Merge pull request #17 from genexuslabs/issue#82739

sgrampone · web-flow · commit d1d5c2ab1de3 · 2020-06-01T11:50:05.000-03:00
Add expected algorithm verification to JWTCreator.DoVerify
diff --git a/GeneXusJWT/src/main/java/com/genexus/JWT/JWTCreator.java b/GeneXusJWT/src/main/java/com/genexus/JWT/JWTCreator.java
@@ -85,7 +85,7 @@ public String doCreate(String algorithm, PrivateClaims privateClaims, JWTOptions
 		return signedJwt;
 	}
 
-	public boolean doVerify(String token, PrivateClaims privateClaims, JWTOptions options) {
+	public boolean doVerify(String token, String expectedAlgorithm, PrivateClaims privateClaims, JWTOptions options) {
 		if (options.hasError()) {
 			this.error = options.getError();
 			return false;
@@ -106,6 +106,13 @@ public boolean doVerify(String token, PrivateClaims privateClaims, JWTOptions op
 		if (this.hasError()) {
 			return false;
 		}
+		JWTAlgorithm expectedJWTAlgorithm = JWTAlgorithm.getJWTAlgorithm(expectedAlgorithm, this.error);
+        if(alg.compareTo(expectedJWTAlgorithm) != 0 || this.hasError())
+        {
+            this.error.setError("JW008", "Expected algorithm does not match token algorithm");
+            return false;
+        }
+        
 		Algorithm algorithmType = null;
 		if (JWTAlgorithm.isPrivate(alg)) {
 			CertificateX509 cert = options.getCertificate();
diff --git a/GeneXusJWT/src/main/java/com/genexus/commons/JWTObject.java b/GeneXusJWT/src/main/java/com/genexus/commons/JWTObject.java
@@ -11,7 +11,7 @@ public JWTObject() {
 	}
 	
 	public abstract String doCreate(String algorithm, PrivateClaims privateClaims, JWTOptions options);
-	public abstract boolean doVerify(String token, PrivateClaims privateClaims, JWTOptions options);
+	public abstract boolean doVerify(String token, String expectedAlgorithm, PrivateClaims privateClaims, JWTOptions options);
 	public abstract String getPayload(String token) ;
 	public abstract String getHeader(String token);
 	public abstract String getTokenID(String token);

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ public JWTObject() {`
`11`	`11`	`}`
`12`	`12`
`13`	`13`	`public abstract String doCreate(String algorithm, PrivateClaims privateClaims, JWTOptions options);`
`14`		`- public abstract boolean doVerify(String token, PrivateClaims privateClaims, JWTOptions options);`
	`14`	`+ public abstract boolean doVerify(String token, String expectedAlgorithm, PrivateClaims privateClaims, JWTOptions options);`
`15`	`15`	`public abstract String getPayload(String token) ;`
`16`	`16`	`public abstract String getHeader(String token);`
`17`	`17`	`public abstract String getTokenID(String token);`