authorAhmad Fatoum <a.fatoum@pengutronix.de>2023-10-23 16:31:22 +0200
committerSascha Hauer <s.hauer@pengutronix.de>2023-11-01 10:10:04 +0100
commit23d0325f88a12e0e5bae2590a94dc0ffacd4e5db (patch)
tree0f334869ec7fd6a9f7028319ba67ef2aee80f38a /include/crypto
parentfc609f75f9c89f098a772ed47184c3bdf086c19d (diff)
downloadbarebox-23d0325f88a12e0e5bae2590a94dc0ffacd4e5db.tar.gz
barebox-23d0325f88a12e0e5bae2590a94dc0ffacd4e5db.tar.xz
crypto: add JSON Web Token (JWT) support
JSON Web Token is a proposed Internet standard for creating tokens with optional signature and/or optional encryption whose payload holds JSON that asserts some number of claims. The tokens are signed either using a private secret or a public/private key. In the context of barebox, a JSON Web Token can be used as an unlock token for a system: by default, the system would be locked and only boot signed payloads, but when a valid unlock token is provided, board code can selectively allow access to otherwise disallowed features, such as booting unsigned payloads or providing access to the console and shell. This commit adds initial support for JSON Web Tokens on top of the already existing JSON support. RS256 is the only currently supported format, but more may be added in future. Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> Link: https://lore.barebox.org/20231023143122.1760217-3-a.fatoum@pengutronix.de Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Diffstat (limited to 'include/crypto')
-rw-r--r--include/crypto/jwt.h55
1 files changed, 55 insertions, 0 deletions
diff --git a/include/crypto/jwt.h b/include/crypto/jwt.h
new file mode 100644
index 0000000000..4e20b5950e
--- /dev/null
+++ b/include/crypto/jwt.h
@@ -0,0 +1,55 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef __JWT_H_
+#define __JWT_H_
+
+#include <linux/types.h>
+#include <jsmn.h>
+
+enum jwt_alg {
+ JWT_ALG_NONE,
+ JWT_ALG_HS256,
+ JWT_ALG_HS384,
+ JWT_ALG_HS512,
+ JWT_ALG_PS256,
+ JWT_ALG_PS384,
+ JWT_ALG_PS512,
+ JWT_ALG_RS256, /* supported */
+ JWT_ALG_RS384, /* supported */
+ JWT_ALG_RS512, /* supported */
+ JWT_ALG_ES256,
+ JWT_ALG_ES256K,
+ JWT_ALG_ES384,
+ JWT_ALG_ES512,
+ JWT_ALG_EDDSA,
+};
+
+struct jwt_key {
+ enum jwt_alg alg;
+ union {
+ const struct rsa_public_key *rsa_pub;
+ } material;
+};
+
+struct jwt_part {
+ char *content;
+ int token_count;
+ jsmntok_t *tokens;
+};
+
+struct jwt {
+ struct jwt_part header;
+ struct jwt_part payload;
+};
+
+const char *jwt_split(const char *token,
+ const char **payload, const char **signature, const char **end);
+
+struct jwt *jwt_decode(const char *token, const struct jwt_key *key);
+void jwt_free(struct jwt *jwt);
+
+const char *jwt_get_payload(const struct jwt *t);
+
+const jsmntok_t *jwt_get_claim(const struct jwt *t, const char *claim);
+char *jwt_get_claim_str(const struct jwt *t, const char *claim);
+
+#endif
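Review bot: The prototypes at lines 68–77 carry no contract comments, so a caller cannot tell from this header whether jwt_decode() verifies the signature before returning, how the token's own "alg" field is reconciled with key->alg, or who owns the returned memory. That matters here because enum jwt_alg lists JWT_ALG_NONE and ten unsupported algorithms beside the three marked `/* supported */`, and the well-known JWT failure mode is accepting a token whose header selects "none" or an algorithm other than the one the key was provisioned for, so the rule should be stated once in the header and checked against the implementation (which is outside this diff). Suggested comment above jwt_decode(): `/* Parse and verify @token against @key. The token's "alg" must equal @key->alg and be one of the supported RS* algorithms; otherwise NULL is returned. Free the result with jwt_free(). */` — adjust the wording if the implementation's actual policy differs. Likewise document that jwt_get_claim_str() presumably returns a freshly allocated string the caller must free (its non-const return suggests so; confirm), that jwt_get_claim() returns a token pointing into the decoded payload and valid only until jwt_free(), and that jwt_split() merely locates the dot-separated parts without validating or verifying them.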