authorGuilhem Moulin <guilhem@fripost.org>2021-02-22 20:32:33 +0100
committerGuilhem Moulin <guilhem@fripost.org>2021-02-22 22:36:59 +0100
commit045d169339c5b973f0924269e6ca485e48de3668 (patch)
tree2e159653533e2a4a89360404e7bfa4f59d9d7bee /lacme-accountd
parent87fa9468a26c1902423839473049cd3325098c1a (diff)
lacme-accountd: Refuse to sign JWS with an invalid Protected Header.
“The JWS Protected Header is a JSON object” — RFC 7515 sec. 2. “The JWS Protected Header MUST include the following fields: - "alg" - "nonce" - "url" - either "jwk" or "kid"” — RFC 8555 sec. 6.2.
Diffstat (limited to 'lacme-accountd')
-rwxr-xr-xlacme-accountd13
1 files changed, 13 insertions, 0 deletions
diff --git a/lacme-accountd b/lacme-accountd
index 68d0f39..5478cc2 100755
--- a/lacme-accountd
+++ b/lacme-accountd
@@ -256,6 +256,19 @@ sub conn($$$) {
}
my $req = "header=base64url($header) playload=base64url($payload)";
+
+ eval { $header = JSON::->new->decode($header); };
+ if ($@ or # couldn't decode (parse error)
+ # RFC 7515: not a JSON object
+ !defined($header) or ref($header) ne "HASH" or
+ # RFC 8555 sec. 6.2: the protected Header MUST include all these fields
+ grep !defined, @$header{qw/alg nonce url/} or
+ # RFC 8555 sec. 6.2: the protected header MUST include any of these fields
+ !grep defined, @$header{qw/jwk kid/}) {
+ info("[$id] NOSIGN [invalid JWS Protected Header] ", $req);
+ last;
+ }
+
my $sig = $SIGN->($data) // panic();
logmsg(noquiet => "[$id] SIGNED ", $req);
$out->printflush( encode_base64url($sig), "\r\n" ) or warn "print: $!";
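Review bot: The last condition, `!grep defined, @$header{qw/jwk kid/}`, accepts a protected header that carries both "jwk" and "kid", although RFC 8555 sec. 6.2 declares the two fields mutually exclusive and requires servers to reject a request that contains both. Since this check gates use of the account key, it could require exactly one of them: `scalar(grep defined, @$header{qw/jwk kid/}) != 1`. The `defined` tests also pass when "alg", "nonce" or "url" decode to a nested object or array rather than a string, so an additional `ref` test on those three values would tighten the check. conn()'s body starts before and continues after this hunk, so any later use of the now-decoded `$header` is not visible here.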