diff --git a/provider/github-app-token/github/jwk/ecdsa.go b/provider/github-app-token/github/jwk/ecdsa.go
index f9f8fbf5..292fe068 100644
--- a/provider/github-app-token/github/jwk/ecdsa.go
+++ b/provider/github-app-token/github/jwk/ecdsa.go
@@ -5,6 +5,7 @@ import (
 "crypto/elliptic"
 "encoding/base64"
 "encoding/json"
+ "errors"
 "fmt"
 "math/big"
 )
@@ -47,6 +48,19 @@ func parseEcdsaPrivateKey(data []byte) (Key, error) {
 if err := key.decode(); err != nil {
 return nil, err
 }
+
+ // sanity check of the certificate
+ if certs := key.X509CertificateChain(); len(certs) > 0 {
+ cert := certs[0]
+ publicKey, ok := cert.PublicKey.(*ecdsa.PublicKey)
+ if !ok {
+ return nil, errors.New("jwk: public key types are mismatch")
+ }
+ if !key.privateKey.PublicKey.Equal(publicKey) {
+ return nil, errors.New("jwk: public keys are mismatch")
+ }
+ }
+
 return &key, nil
 }
@@ -117,6 +131,19 @@ func parseEcdsaPublicKey(data []byte) (Key, error) {
 if err := key.decode(); err != nil {
 return nil, err
 }
+
+ // sanity check of the certificate
+ if certs := key.X509CertificateChain(); len(certs) > 0 {
+ cert := certs[0]
+ publicKey, ok := cert.PublicKey.(*ecdsa.PublicKey)
+ if !ok {
+ return nil, errors.New("jwk: public key types are mismatch")
+ }
+ if !key.publicKey.Equal(publicKey) {
+ return nil, errors.New("jwk: public keys are mismatch")
+ }
+ }
+
 return &key, nil
 }
diff --git a/provider/github-app-token/github/jwk/rsa.go b/provider/github-app-token/github/jwk/rsa.go
index eabcb767..673b0b20 100644
--- a/provider/github-app-token/github/jwk/rsa.go
+++ b/provider/github-app-token/github/jwk/rsa.go
@@ -4,6 +4,7 @@ import (
 "crypto/rsa"
 "encoding/base64"
 "encoding/json"
+ "errors"
 "fmt"
 "math/big"
 )
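Review bot: The comment `// sanity check of the certificate` overstates what the added block in parseEcdsaPrivateKey does: it only confirms that the leaf certificate's public key equals the JWK's own key, while the rest of the chain, the certificate's validity period and any thumbprint parameter are not verified here, so a reader should not mistake this for certificate validation; a comment such as `// consistency check only: the leaf certificate must carry the same public key as the JWK; the chain itself is not verified here` makes that explicit. The same 13-line block is repeated in parseEcdsaPublicKey below and in both rsa.go hunks, differing only in the asserted type; since both *ecdsa.PublicKey and *rsa.PublicKey implement Equal(crypto.PublicKey) and return false on a type mismatch, one helper (sketched below; it needs `crypto` and `crypto/x509` imported and assumes X509CertificateChain returns []*x509.Certificate, which the hunk does not show) removes the duplication. The error strings `public key types are mismatch` and `public keys are mismatch` are ungrammatical; `jwk: certificate public key type mismatch` and `jwk: certificate public key does not match the key` read better if the two-message form is kept. parseEcdsaPrivateKey begins before the hunk.
```go
// checkCertificatePublicKey reports an error when the first (leaf) certificate
// carries a different public key than pub. Consistency check only: the chain
// is not verified here. Equal returns false when the key types differ.
func checkCertificatePublicKey(certs []*x509.Certificate, pub interface{ Equal(crypto.PublicKey) bool }) error {
	if len(certs) == 0 {
		return nil
	}
	if !pub.Equal(certs[0].PublicKey) {
		return errors.New("jwk: certificate public key does not match the key")
	}
	return nil
}

// … unchanged: key.decode() and its error check in parseEcdsaPrivateKey …
	if err := checkCertificatePublicKey(key.X509CertificateChain(), &key.privateKey.PublicKey); err != nil {
		return nil, err
	}
	return &key, nil
```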
@@ -62,6 +63,19 @@ func parseRSAPrivateKey(data []byte) (Key, error) {
 if err := key.decode(); err != nil {
 return nil, err
 }
+
+ // sanity check of the certificate
+ if certs := key.X509CertificateChain(); len(certs) > 0 {
+ cert := certs[0]
+ publicKey, ok := cert.PublicKey.(*rsa.PublicKey)
+ if !ok {
+ return nil, errors.New("jwk: public key types are mismatch")
+ }
+ if !key.privateKey.PublicKey.Equal(publicKey) {
+ return nil, errors.New("jwk: public keys are mismatch")
+ }
+ }
+
 return &key, nil
 }
@@ -199,6 +213,19 @@ func parseRSAPublicKey(data []byte) (Key, error) {
 if err := key.decode(); err != nil {
 return nil, err
 }
+
+ // sanity check of the certificate
+ if certs := key.X509CertificateChain(); len(certs) > 0 {
+ cert := certs[0]
+ publicKey, ok := cert.PublicKey.(*rsa.PublicKey)
+ if !ok {
+ return nil, errors.New("jwk: public key types are mismatch")
+ }
+ if !key.publicKey.Equal(publicKey) {
+ return nil, errors.New("jwk: public keys are mismatch")
+ }
+ }
+
 return &key, nil
 }