Fixed bug in openssl token signature verification

alun · alun · commit a3ae2d733922 · 2020-07-13T19:10:15.000+01:00
diff --git a/src/error.rs b/src/error.rs
@@ -11,18 +11,19 @@ use crate::algorithm::AlgorithmType;
 #[derive(Debug)]
 pub enum Error {
     AlgorithmMismatch(AlgorithmType, AlgorithmType),
+    Base64(DecodeError),
+    Format,
+    InvalidSignature,
+    Json(JsonError),
+    NoClaimsComponent,
+    NoHeaderComponent,
     NoKeyId,
     NoKeyWithKeyId(String),
-    NoHeaderComponent,
-    NoClaimsComponent,
     NoSignatureComponent,
-    TooManyComponents,
-    Format,
-    Base64(DecodeError),
-    Json(JsonError),
-    Utf8(FromUtf8Error),
     RustCryptoMac(MacError),
     RustCryptoMacKeyLength(InvalidKeyLength),
+    TooManyComponents,
+    Utf8(FromUtf8Error),
     #[cfg(feature = "openssl")]
     OpenSsl(openssl::error::ErrorStack),
 }
@@ -40,6 +41,7 @@ impl fmt::Display for Error {
             NoSignatureComponent => write!(f, "No signature component found in token string"),
             TooManyComponents => write!(f, "Too many components found in token string"),
             Format => write!(f, "Format"),
+            InvalidSignature => write!(f, "Invalid signature"),
             Base64(ref x) => write!(f, "{}", x),
             Json(ref x) => write!(f, "{}", x),
             Utf8(ref x) => write!(f, "{}", x),
diff --git a/src/token/verified.rs b/src/token/verified.rs
@@ -36,13 +36,15 @@ impl<'a, H: JoseHeader, C> VerifyWithKey<Token<H, C, Verified>> for Token<H, C,
             signature_str,
         } = self.signature;
 
-        key.verify(header_str, claims_str, signature_str)?;
-
-        Ok(Token {
-            header: self.header,
-            claims: self.claims,
-            signature: Verified,
-        })
+        if key.verify(header_str, claims_str, signature_str)? {
+            Ok(Token {
+                header: self.header,
+                claims: self.claims,
+                signature: Verified,
+            })
+        } else {
+            Err(Error::InvalidSignature)
+        }
     }
 }
 
@@ -159,6 +161,43 @@ mod tests {
         name: String,
     }
 
+    #[test]
+    #[cfg(feature = "openssl")]
+    pub fn token_can_not_be_verified_with_a_wrong_key() -> Result<(), Error> {
+        use crate::{token::signed::SignWithKey, AlgorithmType, Header, PKeyWithDigest, Token};
+        use openssl::{hash::MessageDigest, pkey::PKey};
+
+        let private_pem = include_bytes!("../../test/rs256-private.pem");
+        let public_pem = include_bytes!("../../test/rs256-public-2.pem");
+
+        let rs256_private_key = PKeyWithDigest {
+            digest: MessageDigest::sha256(),
+            key: PKey::private_key_from_pem(private_pem).unwrap(),
+        };
+        let rs256_public_key = PKeyWithDigest {
+            digest: MessageDigest::sha256(),
+            key: PKey::public_key_from_pem(public_pem).unwrap(),
+        };
+
+        let header = Header {
+            algorithm: AlgorithmType::Rs256,
+            ..Default::default()
+        };
+        let mut claims = BTreeMap::new();
+        claims.insert("sub", "someone");
+
+        let signed_token = Token::new(header, claims).sign_with_key(&rs256_private_key)?;
+        let token_str = signed_token.as_str();
+        let unverified_token: Token<Header, BTreeMap<String, String>, _> =
+            Token::parse_unverified(token_str)?;
+        let verified_token_result = unverified_token.verify_with_key(&rs256_public_key);
+        assert!(verified_token_result.is_err());
+        match verified_token_result.err().unwrap() {
+            Error::InvalidSignature => Ok(()),
+            other => panic!("Wrong error type: {:?}", other),
+        }
+    }
+
     #[test]
     pub fn component_errors() {
         let key: Hmac<Sha256> = Hmac::new_varkey(b"first").unwrap();
diff --git a/test/rs256-public-2.pem b/test/rs256-public-2.pem
@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3rAEiYZsc3E8FUGiBCt8e4dkt
+qc77U8lnpAfi8DaGSoYu9jelD8/za7XIqFD99EgBA+DXbR01jzSU+ILsfG21jS2B
+pPE39zuJYj5X7sQvKg1wRGVS0pi+DVLNEJUhTP8B3fUf1TD72t4aYJh4t8ZrgD90
+9VQglfyJZ7wuuHYHqQIDAQAB
+-----END PUBLIC KEY-----
