sitemule / ILEastic

Embedded application server for ILE on IBM i
Apache License 2.0

Unable to use JWKS endpoints using proc ptr #121

Closed cgvenu closed 3 months ago

cgvenu commented 1 year ago

@NielsLiisberg I was trying to write a sample for a JWKS implementation with the code below. Anytime I make a PROCPTR call, it seems I am upsetting some pointer values. Do you see any obvious issues with the code below? I am quite bad with C, so I am unable to debug and identify the issue myself. I was looking forward to using it soon, so any help is appreciated.

**FREE
// ILEastic : JWT Token secured route

ctl-opt decEdit('0,') datEdit(*YMD.) main(main);
ctl-opt debug(*yes) bndDir('ILEASTIC');
ctl-opt thread(*CONCURRENT);

/include ./headers/ileastic.rpgle
/include ./plugins/jwt/jwt_h.rpgle
/include ./plugins/jwt/jwtplugin_h.rpgle

// -----------------------------------------------------------------------------
// Program Entry Point
// -----------------------------------------------------------------------------
dcl-proc main;
  dcl-ds config likeds(il_config);

  // The server will listen on port 44000.
  config.port = 44000;
  config.host = '*ANY';

  // Sets the key which will be used for verifying the JWT token.
  il_jwt_addVerifyStructFromJWKS(%paddr('IdP_Jwks'));

  // Adds the JWT plugin to the chain of plugins
  il_addPlugin(config : %paddr('il_jwt_filter') : IL_PREREQUEST);

  // Adds the secured route.
  il_addRoute(config : %paddr(getTime) : IL_POST);

  // Starts the server.
  il_listen(config);
end-proc;

//- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
// Procedure - IdP_Jwks
// Description - routine to retrieve public key from JWKS end point
//- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

dcl-proc IdP_Jwks;
  dcl-pi *n extproc(*dclcase);
    jwksDs LikeDS(jwksDs_t) Dim(10);
    keyCnt Packed(3 :0);
  end-pi;

  //dcl-s JWKS_Uri Char(500);

  // This is dummy data to show the issue.
  jwksDs(1).KeyTp = 'RSA';
  jwksDs(1).KeyId = 'abcde_eaa';
  jwksDs(1).Usage = 'sig';
  jwksDs(1).Alg = 'RS512';
  keyCnt = 1;
  return;

end-proc;

// -----------------------------------------------------------------------------
// Servlet callback implementation
// -----------------------------------------------------------------------------
dcl-proc getTime;
  dcl-pi *n;
    request likeds(IL_REQUEST);
    response likeds(IL_RESPONSE);
  end-pi;

  il_responseWrite(response : %char(%time()));
end-proc;

=====

40 02/05/23 21:47:11.017414 < 3BadScalar 000230 ILEASTIC ILEASTIC
From Program . . . . . . . : Ex3203BadScalar
To module . . . . . . . . . : ILEASTIC
To procedure . . . . . . . : findRoute
Statement . . . . . . . . . : 13
Thread . . . . : 00000011
Message . . . . : Scalar operand contains a value that is not valid.
Cause . . . . . : The length of the invalid scalar operand is 8. The bit
offset to the invalid field is X'0000'. The operand number is 1. The
invalid data is X'0000000004040420'.
40 02/05/23 21:47:11.017584 ILEASTIC ILEASTIC *STMT ILEASTIC ILEASTIC
From module . . . . . . . . : ILEASTIC
From procedure . . . . . . : findRoute
Statement . . . . . . . . . : 13
To module . . . . . . . . . : ILEASTIC
To procedure . . . . . . . : findRoute
Statement . . . . . . . . . : 13
Thread . . . . : 00000011
Message . . . . : Space offset X'00000000' or X'0000000004040420' is outside
current limit for object JOB_DETAILS.
Cause . . . . . : A program tried to set a space pointer, tried to use
storage outside a space, or tried to use an unallocated page in teraspace.
The space class is X'07'. The space class designates the type of space:

cgvenu commented 1 year ago

To add a bit more detail: when I added an INZ to "dcl-ds jwksDs LikeDS(jwksDs_t) Dim(10);" under "il_jwt_addVerifyStructFromJWKS", I then get the error message "Message . . . . : Space offset X'00000000' or X'0000000002020220' is outside.". Without INZ, that changes to "Message . . . . : Space offset X'00000000' or X'0000000004040420' is outside", which indicates some kind of memory conflict with the ccsid(*utf8) portion of the DS.

For the time being I managed to sort it out by changing the order of the proc calls to the below:

il_addPlugin(config : %paddr('il_jwt_filter') : IL_PREREQUEST);
il_addRoute(config : %paddr(getTime) : IL_POST);
il_jwt_addVerifyStructFromJWKS(%paddr('IdP_Jwks'));
il_listen(config);

With this order, everything works. The issue happens only when I execute il_jwt_addVerifyStructFromJWKS before il_addRoute.

NielsLiisberg commented 1 year ago

It seems you are not binding the JWT plugin to your application.

Try:

dcl-s ptemp pointer;
...
ptemp = %paddr('il_jwt_filter');

and debug ptemp - my guess is it is *NULL

On Wed, May 3, 2023 at 11:09 AM Venu @.***> wrote:

To add bit more details.. When I added an INZ to "dcl-ds jwksDs LikeDS(jwksDs_t) Dim(10);" under "il_jwt_addVerifyStructFromJWKS", I then get error message as Message . . . . : Space offset X'00000000' or X'0000000002020220' is outside. without INZ that changes to "Message . . . . : Space offset X'00000000' or X'0000000004040420' is outside", which indicate some kind of memory conflict.

For the time being I manage to sort it out by changing the order of proc call to

il_addPlugin(config : %paddr('il_jwt_filter') : IL_PREREQUEST);
il_addRoute(config : %paddr(getTime) : IL_POST);
il_jwt_addVerifyStructFromJWKS(%paddr('IdP_Jwks'));
il_listen(config);

then everything works. The issue happens only when I execute il_jwt_addVerifyStructFromJWKS before il_addRoute.


cgvenu commented 1 year ago

I got PTEMP = PRP:C5C27FE10A002458 as the value.

Failure happens even before reaching the plugin code. When I placed a breakpoint on the JWT validation routine, the program does not even reach there.

Line 142 is where it fails with above said error.

Program: ILEASTIC Library: ILEASTIC Module: ILEASTIC
138 outbytesleft = outlen;
139 totBuf = memAlloc ( 16 + (outlen)); // The Chunk header + the max size which twice the byte size
140 wrkBuf = tempBuf = totBuf + 16; // Make room for the chunk header ( max 16 bytes)
141
142 rc = iconv ( pResponse->pConfig->e2a->Iconv , &input , &inbytesleft, &wrkBuf , &outbytesleft);

As mentioned in the earlier post, with the same program code, when I re-arrange the proc calls, it works. So my guess was that it has nothing to do with binding and could be something memory related, but I could be wrong.

During the debug, I could see that while executing "il_jwt_addVerifyStructFromJWKS(%paddr('Idp_Jwks'))", it did call "Idp_Jwks" and control comes to my code. "verifyStruct" under jwtplugin.rpgle is successfully populated with my keys.

NielsLiisberg commented 1 year ago

Hmm! That was a surprise. Yes - you got the proc pointer, so it is not that obvious what’s going on. Can you please zip your project and send it to me?

Perhaps Mihael has an opinion?

Wed, 3 May 2023 at 13:58, Venu @.***> wrote:

I got PTEMP = PRP:C5C27FE10A002458 as the value.

Failure happens even before reaching the plugin code. When I placed a breakpoint on the JWT validation routine, the program does not even reach there.

Line 142 is where it fails with above said error.

Program: ILEASTIC Library: ILEASTIC Module: ILEASTIC
138 outbytesleft = outlen;
139 totBuf = memAlloc ( 16 + (outlen)); // The Chunk header + the max size which twice the byte size
140 wrkBuf = tempBuf = totBuf + 16; // Make room for the chunk header ( max 16 bytes)
141
142 rc = iconv ( pResponse->pConfig->e2a->Iconv , &input , &inbytesleft, &wrkBuf , &outbytesleft);

As mentioned in the earlier post, with the same program code, when I re-arrange the proc calls, it works. So my guess was that it has nothing to do with binding and could be something memory related, but I could be wrong.


cgvenu commented 1 year ago

The program code from my first post is the complete sample program that can be compiled to reproduce the error.

"IdP_Jwks" looks a bit odd, but do not bother; as long as control reaches il_jwt_filter to make use of that value, the rest is all fine. I am not even reaching there.

I got the latest version of the code from GitHub 2 days ago and built it fresh, just to avoid any memory leak issues you would have fixed in the last couple of months.

If you want to test the X'0000000002020220' vs. X'0000000004040420' error situation, all you have to do is add INZ to line 186 of "jwtplugin.rpgle" ("dcl-ds jwksDs LikeDS(jwksDs_t) Dim(10);"), and rebuild the plugins.

m1h43l commented 3 months ago

As you provide the verification data yourself you can just add them directly anyway.

We are considering direct JWKS support for ILEastic so you wouldn't have to provide your own procedure.
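
Separate from the crash discussed in this thread, an added example (not part of the thread and not ILEastic's code) of how a consumer of a key set filled in by a callback such as IdP_Jwks can bound the reported key count and select a verification key by kid, use and alg. The struct, the callback signature, the `int` count and all function names are hypothetical; only the four field names, the Dim(10) capacity and the dummy values come from the first post.

```c
#include <stdio.h>
#include <string.h>
#define JWKS_MAX_KEYS 10   /* mirrors Dim(10) in the first post */
/* Hypothetical C mirror of the four jwksDs_t fields set in the post. */
typedef struct { char keyTp[8], keyId[64], usage[8], alg[8]; } jwk_entry;
/* Assumed callback shape: fills keys[] and reports how many it wrote. */
typedef void (*jwks_provider)(jwk_entry *keys, int *keyCnt);

/* Key type required by an allow-listed JWT alg. NULL rejects the rest
   ("none", HS*), so a public key is never treated as an HMAC secret. */
static const char *kty_for_alg(const char *alg) {
    return (alg && (!strcmp(alg, "RS256") || !strcmp(alg, "RS384") ||
                    !strcmp(alg, "RS512"))) ? "RSA" : NULL;
}
/* Returns the key matching the token header's kid and alg, or NULL. */
const jwk_entry *select_key(jwks_provider provider, jwk_entry *keys,
                            const char *hdrKid, const char *hdrAlg) {
    const char *kty = kty_for_alg(hdrAlg);
    int cnt = -1;
    if (!provider || !kty || !hdrKid || !*hdrKid) return NULL;
    memset(keys, 0, sizeof(jwk_entry) * JWKS_MAX_KEYS);
    provider(keys, &cnt);
    if (cnt < 1 || cnt > JWKS_MAX_KEYS) return NULL; /* distrust the count */
    for (int i = 0; i < cnt; i++) {
        jwk_entry *k = &keys[i];
        /* Force termination before any strcmp on callback-written data. */
        k->keyTp[7] = k->keyId[63] = k->usage[7] = k->alg[7] = '\0';
        if (!strcmp(k->keyId, hdrKid) && !strcmp(k->usage, "sig") &&
            !strcmp(k->alg, hdrAlg) && !strcmp(k->keyTp, kty))
            return k;
    }
    return NULL;
}
/* Constructed provider returning the dummy values from the post. */
static void sample_provider(jwk_entry *keys, int *keyCnt) {
    strcpy(keys[0].keyTp, "RSA");  strcpy(keys[0].keyId, "abcde_eaa");
    strcpy(keys[0].usage, "sig");  strcpy(keys[0].alg, "RS512");
    *keyCnt = 1;
}
/* Constructed misbehaving provider: claims more keys than the array holds. */
static void overcount_provider(jwk_entry *keys, int *keyCnt) {
    sample_provider(keys, keyCnt);
    *keyCnt = JWKS_MAX_KEYS + 1;
}

int main(void) {
    jwk_entry keys[JWKS_MAX_KEYS];
    puts(select_key(sample_provider, keys, "abcde_eaa", "RS512") ? "found" : "rejected");
    puts(select_key(overcount_provider, keys, "abcde_eaa", "RS512") ? "found" : "rejected");
    return 0;
}
```

The count check only stops the caller from reading past the array; a callback that has already written beyond ten entries must be prevented on the callback side.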