From 2632a3790d08ecb09494f83a0eeb72f1ef4417d6 Mon Sep 17 00:00:00 2001
From: max ulidtko
Date: Thu, 17 Mar 2022 18:42:46 +0200
Subject: [PATCH] fix: avoid kid clashing potential For those JWK's which lack the kid attribute, the logic assigns one. When parsing pubkey bundle (JWKS, a set of JWK), the previous logic enables a clash, consider this JWK sequence: * {"kid": "2", "kty":"EC", "use":"sig", ... } * {"kty":"RS", "use":"sig", ... } -- this saves with kid=1 * {"kty":"RS", "use":"enc", ... } -- this *overwrites* kid=2
---
 jwt_tool.py | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/jwt_tool.py b/jwt_tool.py
index 9aef3a8..61efd2f 100755
--- a/jwt_tool.py
+++ b/jwt_tool.py
@@ -978,15 +978,13 @@ def parseJWKS(jwksfile):
 try:
 keyLen = len(jwksDict["keys"])
 cprintc("Number of keys: "+str(keyLen), "cyan")
- kid_bak = 1
+ kids_seen = set()
+ new_kid = lambda: 1 + max([x for x in kids_seen if isinstance(x, int)], default=0)
 any1valid = False
 for d in jwksDict["keys"]:
 cprintc("\n--------", "white")
- if 'kid' in d:
- kid = str(d["kid"])
- else:
- kid = kid_bak
- kid_bak += 1
+ kid = d['kid'] if 'kid' in d else new_kid()
+ kids_seen.add(kid)
 cprintc(f"Key kid {kid}", "cyan")
 for k, v in d.items():
 cprintc(f"[+] {k} = {v}", "green")
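Review bot: The collision described in the commit message still looks reachable, because `new_kid` only counts kids that are `int` while a JWKS normally carries `kid` as a JSON string. With `"kid": "2"` first, the two kid-less keys still get 1 and 2, and `f"Key kid {kid}"` renders the declared string and the generated integer identically. Dropping the old `str()` also means a malformed, non-hashable `kid` (a list or object) from an untrusted JWKS now raises at `kids_seen.add(kid)`. I would keep every kid as a string and take the first unused number: `kid = str(d['kid']) if 'kid' in d else new_kid()` with `new_kid = lambda: next(str(n) for n in range(1, len(kids_seen) + 2) if str(n) not in kids_seen)`. A declared kid that appears after a generated one can still collide, so collecting the declared kids before the loop would be safer; how `kid` is used further down `parseJWKS` is outside this hunk.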