paweld/fpc
1
0
Fork 0
mirror of https://gitlab.com/freepascal.org/fpc/source.git synced 2025-09-01 04:30:16 +02:00
Code Issues Packages Projects Releases Wiki Activity

fcl-web: fpjwarsa: catch exceptions during verification

Browse Source
This commit is contained in:
mattias 2022-05-03 01:51:56 +02:00
parent 37d107a953
commit 120303576b
1 changed files with 46 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
packages/fcl-web/src/jwt/fpjwarsa.pp
View File

@ -164,23 +164,26 @@ begin
Result:=false; Result:=false;
if aJWT='' then exit; if aJWT='' then exit;
if not GetParts(aJWT,aHeader,theClaims,aSignature) then exit;
if aSignature='' then exit;
aSignInput:=aHeader+'.'+theClaims;
EncryptedHash:=Base64URL.Decode(aSignature);
GetHashFunc(HashFunc);
// verify hash
RSACreate(RSA);
try try
RSAInitFromPublicKeyDER(RSA,aPublicKey.AsBytes); if not GetParts(aJWT,aHeader,theClaims,aSignature) then exit;
if length(EncryptedHash)<>RSA.ModulusLen then if aSignature='' then exit;
exit;
r:=RSASSA_PSS_Verify(RSA,@aSignInput[1],length(aSignInput),@HashFunc,@EncryptedHash[0]); aSignInput:=aHeader+'.'+theClaims;
Result:=r=0; EncryptedHash:=Base64URL.Decode(aSignature);
finally GetHashFunc(HashFunc);
RSAFree(RSA);
// verify hash
RSACreate(RSA);
try
RSAInitFromPublicKeyDER(RSA,aPublicKey.AsBytes);
if length(EncryptedHash)<>RSA.ModulusLen then
exit;
r:=RSASSA_PSS_Verify(RSA,@aSignInput[1],length(aSignInput),@HashFunc,@EncryptedHash[0]);
Result:=r=0;
finally
RSAFree(RSA);
end;
except
end; end;
end; end;
@ -268,32 +271,35 @@ begin
Result:=false; Result:=false;
if aJWT='' then exit; if aJWT='' then exit;
if not GetParts(aJWT,aHeader,theClaims,aSignature) then exit;
if aSignature='' then exit;
EncryptedHash:=Base64URL.Decode(aSignature);
// decrypt hash
RSACreate(RSA);
try try
RSAInitFromPublicKeyDER(RSA,aPublicKey.AsBytes); if not GetParts(aJWT,aHeader,theClaims,aSignature) then exit;
SetLength(DecryptedHash{%H-},length(EncryptedHash)); if aSignature='' then exit;
HashLen:=RSADecryptVerify(RSA,@EncryptedHash[0],@DecryptedHash[0],length(DecryptedHash),true);
if HashLen<=0 then exit; EncryptedHash:=Base64URL.Decode(aSignature);
SetLength(DecryptedHash,HashLen);
finally // decrypt hash
RSAFree(RSA); RSACreate(RSA);
try
RSAInitFromPublicKeyDER(RSA,aPublicKey.AsBytes);
SetLength(DecryptedHash{%H-},length(EncryptedHash));
HashLen:=RSADecryptVerify(RSA,@EncryptedHash[0],@DecryptedHash[0],length(DecryptedHash),true);
if HashLen<=0 then exit;
SetLength(DecryptedHash,HashLen);
finally
RSAFree(RSA);
end;
// hash of header.claims
aInput:=aHeader+'.'+theClaims;
SetLength(InputBytes{%H-},length(aInput));
Move(aInput[1],InputBytes[0],length(aInput));
ActualHash:=ComputeASNHash(InputBytes);
// check decrypted hash and actual hash fit
Result:=(length(DecryptedHash)=length(ActualHash))
and CompareMem(@DecryptedHash[0],@ActualHash[0],length(DecryptedHash));
except
end; end;
// hash of header.claims
aInput:=aHeader+'.'+theClaims;
SetLength(InputBytes{%H-},length(aInput));
Move(aInput[1],InputBytes[0],length(aInput));
ActualHash:=ComputeASNHash(InputBytes);
// check decrypted hash and actual hash fit
Result:=(length(DecryptedHash)=length(ActualHash))
and CompareMem(@DecryptedHash[0],@ActualHash[0],length(DecryptedHash));
end; end;
initialization initialization