Example validating JWTs with provided x509 certificate bundle #231

Open
drewwells opened this issue Jun 12, 2023 · 0 comments
drewwells commented Jun 12, 2023

The helm-chart and spiffe-helper applications provide bundles in X.509 format. Given a JWT-SVID, provide an example of validating the JWT with a PEM bundle. I want to be able to validate JWTs without relying on a live connection to spire-agent, for performance and reliability reasons. Identity systems have highly variable and burstable traffic, so a static bundle approach is a better design for our usage.

-> % kubectl -n spire-server get cm spire-bundle -o yaml
apiVersion: v1
data:
  bundle.crt: |
    -----BEGIN CERTIFICATE-----
    MIIDWDCCAkCgAwIBAgIRAIKUsVv6UEa6LJqbQzWC/PIwDQYJKoZIhvcNAQELBQAw
    NTELMAkGA1UEBhMCTkwxEDAOBgNVBAoTB0V4YW1wbGUxFDASBgNVBAMTC2V4YW1w
    bGUub3JnMB4XDTIzMDYxMjAyMzgxNVoXDTIzMDYxMzAyMzgyNVowNTELMAkGA1UE

package main

import (
	"fmt"

	"github.com/spiffe/go-spiffe/v2/bundle/x509bundle"
	"github.com/spiffe/go-spiffe/v2/spiffeid"
	"github.com/spiffe/go-spiffe/v2/svid/jwtsvid"
)

func validate(domain string) error {
	// The trust domain has to exist before a bundle can be loaded for it.
	trustDomain := spiffeid.RequireTrustDomainFromString(domain)

	// PEM bundle as written by spiffe-helper / the helm chart (bundle.crt above).
	ca, err := x509bundle.Load(trustDomain, "svid_bundle.pem")
	if err != nil {
		return fmt.Errorf("ca bundle: %w", err)
	}

	token := "eyJhbGciOiJFUzI1NiIsImtpZCI6Ijg3R0wza3dFQlBtY1lUYjgzZXI2UndKcDQyMGdLYjVLIiwidHlwIjoiSldUIn0.eyJhdWQiOlsiaWItc3RrIl0sImV4cCI6MTg0MjgwOTg0OSwiaWF0IjoxNjg2MzM0NDAwLCJpc3MiOiJodHRwczovL2F1dGguaW5mb2Jsb3guY29tLyIsInN1YiI6InNwaWZmZTovL2luZm9ibG94LmNvbS90ZXN0c2VydmljZSJ9.7NoCIxsarr2v0MxZXiahYPyzS_2lwzPDsK00j8Ne5FEBCnlHaRddrHnhWhCuOffttWPw7yLISfG7_kkZnVhpHA"

	// Open question of this issue: what goes here so that the PEM bundle in ca can be used?
	bundle = ????

	svid, err := jwtsvid.ParseAndValidate(token, bundle, []string{"aud"})
	if err != nil {
		return err
	}
	fmt.Println(svid.ID)
	return nil
}
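A JWT-SVID is signed by the trust domain's JWT authorities, which SPIFFE distributes as a JWKS document (the JWT bundle, distinct from the X.509 CA bundle in bundle.crt); that is the input `jwtsvid.ParseAndValidate` takes through its `jwtbundle.Source` argument, and `jwtbundle.Load(trustDomain, path)` reads such a file from disk the way `x509bundle.Load` reads a PEM bundle. The block below is an added example, not code from this issue or from go-spiffe: it performs the same offline checks against a static JWKS in standard-library Go, so it runs with no spire-agent at all and shows what the static-bundle design in the issue actually needs. The trust domain `example.org`, the key ID `kid-1`, the audience `ib-stk`, the JWKS layout and the `MintJWTSVID`/`BundleJWKS` fixtures that stand in for a SPIRE server are all constructed for the example; ES256 is pinned because that is the algorithm in the issue's token header.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// JWTBundle is the in-memory shape of a SPIFFE JWT bundle: a trust domain and its JWT
// authorities (public keys) indexed by kid. Validating a JWT-SVID needs exactly this;
// an X.509 CA bundle such as bundle.crt above contains no such keys.
type JWTBundle struct {
	TrustDomain string
	Keys        map[string]*ecdsa.PublicKey
}

// jwk is the JWK subset a P-256 (ES256) authority needs; encoding/json matches the
// lowercase JSON names case-insensitively. Real SPIRE bundles also carry "use":"jwt-svid".
type jwk struct{ Kty, Kid, Crv, X, Y string }

// ParseJWKSBundle loads the static JWKS file a JWT bundle is distributed as. Keys that
// are not P-256 are skipped; a malformed P-256 key is an error, not silently dropped.
func ParseJWKSBundle(trustDomain string, data []byte) (*JWTBundle, error) {
	var doc map[string][]jwk
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("jwks: %w", err)
	}
	b := &JWTBundle{TrustDomain: trustDomain, Keys: map[string]*ecdsa.PublicKey{}}
	for _, k := range doc["keys"] {
		if k.Kty != "EC" || k.Crv != "P-256" || k.Kid == "" {
			continue
		}
		x, errX := b64.DecodeString(k.X)
		y, errY := b64.DecodeString(k.Y)
		pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		if errX != nil || errY != nil || !pub.Curve.IsOnCurve(pub.X, pub.Y) {
			return nil, fmt.Errorf("jwk %q: not a valid P-256 point", k.Kid)
		}
		b.Keys[k.Kid] = pub
	}
	return b, nil
}

// ValidateJWTSVID runs the offline checks a JWT-SVID validator applies against a static
// bundle: pinned alg, authority looked up by kid, ES256 signature, expiry, every required
// audience present, and a subject inside the bundle's trust domain. Returns the SPIFFE ID.
func ValidateJWTSVID(token string, b *JWTBundle, audience []string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("token is not a compact JWS")
	}
	var hdr struct{ Alg, Kid string }
	// The verifier, not the token, picks the algorithm: no "none", no key-type confusion.
	if err := decodeSegment(parts[0], &hdr); err != nil || hdr.Alg != "ES256" {
		return "", fmt.Errorf("bad header or unsupported alg %q", hdr.Alg)
	}
	pub, ok := b.Keys[hdr.Kid]
	if !ok {
		return "", fmt.Errorf("no JWT authority with kid %q for %s", hdr.Kid, b.TrustDomain)
	}
	// Verify before trusting any claim; an ES256 signature is raw r||s, 32 bytes each.
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature verification failed")
	}
	var claims struct {
		Sub string
		Aud json.RawMessage // a string or an array; see audienceSet
		Exp *int64
	}
	if err := decodeSegment(parts[1], &claims); err != nil {
		return "", fmt.Errorf("claims: %w", err)
	}
	if claims.Exp == nil || !now.Before(time.Unix(*claims.Exp, 0)) {
		return "", errors.New("token is expired or has no exp claim")
	}
	have := audienceSet(claims.Aud)
	for _, want := range audience {
		if !have[want] {
			return "", fmt.Errorf("expected audience %q not present in token", want)
		}
	}
	// A bundle vouches only for identities in its own trust domain.
	if !strings.HasPrefix(claims.Sub, "spiffe://"+b.TrustDomain+"/") {
		return "", fmt.Errorf("subject %q is not in trust domain %s", claims.Sub, b.TrustDomain)
	}
	return claims.Sub, nil
}

func decodeSegment(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// audienceSet accepts both encodings RFC 7519 allows for aud (one string or an array);
// a missing or malformed aud yields an empty set, so no required audience can match.
func audienceSet(raw json.RawMessage) map[string]bool {
	var one string
	var many []string
	if json.Unmarshal(raw, &one) == nil {
		many = []string{one}
	} else {
		_ = json.Unmarshal(raw, &many)
	}
	set := map[string]bool{}
	for _, a := range many {
		set[a] = true
	}
	return set
}

// MintJWTSVID and BundleJWKS are constructed fixtures standing in for a SPIRE server so
// the example runs with no live agent; they are not part of the validation path.
func MintJWTSVID(priv *ecdsa.PrivateKey, kid, sub string, aud []string, exp time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid, "typ": "JWT"})
	body, _ := json.Marshal(map[string]interface{}{"sub": sub, "aud": aud, "exp": exp.Unix(), "iat": time.Now().Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)), nil
}

func BundleJWKS(kid string, pub *ecdsa.PublicKey) []byte {
	out, _ := json.Marshal(map[string][]map[string]string{"keys": {{"kty": "EC", "crv": "P-256", "use": "jwt-svid", "kid": kid,
		"x": b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))), "y": b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}}})
	return out
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	bundle, _ := ParseJWKSBundle("example.org", BundleJWKS("kid-1", &priv.PublicKey))
	tok, _ := MintJWTSVID(priv, "kid-1", "spiffe://example.org/testservice", []string{"ib-stk"}, time.Now().Add(time.Hour))
	fmt.Println(ValidateJWTSVID(tok, bundle, []string{"ib-stk"}, time.Now()))
	fmt.Println(ValidateJWTSVID(tok, bundle, []string{"other"}, time.Now())) // audience mismatch is rejected
}
```

With go-spiffe the equivalent of the snippet in the issue is `bundle, err := jwtbundle.Load(trustDomain, "jwt_bundle.json")` followed by `jwtsvid.ParseAndValidate(token, bundle, []string{"aud"})`; the file name is an assumption. Two behaviours of the example matter for a static-file deployment: a `kid` that is not in the bundle is rejected, which is what a stale file looks like after the server rotates its JWT key, so the file still has to be refreshed on the bundle's refresh hint even though no live agent connection is needed per request; and the bundle is treated as authoritative only for its own trust domain, which is the check that stops a token from a federated domain being accepted under the wrong keys.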