mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-23 04:42:28 +00:00
5a8f02ae66
When the JWT token signature is using ECDSA algorithm (ES256 for instance), the signature is a direct concatenation of the R and S parameters instead of OpenSSL's DER format (see section 3.4 of RFC7518). The code that verified the signatures wrongly assumed that they came in OpenSSL's format and it did not actually work. We now have the extra step of converting the signature into a complete ECDSA_SIG that can be fed into OpenSSL's digest verification functions. The ECDSA signatures in the regtest had to be recalculated and it was made via the PyJWT python library so that we don't end up checking signatures that we built ourselves anymore. This patch should fix GitHub issue #2001. It should be backported up to branch 2.5.
23 lines
409 B
Python
Executable File
23 lines
409 B
Python
Executable File
#!/usr/bin/python
|
|
|
|
# JWT package can be installed via 'pip install pyjwt' command
|
|
|
|
import sys
|
|
import jwt
|
|
import json
|
|
|
|
if len(sys.argv) != 4:
|
|
print(sys.argv[0],"<alg> <json_to_sign> <priv_key>")
|
|
quit()
|
|
|
|
|
|
alg=sys.argv[1]
|
|
json_to_sign=sys.argv[2]
|
|
priv_key_file=sys.argv[3]
|
|
|
|
with open(priv_key_file) as file:
|
|
priv_key = file.read()
|
|
|
|
print(jwt.encode(json.loads(json_to_sign),priv_key,algorithm=alg))
|
|
|