123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490 |
- /* vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: */
- /*
- * Copyright 2016 Red Hat, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
- #include <jose/b64.h>
- #include <jose/jwk.h>
- #include "hooks.h"
- #include "misc.h"
- #include "hsh.h"
- #include <stddef.h>
- #include <stdlib.h>
- #include <string.h>
- static bool
- jwk_hook(jose_cfg_t *cfg, json_t *jwk, jose_hook_jwk_kind_t kind, bool dflt)
- {
- for (const jose_hook_jwk_t *j = jose_hook_jwk_list(); j; j = j->next) {
- json_auto_t *upd = NULL;
- const char *key = NULL;
- json_t *val = NULL;
- size_t i = 0;
- if (j->kind != kind)
- continue;
- if (!j->prep.handles(cfg, jwk))
- continue;
- upd = j->prep.execute(cfg, jwk);
- if (!json_is_object(upd))
- return false;
- json_array_foreach(json_object_get(upd, "del"), i, val) {
- if (!json_object_get(jwk, json_string_value(val)))
- continue;
- if (json_object_del(jwk, json_string_value(val)) < 0)
- return false;
- }
- json_object_foreach(json_object_get(upd, "upd"), key, val) {
- json_t *src = json_object_get(jwk, key);
- if (src && !json_equal(src, val))
- return false;
- if (json_object_set(jwk, key, val) < 0)
- return false;
- }
- return true;
- }
- return dflt;
- }
- bool
- jose_jwk_gen(jose_cfg_t *cfg, json_t *jwk)
- {
- const json_t *ko = NULL;
- const char *alg = NULL;
- const char *kty = NULL;
- const char *use = NULL;
- if (!jwk_hook(cfg, jwk, JOSE_HOOK_JWK_KIND_PREP, true))
- return false;
- if (!jwk_hook(cfg, jwk, JOSE_HOOK_JWK_KIND_MAKE, false))
- return false;
- if (json_unpack(jwk, "{s?s,s:s,s?s,s?o}",
- "alg", &alg, "kty", &kty, "use", &use, "key_ops", &ko) < 0)
- return false;
- for (const jose_hook_alg_t *a = jose_hook_alg_list();
- a && alg && !use && !ko; a = a->next) {
- json_auto_t *ops = NULL;
- if (strcmp(alg, a->name) != 0)
- continue;
- ops = json_array();
- if (!ops)
- return false;
- switch (a->kind) {
- case JOSE_HOOK_ALG_KIND_SIGN:
- if (json_array_append_new(ops, json_string("sign")) < 0)
- return false;
- if (json_array_append_new(ops, json_string("verify")) < 0)
- return false;
- break;
- case JOSE_HOOK_ALG_KIND_WRAP:
- if (json_array_append_new(ops, json_string("wrapKey")) < 0)
- return false;
- if (json_array_append_new(ops, json_string("unwrapKey")) < 0)
- return false;
- break;
- case JOSE_HOOK_ALG_KIND_ENCR:
- if (json_array_append_new(ops, json_string("encrypt")) < 0)
- return false;
- if (json_array_append_new(ops, json_string("decrypt")) < 0)
- return false;
- break;
- case JOSE_HOOK_ALG_KIND_EXCH:
- if (json_array_append_new(ops, json_string("deriveKey")) < 0)
- return false;
- break;
- default:
- break;
- }
- if (json_array_size(ops) > 0 &&
- json_object_set(jwk, "key_ops", ops) < 0)
- return false;
- break;
- }
- for (const jose_hook_jwk_t *j = jose_hook_jwk_list(); j; j = j->next) {
- if (j->kind != JOSE_HOOK_JWK_KIND_TYPE)
- continue;
- if (strcmp(j->type.kty, kty) == 0) {
- for (size_t i = 0; j->type.req[i]; i++) {
- if (!json_object_get(jwk, j->type.req[i]))
- return false;
- }
- return true;
- }
- }
- return false;
- }
- static bool
- jwk_clean(jose_cfg_t *cfg, json_t *jwk)
- {
- const jose_hook_jwk_t *type = NULL;
- const char *kty = NULL;
- bool sym = false;
- if (json_unpack(jwk, "{s:s}", "kty", &kty) == -1)
- return false;
- for (type = jose_hook_jwk_list(); type; type = type->next) {
- if (type->kind != JOSE_HOOK_JWK_KIND_TYPE)
- continue;
- if (strcasecmp(kty, type->type.kty) == 0)
- break;
- }
- if (!type)
- return false;
- sym = !type->type.pub || !type->type.pub[0];
- for (size_t i = 0; type->type.prv[i]; i++) {
- if (!json_object_get(jwk, type->type.prv[i]))
- continue;
- if (json_object_del(jwk, type->type.prv[i]) == -1)
- return false;
- }
- for (const jose_hook_jwk_t *o = jose_hook_jwk_list(); o; o = o->next) {
- json_t *arr = NULL;
- if (o->kind != JOSE_HOOK_JWK_KIND_OPER)
- continue;
- if (!o->oper.prv && (!sym || !o->oper.pub))
- continue;
- arr = json_object_get(jwk, "key_ops");
- for (size_t i = 0; i < json_array_size(arr); i++) {
- const char *ko = NULL;
- ko = json_string_value(json_array_get(arr, i));
- if (!ko)
- continue;
- if ((!o->oper.prv || strcmp(o->oper.prv, ko) != 0) &&
- (!sym || !o->oper.pub || strcmp(o->oper.pub, ko) != 0))
- continue;
- if (json_array_remove(arr, i--) == -1)
- return false;
- }
- }
- return true;
- }
- bool
- jose_jwk_pub(jose_cfg_t *cfg, json_t *jwk)
- {
- json_t *keys = NULL;
- if (json_is_array(jwk))
- keys = jwk;
- else if (json_is_array(json_object_get(jwk, "keys")))
- keys = json_object_get(jwk, "keys");
- if (!keys)
- return jwk_clean(cfg, jwk);
- for (size_t i = 0; i < json_array_size(keys); i++) {
- if (!jwk_clean(cfg, json_array_get(keys, i)))
- return false;
- }
- return true;
- }
- bool
- jose_jwk_prm(jose_cfg_t *cfg, const json_t *jwk, bool req, const char *op)
- {
- const char *use = NULL;
- json_t *ko = NULL;
- if (!json_is_object(jwk))
- return true;
- if (!op)
- return false;
- if (json_unpack((json_t *) jwk, "{s?s,s?o}",
- "use", &use, "key_ops", &ko) != 0)
- return false;
- if (!use && !ko)
- return !req;
- for (size_t i = 0; i < json_array_size(ko); i++) {
- json_t *v = json_array_get(ko, i);
- if (json_is_string(v) && strcmp(op, json_string_value(v)) == 0)
- return true;
- }
- for (const jose_hook_jwk_t *o = jose_hook_jwk_list(); use && o; o = o->next) {
- if (o->kind != JOSE_HOOK_JWK_KIND_OPER)
- continue;
- if (!o->oper.use || strcmp(use, o->oper.use) != 0)
- continue;
- if (o->oper.pub && strcmp(op, o->oper.pub) == 0)
- return true;
- if (o->oper.prv && strcmp(op, o->oper.prv) == 0)
- return true;
- }
- return false;
- }
- static const jose_hook_jwk_t *
- find_type(const json_t *jwk)
- {
- const char *kty = NULL;
- if (json_unpack((json_t *) jwk, "{s:s}", "kty", &kty) < 0)
- return NULL;
- for (const jose_hook_jwk_t *t = jose_hook_jwk_list(); t; t = t->next) {
- if (t->kind != JOSE_HOOK_JWK_KIND_TYPE)
- continue;
- if (strcasecmp(kty, t->type.kty) == 0)
- return t;
- }
- return NULL;
- }
- bool
- jose_jwk_eql(jose_cfg_t *cfg, const json_t *a, const json_t *b)
- {
- const jose_hook_jwk_t *type = NULL;
- type = find_type(a);
- if (!type)
- return false;
- if (!json_equal(json_object_get(a, "kty"), json_object_get(b, "kty")))
- return false;
- for (size_t i = 0; type->type.req[i]; i++) {
- json_t *aa = json_object_get(a, type->type.req[i]);
- json_t *bb = json_object_get(b, type->type.req[i]);
- if (!aa || !bb || !json_equal(aa, bb))
- return false;
- }
- return true;
- }
- static char *
- jwk_str(const json_t *jwk)
- {
- const jose_hook_jwk_t *type = NULL;
- json_auto_t *key = NULL;
- type = find_type(jwk);
- if (!type)
- return NULL;
- key = json_object();
- if (!key)
- return NULL;
- if (json_object_set(key, "kty", json_object_get(jwk, "kty")) < 0)
- return NULL;
- for (size_t i = 0; type->type.req[i]; i++) {
- json_t *tmp = NULL;
- tmp = json_object_get(jwk, type->type.req[i]);
- if (!tmp)
- return NULL;
- if (json_object_set(key, type->type.req[i], tmp) < 0)
- return NULL;
- }
- return json_dumps(key, JSON_SORT_KEYS | JSON_COMPACT);
- }
- json_t *
- jose_jwk_thp(jose_cfg_t *cfg, const json_t *jwk, const char *hash)
- {
- json_t *thp = NULL;
- char *str = NULL;
- str = jwk_str(jwk);
- if (!str)
- return NULL;
- thp = hsh(cfg, hash, str, strlen(str));
- zero(str, strlen(str));
- free(str);
- return thp;
- }
- size_t
- jose_jwk_thp_buf(jose_cfg_t *cfg, const json_t *jwk,
- const char *alg, uint8_t *thp, size_t len)
- {
- char *str = NULL;
- if (!thp || len == 0)
- return hsh_buf(cfg, alg, NULL, 0, NULL, 0);
- str = jwk_str(jwk);
- if (!str)
- return SIZE_MAX;
- len = hsh_buf(cfg, alg, str, strlen(str), thp, len);
- zero(str, strlen(str));
- free(str);
- return len;
- }
- json_t *
- jose_jwk_exc(jose_cfg_t *cfg, const json_t *prv, const json_t *pub)
- {
- const char *alga = NULL;
- const char *algb = NULL;
- const char *ktya = NULL;
- const char *ktyb = NULL;
- if (json_unpack((json_t *) prv, "{s:s,s?s}",
- "kty", &ktya, "alg", &alga) < 0) {
- jose_cfg_err(cfg, JOSE_CFG_ERR_JWK_INVALID, "Private JWK is invalid");
- return NULL;
- }
- if (json_unpack((json_t *) pub, "{s:s,s?s}",
- "kty", &ktyb, "alg", &algb) < 0) {
- jose_cfg_err(cfg, JOSE_CFG_ERR_JWK_INVALID, "Public JWK is invalid");
- return NULL;
- }
- if (strcmp(ktya, ktyb) != 0) {
- jose_cfg_err(cfg, JOSE_CFG_ERR_JWK_MISMATCH,
- "Public and private JWKs are different types");
- return NULL;
- }
- if (alga && algb && strcmp(alga, algb) != 0) {
- jose_cfg_err(cfg, JOSE_CFG_ERR_JWK_MISMATCH,
- "Public and private JWKs have different algorithms");
- return NULL;
- }
- for (const jose_hook_alg_t *a = jose_hook_alg_list();
- !alga && !algb && a; a = a->next) {
- if (a->kind != JOSE_HOOK_ALG_KIND_EXCH)
- continue;
- alga = a->exch.sug(a, cfg, prv, pub);
- }
- if (!alga && !algb) {
- jose_cfg_err(cfg, JOSE_CFG_ERR_ALG_NOINFER,
- "Exchange algorithm cannot be inferred");
- return NULL;
- }
- for (const jose_hook_alg_t *a = jose_hook_alg_list(); a; a = a->next) {
- if (a->kind != JOSE_HOOK_ALG_KIND_EXCH)
- continue;
- if (strcmp(alga ? alga : algb, a->name) != 0)
- continue;
- if (!jose_jwk_prm(cfg, prv, false, a->exch.prm)) {
- jose_cfg_err(cfg, JOSE_CFG_ERR_JWK_DENIED,
- "Private JWK cannot be used to derive keys");
- return NULL;
- }
- if (!jose_jwk_prm(cfg, pub, false, a->exch.prm)) {
- jose_cfg_err(cfg, JOSE_CFG_ERR_JWK_DENIED,
- "Public JWK cannot be used to derive keys");
- return NULL;
- }
- return a->exch.exc(a, cfg, prv, pub);
- }
- jose_cfg_err(cfg, JOSE_CFG_ERR_ALG_NOTSUP,
- "Exchange algorithm %s is unsupported", alga ? alga : algb);
- return NULL;
- }
- static void __attribute__((constructor))
- constructor(void)
- {
- static const char *oct_req[] = { "k", NULL };
- static const char *oct_prv[] = { "k", NULL };
- static const char *rsa_req[] = { "e", "n", NULL };
- static const char *rsa_pub[] = { "e", "n", NULL };
- static const char *rsa_prv[] = { "p", "d", "q", "dp", "dq", "qi", "oth", NULL };
- static const char *ec_req[] = { "crv", "x", "y", NULL };
- static const char *ec_pub[] = { "x", "y", NULL };
- static const char *ec_prv[] = { "d", NULL };
- static jose_hook_jwk_t hooks[] = {
- { .kind = JOSE_HOOK_JWK_KIND_TYPE,
- .type = { .kty = "oct", .req = oct_req, .prv = oct_prv } },
- { .kind = JOSE_HOOK_JWK_KIND_TYPE,
- .type = { .kty = "RSA", .req = rsa_req, .pub = rsa_pub, .prv = rsa_prv } },
- { .kind = JOSE_HOOK_JWK_KIND_TYPE,
- .type = { .kty = "EC", .req = ec_req, .pub = ec_pub, .prv = ec_prv } },
- { .kind = JOSE_HOOK_JWK_KIND_OPER,
- .oper = { .pub = "verify", .prv = "sign", .use = "sig" } },
- { .kind = JOSE_HOOK_JWK_KIND_OPER,
- .oper = { .pub = "encrypt", .prv = "decrypt", .use = "enc" } },
- { .kind = JOSE_HOOK_JWK_KIND_OPER,
- .oper = { .pub = "wrapKey", .prv = "unwrapKey", .use = "enc" } },
- { .kind = JOSE_HOOK_JWK_KIND_OPER,
- .oper = { .pub = "deriveKey" } },
- { .kind = JOSE_HOOK_JWK_KIND_OPER,
- .oper = { .pub = "deriveBits" } },
- {}
- };
- for (size_t i = 0; hooks[i].kind != JOSE_HOOK_JWK_KIND_NONE; i++)
- jose_hook_jwk_push(&hooks[i]);
- }
|