From 6fd9aa345d64f4145eaed067b8ebc648e5d9e32c Mon Sep 17 00:00:00 2001 From: Stefan Bodewig Date: Fri, 13 Jan 2023 07:00:07 +0100 Subject: [PATCH] x5c is not base64url encoded, see RFC7517 Section 4.7 closes #460 Signed-off-by: Stefan Bodewig --- ChangeLog | 5 +++++ lib/resty/openidc.lua | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index b413072..23abbe1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +01/13/2023 +- when parsing JWKs with an x5c claim the claim was wronly assumed to + be base64url encoded instead of base64 encoded; + see #460 + 11/06/2022 - a new option local_redirect_path can be used is situations where the redirect_uri as is visible to lua-resty-openidc is not simply the path diff --git a/lib/resty/openidc.lua b/lib/resty/openidc.lua index a73b714..0ab9745 100644 --- a/lib/resty/openidc.lua +++ b/lib/resty/openidc.lua @@ -844,7 +844,7 @@ end local function openidc_pem_from_x5c(x5c) log(DEBUG, "Found x5c, getting PEM public key from x5c entry of json public key") - local chunks = split_by_chunk(b64(openidc_base64_url_decode(x5c[1])), 64) + local chunks = split_by_chunk(x5c[1], 64) local pem = "-----BEGIN CERTIFICATE-----\n" .. table.concat(chunks, "\n") .. "\n-----END CERTIFICATE-----"
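Review bot: `x5c[1]` now reaches the PEM body unchecked on the new `split_by_chunk(x5c[1], 64)` line. The removed decode/re-encode round trip at least forced the value through a base64 codec, whereas now whatever the JWK carries is wrapped in certificate markers as-is. The JWK presumably comes from a remote key endpoint, so a guard before chunking would keep a non-string value, line breaks or dashes out of the PEM text, e.g. `if type(x5c[1]) ~= "string" or not x5c[1]:find("^[A-Za-z0-9+/]+=?=?$") then return nil end`, ideally with an error-level log line. How callers treat a nil return and how `split_by_chunk` reacts to a non-string are not visible here, so both should be confirmed; the function body continues past the end of the hunk.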