oic-auth-plugin

Unexpected signing algorithm PS512 after the last updates

Open tuxmaster5000 opened this issue 1 year ago • 6 comments

Jenkins and plugins versions report

Environment
OS: Linux - 5.14.0-427.35.1.el9_4.x86_64
Java: 21.0.4 - Red Hat, Inc. (OpenJDK 64-Bit Server VM)
---
active-directory:2.36
analysis-model-api:12.7.0
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
apache-httpcomponents-client-5-api:5.4-118.v199115451c4d
asm-api:9.7-33.v4d23ef79fcc8
atlassian-bitbucket-server-integration:4.0.0
authentication-tokens:1.119.v50285141b_7e1
aws-credentials:231.v08a_59f17d742
aws-java-sdk-ec2:1.12.767-467.vb_e93f0c614b_6
aws-java-sdk-minimal:1.12.767-467.vb_e93f0c614b_6
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.78.1-248.ve27176eb_46cb_
branch-api:2.1178.v969d9eb_c728e
build-timeout:1.33
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.2.1
cloudbees-folder:6.955.v81e2a_35c08d3
command-launcher:115.vd8b_301cc15d0
commons-lang3-api:3.17.0-84.vb_b_938040b_078
commons-text-api:1.12.0-129.v99a_50df237f7
credentials:1380.va_435002fa_924
credentials-binding:681.vf91669a_32e45
data-tables-api:2.1.6-1
display-url-api:2.204.vf6fddd8a_8b_e9
docker-commons:443.v921729d5611d
docker-workflow:580.vc0c340686b_54
durable-task:577.v2a_8a_4b_7c0247
echarts-api:5.5.1-1
eddsa-api:0.3.0-4.v84c6f0f4969e
email-ext:1844.v3ea_a_b_842374a_
external-monitor-job:215.v2e88e894db_f8
favorite:2.221.v19ca_666b_62f5
font-awesome-api:6.6.0-2
forensics-api:2.6.0
git:5.5.1
git-client:6.0.0
git-forensics:2.2.1
git-server:126.v0d945d8d2b_39
gson-api:2.11.0-41.v019fcf6125dc
handy-uri-templates-2-api:2.1.8-30.v7e777411b_148
htmlpublisher:1.36
instance-identity:201.vd2a_b_5a_468a_a_6
ionicons-api:74.v93d5eb_813d5f
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javax-activation-api:1.2.0-7
javax-mail-api:1.6.2-10
jaxb:2.3.9-1
jdk-tool:80.v8a_dee33ed6f0
jenkins-design-language:1.27.16
joda-time-api:2.13.0-85.vb_64d1c2921f1
jquery3-api:3.7.1-2
jsch:0.2.16-86.v42e010d9484b_
json-api:20240303-41.v94e11e6de726
json-path-api:2.9.0-58.v62e3e85b_a_655
junit:1302.va_b_878c32eb_b_5
ldap:756.v2f20b_801f120
lockable-resources:1315.v4ea_8e5159ec8
mailer:488.v0c9639c1a_eb_3
matrix-auth:3.2.2
matrix-project:838.v4d7b_7b_f9b_d4b_
mina-sshd-api-common:2.13.2-125.v200281b_61d59
mina-sshd-api-core:2.13.2-125.v200281b_61d59
nodelabelparameter:1.12.0
oic-auth:4.354.v321ce67a_1de8
pam-auth:1.11
periodicbackup:2.0
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-groovy-lib:730.ve57b_34648c63
pipeline-input-step:495.ve9c153f6067b_
pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2214.vb_b_34b_2ea_9b_83
pipeline-model-definition:2.2214.vb_b_34b_2ea_9b_83
pipeline-model-extensions:2.2214.vb_b_34b_2ea_9b_83
pipeline-rest-api:2.34
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2214.vb_b_34b_2ea_9b_83
pipeline-stage-view:2.34
plain-credentials:183.va_de8f1dd5a_2b_
plugin-util-api:5.1.0
prism-api:1.29.0-17
pubsub-light:1.18
pyenv-pipeline:2.1.2
resource-disposer:0.24
role-strategy:743.v142ea_b_d5f1d3
saferestart:0.7
scm-api:696.v778d637b_a_762
script-security:1362.v67dc1f0e1b_b_3
sidebar-update-notification:1.1.0
snakeyaml-api:2.3-123.v13484c65210a_
sse-gateway:1.27
ssh-credentials:343.v884f71d78167
ssh-slaves:2.973.v0fa_8c0dea_f9f
sshd:3.330.vc866a_8389b_58
structs:338.v848422169819
timestamper:1.27
token-macro:400.v35420b_922dcb_
trilead-api:2.147.vb_73cc728a_32e
variant:60.v7290fc0eb_b_cd
warnings-ng:11.9.0
workflow-aggregator:600.vb_57cdd26fdd7
workflow-api:1336.vee415d95c521
workflow-basic-steps:1058.vcb_fc1e3a_21a_9
workflow-cps:3969.vdc9d3a_efcc6a_
workflow-durable-task-step:1371.vb_7cec8f3b_95e
workflow-job:1436.vfa_244484591f
workflow-multibranch:795.ve0cb_1f45ca_9a_
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:678.v3ee58b_469476
workflow-support:926.v9f4f9b_b_98c19
ws-cleanup:0.46

What Operating System are you using (both controller, and any agents involved in the problem)?

RedHat 8+9

Reproduction steps

  1. try to log in

Expected Results

working login like before

Actual Results

Stack trace with: 2024-10-02T13:25:41+0200 jenkins[4112324]: com.google.api.client.auth.openidconnect.IdTokenVerifier$VerificationException: Unexpected signing algorithm PS512: expected either RS256 or ES256
2024-10-02T13:25:41+0200 jenkins[4112324]: at PluginClassLoader for oic-auth//com.google.api.client.auth.openidconnect.IdTokenVerifier.verifySignature(IdTokenVerifier.java:329)
2024-10-02T13:25:41+0200 jenkins[4112324]: at PluginClassLoader for oic-auth//com.google.api.client.auth.openidconnect.IdTokenVerifier.verifyOrThrow(IdTokenVerifier.java:284)
2024-10-02T13:25:41+0200 jenkins[4112324]: at PluginClassLoader for oic-auth//org.jenkinsci.plugins.oic.OicJsonWebTokenVerifier.verifyIdToken(OicJsonWebTokenVerifier.java:71)

Anything else?

Both algorithms have security problems. Only for PS512 is nothing problematic known. The RS suites are potentially vulnerable and the ES suites are based on the NIST curves. See https://www.scottbrady91.com/jose/jwts-which-signing-algorithm-should-i-use https://safecurves.cr.yp.to/

Are you interested in contributing a fix?

No response

tuxmaster5000 avatar Oct 02 '24 11:10 tuxmaster5000

Both algorithms have security problems. Only for PS512 is nothing problematic known.

Due to the security flow we are using, and because tokens are coming from TLS-protected servers, the signature (or lack thereof) should not affect the security.
https://github.com/jenkinsci/oic-auth-plugin/pull/409 may well solve the failure to login (but does not offer a way to set a preferred algorithm)

Can you confirm the most recent working version please, and whether you use manual or auto-configuration?

jtnord avatar Oct 02 '24 14:10 jtnord

I am using the latest version offered. Do you mean automatic/manual? ‘Discovery via well-known endpoint’ is selected and stored as the configuration mode.

tuxmaster5000 avatar Oct 08 '24 04:10 tuxmaster5000

I am using the latest version offered. Do you mean automatic/manual?

I mean which was the last version to not have this error. (does this actually prevent you logging in?)

jtnord avatar Oct 09 '24 16:10 jtnord

The warning (error logging in?) may be addressed by https://github.com/jenkinsci/oic-auth-plugin/releases/tag/4.388.v4f73328eb_d2c and above.

There is still no UI to be able to select a preferred algorithm though.

jtnord avatar Oct 11 '24 14:10 jtnord

The update of the add-on will fix it. @jtnord There must be no UI settings because, like under TLS, the client and server must only have an algorithm that is known by both. From my side I think that https://github.com/jenkinsci/oic-auth-plugin/pull/409 has fixed it.

tuxmaster5000 avatar Oct 14 '24 05:10 tuxmaster5000

The update of the add-on will fix it. @jtnord There must be no UI settings because, like under TLS, the client and server must only have an algorithm that is known by both. From my side I think that #409 has fixed it.

I would disagree that this must not be implemented, and you can solve this multiple ways.

  1. disable (block) certain algorithms (so that they will not be available)
  2. allow only certain algorithms (allowing just one would be a special case)
  3. set a preferred algorithm

If a user wants to restrict the algorithms (using 1 or 2) it would be perfectly valid for them to do so. This is done daily by millions of TLS clients/servers! Just like TLS, if the user has said "Use X or Y" and neither is available, things will not work, but that would be an advanced option that expects users to actually understand what they are doing.

Option 3 is just a preference, so it makes little sense to me: if you can fall back to something else (less secure) and you are happy with that, what is the point of saying "I want X" to begin with? You should just allow multiple things, and the order of them should be important.

jtnord avatar Oct 28 '24 10:10 jtnord
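An added example, not code from oic-auth-plugin or from google-api-client, that shows what the three options jtnord lists (block list, allow list, preference order) look like when applied to an OIDC ID token before signature verification, negotiated against the `id_token_signing_alg_values_supported` list a provider publishes at its well-known discovery endpoint. The discovery fragment and the test tokens are constructed here; the error message mirrors the one in the stack trace above. Signature verification itself is deliberately out of scope; the point is the algorithm policy that runs first on the JWT header and that fails closed (no common algorithm means no login rather than a silent downgrade), which is what the TLS comparison in the thread is about.

```python
"""Added example: signing-algorithm policy for OIDC ID tokens.

Not the plugin's or google-api-client's code. Illustrates an ordered
allow list, a block list and negotiation against the provider's
advertised algorithms, plus the header check that precedes any
signature verification.
"""
import base64
import json

# Constructed discovery-document fragment (assumption: the shape of a
# provider's /.well-known/openid-configuration response). Real values vary.
DISCOVERY = {
    "issuer": "https://idp.example.invalid",
    "id_token_signing_alg_values_supported": ["RS256", "PS512", "ES256"],
}

# Never acceptable regardless of configuration: an unsigned token.
ALWAYS_REJECT = {"none"}


def negotiate(client_allowed, provider_supported, blocked=()):
    """Return the client's allowed algs, in client preference order,
    that the provider also supports, minus anything blocked.

    Like TLS cipher-suite negotiation: the order of `client_allowed` is the
    client's preference (option 3), `client_allowed` itself is the allow
    list (option 2) and `blocked` is the block list (option 1). An empty
    result means there is no common algorithm and login must fail.
    """
    blocked = set(blocked) | ALWAYS_REJECT
    supported = set(provider_supported)
    return [a for a in client_allowed if a in supported and a not in blocked]


def _b64url_decode(seg):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def header_alg(id_token):
    """Extract the `alg` value from a compact-serialised JWT header."""
    header = json.loads(_b64url_decode(id_token.split(".")[0]))
    alg = header.get("alg")
    if not isinstance(alg, str):
        raise ValueError("JWT header has no string 'alg'")
    return alg


def check_token_alg(id_token, acceptable):
    """Policy gate that runs before any signature check.

    Returns the algorithm if it is in `acceptable`; otherwise raises with a
    message in the same spirit as the verifier error quoted in the issue.
    """
    alg = header_alg(id_token)
    if alg in ALWAYS_REJECT or alg not in acceptable:
        raise ValueError(
            f"Unexpected signing algorithm {alg}: expected one of "
            f"{', '.join(acceptable)}"
        )
    return alg


def make_test_token(alg, payload):
    """Constructed header.payload token with an empty signature segment.

    Only used to exercise the header policy; nothing here signs or verifies.
    """
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc(payload)}."


if __name__ == "__main__":
    # A client that prefers PS512 but also accepts ES256 and RS256.
    acceptable = negotiate(["PS512", "ES256", "RS256"],
                           DISCOVERY["id_token_signing_alg_values_supported"])
    print("negotiated:", acceptable)
    tok = make_test_token("PS512", {"iss": DISCOVERY["issuer"], "sub": "u1"})
    print("accepted alg:", check_token_alg(tok, acceptable))
    # A verifier that accepts only RS256/ES256 rejects the same token:
    try:
        check_token_alg(tok, ["RS256", "ES256"])
    except ValueError as e:
        print("rejected:", e)
```

Run it as a script to see a PS512 token pass an ordered allow list that includes PS512 and fail one limited to RS256/ES256. Anything that makes it past `check_token_alg` must still have its signature verified with the key matching the `kid` in the header; the policy here only decides which algorithms are worth verifying against at all.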