/*
* sign JWT
*/
apr_byte_t oidc_jwt_sign(apr_pool_t *pool, oidc_jwt_t *jwt, oidc_jwk_t *jwk,
oidc_jose_error_t *err) {
cjose_header_t *hdr = (cjose_header_t *)jwt->header.value.json;
if (jwt->header.alg)
oidc_jwt_hdr_set(jwt, CJOSE_HDR_ALG, jwt->header.alg);
if (jwt->header.kid)
oidc_jwt_hdr_set(jwt, CJOSE_HDR_KID, jwt->header.kid);
if (jwt->header.enc)
oidc_jwt_hdr_set(jwt, CJOSE_HDR_ENC, jwt->header.enc);
if (jwt->cjose_jws)
cjose_jws_release(jwt->cjose_jws);
cjose_err cjose_err;
char *s_payload = json_dumps(jwt->payload.value.json,
JSON_PRESERVE_ORDER | JSON_COMPACT);
jwt->payload.value.str = apr_pstrdup(pool, s_payload);
jwt->cjose_jws = cjose_jws_sign(jwk->cjose_jwk, hdr,
(const uint8_t *) s_payload, strlen(s_payload), &cjose_err);
free(s_payload);
if (jwt->cjose_jws == NULL) {
oidc_jose_error(err, "cjose_jws_sign failed: %s",
oidc_cjose_e2s(pool, cjose_err));
return FALSE;
}
return TRUE;
}
END_TEST
START_TEST(test_cjose_jws_sign_with_bad_content)
{
cjose_err err;
cjose_header_t *hdr = NULL;
cjose_jws_t *jws = NULL;
static const char *JWK
= "{ \"kty\": \"RSA\", "
"\"e\": \"AQAB\", "
"\"n\": "
"\"0a5nKJLjaB1xdebYWfhvlhYhgfzkw49HAUIjyvb6fNPKhwlBQMoAS5jM3kI17_OMGrHxL7ZP00OE-24__"
"VWDCAhOQsSvlgCvw2XOOCtSWWLpb03dTrCMFeemqS4S9jrKd3NbUk3UJ2dVb_EIbQEC_BVjZStr_"
"HcCrKsj4AluaQUn09H7TuK0yZFBzZMhJ1J8Yi3nAPkxzdGah0XuWhLObMAvANSVmHzRXwnTDw9Dh_"
"bJ4G1xd1DE7W94uoUlcSDx59aSdzTpQzJh1l3lXc6JRUrXTESYgHpMv0O1n0gbIxX8X1ityBlMiccDjfZIKLnwz6hQObvRtRIpxEdq4SYS-w\", "
"\"kid\": \"9ebf9edb-3a24-48b4-b2cb-21f0cf747ea7\", "
"\"d\": "
"\"B1vTivz8th6yaKzdUusBH4dPTbyOWr6gg07K6siYKeFU7kBI5fkw4XZPWk2AjxdBB37PNBl127g25owL-"
"twRaSrBdF5quxzzDix4fEgo77Ik9x8IcUaI5AvpMW7Ig5O0n1SRE-"
"ZfV7KssO0Imqq6bBZkEpzfgVC760tmSuqJ0W2on8eWzi36zuKru9qA5uo7L8w9I5rzqY7XEaak0PYFi5zB1BkpI83tN2bBP2jPsym9lMP4fbf-"
"duHgu0s9H4mDeQFyb7OuI_P7AyH3V3qhUAvk37w-HNL-17g7OBYsZK5jMwa7LobO8Tw0ZdPk5u6dWKdmiWOUUScQVAqtaDjRIQ\" }";
// import the key
cjose_jwk_t *jwk = cjose_jwk_import(JWK, strlen(JWK), &err);
ck_assert_msg(NULL != jwk, "cjose_jwk_import failed: "
"%s, file: %s, function: %s, line: %ld",
err.message, err.file, err.function, err.line);
// set header for JWS
hdr = cjose_header_new(&err);
ck_assert_msg(cjose_header_set(hdr, CJOSE_HDR_ALG, CJOSE_HDR_ALG_PS256, &err), "cjose_header_set failed");
jws = cjose_jws_sign(jwk, hdr, NULL, 1024, &err);
ck_assert_msg(NULL == jws, "cjose_jws_sign created with NULL plaintext");
ck_assert_msg(err.code == CJOSE_ERR_INVALID_ARG, "cjose_jws_sign returned bad err.code (%zu:%s)", err.code, err.message);
jws = cjose_jws_sign(jwk, hdr, NULL, 0, &err);
ck_assert_msg(NULL == jws, "cjose_jws_sign created with NULL plaintext");
ck_assert_msg(err.code == CJOSE_ERR_INVALID_ARG, "cjose_jws_sign returned bad err.code (%zu:%s)", err.code, err.message);
cjose_jwk_release(jwk);
cjose_header_release(hdr);
}
END_TEST
START_TEST(test_cjose_jws_sign_with_bad_header)
{
cjose_err err;
cjose_header_t *hdr = NULL;
cjose_jws_t *jws = NULL;
static const char *plain = "The mind is everything. What you think you become.";
size_t plain_len = strlen(plain);
static const char *JWK
= "{ \"kty\": \"RSA\", "
"\"kid\": \"9ebf9edb-3a24-48b4-b2cb-21f0cf747ea7\", "
"\"e\": \"AQAB\", "
"\"n\": "
"\"0a5nKJLjaB1xdebYWfhvlhYhgfzkw49HAUIjyvb6fNPKhwlBQMoAS5jM3kI17_OMGrHxL7ZP00OE-24__"
"VWDCAhOQsSvlgCvw2XOOCtSWWLpb03dTrCMFeemqS4S9jrKd3NbUk3UJ2dVb_EIbQEC_BVjZStr_"
"HcCrKsj4AluaQUn09H7TuK0yZFBzZMhJ1J8Yi3nAPkxzdGah0XuWhLObMAvANSVmHzRXwnTDw9Dh_"
"bJ4G1xd1DE7W94uoUlcSDx59aSdzTpQzJh1l3lXc6JRUrXTESYgHpMv0O1n0gbIxX8X1ityBlMiccDjfZIKLnwz6hQObvRtRIpxEdq4SYS-w\" }";
cjose_jwk_t *jwk = cjose_jwk_import(JWK, strlen(JWK), &err);
ck_assert_msg(NULL != jwk, "cjose_jwk_import failed: "
"%s, file: %s, function: %s, line: %ld",
err.message, err.file, err.function, err.line);
// set header for JWS with bad alg
hdr = cjose_header_new(&err);
ck_assert_msg(cjose_header_set(hdr, CJOSE_HDR_ALG, "Cayley-Purser", &err), "cjose_header_set failed: "
"%s, file: %s, function: %s, line: %ld",
err.message, err.file, err.function, err.line);
// create a JWS
jws = cjose_jws_sign(jwk, hdr, plain, plain_len, &err);
ck_assert_msg(NULL == jws, "cjose_jws_sign created with bad header");
ck_assert_msg(err.code == CJOSE_ERR_INVALID_ARG, "cjose_jws_sign returned bad err.code (%zu:%s)", err.code, err.message);
cjose_header_release(hdr);
cjose_jwk_release(jwk);
}
END_TEST
START_TEST(test_cjose_jws_none)
{
cjose_err err;
// https://tools.ietf.org/html/rfc7519#section-6.1
// Unsecured JWT (alg=none)
static const char *JWS = "eyJhbGciOiJub25lIn0"
".eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
".";
cjose_jws_t *jws = cjose_jws_import(JWS, strlen(JWS), &err);
ck_assert_msg(NULL != jws, "cjose_jws_import failed: "
"%s, file: %s, function: %s, line: %ld",
err.message, err.file, err.function, err.line);
static const char *JWK = "{ \"kty\": \"EC\","
"\"kid\": \"h4h93\","
"\"use\": \"sig\","
"\"x\": \"qcZ8jiBDygzf1XMWNN3jS7qT3DDslHOYvaa6XHMxShw\","
"\"y\": \"vMcP1OkZsSNaFN6MHrdApLdtLPWo8RnNflgP3DAbcfY\","
"\"crv\": \"P-256\" }";
// import the key
cjose_jwk_t *jwk = cjose_jwk_import(JWK, strlen(JWK), &err);
ck_assert_msg(NULL != jwk, "cjose_jwk_import failed: "
"%s, file: %s, function: %s, line: %ld",
err.message, err.file, err.function, err.line);
// get the plaintext
uint8_t *plain = NULL;
size_t plain_len = 0;
ck_assert_msg(cjose_jws_get_plaintext(jws, &plain, &plain_len, &err), "cjose_jws_get_plaintext failed: "
"%s, file: %s, function: %s, line: %ld",
err.message, err.file, err.function, err.line);
static const char *PLAINTEXT = "{\"iss\":\"joe\",\r\n"
" \"exp\":1300819380,\r\n"
" \"http://example.com/is_root\":true}";
// confirm plain == PLAINTEXT
ck_assert_msg(plain_len == strlen(PLAINTEXT), "length of verified plaintext does not match length of original, "
"expected: %lu, found: %lu",
strlen(PLAINTEXT), plain_len);
ck_assert_msg(strncmp(PLAINTEXT, plain, plain_len) == 0, "verified plaintext does not match signed plaintext: %s", plain);
// try to verify the unsecured JWS
ck_assert_msg(!cjose_jws_verify(jws, jwk, &err), "cjose_jws_verify succeeded for unsecured JWT");
cjose_jws_release(jws);
jws = cjose_jws_import(JWS, strlen(JWS), &err);
ck_assert_msg(NULL != jws, "cjose_jws_import failed: "
"%s, file: %s, function: %s, line: %ld",
err.message, err.file, err.function, err.line);
// try to sign the unsecured JWS
ck_assert_msg(!cjose_jws_sign(jwk, (cjose_header_t *)jws->hdr, PLAINTEXT, strlen(PLAINTEXT), &err),
"cjose_jws_sign succeeded for unsecured JWT");
cjose_jws_release(jws);
cjose_jwk_release(jwk);
}
static void _self_sign_self_verify(const char *plain1, const char *alg, cjose_err *err)
{
const char *s_jwk = _self_get_jwk_by_alg(alg);
cjose_jwk_t *jwk = cjose_jwk_import(s_jwk, strlen(s_jwk), err);
ck_assert_msg(NULL != jwk, "cjose_jwk_import failed: "
"%s, file: %s, function: %s, line: %ld",
err->message, err->file, err->function, err->line);
// set header for JWS
cjose_header_t *hdr = cjose_header_new(err);
ck_assert_msg(cjose_header_set(hdr, CJOSE_HDR_ALG, alg, err), "cjose_header_set failed: "
"%s, file: %s, function: %s, line: %ld",
err->message, err->file, err->function, err->line);
// create the JWS
size_t plain1_len = strlen(plain1);
cjose_jws_t *jws1 = cjose_jws_sign(jwk, hdr, plain1, plain1_len, err);
ck_assert_msg(NULL != jws1, "cjose_jws_sign failed: "
"%s, file: %s, function: %s, line: %ld",
err->message, err->file, err->function, err->line);
ck_assert(hdr == cjose_jws_get_protected(jws1));
// get the compact serialization of JWS
const char *compact = NULL;
ck_assert_msg(cjose_jws_export(jws1, &compact, err), "cjose_jws_export failed: "
"%s, file: %s, function: %s, line: %ld",
err->message, err->file, err->function, err->line);
// deserialize the compact representation to a new JWS
cjose_jws_t *jws2 = cjose_jws_import(compact, strlen(compact), err);
ck_assert_msg(NULL != jws2, "cjose_jws_import failed: "
"%s, file: %s, function: %s, line: %ld",
err->message, err->file, err->function, err->line);
// verify the deserialized JWS
ck_assert_msg(cjose_jws_verify(jws2, jwk, err), "cjose_jws_verify failed: "
"%s, file: %s, function: %s, line: %ld",
err->message, err->file, err->function, err->line);
// get the verified plaintext
uint8_t *plain2 = NULL;
size_t plain2_len = 0;
ck_assert_msg(cjose_jws_get_plaintext(jws2, &plain2, &plain2_len, err), "cjose_jws_get_plaintext failed: "
"%s, file: %s, function: %s, line: %ld",
err->message, err->file, err->function, err->line);
// confirm equal headers
ck_assert(json_equal((json_t *)cjose_jws_get_protected(jws1), (json_t *)cjose_jws_get_protected(jws2)));
// confirm plain2 == plain1
ck_assert_msg(plain2_len == strlen(plain1), "length of verified plaintext does not match length of original, "
"expected: %lu, found: %lu",
strlen(plain1), plain2_len);
ck_assert_msg(strncmp(plain1, plain2, plain2_len) == 0, "verified plaintext does not match signed plaintext");
cjose_header_release(hdr);
cjose_jws_release(jws1);
cjose_jws_release(jws2);
cjose_jwk_release(jwk);
}
END_TEST
START_TEST(test_cjose_jws_sign_with_bad_key)
{
cjose_err err;
cjose_header_t *hdr = NULL;
cjose_jws_t *jws = NULL;
static const char *plain = "The mind is everything. What you think you become.";
size_t plain_len = strlen(plain);
// some bad keys to test with
static const char *JWK_BAD[] = {
// missing private part 'd' needed for signing
"{ \"kty\": \"RSA\", "
"\"kid\": \"9ebf9edb-3a24-48b4-b2cb-21f0cf747ea7\", "
"\"e\": \"AQAB\", "
"\"n\": "
"\"0a5nKJLjaB1xdebYWfhvlhYhgfzkw49HAUIjyvb6fNPKhwlBQMoAS5jM3kI17_OMGrHxL7ZP00OE-24__"
"VWDCAhOQsSvlgCvw2XOOCtSWWLpb03dTrCMFeemqS4S9jrKd3NbUk3UJ2dVb_EIbQEC_BVjZStr_"
"HcCrKsj4AluaQUn09H7TuK0yZFBzZMhJ1J8Yi3nAPkxzdGah0XuWhLObMAvANSVmHzRXwnTDw9Dh_"
"bJ4G1xd1DE7W94uoUlcSDx59aSdzTpQzJh1l3lXc6JRUrXTESYgHpMv0O1n0gbIxX8X1ityBlMiccDjfZIKLnwz6hQObvRtRIpxEdq4SYS-w\" }",
// currently unsupported key type (EC)
"{ \"kty\": \"EC\", \"crv\": \"P-256\", "
"\"x\": \"VoFkf6Wk5kDQ1ob6csBmiMPHU8jALwdtaap35Fsj20M\", "
"\"y\": \"XymwN6u2PmsKbIPy5iij6qZ-mIyej5dvZWB_75lnRgQ\", "
"\"kid\": \"4E34BAFD-E5D9-479C-964D-009C419C38DB\" }",
NULL
};
// set header for JWS
hdr = cjose_header_new(&err);
ck_assert_msg(cjose_header_set(hdr, CJOSE_HDR_ALG, CJOSE_HDR_ALG_PS256, &err), "cjose_header_set failed: "
"%s, file: %s, function: %s, line: %ld",
err.message, err.file, err.function, err.line);
// attempt signion with each bad key
for (int i = 0; NULL != JWK_BAD[i]; ++i)
{
cjose_jwk_t *jwk = cjose_jwk_import(JWK_BAD[i], strlen(JWK_BAD[i]), &err);
ck_assert_msg(NULL != jwk, "cjose_jwk_import failed: "
"%s, file: %s, function: %s, line: %ld",
err.message, err.file, err.function, err.line);
jws = cjose_jws_sign(jwk, hdr, plain, plain_len, &err);
ck_assert_msg(NULL == jws, "cjose_jws_sign created with bad key");
ck_assert_msg(err.code == CJOSE_ERR_INVALID_ARG, "%d cjose_jws_sign returned bad err.code (%zu:%s)", i, err.code,
err.message);
cjose_jwk_release(jwk);
}
jws = cjose_jws_sign(NULL, hdr, plain, plain_len, &err);
ck_assert_msg(NULL == jws, "cjose_jws_sign created with bad key");
ck_assert_msg(err.code == CJOSE_ERR_INVALID_ARG, "cjose_jws_sign returned bad err.code (%zu:%s)", err.code, err.message);
cjose_header_release(hdr);
}