Skip to content

Commit

Permalink
Merge pull request #1250 from ayeshLK/master
Browse files Browse the repository at this point in the history
Add support to directly provide `crypto:PrivateKey` and `crypto:PublicKey` in JWT signature configurations
  • Loading branch information
ayeshLK authored Aug 2, 2024
2 parents 818a75a + d93e68e commit 61b7fc0
Show file tree
Hide file tree
Showing 9 changed files with 89 additions and 15 deletions.
6 changes: 3 additions & 3 deletions ballerina/Ballerina.toml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
[package]
org = "ballerina"
name = "jwt"
version = "2.12.1"
version = "3.0.0"
authors = ["Ballerina"]
keywords = ["security", "authentication", "jwt", "jwk", "jws"]
repository = "https://github.com/ballerina-platform/module-ballerina-jwt"
Expand All @@ -15,5 +15,5 @@ graalvmCompatible = true
[[platform.java17.dependency]]
groupId = "io.ballerina.stdlib"
artifactId = "jwt-native"
version = "2.12.1"
path = "../native/build/libs/jwt-native-2.12.1.jar"
version = "3.0.0"
path = "../native/build/libs/jwt-native-3.0.0-SNAPSHOT.jar"
6 changes: 5 additions & 1 deletion ballerina/Dependencies.toml
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,9 @@ dependencies = [
{org = "ballerina", name = "jballerina.java"},
{org = "ballerina", name = "lang.value"}
]
modules = [
{org = "ballerina", packageName = "io", moduleName = "io"}
]

[[package]]
org = "ballerina"
Expand All @@ -61,10 +64,11 @@ modules = [
[[package]]
org = "ballerina"
name = "jwt"
version = "2.12.1"
version = "3.0.0"
dependencies = [
{org = "ballerina", name = "cache"},
{org = "ballerina", name = "crypto"},
{org = "ballerina", name = "io"},
{org = "ballerina", name = "jballerina.java"},
{org = "ballerina", name = "lang.int"},
{org = "ballerina", name = "lang.string"},
Expand Down
6 changes: 4 additions & 2 deletions ballerina/jwt_issuer.bal
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ public type IssuerConfig record {|
# Represents JWT signature configurations.
#
# + algorithm - Cryptographic signing algorithm for JWS
# + config - KeyStore configurations, private key configurations or shared key configurations
# + config - KeyStore configurations, private key configurations, `crypto:PrivateKey` or shared key configurations
public type IssuerSignatureConfig record {|
SigningAlgorithm algorithm = RS256;
record {|
Expand All @@ -51,7 +51,7 @@ public type IssuerSignatureConfig record {|
|} | record {|
string keyFile;
string keyPassword?;
|} | string config?;
|} | crypto:PrivateKey | string config?;
|};

# Issues a JWT based on the provided configurations. JWT will be signed (JWS) if `crypto:KeyStore` information is
Expand Down Expand Up @@ -93,6 +93,8 @@ public isolated function issue(IssuerConfig issuerConfig) returns string|Error {
} else {
return prepareError("Failed to decode private key.", privateKey);
}
} else if config is crypto:PrivateKey {
return signJwtAssertion(jwtAssertion, algorithm, config);
} else {
string keyFile = <string> config?.keyFile;
string? keyPassword = config?.keyPassword;
Expand Down
13 changes: 9 additions & 4 deletions ballerina/jwt_validator.bal
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ public type ValidatorConfig record {
# Represents JWT signature configurations.
#
# + jwksConfig - JWKS configurations
# + certFile - Public certificate file path
# + certFile - Public certificate file path or a `crypto:PublicKey`
# + trustStoreConfig - JWT TrustStore configurations
# + secret - HMAC secret configuration
public type ValidatorSignatureConfig record {|
Expand All @@ -57,7 +57,7 @@ public type ValidatorSignatureConfig record {|
cache:CacheConfig cacheConfig?;
ClientConfiguration clientConfig = {};
|} jwksConfig?;
string certFile?;
string|crypto:PublicKey certFile?;
record {|
crypto:TrustStore trustStore;
string certAlias;
Expand Down Expand Up @@ -331,8 +331,13 @@ isolated function validateSignature(string jwt, Header header, Payload payload,
} else {
return prepareError("Key ID (kid) is not provided in JOSE header.");
}
} else if certFile is string {
crypto:PublicKey|crypto:Error publicKey = crypto:decodeRsaPublicKeyFromCertFile(certFile);
} else if certFile !is () {
crypto:PublicKey|crypto:Error publicKey;
if certFile is crypto:PublicKey {
publicKey = certFile;
} else {
publicKey = crypto:decodeRsaPublicKeyFromCertFile(certFile);
}
if publicKey is crypto:PublicKey {
if !validateCertificate(publicKey) {
return prepareError("Public key certificate validity period has passed.");
Expand Down
40 changes: 40 additions & 0 deletions ballerina/tests/jwt_issuer_test.bal
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@

// NOTE: All the tokens/credentials used in this test are dummy tokens/credentials and used only for testing purposes.

import ballerina/crypto;
import ballerina/io;
import ballerina/lang.'string;
import ballerina/test;

Expand Down Expand Up @@ -365,6 +367,44 @@ isolated function testIssueJwtWithEncryptedPrivateKey() returns Error? {
assertDecodedJwt(result, expectedHeader, expectedPayload);
}

@test:Config {}
isolated function testIssueJwtWithCryptoPrivateKey() returns io:Error|crypto:Error|Error? {
byte[] privateKeyContent = check io:fileReadBytes(PRIVATE_KEY_PATH);
crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromContent(privateKeyContent);
IssuerConfig issuerConfig = {
username: "John",
issuer: "wso2",
audience: ["ballerina", "ballerinaSamples"],
expTime: 600,
signatureConfig: {
config: privateKey
}
};
string result = check issue(issuerConfig);
string expectedHeader = "{\"alg\":\"RS256\", \"typ\":\"JWT\"}";
string expectedPayload = "{\"iss\":\"wso2\", \"sub\":\"John\", \"aud\":[\"ballerina\", \"ballerinaSamples\"]";
assertDecodedJwt(result, expectedHeader, expectedPayload);
}

@test:Config {}
isolated function testIssueJwtWithEncryptedCryptoPrivateKey() returns io:Error|crypto:Error|Error? {
byte[] privateKeyContent = check io:fileReadBytes(ENCRYPTED_PRIVATE_KEY_PATH);
crypto:PrivateKey encryptedPrivateKey = check crypto:decodeRsaPrivateKeyFromContent(privateKeyContent, "ballerina");
IssuerConfig issuerConfig = {
username: "John",
issuer: "wso2",
audience: ["ballerina", "ballerinaSamples"],
expTime: 600,
signatureConfig: {
config: encryptedPrivateKey
}
};
string result = check issue(issuerConfig);
string expectedHeader = "{\"alg\":\"RS256\", \"typ\":\"JWT\"}";
string expectedPayload = "{\"iss\":\"wso2\", \"sub\":\"John\", \"aud\":[\"ballerina\", \"ballerinaSamples\"]";
assertDecodedJwt(result, expectedHeader, expectedPayload);
}

isolated function assertDecodedJwt(string jwt, string header, string payload) {
string[] parts = re `\.`.split(jwt);
// check header
Expand Down
18 changes: 18 additions & 0 deletions ballerina/tests/jwt_validator_test.bal
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@

// NOTE: All the tokens/credentials used in this test are dummy tokens/credentials and used only for testing purposes.

import ballerina/crypto;
import ballerina/io;
import ballerina/test;

@test:Config {}
Expand Down Expand Up @@ -693,6 +695,22 @@ isolated function testValidateJwtSignatureWithPublicCert() returns Error? {
test:assertEquals(result?.iss, "wso2");
}

@test:Config {}
isolated function testValidateJwtSignatureWithCryptoPublicKey() returns io:Error|crypto:Error|Error? {
byte[] pubicCertContent = check io:fileReadBytes(PUBLIC_CERT_PATH);
crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromContent(pubicCertContent);
ValidatorConfig validatorConfig = {
issuer: "wso2",
audience: ["ballerina", "ballerinaSamples"],
clockSkew: 60,
signatureConfig: {
certFile: publicKey
}
};
Payload result = check validate(JWT1, validatorConfig);
test:assertEquals(result?.iss, "wso2");
}

@test:Config {}
isolated function testValidateJwtSignatureWithInvalidPublicCert() {
ValidatorConfig validatorConfig = {
Expand Down
5 changes: 5 additions & 0 deletions changelog.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

## Unreleased

### Added
- [Add support to directly provide `crypto:PrivateKey` and `crypto:PublicKey` in JWT signature configurations](https://github.com/ballerina-platform/ballerina-library/issues/6514)

## [2.12.1] - 2024-06-14

## Changed
- [Revert support to directly provide `crypto:PrivateKey` and `crypto:PublicKey` in JWT signature configurations](https://github.com/ballerina-platform/ballerina-library/issues/6628)

Expand Down
8 changes: 4 additions & 4 deletions docs/spec/spec.md
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
# Specification: Ballerina JWT Library

_Owners_: @ldclakmal @shafreenAnfar
_Authors_: @ldclakmal @shafreenAnfar @ayeshLK
_Reviewers_: @shafreenAnfar
_Created_: 2021/10/01
_Updated_: 2022/02/17
_Updated_: 2024/06/15
_Edition_: Swan Lake

## Introduction
Expand Down Expand Up @@ -104,7 +104,7 @@ public type ValidatorSignatureConfig record {|
cache:CacheConfig cacheConfig?;
ClientConfiguration clientConfig = {};
|} jwksConfig?;
string certFile?;
string|crypto:PublicKey certFile?;
record {|
crypto:TrustStore trustStore;
string certAlias;
Expand Down Expand Up @@ -222,7 +222,7 @@ public type IssuerSignatureConfig record {|
|}|record {|
string keyFile;
string keyPassword?;
|}|string config?;
|}|crypto:PrivateKey|string config?;
|};
public class ClientSelfSignedJwtAuthProvider {
Expand Down
2 changes: 1 addition & 1 deletion gradle.properties
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
org.gradle.caching=true
group=io.ballerina.stdlib
version=2.12.2-SNAPSHOT
version=3.0.0-SNAPSHOT
puppycrawlCheckstyleVersion=10.12.0
ballerinaGradlePluginVersion=2.0.1

Expand Down

0 comments on commit 61b7fc0

Please sign in to comment.