modules/md/md_jws.c - httpd - Git at Google

 /* Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #include <apr_lib.h>
 #include <apr_strings.h>
 #include <apr_tables.h>
 #include <apr_buckets.h>

 #include "md_crypt.h"
 #include "md_json.h"
 #include "md_jws.h"
 #include "md_log.h"
 #include "md_util.h"

 static int header_set(void *data, const char *key, const char *val)
 {
     md_json_sets(val, (md_json_t *)data, key, NULL);
     return 1;
 }

 apr_status_t md_jws_sign(md_json_t **pmsg, apr_pool_t *p,
                          const char *payload, size_t len,
                          struct apr_table_t *protected,
                          struct md_pkey_t *pkey, const char *key_id)
 {
     md_json_t *msg, *jprotected;
     const char *prot64, *pay64, *sign64, *sign, *prot;
     apr_status_t rv = APR_SUCCESS;

     *pmsg = NULL;

     msg = md_json_create(p);

     jprotected = md_json_create(p);
     md_json_sets("RS256", jprotected, "alg", NULL);
     if (key_id) {
         md_json_sets(key_id, jprotected, "kid", NULL);
     }
     else {
         md_json_sets(md_pkey_get_rsa_e64(pkey, p), jprotected, "jwk", "e", NULL);
         md_json_sets("RSA", jprotected, "jwk", "kty", NULL);
         md_json_sets(md_pkey_get_rsa_n64(pkey, p), jprotected, "jwk", "n", NULL);
     }
     apr_table_do(header_set, jprotected, protected, NULL);
     prot = md_json_writep(jprotected, p, MD_JSON_FMT_COMPACT);
     md_log_perror(MD_LOG_MARK, MD_LOG_TRACE4, 0, p, "protected: %s",
                   prot ? prot : "<failed to serialize!>");

     if (!prot) {
         rv = APR_EINVAL;
     }

     if (rv == APR_SUCCESS) {
         prot64 = md_util_base64url_encode(prot, strlen(prot), p);
         md_json_sets(prot64, msg, "protected", NULL);
         pay64 = md_util_base64url_encode(payload, len, p);

         md_json_sets(pay64, msg, "payload", NULL);
         sign = apr_psprintf(p, "%s.%s", prot64, pay64);

         rv = md_crypt_sign64(&sign64, pkey, p, sign, strlen(sign));
     }

     if (rv == APR_SUCCESS) {
         md_log_perror(MD_LOG_MARK, MD_LOG_TRACE3, 0, p,
                       "jws pay64=%s\nprot64=%s\nsign64=%s", pay64, prot64, sign64);

         md_json_sets(sign64, msg, "signature", NULL);
     }
     else {
         md_log_perror(MD_LOG_MARK, MD_LOG_WARNING, rv, p, "jwk signed message");
     }

     *pmsg = (APR_SUCCESS == rv)? msg : NULL;
     return rv;
 }

 apr_status_t md_jws_pkey_thumb(const char **pthumb, apr_pool_t *p, struct md_pkey_t *pkey)
 {
     const char *e64, *n64, *s;
     md_data data;
     apr_status_t rv;

     e64 = md_pkey_get_rsa_e64(pkey, p);
     n64 = md_pkey_get_rsa_n64(pkey, p);
     if (!e64 || !n64) {
         return APR_EINVAL;
     }

     /* whitespace and order is relevant, since we hand out a digest of this */
     s = apr_psprintf(p, "{\"e\":\"%s\",\"kty\":\"RSA\",\"n\":\"%s\"}", e64, n64);
     MD_DATA_SET_STR(&data, s);
     rv = md_crypt_sha256_digest64(pthumb, p, &data);
     return rv;
 }
	/* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#include <apr_lib.h>
	#include <apr_strings.h>
	#include <apr_tables.h>
	#include <apr_buckets.h>

	#include "md_crypt.h"
	#include "md_json.h"
	#include "md_jws.h"
	#include "md_log.h"
	#include "md_util.h"

	static int header_set(void data, const char key, const char *val)
	{
	md_json_sets(val, (md_json_t *)data, key, NULL);
	return 1;
	}

	apr_status_t md_jws_sign(md_json_t *pmsg, apr_pool_t p,
	const char *payload, size_t len,
	struct apr_table_t *protected,
	struct md_pkey_t pkey, const char key_id)
	{
	md_json_t msg, jprotected;
	const char prot64, pay64, sign64, sign, *prot;
	apr_status_t rv = APR_SUCCESS;

	*pmsg = NULL;

	msg = md_json_create(p);

	jprotected = md_json_create(p);
	md_json_sets("RS256", jprotected, "alg", NULL);
	if (key_id) {
	md_json_sets(key_id, jprotected, "kid", NULL);
	}
	else {
	md_json_sets(md_pkey_get_rsa_e64(pkey, p), jprotected, "jwk", "e", NULL);
	md_json_sets("RSA", jprotected, "jwk", "kty", NULL);
	md_json_sets(md_pkey_get_rsa_n64(pkey, p), jprotected, "jwk", "n", NULL);
	}
	apr_table_do(header_set, jprotected, protected, NULL);
	prot = md_json_writep(jprotected, p, MD_JSON_FMT_COMPACT);
	md_log_perror(MD_LOG_MARK, MD_LOG_TRACE4, 0, p, "protected: %s",
	prot ? prot : "<failed to serialize!>");

	if (!prot) {
	rv = APR_EINVAL;
	}

	if (rv == APR_SUCCESS) {
	prot64 = md_util_base64url_encode(prot, strlen(prot), p);
	md_json_sets(prot64, msg, "protected", NULL);
	pay64 = md_util_base64url_encode(payload, len, p);

	md_json_sets(pay64, msg, "payload", NULL);
	sign = apr_psprintf(p, "%s.%s", prot64, pay64);

	rv = md_crypt_sign64(&sign64, pkey, p, sign, strlen(sign));
	}

	if (rv == APR_SUCCESS) {
	md_log_perror(MD_LOG_MARK, MD_LOG_TRACE3, 0, p,
	"jws pay64=%s\nprot64=%s\nsign64=%s", pay64, prot64, sign64);

	md_json_sets(sign64, msg, "signature", NULL);
	}
	else {
	md_log_perror(MD_LOG_MARK, MD_LOG_WARNING, rv, p, "jwk signed message");
	}

	*pmsg = (APR_SUCCESS == rv)? msg : NULL;
	return rv;
	}

	apr_status_t md_jws_pkey_thumb(const char *pthumb, apr_pool_t p, struct md_pkey_t *pkey)
	{
	const char e64, n64, *s;
	md_data data;
	apr_status_t rv;

	e64 = md_pkey_get_rsa_e64(pkey, p);
	n64 = md_pkey_get_rsa_n64(pkey, p);
	if (!e64 \|\| !n64) {
	return APR_EINVAL;
	}

	/* whitespace and order is relevant, since we hand out a digest of this */
	s = apr_psprintf(p, "{\"e\":\"%s\",\"kty\":\"RSA\",\"n\":\"%s\"}", e64, n64);
	MD_DATA_SET_STR(&data, s);
	rv = md_crypt_sha256_digest64(pthumb, p, &data);
	return rv;
	}