Fix header parsing in JWT filter (#2291) (#2294)

* Fix header parsing in JWT filter * fix lint
istio · Jun 27, 2019 · 5227c78 · 5227c78
1 parent 7bb4e91
commit 5227c78
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 10 deletions.
diff --git a/src/envoy/http/jwt_auth/jwt.cc b/src/envoy/http/jwt_auth/jwt.cc
@@ -273,13 +273,7 @@ Jwt::Jwt(const std::string &jwt) {
     return;
   }
 
-  // Prepare EVP_MD object.
-  if (alg_ == "RS256") {
-    // may use
-    // EVP_sha384() if alg == "RS384" and
-    // EVP_sha512() if alg == "RS512"
-    md_ = EVP_sha256();
-  } else if (alg_ != "ES256") {
+  if (alg_ != "RS256" && alg_ != "ES256") {
     UpdateStatus(Status::ALG_NOT_IMPLEMENTED);
     return;
   }
@@ -416,7 +410,7 @@ bool Verifier::Verify(const Jwt &jwt, const Pubkeys &pubkeys) {
       // Verification succeeded.
       return true;
     } else if ((pubkey->pem_format_ || pubkey->kty_ == "RSA") &&
-               VerifySignatureRSA(pubkey->evp_pkey_.get(), jwt.md_,
+               VerifySignatureRSA(pubkey->evp_pkey_.get(), EVP_sha256(),
                                   jwt.signature_, signed_data)) {
       // Verification succeeded.
       return true;

diff --git a/src/envoy/http/jwt_auth/jwt.h b/src/envoy/http/jwt_auth/jwt.h
@@ -231,8 +231,6 @@ class Jwt : public WithStatus {
   int64_t Exp();
 
  private:
-  const EVP_MD* md_;
-
   Json::ObjectSharedPtr header_;
   std::string header_str_;
   std::string header_str_base64url_;

diff --git a/src/envoy/http/jwt_auth/jwt_test.cc b/src/envoy/http/jwt_auth/jwt_test.cc
@@ -187,6 +187,21 @@ class DatasetPem {
       "YjAxMGQ4MjYyYmUKM2U1MjMyMTE4MzUxY2U5M2VkNmY1NWJhYTFmNmU5M2NmMzVlZjJiNjRi"
       "MDYxNzU4YWJmYzdkNzUzYzAxMWVhNgo3NTg1N2MwMGY3YTE3Y2E3YWI2NGJlMWIyYjdkNzZl"
       "NWJlMThhZWFmZWY5NDU5MjAxY2RkY2NkZGZiZjczMjQ2";
+
+  /*
+   * jwt with header replaced by
+   * "{"alg":"ES256","typ":"JWT"}"
+   */
+  const std::string kJwtWithES256Alg =
+      "eyJhbGciOiJFUzI1NiIsImtpZCI6IjYyYTkzNTEyYzllZTRjN2Y4MDY3YjVhMjE2ZGFkZTI3"
+      "NjNkMzJhNDciLCJ0eXAiOiJKV1QifQ.eyJleHAiOjE1NzE0MTkyNTIsImZvbyI6ImJsYWJsY"
+      "SIsImlhdCI6MTU2MTQxOTI1MiwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzd"
+      "WIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.JJnYan0ItEmTSPC9sETO5j46Ve0yQkC0"
+      "_4uEyfShbhDzejhVavlUdrL5sE2JEq9W-SYUhwGt2eIPMxKl1E1sQn0a_4f6iU6ZxhXnXU91"
+      "g2SB8-JF6wrc_I3iybrUrj39kxUZQNr-w8MRp1YBDMmKg1har98AeL0xHzdyF_gf3K57u-9_"
+      "yyBoymCjQraMQPWX-MuOI18i7w9MmwfIplxD3sGpnivAma1hSAJWfRFuz_rHst08cZOl_6ZK"
+      "8ineqqYL19lHLLJns3dzYIvVxdOdRs87Z5UwCyYjLlxupiLo6MHFBWNMFNgZ"
+      "is7wsUauWH47D-ga0JjcmVL4MRgyoP43mA";
 };
 
 class DatasetJwk {
@@ -551,6 +566,11 @@ TEST_F(JwtTestPem, InvalidAlg) {
          Status::ALG_NOT_IMPLEMENTED, nullptr);
 }
 
+TEST_F(JwtTestPem, Es256Alg) {
+  DoTest(ds.kJwtWithES256Alg, ds.kPublicKey, "pem", false,
+         Status::JWT_INVALID_SIGNATURE, nullptr);
+}
+
 TEST(JwtSubExtractionTest, NonEmptyJwtSubShouldEqual) {
   DatasetPem ds;
   Jwt jwt(ds.kJwt);