Skip to content

Commit

Permalink
verify x5c claim in JWK actually holds an array
Browse files Browse the repository at this point in the history 
see #459

Signed-off-by: Stefan Bodewig <[email protected]>
  • Loading branch information
@bodewig
bodewig committed Jan 11, 2023
1 parent 6f0f1e0 commit a488e08
Show file tree
Hide file tree
Showing 3 changed files with 38 additions and 0 deletions.
4 changes: 4 additions & 0 deletions lib/resty/openidc.lua
View file
Original file line number Diff line number Diff line change
Expand Up @@ -908,6 +908,10 @@ local function openidc_pem_from_jwk(opts, kid)
end

local x5c = jwk.x5c
if x5c and type(x5c) ~= 'table' then
log(WARN, "Found invalid JWK with x5c claim not being an array but a " .. type(x5c))
x5c = nil
end
if x5c and #(jwk.x5c) == 0 then
log(WARN, "Found invalid JWK with empty x5c array, ignoring x5c claim")
x5c = nil
Expand Down
24 changes: 24 additions & 0 deletions tests/spec/bearer_token_verification_spec.lua
View file
Original file line number Diff line number Diff line change
Expand Up @@ -203,6 +203,30 @@ describe("when the JWK specifies a kid and the JWKS does not contain a key with

end)

describe("when the JWKS contains a broken x5c which is not an array", function()
test_support.start_server({
verify_opts = {
discovery = {
jwks_uri = "http://127.0.0.1/jwk",
}
},
jwk = test_support.load("/spec/rsa_key_jwk_with_broken_x5c.json"),
})
teardown(test_support.stop_server)
local jwt = test_support.trim(http.request("http://127.0.0.1/jwt"))
local _, status = http.request({
url = "http://127.0.0.1/verify_bearer_token",
headers = { authorization = "Bearer " .. jwt }
})
it("the token is invalid", function()
assert.are.equals(401, status)
end)
it("an error is logged", function()
assert.error_log_contains("Found invalid JWK with x5c claim not being an array but a string")
end)

end)

describe("when the JWK specifies no kid and the JWKS contains multiple keys", function()
test_support.start_server({
verify_opts = {
Expand Down
10 changes: 10 additions & 0 deletions tests/spec/rsa_key_jwk_with_broken_x5c.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
{
"keys": [
{
"kty": "RSA",
"use": "sig",
"kid": "abcd",
"x5c": "MIIC+zCCAeOgAwIBAgIJAOlUwkUgtiAjMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNVBAMMCTEyNy4wLjAuMTAeFw0xNzEwMjAwODAyMzBaFw0yNzEwMTgwODAyMzBaMBQxEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMLGOeOLW3uZr6jbrkE4i+Cp9LcvfWhOcff8D68qmcWTwfYSDWTGKPbME83EuFwrpVzBZqIV2VaR7L5uX3+5MZij2DeG52Gdv+QnP0JlyHAxRWnNWSYu+ZURlwhDBi7g+rxTq/3/8DeFZQJtf6/pcWxLidwe6fQpQK0XkbRfxi3os0+YAEDedSyVzsIP9buz2KkjtHJ+RWxTGC61J/vJY7ruSVBDkPLBbMHFkTRUqATZ76B/DDtn5lyctbTUZKUUGljiwvu8zK2thp5CjMnP8DcCP0e8ZT5IUBN73VYksvf3Die8+axKUuFAyYRjv8mKbWXRFwJyUelC72R6pvcTBzcCAwEAAaNQME4wHQYDVR0OBBYEFEp61+QOEp6ZR/GpTood068poIf3MB8GA1UdIwQYMBaAFEp61+QOEp6ZR/GpTood068poIf3MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADqM/3yygJOF+k8AXPk2AGOfF7EMtm8GYVETUBwunYqgPHMoZj/+/IfHYg0BNx4T5Uh7yABvICO8KCpIrog0boopCNBlrkKs1L8WGnK9L8EQinA2JM+rL1UBAuPVFLGdT9LEjhwoJsRrRet9Pt79+iHP4kS2priuwKHOzsGwmj7Ptstx4lf6dOwElgGlxNDI8YnG4a4NlOQ0HMGtaS/bvB8hMPGRb8uCmnlrPVOQFOkUCwTTA5D1DjWmXg+aCwGf313MyH8y0TQ8aNkxJkcHHGTZELXmS+t9BnYvpNm+sQkqfVkwxgnP/R8wPH36rnID6QSH6/mFhz6S21qK5p3vVys="
}
]
}

0 comments on commit a488e08

Please sign in to comment.