uri_signing plugin: Fix missing payload validation for the iss field. (…

…#8901) (#8912) Co-authored-by: Damian Meden <damian.meden@gmail.com>
apache · Jun 14, 2022 · bcb4c56 · bcb4c56
1 parent 03fcfd7
commit bcb4c56
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 4 deletions.
diff --git a/plugins/experimental/uri_signing/jwt.c b/plugins/experimental/uri_signing/jwt.c
@@ -106,6 +106,11 @@ jwt_validate(struct jwt *jwt)
     return false;
   }
 
+  if (!jwt->iss) {
+    PluginDebug("Initial JWT Failure: iss is missing, must be present");
+    return false;
+  }
+
   if (jwt->cdniv != 1) { /* Only support the very first version! */
     PluginDebug("Initial JWT Failure: wrong version");
     return false;

diff --git a/plugins/experimental/uri_signing/parse.c b/plugins/experimental/uri_signing/parse.c
@@ -204,17 +204,23 @@ validate_jws(cjose_jws_t *jws, struct config *cfg, const char *uri, size_t uri_c
       PluginDebug("Cannot find key %s for issuer %s for %16p", kid, jwt->iss, jws);
       goto jwt_fail;
     }
-    if (!cjose_jws_verify(jws, jwk, NULL)) {
-      PluginDebug("Key %s for issuer %s for %16p does not validate.", kid, jwt->iss, jws);
+    cjose_err err;
+    memset(&err, 0, sizeof(cjose_err));
+    if (!cjose_jws_verify(jws, jwk, &err)) {
+      PluginDebug("Key %s for issuer %s for %16p does not validate: '%s'", kid, jwt->iss, jws, (err.message ? err.message : ""));
       goto jwt_fail;
     }
     TimerDebug("checking crypto signature for jwt");
   } else {
     PluginDebug("Searching all keys for issuer %s for %16p", jwt->iss, jws);
     cjose_jwk_t **jwks;
     for (jwks = find_keys(cfg, jwt->iss); jwks && *jwks; ++jwks) {
-      if (cjose_jws_verify(jws, *jwks, NULL)) {
+      cjose_err err;
+      memset(&err, 0, sizeof(cjose_err));
+      if (cjose_jws_verify(jws, *jwks, &err)) {
         break;
+      } else {
+        PluginDebug("Key validation failed: '%s'", (err.message ? err.message : ""));
       }
     }
     TimerDebug("checking the crypto signature of all possible keys for jwt");

diff --git a/tests/gold_tests/pluginTest/uri_signing/uri_signing.test.py b/tests/gold_tests/pluginTest/uri_signing/uri_signing.test.py
@@ -202,11 +202,22 @@
 tr.StillRunningAfter = server
 tr.StillRunningAfter = ts
 
-# 9 - multiple cookies
+# 11 - multiple cookies
 tr = Test.AddTestRun("multiple cookies, expired then good")
 ps = tr.Processes.Default
 ps.Command = curl_and_args + '"http://somehost/someasset.ts" -H "Cookie: URISigningPackage=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIiLCJleHAiOjF9.GkdlOPHQc6BqS4Q6x79GeYuVFO2zuGbaPZZsJfD6ir8;URISigningPackage=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIiLCJleHAiOjE5MjMwNTYwODR9.zw_wFQ-wvrWmfPLGj3hAUWn-GOHkiJZi2but4KV0paY"'
 ps.ReturnCode = 0
 ps.Streams.stderr = "gold/200.gold"
 tr.StillRunningAfter = server
 tr.StillRunningAfter = ts
+
+
+# 12 - Check missing iss from the payload
+tr = Test.AddTestRun("Missing iss field in the payload")
+ps = tr.Processes.Default
+ps.Command = curl_and_args + '"http://somehost/someasset.ts?URISigningPackage=ewogICJ0eXAiOiAiSldUIiwKICAiYWxnIjogIkhTMjU2Igp9.ewogICJleHAiOiAxOTIzMDU2MDg0Cn0.zw_wFQ-wvrWmfPLGj3hAUWn-GOHkiJZi2but4KV0paY"'
+ps.ReturnCode = 0
+ps.Streams.stderr = "gold/403.gold"
+ts.Streams.stderr = Testers.ContainsExpression("Initial JWT Failure: iss is missing, must be present", "should fail the validation")
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts