rust-spiffe: make sure that the claims returned by the validation operation are as expected #290

hug-dev · 2020-11-26T17:52:27Z

This is an issue for the rust-spiffe repository when the JWT-SVID feature is merged in.

The ValidateJWTSVID operation returns the claims of the JWT-SVID. The validation function should make sure that those are the same than the one contained in the JWT-SVID being validated.

Because the Workload API endpoint is currently trusted, an attacker could return the SPIFFE ID that they want and then access all possible keys.

#289 would fix this as well.

The text was updated successfully, but these errors were encountered:

hug-dev · 2021-06-22T10:00:35Z

Opened here

hug-dev added security Issues related to the security and privacy of the service multitenancy Getting Parsec to provide isolated key stores for multiple clients based on an identity mechanism labels Nov 26, 2020

ionut-arm added the small Effort label label Feb 3, 2021

hug-dev closed this as completed Jun 22, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

rust-spiffe: make sure that the claims returned by the validation operation are as expected #290

rust-spiffe: make sure that the claims returned by the validation operation are as expected #290

hug-dev commented Nov 26, 2020

hug-dev commented Jun 22, 2021

rust-spiffe: make sure that the claims returned by the validation operation are as expected #290

rust-spiffe: make sure that the claims returned by the validation operation are as expected #290

Comments

hug-dev commented Nov 26, 2020

hug-dev commented Jun 22, 2021