s/oidc: Replaced cryptopp with utility function
Signed-off-by: Michael Boquard <michael@redpanda.com>
michael-redpanda committed May 3, 2024
1 parent ddc68cb commit 1a65a02
Showing 3 changed files with 34 additions and 33 deletions.
2 changes: 1 addition & 1 deletion src/v/security/CMakeLists.txt
Expand Up @@ -18,6 +18,7 @@ v_cc_library(
credential.cc
gssapi_authenticator.cc
gssapi_principal_mapper.cc
jwt.cc
krb5.cc
krb5_configurator.cc
license.cc
Expand All @@ -41,7 +42,6 @@ v_cc_library(
v::rpc
absl::flat_hash_map
absl::flat_hash_set
cryptopp
re2
gssapi_krb5
krb5
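--- /dev/null
+++ b/src/v/security/jwt.cc
@@ -0,0 +1,23 @@
+/*
+ * Copyright 2024 Redpanda Data, Inc.
+ *
+ * Licensed as a Redpanda Enterprise file under the Redpanda Community
+ * License (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://github.com/redpanda-data/redpanda/blob/master/licenses/rcl.md
+ */
+#include "security/jwt.h"
+
+namespace security::oidc::detail {
+bytes base64_url_decode(std::string_view sv) { return base64url_to_bytes(sv); };
+
+std::optional<bytes>
+base64_url_decode(json::Value const& v, std::string_view field) {
+auto b64 = string_view<>(v, field);
+if (!b64.has_value()) {
+return std::nullopt;
+}
+return base64_url_decode(b64.value());
+}
+} // namespace security::oidc::detail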
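Review bot: The error contract of base64_url_decode is undocumented even though the callers in jwt.h now catch base64_url_decoder_exception around it for both JWK key material and JWS segments, which implies base64url_to_bytes reports malformed input by throwing that type; add a comment above the definition such as `// Throws base64_url_decoder_exception on malformed input; jwt.h maps it to errc::jwk_invalid / errc::jws_invalid_b64.` The replaced CryptoPP::Base64URLDecoder silently skipped characters outside the alphabet, so the new helper is presumably stricter, which is the right direction for token parsing, but it is worth confirming that it also accepts the unpadded segments RFC 7515 requires for JWS, otherwise every token would be rejected. The trailing `;` after the one-line function body is a stray empty declaration and can be dropped.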
42 changes: 10 additions & 32 deletions src/v/security/jwt.h
Expand Up @@ -19,14 +19,14 @@
#include "security/oidc_error.h"
#include "strings/string_switch.h"
#include "strings/utf8.h"
#include "utils/base64.h"

#include <seastar/core/sstring.hh>
#include <seastar/util/variant_utils.hh>

#include <absl/algorithm/container.h>
#include <absl/container/flat_hash_map.h>
#include <boost/algorithm/string/split.hpp>
#include <cryptopp/base64.h>

#include <iosfwd>
#include <optional>
Expand Down Expand Up @@ -95,33 +95,10 @@ time_point(json::Value const& doc, std::string_view field) {
typename Clock::time_point(std::chrono::seconds(it->value.GetInt64()));
}

template<string_viewable StringT = bytes>
auto base64_url_decode(bytes_view sv) {
// TODO: Replace this with non-CryptoPP implementation
// TODO: https://github.com/redpanda-data/core-internal/issues/1132
CryptoPP::Base64URLDecoder decoder;
bytes base64_url_decode(std::string_view sv);

decoder.Put(sv.data(), sv.size());
decoder.MessageEnd();

StringT decoded;
if (auto size = decoder.MaxRetrievable(); size != 0) {
decoded.resize(size);
decoder.Get(
reinterpret_cast<CryptoPP::byte*>(decoded.data()), decoded.size());
}
return decoded;
};

template<string_viewable StringT = bytes>
std::optional<StringT>
base64_url_decode(json::Value const& v, std::string_view field) {
auto b64 = string_view<bytes::value_type>(v, field);
if (!b64.has_value()) {
return std::nullopt;
}
return base64_url_decode(b64.value());
}
std::optional<bytes>
base64_url_decode(json::Value const& v, std::string_view field);

} // namespace detail

Expand Down Expand Up @@ -445,7 +422,7 @@ inline result<verifier> make_rs256_verifier(json::Value const& jwk) {
}
auto key = crypto::key::load_rsa_public_key(n.value(), e.value());
return verifier{rs256_verifier{std::move(key)}};
} catch (CryptoPP::Exception const& ex) {
} catch (base64_url_decoder_exception const&) {
return errc::jwk_invalid;
} catch (crypto::exception const&) {
return errc::jwk_invalid;
Expand Down Expand Up @@ -506,25 +483,26 @@ class verifier {
// Verify the JWS signature and return the JWT
result<jwt> verify(jws const& jws) const {
std::string_view sv(jws._encoded);
std::vector<bytes_view> jose_enc;
std::vector<std::string_view> jose_enc;
jose_enc.reserve(3);
boost::algorithm::split(
jose_enc,
detail::char_view_cast<bytes_view::value_type>(sv),
detail::char_view_cast<std::string_view::value_type>(sv),
[](char c) { return c == '.'; });

if (jose_enc.size() != 3) {
return errc::jws_invalid_parts;
}

constexpr auto make_dom = [](bytes_view bv) -> result<json::Document> {
constexpr auto make_dom =
[](std::string_view bv) -> result<json::Document> {
try {
auto bytes = detail::base64_url_decode(bv);
auto str = detail::char_view_cast<char>(bytes);
json::Document dom;
dom.Parse(str.data(), str.length());
return dom;
} catch (CryptoPP::Exception const& ex) {
} catch (base64_url_decoder_exception const&) {
return errc::jws_invalid_b64;
}
};
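Review bot: In verify() the `detail::char_view_cast<std::string_view::value_type>(sv)` argument to the split call is now a no-op, since sv is already a std::string_view and jose_enc holds std::string_view; `boost::algorithm::split(jose_enc, sv, [](char c) { return c == '.'; });` says the same thing without the cast. Likewise the make_dom parameter `bv` is named for the bytes_view it used to be; `segment` would read better now that it is a std::string_view. make_dom also returns the Document without checking `dom.HasParseError()`, so if that check is not performed by the code following this hunk, a segment that decodes to non-JSON would not be reported as errc::jws_invalid_b64 or any other error here; the remainder of verify() continues outside the hunk, so this needs confirming against the code below.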
