[Impala-ASF-CR] IMPALA-12559: Support x5c Parameter for RSA JSON Web Keys

Mon, 13 May 2024 15:27:13 -0700 

Hello Abhishek Rawat, Jason Fehr, Wenzhe Zhou, Impala Public Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/21382

to look at the new patch set (#21).

Change subject: IMPALA-12559: Support x5c Parameter for RSA JSON Web Keys
......................................................................

IMPALA-12559: Support x5c Parameter for RSA JSON
Web Keys

This enables the jwt verification using the x5c
certificate(s) in the RSA jwks keys. The x5c claim can be
part of the jwks either as a string or an array.
This patch only supports a single x5c certificate per
jwk.

If the "x5c" is present and "alg" is not present,
then "alg" is extracted from the "x5c" certificate using the
signature algorithm. However, if "x5c" is not preseent, then
"alg" is a mandatory field on jwk.

Current mapping of signature algorithm string => algorithm:

sha256WithRSAEncryption => rs256
sha384WithRSAEncryption => rs384
sha512WithRSAEncryption => rs512

If "x5c" is present, then it is given priority over other
mandatory fields like "n", "e" to construct the public key.

Testing:
* added unit test VerifyJwtTokenWithx5cCertificate to
verify jwt with x5c certificate.
* added unit test VerifyJwtTokenWithx5cCertificateWithoutAlg
to verify jwt with x5c certificate without "alg".
* added e2e test testJwtAuthWithJwksX5cHttpUrl to verify
jwt with x5c certificate.

Change-Id: I70be6f9f54190544aa005b2644e2ed8db6f6bb74
---
M be/src/util/jwt-util-test.cc
M be/src/util/jwt-util.cc
M fe/src/test/java/org/apache/impala/customcluster/JwtHttpTest.java
A testdata/jwt/jwks_x5c_rs256.json
4 files changed, 356 insertions(+), 15 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/82/21382/21
--
To view, visit http://gerrit.cloudera.org:8080/21382
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I70be6f9f54190544aa005b2644e2ed8db6f6bb74
Gerrit-Change-Number: 21382
Gerrit-PatchSet: 21
Gerrit-Owner: gaurav singh <gsi...@cloudera.com>
Gerrit-Reviewer: Abhishek Rawat <ara...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Gerrit-Reviewer: Jason Fehr <jf...@cloudera.com>
Gerrit-Reviewer: Wenzhe Zhou <wz...@cloudera.com>
Gerrit-Reviewer: gaurav singh <gsi...@cloudera.com>

Reply via email to