From d06da0f2c6e6f25cf2b981cfa10432dc6ec6115e Mon Sep 17 00:00:00 2001
From: Andrew Martinez
Date: Mon, 30 Sep 2024 10:03:35 -0400
Subject: [PATCH 1/3] fixes #2455 uses std base64 decoding for x5c property per RFC

---
 controller/model/authenticator_mod_ext_jwt.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/controller/model/authenticator_mod_ext_jwt.go b/controller/model/authenticator_mod_ext_jwt.go
index 66636df42..6d99beeac 100644
--- a/controller/model/authenticator_mod_ext_jwt.go
+++ b/controller/model/authenticator_mod_ext_jwt.go
@@ -185,7 +185,9 @@ func (r *signerRecord) Resolve(force bool) error {
 	for _, key := range jwksResponse.Keys {
 		//if we have an x509chain the first must be the signing key
 		if len(key.X509Chain) != 0 {
-			x509Der, err := base64.RawURLEncoding.DecodeString(key.X509Chain[0])
+			// x5c is the only attribute with padding according to
+			// RFC 7517 Section-4.7 "x5c" (X.509 Certificate Chain) Parameter
+			x509Der, err := base64.StdEncoding.DecodeString(key.X509Chain[0])
 
 			if err != nil {
 				return fmt.Errorf("could not parse JWKS keys: %v", err)

From 3120aeb51c5374f75fa0fd0b9317ac0b807c301d Mon Sep 17 00:00:00 2001
From: Andrew Martinez
Date: Mon, 30 Sep 2024 11:10:49 -0400
Subject: [PATCH 2/3] update deps

---
 go.mod          | 2 +-
 go.sum          | 4 ++--
 zititest/go.mod | 2 +-
 zititest/go.sum | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index c2fa54e57..4a8e78cd8 100644
--- a/go.mod
+++ b/go.mod
@@ -55,7 +55,7 @@ require (
 	github.com/openziti/edge-api v0.26.30
 	github.com/openziti/foundation/v2 v2.0.49
 	github.com/openziti/identity v1.0.85
-	github.com/openziti/jwks v1.0.5
+	github.com/openziti/jwks v1.0.6
 	github.com/openziti/metrics v1.2.58
 	github.com/openziti/runzmd v1.0.51
 	github.com/openziti/sdk-golang v0.23.42
diff --git a/go.sum b/go.sum
index e6c0f5c37..52d48e973 100644
--- a/go.sum
+++ b/go.sum
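Review bot: The new comment above the decode line misstates the distinction: what sets x5c apart under RFC 7517 §4.7 is the alphabet, not only the padding — x5c values are standard base64 (RFC 4648 §4, padded) while the other JWK members (`n`, `e`, `x5t`, ...) are base64url without padding; suggest `// x5c values are standard base64 (RFC 4648 §4, padded) per RFC 7517 §4.7, unlike the base64url used by other JWK members`. `base64.StdEncoding` is strict (it rejects missing padding and the URL-safe alphabet), which is the right default for certificate material fetched from a remote JWKS, so the switch itself is sound; any later leniency for non-conforming issuers should be an explicit opt-in rather than silently accepting both alphabets. RFC 7517 §4.7 also requires that the public key in the first x5c certificate match the JWK's own key parameters, and since only `X509Chain[0]` is consulted here it is worth confirming that Resolve performs that cross-check elsewhere. The decode failure is wrapped with `%v` and does not say which key failed; `fmt.Errorf("could not parse JWKS x5c: %w", err)` (plus the key id if the struct exposes one) would make triage easier. The enclosing Resolve method starts before and continues after the hunk.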
@@ -582,8 +582,8 @@ github.com/openziti/foundation/v2 v2.0.49 h1:aQ5I/lMhkHQ6urhRpLwrWP+7YtoeUitCfY/
 github.com/openziti/foundation/v2 v2.0.49/go.mod h1:tFk7wg5WE/nDDur5jSVQTROugKDXQkFvmqRSV4pvWp0=
 github.com/openziti/identity v1.0.85 h1:jphDHrUCXCJGdbVTMBqsdtS0Ei/vhDH337DMNMYzLro=
 github.com/openziti/identity v1.0.85/go.mod h1:beIXWNDImEjZn93XPOorJzyuQCQUYOvKFQ0fWhLN2qM=
-github.com/openziti/jwks v1.0.5 h1:JVoOeccqLEtKBc9GcyJODVZYVk50YwEaDTocm+KgKbI=
-github.com/openziti/jwks v1.0.5/go.mod h1:t4xxq8vlXGsPn29kiQVnZBBDDnEoOFqtJoHibkJunQQ=
+github.com/openziti/jwks v1.0.6 h1:PR+9OVaMO8oHEoVQmHqeUBExWwLWyODEGJQK2DXHaqE=
+github.com/openziti/jwks v1.0.6/go.mod h1:t4xxq8vlXGsPn29kiQVnZBBDDnEoOFqtJoHibkJunQQ=
 github.com/openziti/metrics v1.2.58 h1:AbHSTMKHP/o6r6fh7a08c486Y/5f5xjkZQbcyn3w1tM=
 github.com/openziti/metrics v1.2.58/go.mod h1:zGLMrLvVFOxo9tXUf8svcUsASxsPjhW9foW92FUzmDs=
 github.com/openziti/runzmd v1.0.51 h1:Vz+2nfF9AyKQGyKwBUnpL2DH/4cL+3rOuLWj8lkNDBc=
diff --git a/zititest/go.mod b/zititest/go.mod
index fe3538432..c5c99526a 100644
--- a/zititest/go.mod
+++ b/zititest/go.mod
@@ -141,7 +141,7 @@ require (
 	github.com/openziti-incubator/cf v0.0.3 // indirect
 	github.com/openziti/cobra-to-md v1.0.1 // indirect
 	github.com/openziti/dilithium v0.3.5 // indirect
-	github.com/openziti/jwks v1.0.5 // indirect
+	github.com/openziti/jwks v1.0.6 // indirect
 	github.com/openziti/metrics v1.2.58 // indirect
 	github.com/openziti/runzmd v1.0.51 // indirect
 	github.com/openziti/secretstream v0.1.24 // indirect
diff --git a/zititest/go.sum b/zititest/go.sum
index d1e6ca1e3..8149d2aad 100644
--- a/zititest/go.sum
+++ b/zititest/go.sum
@@ -606,8 +606,8 @@ github.com/openziti/foundation/v2 v2.0.49 h1:aQ5I/lMhkHQ6urhRpLwrWP+7YtoeUitCfY/
 github.com/openziti/foundation/v2 v2.0.49/go.mod h1:tFk7wg5WE/nDDur5jSVQTROugKDXQkFvmqRSV4pvWp0=
 github.com/openziti/identity v1.0.85 h1:jphDHrUCXCJGdbVTMBqsdtS0Ei/vhDH337DMNMYzLro=
 github.com/openziti/identity v1.0.85/go.mod h1:beIXWNDImEjZn93XPOorJzyuQCQUYOvKFQ0fWhLN2qM=
-github.com/openziti/jwks v1.0.5 h1:JVoOeccqLEtKBc9GcyJODVZYVk50YwEaDTocm+KgKbI=
-github.com/openziti/jwks v1.0.5/go.mod h1:t4xxq8vlXGsPn29kiQVnZBBDDnEoOFqtJoHibkJunQQ=
+github.com/openziti/jwks v1.0.6 h1:PR+9OVaMO8oHEoVQmHqeUBExWwLWyODEGJQK2DXHaqE=
+github.com/openziti/jwks v1.0.6/go.mod h1:t4xxq8vlXGsPn29kiQVnZBBDDnEoOFqtJoHibkJunQQ=
 github.com/openziti/metrics v1.2.58 h1:AbHSTMKHP/o6r6fh7a08c486Y/5f5xjkZQbcyn3w1tM=
 github.com/openziti/metrics v1.2.58/go.mod h1:zGLMrLvVFOxo9tXUf8svcUsASxsPjhW9foW92FUzmDs=
 github.com/openziti/runzmd v1.0.51 h1:Vz+2nfF9AyKQGyKwBUnpL2DH/4cL+3rOuLWj8lkNDBc=

From 4cc501eda33de85e815a12f76600642333037fd1 Mon Sep 17 00:00:00 2001
From: Andrew Martinez
Date: Mon, 30 Sep 2024 13:20:30 -0400
Subject: [PATCH 3/3] fix encoding in test jwks server

---
 tests/auth_external_jwt_signer_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/auth_external_jwt_signer_test.go b/tests/auth_external_jwt_signer_test.go
index dcc3c0d7e..a37cb257a 100644
--- a/tests/auth_external_jwt_signer_test.go
+++ b/tests/auth_external_jwt_signer_test.go
@@ -125,7 +125,7 @@ func (js *jwksServer) handleJWKS(w http.ResponseWriter, _ *http.Request) {
 	var keys []jsonWebKey
 
 	for _, cert := range js.certificates {
-		certBase64 := base64.RawURLEncoding.EncodeToString(cert.Raw)
+		certBase64 := base64.StdEncoding.EncodeToString(cert.Raw)
 		key := jsonWebKey{
 			Kid: cert.Subject.CommonName,
 			X5C: []string{certBase64},
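Review bot: Switching the fixture at the `certBase64` line to `base64.StdEncoding` keeps the test JWKS server aligned with the production decoder, but nothing in this hunk asserts the stricter behaviour the first patch introduces; the old base64url fixture passed against the old decoder, so a negative test that serves an x5c value in base64url or unpadded form and asserts that signer resolution fails would pin the RFC 7517 §4.7 requirement and catch a future regression to lenient decoding. The rest of handleJWKS and any existing negative cases are outside this hunk, so such a test may already exist elsewhere in the file.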