mirror of
https://github.com/oven-sh/bun
synced 2026-02-12 20:09:04 +00:00
* oops * createSecretKey but weird error * use the right prototype, do not add a function called export lol * HMAC JWT export + base64 fix * Fix Equals, Fix Get KeySize, add complete export RSA * fix RSA export * add EC exports * X25519 and ED25519 export + fixes * fix default exports * better asymmetricKeyType * fix private exports * fix symmetricKeySize * createPublicKey validations + refactor * jwt + der fixes * oopsies * add PEM into createPublicKey * cleanup * WIP * bunch of fixes * public from private + private OKP * encrypted keys fixes * oops * fix clear tls error, add some support to jwk and other formats on publicEncrypt/publicDecrypt * more fixes and tests working * more fixes more tests * more clear hmac errors * more tests and fixes * add generateKeyPair * more tests passing, some skips * fix EC key from private * fix OKP JWK * nodejs ignores ext and key_ops on KeyObject.exports * add EC sign verify test * some fixes * add crypto.generateKeyPairSync(type, options) * more fixes and more tests * fix hmac tests * jsonwebtoken tests * oops * oops2 * generated files * revert package.json * vm tests * todos instead of failues * toBunString -> toString * undo simdutf * improvements * unlikely * cleanup * cleanup 2 * oops * move _generateKeyPairSync checks to native
import jwt from "jsonwebtoken";
import { expect, describe, it } from "bun:test";
import crypto from "crypto";
describe("when verifying a malicious token", () => {
  // Scenario under test: JWT algorithm confusion.
  // The RSA public key is not secret. A token whose header says HS256 (with
  // kid naming the RSA key rather than the HMAC secret) must not be accepted
  // when the verifier is handed that RSA key, otherwise the public key would
  // act as an HMAC secret that anyone can use.
  //
  // The consumer modelled here accepts both self-signed tokens (HS256) and
  // third-party tokens (RS256). Allowing both families for one key is the
  // risky configuration; a verifier should bind the permitted algorithm to
  // the key it looks up, and the library is expected to refuse an asymmetric
  // key for an HS* algorithm.
  const options = { algorithms: ["RS256", "HS256"] };

  // A fresh key pair is generated on every run, so the fixture below could
  // never carry a MAC that validates against this key. What the tests pin is
  // the error text: the rejection must come from the key-type check, not from
  // an ordinary signature mismatch.
  const { publicKey: pubRsaKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

  // Fixture: header {"alg":"HS256","typ":"JWT","kid":"rsaKeyId"},
  // payload {"foo":"bar","iat":1659510608}. It was produced by signing
  // {foo: 'bar'} with an RSA public key as the HMAC secret, using
  // {algorithm: 'HS256', keyid: 'rsaKeyId'}.
  const hs256TokenWithRsaKid =
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InJzYUtleUlkIn0.eyJmb28iOiJiYXIiLCJpYXQiOjE2NTk1MTA2MDh9.cOcHI1TXPbxTMlyVTfjArSWskrmezbrG8iR7uJHwtrQ";

  it("should not allow HMAC verification with an RSA key in KeyObject format", () => {
    // Key passed as a crypto KeyObject.
    const verifyWithKeyObject = () => jwt.verify(hs256TokenWithRsaKid, pubRsaKey, options);

    expect(verifyWithKeyObject).toThrow("must be a symmetric key");
  });

  it("should not allow HMAC verification with an RSA key in PEM format", () => {
    // Same key, serialised to SPKI PEM text. The export stays inside the
    // checked callback so that it runs as part of the expectation.
    const verifyWithPem = () => {
      const pem = pubRsaKey.export({ type: "spki", format: "pem" });
      return jwt.verify(hs256TokenWithRsaKid, pem, options);
    };

    expect(verifyWithPem).toThrow("must be a symmetric key");
  });

  it("should not allow arbitrary execution from malicious Buffers containing objects with overridden toString functions", () => {
    const token = jwt.sign({ foo: "bar" }, "secret");

    // A plain object posing as key material. If the verifier coerced it to a
    // string, this toString would run and the thrown message would be
    // "Arbitrary Code Execution", which fails the assertion below.
    const fakeKey = {
      toString() {
        throw new Error("Arbitrary Code Execution");
      },
    };

    const verifyWithFakeKey = () => jwt.verify(token, fakeKey);

    expect(verifyWithFakeKey).toThrow("not valid key material");
  });
});