From 5d7e53303b012662a8589e4af159949c48f813b2 Mon Sep 17 00:00:00 2001
From: Herman Slatman <hermanslatman@hotmail.com>
Date: Tue, 6 Feb 2024 21:54:29 +0100
Subject: [PATCH] Add validation of `name` in DPoP token

---
 acme/challenge.go           |  8 ++++++++
 acme/challenge_test.go      |  2 ++
 acme/challenge_wire_test.go | 10 ++++++++++
 3 files changed, 20 insertions(+)

diff --git a/acme/challenge.go b/acme/challenge.go
index 794fa3ba1..b087e83cd 100644
--- a/acme/challenge.go
+++ b/acme/challenge.go
@@ -723,6 +723,14 @@ func parseAndVerifyWireAccessToken(v wireVerifyParams) (*wireAccessToken, *wireD
 		return nil, nil, fmt.Errorf("invalid Wire client handle %q", handle)
 	}
 
+	name, ok := dpopToken["name"].(string)
+	if !ok {
+		return nil, nil, fmt.Errorf("invalid display name in Wire DPoP token")
+	}
+	if name == "" || name != v.wireID.Name {
+		return nil, nil, fmt.Errorf("invalid Wire client display name %q", handle)
+	}
+
 	return &accessToken, &dpopToken, nil
 }
 
diff --git a/acme/challenge_test.go b/acme/challenge_test.go
index 35d943765..4f09535dc 100644
--- a/acme/challenge_test.go
+++ b/acme/challenge_test.go
@@ -1008,6 +1008,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle    string `json:"handle,omitempty"`
 				Nonce     string `json:"nonce,omitempty"`
 				HTU       string `json:"htu,omitempty"`
+				Name      string `json:"name,omitempty"`
 			}{
 				Claims: jose.Claims{
 					Subject:  "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
@@ -1017,6 +1018,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle:    "wireapp://%40alice_wire@wire.com",
 				Nonce:     "nonce",
 				HTU:       "http://issuer.example.com",
+				Name:      "Alice Smith",
 			})
 			require.NoError(t, err)
 			dpop, err := dpopSigner.Sign(dpopBytes)
diff --git a/acme/challenge_wire_test.go b/acme/challenge_wire_test.go
index 99f3ff759..1ac381ce3 100644
--- a/acme/challenge_wire_test.go
+++ b/acme/challenge_wire_test.go
@@ -306,6 +306,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle    string `json:"handle,omitempty"`
 				Nonce     string `json:"nonce,omitempty"`
 				HTU       string `json:"htu,omitempty"`
+				Name      string `json:"name,omitempty"`
 			}{
 				Claims: jose.Claims{
 					Subject:  "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
@@ -315,6 +316,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle:    "wireapp://%40alice_wire@wire.com",
 				Nonce:     "nonce",
 				HTU:       "http://issuer.example.com",
+				Name:      "Alice Smith",
 			})
 			require.NoError(t, err)
 			dpop, err := dpopSigner.Sign(dpopBytes)
@@ -450,6 +452,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle    string `json:"handle,omitempty"`
 				Nonce     string `json:"nonce,omitempty"`
 				HTU       string `json:"htu,omitempty"`
+				Name      string `json:"name,omitempty"`
 			}{
 				Claims: jose.Claims{
 					Subject:  "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
@@ -459,6 +462,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle:    "wireapp://%40alice_wire@wire.com",
 				Nonce:     "nonce",
 				HTU:       "http://issuer.example.com",
+				Name:      "Alice Smith",
 			})
 			require.NoError(t, err)
 			dpop, err := dpopSigner.Sign(dpopBytes)
@@ -598,6 +602,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle    string `json:"handle,omitempty"`
 				Nonce     string `json:"nonce,omitempty"`
 				HTU       string `json:"htu,omitempty"`
+				Name      string `json:"name,omitempty"`
 			}{
 				Claims: jose.Claims{
 					Subject:  "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
@@ -607,6 +612,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle:    "wireapp://%40alice_wire@wire.com",
 				Nonce:     "nonce",
 				HTU:       "http://issuer.example.com",
+				Name:      "Alice Smith",
 			})
 			require.NoError(t, err)
 			dpop, err := dpopSigner.Sign(dpopBytes)
@@ -746,6 +752,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle    string `json:"handle,omitempty"`
 				Nonce     string `json:"nonce,omitempty"`
 				HTU       string `json:"htu,omitempty"`
+				Name      string `json:"name,omitempty"`
 			}{
 				Claims: jose.Claims{
 					Subject:  "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
@@ -755,6 +762,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle:    "wireapp://%40alice_wire@wire.com",
 				Nonce:     "nonce",
 				HTU:       "http://issuer.example.com",
+				Name:      "Alice Smith",
 			})
 			require.NoError(t, err)
 			dpop, err := dpopSigner.Sign(dpopBytes)
@@ -901,6 +909,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle    string `json:"handle,omitempty"`
 				Nonce     string `json:"nonce,omitempty"`
 				HTU       string `json:"htu,omitempty"`
+				Name      string `json:"name,omitempty"`
 			}{
 				Claims: jose.Claims{
 					Subject:  "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
@@ -910,6 +919,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle:    "wireapp://%40alice_wire@wire.com",
 				Nonce:     "nonce",
 				HTU:       "http://issuer.example.com",
+				Name:      "Alice Smith",
 			})
 			require.NoError(t, err)
 			dpop, err := dpopSigner.Sign(dpopBytes)