diff --git a/doc/configuration.txt b/doc/configuration.txt
index ac94b324f..9a5db46dd 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -21930,8 +21930,11 @@ jwt_decrypt_cert()
 format (five dot-separated base64-url encoded strings).
 This converter can be used for tokens that have an algorithm ("alg" field of
- the JOSE header) among the following: RSA1_5, RSA-OAEP, RSA-OAEP-256,
- ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW or ECDH-ES+A256KW.
+ the JOSE header) among the following: RSA-OAEP, RSA-OAEP-256, ECDH-ES,
+ ECDH-ES+A128KW, ECDH-ES+A192KW or ECDH-ES+A256KW.
+ The RSA1_5 algorithm is implemented but disabled by default following what is
+ suggested in section 3.2 of RFC 8725. It can be reenabled if needed thanks to
+ 'jwt.decrypt_alg_list' global option.
 The supported algorithms and encryption algorithms ("alg" and "enc" fields of
 the JOSE header respectively) can be modified thanks to the
@@ -21964,9 +21967,12 @@ jwt_decrypt_jwk()
 the provided JWK to be of the 'oct' type.
 This converter also manages tokens that have an algorithm ("alg" field of the
- JOSE header) in the RSA family (RSA1_5, RSA-OAEP or RSA-OAEP-256) when
- provided an 'RSA' JWK, or in the ECDH family (ECDH-ES, ECDH-ES+A128KW,
- ECDH-ES+A192KW or ECDH-ES+A256KW) when provided an 'EC' JWK.
+ JOSE header) in the RSA family (RSA-OAEP or RSA-OAEP-256) when provided an
+ 'RSA' JWK, or in the ECDH family (ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW or
+ ECDH-ES+A256KW) when provided an 'EC' JWK.
+ The RSA1_5 algorithm is implemented but disabled by default following what is
+ suggested in section 3.2 of RFC 8725. It can be reenabled if needed thanks to
+ 'jwt.decrypt_alg_list' global option.
 Please note that the A128KW and A192KW algorithms are not available on AWS-LC so the A128KW, A192KW, ECDH-ES+A128KW and ECDH-ES+A192KW algorithms won't
diff --git a/reg-tests/jwt/jwt_decrypt.vtc b/reg-tests/jwt/jwt_decrypt.vtc
index 9ccb61d69..e7802d632 100644
--- a/reg-tests/jwt/jwt_decrypt.vtc
+++ b/reg-tests/jwt/jwt_decrypt.vtc
@@ -39,6 +39,8 @@ haproxy h1 -conf {
 crt-base "${testdir}"
 key-base "${testdir}"
+ jwt.decrypt_alg_list ALL
+
 defaults
 mode http
 timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
diff --git a/src/jwe.c b/src/jwe.c
index a022e33ab..d192cfd4c 100644
--- a/src/jwe.c
+++ b/src/jwe.c
@@ -57,7 +57,9 @@ enum {
 };
 struct alg_enc jwe_algs_dflt[] = {
- { "RSA1_5", JWE_ALG_RSA1_5, ALG_ENC_ENABLED },
+ /* The weak RSA1.5 algorithm gets disabled by default as suggested in
+ * section 3.2 of RFC 8725 */
+ { "RSA1_5", JWE_ALG_RSA1_5, ALG_ENC_DISABLED },
 { "RSA-OAEP", JWE_ALG_RSA_OAEP, ALG_ENC_ENABLED },
 { "RSA-OAEP-256", JWE_ALG_RSA_OAEP_256, ALG_ENC_ENABLED },
 { "A128KW", JWE_ALG_A128KW, ALG_ENC_ENABLED },
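Review bot: Adding `jwt.decrypt_alg_list ALL` to the global section re-enables RSA1_5 for the whole test, so after this change the regression test no longer exercises the new default, in which an RSA1_5 token has to be refused. Keeping this line for the existing RSA1_5 positive cases is fine, but the default should be covered too, for example with a second haproxy instance that carries no `jwt.decrypt_alg_list` line and an expectation that a token whose JOSE header has `"alg":"RSA1_5"` is rejected by both jwt_decrypt_cert and jwt_decrypt_jwk. If `ALL` enables every entry of the default table, it presumably also turns on any other disabled-by-default algorithm, so listing only the algorithms the test actually needs would keep the test closer to the configuration the documentation describes. The `haproxy h1 -conf` block continues outside the hunk.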
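Review bot: The new comment above the `RSA1_5` entry calls the algorithm "RSA1.5", which matches neither the table key nor the `JWE_ALG_RSA1_5` enumerator, and it says the algorithm is weak without saying why, so a maintainer tempted to flip it back has no context. I would write it as `/* RSA1_5 (RSAES-PKCS1-v1_5 key wrapping) is disabled by default: RFC 8725 section 3.2 advises against it because PKCS#1 v1.5 decryption is exposed to padding-oracle attacks. It can be re-enabled with the jwt.decrypt_alg_list global option. */`, which also ties the code to the option the doc hunks now mention. Whether a token that names a disabled algorithm is reported differently from an unknown one is not visible in this hunk; if it is not, a distinct error string would make the "disabled by default" case diagnosable from logs. The `jwe_algs_dflt` initializer continues past the end of the hunk.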