util/jwt.lua @ 12706:108b1758bd8d
util.jwt: Consolidate payload parsing, ensure it's always a valid object
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Mon, 11 Jul 2022 13:42:08 +0100 |
parent | 12705:008a7097fdc5 |
child | 12707:f75235110045 |
12705:008a7097fdc5 | 12706:108b1758bd8d |
---|---|
31 | 31 |
32 local function new_static_header(algorithm_name) | 32 local function new_static_header(algorithm_name) |
33 return b64url('{"alg":"'..algorithm_name..'","typ":"JWT"}') .. '.'; | 33 return b64url('{"alg":"'..algorithm_name..'","typ":"JWT"}') .. '.'; |
34 end | 34 end |
35 | 35 |
36 local function decode_raw_payload(raw_payload) | |
37 local payload, err = json.decode(unb64url(raw_payload)); | |
38 if err ~= nil then | |
39 return nil, "json-decode-error"; | |
40 elseif type(payload) ~= "table" then | |
41 return nil, "invalid-payload-type"; | |
42 end | |
43 return true, payload; | |
44 end | |
45 | |
36 -- HS*** family | 46 -- HS*** family |
37 local function new_hmac_algorithm(name) | 47 local function new_hmac_algorithm(name) |
38 local static_header = new_static_header(name); | 48 local static_header = new_static_header(name); |
39 | 49 |
40 local hmac = hashes["hmac_sha"..name:sub(-3)]; | 50 local hmac = hashes["hmac_sha"..name:sub(-3)]; |
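Review bot: The new decode_raw_payload (new-side lines 36-44) still lets a JSON array through as a "valid object", because an array decodes to a Lua table and so passes `type(payload) ~= "table"`; a JWT claims set must be a JSON object, and a caller that later reads `payload.exp` or `payload.sub` from an array payload would silently get nil instead of the "invalid-payload-type" error this hunk introduces. If util.json marks decoded arrays (e.g. with a distinguishable metatable), reject them here as well, e.g. `elseif type(payload) ~= "table" or getmetatable(payload) == json.array_mt then` (name of the array marker to be confirmed against util.json). Separately, if unb64url returns nil on malformed base64url input, `json.decode(nil)` would raise rather than return the `nil, "json-decode-error"` tuple, so guarding the decode with `local raw = unb64url(raw_payload); if not raw then return nil, "json-decode-error"; end` would keep the helper total over attacker-controlled tokens; whether unb64url can return nil is not visible in this hunk. A one-line LDoc comment on the helper stating that it must only be called after the signature has been verified would also help the two callers in the later hunks stay in that order.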
51 if not signed then return nil, signature; end -- nil, err | 61 if not signed then return nil, signature; end -- nil, err |
52 | 62 |
53 if not secure_equals(b64url(hmac(key, signed)), signature) then | 63 if not secure_equals(b64url(hmac(key, signed)), signature) then |
54 return false, "signature-mismatch"; | 64 return false, "signature-mismatch"; |
55 end | 65 end |
56 local payload, err = json.decode(unb64url(raw_payload)); | 66 |
57 if err ~= nil then | 67 return decode_raw_payload(raw_payload); |
58 return nil, "json-decode-error"; | |
59 end | |
60 return true, payload; | |
61 end | 68 end |
62 | 69 |
63 local function load_key(key) | 70 local function load_key(key) |
64 assert(type(key) == "string", "key must be string (long, random, secure)"); | 71 assert(type(key) == "string", "key must be string (long, random, secure)"); |
65 return key; | 72 return key; |
99 local verify_ok = c_verify(public_key, signed, signature); | 106 local verify_ok = c_verify(public_key, signed, signature); |
100 if not verify_ok then | 107 if not verify_ok then |
101 return false, "signature-mismatch"; | 108 return false, "signature-mismatch"; |
102 end | 109 end |
103 | 110 |
104 local payload, err = json.decode(unb64url(raw_payload)); | 111 return decode_raw_payload(raw_payload); |
105 if err ~= nil then | |
106 return nil, "json-decode-error"; | |
107 end | |
108 | |
109 return true, payload; | |
110 end; | 112 end; |
111 | 113 |
112 load_public_key = function (public_key_pem) | 114 load_public_key = function (public_key_pem) |
113 local key = assert(crypto.import_public_pem(public_key_pem)); | 115 local key = assert(crypto.import_public_pem(public_key_pem)); |
114 assert(key:get_type() == key_type, "incorrect key type"); | 116 assert(key:get_type() == key_type, "incorrect key type"); |