature = Hex.encodeHexString(signatureBytes);
+        String signatureFinal = URLEncoder.encode(signature, "UTF-8");
 
-        return String.format("%s.%s", content, signature);
+        return String.format("%s.%s", content, signatureFinal);
     }
 
     private String signBase32Encoding() throws UnsupportedEncodingException{
@@ -416,8 +417,9 @@ private String signBase32Encoding() throws UnsupportedEncodingException{
         String content = String.format("%s.%s", encodedHeader, encodedPayload);
         byte[] signatureBytes = algorithm.sign(content.getBytes(StandardCharsets.UTF_8));
         String signature = base32.encodeAsString(signatureBytes);
+        String signatureFinal = URLEncoder.encode(signature, "UTF-8");
 
-        return String.format("%s.%s", content, signature);
+        return String.format("%s.%s", content, signatureFinal);
     }
 
     private String defaultSign() throws SignatureGenerationException {
