Closed donatello closed 6 years ago
@donatello your approach is fine. One improvement would be to construct a JWKSet of all the keys and then perform validation once. (This lets you avoid explicitly checking each JWK to find one that verifies the token.)
w.r.t. #62, the main part I'd like to adopt is certToJwk. Feel free to create a PR. Otherwise I'll tackle this soon. I'd like the type to be:

    fromX509Certificate :: X509.Certificate -> Maybe JWK

where the Nothing result absorbs all of the unsupported key types (c.f. your current implementation which has an irrefutable pattern match for an RSA public key). I'd also like the jwkX5c field to be set.
And finally, you should be able to use the existing fromRSA function to do some of the heavy lifting.
Closing this. #62 will take care of JWK construction from X.509 cert. Thanks for your contribution @donatello.
I am trying to verify tokens signed by Google's SecureToken service - https://developers.google.com/identity/toolkit/securetoken
Google is using the RS256 algo, and the public key is one of the keys provided at https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com
So to verify the tokens generated by Google, we need to parse and convert the keys provided at the above URL, and check if any of them successfully verify the token.
To parse each public key, I am using:
To convert the Certificate value to a JWK value:
I got signature verification working with something like this:
Is this the right way to perform the verification?
If you like I could send part of this as a PR as it could help solve part of https://github.com/frasertweedale/hs-jose/issues/62 - but I would need some help as I am not too familiar with lenses.
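The procedure discussed in this issue (parse the PEM certificates served by Google's x509 metadata endpoint, convert each to a JWK, and verify an RS256 token) written out the way the maintainer suggests, as one JWKSet checked in a single verifyClaims call rather than a loop over keys. This is an added example, not code from the issue or from the hs-jose project. It assumes the `fromX509Certificate :: X509.Certificate -> Maybe JWK` signature proposed in the thread, the `jose`, `x509`, `aeson`, `lens` and `containers` packages, a placeholder audience `"my-project-id"`, and that the metadata JSON and the token have been saved to local files so it runs without network access.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example (not hs-jose project code): verify an RS256 token from
-- Google's SecureToken service against the whole certificate set from
-- https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com
-- by building a single JWKSet, as suggested in the thread.
--
-- Assumptions: fromX509Certificate :: X509.Certificate -> Maybe JWK (the
-- signature proposed in the thread); "my-project-id" is a placeholder
-- audience; the JSON body and the token are read from local files.
module Main (main) where

import           Control.Lens               ((^?))
import           Control.Monad.Except       (runExceptT)
import           Crypto.JOSE                (decodeCompact)
import           Crypto.JOSE.JWK            (JWKSet (..), fromX509Certificate)
import           Crypto.JWT                 (ClaimsSet, JWTError,
                                             defaultJWTValidationSettings,
                                             string, verifyClaims)
import qualified Data.Aeson                 as Aeson
import qualified Data.ByteString.Lazy       as L
import qualified Data.ByteString.Lazy.Char8 as LC
import           Data.Char                  (isSpace)
import qualified Data.Map.Strict            as Map
import           Data.Maybe                 (mapMaybe)
import qualified Data.Text                  as T
import qualified Data.Text.Encoding         as T
import qualified Data.X509                  as X509
import           Data.X509.Memory           (readSignedObjectFromMemory)
import           System.Environment         (getArgs)
import           System.Exit                (exitFailure)

-- | The metadata endpoint returns a JSON object mapping key ID to a
-- PEM-encoded X.509 certificate.  Convert every certificate to a JWK,
-- dropping any whose key type fromX509Certificate does not support
-- (the Nothing case), and wrap them all in one JWKSet.
certsToJWKSet :: L.ByteString -> Either String JWKSet
certsToJWKSet body = do
  pems <- Aeson.eitherDecode body :: Either String (Map.Map T.Text T.Text)
  let certs = concatMap (readSignedObjectFromMemory . T.encodeUtf8) (Map.elems pems)
      jwks  = mapMaybe (fromX509Certificate . X509.getCertificate) certs
  if null jwks
    then Left "no certificate with a supported key type in response"
    else Right (JWKSet jwks)

-- | Validate the compact-serialised token once against the whole key set.
-- JWKSet is a VerificationKeyStore, so verifyClaims tries the keys for us;
-- there is no need to loop over JWKs and catch failures by hand.  The
-- audience predicate pins the token to our project (placeholder value), and
-- verifyClaims also rejects tokens outside their exp/nbf window.
verifyGoogleToken :: JWKSet -> L.ByteString -> IO (Either JWTError ClaimsSet)
verifyGoogleToken keys token = runExceptT $ do
  jwt <- decodeCompact token
  let isOurProject aud = aud ^? string == Just "my-project-id"  -- assumed placeholder
      settings = defaultJWTValidationSettings isOurProject
  verifyClaims settings keys jwt

main :: IO ()
main = do
  args <- getArgs
  case args of
    [certsFile, tokenFile] -> do
      body  <- L.readFile certsFile   -- saved copy of the metadata JSON
      token <- L.readFile tokenFile   -- the compact JWT; trailing newline stripped
      case certsToJWKSet body of
        Left err   -> putStrLn ("cannot build key set: " ++ err) >> exitFailure
        Right keys -> do
          result <- verifyGoogleToken keys (LC.takeWhile (not . isSpace) token)
          case result of
            Left err     -> putStrLn ("token rejected: " ++ show err) >> exitFailure
            Right claims -> print claims
    _ -> putStrLn "usage: verify-securetoken CERTS.json TOKEN.jwt" >> exitFailure
```

Two practical notes. First, the key set rotates, so in a real service re-fetch the metadata JSON (honouring its cache headers) and rebuild the JWKSet rather than baking the certificates in; an unknown kid is a signal to refresh, not a reason to accept. Second, later releases of jose export fromX509Certificate in a MonadError context rather than returning Maybe; on those versions wrap it (for example `either (const Nothing) Just . runExcept . fromX509Certificate`) so the mapMaybe above still discards unsupported key types instead of aborting the whole set. Also set the issuerPredicate on the validation settings to the issuer your deployment expects, since the defaults accept any issuer.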