fix: also reject client jwks/jwks_uri symmetric keys

closes #481
panva · Jun 13, 2019 · df18f62 · df18f62
1 parent 1b6104c
commit df18f62
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 7 deletions.
diff --git a/lib/models/client.js b/lib/models/client.js
@@ -20,7 +20,7 @@ const { LOOPBACKS } = require('../consts/client_attributes');
 
 // intentionally ignore x5t and x5t#S256 so that they are left to be calculated by the jose library
 const KEY_ATTRIBUTES = ['crv', 'e', 'kid', 'kty', 'n', 'use', 'key_ops', 'x', 'y', 'x5c'];
-const KEY_TYPES = new Set(['RSA', 'EC', 'OKP']);
+const KEY_TYPES = new Set(['RSA', 'EC', 'OKP', 'oct']);
 
 const fingerprint = properties => hash(properties, {
   algorithm: 'sha256',
@@ -132,8 +132,8 @@ Object.defineProperties(jose.JWKS.KeyStore.prototype, {
         body.keys
           .filter(jwk => handled(jwk.kty))
           .map((jwk) => {
-            if (jwk.d) { // private RSA, EC or OKP keys
-              throw new Error('jwks_uri must not contain private keys');
+            if (jwk.d || jwk.kty === 'oct') { // private RSA, EC, OKP or symmetric keys
+              throw new Error('jwks_uri must not contain private or symmetric keys');
             }
 
             return _.pick(jwk, KEY_ATTRIBUTES);
@@ -205,8 +205,8 @@ module.exports = function getClient(provider) {
       try {
         client.jwks.keys.filter(key => handled(key.kty))
           .map((jwk) => {
-            if (jwk.d) { // private
-              throw new Error('jwks must not contain private keys');
+            if (jwk.d || jwk.kty === 'oct') { // private RSA, EC, OKP or symmetric keys
+              throw new Error('jwks must not contain private or symmetric keys');
             }
 
             return _.pick(jwk, KEY_ATTRIBUTES);

diff --git a/test/configuration/client_keystore.test.js b/test/configuration/client_keystore.test.js
@@ -71,7 +71,7 @@ describe('client keystore refresh', () => {
       expect(err).to.be.an('error');
       expect(err.message).to.equal('invalid_client_metadata');
       expect(err.error_description).to.match(/jwks_uri could not be refreshed/);
-      expect(err.error_description).to.match(/jwks_uri must not contain private keys/);
+      expect(err.error_description).to.match(/jwks_uri must not contain private or symmetric keys/);
     });
   });
 

diff --git a/test/configuration/client_metadata.test.js b/test/configuration/client_metadata.test.js
@@ -893,7 +893,7 @@ describe('Client metadata validation', () => {
     rejects(this.title, 1, 'jwks must be a JWK Set');
     rejects(this.title, 0, 'jwks must be a JWK Set');
     rejects(this.title, true, 'jwks must be a JWK Set');
-    rejects(this.title, { keys: [privateKey] }, 'invalid jwks (jwks must not contain private keys)');
+    rejects(this.title, { keys: [privateKey] }, 'invalid jwks (jwks must not contain private or symmetric keys)');
     allows(this.title, { keys: [] }, 'jwks.keys must not be empty');
     ['introspection', 'revocation', 'token'].forEach((endpoint) => {
       rejects(this.title, undefined, 'jwks or jwks_uri is mandatory for this client', {