From d07210c4d14d712c07ac0ccbe2fbcbbe62b13c58 Mon Sep 17 00:00:00 2001
From: Shane Kilkelly
Date: Sat, 13 Sep 2014 17:23:53 +0100
Subject: [PATCH 1/2] Validating an unsigned token with a key should be false.

If the token supplied to the `verify` function is has a signature which is an empty-string, the key is ignored, presuming that the token is unsigned and that the calling code is not interested in ensuring the token has been signed. If the calling code is trying to verify that the token was signed with their secret key, it is possible for a completely unsigned token to be accepted as valid. This patch adds a check to ensure that if the token is unsigned, but a non-empty key was supplied to `validate`, then the token is considered to not be valid.
---
 src/clj_jwt/core.clj | 4 +++-
 test/clj_jwt/core_test.clj | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/clj_jwt/core.clj b/src/clj_jwt/core.clj
index 68ec02b..03227dc 100644
--- a/src/clj_jwt/core.clj
+++ b/src/clj_jwt/core.clj
@@ -68,6 +68,9 @@
 ([this key]
 (let [alg (-> this :header :alg keyword)]
 (cond
+ (and (= :none alg) (not (= "" key)))
+ false
+
 (= :none alg) (= "" (:signature this))
 
 (supported-algorithm? alg)
@@ -87,4 +90,3 @@
 (->JWT (encoded-json->map header)
 (encoded-json->map claims)
 (or signature ""))))
-
diff --git a/test/clj_jwt/core_test.clj b/test/clj_jwt/core_test.clj
index 9664f60..59ed51e 100644
--- a/test/clj_jwt/core_test.clj
+++ b/test/clj_jwt/core_test.clj
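Review bot: The new `(and (= :none alg) (not (= "" key)))` clause closes the unsigned-token gap, but the branch is still keyed entirely on the token's own `alg` header (`(-> this :header :alg keyword)` two lines above), so a caller that supplies a key has no way to state which algorithm it expects; a comment on the `:none` clause such as `;; an unsigned token is only acceptable when the caller also passed no key` would make the contract explicit, and an arity or option letting the caller pin the expected algorithm is worth a follow-up. Minor style: `(not (= "" key))` is idiomatically `(not= "" key)`, although the second patch in this series folds the clause into a single `=` and makes that moot. If `key` can be nil (the one-arity form is not visible here; presumably it passes `""`), nil is treated as a real key and the unsigned token is rejected, which is the safe direction but should be documented. The enclosing `verify` definition starts before the hunk.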
@@ -98,16 +98,19 @@
 (fact "HS256 signed JWT should be verified."
 (-> claim jwt (sign "foo") (verify "foo")) => true
 (-> claim jwt (sign "foo") to-str str->jwt (verify "foo")) => true
+ (-> claim jwt to-str str->jwt (verify "foo")) => false
 (-> claim jwt (sign "foo") (verify "bar")) => false)
 
 (fact "HS384 signed JWT should be verified."
 (-> claim jwt (sign :HS384 "foo") (verify "foo")) => true
 (-> claim jwt (sign :HS384 "foo") to-str str->jwt (verify "foo")) => true
+ (-> claim jwt to-str str->jwt (verify "foo")) => false
 (-> claim jwt (sign :HS384 "foo") (verify "bar")) => false)
 
 (fact "HS512 signed JWT should be verified."
 (-> claim jwt (sign :HS512 "foo") (verify "foo")) => true
 (-> claim jwt (sign :HS512 "foo") to-str str->jwt (verify "foo")) => true
+ (-> claim jwt to-str str->jwt (verify "foo")) => false
 (-> claim jwt (sign :HS512 "foo") (verify "bar")) => false)
 
 (fact "RS256 signed JWT should be verified."

From 63244e43301aa0f500edc8c30ebc9792d349e501 Mon Sep 17 00:00:00 2001
From: liquidz
Date: Mon, 15 Sep 2014 23:22:48 +0900
Subject: [PATCH 2/2] see #9 code refinement

---
 src/clj_jwt/core.clj | 5 +----
 test/clj_jwt/core_test.clj | 4 +---
 2 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/src/clj_jwt/core.clj b/src/clj_jwt/core.clj
index 8e0956e..9c28971 100644
--- a/src/clj_jwt/core.clj
+++ b/src/clj_jwt/core.clj
@@ -69,10 +69,7 @@
 ([this key]
 (let [alg (-> this :header :alg keyword)]
 (cond
- (and (= :none alg) (not (= "" key)))
- false
-
- (= :none alg) (= "" (:signature this))
+ (= :none alg) (= "" key (:signature this))
 
 (supported-algorithm? alg)
 (let [verify-fn (get-verify-fn alg)
diff --git a/test/clj_jwt/core_test.clj b/test/clj_jwt/core_test.clj
index a558d4c..1457e12 100644
--- a/test/clj_jwt/core_test.clj
+++ b/test/clj_jwt/core_test.clj
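Review bot: `(= "" key (:signature this))` is correct but terse enough that the intent — an `alg none` token is valid only when both the supplied key and the token's signature are empty — reads like a typo at first glance; suggest a comment above the clause: `;; unsigned token: accepted only when the caller passed no key and the token carries no signature`. The clause relies on the no-key case being the string `""`; a nil key makes the whole `=` false, so an unsigned token verified with nil is rejected, which is the safe outcome but belongs in `verify`'s docstring (outside the hunk). The following `(supported-algorithm? alg)` clause still dispatches on the algorithm named by the untrusted header, so the caller cannot assert which algorithm it expects; an optional expected-algorithm parameter would be a reasonable later change. The enclosing `verify` definition starts before the hunk.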
@@ -93,24 +93,22 @@
 (fact "Plain JWT should be verified."
 (-> claim jwt verify) => true
 (-> claim jwt to-str str->jwt verify) => true
+ (-> claim jwt to-str str->jwt (verify "foo")) => false
 (-> claim jwt (assoc :signature "foo") verify) => false)
 
 (fact "HS256 signed JWT should be verified."
 (-> claim jwt (sign "foo") (verify "foo")) => true
 (-> claim jwt (sign "foo") to-str str->jwt (verify "foo")) => true
- (-> claim jwt to-str str->jwt (verify "foo")) => false
 (-> claim jwt (sign "foo") (verify "bar")) => false)
 
 (fact "HS384 signed JWT should be verified."
 (-> claim jwt (sign :HS384 "foo") (verify "foo")) => true
 (-> claim jwt (sign :HS384 "foo") to-str str->jwt (verify "foo")) => true
- (-> claim jwt to-str str->jwt (verify "foo")) => false
 (-> claim jwt (sign :HS384 "foo") (verify "bar")) => false)
 
 (fact "HS512 signed JWT should be verified."
 (-> claim jwt (sign :HS512 "foo") (verify "foo")) => true
 (-> claim jwt (sign :HS512 "foo") to-str str->jwt (verify "foo")) => true
- (-> claim jwt to-str str->jwt (verify "foo")) => false
 (-> claim jwt (sign :HS512 "foo") (verify "bar")) => false)
 
 (fact "RS256 signed JWT should be verified."
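Review bot: Moving the unsigned-with-key assertion into the "Plain JWT" fact is the right home for it, but that fact still does not cover the combined case the new three-way `=` now decides — an `alg none` token carrying a non-empty signature while the caller also passes a key; add `(-> claim jwt (assoc :signature "foo") (verify "foo")) => false` next to the existing `(assoc :signature "foo") verify` line. If nil is a value callers can legitimately pass as the key (the one-arity form is not visible here), an assertion such as `(-> claim jwt (verify nil)) => false` would pin that an unsigned token is not accepted on a missing key rather than leaving it to the accidental behaviour of `=`.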