xref: /aosp_15_r20/external/tink/cc/jwt/internal/jwt_mac_wrapper.cc (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5) 
1 // Copyright 2021 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ///////////////////////////////////////////////////////////////////////////////
16 
17 #include "tink/jwt/internal/jwt_mac_wrapper.h"
18 
19 #include <memory>
20 #include <string>
21 #include <utility>
22 
23 #include "absl/status/status.h"
24 #include "tink/jwt/internal/jwt_format.h"
25 #include "tink/jwt/internal/jwt_mac_internal.h"
26 #include "tink/jwt/jwt_mac.h"
27 #include "tink/primitive_set.h"
28 #include "tink/util/status.h"
29 #include "tink/util/statusor.h"
30 
31 namespace crypto {
32 namespace tink {
33 namespace jwt_internal {
34 
35 using ::google::crypto::tink::OutputPrefixType;
36 
37 namespace {
38 
39 class JwtMacSetWrapper : public JwtMac {
40  public:
JwtMacSetWrapper(std::unique_ptr<PrimitiveSet<JwtMacInternal>> jwt_mac_set)41   explicit JwtMacSetWrapper(
42       std::unique_ptr<PrimitiveSet<JwtMacInternal>> jwt_mac_set)
43       : jwt_mac_set_(std::move(jwt_mac_set)) {}
44 
45   crypto::tink::util::StatusOr<std::string> ComputeMacAndEncode(
46       const crypto::tink::RawJwt& token) const override;
47 
48   crypto::tink::util::StatusOr<crypto::tink::VerifiedJwt> VerifyMacAndDecode(
49       absl::string_view compact,
50       const crypto::tink::JwtValidator& validator) const override;
51 
52   ~JwtMacSetWrapper() override = default;
53 
54  private:
55   std::unique_ptr<PrimitiveSet<JwtMacInternal>> jwt_mac_set_;
56 };
57 
Validate(PrimitiveSet<JwtMacInternal> * jwt_mac_set)58 util::Status Validate(PrimitiveSet<JwtMacInternal>* jwt_mac_set) {
59   if (jwt_mac_set == nullptr) {
60     return util::Status(absl::StatusCode::kInternal,
61                         "jwt_mac_set must be non-NULL");
62   }
63   if (jwt_mac_set->get_primary() == nullptr) {
64     return util::Status(absl::StatusCode::kInvalidArgument,
65                         "jwt_mac_set has no primary");
66   }
67   for (const auto* entry : jwt_mac_set->get_all()) {
68     if ((entry->get_output_prefix_type() != OutputPrefixType::RAW) &&
69         (entry->get_output_prefix_type() != OutputPrefixType::TINK)) {
70       return util::Status(absl::StatusCode::kInvalidArgument,
71                           "all JWT keys must be either RAW or TINK");
72     }
73   }
74   return util::OkStatus();
75 }
76 
ComputeMacAndEncode(const crypto::tink::RawJwt & token) const77 util::StatusOr<std::string> JwtMacSetWrapper::ComputeMacAndEncode(
78     const crypto::tink::RawJwt& token) const {
79   auto primary = jwt_mac_set_->get_primary();
80   absl::optional<std::string> kid =
81       GetKid(primary->get_key_id(), primary->get_output_prefix_type());
82   return primary->get_primitive().ComputeMacAndEncodeWithKid(token, kid);
83 }
84 
VerifyMacAndDecode(absl::string_view compact,const crypto::tink::JwtValidator & validator) const85 util::StatusOr<crypto::tink::VerifiedJwt> JwtMacSetWrapper::VerifyMacAndDecode(
86     absl::string_view compact,
87     const crypto::tink::JwtValidator& validator) const {
88   absl::optional<util::Status> interesting_status;
89   for (const auto* mac_entry : jwt_mac_set_->get_all()) {
90     JwtMacInternal& jwt_mac = mac_entry->get_primitive();
91     absl::optional<std::string> kid =
92         GetKid(mac_entry->get_key_id(), mac_entry->get_output_prefix_type());
93     util::StatusOr<VerifiedJwt> verified_jwt =
94         jwt_mac.VerifyMacAndDecodeWithKid(compact, validator, kid);
95     if (verified_jwt.ok()) {
96       return verified_jwt;
97     } else if (verified_jwt.status().code() !=
98                absl::StatusCode::kUnauthenticated) {
99       // errors that are not the result of a MAC verification
100       interesting_status = verified_jwt.status();
101     }
102   }
103   if (interesting_status.has_value()) {
104     return *interesting_status;
105   }
106   return util::Status(absl::StatusCode::kInvalidArgument,
107                       "verification failed");
108 }
109 
110 }  // namespace
111 
Wrap(std::unique_ptr<PrimitiveSet<JwtMacInternal>> jwt_mac_set) const112 util::StatusOr<std::unique_ptr<JwtMac>> JwtMacWrapper::Wrap(
113     std::unique_ptr<PrimitiveSet<JwtMacInternal>> jwt_mac_set) const {
114   util::Status status = Validate(jwt_mac_set.get());
115   if (!status.ok()) return status;
116   std::unique_ptr<JwtMac> jwt_mac =
117       absl::make_unique<JwtMacSetWrapper>(std::move(jwt_mac_set));
118   return std::move(jwt_mac);
119 }
120 
121 }  // namespace jwt_internal
122 }  // namespace tink
123 }  // namespace crypto
124