[ 
https://issues.apache.org/jira/browse/CXF-9033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17871564#comment-17871564
 ] 

Jan Bernhardt commented on CXF-9033:
------------------------------------

Hi [~coheigea], your linked article is convincing. Setting the expected 
algorithm on the receiver side seems to be the most secure way. It is less 
convenient, but convenience and security usually don't match in most cases 
anyway.

The JWS spec expects us to handle the alg header as it "MUST be understood and 
processed by implementations." 
[https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.1]

But the spec also warns us about the risks with a freely definable alg header: 
[https://datatracker.ietf.org/doc/html/rfc7515#section-10.7]

So in the end, the solution (as it is now) seems like a good choice. Even though 
a whitelisting of allowed algorithms should also be a safe option, providing 
more flexibility.

> getSignatureAlgorithm ignores alg value set within JWS header
> -------------------------------------------------------------
>
>                 Key: CXF-9033
>                 URL: https://issues.apache.org/jira/browse/CXF-9033
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 3.5.8, 3.6.3, 4.0.4
>            Reporter: Jan Bernhardt
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>
> The `getSignatureAlgorithm` method from the 
> [JwsUtils|https://github.com/apache/cxf/blob/cxf-3.6.3/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java]
>  ignores any value set within the "alg" JWS header; instead, the code looks for 
> a static JAX-RS property (rs.security.signature.algorithm) or tries to detect 
> the algorithm based on the selected alias in a keystore file. This makes it 
> more complicated to configure a CXF provider and limits the token validation 
> to a single specified algorithm. Using the header value instead would avoid 
> such additional configuration properties and make the solution more dynamic.
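The receiver-side handling discussed in the comment and in the quoted issue (pin one expected algorithm, or check the header `alg` against a whitelist before trusting it) is illustrated below as an added example. It is not CXF code and does not use the CXF `JwsUtils` API; it is a small stand-alone Python verifier over the compact JWS serialization from RFC 7515, restricted to the HMAC family for brevity, with a constructed demo key. Pinning a single algorithm, as the `rs.security.signature.algorithm` property does, is simply the allowlist case of size one.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for the example only; not a real secret.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

# Only the HMAC-based JWS algorithms are modelled here (assumption for brevity).
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


class JwsRejected(Exception):
    """Raised for any token the receiver refuses to accept."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs(payload: dict, key: bytes, alg: str) -> str:
    """Produce a compact JWS with the given HMAC algorithm in the protected header."""
    signing_input = f"{_segment({'alg': alg, 'typ': 'JWT'})}.{_segment(payload)}"
    mac = hmac.new(key, signing_input.encode("ascii"), HMAC_ALGS[alg]).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def unsigned_token(payload: dict) -> str:
    """A token carrying alg=none and an empty signature; a receiver must reject it."""
    return f"{_segment({'alg': 'none'})}.{_segment(payload)}."


def verify_hs(token: str, key: bytes, allowed_algs: frozenset) -> dict:
    """Verify a compact JWS, accepting only algorithms the receiver has allowed.

    The header's alg is read (RFC 7515 section 4.1.1 requires it to be processed)
    but is checked against the receiver's own allowlist before any crypto runs,
    which is the mitigation RFC 7515 section 10.7 calls for.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise JwsRejected("malformed compact serialization")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError as exc:
        raise JwsRejected("unparseable protected header") from exc
    alg = header.get("alg")
    # Decisive check: the sender does not get to choose the algorithm.
    if not isinstance(alg, str) or alg not in allowed_algs:
        raise JwsRejected(f"alg {alg!r} not in receiver allowlist {sorted(allowed_algs)}")
    if alg not in HMAC_ALGS:
        raise JwsRejected(f"alg {alg!r} is allowed but not implemented here")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise JwsRejected("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def rejects(token: str, key: bytes, allowed_algs: frozenset) -> bool:
    """True if the receiver refuses the token; convenient for checks and tests."""
    try:
        verify_hs(token, key, allowed_algs)
    except JwsRejected:
        return True
    return False


if __name__ == "__main__":
    pinned = frozenset({"HS256"})
    good = sign_hs({"sub": "alice"}, DEMO_KEY, "HS256")
    print("pinned HS256 accepts HS256 token:", verify_hs(good, DEMO_KEY, pinned))
    print("pinned HS256 rejects HS384 token:", rejects(sign_hs({"sub": "alice"}, DEMO_KEY, "HS384"), DEMO_KEY, pinned))
    print("pinned HS256 rejects alg=none:", rejects(unsigned_token({"sub": "alice"}), DEMO_KEY, pinned))
```

The allowlist is passed in by the receiver and never derived from the token, so widening it to `frozenset({"HS256", "HS384"})` is the "whitelisting of allowed algorithms" the comment describes, while `frozenset({"HS256"})` is the pinned configuration. Note that `alg` is always read first and rejected on mismatch before the MAC is even computed, so an unexpected or `none` header never reaches the key material.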



--
This message was sent by Atlassian Jira
(v8.20.10#820010)