| // Copyright 2022 Google LLC |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| // |
| //////////////////////////////////////////////////////////////////////////////// |
| |
| package jwt |
| |
| import ( |
| "encoding/base64" |
| "encoding/binary" |
| "fmt" |
| "strings" |
| |
| spb "google.golang.org/protobuf/types/known/structpb" |
| tpb "github.com/google/tink/go/proto/tink_go_proto" |
| ) |
| |
| // keyID returns the keyID in big endian format base64 encoded if the key output prefix is of type Tink or nil otherwise. |
| func keyID(keyID uint32, outPrefixType tpb.OutputPrefixType) *string { |
| if outPrefixType != tpb.OutputPrefixType_TINK { |
| return nil |
| } |
| buf := make([]byte, 4) |
| binary.BigEndian.PutUint32(buf, keyID) |
| s := base64Encode(buf) |
| return &s |
| } |
| |
| // createUnsigned creates an unsigned JWT by created the header/payload, encoding them to a websafe base64 encoded string and concatenating. |
| func createUnsigned(rawJWT *RawJWT, algo string, tinkKID *string, customKID *string) (string, error) { |
| if rawJWT == nil { |
| return "", fmt.Errorf("rawJWT is nil") |
| } |
| var typeHeader *string = nil |
| if rawJWT.HasTypeHeader() { |
| th, err := rawJWT.TypeHeader() |
| if err != nil { |
| return "", err |
| } |
| typeHeader = &th |
| } |
| if customKID != nil && tinkKID != nil { |
| return "", fmt.Errorf("TINK Keys are not allowed to have a kid value set") |
| } |
| if tinkKID != nil { |
| customKID = tinkKID |
| } |
| encodedHeader, err := createHeader(algo, typeHeader, customKID) |
| if err != nil { |
| return "", err |
| } |
| payload, err := rawJWT.JSONPayload() |
| if err != nil { |
| return "", err |
| } |
| return dotConcat(encodedHeader, base64Encode(payload)), nil |
| } |
| |
| // combineUnsignedAndSignature combines the token with the raw signature to provide a signed token. |
| func combineUnsignedAndSignature(unsigned string, signature []byte) string { |
| return dotConcat(unsigned, base64Encode(signature)) |
| } |
| |
| // splitSignedCompact extracts the witness and usigned JWT. |
| func splitSignedCompact(compact string) ([]byte, string, error) { |
| i := strings.LastIndex(compact, ".") |
| if i < 0 { |
| return nil, "", fmt.Errorf("invalid token") |
| } |
| witness, err := base64Decode(compact[i+1:]) |
| if err != nil { |
| return nil, "", fmt.Errorf("%q: %v", compact[i+1:], err) |
| } |
| if len(witness) == 0 { |
| return nil, "", fmt.Errorf("empty signature") |
| } |
| unsigned := compact[0:i] |
| if len(unsigned) == 0 { |
| return nil, "", fmt.Errorf("empty content") |
| } |
| if strings.Count(unsigned, ".") != 1 { |
| return nil, "", fmt.Errorf("only tokens in JWS compact serialization formats are supported") |
| } |
| return witness, unsigned, nil |
| } |
| |
| // decodeUnsignedTokenAndValidateHeader verifies the header on an unsigned JWT and decodes the payload into a RawJWT. |
| // Expects the token to be in compact serialization format. The signature should be verified before calling this function. |
| func decodeUnsignedTokenAndValidateHeader(unsigned, algorithm string, tinkKID, customKID *string) (*RawJWT, error) { |
| parts := strings.Split(unsigned, ".") |
| if len(parts) != 2 { |
| return nil, fmt.Errorf("only tokens in JWS compact serialization formats are supported") |
| } |
| jsonHeader, err := base64Decode(parts[0]) |
| if err != nil { |
| return nil, err |
| } |
| header, err := jsonToStruct(jsonHeader) |
| if err != nil { |
| return nil, err |
| } |
| if err := validateHeader(header, algorithm, tinkKID, customKID); err != nil { |
| return nil, err |
| } |
| typeHeader, err := extractTypeHeader(header) |
| if err != nil { |
| return nil, err |
| } |
| jsonPayload, err := base64Decode(parts[1]) |
| if err != nil { |
| return nil, err |
| } |
| return NewRawJWTFromJSON(typeHeader, jsonPayload) |
| } |
| |
| // base64Encode encodes a byte array into a base64 URL safe string with no padding. |
| func base64Encode(content []byte) string { |
| return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(content) |
| } |
| |
| // base64Decode decodes a URL safe base64 encoded string into a byte array ignoring padding. |
| func base64Decode(content string) ([]byte, error) { |
| for _, c := range content { |
| if !isValidURLsafeBase64Char(c) { |
| return nil, fmt.Errorf("invalid encoding") |
| } |
| } |
| return base64.URLEncoding.WithPadding(base64.NoPadding).DecodeString(content) |
| } |
| |
| func isValidURLsafeBase64Char(c rune) bool { |
| return (((c >= 'a') && (c <= 'z')) || ((c >= 'A') && (c <= 'Z')) || |
| ((c >= '0') && (c <= '9')) || ((c == '-') || (c == '_'))) |
| } |
| |
| func dotConcat(a, b string) string { |
| return fmt.Sprintf("%s.%s", a, b) |
| } |
| |
| func jsonToStruct(jsonPayload []byte) (*spb.Struct, error) { |
| payload := &spb.Struct{} |
| if err := payload.UnmarshalJSON(jsonPayload); err != nil { |
| return nil, err |
| } |
| return payload, nil |
| } |
| |
| func extractTypeHeader(header *spb.Struct) (*string, error) { |
| fields := header.GetFields() |
| if fields == nil { |
| return nil, fmt.Errorf("header contains no fields") |
| } |
| val, ok := fields["typ"] |
| if !ok { |
| return nil, nil |
| } |
| str, ok := val.Kind.(*spb.Value_StringValue) |
| if !ok { |
| return nil, fmt.Errorf("type header isn't a string") |
| } |
| return &str.StringValue, nil |
| } |
| |
| func createHeader(algorithm string, typeHeader, kid *string) (string, error) { |
| header := &spb.Struct{ |
| Fields: map[string]*spb.Value{ |
| "alg": spb.NewStringValue(algorithm), |
| }, |
| } |
| if typeHeader != nil { |
| header.Fields["typ"] = spb.NewStringValue(*typeHeader) |
| } |
| if kid != nil { |
| header.Fields["kid"] = spb.NewStringValue(*kid) |
| } |
| jsonHeader, err := header.MarshalJSON() |
| if err != nil { |
| return "", err |
| } |
| return base64Encode(jsonHeader), nil |
| } |
| |
| func validateHeader(header *spb.Struct, algorithm string, tinkKID, customKID *string) error { |
| fields := header.GetFields() |
| if fields == nil { |
| return fmt.Errorf("header contains no fields") |
| } |
| alg, err := headerStringField(fields, "alg") |
| if err != nil { |
| return err |
| } |
| if alg != algorithm { |
| return fmt.Errorf("invalid alg") |
| } |
| if _, ok := fields["crit"]; ok { |
| return fmt.Errorf("all tokens with crit headers are rejected") |
| } |
| if tinkKID != nil && customKID != nil { |
| return fmt.Errorf("custom_kid can only be set for RAW keys") |
| } |
| _, hasKID := fields["kid"] |
| if tinkKID != nil && !hasKID { |
| return fmt.Errorf("missing kid in header") |
| } |
| if tinkKID != nil { |
| return validateKIDInHeader(fields, tinkKID) |
| } |
| if hasKID && customKID != nil { |
| return validateKIDInHeader(fields, customKID) |
| } |
| return nil |
| } |
| |
| func validateKIDInHeader(fields map[string]*spb.Value, kid *string) error { |
| headerKID, err := headerStringField(fields, "kid") |
| if err != nil { |
| return err |
| } |
| if headerKID != *kid { |
| return fmt.Errorf("invalid kid header") |
| } |
| return nil |
| } |
| |
| func headerStringField(fields map[string]*spb.Value, name string) (string, error) { |
| val, ok := fields[name] |
| if !ok { |
| return "", fmt.Errorf("header is missing %q", name) |
| } |
| str, ok := val.Kind.(*spb.Value_StringValue) |
| if !ok { |
| return "", fmt.Errorf("%q header isn't a string", name) |
| } |
| return str.StringValue, nil |
| } |
