This repository has been archived by the owner on May 3, 2022. It is now read-only.
forked from envoyproxy/envoy-openssl
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathjwt_verify-make-compatible-with-openssl.patch
132 lines (119 loc) · 3.91 KB
/
jwt_verify-make-compatible-with-openssl.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
From 524cb52b23cd284f9f2c6c7db3b46bb2167cba4b Mon Sep 17 00:00:00 2001
From: Venil Noronha <[email protected]>
Date: Fri, 1 Nov 2019 10:10:10 -0700
Subject: [PATCH] make compatible with openssl
Signed-off-by: Venil Noronha <[email protected]>
---
BUILD | 2 ++
jwt_verify_lib/jwks.h | 4 ++++
src/jwks.cc | 22 +++++++++++++++++-----
src/verify.cc | 13 +++++++++++--
4 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/BUILD b/BUILD
index 532dd5d..8d96da7 100644
--- a/BUILD
+++ b/BUILD
@@ -27,6 +27,8 @@ cc_library(
"//external:abseil_time",
"//external:protobuf",
"//external:ssl",
+ "@envoy_openssl//boringssl_compat:bssl_compat_cbs_lib",
+ "@envoy_openssl//boringssl_compat:bssl_compat_lib",
],
)
diff --git a/jwt_verify_lib/jwks.h b/jwt_verify_lib/jwks.h
index b77478b..f7293d4 100644
--- a/jwt_verify_lib/jwks.h
+++ b/jwt_verify_lib/jwks.h
@@ -23,6 +23,10 @@
#include "openssl/evp.h"
#include "openssl/pem.h"
+#ifndef OPENSSL_IS_BORINGSSL
+#include "boringssl_compat/bssl.h"
+#endif
+
namespace google {
namespace jwt_verify {
diff --git a/src/jwks.cc b/src/jwks.cc
index 1aaecc4..4b5d4c2 100644
--- a/src/jwks.cc
+++ b/src/jwks.cc
@@ -30,6 +30,11 @@
#include "openssl/rsa.h"
#include "openssl/sha.h"
+#ifndef OPENSSL_IS_BORINGSSL
+#include "boringssl_compat/cbs.h"
+using namespace Envoy::Extensions::Common::Cbs;
+#endif
+
namespace google {
namespace jwt_verify {
@@ -96,18 +101,25 @@ class KeyGetter : public WithStatus {
bssl::UniquePtr<RSA> createRsaFromJwk(const std::string& n,
const std::string& e) {
bssl::UniquePtr<RSA> rsa(RSA_new());
- rsa->n = createBigNumFromBase64UrlString(n).release();
- rsa->e = createBigNumFromBase64UrlString(e).release();
- if (rsa->n == nullptr || rsa->e == nullptr) {
+ BIGNUM* n_bn;
+ BIGNUM* e_bn;
+ n_bn = createBigNumFromBase64UrlString(n).release();
+ e_bn = createBigNumFromBase64UrlString(e).release();
+ if (n_bn == nullptr || e_bn == nullptr) {
// RSA public key field is missing or has parse error.
updateStatus(Status::JwksRsaParseError);
return nullptr;
}
- if (BN_cmp_word(rsa->e, 3) != 0 && BN_cmp_word(rsa->e, 65537) != 0) {
+ if (BN_cmp_word(e_bn, 3) != 0 && BN_cmp_word(e_bn, 65537) != 0) {
// non-standard key; reject it early.
updateStatus(Status::JwksRsaParseError);
return nullptr;
}
+ if (!RSA_set0_key(rsa.get(), n_bn, e_bn, NULL)) {
+ // can't set RSA key; reject it early.
+ updateStatus(Status::JwksRsaParseError);
+ return nullptr;
+ }
return rsa;
}
@@ -404,7 +416,7 @@ void Jwks::createFromPemCore(const std::string& pkey_pem) {
}
assert(e.getStatus() == Status::Ok);
- switch (EVP_PKEY_type(evp_pkey->type)) {
+ switch (EVP_PKEY_base_id(evp_pkey.get())) {
case EVP_PKEY_RSA:
key_ptr->rsa_.reset(EVP_PKEY_get1_RSA(evp_pkey.get()));
key_ptr->kty_ = "RSA";
diff --git a/src/verify.cc b/src/verify.cc
index e2fdd7a..70bf556 100644
--- a/src/verify.cc
+++ b/src/verify.cc
@@ -22,7 +22,13 @@
#include "openssl/err.h"
#include "openssl/evp.h"
#include "openssl/hmac.h"
+
+#ifdef OPENSSL_IS_BORINGSSL
#include "openssl/mem.h"
+#else
+#include "openssl/crypto.h"
+#endif
+
#include "openssl/rsa.h"
#include "openssl/sha.h"
@@ -95,9 +101,12 @@ bool verifySignatureEC(EC_KEY* key, const EVP_MD* md, const uint8_t* signature,
return false;
}
- if (BN_bin2bn(signature, signature_len / 2, ecdsa_sig->r) == nullptr ||
+ const BIGNUM* r_bn;
+ const BIGNUM* s_bn;
+ ECDSA_SIG_get0(ecdsa_sig.get(), &r_bn, &s_bn);
+ if (BN_bin2bn(signature, signature_len / 2, const_cast<BIGNUM *>(r_bn)) == nullptr ||
BN_bin2bn(signature + (signature_len / 2), signature_len / 2,
- ecdsa_sig->s) == nullptr) {
+ const_cast<BIGNUM *>(s_bn)) == nullptr) {
return false;
}
--
2.20.1