Skip to content

Commit

Permalink
fix: avoid kid clashing potential
Browse files Browse the repository at this point in the history 
For those JWK's which lack the kid attribute, the logic assigns one.

When parsing pubkey bundle (JWKS, a set of JWK), the previous logic
enables a clash, consider this JWK sequence:

 * {"kid": "2", "kty":"EC", "use":"sig", ... }
 * {"kty":"RS", "use":"sig", ... } -- this saves with kid=1
 * {"kty":"RS", "use":"enc", ... } -- this *overwrites* kid=2
  • Loading branch information
@ulidtko
ulidtko committed Apr 12, 2023
1 parent 33b61c4 commit d851948
Showing 1 changed file with 4 additions and 6 deletions.
10 changes: 4 additions & 6 deletions jwt_tool.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -978,15 +978,13 @@ def parseJWKS(jwksfile):
try:
keyLen = len(jwksDict["keys"])
cprintc("Number of keys: "+str(keyLen), "cyan")
kid_bak = 1
kids_seen = set()
new_kid = lambda: 1 + max([x for x in kids_seen if isinstance(x, int)], default=0)
any1valid = False
for d in jwksDict["keys"]:
cprintc("\n--------", "white")
if 'kid' in d:
kid = str(d["kid"])
else:
kid = kid_bak
kid_bak += 1
kid = d['kid'] if 'kid' in d else new_kid()
kids_seen.add(kid)
cprintc(f"Key kid {kid}", "cyan")
for k, v in d.items():
cprintc(f"[+] {k} = {v}", "green")
Expand Down

0 comments on commit d851948

Please sign in to comment.