Skip to content

ScaleFT/libxjwt

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits

dist/rpm

dist/rpm

 
 

include/xjwt

include/xjwt

 
 

m4

m4

 
 

src

src

 
 

tests

tests

 
 

vendor/cmockery

vendor/cmockery

 
 

.clang-format

.clang-format

 
 

.gitignore

.gitignore

 
 

.travis.yml

.travis.yml

 
 

CODE_OF_CONDUCT.md

CODE_OF_CONDUCT.md

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

LICENSE

LICENSE

 
 

Makefile.am

Makefile.am

 
 

Makefile.in

Makefile.in

 
 

NOTICE

NOTICE

 
 

README.md

README.md

 
 

aclocal.m4

aclocal.m4

 
 

buildconf.sh

buildconf.sh

 
 

compile

compile

 
 

config.guess

config.guess

 
 

config.sub

config.sub

 
 

configure

configure

 
 

configure.ac

configure.ac

 
 

depcomp

depcomp

 
 

install-sh

install-sh

 
 

ltmain.sh

ltmain.sh

 
 

missing

missing

 
 

Repository files navigation

libxjwt: minimal C library for validation of real-world JWTs

Build Status

libxjwt seeks to provide a minimal c89-style library and API surface for validating a compact-form JWT against a set of JWKs. This is not meant to be a general purpose JOSE library. If you are looking for a more general purpose C library, consider cjose.

What's New

1.0.3

  • Improve RPM spec file #15
  • Log Key ID (kid) when we are unable to find the Validating Key #14

1.0.2

  • Add autotools based build (classic ./configure && make && make install) #9
  • Add spec file for RPM Packaging #8

1.0.1

  • Support for API changes in OpenSSL version 1.1 #5

1.0.0

  • Initial open source release.

API

libxjwt exports two primary API surfaces:

  1. Validating a JWT using the xjwt_verify function in xjwt_validator.h
  2. Loading a JWK keyset, using xjwt_keyset_create_from_memory function in xjwt_keyset.h

An example of using these APIs is in test_verify.c

Dependencies

Building

RPM base Distributions

Assuming a proper rpmbuild environment exists on the build host, a pair of rpms (bin and devel), can be built using the included spec file like so:

rpmbuild --undefine=_disable_source_fetch -bb dist/rpm/libxjwt.spec

Others

After Jansson and OpenSSL development headers are available, building libxjwt should just take:

./configure
make
make install

Security Model

ScaleFT takes security seriously. If you discover a security issue, please bring it to our attention right away!

Please DO NOT file a public issue or pull request, instead send your report privately to the ScaleFT Security Team, reachable at security@scaleft.com.

libxjwt is commonly used in parsing untrusted data from network sources, as such we have tried to be careful and take this into consideration in design of the library.

  • Compact form JWTs are limited to 16kb maximum size.
  • libxjwt only supports the ES256, ES384 and ES521 algorithm types for signature validation.
  • Before cryptographic verification of a JWT, libxjwt must parse some data:
    • Splitting the compact form into header, payload and signature. This is done by the xjwt__parse_untrusted function in parse.c
    • Decoding the JWT Header. This requires a url-safe base64 decoding. This is currently implemented by using OpenSSL's Base64 BIOs in b64.c.
    • Parsing the JWT Header object. This pases data to the Jansson's json_loads(http://jansson.readthedocs.io/en/2.8/apiref.html#c.json_loads) function in validator.c
    • Parsing the JWT Signature. This is done by xjwt__parse_ec_signature function in parse.c.
    • Validation of the EC Signature for the Header+Payload is done using OpenSSL's EVP API.

License

libxjwt is licensed under the Apache License Version 2.0. See the LICENSE file for details.

About

Minimal C library for validation of real-world JWTs

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

2 stars

Watchers

16 watching

Forks

4 forks
Report repository

Releases 4

v1.0.3 Latest
Apr 12, 2018
+ 3 releases

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages