Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: prevent JWT attacks by spoofed keyIDs #4186

Conversation

paullatzelsperger
Copy link
Member

What this PR changes/adds

This PR fixes a security issue, where an attacker would do the following:

  • obtain a legit VC issued to Bob (i.e. Bob's DID is the credentialSubject.id)
  • generate a VP using Bob's DID as iss claim and holder property
  • sign this seemingly legit VP with the attacker's private key
  • put the key-ID of the attacker's key as kid header in the VP-JWT token

This caused the public key resolver to take the (malicious) key-ID "at face value", and resolve the public key from it.

This is a problem, because that would resolve the ATTACKER's public key, instead of the LEGIT HOLDER's public key!

Why it does that

prevent impersonation attacks

Further notes

List other areas of code that have changed but are not necessarily linked to the main feature. This could be method
signature changes, package declarations, bugs that were encountered and were fixed inline, etc.

Linked Issue(s)

Closes # <-- insert Issue number if one exists

Please be sure to take a look at the contributing guidelines and our etiquette for pull requests.

@paullatzelsperger paullatzelsperger added this to the Milestone 15 milestone May 15, 2024
@paullatzelsperger paullatzelsperger added enhancement New feature or request dcp labels May 15, 2024
@codecov-commenter
Copy link

codecov-commenter commented May 15, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 75.05%. Comparing base (7f20ba5) to head (8244efa).
Report is 255 commits behind head on main.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4186      +/-   ##
==========================================
+ Coverage   71.74%   75.05%   +3.30%     
==========================================
  Files         919     1013      +94     
  Lines       18457    20557    +2100     
  Branches     1037     1161     +124     
==========================================
+ Hits        13242    15429    +2187     
+ Misses       4756     4620     -136     
- Partials      459      508      +49     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@paullatzelsperger paullatzelsperger merged commit f558959 into eclipse-edc:main May 16, 2024
16 checks passed
@paullatzelsperger paullatzelsperger deleted the fix/bind_issuer_to_kid_header branch May 16, 2024 05:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dcp enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants