corner case: Tokens with no signature block should not pass

That is to say if they have alg!=none Signed-off-by: Ben Collins <[email protected]>
benmcollins · Jan 12, 2025 · d8252ce · d8252ce
1 parent 1b784bd
commit d8252ce
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 2 deletions.
diff --git a/libjwt/jwt-verify.c b/libjwt/jwt-verify.c
@@ -73,9 +73,11 @@ static int jwt_parse_head(jwt_t *jwt, char *head)
 			jwt_write_error(jwt, "Invalid ALG: [%s]", alg);
 			return 1;
 		}
+
+		return 0;
 	}
 
-	return 0;
+	return 1;
 }
 
 int jwt_parse(jwt_t *jwt, const char *token, unsigned int *len)
@@ -130,7 +132,8 @@ static int __verify_config_post(jwt_t *jwt, const jwt_config_t *config,
 				unsigned int sig_len)
 {
 	if (!sig_len) {
-		if (config->key || config->alg != JWT_ALG_NONE) {
+		if (config->key || config->alg != JWT_ALG_NONE ||
+		    jwt->alg != JWT_ALG_NONE) {
 			jwt_write_error(jwt,
 				"Expected a signature, but JWT has none");
 			return 1;
@@ -140,6 +143,11 @@ static int __verify_config_post(jwt_t *jwt, const jwt_config_t *config,
 	}
 
 	/* Signature is known to be present from this point */
+	if (jwt->alg == JWT_ALG_NONE) {
+		jwt_write_error(jwt, "JWT has alg, but no signature block");
+		return 1;
+	}
+
 	if (config->key == NULL) {
 		jwt_write_error(jwt,
 			"JWT has signature, but no key was given");

diff --git a/tests/jwt_checker.c b/tests/jwt_checker.c
@@ -679,6 +679,37 @@ START_TEST(header_str_addgetdel)
 }
 END_TEST
 
+START_TEST(verify_ps256_nosig)
+{
+	jwt_checker_auto_t *checker = NULL;
+	const char token[] = "eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG1pbiI"
+		"6ZmFsc2UsImlhdCI6MTczNjY5NDU5NCwiaXNzIjoiaHR0cHM6Ly9zd2lzc2Rp"
+		"c2suY29tIiwidXNlciI6ImJlbmNvbGxpbnMifQ.";
+	int ret;
+
+	SET_OPS();
+
+	checker = jwt_checker_new();
+	ck_assert_ptr_nonnull(checker);
+	ck_assert_int_eq(jwt_checker_error(checker), 0);
+
+	ret = jwt_checker_setclaims(checker, JWT_CLAIM_NONE);
+	ck_assert_int_eq(ret, 0);
+
+	read_json("rsa_pss_key_2048.json");
+
+	ret = jwt_checker_setkey(NULL, JWT_ALG_PS256, g_item);
+	ck_assert_int_ne(ret, 0);
+
+	ret = jwt_checker_verify(checker, token);
+	ck_assert_int_ne(ret, 0);
+	ck_assert_str_eq(jwt_checker_error_msg(checker),
+			 "Expected a signature, but JWT has none");
+
+	free_key();
+}
+END_TEST
+
 static Suite *libjwt_suite(const char *title)
 {
 	Suite *s;
@@ -723,6 +754,10 @@ static Suite *libjwt_suite(const char *title)
 	tcase_add_loop_test(tc_core, header_str_addgetdel, 0, i);
 	suite_add_tcase(s, tc_core);
 
+	tc_core = tcase_create("Corner cases");
+	tcase_add_loop_test(tc_core, verify_ps256_nosig, 0, i);
+	suite_add_tcase(s, tc_core);
+
 	return s;
 }