Merge pull request #1 from penumbra23/feature/rs256-key-file

Add loading RS256 key from file

Author: penumbra23

Dockerfile

@@ -15,25 +15,9 @@ RUN yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.n
     yum -y install pcre-devel pcre zlib-devel openssl-devel wget cmake check-devel check && \
     yum -y install nginx-$NGINX_VERSION
 
-# for compiling for rh-nginx110
-# yum -y install libxml2 libxslt libxml2-devel libxslt-devel gd gd-devel perl-ExtUtils-Embed
-
 # for compiling for epel7
 RUN yum -y install libxml2 libxslt libxml2-devel libxslt-devel gd gd-devel perl-ExtUtils-Embed geoip geoip-devel google-perftools google-perftools-devel
 
-# Jansson requires new cmake
-RUN yum -y install cmake3 && \
-    alternatives --install /usr/local/bin/cmake cmake /usr/bin/cmake 10 \
---slave /usr/local/bin/ctest ctest /usr/bin/ctest \
---slave /usr/local/bin/cpack cpack /usr/bin/cpack \
---slave /usr/local/bin/ccmake ccmake /usr/bin/ccmake \
---family cmake && \
-    alternatives --install /usr/local/bin/cmake cmake /usr/bin/cmake3 20 \
---slave /usr/local/bin/ctest ctest /usr/bin/ctest3 \
---slave /usr/local/bin/cpack cpack /usr/bin/cpack3 \
---slave /usr/local/bin/ccmake ccmake /usr/bin/ccmake3 \
---family cmake
-
 RUN mkdir -p /root/dl
 WORKDIR /root/dl
 
@@ -85,19 +69,12 @@ RUN wget http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz && \
     rm nginx-$NGINX_VERSION.tar.gz && \
     ln -sf nginx-$NGINX_VERSION nginx && \
     cd /root/dl/nginx && \
-    ./configure --add-dynamic-module=../ngx-http-auth-jwt-module --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -std=gnu99' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E' && \
+    ./configure --add-dynamic-module=../ngx-http-auth-jwt-module --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Werror=unused-variable -Wno-unused-variable -Wno-error=unused-but-set-variable -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -std=gnu99' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E' && \
     make modules && \
     cp /root/dl/nginx/objs/ngx_http_auth_jwt_module.so /usr/lib64/nginx/modules/.
 
 # Get nginx ready to run
 COPY resources/nginx.conf /etc/nginx/nginx.conf
-COPY resources/test-jwt-nginx.conf /etc/nginx/conf.d/test-jwt-nginx.conf
-RUN rm -rf /usr/share/nginx/html
-RUN cp -r /root/dl/nginx/html /usr/share/nginx
-RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure
-RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure-rs256
-RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure-auth-header
-RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure-no-redirect
 
 ENTRYPOINT ["/usr/sbin/nginx"]
 

README.md

@@ -45,11 +45,13 @@ auth_jwt_loginurl "https://yourdomain.com/loginpage";
 auth_jwt_enabled on;
 auth_jwt_algorithm HS256; # or RS256
 auth_jwt_validate_email on;  # or off
+auth_jwt_use_keyfile off; # or on
+auth_jwt_keyfile_path "/app/pub_key";
 ```
 
 The default algorithm is 'HS256', for symmetric key validation.  When using HS256, the value for `auth_jwt_key` should be specified in binhex format.  It is recommended to use at least 256 bits of data (32 pairs of hex characters or 64 characters in total) as in the example above.  Note that using more than 512 bits will not increase the security.  For key guidelines please see NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms, Section 5.3.2 The HMAC Key.
 
-The configuration also supports the `auth_jwt_algorithm` 'RS256', for RSA 256-bit public key validation. If using "auth_jwt_algorithm RS256;", then the `auth_jwt_key` field must be set to your public key.
+The configuration also supports the `auth_jwt_algorithm` 'RS256', for RSA 256-bit public key validation. If using "auth_jwt_algorithm RS256;", then the `auth_jwt_key` field must be set to your public key **OR** `auth_jwt_use_keyfile` should be set to `on` with the `auth_jwt_keyfile_path` set to the public key path (which defaults to `"/app/pub_key"`).
 That is the public key, rather than a PEM certificate.  I.e.:
 
 ```
@@ -64,6 +66,13 @@ oQIDAQAB
 -----END PUBLIC KEY-----";
 ```
 
+**OR**
+
+```
+auth_jwt_use_keyfile on;
+auth_jwt_keyfile_path "/etc/nginx/pub_key.pem";
+```
+
 A typical use would be to specify the key and loginurl on the main level
 and then only turn on the locations that you want to secure (not the login page).
 Unauthorized requests are given 302 "Moved Temporarily" responses with a ___location of the specified loginurl.

config

@@ -1,8 +1,6 @@
 ngx_addon_name=ngx_http_auth_jwt_module
-
 ngx_module_type=HTTP
 ngx_module_name=ngx_http_auth_jwt_module
 ngx_module_srcs="$ngx_addon_dir/src/ngx_http_auth_jwt_binary_converters.c $ngx_addon_dir/src/ngx_http_auth_jwt_header_processing.c $ngx_addon_dir/src/ngx_http_auth_jwt_string.c $ngx_addon_dir/src/ngx_http_auth_jwt_module.c"
 ngx_module_libs="-ljansson -ljwt"
-
-. auto/module
+. auto/module

resources/test-jwt-nginx.conf

@@ -2,7 +2,7 @@ server {
     auth_jwt_key                 "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF";
     auth_jwt_loginurl            "https://teslagov.com";
     auth_jwt_enabled             off;
-    auth_jwt_redirect            on;
+    auth_jwt_redirect            off;
 
     listen       8000;
     server_name  localhost;
@@ -29,21 +29,30 @@ server {
 
     ___location ~ ^/secure-rs256/ {
         auth_jwt_enabled on;
-        auth_jwt_validation_type COOKIE=rampartjwt;
+        auth_jwt_validation_type AUTHORIZATION;
         auth_jwt_algorithm RS256;
         auth_jwt_key "-----BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwtpMAM4l1H995oqlqdMh
-uqNuffp4+4aUCwuFE9B5s9MJr63gyf8jW0oDr7Mb1Xb8y9iGkWfhouZqNJbMFry+
-iBs+z2TtJF06vbHQZzajDsdux3XVfXv9v6dDIImyU24MsGNkpNt0GISaaiqv51NM
-ZQX0miOXXWdkQvWTZFXhmsFCmJLE67oQFSar4hzfAaCulaMD+b3Mcsjlh0yvSq7g
-6swiIasEU3qNLKaJAZEzfywroVYr3BwM1IiVbQeKgIkyPS/85M4Y6Ss/T+OWi1Oe
-K49NdYBvFP+hNVEoeZzJz5K/nd6C35IX0t2bN5CVXchUFmaUMYk2iPdhXdsC720t
-BwIDAQAB
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoDssqQi9TL79UPYaWqEr
+W11InyFvIUjhOYlTv4N/1AqOBRSCOLyGrm3MI/ngqxD2MEcBYwko7SWX0TR2WJsE
+kFv0V+107lmALMLBBrBzBIkmxUsBUwgwbn5639k8p/zXELsBOqTQ4bdLK+cpsEUE
+ECZU4kNcWm7c/VNEhf0SbgYoco6IGPBR7SrhWfbFSwCbbzdYMQE39kAOExSZgEav
+7oMbjK82ciDWrxtl+adNIPCDAA8tv0//YuxARSDnXXUKybagooYFwLs8RhIH4WRo
+ZhHrF0zHJrYCR/QoHF5Q96iDHJ/gBAUAhB76w+65IrzPQHbsCC/9VJAm+DPmEcZq
+jwIDAQAB
 -----END PUBLIC KEY-----";
         root  /usr/share/nginx;
         index  index.html index.htm;
     }
 
+    ___location ~ ^/secure-rs256-file/ {
+        auth_jwt_enabled on;
+        auth_jwt_validation_type AUTHORIZATION;
+        auth_jwt_algorithm RS256;
+		auth_jwt_use_keyfile on;
+        root  /usr/share/nginx;
+        index  index.html index.htm;
+    }
+
     ___location / {
         root   /usr/share/nginx/html;
         index  index.html index.htm;

src/ngx_http_auth_jwt_module.c

@@ -18,13 +18,19 @@
 #include "ngx_http_auth_jwt_binary_converters.h"
 #include "ngx_http_auth_jwt_string.h"
 
+#include <stdio.h>
+
+const char* KEY_FILE_PATH = "/app/pub_key";
+
 typedef struct {
 	ngx_str_t    auth_jwt_loginurl;
 	ngx_str_t    auth_jwt_key;
 	ngx_flag_t   auth_jwt_enabled;
 	ngx_flag_t   auth_jwt_redirect;
 	ngx_str_t    auth_jwt_validation_type;
 	ngx_str_t    auth_jwt_algorithm;
+	ngx_flag_t   auth_jwt_use_keyfile;
+	ngx_str_t    auth_jwt_keyfile_path;
 	ngx_flag_t   auth_jwt_validate_email;
 
 } ngx_http_auth_jwt_loc_conf_t;
@@ -58,6 +64,20 @@ static ngx_command_t ngx_http_auth_jwt_commands[] = {
 		offsetof(ngx_http_auth_jwt_loc_conf_t, auth_jwt_enabled),
 		NULL },
 
+	{ ngx_string("auth_jwt_use_keyfile"),
+		NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+		ngx_conf_set_flag_slot,
+		NGX_HTTP_LOC_CONF_OFFSET,
+		offsetof(ngx_http_auth_jwt_loc_conf_t, auth_jwt_use_keyfile),
+		NULL },
+
+	{ ngx_string("auth_jwt_keyfile_path"),
+		NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+		ngx_conf_set_str_slot,
+		NGX_HTTP_LOC_CONF_OFFSET,
+		offsetof(ngx_http_auth_jwt_loc_conf_t, auth_jwt_keyfile_path),
+		NULL },
+
 	{ ngx_string("auth_jwt_redirect"),
 		NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
 		ngx_conf_set_flag_slot,
@@ -129,6 +149,8 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 	char* return_url;
 	ngx_http_auth_jwt_loc_conf_t *jwtcf;
 	u_char *keyBinary;
+	// For clearing it later on
+	char* pub_key = NULL;
 	jwt_t *jwt = NULL;
 	int jwtParseReturnCode;
 	jwt_alg_t alg;
@@ -177,8 +199,45 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 	else if ( auth_jwt_algorithm.len == sizeof("RS256") - 1 && ngx_strncmp(auth_jwt_algorithm.data, "RS256", sizeof("RS256") - 1) == 0 )
 	{
 		// in this case, 'Binary' is a misnomer, as it is the public key string itself
-		keyBinary = jwtcf->auth_jwt_key.data;
-		keylen = jwtcf->auth_jwt_key.len;
+		ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "failed to find a jwt");
+		if (jwtcf->auth_jwt_use_keyfile == 1)
+		{
+			FILE *file = fopen((const char*)jwtcf->auth_jwt_keyfile_path.data, "rb");
+
+			// Check if file exists or is correctly opened
+			if (file == NULL)
+			{
+				char err[100];
+				strcpy(err, "failed to open pub key file: ");
+				strcat(err, KEY_FILE_PATH);
+				ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, err);
+				goto redirect;
+			}
+
+			// Read file length
+			fseek(file, 0, SEEK_END);
+			long key_size = ftell(file);
+			fseek(file, 0, SEEK_SET);
+			
+			if (key_size == 0)
+			{
+				ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "invalid key file size, check the key file");
+				goto redirect;
+			}
+
+			// Read pub key
+			pub_key = malloc(key_size + 1);
+			size_t bytes_read = fread(pub_key, 1, key_size, file);
+			fclose(file);
+
+			keyBinary = (u_char*)pub_key;
+			keylen = (int)key_size;
+		}
+		else
+		{
+			keyBinary = jwtcf->auth_jwt_key.data;
+			keylen = jwtcf->auth_jwt_key.len;
+		}
 	}
 	else
 	{
@@ -239,6 +298,8 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 
 	jwt_free(jwt);
 
+	if (pub_key == NULL) free(pub_key);
+	
 	return NGX_OK;
 
 	redirect:
@@ -374,6 +435,7 @@ ngx_http_auth_jwt_create_loc_conf(ngx_conf_t *cf)
 	conf->auth_jwt_enabled = (ngx_flag_t) -1;
 	conf->auth_jwt_redirect = (ngx_flag_t) -1;
 	conf->auth_jwt_validate_email = (ngx_flag_t) -1;
+	conf->auth_jwt_use_keyfile = (ngx_flag_t) -1;
 
 	ngx_conf_log_error(NGX_LOG_DEBUG, cf, 0, "Created Location Configuration");
 
@@ -391,6 +453,7 @@ ngx_http_auth_jwt_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 	ngx_conf_merge_str_value(conf->auth_jwt_key, prev->auth_jwt_key, "");
 	ngx_conf_merge_str_value(conf->auth_jwt_validation_type, prev->auth_jwt_validation_type, "");
 	ngx_conf_merge_str_value(conf->auth_jwt_algorithm, prev->auth_jwt_algorithm, "HS256");
+	ngx_conf_merge_str_value(conf->auth_jwt_keyfile_path, prev->auth_jwt_keyfile_path, KEY_FILE_PATH);
 	ngx_conf_merge_off_value(conf->auth_jwt_validate_email, prev->auth_jwt_validate_email, 1);
 
 	if (conf->auth_jwt_enabled == ((ngx_flag_t) -1)) 
@@ -403,6 +466,11 @@ ngx_http_auth_jwt_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 		conf->auth_jwt_redirect = (prev->auth_jwt_redirect == ((ngx_flag_t) -1)) ? 0 : prev->auth_jwt_redirect;
 	}
 
+	if (conf->auth_jwt_use_keyfile == ((ngx_flag_t) -1))
+	{
+		conf->auth_jwt_use_keyfile = (prev->auth_jwt_use_keyfile == ((ngx_flag_t) -1)) ? 0 : prev->auth_jwt_use_keyfile;
+	}
+
 	return NGX_CONF_OK;
 }