Merge pull request #66 from btoews/bad-curve

Handle unknown curves
MicahParks · Nov 3, 2022 · d64cede · d64cede
2 parents 5a2fb27 + 991e1ab
commit d64cede
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/ecdsa.go b/ecdsa.go
@@ -48,6 +48,8 @@ func (j *jsonWebKey) ECDSA() (publicKey *ecdsa.PublicKey, err error) {
  publicKey.Curve = elliptic.P384()
  case p521:
  publicKey.Curve = elliptic.P521()
+ default:
+ return nil, fmt.Errorf("unknown curve: %s", j.Curve)
  }
 
  // Turn the X coordinate into *big.Int.

diff --git a/ecdsa_test.go b/ecdsa_test.go
@@ -0,0 +1,30 @@
+package keyfunc
+
+import (
+ "encoding/json"
+ "testing"
+
+ "github.com/golang-jwt/jwt/v4"
+)
+
+func TestBadCurve(t *testing.T) {
+ const (
+ badJWKS = `{"keys":[{"kty":"EC","crv":"BAD","x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4","y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM","use":"sig","kid":"1"}]}`
+ someJWT = `eyJhbGciOiJFUzI1NiIsImtpZCI6IjEiLCJ0eXAiOiJKV1QifQ.e30.Q1EeyWUv6XEA0gMLwTFoNhx7Hq1MbVwjI2k9FZPSa-myKW1wYn1X6rHtRyuV-2MEzvimCskFD-afL7UzvdWBQg`
+ )
+
+ jwks, err := NewJSON(json.RawMessage(badJWKS))
+ if err != nil {
+ t.Fatalf("Failed to create JWKS from JSON: %v", err)
+ }
+
+ defer func() {
+ if r := recover(); r != nil {
+ t.Fatalf("panic")
+ }
+ }()
+
+ if _, err = jwt.Parse(someJWT, jwks.Keyfunc); err == nil {
+ t.Fatal("No error for bad curve")
+ }
+}