Commit 159f71fd authored by Clément OUDOT's avatar Clément OUDOT

Verify Request JWT signature (#184)

parent 94f1065e
......@@ -134,7 +134,7 @@ sub extractFormInfo {
if ( $self->{oidcOPMetaDataOptions}->{$op}
->{oidcOPMetaDataOptionsCheckJWTSignature} )
{
unless ( $self->verifyJWTSignature( $op, $id_token ) ) {
unless ( $self->verifyJWTSignature( $id_token, $op ) ) {
$self->lmLog( "JWT signature verification failed", 'error' );
return PE_ERROR;
}
......
......@@ -78,6 +78,7 @@ sub issuerForUnAuthUser {
# Extract request parameter
if ( $oidc_request->{'request'} ) {
my $request = $self->getJWTJSONData( $oidc_request->{'request'} );
# Override OIDC parameters by request content
......@@ -662,6 +663,24 @@ sub issuerForAuthUser {
$self->lmLog( "Client id $client_id match RP $rp", 'debug' );
}
# Check Request JWT signature
if ( $oidc_request->{'request'} ) {
unless (
$self->verifyJWTSignature(
$oidc_request->{'request'},
undef, $rp
)
)
{
$self->lmLog( "Request JWT signature could not be verified",
'error' );
return PE_ERROR;
}
else {
$self->lmLog( "Request JWT signature verified", 'debug' );
}
}
# Check redirect_uri
my $redirect_uri = $oidc_request->{'redirect_uri'};
my $redirect_uris = $self->{oidcRPMetaDataOptions}->{$rp}
......
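Review bot: The request-object signature is verified only on the authenticated path (the block added after the client_id/RP match), while issuerForUnAuthUser still decodes the request object with getJWTJSONData and overrides the OIDC parameters from it with no verification visible in its hunk; unless the single line added there is an equivalent check, an unauthenticated caller can steer that path with a forged request object, so the same guard (ideally a shared helper) belongs before the override. In addition, verifyJWTSignature returns 1 for `alg: none` (the test file asserts exactly that for 'JWT Signature verification - alg: none'), so the 'Request JWT signature verified' branch is reachable for an unsigned request object; if an RP is expected to sign, the issuer should reject `none` here, for example by extracting `alg` from the JWT header and adding `return PE_ERROR if $alg eq 'none';` before the verification call, or by making the RP branch of verifyJWTSignature refuse it. The error log would also be more useful to an operator with the RP named in it: `"Request JWT signature could not be verified for RP $rp"`. Both issuerForUnAuthUser and issuerForAuthUser start and end outside these hunks.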
......@@ -771,13 +771,14 @@ sub extractJWT {
return \@jwt_parts;
}
## @method boolean verifyJWTSignature(String op, String jwt)
## @method boolean verifyJWTSignature(String jwt, String op, String rp)
# Check signature of a JWT
# @param op OpenIP Provider configuration key
# @param jwt JWT raw value
# @param op OpenIP Provider configuration key
# @param rp OpenIP Relying Party configuration key
# @return boolean 1 if signature is verified, 0 else
sub verifyJWTSignature {
my ( $self, $op, $jwt ) = splice @_;
my ( $self, $jwt, $op, $rp ) = splice @_;
$self->lmLog( "Verification of JWT signature: $jwt", 'debug' );
......@@ -812,9 +813,13 @@ sub verifyJWTSignature {
if ( $alg eq "HS256" or $alg eq "HS384" or $alg eq "HS512" ) {
# Check signature with client secret
my $client_secret =
my $client_secret;
$client_secret =
$self->{oidcOPMetaDataOptions}->{$op}
->{oidcOPMetaDataOptionsClientSecret};
->{oidcOPMetaDataOptionsClientSecret} if $op;
$client_secret =
$self->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsClientSecret} if $rp;
my $digest;
......@@ -851,6 +856,11 @@ sub verifyJWTSignature {
if ( $alg eq "RS256" or $alg eq "RS384" or $alg eq "RS512" ) {
if ($rp) {
$self->lmLog( "Algorithm $alg not supported", 'debug' );
return 0;
}
# The public key is needed
unless ( $self->{_oidcOPList}->{$op}->{jwks} ) {
$self->lmLog( "Cannot verify $alg signature: no JWKS data found",
......
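Review bot: In the HS* branch, `$client_secret` stays undef when the selected RP (or OP) has no client secret configured, which is the normal case for public clients, and the digest computation that follows `my $digest;` is outside this hunk; unless that code already rejects a missing secret, the HMAC would be computed over an empty key and a token signed with an empty secret would pass, so add `return 0 unless defined $client_secret and length $client_secret;` right after the two assignments so the check fails closed. The refusal of RS* for an RP logs at 'debug' even though it makes the function return 0 and the caller emit PE_ERROR; log it at 'error' (or 'warn') so operators can see why a request object was rejected, and say in the header comment that RS* is only supported for OPs. The comment block also reads 'OpenIP Provider'/'OpenIP Relying Party' for 'OpenID', and it should state that when both op and rp are passed the RP secret silently takes precedence. verifyJWTSignature starts in this section but its body runs past the last hunk.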
......@@ -38,7 +38,7 @@ my $jwt;
$jwt =
"eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWluIjp0cnVlfQ.";
ok(
$p->verifyJWTSignature( "jwtio", $jwt ) == 1,
$p->verifyJWTSignature( $jwt, "jwtio" ) == 1,
'JWT Signature verification - alg: none'
);
......@@ -46,7 +46,7 @@ ok(
$jwt =
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWluIjp0cnVlfQ.eoaDVGTClRdfxUZXiPs3f8FmJDkDE_VCQFXqKxpLsts";
ok(
$p->verifyJWTSignature( "jwtio", $jwt ) == 1,
$p->verifyJWTSignature( $jwt, "jwtio" ) == 1,
'JWT Signature verification - alg: HS256'
);
......@@ -54,7 +54,7 @@ ok(
$jwt =
"eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWluIjp0cnVlfQ.fSCfxDB4cFVvzd6IqiNTuItTYiv-tAp5u5XplJWRDBGNF1rgGn1gyYK9LuHobWWpwqCzI7pEHDlyrbNHaQJmqg";
ok(
$p->verifyJWTSignature( "jwtio", $jwt ) == 1,
$p->verifyJWTSignature( $jwt, "jwtio" ) == 1,
'JWT Signature verification - alg: HS512'
);
......@@ -69,7 +69,7 @@ $p->{_oidcOPList}->{google}->{jwks}->{keys}->[0]->{e} = "AQAB";
$jwt =
"eyJhbGciOiJSUzI1NiIsImtpZCI6IjNkMDA3Njc3ZmVjNjU2YTU2MjgyNmYwMTkxZDBmOWZjYjBlNTk1Y2YifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTE1MzYxMjMwMzU3MzA0NzU0ODQ0IiwiYXpwIjoiMjg2MzA1NzI4NjUyLWxjYW5ubWRnMTdxM2VtdDFjYmtqbmZnOTVzZHM4NjJsLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiZW1haWwiOiJjbGVtZW50QG9vZG8ubmV0IiwiYXRfaGFzaCI6ImZRc0FaSHdsUUNPZXctNE84QkFWNWciLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXVkIjoiMjg2MzA1NzI4NjUyLWxjYW5ubWRnMTdxM2VtdDFjYmtqbmZnOTVzZHM4NjJsLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiaGQiOiJvb2RvLm5ldCIsImlhdCI6MTQxNjQwNjA0MywiZXhwIjoxNDE2NDA5OTQzfQ.NihX-7P1ogpPCmygD-A-hChIwMg9hJQ_4gzu3zmNEyHnY9rWuwXF6E2K9LF_opMQXWJxkUcI7eyo73L3yk9_51CfQLzD5NbfpR6kyctLBXud9A7wyHzJRBCB_rOU12vU4bMWGajgkGUqOmy-PFnz3akvqVgExbqas0Go4Flg7NI";
ok(
$p->verifyJWTSignature( 'google', $jwt ) == 1,
$p->verifyJWTSignature( $jwt, 'google' ) == 1,
'JWT Signature verification - alg: RS256'
);
......@@ -85,7 +85,7 @@ $jwt =
"eyJraWQiOiIxZTlnZGs3IiwiYWxnIjoiUlMyNTYifQ.ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5NzAsCiAibmFtZSI6ICJKYW5lIERvZSIsCiAiZ2l2ZW5fbmFtZSI6ICJKYW5lIiwKICJmYW1pbHlfbmFtZSI6ICJEb2UiLAogImdlbmRlciI6ICJmZW1hbGUiLAogImJpcnRoZGF0ZSI6ICIwMDAwLTEwLTMxIiwKICJlbWFpbCI6ICJqYW5lZG9lQGV4YW1wbGUuY29tIiwKICJwaWN0dXJlIjogImh0dHA6Ly9leGFtcGxlLmNvbS9qYW5lZG9lL21lLmpwZyIKfQ.rHQjEmBqn9Jre0OLykYNnspA10Qql2rvx4FsD00jwlB0Sym4NzpgvPKsDjn_wMkHxcp6CilPcoKrWHcipR2iAjzLvDNAReF97zoJqq880ZD1bwY82JDauCXELVR9O6_B0w3K-E7yM2macAAgNCUwtik6SjoSUZRcf-O5lygIyLENx882p6MtmwaL1hd6qn5RZOQ0TLrOYu0532g9Exxcm-ChymrB4xLykpDj3lUivJt63eEGGN6DH5K6o33TcxkIjNrCD4XB1CKKumZvCedgHHF3IAK4dVEDSUoGlH9z4pP_eWYNXvqQOjGs-rDaQzUHl6cQQWNiDpWOl_lxXjQEvQ";
ok(
$p->verifyJWTSignature( 'oidccore', $jwt ) == 1,
$p->verifyJWTSignature( $jwt, 'oidccore' ) == 1,
'JWT Signature verification - alg: RS256'
);
......
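Review bot: The new `rp` argument and the RP branch of verifyJWTSignature are not exercised by any test in this file: every updated call still passes an OP key, and there is no negative case at all, so a regression that makes verifyJWTSignature return 1 for a bad HS signature (or for the now-refused RS* with an RP) would go unnoticed. Add an RP fixture that reuses the HS256 token with the same secret the jwtio fixture is configured with (not visible here, assumed to be "secret"), plus a tampered-signature case and an RS256-with-RP case both expected to return 0, as sketched below. Note that the `alg: none` case asserting `== 1` documents that unsigned tokens count as verified; if that is intended, the description should say so, e.g. `'JWT Signature verification - alg: none (unsigned, accepted)'`.
```perl
# … unchanged: alg none / HS256 / HS512 OP cases, $jwt is the HS256 token here …
# RP branch: request object signed with the RP client secret (same secret
# as the jwtio OP fixture; adjust if that fixture uses another value)
$p->{oidcRPMetaDataOptions}->{rptest}->{oidcRPMetaDataOptionsClientSecret} = "secret";
ok(
    $p->verifyJWTSignature( $jwt, undef, "rptest" ) == 1,
    'Request JWT signature verification - RP HS256'
);
( my $tampered = $jwt ) =~ s/.\z/A/;    # flip the last signature character
ok(
    $p->verifyJWTSignature( $tampered, undef, "rptest" ) == 0,
    'Request JWT signature verification - RP HS256, tampered signature'
);
# … unchanged: RS256 OP cases, $jwt is now the RS256 token …
ok(
    $p->verifyJWTSignature( $jwt, undef, "rptest" ) == 0,
    'Request JWT signature verification - RS256 with an RP is refused'
);
```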