fix: avoid kid clashing potential

For those JWK's which lack the kid attribute, the logic assigns one. When parsing pubkey bundle (JWKS, a set of JWK), the previous logic enables a clash, consider this JWK sequence: * {"kid": "2", "kty":"EC", "use":"sig", ... } * {"kty":"RS", "use":"sig", ... } -- this saves with kid=1 * {"kty":"RS", "use":"enc", ... } -- this *overwrites* kid=2
ticarpi · Apr 12, 2023 · 2632a37 · 2632a37
1 parent 70109d7
commit 2632a37
Showing 1 changed file with 4 additions and 6 deletions.
diff --git a/jwt_tool.py b/jwt_tool.py
@@ -978,15 +978,13 @@ def parseJWKS(jwksfile):
     try:
         keyLen = len(jwksDict["keys"])
         cprintc("Number of keys: "+str(keyLen), "cyan")
-        kid_bak = 1
+        kids_seen = set()
+        new_kid = lambda: 1 + max([x for x in kids_seen if isinstance(x, int)], default=0)
         any1valid = False
         for d in jwksDict["keys"]:
             cprintc("\n--------", "white")
-            if 'kid' in d:
-                kid = str(d["kid"])
-            else:
-                kid = kid_bak
-                kid_bak += 1
+            kid = d['kid'] if 'kid' in d else new_kid()
+            kids_seen.add(kid)
             cprintc(f"Key kid {kid}", "cyan")
             for k, v in d.items():
                 cprintc(f"[+] {k} = {v}", "green")