DCIT / perl-Crypt-JWT

54 stars, 18 forks

kid keys #11

Closed (PavelTrushkin closed this 6 years ago)

PavelTrushkin commented 6 years ago

IMHO there is a bug with the _kid_lookup usage:

my $k = _kid_lookup ..... $key = $k if defined $k;

should be replaced by:

my $k = _kid_lookup ..... $key = $k->{ k } if ref($k) eq 'HASH' && exists $k->{ k };

Otherwise, later on, _prepare_XXX_key constructs Crypt::PK::{RSA,ECC} objects with an incorrect key reference (to { kid =>, kty =>, k => } instead of the real key/certificate).

PavelTrushkin commented 6 years ago

Sorry, that's the wrong solution; the correct one is:

after the lines

croak "JWT: invalid XXX key (cannot be scalar)" unless ref $key;

in _prepare_XXX_key, add

$key = $key->{ k } if ref($key) eq 'HASH' && exists $key->{ k };

I have tested it on Google JWT certificates.

karel-m commented 6 years ago

Do you have a failing test case?

PavelTrushkin commented 6 years ago

use strict;
use warnings;

use Crypt::JWT qw(decode_jwt);
use JSON::MaybeXS;
use LWP::Simple;

# Fetch Google's current signing certificates. The endpoint returns a JSON
# object of kid => PEM certificate; wrap each one in a JWK-like hash so the
# set can be passed as kid_keys. Note that k holds a reference to the PEM
# string, which is what the proposed _prepare_XXX_key change expects.
sub get_certs_from_web {
    my $google_certs_url = 'https://www.googleapis.com/oauth2/v1/certs';
    my $json_certs = get($google_certs_url);

    return undef unless defined $json_certs;
    my $certs = decode_json($json_certs);

    return undef unless defined $certs;

    my @keys;
    foreach my $kid (keys %{$certs}) {
        push @keys, { kid => $kid, kty => 'RSA', k => \$certs->{$kid} };
    }
    return { keys => \@keys };
}

my $token = 'eyJhbGciOiJSUzI1NiIsImtpZCI6IjI2YzAxOGIyMzNmZTJlZWY0N2ZlZGJiZGQ5Mzk4MTcwZmM5YjI5ZDgifQ.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.PrJdiLZNTBIY1-miT_gHSt7z5i3wMn8c4AN4_Sst9q4bTixe5mzW8ppP_kmAqbncak2viUgH7zDDkt-wAPZK1XcNwm0L4kjsm71BEMEMKlQPbGV744u1z3R1Y9_Z7JSHX9cKmw53LvHPrzjiD8MbQqesOrMw6QYDQljvr-0jrQEx_ysjkroO6MARsHTf_tqim3xvgdDWy2_css_xkyj_d9PbKpEZGpdfjWomcxMu-iBxGJHq_dBJ4eV7Cj2uZqQVI44PjmyIXN7BW3ym_m40R2G2Mf8hMeGDHBcXIRMS-FEo4M101yveeniIkzOLosI9k4FfRqVSt9Xd8RYvTQP_HA';

my $keys = get_certs_from_web;
my $payload = decode_jwt(token => $token, kid_keys => $keys);

karel-m commented 6 years ago

With the latest master it should work like:

use strict;
use warnings;
use Crypt::JWT qw(decode_jwt);
use LWP::Simple;

# Google's cert endpoint returns a JSON object of kid => PEM certificate;
# the latest master accepts that JSON string directly as kid_keys.
my $google_certs = get('https://www.googleapis.com/oauth2/v1/certs');

my $token = 'eyJhbGciOiJSUzI1NiIsImtpZCI6IjI2YzAxOGIyMzNmZTJlZWY0N2ZlZGJiZGQ5Mzk4MTcwZmM5YjI5ZDgifQ.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.PrJdiLZNTBIY1-miT_gHSt7z5i3wMn8c4AN4_Sst9q4bTixe5mzW8ppP_kmAqbncak2viUgH7zDDkt-wAPZK1XcNwm0L4kjsm71BEMEMKlQPbGV744u1z3R1Y9_Z7JSHX9cKmw53LvHPrzjiD8MbQqesOrMw6QYDQljvr-0jrQEx_ysjkroO6MARsHTf_tqim3xvgdDWy2_css_xkyj_d9PbKpEZGpdfjWomcxMu-iBxGJHq_dBJ4eV7Cj2uZqQVI44PjmyIXN7BW3ym_m40R2G2Mf8hMeGDHBcXIRMS-FEo4M101yveeniIkzOLosI9k4FfRqVSt9Xd8RYvTQP_HA';

my $payload = decode_jwt(token => $token, kid_keys => $google_certs);
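
Added example (not from this thread and not Crypt::JWT's own code or tests): a self-contained script showing kid-based key selection through decode_jwt's kid_keys in both shapes the thread discusses, an RFC 7517 JWK Set and the Google-style kid => PEM map that karel-m's snippet passes straight through, plus the check that a token carrying an unknown kid is rejected. It generates its own RSA keys so it runs offline; the key ids kid-a and kid-b and the claims are constructed for the example. It assumes the kid_keys handling of the fixed release (which karel-m's snippet relies on) and the documented accepted_alg option.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Crypt::JWT qw(encode_jwt decode_jwt);
use Crypt::PK::RSA;
use JSON::MaybeXS qw(encode_json);

# Two locally generated 2048-bit RSA key pairs stand in for a provider's
# signing keys (constructed for this example; no network access needed).
my @kids = qw(kid-a kid-b);
my %priv = map { ($_ => Crypt::PK::RSA->new->generate_key(256)) } @kids;

# Format 1: an RFC 7517 JWK Set, the structure documented for kid_keys.
my $jwk_set = {
    keys => [ map {
        my $jwk = $priv{$_}->export_key_jwk('public', 1);  # hash ref: kty/n/e
        $jwk->{kid} = $_;                                   # tag it with its kid
        $jwk;
    } @kids ],
};

# Format 2: Google-style map of kid => PEM, the shape returned by
# https://www.googleapis.com/oauth2/v1/certs (assumed accepted by the fixed
# kid_keys handling discussed in this thread).
my $pem_map = { map { ($_ => $priv{$_}->export_key_pem('public')) } @kids };

# Sign with one key and put its kid in the header so the verifier can pick it.
my $token = encode_jwt(
    payload       => { sub => 'alice', iat => time },
    key           => $priv{'kid-b'},
    alg           => 'RS256',
    extra_headers => { kid => 'kid-b' },
);

# All three representations resolve the kid to the same public key.
# accepted_alg pins the algorithm so the header cannot pick a weaker one.
for my $set ($jwk_set, encode_json($jwk_set), $pem_map) {
    my $claims = decode_jwt(token => $token, kid_keys => $set, accepted_alg => 'RS256');
    print "verified sub=$claims->{sub}\n";
}

# Fail closed: a token whose kid is not in the set must not verify, even
# though it is correctly signed by a key we happen to hold.
my $rogue = encode_jwt(
    payload       => { sub => 'mallory' },
    key           => $priv{'kid-a'},
    alg           => 'RS256',
    extra_headers => { kid => 'kid-zzz' },
);
my $ok = eval { decode_jwt(token => $rogue, kid_keys => $jwk_set, accepted_alg => 'RS256'); 1 };
print $ok ? "UNEXPECTED: rogue token accepted\n" : "rejected unknown kid: $@";
```

The last block is the property that makes kid lookup safe to use: the kid is untrusted header data, so it may only select among keys the verifier already trusts, and a miss must be an error rather than a fallback to some default key.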

PavelTrushkin commented 6 years ago

Yes, it works now, thank you!