The library doesn't rescue from OpenSSL::Cipher::CipherError errors raised by OpenSSL when PKCS7 padding is invalid. The library also attempts to decrypt the ciphertext before verifying the signature. Other decryption failures result in subclasses of JSON::JWT::Exception being raised, meaning that consumers of this library are quite likely only attempting to handle those errors.
The result is that a consuming application could quite easily fall into the trap of handling PKCS7 padding errors in a way that is observably different from how signature validation errors are handled. This would enable an exploitable padding-oracle attack against the consuming application. Cryptography libraries should attempt to be misuse-resistant and not leave it up to the consumer to worry about subtle crypto bugs.
This PR rescues from OpenSSL::OpenSSLError errors during decryption and raises an exception that is identical to those raised for invalid signatures. It also moves the signature checking to before decryption is attempted.
This bug was disclosed to the author via email on 9/9/22. On 10/4/22 the author responded, saying that consuming applications should handle this.
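The pattern the PR describes (verify before decrypting, and map every OpenSSL failure to the same exception as an invalid signature) as an added, stand-alone Ruby example. This is not the PR's code nor json-jwt's own implementation: it uses a constructed encrypt-then-MAC token format (AES-128-CBC + HMAC-SHA256, laid out as iv || ciphertext || tag) and hypothetical names (`TokenVerificationFailed`, `encrypt_token`, `decrypt_token_unsafe`, `decrypt_token_safe`) so that the "before" and "after" shapes can be compared directly. `decrypt_token_unsafe` decrypts first and lets `OpenSSL::Cipher::CipherError` escape, so a padding failure and a MAC failure surface as different exception classes; `decrypt_token_safe` checks the MAC first and rescues `OpenSSL::OpenSSLError`, so a caller sees one exception type with one message regardless of what went wrong.

```ruby
require 'openssl'
require 'securerandom'

# Single failure type for both signature and decryption problems
# (hypothetical class, standing in for the uniform exception the PR raises).
class TokenVerificationFailed < StandardError; end

IV_LEN  = 16 # AES block size
TAG_LEN = 32 # HMAC-SHA256 output size

# Constant-time byte comparison (avoids OpenSSL.secure_compare for portability).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed token layout: iv || ciphertext || HMAC(iv || ciphertext).
def encrypt_token(enc_key, mac_key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-128-cbc').encrypt
  cipher.key = enc_key
  iv = cipher.random_iv # generates and installs a fresh IV
  ciphertext = cipher.update(plaintext) + cipher.final
  tag = OpenSSL::HMAC.digest('SHA256', mac_key, iv + ciphertext)
  iv + ciphertext + tag
end

def split_token(token)
  raise TokenVerificationFailed, 'invalid token' if token.bytesize < IV_LEN + TAG_LEN
  iv = token.byteslice(0, IV_LEN)
  tag = token.byteslice(-TAG_LEN, TAG_LEN)
  ciphertext = token.byteslice(IV_LEN, token.bytesize - IV_LEN - TAG_LEN)
  [iv, ciphertext, tag]
end

# "Before" shape: decrypt first, check the MAC afterwards, and let OpenSSL's
# own CipherError escape. Padding problems and MAC problems are therefore
# distinguishable by the caller (and by anyone observing the caller's behaviour).
def decrypt_token_unsafe(enc_key, mac_key, token)
  iv, ciphertext, tag = split_token(token)
  cipher = OpenSSL::Cipher.new('aes-128-cbc').decrypt
  cipher.key = enc_key
  cipher.iv = iv
  plaintext = cipher.update(ciphertext) + cipher.final # CipherError on bad padding
  expected = OpenSSL::HMAC.digest('SHA256', mac_key, iv + ciphertext)
  raise TokenVerificationFailed, 'invalid signature' unless secure_equal?(tag, expected)
  plaintext
end

# "After" shape: verify the MAC before touching the cipher, and translate any
# OpenSSL error into the same exception (same class, same message) that a bad
# MAC produces, so callers have nothing different to handle.
def decrypt_token_safe(enc_key, mac_key, token)
  iv, ciphertext, tag = split_token(token)
  expected = OpenSSL::HMAC.digest('SHA256', mac_key, iv + ciphertext)
  raise TokenVerificationFailed, 'invalid token' unless secure_equal?(tag, expected)
  cipher = OpenSSL::Cipher.new('aes-128-cbc').decrypt
  cipher.key = enc_key
  cipher.iv = iv
  cipher.update(ciphertext) + cipher.final
rescue OpenSSL::OpenSSLError
  raise TokenVerificationFailed, 'invalid token'
end

# Classifies how a decrypt call fails; used to show the two shapes side by side.
def failure_kind
  yield
  :ok
rescue TokenVerificationFailed
  :verification_failed
rescue OpenSSL::OpenSSLError
  :openssl_error
end

if __FILE__ == $PROGRAM_NAME
  enc_key = SecureRandom.random_bytes(16)
  mac_key = SecureRandom.random_bytes(32)
  token = encrypt_token(enc_key, mac_key, 'demo payload')
  # Ciphertext portion shortened by one byte: not a block multiple, so the
  # "unsafe" path hits OpenSSL before it ever looks at the MAC.
  body = token.byteslice(IV_LEN, token.bytesize - IV_LEN - TAG_LEN - 1)
  truncated = token.byteslice(0, IV_LEN) + body + token.byteslice(-TAG_LEN, TAG_LEN)
  puts "unsafe: #{failure_kind { decrypt_token_unsafe(enc_key, mac_key, truncated) }}"
  puts "safe:   #{failure_kind { decrypt_token_safe(enc_key, mac_key, truncated) }}"
end
```

The design choice mirrors the PR: once the MAC is checked first, the cipher only ever runs on data the sender actually produced, and the blanket `rescue OpenSSL::OpenSSLError` is a backstop that keeps any remaining failure (truncation, bad key length, padding) indistinguishable from a signature mismatch. Keeping the exception message identical in both branches matters as much as the class, since a message that leaks the cause would reintroduce the distinction.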