From bb4928317b43a21288206a181259c3655b51acaf Mon Sep 17 00:00:00 2001 From: michaelpaliy Date: Sat, 15 Apr 2023 17:16:15 +0300 Subject: [PATCH] fix jwk exponent constraint --- src/jwks.cc | 4 +-- .../jwks_rsa_non_standard_exponent.txt | 2 ++ test/fuzz/corpus_format_test.cc | 2 +- test/jwks_test.cc | 36 ++++++++++++++++++- 4 files changed, 40 insertions(+), 4 deletions(-) create mode 100644 test/fuzz/corpus/jwt_verify_lib_fuzz_test/jwks_rsa_non_standard_exponent.txt diff --git a/src/jwks.cc b/src/jwks.cc index a81b576..0a64b8e 100644 --- a/src/jwks.cc +++ b/src/jwks.cc @@ -104,8 +104,8 @@ class KeyGetter : public WithStatus { updateStatus(Status::JwksRsaParseError); return nullptr; } - if (BN_cmp_word(rsa->e, 3) != 0 && BN_cmp_word(rsa->e, 65537) != 0) { - // non-standard key; reject it early. + if (BN_cmp_word(rsa->e, 3) < 0) { + // invalid key exponent; reject it early. updateStatus(Status::JwksRsaParseError); return nullptr; } diff --git a/test/fuzz/corpus/jwt_verify_lib_fuzz_test/jwks_rsa_non_standard_exponent.txt b/test/fuzz/corpus/jwt_verify_lib_fuzz_test/jwks_rsa_non_standard_exponent.txt new file mode 100644 index 0000000..83d5fde --- /dev/null +++ b/test/fuzz/corpus/jwt_verify_lib_fuzz_test/jwks_rsa_non_standard_exponent.txt @@ -0,0 +1,2 @@ +jwt: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb21lIjoicGF5bG9hZCJ9.Xi5bFv0m3_5t4tzhjY0AuM_zFrZwAVz0-_x8wIa4Pis8gkYi-5OBo0pPU5rYRTl3auTfS83AtBymBHr0r98vHWuruA07UGlDf_0TvurSAczHRr7Zp4k7K4easqcHecnIqdMXFZVG9-EW0QqVLduezIIPcfNLjwHiz5XyfKisuF8eV5WILWO7HVRTBmn_26W_vRP4QKDtwO5kXujQ60eLZbRzfa9QnUS_LVe9khOWzAQphot5peOs4iLGsc6H4-RJP-tYGxWojTI8LlmN23kj7IcvJWIJmnIicTJfmV-O70SldHmhiFtACXkBvbk32U02Ck0_crPtmIZ4nTxDO5ydKA" +jwks: '{"keys":[{"n":"q2ortveItN3-AseXStq37n9XW4lcWOanOFfSN6F65Pj9Su3Maf4zUuIpaUDrLREvNQTw3ZEVwbYxgjk6RsVbTPkmVOvj9m8U9QcyF9erMoyDx7xAkahpw2bqXz_d6CGnORlflnEudmlgHEVe3t3eFN73LHqDlrkWYV_6TV3iSxLOAeNTNWCC1rrNLLlgFeWVYfG4q_n4evGG3Pm944MFjXySQQdwvynokH6VY0rO-V16LQiEaC9r9mWcpfYFrg_wK4OJxWyr6GPb1H_TvkB089fjQ2fablznfnaZvi-mp1nV1Pl19Bfv4hEcue6QxZvAZBdGXApqUzZjoGFBi637OQ","e":"Iw","kty":"RSA","alg": "RS256","use": "sig","kid":"Z_oCEjzMXWjatoGK3hKZCFzw4AuZEt3SRMdUtuw3WwI"}]}' diff --git a/test/fuzz/corpus_format_test.cc b/test/fuzz/corpus_format_test.cc index 18259f6..6339907 100644 --- a/test/fuzz/corpus_format_test.cc +++ b/test/fuzz/corpus_format_test.cc @@ -40,7 +40,7 @@ std::string ReadTestBaseline(const std::string& input_file_name) { // to be more efficient. // This test verifies the following corpus files satisfy above conditions. TEST(JwksParseTest, FuzzTestJwksCorpusFile) { - std::vector files = {"jwks_ec.txt", "jwks_rsa.txt", + std::vector files = {"jwks_ec.txt", "jwks_rsa.txt", "jwks_rsa_non_standard_exponent.txt", "jwks_hmac.txt", "jwks_okp.txt", "jwks_x509.txt", "jwks_pem.txt"}; for (const auto& file : files) { diff --git a/test/jwks_test.cc b/test/jwks_test.cc index 593b6fb..96d8461 100644 --- a/test/jwks_test.cc +++ b/test/jwks_test.cc @@ -425,7 +425,7 @@ TEST(JwksParseTest, JwksECWrongXY) { EXPECT_EQ(jwks->getStatus(), Status::JwksEcParseError); } -TEST(JwksParseTest, JwksRSAWrongNE) { +TEST(JwksParseTest, ValidLargeExponent) { const std::string jwks_text = R"( { "keys": [ @@ -437,6 +437,40 @@ TEST(JwksParseTest, JwksRSAWrongNE) { } ] } +)"; + auto jwks = Jwks::createFrom(jwks_text, Jwks::JWKS); + EXPECT_EQ(jwks->getStatus(), Status::Ok); +} + +TEST(JwksParseTest, ValidExponentIs3) { + const std::string jwks_text = R"( + { + "keys": [ + { + "kty": "RSA", + "n": "EB54wykhS7YJFD6RYJNnwbW", + "e": "Aw==", + "alg": "RS256" + } + ] + } +)"; + auto jwks = Jwks::createFrom(jwks_text, Jwks::JWKS); + EXPECT_EQ(jwks->getStatus(), Status::Ok); +} + +TEST(JwksParseTest, JwksRSAWrongNE) { + const std::string jwks_text = R"( + { + "keys": [ + { + "kty": "RSA", + "n": "EB54wykhS7YJFD6RYJNnwbW", + "e": "Ag==", + "alg": "RS256" + } + ] + } )"; auto jwks = Jwks::createFrom(jwks_text, Jwks::JWKS); EXPECT_EQ(jwks->getStatus(), Status::JwksRsaParseError);