Prevent exception on wrong data types in JSON Web Keys

E.g., with numeric values when urlsafeb64 strings expected. Add test cases for JWK RSA and EC keys.
badkeys · Jan 8, 2025 · f01e7e6 · f01e7e6
1 parent 0085d41
commit f01e7e6
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/keyfinder.py b/keyfinder.py
@@ -211,6 +211,8 @@ def getjwk(kstr):
     except json.decoder.JSONDecodeError:
         return False
     if {"n", "e", "d"} <= j.keys():
+        if not all(isinstance(j[x], str) for x in ["n", "d", "e"]):
+            return False
         try:
             n = ub64toint(j["n"])
             e = ub64toint(j["e"])
@@ -221,6 +223,8 @@ def getjwk(kstr):
     # y value does not exist for all curve types, and
     # we do not need it, so ignore
     if {"x", "d", "crv"} <= j.keys():
+        if not all(isinstance(j[x], str) for x in ["x", "d", "crv"]):
+            return False
         if j["crv"] in ["Ed25519", "X25519", "Ed448", "X448"]:
             try:
                 d = ub64tobin(j["d"])

diff --git a/tests/data/invalid/jwk-broken.txt b/tests/data/invalid/jwk-broken.txt
@@ -55,3 +55,27 @@ ECDSA with empty d
 "y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
 "d":""
 }
+
+
+RSA key with numeric e (invalid):
+
+{"kty":"RSA",
+"n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4
+cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMst
+n64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2Q
+vzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbIS
+D08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw
+0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
+"e":65537,
+"d":"X4cTteJY_gn4FYPsXB8rdXix5vwsg1FLN5E3EaG6RJoVH-HLLKD9
+M7dx5oo7GURknchnrRweUkC7hT5fJLM0WbFAKNLWY2vv7B6NqXSzUvxT0_YSfqij
+wp3RTzlBaCxWp4doFk5N2o8Gy_nHNKroADIkJ46pRUohsXywbReAdYaMwFs9tv8d
+_cPVY3i07a3t8MN6TNwm0dSawm9v47UiCl3Sk5ZiG7xojPLu4sbg1U2jx4IBTNBz
+nbJSzFHK66jT8bgkuqsk0GjskDJk19Z4qwjwbsnn4j2WBii3RL-Us2lGVkY8fkFz
+me1z0HbIkfz0Y6mqnOYtqc0X4jfcKoAC8Q"}
+
+
+EC key with numeric d (invalid):
+{"kty":"OKP","crv":"Ed25519",
+"d":71185727259945196030657158393116523760833600269775786460544228200423405551456,
+"x":"11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"}