
Improper handling of the base64-encoded signing key #57

Open
uint opened this issue Feb 9, 2021 · 0 comments

Comments


uint commented Feb 9, 2021

Description

Hybrid Connections generate signing keys that are base64 encoded, but then expect the client to grab that base64-encoded string, take the underlying bytes and sign the token with that.

Here's an example of a client that probably works, but is wrong: https://github.com/Azure/azure-relay-dotnet/blob/dev/src/Microsoft.Azure.Relay/Common/TokenProvider.cs#L16

A client that is implemented correctly and first decodes the base64-encoded key fails to authenticate.

I'm no cryptographer, but could this have some impact on the strength of your security?

Here's Azure documentation stating that the keys are base64-encoded: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas#overview-of-sas

Actual Behavior

  1. Send an HTTP request to a Hybrid Connection thingy, passing a token signed with a properly decoded base64 key.
  2. Azure responds with an Invalid Signature error.
  3. Send an HTTP request to a Hybrid Connection thingy, passing a token signed with the bytes of the base64-encoded string.
  4. Authentication succeeds.

Expected Behavior

The reverse of the actual behavior.
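The two key interpretations the issue contrasts, worked through as an added Python example (not code from the Azure Relay project or the referenced .NET client). The key, resource URI, expiry and policy name are constructed sample values, and the string-to-sign follows the SAS format in the linked documentation; the verifier shows why a token signed under one interpretation fails under the other.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed sample values; not real Azure credentials.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(32))).decode("ascii")  # 44-char string
SAMPLE_RESOURCE = "https://example.servicebus.windows.net/myhybridconnection"
SAMPLE_EXPIRY = 1612915200  # Unix time (constructed)
SAMPLE_POLICY = "RootManageSharedAccessKey"
PREFIX = "SharedAccessSignature "

def key_bytes_as_text(key_b64: str) -> bytes:
    # What the referenced .NET client does: the UTF-8 bytes of the
    # base64 *string* itself become the HMAC key (44 bytes here).
    return key_b64.encode("utf-8")

def key_bytes_decoded(key_b64: str) -> bytes:
    # What a client that treats the key as base64 does: decode first (32 bytes here).
    return base64.b64decode(key_b64)

def string_to_sign(resource_uri: str, expiry: int) -> bytes:
    # SAS format from the linked docs: url-encoded resource URI, newline, expiry.
    return f"{urllib.parse.quote(resource_uri, safe='')}\n{expiry}".encode("utf-8")

def sas_signature(key: bytes, resource_uri: str, expiry: int) -> str:
    mac = hmac.new(key, string_to_sign(resource_uri, expiry), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def sas_token(key: bytes, resource_uri: str, expiry: int, policy: str) -> str:
    sig = sas_signature(key, resource_uri, expiry)
    return (f"{PREFIX}sr={urllib.parse.quote(resource_uri, safe='')}"
            f"&sig={urllib.parse.quote(sig, safe='')}&se={expiry}&skn={policy}")

def verify_sas_token(key: bytes, token: str) -> bool:
    # Server-side check: recompute the signature with the server's view of the
    # key and compare in constant time. Only the key interpretation the
    # service actually uses will validate a client's token.
    if not token.startswith(PREFIX):
        return False
    try:
        fields = urllib.parse.parse_qs(token[len(PREFIX):], strict_parsing=True)
        resource = fields["sr"][0]
        expiry = int(fields["se"][0])
        presented = fields["sig"][0]
    except (KeyError, ValueError):
        return False
    expected = sas_signature(key, resource, expiry)
    return hmac.compare_digest(presented, expected)
```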
