fix: improve JWS and key verification

This commit is contained in:
Livio Amstutz 2021-09-14 08:20:41 +02:00
parent fcad98f4bd
commit 7bb6443cd0
5 changed files with 403 additions and 29 deletions


@ -2,7 +2,7 @@ package op
import (
"context"
"errors"
"fmt"
"net/http"
"time"
@ -280,12 +280,12 @@ type openIDKeySet struct {
func (o *openIDKeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) ([]byte, error) {
keySet, err := o.Storage.GetKeySet(ctx)
if err != nil {
return nil, errors.New("error fetching keys")
return nil, fmt.Errorf("error fetching keys: %w", err)
}
keyID, alg := oidc.GetKeyIDAndAlg(jws)
key, ok := oidc.FindKey(keyID, oidc.KeyUseSignature, alg, keySet.Keys...)
if !ok {
return nil, errors.New("invalid kid")
key, err := oidc.FindMatchingKey(keyID, oidc.KeyUseSignature, alg, keySet.Keys...)
if err != nil {
return nil, fmt.Errorf("invalid signature: %w", err)
}
return jws.Verify(&key)
}
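Review bot: The error built at `return nil, fmt.Errorf("invalid signature: %w", err)` reports a signature failure before any signature has been checked — at that point only oidc.FindMatchingKey has failed to select a key (no kid/use/alg match), and the actual signature check is the `jws.Verify(&key)` call two lines later. Callers and log consumers keyed on this message cannot distinguish a key-rotation or unknown-kid condition from a tampered token, which is exactly the distinction an operator needs when triaging verification failures; suggest `return nil, fmt.Errorf("no matching key for signature: %w", err)` so the wrapped FindMatchingKey error stays accurate. Since `alg` comes from the JWS header via oidc.GetKeyIDAndAlg, the matching step is where the header-declared algorithm must be pinned to the stored key's algorithm; whether FindMatchingKey rejects an empty or mismatched alg is not visible in this hunk and deserves a confirming test. The `errors` import in the first hunk is no longer used by this function after the two `errors.New` calls were replaced; if nothing else in the file still uses it, the build would fail, so presumably it is referenced elsewhere.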