x5c is not base64url encoded, see RFC7517 Section 4.7

bodewig · bodewig · commit 6fd9aa345d64 · 2023-01-13T07:01:01.000+01:00
closes #460 Signed-off-by: Stefan Bodewig <stefan.bodewig@innoq.com>
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,8 @@
+01/13/2023
+- when parsing JWKs with an x5c claim the claim was wronly assumed to
+  be base64url encoded instead of base64 encoded;
+  see #460
+
 11/06/2022
 - a new option local_redirect_path can be used is situations where the
   redirect_uri as is visible to lua-resty-openidc is not simply the path
diff --git a/lib/resty/openidc.lua b/lib/resty/openidc.lua
@@ -844,7 +844,7 @@ end
 
 local function openidc_pem_from_x5c(x5c)
   log(DEBUG, "Found x5c, getting PEM public key from x5c entry of json public key")
-  local chunks = split_by_chunk(b64(openidc_base64_url_decode(x5c[1])), 64)
+  local chunks = split_by_chunk(x5c[1], 64)
   local pem = "-----BEGIN CERTIFICATE-----\n" ..
       table.concat(chunks, "\n") ..
       "\n-----END CERTIFICATE-----"
