
Crypto-Key header: illegal format #216


Open
mme42 opened this issue Feb 21, 2025 · 3 comments


mme42 commented Feb 21, 2025

This issue has existed since the new version 5.1.2.

What I did: Tried to send a push message with VAPID, using Chrome 133.

Result: The push-service answered HTTP 403: permission denied: crypto-key header had invalid format. crypto-key header should have the following format: p256ecdsa=base64(publicApplicationServerKey)

Reason: The error disappears when reverting the following change between version 5.1.1 and 5.1.2 in AbstractPushService:
[Image]
I checked that it can also be solved by replacing Base64.getUrlEncoder().encodeToString(pk) by Base64.getUrlEncoder().withoutPadding().encodeToString(pk).
withoutPadding was simply missed here during the task of replacing Base64Encoder.

By the way: I believe that the constructors of Notification that use Base64.getUrlDecoder() and Utils.loadPublicKey don't work because of the usage of the URL-decoder. The example in https://github.com/web-push-libs/webpush-java/wiki/Usage-Example implements the BASE64-decoding by using Base64.getDecoder() and not Base64.getUrlDecoder().


mme42 commented Mar 11, 2025

> By the way: I believe that the constructors of Notification that use Base64.getUrlDecoder() and Utils.loadPublicKey don't work because of the usage of the URL-decoder. The example in https://github.com/web-push-libs/webpush-java/wiki/Usage-Example implements the BASE64-decoding by using Base64.getDecoder() and not Base64.getUrlDecoder().

Seems to me, after a lot of struggling, that both encodings actually need to be supported at this place: URL and non-URL.
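
The padding difference reported in the opening comment and the two-alphabet decoding problem raised in the follow-up can be reproduced with `java.util.Base64` alone. This is an added example, not code from webpush-java or from the commenters; the key bytes are constructed and `decodeEither` is a hypothetical helper.

```java
import java.util.Arrays;
import java.util.Base64;

public class CryptoKeyEncodingDemo {

    // Hypothetical helper: accept both alphabets by mapping the standard
    // characters '+' and '/' onto the URL-safe '-' and '_' before decoding.
    // java.util.Base64 decoders do not require trailing '=' padding.
    static byte[] decodeEither(String s) {
        return Base64.getUrlDecoder().decode(s.replace('+', '-').replace('/', '_'));
    }

    static boolean accepts(Base64.Decoder decoder, String s) {
        try {
            decoder.decode(s);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed stand-in for a 65-byte uncompressed P-256 point
        // (0x04 || X || Y); not a real key. Bytes 1..5 are chosen so the
        // output contains the characters that differ between alphabets.
        byte[] pk = new byte[65];
        pk[0] = 0x04;
        pk[1] = (byte) 0xfb; pk[2] = (byte) 0xff;
        pk[3] = (byte) 0xfb; pk[4] = (byte) 0xef; pk[5] = (byte) 0xbe;

        // 65 bytes is 21 full 3-byte groups plus 2 bytes, so the default
        // URL encoder appends one '=' that withoutPadding() leaves off.
        String padded = Base64.getUrlEncoder().encodeToString(pk);
        String unpadded = Base64.getUrlEncoder().withoutPadding().encodeToString(pk);
        String standard = Base64.getEncoder().withoutPadding().encodeToString(pk);

        System.out.println("padded   (" + padded.length() + "): p256ecdsa=" + padded);
        System.out.println("unpadded (" + unpadded.length() + "): p256ecdsa=" + unpadded);

        // Each strict decoder rejects the other alphabet's characters.
        System.out.println("URL decoder, standard input: " + accepts(Base64.getUrlDecoder(), standard));
        System.out.println("basic decoder, URL input:    " + accepts(Base64.getDecoder(), unpadded));

        // The lenient helper recovers the same bytes from either form.
        System.out.println("decodeEither agrees: "
                + (Arrays.equals(decodeEither(standard), pk)
                && Arrays.equals(decodeEither(padded), pk)));
    }
}
```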


tyrex1975 commented Apr 22, 2025

Agreed with all the above. Just implemented this in my app and had lots of problems working out that there was a URL decoding scheme in place. Decided to go with 5.1.1 rather than 5.1.2 as could not get past the crypto-key error described above. Would be good if somebody could submit a PR.

@doener006

Switching the encoding to AES128GCM instead of AESGCM does fix the problem. I can see two reasons for that:

  • Firebase Cloud Messaging quietly removed support for the AESGCM-encoding
  • FCM can't parse the Crypto-Key-Header, which for AESGCM-Encoding looks like dh=%BASE64_DH_KEY%;p256ecdsa=%BASE64_PUBLIC_KEY% instead of just p256ecdsa=%BASE64_PUBLIC_KEY% for AES128GCM.

I can't confirm what really happened, but as per RFC 8291 AESGCM is not part of the standard, whilst AES128GCM is. Therefore, I think they dropped the legacy support for AESGCM, which they probably used before the PushAPI was actually standardized.
