Consider a JWSKeySelector that supports multiple algorithms
It would be nice to have an implementation of JWSKeySelector that supported multiple algorithms from the same family, like:
Map<JWSAlgorithm, JWSKeySelector<>> jwsKeySelectors = // ... only algos from the same JWSAlgorithm.Family
new MappedJWSKeySelector(jwsKeySelectors)
or perhaps something more controlled like:
new JWSFamilyVerificationKeySelector(jwsAlgFamily, jwkSource)
Since the algorithm is included in the signature and because there are no known pre-image attacks for SHA-2, this would meet the criteria indicated in RFC 7515:
There are several ways for an application to mitigate algorithm substitution attacks:
o Use only digital signature algorithms that are not vulnerable to
substitution attacks. Substitution attacks are only feasible if
an attacker can compute pre-images for a hash function accepted by
the recipient. All JWA-defined signature algorithms use SHA-2
hashes, for which there are no known pre-image attacks, as of the
time of this writing.
o Require that the "alg" Header Parameter be carried in the JWS
Protected Header. (This is always the case when using the JWS
Compact Serialization...)
I’d certainly want to confirm that the algorithms are in the same family.
If you are agreed, I’d be happy to provide a PR.
Comments (4)
-
reporter -
Thanks. For JWS algs it can make sense. For JWE algs, accepting a whole alg family (e.g. RSA) can be an issue:
https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-06#section-3.2
(this is the current JWT BCP)
-
- changed status to resolved
-
Thanks Josh! The new selector is now part of v7.5.
Edited the matching to also include JWKs with undefined "use" field, which is optional. People sometimes forget it, even in JWK sets containing signing and encryption keys. Not an issue, if the key turns out to be intended for encryption the signature validation will fail anyway.
JWKMatcher jwkMatcher = new JWKMatcher.Builder()
    .publicOnly(true)
    .keyUses(KeyUse.SIGNATURE, null) // use=sig is optional
    .keyTypes(KeyType.RSA, KeyType.EC)
    .build();
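A sketch of the family-restricted selector proposed in this issue, added here as an illustration; it is not code from the issue or from the Nimbus JOSE+JWT project. The class name `FamilyRestrictedJWSKeySelector`, the key ID and the claims are assumptions made for the demo, the RSA key is generated on the spot, and the code needs the library on the classpath.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.jwk.source.*;
import com.nimbusds.jose.proc.*;
import com.nimbusds.jwt.*;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.security.Key;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical selector: accepts any JWS alg of one family, yields no keys for all others. */
public class FamilyRestrictedJWSKeySelector<C extends SecurityContext> implements JWSKeySelector<C> {
    private final JWSAlgorithm.Family family;
    private final JWKSource<C> jwkSource;
    // One single-algorithm selector per accepted alg, created on first use
    private final Map<JWSAlgorithm, JWSKeySelector<C>> delegates = new ConcurrentHashMap<>();

    public FamilyRestrictedJWSKeySelector(JWSAlgorithm.Family family, JWKSource<C> jwkSource) {
        this.family = Objects.requireNonNull(family);
        this.jwkSource = Objects.requireNonNull(jwkSource);
    }

    @Override
    public List<? extends Key> selectJWSKeys(JWSHeader header, C context) throws KeySourceException {
        JWSAlgorithm alg = header.getAlgorithm();
        // Allow-list check: the header's alg only chooses among algorithms the recipient trusts
        if (!family.contains(alg)) return Collections.emptyList();
        return delegates.computeIfAbsent(alg, a -> new JWSVerificationKeySelector<C>(a, jwkSource))
                .selectJWSKeys(header, context);
    }

    public static void main(String[] args) throws Exception {
        RSAKey rsaJwk = new RSAKeyGenerator(2048).keyID("k1").generate(); // constructed test key
        JWKSource<SecurityContext> source = new ImmutableJWKSet<>(new JWKSet(rsaJwk.toPublicJWK()));
        FamilyRestrictedJWSKeySelector<SecurityContext> selector =
                new FamilyRestrictedJWSKeySelector<>(JWSAlgorithm.Family.RSA, source);
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(selector);
        for (JWSAlgorithm alg : Arrays.asList(JWSAlgorithm.RS256, JWSAlgorithm.RS512)) {
            SignedJWT jwt = new SignedJWT(new JWSHeader.Builder(alg).keyID("k1").build(),
                    new JWTClaimsSet.Builder().subject("alice").build());
            jwt.sign(new RSASSASigner(rsaJwk));
            System.out.println(alg + " accepted, sub=" + processor.process(jwt.serialize(), null).getSubject());
        }
        System.out.println("HS256 candidate keys: "
                + selector.selectJWSKeys(new JWSHeader(JWSAlgorithm.HS256), null).size());
    }
}
```

Because an out-of-family header yields an empty key list, a processor configured with this selector has nothing to verify the signature against and rejects the token.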