[jira] [Commented] (IMPALA-12559) Support x5c Parameter in JSON Web Keys (JWK)

2024-05-16 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/IMPALA-12559?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17846970#comment-17846970
 ] 

ASF subversion and git services commented on IMPALA-12559:
--

Commit 7550eb607c2b92b1367dc5cf5667b681d59a8915 in impala's branch 
refs/heads/master from wzhou-code
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=7550eb607 ]

IMPALA-12559 (part 2): Fix build issue for different versions of openssl

Previous patch calls OpenSSL API X509_get0_tbs_sigalg() which is not
available in the version of OpenSSL in ToolChain. It causes build
failures.
This patch fixes the issue by calling X509_get_signature_nid().

Testing:
 - Passed jwt-test unit-test and end-end unit-test.

Change-Id: I62b9f0c00f91c2b13be30c415e3f1ebd0e1bd2bc
Reviewed-on: http://gerrit.cloudera.org:8080/21432
Reviewed-by: gaurav singh 
Tested-by: Impala Public Jenkins 
Reviewed-by: Abhishek Rawat 


> Support x5c Parameter in JSON Web Keys (JWK)
> 
>
> Key: IMPALA-12559
> URL: https://issues.apache.org/jira/browse/IMPALA-12559
> Project: IMPALA
> Issue Type: Bug
> Components: be, Security
> Reporter: Jason Fehr
> Assignee: gaurav singh
> Priority: Critical
> Labels: JWT, jwt, security
>
> The ["x5u"|https://datatracker.ietf.org/doc/html/rfc7517#section-4.6], 
> ["x5c"|https://datatracker.ietf.org/doc/html/rfc7517#section-4.7], 
> ["x5t"|https://datatracker.ietf.org/doc/html/rfc7517#section-4.8], and 
> ["x5t#S256"|https://datatracker.ietf.org/doc/html/rfc7517#section-4.9] 
> parameters in JWKs are not supported by Impala.  Implement support for this 
> parameter using the available methods in the [Thalhammer/jwt-cpp 
> library|https://github.com/Thalhammer/jwt-cpp/blob/ce1f9df3a9f861d136d6f0c93a6f811c364d1d3d/example/jwks-verify.cpp].
> Note:  If the "alg" property is specified and so is "x5u" or "x5c", then the 
> value of the "alg" property must match the algorithm on the certificate from 
> the "x5u" or "x5c" property.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org
For additional commands, e-mail: issues-all-h...@impala.apache.org



[jira] [Commented] (IMPALA-12559) Support x5c Parameter in JSON Web Keys (JWK)

2024-05-15 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/IMPALA-12559?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17846760#comment-17846760
 ] 

ASF subversion and git services commented on IMPALA-12559:
--

Commit 34c084cebb2f52a6ee11d3d93609b3e4e238816f in impala's branch 
refs/heads/master from gaurav1086
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=34c084ceb ]

IMPALA-12559: Support x5c Parameter for RSA JSON
Web Keys

This enables the jwt verification using the x5c
certificate(s) in the RSA jwks keys. The x5c claim can be
part of the jwks either as a string or an array.
This patch only supports a single x5c certificate per
jwk.

If the "x5c" is present and "alg" is not present,
then "alg" is extracted from the "x5c" certificate using the
signature algorithm. However, if "x5c" is not preseent, then
"alg" is a mandatory field on jwk.

Current mapping of signature algorithm string => algorithm:

sha256WithRSAEncryption => rs256
sha384WithRSAEncryption => rs384
sha512WithRSAEncryption => rs512

If "x5c" is present, then it is given priority over other
mandatory fields like "n", "e" to construct the public key.

Testing:
* added unit test VerifyJwtTokenWithx5cCertificate to
verify jwt with x5c certificate.
* added unit test VerifyJwtTokenWithx5cCertificateWithoutAlg
to verify jwt with x5c certificate without "alg".
* added e2e test testJwtAuthWithJwksX5cHttpUrl to verify
jwt with x5c certificate.

Change-Id: I70be6f9f54190544aa005b2644e2ed8db6f6bb74
Reviewed-on: http://gerrit.cloudera.org:8080/21382
Reviewed-by: Jason Fehr 
Reviewed-by: Wenzhe Zhou 
Tested-by: Impala Public Jenkins 


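Added example (not Impala's code and not part of either commit): a Python sketch of the "alg" rules described in the commit messages above, plus the match requirement from the issue note. It reads the outer signatureAlgorithm field of the certificate, the one X509_get_signature_nid() reports. The helper names, the lower-case comparison of "alg" and the certificate-shaped DER skeleton are assumptions made for the demo.

```python
import base64

RSA_PKCS1 = bytes.fromhex("2a864886f70d0101")  # DER body of OID 1.2.840.113549.1.1
SIGALG_TO_ALG = {  # mapping listed in the commit message, keyed by OID bytes
    RSA_PKCS1 + b"\x0b": "rs256",  # sha256WithRSAEncryption
    RSA_PKCS1 + b"\x0c": "rs384",  # sha384WithRSAEncryption
    RSA_PKCS1 + b"\x0d": "rs512",  # sha512WithRSAEncryption
}

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def cert_sigalg_oid(der):
    """Raw OID bytes of the outer Certificate.signatureAlgorithm field."""
    _, start, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)      # step over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    tag, lo, hi = read_tlv(der, alg_start)    # its first element, the OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return der[lo:hi]

def resolve_alg(jwk):
    """Pick the verification algorithm for one JWK, or raise ValueError."""
    x5c, alg = jwk.get("x5c"), jwk.get("alg")
    if x5c is None:
        if alg is None:
            raise ValueError('"alg" is mandatory when "x5c" is absent')
        return alg.lower()
    certs = [x5c] if isinstance(x5c, str) else list(x5c)  # string or array
    if len(certs) != 1:
        raise ValueError("only a single x5c certificate per JWK is supported")
    cert_alg = SIGALG_TO_ALG.get(cert_sigalg_oid(base64.b64decode(certs[0])))
    if cert_alg is None:
        raise ValueError("unsupported certificate signature algorithm")
    if alg is not None and alg.lower() != cert_alg:  # rule from the issue note
        raise ValueError("alg %s does not match certificate (%s)" % (alg, cert_alg))
    return cert_alg

def make_skeleton(oid_body):  # constructed, cert-shaped DER; not a real certificate
    seq = lambda tag, body: bytes([tag, len(body)]) + body  # short lengths only
    alg_id = seq(0x30, seq(0x06, oid_body) + b"\x05\x00")
    return seq(0x30, seq(0x30, b"") + alg_id + seq(0x03, b"\x00"))
```

resolve_alg() only selects the algorithm; building the public key from the certificate and verifying the token signature are outside this sketch.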