From 87c1c7e1794567b04635185997b3ec92bea60c31 Mon Sep 17 00:00:00 2001
From: d036670
Date: Fri, 26 Apr 2024 09:15:22 +0200
Subject: [PATCH] Repair and simplify private key JWT generation

Still only for RSA, however it is for testing and operations
---
 cmd/openid-client.go | 4 ++--
 go.mod | 3 ++-
 go.sum | 3 +++
 pkg/client/client.go | 9 +++------
 4 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/cmd/openid-client.go b/cmd/openid-client.go
index 6ed6f8d..2fa8a7e 100644
--- a/cmd/openid-client.go
+++ b/cmd/openid-client.go
@@ -13,8 +13,8 @@ import (
 	oidc "github.com/coreos/go-oidc"
 	"github.com/strehle/cmdline-openid-client/pkg/client"
-	"golang.org/x/crypto/pkcs12"
 	"golang.org/x/net/context"
+	"software.sslmate.com/src/go-pkcs12"
 )
 
 func main() {
@@ -114,7 +114,7 @@ func main() {
 	if err != nil {
 		log.Fatal(err)
 	}
-	privateKeyJwt, err = client.CreatePrivateKeyJwt(*clientID, *cert0, claims.TokenEndPoint, pemData)
+	privateKeyJwt, err = client.CreatePrivateKeyJwt(*clientID, *cert0, claims.TokenEndPoint, cert.PrivateKey)
 	if err != nil {
 		log.Fatal(err)
 	}
diff --git a/go.mod b/go.mod
index 2e4451f..63687cf 100644
--- a/go.mod
+++ b/go.mod
@@ -7,12 +7,13 @@ require (
 	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/google/uuid v1.6.0
-	golang.org/x/crypto v0.22.0
 	golang.org/x/net v0.24.0
 	golang.org/x/oauth2 v0.19.0
 )
 
 require (
 	github.com/pquerna/cachecontrol v0.1.0 // indirect
+	golang.org/x/crypto v0.22.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
+	software.sslmate.com/src/go-pkcs12 v0.4.0
 )
diff --git a/go.sum b/go.sum
index a1e406e..f8ff495 100644
--- a/go.sum
+++ b/go.sum
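Review bot: Passing `cert.PrivateKey` in the `@@ -114` hunk drops the RSA guarantee the old path had: `jwt.ParseRSAPrivateKeyFromPEM` either yielded an `*rsa.PrivateKey` or failed before signing, whereas `crypto.PrivateKey` is an `any` alias, so an ECDSA/Ed25519 or nil key from the PKCS#12 file is now rejected only when `SignedString` runs under the hard-coded `jwt.SigningMethodRS256` with a generic key-type error (the `pkg/client/client.go` hunks at `-303` and `-323` have the same gap; this note covers all three). Since the commit deliberately stays RSA-only, fail fast where the key arrives, at the top of `CreatePrivateKeyJwt`: `if _, ok := privateKey.(*rsa.PrivateKey); !ok {` / `return "", fmt.Errorf("create: RS256 requires an *rsa.PrivateKey, got %T", privateKey)` / `}` (this needs `crypto/rsa` added to client.go's import block). `main` continues outside the hunk, so whether `cert` is already checked for a missing key before this call cannot be seen here.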
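Review bot: In the go.mod hunk, `software.sslmate.com/src/go-pkcs12 v0.4.0` is a direct dependency (it is imported in `cmd/openid-client.go` in this same patch) but is added to the second `require` block, whose other entries are all `// indirect`; `go mod tidy` would move it into the first block next to the other direct modules, so running tidy before merging keeps the manifest in canonical layout. The swap itself looks sound: `golang.org/x/crypto/pkcs12` is frozen and its package documentation names this module as the alternative, and the go.sum hunk pins both the module and its go.mod hash. Demoting `golang.org/x/crypto v0.22.0` to `// indirect` is consistent with the import removal, as far as this diff shows.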
@@ -8,6 +8,7 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
 github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -30,3 +31,5 @@ gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=
+software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
diff --git a/pkg/client/client.go b/pkg/client/client.go
index c502b9f..637f308 100644
--- a/pkg/client/client.go
+++ b/pkg/client/client.go
@@ -2,6 +2,7 @@ package client
 
 import (
 	"context"
+	"crypto"
 	"crypto/sha1"
 	"crypto/tls"
 	"crypto/x509"
@@ -303,11 +304,7 @@ func HandleRefreshFlow(clientID string, clientSecret string, existingRefresh str
 	return refreshToken
 }
 
-func CreatePrivateKeyJwt(clientID string, x509Cert x509.Certificate, tokenEndpoint string, pemData []byte) (string, error) {
-	key, err := jwt.ParseRSAPrivateKeyFromPEM(pemData)
-	if err != nil {
-		return "", fmt.Errorf("create: parse key: %w", err)
-	}
+func CreatePrivateKeyJwt(clientID string, x509Cert x509.Certificate, tokenEndpoint string, privateKey crypto.PrivateKey) (string, error) {
 	certSum := sha1.Sum(x509Cert.Raw)
 	sha1Sum := base64.RawURLEncoding.EncodeToString(certSum[:])
 	now := time.Now().UTC()
@@ -323,7 +320,7 @@ func CreatePrivateKeyJwt(clientID string, x509Cert x509.Certificate, tokenEndpoi
 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims) // .SignedString(key)
 	token.Header["kid"] = sha1Sum
 	token.Header["x5t"] = sha1Sum
-	tokenString, err := token.SignedString(key)
+	tokenString, err := token.SignedString(privateKey)
 	if err != nil {
 		return "", fmt.Errorf("create: sign token: %w", err)
 	}
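Review bot: In the `@@ -323` hunk the trailing comment `// .SignedString(key)` on the `token := jwt.NewWithClaims(...)` context line now names a variable this commit removed, and the call it describes is the `token.SignedString(privateKey)` line three lines below; drop it, `token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)`. The exported `CreatePrivateKeyJwt` (signature changed in the `@@ -303` hunk) also has no doc comment; now that the parameter is an untyped `crypto.PrivateKey`, the RSA-only contract should be written down, e.g. `// CreatePrivateKeyJwt creates an RS256-signed private_key_jwt client assertion for clientID; privateKey must be an *rsa.PrivateKey, and the JWT header's kid and x5t carry the base64url SHA-1 thumbprint of x509Cert.` The claims construction between the two hunks is not visible here, so the comment should be checked against it. The function body continues outside both hunks.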