[SECURITY] Algorithm Confusion Through kid Header #95
Your JWS implementation correctly rejects invalid algorithms.
json-jwt/lib/json/jws.rb
Line 25 in a2b4c15
However, when a `kid` header is present, it fetches the key after this algorithm check.
json-jwt/lib/json/jws.rb
Lines 124 to 140 in a2b4c15
json-jwt/lib/json/jose.rb
Lines 24 to 35 in a2b4c15
When JWKs are used, this algorithm check isn't congruently applied to the keys.
json-jwt/lib/json/jwk.rb
Lines 40 to 51 in a2b4c15
Therefore, if someone initializes a JWK or JWK::Set with different algorithm types, it's possible to swap the `alg` header and get the wrong key for a given algorithm. In extreme cases, this can lead to a cryptographic integrity bypass (reminiscent of the HS256/RS256 issue from years ago).
This is identical to the problem in firebase/php-jwt#351 https://seclists.org/fulldisclosure/2021/Aug/14
To fix this issue: Keys MUST be stored, in memory, as both the raw key bytes and the specific algorithm the key is expected to be used with. After fetching a key, this algorithm MUST be validated against the `algorithms` array.
Note: This particular sharp edge isn't covered by the JWT Best Practices RFC.
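The fix requested in this issue, as an added example that is not code from the issue or from json-jwt: each key is stored with the one algorithm it may serve, and the header's `alg` is checked against the fetched key after the `kid` lookup. `PinnedKey`, `VerificationError`, `verify`, `DEMO_KEYS` and `make_token` are hypothetical names, only HS256 and RS256 are handled, and the keys are constructed sample data.

```ruby
require 'openssl'
require 'json'

# Hypothetical names, not json-jwt's API. An entry pins key material to one alg.
PinnedKey = Struct.new(:alg, :material)
class VerificationError < StandardError; end

def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end
def b64url_decode(text)
  text.tr('-_', '+/').unpack1('m')
end

def signature_ok?(key, input, sig)
  case key.alg
  when 'HS256'
    OpenSSL.secure_compare(OpenSSL::HMAC.digest('SHA256', key.material, input), sig)
  when 'RS256'
    key.material.verify('SHA256', sig, input)
  end
end

# Returns the decoded payload; raises VerificationError on any failure.
def verify(token, keys, algorithms)
  head, body, sig = token.to_s.split('.', 3)
  raise VerificationError, 'malformed token' unless head && body && sig
  header = JSON.parse(b64url_decode(head))
  key = keys.fetch(header['kid']) { raise VerificationError, 'unknown kid' }
  # Runs AFTER the kid lookup, against the key that was actually fetched.
  unless header['alg'] == key.alg && algorithms.include?(key.alg)
    raise VerificationError, "kid #{header['kid']} is pinned to #{key.alg}"
  end
  raise VerificationError, 'bad signature' unless signature_ok?(key, "#{head}.#{body}", b64url_decode(sig))
  JSON.parse(b64url_decode(body))
end

# Constructed sample data: an HMAC key and an RSA public key in the same set.
DEMO_RSA = OpenSSL::PKey::RSA.new(2048)
DEMO_KEYS = {
  'hmac-1' => PinnedKey.new('HS256', 'constructed-shared-secret'),
  'rsa-1' => PinnedKey.new('RS256', DEMO_RSA.public_key)
}.freeze

def make_token(alg, kid, signer)
  parts = [{ 'alg' => alg, 'kid' => kid }, { 'sub' => 'demo' }]
  input = parts.map { |part| b64url(JSON.generate(part)) }.join('.')
  "#{input}.#{b64url(signer.call(input))}"
end
```

A token whose header names `HS256` with `kid` `rsa-1` is rejected by the pinning check before any signature is computed, whatever its signature bytes are.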