coolaj86/keyfetch.js-ARCHIVED
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: coolaj86:v1.1.6
Branches Tags
coolaj86:master
coolaj86:v1.2.1
coolaj86:v1.2.0
coolaj86:v1.1.10
coolaj86:v1.1.9
coolaj86:v1.1.8
coolaj86:v1.1.6
coolaj86:v1.1.2
..
compare: coolaj86:master
Branches Tags
coolaj86:master
coolaj86:v1.2.1
coolaj86:v1.2.0
coolaj86:v1.1.10
coolaj86:v1.1.9
coolaj86:v1.1.8
coolaj86:v1.1.6
coolaj86:v1.1.2

9 Commits
v1.1.6 ... master

Author SHA1 Message Date
AJ ONeal
aba70bf0ff make Prettier 2020-04-08 16:01:06 -04:00
AJ ONeal
a32b942861 typo fix: ecdsaAsn1SigToJwtSig => ecdsaJoseSigToAsn1Sig 2019-05-06 03:06:49 -06:00
AJ ONeal
e274e5368a v1.2.1: better trusted issuer normalization 2019-03-15 13:59:55 -06:00
AJ ONeal
e6de23532b add a few more tests 2019-03-15 13:53:49 -06:00
AJ ONeal
5060c505b6 v1.2.0: add code to check issuers and claims 2019-03-15 13:45:27 -06:00
AJ ONeal
9b77939455 v1.1.10: update package.json and LICENSE 2019-03-13 17:32:35 -06:00
AJ ONeal
029bc13fe8 v1.1.9: bump deps 2019-03-12 09:43:24 -06:00
AJ ONeal
5fef6a7430 v1.1.8: cleanup and support forced keys for verification 2019-03-09 02:50:14 -07:00
AJ ONeal
448b977963 v1.1.7: bugfix ecdsa signature padding 2019-03-08 19:15:24 -07:00
8 changed files with 724 additions and 367 deletions
Show Stats Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
node_modules

7
.prettierrc Normal file
View File

@ -0,0 +1,7 @@
{
"bracketSpacing": true,
"printWidth": 120,
"tabWidth": 4,
"trailingComma": "none",
"useTabs": false
}

41
LICENSE Normal file
View File

@ -0,0 +1,41 @@
Copyright 2019 AJ ONeal
This is open source software; you can redistribute it and/or modify it under the
terms of either:
a) the "MIT License"
b) the "Apache-2.0 License"
MIT License
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Apache-2.0 License Summary
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

152
README.md
View File

@ -9,17 +9,17 @@ Fetches JSON native JWKs and exposes them as PEMs that can be consumed by the `j
Works great for
* [x] `jsonwebtoken` (Auth0)
* [x] OIDC (OpenID Connect)
* [x] .well-known/jwks.json (Auth0)
* [x] Other JWKs URLs
- [x] `jsonwebtoken` (Auth0)
- [x] OIDC (OpenID Connect)
- [x] .well-known/jwks.json (Auth0)
- [x] Other JWKs URLs
Crypto Support
* [x] JWT verification
* [x] RSA (all variants)
* [x] EC / ECDSA (NIST variants P-256, P-384)
* [ ] esoteric variants (excluded to keep the code featherweight and secure)
- [x] JWT verification
- [x] RSA (all variants)
- [x] EC / ECDSA (NIST variants P-256, P-384)
- [ ] esoteric variants (excluded to keep the code featherweight and secure)
# Install
@ -32,7 +32,7 @@ npm install --save keyfetch
Retrieve a key list of keys:
```js
var keyfetch = require('keyfetch');
var keyfetch = require("keyfetch");
keyfetch.oidcJwks("https://example.com/").then(function (results) {
results.forEach(function (result) {
@ -43,13 +43,22 @@ keyfetch.oidcJwks("https://example.com/").then(function (results) {
});
```
Quick JWT verification:
Quick JWT verification (for authentication):
```js
var keyfetch = require('keyfetch');
var jwt = '...';
var keyfetch = require("keyfetch");
var jwt = "...";
keyfetch.verify({ jwt: jwt }).then(function (decoded) {
keyfetch.jwt.verify(jwt).then(function (decoded) {
console.log(decoded);
});
```
JWT verification (for authorization):
```js
var options = { issuers: ["https://example.com/"], claims: { role: "admin" } };
keyfetch.jwt.verify(jwt, options).then(function (decoded) {
console.log(decoded);
});
```
@ -57,39 +66,37 @@ keyfetch.verify({ jwt: jwt }).then(function (decoded) {
Verify a JWT with `jsonwebtoken`:
```js
var keyfetch = require('keyfetch');
var jwt = require('jsonwebtoken');
var keyfetch = require("keyfetch");
var jwt = require("jsonwebtoken");
var auth = "..."; // some JWT
var token = jwt.decode(auth, { json: true, complete: true })
var token = jwt.decode(auth, { json: true, complete: true });
if (!isTrustedIssuer(token.payload.iss)) {
throw new Error("untrusted issuer");
}
keyfetch.oidcJwk(
token.header.kid
, token.payload.iss
).then(function (result) {
keyfetch.oidcJwk(token.header.kid, token.payload.iss).then(function (result) {
console.log(result.jwk);
console.log(result.thumprint);
console.log(result.pem);
jwt.verify(jwt, pem);
jwt.jwt.verify(jwt, { jwk: result.jwk });
});
```
*Note*: You might implement `isTrustedIssuer` one of these:
_Note_: You might implement `isTrustedIssuer` one of these:
```js
function isTrustedIssuer(iss) {
return -1 !== [ 'https://partner.com/', 'https://auth0.com/'].indexOf(iss);
return -1 !== ["https://partner.com/", "https://auth0.com/"].indexOf(iss);
}
```
```js
function isTrustedIssuer(iss) {
return /^https:/.test(iss) && // must be a secure domain
/(\.|^)example\.com$/.test(iss); // can be example.com or any subdomain
return (
/^https:/.test(iss) && /(\.|^)example\.com$/.test(iss) // must be a secure domain
); // can be example.com or any subdomain
}
```
@ -106,12 +113,12 @@ Retrieves keys from a URL such as `https://example.com/jwks/` with the format `{
and returns the array of keys (as well as thumbprint and jwk-to-pem).
```js
keyfetch.jwks(jwksUrl)
keyfetch.jwks(jwksUrl);
// Promises [ { jwk, thumbprint, pem } ] or fails
```
```js
keyfetch.jwk(id, jwksUrl)
keyfetch.jwk(id, jwksUrl);
// Promises { jwk, thumbprint, pem } or fails
```
@ -121,12 +128,12 @@ If `https://example.com/` is used as `issuerUrl` it will resolve to
`https://example.com/.well-known/jwks.json` and return the keys.
```js
keyfetch.wellKnownJwks(issuerUrl)
keyfetch.wellKnownJwks(issuerUrl);
// Promises [ { jwk, thumbprint, pem } ] or fails
```
```js
keyfetch.wellKnownJwk(id, issuerUrl)
keyfetch.wellKnownJwk(id, issuerUrl);
// Promises { jwk, thumbprint, pem } or fails
```
@ -136,37 +143,106 @@ If `https://example.com/` is used as `issuerUrl` then it will first resolve to
`https://example.com/.well-known/openid-configuration` and then follow `jwks_uri` to return the keys.
```js
keyfetch.oidcJwks(issuerUrl)
keyfetch.oidcJwks(issuerUrl);
// Promises [ { jwk, thumbprint, pem } ] or fails
```
```js
keyfetch.oidcJwk(id, issuerUrl)
keyfetch.oidcJwk(id, issuerUrl);
// Promises { jwk, thumbprint, pem } or fails
```
### Verify JWT
This can accept a _JWT string_ (compact JWS) or a _decoded JWT object_ (JWS).
This can be used purely for verifying pure authentication tokens, as well as authorization tokens.
```js
keyfetch.verify({ jwt: jwk, strategy: 'oidc' })
// Promises a decoded JWT { headers, payload, signature } or fails
keyfetch.jwt.verify(jwt, { strategy: "oidc" }).then(function (verified) {
/*
{ protected: '...' // base64 header
, payload: '...' // base64 payload
, signature: '...' // base64 signature
, header: {...} // decoded header
, claims: {...} // decoded payload
}
*/
});
```
* `strategy` may be `oidc` (default) , `auth0`, or a direct JWKs url.
When used for authorization, it's important to specify which `issuers` are allowed
(otherwise anyone can create a valid token with whatever any claims they want).
If your authorization `claims` can be expressed as exact string matches, you can specify those too.
```js
keyfetch.jwt.verify(jwt, {
strategy: 'oidc'
, issuers: [ 'https://example.com/' ]
, claims: { role: 'admin', sub: 'abc', group: 'xyz' }
}).then(function (verified) {
```
- `strategy` may be `oidc` (default) , `auth0`, or a direct JWKs url.
- `issuers` must be a list of https urls (though http is allowed for things like Docker swarm)
- `claims` is an object with arbitrary keys (i.e. everything except for the standard `iat`, `exp`, `jti`, etc)
- `exp` may be set to `false` if you're validating on your own (i.e. allowing time drift leeway)
- `jwks` can be used to specify a list of allowed public key rather than fetching them (i.e. for offline unit tests)
- `jwk` same as above, but a single key rather than a list
### Decode JWT
```jwt
try {
console.log( keyfetch.jwt.decode(jwt) );
} catch(e) {
console.error(e);
}
```
```js
{ protected: '...' // base64 header
, payload: '...' // base64 payload
, signature: '...' // base64 signature
, header: {...} // decoded header
, claims: {...} // decoded payload
```
It's easier just to show the code than to explain the example.
```js
keyfetch.jwt.decode = function (jwt) {
// Unpack JWS from "compact" form
var parts = jwt.split(".");
var obj = {
protected: parts[0],
payload: parts[1],
signature: parts[2]
};
// Decode JWT properties from JWS as unordered objects
obj.header = JSON.parse(Buffer.from(obj.protected, "base64"));
obj.claims = JSON.parse(Buffer.from(obj.payload, "base64"));
return obj;
};
```
### Cache Settings
```js
keyfetch.init({
// set all keys at least 1 hour (regardless of jwk.exp)
mincache: 1 * 60 * 60
mincache: 1 * 60 * 60,
// expire each key after 3 days (regardless of jwk.exp)
, maxcache: 3 * 24 * 60 * 60
maxcache: 3 * 24 * 60 * 60,
// re-fetch a key up to 15 minutes before it expires (only if used)
, staletime: 15 * 60
})
staletime: 15 * 60
});
```
There is no background task to cleanup expired keys as of yet.

152
keyfetch-test.js
View File

@ -1,24 +1,156 @@
'use strict';
"use strict";
var keyfetch = require('./keyfetch.js');
var testUrl = "https://example.auth0.com";
var keyfetch = require("./keyfetch.js");
var testIss = "https://example.auth0.com";
keyfetch.init({});
keyfetch.oidcJwks().then(function (jwks) {
keyfetch
.oidcJwks(testIss)
.then(function (hits) {
keyfetch._clear();
console.log(jwks);
return keyfetch.oidcJwk(jwks[0].thumbprint, "https://example.auth0.com").then(function () {
return keyfetch.oidcJwk(jwks[0].thumbprint, "https://example.auth0.com").then(function (jwk) {
console.log(jwk);
//console.log(hits);
return keyfetch.oidcJwk(hits[0].thumbprint, testIss).then(function () {
return keyfetch.oidcJwk(hits[0].thumbprint, testIss).then(function (/*jwk*/) {
//console.log(jwk);
});
});
}).catch(function (err) {
})
.then(function () {
console.log("Fetching PASSES");
})
.catch(function (err) {
console.error("NONE SHALL PASS!");
console.error(err);
});
process.exit(1);
});
/*global Promise*/
var keypairs = require("keypairs.js");
keypairs.generate().then(function (pair) {
return Promise.all([
keypairs
.signJwt({
jwk: pair.private,
iss: "https://example.com/",
sub: "mikey",
exp: "1h"
})
.then(function (jwt) {
return Promise.all([
keyfetch.jwt.verify(jwt, { jwk: pair.public }).then(function (verified) {
if (!(verified.claims && verified.claims.exp)) {
throw new Error("malformed decoded token");
}
}),
keyfetch.jwt.verify(keyfetch.jwt.decode(jwt), { jwk: pair.public }).then(function (verified) {
if (!(verified.claims && verified.claims.exp)) {
throw new Error("malformed decoded token");
}
}),
keyfetch.jwt.verify(jwt, { jwks: [pair.public] }),
keyfetch.jwt.verify(jwt, {
jwk: pair.public,
issuers: ["https://example.com/"]
}),
keyfetch.jwt.verify(jwt, {
jwk: pair.public,
issuers: ["https://example.com"]
}),
keyfetch.jwt.verify(jwt, {
jwk: pair.public,
issuers: ["example.com"]
}),
keyfetch.jwt.verify(jwt, {
jwk: pair.public,
issuers: ["example.com/"]
}),
keyfetch.jwt.verify(jwt, {
jwk: pair.public,
issuers: ["*"]
}),
keyfetch.jwt
.verify(jwt, {
jwk: pair.public,
issuers: ["http://example.com"]
})
.then(e("bad scheme"))
.catch(throwIfNotExpected),
keyfetch.jwt
.verify(jwt, {
jwk: pair.public,
issuers: ["https://www.example.com"]
})
.then(e("bad prefix"))
.catch(throwIfNotExpected),
keyfetch.jwt
.verify(jwt, {
jwk: pair.public,
issuers: ["https://wexample.com"]
})
.then(e("bad sld"))
.catch(throwIfNotExpected),
keyfetch.jwt
.verify(jwt, {
jwk: pair.public,
issuers: ["https://example.comm"]
})
.then(e("bad tld"))
.catch(throwIfNotExpected),
keyfetch.jwt.verify(jwt, {
jwk: pair.public,
claims: { iss: "https://example.com/" }
}),
keyfetch.jwt
.verify(jwt, {
jwk: pair.public,
claims: { iss: "https://example.com" }
})
.then(e("inexact claim"))
.catch(throwIfNotExpected)
]);
}),
keypairs
.signJwt({
jwk: pair.private,
iss: false,
sub: "mikey",
exp: "1h"
})
.then(function (jwt) {
return Promise.all([
keyfetch.jwt.verify(jwt, { jwk: pair.public }),
keyfetch.jwt.verify(jwt).then(e("should have an issuer")).catch(throwIfNotExpected),
keyfetch.jwt
.verify(jwt, {
jwk: pair.public,
issuers: ["https://example.com/"]
})
.then(e("fail when issuer specified and doesn't exist"))
.catch(throwIfNotExpected)
]);
})
])
.then(function () {
console.log("JWT PASSES");
})
.catch(function (err) {
console.error("NONE SHALL PASS!");
console.error(err);
process.exit(1);
});
});
/*
var jwt = '...';
keyfetch.verify({ jwt: jwt }).catch(function (err) {
console.log(err);
});
*/
function e(msg) {
return new Error("ETEST: " + msg);
}
function throwIfNotExpected(err) {
if ("ETEST" === err.message.slice(0, 5)) {
throw err;
}
}

333
keyfetch.js
View File

@ -1,11 +1,11 @@
'use strict';
"use strict";
var keyfetch = module.exports;
var promisify = require('util').promisify;
var requestAsync = promisify(require('@coolaj86/urequest'));
var Rasha = require('rasha');
var Eckles = require('eckles');
var promisify = require("util").promisify;
var requestAsync = promisify(require("@coolaj86/urequest"));
var Rasha = require("rasha");
var Eckles = require("eckles");
var mincache = 1 * 60 * 60;
var maxcache = 3 * 24 * 60 * 60;
var staletime = 15 * 60;
@ -14,7 +14,9 @@ var keyCache = {};
/*global Promise*/
function checkMinDefaultMax(opts, key, n, d, x) {
var i = opts[key];
if (!i && 0 !== i) { return d; }
if (!i && 0 !== i) {
return d;
}
if (i >= n && i >= x) {
return parseInt(i, 10);
} else {
@ -26,27 +28,15 @@ keyfetch._clear = function () {
keyCache = {};
};
keyfetch.init = function (opts) {
mincache = checkMinDefaultMax(opts, 'mincache',
1 * 60,
mincache,
31 * 24 * 60 * 60
);
maxcache = checkMinDefaultMax(opts, 'maxcache',
1 * 60 * 60,
maxcache,
31 * 24 * 60 * 60
);
staletime = checkMinDefaultMax(opts, 'staletime',
1 * 60,
staletime,
31 * 24 * 60 * 60
);
mincache = checkMinDefaultMax(opts, "mincache", 1 * 60, mincache, 31 * 24 * 60 * 60);
maxcache = checkMinDefaultMax(opts, "maxcache", 1 * 60 * 60, maxcache, 31 * 24 * 60 * 60);
staletime = checkMinDefaultMax(opts, "staletime", 1 * 60, staletime, 31 * 24 * 60 * 60);
};
keyfetch._oidc = function (iss) {
return Promise.resolve().then(function () {
return requestAsync({
url: normalizeIss(iss) + '/.well-known/openid-configuration'
, json: true
url: normalizeIss(iss) + "/.well-known/openid-configuration",
json: true
}).then(function (resp) {
var oidcConf = resp.body;
if (!oidcConf.jwks_uri) {
@ -58,33 +48,37 @@ keyfetch._oidc = function (iss) {
};
keyfetch._wellKnownJwks = function (iss) {
return Promise.resolve().then(function () {
return keyfetch._jwks(normalizeIss(iss) + '/.well-known/jwks.json');
return keyfetch._jwks(normalizeIss(iss) + "/.well-known/jwks.json");
});
};
keyfetch._jwks = function (iss) {
return requestAsync({ url: iss, json: true }).then(function (resp) {
return Promise.all(resp.body.keys.map(function (jwk) {
return Promise.all(
resp.body.keys.map(function (jwk) {
// EC keys have an x values, whereas RSA keys do not
var Keypairs = jwk.x ? Eckles : Rasha;
return Keypairs.thumbprint({ jwk: jwk }).then(function (thumbprint) {
return Keypairs.export({ jwk: jwk }).then(function (pem) {
var cacheable = {
jwk: jwk
, thumbprint: thumbprint
, pem: pem
jwk: jwk,
thumbprint: thumbprint,
pem: pem
};
return cacheable;
});
});
}));
})
);
});
};
keyfetch.jwks = function (jwkUrl) {
// TODO DRY up a bit
return keyfetch._jwks(jwkUrl).then(function (results) {
return Promise.all(results.map(function (result) {
return Promise.all(
results.map(function (result) {
return keyfetch._setCache(result.jwk.iss || jwkUrl, result);
})).then(function () {
})
).then(function () {
// cacheable -> hit (keep original externally immutable)
return JSON.parse(JSON.stringify(results));
});
@ -93,9 +87,11 @@ keyfetch.jwks = function (jwkUrl) {
keyfetch.wellKnownJwks = function (iss) {
// TODO DRY up a bit
return keyfetch._wellKnownJwks(iss).then(function (results) {
return Promise.all(results.map(function (result) {
return Promise.all(
results.map(function (result) {
return keyfetch._setCache(result.jwk.iss || iss, result);
})).then(function () {
})
).then(function () {
// result -> hit (keep original externally immutable)
return JSON.parse(JSON.stringify(results));
});
@ -105,9 +101,11 @@ keyfetch.oidcJwks = function (iss) {
return keyfetch._oidc(iss).then(function (oidcConf) {
// TODO DRY up a bit
return keyfetch._jwks(oidcConf.jwks_uri).then(function (results) {
return Promise.all(results.map(function (result) {
return Promise.all(
results.map(function (result) {
return keyfetch._setCache(result.jwk.iss || iss, result);
})).then(function () {
})
).then(function () {
// result -> hit (keep original externally immutable)
return JSON.parse(JSON.stringify(results));
});
@ -129,19 +127,25 @@ function checkId(id) {
}
keyfetch.oidcJwk = function (id, iss) {
return keyfetch._checkCache(id, iss).then(function (hit) {
if (hit) { return hit; }
if (hit) {
return hit;
}
return keyfetch.oidcJwks(iss).then(checkId(id));
});
};
keyfetch.wellKnownJwk = function (id, iss) {
return keyfetch._checkCache(id, iss).then(function (hit) {
if (hit) { return hit; }
if (hit) {
return hit;
}
return keyfetch.wellKnownJwks(iss).then(checkId(id));
});
};
keyfetch.jwk = function (id, jwksUrl) {
return keyfetch._checkCache(id, jwksUrl).then(function (hit) {
if (hit) { return hit; }
if (hit) {
return hit;
}
return keyfetch.jwks(jwksUrl).then(checkId(id));
});
};
@ -151,7 +155,7 @@ keyfetch._checkCache = function (id, iss) {
// so it's safe to check without appending the issuer
var hit = keyCache[id];
if (!hit) {
hit = keyCache[id + '@' + normalizeIss(iss)];
hit = keyCache[id + "@" + normalizeIss(iss)];
}
if (!hit) {
return null;
@ -189,7 +193,7 @@ keyfetch._setCache = function (iss, cacheable) {
cacheable.createdAt = now;
cacheable.expiresAt = expiresAt;
keyCache[cacheable.thumbprint] = cacheable;
keyCache[cacheable.jwk.kid + '@' + normalizeIss(iss)] = cacheable;
keyCache[cacheable.jwk.kid + "@" + normalizeIss(iss)] = cacheable;
};
function normalizeIss(iss) {
@ -198,54 +202,91 @@ function normalizeIss(iss) {
// We also don't want to allow insecure issuers
if (/^http:/.test(iss) && !process.env.KEYFETCH_ALLOW_INSECURE_HTTP) {
// note, we wrap some things in promises just so we can throw here
throw new Error("'" + iss + "' is NOT secure. Set env 'KEYFETCH_ALLOW_INSECURE_HTTP=true' to allow for testing.");
throw new Error(
"'" + iss + "' is NOT secure. Set env 'KEYFETCH_ALLOW_INSECURE_HTTP=true' to allow for testing."
);
}
return iss.replace(/\/$/, '');
return iss.replace(/\/$/, "");
}
keyfetch._decode = function (jwt) {
var parts = jwt.split('.');
return {
header: JSON.parse(Buffer.from(parts[0], 'base64'))
, payload: JSON.parse(Buffer.from(parts[1], 'base64'))
, signature: parts[2] //Buffer.from(parts[2], 'base64')
keyfetch.jwt = {};
keyfetch.jwt.decode = function (jwt) {
var parts = jwt.split(".");
// JWS
var obj = {
protected: parts[0],
payload: parts[1],
signature: parts[2]
};
// JWT
obj.header = JSON.parse(Buffer.from(obj.protected, "base64"));
obj.claims = JSON.parse(Buffer.from(obj.payload, "base64"));
return obj;
};
keyfetch.verify = function (opts) {
var jwt = opts.jwt;
keyfetch.jwt.verify = function (jwt, opts) {
if (!opts) {
opts = {};
}
return Promise.resolve().then(function () {
var decoded;
var exp;
var nbf;
var valid;
var active;
var issuers = opts.issuers || ["*"];
var claims = opts.claims || {};
if (!jwt || "string" === typeof jwt) {
try {
decoded = keyfetch._decode(jwt);
exp = decoded.payload.exp;
nbf = decoded.payload.nbf;
decoded = keyfetch.jwt.decode(jwt);
} catch (e) {
throw new Error("could not parse opts.jwt: '" + jwt + "'");
throw new Error("could not parse jwt: '" + jwt + "'");
}
if (exp) {
valid = (parseInt(exp, 10) - (Date.now()/1000) > 0);
if (!valid) {
} else {
decoded = jwt;
}
exp = decoded.claims.exp;
nbf = decoded.claims.nbf;
if (!issuers.some(isTrustedIssuer(decoded.claims.iss))) {
throw new Error("token was issued by an untrusted issuer: '" + decoded.claims.iss + "'");
}
// TODO verify claims also?
if (
!Object.keys(claims).every(function (key) {
if (claims[key] === decoded.claims[key]) {
return true;
}
})
) {
throw new Error("token did not match on one or more authorization claims: '" + Object.keys(claims) + "'");
}
active = (opts.exp || 0) + parseInt(exp, 10) - Date.now() / 1000 > 0;
if (!active) {
// expiration was on the token or, if not, such a token is not allowed
if (exp || false !== opts.exp) {
throw new Error("token's 'exp' has passed or could not parsed: '" + exp + "'");
}
}
if (nbf) {
valid = (parseInt(nbf, 10) - (Date.now()/1000) <= 0);
if (!valid) {
active = parseInt(nbf, 10) - Date.now() / 1000 <= 0;
if (!active) {
throw new Error("token's 'nbf' has not been reached or could not parsed: '" + nbf + "'");
}
}
if (opts.jwks || opts.jwk) {
return overrideLookup(opts.jwks || [opts.jwk]);
}
var kid = decoded.header.kid;
var iss;
var fetcher;
var fetchOne;
if (!opts.strategy || 'oidc' === opts.strategy) {
iss = decoded.payload.iss;
if (!opts.strategy || "oidc" === opts.strategy) {
iss = decoded.claims.iss;
fetcher = keyfetch.oidcJwks;
fetchOne = keyfetch.oidcJwk;
} else if ('auth0' === opts.strategy || 'well-known' === opts.strategy) {
iss = decoded.payload.iss;
} else if ("auth0" === opts.strategy || "well-known" === opts.strategy) {
iss = decoded.claims.iss;
fetcher = keyfetch.wellKnownJwks;
fetchOne = keyfetch.wellKnownJwk;
} else {
@ -254,77 +295,133 @@ keyfetch.verify = function (opts) {
fetchOne = keyfetch.jwk;
}
function verify(jwk, payload) {
var alg = 'SHA' + decoded.header.alg.replace(/[^\d]+/i, '');
var sig = convertIfEcdsa(decoded.header, decoded.signature);
return require('crypto')
.createVerify(alg)
.update(jwt.split('.')[0] + '.' + payload)
.verify(jwk.pem, sig, 'base64');
var p;
if (kid) {
p = fetchOne(kid, iss).then(verifyOne); //.catch(fetchAny);
} else {
p = fetcher(iss).then(verifyAny);
}
return p;
function verifyOne(hit) {
if (true === keyfetch.jws.verify(decoded, hit)) {
return decoded;
}
throw new Error("token signature verification was unsuccessful");
}
function convertIfEcdsa(header, b64sig) {
function verifyAny(hits) {
if (
hits.some(function (hit) {
if (kid) {
if (kid !== hit.jwk.kid && kid !== hit.thumbprint) {
return;
}
if (true === keyfetch.jws.verify(decoded, hit)) {
return true;
}
throw new Error("token signature verification was unsuccessful");
} else {
if (true === keyfetch.jws.verify(decoded, hit)) {
return true;
}
}
})
) {
return decoded;
}
throw new Error("Retrieved a list of keys, but none of them matched the 'kid' (key id) of the token.");
}
function overrideLookup(jwks) {
return Promise.all(
jwks.map(function (jwk) {
var Keypairs = jwk.x ? Eckles : Rasha;
return Keypairs.export({ jwk: jwk }).then(function (pem) {
return Keypairs.thumbprint({ jwk: jwk }).then(function (thumb) {
return { jwk: jwk, pem: pem, thumbprint: thumb };
});
});
})
).then(verifyAny);
}
});
};
keyfetch.jws = {};
keyfetch.jws.verify = function (jws, pub) {
var alg = "SHA" + jws.header.alg.replace(/[^\d]+/i, "");
var sig = ecdsaJoseSigToAsn1Sig(jws.header, jws.signature);
return require("crypto")
.createVerify(alg)
.update(jws.protected + "." + jws.payload)
.verify(pub.pem, sig, "base64");
};
// old, gotta make sure nothing else uses this
keyfetch._decode = function (jwt) {
var obj = keyfetch.jwt.decode(jwt);
return { header: obj.header, payload: obj.claims, signature: obj.signature };
};
keyfetch.verify = function (opts) {
var jwt = opts.jwt;
return keyfetch.jwt.verify(jwt, opts).then(function (obj) {
return { header: obj.header, payload: obj.claims, signature: obj.signature };
});
};
function ecdsaJoseSigToAsn1Sig(header, b64sig) {
// ECDSA JWT signatures differ from "normal" ECDSA signatures
// https://tools.ietf.org/html/rfc7518#section-3.4
if (!/^ES/i.test(header.alg)) { return b64sig; }
if (!/^ES/i.test(header.alg)) {
return b64sig;
}
var bufsig = Buffer.from(b64sig, 'base64');
var bufsig = Buffer.from(b64sig, "base64");
var hlen = bufsig.byteLength / 2; // should be even
var r = bufsig.slice(0, hlen);
var s = bufsig.slice(hlen);
// pad ambiguously non-negative BigInts
if (0x80 & r[0]) { r = Buffer.concat([Buffer.from([0]), r]); }
if (0x80 & s[0]) { s = Buffer.concat([Buffer.from([0]), s]); }
// unpad positive ints less than 32 bytes wide
while (!r[0]) {
r = r.slice(1);
}
while (!s[0]) {
s = s.slice(1);
}
// pad (or re-pad) ambiguously non-negative BigInts to 33 bytes wide
if (0x80 & r[0]) {
r = Buffer.concat([Buffer.from([0]), r]);
}
if (0x80 & s[0]) {
s = Buffer.concat([Buffer.from([0]), s]);
}
var len = 2 + r.byteLength + 2 + s.byteLength;
var head = [0x30];
// hard code 0x80 + 1 because it won't be longer than
// two SHA512 plus two pad bytes (130 bytes <= 256)
if (len >= 0x80) { head.push(0x81); }
if (len >= 0x80) {
head.push(0x81);
}
head.push(len);
var buf = Buffer.concat([
Buffer.from(head)
, Buffer.from([0x02, r.byteLength]), r
, Buffer.from([0x02, r.byteLength]), s
Buffer.from(head),
Buffer.from([0x02, r.byteLength]),
r,
Buffer.from([0x02, s.byteLength]),
s
]);
return buf.toString('base64')
.replace(/-/g, '+')
.replace(/_/g, '/')
.replace(/=/g, '')
;
}
return buf.toString("base64").replace(/-/g, "+").replace(/_/g, "/").replace(/=/g, "");
}
var payload = jwt.split('.')[1]; // as string, as it was signed
if (kid) {
return fetchOne(kid, iss).then(verifyOne); //.catch(fetchAny);
} else {
return fetchAny();
function isTrustedIssuer(issuer) {
return function (trusted) {
if ("*" === trusted) {
return true;
}
function verifyOne(jwk) {
if (verify(jwk, payload)) {
return decoded;
}
throw new Error('token signature verification was unsuccessful');
}
function fetchAny() {
return fetcher(iss).then(function (jwks) {
if (jwks.some(function (jwk) {
if (kid) {
if (kid !== jwk.kid && kid !== jwk.thumbprint) { return; }
if (verify(jwk, payload)) { return true; }
throw new Error('token signature verification was unsuccessful');
} else {
if (verify(jwk, payload)) { return true; }
}
})) {
return decoded;
}
throw new Error("Retrieved a list of keys, but none of them matched the 'kid' (key id) of the token.");
});
}
});
};
// TODO account for '*.example.com'
trusted = /^http(s?):\/\//.test(trusted) ? trusted : "https://" + trusted;
return issuer.replace(/\/$/, "") === trusted.replace(/\/$/, "") && trusted;
};
}

20
package-lock.json generated
View File

@ -1,23 +1,23 @@
{
"name": "keyfetch",
"version": "1.1.0",
"version": "1.1.8",
"lockfileVersion": 1,
"requires": true,
"dependencies": {
"@coolaj86/urequest": {
"version": "1.3.6",
"resolved": "https://registry.npmjs.org/@coolaj86/urequest/-/urequest-1.3.6.tgz",
"integrity": "sha512-9rBXLFSb5D19opGeXdD/WuiFJsA4Pk2r8VUGEAeUZUxB1a2zB47K85BKAx3Gy9i4nZwg22ejlJA+q9DVrpQlbA=="
"version": "1.3.7",
"resolved": "https://registry.npmjs.org/@coolaj86/urequest/-/urequest-1.3.7.tgz",
"integrity": "sha512-PPrVYra9aWvZjSCKl/x1pJ9ZpXda1652oJrPBYy5rQumJJMkmTBN3ux+sK2xAUwVvv2wnewDlaQaHLxLwSHnIA=="
},
"eckles": {
"version": "1.4.0",
"resolved": "https://registry.npmjs.org/eckles/-/eckles-1.4.0.tgz",
"integrity": "sha512-Bm5dpwhsBuoCHvKCY3gAvP8XFyXH7im8uAu3szykpVNbFBdC+lOuV8vLC8fvTYRZBfFqB+k/P6ud/ZPVO2V2tA=="
"version": "1.4.1",
"resolved": "https://registry.npmjs.org/eckles/-/eckles-1.4.1.tgz",
"integrity": "sha512-auWyk/k8oSkVHaD4RxkPadKsLUcIwKgr/h8F7UZEueFDBO7BsE4y+H6IMUDbfqKIFPg/9MxV6KcBdJCmVVcxSA=="
},
"rasha": {
"version": "1.2.1",
"resolved": "https://registry.npmjs.org/rasha/-/rasha-1.2.1.tgz",
"integrity": "sha512-cs4Hu/rVF3/Qucq+V7lxSz449VfHNMVXJaeajAHno9H5FC1PWlmS4NM6IAX5jPKFF0IC2rOdHdf7iNxQuIWZag=="
"version": "1.2.4",
"resolved": "https://registry.npmjs.org/rasha/-/rasha-1.2.4.tgz",
"integrity": "sha512-GsIwKv+hYSumJyK9wkTDaERLwvWaGYh1WuI7JMTBISfYt13TkKFU/HFzlY4n72p8VfXZRUYm0AqaYhkZVxOC3Q=="
}
}
}

39
package.json
View File

@ -1,16 +1,23 @@
{ "author": {
"name": "AJ ONeal",
"email": "solderjs@gmail.com"
},
"bundleDependencies": false,
"dependencies": {
"@coolaj86/urequest": "^1.3.6",
"eckles": "^1.4.0",
"rasha": "^1.2.1"
},
"deprecated": false,
{
"name": "keyfetch",
"version": "1.2.1",
"description": "Lightweight support for fetching JWKs.",
"homepage": "https://git.coolaj86.com/coolaj86/keyfetch.js",
"main": "keyfetch.js",
"files": [],
"dependencies": {
"@coolaj86/urequest": "^1.3.7",
"eckles": "^1.4.1",
"rasha": "^1.2.4"
},
"devDependencies": {},
"scripts": {
"test": "node keyfetch-test.js"
},
"repository": {
"type": "git",
"url": "https://git.coolaj86.com/coolaj86/keyfetch.js.git"
},
"keywords": [
"jwks",
"jwk",
@ -23,11 +30,7 @@
"OIDC",
"well-known"
],
"license": "MPL-2.0",
"main": "keyfetch.js",
"name": "keyfetch",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"version": "1.1.6"
"author": "AJ ONeal <solderjs@gmail.com> (https://coolaj86.com/)",
"license": "MPL-2.0"
}