validate keyid scheme and hostname

Signed-off-by: Joshua Rubin <jrubin@zvelo.com>

callback/keygetter.go

@@ -3,6 +3,8 @@ package callback
 import (
 	"encoding/json"
 	"net/http"
+	"net/url"
+	"strings"
 
 	"github.com/pkg/errors"
 
@@ -11,6 +13,13 @@ import (
 	"zvelo.io/httpsig"
 )
 
+// KeyGetter validates the scheme and hostname of the KeyID before fetching.
+// Only those that match these values will be considered valid.
+var (
+	KeyIDScheme   = "https"
+	KeyIDHostname = "zvelo.com"
+)
+
 // KeyCache is a simple interface for caching JSON Web Keys
 type KeyCache interface {
 	Get(string) *jose.JSONWebKeySet
@@ -38,15 +47,30 @@ func extractKey(keyset *jose.JSONWebKeySet) (interface{}, error) {
 }
 
 func (g *keyGetter) GetKey(keyID string) (interface{}, error) {
-	// 1. check for key cached in filesystem
+	// 1. validate that the key should be trusted
+
+	u, err := url.Parse(keyID)
+	if err != nil {
+		return nil, err
+	}
+
+	if u.Scheme != KeyIDScheme {
+		return nil, errors.Errorf("keyID (%s) does not have https scheme", keyID)
+	}
+
+	if h := u.Hostname(); h != KeyIDHostname && !strings.HasSuffix(h, "."+KeyIDHostname) {
+		return nil, errors.Errorf("keyID (%s) does not have a zvelo.com hostname", keyID)
+	}
+
+	// 2. check for key cached in filesystem
 
 	if g.cache != nil {
 		if keyset := g.cache.Get(keyID); keyset != nil {
 			return extractKey(keyset)
 		}
 	}
 
-	// 2. fetch the key
+	// 3. fetch the key
 
 	resp, err := http.Get(keyID)
 	if err != nil {
@@ -64,7 +88,7 @@ func (g *keyGetter) GetKey(keyID string) (interface{}, error) {
 		return nil, err
 	}
 
-	// 3. write the json key to the cache file as we decode it
+	// 4. write the json key to the cache file as we decode it
 
 	if g.cache != nil {
 		g.cache.Set(keyID, &keyset)