MINOR: jws: emit the JWK thumbprint

jwk_thumbprint() is a function which is a function which implements RFC7368 and emits a JWK thumbprint using a EVP_PKEY. EVP_PKEY_EC_to_pub_jwk() and EVP_PKEY_RSA_to_pub_jwk() were changed in order to match what is required to emit a thumbprint (ie, no spaces or lines and the lexicographic order of the fields)
2025-03-25 15:21:50 +01:00 · 2025-03-25 15:21:50 +01:00 · f8fe84caca
commit f8fe84caca
parent ed1d4807da
2 changed files with 52 additions and 13 deletions
--- a/include/haproxy/jws.h
+++ b/include/haproxy/jws.h
@ -13,5 +13,6 @@ int jws_b64_payload(char *payload, char *dst, size_t dsize);
 int jws_b64_protected(enum jwt_alg alg, char *kid, char *jwk, char *nonce, char *url, char *dst, size_t dsize);
 int jws_b64_signature(EVP_PKEY *pkey, enum jwt_alg alg, char *b64protected, char *b64payload, char *dst, size_t dsize);
 int jws_flattened(char *protected, char *payload, char *signature, char *dst, size_t dsize);
+int jws_thumbprint(EVP_PKEY *pkey, char *dst, size_t dsize);

 #endif /* ! _HAPROXY_JWK_H_ */
--- a/src/jws.c
+++ b/src/jws.c
@ -148,13 +148,13 @@ static int EVP_PKEY_EC_to_pub_jwk(EVP_PKEY *pkey, char *dst, size_t dsize)
 	if (str_x->data == 0 || str_y->data == 0)
 		goto out;

-	ret = snprintf(dst, dsize, "{\n"
-			"    \"kty\": \"%s\",\n"
-			"    \"crv\": \"%s\",\n"
-			"    \"x\":   \"%s\",\n"
-			"    \"y\":   \"%s\"\n"
-			"}\n",
-			"EC", crv, str_x->area, str_y->area);
+	ret = snprintf(dst, dsize, "{"
+			"\"crv\":\"%s\","
+			"\"kty\":\"%s\","
+			"\"x\":\"%s\","
+			"\"y\":\"%s\""
+			"}",
+			crv, "EC", str_x->area, str_y->area);
 	if (ret >= dsize)
 		ret = 0;

@ -209,12 +209,12 @@ static int EVP_PKEY_RSA_to_pub_jwk(EVP_PKEY *pkey, char *dst, size_t dsize)
 	if (str_n->data == 0 || str_e->data == 0)
 		goto out;

-	ret = snprintf(dst, dsize, "{\n"
-			"    \"kty\": \"%s\",\n"
-			"    \"n\":   \"%s\",\n"
-			"    \"e\":   \"%s\"\n"
-			"}\n",
-			"RSA", str_n->area, str_e->area);
+	ret = snprintf(dst, dsize, "{"
+			"\"e\":\"%s\","
+			"\"kty\":\"%s\","
+			"\"n\":\"%s\""
+			"}",
+			str_e->area, "RSA", str_n->area );
 	if (ret >= dsize)
 		ret = 0;

@ -486,6 +486,44 @@ out:

 }

+/*
+ * Fill a <dst> buffer of <dsize> size with a jwk thumbprint from a pkey
+ *
+ * Return the size of the data or 0
+ */
+int jws_thumbprint(EVP_PKEY *pkey, char *dst, size_t dsize)
+{
+	int ret = 0;
+	struct buffer *jwk = NULL;
+	unsigned char md[EVP_MAX_MD_SIZE];
+	unsigned int size;
+
+	if ((jwk = alloc_trash_chunk()) == NULL)
+		goto out;
+
+	switch (EVP_PKEY_base_id(pkey)) {
+		case EVP_PKEY_RSA:
+			jwk->data = EVP_PKEY_RSA_to_pub_jwk(pkey, jwk->area, jwk->size);
+			break;
+		case EVP_PKEY_EC:
+			jwk->data = EVP_PKEY_EC_to_pub_jwk(pkey, jwk->area, jwk->size);
+			break;
+		default:
+			break;
+	}
+
+
+	if (EVP_Digest(jwk->area, jwk->data, md, &size, EVP_sha256(), NULL) == 0)
+		goto out;
+
+	ret = a2base64url((const char *)md, size, dst, dsize);
+
+out:
+	free_trash_chunk(jwk);
+	return ret;
+}
+
+
 int jws_flattened(char *protected, char *payload, char *signature, char *dst, size_t dsize)
 {
 	int ret = 0;