예제 #1
0
/*
 * check the signature on a JWT against the provided keys
 */
static apr_byte_t apr_jws_verify_with_jwk(apr_pool_t *pool, apr_jwt_t *jwt,
        apr_jwk_t *jwk, apr_jwt_error_t *err) {

    apr_byte_t rc = FALSE;

    if (apr_jws_signature_is_hmac(pool, jwt)) {

        rc = (jwk->type == APR_JWK_KEY_OCT)
             && apr_jws_verify_hmac(pool, jwt, jwk, err);

    } else if (apr_jws_signature_is_rsa(pool, jwt)) {

        rc = (jwk->type == APR_JWK_KEY_RSA)
             && apr_jws_verify_rsa(pool, jwt, jwk, err);

#if (OPENSSL_VERSION_NUMBER >= 0x01000000)
    } else if (apr_jws_signature_is_ec(pool, jwt)) {

        rc = (jwk->type == APR_JWK_KEY_EC)
             && apr_jws_verify_ec(pool, jwt, jwk, err);

#endif
    }

    return rc;
}
예제 #2
0
/*
 * verify the signature on an id_token
 */
apr_byte_t oidc_proto_idtoken_verify_signature(request_rec *r, oidc_cfg *cfg,
		oidc_provider_t *provider, apr_jwt_t *jwt, apr_byte_t *refresh) {

	apr_byte_t result = FALSE;

	if (apr_jws_signature_is_hmac(r->pool, jwt)) {

		oidc_debug(r,
				"verifying HMAC signature on id_token: header=%s, message=%s",
				jwt->header.value.str, jwt->message);

		result = apr_jws_verify_hmac(r->pool, jwt, provider->client_secret,
				strlen(provider->client_secret));

	} else if (apr_jws_signature_is_rsa(r->pool, jwt)
#if (OPENSSL_VERSION_NUMBER >= 0x01000000)
			|| apr_jws_signature_is_ec(r->pool, jwt)
#endif
					) {

		/* get the key from the JWKs that corresponds with the key specified in the header */
		apr_jwk_t *jwk = oidc_proto_get_key_from_jwk_uri(r, cfg, provider,
				&jwt->header,
				apr_jws_signature_is_rsa(r->pool, jwt) ? "RSA" : "EC", refresh);

		if (jwk != NULL) {

			oidc_debug(r,
					"verifying RSA/EC signature on id_token: header=%s, message=%s",
					jwt->header.value.str, jwt->message);

			result =
					apr_jws_signature_is_rsa(r->pool, jwt) ?
							apr_jws_verify_rsa(r->pool, jwt, jwk) :
#if (OPENSSL_VERSION_NUMBER >= 0x01000000)
							apr_jws_verify_ec(r->pool, jwt, jwk);
#else
			FALSE;
#endif

		} else {

			oidc_warn(r, "could not find a key in the JSON Web Keys");

			if (*refresh == FALSE) {

				oidc_debug(r, "force refresh of the JWKS");

				/* do it again, forcing a JWKS refresh */
				*refresh = TRUE;
				result = oidc_proto_idtoken_verify_signature(r, cfg, provider,
						jwt, refresh);
			}
		}

	} else {

		oidc_warn(r,
				"cannot verify id_token; unsupported algorithm \"%s\", must be RSA or HMAC",
				jwt->header.alg);

	}

	oidc_debug(r, "verification result of signature with algorithm \"%s\": %s",
			jwt->header.alg, (result == TRUE) ? "TRUE" : "FALSE");

	return result;
}