fix(jans-auth-server): corrected jarm isuue #310 (#773)

* fix: none signature algorithm jarm issue 310 Fix to ensure none signature algorithm JARM issue #310 * fix: none signature algorithm jarm issue no 310 fix to ensure rejecting none signature algorithm JARM issue no 310 * fix: none signature algorithm JARM issue no 310 fix to ensure rejection of none signature algorithm for JARM issue no 310
JanssenProject · Feb 7, 2022 · e1cdc19 · e1cdc19
1 parent 57664b0
commit e1cdc19
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/jwe/JweDecrypterImpl.java b/jans-auth-server/model/src/main/java/io/jans/as/model/jwe/JweDecrypterImpl.java
@@ -12,6 +12,7 @@
 import com.nimbusds.jwt.SignedJWT;
 import io.jans.as.model.crypto.encryption.BlockEncryptionAlgorithm;
 import io.jans.as.model.crypto.encryption.KeyEncryptionAlgorithm;
+import io.jans.as.model.crypto.signature.SignatureAlgorithm;
 import io.jans.as.model.exception.InvalidJweException;
 import io.jans.as.model.exception.InvalidJwtException;
 import io.jans.as.model.jwt.Jwt;
@@ -36,6 +37,14 @@ public class JweDecrypterImpl extends AbstractJweDecrypter {
 
     private PrivateKey privateKey;
     private byte[] sharedSymmetricKey;
+    private boolean fapi;
+
+    public boolean isFapi() {
+        return fapi;
+    }
+    public void setFapi(boolean fapi) {
+        this.fapi = fapi;
+    }
 
     public JweDecrypterImpl(byte[] sharedSymmetricKey) {
         if (sharedSymmetricKey != null) {
@@ -109,6 +118,7 @@ public Jwe decrypt(String encryptedJwe) throws InvalidJweException {
                 jwe.setClaims(jwt.getClaims());
             } else {
                 final String base64encodedPayload = encryptedJwt.getPayload().toString();
+                validateNestedJwt(base64encodedPayload);
                 jwe.setClaims(new JwtClaims(base64encodedPayload));
             }
 
@@ -117,4 +127,11 @@ public Jwe decrypt(String encryptedJwe) throws InvalidJweException {
             throw new InvalidJweException(e);
         }
     }
-}
+
+    private void validateNestedJwt(String base64encodedPayload) throws InvalidJwtException {
+        final Jwt jwt = Jwt.parseSilently(base64encodedPayload);
+        if (jwt != null && jwt.getHeader().getSignatureAlgorithm() == SignatureAlgorithm.NONE && isFapi()) {
+            throw new InvalidJwtException("The None algorithm in nested JWT is not allowed for FAPI");
+        }
+    }
+}
diff --git a/...erver/server/src/main/java/io/jans/as/server/model/authorize/JwtAuthorizationRequest.java b/...erver/server/src/main/java/io/jans/as/server/model/authorize/JwtAuthorizationRequest.java
@@ -144,6 +144,7 @@ public JwtAuthorizationRequest(AppConfiguration appConfiguration, AbstractCrypto
                     ClientService clientService = CdiUtil.bean(ClientService.class);
                     jweDecrypter = new JweDecrypterImpl(clientService.decryptSecret(client.getClientSecret()).getBytes(StandardCharsets.UTF_8));
                 }
+                jweDecrypter.setFapi(appConfiguration.getFapiCompatibility());                
                 jweDecrypter.setKeyEncryptionAlgorithm(keyEncryptionAlgorithm);
                 jweDecrypter.setBlockEncryptionAlgorithm(blockEncryptionAlgorithm);