diff --git a/provider/github-app-token/github/jwk/jwk.go b/provider/github-app-token/github/jwk/jwk.go
index 07249ba5..a31b70a3 100644
--- a/provider/github-app-token/github/jwk/jwk.go
+++ b/provider/github-app-token/github/jwk/jwk.go
@@ -125,7 +125,7 @@ func (key *commonKey) PublicKey() interface{} {
 func (key *commonKey) decode() error {
 // decode the certificates
- certs := make([]*x509.Certificate, len(key.X5c))
+ certs := make([]*x509.Certificate, 0, len(key.X5c))
 for _, der := range key.X5c {
 cert, err := x509.ParseCertificate(der)
 if err != nil {
diff --git a/provider/github-app-token/github/jwk/jwk_test.go b/provider/github-app-token/github/jwk/jwk_test.go
index a995f6d7..4dcbb6fd 100644
--- a/provider/github-app-token/github/jwk/jwk_test.go
+++ b/provider/github-app-token/github/jwk/jwk_test.go
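Review bot: With the allocation fixed, decode() still, as far as the hunk shows, only parses each x5c entry and never binds the chain to the key: RFC 7517 §4.7 requires the public key in the first certificate to match the key described by the JWK's other members, and a mismatch should make decode fail rather than leave every caller to cross-check. The new TestKeyAppendixB asserts exactly this equality in test code, which suggests the check belongs here. After the parsing loop something like `if len(certs) > 0 { if pub, ok := certs[0].PublicKey.(interface{ Equal(crypto.PublicKey) bool }); !ok || !pub.Equal(key.PublicKey()) { return errors.New("jwk: x5c certificate does not match the key") } }` would do, assuming key.PublicKey() is already usable at that point; decode()'s body continues outside the hunk, so such a check may exist further down.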
@@ -207,3 +207,59 @@ func TestKeyAppendixA(t *testing.T) {
 }
 })
 }
+
+func TestKeyAppendixB(t *testing.T) {
+ // RFC7517 Appendix B. Example Use of "x5c" (X.509 Certificate Chain) Parameter
+ rawKey := ` {"kty":"RSA",` +
+ `"use":"sig",` +
+ `"kid":"1b94c",` +
+ `"n":"vrjOfz9Ccdgx5nQudyhdoR17V-IubWMeOZCwX_jj0hgAsz2J_pqYW08` +
+ `PLbK_PdiVGKPrqzmDIsLI7sA25VEnHU1uCLNwBuUiCO11_-7dYbsr4iJmG0Q` +
+ `u2j8DsVyT1azpJC_NG84Ty5KKthuCaPod7iI7w0LK9orSMhBEwwZDCxTWq4a` +
+ `YWAchc8t-emd9qOvWtVMDC2BXksRngh6X5bUYLy6AyHKvj-nUy1wgzjYQDwH` +
+ `MTplCoLtU-o-8SNnZ1tmRoGE9uJkBLdh5gFENabWnU5m1ZqZPdwS-qo-meMv` +
+ `VfJb6jJVWRpl2SUtCnYG2C32qvbWbjZ_jBPD5eunqsIo1vQ",` +
+ `"e":"AQAB",` +
+ `"x5c":` +
+ `["MIIDQjCCAiqgAwIBAgIGATz/FuLiMA0GCSqGSIb3DQEBBQUAMGIxCzAJB` +
+ `gNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYD` +
+ `VQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1` +
+ `wYmVsbDAeFw0xMzAyMjEyMzI5MTVaFw0xODA4MTQyMjI5MTVaMGIxCzAJBg` +
+ `NVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDV` +
+ `QQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1w` +
+ `YmVsbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL64zn8/QnH` +
+ `YMeZ0LncoXaEde1fiLm1jHjmQsF/449IYALM9if6amFtPDy2yvz3YlRij66` +
+ `s5gyLCyO7ANuVRJx1NbgizcAblIgjtdf/u3WG7K+IiZhtELto/A7Fck9Ws6` +
+ `SQvzRvOE8uSirYbgmj6He4iO8NCyvaK0jIQRMMGQwsU1quGmFgHIXPLfnpn` +
+ `fajr1rVTAwtgV5LEZ4Iel+W1GC8ugMhyr4/p1MtcIM42EA8BzE6ZQqC7VPq` +
+ `PvEjZ2dbZkaBhPbiZAS3YeYBRDWm1p1OZtWamT3cEvqqPpnjL1XyW+oyVVk` +
+ `aZdklLQp2Btgt9qr21m42f4wTw+Xrp6rCKNb0CAwEAATANBgkqhkiG9w0BA` +
+ `QUFAAOCAQEAh8zGlfSlcI0o3rYDPBB07aXNswb4ECNIKG0CETTUxmXl9KUL` +
+ `+9gGlqCz5iWLOgWsnrcKcY0vXPG9J1r9AqBNTqNgHq2G03X09266X5CpOe1` +
+ `zFo+Owb1zxtp3PehFdfQJ610CDLEaS9V9Rqp17hCyybEpOGVwe8fnk+fbEL` +
+ `2Bo3UPGrpsHzUoaGpDftmWssZkhpBJKVMJyf/RuP2SmmaIzmnw9JiSlYhzo` +
+ `4tpzd5rFXhjRbg4zW9C+2qok+2+qDM1iJ684gPHMIY8aLWrdgQTxkumGmTq` +
+ `gawR+N5MDtdPTEQ0XfIBc2cJEUyMTY5MPvACWpkA6SdS4xSvdXK3IVfOWA=="]` +
+ `}`
+ key, err := ParseKey([]byte(rawKey))
+ if err != nil {
+ t.Fatal(err)
+ }
+ if key.KeyType() != "RSA" {
+ t.Errorf("unexpected key type: want %s, got %s", "RSA", key.KeyType())
+ }
+ if len(key.X509CertificateChain()) != 1 {
+ t.Errorf("unexpected certificate chain length: want 1, got %d", len(key.X509CertificateChain()))
+ }
+
+ keyPublicKey := key.PublicKey().(*rsa.PublicKey)
+ cert := key.X509CertificateChain()[0]
+ certPublicKey := cert.PublicKey.(*rsa.PublicKey)
+ if !keyPublicKey.Equal(certPublicKey) {
+ t.Error("public keys are missmatch")
+ }
+ issuer := "CN=Brian Campbell,O=Ping Identity Corp.,L=Denver,ST=CO,C=US"
+ if cert.Issuer.String() != issuer {
+ t.Errorf("unexpected issuer: want %q, got %q", issuer, cert.Issuer.String())
+ }
+}
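Review bot: The chain-length check reports with t.Errorf and the test then goes on to index `key.X509CertificateChain()[0]` and to assert `key.PublicKey().(*rsa.PublicKey)` and `cert.PublicKey.(*rsa.PublicKey)` without the `, ok` form, so a wrong chain length or key type panics the test binary instead of producing the intended failure message. Make the length check fatal, `if got := len(key.X509CertificateChain()); got != 1 { t.Fatalf("unexpected certificate chain length: want 1, got %d", got) }`, and guard each assertion, e.g. `certPublicKey, ok := cert.PublicKey.(*rsa.PublicKey)` followed by `if !ok { t.Fatalf("unexpected certificate key type %T", cert.PublicKey) }`. The message in `t.Error("public keys are missmatch")` should read `"public keys mismatch"`.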