xref: /aosp_15_r20/external/tink/cc/jwt/internal/raw_jwt_ecdsa_verify_key_manager.cc (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5) 
1 // Copyright 2021 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ///////////////////////////////////////////////////////////////////////////////
16 
17 #include "tink/jwt/internal/raw_jwt_ecdsa_verify_key_manager.h"
18 
19 #include <memory>
20 #include <utility>
21 
22 #include "absl/status/status.h"
23 #include "absl/strings/string_view.h"
24 #include "tink/internal/ec_util.h"
25 #include "tink/public_key_verify.h"
26 #include "tink/subtle/ecdsa_verify_boringssl.h"
27 #include "tink/util/enums.h"
28 #include "tink/util/errors.h"
29 #include "tink/util/protobuf_helper.h"
30 #include "tink/util/status.h"
31 #include "tink/util/statusor.h"
32 #include "tink/util/validation.h"
33 #include "proto/jwt_ecdsa.pb.h"
34 
35 namespace crypto {
36 namespace tink {
37 namespace jwt_internal {
38 
39 using crypto::tink::util::Enums;
40 using crypto::tink::util::Status;
41 using crypto::tink::util::StatusOr;
42 using google::crypto::tink::JwtEcdsaAlgorithm;
43 using google::crypto::tink::JwtEcdsaPublicKey;
44 using google::crypto::tink::EllipticCurveType;
45 using google::crypto::tink::HashType;
46 
47 StatusOr<std::unique_ptr<PublicKeyVerify>>
Create(const JwtEcdsaPublicKey & jwt_ecdsa_public_key) const48 RawJwtEcdsaVerifyKeyManager::PublicKeyVerifyFactory::Create(
49       const JwtEcdsaPublicKey& jwt_ecdsa_public_key) const {
50   internal::EcKey ec_key;
51   util::StatusOr<google::crypto::tink::EllipticCurveType> curve =
52       CurveForEcdsaAlgorithm(jwt_ecdsa_public_key.algorithm());
53   if (!curve.ok()) {
54     return curve.status();
55   }
56   ec_key.curve = Enums::ProtoToSubtle(*curve);
57   ec_key.pub_x = jwt_ecdsa_public_key.x();
58   ec_key.pub_y = jwt_ecdsa_public_key.y();
59   util::StatusOr<google::crypto::tink::HashType> hash_type =
60       HashForEcdsaAlgorithm(jwt_ecdsa_public_key.algorithm());
61   if (!hash_type.ok()) {
62     return hash_type.status();
63   }
64   auto result = subtle::EcdsaVerifyBoringSsl::New(
65       ec_key, Enums::ProtoToSubtle(*hash_type),
66       subtle::EcdsaSignatureEncoding::IEEE_P1363);
67   if (!result.ok()) return result.status();
68   return {*std::move(result)};
69 }
70 
71 StatusOr<EllipticCurveType>
CurveForEcdsaAlgorithm(const JwtEcdsaAlgorithm & algorithm)72 RawJwtEcdsaVerifyKeyManager::CurveForEcdsaAlgorithm(
73     const JwtEcdsaAlgorithm& algorithm) {
74   switch (algorithm) {
75     case JwtEcdsaAlgorithm::ES256:
76       return EllipticCurveType::NIST_P256;
77     case JwtEcdsaAlgorithm::ES384:
78       return EllipticCurveType::NIST_P384;
79     case JwtEcdsaAlgorithm::ES512:
80       return EllipticCurveType::NIST_P521;
81     default:
82       return Status(absl::StatusCode::kInvalidArgument,
83                     "Unsupported Ecdsa Algorithm");
84   }
85 }
86 
HashForEcdsaAlgorithm(const JwtEcdsaAlgorithm & algorithm)87 StatusOr<HashType> RawJwtEcdsaVerifyKeyManager::HashForEcdsaAlgorithm(
88     const JwtEcdsaAlgorithm& algorithm) {
89   switch (algorithm) {
90     case JwtEcdsaAlgorithm::ES256:
91       return HashType::SHA256;
92     case JwtEcdsaAlgorithm::ES384:
93       return HashType::SHA384;
94     case JwtEcdsaAlgorithm::ES512:
95       return HashType::SHA512;
96     default:
97       return Status(absl::StatusCode::kInvalidArgument,
98                     "Unsupported Ecdsa Algorithm");
99   }
100 }
101 
ValidateAlgorithm(const JwtEcdsaAlgorithm & algorithm)102 Status RawJwtEcdsaVerifyKeyManager::ValidateAlgorithm(
103     const JwtEcdsaAlgorithm& algorithm) {
104   switch (algorithm) {
105     case JwtEcdsaAlgorithm::ES256:
106     case JwtEcdsaAlgorithm::ES384:
107     case JwtEcdsaAlgorithm::ES512:
108       return util::OkStatus();
109     default:
110       return Status(absl::StatusCode::kInvalidArgument,
111                     "Unsupported Ecdsa Algorithm");
112   }
113   return util::OkStatus();
114 }
115 
ValidateKey(const JwtEcdsaPublicKey & key) const116 Status RawJwtEcdsaVerifyKeyManager::ValidateKey(
117     const JwtEcdsaPublicKey& key) const {
118   Status status = ValidateVersion(key.version(), get_version());
119   if (!status.ok()) return status;
120   return ValidateAlgorithm(key.algorithm());
121 }
122 
123 }  // namespace jwt_internal
124 }  // namespace tink
125 }  // namespace crypto
126