From 01d204b6dff0e1d24ea2403aa771b2cdeb010f07 Mon Sep 17 00:00:00 2001 From: TJ Borromeo Date: Thu, 4 May 2017 14:36:58 -0400 Subject: [PATCH 1/4] raise error on undefined secrets Change to SignStream class as it uses DataStream objects to create secret and payload streams. This error should then be caught by jwsSign to adequately fail users downstream instead of failing silently. --- lib/sign-stream.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/sign-stream.js b/lib/sign-stream.js index e24576f..ce22812 100644 --- a/lib/sign-stream.js +++ b/lib/sign-stream.js @@ -26,6 +26,8 @@ function jwsSign(opts) { function SignStream(opts) { var secret = opts.secret||opts.privateKey||opts.key; + // an undefined or null secret should be an error + if (secret == undefined) throw new ReferenceError("secret not defined"); var secretStream = new DataStream(secret); this.readable = true; this.header = opts.header; From 4f8bde3d7f02f769504187355a87638aa93ecf9e Mon Sep 17 00:00:00 2001 From: TJ Borromeo Date: Thu, 4 May 2017 15:05:06 -0400 Subject: [PATCH 2/4] emit error on undefined secrets All tests expect an undefined to be returned on failure, so using a naked return back to jwsSign rather than raising an explicit ReferenceError. --- lib/sign-stream.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/sign-stream.js b/lib/sign-stream.js index ce22812..0851c7f 100644 --- a/lib/sign-stream.js +++ b/lib/sign-stream.js @@ -26,8 +26,7 @@ function jwsSign(opts) { function SignStream(opts) { var secret = opts.secret||opts.privateKey||opts.key; - // an undefined or null secret should be an error - if (secret == undefined) throw new ReferenceError("secret not defined"); + if (secret == undefined) return; var secretStream = new DataStream(secret); this.readable = true; this.header = opts.header; From 0efcc27a085eafa91cda7c584145418ca0c50c8f Mon Sep 17 00:00:00 2001 From: TJ Borromeo Date: Thu, 4 May 2017 17:51:07 -0400 Subject: [PATCH 3/4] Update sign-stream.js --- lib/sign-stream.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/sign-stream.js b/lib/sign-stream.js index 0851c7f..0e732ff 100644 --- a/lib/sign-stream.js +++ b/lib/sign-stream.js @@ -26,12 +26,12 @@ function jwsSign(opts) { function SignStream(opts) { var secret = opts.secret||opts.privateKey||opts.key; - if (secret == undefined) return; var secretStream = new DataStream(secret); this.readable = true; this.header = opts.header; this.encoding = opts.encoding; this.secret = this.privateKey = this.key = secretStream; + if (this.secret == undefined) return; this.payload = new DataStream(opts.payload); this.secret.once('close', function () { if (!this.payload.writable && this.readable) From 20cabb513bf167e13a55bc92a7dfa03467f52d24 Mon Sep 17 00:00:00 2001 From: TJ Borromeo Date: Thu, 4 May 2017 18:00:14 -0400 Subject: [PATCH 4/4] emit error on undefined keys undefined keys should raise no value, so that errors during jws.Sign can emit an error. added tests to ensure the same are check upon HMAC testing --- test/jws.test.js | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/test/jws.test.js b/test/jws.test.js index 7f53d6f..6bfa86a 100644 --- a/test/jws.test.js +++ b/test/jws.test.js @@ -20,6 +20,7 @@ const rsaPrivateKeyEncrypted = readfile('rsa-private-encrypted.pem'); const encryptedPassphrase = readfile('encrypted-key-passphrase'); const rsaPublicKey = readfile('rsa-public.pem'); const rsaWrongPublicKey = readfile('rsa-wrong-public.pem'); +const undefinedKey = undefined; const ecdsaPrivateKey = { '256': readfile('ec256-private.pem'), '384': readfile('ec384-private.pem'), @@ -69,6 +70,24 @@ BITS.forEach(function (bits) { }); }); +BITS.forEach(function (bits) { + test('HMAC using SHA-'+bits+' hash algorithm undefined key test', function (t) { + const alg = 'HS'+bits; + const header = { alg: alg, typ: 'JWT' }; + const secret = undefinedKey; + var parts; + t.throws(function () { + parts = jws.sign({ + header: header, + payload: payload, + secret: secret, + encoding: 'utf8', + }); + }) + t.end(); + }); +}); + BITS.forEach(function (bits) { test('RSASSA using SHA-'+bits+' hash algorithm', function (t) { const alg = 'RS'+bits; @@ -317,7 +336,6 @@ test('jws.verify: missing or invalid algorithm', function (t) { t.end(); }); - test('jws.isValid', function (t) { const valid = jws.sign({ header: { alg: 'hs256' }, payload: 'hi', secret: 'shhh' }); const invalid = (function(){