From 7b06f77f7580fc4ad27cd63c6660bdddc4217cc4 Mon Sep 17 00:00:00 2001 From: Hans Zandbelt Date: Tue, 23 Apr 2024 18:07:27 +0200 Subject: [PATCH] disable support for the RSA PKCS v1.5 JWE encryption algorithm as it is deemed unsafe due to the Marvin attack and is removed from libcjose as well Signed-off-by: Hans Zandbelt --- ChangeLog | 4 ++++ src/jose.c | 3 +-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e965ac28..eb9544a7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +04/23/2024 +- disable support for the RSA PKCS v1.5 JWE encryption algorithm as it is deemed unsafe + due to the Marvin attack and is removed from libcjose as well + 04/05/2024 - add debug printout for OIDCUnAuthAction expression evaluation diff --git a/src/jose.c b/src/jose.c index b34250a7..76b93b6d 100644 --- a/src/jose.c +++ b/src/jose.c @@ -228,7 +228,7 @@ static int oidc_alg2kty(const char *alg) { if ((_oidc_strcmp(alg, CJOSE_HDR_ALG_A128KW) == 0) || (_oidc_strcmp(alg, CJOSE_HDR_ALG_A192KW) == 0) || (_oidc_strcmp(alg, CJOSE_HDR_ALG_A256KW) == 0)) return CJOSE_JWK_KTY_OCT; - if ((_oidc_strcmp(alg, CJOSE_HDR_ALG_RSA1_5) == 0) || (_oidc_strcmp(alg, CJOSE_HDR_ALG_RSA_OAEP) == 0)) + if (_oidc_strcmp(alg, CJOSE_HDR_ALG_RSA_OAEP) == 0) return CJOSE_JWK_KTY_RSA; return -1; } @@ -631,7 +631,6 @@ apr_byte_t oidc_jose_jws_algorithm_is_supported(apr_pool_t *pool, const char *al */ apr_array_header_t *oidc_jose_jwe_supported_algorithms(apr_pool_t *pool) { apr_array_header_t *result = apr_array_make(pool, 4, sizeof(const char *)); - APR_ARRAY_PUSH(result, const char *) = CJOSE_HDR_ALG_RSA1_5; APR_ARRAY_PUSH(result, const char *) = CJOSE_HDR_ALG_A128KW; APR_ARRAY_PUSH(result, const char *) = CJOSE_HDR_ALG_A192KW; APR_ARRAY_PUSH(result, const char *) = CJOSE_HDR_ALG_A256KW;