haproxy

RepoMirrors/haproxy

Fork 0

mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-01-03 10:42:07 +00:00

Commit Graph

Author	SHA1	Message	Date
Remi Tricot-Le Breton	5a8f02ae66	BUG/MEDIUM: jwt: Properly process ecdsa signatures (concatenated R and S params) When the JWT token signature is using ECDSA algorithm (ES256 for instance), the signature is a direct concatenation of the R and S parameters instead of OpenSSL's DER format (see section 3.4 of RFC7518). The code that verified the signatures wrongly assumed that they came in OpenSSL's format and it did not actually work. We now have the extra step of converting the signature into a complete ECDSA_SIG that can be fed into OpenSSL's digest verification functions. The ECDSA signatures in the regtest had to be recalculated and it was made via the PyJWT python library so that we don't end up checking signatures that we built ourselves anymore. This patch should fix GitHub issue #2001. It should be backported up to branch 2.5.	2023-01-18 16:18:31 +01:00

Author

SHA1

Message

Date

Remi Tricot-Le Breton

5a8f02ae66

BUG/MEDIUM: jwt: Properly process ecdsa signatures (concatenated R and S params)

When the JWT token signature is using ECDSA algorithm (ES256 for
instance), the signature is a direct concatenation of the R and S
parameters instead of OpenSSL's DER format (see section
3.4 of RFC7518).
The code that verified the signatures wrongly assumed that they came in
OpenSSL's format and it did not actually work.
We now have the extra step of converting the signature into a complete
ECDSA_SIG that can be fed into OpenSSL's digest verification functions.

The ECDSA signatures in the regtest had to be recalculated and it was
made via the PyJWT python library so that we don't end up checking
signatures that we built ourselves anymore.

This patch should fix GitHub issue #2001.
It should be backported up to branch 2.5.

2023-01-18 16:18:31 +01:00

1 Commits