
util/jwt.lua @ 12706:108b1758bd8d

util.jwt: Consolidate payload parsing, ensure it's always a valid object
author Matthew Wild <mwild1@gmail.com>
date Mon, 11 Jul 2022 13:42:08 +0100
parent 12705:008a7097fdc5
child 12707:f75235110045
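--- a/util/jwt.lua
+++ b/util/jwt.lua
@@ -31,10 +31,20 @@
 
 local function new_static_header(algorithm_name)
 return b64url('{"alg":"'..algorithm_name..'","typ":"JWT"}') .. '.';
 end
 
+local function decode_raw_payload(raw_payload)
+local payload, err = json.decode(unb64url(raw_payload));
+if err ~= nil then
+return nil, "json-decode-error";
+elseif type(payload) ~= "table" then
+return nil, "invalid-payload-type";
+end
+return true, payload;
+end
+
 -- HS*** family
 local function new_hmac_algorithm(name)
 local static_header = new_static_header(name);
 
 local hmac = hashes["hmac_sha"..name:sub(-3)];
@@ -51,15 +61,12 @@
 if not signed then return nil, signature; end -- nil, err
 
 if not secure_equals(b64url(hmac(key, signed)), signature) then
 return false, "signature-mismatch";
 end
-local payload, err = json.decode(unb64url(raw_payload));
-if err ~= nil then
-return nil, "json-decode-error";
-end
-return true, payload;
+
+return decode_raw_payload(raw_payload);
 end
 
 local function load_key(key)
 assert(type(key) == "string", "key must be string (long, random, secure)");
 return key;
@@ -99,16 +106,11 @@
 local verify_ok = c_verify(public_key, signed, signature);
 if not verify_ok then
 return false, "signature-mismatch";
 end
 
-local payload, err = json.decode(unb64url(raw_payload));
-if err ~= nil then
-return nil, "json-decode-error";
-end
-
-return true, payload;
+return decode_raw_payload(raw_payload);
 end;
 
 load_public_key = function (public_key_pem)
 local key = assert(crypto.import_public_pem(public_key_pem));
 assert(key:get_type() == key_type, "incorrect key type");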
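Review bot: decode_raw_payload (first hunk) accepts any decoded table, so a payload that is a JSON array passes the `type(payload) ~= "table"` guard even though the commit title promises a valid object; a claim looked up by name on such a table is simply nil, which a caller may mistake for "claim absent" rather than "payload malformed". If util.json marks decoded arrays distinctly from objects (not visible on this page), rejecting them is a one-line extension of that `elseif`; otherwise the contract should be stated above the function, e.g. `-- Returns true, payload for any decoded JSON table (object or array), else nil, err; callers must validate the claims they read`. The HS and public-key verify paths in the later hunks only delegate here, so the same point covers them; new_hmac_algorithm and the verify closure in the third hunk both begin outside their hunks.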