← nischoy.ai

minio Verification

SMT2 formal verification of security-critical code paths

1 FAILED
Overall
1
Properties Checked
0
Verified
1
Failed

OIDC JWT Verification Must Be Asymmetric-Only

FAILED

Function: Validate · Z3 solved in 2.0ms

CVE-2026-33322 class: OIDC token verifiers must reject HS* signatures when verifier key material can include client secrets. This catches sibling JWT algorithm-confusion variants where key selection by kid and permissive alg allow attacker-forged HMAC tokens to impersonate arbitrary identities.

View SMT2 Constraints 
; benchmark generated from python API
(set-info :status unknown)
(declare-fun oidc_asymmetric_jwt_only () Int)
(assert
 (<= oidc_asymmetric_jwt_only 0))
(assert
 (>= oidc_asymmetric_jwt_only 0))
(assert
 (and (distinct oidc_asymmetric_jwt_only 1) true))
(check-sat)

Last verified: 2026-03-26 18:04:34 UTC · Solver: Z3 4.16.0