read rsa public key from JWK

kleinmrk · kleinmrk · commit 0cadf3d8dc7c · 2022-10-02T17:27:37.000+02:00
diff --git a/include/jwt-cpp/jwt.h b/include/jwt-cpp/jwt.h
@@ -73,6 +73,10 @@
 #define JWT_CLAIM_EXPLICIT explicit
 #endif
 
+#ifdef JWT_OPENSSL_3_0
+#include <openssl/param_build.h>
+#endif
+
 /**
  * \brief JSON Web Token
  *
@@ -976,6 +980,9 @@ namespace jwt {
 				} else
 					throw rsa_exception(error::rsa_error::no_key_provided);
 			}
+
+			rsa(helper::evp_pkey_handle pkey, const EVP_MD* (*md)(), std::string name)
+				: pkey(pkey), md(md), alg_name(std::move(name)) {}
 			/**
 			 * Sign jwt data
 			 * \param data The data to sign
@@ -3134,10 +3141,28 @@ namespace jwt {
 
 	public:
 		JWT_CLAIM_EXPLICIT jwk(const typename json_traits::string_type& str)
-			: jwk_claims(details::map_of_claims<json_traits>::parse_claims(str)) {}
+			: jwk(details::map_of_claims<json_traits>::parse_claims(str)) {}
+
+		JWT_CLAIM_EXPLICIT jwk(const typename json_traits::value_type& json) : jwk(json_traits::as_object(json)) {}
+
+		JWT_CLAIM_EXPLICIT jwk(const typename json_traits::object_type& json)
+			: jwk_claims(json), key(build_key(jwk_claims)) {
+			// https://datatracker.ietf.org/doc/html/rfc7518#section-6.1
+			// * indicate required params
+			// "kty"* : "EC", "RSA", "oct"
 
-		JWT_CLAIM_EXPLICIT jwk(const typename json_traits::value_type& json)
-			: jwk_claims(json_traits::as_object(json)) {}
+			// if "EC", then "crv"*, then "x"*. if "crv" is any of "P-256", "P-384", "P-521", then "y"*
+			// if "EC" and private key, then "d"*
+
+			// if "RSA", then "n"*, "e"*
+			// if "RSA" and private, then "d"*
+			// if "RSA" and any of the following is present, then all must be present
+			//   "p", "q", "dp", "dq", "qi"
+			// "oth" - array of objects consisting of "r"*, "d"*, "t"*
+
+			// if "oct", then "k"*
+			// if "oct", then SHOULD contain "alg"
+		}
 
 		/**
 		 * Get key type claim
@@ -3316,6 +3341,109 @@ namespace jwt {
 		}
 
 		bool empty() const noexcept { return jwk_claims.empty(); }
+
+		helper::evp_pkey_handle get_pkey() const { return key.get_asymmetric_key(); }
+
+		std::string get_oct_key() const { return key.get_symmetric_key(); }
+
+	private:
+		class key {
+		public:
+			static key symmetric(const std::string& bytes) { return key(bytes); }
+
+			static key asymmetric(helper::evp_pkey_handle pkey) { return key(pkey); }
+
+			std::string get_symmetric_key() const {
+				if (!is_symmetric) { throw std::logic_error("not a symmetric key"); }
+
+				return oct_key;
+			}
+
+			helper::evp_pkey_handle get_asymmetric_key() const {
+				if (is_symmetric) { throw std::logic_error("not an asymmetric key"); }
+
+				return pkey;
+			}
+
+		private:
+			key(const std::string& key) {
+				is_symmetric = true;
+				oct_key = key;
+			}
+
+			key(helper::evp_pkey_handle key) {
+				is_symmetric = false;
+				pkey = key;
+			}
+
+			bool is_symmetric;
+			helper::evp_pkey_handle pkey;
+			std::string oct_key;
+		};
+
+		static helper::evp_pkey_handle build_rsa_key(const details::map_of_claims<json_traits>& claims) {
+			EVP_PKEY* evp_key = nullptr;
+			auto n = jwt::helper::raw2bn(
+				base::decode<alphabet::base64url>(base::pad<alphabet::base64url>(claims.get_claim("n").as_string())));
+			auto e = jwt::helper::raw2bn(
+				base::decode<alphabet::base64url>(base::pad<alphabet::base64url>(claims.get_claim("e").as_string())));
+#ifdef JWT_OPENSSL_3_0
+			// https://www.openssl.org/docs/manmaster/man7/EVP_PKEY-RSA.html
+			// see https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_fromdata.html
+			// and https://stackoverflow.com/questions/68465716/how-to-properly-create-an-rsa-key-from-raw-data-in-openssl-3-0-in-c-language
+			std::unique_ptr<EVP_PKEY_CTX, decltype(&EVP_PKEY_CTX_free)> ctx(
+				EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL), EVP_PKEY_CTX_free);
+			if (!ctx) { throw std::runtime_error("EVP_PKEY_CTX_new_from_name failed"); }
+
+			std::unique_ptr<OSSL_PARAM_BLD, decltype(&OSSL_PARAM_BLD_free)> params_build(OSSL_PARAM_BLD_new(),
+																						 OSSL_PARAM_BLD_free);
+			OSSL_PARAM_BLD_push_BN(params_build.get(), "n", n.get());
+			OSSL_PARAM_BLD_push_BN(params_build.get(), "e", e.get());
+
+			std::unique_ptr<OSSL_PARAM, decltype(&OSSL_PARAM_free)> params(OSSL_PARAM_BLD_to_param(params_build.get()),
+																		   OSSL_PARAM_free);
+			EVP_PKEY_fromdata_init(ctx.get());
+			EVP_PKEY_fromdata(ctx.get(), &evp_key, EVP_PKEY_PUBLIC_KEY, params.get());
+			return helper::evp_pkey_handle(evp_key);
+#else
+			RSA* rsa = RSA_new();
+			evp_key = EVP_PKEY_new();
+#if defined(JWT_OPENSSL_1_0_0) && !defined(LIBWOLFSSL_VERSION_HEX)
+			rsa->e = e.release();
+			rsa->n = n.release();
+#else
+			RSA_set0_key(rsa, n.release(), e.release(), nullptr);
+#endif
+			EVP_PKEY_assign_RSA(evp_key, rsa);
+			return helper::evp_pkey_handle(evp_key);
+#endif
+		}
+
+		static key build_key(const details::map_of_claims<json_traits>& claims) {
+			if (!claims.has_claim("kty")) {
+				// TODO: custom exception or error code
+				throw std::runtime_error("missing required claim \"kty\"");
+			}
+
+			if (claims.get_claim("kty").get_type() != json::type::string) {
+				// TODO: custom exception or error code
+				throw std::runtime_error("\"kty\" claim must be of type 'string'");
+			}
+
+			if (claims.get_claim("kty").as_string() == "RSA") {
+				return key::asymmetric(build_rsa_key(claims));
+			} else if (claims.get_claim("kty").as_string() == "EC") {
+				// TODO: build EC key
+				throw std::runtime_error("not implemented");
+			} else if (claims.get_claim("kty").as_string() == "oct") {
+				return key::symmetric(base::decode<alphabet::base64url>(claims.get_claim("k").as_string()));
+			} else {
+				// TODO: do not build error messages like this
+				throw std::runtime_error("unknown key type (\"kty\"):" + claims.get_claim("kty").as_string());
+			}
+		}
+
+		key key;
 	};
 
 	/**
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
@@ -18,7 +18,8 @@ set(TEST_SOURCES
     ${CMAKE_CURRENT_SOURCE_DIR}/Keys.cpp ${CMAKE_CURRENT_SOURCE_DIR}/HelperTest.cpp
     ${CMAKE_CURRENT_SOURCE_DIR}/TestMain.cpp ${CMAKE_CURRENT_SOURCE_DIR}/TokenFormatTest.cpp
     ${CMAKE_CURRENT_SOURCE_DIR}/TokenTest.cpp ${CMAKE_CURRENT_SOURCE_DIR}/JwksTest.cpp
-    ${CMAKE_CURRENT_SOURCE_DIR}/OpenSSLErrorTest.cpp ${CMAKE_CURRENT_SOURCE_DIR}/traits/NlohmannTest.cpp)
+    ${CMAKE_CURRENT_SOURCE_DIR}/OpenSSLErrorTest.cpp ${CMAKE_CURRENT_SOURCE_DIR}/traits/NlohmannTest.cpp
+    ${CMAKE_CURRENT_SOURCE_DIR}/JwkTest.cpp)
 
 find_package(jsoncons CONFIG)
 if(TARGET jsoncons)
diff --git a/tests/JwkTest.cpp b/tests/JwkTest.cpp
@@ -0,0 +1,63 @@
+#include "jwt-cpp/jwt.h"
+#include <gtest/gtest.h>
+
+/*
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA2KvGTTxorqX2rvLOASWcBOqevGo5eIFFUVSlQIWe8x/a19mT
+XbYz6l3FYZ0s2W172nBpzJggi6PLK3397JsjjrzXb1pgXCVjIjM4hs5HDNtoWmC3
+/+O1jWknfrUHS95KWJkKg77B3ShGO1n8drfXCL4lWdo8F3UtVjHgfYEHI1xLSv3n
+v8QfGpOnWh4MAdmXhcankZQNuip6pwKlF+3y2WfukHN3rAmMx1MyID77srgPW7A3
+f0FTiGUz5gfUdp+5MMSQbhSZTM9fXu0buU4cmL35W9GoExjfjXlixpl70HWdyeLY
+SNyZKaw/Tqjwq769xf5sJZBe5UP6hL/dbLYhvQIDAQABAoIBACtorsAGnEpxQazn
+RFKCgHGTt92zwnPcIlEbDkiQ/Llk5mlcU+PwfxIzWzolTTj6cFfhMbElwU94r1m1
+Ukw3ALa2KstKZgfQDb5qWKbZaO6wfoWs3vBLZLJCIQGHr0CJ9octkie27gwq53c4
+nhYC2vgLcFxCFsv0U/Ly5zD9yrpQgv3DElKbc2zal/Z+kBt9MAN+2S4Fh2LaEUUl
+8QXjxdxbe3PHvX4nO5TWM3ztcfANzPDAWFJDeOgciUK6wEqTxkmgjh4uMaDG5X3V
+5xQRLBnFVXYzdwAVjzJVk9RvIDSQnEgYyHLBX6d190F85G8zQMVEwvs2VD1qJO+0
+BppwloECgYEA7T2xC7xGtxn/Tg9lhItZzE371mTffZDNbhL2YDQt6jBHq40cmmBi
+MzAYhV0Z7nky3bVHQUdaDLnJYIsqIrqqxGUZjcnkajhsSd1YGBwTHAv1njr+BX9a
+zY15u/pNb+OYY6naFHuTmen/NKSha+s+kHmQGCEKzErhfZ4yXhrPETECgYEA6c2y
+3iojU/P73RyUcoWQnDdOuQ8YNMAqoGwh/FzkG9futAiyhB3mGPmn7nw79rIO02Og
+Rjk7t1qSSL5DX1oAP3Fq/G1HE9epgM4j82Sa9vpUZpoLBefD2wUDjD4QmzKcFuYv
+M/Wl6dMLURllL24IdsEctR1p76Y7Spm251k/1k0CgYBpMxMAFjPxW6jXb4JfvP9L
+1kTXNBHad0xxBB2WWW0GzPPrAX7ugdDpy+kDsl4eXkYNBCadrssim3vNwMglcErr
+Hb2wHxeXdn+mXW2D+2cJ58+5o4Ui4O9d+N9DWOHfvLfFcfsPXCD+fkG5kUs3NLCg
+lhcsa/KC1q2Y636ANjkd8QKBgQCP882AilNMGnnljvY7eM8rz8XRnWCbAgJ82Xcn
+aY4tMotPH9fCDqKgl/50kNterg0AzGNfOVfyMXrF/ReAOurSJSPpHeNYbT15B/MM
+pdHf5QtYTNoinatyS6j+jSwuUj/WvY0sob+wsvdRzKAHTuk5LPde8ChMnH3/FZuO
+3921NQKBgQCSJf1kVFuxoWtdxqII0QJv6jSMaftK5xNkWCiLpmdttDpOdLRnMrYb
+XXkgbME3NheApU1oXIehLyXG46DmFXCNKME98NuJ5ENvLVkOsGyPhZDtQtQT099J
+z8gE19JF3RSmwvcaNpsLRg24BId/GmrZKgz9TEQMm+5wt93XcKtj6w==
+-----END RSA PRIVATE KEY-----
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2KvGTTxorqX2rvLOASWc
+BOqevGo5eIFFUVSlQIWe8x/a19mTXbYz6l3FYZ0s2W172nBpzJggi6PLK3397Jsj
+jrzXb1pgXCVjIjM4hs5HDNtoWmC3/+O1jWknfrUHS95KWJkKg77B3ShGO1n8drfX
+CL4lWdo8F3UtVjHgfYEHI1xLSv3nv8QfGpOnWh4MAdmXhcankZQNuip6pwKlF+3y
+2WfukHN3rAmMx1MyID77srgPW7A3f0FTiGUz5gfUdp+5MMSQbhSZTM9fXu0buU4c
+mL35W9GoExjfjXlixpl70HWdyeLYSNyZKaw/Tqjwq769xf5sJZBe5UP6hL/dbLYh
+vQIDAQAB
+-----END PUBLIC KEY-----
+*/
+
+TEST(JwkTest, ParseKey) {
+	std::string token =
+		"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.IzM0dgbhU1CsRbjmwyPHXkc8LagqFtsZD6p1ls_"
+		"WBugkEKNfFmZmhOM1YYiFg59xId_KtzNdp4puzGIafut15U06DL2ZGH_H4xE7ONy6WLA_i5z5H8gPxD3ui2W4nHEEf-mvqKSn-"
+		"bU8YPUydrwK3dVRfP5JA9XJT0KhssSCnty99y853xvuTh0484atxMjIk2LvnIWlYXFgoggC8TMY-4AtAJDfF8aVJXT0m-"
+		"90oNevJbxMsuf5XFKo30TWxlnRw-y-QsYr9pxj2sA0BdwqRKVRRg5KF-"
+		"p6rIEbAv3A6UuzLORvtixp5AASS7nrBlZ1BB8q2hYFCPtOv6UETIIkaQ";
+	std::string public_key = R"({
+		"kty": "RSA",
+		"n": "2KvGTTxorqX2rvLOASWcBOqevGo5eIFFUVSlQIWe8x_a19mTXbYz6l3FYZ0s2W172nBpzJggi6PLK3397JsjjrzXb1pgXCVjIjM4hs5HDNtoWmC3_-O1jWknfrUHS95KWJkKg77B3ShGO1n8drfXCL4lWdo8F3UtVjHgfYEHI1xLSv3nv8QfGpOnWh4MAdmXhcankZQNuip6pwKlF-3y2WfukHN3rAmMx1MyID77srgPW7A3f0FTiGUz5gfUdp-5MMSQbhSZTM9fXu0buU4cmL35W9GoExjfjXlixpl70HWdyeLYSNyZKaw_Tqjwq769xf5sJZBe5UP6hL_dbLYhvQ",
+		"e": "AQAB"
+	})";
+
+	auto jwk = jwt::parse_jwk(public_key);
+	ASSERT_EQ("RSA", jwk.get_key_type());
+	auto alg = jwt::algorithm::rsa(jwk.get_pkey(), EVP_sha256, "RS256");
+	auto verify = jwt::verify();
+	auto decoded_token = jwt::decode(token);
+
+	ASSERT_NO_THROW(verify.do_verify(jwk, decoded_token));
+}
