fix OIDCOAuthVerifyCertFiles #989; add OIDCProviderVerifyCertFiles #990

- add OIDCProviderVerifyCertFiles option to statically configure ID
token validation keys; see #989; thanks @madsfreek
- fix bug in OIDCOAuthVerifyCertFiles where cert(s) would be cast to
apr_hash_t instead of apr_array_header_t; see #990; thanks @bommo1
- bump to 2.4.12.3rc0

Signed-off-by: Hans Zandbelt <[email protected]>

Author: zandbelt

AUTHORS

@@ -87,3 +87,4 @@ reporting bugs, providing fixes, suggesting useful features or other:
 	Nikhil Chaudhari <https://github.com/nvchaudhari1991>
 	Quentin Gillet <[email protected]>
 	Brent van Laere <[email protected]>
+	Mads Freek Petersen <https://github.com/madsfreek>

ChangeLog

@@ -1,3 +1,8 @@
+01/20/2023
+- add OIDCProviderVerifyCertFiles option to statically configure ID token validation keys; see #989; thanks @madsfreek
+- fix bug in OIDCOAuthVerifyCertFiles where cert(s) would be cast to apr_hash_t instead of apr_array_header_t; see #990; thanks @bommo1
+- bump to 2.4.12.3rc0
+
 12/28/2022
 - update sample/test Dockerfile to Ubuntu Jammy
 

auth_openidc.conf

@@ -65,6 +65,14 @@
 # Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
 #OIDCProviderJwksUri <jwks_url>
 
+# The fully qualified names of the files that contain the X.509 certificates with the RSA public
+# keys that can be used for ID Token verification.
+# NB: this is one or more key tuples where a key tuple consists of:
+#  [<key-identifier>#]<path-to-cert>
+# and the key identifier part is required when the ID Token contains a "kid" in its header.
+# When not defined, ID Token validation key material has to be obtained through OIDCProviderJwksUri or OIDCProviderMetadataURL
+#OIDCProviderVerifyCertFiles ([<kid>#]<filename>)+
+
 # OpenID Connect Provider Token Endpoint URL (e.g. https://localhost:9031/as/token.oauth2)
 # Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
 #OIDCProviderTokenEndpoint <token_endpoint>

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.12.2],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.12.3rc0],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

src/config.c

@@ -173,6 +173,7 @@
 #define OIDCProviderEndSessionEndpoint         "OIDCProviderEndSessionEndpoint"
 #define OIDCProviderBackChannelLogoutSupported "OIDCProviderBackChannelLogoutSupported"
 #define OIDCProviderJwksUri                    "OIDCProviderJwksUri"
+#define OIDCProviderVerifyCertFiles            "OIDCProviderVerifyCertFiles"
 #define OIDCResponseType                       "OIDCResponseType"
 #define OIDCResponseMode                       "OIDCResponseMode"
 #define OIDCPublicKeyFiles                     "OIDCPublicKeyFiles"
@@ -1417,6 +1418,7 @@ void oidc_cfg_provider_init(oidc_provider_t *provider) {
 	provider->check_session_iframe = NULL;
 	provider->end_session_endpoint = NULL;
 	provider->jwks_uri = NULL;
+	provider->verify_public_keys = NULL;
 	provider->backchannel_logout_supported = OIDC_CONFIG_POS_INT_UNSET;
 
 	provider->ssl_validate_server = OIDC_DEFAULT_SSL_VALIDATE_SERVER;
@@ -1633,6 +1635,10 @@ void* oidc_merge_server_config(apr_pool_t *pool, void *BASE, void *ADD) {
 	c->provider.jwks_uri =
 			add->provider.jwks_uri != NULL ?
 					add->provider.jwks_uri : base->provider.jwks_uri;
+	c->provider.verify_public_keys =
+			add->provider.verify_public_keys != NULL ?
+					add->provider.verify_public_keys :
+					base->provider.verify_public_keys;
 	c->provider.client_id =
 			add->provider.client_id != NULL ?
 					add->provider.client_id : base->provider.client_id;
@@ -2677,7 +2683,9 @@ static apr_status_t oidc_cleanup_child(void *data) {
 
 		// can do this even though we haven't got a deep copy
 		// since references within the object will be set to NULL
-		oidc_jwk_list_destroy_hash(sp->process->pool,
+		oidc_jwk_list_destroy(sp->process->pool,
+				cfg->provider.verify_public_keys);
+		oidc_jwk_list_destroy(sp->process->pool,
 				cfg->oauth.verify_public_keys);
 		oidc_jwk_list_destroy_hash(sp->process->pool,
 				cfg->oauth.verify_shared_keys);
@@ -3058,6 +3066,11 @@ const command_rec oidc_config_cmds[] = {
 				(void *)APR_OFFSETOF(oidc_cfg, provider.jwks_uri),
 				RSRC_CONF,
 				"Define the OpenID OP JWKS URL (e.g.: https://localhost:9031/pf/JWKS)"),
+		AP_INIT_ITERATE(OIDCProviderVerifyCertFiles,
+				oidc_set_public_key_files,
+				(void*)APR_OFFSETOF(oidc_cfg, provider.verify_public_keys),
+				RSRC_CONF,
+				"The fully qualified names of the files that contain the X.509 certificates that contains the RSA public keys that can be used for ID token validation."),
 		AP_INIT_TAKE1(OIDCResponseType,
 				oidc_set_response_type,
 				(void *)APR_OFFSETOF(oidc_cfg, provider.response_type),

src/mod_auth_openidc.c

@@ -3024,7 +3024,7 @@ static int oidc_handle_logout_backchannel(request_rec *r, oidc_cfg *cfg) {
 	oidc_jwks_uri_t jwks_uri = { provider->jwks_uri,
 			provider->jwks_refresh_interval, provider->ssl_validate_server };
 	if (oidc_proto_jwt_verify(r, cfg, jwt, &jwks_uri,
-			oidc_util_merge_symmetric_key(r->pool, NULL, jwk),
+			oidc_util_merge_symmetric_key(r->pool, provider->verify_public_keys, jwk),
 			provider->id_token_signed_response_alg) == FALSE) {
 
 		oidc_error(r, "id_token signature could not be validated, aborting");

src/mod_auth_openidc.h

@@ -296,6 +296,7 @@ typedef struct oidc_provider_t {
 	char *check_session_iframe;
 	char *end_session_endpoint;
 	char *jwks_uri;
+	apr_array_header_t *verify_public_keys;
 	char *client_id;
 	char *client_secret;
 	char *token_endpoint_tls_client_key;
@@ -364,7 +365,7 @@ typedef struct oidc_oauth_t {
 	oidc_remote_user_claim_t remote_user_claim;
 	apr_hash_t *verify_shared_keys;
 	char *verify_jwks_uri;
-	apr_hash_t *verify_public_keys;
+	apr_array_header_t *verify_public_keys;
 	int access_token_binding_policy;
 } oidc_oauth_t;
 

src/oauth.c

@@ -612,19 +612,17 @@ static apr_byte_t oidc_oauth_validate_jwt_access_token(request_rec *r,
 	oidc_debug(r,
 			"verify JWT against %d statically configured public keys and %d shared keys, with JWKs URI set to %s",
 			c->oauth.verify_public_keys ?
-					apr_hash_count(c->oauth.verify_public_keys) : 0,
+					c->oauth.verify_public_keys->nelts : 0,
 					c->oauth.verify_shared_keys ?
 							apr_hash_count(c->oauth.verify_shared_keys) : 0,
 							c->oauth.verify_jwks_uri);
 
 	// TODO: we're re-using the OIDC provider JWKs refresh interval here...
 	oidc_jwks_uri_t jwks_uri = { c->oauth.verify_jwks_uri,
 			c->provider.jwks_refresh_interval, c->oauth.ssl_validate_server };
-	if (oidc_proto_jwt_verify(r, c, jwt, &jwks_uri,
-			oidc_util_merge_key_sets_hash(r->pool, c->oauth.verify_public_keys,
-					c->oauth.verify_shared_keys), NULL) == FALSE) {
-		oidc_error(r,
-				"JWT access token signature could not be validated, aborting");
+	if (oidc_proto_jwt_verify(r, c, jwt, &jwks_uri, oidc_util_merge_key_sets(r->pool, c->oauth.verify_shared_keys, c->oauth.verify_public_keys), NULL)
+			== FALSE) {
+		oidc_error(r, "JWT access token signature could not be validated, aborting");
 		oidc_jwt_destroy(jwt);
 		return FALSE;
 	}

src/proto.c

@@ -1668,7 +1668,7 @@ apr_byte_t oidc_proto_parse_idtoken(request_rec *r, oidc_cfg *cfg,
 		oidc_jwks_uri_t jwks_uri = { provider->jwks_uri,
 				provider->jwks_refresh_interval, provider->ssl_validate_server };
 		if (oidc_proto_jwt_verify(r, cfg, *jwt, &jwks_uri,
-				oidc_util_merge_symmetric_key(r->pool, NULL, jwk),
+				oidc_util_merge_symmetric_key(r->pool, provider->verify_public_keys, jwk),
 				provider->id_token_signed_response_alg) == FALSE) {
 
 			oidc_error(r,