upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-04-26 00:27:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 11
haproxy/src/jwt.c

679 lines
17 KiB
C
Raw Normal View History

MINOR: jwt: Parse JWT alg field The full list of possible algorithms used to create a JWS signature is defined in section 3.1 of RFC7518. This patch adds a helper function that converts the "alg" strings into an enum member.
2021-10-01 09:36:54 -04:00
/*
* JSON Web Token (JWT) processing
*
* Copyright 2021 HAProxy Technologies
* Remi Tricot-Le Breton <rlebreton@haproxy.com>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*/
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
#include <sys/stat.h>
MINOR: jwt: Parse JWT alg field The full list of possible algorithms used to create a JWS signature is defined in section 3.1 of RFC7518. This patch adds a helper function that converts the "alg" strings into an enum member.
2021-10-01 09:36:54 -04:00
#include <import/ebmbtree.h>
#include <import/ebsttree.h>
#include <haproxy/api.h>
#include <haproxy/tools.h>
#include <haproxy/openssl-compat.h>
#include <haproxy/base64.h>
#include <haproxy/jwt.h>
BUG/MEDIUM: jwt: Properly process ecdsa signatures (concatenated R and S params) When the JWT token signature is using ECDSA algorithm (ES256 for instance), the signature is a direct concatenation of the R and S parameters instead of OpenSSL's DER format (see section 3.4 of RFC7518). The code that verified the signatures wrongly assumed that they came in OpenSSL's format and it did not actually work. We now have the extra step of converting the signature into a complete ECDSA_SIG that can be fed into OpenSSL's digest verification functions. The ECDSA signatures in the regtest had to be recalculated and it was made via the PyJWT python library so that we don't end up checking signatures that we built ourselves anymore. This patch should fix GitHub issue #2001. It should be backported up to branch 2.5.
2023-01-18 09:32:28 -05:00
#include <haproxy/buf.h>
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
#include <haproxy/ssl_ckch.h>
#include <haproxy/ssl_sock.h>
MINOR: jwt: Parse JWT alg field The full list of possible algorithms used to create a JWS signature is defined in section 3.1 of RFC7518. This patch adds a helper function that converts the "alg" strings into an enum member.
2021-10-01 09:36:54 -04:00
#ifdef USE_OPENSSL
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
MINOR: jwt: Insert public certificates into dedicated JWT tree A JWT signed with the RSXXX or ESXXX algorithm (RSA or ECDSA) requires a public certificate to be verified and to ensure it is valid. Those certificates must not be read on disk at runtime so we need a caching mechanism into which those certificates will be loaded during init. This is done through a dedicated ebtree that is filled during configuration parsing. The path to the public certificates will need to be explicitely mentioned in the configuration so that certificates can be loaded as early as possible. This tree is different from the ckch one because ckch entries are much bigger than the public certificates used in JWT validation process.
2021-10-01 09:36:56 -04:00
/* Tree into which the public certificates used to validate JWTs will be stored. */
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
struct eb_root jwt_cert_tree = EB_ROOT_UNIQUE;
__decl_rwlock(jwt_tree_lock);
MINOR: jwt: Insert public certificates into dedicated JWT tree A JWT signed with the RSXXX or ESXXX algorithm (RSA or ECDSA) requires a public certificate to be verified and to ensure it is valid. Those certificates must not be read on disk at runtime so we need a caching mechanism into which those certificates will be loaded during init. This is done through a dedicated ebtree that is filled during configuration parsing. The path to the public certificates will need to be explicitely mentioned in the configuration so that certificates can be loaded as early as possible. This tree is different from the ckch one because ckch entries are much bigger than the public certificates used in JWT validation process.
2021-10-01 09:36:56 -04:00
MINOR: jwt: Parse JWT alg field The full list of possible algorithms used to create a JWS signature is defined in section 3.1 of RFC7518. This patch adds a helper function that converts the "alg" strings into an enum member.
2021-10-01 09:36:54 -04:00
/*
* The possible algorithm strings that can be found in a JWS's JOSE header are
* defined in section 3.1 of RFC7518.
*/
enum jwt_alg jwt_parse_alg(const char *alg_str, unsigned int alg_len)
{
enum jwt_alg alg = JWT_ALG_DEFAULT;
/* Algorithms are all 5 characters long apart from "none". */
if (alg_len < sizeof("HS256")-1) {
BUG/MINOR: jwt: Fix jwt_parse_alg incorrectly returning JWS_ALG_NONE jwt_parse_alg would mistakenly return JWT_ALG_NONE for algorithms "", "n", "no" and "non" because of a strncmp misuse. It now sees them as unknown algorithms. No backport needed. Cc: Tim Duesterhus <tim@bastelstu.be>
2021-11-03 07:23:54 -04:00
if (alg_len == sizeof("none")-1 && strcmp("none", alg_str) == 0)
MINOR: jwt: Parse JWT alg field The full list of possible algorithms used to create a JWS signature is defined in section 3.1 of RFC7518. This patch adds a helper function that converts the "alg" strings into an enum member.
2021-10-01 09:36:54 -04:00
alg = JWS_ALG_NONE;
return alg;
}
if (alg == JWT_ALG_DEFAULT) {
switch(*alg_str++) {
case 'H':
if (strncmp(alg_str, "S256", alg_len-1) == 0)
alg = JWS_ALG_HS256;
else if (strncmp(alg_str, "S384", alg_len-1) == 0)
alg = JWS_ALG_HS384;
else if (strncmp(alg_str, "S512", alg_len-1) == 0)
alg = JWS_ALG_HS512;
break;
case 'R':
if (strncmp(alg_str, "S256", alg_len-1) == 0)
alg = JWS_ALG_RS256;
else if (strncmp(alg_str, "S384", alg_len-1) == 0)
alg = JWS_ALG_RS384;
else if (strncmp(alg_str, "S512", alg_len-1) == 0)
alg = JWS_ALG_RS512;
break;
case 'E':
if (strncmp(alg_str, "S256", alg_len-1) == 0)
alg = JWS_ALG_ES256;
else if (strncmp(alg_str, "S384", alg_len-1) == 0)
alg = JWS_ALG_ES384;
else if (strncmp(alg_str, "S512", alg_len-1) == 0)
alg = JWS_ALG_ES512;
break;
case 'P':
if (strncmp(alg_str, "S256", alg_len-1) == 0)
alg = JWS_ALG_PS256;
else if (strncmp(alg_str, "S384", alg_len-1) == 0)
alg = JWS_ALG_PS384;
else if (strncmp(alg_str, "S512", alg_len-1) == 0)
alg = JWS_ALG_PS512;
break;
default:
break;
}
}
return alg;
}
MINOR: jwt: JWT tokenizing helper function This helper function splits a JWT under Compact Serialization format (dot-separated base64-url encoded strings) into its different sub strings. Since we do not want to manage more than JWS for now, which can only have at most three subparts, any JWT that has strictly more than two dots is considered invalid.
2021-10-01 09:36:55 -04:00
/*
* Split a JWT into its separate dot-separated parts.
* Since only JWS following the Compact Serialization format are managed for
* now, we don't need to manage more than three subparts in the tokens.
* See section 3.1 of RFC7515 for more information about JWS Compact
* Serialization.
* Returns 0 in case of success.
*/
int jwt_tokenize(const struct buffer *jwt, struct jwt_item *items, unsigned int *item_num)
{
char *ptr = jwt->area;
char *jwt_end = jwt->area + jwt->data;
unsigned int index = 0;
unsigned int length = 0;
if (index < *item_num) {
items[index].start = ptr;
items[index].length = 0;
}
while (index < *item_num && ptr < jwt_end) {
if (*ptr++ == '.') {
items[index++].length = length;
if (index == *item_num)
return -1;
items[index].start = ptr;
items[index].length = 0;
length = 0;
} else
++length;
}
if (index < *item_num)
items[index].length = length;
*item_num = (index+1);
return (ptr != jwt_end);
}
MINOR: jwt: Insert public certificates into dedicated JWT tree A JWT signed with the RSXXX or ESXXX algorithm (RSA or ECDSA) requires a public certificate to be verified and to ensure it is valid. Those certificates must not be read on disk at runtime so we need a caching mechanism into which those certificates will be loaded during init. This is done through a dedicated ebtree that is filled during configuration parsing. The path to the public certificates will need to be explicitely mentioned in the configuration so that certificates can be loaded as early as possible. This tree is different from the ckch one because ckch entries are much bigger than the public certificates used in JWT validation process.
2021-10-01 09:36:56 -04:00
/*
* Parse a public certificate and insert it into the jwt_cert_tree.
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
* This function can only be called during configuration parsing so we do not
* need to lock the jwt certificate tree.
MINOR: jwt: Insert public certificates into dedicated JWT tree A JWT signed with the RSXXX or ESXXX algorithm (RSA or ECDSA) requires a public certificate to be verified and to ensure it is valid. Those certificates must not be read on disk at runtime so we need a caching mechanism into which those certificates will be loaded during init. This is done through a dedicated ebtree that is filled during configuration parsing. The path to the public certificates will need to be explicitely mentioned in the configuration so that certificates can be loaded as early as possible. This tree is different from the ckch one because ckch entries are much bigger than the public certificates used in JWT validation process.
2021-10-01 09:36:56 -04:00
* Returns 0 in case of success.
*/
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
int jwt_tree_load_cert(char *path, int pathlen, const char *file, int line, char **err)
MINOR: jwt: Insert public certificates into dedicated JWT tree A JWT signed with the RSXXX or ESXXX algorithm (RSA or ECDSA) requires a public certificate to be verified and to ensure it is valid. Those certificates must not be read on disk at runtime so we need a caching mechanism into which those certificates will be loaded during init. This is done through a dedicated ebtree that is filled during configuration parsing. The path to the public certificates will need to be explicitely mentioned in the configuration so that certificates can be loaded as early as possible. This tree is different from the ckch one because ckch entries are much bigger than the public certificates used in JWT validation process.
2021-10-01 09:36:56 -04:00
{
int retval = -1;
struct jwt_cert_tree_entry *entry = NULL;
MINOR: jwt: Rename pkey to pubkey in jwt_cert_tree_entry struct Rename the jwt_cert_tree_entry member pkey to pubkey to avoid any confusion between private and public key.
2025-06-30 10:56:24 -04:00
EVP_PKEY *pubkey = NULL;
MINOR: jwt: Insert public certificates into dedicated JWT tree A JWT signed with the RSXXX or ESXXX algorithm (RSA or ECDSA) requires a public certificate to be verified and to ensure it is valid. Those certificates must not be read on disk at runtime so we need a caching mechanism into which those certificates will be loaded during init. This is done through a dedicated ebtree that is filled during configuration parsing. The path to the public certificates will need to be explicitely mentioned in the configuration so that certificates can be loaded as early as possible. This tree is different from the ckch one because ckch entries are much bigger than the public certificates used in JWT validation process.
2021-10-01 09:36:56 -04:00
BIO *bio = NULL;
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
struct stat buf;
struct ebmb_node *eb = NULL;
struct ckch_store *store = NULL;
eb = ebst_lookup(&jwt_cert_tree, path);
if (eb)
return 0; /* Entry already in the tree, nothing to do. */
MINOR: jwt: Insert public certificates into dedicated JWT tree A JWT signed with the RSXXX or ESXXX algorithm (RSA or ECDSA) requires a public certificate to be verified and to ensure it is valid. Those certificates must not be read on disk at runtime so we need a caching mechanism into which those certificates will be loaded during init. This is done through a dedicated ebtree that is filled during configuration parsing. The path to the public certificates will need to be explicitely mentioned in the configuration so that certificates can be loaded as early as possible. This tree is different from the ckch one because ckch entries are much bigger than the public certificates used in JWT validation process.
2021-10-01 09:36:56 -04:00
BUG/MINOR: jwt: Memory leak if same key is used in multiple jwt_verify calls If the same filename was specified in multiple calls of the jwt_verify converter, we would have parsed the contents of the file every time it was used instead of checking if the entry already existed in the tree. This lead to memory leaks because we would not insert the duplicated entry and we would not free it (as well as the EVP_PKEY it referenced). We now check the return value of ebst_insert and free the current entry if it is a duplicate of an existing entry. The order in which the tree insert and the pkey parsing happen was also switched in order to avoid parsing key files in case of duplicates. Should be backported to 2.5.
2022-02-04 08:24:15 -05:00
entry = calloc(1, sizeof(*entry) + pathlen + 1);
if (!entry) {
memprintf(err, "%sunable to allocate memory (jwt_cert_tree_entry).\n", err && *err ? *err : "");
return -1;
}
memcpy(entry->path, path, pathlen + 1);
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
entry->type = JWT_ENTRY_DFLT;
BUG/MINOR: jwt: Memory leak if same key is used in multiple jwt_verify calls If the same filename was specified in multiple calls of the jwt_verify converter, we would have parsed the contents of the file every time it was used instead of checking if the entry already existed in the tree. This lead to memory leaks because we would not insert the duplicated entry and we would not free it (as well as the EVP_PKEY it referenced). We now check the return value of ebst_insert and free the current entry if it is a duplicate of an existing entry. The order in which the tree insert and the pkey parsing happen was also switched in order to avoid parsing key files in case of duplicates. Should be backported to 2.5.
2022-02-04 08:24:15 -05:00
if (ebst_insert(&jwt_cert_tree, &entry->node) != &entry->node) {
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
/* Should never happen since we checked if the entry already
* existed previously.
*/
BUG/MINOR: jwt: Memory leak if same key is used in multiple jwt_verify calls If the same filename was specified in multiple calls of the jwt_verify converter, we would have parsed the contents of the file every time it was used instead of checking if the entry already existed in the tree. This lead to memory leaks because we would not insert the duplicated entry and we would not free it (as well as the EVP_PKEY it referenced). We now check the return value of ebst_insert and free the current entry if it is a duplicate of an existing entry. The order in which the tree insert and the pkey parsing happen was also switched in order to avoid parsing key files in case of duplicates. Should be backported to 2.5.
2022-02-04 08:24:15 -05:00
free(entry);
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
return 0;
BUG/MINOR: jwt: Memory leak if same key is used in multiple jwt_verify calls If the same filename was specified in multiple calls of the jwt_verify converter, we would have parsed the contents of the file every time it was used instead of checking if the entry already existed in the tree. This lead to memory leaks because we would not insert the duplicated entry and we would not free it (as well as the EVP_PKEY it referenced). We now check the return value of ebst_insert and free the current entry if it is a duplicate of an existing entry. The order in which the tree insert and the pkey parsing happen was also switched in order to avoid parsing key files in case of duplicates. Should be backported to 2.5.
2022-02-04 08:24:15 -05:00
}
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
if (stat(path, &buf) == 0) {
bio = BIO_new(BIO_s_file());
if (!bio) {
memprintf(err, "%sunable to allocate memory (BIO).\n", err && *err ? *err : "");
goto end;
}
if (BIO_read_filename(bio, path) == 1) {
pubkey = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL);
/* The file might exist but not contain a public key if
* we were given an actual certificate path (or a
* named crt-store).
*/
if (pubkey) {
entry->type = JWT_ENTRY_PKEY;
entry->pubkey = pubkey;
retval = 0;
goto end;
}
}
MINOR: jwt: Insert public certificates into dedicated JWT tree A JWT signed with the RSXXX or ESXXX algorithm (RSA or ECDSA) requires a public certificate to be verified and to ensure it is valid. Those certificates must not be read on disk at runtime so we need a caching mechanism into which those certificates will be loaded during init. This is done through a dedicated ebtree that is filled during configuration parsing. The path to the public certificates will need to be explicitely mentioned in the configuration so that certificates can be loaded as early as possible. This tree is different from the ckch one because ckch entries are much bigger than the public certificates used in JWT validation process.
2021-10-01 09:36:56 -04:00
}
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
/* Look for an actual certificate or crt-store with the given name.
* If the path corresponds to an actual certificate that was not loaded
* yet we will create the corresponding ckch_store. */
if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
goto end;
store = ckchs_lookup(path);
if (!store) {
struct ckch_conf conf = {};
int err_code = 0;
/* Create a new store with the given path */
store = ckch_store_new(path);
if (!store) {
HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
goto end;
}
conf.crt = path;
MINOR: jwt: Insert public certificates into dedicated JWT tree A JWT signed with the RSXXX or ESXXX algorithm (RSA or ECDSA) requires a public certificate to be verified and to ensure it is valid. Those certificates must not be read on disk at runtime so we need a caching mechanism into which those certificates will be loaded during init. This is done through a dedicated ebtree that is filled during configuration parsing. The path to the public certificates will need to be explicitely mentioned in the configuration so that certificates can be loaded as early as possible. This tree is different from the ckch one because ckch entries are much bigger than the public certificates used in JWT validation process.
2021-10-01 09:36:56 -04:00
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
err_code = ckch_store_load_files(&conf, store, 0, file, line, err);
if (err_code & ERR_FATAL) {
ckch_store_free(store);
MINOR: jwt: Insert public certificates into dedicated JWT tree A JWT signed with the RSXXX or ESXXX algorithm (RSA or ECDSA) requires a public certificate to be verified and to ensure it is valid. Those certificates must not be read on disk at runtime so we need a caching mechanism into which those certificates will be loaded during init. This is done through a dedicated ebtree that is filled during configuration parsing. The path to the public certificates will need to be explicitely mentioned in the configuration so that certificates can be loaded as early as possible. This tree is different from the ckch one because ckch entries are much bigger than the public certificates used in JWT validation process.
2021-10-01 09:36:56 -04:00
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
/* If we are in this case we are in the conf
* parsing phase and this case might happen if
* we were provided an HMAC secret or a variable
* name.
*/
retval = 0;
ha_free(err);
HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
MINOR: jwt: Insert public certificates into dedicated JWT tree A JWT signed with the RSXXX or ESXXX algorithm (RSA or ECDSA) requires a public certificate to be verified and to ensure it is valid. Those certificates must not be read on disk at runtime so we need a caching mechanism into which those certificates will be loaded during init. This is done through a dedicated ebtree that is filled during configuration parsing. The path to the public certificates will need to be explicitely mentioned in the configuration so that certificates can be loaded as early as possible. This tree is different from the ckch one because ckch entries are much bigger than the public certificates used in JWT validation process.
2021-10-01 09:36:56 -04:00
goto end;
}
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
if (ebst_insert(&ckchs_tree, &store->node) != &store->node) {
ckch_store_free(store);
HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
goto end;
}
MINOR: jwt: Insert public certificates into dedicated JWT tree A JWT signed with the RSXXX or ESXXX algorithm (RSA or ECDSA) requires a public certificate to be verified and to ensure it is valid. Those certificates must not be read on disk at runtime so we need a caching mechanism into which those certificates will be loaded during init. This is done through a dedicated ebtree that is filled during configuration parsing. The path to the public certificates will need to be explicitely mentioned in the configuration so that certificates can be loaded as early as possible. This tree is different from the ckch one because ckch entries are much bigger than the public certificates used in JWT validation process.
2021-10-01 09:36:56 -04:00
}
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
retval = 0;
BUG_ON(store->jwt_entry != NULL);
entry->type = JWT_ENTRY_STORE;
entry->ckch_store = store;
entry->pubkey = X509_get_pubkey(store->data->cert);
store->jwt_entry = entry;
HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
MINOR: jwt: Insert public certificates into dedicated JWT tree A JWT signed with the RSXXX or ESXXX algorithm (RSA or ECDSA) requires a public certificate to be verified and to ensure it is valid. Those certificates must not be read on disk at runtime so we need a caching mechanism into which those certificates will be loaded during init. This is done through a dedicated ebtree that is filled during configuration parsing. The path to the public certificates will need to be explicitely mentioned in the configuration so that certificates can be loaded as early as possible. This tree is different from the ckch one because ckch entries are much bigger than the public certificates used in JWT validation process.
2021-10-01 09:36:56 -04:00
end:
BUG/MINOR: jwt: Memory leak if same key is used in multiple jwt_verify calls If the same filename was specified in multiple calls of the jwt_verify converter, we would have parsed the contents of the file every time it was used instead of checking if the entry already existed in the tree. This lead to memory leaks because we would not insert the duplicated entry and we would not free it (as well as the EVP_PKEY it referenced). We now check the return value of ebst_insert and free the current entry if it is a duplicate of an existing entry. The order in which the tree insert and the pkey parsing happen was also switched in order to avoid parsing key files in case of duplicates. Should be backported to 2.5.
2022-02-04 08:24:15 -05:00
if (retval) {
MINOR: jwt: Rename pkey to pubkey in jwt_cert_tree_entry struct Rename the jwt_cert_tree_entry member pkey to pubkey to avoid any confusion between private and public key.
2025-06-30 10:56:24 -04:00
/* Some error happened during pubkey parsing, remove the already
BUG/MINOR: jwt: Memory leak if same key is used in multiple jwt_verify calls If the same filename was specified in multiple calls of the jwt_verify converter, we would have parsed the contents of the file every time it was used instead of checking if the entry already existed in the tree. This lead to memory leaks because we would not insert the duplicated entry and we would not free it (as well as the EVP_PKEY it referenced). We now check the return value of ebst_insert and free the current entry if it is a duplicate of an existing entry. The order in which the tree insert and the pkey parsing happen was also switched in order to avoid parsing key files in case of duplicates. Should be backported to 2.5.
2022-02-04 08:24:15 -05:00
* inserted node from the tree and free it.
*/
ebmb_delete(&entry->node);
free(entry);
}
MINOR: jwt: Insert public certificates into dedicated JWT tree A JWT signed with the RSXXX or ESXXX algorithm (RSA or ECDSA) requires a public certificate to be verified and to ensure it is valid. Those certificates must not be read on disk at runtime so we need a caching mechanism into which those certificates will be loaded during init. This is done through a dedicated ebtree that is filled during configuration parsing. The path to the public certificates will need to be explicitely mentioned in the configuration so that certificates can be loaded as early as possible. This tree is different from the ckch one because ckch entries are much bigger than the public certificates used in JWT validation process.
2021-10-01 09:36:56 -04:00
BIO_free(bio);
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
MINOR: jwt: Insert public certificates into dedicated JWT tree A JWT signed with the RSXXX or ESXXX algorithm (RSA or ECDSA) requires a public certificate to be verified and to ensure it is valid. Those certificates must not be read on disk at runtime so we need a caching mechanism into which those certificates will be loaded during init. This is done through a dedicated ebtree that is filled during configuration parsing. The path to the public certificates will need to be explicitely mentioned in the configuration so that certificates can be loaded as early as possible. This tree is different from the ckch one because ckch entries are much bigger than the public certificates used in JWT validation process.
2021-10-01 09:36:56 -04:00
return retval;
}
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
/* Try to look for an already existing ckch_store in the store tree with the
* path found in the jwt_entry. Keep a reference to its pubkey if it exists.
* Return 0 in case of success.
*/
static int jwt_tree_tryload_store(struct jwt_cert_tree_entry *jwt_entry)
{
struct ckch_store *store = NULL;
int retval = 1;
if (!jwt_entry)
return 1;
/* We might have been given a 'crt-store' name */
if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
return 1;
store = ckchs_lookup(jwt_entry->path);
if (!store || store->jwt_entry)
goto end;
store->jwt_entry = jwt_entry;
BUG_ON(jwt_entry->pubkey != NULL);
jwt_entry->pubkey = X509_get_pubkey(store->data->cert);
retval = 0;
end:
HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
return retval;
}
/* Update the ckch_store and public key reference of a jwt_entry. This is only
CLEANUP: assorted typo fixes in the code, commits and doc Corrected various spelling and phrasing errors to improve clarity and consistency.
2025-07-09 15:05:55 -04:00
* useful when updating a certificate from the CLI if it was being used for JWT
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
* validation.
*/
void jwt_replace_ckch_store(struct ckch_store *old_ckchs, struct ckch_store *new_ckchs)
{
struct jwt_cert_tree_entry *entry = old_ckchs->jwt_entry;
HA_RWLOCK_WRLOCK(JWT_LOCK, &jwt_tree_lock);
if (entry == NULL)
goto end;
old_ckchs->jwt_entry->ckch_store = new_ckchs;
new_ckchs->jwt_entry = old_ckchs->jwt_entry;
EVP_PKEY_free(entry->pubkey);
entry->pubkey = X509_get_pubkey(new_ckchs->data->cert);
end:
HA_RWLOCK_WRUNLOCK(JWT_LOCK, &jwt_tree_lock);
}
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
/*
* Calculate the HMAC signature of a specific JWT and check that it matches the
* one included in the token.
* Returns 1 in case of success.
*/
static enum jwt_vrfy_status
jwt_jwsverify_hmac(const struct jwt_ctx *ctx, const struct buffer *decoded_signature)
{
const EVP_MD *evp = NULL;
CLEANUP: jwt: Remove the use of a trash buffer in jwt_jwsverify_hmac() The OpenSSL documentation (https://www.openssl.org/docs/man1.1.0/man3/HMAC.html) specifies: > It places the result in md (which must have space for the output of the hash > function, which is no more than EVP_MAX_MD_SIZE bytes). If md is NULL, the > digest is placed in a static array. The size of the output is placed in > md_len, unless it is NULL. Note: passing a NULL value for md to use the > static array is not thread safe. `EVP_MAX_MD_SIZE` appears to be defined as `64`, so let's simply use a stack buffer to avoid the whole memory management.
2021-10-18 12:40:28 -04:00
unsigned char signature[EVP_MAX_MD_SIZE];
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
unsigned int signature_length = 0;
unsigned char *hmac_res = NULL;
enum jwt_vrfy_status retval = JWT_VRFY_KO;
switch(ctx->alg) {
case JWS_ALG_HS256:
evp = EVP_sha256();
break;
case JWS_ALG_HS384:
evp = EVP_sha384();
break;
case JWS_ALG_HS512:
evp = EVP_sha512();
break;
default: break;
}
hmac_res = HMAC(evp, ctx->key, ctx->key_length, (const unsigned char*)ctx->jose.start,
ctx->jose.length + ctx->claims.length + 1, signature, &signature_length);
if (hmac_res && signature_length == decoded_signature->data &&
BUG/MINOR: jwt: use CRYPTO_memcmp() to compare HMACs As Tim reported in github issue #1414, we ought to use a constant-time memcmp() when comparing hashes to avoid time-based attacks. Let's use CRYPTO_memcmp() since this code already depends on openssl. No backport is needed, this was just merged into 2.5.
2021-10-15 05:52:41 -04:00
(CRYPTO_memcmp(decoded_signature->area, signature, signature_length) == 0))
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
retval = JWT_VRFY_OK;
return retval;
}
BUG/MEDIUM: jwt: Properly process ecdsa signatures (concatenated R and S params) When the JWT token signature is using ECDSA algorithm (ES256 for instance), the signature is a direct concatenation of the R and S parameters instead of OpenSSL's DER format (see section 3.4 of RFC7518). The code that verified the signatures wrongly assumed that they came in OpenSSL's format and it did not actually work. We now have the extra step of converting the signature into a complete ECDSA_SIG that can be fed into OpenSSL's digest verification functions. The ECDSA signatures in the regtest had to be recalculated and it was made via the PyJWT python library so that we don't end up checking signatures that we built ourselves anymore. This patch should fix GitHub issue #2001. It should be backported up to branch 2.5.
2023-01-18 09:32:28 -05:00
/*
* Convert a JWT ECDSA signature (R and S parameters concatenatedi, see section
* 3.4 of RFC7518) into an ECDSA_SIG that can be fed back into OpenSSL's digest
* verification functions.
* Returns 0 in case of success.
*/
MINOR: jwt: Remove unused parameter in convert_ecdsa_sig The pubkey parameter in convert_ecdsa_sig was not actually used.
2025-06-30 10:56:25 -04:00
static int convert_ecdsa_sig(const struct jwt_ctx *ctx, struct buffer *signature)
BUG/MEDIUM: jwt: Properly process ecdsa signatures (concatenated R and S params) When the JWT token signature is using ECDSA algorithm (ES256 for instance), the signature is a direct concatenation of the R and S parameters instead of OpenSSL's DER format (see section 3.4 of RFC7518). The code that verified the signatures wrongly assumed that they came in OpenSSL's format and it did not actually work. We now have the extra step of converting the signature into a complete ECDSA_SIG that can be fed into OpenSSL's digest verification functions. The ECDSA signatures in the regtest had to be recalculated and it was made via the PyJWT python library so that we don't end up checking signatures that we built ourselves anymore. This patch should fix GitHub issue #2001. It should be backported up to branch 2.5.
2023-01-18 09:32:28 -05:00
{
int retval = 0;
ECDSA_SIG *ecdsa_sig = NULL;
BIGNUM *ec_R = NULL, *ec_S = NULL;
unsigned int bignum_len;
unsigned char *p;
ecdsa_sig = ECDSA_SIG_new();
if (!ecdsa_sig) {
retval = JWT_VRFY_OUT_OF_MEMORY;
goto end;
}
if (b_data(signature) % 2) {
retval = JWT_VRFY_INVALID_TOKEN;
goto end;
}
bignum_len = b_data(signature) / 2;
ec_R = BN_bin2bn((unsigned char*)b_orig(signature), bignum_len, NULL);
ec_S = BN_bin2bn((unsigned char *)(b_orig(signature) + bignum_len), bignum_len, NULL);
if (!ec_R || !ec_S) {
retval = JWT_VRFY_INVALID_TOKEN;
goto end;
}
/* Build ecdsa out of R and S values. */
ECDSA_SIG_set0(ecdsa_sig, ec_R, ec_S);
p = (unsigned char*)signature->area;
signature->data = i2d_ECDSA_SIG(ecdsa_sig, &p);
if (signature->data == 0) {
retval = JWT_VRFY_INVALID_TOKEN;
goto end;
}
end:
ECDSA_SIG_free(ecdsa_sig);
return retval;
}
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
/*
* Check that the signature included in a JWT signed via RSA or ECDSA is valid
* and can be verified thanks to a given public certificate.
* Returns 1 in case of success.
*/
static enum jwt_vrfy_status
BUG/MEDIUM: jwt: Properly process ecdsa signatures (concatenated R and S params) When the JWT token signature is using ECDSA algorithm (ES256 for instance), the signature is a direct concatenation of the R and S parameters instead of OpenSSL's DER format (see section 3.4 of RFC7518). The code that verified the signatures wrongly assumed that they came in OpenSSL's format and it did not actually work. We now have the extra step of converting the signature into a complete ECDSA_SIG that can be fed into OpenSSL's digest verification functions. The ECDSA signatures in the regtest had to be recalculated and it was made via the PyJWT python library so that we don't end up checking signatures that we built ourselves anymore. This patch should fix GitHub issue #2001. It should be backported up to branch 2.5.
2023-01-18 09:32:28 -05:00
jwt_jwsverify_rsa_ecdsa(const struct jwt_ctx *ctx, struct buffer *decoded_signature)
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
{
const EVP_MD *evp = NULL;
EVP_MD_CTX *evp_md_ctx;
MINOR: jwt: Add support for RSA-PSS signatures (PS256 algorithm) This patch adds the support for the PS algorithms when verifying JWT signatures (rsa-pss). It was not managed during the first implementation and previously raised an "Unmanaged algorithm" error. The tests use the same rsa signature as the plain rsa tests (RS256 ...) and the implementation simply adds a call to EVP_PKEY_CTX_set_rsa_padding in the function that manages rsa and ecdsa signatures. The signatures in the reg-test were built thanks to the PyJWT python library once again.
2023-03-07 11:43:57 -05:00
EVP_PKEY_CTX *pkey_ctx = NULL;
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
enum jwt_vrfy_status retval = JWT_VRFY_KO;
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
struct ebmb_node *eb = NULL;
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
struct jwt_cert_tree_entry *entry = NULL;
BUG/MEDIUM: jwt: Properly process ecdsa signatures (concatenated R and S params) When the JWT token signature is using ECDSA algorithm (ES256 for instance), the signature is a direct concatenation of the R and S parameters instead of OpenSSL's DER format (see section 3.4 of RFC7518). The code that verified the signatures wrongly assumed that they came in OpenSSL's format and it did not actually work. We now have the extra step of converting the signature into a complete ECDSA_SIG that can be fed into OpenSSL's digest verification functions. The ECDSA signatures in the regtest had to be recalculated and it was made via the PyJWT python library so that we don't end up checking signatures that we built ourselves anymore. This patch should fix GitHub issue #2001. It should be backported up to branch 2.5.
2023-01-18 09:32:28 -05:00
int is_ecdsa = 0;
MINOR: jwt: Add support for RSA-PSS signatures (PS256 algorithm) This patch adds the support for the PS algorithms when verifying JWT signatures (rsa-pss). It was not managed during the first implementation and previously raised an "Unmanaged algorithm" error. The tests use the same rsa signature as the plain rsa tests (RS256 ...) and the implementation simply adds a call to EVP_PKEY_CTX_set_rsa_padding in the function that manages rsa and ecdsa signatures. The signatures in the reg-test were built thanks to the PyJWT python library once again.
2023-03-07 11:43:57 -05:00
int padding = RSA_PKCS1_PADDING;
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
EVP_PKEY *pubkey = NULL;
int lock_iswrlock = 0;
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
switch(ctx->alg) {
case JWS_ALG_RS256:
evp = EVP_sha256();
break;
case JWS_ALG_RS384:
evp = EVP_sha384();
break;
case JWS_ALG_RS512:
BUG/MEDIUM: jwt: Properly process ecdsa signatures (concatenated R and S params) When the JWT token signature is using ECDSA algorithm (ES256 for instance), the signature is a direct concatenation of the R and S parameters instead of OpenSSL's DER format (see section 3.4 of RFC7518). The code that verified the signatures wrongly assumed that they came in OpenSSL's format and it did not actually work. We now have the extra step of converting the signature into a complete ECDSA_SIG that can be fed into OpenSSL's digest verification functions. The ECDSA signatures in the regtest had to be recalculated and it was made via the PyJWT python library so that we don't end up checking signatures that we built ourselves anymore. This patch should fix GitHub issue #2001. It should be backported up to branch 2.5.
2023-01-18 09:32:28 -05:00
evp = EVP_sha512();
break;
case JWS_ALG_ES256:
evp = EVP_sha256();
is_ecdsa = 1;
break;
case JWS_ALG_ES384:
evp = EVP_sha384();
is_ecdsa = 1;
break;
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
case JWS_ALG_ES512:
evp = EVP_sha512();
BUG/MEDIUM: jwt: Properly process ecdsa signatures (concatenated R and S params) When the JWT token signature is using ECDSA algorithm (ES256 for instance), the signature is a direct concatenation of the R and S parameters instead of OpenSSL's DER format (see section 3.4 of RFC7518). The code that verified the signatures wrongly assumed that they came in OpenSSL's format and it did not actually work. We now have the extra step of converting the signature into a complete ECDSA_SIG that can be fed into OpenSSL's digest verification functions. The ECDSA signatures in the regtest had to be recalculated and it was made via the PyJWT python library so that we don't end up checking signatures that we built ourselves anymore. This patch should fix GitHub issue #2001. It should be backported up to branch 2.5.
2023-01-18 09:32:28 -05:00
is_ecdsa = 1;
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
break;
MINOR: jwt: Add support for RSA-PSS signatures (PS256 algorithm) This patch adds the support for the PS algorithms when verifying JWT signatures (rsa-pss). It was not managed during the first implementation and previously raised an "Unmanaged algorithm" error. The tests use the same rsa signature as the plain rsa tests (RS256 ...) and the implementation simply adds a call to EVP_PKEY_CTX_set_rsa_padding in the function that manages rsa and ecdsa signatures. The signatures in the reg-test were built thanks to the PyJWT python library once again.
2023-03-07 11:43:57 -05:00
case JWS_ALG_PS256:
evp = EVP_sha256();
padding = RSA_PKCS1_PSS_PADDING;
break;
case JWS_ALG_PS384:
evp = EVP_sha384();
padding = RSA_PKCS1_PSS_PADDING;
break;
case JWS_ALG_PS512:
evp = EVP_sha512();
padding = RSA_PKCS1_PSS_PADDING;
break;
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
default: break;
}
evp_md_ctx = EVP_MD_CTX_new();
CLEANUP: jwt: Remove the use of a trash buffer in jwt_jwsverify_rsa_ecdsa() `trash` was completely unused within this function.
2021-10-18 12:40:29 -04:00
if (!evp_md_ctx)
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
return JWT_VRFY_OUT_OF_MEMORY;
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
HA_RWLOCK_RDLOCK(JWT_LOCK, &jwt_tree_lock);
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
eb = ebst_lookup(&jwt_cert_tree, ctx->key);
if (!eb) {
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
HA_RWLOCK_RDUNLOCK(JWT_LOCK, &jwt_tree_lock);
/* Create new entry and insert it in the jwt cert tree if we
* could find a corresponding ckch_store.
*/
entry = calloc(1, sizeof(*entry) + ctx->key_length + 1);
if (!entry) {
retval = JWT_VRFY_OUT_OF_MEMORY;
goto end;
}
memcpy(entry->path, ctx->key, ctx->key_length);
/* The ckch_lock will be taken in jwt_tree_tryload_store so we
* can't hold the lock on the jwt_cert_tree here because the lock
* order is different when updating a certificate from the CLI,
* where the ckch_lock is taken first and then the JWT one is
* taken in jwt_replace_ckch_store.
* If no corresponding ckch_store was found, we still try to
* insert the entry in the tree so that next calls to jwt_verify
* with the same 'key' path do not perform the lookup in the
* ckch_store anymore. */
entry->type = (jwt_tree_tryload_store(entry) == 0) ? JWT_ENTRY_STORE : JWT_ENTRY_INVALID;
HA_RWLOCK_WRLOCK(JWT_LOCK, &jwt_tree_lock);
if (ebst_insert(&jwt_cert_tree, &entry->node) != &entry->node) {
/* This rather unlikely case can only happen if the tree was
* modified between the previous read unlock and here.
*/
retval = JWT_VRFY_INTERNAL_ERR;
free(entry);
entry = NULL;
HA_RWLOCK_WRUNLOCK(JWT_LOCK, &jwt_tree_lock);
goto end;
}
lock_iswrlock = 1;
} else {
entry = ebmb_entry(eb, struct jwt_cert_tree_entry, node);
}
/* We tried looking for a ckch_store but could not find it */
switch (entry->type) {
case JWT_ENTRY_PKEY:
case JWT_ENTRY_STORE:
pubkey = entry->pubkey;
if (pubkey)
EVP_PKEY_up_ref(pubkey);
break;
case JWT_ENTRY_DFLT:
case JWT_ENTRY_INVALID:
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
retval = JWT_VRFY_UNKNOWN_CERT;
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
break;
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
}
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
if (lock_iswrlock)
HA_RWLOCK_WRUNLOCK(JWT_LOCK, &jwt_tree_lock);
else
HA_RWLOCK_RDUNLOCK(JWT_LOCK, &jwt_tree_lock);
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
if (!pubkey)
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
goto end;
BUG/MEDIUM: jwt: Properly process ecdsa signatures (concatenated R and S params) When the JWT token signature is using ECDSA algorithm (ES256 for instance), the signature is a direct concatenation of the R and S parameters instead of OpenSSL's DER format (see section 3.4 of RFC7518). The code that verified the signatures wrongly assumed that they came in OpenSSL's format and it did not actually work. We now have the extra step of converting the signature into a complete ECDSA_SIG that can be fed into OpenSSL's digest verification functions. The ECDSA signatures in the regtest had to be recalculated and it was made via the PyJWT python library so that we don't end up checking signatures that we built ourselves anymore. This patch should fix GitHub issue #2001. It should be backported up to branch 2.5.
2023-01-18 09:32:28 -05:00
/*
* ECXXX signatures are a direct concatenation of the (R, S) pair and
* need to be converted back to asn.1 in order for verify operations to
* work with OpenSSL.
*/
if (is_ecdsa) {
MINOR: jwt: Remove unused parameter in convert_ecdsa_sig The pubkey parameter in convert_ecdsa_sig was not actually used.
2025-06-30 10:56:25 -04:00
int conv_retval = convert_ecdsa_sig(ctx, decoded_signature);
BUG/MINOR: jwt: Wrong return value checked The wrong return value was checked, resulting in dead code and potential bugs. It should fix GitHub issue #2005. This patch should be backported up to 2.5.
2023-01-20 03:37:26 -05:00
if (conv_retval != 0) {
BUG/MEDIUM: jwt: Properly process ecdsa signatures (concatenated R and S params) When the JWT token signature is using ECDSA algorithm (ES256 for instance), the signature is a direct concatenation of the R and S parameters instead of OpenSSL's DER format (see section 3.4 of RFC7518). The code that verified the signatures wrongly assumed that they came in OpenSSL's format and it did not actually work. We now have the extra step of converting the signature into a complete ECDSA_SIG that can be fed into OpenSSL's digest verification functions. The ECDSA signatures in the regtest had to be recalculated and it was made via the PyJWT python library so that we don't end up checking signatures that we built ourselves anymore. This patch should fix GitHub issue #2001. It should be backported up to branch 2.5.
2023-01-18 09:32:28 -05:00
retval = conv_retval;
goto end;
}
}
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
if (EVP_DigestVerifyInit(evp_md_ctx, &pkey_ctx, evp, NULL, pubkey) == 1) {
MINOR: jwt: Add support for RSA-PSS signatures (PS256 algorithm) This patch adds the support for the PS algorithms when verifying JWT signatures (rsa-pss). It was not managed during the first implementation and previously raised an "Unmanaged algorithm" error. The tests use the same rsa signature as the plain rsa tests (RS256 ...) and the implementation simply adds a call to EVP_PKEY_CTX_set_rsa_padding in the function that manages rsa and ecdsa signatures. The signatures in the reg-test were built thanks to the PyJWT python library once again.
2023-03-07 11:43:57 -05:00
if (is_ecdsa || EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, padding) > 0) {
if (EVP_DigestVerifyUpdate(evp_md_ctx, (const unsigned char*)ctx->jose.start,
ctx->jose.length + ctx->claims.length + 1) == 1 &&
EVP_DigestVerifyFinal(evp_md_ctx, (const unsigned char*)decoded_signature->area, decoded_signature->data) == 1) {
retval = JWT_VRFY_OK;
}
}
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
}
end:
EVP_MD_CTX_free(evp_md_ctx);
BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature When the signature included in a JWT is verified, if an error occurred, one or more SSL errors are queued and never cleared. These errors may be then caught by the SSL stack and a fatal SSL error may be erroneously reported during a SSL received or send. So we must take care to clear the SSL error queue when the signature verification failed. This patch should fix issue #2643. It must be backported as far as 2.6.
2024-07-26 10:47:15 -04:00
if (retval != JWT_VRFY_OK) {
/* Don't forget to remove SSL errors to be sure they cannot be
* caught elsewhere. The error queue is cleared because it seems
* at least 2 errors are produced.
*/
ERR_clear_error();
}
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
EVP_PKEY_free(pubkey);
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
return retval;
}
/*
* Check that the <token> that was signed via algorithm <alg> using the <key>
* (either an HMAC secret or the path to a public certificate) has a valid
* signature.
* Returns 1 in case of success.
*/
enum jwt_vrfy_status jwt_verify(const struct buffer *token, const struct buffer *alg,
const struct buffer *key)
{
struct jwt_item items[JWT_ELT_MAX] = { { 0 } };
unsigned int item_num = JWT_ELT_MAX;
struct buffer *decoded_sig = NULL;
struct jwt_ctx ctx = {};
enum jwt_vrfy_status retval = JWT_VRFY_KO;
BUG/MEDIUM: jwt: fix base64 decoding error detection Tim reported that a decoding error from the base64 function wouldn't be matched in case of bad input, and could possibly cause trouble with -1 being passed in decoded_sig->data. In the case of HMAC+SHA it is harmless as the comparison is made using memcmp() after checking for length equality, but in the case of RSA/ECDSA this result is passed as a size_t to EVP_DigetVerifyFinal() and may depend on the lib's mood. The fix simply consists in checking the intermediary result before storing it. That's precisely what happens with one of the regtests which returned 0 instead of 4 on the intentionally defective token, so the regtest was fixed as well. No backport is needed as this is new in this release.
2021-10-15 05:41:16 -04:00
int ret;
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
ctx.alg = jwt_parse_alg(alg->area, alg->data);
if (ctx.alg == JWT_ALG_DEFAULT)
return JWT_VRFY_UNKNOWN_ALG;
if (jwt_tokenize(token, items, &item_num))
return JWT_VRFY_INVALID_TOKEN;
if (item_num != JWT_ELT_MAX)
if (ctx.alg != JWS_ALG_NONE || item_num != JWT_ELT_SIG)
return JWT_VRFY_INVALID_TOKEN;
ctx.jose = items[JWT_ELT_JOSE];
ctx.claims = items[JWT_ELT_CLAIMS];
ctx.signature = items[JWT_ELT_SIG];
/* "alg" is "none", the signature must be empty for the JWS to be valid. */
if (ctx.alg == JWS_ALG_NONE) {
return (ctx.signature.length == 0) ? JWT_VRFY_OK : JWT_VRFY_KO;
}
if (ctx.signature.length == 0)
return JWT_VRFY_INVALID_TOKEN;
decoded_sig = alloc_trash_chunk();
if (!decoded_sig)
return JWT_VRFY_OUT_OF_MEMORY;
BUG/MEDIUM: jwt: fix base64 decoding error detection Tim reported that a decoding error from the base64 function wouldn't be matched in case of bad input, and could possibly cause trouble with -1 being passed in decoded_sig->data. In the case of HMAC+SHA it is harmless as the comparison is made using memcmp() after checking for length equality, but in the case of RSA/ECDSA this result is passed as a size_t to EVP_DigetVerifyFinal() and may depend on the lib's mood. The fix simply consists in checking the intermediary result before storing it. That's precisely what happens with one of the regtests which returned 0 instead of 4 on the intentionally defective token, so the regtest was fixed as well. No backport is needed as this is new in this release.
2021-10-15 05:41:16 -04:00
ret = base64urldec(ctx.signature.start, ctx.signature.length,
decoded_sig->area, decoded_sig->size);
if (ret == -1) {
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
retval = JWT_VRFY_INVALID_TOKEN;
goto end;
}
BUG/MEDIUM: jwt: fix base64 decoding error detection Tim reported that a decoding error from the base64 function wouldn't be matched in case of bad input, and could possibly cause trouble with -1 being passed in decoded_sig->data. In the case of HMAC+SHA it is harmless as the comparison is made using memcmp() after checking for length equality, but in the case of RSA/ECDSA this result is passed as a size_t to EVP_DigetVerifyFinal() and may depend on the lib's mood. The fix simply consists in checking the intermediary result before storing it. That's precisely what happens with one of the regtests which returned 0 instead of 4 on the intentionally defective token, so the regtest was fixed as well. No backport is needed as this is new in this release.
2021-10-15 05:41:16 -04:00
decoded_sig->data = ret;
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
ctx.key = key->area;
ctx.key_length = key->data;
/* We have all three sections, signature calculation can begin. */
MINOR: jwt: Do not rely on enum order anymore Replace the test based on the enum value of the algorithm by an explicit switch statement in case someone reorders it for some reason (while still managing not to break the regtest).
2021-10-18 09:14:48 -04:00
switch(ctx.alg) {
case JWS_ALG_HS256:
case JWS_ALG_HS384:
case JWS_ALG_HS512:
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
/* HMAC + SHA-XXX */
retval = jwt_jwsverify_hmac(&ctx, decoded_sig);
MINOR: jwt: Do not rely on enum order anymore Replace the test based on the enum value of the algorithm by an explicit switch statement in case someone reorders it for some reason (while still managing not to break the regtest).
2021-10-18 09:14:48 -04:00
break;
case JWS_ALG_RS256:
case JWS_ALG_RS384:
case JWS_ALG_RS512:
case JWS_ALG_ES256:
case JWS_ALG_ES384:
case JWS_ALG_ES512:
MINOR: jwt: Add support for RSA-PSS signatures (PS256 algorithm) This patch adds the support for the PS algorithms when verifying JWT signatures (rsa-pss). It was not managed during the first implementation and previously raised an "Unmanaged algorithm" error. The tests use the same rsa signature as the plain rsa tests (RS256 ...) and the implementation simply adds a call to EVP_PKEY_CTX_set_rsa_padding in the function that manages rsa and ecdsa signatures. The signatures in the reg-test were built thanks to the PyJWT python library once again.
2023-03-07 11:43:57 -05:00
case JWS_ALG_PS256:
case JWS_ALG_PS384:
case JWS_ALG_PS512:
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
/* RSASSA-PKCS1-v1_5 + SHA-XXX */
/* ECDSA using P-XXX and SHA-XXX */
MINOR: jwt: Add support for RSA-PSS signatures (PS256 algorithm) This patch adds the support for the PS algorithms when verifying JWT signatures (rsa-pss). It was not managed during the first implementation and previously raised an "Unmanaged algorithm" error. The tests use the same rsa signature as the plain rsa tests (RS256 ...) and the implementation simply adds a call to EVP_PKEY_CTX_set_rsa_padding in the function that manages rsa and ecdsa signatures. The signatures in the reg-test were built thanks to the PyJWT python library once again.
2023-03-07 11:43:57 -05:00
/* RSASSA-PSS using SHA-XXX and MGF1 with SHA-XXX */
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
retval = jwt_jwsverify_rsa_ecdsa(&ctx, decoded_sig);
MINOR: jwt: Do not rely on enum order anymore Replace the test based on the enum value of the algorithm by an explicit switch statement in case someone reorders it for some reason (while still managing not to break the regtest).
2021-10-18 09:14:48 -04:00
break;
default:
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
/* Not managed yet */
retval = JWT_VRFY_UNMANAGED_ALG;
MINOR: jwt: Do not rely on enum order anymore Replace the test based on the enum value of the algorithm by an explicit switch statement in case someone reorders it for some reason (while still managing not to break the regtest).
2021-10-18 09:14:48 -04:00
break;
MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity This new converter takes a JSON Web Token, an algorithm (among the ones specified for JWS tokens in RFC 7518) and a public key or a secret, and it returns a verdict about the signature contained in the token. It does not simply return a boolean because some specific error cases cas be specified by returning an integer instead, such as unmanaged algorithms or invalid tokens. This enables to distinguich malformed tokens from tampered ones, that would be valid format-wise but would have a bad signature. This converter does not perform a full JWT validation as decribed in section 7.2 of RFC 7519. For instance it does not ensure that the header and payload parts of the token are completely valid JSON objects because it would need a complete JSON parser. It only focuses on the signature and checks that it matches the token's contents.
2021-10-01 09:36:58 -04:00
}
end:
free_trash_chunk(decoded_sig);
return retval;
}
MINOR: jwt: Empty the certificate tree during deinit The tree in which the JWT certificates are stored was not emptied. It is now done during deinit.
2021-10-18 09:14:47 -04:00
static void jwt_deinit(void)
{
struct ebmb_node *node = NULL;
struct jwt_cert_tree_entry *entry = NULL;
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
HA_RWLOCK_WRLOCK(JWT_LOCK, &jwt_tree_lock);
MINOR: jwt: Empty the certificate tree during deinit The tree in which the JWT certificates are stored was not emptied. It is now done during deinit.
2021-10-18 09:14:47 -04:00
node = ebmb_first(&jwt_cert_tree);
while (node) {
entry = ebmb_entry(node, struct jwt_cert_tree_entry, node);
BUG/MINOR: jwt: Double free in deinit function The node pointer was not moving properly along the jwt_cert_tree during the deinit which ended in a double free during cleanup (or when checking a configuration that used the jwt_verify converter with an explicit certificate specified). This patch fixes GitHub issue #1533. It should be backported to 2.5.
2022-02-04 08:06:34 -05:00
ebmb_delete(node);
MINOR: jwt: Rename pkey to pubkey in jwt_cert_tree_entry struct Rename the jwt_cert_tree_entry member pkey to pubkey to avoid any confusion between private and public key.
2025-06-30 10:56:24 -04:00
EVP_PKEY_free(entry->pubkey);
MINOR: jwt: Empty the certificate tree during deinit The tree in which the JWT certificates are stored was not emptied. It is now done during deinit.
2021-10-18 09:14:47 -04:00
ha_free(&entry);
node = ebmb_first(&jwt_cert_tree);
}
MAJOR: jwt: Allow certificate instead of public key in jwt_verify converter The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitely to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitely used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
2025-06-30 10:56:26 -04:00
HA_RWLOCK_WRUNLOCK(JWT_LOCK, &jwt_tree_lock);
MINOR: jwt: Empty the certificate tree during deinit The tree in which the JWT certificates are stored was not emptied. It is now done during deinit.
2021-10-18 09:14:47 -04:00
}
REGISTER_POST_DEINIT(jwt_deinit);
MINOR: jwt: Parse JWT alg field The full list of possible algorithms used to create a JWS signature is defined in section 3.1 of RFC7518. This patch adds a helper function that converts the "alg" strings into an enum member.
2021-10-01 09:36:54 -04:00
#endif /* USE_OPENSSL */
Reference in a new issue Copy permalink