Skip to content

[fix] Bound issuer key caching#392

Merged
St4NNi merged 10 commits into
mainfrom
fix/issuer-key-cache
Jul 11, 2026
Merged

[fix] Bound issuer key caching#392
St4NNi merged 10 commits into
mainfrom
fix/issuer-key-cache

Conversation

@St4NNi

@St4NNi St4NNi commented Jul 11, 2026

Copy link
Copy Markdown
Member

Closes #345

Unverified JWT claims selected the issuer key, which was parsed and inserted into an unbounded process-lifetime cache before any trust check — an unauthenticated memory-exhaustion vector.

  • A trust gate runs before caching: only a trusted realm (with a valid delegation signature over the issuer pubkey) reaches the cached path; untrusted issuers decode with an ephemeral, never-cached key.
  • Both caches (API ServerState and the metadata validator) are replaced by one bounded IssuerKeyCache (LRU 1024 entries + 1h TTL).

@St4NNi St4NNi force-pushed the fix/issuer-key-cache branch from 938f7d7 to 8e35e21 Compare July 11, 2026 13:49
@St4NNi St4NNi force-pushed the fix/issuer-key-cache branch from e40af5d to f896076 Compare July 11, 2026 16:29
@St4NNi St4NNi merged commit be4eaf5 into main Jul 11, 2026
6 checks passed
@St4NNi St4NNi deleted the fix/issuer-key-cache branch July 11, 2026 16:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[fix] Bound issuer key caching

1 participant