From b0e4badb4158934c8ec102dccc26adf3b478e6e5 Mon Sep 17 00:00:00 2001
From: Venil Noronha <veniln@vmware.com>
Date: Fri, 1 Nov 2019 10:10:10 -0700
Subject: [PATCH] make compatible with openssl
Signed-off-by: Venil Noronha <veniln@vmware.com>
---
BUILD | 4 +++-
jwt_verify_lib/jwks.h | 4 ++++
src/jwks.cc | 20 ++++++++++++++++----
src/verify.cc | 13 +++++++++++--
4 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/BUILD b/BUILD
index 60331dc..bd55255 100644
--- a/BUILD
+++ b/BUILD
@@ -27,6 +27,8 @@ cc_library(
"//external:abseil_time",
"//external:protobuf",
"//external:ssl",
+ "@envoy_openssl//boringssl_compat:bssl_compat_cbs_lib",
+ "@envoy_openssl//boringssl_compat:bssl_compat_lib",
],
)
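Review bot: The two `bssl_compat` deps are added unconditionally here, while every include they back in jwks.h, jwks.cc and verify.cc is guarded by `OPENSSL_IS_BORINGSSL`, so a BoringSSL build links compat libraries it never includes. If the workspace has a config setting for the SSL provider, wrapping the two new lines in a `select()` would keep the dependency list in step with the preprocessor guards; I cannot see the rest of BUILD, so whether such a setting exists is a guess.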
diff --git a/jwt_verify_lib/jwks.h b/jwt_verify_lib/jwks.h
index 24a18b7..80676da 100644
--- a/jwt_verify_lib/jwks.h
+++ b/jwt_verify_lib/jwks.h
@@ -22,6 +22,10 @@
#include "openssl/ec.h"
#include "openssl/evp.h"
+#ifndef OPENSSL_IS_BORINGSSL
+#include "boringssl_compat/bssl.h"
+#endif
+
namespace google {
namespace jwt_verify {
diff --git a/src/jwks.cc b/src/jwks.cc
index 97b1ae8..9723c82 100644
--- a/src/jwks.cc
+++ b/src/jwks.cc
@@ -27,6 +27,11 @@
#include "openssl/rsa.h"
#include "openssl/sha.h"
+#ifndef OPENSSL_IS_BORINGSSL
+#include "boringssl_compat/cbs.h"
+using namespace Envoy::Extensions::Common::Cbs;
+#endif
+
namespace google {
namespace jwt_verify {
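Review bot: The new `using namespace Envoy::Extensions::Common::Cbs;` is a file-scope using-directive, which pulls every name of that namespace into the translation unit rather than only the CBS names this file actually calls. In a .cc file this is not header pollution, but it still makes name lookup depend on what the compat header happens to declare; a using-declaration per name used, or an alias such as `namespace cbs = Envoy::Extensions::Common::Cbs;` with qualified calls, keeps the import explicit. The CBS call sites are outside this hunk, so I cannot list the names that would need declarations.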
@@ -118,18 +123,25 @@ class EvpPkeyGetter : public WithStatus {
bssl::UniquePtr<RSA> createRsaFromJwk(const std::string& n,
const std::string& e) {
bssl::UniquePtr<RSA> rsa(RSA_new());
- rsa->n = createBigNumFromBase64UrlString(n).release();
- rsa->e = createBigNumFromBase64UrlString(e).release();
- if (rsa->n == nullptr || rsa->e == nullptr) {
+ BIGNUM* n_bn;
+ BIGNUM* e_bn;
+ n_bn = createBigNumFromBase64UrlString(n).release();
+ e_bn = createBigNumFromBase64UrlString(e).release();
+ if (n_bn == nullptr || e_bn == nullptr) {
// RSA public key field is missing or has parse error.
updateStatus(Status::JwksRsaParseError);
return nullptr;
}
- if (BN_cmp_word(rsa->e, 3) != 0 && BN_cmp_word(rsa->e, 65537) != 0) {
+ if (BN_cmp_word(e_bn, 3) != 0 && BN_cmp_word(e_bn, 65537) != 0) {
// non-standard key; reject it early.
updateStatus(Status::JwksRsaParseError);
return nullptr;
}
+ if (!RSA_set0_key(rsa.get(), n_bn, e_bn, NULL)) {
+ // can't set RSA key; reject it early.
+ updateStatus(Status::JwksRsaParseError);
+ return nullptr;
+ }
return rsa;
}
};
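Review bot: All three early returns after the two `release()` calls now leak the decoded BIGNUMs: `n_bn`/`e_bn` are raw pointers that nothing frees on the missing-or-unparsable return (one of the two may already be allocated), on the non-standard-exponent return, or on the `RSA_set0_key` failure return, whereas the old code stored them in the RSA object and `RSA_free` released them. A JWKS is usually fetched from a remote endpoint, so a key set with bad `n`/`e` values turns into a steady leak in a long-running verifier. Keep the owning pointers returned by createBigNumFromBase64UrlString (it is defined outside the hunk; I am assuming it returns `bssl::UniquePtr<BIGNUM>`, which the `.release()` calls suggest) until `RSA_set0_key` has succeeded, since it takes ownership only on success, and only then release them; the `NULL` passed for the private exponent can be `nullptr`. The rewrite of the function body is below.
```cpp
  bssl::UniquePtr<RSA> createRsaFromJwk(const std::string& n,
                                        const std::string& e) {
    bssl::UniquePtr<RSA> rsa(RSA_new());
    // Keep ownership until RSA_set0_key has accepted the values; every early
    // return below then frees them through the smart pointers.
    bssl::UniquePtr<BIGNUM> n_bn = createBigNumFromBase64UrlString(n);
    bssl::UniquePtr<BIGNUM> e_bn = createBigNumFromBase64UrlString(e);
    if (n_bn == nullptr || e_bn == nullptr) {
      // … unchanged: JwksRsaParseError on missing or unparsable field …
    }
    if (BN_cmp_word(e_bn.get(), 3) != 0 && BN_cmp_word(e_bn.get(), 65537) != 0) {
      // … unchanged: reject non-standard exponent …
    }
    if (!RSA_set0_key(rsa.get(), n_bn.get(), e_bn.get(), nullptr)) {
      // … unchanged: JwksRsaParseError when the key cannot be set …
    }
    // RSA_set0_key succeeded, so the RSA object now owns both values.
    n_bn.release();
    e_bn.release();
    return rsa;
  }
```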
diff --git a/src/verify.cc b/src/verify.cc
index 4d26c25..10fb175 100644
--- a/src/verify.cc
+++ b/src/verify.cc
@@ -22,7 +22,13 @@
#include "openssl/err.h"
#include "openssl/evp.h"
#include "openssl/hmac.h"
+
+#ifdef OPENSSL_IS_BORINGSSL
#include "openssl/mem.h"
+#else
+#include "openssl/crypto.h"
+#endif
+
#include "openssl/rsa.h"
#include "openssl/sha.h"
@@ -91,9 +97,12 @@ bool verifySignatureEC(EC_KEY* key, const EVP_MD* md, const uint8_t* signature,
return false;
}
- if (BN_bin2bn(signature, signature_len / 2, ecdsa_sig->r) == nullptr ||
+ const BIGNUM* r_bn;
+ const BIGNUM* s_bn;
+ ECDSA_SIG_get0(ecdsa_sig.get(), &r_bn, &s_bn);
+ if (BN_bin2bn(signature, signature_len / 2, const_cast<BIGNUM *>(r_bn)) == nullptr ||
BN_bin2bn(signature + (signature_len / 2), signature_len / 2,
- ecdsa_sig->s) == nullptr) {
+ const_cast<BIGNUM *>(s_bn)) == nullptr) {
return false;
}
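Review bot: The two `const_cast<BIGNUM *>` on the new lines write through the `const BIGNUM*` values that `ECDSA_SIG_get0` hands out, which defeats the const the API places on them and depends on the getter returning the live internal values rather than copies, an implementation detail the accessor does not promise. The supported way to fill a signature is to decode `r` and `s` into fresh BIGNUMs with `BN_bin2bn(..., nullptr)` and hand them over with `ECDSA_SIG_set0`, which takes ownership on success and is provided by both BoringSSL and OpenSSL 1.1; whether the compat layer exposes it I cannot confirm from here. `ecdsa_sig.get()` suggests `ecdsa_sig` is a `bssl::UniquePtr<ECDSA_SIG>`, which the rewrite below assumes. verifySignatureEC starts before this hunk and continues past it, so the allocation of `ecdsa_sig` and the later verification call are not visible.
```cpp
  // Decode r and s into fresh BIGNUMs and transfer them with the setter; the
  // smart pointers free them if anything below fails.
  bssl::UniquePtr<BIGNUM> r_bn(BN_bin2bn(signature, signature_len / 2, nullptr));
  bssl::UniquePtr<BIGNUM> s_bn(BN_bin2bn(signature + (signature_len / 2),
                                         signature_len / 2, nullptr));
  if (r_bn == nullptr || s_bn == nullptr) {
    return false;
  }
  if (!ECDSA_SIG_set0(ecdsa_sig.get(), r_bn.get(), s_bn.get())) {
    return false;
  }
  // ecdsa_sig now owns r and s.
  r_bn.release();
  s_bn.release();
  // … unchanged: verification of the decoded signature …
```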
--
2.14.3 (Apple Git-98)