Google Git
Sign in
fuchsia / third_party / tink / 77ea5026740aaedda87a23e0254bd8a1639674b4 / . / cc / jwt / internal / jwt_format.cc
blob: bd876bc14284389f06acbd746aaf2518d37c7db5 [file] [log] [blame]
// Copyright 2021 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
///////////////////////////////////////////////////////////////////////////////
#include "tink/jwt/internal/jwt_format.h"
#include <string>
#include "absl/status/status.h"
#include "absl/strings/escaping.h"
#include "absl/strings/str_split.h"
#include "tink/crypto_format.h"
#include "tink/jwt/internal/json_util.h"
#include "proto/tink.pb.h"
namespace crypto {
namespace tink {
namespace jwt_internal {
using ::google::crypto::tink::OutputPrefixType;
namespace {
bool isValidUrlsafeBase64Char(char c) {
return (((c >= 'a') && (c <= 'z')) || ((c >= 'A') && (c <= 'Z')) ||
((c >= '0') && (c <= '9')) || ((c == '-') || (c == '_')));
}
bool StrictWebSafeBase64Unescape(absl::string_view src, std::string* dest) {
for (char c : src) {
if (!isValidUrlsafeBase64Char(c)) {
return false;
}
}
return absl::WebSafeBase64Unescape(src, dest);
}
util::Status ValidateKidInHeader(const google::protobuf::Value& kid_in_header,
absl::string_view kid) {
if (kid_in_header.kind_case() != google::protobuf::Value::kStringValue) {
return util::Status(absl::StatusCode::kInvalidArgument,
"kid header is not a string");
}
if (kid_in_header.string_value() != kid) {
return util::Status(absl::StatusCode::kInvalidArgument,
"invalid kid header");
}
return util::OkStatus();
}
} // namespace
std::string EncodeHeader(absl::string_view json_header) {
return absl::WebSafeBase64Escape(json_header);
}
bool DecodeHeader(absl::string_view header, std::string* json_header) {
return StrictWebSafeBase64Unescape(header, json_header);
}
absl::optional<std::string> GetKid(uint32_t key_id,
OutputPrefixType output_prefix_type) {
if (output_prefix_type != OutputPrefixType::TINK) {
return absl::nullopt;
}
char buffer[4];
absl::big_endian::Store32(buffer, key_id);
return absl::WebSafeBase64Escape(absl::string_view(buffer, 4));
}
absl::optional<uint32_t> GetKeyId(absl::string_view kid) {
std::string decoded_kid;
if (!StrictWebSafeBase64Unescape(kid, &decoded_kid)) {
return absl::nullopt;
}
if (decoded_kid.size() != 4) {
return absl::nullopt;
}
return absl::big_endian::Load32(decoded_kid.data());
}
util::StatusOr<std::string> CreateHeader(
absl::string_view algorithm, absl::optional<absl::string_view> type_header,
absl::optional<absl::string_view> kid) {
google::protobuf::Struct header;
auto fields = header.mutable_fields();
if (kid.has_value()) {
google::protobuf::Value kid_value;
(*fields)["kid"].set_string_value(std::string(kid.value()));
}
if (type_header.has_value()) {
(*fields)["typ"].set_string_value(std::string(type_header.value()));
}
(*fields)["alg"].set_string_value(std::string(algorithm));
util::StatusOr<std::string> json_header =
jwt_internal::ProtoStructToJsonString(header);
if (!json_header.ok()) {
return json_header.status();
}
return EncodeHeader(*json_header);
}
util::Status ValidateHeader(const google::protobuf::Struct& header,
absl::string_view algorithm,
absl::optional<absl::string_view> tink_kid,
absl::optional<absl::string_view> custom_kid) {
auto fields = header.fields();
auto it = fields.find("alg");
if (it == fields.end()) {
return util::Status(absl::StatusCode::kInvalidArgument,
"header is missing alg");
}
const google::protobuf::Value& alg = it->second;
if (alg.kind_case() != google::protobuf::Value::kStringValue) {
return util::Status(absl::StatusCode::kInvalidArgument,
"alg is not a string");
}
if (alg.string_value() != algorithm) {
return util::Status(absl::StatusCode::kInvalidArgument, "invalid alg");
}
if (fields.find("crit") != fields.end()) {
return util::Status(absl::StatusCode::kInvalidArgument,
"all tokens with crit headers are rejected");
}
if (tink_kid.has_value() && custom_kid.has_value()) {
return util::Status(absl::StatusCode::kInvalidArgument,
"custom_kid can only be set for RAW keys");
}
auto kid_it = fields.find("kid");
bool header_has_kid = (kid_it != fields.end());
if (tink_kid.has_value()) {
if (!header_has_kid) {
// for output prefix type TINK, the kid header is required.
return util::Status(absl::StatusCode::kInvalidArgument,
"missing kid in header");
}
util::Status status = ValidateKidInHeader(kid_it->second, *tink_kid);
if (!status.ok()) {
return status;
}
}
if (custom_kid.has_value() && header_has_kid) {
util::Status status = ValidateKidInHeader(kid_it->second, *custom_kid);
if (!status.ok()) {
return status;
}
}
return util::OkStatus();
}
absl::optional<std::string> GetTypeHeader(
const google::protobuf::Struct& header) {
auto it = header.fields().find("typ");
if (it == header.fields().end()) {
return absl::nullopt;
}
const auto& value = it->second;
if (value.kind_case() != google::protobuf::Value::kStringValue) {
return absl::nullopt;
}
return value.string_value();
}
std::string EncodePayload(absl::string_view json_payload) {
return absl::WebSafeBase64Escape(json_payload);
}
bool DecodePayload(absl::string_view payload, std::string* json_payload) {
return StrictWebSafeBase64Unescape(payload, json_payload);
}
std::string EncodeSignature(absl::string_view signature) {
return absl::WebSafeBase64Escape(signature);
}
bool DecodeSignature(absl::string_view encoded_signature,
std::string* signature) {
return StrictWebSafeBase64Unescape(encoded_signature, signature);
}
util::StatusOr<RawJwt> RawJwtParser::FromJson(
absl::optional<std::string> type_header, absl::string_view json_payload) {
return RawJwt::FromJson(type_header, json_payload);
}
} // namespace jwt_internal
} // namespace tink
} // namespace crypto