Fix ES256 and ES512 support

Author: calderonth

lib/resty/evp.lua

@@ -77,6 +77,35 @@ EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *e,
 void EVP_PKEY_free(EVP_PKEY *key);
 int i2d_RSA(RSA *a, unsigned char **out);
 
+// Additional typedef of ECC operations (DER/RAW sig conversion)
+typedef struct bignum_st BIGNUM;
+BIGNUM *BN_new(void);
+void BN_free(BIGNUM *a);
+int BN_num_bits(const BIGNUM *a);
+int BN_bn2bin(const BIGNUM *a, unsigned char *to);
+BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
+char *BN_bn2hex(const BIGNUM *a);
+
+
+typedef struct ECDSA_SIG_st {
+    BIGNUM *r;
+    BIGNUM *s;} ECDSA_SIG;
+ECDSA_SIG*     ECDSA_SIG_new(void);
+int            i2d_ECDSA_SIG(const ECDSA_SIG *sig, unsigned char **pp);
+ECDSA_SIG*     d2i_ECDSA_SIG(ECDSA_SIG **sig, unsigned char **pp,
+long len);
+void           ECDSA_SIG_free(ECDSA_SIG *sig);
+
+typedef struct ecgroup_st EC_GROUP;
+typedef struct eckey_st EC_KEY;
+
+void EC_GROUP_free(EC_GROUP *group);
+EC_GROUP *EC_KEY_get0_group(const EC_KEY *key);
+void EC_KEY_free(EC_KEY *key);
+EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey);
+int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, void *ctx);
+
+
 // PUBKEY
 EVP_PKEY *PEM_read_bio_PUBKEY(BIO *bp, EVP_PKEY **x,
                               pem_password_cb *cb, void *u);
@@ -365,6 +394,47 @@ function ECSigner.sign(self, message, digest_name)
     return RSASigner.sign(self, message, digest_name)
 end
 
+--- Converts a ASN.1 DER signature to RAW r,s
+-- @param signature The ASN.1 DER signature
+-- @returns signature, error_string
+function ECSigner.get_raw_sig(self, signature)
+    if not signature then
+        return nil, "Must pass a signature to convert"
+    end
+    local sig_ptr = ffi_new("unsigned char *[1]")
+    local sig_bin = ffi_new("unsigned char [?]", #signature)
+    ffi_copy(sig_bin, signature, #signature)
+
+    sig_ptr[0] = sig_bin
+    local sig = _C.d2i_ECDSA_SIG(nil, sig_ptr, #signature)
+    ffi_gc(sig, _C.ECDSA_SIG_free)
+
+    local rbytes = math.floor((_C.BN_num_bits(sig.r)+7)/8)
+    local sbytes = math.floor((_C.BN_num_bits(sig.s)+7)/8)
+
+    -- Ensure we copy the BN in a padded form
+    local ec = _C.EVP_PKEY_get0_EC_KEY(self.evp_pkey)
+    local ecgroup = _C.EC_KEY_get0_group(ec)
+
+    local order =  _C.BN_new()
+    ffi_gc(order, _C.BN_free)
+
+    -- res is an int, if 0, curve not found
+    local res = _C.EC_GROUP_get_order(ecgroup, order, nil)
+
+    -- BN_num_bytes is a #define, so have to use BN_num_bits
+    local order_size_bytes = math.floor((_C.BN_num_bits(order)+7)/8)
+    local resbuf_len = order_size_bytes *2
+    local resbuf = ffi_new("unsigned char[?]", resbuf_len)
+
+    -- Let's whilst preserving MSB
+    _C.BN_bn2bin(sig.r, resbuf + order_size_bytes - rbytes)
+    _C.BN_bn2bin(sig.s, resbuf + (order_size_bytes*2) - sbytes)
+
+    local raw = ffi_string(resbuf, resbuf_len)
+    return raw, nil
+end
+
 local RSAVerifier = {}
 _M.RSAVerifier = RSAVerifier
 
@@ -418,6 +488,56 @@ function RSAVerifier.verify(self, message, sig, digest_name)
     end
 end
 
+--- Converts a RAW r,s signature to ASN.1 DER signature (ECDSA)
+-- @param signature The raw signature
+-- @returns signature, error_string
+function RSAVerifier.get_der_sig(self, signature)
+    -- TODO: should be declared in a new class rather than RSAVerifier
+    if not signature then
+        return nil, "Must pass a signature to convert"
+    end
+    -- inspired from https://bit.ly/2yZxzxJ
+    local ec = _C.EVP_PKEY_get0_EC_KEY(self.evp_pkey)
+    local ecgroup = _C.EC_KEY_get0_group(ec)
+
+    local order =  _C.BN_new()
+    ffi_gc(order, _C.BN_free)
+
+    -- res is an int, if 0, curve not found
+    local res = _C.EC_GROUP_get_order(ecgroup, order, nil)
+
+    -- BN_num_bytes is a #define, so have to use BN_num_bits
+    local order_size_bytes = math.floor((_C.BN_num_bits(order)+7)/8)
+
+    if #signature ~= 2 * order_size_bytes then
+        return nil, "signature length != 2 * order length"
+    end
+
+    local sig_bytes = ffi_new("unsigned char [?]", #signature)
+    ffi_copy(sig_bytes, signature, #signature)
+    local ecdsa = _C.ECDSA_SIG_new()
+    ffi_gc(ecdsa, _C.ECDSA_SIG_free)
+
+    local r = _C.BN_bin2bn(sig_bytes, order_size_bytes, nil)
+    local s = _C.BN_bin2bn(sig_bytes + order_size_bytes, order_size_bytes, nil)
+    ffi_gc(r, _C.BN_free)
+    ffi_gc(s, _C.BN_free)
+
+    ecdsa.r = r
+    ecdsa.s = s
+
+    -- Gives us the buffer size to allocate
+    local der_len = _C.i2d_ECDSA_SIG(ecdsa, nil)
+
+    local der_sig_ptr = ffi_new("unsigned char *[1]")
+    local der_sig_bin = ffi_new("unsigned char [?]", der_len)
+    der_sig_ptr[0] = der_sig_bin
+    der_len = _C.i2d_ECDSA_SIG(ecdsa, der_sig_ptr)
+
+    local der_str = ffi_string(der_sig_bin, der_len)
+    return der_str, nil
+end
+
 
 local Cert = {}
 _M.Cert = Cert

lib/resty/jwt.lua

@@ -5,6 +5,9 @@ local evp = require "resty.evp"
 local hmac = require "resty.hmac"
 local resty_random = require "resty.random"
 
+local ngx = ngx
+
+
 local _M = {_VERSION="0.2.2"}
 
 local mt = {
@@ -60,6 +63,7 @@ local str_const = {
   HS512 = "HS512",
   RS256 = "RS256",
   ES256 = "ES256",
+  ES512 = "ES512",
   RS512 = "RS512",
   A128CBC_HS256 = "A128CBC-HS256",
   A256CBC_HS512 = "A256CBC-HS512",
@@ -529,7 +533,6 @@ function _M.sign(self, secret_key, jwt_obj)
   local raw_header = get_raw_part(str_const.header, jwt_obj)
   local raw_payload = get_raw_part(str_const.payload, jwt_obj)
   local message = string_format(str_const.regex_join_msg, raw_header, raw_payload)
-
   local alg = jwt_obj[str_const.header][str_const.alg]
   local signature = ""
   if alg == str_const.HS256 then
@@ -544,12 +547,25 @@ function _M.sign(self, secret_key, jwt_obj)
       error({reason="signer error: " .. err})
     end
     signature = signer:sign(message, evp.CONST.SHA256_DIGEST)
-  elseif alg == str_const.ES256 then
+  elseif alg == str_const.ES256 or alg == str_const.ES512 then
     local signer, err = evp.ECSigner:new(secret_key)
     if not signer then
       error({reason="signer error: " .. err})
     end
-    signature = signer:sign(message, evp.CONST.SHA256_DIGEST)
+    if alg == str_const.ES256 then
+      -- OpenSSL will generate a DER encoded signature that needs to be converted
+      local der_signature = signer:sign(message, evp.CONST.SHA256_DIGEST)
+      signature, err = signer:get_raw_sig(der_signature)
+      if not signature then
+        error({reason="signature error: " .. err})
+      end
+    elseif alg == str_const.ES512 then
+      local der_signature = signer:sign(message, evp.CONST.SHA512_DIGEST)
+      signature, err = signer:get_raw_sig(der_signature)
+      if not signature then
+        error({reason="signature error: " .. err})
+      end
+    end
   else
     error({reason="unsupported alg: " .. alg})
   end
@@ -803,7 +819,7 @@ function _M.verify_jwt_obj(self, secret, jwt_obj, ...)
       -- signature check
       jwt_obj[str_const.reason] = "signature mismatch: " .. jwt_obj[str_const.signature]
     end
-  elseif alg == str_const.RS256 or alg == str_const.RS512 or alg == str_const.ES256 then
+  elseif alg == str_const.RS256 or alg == str_const.RS512 or alg == str_const.ES256 or alg == str_const.ES512 then
     local cert, err
     if self.trusted_certs_file ~= nil then
       local cert_str = extract_certificate(jwt_obj, self.x5u_content_retriever)
@@ -857,10 +873,22 @@ function _M.verify_jwt_obj(self, secret, jwt_obj, ...)
     local verified = false
     err = "verify error: reason unknown"
 
-    if alg == str_const.RS256 or alg == str_const.ES256 then
+    if alg == str_const.RS256 then
       verified, err = verifier:verify(message, sig, evp.CONST.SHA256_DIGEST)
+    elseif alg == str_const.ES256 then
+      local der_sig = ""
+      der_sig, err = verifier:get_der_sig(sig)
+      if der_sig then
+        verified, err = verifier:verify(message, der_sig, evp.CONST.SHA256_DIGEST)
+      end
     elseif alg == str_const.RS512 then
       verified, err = verifier:verify(message, sig, evp.CONST.SHA512_DIGEST)
+    elseif alg == str_const.ES512 then
+      local der_sig = ""
+      der_sig, err = verifier:get_der_sig(sig)
+      if der_sig then
+        verified, err = verifier:verify(message, der_sig, evp.CONST.SHA512_DIGEST)
+      end
     end
     if not verified then
       jwt_obj[str_const.reason] = err

t/load-verify.t

@@ -10,6 +10,9 @@ our $HttpConfig = <<'_EOC_';
     lua_package_path 'lib/?.lua;;';
 _EOC_
 
+log_level('debug');
+
+
 no_long_string();
 
 run_tests();
@@ -659,4 +662,36 @@ true
 everything is awesome~ :p
 bar
 --- no_error_log
+[error]
+
+=== TEST 22: Verify valid ES256 signed jwt using a EC public key
+--- http_config eval: $::HttpConfig
+--- config
+    location /t {
+        content_by_lua '
+            local jwt = require "resty.jwt"
+
+            local public_key = [[
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEm9ehYHp34sZPfZoxJlotxG/LF02e
+ZPmM51hCYIL1jn50e30i8KqEL6y6wl06z6P4co0uew5CzD7JlOQlLB+Ryg==
+-----END PUBLIC KEY-----
+                ]]
+
+            jwt:set_alg_whitelist({ ES256 = 1 })
+            local jwt_token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJ0ZXN0IiwiaWF0IjoxNDYxOTE0MDE3fQ.U38g80dOEKrGQG08KDRY_XWXvolBAhz6G16QZqgePFQljooqsZXw9sIyH6hXFpsAxQbupQBqgUAw6IwUqbAXzg"
+
+            local jwt_obj = jwt:verify(public_key, jwt_token)
+            ngx.say(jwt_obj["verified"])
+            ngx.say(jwt_obj["reason"])
+            ngx.say(jwt_obj["payload"]["iss"])
+        ';
+    }
+--- request
+GET /t
+--- response_body
+true
+everything is awesome~ :p
+test
+--- no_error_log
 [error]

t/sign-verify.t

@@ -448,4 +448,47 @@ GET /t
 false
 Verification failed
 --- no_error_log
-[error] 
+[error] 
+
+=== TEST 14: JWT sign and verify ES512
+--- http_config eval: $::HttpConfig
+--- config
+    location /t {
+        content_by_lua '
+            local jwt = require "resty.jwt"
+            local function get_testcert(name)
+                local f = io.open("/lua-resty-jwt/testcerts/" .. name)
+                local contents = f:read("*all")
+                f:close()
+                return contents
+            end
+            -- x5c wants a base64 encoded der, not pem.. aka, the pem minus the header+footer
+            local pubkey_pem = get_testcert("ec_cert_p521.pem")
+            local ssl = require "ngx.ssl"
+            local der, err = ssl.cert_pem_to_der(pubkey_pem)
+            local jwt_token = jwt:sign(
+                get_testcert("ec_cert_p521-key.pem"),
+                {
+                    header={
+                        typ="JWT",
+                        alg="ES512",
+                        x5c={
+                            ngx.encode_base64(der),
+                        } },
+                    payload={foo="bar", exp=9999999999}
+                }
+            )
+            local jwt_obj = jwt:verify(get_testcert("ec_cert_p521.pem"), jwt_token)
+            ngx.say(jwt_obj["verified"])
+            ngx.say(jwt_obj["reason"])
+            ngx.say(jwt_obj["payload"]["foo"])
+        ';
+    }
+--- request
+GET /t
+--- response_body
+true
+everything is awesome~ :p
+bar
+--- no_error_log
+[error]

testcerts/ec_cert_p521-key.pem

@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIB4lFSZyyNtFjANtO9ERz4g/vt+EGruo9Y342NHHoN/uGnq8d9zP7/
+mufPqeo6qEg6EKV74d/IJR6AcjYDfMKG0OSgBwYFK4EEACOhgYkDgYYABADMTquc
+1h+hiwxhSyfHNUsGJuKRzAgCrlUXqwLgE+nu3utlL1Nfv76oDzHkSLurKYqQMUDs
+UZQDsTZ3ZEvj+GmRJgABNPqrFls6PtC3jlnwCeJX3V2C/mUOORr7nHgGsvr0SLRX
+hxGW2bHkNIIQKARln/8EEi4RqDrhYCRbj1TqO1cFRQ==
+-----END EC PRIVATE KEY-----

testcerts/ec_cert_p521.csr

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICDjCCAW8CAQAwejELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
+EDAOBgNVBAcTB1NlYXR0bGUxDDAKBgNVBAoTA0pXVDEWMBQGA1UECxMNTm90IFdv
+cmxkd2lkZTEeMBwGA1UEAxMVdGVzdGluZy5qd3Qud29ybGR3aWRlMIGbMBAGByqG
+SM49AgEGBSuBBAAjA4GGAAQAzE6rnNYfoYsMYUsnxzVLBibikcwIAq5VF6sC4BPp
+7t7rZS9TX7++qA8x5Ei7qymKkDFA7FGUA7E2d2RL4/hpkSYAATT6qxZbOj7Qt45Z
+8AniV91dgv5lDjka+5x4BrL69Ei0V4cRltmx5DSCECgEZZ//BBIuEag64WAkW49U
+6jtXBUWgUDBOBgkqhkiG9w0BCQ4xQTA/MD0GA1UdEQQ2MDSCFXRlc3Rpbmcuand0
+Lndvcmxkd2lkZYIbbG9jYWwudGVzdGluZy5qd3Qud29ybGR3aWRlMAoGCCqGSM49
+BAMEA4GMADCBiAJCAVhjl+K7NCW0g/Az3qovrCK6UC+kD7lzzAYm5L5vsnJVlcIk
+sspNqH2Ea/z9XIlGfqZFUXo81ZmQ5qHyhYsLTg4aAkIB1sDRBeGEtmh17I33HN/1
+vuLR6BVk18hf+L5VoYSD5NG0jO2JDpHYA/cMsW1Ohsz5hzoRQ7KpkpW7K5aKPmNP
+Ur4=
+-----END CERTIFICATE REQUEST-----

testcerts/ec_cert_p521.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDrTCCApWgAwIBAgIUenHXNHWN90RdaeTIqIoCvLQGfQUwDQYJKoZIhvcNAQEL
+BQAwdzELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE5ldyBZb3JrMREwDwYDVQQHEwhO
+ZXcgWW9yazEMMAoGA1UEChMDSldUMRIwEAYDVQQLEwlXT1JMRFdJREUxIDAeBgNV
+BAMTF29wZW5yZXN0eS1qd3QtdGVzdC1jZXJ0MB4XDTIwMDUxNTE1MjYwMFoXDTMw
+MDUxMzE1MjYwMFowejELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
+EDAOBgNVBAcTB1NlYXR0bGUxDDAKBgNVBAoTA0pXVDEWMBQGA1UECxMNTm90IFdv
+cmxkd2lkZTEeMBwGA1UEAxMVdGVzdGluZy5qd3Qud29ybGR3aWRlMIGbMBAGByqG
+SM49AgEGBSuBBAAjA4GGAAQAzE6rnNYfoYsMYUsnxzVLBibikcwIAq5VF6sC4BPp
+7t7rZS9TX7++qA8x5Ei7qymKkDFA7FGUA7E2d2RL4/hpkSYAATT6qxZbOj7Qt45Z
+8AniV91dgv5lDjka+5x4BrL69Ei0V4cRltmx5DSCECgEZZ//BBIuEag64WAkW49U
+6jtXBUWjgbUwgbIwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMC
+MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFMvQqOcuqxWuCqeyhPgebt/fx2XKMB8G
+A1UdIwQYMBaAFKsUt/gHRBzTx08L6IE1kkvxYmANMD0GA1UdEQQ2MDSCFXRlc3Rp
+bmcuand0Lndvcmxkd2lkZYIbbG9jYWwudGVzdGluZy5qd3Qud29ybGR3aWRlMA0G
+CSqGSIb3DQEBCwUAA4IBAQAu4co5CHaRwnn30YiDKgakLBiEHhyRfjPekzoDiUBr
+Vvj6Hub6e79UtyFsip+5SwJ40br1pIb242jQqIqAAP6dN+At5D5KCZzijz0UnDMs
+890aV+UE5Cp6OoWGuWMF8E5iDWsUAD5oZ1qQNuo5G0lGuauMUDp44GtW+kQZCCcF
+Yorsl5NZwIA2LN55icOGqLq4cm/KzqsMJqUX3XBNuJpuFx6FfDrTQWa/cPw/nhHX
+ddzAQFkF+1bWcRMEX1uA4ega2Mmt8H+GPAgAPX1WEP7J3SBT4hEjqd3eRv9Qu2tM
+YKMXx2+T7trqM1BK31RfMLxbJKaKViUy7QXsamCLusiC
+-----END CERTIFICATE-----

testcerts/ec_cert_p521_pubkey.pem

@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAzE6rnNYfoYsMYUsnxzVLBibikcwI
+Aq5VF6sC4BPp7t7rZS9TX7++qA8x5Ei7qymKkDFA7FGUA7E2d2RL4/hpkSYAATT6
+qxZbOj7Qt45Z8AniV91dgv5lDjka+5x4BrL69Ei0V4cRltmx5DSCECgEZZ//BBIu
+Eag64WAkW49U6jtXBUU=
+-----END PUBLIC KEY-----