2014-12-17 06:58:39 +00:00
|
|
|
package token
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto"
|
|
|
|
"crypto/x509"
|
|
|
|
"errors"
|
|
|
|
"fmt"
|
|
|
|
"time"
|
|
|
|
|
2024-05-14 08:21:38 +00:00
|
|
|
"github.com/go-jose/go-jose/v4"
|
|
|
|
"github.com/go-jose/go-jose/v4/jwt"
|
2017-06-23 19:45:04 +00:00
|
|
|
log "github.com/sirupsen/logrus"
|
2014-12-17 06:58:39 +00:00
|
|
|
|
2020-08-24 11:18:39 +00:00
|
|
|
"github.com/distribution/distribution/v3/registry/auth"
|
2014-12-17 06:58:39 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
// TokenSeparator is the value which separates the header, claims, and
|
|
|
|
// signature in the compact serialization of a JSON Web Token.
|
|
|
|
TokenSeparator = "."
|
2016-04-28 03:54:36 +00:00
|
|
|
// Leeway is the Duration that will be added to NBF and EXP claim
|
|
|
|
// checks to account for clock skew as per https://tools.ietf.org/html/rfc7519#section-4.1.5
|
|
|
|
Leeway = 60 * time.Second
|
2014-12-17 06:58:39 +00:00
|
|
|
)
|
|
|
|
|
2024-05-14 08:21:38 +00:00
|
|
|
var signingAlgorithms = map[string]jose.SignatureAlgorithm{
|
|
|
|
"EdDSA": jose.EdDSA,
|
|
|
|
"HS256": jose.HS256,
|
|
|
|
"HS384": jose.HS384,
|
|
|
|
"HS512": jose.HS512,
|
|
|
|
"RS256": jose.RS256,
|
|
|
|
"RS384": jose.RS384,
|
|
|
|
"RS512": jose.RS512,
|
|
|
|
"ES256": jose.ES256,
|
|
|
|
"ES384": jose.ES384,
|
|
|
|
"ES512": jose.ES512,
|
|
|
|
"PS256": jose.PS256,
|
|
|
|
"PS384": jose.PS384,
|
|
|
|
"PS512": jose.PS512,
|
|
|
|
}
|
|
|
|
|
|
|
|
var defaultSigningAlgorithms = []jose.SignatureAlgorithm{
|
|
|
|
jose.EdDSA,
|
|
|
|
jose.HS256,
|
|
|
|
jose.HS384,
|
|
|
|
jose.HS512,
|
|
|
|
jose.RS256,
|
|
|
|
jose.RS384,
|
|
|
|
jose.RS512,
|
|
|
|
jose.ES256,
|
|
|
|
jose.ES384,
|
|
|
|
jose.ES512,
|
|
|
|
jose.PS256,
|
|
|
|
jose.PS384,
|
|
|
|
jose.PS512,
|
|
|
|
}
|
|
|
|
|
2014-12-17 06:58:39 +00:00
|
|
|
// Errors used by token parsing and verification.
|
|
|
|
var (
|
|
|
|
ErrMalformedToken = errors.New("malformed token")
|
|
|
|
ErrInvalidToken = errors.New("invalid token")
|
|
|
|
)
|
|
|
|
|
|
|
|
// ResourceActions stores allowed actions on a named and typed resource.
|
|
|
|
type ResourceActions struct {
|
|
|
|
Type string `json:"type"`
|
2016-11-22 00:36:36 +00:00
|
|
|
Class string `json:"class,omitempty"`
|
2014-12-17 06:58:39 +00:00
|
|
|
Name string `json:"name"`
|
|
|
|
Actions []string `json:"actions"`
|
|
|
|
}
|
|
|
|
|
|
|
|
// ClaimSet describes the main section of a JSON Web Token.
|
|
|
|
type ClaimSet struct {
|
|
|
|
// Public claims
|
2022-10-21 09:11:50 +00:00
|
|
|
Issuer string `json:"iss"`
|
|
|
|
Subject string `json:"sub"`
|
|
|
|
Audience AudienceList `json:"aud"`
|
|
|
|
Expiration int64 `json:"exp"`
|
|
|
|
NotBefore int64 `json:"nbf"`
|
|
|
|
IssuedAt int64 `json:"iat"`
|
|
|
|
JWTID string `json:"jti"`
|
2014-12-17 06:58:39 +00:00
|
|
|
|
|
|
|
// Private claims
|
2015-02-04 01:59:24 +00:00
|
|
|
Access []*ResourceActions `json:"access"`
|
2014-12-17 06:58:39 +00:00
|
|
|
}
|
|
|
|
|
2023-10-08 22:02:45 +00:00
|
|
|
// Token is a JSON Web Token.
|
2014-12-17 06:58:39 +00:00
|
|
|
type Token struct {
|
2023-10-08 22:02:45 +00:00
|
|
|
Raw string
|
|
|
|
JWT *jwt.JSONWebToken
|
2014-12-17 06:58:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// VerifyOptions is used to specify
|
|
|
|
// options when verifying a JSON Web Token.
|
|
|
|
type VerifyOptions struct {
|
2015-01-06 02:21:03 +00:00
|
|
|
TrustedIssuers []string
|
|
|
|
AcceptedAudiences []string
|
2014-12-17 06:58:39 +00:00
|
|
|
Roots *x509.CertPool
|
2023-10-08 22:02:45 +00:00
|
|
|
TrustedKeys map[string]crypto.PublicKey
|
2014-12-17 06:58:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// NewToken parses the given raw token string
|
|
|
|
// and constructs an unverified JSON Web Token.
|
2024-05-14 08:21:38 +00:00
|
|
|
func NewToken(rawToken string, signingAlgs []jose.SignatureAlgorithm) (*Token, error) {
|
|
|
|
token, err := jwt.ParseSigned(rawToken, signingAlgs)
|
2023-10-08 22:02:45 +00:00
|
|
|
if err != nil {
|
2014-12-17 06:58:39 +00:00
|
|
|
return nil, ErrMalformedToken
|
|
|
|
}
|
|
|
|
|
2023-10-08 22:02:45 +00:00
|
|
|
return &Token{
|
|
|
|
Raw: rawToken,
|
|
|
|
JWT: token,
|
|
|
|
}, nil
|
|
|
|
}
|
2014-12-17 06:58:39 +00:00
|
|
|
|
2023-10-08 22:02:45 +00:00
|
|
|
// Verify attempts to verify this token using the given options.
|
|
|
|
// Returns a nil error if the token is valid.
|
|
|
|
func (t *Token) Verify(verifyOpts VerifyOptions) (*ClaimSet, error) {
|
|
|
|
// Verify that the signing key is trusted.
|
|
|
|
signingKey, err := t.VerifySigningKey(verifyOpts)
|
|
|
|
if err != nil {
|
|
|
|
log.Infof("failed to verify token: %v", err)
|
|
|
|
return nil, ErrInvalidToken
|
2014-12-17 06:58:39 +00:00
|
|
|
}
|
|
|
|
|
2023-10-08 22:02:45 +00:00
|
|
|
// NOTE(milosgajdos): Claims both verifies the signature
|
|
|
|
// and returns the claims within the payload
|
|
|
|
var claims ClaimSet
|
|
|
|
err = t.JWT.Claims(signingKey, &claims)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
2014-12-17 06:58:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Verify that the Issuer claim is a trusted authority.
|
2023-10-08 22:02:45 +00:00
|
|
|
if !contains(verifyOpts.TrustedIssuers, claims.Issuer) {
|
|
|
|
log.Infof("token from untrusted issuer: %q", claims.Issuer)
|
|
|
|
return nil, ErrInvalidToken
|
2014-12-17 06:58:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Verify that the Audience claim is allowed.
|
2023-10-08 22:02:45 +00:00
|
|
|
if !containsAny(verifyOpts.AcceptedAudiences, claims.Audience) {
|
|
|
|
log.Infof("token intended for another audience: %v", claims.Audience)
|
|
|
|
return nil, ErrInvalidToken
|
2014-12-17 06:58:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Verify that the token is currently usable and not expired.
|
2016-04-28 03:54:36 +00:00
|
|
|
currentTime := time.Now()
|
|
|
|
|
2023-10-08 22:02:45 +00:00
|
|
|
ExpWithLeeway := time.Unix(claims.Expiration, 0).Add(Leeway)
|
2016-04-28 03:54:36 +00:00
|
|
|
if currentTime.After(ExpWithLeeway) {
|
2016-09-07 17:45:06 +00:00
|
|
|
log.Infof("token not to be used after %s - currently %s", ExpWithLeeway, currentTime)
|
2023-10-08 22:02:45 +00:00
|
|
|
return nil, ErrInvalidToken
|
2016-04-28 03:54:36 +00:00
|
|
|
}
|
|
|
|
|
2023-10-08 22:02:45 +00:00
|
|
|
NotBeforeWithLeeway := time.Unix(claims.NotBefore, 0).Add(-Leeway)
|
2016-04-28 03:54:36 +00:00
|
|
|
if currentTime.Before(NotBeforeWithLeeway) {
|
2016-09-07 17:45:06 +00:00
|
|
|
log.Infof("token not to be used before %s - currently %s", NotBeforeWithLeeway, currentTime)
|
2023-10-08 22:02:45 +00:00
|
|
|
return nil, ErrInvalidToken
|
2014-12-17 06:58:39 +00:00
|
|
|
}
|
|
|
|
|
2023-10-08 22:02:45 +00:00
|
|
|
return &claims, nil
|
|
|
|
}
|
2014-12-17 06:58:39 +00:00
|
|
|
|
2023-10-08 22:02:45 +00:00
|
|
|
// VerifySigningKey attempts to verify and return the signing key which was used to sign the token.
|
|
|
|
func (t *Token) VerifySigningKey(verifyOpts VerifyOptions) (signingKey crypto.PublicKey, err error) {
|
|
|
|
if len(t.JWT.Headers) == 0 {
|
|
|
|
return nil, ErrInvalidToken
|
2014-12-17 06:58:39 +00:00
|
|
|
}
|
|
|
|
|
2023-10-08 22:02:45 +00:00
|
|
|
// NOTE(milosgajdos): docker auth spec does not seem to
|
|
|
|
// support tokens signed by multiple signatures so we are
|
|
|
|
// verifying the first one in the list only at the moment.
|
|
|
|
header := t.JWT.Headers[0]
|
2014-12-17 06:58:39 +00:00
|
|
|
|
2024-05-14 08:21:38 +00:00
|
|
|
signingKey, err = verifyCertChain(header, verifyOpts.Roots)
|
|
|
|
// NOTE(milosgajdos): if the x5c header is missing
|
|
|
|
// the token may have been signed by a JWKS.
|
|
|
|
if err != nil && err != jose.ErrMissingX5cHeader {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2014-12-18 00:10:07 +00:00
|
|
|
switch {
|
2023-10-08 22:02:45 +00:00
|
|
|
case header.JSONWebKey != nil:
|
|
|
|
signingKey, err = verifyJWK(header, verifyOpts)
|
|
|
|
case len(header.KeyID) > 0:
|
|
|
|
signingKey = verifyOpts.TrustedKeys[header.KeyID]
|
2014-12-18 00:10:07 +00:00
|
|
|
if signingKey == nil {
|
2023-10-08 22:02:45 +00:00
|
|
|
err = fmt.Errorf("token signed by untrusted key with ID: %q", header.KeyID)
|
2014-12-17 06:58:39 +00:00
|
|
|
}
|
2014-12-18 00:10:07 +00:00
|
|
|
default:
|
2024-05-14 08:21:38 +00:00
|
|
|
err = ErrInvalidToken
|
2014-12-18 00:10:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-10-08 22:02:45 +00:00
|
|
|
func verifyCertChain(header jose.Header, roots *x509.CertPool) (signingKey crypto.PublicKey, err error) {
|
2014-12-17 06:58:39 +00:00
|
|
|
verifyOpts := x509.VerifyOptions{
|
2023-10-08 22:02:45 +00:00
|
|
|
Roots: roots,
|
|
|
|
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
|
2014-12-17 06:58:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// TODO: this call returns certificate chains which we ignore for now, but
|
|
|
|
// we should check them for revocations if we have the ability later.
|
2023-10-08 22:02:45 +00:00
|
|
|
chains, err := header.Certificates(verifyOpts)
|
2014-12-18 00:10:07 +00:00
|
|
|
if err != nil {
|
2023-10-08 22:02:45 +00:00
|
|
|
return nil, err
|
2014-12-18 00:10:07 +00:00
|
|
|
}
|
2023-10-08 22:02:45 +00:00
|
|
|
signingKey = getCertPubKey(chains)
|
2014-12-18 00:10:07 +00:00
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-10-08 22:02:45 +00:00
|
|
|
func verifyJWK(header jose.Header, verifyOpts VerifyOptions) (signingKey crypto.PublicKey, err error) {
|
|
|
|
jwk := header.JSONWebKey
|
|
|
|
signingKey = jwk.Key
|
2014-12-18 00:10:07 +00:00
|
|
|
|
|
|
|
// Check to see if the key includes a certificate chain.
|
2023-10-08 22:02:45 +00:00
|
|
|
if len(jwk.Certificates) == 0 {
|
2014-12-18 00:10:07 +00:00
|
|
|
// The JWK should be one of the trusted root keys.
|
2023-10-08 22:02:45 +00:00
|
|
|
if _, trusted := verifyOpts.TrustedKeys[jwk.KeyID]; !trusted {
|
2014-12-18 00:10:07 +00:00
|
|
|
return nil, errors.New("untrusted JWK with no certificate chain")
|
|
|
|
}
|
|
|
|
// The JWK is one of the trusted keys.
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-10-08 22:02:45 +00:00
|
|
|
opts := x509.VerifyOptions{
|
|
|
|
Roots: verifyOpts.Roots,
|
|
|
|
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
|
2014-12-18 00:10:07 +00:00
|
|
|
}
|
|
|
|
|
2023-10-08 22:02:45 +00:00
|
|
|
leaf := jwk.Certificates[0]
|
|
|
|
if opts.Intermediates == nil {
|
|
|
|
opts.Intermediates = x509.NewCertPool()
|
|
|
|
for _, intermediate := range jwk.Certificates[1:] {
|
|
|
|
opts.Intermediates.AddCert(intermediate)
|
|
|
|
}
|
2014-12-18 00:10:07 +00:00
|
|
|
}
|
|
|
|
|
2023-10-08 22:02:45 +00:00
|
|
|
// TODO: this call returns certificate chains which we ignore for now, but
|
|
|
|
// we should check them for revocations if we have the ability later.
|
|
|
|
chains, err := leaf.Verify(opts)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
2014-12-18 00:10:07 +00:00
|
|
|
}
|
2023-10-08 22:02:45 +00:00
|
|
|
signingKey = getCertPubKey(chains)
|
2014-12-18 00:10:07 +00:00
|
|
|
|
|
|
|
return
|
2014-12-17 06:58:39 +00:00
|
|
|
}
|
|
|
|
|
2023-10-08 22:02:45 +00:00
|
|
|
func getCertPubKey(chains [][]*x509.Certificate) crypto.PublicKey {
|
|
|
|
// NOTE(milosgajdos): if there are no certificates
|
|
|
|
// header.Certificates call above returns error, so we are
|
|
|
|
// guaranteed to get at least one certificate chain.
|
|
|
|
// We pick the leaf certificate chain.
|
|
|
|
chain := chains[0]
|
|
|
|
|
|
|
|
// NOTE(milosgajdos): header.Certificates call returns the result
|
|
|
|
// of leafCert.Verify which is a call to x509.Certificate.Verify.
|
|
|
|
// If successful, it returns one or more chains where the first
|
|
|
|
// element of the chain is x5c and the last element is from opts.Roots.
|
|
|
|
// See: https://pkg.go.dev/crypto/x509#Certificate.Verify
|
|
|
|
cert := chain[0]
|
|
|
|
|
|
|
|
// NOTE: we dont have to verify that the public key in the leaf cert
|
|
|
|
// *is* the signing key: if it's not the signing then token claims
|
2024-04-19 09:49:51 +00:00
|
|
|
// verification with this key fails
|
2023-10-08 22:02:45 +00:00
|
|
|
return cert.PublicKey.(crypto.PublicKey)
|
|
|
|
}
|
|
|
|
|
2014-12-17 06:58:39 +00:00
|
|
|
// accessSet returns a set of actions available for the resource
|
|
|
|
// actions listed in the `access` section of this token.
|
2023-10-08 22:02:45 +00:00
|
|
|
func (c *ClaimSet) accessSet() accessSet {
|
|
|
|
accessSet := make(accessSet, len(c.Access))
|
2014-12-17 06:58:39 +00:00
|
|
|
|
2023-10-08 22:02:45 +00:00
|
|
|
for _, resourceActions := range c.Access {
|
2014-12-17 06:58:39 +00:00
|
|
|
resource := auth.Resource{
|
|
|
|
Type: resourceActions.Type,
|
|
|
|
Name: resourceActions.Name,
|
|
|
|
}
|
|
|
|
|
2014-12-17 18:57:05 +00:00
|
|
|
set, exists := accessSet[resource]
|
|
|
|
if !exists {
|
|
|
|
set = newActionSet()
|
2014-12-17 06:58:39 +00:00
|
|
|
accessSet[resource] = set
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, action := range resourceActions.Actions {
|
2015-01-06 02:21:03 +00:00
|
|
|
set.add(action)
|
2014-12-17 06:58:39 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return accessSet
|
|
|
|
}
|
|
|
|
|
2023-10-08 22:02:45 +00:00
|
|
|
func (c *ClaimSet) resources() []auth.Resource {
|
2016-11-22 00:36:36 +00:00
|
|
|
resourceSet := map[auth.Resource]struct{}{}
|
2023-10-08 22:02:45 +00:00
|
|
|
|
|
|
|
for _, resourceActions := range c.Access {
|
2016-11-22 00:36:36 +00:00
|
|
|
resource := auth.Resource{
|
|
|
|
Type: resourceActions.Type,
|
|
|
|
Class: resourceActions.Class,
|
|
|
|
Name: resourceActions.Name,
|
|
|
|
}
|
|
|
|
resourceSet[resource] = struct{}{}
|
|
|
|
}
|
|
|
|
|
|
|
|
resources := make([]auth.Resource, 0, len(resourceSet))
|
|
|
|
for resource := range resourceSet {
|
|
|
|
resources = append(resources, resource)
|
|
|
|
}
|
|
|
|
|
|
|
|
return resources
|
|
|
|
}
|