END_TEST
START_TEST(test_cjose_header_set_get)
{
cjose_err err;
bool result;
const char *alg_get, *alg_set = "RSA-OAEP";
const char *enc_get, *enc_set = "A256GCM";
cjose_header_t *header = cjose_header_new(&err);
ck_assert_msg(NULL != header, "cjose_header_new failed");
result = cjose_header_set(header, CJOSE_HDR_ALG, alg_set, &err);
ck_assert_msg(result, "cjose_header_set failed to set ALG");
result = cjose_header_set(header, CJOSE_HDR_ENC, enc_set, &err);
ck_assert_msg(result, "cjose_header_set failed to set ENC");
alg_get = cjose_header_get(header, CJOSE_HDR_ALG, &err);
ck_assert_msg(NULL != alg_get, "cjose_header_get failed to get ALG");
enc_get = cjose_header_get(header, CJOSE_HDR_ENC, &err);
ck_assert_msg(NULL != enc_get, "cjose_header_get failed to get ENC");
ck_assert_msg(!strcmp(alg_set, alg_get), "cjose_header_get failed, "
"expected: %s, found: %s",
((alg_set) ? alg_set : "null"), ((alg_get) ? alg_get : "null"));
ck_assert_msg(!strcmp(enc_set, enc_get), "cjose_header_get failed, "
"expected: %s, found: %s",
((enc_set) ? enc_set : "null"), ((enc_get) ? enc_get : "null"));
cjose_header_release(header);
}
/*
* parse and (optionally) decrypt a JSON Web Token
*/
apr_byte_t oidc_jwt_parse(apr_pool_t *pool, const char *input_json,
oidc_jwt_t **j_jwt, apr_hash_t *keys, oidc_jose_error_t *err) {
cjose_err cjose_err;
char *s_json = NULL;
if (oidc_jwe_decrypt(pool, input_json, keys, &s_json, err, FALSE) == FALSE)
return FALSE;
*j_jwt = oidc_jwt_new(pool, FALSE, FALSE);
oidc_jwt_t *jwt = *j_jwt;
jwt->cjose_jws = cjose_jws_import(s_json, strlen(s_json), &cjose_err);
if (jwt->cjose_jws == NULL) {
oidc_jose_error(err, "cjose_jws_import failed: %s",
oidc_cjose_e2s(pool, cjose_err));
oidc_jwt_destroy(jwt);
*j_jwt = NULL;
return FALSE;
}
cjose_header_t *hdr = cjose_jws_get_protected(jwt->cjose_jws);
jwt->header.value.json = json_deep_copy((json_t *)hdr);
char *str = json_dumps(jwt->header.value.json,
JSON_PRESERVE_ORDER | JSON_COMPACT);
jwt->header.value.str = apr_pstrdup(pool, str);
free(str);
jwt->header.alg = apr_pstrdup(pool,
cjose_header_get(hdr, CJOSE_HDR_ALG, &cjose_err));
jwt->header.enc = apr_pstrdup(pool,
cjose_header_get(hdr, CJOSE_HDR_ENC, &cjose_err));
jwt->header.kid = apr_pstrdup(pool,
cjose_header_get(hdr, CJOSE_HDR_KID, &cjose_err));
uint8_t *plaintext = NULL;
size_t plaintext_len = 0;
if (cjose_jws_get_plaintext(jwt->cjose_jws, &plaintext, &plaintext_len,
&cjose_err) == FALSE) {
oidc_jose_error(err, "cjose_jws_get_plaintext failed: %s",
oidc_cjose_e2s(pool, cjose_err));
return FALSE;
}
if (oidc_jose_parse_payload(pool, (const char *) plaintext, plaintext_len,
&jwt->payload, err) == FALSE) {
oidc_jwt_destroy(jwt);
*j_jwt = NULL;
}
return TRUE;
}
/*
* decrypt a JWT and return the plaintext
*/
static uint8_t *oidc_jwe_decrypt_impl(apr_pool_t *pool, cjose_jwe_t *jwe,
apr_hash_t *keys, size_t *content_len, oidc_jose_error_t *err) {
uint8_t *decrypted = NULL;
oidc_jwk_t *jwk = NULL;
apr_hash_index_t *hi;
cjose_err cjose_err;
cjose_header_t *hdr = cjose_jwe_get_protected(jwe);
const char *kid = cjose_header_get(hdr, CJOSE_HDR_KID, &cjose_err);
const char *alg = cjose_header_get(hdr, CJOSE_HDR_ALG, &cjose_err);
if (kid != NULL) {
jwk = apr_hash_get(keys, kid, APR_HASH_KEY_STRING);
if (jwk != NULL) {
decrypted = cjose_jwe_decrypt(jwe, jwk->cjose_jwk, content_len,
&cjose_err);
if (decrypted == NULL)
oidc_jose_error(err,
"encrypted JWT could not be decrypted with kid %s: %s",
kid, oidc_cjose_e2s(pool, cjose_err));
} else {
oidc_jose_error(err, "could not find key with kid: %s", kid);
}
} else {
for (hi = apr_hash_first(pool, keys); hi; hi = apr_hash_next(hi)) {
apr_hash_this(hi, NULL, NULL, (void **) &jwk);
if (jwk->kty == oidc_alg2kty(alg)) {
decrypted = cjose_jwe_decrypt(jwe, jwk->cjose_jwk, content_len,
&cjose_err);
if (decrypted != NULL)
break;
}
}
if (decrypted == NULL)
oidc_jose_error(err,
"encrypted JWT could not be decrypted with any of the %d keys: error for last tried key is: %s",
apr_hash_count(keys), oidc_cjose_e2s(pool, cjose_err));
}
return decrypted;
}
/*
* get a header value from a JWT
*/
const char *oidc_jwt_hdr_get(oidc_jwt_t *jwt, const char *key) {
cjose_err cjose_err;
cjose_header_t *hdr = cjose_jws_get_protected(jwt->cjose_jws);
return hdr ? cjose_header_get(hdr, key, &cjose_err) : NULL;
}
