
A minimalist nosql document store.

Made signature verification non-fatal if there are problems retrieving the public key.
h3rald h3rald@h3rald.com
Sat, 30 Dec 2023 15:32:48 +0100
commit

f4eb0151a1fb5bb3c80d919175c0aba757f77a7b

parent

b887fd05e067845886d4ff5389f6fdb0386ad758

3 files changed, 16 insertions(+), 7 deletions(-)

M src/litestorepkg/lib/jwt.nimsrc/litestorepkg/lib/jwt.nim

@@ -27,6 +27,10 @@ proc raiseJwtError(msg: string) =

let err = getLastError() raise newException(EJwtValidationError, msg&"\n"&err) +proc raiseX509Error(msg: string) = + let err = getLastError() + raise newException(EX509Error, msg&"\n"&err) + proc getX5c*(token: JWT): string = let file = getCurrentDir() / "jwks.json" if not file.fileExists:

@@ -92,19 +96,19 @@

### Validate Signature (Only RS256 supported) x509 = d2i_X509(cert) if x509.isNil: - raiseJwtError("Invalid X509 certificate") + raiseX509Error("Invalid X509 certificate") pubkey = X509_get_pubkey(x509) if pubkey.isNil: - raiseJwtError("An error occurred while retrieving the public key") + raiseX509Error("An error occurred while retrieving the public key") var mdctx = EVP_MD_CTX_create() if mdctx.isNil: - raiseJwtError("Unable to initialize MD CTX") + raiseX509Error("Unable to initialize MD CTX") var pkeyctx = EVP_PKEY_CTX_new(pubkey, nil) if pkeyctx.isNil: - raiseJwtError("Unable to initialize PKEY CTX") + raiseX509Error("Unable to initialize PKEY CTX") if EVP_DigestVerifyInit(mdctx, addr pkeyctx, alg, nil, pubkey) != 1: raiseJwtError("Unable to initialize digest verification")
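Review bot: In the second hunk the `EVP_MD_CTX_create()` and `EVP_PKEY_CTX_new(pubkey, nil)` failures are reclassified as `EX509Error` together with the certificate and public-key failures, although neither is a problem with the X509 certificate — they are OpenSSL context allocation failures. Because server.nim now treats `EX509Error` as non-fatal, a context allocation failure would also let a token continue without its signature being checked; keeping `raiseJwtError("Unable to initialize MD CTX")` and `raiseJwtError("Unable to initialize PKEY CTX")` limits the non-fatal category to what the commit message describes. Nothing in the hunk releases the `x509` handle from `d2i_X509(cert)` on the `pubkey.isNil` and later error paths, though that predates this change and may be handled outside the visible lines. The enclosing proc starts and ends outside the hunk.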
M src/litestorepkg/lib/server.nimsrc/litestorepkg/lib/server.nim

@@ -59,7 +59,11 @@ x5c = LS.config["signature"].getStr

LOG.debug("Verifying algorithm...") jwt.verifyAlgorithm() LOG.debug("Verifying signature...") - jwt.verifySignature(x5c) + try: + jwt.verifySignature(x5c) + except EX509Error: + LOG.warn getCurrentExceptionMsg() + writeStackTrace() LOG.debug("Verifying claims...") jwt.verifyTimeClaims() let scope = cfg[reqMethod].mapIt(it.getStr)

@@ -67,11 +71,11 @@ LOG.debug("Verifying scope...")

jwt.verifyScope(scope) LOG.debug("Authorization successful") except EUnauthorizedError: - echo getCurrentExceptionMsg() + LOG.warn getCurrentExceptionMsg() writeStackTrace() return resError(Http403, "Forbidden - You are not permitted to access this resource") except CatchableError: - echo getCurrentExceptionMsg() + LOG.warn getCurrentExceptionMsg() writeStackTrace() return resError(Http401, "Unauthorized - Invalid token")
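Review bot: The new `try`/`except EX509Error:` around `jwt.verifySignature(x5c)` in the first hunk logs the failure and then falls through to `verifyTimeClaims`, `verifyScope` and `LOG.debug("Authorization successful")`, so when the configured certificate cannot be parsed or its key extracted the request is authorized on a token whose signature was never checked. That turns a deployment misconfiguration into an authentication bypass, and the safer default is to fail closed. Since `EX509Error` is a `CatchableError`, simply dropping the inner `try` lets the existing `except CatchableError:` branch in the second hunk log the message and return `resError(Http401, "Unauthorized - Invalid token")`; alternatively keep the inner handler but end it with `return resError(Http401, "Unauthorized - Invalid token")` so the failure is visible to the client. If accepting unverified tokens in this situation is really intended, it should be gated on an explicit configuration option and documented next to the `signature` setting rather than applied unconditionally. The enclosing `try` block starts before the first hunk.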
M src/litestorepkg/lib/types.nimsrc/litestorepkg/lib/types.nim

@@ -24,6 +24,7 @@ EFileExists* = object of CatchableError

EInvalidRequest* = object of CatchableError EJwtValidationError* = object of CatchableError EUnauthorizedError* = object of CatchableError + EX509Error* = object of CatchableError ConfigFiles* = object auth*: string config*: string
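Review bot: `EX509Error` is introduced without a doc comment, and since server.nim handles it differently from `EJwtValidationError` a reader needs to know what it covers; add `## Raised when the configured X509 certificate cannot be parsed or its public key cannot be extracted.` on the new line. The enclosing type section starts before the hunk.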