Add validation of name in DPoP token

smallstep · Feb 6, 2024 · 5d7e533 · 5d7e533
1 parent 2e78301
commit 5d7e533
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 0 deletions.
diff --git a/acme/challenge.go b/acme/challenge.go
@@ -723,6 +723,14 @@ func parseAndVerifyWireAccessToken(v wireVerifyParams) (*wireAccessToken, *wireD
 		return nil, nil, fmt.Errorf("invalid Wire client handle %q", handle)
 	}
 
+	name, ok := dpopToken["name"].(string)
+	if !ok {
+		return nil, nil, fmt.Errorf("invalid display name in Wire DPoP token")
+	}
+	if name == "" || name != v.wireID.Name {
+		return nil, nil, fmt.Errorf("invalid Wire client display name %q", handle)
+	}
+
 	return &accessToken, &dpopToken, nil
 }
 

diff --git a/acme/challenge_test.go b/acme/challenge_test.go
@@ -1008,6 +1008,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle    string `json:"handle,omitempty"`
 				Nonce     string `json:"nonce,omitempty"`
 				HTU       string `json:"htu,omitempty"`
+				Name      string `json:"name,omitempty"`
 			}{
 				Claims: jose.Claims{
 					Subject:  "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
@@ -1017,6 +1018,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle:    "wireapp://%40alice_wire@wire.com",
 				Nonce:     "nonce",
 				HTU:       "http://issuer.example.com",
+				Name:      "Alice Smith",
 			})
 			require.NoError(t, err)
 			dpop, err := dpopSigner.Sign(dpopBytes)

diff --git a/acme/challenge_wire_test.go b/acme/challenge_wire_test.go
@@ -306,6 +306,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle    string `json:"handle,omitempty"`
 				Nonce     string `json:"nonce,omitempty"`
 				HTU       string `json:"htu,omitempty"`
+				Name      string `json:"name,omitempty"`
 			}{
 				Claims: jose.Claims{
 					Subject:  "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
@@ -315,6 +316,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle:    "wireapp://%40alice_wire@wire.com",
 				Nonce:     "nonce",
 				HTU:       "http://issuer.example.com",
+				Name:      "Alice Smith",
 			})
 			require.NoError(t, err)
 			dpop, err := dpopSigner.Sign(dpopBytes)
@@ -450,6 +452,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle    string `json:"handle,omitempty"`
 				Nonce     string `json:"nonce,omitempty"`
 				HTU       string `json:"htu,omitempty"`
+				Name      string `json:"name,omitempty"`
 			}{
 				Claims: jose.Claims{
 					Subject:  "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
@@ -459,6 +462,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle:    "wireapp://%40alice_wire@wire.com",
 				Nonce:     "nonce",
 				HTU:       "http://issuer.example.com",
+				Name:      "Alice Smith",
 			})
 			require.NoError(t, err)
 			dpop, err := dpopSigner.Sign(dpopBytes)
@@ -598,6 +602,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle    string `json:"handle,omitempty"`
 				Nonce     string `json:"nonce,omitempty"`
 				HTU       string `json:"htu,omitempty"`
+				Name      string `json:"name,omitempty"`
 			}{
 				Claims: jose.Claims{
 					Subject:  "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
@@ -607,6 +612,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle:    "wireapp://%40alice_wire@wire.com",
 				Nonce:     "nonce",
 				HTU:       "http://issuer.example.com",
+				Name:      "Alice Smith",
 			})
 			require.NoError(t, err)
 			dpop, err := dpopSigner.Sign(dpopBytes)
@@ -746,6 +752,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle    string `json:"handle,omitempty"`
 				Nonce     string `json:"nonce,omitempty"`
 				HTU       string `json:"htu,omitempty"`
+				Name      string `json:"name,omitempty"`
 			}{
 				Claims: jose.Claims{
 					Subject:  "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
@@ -755,6 +762,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle:    "wireapp://%40alice_wire@wire.com",
 				Nonce:     "nonce",
 				HTU:       "http://issuer.example.com",
+				Name:      "Alice Smith",
 			})
 			require.NoError(t, err)
 			dpop, err := dpopSigner.Sign(dpopBytes)
@@ -901,6 +909,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle    string `json:"handle,omitempty"`
 				Nonce     string `json:"nonce,omitempty"`
 				HTU       string `json:"htu,omitempty"`
+				Name      string `json:"name,omitempty"`
 			}{
 				Claims: jose.Claims{
 					Subject:  "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
@@ -910,6 +919,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle:    "wireapp://%40alice_wire@wire.com",
 				Nonce:     "nonce",
 				HTU:       "http://issuer.example.com",
+				Name:      "Alice Smith",
 			})
 			require.NoError(t, err)
 			dpop, err := dpopSigner.Sign(dpopBytes)