see #13 add optional paramter that specifies algorithm to verify function
This commit is contained in:
parent
eb9a202a1d
commit
63f80fb453
2 changed files with 46 additions and 2 deletions
|
@ -49,7 +49,7 @@
|
|||
"Protocol for JonWebSignature"
|
||||
(set-alg [this alg] "Set algorithm name to JWS Header Parameter")
|
||||
(sign [this key] [this alg key] "Set signature to this token")
|
||||
(verify [this] [this key] "Verify this token"))
|
||||
(verify [this] [this key] [this algorithm key] "Verify this token"))
|
||||
|
||||
(extend-protocol JsonWebSignature
|
||||
JWT
|
||||
|
@ -76,7 +76,11 @@
|
|||
data (str (encoded-header this) "." (encoded-claims this))]
|
||||
(verify-fn key data (:signature this)))
|
||||
|
||||
:else (throw (Exception. "Unkown signature")))))))
|
||||
:else (throw (Exception. "Unkown signature")))))
|
||||
([this algorithm key]
|
||||
(if (= algorithm (-> this :header :alg keyword))
|
||||
(verify this key)
|
||||
false))))
|
||||
|
||||
; =jwt
|
||||
(defn jwt [claim] (init (->JWT "" "" "") claim))
|
||||
|
|
40
test/clj_jwt/attack_test.clj
Normal file
40
test/clj_jwt/attack_test.clj
Normal file
|
@ -0,0 +1,40 @@
|
|||
(ns clj-jwt.attack-test
|
||||
(:require
|
||||
[clj-jwt.core :refer :all]
|
||||
[clj-jwt.sign :refer :all]
|
||||
[clj-jwt.key :refer [private-key public-key]]
|
||||
[clojure.string :as str]
|
||||
[clojure.test :refer :all]))
|
||||
|
||||
(def pub-key-path "test/files/rsa/no_pass.pub.key")
|
||||
(def rsa-prv-key (private-key "test/files/rsa/no_pass.key"))
|
||||
(def rsa-pub-key (public-key pub-key-path))
|
||||
|
||||
(deftest test-algorithm->none-attack
|
||||
(let [key "secret"
|
||||
original (-> {:foo "bar"} jwt (sign :HS256 key))
|
||||
attacked (update-in original [:header :alg] (constantly "none"))]
|
||||
(testing "attack"
|
||||
(is (verify original key))
|
||||
(is (not (verify attacked key))))
|
||||
|
||||
(testing "defense"
|
||||
(is (verify original :HS256 key))
|
||||
(is (not (verify original :RS256 key)))
|
||||
(is (not (verify attacked :HS256 key))))))
|
||||
|
||||
(deftest test-rsa->hmac-attack
|
||||
(let [base (jwt {:foo "bar"})
|
||||
original (sign base :RS256 rsa-prv-key)
|
||||
hmac-sign (-> base (sign :HS256 (str/trim (slurp pub-key-path))) :signature)
|
||||
attacked (-> original
|
||||
(update-in [:header :alg] (constantly "HS256"))
|
||||
(update-in [:signature] (constantly hmac-sign)))]
|
||||
(testing "attack"
|
||||
(is (verify original rsa-pub-key))
|
||||
(is (thrown? Exception (verify attacked rsa-pub-key))))
|
||||
|
||||
(testing "defense"
|
||||
(is (verify original :RS256 rsa-pub-key))
|
||||
(is (not (verify original :HS256 rsa-pub-key)))
|
||||
(is (not (verify attacked :RS256 rsa-pub-key))))))
|
Loading…
Reference in a new issue