PEM key file support (TeslaGov#56)

penumbra23 · branimirbamfan · web-flow · commit 1653ef1c34a3 · 2021-08-25T12:37:40.000-04:00
* Fix newlines (sry win) in config

* Add reading key file name, minify docker image size

* Add key file path, minor name change

* Fix memory leak

* Fix indentation

* Add RS256 key file documentation

* Fix tests and config

* Fix newlines

* Add private keyfile fields inside ___location config

* Add tests for rsa256 keyfile scenarios

* Update readme

Co-authored-by: Branimir Malesevic &lt;branimir.malesevic@bam.fan&gt;
diff --git a/Dockerfile b/Dockerfile
@@ -19,28 +19,12 @@ RUN echo "enabled=1" >>/etc/yum.repos.d/nginx.repo
 
 RUN yum -y update && \
     yum -y groupinstall 'Development Tools' && \
-    yum -y install pcre-devel pcre zlib-devel openssl-devel wget cmake check-devel check && \
+    yum -y install pcre-devel pcre zlib-devel openssl-devel wget cmake3 check-devel check && \
     yum -y install nginx-$NGINX_VERSION
 
-# for compiling for rh-nginx110
-# yum -y install libxml2 libxslt libxml2-devel libxslt-devel gd gd-devel perl-ExtUtils-Embed
-
 # for compiling for epel7
 RUN yum -y install libxml2 libxslt libxml2-devel libxslt-devel gd gd-devel perl-ExtUtils-Embed geoip geoip-devel google-perftools google-perftools-devel
 
-# Jansson requires new cmake
-RUN yum -y install cmake3 && \
-    alternatives --install /usr/local/bin/cmake cmake /usr/bin/cmake 10 \
---slave /usr/local/bin/ctest ctest /usr/bin/ctest \
---slave /usr/local/bin/cpack cpack /usr/bin/cpack \
---slave /usr/local/bin/ccmake ccmake /usr/bin/ccmake \
---family cmake && \
-    alternatives --install /usr/local/bin/cmake cmake /usr/bin/cmake3 20 \
---slave /usr/local/bin/ctest ctest /usr/bin/ctest3 \
---slave /usr/local/bin/cpack cpack /usr/bin/cpack3 \
---slave /usr/local/bin/ccmake ccmake /usr/bin/ccmake3 \
---family cmake
-
 RUN mkdir -p /root/dl
 WORKDIR /root/dl
 
@@ -50,7 +34,7 @@ RUN wget https://github.com/akheron/jansson/archive/v$JANSSON_VERSION.zip && \
     rm v$JANSSON_VERSION.zip && \
     ln -sf jansson-$JANSSON_VERSION jansson && \
     cd /root/dl/jansson && \
-    cmake . -DJANSSON_BUILD_SHARED_LIBS=1 -DJANSSON_BUILD_DOCS=OFF && \
+    cmake3 . -DJANSSON_BUILD_SHARED_LIBS=1 -DJANSSON_BUILD_DOCS=OFF && \
     make && \
     make check && \
     make install
@@ -99,12 +83,14 @@ RUN wget http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz && \
 # Get nginx ready to run
 COPY resources/nginx.conf /etc/nginx/nginx.conf
 COPY resources/test-jwt-nginx.conf /etc/nginx/conf.d/test-jwt-nginx.conf
+COPY resources/rsa_key_2048-pub.pem /etc/nginx/rsa-key.conf
 RUN rm -rf /usr/share/nginx/html
 RUN cp -r /root/dl/nginx/html /usr/share/nginx
 RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure
 RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure-rs256
 RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure-auth-header
 RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure-no-redirect
+RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure-rs256-file
 
 ENTRYPOINT ["/usr/sbin/nginx"]
 
diff --git a/README.md b/README.md
@@ -45,11 +45,13 @@ auth_jwt_loginurl "https://yourdomain.com/loginpage";
 auth_jwt_enabled on;
 auth_jwt_algorithm HS256; # or RS256
 auth_jwt_validate_email on;  # or off
+auth_jwt_use_keyfile off; # or on
+auth_jwt_keyfile_path "/app/pub_key";
 ```
 
 The default algorithm is 'HS256', for symmetric key validation.  When using HS256, the value for `auth_jwt_key` should be specified in binhex format.  It is recommended to use at least 256 bits of data (32 pairs of hex characters or 64 characters in total) as in the example above.  Note that using more than 512 bits will not increase the security.  For key guidelines please see NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms, Section 5.3.2 The HMAC Key.
 
-The configuration also supports the `auth_jwt_algorithm` 'RS256', for RSA 256-bit public key validation. If using "auth_jwt_algorithm RS256;", then the `auth_jwt_key` field must be set to your public key.
+The configuration also supports the `auth_jwt_algorithm` 'RS256', for RSA 256-bit public key validation. If using "auth_jwt_algorithm RS256;", then the `auth_jwt_key` field must be set to your public key **OR** `auth_jwt_use_keyfile` should be set to `on` with the `auth_jwt_keyfile_path` set to the public key path (nginx won't start if the `auth_jwt_use_keyfile` is set to `on` without a keyfile).
 That is the public key, rather than a PEM certificate.  I.e.:
 
 ```
@@ -64,6 +66,13 @@ oQIDAQAB
 -----END PUBLIC KEY-----";
 ```
 
+**OR**
+
+```
+auth_jwt_use_keyfile on;
+auth_jwt_keyfile_path "/etc/nginx/pub_key.pem";
+```
+
 A typical use would be to specify the key and loginurl on the main level
 and then only turn on the locations that you want to secure (not the login page).
 Unauthorized requests are given 302 "Moved Temporarily" responses with a ___location of the specified loginurl.
diff --git a/resources/test-jwt-nginx.conf b/resources/test-jwt-nginx.conf
@@ -44,6 +44,17 @@ BwIDAQAB
         index  index.html index.htm;
     }
 
+    ___location ~ ^/secure-rs256-file/ {
+        auth_jwt_enabled on;
+        auth_jwt_validation_type AUTHORIZATION;
+        auth_jwt_algorithm RS256;
+        auth_jwt_redirect  off;
+        auth_jwt_use_keyfile on;
+        auth_jwt_keyfile_path "/etc/nginx/rsa-key.conf";
+        root  /usr/share/nginx;
+        index  index.html index.htm;
+    }
+
     ___location / {
         root   /usr/share/nginx/html;
         index  index.html index.htm;
diff --git a/src/ngx_http_auth_jwt_module.c b/src/ngx_http_auth_jwt_module.c
@@ -18,6 +18,8 @@
 #include "ngx_http_auth_jwt_binary_converters.h"
 #include "ngx_http_auth_jwt_string.h"
 
+#include <stdio.h>
+
 typedef struct {
 	ngx_str_t    auth_jwt_loginurl;
 	ngx_str_t    auth_jwt_key;
@@ -26,7 +28,10 @@ typedef struct {
 	ngx_str_t    auth_jwt_validation_type;
 	ngx_str_t    auth_jwt_algorithm;
 	ngx_flag_t   auth_jwt_validate_email;
-
+	ngx_str_t    auth_jwt_keyfile_path;
+	ngx_flag_t   auth_jwt_use_keyfile;
+	// Private field for keyfile data
+	ngx_str_t    _auth_jwt_keyfile;
 } ngx_http_auth_jwt_loc_conf_t;
 
 static ngx_int_t ngx_http_auth_jwt_init(ngx_conf_t *cf);
@@ -86,6 +91,20 @@ static ngx_command_t ngx_http_auth_jwt_commands[] = {
 		offsetof(ngx_http_auth_jwt_loc_conf_t, auth_jwt_validate_email),
 		NULL },
 
+	{ ngx_string("auth_jwt_keyfile_path"),
+		NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+		ngx_conf_set_str_slot,
+		NGX_HTTP_LOC_CONF_OFFSET,
+		offsetof(ngx_http_auth_jwt_loc_conf_t, auth_jwt_keyfile_path),
+		NULL },
+
+	{ ngx_string("auth_jwt_use_keyfile"),
+		NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+		ngx_conf_set_flag_slot,
+		NGX_HTTP_LOC_CONF_OFFSET,
+		offsetof(ngx_http_auth_jwt_loc_conf_t, auth_jwt_use_keyfile),
+		NULL },
+
 	ngx_null_command
 };
 
@@ -129,6 +148,7 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 	char* return_url;
 	ngx_http_auth_jwt_loc_conf_t *jwtcf;
 	u_char *keyBinary;
+	// For clearing it later on
 	jwt_t *jwt = NULL;
 	int jwtParseReturnCode;
 	jwt_alg_t alg;
@@ -177,8 +197,18 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 	else if ( auth_jwt_algorithm.len == sizeof("RS256") - 1 && ngx_strncmp(auth_jwt_algorithm.data, "RS256", sizeof("RS256") - 1) == 0 )
 	{
 		// in this case, 'Binary' is a misnomer, as it is the public key string itself
-		keyBinary = jwtcf->auth_jwt_key.data;
-		keylen = jwtcf->auth_jwt_key.len;
+		if (jwtcf->auth_jwt_use_keyfile == 1)
+		{
+			// Set to global variables
+			// NOTE: check for keyBin == NULL skipped, unnecessary check; nginx should fail to start
+			keyBinary = (u_char*)jwtcf->_auth_jwt_keyfile.data;
+			keylen = jwtcf->_auth_jwt_keyfile.len;
+		}
+		else
+		{
+			keyBinary = jwtcf->auth_jwt_key.data;
+			keylen = jwtcf->auth_jwt_key.len;
+		}
 	}
 	else
 	{
@@ -239,6 +269,7 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 
 	jwt_free(jwt);
 
+	
 	return NGX_OK;
 	
 	redirect:
@@ -358,7 +389,6 @@ static ngx_int_t ngx_http_auth_jwt_init(ngx_conf_t *cf)
 	return NGX_OK;
 }
 
-
 static void *
 ngx_http_auth_jwt_create_loc_conf(ngx_conf_t *cf)
 {
@@ -374,12 +404,43 @@ ngx_http_auth_jwt_create_loc_conf(ngx_conf_t *cf)
 	conf->auth_jwt_enabled = (ngx_flag_t) -1;
 	conf->auth_jwt_redirect = (ngx_flag_t) -1;
 	conf->auth_jwt_validate_email = (ngx_flag_t) -1;
+	conf->auth_jwt_use_keyfile = (ngx_flag_t) -1;
 
 	ngx_conf_log_error(NGX_LOG_DEBUG, cf, 0, "Created Location Configuration");
 	
 	return conf;
 }
 
+// Loads the RSA256 public key into the ___location config struct
+static ngx_int_t
+loadAuthKey(ngx_conf_t *cf, ngx_http_auth_jwt_loc_conf_t* conf) {
+	FILE *keyFile = fopen((const char*)conf->auth_jwt_keyfile_path.data, "rb");
+
+	// Check if file exists or is correctly opened
+	if (keyFile == NULL)
+	{
+		ngx_log_error(NGX_LOG_ERR, cf->log, 0, "failed to open pub key file");
+		return NGX_ERROR;
+	}
+
+	// Read file length
+	fseek(keyFile, 0, SEEK_END);
+	long keySize = ftell(keyFile);
+	fseek(keyFile, 0, SEEK_SET);
+	
+	if (keySize == 0)
+	{
+		ngx_log_error(NGX_LOG_ERR, cf->log, 0, "invalid key file size, check the key file");
+		return NGX_ERROR;
+	}
+
+	conf->_auth_jwt_keyfile.data = ngx_palloc(cf->pool, keySize);
+	fread(conf->_auth_jwt_keyfile.data, 1, keySize, keyFile);
+	conf->_auth_jwt_keyfile.len = (int)keySize;
+
+	fclose(keyFile);
+	return NGX_OK;
+}
 
 static char *
 ngx_http_auth_jwt_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
@@ -391,6 +452,7 @@ ngx_http_auth_jwt_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 	ngx_conf_merge_str_value(conf->auth_jwt_key, prev->auth_jwt_key, "");
 	ngx_conf_merge_str_value(conf->auth_jwt_validation_type, prev->auth_jwt_validation_type, "");
 	ngx_conf_merge_str_value(conf->auth_jwt_algorithm, prev->auth_jwt_algorithm, "HS256");
+	ngx_conf_merge_str_value(conf->auth_jwt_keyfile_path, prev->auth_jwt_keyfile_path, "");
 	ngx_conf_merge_off_value(conf->auth_jwt_validate_email, prev->auth_jwt_validate_email, 1);
 	
 	if (conf->auth_jwt_enabled == ((ngx_flag_t) -1)) 
@@ -403,6 +465,26 @@ ngx_http_auth_jwt_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 		conf->auth_jwt_redirect = (prev->auth_jwt_redirect == ((ngx_flag_t) -1)) ? 0 : prev->auth_jwt_redirect;
 	}
 
+	if (conf->auth_jwt_use_keyfile == ((ngx_flag_t) -1))
+	{
+		conf->auth_jwt_use_keyfile = (prev->auth_jwt_use_keyfile == ((ngx_flag_t) -1)) ? 0 : prev->auth_jwt_use_keyfile;
+	}
+
+	// If the usage of the keyfile is specified, check if the key_path is also configured
+	if (conf->auth_jwt_use_keyfile == 1)
+	{
+		if (ngx_strcmp(conf->auth_jwt_keyfile_path.data, "") != 0)
+		{
+			if (loadAuthKey(cf, conf) != NGX_OK)
+				return NGX_CONF_ERROR;
+		}
+		else
+		{
+			ngx_log_error(NGX_LOG_ERR, cf->log, 0, "auth_jwt_keyfile_path not specified");
+			return NGX_CONF_ERROR;
+		}
+	}
+
 	return NGX_CONF_OK;
 }
 
diff --git a/test.sh b/test.sh
@@ -25,6 +25,7 @@ main() {
   local MISSING_SUB_JWT=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmaXJzdE5hbWUiOiJoZWxsbyIsImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwicm9sZXMiOlsidGhpcyIsInRoYXQiLCJ0aGVvdGhlciJdLCJpc3MiOiJpc3N1ZXIiLCJwZXJzb25JZCI6Ijc1YmIzY2M3LWI5MzMtNDRmMC05M2M2LTE0N2IwODJmYWRiNSIsImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.lD6jUsazVtzeGhRTNeP_b2Zs6O798V2FQql11QOEI1Q
   local MISSING_EMAIL_JWT=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwibGFzdE5hbWUiOiJ3b3JsZCIsInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwiaXNzIjoiaXNzdWVyIiwicGVyc29uSWQiOiI3NWJiM2NjNy1iOTMzLTQ0ZjAtOTNjNi0xNDdiMDgyZmFkYjUiLCJleHAiOjE5MDg4MzUyMDAsImlhdCI6MTQ4ODgxOTYwMCwidXNlcm5hbWUiOiJoZWxsby53b3JsZCJ9.tJoAl_pvq95hK7GKqsp5TU462pLTbmSYZc1fAHzcqWM
   local VALID_RS256_JWT=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwgImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwgInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwgImlzcyI6Imlzc3VlciIsInBlcnNvbklkIjoiNzViYjNjYzctYjkzMy00NGYwLTkzYzYtMTQ3YjA4MmZhZGI1IiwgImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.cn5Gb75XL-r7TMsPuqzWoKZ06ZsyF_VZIG0Ohn8uZZFeF8dFUhSrEOYe8WFN6Eon8a8LC0OCI9eNdGiD4m_e9TD1Iz2juqaeos-6yd7SWuODr4YS8KD3cqfXndnLRPzp9PC_UIpATsbqOmxGDrRKvHsQq0TuIXImU3rM_m3kFJFgtoJFHx3KmZUo_Ozkyhhc6Pukikhy6odNAtEyLHP5_tabMXtkeAuIlG8dhjAxef4mJLexYFclG-vl7No5VBU4JrMbfgyxtobcYoE-bDIpmQHywrwo6Li7X0hgHJ17sfS3G2YMHmE-Ij_W2Lf9kf5r2r12DUvg44SLIfM58pCINQ
+  local INVALID_RSA256_JWT=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwibGFzdE5hbWUiOiJ3b3JsZCIsImVtYWlsQWRkcmVzcyI6ImhlbGxvd29ybGRAZXhhbXBsZS5jb20iLCJyb2xlcyI6WyJ0aGlzIiwidGhhdCIsInRoZW90aGVyIl0sImlzcyI6Imlzc3VlciIsInBlcnNvbklkIjoiNzViYjNjYzctYjkzMy00NGYwLTkzYzYtMTQ3YjA4MmZhZGI1IiwiZXhwIjoxOTA4ODM1MjAwLCJpYXQiOjE0ODg4MTk2MDAsInVzZXJuYW1lIjoiaGVsbG8ud29ybGQifQ._aQmIBL4CVBxU1fNMOHp0kkagFaaX2TvAEenizytwd0
 
   test_jwt "Insecure test" "/" "200"
 
@@ -45,6 +46,10 @@ main() {
   test_jwt "Secure test with jwt cookie - with no email" "/secure/" "200" " --cookie \"rampartjwt=${MISSING_EMAIL_JWT}\""
 
   test_jwt "Secure test with rs256 jwt cookie" "/secure-rs256/" "200" " --cookie \"rampartjwt=${VALID_RS256_JWT}\""
+
+  test_jwt "Secure test rsa256 from file with valid jwt" "/secure-rs256-file/" "200" "--header \"Authorization: Bearer ${VALID_RS256_JWT}\""
+
+  test_jwt "Secure test rsa256 from file with invalid jwt" "/secure-rs256-file/" "401" "--header \"Authorization: Bearer ${INVALID_RSA256_JWT}\""
 }
 
 main "$@"
