disable support for the RSA PKCS v1.5 JWE encryption algorithm

as it is deemed unsafe due to the Marvin attack and is removed from libcjose as well Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>
OpenIDC · Apr 23, 2024 · 7b06f77 · 7b06f77
1 parent a65ff57
commit 7b06f77
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,7 @@
+04/23/2024
+- disable support for the RSA PKCS v1.5 JWE encryption algorithm as it is deemed unsafe
+  due to the Marvin attack and is removed from libcjose as well
+
 04/05/2024
 - add debug printout for OIDCUnAuthAction expression evaluation
 

diff --git a/src/jose.c b/src/jose.c
@@ -228,7 +228,7 @@ static int oidc_alg2kty(const char *alg) {
 	if ((_oidc_strcmp(alg, CJOSE_HDR_ALG_A128KW) == 0) || (_oidc_strcmp(alg, CJOSE_HDR_ALG_A192KW) == 0) ||
 	    (_oidc_strcmp(alg, CJOSE_HDR_ALG_A256KW) == 0))
 		return CJOSE_JWK_KTY_OCT;
-	if ((_oidc_strcmp(alg, CJOSE_HDR_ALG_RSA1_5) == 0) || (_oidc_strcmp(alg, CJOSE_HDR_ALG_RSA_OAEP) == 0))
+	if (_oidc_strcmp(alg, CJOSE_HDR_ALG_RSA_OAEP) == 0)
 		return CJOSE_JWK_KTY_RSA;
 	return -1;
 }
@@ -631,7 +631,6 @@ apr_byte_t oidc_jose_jws_algorithm_is_supported(apr_pool_t *pool, const char *al
  */
 apr_array_header_t *oidc_jose_jwe_supported_algorithms(apr_pool_t *pool) {
 	apr_array_header_t *result = apr_array_make(pool, 4, sizeof(const char *));
-	APR_ARRAY_PUSH(result, const char *) = CJOSE_HDR_ALG_RSA1_5;
 	APR_ARRAY_PUSH(result, const char *) = CJOSE_HDR_ALG_A128KW;
 	APR_ARRAY_PUSH(result, const char *) = CJOSE_HDR_ALG_A192KW;
 	APR_ARRAY_PUSH(result, const char *) = CJOSE_HDR_ALG_A256KW;