sanity check of the certificate
shogo82148 committed Sep 23, 2021
1 parent 33506b3 commit fa331fd
Showing 2 changed files with 54 additions and 0 deletions.
27 changes: 27 additions & 0 deletions provider/github-app-token/github/jwk/ecdsa.go
Expand Up @@ -5,6 +5,7 @@ import (
"crypto/elliptic"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"math/big"
)
Expand Down Expand Up @@ -47,6 +48,19 @@ func parseEcdsaPrivateKey(data []byte) (Key, error) {
if err := key.decode(); err != nil {
return nil, err
}

// sanity check of the certificate
if certs := key.X509CertificateChain(); len(certs) > 0 {
cert := certs[0]
publicKey, ok := cert.PublicKey.(*ecdsa.PublicKey)
if !ok {
return nil, errors.New("jwk: public key types are mismatch")
}
if !key.privateKey.PublicKey.Equal(publicKey) {
return nil, errors.New("jwk: public keys are mismatch")
}
}

return &key, nil
}

Expand Down Expand Up @@ -117,6 +131,19 @@ func parseEcdsaPublicKey(data []byte) (Key, error) {
if err := key.decode(); err != nil {
return nil, err
}

// sanity check of the certificate
if certs := key.X509CertificateChain(); len(certs) > 0 {
cert := certs[0]
publicKey, ok := cert.PublicKey.(*ecdsa.PublicKey)
if !ok {
return nil, errors.New("jwk: public key types are mismatch")
}
if !key.publicKey.Equal(publicKey) {
return nil, errors.New("jwk: public keys are mismatch")
}
}

return &key, nil
}

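Review bot: The same 13-line certificate check now appears four times — here in parseEcdsaPrivateKey and parseEcdsaPublicKey, and again in rsa.go's parseRSAPrivateKey and parseRSAPublicKey — differing only in the asserted key type and the compared field, so any later tightening (for example also checking an `x5t` thumbprint when present) has to be repeated in four places. Since `*ecdsa.PublicKey` and `*rsa.PublicKey` both implement `Equal(crypto.PublicKey) bool` and return false for a foreign key type, the type assertion can be folded into one package-level helper that each parser calls as `if err := checkCertificateKey(key.X509CertificateChain(), &key.privateKey.PublicKey); err != nil { return nil, err }` (the public-key parsers pass `key.publicKey`). The error strings are also ungrammatical: `"jwk: public keys are mismatch"` reads better as `"jwk: x5c certificate public key does not match the key"`. This assumes X509CertificateChain returns `[]*x509.Certificate`, which is outside the hunk, and the helper needs `crypto` and `crypto/x509` imported; all four enclosing functions start outside their hunks.
```go
// checkCertificateKey verifies that the leaf certificate of an x5c chain
// carries the same public key as the JWK parameters (RFC 7517 Section 4.7).
// An empty chain is accepted; the chain itself is not validated here.
func checkCertificateKey(certs []*x509.Certificate, pub interface{ Equal(x crypto.PublicKey) bool }) error {
	if len(certs) == 0 {
		return nil
	}
	// Equal reports false for a different key type, so no separate type assertion is needed.
	if !pub.Equal(certs[0].PublicKey) {
		return errors.New("jwk: x5c certificate public key does not match the key")
	}
	return nil
}
```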
27 changes: 27 additions & 0 deletions provider/github-app-token/github/jwk/rsa.go
Expand Up @@ -4,6 +4,7 @@ import (
"crypto/rsa"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"math/big"
)
Expand Down Expand Up @@ -62,6 +63,19 @@ func parseRSAPrivateKey(data []byte) (Key, error) {
if err := key.decode(); err != nil {
return nil, err
}

// sanity check of the certificate
if certs := key.X509CertificateChain(); len(certs) > 0 {
cert := certs[0]
publicKey, ok := cert.PublicKey.(*rsa.PublicKey)
if !ok {
return nil, errors.New("jwk: public key types are mismatch")
}
if !key.privateKey.PublicKey.Equal(publicKey) {
return nil, errors.New("jwk: public keys are mismatch")
}
}

return &key, nil
}

Expand Down Expand Up @@ -199,6 +213,19 @@ func parseRSAPublicKey(data []byte) (Key, error) {
if err := key.decode(); err != nil {
return nil, err
}

// sanity check of the certificate
if certs := key.X509CertificateChain(); len(certs) > 0 {
cert := certs[0]
publicKey, ok := cert.PublicKey.(*rsa.PublicKey)
if !ok {
return nil, errors.New("jwk: public key types are mismatch")
}
if !key.publicKey.Equal(publicKey) {
return nil, errors.New("jwk: public keys are mismatch")
}
}

return &key, nil
}

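Review bot: The comment `// sanity check of the certificate` above the new block in parseRSAPrivateKey (and the identical block in parseRSAPublicKey) understates what is and is not checked: the code only proves that the leaf certificate carries this key, while the chain's signatures, validity period and any `x5t`/`x5t#S256` thumbprint are not verified here, and a reader skimming "sanity check" may take it for certificate validation. Suggest `// x5c: the leaf certificate must carry this key (RFC 7517 Section 4.7); the chain itself is not validated here.` in both places. Whether thumbprints are checked elsewhere in the package is outside the hunk, as is the start of both enclosing functions.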
