1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
|
local s_gsub = string.gsub;
local crypto = require "util.crypto";
local json = require "util.json";
local hashes = require "util.hashes";
local base64_encode = require "util.encodings".base64.encode;
local base64_decode = require "util.encodings".base64.decode;
local secure_equals = require "util.hashes".equals;
local b64url_rep = { ["+"] = "-", ["/"] = "_", ["="] = "", ["-"] = "+", ["_"] = "/" };
local function b64url(data)
return (s_gsub(base64_encode(data), "[+/=]", b64url_rep));
end
local function unb64url(data)
return base64_decode(s_gsub(data, "[-_]", b64url_rep).."==");
end
local jwt_pattern = "^(([A-Za-z0-9-_]+)%.([A-Za-z0-9-_]+))%.([A-Za-z0-9-_]+)$"
local function decode_jwt(blob, expected_alg)
local signed, bheader, bpayload, signature = string.match(blob, jwt_pattern);
if not signed then
return nil, "invalid-encoding";
end
local header = json.decode(unb64url(bheader));
if not header or type(header) ~= "table" then
return nil, "invalid-header";
elseif header.alg ~= expected_alg then
return nil, "unsupported-algorithm";
end
return signed, signature, bpayload;
end
local function new_static_header(algorithm_name)
return b64url('{"alg":"'..algorithm_name..'","typ":"JWT"}') .. '.';
end
local function decode_raw_payload(raw_payload)
local payload, err = json.decode(unb64url(raw_payload));
if err ~= nil then
return nil, "json-decode-error";
elseif type(payload) ~= "table" then
return nil, "invalid-payload-type";
end
return true, payload;
end
-- HS*** family
local function new_hmac_algorithm(name)
local static_header = new_static_header(name);
local hmac = hashes["hmac_sha"..name:sub(-3)];
local function sign(key, payload)
local encoded_payload = json.encode(payload);
local signed = static_header .. b64url(encoded_payload);
local signature = hmac(key, signed);
return signed .. "." .. b64url(signature);
end
local function verify(key, blob)
local signed, signature, raw_payload = decode_jwt(blob, name);
if not signed then return nil, signature; end -- nil, err
if not secure_equals(b64url(hmac(key, signed)), signature) then
return false, "signature-mismatch";
end
return decode_raw_payload(raw_payload);
end
local function load_key(key)
assert(type(key) == "string", "key must be string (long, random, secure)");
return key;
end
return { sign = sign, verify = verify, load_key = load_key };
end
local function new_crypto_algorithm(name, key_type, c_sign, c_verify, sig_encode, sig_decode)
local static_header = new_static_header(name);
return {
sign = function (private_key, payload)
local encoded_payload = json.encode(payload);
local signed = static_header .. b64url(encoded_payload);
local signature = c_sign(private_key, signed);
if sig_encode then
signature = sig_encode(signature);
end
return signed.."."..b64url(signature);
end;
verify = function (public_key, blob)
local signed, signature, raw_payload = decode_jwt(blob, name);
if not signed then return nil, signature; end -- nil, err
signature = unb64url(signature);
if sig_decode and signature then
signature = sig_decode(signature);
end
if not signature then
return false, "signature-mismatch";
end
local verify_ok = c_verify(public_key, signed, signature);
if not verify_ok then
return false, "signature-mismatch";
end
return decode_raw_payload(raw_payload);
end;
load_public_key = function (public_key_pem)
local key = assert(crypto.import_public_pem(public_key_pem));
assert(key:get_type() == key_type, "incorrect key type");
return key;
end;
load_private_key = function (private_key_pem)
local key = assert(crypto.import_private_pem(private_key_pem));
assert(key:get_type() == key_type, "incorrect key type");
return key;
end;
};
end
-- RS***, PS***
local rsa_sign_algos = { RS = "rsassa_pkcs1", PS = "rsassa_pss" };
local function new_rsa_algorithm(name)
local family, digest_bits = name:match("^(..)(...)$");
local c_sign = crypto[rsa_sign_algos[family].."_sha"..digest_bits.."_sign"];
local c_verify = crypto[rsa_sign_algos[family].."_sha"..digest_bits.."_verify"];
return new_crypto_algorithm(name, "rsaEncryption", c_sign, c_verify);
end
-- ES***
local function new_ecdsa_algorithm(name, c_sign, c_verify)
local function encode_ecdsa_sig(der_sig)
local r, s = crypto.parse_ecdsa_signature(der_sig);
return r..s;
end
local function decode_ecdsa_sig(jwk_sig)
return crypto.build_ecdsa_signature(jwk_sig:sub(1, 32), jwk_sig:sub(33, 64));
end
return new_crypto_algorithm(name, "id-ecPublicKey", c_sign, c_verify, encode_ecdsa_sig, decode_ecdsa_sig);
end
local algorithms = {
HS256 = new_hmac_algorithm("HS256"), HS384 = new_hmac_algorithm("HS384"), HS512 = new_hmac_algorithm("HS512");
ES256 = new_ecdsa_algorithm("ES256", crypto.ecdsa_sha256_sign, crypto.ecdsa_sha256_verify);
RS256 = new_rsa_algorithm("RS256"), RS384 = new_rsa_algorithm("RS384"), RS512 = new_rsa_algorithm("RS512");
PS256 = new_rsa_algorithm("PS256"), PS384 = new_rsa_algorithm("PS384"), PS512 = new_rsa_algorithm("PS512");
};
local function new_signer(algorithm, key_input, options)
local impl = assert(algorithms[algorithm], "Unknown JWT algorithm: "..algorithm);
local key = (impl.load_private_key or impl.load_key)(key_input);
local sign = impl.sign;
local default_ttl = (options and options.default_ttl) or 3600;
return function (payload)
local issued_at;
if not payload.iat then
issued_at = os.time();
payload.iat = issued_at;
end
if not payload.exp then
payload.exp = (issued_at or os.time()) + default_ttl;
end
return sign(key, payload);
end
end
local function new_verifier(algorithm, key_input, options)
local impl = assert(algorithms[algorithm], "Unknown JWT algorithm: "..algorithm);
local key = (impl.load_public_key or impl.load_key)(key_input);
local verify = impl.verify;
local check_expiry = not (options and options.accept_expired);
local claim_verifier = options and options.claim_verifier;
return function (token)
local ok, payload = verify(key, token);
if ok then
local expires_at = check_expiry and payload.exp;
if expires_at then
if type(expires_at) ~= "number" then
return nil, "invalid-expiry";
elseif expires_at < os.time() then
return nil, "token-expired";
end
end
if claim_verifier and not claim_verifier(payload) then
return nil, "incorrect-claims";
end
end
return ok, payload;
end
end
local function init(algorithm, private_key, public_key, options)
return new_signer(algorithm, private_key, options), new_verifier(algorithm, public_key or private_key, options);
end
return {
init = init;
new_signer = new_signer;
new_verifier = new_verifier;
-- Exported mainly for tests
_algorithms = algorithms;
-- Deprecated
sign = algorithms.HS256.sign;
verify = algorithms.HS256.verify;
};
|