From 6acb2e3f360e158d12e61e4b679406c453e65379 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Thu, 5 Dec 2019 11:26:36 -0600
Subject: [PATCH] kdc: Fix JWK key rotation danger

---
 kdc/cjwt_token_validator.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/kdc/cjwt_token_validator.c b/kdc/cjwt_token_validator.c
index 49c481111..7d077f3ba 100644
--- a/kdc/cjwt_token_validator.c
+++ b/kdc/cjwt_token_validator.c
@@ -118,6 +118,10 @@ get_issuer_pubkeys(krb5_context context,
         previous->data = 0;
         previous->length = 0;
     }
+
+    if (previous->data == NULL && current->data == NULL && next->data == NULL)
+        return krb5_set_error_message(context, ENOENT, "No JWKs found"),
+            ENOENT;
     return 0;
 }
@@ -233,10 +237,13 @@ validate(void *ctx,
         return ret;
     }
-    if ((ret = cjwt_decode(tokstr, 0, &jwt, jwk_current.data,
-                           jwk_current.length)) == -2 &&
-        (ret = cjwt_decode(tokstr, 0, &jwt, jwk_next.data,
-                           jwk_next.length)) == -2)
+    if (jwk_current.length && jwk_current.data)
+        ret = cjwt_decode(tokstr, 0, &jwt, jwk_current.data,
+                          jwk_current.length);
+    if (ret && jwk_next.length && jwk_next.data)
+        ret = cjwt_decode(tokstr, 0, &jwt, jwk_next.data,
+                          jwk_next.length);
+    if (ret && jwk_previous.length && jwk_previous.data)
         ret = cjwt_decode(tokstr, 0, &jwt, jwk_previous.data,
                           jwk_previous.length);
     free(jwk_previous.data);
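Review bot: The "no JWKs" guard added to get_issuer_pubkeys tests only `->data == NULL`, while the callers in validate (second hunk) treat a key as usable only when both `.length` and `.data` are non-zero, so a key slot with a non-NULL pointer but zero length passes this guard and is then skipped by every decode attempt. Make the two emptiness tests agree, e.g. `if (previous->length == 0 && current->length == 0 && next->length == 0)` here, or test both fields in both places. The comma-operator `return krb5_set_error_message(...), ENOENT;` is legal but easy to misread; two statements would be clearer. The body of get_issuer_pubkeys begins above this hunk, so where the slots are cleared to 0 is only partly visible.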
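Review bot: In validate, the new chain only falls through to `jwk_next` and `jwk_previous` when `ret` is non-zero, but nothing sets `ret` to a failure before the chain: if `jwk_current` is empty the first `if` is skipped, and `ret` keeps whatever value it had from the preceding call (presumably 0 after a successful get_issuer_pubkeys, whose assignment is above this hunk), so the `next` and `previous` keys are never tried and the function continues with `ret == 0` and `jwt` unset. Seed the chain with a failure first, e.g. `ret = -1; /* no key tried yet */` immediately before `if (jwk_current.length && jwk_current.data)`, so an absent current key does not read as a successful decode. Note also that the old code retried only on `-2` (the signature-mismatch result), whereas the new code retries on any non-zero `ret`, so the error finally reported comes from the last key tried rather than the first real failure; that may be intended, but is worth a one-line comment. validate's body continues past the end of the hunk.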