XRootD
XrdSecztn.cc
Go to the documentation of this file.
1 // Copyright (c) 2015 Erwin Jansen
2 //
3 // MIT License
4 //
5 // Permission is hereby granted, free of charge, to any person obtaining
6 // a copy of this software and associated documentation files (the
7 // "Software"), to deal in the Software without restriction, including
8 // without limitation the rights to use, copy, modify, merge, publish,
9 // distribute, sublicense, and/or sell copies of the Software, and to
10 // permit persons to whom the Software is furnished to do so, subject to
11 // the following conditions:
12 //
13 // The above copyright notice and this permission notice shall be
14 // included in all copies or substantial portions of the Software.
15 //
16 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
17 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
18 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
19 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
20 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
21 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
22 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
23 
24 // Note: the code in the anonymous namespace came from Erwin Jansen but was
25 // heavily edited to solve this particular problem. For more info see:
26 // https://github.com/pokowaka/jwt-cpp
27 
28 #include <cstdint>
29 #include <cstdlib>
30 #include <cstring>
31 
32 #ifndef __FreeBSD__
33 #include <alloca.h>
34 #endif
35 
36 #define WHITESPACE 64
37 #define EQUALS 65
38 #define INVALID 66
39 
40 /******************************************************************************/
41 /* L o c a l F u n c t i o n s */
42 /******************************************************************************/
43 
44 namespace
45 {
46  const char b64Table[] = {
47  66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
48  66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
49  66, 66, 66, 66, 66, 66, 66, 62, 66, 62, 66, 63, 52, 53, 54, 55, 56, 57,
50  58, 59, 60, 61, 66, 66, 66, 66, 66, 66, 66, 0, 1, 2, 3, 4, 5, 6,
51  7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24,
52  25, 66, 66, 66, 66, 63, 66, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36,
53  37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 66, 66, 66,
54  66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
55  66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
56  66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
57  66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
58  66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
59  66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
60  66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
61  66, 66, 66, 66};
62 
63 /******************************************************************************/
64 /* D e c o d e B y t e s N e e d e d */
65 /******************************************************************************/
66 
73  size_t DecodeBytesNeeded(size_t num_decode) {
74  return 3 + (num_decode / 4) * 3;
75  }
76 
77 /******************************************************************************/
78 /* D e c o d e U r l */
79 /******************************************************************************/
80 
81 int DecodeUrl(const char *decode, size_t num_decode, char *out, size_t &num_out)
82 {
83  // No integer overflows please.
84  if ((decode + num_decode) < decode || (out + num_out) < out)
85  return 1;
86 
87  if (num_out < DecodeBytesNeeded(num_decode))
88  return 1;
89 
90  const char *end = decode + num_decode;
91  const char *out_start = out;
92  char iter = 0;
93  uint32_t buf = 0;
94  uint8_t ch;
95  char c;
96 
97  while (decode < end) {
98  ch = *decode++;
99  c = b64Table[ch];
100 
101  switch (c) {
102  case INVALID:
103  return 1; // invalid input, return error
104  default:
105  buf = buf << 6 | c;
106  iter++; // increment the number of iteration
107  // If the buffer is full, split it into bytes
108  if (iter == 4) {
109  *(out++) = (buf >> 16) & 0xff;
110  *(out++) = (buf >> 8) & 0xff;
111  *(out++) = buf & 0xff;
112  buf = 0;
113  iter = 0;
114  }
115  }
116  }
117 
118  if (iter == 3) {
119  *(out++) = (buf >> 10) & 0xff;
120  *(out++) = (buf >> 2) & 0xff;
121  } else {
122  if (iter == 2) {
123  *(out++) = (buf >> 4) & 0xff;
124  }
125  }
126 
127  num_out = (out - out_start); // modify to reflect the actual output size
128  return 0;
129 }
130 }
131 
132 /******************************************************************************/
133 /* X r d S e c z t n : : i s J W T */
134 /******************************************************************************/
135 
136 namespace XrdSecztn
137 {
138 bool isJWT(const char *b64data)
139 {
140  size_t inBytes, outBytes;
141  const char *dot;
142  char *key, *outData, inData[1024];
143 
144 // Skip over the header should it exist (sommetime it does sometimes not)
145 //
146  if (!strncmp(b64data, "Bearer%20", 9)) b64data += 9;
147 
148 // We are only interested in the header which must appear first and be
149 // separated by a dot from subsequent tokens. If it does not have the
150 // dot then we assume it's not returnable. Otherwise truncate it at the dot.
151 //
152  if (!(dot = index(b64data, '.'))) return false;
153 
154 // Copy out the token segment we wish to check. The JWT header can never be
155 // more than 1K long and that's being way generous.
156 //
157  inBytes = dot - b64data;
158  if (inBytes >= (int)sizeof(inData)) return false;
159  memcpy(inData, b64data, inBytes);
160  inData[inBytes] = 0;
161 
162 // Allocate a buffer large enough to hold the result. Get it from the stack.
163 //
164  outBytes = DecodeBytesNeeded(inBytes);
165  outData = (char *)alloca(outBytes);
166 
167 // If we can't decode what we have then indicate this is not returnable
168 //
169  if (DecodeUrl(inData, inBytes, outData, outBytes)) return false;
170 
171 // The json object must start/end with a brace and must contain the key:value
172 // of '"typ":"JWT"', other elements may change but not this one.
173 //
174  if (outBytes <= 0 || *outData != '{' || outData[outBytes-1] != '}')
175  return false;
176 
177 // Search for the key
178 //
179  if (!(key = strstr(outData, "\"typ\""))) return false;
180 
181 // Subsequently there should be a colon or spaces but nothing more
182 //
183  key += 5;
184  while(*key == ' ') key++;
185  if (*key != ':') return false;
186 
187 // There may be more spaces but anything else must be the expected value
188 //
189  key++;
190  while(*key == ' ') key++;
191  return strncmp(key, "\"JWT\"", 5) == 0;
192 }
193 }
#define INVALID
Definition: XrdSecztn.cc:38
bool isJWT(const char *)
Definition: XrdSecztn.cc:138