forked from gravitational/teleport
-
Notifications
You must be signed in to change notification settings - Fork 0
/
jwk.go
99 lines (89 loc) · 3.08 KB
/
jwk.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
/*
* Teleport
* Copyright (C) 2023 Gravitational, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package jwt
import (
"crypto"
"crypto/rsa"
"encoding/base64"
"math/big"
"github.com/gravitational/trace"
"github.com/gravitational/teleport/lib/defaults"
"github.com/gravitational/teleport/lib/utils"
)
// JWK is a JSON Web Key, described in detail in RFC 7517.
type JWK struct {
// KeyType is the type of asymmetric key used.
KeyType string `json:"kty"`
// Algorithm used to sign.
Algorithm string `json:"alg"`
// N is the modulus of the public key.
N string `json:"n"`
// E is the exponent of the public key.
E string `json:"e"`
// Use identifies the intended use of the public key.
// This field is required for the AWS OIDC Integration.
// https://www.rfc-editor.org/rfc/rfc7517#section-4.2
Use string `json:"use"`
// KeyID identifies the key to use.
// This field is required (even if empty) for the AWS OIDC Integration.
// https://www.rfc-editor.org/rfc/rfc7517#section-4.5
KeyID string `json:"kid"`
}
// MarshalJWK will marshal a supported public key into JWK format.
func MarshalJWK(bytes []byte) (JWK, error) {
// Parse the public key and validate type.
p, err := utils.ParsePublicKey(bytes)
if err != nil {
return JWK{}, trace.Wrap(err)
}
publicKey, ok := p.(*rsa.PublicKey)
if !ok {
return JWK{}, trace.BadParameter("unsupported key format %T", p)
}
// Marshal to JWK.
return JWK{
KeyType: string(defaults.ApplicationTokenKeyType),
Algorithm: string(defaults.ApplicationTokenAlgorithm),
N: base64.RawURLEncoding.EncodeToString(publicKey.N.Bytes()),
E: base64.RawURLEncoding.EncodeToString(big.NewInt(int64(publicKey.E)).Bytes()),
Use: defaults.JWTUse,
KeyID: "",
}, nil
}
// UnmarshalJWK will unmarshal JWK into a crypto.PublicKey that can be used
// to validate signatures.
func UnmarshalJWK(jwk JWK) (crypto.PublicKey, error) {
if jwk.KeyType != string(defaults.ApplicationTokenKeyType) {
return nil, trace.BadParameter("unsupported key type %v", jwk.KeyType)
}
if jwk.Algorithm != string(defaults.ApplicationTokenAlgorithm) {
return nil, trace.BadParameter("unsupported algorithm %v", jwk.Algorithm)
}
n, err := base64.RawURLEncoding.DecodeString(jwk.N)
if err != nil {
return nil, trace.Wrap(err)
}
e, err := base64.RawURLEncoding.DecodeString(jwk.E)
if err != nil {
return nil, trace.Wrap(err)
}
return &rsa.PublicKey{
N: new(big.Int).SetBytes(n),
E: int(new(big.Int).SetBytes(e).Uint64()),
}, nil
}