From 4fdc6eb1feed98df47bc853ef1c12e7cbd89270a Mon Sep 17 00:00:00 2001 From: Boris Stoyanov Date: Fri, 29 Nov 2019 17:16:50 +0200 Subject: [PATCH] introduce support for certificate files in rsa/hs confusion Reworked the way public key files are ingested for the rsa/hs confusion attack, so that passing a .509 certificate works as well. This was done in order to equalise the behaviour with option "8: Verify RSA sifnature against a Public Key", which accepts certificate .pem files. --- jwt_tool.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jwt_tool.py b/jwt_tool.py index ca27c5d..db6c511 100644 --- a/jwt_tool.py +++ b/jwt_tool.py @@ -604,7 +604,7 @@ def checkAlgNone(headDict, tok2): def checkPubKey(headDict, tok2, pubKey): print("\n====================================================================\nThis option takes an available Public Key (the SSL certificate from \na webserver, for example?) and switches the RSA-signed \n(RS256/RS384/RS512) JWT that uses the Public Key as its 'secret'.\n====================================================================") try: - key = open(pubKey).read() + key = RSA.importKey(open(pubKey).read()).exportKey().decode() + "\n" print("File loaded: "+pubKey) except: print("[-] File not found")