Security Advisories (2)
CVE-2019-1010263 (2019-03-20)

Perl Crypt::JWT prior to 0.023 is affected by: Incorrect Access Control. The impact is: allow attackers to bypass authentication by providing a token by crafting with hmac(). The component is: JWT.pm, line 614. The attack vector is: network connectivity. The fixed version is: after commit b98a59b42ded9f9e51b2560410106207c2152d6c.

CVE-2019-1010161 (2019-03-20)

perl-CRYPT-JWT 0.022 and earlier is affected by: Incorrect Access Control. The impact is: bypass authentication. The component is: JWT.pm for JWT security token, line 614 in _decode_jws(). The attack vector is: network connectivity (crafting user-controlled input to bypass authentication). The fixed version is: 0.023.

NAME

Crypt::JWT - JSON Web Token (JWT, JWS, JWE) as defined by RFC7519, RFC7515, RFC7516

SYNOPSIS

# encoding
use Crypt::JWT qw(encode_jwt);
my $data = { sub => 'user1' };   # sample payload
my $jws_token = encode_jwt(payload=>$data, alg=>'HS256', key=>'secret');
# A192GCMKW wraps the content key with AES-192, so the key must be exactly 24 bytes
my $jwe_key = '0123456789abcdef01234567';
my $jwe_token = encode_jwt(payload=>$data, alg=>'A192GCMKW', enc=>'A192CBC-HS384', key=>$jwe_key);

# decoding
use Crypt::JWT qw(decode_jwt);
my $data1 = decode_jwt(token=>$jws_token, key=>'secret');
my $data2 = decode_jwt(token=>$jwe_token, key=>$jwe_key);

DESCRIPTION

BEWARE: experimental, unfinished, unstable, work in progress!!!

Implements JSON Web Token (JWT) - https://tools.ietf.org/html/rfc7519. The implementation covers not only JSON Web Signature (JWS) - https://tools.ietf.org/html/rfc7515, but also JSON Web Encryption (JWE) - https://tools.ietf.org/html/rfc7516.

The module implements all (100%) algorithms defined in https://tools.ietf.org/html/rfc7518 - JSON Web Algorithms (JWA).

Supported JWE (encryption) algorithms:

alg                 enc
------------------  -------------
dir                 A128GCM
A128KW              A192GCM
A192KW              A256GCM
A256KW              A128CBC-HS256
A128GCMKW           A192CBC-HS384
A192GCMKW           A256CBC-HS512
A256GCMKW           
PBES2-HS256+A128KW  
PBES2-HS384+A192KW  
PBES2-HS512+A256KW  
RSA-OAEP            
RSA-OAEP-256        
RSA1_5              
ECDH-ES+A128KW
ECDH-ES+A192KW
ECDH-ES+A256KW
ECDH-ES

Supported JWS (signature) algorithms:

alg        note
---------  ----------------------------------------
none       no integrity (NOTE: disabled by default)
HS256      HMAC integrity
HS384
HS512
RS256      RSA+PKCS1-V1_5 signatures
RS384
RS512
PS256      RSA+PSS signatures
PS384
PS512
ES256      ECDSA signatures
ES384
ES512
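
A caller can pin the expected signature algorithm from the table above before handing a token to decode_jwt, so that the token's own header never decides how it is verified. The following is an added example, not code from Crypt::JWT or its author; the helper decode_jws_pinned and its allowed_alg argument are hypothetical, and the secret and claims are constructed sample values. It assumes JSON::PP and a MIME::Base64 that provides decode_base64url.

```perl
use strict;
use warnings;
use Crypt::JWT qw(encode_jwt decode_jwt);
use JSON::PP qw(decode_json);
use MIME::Base64 qw(decode_base64url);

# Hypothetical helper, not part of Crypt::JWT: verify a JWS only when its
# header names an algorithm the caller expects for this key.
sub decode_jws_pinned {
    my (%args) = @_;
    my ($token, $key, $allowed) = @args{qw(token key allowed_alg)};

    # JWS compact form has exactly three dot-separated segments (JWE has five).
    my @seg = split /\./, $token, -1;
    die "not a JWS compact token\n" unless @seg == 3;

    # Inspect the header before verification so the token cannot pick the
    # verification path. decode_json dies on malformed JSON.
    my $header = decode_json(decode_base64url($seg[0]));
    die "JWS header is not an object\n" unless ref $header eq 'HASH';
    my $alg = $header->{alg};
    die "missing alg\n" unless defined $alg && !ref $alg;

    # Never accept 'none' here; the allow-list is an exact, case-sensitive match.
    die "alg 'none' rejected\n" if lc($alg) eq 'none';
    die "unexpected alg '$alg'\n" unless grep { $_ eq $alg } @$allowed;

    return decode_jwt(token => $token, key => $key);
}

# Constructed demo: the secret and claims are sample values.
my $secret = 'constructed-shared-secret';
my $token  = encode_jwt(payload => { sub => 'alice' }, alg => 'HS256', key => $secret);

my $claims = decode_jws_pinned(token => $token, key => $secret, allowed_alg => ['HS256']);
print "accepted, sub=$claims->{sub}\n";

# Same valid token, but this verifier only expects RSA signatures.
my $ok = eval { decode_jws_pinned(token => $token, key => $secret, allowed_alg => ['RS256']); 1 };
print "rejected: $@" unless $ok;
```

Keeping one allow-list per key, with HMAC algorithms listed only for shared secrets and RS/PS/ES algorithms only for public keys, keeps the check tied to the key type rather than to anything the token supplies.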

FUNCTIONS

decode_jwt

my $data = decode_jwt(%named_args);

Named arguments:

token

XXX-TODO

key

XXX-TODO

allow_none

XXX-TODO

encode_jwt

my $token = encode_jwt(%named_args);

Named arguments:

payload

XXX-TODO

key

XXX-TODO

allow_none

XXX-TODO

auto_iat

XXX-TODO

SEE ALSO

Crypt::Cipher::AES, Crypt::AuthEnc::GCM, Crypt::PK::RSA, Crypt::PK::ECC, Crypt::KeyDerivation, Crypt::KeyWrap