MINOR: jwe: Disable 'RSA1_5' algorithm by default in jwt_decrypt converters

In RFC8725, section 3.2, they suggest to "Avoid all RSA-PKCS1 v1.5
encryption algorithms" so this algorithm gets disabled by default.
Tokens having this "alg" won't be decrypted unless it is explicitly
reenabled thanks to 'jwt.decrypt_alg_list' global option.

Thanks to Omkhar Arasaratnam for raising our awareness about this!
Remi Tricot-Le Breton 2026-05-07 17:05:17 +02:00 committed by Willy Tarreau
parent f82a242c8f
commit 495eb7b0e0
3 changed files with 16 additions and 6 deletions

@ -21930,8 +21930,11 @@ jwt_decrypt_cert(<cert>)
format (five dot-separated base64-url encoded strings).
This converter can be used for tokens that have an algorithm ("alg" field of
the JOSE header) among the following: RSA1_5, RSA-OAEP, RSA-OAEP-256,
ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW or ECDH-ES+A256KW.
the JOSE header) among the following: RSA-OAEP, RSA-OAEP-256, ECDH-ES,
ECDH-ES+A128KW, ECDH-ES+A192KW or ECDH-ES+A256KW.
The RSA1_5 algorithm is implemented but disabled by default following what is
suggested in section 3.2 of RFC 8725. It can be reenabled if needed thanks to
'jwt.decrypt_alg_list' global option.
The supported algorithms and encryption algorithms ("alg" and "enc" fields of
the JOSE header respectively) can be modified thanks to the
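Review bot: the new RSA1_5 paragraph in the jwt_decrypt_cert entry says the algorithm is "disabled by default" but not what the converter does when it meets such a token, and "following what is suggested in section 3.2 of RFC 8725" leaves the reason to a lookup. Suggest stating that tokens whose "alg" is RSA1_5 are not decrypted unless the algorithm is re-enabled, and naming the reason in a few words (the RFC's advice to avoid RSA-PKCS1 v1.5 encryption), so an operator upgrading with RSA1_5 tokens in use can recognise the behaviour change from this entry alone.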
@ -21964,9 +21967,12 @@ jwt_decrypt_jwk(<jwk>)
the provided JWK to be of the 'oct' type.
This converter also manages tokens that have an algorithm ("alg" field of the
JOSE header) in the RSA family (RSA1_5, RSA-OAEP or RSA-OAEP-256) when
provided an 'RSA' JWK, or in the ECDH family (ECDH-ES, ECDH-ES+A128KW,
ECDH-ES+A192KW or ECDH-ES+A256KW) when provided an 'EC' JWK.
JOSE header) in the RSA family (RSA-OAEP or RSA-OAEP-256) when provided an
'RSA' JWK, or in the ECDH family (ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW or
ECDH-ES+A256KW) when provided an 'EC' JWK.
The RSA1_5 algorithm is implemented but disabled by default following what is
suggested in section 3.2 of RFC 8725. It can be reenabled if needed thanks to
'jwt.decrypt_alg_list' global option.
Please note that the A128KW and A192KW algorithms are not available on AWS-LC
so the A128KW, A192KW, ECDH-ES+A128KW and ECDH-ES+A192KW algorithms won't
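Review bot: the three lines added about RSA1_5 in the jwt_decrypt_jwk entry are a word-for-word copy of the ones added to jwt_decrypt_cert, so the default is now described in two places that have to be kept in sync. Since both paragraphs already name 'jwt.decrypt_alg_list', consider describing the default once under that option and keeping a one-line pointer in each converter entry. Wording nit in the same lines: "thanks to 'jwt.decrypt_alg_list' global option" is missing "the".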

@ -39,6 +39,8 @@ haproxy h1 -conf {
crt-base "${testdir}"
key-base "${testdir}"
jwt.decrypt_alg_list ALL
defaults
mode http
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
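Review bot: adding "jwt.decrypt_alg_list ALL" to the global section of this test keeps the existing RSA1_5 cases passing, but it also means this instance never runs with the new default, so nothing visible here checks that an RSA1_5 token is refused when the option is absent. Suggest a second haproxy instance (or a separate test) without the option that sends an RSA1_5 token and expects decryption to fail, next to an RSA-OAEP token that still decrypts.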

@ -57,7 +57,9 @@ enum {
};
struct alg_enc jwe_algs_dflt[] = {
{ "RSA1_5", JWE_ALG_RSA1_5, ALG_ENC_ENABLED },
/* The weak RSA1.5 algorithm gets disabled by default as suggested in
* section 3.2 of RFC 8725 */
{ "RSA1_5", JWE_ALG_RSA1_5, ALG_ENC_DISABLED },
{ "RSA-OAEP", JWE_ALG_RSA_OAEP, ALG_ENC_ENABLED },
{ "RSA-OAEP-256", JWE_ALG_RSA_OAEP_256, ALG_ENC_ENABLED },
{ "A128KW", JWE_ALG_A128KW, ALG_ENC_ENABLED },
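Review bot: the comment above the RSA1_5 entry in jwe_algs_dflt[] spells the algorithm "RSA1.5", which matches neither the "RSA1_5" string on the next line nor the RFC's "RSA-PKCS1 v1.5" wording, so a search for the alg name misses it. Suggest "RSA1_5 (RSA-PKCS1 v1.5 encryption)" in the comment, plus a mention of 'jwt.decrypt_alg_list' so a reader of the table knows the ALG_ENC_DISABLED default can be overridden from the configuration.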