Skip to content

Commit

Permalink
ensure jwt signature verification happens when decoding claim (#22)
Browse files Browse the repository at this point in the history
  • Loading branch information
mkobaly authored Nov 1, 2024
1 parent b1eefff commit fc68be5
Show file tree
Hide file tree
Showing 2 changed files with 29 additions and 8 deletions.
7 changes: 7 additions & 0 deletions NATS.Jwt.Tests/NatsJwtTests.cs
Original file line number Diff line number Diff line change
Expand Up @@ -336,4 +336,11 @@ public void TestMultipleExports()
string jsonStr = JsonSerializer.Serialize(json, new JsonSerializerOptions { WriteIndented = true });
output.WriteLine(jsonStr);
}

[Fact]
public void TestDecodeUserClaimWithTamperedJWTThrowsError()
{
var jwt = "eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJPSk9CUkZDQ0NGNEMzU1JWQzRLNEhTVFNYRlBTSVZBSzJPRUxOMlZXNE9GQ0IzQTVMMkNBIiwiaWF0IjoxNzMwMzk3NTU0LCJpc3MiOiJVQklUR0VSQk9JVEZDWkJHNTNUSkk3M1BHTjdBMzdPTVkyWE5YUU82VUZUSlA1TE5VWVFORUpXSSIsIm5hbWUiOiJVWFgiLCJzdWIiOiJVQklUR0VSQk9JVEZDWkJHNTNUSkk3M1BHTjdBMzdPTVkyWE5YUU82VUZUSlA1TE5VWVFORUpXSSIsIm5hdHMiOnsicHViIjp7ImFsbG93IjpbImFsbG93Llx1MDAzRSJdfSwic3ViIjp7ImFsbG93IjpbInN1YnNjcmliZS5cdTAwM0UiXX0sInN1YnMiOi0xLCJkYXRhIjotMSwicGF5bG9hZCI6LTEsInR5cGUiOiJ1c2VyIiwidmVyc2lvbiI6Mn19.SjIBpWWLNCZmgYZwrFHEJSTkm5M9bik0kgQyG-3V9Nn5sTrfO1Llj3hs7z9R7b1rCyGsFm1RkpZAVAnS5ay2BA";
Assert.Throws<NatsJwtException>(() => _natsJwt.DecodeUserClaims(jwt));
}
}
30 changes: 22 additions & 8 deletions NATS.Jwt/NatsJwt.cs
Original file line number Diff line number Diff line change
Expand Up @@ -303,14 +303,15 @@ public T DecodeClaims<T>(string jwt, JsonTypeInfo<T> jsonTypeInfo)
}

// Verify the signature
// var signingInput = $"{parts[0]}.{parts[1]}";
// var signature = Encoding.ASCII.GetBytes(EncodingUtils.FromBase64UrlEncoded(parts[2]));
// var publicKey = KeyPair.FromPublicKey(claims.Issuer.AsSpan());
//
// if (!publicKey.Verify(Encoding.ASCII.GetBytes(signingInput), signature))
// {
// throw new NatsJwtException("JWT signature verification failed");
// }
var signingInput = $"{parts[0]}.{parts[1]}";
var signature = DecodeSignature(parts[2]);
var publicKey = KeyPair.FromPublicKey(claims.Issuer.AsSpan());

if (!publicKey.Verify(Encoding.ASCII.GetBytes(signingInput), signature))
{
throw new NatsJwtException("JWT signature verification failed");
}

return claims;
}

Expand Down Expand Up @@ -447,4 +448,17 @@ private static string Serialize<T>(T data, JsonTypeInfo<T> typeInfo)
JsonSerializer.Serialize(jsonWriter, data, typeInfo);
return EncodingUtils.ToBase64UrlEncoded(writer.WrittenMemory.ToArray());
}

/// <summary>
/// Can't use EncodingUtils.FromBase64UrlEncoded as not backward compatible with golang code.
/// </summary>
/// <param name="signature">JWT signature.</param>
/// <returns>base64 decoded JWT signature.</returns>
private static byte[] DecodeSignature(string signature)
{
signature = signature.Replace('-', '+').Replace('_', '/');
var pd = signature.Length % 4; // ensure length divisible by 4..pad with ==
signature = signature + "====".Substring(0, pd);
return Convert.FromBase64String(signature);
}
}

0 comments on commit fc68be5

Please sign in to comment.