Update: Support unsecured JWS (IMPORT ONLY)

cisco · Jul 28, 2016 · 8512cf3 · 8512cf3
2 parents 5f40fef + 83afaf2
commit 8512cf3
Show file tree

Hide file tree

Showing 4 changed files with 90 additions and 3 deletions.
diff --git a/include/cjose/header.h b/include/cjose/header.h
@@ -37,6 +37,9 @@ extern const char *CJOSE_HDR_CTY;
 /** The Jose "kid" header attribute. */
 extern const char *CJOSE_HDR_KID;
 
+/** The JWA algorithm attribute value for none. */
+extern const char *CJOSE_HDR_ALG_NONE;
+
 /** The JWE algorithm attribute value for RSA-OAEP. */
 extern const char *CJOSE_HDR_ALG_RSA_OAEP;
 

diff --git a/src/header.c b/src/header.c
@@ -13,6 +13,7 @@
 
 
 const char *CJOSE_HDR_ALG = "alg";
+const char *CJOSE_HDR_ALG_NONE = "none";
 const char *CJOSE_HDR_ALG_RSA_OAEP = "RSA-OAEP";
 const char *CJOSE_HDR_ALG_RSA1_5 = "RSA1_5";
 const char *CJOSE_HDR_ALG_A128KW = "A128KW";

diff --git a/src/jws.c b/src/jws.c
@@ -859,9 +859,20 @@ cjose_jws_t *cjose_jws_import(
     // validate the JSON header segment
     if (!_cjose_jws_validate_hdr(jws, err))
     {
-        CJOSE_ERROR(err, CJOSE_ERR_INVALID_ARG);
-        cjose_jws_release(jws);
-        return NULL;        
+        // make an exception for alg=none so that it will import/parse but not sign/verify
+        json_t *alg_obj = json_object_get(jws->hdr, CJOSE_HDR_ALG);
+        if (NULL == alg_obj)
+        {
+            CJOSE_ERROR(err, CJOSE_ERR_INVALID_ARG);
+            return NULL;
+        }
+        const char *alg = json_string_value(alg_obj);
+        if ((!alg) || (strcmp(alg, CJOSE_HDR_ALG_NONE) != 0))
+        {
+            CJOSE_ERROR(err, CJOSE_ERR_INVALID_ARG);
+            cjose_jws_release(jws);
+            return NULL;
+        }
     }
 
     // copy and b64u decode data segment

diff --git a/test/check_jws.c b/test/check_jws.c
@@ -865,6 +865,77 @@ START_TEST(test_cjose_jws_verify_ec256)
 }
 END_TEST
 
+START_TEST(test_cjose_jws_none)
+{
+    cjose_err err;
+
+    // https://tools.ietf.org/html/rfc7519#section-6.1
+    // Unsecured JWT (alg=none)
+    static const char *JWS =
+            "eyJhbGciOiJub25lIn0"
+            ".eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
+            ".";
+
+    cjose_jws_t *jws = cjose_jws_import(JWS, strlen(JWS), &err);
+    ck_assert_msg(NULL != jws, "cjose_jws_import failed: "
+            "%s, file: %s, function: %s, line: %ld",
+            err.message, err.file, err.function, err.line);
+
+    static const char *JWK =
+            "{ \"kty\": \"EC\","
+            "\"kid\": \"h4h93\","
+            "\"use\": \"sig\","
+            "\"x\": \"qcZ8jiBDygzf1XMWNN3jS7qT3DDslHOYvaa6XHMxShw\","
+            "\"y\": \"vMcP1OkZsSNaFN6MHrdApLdtLPWo8RnNflgP3DAbcfY\","
+            "\"crv\": \"P-256\" }";
+
+    // import the key
+    cjose_jwk_t *jwk = cjose_jwk_import(JWK, strlen(JWK), &err);
+    ck_assert_msg(NULL != jwk, "cjose_jwk_import failed: "
+            "%s, file: %s, function: %s, line: %ld",
+            err.message, err.file, err.function, err.line);
+
+    // get the plaintext
+    uint8_t *plain = NULL;
+    size_t plain_len = 0;
+    ck_assert_msg(
+            cjose_jws_get_plaintext(jws, &plain, &plain_len, &err),
+            "cjose_jws_get_plaintext failed: "
+            "%s, file: %s, function: %s, line: %ld",
+            err.message, err.file, err.function, err.line);
+
+    static const char *PLAINTEXT =
+            "{\"iss\":\"joe\",\r\n"
+             " \"exp\":1300819380,\r\n"
+             " \"http://example.com/is_root\":true}";
+
+    // confirm plain == PLAINTEXT
+    ck_assert_msg(
+            plain_len == strlen(PLAINTEXT),
+            "length of verified plaintext does not match length of original, "
+            "expected: %lu, found: %lu", strlen(PLAINTEXT), plain_len);
+    ck_assert_msg(
+            strncmp(PLAINTEXT, plain, plain_len) == 0,
+            "verified plaintext does not match signed plaintext: %s", plain);
+
+    // try to verify the unsecured JWS
+    ck_assert_msg(!cjose_jws_verify(jws, jwk, &err),
+            "cjose_jws_verify succeeded for unsecured JWT");
+
+
+    jws = cjose_jws_import(JWS, strlen(JWS), &err);
+    ck_assert_msg(NULL != jws, "cjose_jws_import failed: "
+            "%s, file: %s, function: %s, line: %ld",
+            err.message, err.file, err.function, err.line);
+
+    // try to sign the unsecured JWS
+    ck_assert_msg(!cjose_jws_sign(jwk, jws->hdr, PLAINTEXT, strlen(PLAINTEXT), &err),
+            "cjose_jws_sign succeeded for unsecured JWT");
+
+    cjose_jwk_release(jwk);
+}
+END_TEST
+
 Suite *cjose_jws_suite()
 {
     Suite *suite = suite_create("jws");
@@ -887,6 +958,7 @@ Suite *cjose_jws_suite()
     tcase_add_test(tc_jws, test_cjose_jws_import_get_plain_before_verify);
     tcase_add_test(tc_jws, test_cjose_jws_import_get_plain_after_verify);
     tcase_add_test(tc_jws, test_cjose_jws_verify_bad_params);
+    tcase_add_test(tc_jws, test_cjose_jws_none);
     suite_add_tcase(suite, tc_jws);
 
     return suite;