jwt_verify_lib/jwt_verify-make-compatible-with-openssl.patch

From b0e4badb4158934c8ec102dccc26adf3b478e6e5 Mon Sep 17 00:00:00 2001
From: Venil Noronha <veniln@vmware.com>
Date: Fri, 1 Nov 2019 10:10:10 -0700
Subject: [PATCH] make compatible with openssl

Signed-off-by: Venil Noronha <veniln@vmware.com>
---
 BUILD                 |  4 +++-
 jwt_verify_lib/jwks.h |  4 ++++
 src/jwks.cc           | 20 ++++++++++++++++----
 src/verify.cc         | 13 +++++++++++--
 4 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/BUILD b/BUILD
index 60331dc..bd55255 100644
--- a/BUILD
+++ b/BUILD
@@ -27,6 +27,8 @@ cc_library(
         "//external:abseil_time",
         "//external:protobuf",
         "//external:ssl",
+        "@envoy_openssl//boringssl_compat:bssl_compat_cbs_lib",
+        "@envoy_openssl//boringssl_compat:bssl_compat_lib",
     ],
 )
 
diff --git a/jwt_verify_lib/jwks.h b/jwt_verify_lib/jwks.h
index 24a18b7..80676da 100644
--- a/jwt_verify_lib/jwks.h
+++ b/jwt_verify_lib/jwks.h
@@ -22,6 +22,10 @@
 #include "openssl/ec.h"
 #include "openssl/evp.h"
 
+#ifndef OPENSSL_IS_BORINGSSL
+#include "boringssl_compat/bssl.h"
+#endif
+
 namespace google {
 namespace jwt_verify {
 
diff --git a/src/jwks.cc b/src/jwks.cc
index 97b1ae8..9723c82 100644
--- a/src/jwks.cc
+++ b/src/jwks.cc
@@ -27,6 +27,11 @@
 #include "openssl/rsa.h"
 #include "openssl/sha.h"
 
+#ifndef OPENSSL_IS_BORINGSSL
+#include "boringssl_compat/cbs.h"
+using namespace Envoy::Extensions::Common::Cbs;
+#endif
+
 namespace google {
 namespace jwt_verify {
 
@@ -118,18 +123,25 @@ class EvpPkeyGetter : public WithStatus {
   bssl::UniquePtr<RSA> createRsaFromJwk(const std::string& n,
                                         const std::string& e) {
     bssl::UniquePtr<RSA> rsa(RSA_new());
-    rsa->n = createBigNumFromBase64UrlString(n).release();
-    rsa->e = createBigNumFromBase64UrlString(e).release();
-    if (rsa->n == nullptr || rsa->e == nullptr) {
+    BIGNUM* n_bn;
+    BIGNUM* e_bn;
+    n_bn = createBigNumFromBase64UrlString(n).release();
+    e_bn = createBigNumFromBase64UrlString(e).release();
+    if (n_bn == nullptr || e_bn == nullptr) {
       // RSA public key field is missing or has parse error.
       updateStatus(Status::JwksRsaParseError);
       return nullptr;
     }
-    if (BN_cmp_word(rsa->e, 3) != 0 && BN_cmp_word(rsa->e, 65537) != 0) {
+    if (BN_cmp_word(e_bn, 3) != 0 && BN_cmp_word(e_bn, 65537) != 0) {
       // non-standard key; reject it early.
       updateStatus(Status::JwksRsaParseError);
       return nullptr;
     }
+    if (!RSA_set0_key(rsa.get(), n_bn, e_bn, NULL)) {
+      // can't set RSA key; reject it early.
+      updateStatus(Status::JwksRsaParseError);
+      return nullptr;
+    }
     return rsa;
   }
 };
diff --git a/src/verify.cc b/src/verify.cc
index 4d26c25..10fb175 100644
--- a/src/verify.cc
+++ b/src/verify.cc
@@ -22,7 +22,13 @@
 #include "openssl/err.h"
 #include "openssl/evp.h"
 #include "openssl/hmac.h"
+
+#ifdef OPENSSL_IS_BORINGSSL
 #include "openssl/mem.h"
+#else
+#include "openssl/crypto.h"
+#endif
+
 #include "openssl/rsa.h"
 #include "openssl/sha.h"
 
@@ -91,9 +97,12 @@ bool verifySignatureEC(EC_KEY* key, const EVP_MD* md, const uint8_t* signature,
     return false;
   }
 
-  if (BN_bin2bn(signature, signature_len / 2, ecdsa_sig->r) == nullptr ||
+  const BIGNUM* r_bn;
+  const BIGNUM* s_bn;
+  ECDSA_SIG_get0(ecdsa_sig.get(), &r_bn, &s_bn);
+  if (BN_bin2bn(signature, signature_len / 2, const_cast<BIGNUM *>(r_bn)) == nullptr ||
       BN_bin2bn(signature + (signature_len / 2), signature_len / 2,
-                ecdsa_sig->s) == nullptr) {
+                const_cast<BIGNUM *>(s_bn)) == nullptr) {
     return false;
   }
 
-- 
2.14.3 (Apple Git-98)