fix: access token verification in DPoP challenge. Was previously verifying 'cnf.kid' against the backend key whereas it must be against the client's key

pull/1671/head
beltram 11 months ago committed by Herman Slatman
parent 5fdf036a4d
commit ed2bce9a3c
No known key found for this signature in database
GPG Key ID: F4D8A44EA0A75A4F

@ -463,6 +463,15 @@ func wireDPOP01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
return NewErrorISE("missing provisioner")
}
jwk, ok = ctx.Value("jwk").(*jose.JSONWebKey)
if !ok || jwk == nil {
return storeError(ctx, db, ch, false, NewError(ErrorServerInternalType, "failed fetching the client JWK from context"))
}
kid, thumbprintErr := jwk.Thumbprint(crypto.SHA256)
if thumbprintErr != nil {
return storeError(ctx, db, ch, false, WrapError(ErrorServerInternalType, thumbprintErr, "failed to compute JWK thumbprint"))
}
dpopOptions := provisioner.GetOptions().GetDPOPOptions()
key := dpopOptions.GetSigningKey()
@ -522,7 +531,9 @@ func wireDPOP01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
"--issuer",
issuer,
"--hash-algorithm",
`"SHA-256"`,
`SHA-256`,
"--kid",
string(kid),
"--key",
file.Name(),
)
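Review bot: `string(kid)` on the `--kid` argument passes the raw SHA-256 digest returned by `jwk.Thumbprint` straight into a process argument; a raw digest can contain a NUL byte, which os/exec cannot place in argv (the exec fails with an invalid-argument error), and is not valid UTF-8. RFC 7638 thumbprints and DPoP confirmation values are conventionally carried base64url-encoded without padding, so unless the external verifier is known to consume raw bytes the argument should be `"--kid", base64.RawURLEncoding.EncodeToString(kid),` (with `encoding/base64` imported). In the first hunk, `jwk, ok = ctx.Value("jwk").(*jose.JSONWebKey)` overwrites the `jwk` parameter of wireDPOP01Validate with a context lookup keyed by a bare string, the pattern staticcheck SA1029 warns about because string keys can collide across packages; a typed unexported key, or simply using the parameter if it already carries the client's account key, would make which key is verified explicit. The surrounding function starts before the first hunk and continues past the second.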
