(JWT) Allow validating RSA, DSA, and other KeyFactory supported algorithms (sscarduzio#287)

Author: croemmich

core/src/main/java/tech/beshu/ror/acl/blocks/rules/impl/JwtAuthSyncRule.java

@@ -20,6 +20,7 @@
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.ExpiredJwtException;
 import io.jsonwebtoken.Jws;
+import io.jsonwebtoken.JwtParser;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.MalformedJwtException;
 import io.jsonwebtoken.SignatureException;
@@ -34,17 +35,23 @@
 import tech.beshu.ror.settings.rules.JwtAuthRuleSettings;
 
 import java.security.AccessController;
+import java.security.Key;
+import java.security.KeyFactory;
 import java.security.PrivilegedAction;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
 import java.util.Optional;
 
 public class JwtAuthSyncRule extends UserRule implements Authentication {
 
   private final LoggerShim logger;
   private final JwtAuthRuleSettings settings;
+  private final Optional<Key> signingKeyForAlgo;
 
   public JwtAuthSyncRule(JwtAuthRuleSettings settings, ESContext context) {
     this.logger = context.logger(getClass());
     this.settings = settings;
+    this.signingKeyForAlgo = getSigningKeyForAlgo();
   }
 
   private static Optional<String> extractToken(String authHeader) {
@@ -57,6 +64,20 @@ private static Optional<String> extractToken(String authHeader) {
 
   }
 
+  private Optional<Key> getSigningKeyForAlgo() {
+    if (settings.getAlgo().isPresent()) {
+      try {
+        byte[] decoded = Base64.getDecoder().decode(settings.getKey());
+        X509EncodedKeySpec X509publicKey = new X509EncodedKeySpec(decoded);
+        KeyFactory kf = KeyFactory.getInstance(settings.getAlgo().get());
+        return Optional.of(kf.generatePublic(X509publicKey));
+      } catch (Exception e) {
+        logger.error(e.getMessage());
+      }
+    }
+    return Optional.empty();
+  }
+
   @Override
   public RuleExitResult match(RequestContext rc) {
     Optional<String> token = Optional.of(rc.getHeaders())
@@ -70,10 +91,16 @@ public RuleExitResult match(RequestContext rc) {
 
     try {
       Jws<Claims> jws = AccessController.doPrivileged(
-        (PrivilegedAction<Jws<Claims>>) () ->
-          Jwts.parser()
-            .setSigningKey(settings.getKey())
-            .parseClaimsJws(token.get()));
+        (PrivilegedAction<Jws<Claims>>) () -> {
+          JwtParser parser = Jwts.parser();
+          if (signingKeyForAlgo.isPresent()) {
+            parser.setSigningKey(signingKeyForAlgo.get());
+          } else {
+            parser.setSigningKey(settings.getKey());
+          }
+          return parser.parseClaimsJws(token.get());
+        }
+      );
 
       Optional<String> user = settings.getUserClaim().map(claim -> jws.getBody().get(claim, String.class));
       if (settings.getUserClaim().isPresent())

core/src/main/java/tech/beshu/ror/settings/rules/JwtAuthRuleSettings.java

@@ -27,27 +27,31 @@
 public class JwtAuthRuleSettings implements RuleSettings, AuthKeyProviderSettings {
 
   public static final String ATTRIBUTE_NAME = "jwt_auth";
+  public static final String SIGNATURE_ALGO = "signature_algo";
   public static final String SIGNATURE_KEY = "signature_key";
   public static final String USER_CLAIM = "user_claim";
   public static final String HEADER_NAME = "header_name";
   public static final String DEFAULT_HEADER_NAME = "Authorization";
 
   private final byte[] key;
   private final Optional<String> userClaim;
+  private final Optional<String> algo;
   private final String headerName;
 
-  private JwtAuthRuleSettings(String key, Optional<String> userClaim, Optional<String> headerName) {
+  private JwtAuthRuleSettings(String key,  Optional<String> algo, Optional<String> userClaim, Optional<String> headerName) {
     if (Strings.isNullOrEmpty(key))
       throw new SettingsMalformedException(
         "Attribute '" + SIGNATURE_KEY + "' shall not evaluate to an empty string");
     this.key = key.getBytes();
+    this.algo = algo;
     this.userClaim = userClaim;
     this.headerName = headerName.orElse(DEFAULT_HEADER_NAME);
   }
 
   public static JwtAuthRuleSettings from(RawSettings settings) {
     return new JwtAuthRuleSettings(
       evalPrefixedSignatureKey(ensureString(settings, SIGNATURE_KEY)),
+      settings.stringOpt(SIGNATURE_ALGO),
       settings.stringOpt(USER_CLAIM),
       settings.stringOpt(HEADER_NAME)
     );
@@ -72,6 +76,10 @@ public byte[] getKey() {
     return key;
   }
 
+  public Optional<String> getAlgo() {
+   return algo;
+  }
+
   public Optional<String> getUserClaim() {
     return userClaim;
   }

core/src/test/java/tech/beshu/ror/acl/blocks/rules/impl/JwtAuthRuleTests.java

@@ -32,6 +32,11 @@
 import tech.beshu.ror.requestcontext.RequestContext;
 import tech.beshu.ror.settings.rules.JwtAuthRuleSettings;
 
+import java.security.KeyException;
+import java.security.KeyFactory;
+import java.security.PrivateKey;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.Base64;
 import java.util.Map.Entry;
 import java.util.Optional;
 
@@ -46,6 +51,7 @@
 public class JwtAuthRuleTests {
 
   private static final String SETTINGS_SIGNATURE_KEY = JwtAuthRuleSettings.SIGNATURE_KEY;
+  private static final String SETTINGS_SIGNATURE_ALGO = JwtAuthRuleSettings.SIGNATURE_ALGO;
   private static final String SETTINGS_USER_CLAIM = JwtAuthRuleSettings.USER_CLAIM;
   private static final String ALGO = "HS256";
   private static final String SECRET = "123456";
@@ -73,6 +79,26 @@ public void shouldAcceptTokenWithValidSignature() {
     assertTrue(res.get().isMatch());
   }
 
+  @Test
+  public void shouldAcceptTokenWithValidRSASignature() throws KeyException {
+    String token = Jwts.builder()
+      .setSubject(SUBJECT)
+      .signWith(SignatureAlgorithm.valueOf("RS256"), getRsaPrivateKey())
+      .compact();
+
+    RawSettings settings = makeSettings(SETTINGS_SIGNATURE_KEY, getRsaPublicKey(), SETTINGS_SIGNATURE_ALGO, "RSA");
+
+    RequestContext rc = getMock(token);
+
+    Optional<SyncRule> rule = makeRule(settings);
+    Optional<RuleExitResult> res = rule.map(r -> r.match(rc));
+    rc.commit();
+
+    assertTrue(rule.isPresent());
+    assertTrue(res.isPresent());
+    assertTrue(res.get().isMatch());
+  }
+
   @Test
   public void shouldRejectTokenWithInvalidSignature() {
     String token = Jwts.builder()
@@ -91,6 +117,26 @@ public void shouldRejectTokenWithInvalidSignature() {
     assertFalse(res.get().isMatch());
   }
 
+  @Test
+  public void shouldRejectRSATokenWithInvalidSignature() throws KeyException {
+    String token = Jwts.builder()
+      .setSubject(SUBJECT)
+      .signWith(SignatureAlgorithm.valueOf("RS256"), getRsaPrivateKey())
+      .compact();
+
+    RawSettings settings = makeSettings(SETTINGS_SIGNATURE_KEY, getInvalidPublicKey(), SETTINGS_SIGNATURE_ALGO, "RSA");
+
+    RequestContext rc = getMock(token);
+
+    Optional<SyncRule> rule = makeRule(settings);
+    Optional<RuleExitResult> res = rule.map(r -> r.match(rc));
+    rc.commit();
+
+    assertTrue(rule.isPresent());
+    assertTrue(res.isPresent());
+    assertFalse(res.get().isMatch());
+  }
+
   @Test
   public void shouldAcceptAUserClaimSetting() {
     RawSettings settings = makeSettings(SETTINGS_SIGNATURE_KEY, SECRET,
@@ -239,4 +285,49 @@ private Optional<SyncRule> makeRule(RawSettings settings) {
       return Optional.empty();
     }
   }
+
+  private PrivateKey getRsaPrivateKey() throws KeyException {
+    try {
+      byte[] decoded = Base64.getMimeDecoder().decode("MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCzBElX1jA8I8K7\n" +
+        "TXvdKV+nkvu+/qJOab50asTpDT/WlRVsL+wZLgi1+R6t5Qu4thWI3SmqEY3E0A9l\n" +
+        "puM4vlICUiqrmPTm+UY41oQFMz4XwoP4cQh/E/g5nBykL3YPqkzYUoJhRknH+lna\n" +
+        "wzEUafupH0N0Kc8eruG+9pM0BkLDweUFrHzXzY3C423LQSm5mYeglMYJlFcmJ9vo\n" +
+        "MnCUmDPY4qTNlFy8U4ksBFBA1+q/ppFqeeOasAlHh7lnLAtR78I/rGLhVDBqAgO0\n" +
+        "W2sOMDMLP584ll0zryYrulA7OEsQGYqQepSmUS9pm0243dl0gwsuGYbc0m5LP24B\n" +
+        "F/RLQ2pJAgMBAAECggEAAPS+54cvTsLqIVHynWXBKwXv7j8x4rVR3RFM5+m4M48s\n" +
+        "RB2lZyUFyuL/tPIKM/xU9RwpQs1BMpHh4ysW/5CUo4qIy83PUQR3yYnrvpNde4cA\n" +
+        "aW1BHFyg8L3SsVXHjaHdMzKNm7NiZX0CydZNBsziGS8fjxlCD+njLr/mXVrDNIRs\n" +
+        "SVQ+rZjnNIjflX7KnIYmLtN6a64mC/UPDobtmmadvyAf8Hc/o7JX1Iqy4wtIuEFb\n" +
+        "qf82+xXPcEJqST0fFfWcMp3WEU0cyWNfFZWlmmqzMrJPqCJaRJMMFwawxHI4GQMW\n" +
+        "W/3OyYT4ySdD/Lt/+rQRkR4BbI8J5h9CfNSrhYryeQKBgQDWlsXVQdgsVsC4pXay\n" +
+        "LxjMf5zbcFxg+Jdp3koHpJS5my8cWTRFcRxyTFf8KDesKb/fEhYVV40CurZv4vKU\n" +
+        "jHJYf+72QjAVWN6Wyjmxa9Ctc6n1OdZ4gHwBdYNnJJHXhihAbzT4kzF8uccFg6Oj\n" +
+        "Es8csXdPnJ4huNN38FWhnfdpQwKBgQDVkCh6WkmjqYSh3F+Zr/sYCc+B42hvhIbt\n" +
+        "OLr3U1PTqgv9DRtCfPcR1oJS0kilUo2Fd+4P3xV6EJTpOJbZdIYTRkxIrl6ORDkF\n" +
+        "0Lp01Vnzv3DVjhpL4oMdWAVTC7BLJCN8inmz+Pf6RndJrBgLz2HQXMN3NCm5b+21\n" +
+        "ojK0iGHvgwKBgFrdl0H5UrdbuNm3Pu6uoLqfYuVMy+FIAp2SwhhAabW6b5V6dHbf\n" +
+        "MaN4jl05DnH5b8TenLlGzHAWbgAswnmCizzMV3yxhDjV29NQKGPneoKoEpTDe/yk\n" +
+        "s13Oy+iWBKeVqF+4d162vWLKK+s61cTMxySoRRRSBmfTIsCL5Ua9ZDGPAoGAcn8X\n" +
+        "NIGzeUspEJ5Vos/2jqyz069YDnG+5O/FTVQfXRuN0d10//B/hdC7jiuvRvM7bJMf\n" +
+        "zuKLYSYCsAbm2S7fsvW9cDoL97ob2EJPtNOtpkC8/cFx171ZDiJiuGNL4P0/CUY0\n" +
+        "eYjBaizdR2I8ghhtGIijQwV0WTbo+rg69w8ncoECgYBmf4xoW03WYtzGkinhN6FQ\n" +
+        "SZt3/ATmJR0iLFzcvMncP+4xGq1J1oL7v0ArUX1mWGfJRS27zgH7k/qJprABnJnI\n" +
+        "0TXjhBObmkicvOm11rYK2he2g+eW5RbZpr7FfrNuiZjMOmJn8dWHuwtboNcuEF3A\n" +
+        "6Mzj9h2krlUiyKMi0IKLHw==");
+      PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
+      KeyFactory kf = KeyFactory.getInstance("RSA");
+      return kf.generatePrivate(spec);
+    } catch (Exception e) {
+      throw new KeyException(e);
+    }
+  }
+
+  private String getRsaPublicKey() {
+    return "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAswRJV9YwPCPCu0173Slfp5L7vv6iTmm+dGrE6Q0/1pUVbC/sGS4ItfkereULuLYViN0pqhGNxNAPZabjOL5SAlIqq5j05vlGONaEBTM+F8KD+HEIfxP4OZwcpC92D6pM2FKCYUZJx/pZ2sMxFGn7qR9DdCnPHq7hvvaTNAZCw8HlBax8182NwuNty0EpuZmHoJTGCZRXJifb6DJwlJgz2OKkzZRcvFOJLARQQNfqv6aRannjmrAJR4e5ZywLUe/CP6xi4VQwagIDtFtrDjAzCz+fOJZdM68mK7pQOzhLEBmKkHqUplEvaZtNuN3ZdIMLLhmG3NJuSz9uARf0S0NqSQIDAQAB";
+  }
+
+  private String getInvalidPublicKey() {
+    return getRsaPublicKey().replace("QAB", "QAC");
+  }
+
 }