fix: update envelope.Payload() logic (#44)
Payload() returns the raw payload context instead of base64 encoded data

Signed-off-by: Junjie Gao <[email protected]>

Signed-off-by: Junjie Gao <[email protected]>
JeyJeyGao authored Aug 18, 2022
1 parent 52493c5 commit e5da201
Showing 5 changed files with 56 additions and 29 deletions.
45 changes: 29 additions & 16 deletions signature/jws/envelope.go
Expand Up @@ -36,7 +36,7 @@ func ParseEnvelope(envelopeBytes []byte) (signature.Envelope, error) {
var e jwsEnvelope
err := json.Unmarshal(envelopeBytes, &e)
if err != nil {
return nil, err
return nil, &signature.MalformedSignatureError{Msg: err.Error()}
}
return &base.Envelope{
Envelope: &envelope{internalEnvelope: &e},
Expand All @@ -46,13 +46,8 @@ func ParseEnvelope(envelopeBytes []byte) (signature.Envelope, error) {

// Sign signs the envelope and return the encoded message
func (e *envelope) Sign(req *signature.SignRequest) ([]byte, error) {
ks, err := req.Signer.KeySpec()
if err != nil {
return nil, &signature.MalformedSignRequestError{Msg: err.Error()}
}
alg := ks.SignatureAlgorithm()

signedAttrs, err := getSignedAttrs(req, alg)
// get all attributes ready to be signed
signedAttrs, err := getSignedAttrs(req)
if err != nil {
return nil, err
}
Expand All @@ -70,12 +65,17 @@ func (e *envelope) Sign(req *signature.SignRequest) ([]byte, error) {
}

// generate envelope
e.internalEnvelope, err = generateJWS(compact, req, certs)
env, err := generateJWS(compact, req, certs)
if err != nil {
return nil, err
}

return json.Marshal(e.internalEnvelope)
encoded, err := json.Marshal(env)
if err != nil {
return nil, &signature.MalformedSignatureError{Msg: err.Error()}
}
e.internalEnvelope = env
return encoded, nil
}

// compactJWS converts Flattened JWS JSON Serialization Syntax (section-7.2.2) to
Expand Down Expand Up @@ -129,12 +129,29 @@ func (e *envelope) Payload() (*signature.Payload, error) {
if e.internalEnvelope == nil {
return nil, &signature.MalformedSignatureError{Msg: "missing jws signature envelope"}
}
// parse protected header to get payload context type
protected, err := parseProtectedHeaders(e.internalEnvelope.Protected)
if err != nil {
return nil, err
}

// convert JWS to JWT
tokenString := compactJWS(e.internalEnvelope)

// parse JWT to get payload context
parser := jwt.NewParser(
jwt.WithValidMethods(validMethods),
jwt.WithJSONNumber(),
jwt.WithoutClaimsValidation(),
)
var claims jwtPayload
_, _, err = parser.ParseUnverified(tokenString, &claims)
if err != nil {
return nil, err
}

return &signature.Payload{
Content: []byte(e.internalEnvelope.Payload),
Content: claims,
ContentType: protected.ContentType,
}, nil
}
Expand Down Expand Up @@ -197,11 +214,7 @@ func sign(payload jwtPayload, headers map[string]interface{}, signer signature.S
privateKey = localSigner.PrivateKey()
} else {
// remote signer
var err error
signingMethod, err = newRemoteSigningMethod(signer)
if err != nil {
return "", err
}
signingMethod = newRemoteSigningMethod(signer)
}
// generate token
token := jwt.NewWithClaims(signingMethod, payload)
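Review bot: In the Payload() hunk the claims come from `parser.ParseUnverified`, so the returned `Content` is read out of the envelope without any signature check, and nothing in the visible lines tells a caller that. Payload()'s signature and any existing doc comment sit above the hunk, so this may already be covered; if not, I would add `// Payload returns the payload as found in the envelope. It does not verify the signature; call Verify before trusting the content.` As far as I know golang-jwt applies the `WithValidMethods` allow-list only on the verifying parse path, so that option is probably inert here and should not be read as an algorithm check. The new `return nil, err` after `ParseUnverified` also hands back the raw parser error, whereas ParseEnvelope in this same commit now wraps it; `return nil, &signature.MalformedSignatureError{Msg: err.Error()}` would keep the error type consistent.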
1 change: 0 additions & 1 deletion signature/jws/envelope_test.go
Expand Up @@ -89,7 +89,6 @@ func Test_envelope_Verify_failed(t *testing.T) {
if err != nil {
t.Fatal(t)
}

// manipulate envelope
encoded[len(encoded)-10] = 'C'

9 changes: 6 additions & 3 deletions signature/jws/jws.go
Expand Up @@ -176,24 +176,27 @@ func generateJWS(compact string, req *signature.SignRequest, certs []*x509.Certi
}, nil
}

func getSignedAttrs(req *signature.SignRequest, sigAlg signature.Algorithm) (map[string]interface{}, error) {
// getSignerAttrs merge extended signed attributes and protected header to be signed attributes
func getSignedAttrs(req *signature.SignRequest) (map[string]interface{}, error) {
extAttrs := make(map[string]interface{})
crit := []string{headerKeySigningScheme}

// write extended signed attributes to the extAttrs map
for _, elm := range req.ExtendedSignedAttributes {
extAttrs[elm.Key] = elm.Value
if elm.Critical {
crit = append(crit, elm.Key)
}
}

alg, err := convertAlgorithm(sigAlg)
// extract JWT algorithm name from signer
jwtAlgorithm, err := extractJwtAlgorithm(req.Signer)
if err != nil {
return nil, err
}

jwsProtectedHeader := jwsProtectedHeader{
Algorithm: alg,
Algorithm: jwtAlgorithm,
ContentType: req.Payload.ContentType,
SigningScheme: req.SigningScheme,
}
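Review bot: The added doc comment names the wrong function: it reads `getSignerAttrs` above `getSignedAttrs`, so the comment does not match the identifier it documents; `// getSignedAttrs merges the extended signed attributes and the protected header into the attributes to be signed.` would fix it. In the loop over `req.ExtendedSignedAttributes`, no visible line rejects a caller-supplied `elm.Key` that repeats or that equals a protected-header name, and a critical key is appended to `crit` either way. The merge with `jwsProtectedHeader` happens below the hunk, so which value wins on a collision cannot be seen from here; a guard in the loop or a comment stating the precedence would settle it.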
6 changes: 3 additions & 3 deletions signature/jws/jwt.go
Expand Up @@ -14,8 +14,8 @@ type remoteSigningMethod struct {
signer signature.Signer
}

func newRemoteSigningMethod(signer signature.Signer) (jwt.SigningMethod, error) {
return &remoteSigningMethod{signer: signer}, nil
func newRemoteSigningMethod(signer signature.Signer) jwt.SigningMethod {
return &remoteSigningMethod{signer: signer}
}

// Verify doesn't need to be implemented.
Expand Down Expand Up @@ -71,7 +71,7 @@ func verifyJWT(tokenString string, cert *x509.Certificate) error {
signingMethod := jwt.GetSigningMethod(jwsAlg)

parser := jwt.NewParser(
jwt.WithValidMethods([]string{"PS256", "PS384", "PS512", "ES256", "ES384", "ES512"}),
jwt.WithValidMethods(validMethods),
jwt.WithJSONNumber(),
jwt.WithoutClaimsValidation(),
)
24 changes: 18 additions & 6 deletions signature/jws/types.go
Expand Up @@ -3,6 +3,7 @@ package jws
import (
"time"

"github.com/golang-jwt/jwt/v4"
"github.com/notaryproject/notation-core-go/signature"
)

Expand Down Expand Up @@ -80,13 +81,24 @@ type jwsEnvelope struct {
Signature string `json:"signature"`
}

var (
ps256 = jwt.SigningMethodPS256.Name
ps384 = jwt.SigningMethodPS384.Name
ps512 = jwt.SigningMethodPS512.Name
es256 = jwt.SigningMethodES256.Name
es384 = jwt.SigningMethodES384.Name
es512 = jwt.SigningMethodES512.Name
)

var validMethods = []string{ps256, ps384, ps512, es256, es384, es512}

var signatureAlgJWSAlgMap = map[signature.Algorithm]string{
signature.AlgorithmPS256: "PS256",
signature.AlgorithmPS384: "PS384",
signature.AlgorithmPS512: "PS512",
signature.AlgorithmES256: "ES256",
signature.AlgorithmES384: "ES384",
signature.AlgorithmES512: "ES512",
signature.AlgorithmPS256: ps256,
signature.AlgorithmPS384: ps384,
signature.AlgorithmPS512: ps512,
signature.AlgorithmES256: es256,
signature.AlgorithmES384: es384,
signature.AlgorithmES512: es512,
}

var jwsAlgSignatureAlgMap = reverseMap(signatureAlgJWSAlgMap)
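Review bot: `validMethods` is now the single allow-list of accepted JWS algorithms, but it is declared as a mutable package-level `var` slice with no comment, and both parser call sites in this commit pass that same slice to `jwt.WithValidMethods`. A doc comment such as `// validMethods is the allow-list of JWS signing algorithms accepted when parsing; it must stay limited to asymmetric algorithms and must not be modified at runtime.` would record the intent. The `ps256` to `es512` names are `var`s as well, since they read the `Name` field of the jwt signing-method values at initialization; a one-line comment marking them as read-only aliases would help the next reader.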
