XRootD
Loading...
Searching...
No Matches
XrdSecztn.cc
Go to the documentation of this file.
1// Copyright (c) 2015 Erwin Jansen
2//
3// MIT License
4//
5// Permission is hereby granted, free of charge, to any person obtaining
6// a copy of this software and associated documentation files (the
7// "Software"), to deal in the Software without restriction, including
8// without limitation the rights to use, copy, modify, merge, publish,
9// distribute, sublicense, and/or sell copies of the Software, and to
10// permit persons to whom the Software is furnished to do so, subject to
11// the following conditions:
12//
13// The above copyright notice and this permission notice shall be
14// included in all copies or substantial portions of the Software.
15//
16// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
17// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
18// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
19// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
20// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
21// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
22// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
23
24// Note: the code in the anonymous namespace came from Erwin Jansen but was
25// heavily edited to solve this particular problem. For more info see:
26// https://github.com/pokowaka/jwt-cpp
27
28#include <cstdint>
29#include <cstdlib>
30#include <cstring>
31
32#ifndef __FreeBSD__
33#include <alloca.h>
34#endif
35
36#define WHITESPACE 64
37#define EQUALS 65
38#define INVALID 66
39
40/******************************************************************************/
41/* L o c a l F u n c t i o n s */
42/******************************************************************************/
43
44namespace
45{
46 const char b64Table[] = {
47 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
48 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
49 66, 66, 66, 66, 66, 66, 66, 62, 66, 62, 66, 63, 52, 53, 54, 55, 56, 57,
50 58, 59, 60, 61, 66, 66, 66, 66, 66, 66, 66, 0, 1, 2, 3, 4, 5, 6,
51 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24,
52 25, 66, 66, 66, 66, 63, 66, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36,
53 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 66, 66, 66,
54 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
55 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
56 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
57 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
58 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
59 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
60 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
61 66, 66, 66, 66};
62
63/******************************************************************************/
64/* D e c o d e B y t e s N e e d e d */
65/******************************************************************************/
66
73 size_t DecodeBytesNeeded(size_t num_decode) {
74 return 3 + (num_decode / 4) * 3;
75 }
76
77/******************************************************************************/
78/* D e c o d e U r l */
79/******************************************************************************/
80
81int DecodeUrl(const char *decode, size_t num_decode, char *out, size_t &num_out)
82{
83 // No integer overflows please.
84 if ((decode + num_decode) < decode || (out + num_out) < out)
85 return 1;
86
87 if (num_out < DecodeBytesNeeded(num_decode))
88 return 1;
89
90 const char *end = decode + num_decode;
91 const char *out_start = out;
92 char iter = 0;
93 uint32_t buf = 0;
94 uint8_t ch;
95 char c;
96
97 while (decode < end) {
98 ch = *decode++;
99 c = b64Table[ch];
100
101 switch (c) {
102 case INVALID:
103 return 1; // invalid input, return error
104 default:
105 buf = buf << 6 | c;
106 iter++; // increment the number of iteration
107 // If the buffer is full, split it into bytes
108 if (iter == 4) {
109 *(out++) = (buf >> 16) & 0xff;
110 *(out++) = (buf >> 8) & 0xff;
111 *(out++) = buf & 0xff;
112 buf = 0;
113 iter = 0;
114 }
115 }
116 }
117
118 if (iter == 3) {
119 *(out++) = (buf >> 10) & 0xff;
120 *(out++) = (buf >> 2) & 0xff;
121 } else {
122 if (iter == 2) {
123 *(out++) = (buf >> 4) & 0xff;
124 }
125 }
126
127 num_out = (out - out_start); // modify to reflect the actual output size
128 return 0;
129}
130}
131
132/******************************************************************************/
133/* X r d S e c z t n : : i s J W T */
134/******************************************************************************/
135
136namespace XrdSecztn
137{
138bool isJWT(const char *b64data)
139{
140 size_t inBytes, outBytes;
141 const char *dot;
142 char *key, *outData, inData[1024];
143
144// Skip over the header should it exist (sommetime it does sometimes not)
145//
146 if (!strncmp(b64data, "Bearer%20", 9)) b64data += 9;
147
148// We are only interested in the header which must appear first and be
149// separated by a dot from subsequent tokens. If it does not have the
150// dot then we assume it's not returnable. Otherwise truncate it at the dot.
151//
152 if (!(dot = index(b64data, '.'))) return false;
153
154// Copy out the token segment we wish to check. The JWT header can never be
155// more than 1K long and that's being way generous.
156//
157 inBytes = dot - b64data;
158 if (inBytes >= (int)sizeof(inData)) return false;
159 memcpy(inData, b64data, inBytes);
160 inData[inBytes] = 0;
161
162// Allocate a buffer large enough to hold the result. Get it from the stack.
163//
164 outBytes = DecodeBytesNeeded(inBytes);
165 outData = (char *)alloca(outBytes);
166
167// If we can't decode what we have then indicate this is not returnable
168//
169 if (DecodeUrl(inData, inBytes, outData, outBytes)) return false;
170
171// The json object must start/end with a brace and must contain the key:value
172// of '"typ":"JWT"', other elements may change but not this one.
173//
174 if (outBytes <= 0 || *outData != '{' || outData[outBytes-1] != '}')
175 return false;
176
177// Search for the key
178//
179 if (!(key = strstr(outData, "\"typ\""))) return false;
180
181// Subsequently there should be a colon or spaces but nothing more
182//
183 key += 5;
184 while(*key == ' ') key++;
185 if (*key != ':') return false;
186
187// There may be more spaces but anything else must be the expected value
188//
189 key++;
190 while(*key == ' ') key++;
191 return strncmp(key, "\"JWT\"", 5) == 0;
192}
193}
#define INVALID
Definition XrdSecztn.cc:38
bool isJWT(const char *)
Definition XrdSecztn.cc:138