From 31f7a040c289e7fd389a0083803f2998bf62b660 Mon Sep 17 00:00:00 2001 From: Filip Skokan Date: Thu, 7 Nov 2019 17:43:33 +0100 Subject: [PATCH] fix: use sha512 for Ed25519 and shake256 for Ed448 ID Token _hash claims --- lib/client.js | 48 +++++++++++++++++++++++++----------------------- package.json | 2 +- 2 files changed, 26 insertions(+), 24 deletions(-) diff --git a/lib/client.js b/lib/client.js index 06c28355..3b652ec9 100644 --- a/lib/client.js +++ b/lib/client.js @@ -791,6 +791,18 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base }); } + let key; + + if (header.alg.startsWith('HS')) { + key = await this.joseSecret(); + } else if (header.alg !== 'none') { + key = await this.issuer.key(header); + } + + if (header.alg !== 'none' && !key) { + throw new RPError('could not find a key to validate the signature with'); + } + if (returnedBy === 'authorization') { if (!payload.at_hash && tokenSet.access_token) { throw new RPError({ @@ -809,30 +821,28 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base if (!state) { throw new TypeError('cannot verify s_hash, "checks.state" property not provided'); } - if (!tokenHash(payload.s_hash, state, header.alg)) { - throw new RPError({ - printf: ['s_hash mismatch, expected %s, got: %s', tokenHash.generate(state, header.alg), payload.s_hash], - jwt: idToken, - }); + + try { + tokenHash.validate({ claim: 's_hash', source: 'state' }, payload.s_hash, state, header.alg, key && key.crv); + } catch (err) { + throw new RPError({ message: err.message, jwt: idToken }); } } } if (tokenSet.access_token && payload.at_hash !== undefined) { - if (!tokenHash(payload.at_hash, tokenSet.access_token, header.alg)) { - throw new RPError({ - printf: ['at_hash mismatch, expected %s, got: %s', tokenHash.generate(tokenSet.access_token, header.alg), payload.at_hash], - jwt: idToken, - }); + try { + tokenHash.validate({ claim: 'at_hash', source: 'access_token' }, payload.at_hash, tokenSet.access_token, header.alg, key && key.crv); + } catch (err) { + throw new RPError({ message: err.message, jwt: idToken }); } } if (tokenSet.code && payload.c_hash !== undefined) { - if (!tokenHash(payload.c_hash, tokenSet.code, header.alg)) { - throw new RPError({ - printf: ['c_hash mismatch, expected %s, got: %s', tokenHash.generate(tokenSet.code, header.alg), payload.c_hash], - jwt: idToken, - }); + try { + tokenHash.validate({ claim: 'c_hash', source: 'code' }, payload.c_hash, tokenSet.code, header.alg, key && key.crv); + } catch (err) { + throw new RPError({ message: err.message, jwt: idToken }); } } @@ -840,14 +850,6 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base return tokenSet; } - let key; - - if (header.alg.startsWith('HS')) { - key = await this.joseSecret(); - } else { - key = await this.issuer.key(header); - } - try { jose.JWS.verify(idToken, key); } catch (err) { diff --git a/package.json b/package.json index 48230d26..5a7bdbad 100644 --- a/package.json +++ b/package.json @@ -46,7 +46,7 @@ "lru-cache": "^5.1.1", "make-error": "^1.3.5", "object-hash": "^2.0.0", - "oidc-token-hash": "^3.0.2", + "oidc-token-hash": "^4.0.0", "p-any": "^2.1.0" }, "devDependencies": {