bls
commented
10 years ago The call chain for verifying a PS256 JWT is:
jws.verify_compact() -> PSSSigner.verify() -> PKCS1_PSS.verify() It looks like verify_compact() is expecting BadSignature() to be raised; however PSSSigner.verify() does not raise exceptions; it returns the value of Crypto.Signature.PKCS1_PSS.verify(), which is true or false. That's what breaks the following code in jws.py / verify_compact():
try:
# Code below uses return value for error signalling, no
# exception will be raised if the signature is bad.
verifier.verify(_header + '.' + _payload, b64d(str(_sig)),
key.get_key(private=False))
except BadSignature:
pass
else:
self.msg = self._decode(_payload)
return self.msg
raise BadSignature()Thanks & regards, Blair.
jcea
Setup: I generate a signed JWT, then attempt to verify against the wrong RSA key.
Expected behaviour: A BadSignature exception should be raised.
Observed behaviour: It appears as though verification succeeded.
Also, verify_compact() transparently accepts null signatures. This seems likely to cause security problems in client code.
Please see: https://gist.github.com/bls/d99885542a9216287ea3 for a test case.