Thalhammer · prince-chrismc · Dec 26, 2023 · Jul 30, 2023 · Jul 30, 2023 · Jul 31, 2023
diff --git a/include/jwt-cpp/jwt.h b/include/jwt-cpp/jwt.h
@@ -51,6 +51,7 @@
 
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L // 3.0.0
 #define JWT_OPENSSL_3_0
+#include <openssl/param_build.h>
 #elif OPENSSL_VERSION_NUMBER >= 0x10101000L // 1.1.1
 #define JWT_OPENSSL_1_1_1
 #elif OPENSSL_VERSION_NUMBER >= 0x10100000L // 1.1.0
@@ -120,7 +121,9 @@ namespace jwt {
 			load_key_bio_write,
 			load_key_bio_read,
 			create_mem_bio_failed,
-			no_key_provided
+			no_key_provided,
+			set_rsa_failed,
+			create_context_failed
 		};
 		/**
 		 * \brief Error category for RSA errors
@@ -141,6 +144,8 @@ namespace jwt {
 					case rsa_error::load_key_bio_read: return "failed to load key: bio read failed";
 					case rsa_error::create_mem_bio_failed: return "failed to create memory bio";
 					case rsa_error::no_key_provided: return "at least one of public or private key need to be present";
+					case rsa_error::set_rsa_failed: return "set modulus and exponent to RSA failed";
+					case rsa_error::create_context_failed: return "failed to create context";
 					default: return "unknown RSA error";
 					}
 				}
@@ -626,7 +631,6 @@ namespace jwt {
 		 * \brief Convert the certificate provided as DER to PEM.
 		 *
 		 * \param cert_der_str 	String containing the DER certificate
-		 * \param decode 		The function to decode the cert
 		 * \throw				rsa_exception if an error occurred
 		 */
 		inline std::string convert_der_to_pem(const std::string& cert_der_str) {
@@ -804,6 +808,51 @@ namespace jwt {
 			return pkey;
 		}
 
+		/**
+		 * Convert a OpenSSL BIGNUM to a std::string
+		 * \param bn BIGNUM to convert
+		 * \return bignum as string
+		 */
+		inline
+#ifdef JWT_OPENSSL_1_0_0
+			std::string
+			bn2raw(BIGNUM* bn)
+#else
+			std::string
+			bn2raw(const BIGNUM* bn)
+#endif
+		{
+			std::string res(BN_num_bytes(bn), '\0');
+			BN_bn2bin(bn, (unsigned char*)res.data()); // NOLINT(google-readability-casting) requires `const_cast`
+			return res;
+		}
+		/**
+		 * Convert an std::string to a OpenSSL BIGNUM
+		 * \param raw String to convert
+		 * \param ec  error_code for error_detection (gets cleared if no error occurs)
+		 * \return BIGNUM representation
+		 */
+		inline std::unique_ptr<BIGNUM, decltype(&BN_free)> raw2bn(const std::string& raw, std::error_code& ec) {
+			auto bn =
+				BN_bin2bn(reinterpret_cast<const unsigned char*>(raw.data()), static_cast<int>(raw.size()), nullptr);
+			if (!bn) {
+				ec = error::rsa_error::set_rsa_failed;
+				return {nullptr, BN_free};
+			}
+			return {bn, BN_free};
+		}
+		/**
+		 * Convert an std::string to a OpenSSL BIGNUM
+		 * \param raw String to convert
+		 * \return BIGNUM representation
+		 */
+		inline std::unique_ptr<BIGNUM, decltype(&BN_free)> raw2bn(const std::string& raw) {
+			std::error_code ec;
+			auto res = raw2bn(raw, ec);
+			error::throw_if_error(ec);
+			return res;
+		}
+
 		/**
 		 * \brief Load a public key from a string.
 		 *
@@ -846,6 +895,164 @@ namespace jwt {
 			return pkey;
 		}
 
+		/**
+		* \brief create public key from modulus and exponent
+		*
+		* \param modulus	string containing base64 encoded modulus
+		* \param exponent	string containing base64 encoded exponent
+		* \param decode 				The function to decode the certs)
+		* \param ec			error_code for error_detection (gets cleared if no error occur
+		* \return public key in PEM format
+		*/
+		template<typename Decode>
+		std::string create_public_key_from_rsa_components(const std::string& modulus, const std::string& exponent,
+														  Decode decode, std::error_code& ec) {
+			auto decoded_modulus = decode(modulus);
+			auto decoded_exponent = decode(exponent);
+
+			auto n = helper::raw2bn(decoded_modulus);
+			auto e = helper::raw2bn(decoded_exponent);
+
+#if defined(JWT_OPENSSL_3_0)
+			// OpenSSL deprecated mutable keys and there is a new way for making them
+			// https://mta.openssl.org/pipermail/openssl-users/2021-July/013994.html
+			// https://www.openssl.org/docs/man3.1/man3/OSSL_PARAM_BLD_new.html#Example-2
+			std::unique_ptr<OSSL_PARAM_BLD, decltype(&OSSL_PARAM_BLD_free)> param_bld(OSSL_PARAM_BLD_new(),
+																					  OSSL_PARAM_BLD_free);
+			if (!param_bld) {
+				ec = error::rsa_error::create_context_failed;
+				return {};
+			}
+
+			if (OSSL_PARAM_BLD_push_BN(param_bld.get(), "n", n.get()) != 1 ||
+				OSSL_PARAM_BLD_push_BN(param_bld.get(), "e", e.get()) != 1) {
+				ec = error::rsa_error::set_rsa_failed;
+				return {};
+			}
+
+			std::unique_ptr<OSSL_PARAM, decltype(&OSSL_PARAM_free)> params(OSSL_PARAM_BLD_to_param(param_bld.get()),
+																		   OSSL_PARAM_free);
+			if (!params) {
+				ec = error::rsa_error::set_rsa_failed;
+				return {};
+			}
+
+			std::unique_ptr<EVP_PKEY_CTX, decltype(&EVP_PKEY_CTX_free)> ctx(
+				EVP_PKEY_CTX_new_from_name(nullptr, "RSA", nullptr), EVP_PKEY_CTX_free);
+			if (!ctx) {
+				ec = error::rsa_error::create_context_failed;
+				return {};
+			}
+
+			// https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_fromdata.html#EXAMPLES
+			EVP_PKEY* pkey = NULL;
+			if (EVP_PKEY_fromdata_init(ctx.get()) < 0 ||
+				EVP_PKEY_fromdata(ctx.get(), &pkey, EVP_PKEY_KEYPAIR, params.get()) < 0) {
+				// It's unclear if this can fail after allocating but free it anyways
+				// https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_fromdata.html
+				EVP_PKEY_free(pkey);
+
+				ec = error::rsa_error::cert_load_failed;
+				return {};
+			}
+
+			// Transfer ownership so we get ref counter and cleanup
+			evp_pkey_handle rsa(pkey);
+
+#else
+			std::unique_ptr<RSA, decltype(&RSA_free)> rsa(RSA_new(), RSA_free);
+
+			// After this call RSA_free will also free the n and e big numbers
+			// See https://github.com/Thalhammer/jwt-cpp/pull/298#discussion_r1282619186
+#if defined(JWT_OPENSSL_1_1_1) || defined(JWT_OPENSSL_1_1_0)
+			if (RSA_set0_key(rsa.get(), n.release(), e.release(), nullptr) != 1) {
+				ec = error::rsa_error::set_rsa_failed;
+				return {};
+			}
+#elif defined(JWT_OPENSSL_1_0_0)
+			rsa->e = e.release();
+			rsa->n = n.release();
+			rsa->d = nullptr;
+#endif
+#endif
+
+			auto pub_key_bio = make_mem_buf_bio();
+			if (!pub_key_bio) {
+				ec = error::rsa_error::create_mem_bio_failed;
+				return {};
+			}
+
+			auto write_pem_to_bio =
+#if defined(JWT_OPENSSL_3_0)
+				// https://www.openssl.org/docs/man3.1/man3/PEM_write_bio_RSA_PUBKEY.html
+				&PEM_write_bio_PUBKEY;
+#else
+				&PEM_write_bio_RSA_PUBKEY;
+#endif
+			if (write_pem_to_bio(pub_key_bio.get(), rsa.get()) != 1) {
+				ec = error::rsa_error::load_key_bio_write;
+				return {};
+			}
+
+			char* ptr = nullptr;
+			const auto len = BIO_get_mem_data(pub_key_bio.get(), &ptr);
+			if (len <= 0 || ptr == nullptr) {
+				ec = error::rsa_error::convert_to_pem_failed;
+				return {};
+			}
+
+			return std::string{ptr, static_cast<size_t>(len)};
+		}
+
+		/**
+		* \brief create public key from modulus and exponent
+		*
+		* \param modulus	string containing base64 encoded modulus
+		* \param exponent	string containing base64 encoded exponent
+		* \param decode 				The function to decode the certs)
+		* \return public key in PEM format
+		*/
+		template<typename Decode>
+		std::string create_public_key_from_rsa_components(const std::string& modulus, const std::string& exponent,
+														  Decode decode) {
+			std::error_code ec;
+			auto res = create_public_key_from_rsa_components(modulus, exponent, decode, ec);
+			error::throw_if_error(ec);
+			return res;
+		}
+
+#ifndef JWT_DISABLE_BASE64
+		/**
+		* \brief create public key from modulus and exponent
+		*
+		* \param modulus	string containing base64 encoded modulus
+		* \param exponent	string containing base64 encoded exponent
+		* \param ec			error_code for error_detection (gets cleared if no error occur
+		* \return public key in PEM format
+		*/
+		inline std::string create_public_key_from_rsa_components(const std::string& modulus,
+																 const std::string& exponent, std::error_code& ec) {
+			auto decode = [](const std::string& token) {
+				return base::decode<alphabet::base64url>(base::pad<alphabet::base64url>(token));
+			};
+			return create_public_key_from_rsa_components(modulus, exponent, std::move(decode), ec);
+		}
+		/**
+		* \brief create public key from modulus and exponent
+		*
+		* \param modulus	string containing base64 encoded modulus
+		* \param exponent	string containing base64 encoded exponent
+		* \return public key in PEM format
+		*/
+		inline std::string create_public_key_from_rsa_components(const std::string& modulus,
+																 const std::string& exponent) {
+			std::error_code ec;
+			auto res = create_public_key_from_rsa_components(modulus, exponent, ec);
+			error::throw_if_error(ec);
+			return res;
+		}
+#endif
+
 		/**
 		 * \brief Load a private key from a string.
 		 *
@@ -860,35 +1067,6 @@ namespace jwt {
 			error::throw_if_error(ec);
 			return res;
 		}
-
-		/**
-		 * Convert a OpenSSL BIGNUM to a std::string
-		 * \param bn BIGNUM to convert
-		 * \return bignum as string
-		 */
-		inline
-#ifdef JWT_OPENSSL_1_0_0
-			std::string
-			bn2raw(BIGNUM* bn)
-#else
-			std::string
-			bn2raw(const BIGNUM* bn)
-#endif
-		{
-			std::string res(BN_num_bytes(bn), '\0');
-			BN_bn2bin(bn, (unsigned char*)res.data()); // NOLINT(google-readability-casting) requires `const_cast`
-			return res;
-		}
-		/**
-		 * Convert an std::string to a OpenSSL BIGNUM
-		 * \param raw String to convert
-		 * \return BIGNUM representation
-		 */
-		inline std::unique_ptr<BIGNUM, decltype(&BN_free)> raw2bn(const std::string& raw) {
-			return std::unique_ptr<BIGNUM, decltype(&BN_free)>(
-				BN_bin2bn(reinterpret_cast<const unsigned char*>(raw.data()), static_cast<int>(raw.size()), nullptr),
-				BN_free);
-		}
 	} // namespace helper
 
 	/**

diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
@@ -18,7 +18,8 @@ set(TEST_SOURCES
     ${CMAKE_CURRENT_SOURCE_DIR}/Keys.cpp ${CMAKE_CURRENT_SOURCE_DIR}/HelperTest.cpp
     ${CMAKE_CURRENT_SOURCE_DIR}/TestMain.cpp ${CMAKE_CURRENT_SOURCE_DIR}/TokenFormatTest.cpp
     ${CMAKE_CURRENT_SOURCE_DIR}/TokenTest.cpp ${CMAKE_CURRENT_SOURCE_DIR}/JwksTest.cpp
-    ${CMAKE_CURRENT_SOURCE_DIR}/OpenSSLErrorTest.cpp ${CMAKE_CURRENT_SOURCE_DIR}/traits/NlohmannTest.cpp)
+    ${CMAKE_CURRENT_SOURCE_DIR}/OpenSSLErrorTest.cpp ${CMAKE_CURRENT_SOURCE_DIR}/traits/NlohmannTest.cpp
+    ${CMAKE_CURRENT_SOURCE_DIR}/PubKeyTest.cpp)
 
 find_package(jsoncons CONFIG)
 if(TARGET jsoncons)
@@ -34,7 +35,7 @@ add_executable(jwt-cpp-test ${TEST_SOURCES})
 
 # NOTE: Don't use space inside a generator expression here, because the function prematurely breaks the expression into
 # multiple lines. https://cmake.org/pipermail/cmake/2018-April/067422.html
-set(JWT_TESTER_GCC_FLAGS -Wall -Wextra -Wpedantic)
+set(JWT_TESTER_GCC_FLAGS -Wall -Wextra -Wpedantic -ggdb)
 set(JWT_TESTER_CLANG_FLAGS -Weverything -Wno-c++98-compat -Wno-global-constructors -Wno-weak-vtables)
 target_compile_options(
   jwt-cpp-test PRIVATE $<$<CXX_COMPILER_ID:MSVC>:/W4> $<$<CXX_COMPILER_ID:GNU>:${JWT_TESTER_GCC_FLAGS}>
@@ -55,7 +56,7 @@ endif()
 target_link_libraries(jwt-cpp-test PRIVATE jwt-cpp nlohmann_json::nlohmann_json
                                            $<$<NOT:$<CXX_COMPILER_ID:MSVC>>:${CMAKE_DL_LIBS}>)
 
-gtest_add_tests(TARGET jwt-cpp-test)
+gtest_discover_tests(jwt-cpp-test)
 
 if(JWT_ENABLE_COVERAGE)
   include("code-coverage")

diff --git a/tests/HelperTest.cpp b/tests/HelperTest.cpp
@@ -52,7 +52,7 @@ TEST(HelperTest, ErrorCodeMessages) {
 			  std::string("token_verification_error"));
 
 	int i = 10;
-	for (i = 10; i < 19; i++) {
+	for (i = 10; i < 21; i++) {
 		ASSERT_NE(std::error_code(static_cast<jwt::error::rsa_error>(i)).message(),
 				  std::error_code(static_cast<jwt::error::rsa_error>(-1)).message());
 	}

diff --git a/tests/PubKeyTest.cpp b/tests/PubKeyTest.cpp
@@ -0,0 +1,24 @@
+#include "jwt-cpp/jwt.h"
+#include <gtest/gtest.h>
+
+std::string pubkey_expected =
+	R"(-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwoB3iVm4RW+6StkR+nut
+x1fQevu2+t0Fu6KBcbvhfyHSXy7w0nJOdTT4jWLjStpRkNQBPZwMwHH35i+21gdn
+JtDe/xfO8IX9McFmyodlBUcqX8CruIzDv9AXf2OjXPBG+4aq+03XKl5/muATl32+
++301Vw1dXoGYNeoWQqLTsHT3WS3tOOf+ehuzNuZ+rj+ephaD3lMBToEArrtC9R91
+KTTN6YSAOK48NxTA8CfOMFK5itxfIqB5+E9OSQTidXyqLyoeA+xxTKMqYfxvypEe
+k1oueAhY9u67NCBdmuavxtfyvwp7+o6Sd+NsewxAhmRKFexw13KOYzDhC+9aMJcu
+JQIDAQAB
+-----END PUBLIC KEY-----
+)";
+
+std::string modulus =
+	R"(AMKAd4lZuEVvukrZEfp7rcdX0Hr7tvrdBbuigXG74X8h0l8u8NJyTnU0-I1i40raUZDUAT2cDMBx9-YvttYHZybQ3v8XzvCF_THBZsqHZQVHKl_Aq7iMw7_QF39jo1zwRvuGqvtN1ypef5rgE5d9vvt9NVcNXV6BmDXqFkKi07B091kt7Tjn_nobszbmfq4_nqYWg95TAU6BAK67QvUfdSk0zemEgDiuPDcUwPAnzjBSuYrcXyKgefhPTkkE4nV8qi8qHgPscUyjKmH8b8qRHpNaLngIWPbuuzQgXZrmr8bX8r8Ke_qOknfjbHsMQIZkShXscNdyjmMw4QvvWjCXLiU)";
+std::string exponent = R"(AQAB)";
+
+TEST(PubKeyTest, RSAFromComponents) {
+	const auto pubkey = jwt::helper::create_public_key_from_rsa_components(modulus, exponent);
+
+	ASSERT_EQ(pubkey, pubkey_expected);
+}
diff --git a/tests/TokenTest.cpp b/tests/TokenTest.cpp
@@ -728,7 +728,7 @@ TEST(TokenTest, VerifyTokenType) {
 }
 
 TEST(TokenTest, GetClaimThrows) {
-	auto token = "eyJhbGciOiJub25lIiwidHlwIjoiSldTIn0.eyJpc3MiOiJhdXRoMCJ9.";
+	const auto* token = "eyJhbGciOiJub25lIiwidHlwIjoiSldTIn0.eyJpc3MiOiJhdXRoMCJ9.";
 	auto decoded_token = jwt::decode(token);
 
 	ASSERT_THROW(decoded_token.get_header_claim("test"), jwt::error::claim_not_present_exception);