| /* Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #include <apr_lib.h> |
| #include <apr_strings.h> |
| #include <apr_tables.h> |
| #include <apr_buckets.h> |
| |
| #include "md_crypt.h" |
| #include "md_json.h" |
| #include "md_jws.h" |
| #include "md_log.h" |
| #include "md_util.h" |
| |
| static int header_set(void *data, const char *key, const char *val) |
| { |
| md_json_sets(val, (md_json_t *)data, key, NULL); |
| return 1; |
| } |
| |
| apr_status_t md_jws_sign(md_json_t **pmsg, apr_pool_t *p, |
| const char *payload, size_t len, |
| struct apr_table_t *protected, |
| struct md_pkey_t *pkey, const char *key_id) |
| { |
| md_json_t *msg, *jprotected; |
| const char *prot64, *pay64, *sign64, *sign, *prot; |
| apr_status_t rv = APR_SUCCESS; |
| |
| *pmsg = NULL; |
| |
| msg = md_json_create(p); |
| |
| jprotected = md_json_create(p); |
| md_json_sets("RS256", jprotected, "alg", NULL); |
| if (key_id) { |
| md_json_sets(key_id, jprotected, "kid", NULL); |
| } |
| else { |
| md_json_sets(md_pkey_get_rsa_e64(pkey, p), jprotected, "jwk", "e", NULL); |
| md_json_sets("RSA", jprotected, "jwk", "kty", NULL); |
| md_json_sets(md_pkey_get_rsa_n64(pkey, p), jprotected, "jwk", "n", NULL); |
| } |
| apr_table_do(header_set, jprotected, protected, NULL); |
| prot = md_json_writep(jprotected, p, MD_JSON_FMT_COMPACT); |
| md_log_perror(MD_LOG_MARK, MD_LOG_TRACE4, 0, p, "protected: %s", |
| prot ? prot : "<failed to serialize!>"); |
| |
| if (!prot) { |
| rv = APR_EINVAL; |
| } |
| |
| if (rv == APR_SUCCESS) { |
| prot64 = md_util_base64url_encode(prot, strlen(prot), p); |
| md_json_sets(prot64, msg, "protected", NULL); |
| pay64 = md_util_base64url_encode(payload, len, p); |
| |
| md_json_sets(pay64, msg, "payload", NULL); |
| sign = apr_psprintf(p, "%s.%s", prot64, pay64); |
| |
| rv = md_crypt_sign64(&sign64, pkey, p, sign, strlen(sign)); |
| } |
| |
| if (rv == APR_SUCCESS) { |
| md_log_perror(MD_LOG_MARK, MD_LOG_TRACE3, 0, p, |
| "jws pay64=%s\nprot64=%s\nsign64=%s", pay64, prot64, sign64); |
| |
| md_json_sets(sign64, msg, "signature", NULL); |
| } |
| else { |
| md_log_perror(MD_LOG_MARK, MD_LOG_WARNING, rv, p, "jwk signed message"); |
| } |
| |
| *pmsg = (APR_SUCCESS == rv)? msg : NULL; |
| return rv; |
| } |
| |
| apr_status_t md_jws_pkey_thumb(const char **pthumb, apr_pool_t *p, struct md_pkey_t *pkey) |
| { |
| const char *e64, *n64, *s; |
| md_data data; |
| apr_status_t rv; |
| |
| e64 = md_pkey_get_rsa_e64(pkey, p); |
| n64 = md_pkey_get_rsa_n64(pkey, p); |
| if (!e64 || !n64) { |
| return APR_EINVAL; |
| } |
| |
| /* whitespace and order is relevant, since we hand out a digest of this */ |
| s = apr_psprintf(p, "{\"e\":\"%s\",\"kty\":\"RSA\",\"n\":\"%s\"}", e64, n64); |
| MD_DATA_SET_STR(&data, s); |
| rv = md_crypt_sha256_digest64(pthumb, p, &data); |
| return rv; |
| } |