From c1c02df86d39e8f6583fbdd32c4a0438862ff19d Mon Sep 17 00:00:00 2001
From: "Koelbel, Martin (096)"
Date: Tue, 12 Mar 2024 08:52:40 +0100
Subject: [PATCH 1/2] Add missing pkey sanity check and harmonize pkey:verify usage.

---
 kong/plugins/jwt/jwt_parser.lua | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/kong/plugins/jwt/jwt_parser.lua b/kong/plugins/jwt/jwt_parser.lua
index a4d1d5501e87..d8994b5facdc 100644
--- a/kong/plugins/jwt/jwt_parser.lua
+++ b/kong/plugins/jwt/jwt_parser.lua
@@ -111,23 +111,17 @@ local alg_verify = {
 RS256 = function(data, signature, key)
 local pkey, _ = openssl_pkey.new(key)
 assert(pkey, "Consumer Public Key is Invalid")
- local digest = openssl_digest.new("sha256")
- assert(digest:update(data))
- return pkey:verify(signature, digest)
+ return pkey:verify(signature, data, "sha256")
 end,
 RS384 = function(data, signature, key)
 local pkey, _ = openssl_pkey.new(key)
 assert(pkey, "Consumer Public Key is Invalid")
- local digest = openssl_digest.new("sha384")
- assert(digest:update(data))
- return pkey:verify(signature, digest)
+ return pkey:verify(signature, data, "sha384")
 end,
 RS512 = function(data, signature, key)
 local pkey, _ = openssl_pkey.new(key)
 assert(pkey, "Consumer Public Key is Invalid")
- local digest = openssl_digest.new("sha512")
- assert(digest:update(data))
- return pkey:verify(signature, digest)
+ return pkey:verify(signature, data, "sha512")
 end,
 -- https://www.rfc-editor.org/rfc/rfc7518#section-3.4
 ES256 = function(data, signature, key)
@@ -150,6 +144,7 @@ local alg_verify = {
 -- ECDSA P-521 SHA-512, R and S will be 521 bits each, resulting in a
 -- 132-octet sequence.
 local pkey, _ = openssl_pkey.new(key)
+ assert(pkey, "Consumer Public Key is Invalid")
 assert(#signature == 96, "Signature must be 96 bytes.")
 return pkey:verify(signature, data, "sha384", nil, { ecdsa_use_raw = true })
 end,
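Review bot: With the digest-object lines removed from RS256, RS384 and RS512, `openssl_digest` is no longer referenced anywhere in this hunk; if these were its only uses in the file, the module-level `require` (outside the hunk) is now an unused local that luacheck will flag and should be dropped in the same change. The new one-liners match the `pkey:verify(signature, data, "<md>", ...)` form the ECDSA entries already use in the later hunks, so the harmonization reads as intended. A short comment on the first RS entry would record the reasoning for future readers, e.g. `-- pkey:verify hashes data with the named digest itself, matching the ES* entries below`.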
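Review bot: The added `assert(pkey, "Consumer Public Key is Invalid")` cannot say why the key failed to load, because the preceding context line binds the reason returned by `openssl_pkey.new` to `_`; binding it as `local pkey, err = openssl_pkey.new(key)` and asserting with `"Consumer Public Key is Invalid: " .. tostring(err)` makes a mis-pasted or wrong-format credential diagnosable from the error log while still raising exactly as before. The same applies to the 132-byte/sha512 hunk that follows and to the three RS entries in the previous hunk. If the caller (outside this hunk) forwards assertion messages to the client, the OpenSSL detail should go to the log only. Separately, the two context comment lines directly above the new assert describe P-521/SHA-512 and a 132-octet sequence, but this entry checks `#signature == 96` and verifies with `"sha384"`, so the comment looks copied from the P-521 entry and should read `-- ECDSA P-384 SHA-384, R and S will be 384 bits each, resulting in a` / `-- 96-octet sequence.`. The enclosing entry header (presumably `ES384 = function(data, signature, key)`, inferred from the 96-byte/sha384 checks) lies above the hunk.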
@@ -163,6 +158,7 @@ local alg_verify = {
 -- ECDSA P-521 SHA-512, R and S will be 521 bits each, resulting in a
 -- 132-octet sequence.
 local pkey, _ = openssl_pkey.new(key)
+ assert(pkey, "Consumer Public Key is Invalid")
 assert(#signature == 132, "Signature must be 132 bytes.")
 return pkey:verify(signature, data, "sha512", nil, { ecdsa_use_raw = true })
 end,

From 36f56dd175f2a16b384721672d9f17a95dafdacd Mon Sep 17 00:00:00 2001
From: "Koelbel, Martin (096)"
Date: Tue, 12 Mar 2024 09:47:57 +0100
Subject: [PATCH 2/2] add changelog

---
 changelog/unreleased/kong/fix-jwt-plugin-check.yml | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changelog/unreleased/kong/fix-jwt-plugin-check.yml

diff --git a/changelog/unreleased/kong/fix-jwt-plugin-check.yml b/changelog/unreleased/kong/fix-jwt-plugin-check.yml
new file mode 100644
index 000000000000..bbf3ed71b848
--- /dev/null
+++ b/changelog/unreleased/kong/fix-jwt-plugin-check.yml
@@ -0,0 +1,3 @@
+message: "**Jwt**: fix an issue where the plugin would fail when using invalid public keys for ES384 and ES512 algorithms."
+type: bugfix
+scope: Plugin