package main
import (
"crypto/ecdsa"
"fmt"
"github.com/dgrijalva/jwt-go"
"io/ioutil"
"log"
"net/http"
"strconv"
)
// signingMethod names the JOSE algorithm this server signs with and expects
// back on every presented token (ECDSA over P-521 with SHA-512).
const signingMethod = "ES512"
// keys lists the base file names of the key pairs loaded at startup; main
// reads the private key from "<name>.pem" and the public key from "<name>.pub".
var keys = [2]string{"secp521r1-key1", "secp521r1-key2"}

// ecdsaPrivateKey and ecdsaPublicKey hold the parsed key pairs in the same
// order as keys; a token's "kid" value minus one is the index into both.
var (
	ecdsaPrivateKey [2]*ecdsa.PrivateKey
	ecdsaPublicKey  [2]*ecdsa.PublicKey
)

// signingMethodInst is the jwt.SigningMethod resolved from signingMethod.
var signingMethodInst jwt.SigningMethod
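// loadKeys reads every key pair named in keys into ecdsaPrivateKey and
// ecdsaPublicKey. Any failure is fatal: the server can neither sign nor verify
// tokens without a complete key set.
func loadKeys() {
	for i, name := range keys {
		privPEM, err := ioutil.ReadFile(name + ".pem")
		if err != nil {
			log.Panicf("Could not read private key file: %v", err)
		}
		pubPEM, err := ioutil.ReadFile(name + ".pub")
		if err != nil {
			log.Panicf("Could not read public key file: %v", err)
		}
		// log.Panicf, not log.Panic: the original passed a %v verb to log.Panic,
		// which does not format and printed the verb literally.
		ecdsaPrivateKey[i], err = jwt.ParseECPrivateKeyFromPEM(privPEM)
		if err != nil {
			log.Panicf("Unable to parse ECDSA private key: %v", err)
		}
		ecdsaPublicKey[i], err = jwt.ParseECPublicKeyFromPEM(pubPEM)
		if err != nil {
			log.Panicf("Unable to parse ECDSA public key: %v", err)
		}
	}
}

// parseKid validates a textual key id taken from an untrusted source (a form
// field or a token claim) and returns it as a 1-based index into keys.
// Non-numeric or out-of-range values are rejected so the caller never indexes
// the key arrays with attacker-chosen data.
func parseKid(s string) (int, error) {
	kid, err := strconv.Atoi(s)
	if err != nil || kid < 1 || kid > len(keys) {
		return 0, fmt.Errorf("invalid kid %q", s)
	}
	return kid, nil
}

// newTokenHandler issues a token signed with the key pair selected by the
// "kid" form parameter. Malformed requests get a 400 instead of panicking the
// handler. NOTE(review): nothing here authenticates the caller — anyone who
// can reach /newtoken obtains a valid token; confirm that is intended.
func newTokenHandler(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil {
		http.Error(w, "Could not parse incoming request!", http.StatusBadRequest)
		return
	}
	kid, err := parseKid(r.Form.Get("kid"))
	if err != nil {
		http.Error(w, "Invalid Kid", http.StatusBadRequest)
		return
	}
	token := jwt.New(signingMethodInst)
	token.Claims["access"] = "1" // this jwt-go API stores claim values as strings only
	// The key id travels in the claims (not the JOSE header); secretDataHandler
	// reads it back from the same place.
	token.Claims["kid"] = strconv.Itoa(kid)
	tokenString, err := token.SignedString(ecdsaPrivateKey[kid-1])
	if err != nil {
		log.Printf("Sign() failed: %v", err)
		http.Error(w, "Could not sign token", http.StatusInternalServerError)
		return
	}
	// Fprint, not Fprintf: the token is data, never a format string.
	fmt.Fprint(w, tokenString)
}

// secretDataHandler serves the protected payload when the request carries a
// token that verifies under the public key named by its "kid" claim; every
// other outcome is a 401.
func secretDataHandler(w http.ResponseWriter, r *http.Request) {
	token, err := jwt.ParseFromRequest(r, func(t *jwt.Token) (interface{}, error) {
		// Pin the algorithm before trusting any claim: the key returned below
		// is only meaningful for the method this server itself signs with.
		if t.Method.Alg() != signingMethod {
			return nil, fmt.Errorf("unexpected signing method %q", t.Method.Alg())
		}
		// Comma-ok assertion: a crafted token can carry "kid" as a number or
		// null, and a bare .(string) would panic inside the handler.
		rawKid, ok := t.Claims["kid"].(string)
		if !ok {
			return nil, fmt.Errorf("kid claim missing or not a string")
		}
		kid, err := parseKid(rawKid)
		if err != nil {
			return nil, err
		}
		return ecdsaPublicKey[kid-1], nil
	})
	// err is checked first so token is never dereferenced when parsing failed.
	if err != nil || !token.Valid {
		http.Error(w, "Authentication token is missing or incorrect", http.StatusUnauthorized)
		return
	}
	fmt.Fprint(w, "secret data")
}

// main loads the key pairs, resolves the signing method and serves the two
// endpoints on :8080. Startup problems panic; the server itself runs until
// ListenAndServe fails.
func main() {
	loadKeys()
	// Assign the package-level variable; the original declared a new local
	// with := and left the package-level signingMethodInst nil.
	signingMethodInst = jwt.GetSigningMethod(signingMethod)
	if signingMethodInst == nil {
		log.Panicf("signing method %q is not registered", signingMethod)
	}
	http.HandleFunc("/newtoken", newTokenHandler)
	http.HandleFunc("/secret_data", secretDataHandler)
	// NOTE(review): ListenAndServe sets no read/write timeouts; an http.Server
	// with ReadHeaderTimeout is preferable for anything beyond a demo.
	log.Fatal(http.ListenAndServe(":8080", nil))
}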