xref: /aosp_15_r20/external/tink/cc/jwt/internal/raw_jwt_rsa_ssa_pkcs1_verify_key_manager.cc (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5) 
1 // Copyright 2021 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ///////////////////////////////////////////////////////////////////////////////
16 
17 #include "tink/jwt/internal/raw_jwt_rsa_ssa_pkcs1_verify_key_manager.h"
18 
19 #include <memory>
20 #include <utility>
21 
22 #include "absl/status/status.h"
23 #include "absl/strings/str_cat.h"
24 #include "absl/strings/string_view.h"
25 #include "tink/internal/bn_util.h"
26 #include "tink/internal/rsa_util.h"
27 #include "tink/internal/ssl_unique_ptr.h"
28 #include "tink/public_key_verify.h"
29 #include "tink/subtle/rsa_ssa_pkcs1_verify_boringssl.h"
30 #include "tink/util/enums.h"
31 #include "tink/util/errors.h"
32 #include "tink/util/protobuf_helper.h"
33 #include "tink/util/status.h"
34 #include "tink/util/statusor.h"
35 #include "tink/util/validation.h"
36 #include "proto/jwt_rsa_ssa_pkcs1.pb.h"
37 
38 namespace crypto {
39 namespace tink {
40 
41 using crypto::tink::util::Enums;
42 using crypto::tink::util::Status;
43 using crypto::tink::util::StatusOr;
44 using google::crypto::tink::HashType;
45 using google::crypto::tink::JwtRsaSsaPkcs1Algorithm;
46 using google::crypto::tink::JwtRsaSsaPkcs1PublicKey;
47 
48 StatusOr<std::unique_ptr<PublicKeyVerify>>
Create(const JwtRsaSsaPkcs1PublicKey & jwt_rsa_ssa_pkcs1_public_key) const49 RawJwtRsaSsaPkcs1VerifyKeyManager::PublicKeyVerifyFactory::Create(
50     const JwtRsaSsaPkcs1PublicKey& jwt_rsa_ssa_pkcs1_public_key) const {
51   internal::RsaPublicKey rsa_pub_key;
52   rsa_pub_key.n = jwt_rsa_ssa_pkcs1_public_key.n();
53   rsa_pub_key.e = jwt_rsa_ssa_pkcs1_public_key.e();
54 
55   util::StatusOr<google::crypto::tink::HashType> hash =
56       RawJwtRsaSsaPkcs1VerifyKeyManager::HashForPkcs1Algorithm(
57           jwt_rsa_ssa_pkcs1_public_key.algorithm());
58   if (!hash.ok()) {
59     return hash.status();
60   }
61   internal::RsaSsaPkcs1Params params;
62   params.hash_type = Enums::ProtoToSubtle(*hash);
63 
64   util::StatusOr<std::unique_ptr<subtle::RsaSsaPkcs1VerifyBoringSsl>> verify =
65       subtle::RsaSsaPkcs1VerifyBoringSsl::New(rsa_pub_key, params);
66   if (!verify.ok()) return verify.status();
67   return {std::move(*verify)};
68 }
69 
ValidateKey(const JwtRsaSsaPkcs1PublicKey & key) const70 Status RawJwtRsaSsaPkcs1VerifyKeyManager::ValidateKey(
71     const JwtRsaSsaPkcs1PublicKey& key) const {
72   Status status = ValidateVersion(key.version(), get_version());
73   if (!status.ok()) return status;
74   StatusOr<internal::SslUniquePtr<BIGNUM>> n =
75       internal::StringToBignum(key.n());
76   if (!n.ok()) {
77     return n.status();
78   }
79   Status modulus_status =
80       internal::ValidateRsaModulusSize(BN_num_bits(n->get()));
81   if (!modulus_status.ok()) {
82     return modulus_status;
83   }
84   Status exponent_status = internal::ValidateRsaPublicExponent(key.e());
85   if (!exponent_status.ok()) {
86     return exponent_status;
87   }
88   return ValidateAlgorithm(key.algorithm());
89 }
90 
ValidateAlgorithm(const JwtRsaSsaPkcs1Algorithm & algorithm)91 Status RawJwtRsaSsaPkcs1VerifyKeyManager::ValidateAlgorithm(
92     const JwtRsaSsaPkcs1Algorithm& algorithm) {
93   switch (algorithm) {
94     case JwtRsaSsaPkcs1Algorithm::RS256:
95     case JwtRsaSsaPkcs1Algorithm::RS384:
96     case JwtRsaSsaPkcs1Algorithm::RS512:
97       return util::OkStatus();
98     default:
99       return Status(absl::StatusCode::kInvalidArgument,
100                     "Unsupported RSA SSA PKCS1 Algorithm");
101   }
102   return util::OkStatus();
103 }
104 
HashForPkcs1Algorithm(const JwtRsaSsaPkcs1Algorithm & algorithm)105 StatusOr<HashType> RawJwtRsaSsaPkcs1VerifyKeyManager::HashForPkcs1Algorithm(
106     const JwtRsaSsaPkcs1Algorithm& algorithm) {
107   switch (algorithm) {
108     case JwtRsaSsaPkcs1Algorithm::RS256:
109       return HashType::SHA256;
110     case JwtRsaSsaPkcs1Algorithm::RS384:
111       return HashType::SHA384;
112     case JwtRsaSsaPkcs1Algorithm::RS512:
113       return HashType::SHA512;
114     default:
115       return Status(absl::StatusCode::kInvalidArgument,
116                     "Unsupported RSA SSA PKCS1 Algorithm");
117   }
118 }
119 
120 }  // namespace tink
121 }  // namespace crypto
122