updates to TODO/ERR

zandbelt · zandbelt · commit 4505696f700a · 2025-02-10T08:04:40.000+01:00
Signed-off-by: Hans Zandbelt &lt;hans.zandbelt@openidc.com&gt;
diff --git a/src/jose.c b/src/jose.c
@@ -707,17 +707,15 @@ void oauth2_jose_jwk_list_free(oauth2_log_t *log, oauth2_jose_jwk_list_t *keys)
 
 static oauth2_jose_jwk_list_t *
 oauth2_jose_jwks_list_resolve(oauth2_log_t *, oauth2_jose_jwks_provider_t *,
-			      bool *, const cjose_header_t *);
+			      bool *, cjose_header_t *);
 static oauth2_jose_jwk_list_t *
 oauth2_jose_jwks_uri_resolve(oauth2_log_t *, oauth2_jose_jwks_provider_t *,
-			     bool *, const cjose_header_t *);
-static oauth2_jose_jwk_list_t *
-oauth2_jose_jwks_eckey_url_resolve(oauth2_log_t *,
-				   oauth2_jose_jwks_provider_t *, bool *,
-				   const cjose_header_t *);
+			     bool *, cjose_header_t *);
+static oauth2_jose_jwk_list_t *oauth2_jose_jwks_eckey_url_resolve(
+    oauth2_log_t *, oauth2_jose_jwks_provider_t *, bool *, cjose_header_t *);
 static oauth2_jose_jwk_list_t *
 oauth2_jose_jwks_aws_alb_resolve(oauth2_log_t *, oauth2_jose_jwks_provider_t *,
-				 bool *, const cjose_header_t *);
+				 bool *, cjose_header_t *);
 
 static oauth2_jose_jwks_provider_t *
 _oauth2_jose_jwks_provider_init(oauth2_log_t *log,
@@ -1892,7 +1890,7 @@ _OAUTH_CFG_CTX_CALLBACK(oauth2_jose_verify_options_jwk_set_aws_alb)
 static oauth2_jose_jwk_list_t *
 oauth2_jose_jwks_list_resolve(oauth2_log_t *log,
 			      oauth2_jose_jwks_provider_t *provider,
-			      bool *refresh, const cjose_header_t *hdr)
+			      bool *refresh, cjose_header_t *hdr)
 {
 	*refresh = false;
 	return oauth2_jose_jwk_list_clone(log, provider->jwks);
@@ -2219,7 +2217,7 @@ static oauth2_jose_jwk_list_t *_oauth2_jose_jwks_resolve_from_uri(
 static oauth2_jose_jwk_list_t *
 oauth2_jose_jwks_uri_resolve(oauth2_log_t *log,
 			     oauth2_jose_jwks_provider_t *provider,
-			     bool *refresh, const cjose_header_t *hdr)
+			     bool *refresh, cjose_header_t *hdr)
 {
 	return _oauth2_jose_jwks_resolve_from_uri(
 	    log, provider, refresh,
@@ -2229,85 +2227,91 @@ oauth2_jose_jwks_uri_resolve(oauth2_log_t *log,
 static oauth2_jose_jwk_list_t *
 oauth2_jose_jwks_eckey_url_resolve(oauth2_log_t *log,
 				   oauth2_jose_jwks_provider_t *provider,
-				   bool *refresh, const cjose_header_t *hdr)
+				   bool *refresh, cjose_header_t *hdr)
 {
 	return _oauth2_jose_jwks_resolve_from_uri(
 	    log, provider, refresh,
 	    _oauth2_jose_jwks_eckey_url_resolve_response_callback);
 }
 
-static const char *_oauth2_jose_jwks_aws_alb_region(const char *arn) {
-    if (!arn) return NULL;
+static const char *_oauth2_jose_jwks_aws_alb_region(const char *arn)
+{
+	if (!arn)
+		return NULL;
 
-    char *arn_copy = oauth2_strdup(arn);
-    if (!arn_copy) return NULL;
+	char *arn_copy = oauth2_strdup(arn);
+	if (!arn_copy)
+		return NULL;
 
-    char *token = strtok(arn_copy, ":");
-    int count = 0;
-    const char *region = NULL;
+	char *token = strtok(arn_copy, ":");
+	int count = 0;
+	const char *region = NULL;
 
-    while (token) {
-        if (count == 3) {
-            region = oauth2_strdup(token);
-            break;
-        }
-        token = strtok(NULL, ":");
-        count++;
-    }
+	while (token) {
+		if (count == 3) {
+			region = oauth2_strdup(token);
+			break;
+		}
+		token = strtok(NULL, ":");
+		count++;
+	}
 
-    oauth2_mem_free(arn_copy);
-    return region;
+	oauth2_mem_free(arn_copy);
+	return region;
 }
 
 static oauth2_jose_jwk_list_t *
 oauth2_jose_jwks_aws_alb_resolve(oauth2_log_t *log,
 				 oauth2_jose_jwks_provider_t *provider,
-				 bool *refresh, const cjose_header_t *hdr)
+				 bool *refresh, cjose_header_t *hdr)
 {
-    cjose_err err;
-
-    // TODO - error here, issue with const cjose_header_t *hdr
-    const char *signer = cjose_header_get(hdr, "signer", &err);
-    const char *kid = cjose_header_get(hdr, "kid", &err);
-
-    if (!signer || !kid) {
-        oauth2_error(log, "missing 'signer' or 'kid' in JWT header: signer=%s, kid=%s", signer, kid);
-        return NULL;
-    }
-
-    // TODO - determine if theres a better place for this?
-    // TODO - maybe needed? timing safe compare?
-    if (strcmp(signer, provider->alb_arn) != 0) {
-        oauth2_error(log, "signer does not match configured ARN: signer=%s, arn=%s", signer, provider->alb_arn);
-        return NULL;
-    }
-
-    const char *region = _oauth2_jose_jwks_aws_alb_region(provider->alb_arn);
-    if (!region) {
-        oauth2_error(log, "failed to extract region from ARN: arn=%s", provider->alb_arn);
-        return NULL;
-    }
-
-    size_t url_len = strlen("https://public-keys.auth.elb.") + strlen(region) + strlen(".amazonaws.com/") + strlen(kid) + 1;
-    char *url = oauth2_mem_alloc(url_len);
-    if (!url) {
-        oauth2_error(log, "oauth2_mem_alloc failed for JWKS URL");
-        return NULL;
-    }
-
-    oauth2_snprintf(url, url_len, "https://public-keys.auth.elb.%s.amazonaws.com/%s", region, kid);
-    oauth2_debug(log, "constructed JWKS URL: %s", url);
-
-    // TODO - should probably be a copy of provider?
-    oauth2_cfg_endpoint_set_url(provider->jwks_uri->endpoint, url);
-
-    oauth2_jose_jwk_list_t *result = _oauth2_jose_jwks_resolve_from_uri(
-        log, provider, refresh, oauth2_jose_jwks_eckey_url_resolve_response_callback
-    );
-
-    oauth2_mem_free(url);
-
-    return result;
+	cjose_err err;
+
+	const char *signer = cjose_header_get(hdr, "signer", &err);
+	const char *kid = cjose_header_get(hdr, "kid", &err);
+
+	if (!signer || !kid) {
+		oauth2_error(log,
+			     "missing 'signer' or 'kid' in JWT header: "
+			     "signer=%s, kid=%s",
+			     signer, kid);
+		return NULL;
+	}
+
+	// TODO - maybe needed? timing safe compare?
+	if (strcmp(signer, provider->alb_arn) != 0) {
+		oauth2_error(
+		    log,
+		    "signer does not match configured ARN: signer=%s, arn=%s",
+		    signer, provider->alb_arn);
+		return NULL;
+	}
+
+	const char *region =
+	    _oauth2_jose_jwks_aws_alb_region(provider->alb_arn);
+	if (!region) {
+		oauth2_error(log, "failed to extract region from ARN: arn=%s",
+			     provider->alb_arn);
+		return NULL;
+	}
+
+	// TODO: make the base URL configurable
+	char *url = _oauth2_stradd4(NULL, "https://public-keys.auth.elb.",
+				    region, ".amazonaws.com/", kid);
+	oauth2_debug(log, "constructed ALB JWKs URL: %s", url);
+
+	provider->jwks_uri = oauth2_uri_ctx_init(log);
+	oauth2_jose_options_uri_ctx(log, url, NULL, provider->jwks_uri, NULL);
+
+	oauth2_jose_jwk_list_t *result = _oauth2_jose_jwks_resolve_from_uri(
+	    log, provider, refresh,
+	    _oauth2_jose_jwks_eckey_url_resolve_response_callback);
+
+	oauth2_uri_ctx_free(log, provider->jwks_uri);
+	provider->jwks_uri = NULL;
+	oauth2_mem_free(url);
+
+	return result;
 }
 
 /*
diff --git a/src/jose_int.h b/src/jose_int.h
@@ -55,7 +55,7 @@ typedef struct oauth2_jose_jwks_provider_t oauth2_jose_jwks_provider_t;
 typedef oauth2_jose_jwk_list_t *(
     oauth2_jose_jwks_resolve_cb_t)(oauth2_log_t *,
 				   oauth2_jose_jwks_provider_t *, bool *,
-				   const cjose_header_t *hdr);
+				   cjose_header_t *hdr);
 
 typedef struct oauth2_jose_jwks_provider_t {
 	oauth2_jose_jwks_provider_type_t type;
