apache · ezelkow1 · Mar 6, 2019 · Feb 15, 2019
diff --git a/plugins/experimental/uri_signing/config.c b/plugins/experimental/uri_signing/config.c
@@ -45,6 +45,7 @@ struct config {
   char **issuer_names;
   struct signer signer;
   struct auth_directive *auth_directives;
+  char *id;
 };
 
 cjose_jwk_t **
@@ -80,6 +81,12 @@ find_key_by_kid(struct config *cfg, const char *issuer, const char *kid)
   return NULL;
 }
 
+const char *
+config_get_id(struct config *cfg)
+{
+  return cfg->id;
+}
+
 struct config *
 config_new(size_t n)
 {
@@ -105,6 +112,7 @@ config_new(size_t n)
   cfg->signer.alg    = NULL;
 
   cfg->auth_directives = NULL;
+  cfg->id              = NULL;
 
   PluginDebug("New config object created at %p", cfg);
   return cfg;
@@ -117,6 +125,7 @@ config_delete(struct config *cfg)
     return;
   }
   hdestroy_r(cfg->issuers);
+  free(cfg->issuers);
 
   for (cjose_jwk_t ***jwkis = cfg->jwkis; *jwkis; ++jwkis) {
     for (cjose_jwk_t **jwks = *jwkis; *jwks; ++jwks) {
@@ -126,6 +135,10 @@ config_delete(struct config *cfg)
   }
   free(cfg->jwkis);
 
+  if (cfg->id) {
+    free(cfg->id);
+  }
+
   for (char **name = cfg->issuer_names; *name; ++name) {
     free(*name);
   }
@@ -259,6 +272,18 @@ read_config(const char *path)
       renewal_kid = json_string_value(renewal_kid_json);
     }
 
+    json_t *id_json = json_object_get(jwks, "id");
+    const char *id;
+    if (id_json) {
+      id = json_string_value(id_json);
+      if (id) {
+        cfg->id = malloc(strlen(id) + 1);
+        strcpy(cfg->id, id);
+        PluginDebug("Found Id in the config: %s", cfg->id);
+      }
+    }
+    json_decref(id_json);
+
     size_t jwks_ct     = json_array_size(key_ary);
     cjose_jwk_t **jwks = (*jwkis++ = malloc((jwks_ct + 1) * sizeof *jwks));
     PluginDebug("Created table with size %d", cfg->issuers->size);

diff --git a/plugins/experimental/uri_signing/config.h b/plugins/experimental/uri_signing/config.h
@@ -33,3 +33,4 @@ struct signer *config_signer(struct config *);
 struct _cjose_jwk_int **find_keys(struct config *cfg, const char *issuer);
 struct _cjose_jwk_int *find_key_by_kid(struct config *cfg, const char *issuer, const char *kid);
 bool uri_matches_auth_directive(struct config *cfg, const char *uri, size_t uri_ct);
+const char *config_get_id(struct config *cfg);
diff --git a/plugins/experimental/uri_signing/jwt.c b/plugins/experimental/uri_signing/jwt.c
@@ -56,7 +56,7 @@ parse_jwt(json_t *raw)
   jwt->raw        = raw;
   jwt->iss        = json_string_value(json_object_get(raw, "iss"));
   jwt->sub        = json_string_value(json_object_get(raw, "sub"));
-  jwt->aud        = json_string_value(json_object_get(raw, "aud"));
+  jwt->aud        = json_object_get(raw, "aud");
   jwt->exp        = parse_number(json_object_get(raw, "exp"));
   jwt->nbf        = parse_number(json_object_get(raw, "nbf"));
   jwt->iat        = parse_number(json_object_get(raw, "iat"));
@@ -77,6 +77,8 @@ jwt_delete(struct jwt *jwt)
   if (!jwt) {
     return;
   }
+
+  json_decref(jwt->aud);
   json_decref(jwt->raw);
   free(jwt);
 }
@@ -116,11 +118,6 @@ jwt_validate(struct jwt *jwt)
     return false;
   }
 
-  if (!unsupported_string_claim(jwt->aud)) {
-    PluginDebug("Initial JWT Failure: aud unsupported");
-    return false;
-  }
-
   if (now() > jwt->exp) {
     PluginDebug("Initial JWT Failure: expired token");
     return false;
@@ -159,6 +156,43 @@ jwt_validate(struct jwt *jwt)
   return true;
 }
 
+bool
+jwt_check_aud(json_t *aud, const char *id)
+{
+  if (!aud) {
+    return true;
+  }
+  if (!id) {
+    return false;
+  }
+  /* If aud is a string, do a simple string comparison */
+  const char *aud_str = json_string_value(aud);
+  if (aud_str) {
+    PluginDebug("Checking aud %s agaisnt token aud string \"%s\"", id, aud_str);
+    /* Both strings will be null terminated per jansson docs */
+    if (strcmp(aud_str, id) == 0) {
+      return true;
+    }
+    return false;
+  }
+  PluginDebug("Checking aud %s agaisnt token aud array", id);
+  /* If aud is an array, check all items */
+  if (json_is_array(aud)) {
+    size_t index;
+    json_t *aud_item;
+    json_array_foreach(aud, index, aud_item)
+    {
+      aud_str = json_string_value(aud_item);
+      if (aud_str) {
+        if (strcmp(aud_str, id) == 0) {
+          return true;
+        }
+      }
+    }
+  }
+  return false;
+}
+
 bool
 jwt_check_uri(const char *cdniuc, const char *uri)
 {
@@ -219,6 +253,14 @@ renew_copy_string(json_t *new_json, const char *name, const char *old)
   }
 }
 
+void
+renew_copy_raw(json_t *new_json, const char *name, json_t *old_json)
+{
+  if (old_json) {
+    json_object_set_new(new_json, name, old_json);
+  }
+}
+
 void
 renew_copy_real(json_t *new_json, const char *name, double old)
 {
@@ -251,7 +293,7 @@ renew(struct jwt *jwt, const char *iss, cjose_jwk_t *jwk, const char *alg, const
   json_t *new_json = json_object();
   renew_copy_string(new_json, "iss", iss); /* use issuer of new signing key */
   renew_copy_string(new_json, "sub", jwt->sub);
-  renew_copy_string(new_json, "aud", jwt->aud);
+  renew_copy_raw(new_json, "aud", jwt->aud);
   renew_copy_real(new_json, "exp", now() + jwt->cdniets); /* expire ets seconds hence */
   renew_copy_real(new_json, "nbf", jwt->nbf);
   renew_copy_real(new_json, "iat", now()); /* issued now */
@@ -261,6 +303,7 @@ renew(struct jwt *jwt, const char *iss, cjose_jwk_t *jwk, const char *alg, const
   renew_copy_integer(new_json, "cdnistt", jwt->cdnistt);
 
   char *pt = json_dumps(new_json, JSON_COMPACT);
+  json_decref(new_json);
 
   cjose_header_t *hdr = cjose_header_new(NULL);
   if (!hdr) {

diff --git a/plugins/experimental/uri_signing/jwt.h b/plugins/experimental/uri_signing/jwt.h
@@ -23,7 +23,7 @@ struct jwt {
   json_t *raw;
   const char *iss;
   const char *sub;
-  const char *aud;
+  json_t *aud;
   double exp;
   double nbf;
   double iat;
@@ -39,6 +39,7 @@ struct jwt {
 struct jwt *parse_jwt(json_t *raw);
 void jwt_delete(struct jwt *jwt);
 bool jwt_validate(struct jwt *jwt);
+bool jwt_check_aud(json_t *aud, const char *id);
 bool jwt_check_uri(const char *cdniuc, const char *uri);
 
 struct _cjose_jwk_int;

diff --git a/plugins/experimental/uri_signing/parse.c b/plugins/experimental/uri_signing/parse.c
@@ -229,6 +229,11 @@ validate_jws(cjose_jws_t *jws, struct config *cfg, const char *uri, size_t uri_c
     }
   }
 
+  if (!jwt_check_aud(jwt->aud, config_get_id(cfg))) {
+    PluginDebug("Valid key for %16p that does not match aud.", jws);
+    goto jwt_fail;
+  }
+
   if (!jwt_check_uri(jwt->cdniuc, uri)) {
     PluginDebug("Valid key for %16p that does not match uri.", jws);
     goto jwt_fail;

diff --git a/plugins/experimental/uri_signing/unit_tests/testConfig.config b/plugins/experimental/uri_signing/unit_tests/testConfig.config
@@ -0,0 +1,102 @@
+{
+    "Master Issuer": {
+        "renewal_kid": "6",
+        "id": "tester",
+        "auth_directives": [
+            {
+                "auth": "allow",
+                "uri": "regex:invalid"
+            }
+        ],
+        "keys": [
+         {
+          "alg": "HS256",
+          "k": "nxb7fyO5Z2hGz9E3oKm1357ptvC2su5QwQUb4YaIaIc",
+          "kid": "0",
+          "kty": "oct"
+         },
+         {
+          "alg": "HS256",
+          "k": "cXKukBqFvQ0n3WAuRnWfExC14dmHdGoJULoZjGu9tJC",
+          "kid": "1",
+          "kty": "oct"
+         },
+         {
+          "alg": "HS256",
+          "k": "38pJlSXfX87jWL0a03luml9QzUmM4qts1nmfIHA3B7r",
+          "kid": "2",
+          "kty": "oct"
+         },
+         {
+          "alg": "HS256",
+          "k": "zNQPphknDGvzR5kA7IonXIDWKMyB1b8NpGmmDNlpgtM",
+          "kid": "3",
+          "kty": "oct"
+         },
+         {
+          "alg": "HS256",
+          "k": "iB2ogCmQRt7r5hW7pgyP5FqiFcCl53MPQvfXv8wrZAn",
+          "kid": "4",
+          "kty": "oct"
+         },
+         {
+          "alg": "HS256",
+          "k": "GJMCTyZhNoSOZvUOKmmY9MtGSLaONNLHqtKwsC3MWKo",
+          "kid": "5",
+          "kty": "oct"
+         },
+         {
+          "alg": "HS256",
+          "k": "u2LziZKJFBnOfjUQUmvot7C9t91jj7ocJPIU9aDdbUl",
+          "kid": "6",
+          "kty": "oct"
+         },
+         {
+          "alg": "HS256",
+          "k": "DRBKrBh87NYkH3UzfW1tWbiXCYXiYGZUE9w1orZngL0",
+          "kid": "7",
+          "kty": "oct"
+         },
+         {
+          "alg": "HS256",
+          "k": "KNNKFbun8lEs7GbiKlo9mYGNdvpt33tdFzHbNnasDyP",
+          "kid": "8",
+          "kty": "oct"
+         },
+         {
+          "alg": "HS256",
+          "k": "yb6kOddMUdupPRSkWMUdE6jrWT4MqUnVyTjpeJBYIqp",
+          "kid": "9",
+          "kty": "oct"
+         }
+        ]
+    },
+    "Second Issuer": {
+        "keys": [
+         {
+          "alg": "HS256",
+          "k": "testkey1",
+          "kid": "one",
+          "kty": "oct"
+         },
+         {
+          "alg": "HS256",
+          "k": "testkey2",
+          "kid": "two",
+          "kty": "oct"
+         },
+         {
+          "alg": "HS256",
+          "k": "testkey3",
+          "kid": "three",
+          "kty": "oct"
+         },
+         {
+          "alg": "HS256",
+          "k": "testkey4",
+          "kid": "four",
+          "kty": "oct"
+         }
+        ]
+    }
+}