Why does the existence of a signature algorithm entail a required verification? arun11299#24

arun11299 · arun11299 · commit 87dcef903f48 · 2018-05-31T20:36:07.000+05:30
diff --git a/include/jwt/impl/jwt.ipp b/include/jwt/impl/jwt.ipp
@@ -703,34 +703,34 @@ jwt_object decode(const jwt::string_view enc_str,
     }
 
     if (ec) return obj;
-  }
 
-  //Verify the signature only if some algorithm was used
-  if (obj.header().algo() != algorithm::NONE)
-  {
-    if (!dparams.has_secret) {
-      ec = DecodeErrc::KeyNotPresent;
-      return obj;
-    }
-    jwt_signature jsign{dparams.secret};
+    //Verify the signature only if some algorithm was used
+    if (obj.header().algo() != algorithm::NONE)
+    {
+      if (!dparams.has_secret) {
+        ec = DecodeErrc::KeyNotPresent;
+        return obj;
+      }
+      jwt_signature jsign{dparams.secret};
  
-    // Length of the encoded header and payload only.
-    // Addition of '1' to account for the '.' character.
-    auto l = parts[0].length() + 1 + parts[1].length();
-
-    //MemoryAllocationError is not caught
-    verify_result_t res = jsign.verify(obj.header(), enc_str.substr(0, l), parts[2]);
-    if (res.second) {
-      ec = res.second;
-      return obj;
-    }
+      // Length of the encoded header and payload only.
+      // Addition of '1' to account for the '.' character.
+      auto l = parts[0].length() + 1 + parts[1].length();
+
+      //MemoryAllocationError is not caught
+      verify_result_t res = jsign.verify(obj.header(), enc_str.substr(0, l), parts[2]);
+      if (res.second) {
+        ec = res.second;
+        return obj;
+      }
 
-    if (!res.first) {
-      ec = VerificationErrc::InvalidSignature;
-      return obj;
+      if (!res.first) {
+        ec = VerificationErrc::InvalidSignature;
+        return obj;
+      }
+    } else {
+      ec = AlgorithmErrc::NoneAlgorithmUsed;
     }
-  } else {
-    ec = AlgorithmErrc::NoneAlgorithmUsed;
   }
 
   return obj; 
diff --git a/tests/test_jwt_decode.cc b/tests/test_jwt_decode.cc
@@ -19,10 +19,10 @@ TEST (DecodeTest, DecodeNoneAlgSign)
 {
   using namespace jwt::params;
   const char* enc_str = 
-    "eyJhbGciOiJOT05FIiwidHlwIjoiSldUIn0.eyJhdWQiOiJyaWZ0LmlvIiwiZXhwIjoxNTEzODYzMzcxLCJzdWIiOiJub3RoaW5nIG11Y2gifQ.";
+    "eyJhbGciOiJOT05FIiwidHlwIjoiSldUIn0.eyJhdWQiOiJyaWZ0LmlvIiwiZXhwIjo0NTEzODYzMzcxLCJzdWIiOiJub3RoaW5nIG11Y2gifQ.";
 
   std::error_code ec;
-  auto obj = jwt::decode(enc_str, algorithms({"none"}), ec, verify(false));
+  auto obj = jwt::decode(enc_str, algorithms({"none"}), ec, verify(true));
   EXPECT_TRUE (ec);
   EXPECT_EQ (ec.value(), static_cast<int>(jwt::AlgorithmErrc::NoneAlgorithmUsed));
 
@@ -34,7 +34,7 @@ TEST (DecodeTest, DecodeNoneAlgSign)
   EXPECT_TRUE (obj.has_claim("aud"));
   EXPECT_TRUE (obj.has_claim("exp"));
 
-  EXPECT_EQ (obj.payload().get_claim_value<uint64_t>("exp"), static_cast<uint64_t>(1513863371));
+  EXPECT_EQ (obj.payload().get_claim_value<uint64_t>("exp"), static_cast<uint64_t>(4513863371));
 }
 
 TEST (DecodeTest, DecodeWrongAlgo)
@@ -111,7 +111,7 @@ TEST (DecodeTest, SecretKeyNotPassed)
     "jk7bRQKTLvs1RcuvMc2B_rt6WBYPoVPirYi_QRBPiuk";
 
   std::error_code ec;
-  auto obj = jwt::decode(enc_str, algorithms({"none", "hs256"}), ec, verify(false));
+  auto obj = jwt::decode(enc_str, algorithms({"none", "hs256"}), ec, verify(true));
 
   ASSERT_TRUE (ec);
   EXPECT_EQ (ec.value(), static_cast<int>(jwt::DecodeErrc::KeyNotPresent));
diff --git a/tests/test_jwt_decode_verifiy_with_exception.cc b/tests/test_jwt_decode_verifiy_with_exception.cc
@@ -160,7 +160,7 @@ TEST (DecodeVerifyExp, KeyNotPresentTest)
     "eyJpYXQiOjE1MTM4NjIzNzEsImlkIjoiYS1iLWMtZC1lLWYtMS0yLTMiLCJpc3MiOiJhcnVuLm11cmFsaWRoYXJhbiIsInN1YiI6ImFkbWluIn0."
     "jk7bRQKTLvs1RcuvMc2B_rt6WBYPoVPirYi_QRBPiuk";
 
-  EXPECT_THROW (jwt::decode(enc_str, algorithms({"none", "hs256"}), verify(false)),
+  EXPECT_THROW (jwt::decode(enc_str, algorithms({"none", "hs256"}), verify(true)),
                 jwt::KeyNotPresentError);
 }
 
diff --git a/tests/test_jwt_encode.cc b/tests/test_jwt_encode.cc
@@ -286,7 +286,7 @@ TEST (EncodeTest, HeaderParamTest)
   std::error_code ec;
   auto enc_str = obj.signature();
 
-  auto dec_obj = jwt::decode(enc_str, algorithms({"none"}), ec, verify(false));
+  auto dec_obj = jwt::decode(enc_str, algorithms({"none"}), ec, verify(true));
   EXPECT_EQ (ec.value(), static_cast<int>(jwt::AlgorithmErrc::NoneAlgorithmUsed));
 
   std::cout << dec_obj.header() << std::endl;

Original file line number	Diff line number	Diff line change
`@@ -160,7 +160,7 @@ TEST (DecodeVerifyExp, KeyNotPresentTest)`
`160`	`160`	`"eyJpYXQiOjE1MTM4NjIzNzEsImlkIjoiYS1iLWMtZC1lLWYtMS0yLTMiLCJpc3MiOiJhcnVuLm11cmFsaWRoYXJhbiIsInN1YiI6ImFkbWluIn0."`
`161`	`161`	`"jk7bRQKTLvs1RcuvMc2B_rt6WBYPoVPirYi_QRBPiuk";`
`162`	`162`
`163`		`- EXPECT_THROW (jwt::decode(enc_str, algorithms({"none", "hs256"}), verify(false)),`
	`163`	`+ EXPECT_THROW (jwt::decode(enc_str, algorithms({"none", "hs256"}), verify(true)),`
`164`	`164`	`jwt::KeyNotPresentError);`
`165`	`165`	`}`
`166`	`166`