forked from go-jose/go-jose
/
cop.go
58 lines (48 loc) · 1.46 KB
/
cop.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
package jose
import "errors"
// VerifyCOP works exactly like Verify but supports OpenBanking crit claims used by CoP
func (obj JSONWebSignature) VerifyCOP(verificationKey interface{}) ([]byte, error) {
err := obj.DetachedVerifyCOP(obj.payload, verificationKey)
if err != nil {
return nil, err
}
return obj.payload, nil
}
// DetachedVerifyCOP works exactly like DetachedVerify but supports OpenBanking crit claims used by CoP
func (obj JSONWebSignature) DetachedVerifyCOP(payload []byte, verificationKey interface{}) error {
key := tryJWKS(verificationKey, obj.headers()...)
verifier, err := newVerifier(key)
if err != nil {
return err
}
if len(obj.Signatures) > 1 {
return errors.New("go-jose/go-jose: too many signatures in payload; expecting only one")
}
signature := obj.Signatures[0]
headers := signature.mergedHeaders()
critical, err := headers.getCritical()
if err != nil {
return err
}
for _, name := range critical {
if !supportedCriticalCOP[name] {
return ErrCryptoFailure
}
}
input, err := obj.computeAuthData(payload, &signature)
if err != nil {
return ErrCryptoFailure
}
alg := headers.getSignatureAlgorithm()
err = verifier.verifyPayload(input, signature.Signature, alg)
if err == nil {
return nil
}
return ErrCryptoFailure
}
var supportedCriticalCOP = map[string]bool{
headerB64: true,
"http://openbanking.org.uk/iat": true,
"http://openbanking.org.uk/iss": true,
"http://openbanking.org.uk/tan": true,
}