[ https://issues.apache.org/jira/browse/OLTU-199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Antonio Sanso updated OLTU-199: ------------------------------- Labels: review (was: ) > Extra data permitted in JWT header > ---------------------------------- > > Key: OLTU-199 > URL: https://issues.apache.org/jira/browse/OLTU-199 > Project: Apache Oltu > Issue Type: Bug > Components: JWT > Reporter: Bryan Weber > Labels: review > > I stumbled into this bug when writing a unit test. > I was making sure that signature validation did not pass under the following > conditions: > ``` > header + "x" + "." + payload + "." + signature > header + "." + payload + "x" + "." + signature > header + "." + payload + "." + signature + "x" > ``` > 2 of the 3 correctly failed to validate because the signature was invalid, > however the first case still passed signature validation. This puzzled me so > I read the code to figure out what was going on. > ``` > JWS jws = new JWSReader().read(jwt); > CustomSignatureMethod signatureMethod = new > CustomSignatureMethod(); > CustomPublicKey customPublicKey = new > CustomPublicKey(keyPair.getPublic()); > return jws.validate(signatureMethod, customPublicKey); > ``` > When you look at the JWSReader you will see: > ``` > Builder jwsBuilder = new Builder(); > (new JWSHeaderParser(jwsBuilder)).read(decodedHeader); > return > jwsBuilder.setPayload(decodedBody).setSignature(encodedSignature).build(); > ``` > So clearly the JWSHeaderParser's read implementation isn't reading the entire > contents of decodedHeader (which I confirmed is the entire header). > Inside of the class public abstract class CustomizableEntityReader<E, B > extends CustomizableBuilder<E>> > you would find three places that return early. Two of them look like this: > ``` > case '}': > return; > ``` > So as soon as the closing } in the JSON is read the remaining bytes are not > parsed. > This is bad because it means that signature validation passes when it clearly > should not. > My short term fix conceptually looks like this: > ``` > case '}': > if ( x.more() ) { > throw new RuntimeException("Invalid JWT header"); > } > return; > ``` > I'm not sure that this is exploitable at the moment, but it allows extra data > to be passed in JWTs and it causes many tokens to pass signature validation > instead of just the actually valid token. -- This message was sent by Atlassian JIRA (v6.4.14#64029)