From a2b1e662721757802a07c3797c3b40e389c42d1b Mon Sep 17 00:00:00 2001
From: Hans Zandbelt
Date: Thu, 2 Jan 2025 11:07:28 +0100
Subject: [PATCH] add a configuration check for public/private keys when using DPoP
closes #1293; thanks @ahus1
Signed-off-by: Hans Zandbelt
---
 ChangeLog | 3 +++
 src/mod_auth_openidc.c | 9 +++++++++
 src/proto/jwt.c | 1 -
 3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 4dcdc399..bdce8b43 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+01/02/2025
+- add a configuration check for public/private keys when using DPoP; closes #1293; thanks @ahus1
 12/17/2024
 - code: address SonarQube warnings in src/cache/*.c
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index 8c917016..0881f009 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -1470,6 +1470,15 @@ static int oidc_check_config_openid_openidc(server_rec *s, oidc_cfg_t *c) {
 }
 }
+ if (oidc_cfg_provider_dpop_mode_get(oidc_cfg_provider_get(c)) != OIDC_DPOP_MODE_OFF) {
+ if (oidc_util_key_list_first(oidc_cfg_private_keys_get(c), -1, OIDC_JOSE_JWK_SIG_STR) == NULL) {
+ oidc_serror(s,
+ "'" OIDCDPoPMode "' is configured but the required signing keys have not been "
+ "provided in '" OIDCPrivateKeyFiles "'/'" OIDCPublicKeyFiles "'");
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ }
+
 return OK;
 }
diff --git a/src/proto/jwt.c b/src/proto/jwt.c
index c8556e51..6e056a80 100644
--- a/src/proto/jwt.c
+++ b/src/proto/jwt.c
@@ -252,7 +252,6 @@ apr_byte_t oidc_proto_jwt_create_from_first_pkey(request_rec *r, oidc_cfg_t *cfg
 oidc_debug(r, "enter");
 *jwk = oidc_util_key_list_first(oidc_cfg_private_keys_get(cfg), -1, OIDC_JOSE_JWK_SIG_STR);
- // TODO: detect at config time
 if (*jwk == NULL) {
 oidc_error(r, "no RSA/EC private signing keys have been configured (in " OIDCPrivateKeyFiles ")");
 goto end;
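Review bot: The new condition in oidc_check_config_openid_openidc only consults `oidc_cfg_private_keys_get(c)`, yet the error text points the operator at both `OIDCPrivateKeyFiles` and `OIDCPublicKeyFiles`, while the runtime error in the jwt.c hunk names only `OIDCPrivateKeyFiles`; an operator who reacts by adding a public key file alone will still fail startup with no hint as to why. If DPoP proof signing does not need an entry in the public key list, I would narrow the message to `"'" OIDCDPoPMode "' is configured but no RSA/EC private signing key has been provided in '" OIDCPrivateKeyFiles "'"` so the two messages agree; if it does need one, the condition should test that list as well rather than only mentioning it. The key selection `oidc_util_key_list_first(oidc_cfg_private_keys_get(c), -1, OIDC_JOSE_JWK_SIG_STR)` is copied verbatim from oidc_proto_jwt_create_from_first_pkey, so a later change to how the runtime picks its DPoP key (for instance by kid) would silently desynchronise the config-time check; a shared static helper, or at minimum a comment `/* must match the key selection in oidc_proto_jwt_create_from_first_pkey() */` on this line, would keep them aligned. The enclosing function starts outside the hunk, so I cannot see whether `oidc_cfg_provider_get(c)` is already guaranteed non-NULL at this point.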