Skip to content

Add support for IAM #14

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bbockelm merged 2 commits into from
Sep 13, 2019
Merged

Add support for IAM #14

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
94f1e20
Fix handling of base64 padding.
bbockelm Sep 11, 2019
6f0b88a
Look at the key type to determine the expected algorithm.
bbockelm Sep 11, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 48 additions & 7 deletions src/scitokens_internal.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -189,10 +189,28 @@ struct local_base64url : public jwt::alphabet::base64url {
};


// Assuming a padding, decode
std::string b64url_decode_nopadding(const std::string &input)
{
std::string result = input;
switch (result.size() % 4) {
case 1:
result += "="; // fallthrough
case 2:
result += "="; // fallthrough
case 3:
result += "="; // fallthrough
default:
break;
}
return jwt::base::decode<local_base64url>(result);
}


std::string
es256_from_coords(const std::string &x_str, const std::string &y_str) {
auto x_decode = jwt::base::decode<local_base64url>(x_str);
auto y_decode = jwt::base::decode<local_base64url>(y_str);
auto x_decode = b64url_decode_nopadding(x_str);
auto y_decode = b64url_decode_nopadding(y_str);

std::unique_ptr<EC_KEY, decltype(&EC_KEY_free)> ec(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1), EC_KEY_free);
if (!ec.get()) {
Expand Down Expand Up @@ -232,8 +250,8 @@ es256_from_coords(const std::string &x_str, const std::string &y_str) {

std::string
rs256_from_coords(const std::string &e_str, const std::string &n_str) {
auto e_decode = jwt::base::decode<local_base64url>(e_str);
auto n_decode = jwt::base::decode<local_base64url>(n_str);
auto e_decode = b64url_decode_nopadding(e_str);
auto n_decode = b64url_decode_nopadding(n_str);
std::unique_ptr<BIGNUM, decltype(&BN_free)> e_bignum(BN_bin2bn(reinterpret_cast<const unsigned char *>(e_decode.c_str()), e_decode.size(), nullptr), BN_free);
std::unique_ptr<BIGNUM, decltype(&BN_free)> n_bignum(BN_bin2bn(reinterpret_cast<const unsigned char *>(n_decode.c_str()), n_decode.size(), nullptr), BN_free);

Expand Down Expand Up @@ -399,10 +417,33 @@ Validator::get_public_key_pem(const std::string &issuer, const std::string &kid,
auto key_obj = find_key_id(keys, kid);

auto iter = key_obj.find("alg");
std::string alg;
if (iter == key_obj.end() || (!iter->second.is<std::string>())) {
throw JsonException("Key is missing algorithm name");
}
auto alg = iter->second.get<std::string>();
auto iter2 = key_obj.find("kty");
if (iter2 == key_obj.end() || !iter2->second.is<std::string>()) {
throw JsonException("Key is missing key type");
} else {
auto kty = iter2->second.get<std::string>();
if (kty == "RSA") {
alg = "RS256";
} else if (kty == "EC") {
auto iter3 = key_obj.find("crv");
if (iter3 == key_obj.end() || !iter3->second.is<std::string>()) {
throw JsonException("EC key is missing curve name");
}
auto crv = iter2->second.get<std::string>();
if (crv == "P-256") {
alg = "EC256";
} else {
throw JsonException("Unsupported EC curve in public key");
}
} else {
throw JsonException("Unknown public key type");
}
}
} else {
alg = iter->second.get<std::string>();
}
if (alg != "RS256" and alg != "ES256") {
throw UnsupportedKeyException("Issuer is using an unsupported algorithm");
}
Expand Down