frasertweedale
commented
7 years ago Hi @duijf. This was reported ages ago (https://github.com/frasertweedale/hs-jose/issues/5). We have never been vulnerable because hs-jose uses proper types, not strings, to represent keys. See https://github.com/frasertweedale/hs-jose/blob/f0aa0c7a5d63a2e63cb1a747a42fa0d64a4dfda2/src/Crypto/JOSE/JWA/JWK.hs#L609-L631.
As of jose-0.6.0.0 we support verifying with a JWKStore, which can hold multiple keys of possibly differing types. In this case, the best an attacker can do by changing the "alg" header is, e.g., to cause an "Oct" key to be used to verify a signature made with a different type of key. But it is not possible to force key material of one kind to verify a signature of a different kind.
If you still think there may be a vulnerability here, please produce a PoC demonstrating the flaw in this library and email me. My GPG key fingerprint is 5848 CE28 186B B469 C295 15E1 4B53 9052 4111 E1E2.
Thanks, Fraser
duijf
The current API for choosing validation settings promotes insecure usage of the library. The default validation settings allow the second attack detailed in this blog post to happen.
Consumers of this library should explicitly set which algorithm they expect a signature to have before validating it. The current defaults seem to trust client input of the 'alg' header
An example attack based on knowledge of the server public key (from the blogpost):
(Disclaimer: I only took a brief look. Sorry if I missed something)