From 78456fceb81d34ce9b7dbcdbf5f55a876ce36cc7 Mon Sep 17 00:00:00 2001 From: Miles Lyon Date: Fri, 24 Jun 2022 15:23:30 -0400 Subject: [PATCH] Added 'alg' check. --- .../oneedtech/inspect/vc/probe/SignatureVerifierProbe.java | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/inspector-vc/src/main/java/org/oneedtech/inspect/vc/probe/SignatureVerifierProbe.java b/inspector-vc/src/main/java/org/oneedtech/inspect/vc/probe/SignatureVerifierProbe.java index 08ad567..91f4f64 100644 --- a/inspector-vc/src/main/java/org/oneedtech/inspect/vc/probe/SignatureVerifierProbe.java +++ b/inspector-vc/src/main/java/org/oneedtech/inspect/vc/probe/SignatureVerifierProbe.java @@ -61,6 +61,10 @@ public class SignatureVerifierProbe extends Probe { JsonNode headerObj = mapper.readTree(joseHeader); //MUST be "RS256" + JsonNode alg = headerObj.get("alg"); + if(alg == null || !alg.textValue().equals("RS256")) { throw new Exception("alg must be present and must be 'RS256'"); } + + //TODO: decoded jwt will check timestamps, but shall we explicitly break these out? //Option 1, fetch directly from header JsonNode jwk = headerObj.get("jwk"); @@ -68,7 +72,7 @@ public class SignatureVerifierProbe extends Probe { //Option 2, fetch from a hosting url JsonNode kid = headerObj.get("kid"); - if(jwk == null && kid == null) { throw new Exception("asdf"); } + if(jwk == null && kid == null) { throw new Exception("Key must present in either jwk or kid value."); } if(kid != null){ //TODO @Miles load jwk JsonNode from url and do the rest the same below. Need to set up testing. String kidUrl = kid.textValue();
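Review bot: The added check at `if(alg == null || !alg.textValue().equals("RS256"))` throws a NullPointerException rather than the intended exception when `alg` is present but not a JSON string (a number, an object, or a JSON null), because Jackson's `textValue()` returns null for non-textual nodes. Checking the node type first and putting the constant on the left avoids that: `if (alg == null || !alg.isTextual() || !"RS256".equals(alg.textValue())) { throw new Exception("alg must be present and must be 'RS256'"); }`. Pinning the accepted algorithm to one value before any key material is loaded is the right defence against algorithm-confusion attacks, so the bare `//MUST be "RS256"` deserves a why-comment such as `// Reject any alg other than RS256 up front: trusting the header's alg as-is would let a token pick its own verification scheme.`. The two added blank lines after the check are likely unintentional. The enclosing method starts before and ends after this hunk.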
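Review bot: The new message at `throw new Exception("Key must present in either jwk or kid value.")` is missing a verb; `throw new Exception("Key must be present in either the jwk or kid header value.");` reads correctly. Throwing the base `Exception` type here (and in the alg check in the previous hunk) leaves callers unable to distinguish a malformed JOSE header from other failures; a more specific type such as `IllegalArgumentException` would help, though the probe's surrounding error handling is outside this hunk. The enclosing method starts before and ends after this hunk.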