Add validation of `name` in DPoP token

4 months ago · 5d7e53303b
parent 2e78301189
commit 5d7e53303b
3 changed files with 20 additions and 0 deletions
--- a/acme/challenge.go
+++ b/acme/challenge.go
@ -723,6 +723,14 @@ func parseAndVerifyWireAccessToken(v wireVerifyParams) (*wireAccessToken, *wireD
 		return nil, nil, fmt.Errorf("invalid Wire client handle %q", handle)
 	}

+	name, ok := dpopToken["name"].(string)
+	if !ok {
+		return nil, nil, fmt.Errorf("invalid display name in Wire DPoP token")
+	}
+	if name == "" || name != v.wireID.Name {
+		return nil, nil, fmt.Errorf("invalid Wire client display name %q", handle)
+	}
+
 	return &accessToken, &dpopToken, nil
 }

--- a/acme/challenge_test.go
+++ b/acme/challenge_test.go
@ -1008,6 +1008,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle    string `json:"handle,omitempty"`
 				Nonce     string `json:"nonce,omitempty"`
 				HTU       string `json:"htu,omitempty"`
+				Name      string `json:"name,omitempty"`
 			}{
 				Claims: jose.Claims{
 					Subject:  "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
@ -1017,6 +1018,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle:    "wireapp://%40alice_wire@wire.com",
 				Nonce:     "nonce",
 				HTU:       "http://issuer.example.com",
+				Name:      "Alice Smith",
 			})
 			require.NoError(t, err)
 			dpop, err := dpopSigner.Sign(dpopBytes)
--- a/acme/challenge_wire_test.go
+++ b/acme/challenge_wire_test.go
@ -306,6 +306,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle    string `json:"handle,omitempty"`
 				Nonce     string `json:"nonce,omitempty"`
 				HTU       string `json:"htu,omitempty"`
+				Name      string `json:"name,omitempty"`
 			}{
 				Claims: jose.Claims{
 					Subject:  "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
@ -315,6 +316,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle:    "wireapp://%40alice_wire@wire.com",
 				Nonce:     "nonce",
 				HTU:       "http://issuer.example.com",
+				Name:      "Alice Smith",
 			})
 			require.NoError(t, err)
 			dpop, err := dpopSigner.Sign(dpopBytes)
@ -450,6 +452,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle    string `json:"handle,omitempty"`
 				Nonce     string `json:"nonce,omitempty"`
 				HTU       string `json:"htu,omitempty"`
+				Name      string `json:"name,omitempty"`
 			}{
 				Claims: jose.Claims{
 					Subject:  "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
@ -459,6 +462,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle:    "wireapp://%40alice_wire@wire.com",
 				Nonce:     "nonce",
 				HTU:       "http://issuer.example.com",
+				Name:      "Alice Smith",
 			})
 			require.NoError(t, err)
 			dpop, err := dpopSigner.Sign(dpopBytes)
@ -598,6 +602,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle    string `json:"handle,omitempty"`
 				Nonce     string `json:"nonce,omitempty"`
 				HTU       string `json:"htu,omitempty"`
+				Name      string `json:"name,omitempty"`
 			}{
 				Claims: jose.Claims{
 					Subject:  "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
@ -607,6 +612,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle:    "wireapp://%40alice_wire@wire.com",
 				Nonce:     "nonce",
 				HTU:       "http://issuer.example.com",
+				Name:      "Alice Smith",
 			})
 			require.NoError(t, err)
 			dpop, err := dpopSigner.Sign(dpopBytes)
@ -746,6 +752,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle    string `json:"handle,omitempty"`
 				Nonce     string `json:"nonce,omitempty"`
 				HTU       string `json:"htu,omitempty"`
+				Name      string `json:"name,omitempty"`
 			}{
 				Claims: jose.Claims{
 					Subject:  "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
@ -755,6 +762,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle:    "wireapp://%40alice_wire@wire.com",
 				Nonce:     "nonce",
 				HTU:       "http://issuer.example.com",
+				Name:      "Alice Smith",
 			})
 			require.NoError(t, err)
 			dpop, err := dpopSigner.Sign(dpopBytes)
@ -901,6 +909,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle    string `json:"handle,omitempty"`
 				Nonce     string `json:"nonce,omitempty"`
 				HTU       string `json:"htu,omitempty"`
+				Name      string `json:"name,omitempty"`
 			}{
 				Claims: jose.Claims{
 					Subject:  "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
@ -910,6 +919,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				Handle:    "wireapp://%40alice_wire@wire.com",
 				Nonce:     "nonce",
 				HTU:       "http://issuer.example.com",
+				Name:      "Alice Smith",
 			})
 			require.NoError(t, err)
 			dpop, err := dpopSigner.Sign(dpopBytes)