Merge branch 'develop'

175d5ca4 · Sapotille Orange · 867d36bf · 4c34044e · 175d5ca4 · 175d5ca4
Commit 175d5ca4 authored 2 years ago by Sapotille Orange
--- a/src/main/kotlin/fr/gouv/stopc/submissioncode/service/SubmissionCodeService.kt
+++ b/src/main/kotlin/fr/gouv/stopc/submissioncode/service/SubmissionCodeService.kt
 package fr.gouv.stopc.submissioncode.service

+import com.nimbusds.jose.JOSEException
 import com.nimbusds.jose.JWSVerifier
 import com.nimbusds.jwt.SignedJWT
 import fr.gouv.stopc.submissioncode.configuration.SubmissionProperties
@@ -187,9 +188,15 @@ class SubmissionCodeService(
            return false
        }

-        if (!signedJwt.verify(jwtSignatureVerifiers[kid])) {
+        try {
+            if (!signedJwt.verify(jwtSignatureVerifiers[kid])) {
+                metricsService.countCodeUsed(JWT, false)
+                log.info("JWT signature is invalid: $jwt")
+                return false
+            }
+        } catch (e: JOSEException) {
            metricsService.countCodeUsed(JWT, false)
-            log.info("JWT signature is invalid: $jwt")
+            log.info("JWT signature can't be verified: ${e.message}, $jwt")
            return false
        }


--- a/src/test/kotlin/fr/gouv/stopc/submissioncode/controller/VerifyControllerTest.kt
+++ b/src/test/kotlin/fr/gouv/stopc/submissioncode/controller/VerifyControllerTest.kt
@@ -28,6 +28,7 @@ import org.springframework.http.HttpStatus.OK
 import java.time.Instant
 import java.time.temporal.ChronoUnit.DAYS
 import java.time.temporal.ChronoUnit.MINUTES
+import java.util.Base64
 import java.util.UUID
 import java.util.stream.Stream

@@ -389,5 +390,31 @@ class VerifyControllerTest {
            assertThat(output.all)
                .containsPattern("JWT could not be parsed: Invalid JWS header: Invalid JSON: Unexpected token [^ ]+ at position 5., aaaaaaa.aaaaaaa.aaaaaaa")
        }
+
+        @Test
+        fun reject_a_JWT_with_invalid_alg_header_field(output: CapturedOutput) {
+
+            val invalidHeader = """
+                {
+                    "alg": "invalid alg",
+                    "typ": "JWT",
+                    "kid": "TousAntiCovidKID"
+                }
+            """.trimIndent()
+                .toByteArray()
+                .let { Base64.getEncoder().encodeToString(it) }
+
+            val jwtWithInvalidHeader = givenJwt().replaceBefore(".", invalidHeader)
+
+            When()
+                .get("/api/v1/verify?code={jwt}", jwtWithInvalidHeader)
+
+                .then()
+                .statusCode(OK.value())
+                .body("valid", equalTo(false))
+
+            assertThat(output.all)
+                .contains("JWT signature can't be verified: Unsupported JWS algorithm invalid alg, must be ES256, $jwtWithInvalidHeader")
+        }
    }
 }