Support x509 Certificates for JWT verification.
If parsing the public key as PKIX fails, try again as an x509.Certificate. Some vendors are starting to use these to sign JWTs. Example: https://www.googleapis.com/oauth2/v1/certs
parent
32c540957a
commit
924b188e65
9
rs256.go
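--- a/rs256.go
+++ b/rs256.go
@@ -29,13 +29,18 @@ func (m *SigningMethodRS256) Verify(signingString, signature string, key []byte)
 		var block *pem.Block
 		if block, _ = pem.Decode(key); block != nil {
 			var parsedKey interface{}
-			if parsedKey, err = x509.ParsePKIXPublicKey(block.Bytes); err == nil {
+			if parsedKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
+				parsedKey, err = x509.ParseCertificate(block.Bytes)
+			}
+			if err == nil {
 				if rsaKey, ok := parsedKey.(*rsa.PublicKey); ok {
 					hasher := sha256.New()
 					hasher.Write([]byte(signingString))
 
 					err = rsa.VerifyPKCS1v15(rsaKey, crypto.SHA256, hasher.Sum(nil), sig)
-				} else {
+				} else if cert, ok := parsedKey.(*x509.Certificate); ok {
+					err = cert.CheckSignature(x509.SHA256WithRSA, []byte(signingString), sig)
+				} else {
 					err = errors.New("Key is not a valid RSA public key")
 				}
 			}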
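Review bot: The certificate branch `} else if cert, ok := parsedKey.(*x509.Certificate); ok {` duplicates what the `*rsa.PublicKey` branch already does, and a certificate whose key is not RSA now fails with an x509-library error instead of the existing "Key is not a valid RSA public key" message; unwrapping the key right after parsing keeps one RS256 verification path. Concretely, inside the new `err != nil` branch use `if cert, cerr := x509.ParseCertificate(block.Bytes); cerr == nil { parsedKey, err = cert.PublicKey, nil }`, and drop the `else if cert` arm with its CheckSignature call. That also avoids the current behaviour where, when both parses fail, `err` carries the certificate parse error and the PKIX error that would explain a plain-key input is lost. The new branch deserves a comment that the certificate is used only as a carrier for the public key: the caller supplies it as trusted material and no validity-period, key-usage or chain checks happen here. Verify starts and ends outside the hunk, and `err` and `sig` are declared there.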