Posted to commits@trafficserver.apache.org by bc...@apache.org on 2022/06/15 13:27:27 UTC
[trafficserver] 02/04: uri_signing plugin: Fix missing payload validation for the iss field. (#8901)
bcall pushed a commit to branch 9.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit ab8f2f26877321f61da067328d25e1ec20a411f9
Author: Damian Meden <da...@gmail.com>
AuthorDate: Tue Jun 14 13:25:21 2022 +0100
uri_signing plugin: Fix missing payload validation for the iss field. (#8901)
(cherry picked from commit 095ae4ab9f9e18ed1c26d803a0bcdbdecf0b8cf8)
---
plugins/experimental/uri_signing/jwt.c | 5 +++++
plugins/experimental/uri_signing/parse.c | 12 +++++++++---
tests/gold_tests/pluginTest/uri_signing/uri_signing.test.py | 13 ++++++++++++-
3 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/plugins/experimental/uri_signing/jwt.c b/plugins/experimental/uri_signing/jwt.c
index b3b1032ef..ed5da8d67 100644
--- a/plugins/experimental/uri_signing/jwt.c
+++ b/plugins/experimental/uri_signing/jwt.c
@@ -106,6 +106,11 @@ jwt_validate(struct jwt *jwt)
return false;
}
+ if (!jwt->iss) {
+ PluginDebug("Initial JWT Failure: iss is missing, must be present");
+ return false;
+ }
+
if (jwt->cdniv != 1) { /* Only support the very first version! */
PluginDebug("Initial JWT Failure: wrong version");
return false;
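Review bot: The new guard at L24 rejects a NULL issuer but lets an empty-string `iss` through, since a JSON `"iss": ""` would presumably leave jwt->iss non-NULL; whether that matters depends on how find_keys() treats an empty issuer name, which is not visible here. If the parser can produce an empty string, tightening the check to `if (!jwt->iss || !*jwt->iss)` closes that gap at no cost. The check also deserves a why-comment, because the reason lives in another file: `/* iss is mandatory: validate_jws() uses it to select the issuer's key set */`. jwt_validate begins before and ends after this hunk.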
diff --git a/plugins/experimental/uri_signing/parse.c b/plugins/experimental/uri_signing/parse.c
index 5636c2755..72d79377a 100644
--- a/plugins/experimental/uri_signing/parse.c
+++ b/plugins/experimental/uri_signing/parse.c
@@ -208,8 +208,10 @@ validate_jws(cjose_jws_t *jws, struct config *cfg, const char *uri, size_t uri_c
PluginDebug("Cannot find key %s for issuer %s for %16p", kid, jwt->iss, jws);
goto jwt_fail;
}
- if (!cjose_jws_verify(jws, jwk, NULL)) {
- PluginDebug("Key %s for issuer %s for %16p does not validate.", kid, jwt->iss, jws);
+ cjose_err err;
+ memset(&err, 0, sizeof(cjose_err));
+ if (!cjose_jws_verify(jws, jwk, &err)) {
+ PluginDebug("Key %s for issuer %s for %16p does not validate: '%s'", kid, jwt->iss, jws, (err.message ? err.message : ""));
goto jwt_fail;
}
TimerDebug("checking crypto signature for jwt");
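Review bot: The declaration plus memset at L42-43 can be the single zero-initializer `cjose_err err = {0};`, which avoids naming the type twice and does not depend on <string.h>. The failure message at L45 prints only err.message; cjose's error struct also carries a numeric code, and logging it alongside (`... does not validate: %d '%s'`, passing `err.code`) keeps the line useful when the message is empty, which is the case the NULL guard already anticipates. validate_jws starts before and continues after this hunk.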
@@ -217,8 +219,12 @@ validate_jws(cjose_jws_t *jws, struct config *cfg, const char *uri, size_t uri_c
PluginDebug("Searching all keys for issuer %s for %16p", jwt->iss, jws);
cjose_jwk_t **jwks;
for (jwks = find_keys(cfg, jwt->iss); jwks && *jwks; ++jwks) {
- if (cjose_jws_verify(jws, *jwks, NULL)) {
+ cjose_err err;
+ memset(&err, 0, sizeof(cjose_err));
+ if (cjose_jws_verify(jws, *jwks, &err)) {
break;
+ } else {
+ PluginDebug("Key validation failed: '%s'", (err.message ? err.message : ""));
}
}
TimerDebug("checking the crypto signature of all possible keys for jwt");
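Review bot: The `else` at L58 is redundant after `break`, and the per-key message at L59 does not say which of the issuer's keys was tried, so an issuer with several keys produces a run of identical lines. Dropping the else and naming the issuer in the message is enough to make each line actionable: `PluginDebug("Key for issuer %s does not validate: '%s'", jwt->iss, (err.message ? err.message : ""));`; if the key id is wanted too, cjose exposes it through its jwk accessor, but a key without a kid may yield NULL there, so guard it the same way as err.message. As in the previous hunk, `cjose_err err = {0};` at L54-55 replaces the declaration plus memset. validate_jws continues past this hunk.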
diff --git a/tests/gold_tests/pluginTest/uri_signing/uri_signing.test.py b/tests/gold_tests/pluginTest/uri_signing/uri_signing.test.py
index b77a7eae6..b85f98725 100644
--- a/tests/gold_tests/pluginTest/uri_signing/uri_signing.test.py
+++ b/tests/gold_tests/pluginTest/uri_signing/uri_signing.test.py
@@ -195,7 +195,7 @@ ps.Streams.stderr = "gold/403.gold"
tr.StillRunningAfter = server
tr.StillRunningAfter = ts
-# 9 - multiple cookies
+# 11 - multiple cookies
tr = Test.AddTestRun("multiple cookies, expired then good")
ps = tr.Processes.Default
ps.Command = curl_and_args + '"http://somehost/someasset.ts" -H "Cookie: URISigningPackage=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIiLCJleHAiOjF9.GkdlOPHQc6BqS4Q6x79GeYuVFO2zuGbaPZZsJfD6ir8;URISigningPackage=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIiLCJleHAiOjE5MjMwNTYwODR9.zw_wFQ-wvrWmfPLGj3hAUWn-GOHkiJZi2but4KV0paY"'
@@ -203,3 +203,14 @@ ps.ReturnCode = 0
ps.Streams.stderr = "gold/200.gold"
tr.StillRunningAfter = server
tr.StillRunningAfter = ts
+
+
+# 12 - Check missing iss from the payload
+tr = Test.AddTestRun("Missing iss field in the payload")
+ps = tr.Processes.Default
+ps.Command = curl_and_args + '"http://somehost/someasset.ts?URISigningPackage=ewogICJ0eXAiOiAiSldUIiwKICAiYWxnIjogIkhTMjU2Igp9.ewogICJleHAiOiAxOTIzMDU2MDg0Cn0.zw_wFQ-wvrWmfPLGj3hAUWn-GOHkiJZi2but4KV0paY"'
+ps.ReturnCode = 0
+ps.Streams.stderr = "gold/403.gold"
+ts.Streams.stderr = Testers.ContainsExpression("Initial JWT Failure: iss is missing, must be present", "should fail the validation")
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
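Review bot: The token at L84 reuses the signature of the second cookie token from test 11 (L74) over a different header and payload, so it would be rejected for a bad signature even if the iss check were absent; the 403 gold at L86 therefore does not pin the fix, and only the ContainsExpression at L87 does, on the assumption that claim validation runs before signature verification. Re-signing the iss-less payload with the test's HS256 key, so that the missing issuer is the sole reason for rejection, would make the 403 itself meaningful. Note also that L87 attaches the tester to the long-running `ts` process rather than to this run, so it is evaluated over the whole server log; if the stream setter replaces rather than accumulates testers, write `ts.Streams.stderr += Testers.ContainsExpression(...)` to avoid clobbering an earlier one.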