Rfc7797 prohibit in jwt (#424)
* Do away with draining, discard error if write fails

* Prohibit b64 = false for JWTs
lestrrat committed Jul 30, 2021
1 parent 52266f3 commit a016461
Showing 2 changed files with 29 additions and 0 deletions.
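--- a/jwt/jwt_test.go
+++ b/jwt/jwt_test.go
@@ -1060,3 +1060,22 @@ func TestNested(t *testing.T) {
 }
 _ = parsed
 }
+
+func TestRFC7797(t *testing.T) {
+key, err := jwxtest.GenerateRsaKey()
+if !assert.NoError(t, err, `jwxtest.GenerateRsaKey should succeed`) {
+return
+}
+
+hdrs := jws.NewHeaders()
+hdrs.Set("b64", false)
+hdrs.Set("crit", "b64")
+
+token := jwt.New()
+token.Set(jwt.AudienceKey, `foo`)
+
+_, err = jwt.Sign(token, jwa.RS256, key, jwt.WithJwsHeaders(hdrs))
+if !assert.Error(t, err, `jwt.Sign should fail`) {
+return
+}
+}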
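Review bot: The return values of `hdrs.Set("b64", false)`, `hdrs.Set("crit", "b64")` and `token.Set(jwt.AudienceKey, ...)` are discarded, so if any of them rejects its value the test silently signs a differently-shaped token than the one it means to exercise. RFC 7515 defines `crit` as an array of strings, so the string value passed here may be rejected or stored verbatim depending on how the jws header validation treats it — worth confirming, and `[]string{"b64"}` would match the specification either way. Guarding each call in the style already used for GenerateRsaKey, e.g. `if !assert.NoError(t, hdrs.Set("b64", false), "set b64") { return }`, keeps the test honest about which headers actually reached jwt.Sign.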
10 changes: 10 additions & 0 deletions jwt/serialize.go
Expand Up @@ -147,6 +147,16 @@ func (s *jwsSerializer) Serialize(ctx SerializeCtx, v interface{}) (interface{},
if err := setTypeOrCty(ctx, hdrs); err != nil {
return nil, err // this is already wrapped
}

// JWTs MUST NOT use b64 = false
// https://datatracker.ietf.org/doc/html/rfc7797#section-7
if v, ok := hdrs.Get("b64"); ok {
if bval, bok := v.(bool); bok {
if !bval { // b64 = false
return nil, errors.New(`b64 cannot be false for JWTs`)
}
}
}
return jws.Sign(payload, s.alg, s.key, jws.WithHeaders(hdrs))
}
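Review bot: The new check at `if bval, bok := v.(bool); bok` lets a non-boolean `b64` value fall through to jws.Sign untouched, although RFC 7797 defines the parameter as a JSON boolean, so a string "false" or any other type is malformed and should be rejected here rather than forwarded. The rewrite below collapses the nesting and reports the type problem as its own error so the "cannot be false" message stays accurate. Serialize's body begins before this hunk, so where `hdrs` comes from is not visible here. This check guards signing only; whether the parse path rejects b64 = false for JWTs is not shown in this commit and may warrant a matching test.

```go
	// JWTs MUST NOT use b64 = false
	// https://datatracker.ietf.org/doc/html/rfc7797#section-7
	if v, ok := hdrs.Get("b64"); ok {
		bval, bok := v.(bool)
		if !bok {
			return nil, errors.New(`b64 header must be a boolean`)
		}
		if !bval {
			return nil, errors.New(`b64 cannot be false for JWTs`)
		}
	}
	// … unchanged: jws.Sign call …
```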

