fix: avoid kid clashing potential
For those JWKs which lack the kid attribute, the logic assigns one.

When parsing pubkey bundle (JWKS, a set of JWK), the previous logic
enables a clash, consider this JWK sequence:

 * {"kid": "2", "kty":"EC", "use":"sig", ... }
 * {"kty":"RS", "use":"sig", ... } -- this saves with kid=1
 * {"kty":"RS", "use":"enc", ... } -- this *overwrites* kid=2
ulidtko committed Jul 8, 2024

Verified: this commit was signed with the committer's verified signature (raimund-schluessler, Raimund Schlüßler).
1 parent a44528f commit 14d1676
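The clash described in the commit message, worked through in code. This is an added example and not jwt_tool's own code: it replays the pre-fix counter, the patched `new_kid` logic as it appears in the diff, and a string-normalised variant, on a constructed three-key JWKS. It assumes that whatever consumes the kid downstream keys on `str(kid)` (a filename or a dict keyed by the printed kid), so that int `2` and str `"2"` land in the same slot; the sample key material is placeholder text, not real keys.

```python
"""Added example (not jwt_tool's code): kid assignment for JWKS entries
that lack a "kid", replaying the clash from the commit message.

Assumption: downstream consumers key on str(kid) (e.g. a filename or a
dict keyed by the printed kid), so int 2 and str "2" are the same slot.
"""
import json

# Constructed sample JWKS following the commit message's sequence.
# kid is a JSON string, as RFC 7517 specifies; key material is placeholder text.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kid": "2", "kty": "EC", "use": "sig", "crv": "P-256", "x": "AA", "y": "AA"},
    {"kty": "RSA", "use": "sig", "n": "AA", "e": "AQAB"},
    {"kty": "RSA", "use": "enc", "n": "AA", "e": "AQAB"},
]})


def assign_kids_before(keys):
    """Pre-fix behaviour: a counter starting at 1 that ignores existing kids."""
    out, kid_bak = [], 1
    for d in keys:
        if "kid" in d:
            kid = str(d["kid"])
        else:
            kid = kid_bak
            kid_bak += 1
        out.append((kid, d))
    return out


def assign_kids_patched(keys):
    """Behaviour after the commit: next kid = 1 + max of the *int* kids seen.
    A kid that arrives as the JSON string "2" is not an int, so it is not
    counted and the counter can still land on 2."""
    out, kids_seen = [], set()
    new_kid = lambda: 1 + max([x for x in kids_seen if isinstance(x, int)], default=0)
    for d in keys:
        kid = d["kid"] if "kid" in d else new_kid()
        kids_seen.add(kid)
        out.append((kid, d))
    return out


def assign_kids_safe(keys):
    """Normalise every kid to str, collect the explicit ones up front (so a
    kid that appears later in the list is also respected), and hand out the
    smallest positive integer whose string form is not taken."""
    taken = {str(d["kid"]) for d in keys if "kid" in d}
    out, candidate = [], 1
    for d in keys:
        if "kid" in d:
            kid = str(d["kid"])
        else:
            while str(candidate) in taken:
                candidate += 1
            kid = str(candidate)
            taken.add(kid)
        out.append((kid, d))
    return out


def index_by_kid(pairs):
    """Store keys under str(kid) and report how many were overwritten."""
    store = {}
    for kid, d in pairs:
        store[str(kid)] = d
    return store, len(pairs) - len(store)


def kids_for(assigner, jwks_json=SAMPLE_JWKS):
    """The kid sequence an assigner produces for a JWKS document, as strings."""
    return [str(k) for k, _ in assigner(json.loads(jwks_json)["keys"])]


def demo(jwks_json=SAMPLE_JWKS):
    """Number of keys lost to kid collisions under each assignment strategy."""
    keys = json.loads(jwks_json)["keys"]
    return {name: index_by_kid(fn(keys))[1]
            for name, fn in (("before", assign_kids_before),
                             ("patched", assign_kids_patched),
                             ("safe", assign_kids_safe))}


if __name__ == "__main__":
    for name, fn in (("before", assign_kids_before),
                     ("patched", assign_kids_patched),
                     ("safe", assign_kids_safe)):
        print(name, kids_for(fn), "lost:", demo()[name])
```

Running it shows both the pre-fix counter and the patched `new_kid` produce the sequence `2, 1, 2` for this input, so one key is silently overwritten once kids are stringified; the normalised variant yields `2, 1, 3` and loses nothing. Collecting the explicit kids before the loop is what makes the result independent of key order.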
Showing 1 changed file with 4 additions and 6 deletions.
10 changes: 4 additions & 6 deletions jwt_tool.py
@@ -979,15 +979,13 @@ def parseJWKS(jwksfile):
try:
keyLen = len(jwksDict["keys"])
cprintc("Number of keys: "+str(keyLen), "cyan")
kid_bak = 1
kids_seen = set()
new_kid = lambda: 1 + max([x for x in kids_seen if isinstance(x, int)], default=0)
any1valid = False
for d in jwksDict["keys"]:
cprintc("\n--------", "white")
if 'kid' in d:
kid = str(d["kid"])
else:
kid = kid_bak
kid_bak += 1
kid = d['kid'] if 'kid' in d else new_kid()
kids_seen.add(kid)
cprintc(f"Key kid {kid}", "cyan")
for k, v in d.items():
cprintc(f"[+] {k} = {v}", "green")
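Review bot: the `isinstance(x, int)` filter in `new_kid` at the top of the hunk means a kid that arrives as a JSON string is never counted, so for the commit message's own sequence (`{"kid": "2", ...}` first) `new_kid()` still returns 1 and then 2; the set keeps int `2` and str `"2"` apart, but anything that later stringifies the kid (the removed `kid = str(d["kid"])` suggests the rest of `parseJWKS` did) collides exactly as before. Suggest normalising before comparing, e.g. collecting `{str(d["kid"]) for d in jwksDict["keys"] if "kid" in d}` before the loop and advancing a counter while `str(candidate)` is in that set; collecting up front also covers an explicit kid that appears later in the list than the auto-assigned one, which the seen-so-far set cannot. Dropping the `str()` also changes the type of `kid` for the code that follows, which is worth checking.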
