diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2021-02-22 20:32:33 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2021-02-22 22:36:59 +0100 |
| commit | 045d169339c5b973f0924269e6ca485e48de3668 (patch) | |
| tree | 2e159653533e2a4a89360404e7bfa4f59d9d7bee /lacme-accountd | |
| parent | 87fa9468a26c1902423839473049cd3325098c1a (diff) | |
lacme-accountd: Refuse to sign JWS with an invalid Protected Header.
“The JWS Protected Header is a JSON object” — RFC 7515 sec. 2.
“The JWS Protected Header MUST include the following fields:
- "alg"
- "nonce"
- "url"
- either "jwk" or "kid"”
— RFC 8555 sec. 6.2.
Diffstat (limited to 'lacme-accountd')
| -rwxr-xr-x | lacme-accountd | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/lacme-accountd b/lacme-accountd index 68d0f39..5478cc2 100755 --- a/lacme-accountd +++ b/lacme-accountd @@ -256,6 +256,19 @@ sub conn($$$) { } my $req = "header=base64url($header) playload=base64url($payload)"; + + eval { $header = JSON::->new->decode($header); }; + if ($@ or # couldn't decode (parse error) + # RFC 7515: not a JSON object + !defined($header) or ref($header) ne "HASH" or + # RFC 8555 sec. 6.2: the protected Header MUST include all these fields + grep !defined, @$header{qw/alg nonce url/} or + # RFC 8555 sec. 6.2: the protected header MUST include any of these fields + !grep defined, @$header{qw/jwk kid/}) { + info("[$id] NOSIGN [invalid JWS Protected Header] ", $req); + last; + } + my $sig = $SIGN->($data) // panic(); logmsg(noquiet => "[$id] SIGNED ", $req); $out->printflush( encode_base64url($sig), "\r\n" ) or warn "print: $!"; |