Skip to content
This repository has been archived by the owner on May 16, 2023. It is now read-only.

A certificate verification issue in JwtService class #282

Open
thomasaugsten opened this issue Dec 5, 2022 · 1 comment
Open

A certificate verification issue in JwtService class #282

thomasaugsten opened this issue Dec 5, 2022 · 1 comment
Labels
bug Something isn't working

Comments

@thomasaugsten
Copy link
Member

@ascheibal

This issue was reported by @xubowenW in the documentation repo:

Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector on Java language(Our main concern is the secure implementation and use of Json Web Token). We found your great public repository (i.e., cwa-verification-server) from Github, and a security issue detected by our detector are shown in the following. The specific security issues we found are as follows:
(1) Location: Package: app.coronawarn.verification.service; Class: JwtService.class
Security issue: not verify the public key certificate used to validate JWT signature.

We detected that the getPublicKey method get public key from the certificate without any verification. An attacker may use the private key corresponding to a revoked or expired or self-signed public key certificate to forge a JWT. We recommend to verify the validity of certificates and certificate chains to improve system security.

We wish the above security issues cloud truly help you to build a secure application. If you have any concern or suggestion, please feel free to contact us, we are looking forwart to your reply. Thanks.
@thomasaugsten thomasaugsten added the bug Something isn't working label Dec 5, 2022
@ascheibal
Copy link
Contributor

@xubowenW,
thank you very much for pointing this out and also with your prudent disclosure of it.

Context: The JWT is generated by verification-iam on request from the verification portal, which displays the TeleTANs as one way for key submission. The teleTan itself is generated by verification server (API endpoint /tan/teletan) on verification portals request and with a JWT to ensure that the request was issued by an authenticated user (on verification portal).

After analysis we can say that your finding does not produce an attack vector in the environment we use in runtime (RedHat OpenShift) as the endpoints that shall be secured by the JWT have two other mitigation measures:
1.) mTLS communication
2.) They are not public available, only communicate via platform internal private service routes.
This setup is not obvious and actually none where you additionally need to apply a JWT as security measure.

So we decided to make your issue public to point out, that the JWT usage is not fully implemented here and should not be regarded as best practice until there is a rework, which we will link this issue to.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@thomasaugsten @ascheibal