SkyLothar / lua-resty-jwt

JWT For The Great Openresty
Apache License 2.0

Pem from JWKS #66

Closed venkatmarepalli closed 7 years ago

venkatmarepalli commented 7 years ago

Can you add this piece of code to this library? It gets a PEM key from a JWT token using n and e. It also supports PEM generation using x5c.

Refer: https://github.com/pingidentity/lua-resty-openidc/issues/71

Code: https://github.com/pingidentity/lua-resty-openidc/pull/82/files

taylorking commented 7 years ago

:+1: :+1: :+1: They had me time crunched at work so I ended up making this to call straight into cjose and perform proper jws / jwk validation

taylorking commented 7 years ago

One alternate avenue is using something like this in AWS Lambda to transform the key so I could use it with this library:

var jwkToPem = require('jwk-to-pem');
var request = require('request');
var Promise = require('bluebird');
var openssl = require('openssl-wrapper');
const opensslAsync = Promise.promisify(openssl.exec);
const fs = require('fs');
// KEYURL must be set to the issuer's JWK endpoint; it is not defined in this snippet.
exports.main = (params) => {
  const url = KEYURL;
  return new Promise((resolve, reject) => {
    request.get(url, (err, res, body) => {
      // Check the request error before touching body: on failure body is
      // undefined and JSON.parse would throw before reject() is reached.
      if (err)
        return reject(err);
      var key = JSON.parse(body);
      key.use = 'sig';
      // Lambda's deployment directory is read-only; only /tmp is writable.
      fs.writeFileSync('/tmp/key.pem', jwkToPem(key));
      return opensslAsync('rsa', {inform: 'pem', in: '/tmp/key.pem', pubout: true, RSAPublicKey_in: true})
      .then((data) => {
        resolve({msg: data.toString()});
      })
      .catch((err) => {
        reject({err: err});
      })
    })
  })
}

Recognize how difficult it may be to do a full implementation of JOSE in Lua. Without LuaJIT FFI and cjose this wouldn't have been deliverable.

venkatmarepalli commented 7 years ago

Many thanks. I will look into it. Which library are you using for jwkToPem(key)? Can you point me to this function's source?

taylorking commented 7 years ago

You can just use my lua-resty-cjose. cisco/cjose can handle keys in plain JWK format as long as they are converted to a C string (which my library does). That way you can do it inside of OpenResty. If you look at how I built it into our apigateway here, I use Lua code to call into the library after grabbing the JWK and do all the proper validation / introspection. You do need libcjose on the LD_LIBRARY_PATH though.

venkatmarepalli commented 7 years ago

This has been included in https://github.com/pingidentity/lua-resty-openidc