python-jose

[SECURITY] Algorithm Confusion Through kid Header

Open paragonie-security opened this issue 4 years ago • 0 comments

Starting here:

https://github.com/mpdavis/python-jose/blob/be8e914a63e8940cd34ac0f5a066d114f10dad48/jose/jws.py#L250-L258

This correctly rejects invalid alg headers, as JWT implementations MUST do to be secure.

https://github.com/mpdavis/python-jose/blob/be8e914a63e8940cd34ac0f5a066d114f10dad48/jose/jws.py#L259-L262

However, the algorithm associated with the key returned from _get_keys() is not validated.

https://github.com/mpdavis/python-jose/blob/be8e914a63e8940cd34ac0f5a066d114f10dad48/jose/jws.py#L217-L247

Which is unfortunate, since the underlying verify method expects a Key object with the alg specified:

https://github.com/mpdavis/python-jose/blob/be8e914a63e8940cd34ac0f5a066d114f10dad48/jose/jws.py#L207-L208

Consequently, it's possible to use a set of keys with mismatching algorithms (i.e. in frameworks that consume this library), which would in turn make those libraries susceptible to algorithm confusion (see also: the HS256/RS256 attack from a few years ago).

This is identical to the problem in https://github.com/firebase/php-jwt/issues/351 https://seclists.org/fulldisclosure/2021/Aug/14

Note: This particular sharp edge isn't covered by the JWT Best Practices RFC.

paragonie-security, Aug 20 '21 00:08
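
The check the issue describes as missing, shown as an added example that is not python-jose code and not part of the original report: each `kid` is bound to one algorithm, and the header `alg` must match that binding before any signature is computed. `KEYSET`, `VERIFIERS`, `select_key`, `verify` and `make_token` are hypothetical names, the keys are constructed, and only HS256 is implemented so the block runs on the standard library.

```python
import base64
import hashlib
import hmac
import json

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed key set: every kid is bound to exactly one algorithm.
KEYSET = {
    "hmac-1": {"alg": "HS256", "key": b"constructed-shared-secret"},
    "rsa-1": {"alg": "RS256", "key": b"(constructed placeholder for an RSA public key)"},
}
# Algorithms this sketch accepts; RS256 needs a crypto library and is left out.
VERIFIERS = {"HS256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest()}

class AlgorithmMismatch(Exception):
    """Header alg differs from the algorithm the selected key is bound to."""

def select_key(header: dict) -> dict:
    alg = header.get("alg")
    if alg not in VERIFIERS:  # allowlist on the header alg alone
        raise ValueError(f"algorithm {alg!r} not allowed")
    entry = KEYSET.get(header.get("kid"))
    if entry is None:
        raise KeyError("unknown kid")
    if entry["alg"] != alg:  # the per-key check the issue says is not performed
        raise AlgorithmMismatch(f"kid is bound to {entry['alg']}, header says {alg}")
    return entry

def verify(token: str) -> dict:
    head, body, sig = token.split(".")
    entry = select_key(json.loads(b64u_dec(head)))
    expected = VERIFIERS[entry["alg"]](entry["key"], f"{head}.{body}".encode())
    if not hmac.compare_digest(expected, b64u_dec(sig)):
        raise ValueError("signature verification failed")
    return json.loads(b64u_dec(body))

def make_token(header: dict, claims: dict, key: bytes) -> str:
    """Build an HMAC-SHA256 token; used only to produce constructed test input."""
    head, body = b64u(json.dumps(header).encode()), b64u(json.dumps(claims).encode())
    signing_input = f"{head}.{body}".encode()
    return f"{head}.{body}." + b64u(hmac.new(key, signing_input, hashlib.sha256).digest())
```

A token whose header says HS256 but whose `kid` selects the RS256 entry passes the allowlist and is stopped only by the per-key comparison in `select_key`.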