checker/claims: Enabled nbf, exp, iss, aud, sub verification

Signed-off-by: Ben Collins <bcollins@libjwt.io>

Author: benmcollins

include/jwt.h

@@ -253,7 +253,7 @@ typedef enum {
         JWT_CLAIM_EXP           = 0x0010, /**< @rfc_t{7519,4.1.4} ``"exp"`` */
         JWT_CLAIM_NBF           = 0x0020, /**< @rfc_t{7519,4.1.5} ``"nbf"`` */
         JWT_CLAIM_IAT           = 0x0040, /**< @rfc_t{7519,4.1.6} ``"iat"`` */
-        JWT_CLAIM_JTI           = 0x0080, /**< @rfc_t{7519,4.1.7} ``"nbf"`` */
+        JWT_CLAIM_JTI           = 0x0080, /**< @rfc_t{7519,4.1.7} ``"jti"`` */
         JWT_CLAIMS_ENFORCE      = 0x8000, /**< Fail if claim is missing     */
         JWT_CLAIMS_ALL          = 0x80fe, /**< Mask of all claims           */
 } jwt_claims_t;

libjwt/jwt-common.c

@@ -291,6 +291,7 @@ int FUNC(verify)(jwt_common_t *__cmd, const char *token)
 		return 1;
 
 	jwt->key = config.key;
+	jwt->checker = __cmd;
 
 	/* Finish it up */
 	jwt = jwt_verify_complete(jwt, &config, token, payload_len);

libjwt/jwt-private.h

@@ -85,6 +85,10 @@ struct jwt {
 	jwt_alg_t alg;
 	int error;
 	char error_msg[JWT_ERR_LEN];
+	union {
+		struct jwt_checker *checker;
+		struct jwt_builder *builder;
+	};
 };
 
 struct jwk_set {

libjwt/jwt-verify.c

@@ -127,10 +127,94 @@ int jwt_parse(jwt_t *jwt, const char *token, unsigned int *len)
 	return 0;
 }
 
+static int __check_str_claim(jwt_t *jwt, jwt_claims_t claim, char *claim_str)
+{
+	jwt_checker_t *checker = jwt->checker;
+	jwt_value_t jval;
+	const char *str;
+	jwt_value_error_t err;
+	int enforce = checker->c.claims & JWT_CLAIMS_ENFORCE;
+	int ret = 0;
+
+	if (checker->c.claims & claim) {
+		jwt_set_GET_STR(&jval, claim_str);
+		err = jwt_checker_claim_get(checker, &jval);
+		str = jval.str_val;
+
+		if (err == JWT_VALUE_ERR_NONE) {
+			jwt_set_GET_STR(&jval, claim_str);
+			err = jwt_claim_get(jwt, &jval);
+		}
+
+		if (err == JWT_VALUE_ERR_NONE) {
+			if (strcmp(str, jval.str_val))
+				ret = 1;
+		} else if (enforce)
+			ret = 1;
+	}
+
+	return ret;
+}
+
+static jwt_claims_t __verify_claims(jwt_t *jwt)
+{
+	jwt_checker_t *checker = jwt->checker;
+	jwt_value_t jval;
+	time_t now = time(NULL);
+	jwt_value_error_t err;
+	int enforce = checker->c.claims & JWT_CLAIMS_ENFORCE;
+	jwt_claims_t failed = 0;
+
+	/* expiration in past */
+	if (checker->c.claims & JWT_CLAIM_EXP) {
+		jwt_set_GET_INT(&jval, "exp");
+		err = jwt_claim_get(jwt, &jval);
+
+		if (err == JWT_VALUE_ERR_NONE) {
+			if (jval.int_val < now)
+				failed |= JWT_CLAIM_EXP;
+		} else if (enforce)
+			failed |= JWT_CLAIM_EXP;
+	}
+
+	/* not valid before now */
+	if (checker->c.claims & JWT_CLAIM_NBF) {
+		jwt_set_GET_INT(&jval, "nbf");
+		err = jwt_claim_get(jwt, &jval);
+
+		if (err == JWT_VALUE_ERR_NONE) {
+			if (jval.int_val > now)
+				failed |= JWT_CLAIM_NBF;
+		} else if (enforce)
+			failed |= JWT_CLAIM_NBF;
+	}
+
+	/* issuer doesn't match */
+	if (__check_str_claim(jwt, JWT_CLAIM_ISS, "iss"))
+		failed |= JWT_CLAIM_ISS;
+
+	/* subject doesn't match */
+	if (__check_str_claim(jwt, JWT_CLAIM_SUB, "sub"))
+		failed |= JWT_CLAIM_SUB;
+
+	/* audience doesn't match */
+	if (__check_str_claim(jwt, JWT_CLAIM_AUD, "aud"))
+		failed |= JWT_CLAIM_AUD;
+
+	return failed;
+}
+
 /* This is after parsing and possibly a user callback. */
 static int __verify_config_post(jwt_t *jwt, const jwt_config_t *config,
 				unsigned int sig_len)
 {
+	/* Yes, we do this before checking a signature. */
+	if (__verify_claims(jwt)) {
+		/* TODO Pass back the ORd list of claims failed. */
+		jwt_write_error(jwt, "Failed one or more claims");
+		return 1;
+	}
+
 	if (!sig_len) {
 		if (config->key || config->alg != JWT_ALG_NONE ||
 		    jwt->alg != JWT_ALG_NONE) {

tests/jwt_builder.c

@@ -397,8 +397,7 @@ END_TEST
 
 START_TEST(claim_str_addgetdel)
 {
-	const char exp[] = "eyJhbGciOiJub25lIn0.eyJpc3MiOiJka"
-		"XNrLnN3aXNzZGlzay5jb20ifQ.";
+	const char exp[] = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJteS1mcmllbmQifQ.";
 	jwt_builder_auto_t *builder = NULL;
 	char_auto *out = NULL;
 	jwt_value_t jval;
@@ -413,7 +412,7 @@ START_TEST(claim_str_addgetdel)
 	ret = jwt_builder_setclaims(builder, JWT_CLAIM_NONE);
 	ck_assert_int_eq(ret, 0);
 
-	jwt_set_ADD_STR(&jval, "iss", "disk.swissdisk.com");
+	jwt_set_ADD_STR(&jval, "sub", "my-friend");
 	ret = jwt_builder_claim_add(builder, &jval);
 	ck_assert_int_eq(ret, 0);
 

tests/jwt_checker.c

@@ -116,6 +116,7 @@ START_TEST(verify_wcb)
 	const char token[] = "eyJhbGciOiJub25lIn0.eyJpc3MiOiJka"
 		"XNrLnN3aXNzZGlzay5jb20ifQ.";
 	jwt_checker_auto_t *checker = NULL;
+	jwt_value_t jval;
 	int ret;
 
 	SET_OPS();
@@ -124,7 +125,20 @@ START_TEST(verify_wcb)
 	ck_assert_ptr_nonnull(checker);
 	ck_assert_int_eq(jwt_checker_error(checker), 0);
 
-	ret = jwt_checker_setclaims(checker, JWT_CLAIM_NONE);
+	ret = jwt_checker_setclaims(checker, JWT_CLAIM_AUD | JWT_CLAIM_SUB |
+			JWT_CLAIM_ISS | JWT_CLAIM_NBF | JWT_CLAIM_EXP);
+	ck_assert_int_eq(ret, 0);
+
+	jwt_set_ADD_STR(&jval, "sub", "my-friend");
+	ret = jwt_checker_claim_add(checker, &jval);
+        ck_assert_int_eq(ret, 0);
+
+	jwt_set_ADD_STR(&jval, "aud", "public");
+	ret = jwt_checker_claim_add(checker, &jval);
+	ck_assert_int_eq(ret, 0);
+
+	jwt_set_ADD_STR(&jval, "iss", "disk.swissdisk.com");
+	ret = jwt_checker_claim_add(checker, &jval);
 	ck_assert_int_eq(ret, 0);
 
 	ret = jwt_checker_setcb(checker, __verify_wcb, "testing");