Loading...

XML

Word

Printable

JSON

Type: Task
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 8.2.0-rc0
Affects Version/s: None
Component/s: None
Labels:
- server-security-fy2026q2
- server-security-prioritized-backlog

Assigned Teams:

Server Security
Backport Requested:

v8.1, v8.0, v7.0
Sprint:
Server Security 2025-06-06, Server Security 2025-06-20, Server Security 2025-07-04
Linked BF Score:
200
Confidence Status:
None
Work Order:
3
Size Category:
TBD
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

Right now we support RS256, RS384 and RS512 JWT signing algorithms. This ticket will add support for PS256.

PS256 is similar to RS256 but uses a different padding scheme (PSS - Probabilistic Signature Scheme) instead of PKCS#1 v1.5 padding. This requires different OpenSSL functions to verify and validate tokens signed with it.

Work required:
In `jws_validator_openssl.cpp`:

Add new kPS256 constant and update getHashingAlg() method.
Add new validation path for PSS algorithms using EVP_PKEY_CTX instead of EVP_MD_CTX.
Take into consideration extra algorithms could be added in the future.

In `jws_validated_token_test.cpp`:

Add unit tests for PS256 JWT.

fixes

SERVER-106548 Update custom-key used in jws_validated_token_test to use the actual key

Closed

Assignee:: Kat Cheng
Reporter:: Adam Rayner
Participants:: Adam Rayner, Githook User, Kat Cheng
Votes:: 0 Vote for this issue
Watchers:: 2 Start watching this issue

Created:: May 06 2025 09:08:03 PM UTC
Updated:: Jul 01 2025 01:44:20 PM UTC
Resolved:: Jun 25 2025 03:23:46 PM UTC
Confidence Status Last Update:: 12/Jun/25 3:36 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates