code: refactor util.c: factor out util/key.c

zandbelt · zandbelt · commit c784a3e134ca · 2025-05-17T20:57:09.000+02:00
Signed-off-by: Hans Zandbelt &lt;hans.zandbelt@openidc.com&gt;
diff --git a/Makefile.am b/Makefile.am
@@ -49,6 +49,7 @@ libauth_openidc_la_SOURCES = \
 	src/util/jq.c \
 	src/util/json.c \
 	src/util/jwt.c \
+	src/util/key.c \
 	src/util/pcre_subst.c \
 	src/util/random.c \
 	src/util/url.c \
diff --git a/src/handle/logout.c b/src/handle/logout.c
@@ -307,7 +307,7 @@ static int oidc_logout_backchannel(request_rec *r, oidc_cfg_t *cfg) {
 	// TODO: jwk symmetric key based on provider
 
 	if (oidc_jwt_parse(r->pool, logout_token, &jwt,
-			   oidc_util_merge_symmetric_key(r->pool, oidc_cfg_private_keys_get(cfg), NULL), FALSE,
+			   oidc_util_key_symmetric_merge(r->pool, oidc_cfg_private_keys_get(cfg), NULL), FALSE,
 			   &err) == FALSE) {
 		oidc_error(r, "oidc_jwt_parse failed: %s", oidc_jose_e2s(r->pool, err));
 		goto out;
@@ -334,14 +334,14 @@ static int oidc_logout_backchannel(request_rec *r, oidc_cfg_t *cfg) {
 	// TODO: destroy the JWK used for decryption
 
 	jwk = NULL;
-	if (oidc_util_create_symmetric_key(r, oidc_cfg_provider_client_secret_get(provider), 0, NULL, TRUE, &jwk) ==
+	if (oidc_util_key_symmetric_create(r, oidc_cfg_provider_client_secret_get(provider), 0, NULL, TRUE, &jwk) ==
 	    FALSE)
 		return FALSE;
 
 	if (oidc_proto_jwt_verify(
 		r, cfg, jwt, oidc_cfg_provider_jwks_uri_get(provider),
 		oidc_cfg_provider_ssl_validate_server_get(provider),
-		oidc_util_merge_symmetric_key(r->pool, oidc_cfg_provider_verify_public_keys_get(provider), jwk),
+		oidc_util_key_symmetric_merge(r->pool, oidc_cfg_provider_verify_public_keys_get(provider), jwk),
 		oidc_cfg_provider_id_token_signed_response_alg_get(provider)) == FALSE) {
 
 		oidc_error(r, "id_token signature could not be validated, aborting");
diff --git a/src/oauth.c b/src/oauth.c
@@ -561,13 +561,13 @@ static apr_byte_t oidc_oauth_validate_jwt_access_token(request_rec *r, oidc_cfg_
 	oidc_jwk_t *jwk = NULL;
 
 	// TODO: replace this OIDC client secret with OIDCOAuthDecryptSharedKeys
-	if (oidc_util_create_symmetric_key(r, oidc_cfg_provider_client_secret_get(oidc_cfg_provider_get(c)), 0, NULL,
+	if (oidc_util_key_symmetric_create(r, oidc_cfg_provider_client_secret_get(oidc_cfg_provider_get(c)), 0, NULL,
 					   TRUE, &jwk) == FALSE)
 		return FALSE;
 
 	oidc_jwt_t *jwt = NULL;
 	if (oidc_jwt_parse(r->pool, access_token, &jwt,
-			   oidc_util_merge_symmetric_key(r->pool, oidc_cfg_private_keys_get(c), jwk), FALSE,
+			   oidc_util_key_symmetric_merge(r->pool, oidc_cfg_private_keys_get(c), jwk), FALSE,
 			   &err) == FALSE) {
 		oidc_error(r, "could not parse JWT from access_token: %s", oidc_jose_e2s(r->pool, err));
 		oidc_jwk_destroy(jwk);
@@ -597,7 +597,7 @@ static apr_byte_t oidc_oauth_validate_jwt_access_token(request_rec *r, oidc_cfg_
 				    oidc_cfg_provider_userinfo_refresh_interval_get(oidc_cfg_provider_get(c)), NULL,
 				    NULL};
 	if (oidc_proto_jwt_verify(r, c, jwt, &jwks_uri, oidc_cfg_oauth_ssl_validate_server_get(c),
-				  oidc_util_merge_key_sets(r->pool, oidc_cfg_oauth_verify_shared_keys_get(c),
+				  oidc_util_key_sets_merge(r->pool, oidc_cfg_oauth_verify_shared_keys_get(c),
 							   oidc_cfg_oauth_verify_public_keys_get(c)),
 				  NULL) == FALSE) {
 		oidc_error(r, "JWT access token signature could not be validated, aborting");
diff --git a/src/proto/id_token.c b/src/proto/id_token.c
@@ -391,14 +391,14 @@ apr_byte_t oidc_proto_idtoken_parse(request_rec *r, oidc_cfg_t *cfg, oidc_provid
 	char buf[APR_RFC822_DATE_LEN + 1];
 	oidc_jose_error_t err;
 	oidc_jwk_t *jwk = NULL;
-	if (oidc_util_create_symmetric_key(r, oidc_cfg_provider_client_secret_get(provider), oidc_alg2keysize(alg),
+	if (oidc_util_key_symmetric_create(r, oidc_cfg_provider_client_secret_get(provider), oidc_alg2keysize(alg),
 					   OIDC_JOSE_ALG_SHA256, TRUE, &jwk) == FALSE)
 		return FALSE;
 
-	decryption_keys = oidc_util_merge_symmetric_key(r->pool, oidc_cfg_private_keys_get(cfg), jwk);
+	decryption_keys = oidc_util_key_symmetric_merge(r->pool, oidc_cfg_private_keys_get(cfg), jwk);
 	if (oidc_cfg_provider_client_keys_get(provider))
 		decryption_keys =
-		    oidc_util_merge_key_sets(r->pool, decryption_keys, oidc_cfg_provider_client_keys_get(provider));
+		    oidc_util_key_sets_merge(r->pool, decryption_keys, oidc_cfg_provider_client_keys_get(provider));
 
 	if (oidc_jwt_parse(r->pool, id_token, jwt, decryption_keys, FALSE, &err) == FALSE) {
 		oidc_error(r, "oidc_jwt_parse failed: %s", oidc_jose_e2s(r->pool, err));
@@ -415,7 +415,7 @@ apr_byte_t oidc_proto_idtoken_parse(request_rec *r, oidc_cfg_t *cfg, oidc_provid
 	if (is_code_flow == FALSE || _oidc_strcmp((*jwt)->header.alg, "none") != 0) {
 
 		jwk = NULL;
-		if (oidc_util_create_symmetric_key(r, oidc_cfg_provider_client_secret_get(provider), 0, NULL, TRUE,
+		if (oidc_util_key_symmetric_create(r, oidc_cfg_provider_client_secret_get(provider), 0, NULL, TRUE,
 						   &jwk) == FALSE) {
 			oidc_jwt_destroy(*jwt);
 			*jwt = NULL;
@@ -425,7 +425,7 @@ apr_byte_t oidc_proto_idtoken_parse(request_rec *r, oidc_cfg_t *cfg, oidc_provid
 		if (oidc_proto_jwt_verify(
 			r, cfg, *jwt, oidc_cfg_provider_jwks_uri_get(provider),
 			oidc_cfg_provider_ssl_validate_server_get(provider),
-			oidc_util_merge_symmetric_key(r->pool, oidc_cfg_provider_verify_public_keys_get(provider), jwk),
+			oidc_util_key_symmetric_merge(r->pool, oidc_cfg_provider_verify_public_keys_get(provider), jwk),
 			oidc_cfg_provider_id_token_signed_response_alg_get(provider)) == FALSE) {
 
 			oidc_error(r, "id_token signature could not be validated, aborting");
diff --git a/src/proto/jwt.c b/src/proto/jwt.c
@@ -187,7 +187,7 @@ apr_byte_t oidc_proto_jwt_verify(request_rec *r, oidc_cfg_t *cfg, oidc_jwt_t *jw
 
 	/* do the actual JWS verification with the locally and remotely provided key material */
 	// TODO: now static keys "win" if the same `kid` was used in both local and remote key sets
-	rv = oidc_jwt_verify(r->pool, jwt, oidc_util_merge_key_sets_hash(r->pool, static_keys, dynamic_keys), &err);
+	rv = oidc_jwt_verify(r->pool, jwt, oidc_util_key_sets_hash_merge(r->pool, static_keys, dynamic_keys), &err);
 
 	/* if no kid was provided we may have used stale keys from the cache, so we'll refresh it */
 	if ((rv == FALSE) && (jwt->header.kid == NULL)) {
@@ -198,7 +198,7 @@ apr_byte_t oidc_proto_jwt_verify(request_rec *r, oidc_cfg_t *cfg, oidc_jwt_t *jw
 		/* destroy the list to avoid memory leaks when keys with the same kid are retrieved */
 		oidc_jwk_list_destroy_hash(dynamic_keys);
 		oidc_proto_jwks_uri_keys(r, cfg, jwt, jwks_uri, ssl_validate_server, dynamic_keys, &force_refresh);
-		rv = oidc_jwt_verify(r->pool, jwt, oidc_util_merge_key_sets_hash(r->pool, static_keys, dynamic_keys),
+		rv = oidc_jwt_verify(r->pool, jwt, oidc_util_key_sets_hash_merge(r->pool, static_keys, dynamic_keys),
 				     &err);
 	}
 
diff --git a/src/proto/request.c b/src/proto/request.c
@@ -399,7 +399,7 @@ static char *oidc_request_uri_request_object(request_rec *r, struct oidc_provide
 			}
 			break;
 		case CJOSE_JWK_KTY_OCT:
-			oidc_util_create_symmetric_key(r, oidc_cfg_provider_client_secret_get(provider), 0, NULL, FALSE,
+			oidc_util_key_symmetric_create(r, oidc_cfg_provider_client_secret_get(provider), 0, NULL, FALSE,
 						       &sjwk);
 			jwk_needs_destroy = 1;
 			break;
@@ -452,7 +452,7 @@ static char *oidc_request_uri_request_object(request_rec *r, struct oidc_provide
 			oidc_request_uri_encryption_jwk_by_type(r, cfg, provider, oidc_jwt_alg2kty(jwe), &ejwk);
 			break;
 		case CJOSE_JWK_KTY_OCT:
-			oidc_util_create_symmetric_key(r, oidc_cfg_provider_client_secret_get(provider),
+			oidc_util_key_symmetric_create(r, oidc_cfg_provider_client_secret_get(provider),
 						       oidc_alg2keysize(jwe->header.alg), OIDC_JOSE_ALG_SHA256, FALSE,
 						       &ejwk);
 			break;
diff --git a/src/proto/userinfo.c b/src/proto/userinfo.c
@@ -71,13 +71,13 @@ static apr_byte_t oidc_proto_userinfo_response_jwt_parse(request_rec *r, oidc_cf
 		   oidc_cfg_provider_userinfo_encrypted_response_alg_get(provider),
 		   oidc_cfg_provider_userinfo_encrypted_response_enc_get(provider));
 
-	if (oidc_util_create_symmetric_key(r, oidc_cfg_provider_client_secret_get(provider), oidc_alg2keysize(alg),
+	if (oidc_util_key_symmetric_create(r, oidc_cfg_provider_client_secret_get(provider), oidc_alg2keysize(alg),
 					   OIDC_JOSE_ALG_SHA256, TRUE, &jwk) == FALSE)
 		goto end;
 
 	if (oidc_cfg_provider_userinfo_encrypted_response_alg_get(provider) != NULL) {
 		if (oidc_jwe_decrypt(r->pool, *response,
-				     oidc_util_merge_symmetric_key(r->pool, oidc_cfg_private_keys_get(cfg), jwk),
+				     oidc_util_key_symmetric_merge(r->pool, oidc_cfg_private_keys_get(cfg), jwk),
 				     &payload, NULL, &err, TRUE) == FALSE) {
 			oidc_error(r, "oidc_jwe_decrypt failed: %s", oidc_jose_e2s(r->pool, err));
 			goto end;
@@ -93,7 +93,7 @@ static apr_byte_t oidc_proto_userinfo_response_jwt_parse(request_rec *r, oidc_cf
 	}
 
 	if (oidc_jwt_parse(r->pool, *response, &jwt,
-			   oidc_util_merge_symmetric_key(r->pool, oidc_cfg_private_keys_get(cfg), jwk), FALSE,
+			   oidc_util_key_symmetric_merge(r->pool, oidc_cfg_private_keys_get(cfg), jwk), FALSE,
 			   &err) == FALSE) {
 		oidc_error(r, "oidc_jwt_parse failed: %s", oidc_jose_e2s(r->pool, err));
 		goto end;
@@ -105,13 +105,13 @@ static apr_byte_t oidc_proto_userinfo_response_jwt_parse(request_rec *r, oidc_cf
 	oidc_jwk_destroy(jwk);
 	jwk = NULL;
 
-	if (oidc_util_create_symmetric_key(r, oidc_cfg_provider_client_secret_get(provider), 0, NULL, TRUE, &jwk) ==
+	if (oidc_util_key_symmetric_create(r, oidc_cfg_provider_client_secret_get(provider), 0, NULL, TRUE, &jwk) ==
 	    FALSE)
 		goto end;
 
 	if (oidc_proto_jwt_verify(r, cfg, jwt, oidc_cfg_provider_jwks_uri_get(provider),
 				  oidc_cfg_provider_ssl_validate_server_get(provider),
-				  oidc_util_merge_symmetric_key(r->pool, NULL, jwk),
+				  oidc_util_key_symmetric_merge(r->pool, NULL, jwk),
 				  oidc_cfg_provider_userinfo_signed_response_alg_get(provider)) == FALSE) {
 
 		oidc_error(r, "JWT signature could not be validated, aborting");
@@ -193,7 +193,7 @@ static apr_byte_t oidc_proto_userinfo_request_composite_claims(request_rec *r, o
 				oidc_jwt_t *jwt = NULL;
 				if (oidc_jwt_parse(
 					r->pool, s_json, &jwt,
-					oidc_util_merge_symmetric_key(r->pool, oidc_cfg_private_keys_get(cfg), jwk),
+					oidc_util_key_symmetric_merge(r->pool, oidc_cfg_private_keys_get(cfg), jwk),
 					FALSE, &err) == FALSE) {
 					oidc_error(r, "could not parse JWT from aggregated claim \"%s\": %s", key,
 						   oidc_jose_e2s(r->pool, err));
diff --git a/src/util/jwt.c b/src/util/jwt.c
@@ -122,7 +122,7 @@ apr_byte_t oidc_util_jwt_create(request_rec *r, const oidc_crypto_passphrase_t *
 		goto end;
 	}
 
-	if (oidc_util_create_symmetric_key(r, passphrase->secret1, 0, OIDC_JOSE_ALG_SHA256, FALSE, &jwk) == FALSE)
+	if (oidc_util_key_symmetric_create(r, passphrase->secret1, 0, OIDC_JOSE_ALG_SHA256, FALSE, &jwk) == FALSE)
 		goto end;
 
 	if (oidc_util_jwt_internal_compress(r)) {
@@ -197,11 +197,11 @@ apr_byte_t oidc_util_jwt_verify(request_rec *r, const oidc_crypto_passphrase_t *
 	keys = apr_hash_make(r->pool);
 
 	if ((passphrase->secret2 != NULL) && (kid == NULL)) {
-		if (oidc_util_create_symmetric_key(r, passphrase->secret2, 0, OIDC_JOSE_ALG_SHA256, FALSE, &jwk) ==
+		if (oidc_util_key_symmetric_create(r, passphrase->secret2, 0, OIDC_JOSE_ALG_SHA256, FALSE, &jwk) ==
 		    FALSE)
 			goto end;
 	} else {
-		if (oidc_util_create_symmetric_key(r, passphrase->secret1, 0, OIDC_JOSE_ALG_SHA256, FALSE, &jwk) ==
+		if (oidc_util_key_symmetric_create(r, passphrase->secret1, 0, OIDC_JOSE_ALG_SHA256, FALSE, &jwk) ==
 		    FALSE)
 			goto end;
 	}
diff --git a/src/util/key.c b/src/util/key.c
@@ -0,0 +1,148 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/***************************************************************************
+ * Copyright (C) 2017-2025 ZmartZone Holding BV
+ * All rights reserved.
+ *
+ * DISCLAIMER OF WARRANTIES:
+ *
+ * THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT
+ * ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING,
+ * WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT,
+ * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.  NOR ARE THERE ANY
+ * WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE
+ * USAGE.  FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET
+ * YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE
+ * WILL BE UNINTERRUPTED.  IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @Author: Hans Zandbelt - hans.zandbelt@openidc.com
+ */
+
+#include "util/util.h"
+
+/*
+ * create a symmetric key from a client_secret
+ */
+apr_byte_t oidc_util_key_symmetric_create(request_rec *r, const char *client_secret, unsigned int r_key_len,
+					  const char *hash_algo, apr_byte_t set_kid, oidc_jwk_t **jwk) {
+	oidc_jose_error_t err = {{'\0'}, 0, {'\0'}, {'\0'}};
+	unsigned char *key = NULL;
+	unsigned int key_len;
+
+	if ((client_secret != NULL) && (_oidc_strlen(client_secret) > 0)) {
+
+		if (hash_algo == NULL) {
+			key = (unsigned char *)client_secret;
+			key_len = _oidc_strlen(client_secret);
+		} else {
+			/* hash the client_secret first, this is OpenID Connect specific */
+			oidc_jose_hash_bytes(r->pool, hash_algo, (const unsigned char *)client_secret,
+					     _oidc_strlen(client_secret), &key, &key_len, &err);
+		}
+
+		if ((key != NULL) && (key_len > 0)) {
+			if ((r_key_len != 0) && (key_len >= r_key_len))
+				key_len = r_key_len;
+			oidc_debug(r, "key_len=%d", key_len);
+			*jwk = oidc_jwk_create_symmetric_key(r->pool, NULL, key, key_len, set_kid, &err);
+		}
+
+		if (*jwk == NULL) {
+			oidc_error(r, "could not create JWK from the provided secret: %s", oidc_jose_e2s(r->pool, err));
+			return FALSE;
+		}
+	}
+
+	return TRUE;
+}
+
+/*
+ * merge provided keys and client secret in to a single hashtable
+ */
+apr_hash_t *oidc_util_key_symmetric_merge(apr_pool_t *pool, const apr_array_header_t *keys, oidc_jwk_t *jwk) {
+	apr_hash_t *result = apr_hash_make(pool);
+	const oidc_jwk_t *elem = NULL;
+	int i = 0;
+	if (keys != NULL) {
+		for (i = 0; i < keys->nelts; i++) {
+			elem = APR_ARRAY_IDX(keys, i, oidc_jwk_t *);
+			apr_hash_set(result, elem->kid, APR_HASH_KEY_STRING, elem);
+		}
+	}
+	if (jwk != NULL) {
+		apr_hash_set(result, jwk->kid, APR_HASH_KEY_STRING, jwk);
+	}
+	return result;
+}
+
+/*
+ * merge the provided array of keys (k2) into a hash table of keys (k1)
+ */
+apr_hash_t *oidc_util_key_sets_merge(apr_pool_t *pool, apr_hash_t *k1, const apr_array_header_t *k2) {
+	apr_hash_t *rv = k1 ? apr_hash_copy(pool, k1) : apr_hash_make(pool);
+	const oidc_jwk_t *jwk = NULL;
+	int i = 0;
+	if (k2 != NULL) {
+		for (i = 0; i < k2->nelts; i++) {
+			jwk = APR_ARRAY_IDX(k2, i, oidc_jwk_t *);
+			apr_hash_set(rv, jwk->kid, APR_HASH_KEY_STRING, jwk);
+		}
+	}
+	return rv;
+}
+
+/*
+ * merge two hash tables with key sets
+ */
+apr_hash_t *oidc_util_key_sets_hash_merge(apr_pool_t *pool, apr_hash_t *k1, apr_hash_t *k2) {
+	if (k1 == NULL) {
+		if (k2 == NULL)
+			return apr_hash_make(pool);
+		return k2;
+	}
+	if (k2 == NULL)
+		return k1;
+	return apr_hash_overlay(pool, k1, k2);
+}
+
+/*
+ * return the first JWK that matches a provided key type and use from an array of JWKs
+ */
+oidc_jwk_t *oidc_util_key_list_first(const apr_array_header_t *key_list, int kty, const char *use) {
+	oidc_jwk_t *rv = NULL;
+	int i = 0;
+	oidc_jwk_t *jwk = NULL;
+	for (i = 0; (key_list) && (i < key_list->nelts); i++) {
+		jwk = APR_ARRAY_IDX(key_list, i, oidc_jwk_t *);
+		if ((kty != -1) && (jwk->kty != kty))
+			continue;
+		if (((use == NULL) || (jwk->use == NULL) || (_oidc_strncmp(jwk->use, use, _oidc_strlen(use)) == 0))) {
+			rv = jwk;
+			break;
+		}
+	}
+	return rv;
+}
+
diff --git a/src/util/util.c b/src/util/util.c
diff --git a/src/util/util.h b/src/util/util.h
diff --git a/test/test-cmd.c b/test/test-cmd.c
diff --git a/test/test.c b/test/test.c
