MINOR: jwe: Disable 'RSA1_5' algorithm by default in jwt_decrypt converters

In RFC8725, section 3.2, they suggest to "Avoid all RSA-PKCS1 v1.5
encryption algorithms" so this algorithm gets disabled by default.
Tokens having this "alg" won't be decrypted unless it is explicitly
reenabled thanks to 'jwt.decrypt_alg_list' global option.

Thanks to Omkhar Arasaratnam for raising our awareness about this!

diff --git a/doc/configuration.txt b/doc/configuration.txt
index ac94b324ff2385ee8294511d18db8adb245d0525..9a5db46dd36682b444aa7e6e479d9ece596f0514 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -21930,8 +21930,11 @@ jwt_decrypt_cert(<cert>)
   format (five dot-separated base64-url encoded strings).
 
   This converter can be used for tokens that have an algorithm ("alg" field of
-  the JOSE header) among the following: RSA1_5, RSA-OAEP, RSA-OAEP-256,
-  ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW or ECDH-ES+A256KW.
+  the JOSE header) among the following: RSA-OAEP, RSA-OAEP-256, ECDH-ES,
+  ECDH-ES+A128KW, ECDH-ES+A192KW or ECDH-ES+A256KW.
+  The RSA1_5 algorithm is implemented but disabled by default following what is
+  suggested in section 3.2 of RFC 8725. It can be reenabled if needed thanks to
+  'jwt.decrypt_alg_list' global option.
 
   The supported algorithms and encryption algorithms ("alg" and "enc" fields of
   the JOSE header respectively) can be modified thanks to the
@@ -21964,9 +21967,12 @@ jwt_decrypt_jwk(<jwk>)
   the provided JWK to be of the 'oct' type.
 
   This converter also manages tokens that have an algorithm ("alg" field of the
-  JOSE header) in the RSA family (RSA1_5, RSA-OAEP or RSA-OAEP-256) when
-  provided an 'RSA' JWK, or in the ECDH family (ECDH-ES, ECDH-ES+A128KW,
-  ECDH-ES+A192KW or ECDH-ES+A256KW) when provided an 'EC' JWK.
+  JOSE header) in the RSA family (RSA-OAEP or RSA-OAEP-256) when provided an
+  'RSA' JWK, or in the ECDH family (ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW or
+  ECDH-ES+A256KW) when provided an 'EC' JWK.
+  The RSA1_5 algorithm is implemented but disabled by default following what is
+  suggested in section 3.2 of RFC 8725. It can be reenabled if needed thanks to
+  'jwt.decrypt_alg_list' global option.
 
   Please note that the A128KW and A192KW algorithms are not available on AWS-LC
   so the A128KW, A192KW, ECDH-ES+A128KW and ECDH-ES+A192KW algorithms won't

diff --git a/reg-tests/jwt/jwt_decrypt.vtc b/reg-tests/jwt/jwt_decrypt.vtc
index 9ccb61d690731a69e4250d9f3101d89ebc883099..e7802d632ffdf55a862dea2fefec53bcaa25add6 100644 (file)
--- a/reg-tests/jwt/jwt_decrypt.vtc
+++ b/reg-tests/jwt/jwt_decrypt.vtc
@@ -39,6 +39,8 @@ haproxy h1 -conf {
         crt-base "${testdir}"
         key-base "${testdir}"
 
+        jwt.decrypt_alg_list ALL
+
     defaults
         mode http
         timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"

diff --git a/src/jwe.c b/src/jwe.c
index a022e33ab339f6c55fa0e4272dc6668e008413a0..d192cfd4c1383e7c1baa947b138577e70ff09a3b 100644 (file)
--- a/src/jwe.c
+++ b/src/jwe.c
@@ -57,7 +57,9 @@ enum {
 };
 
 struct alg_enc jwe_algs_dflt[] = {
-       { "RSA1_5",             JWE_ALG_RSA1_5,         ALG_ENC_ENABLED },
+       /* The weak RSA1.5 algorithm gets disabled by default as suggested in
+        * section 3.2 of RFC 8725 */
+       { "RSA1_5",             JWE_ALG_RSA1_5,         ALG_ENC_DISABLED },
        { "RSA-OAEP",           JWE_ALG_RSA_OAEP,       ALG_ENC_ENABLED },
        { "RSA-OAEP-256",       JWE_ALG_RSA_OAEP_256,   ALG_ENC_ENABLED },
        { "A128KW",             JWE_ALG_A128KW,         ALG_ENC_ENABLED },