Support x509 Certificates for JWT verification.

If an attempt to parse the key as a PKIX public key fails, try again as an
X.509 certificate. Some vendors are starting to publish their JWT signing keys this way.
Example: https://www.googleapis.com/oauth2/v1/certs
This commit is contained in:
Dan Morrill 2012-12-21 23:27:41 -08:00
parent 32c540957a
commit 924b188e65
1 changed files with 7 additions and 2 deletions


@ -29,13 +29,18 @@ func (m *SigningMethodRS256) Verify(signingString, signature string, key []byte)
var block *pem.Block var block *pem.Block
if block, _ = pem.Decode(key); block != nil { if block, _ = pem.Decode(key); block != nil {
var parsedKey interface{} var parsedKey interface{}
if parsedKey, err = x509.ParsePKIXPublicKey(block.Bytes); err == nil { if parsedKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
parsedKey, err = x509.ParseCertificate(block.Bytes)
}
if err == nil {
if rsaKey, ok := parsedKey.(*rsa.PublicKey); ok { if rsaKey, ok := parsedKey.(*rsa.PublicKey); ok {
hasher := sha256.New() hasher := sha256.New()
hasher.Write([]byte(signingString)) hasher.Write([]byte(signingString))
err = rsa.VerifyPKCS1v15(rsaKey, crypto.SHA256, hasher.Sum(nil), sig) err = rsa.VerifyPKCS1v15(rsaKey, crypto.SHA256, hasher.Sum(nil), sig)
} else { } else if cert, ok := parsedKey.(*x509.Certificate); ok {
err = cert.CheckSignature(x509.SHA256WithRSA, []byte(signingString), sig)
} else {
err = errors.New("Key is not a valid RSA public key") err = errors.New("Key is not a valid RSA public key")
} }
} }