Also use JWK[S] to validate JWT signatures

mt-inside · Feb 21, 2024 · 60d104c · 60d104c
1 parent 35a9258
commit 60d104c
Showing 1 changed file with 23 additions and 3 deletions.
diff --git a/cmd/http-log/main.go b/cmd/http-log/main.go
@@ -27,6 +27,7 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -40,6 +41,8 @@ import (
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
 
+	"github.com/mt-inside/go-jwks"
+
 	"github.com/mt-inside/http-log/internal/build"
 	"github.com/mt-inside/http-log/internal/ctxt"
 	"github.com/mt-inside/http-log/pkg/bios"
@@ -131,7 +134,7 @@ func main() {
 		Key             string `short:"k" long:"key" optional:"yes" description:"Path to TLS server key. Setting this implies serving https"`
 		TLSAlgo         string `short:"K" long:"self-signed-tls" choice:"off" choice:"rsa" choice:"ecdsa" choice:"ed25519" default:"off" optional:"yes" optional-value:"rsa" description:"Generate and present a self-signed TLS certificate? No flag / -k=off: plaintext. -k: TLS with RSA certs. -k=foo TLS with $foo certs"`
 		ClientCA        string `short:"C" long:"ca" optional:"yes" description:"Path to TLS client CA certificate"`
-		JWTValidatePath string `short:"j" long:"jwt-validate-key" description:"Path to a PEM-encoded [rsa,ecdsa,ed25519] public key used to validate JWTs"`
+		JWTValidatePath string `short:"j" long:"jwt-validate-key" description:"Path to a [JWK[S],PEM]-encoded (determined by file extension) [rsa,ecdsa,ed25519] public key used to validate JWTs"`
 
 		/* Output options */
 		Output string `short:"o" long:"output" description:"Log output format" choice:"auto" choice:"pretty" choice:"text" choice:"json" default:"auto"`
@@ -282,8 +285,25 @@ func main() {
 	if opts.JWTValidatePath != "" {
 		bytes, err := os.ReadFile(opts.JWTValidatePath)
 		b.Unwrap(err)
-		srvData.AuthJwtValidateKey, err = codec.ParsePublicKey(bytes)
-		b.Unwrap(err)
+		switch filepath.Ext(opts.JWTValidatePath) {
+		case ".jwks":
+			keys, err := jwks.JWKS2KeysMap(bytes)
+			b.Unwrap(err)
+			for kid, key := range keys {
+				srvData.AuthJwtValidateKey = key
+				if len(keys) > 1 {
+					b.PrintWarn(fmt.Sprintf("JWKS contains >1 key; randomly using key id %s", kid))
+				}
+				break
+			}
+		case ".jwk":
+			key, err := jwks.JWK2Key(bytes)
+			b.Unwrap(err)
+			srvData.AuthJwtValidateKey = key
+		default:
+			srvData.AuthJwtValidateKey, err = codec.ParsePublicKey(bytes)
+			b.Unwrap(err)
+		}
 	}
 
 	loggingMux := handlers.NewLogMiddle(