

enforce OIDCIDTokenSignedResponseAlg and OIDCUserInfoSignedResponseAlg
see #435; bump to 2.4.1rc2

Signed-off-by: Hans Zandbelt <[email protected]>
zandbelt committed Dec 9, 2019
1 parent 6af08ca commit 6e89474
Showing 7 changed files with 27 additions and 10 deletions.
2 changes: 2 additions & 0 deletions ChangeLog
@@ -1,5 +1,7 @@
12/09/2019
- fix parsing of values from metadata files when the default is non-NULL (e.g. UNSET)
- enforce OIDCIDTokenSignedResponseAlg and OIDCUserInfoSignedResponseAlg; see #435
- bump to 2.4.1rc2

12/05/2019
- add the possibility to use a public key instead of a certificate for OIDCPublicKeyFiles parameter
2 changes: 1 addition & 1 deletion configure.ac
@@ -1,4 +1,4 @@
AC_INIT([mod_auth_openidc],[2.4.1rc1],[[email protected]])
AC_INIT([mod_auth_openidc],[2.4.1rc2],[[email protected]])

AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())

2 changes: 1 addition & 1 deletion src/config.c
Expand Up @@ -2578,7 +2578,7 @@ const command_rec oidc_config_cmds[] = {
oidc_set_signed_response_alg,
(void *)APR_OFFSETOF(oidc_cfg, provider.id_token_signed_response_alg),
RSRC_CONF,
"The algorithm that the OP should use to sign the id_token (used only in dynamic client registration); must be one of [RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512]"),
"The algorithm that the OP must use to sign the ID token."),
AP_INIT_TAKE1(OIDCIDTokenEncryptedResponseAlg,
oidc_set_encrypted_response_alg,
(void *)APR_OFFSETOF(oidc_cfg, provider.id_token_encrypted_response_alg),
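Review bot: The replacement help string for OIDCIDTokenSignedResponseAlg drops the list of accepted values and does not say that the directive is now enforced on every received token rather than only advertised at dynamic client registration, which is what the old text described and what the callers in proto.c and mod_auth_openidc.c now do with it. Since the same value is also passed when the back-channel logout token is verified, the text should say so as well. Suggested: `"The algorithm that the OP must use to sign the ID token (also enforced on back-channel logout tokens); must be one of [RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512]"`. The oidc_config_cmds array starts and ends outside the hunk.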
5 changes: 3 additions & 2 deletions src/mod_auth_openidc.c
Expand Up @@ -666,7 +666,7 @@ static apr_byte_t oidc_unsolicited_proto_state(request_rec *r, oidc_cfg *c,
oidc_jwks_uri_t jwks_uri = { provider->jwks_uri,
provider->jwks_refresh_interval, provider->ssl_validate_server };
if (oidc_proto_jwt_verify(r, c, jwt, &jwks_uri,
oidc_util_merge_symmetric_key(r->pool, NULL, jwk)) == FALSE) {
oidc_util_merge_symmetric_key(r->pool, NULL, jwk), NULL) == FALSE) {
oidc_error(r, "state JWT could not be validated, aborting");
oidc_jwt_destroy(jwt);
return FALSE;
Expand Down Expand Up @@ -2894,7 +2894,8 @@ static int oidc_handle_logout_backchannel(request_rec *r, oidc_cfg *cfg) {
oidc_jwks_uri_t jwks_uri = { provider->jwks_uri,
provider->jwks_refresh_interval, provider->ssl_validate_server };
if (oidc_proto_jwt_verify(r, cfg, jwt, &jwks_uri,
oidc_util_merge_symmetric_key(r->pool, NULL, jwk)) == FALSE) {
oidc_util_merge_symmetric_key(r->pool, NULL, jwk),
provider->id_token_signed_response_alg) == FALSE) {

oidc_error(r, "id_token signature could not be validated, aborting");
goto out;
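Review bot: The back-channel logout path now pins the logout token to provider->id_token_signed_response_alg, while the first hunk in this file leaves the state JWT unpinned by passing NULL, and neither choice is explained at the call site. A one-line comment on each would save the next reader a trip to proto.c, e.g. before the logout call `/* logout tokens are signed like ID tokens, so enforce the configured ID token alg */` and before the state-JWT call `/* no configured alg for the state JWT: accept any alg the resolved key supports */`. Whether reusing the ID-token setting for logout tokens holds for every OP cannot be judged from this hunk; an OP that signs logout tokens with a different algorithm will now fail here with the existing "id_token signature could not be validated" error, which may be worth a sentence in the ChangeLog entry. Both enclosing functions start and end outside their hunks.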
2 changes: 1 addition & 1 deletion src/mod_auth_openidc.h
Expand Up @@ -639,7 +639,7 @@ int oidc_proto_javascript_implicit(request_rec *r, oidc_cfg *c);
apr_array_header_t *oidc_proto_supported_flows(apr_pool_t *pool);
apr_byte_t oidc_proto_flow_is_supported(apr_pool_t *pool, const char *flow);
apr_byte_t oidc_proto_validate_authorization_response(request_rec *r, const char *response_type, const char *requested_response_mode, char **code, char **id_token, char **access_token, char **token_type, const char *used_response_mode);
apr_byte_t oidc_proto_jwt_verify(request_rec *r, oidc_cfg *cfg, oidc_jwt_t *jwt, const oidc_jwks_uri_t *jwks_uri, apr_hash_t *symmetric_keys);
apr_byte_t oidc_proto_jwt_verify(request_rec *r, oidc_cfg *cfg, oidc_jwt_t *jwt, const oidc_jwks_uri_t *jwks_uri, apr_hash_t *symmetric_keys, const char *alg);
apr_byte_t oidc_proto_validate_jwt(request_rec *r, oidc_jwt_t *jwt, const char *iss, apr_byte_t exp_is_mandatory, apr_byte_t iat_is_mandatory, int iat_slack, int token_binding_policy);
apr_byte_t oidc_proto_generate_nonce(request_rec *r, char **nonce, int len);
apr_byte_t oidc_proto_validate_aud_and_azp(request_rec *r, oidc_cfg *cfg, oidc_provider_t *provider, oidc_jwt_payload_t *id_token_payload);
2 changes: 1 addition & 1 deletion src/oauth.c
Expand Up @@ -642,7 +642,7 @@ static apr_byte_t oidc_oauth_validate_jwt_access_token(request_rec *r,
c->provider.jwks_refresh_interval, c->oauth.ssl_validate_server };
if (oidc_proto_jwt_verify(r, c, jwt, &jwks_uri,
oidc_util_merge_key_sets(r->pool, c->oauth.verify_public_keys,
c->oauth.verify_shared_keys)) == FALSE) {
c->oauth.verify_shared_keys), NULL) == FALSE) {
oidc_error(r,
"JWT access token signature could not be validated, aborting");
oidc_jwt_destroy(jwt);
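Review bot: The JWT access-token path passes NULL for the new alg argument, so these tokens continue to be accepted with whatever algorithm their header names as long as a matching key is found in c->oauth.verify_public_keys or c->oauth.verify_shared_keys; that looks deliberate, but nothing at the call site says so. A short comment on the changed line, `/* no configured alg for JWT access tokens: not pinned, any alg with a matching verification key is accepted */`, would make the intent explicit and mark where a future directive would plug in. oidc_oauth_validate_jwt_access_token starts and ends outside the hunk.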
22 changes: 18 additions & 4 deletions src/proto.c
Expand Up @@ -1530,10 +1530,22 @@ apr_byte_t oidc_proto_get_keys_from_jwks_uri(request_rec *r, oidc_cfg *cfg,
* verify the signature on a JWT using the dynamically obtained and statically configured keys
*/
apr_byte_t oidc_proto_jwt_verify(request_rec *r, oidc_cfg *cfg, oidc_jwt_t *jwt,
const oidc_jwks_uri_t *jwks_uri, apr_hash_t *static_keys) {
const oidc_jwks_uri_t *jwks_uri, apr_hash_t *static_keys,
const char *alg) {

oidc_jose_error_t err;
apr_hash_t *dynamic_keys = apr_hash_make(r->pool);
apr_hash_t *dynamic_keys = NULL;

if (alg != NULL) {
if (apr_strnatcmp(jwt->header.alg, alg) != 0) {
oidc_error(r,
"JWT was not signed with the expected configured algorithm: %s != %s",
jwt->header.alg, alg);
return FALSE;
}
}

dynamic_keys = apr_hash_make(r->pool);

/* see if we've got a JWKs URI set for signature validation with dynamically obtained asymmetric keys */
if (jwks_uri->url == NULL) {
Expand Down Expand Up @@ -1650,7 +1662,8 @@ apr_byte_t oidc_proto_parse_idtoken(request_rec *r, oidc_cfg *cfg,
oidc_jwks_uri_t jwks_uri = { provider->jwks_uri,
provider->jwks_refresh_interval, provider->ssl_validate_server };
if (oidc_proto_jwt_verify(r, cfg, *jwt, &jwks_uri,
oidc_util_merge_symmetric_key(r->pool, NULL, jwk)) == FALSE) {
oidc_util_merge_symmetric_key(r->pool, NULL, jwk),
provider->id_token_signed_response_alg) == FALSE) {

oidc_error(r,
"id_token signature could not be validated, aborting");
Expand Down Expand Up @@ -2150,7 +2163,8 @@ static apr_byte_t oidc_user_info_response_validate(request_rec *r,
oidc_jwks_uri_t jwks_uri = { provider->jwks_uri,
provider->jwks_refresh_interval, provider->ssl_validate_server };
if (oidc_proto_jwt_verify(r, cfg, jwt, &jwks_uri,
oidc_util_merge_symmetric_key(r->pool, NULL, jwk)) == FALSE) {
oidc_util_merge_symmetric_key(r->pool, NULL, jwk),
provider->userinfo_signed_response_alg) == FALSE) {

oidc_error(r, "JWT signature could not be validated, aborting");
oidc_jwt_destroy(jwt);
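Review bot: The new comparison in oidc_proto_jwt_verify uses apr_strnatcmp, a natural-order sort comparator rather than an equality test, for what should be an exact match of two short algorithm identifiers; `if (strcmp(jwt->header.alg, alg) != 0) {` states the intent directly. If jwt->header.alg can be NULL for a token whose header lacks alg (not visible in this hunk), the comparison dereferences NULL, so a guard of the form `if ((jwt->header.alg == NULL) || (strcmp(jwt->header.alg, alg) != 0))` would reject such a token instead of crashing. The header comment above the signature still describes only the key sources; the new parameter deserves a line such as `alg: when non-NULL, the JWT header alg must equal this value or verification fails`, and the prototype in mod_auth_openidc.h carries no comment either. Because the check runs only when alg is non-NULL, whether it is effective out of the box depends on the directive's default value, which this commit does not show.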

