From e0d3c0008690b9fa076172d8c31bf0e1d383cd55 Mon Sep 17 00:00:00 2001 From: Remi Tricot-Le Breton Date: Fri, 1 Oct 2021 15:36:55 +0200 Subject: [PATCH] MINOR: jwt: JWT tokenizing helper function This helper function splits a JWT under Compact Serialization format (dot-separated base64-url encoded strings) into its different sub strings. Since we do not want to manage more than JWS for now, which can only have at most three subparts, any JWT that has strictly more than two dots is considered invalid. --- include/haproxy/jwt-t.h | 21 ++++++++++++++++++++ include/haproxy/jwt.h | 1 + src/jwt.c | 43 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 65 insertions(+) diff --git a/include/haproxy/jwt-t.h b/include/haproxy/jwt-t.h index ecd05f509..6ac68b166 100644 --- a/include/haproxy/jwt-t.h +++ b/include/haproxy/jwt-t.h @@ -40,6 +40,27 @@ enum jwt_alg { JWS_ALG_PS384, JWS_ALG_PS512, }; + +struct jwt_item { + char *start; + size_t length; +}; + +struct jwt_ctx { + enum jwt_alg alg; + struct jwt_item jose; + struct jwt_item claims; + struct jwt_item signature; + char *key; + unsigned int key_length; +}; + +enum jwt_elt { + JWT_ELT_JOSE = 0, + JWT_ELT_CLAIMS, + JWT_ELT_SIG, + JWT_ELT_MAX +}; #endif /* USE_OPENSSL */ diff --git a/include/haproxy/jwt.h b/include/haproxy/jwt.h index e1abdb5e5..b24cc28cf 100644 --- a/include/haproxy/jwt.h +++ b/include/haproxy/jwt.h @@ -27,6 +27,7 @@ #ifdef USE_OPENSSL enum jwt_alg jwt_parse_alg(const char *alg_str, unsigned int alg_len); +int jwt_tokenize(const struct buffer *jwt, struct jwt_item *items, unsigned int *item_num); #endif /* USE_OPENSSL */ #endif /* _HAPROXY_JWT_H */ diff --git a/src/jwt.c b/src/jwt.c index 3d7536852..9f39a89fe 100644 --- a/src/jwt.c +++ b/src/jwt.c @@ -77,4 +77,47 @@ enum jwt_alg jwt_parse_alg(const char *alg_str, unsigned int alg_len) return alg; } + + +/* + * Split a JWT into its separate dot-separated parts. + * Since only JWS following the Compact Serialization format are managed for + * now, we don't need to manage more than three subparts in the tokens. + * See section 3.1 of RFC7515 for more information about JWS Compact + * Serialization. + * Returns 0 in case of success. + */ +int jwt_tokenize(const struct buffer *jwt, struct jwt_item *items, unsigned int *item_num) +{ + char *ptr = jwt->area; + char *jwt_end = jwt->area + jwt->data; + unsigned int index = 0; + unsigned int length = 0; + + if (index < *item_num) { + items[index].start = ptr; + items[index].length = 0; + } + + while (index < *item_num && ptr < jwt_end) { + if (*ptr++ == '.') { + items[index++].length = length; + + if (index == *item_num) + return -1; + items[index].start = ptr; + items[index].length = 0; + length = 0; + } else + ++length; + } + + if (index < *item_num) + items[index].length = length; + + *item_num = (index+1); + + return (ptr != jwt_end); +} + #endif /* USE_OPENSSL */