Skip to content
/ libxjwt Public

Minimal C library for validation of real-world JWTs

License

Apache-2.0 license
2 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ScaleFT/libxjwt

BranchesTags

Repository files navigation

libxjwt: minimal C library for validation of real-world JWTs

Build Status

libxjwt seeks to provide a minimal c89-style library and API surface for validating a compact-form JWT against a set of JWKs. This is not meant to be a general purpose JOSE library. If you are looking for a more general purpose C library, consider cjose.

What's New

1.0.3

  • Improve RPM spec file #15
  • Log Key ID (kid) when we are unable to find the Validating Key #14

1.0.2

  • Add autotools based build (classic ./configure && make && make install) #9
  • Add spec file for RPM Packaging #8

1.0.1

  • Support for API changes in OpenSSL version 1.1 #5

1.0.0

  • Initial open source release.

API

libxjwt exports two primary API surfaces:

  1. Validating a JWT using the xjwt_verify function in xjwt_validator.h
  2. Loading a JWK keyset, using xjwt_keyset_create_from_memory function in xjwt_keyset.h

An example of using these APIs is in test_verify.c

Dependencies

Building

RPM base Distributions

Assuming a proper rpmbuild environment exists on the build host, a pair of rpms (bin and devel), can be built using the included spec file like so:

rpmbuild --undefine=_disable_source_fetch -bb dist/rpm/libxjwt.spec

Others

After Jansson and OpenSSL development headers are available, building libxjwt should just take:

./configure
make
make install

Security Model

ScaleFT takes security seriously. If you discover a security issue, please bring it to our attention right away!

Please DO NOT file a public issue or pull request, instead send your report privately to the ScaleFT Security Team, reachable at [email protected].

libxjwt is commonly used in parsing untrusted data from network sources, as such we have tried to be careful and take this into consideration in design of the library.

  • Compact form JWTs are limited to 16kb maximum size.
  • libxjwt only supports the ES256, ES384 and ES521 algorithm types for signature validation.
  • Before cryptographic verification of a JWT, libxjwt must parse some data:
    • Splitting the compact form into header, payload and signature. This is done by the xjwt__parse_untrusted function in parse.c
    • Decoding the JWT Header. This requires a url-safe base64 decoding. This is currently implemented by using OpenSSL's Base64 BIOs in b64.c.
    • Parsing the JWT Header object. This pases data to the Jansson's json_loads(http://jansson.readthedocs.io/en/2.8/apiref.html#c.json_loads) function in validator.c
    • Parsing the JWT Signature. This is done by xjwt__parse_ec_signature function in parse.c.
    • Validation of the EC Signature for the Header+Payload is done using OpenSSL's EVP API.

License

libxjwt is licensed under the Apache License Version 2.0. See the LICENSE file for details.

About

Minimal C library for validation of real-world JWTs

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

2 stars

Watchers

15 watching

Forks

4 forks
Report repository

Releases 4

v1.0.3 Latest
Apr 12, 2018
+ 3 releases

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages