diff options
| author | Matthew Miller <matthew@millerti.me> | 2023-06-04 22:06:55 -0700 |
|---|---|---|
| committer | Matthew Miller <matthew@millerti.me> | 2023-06-04 22:06:55 -0700 |
| commit | 6031210dd0d2a1b37108fe124edfd8748d12e8e9 (patch) | |
| tree | b7b2408b9846d34a57eeb57c95594a519e71025b /packages/server/src | |
| parent | 8f01d3135b716e5794ffa793b8233a715ac2037d (diff) | |
Support use of RSA for JWT signatures
Diffstat (limited to 'packages/server/src')
| -rw-r--r-- | packages/server/src/metadata/verifyJWT.ts | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/packages/server/src/metadata/verifyJWT.ts b/packages/server/src/metadata/verifyJWT.ts index d7e64ec..d9c933a 100644 --- a/packages/server/src/metadata/verifyJWT.ts +++ b/packages/server/src/metadata/verifyJWT.ts @@ -1,13 +1,13 @@ import { convertX509PublicKeyToCOSE } from '../helpers/convertX509PublicKeyToCOSE'; import { isoBase64URL, isoUint8Array } from '../helpers/iso'; -import { COSEALG, COSEKEYS, isCOSEPublicKeyEC2 } from '../helpers/cose'; +import { COSEALG, COSEKEYS, isCOSEPublicKeyEC2, isCOSEPublicKeyRSA } from '../helpers/cose'; import { verifyEC2 } from '../helpers/iso/isoCrypto/verifyEC2'; +import { verifyRSA } from '../helpers/iso/isoCrypto/verifyRSA'; /** - * Lightweight verification for FIDO MDS JWTs. + * Lightweight verification for FIDO MDS JWTs. Supports use of EC2 and RSA. * - * Currently assumes `"alg": "ES256"` in the JWT header, it's what FIDO MDS uses. If this ever - * needs to support more JWS algorithms, here's the list of them: + * If this ever needs to support more JWS algorithms, here's the list of them: * * https://www.rfc-editor.org/rfc/rfc7518.html#section-3.1 * @@ -17,14 +17,22 @@ export async function verifyJWT(jwt: string, leafCert: Uint8Array): Promise<bool const [header, payload, signature] = jwt.split('.'); const certCOSE = convertX509PublicKeyToCOSE(leafCert); + const data = isoUint8Array.fromUTF8String(`${header}.${payload}`); + const signatureBytes = isoBase64URL.toBuffer(signature); if (isCOSEPublicKeyEC2(certCOSE)) { return verifyEC2({ - data: isoUint8Array.fromUTF8String(`${header}.${payload}`), - signature: isoBase64URL.toBuffer(signature), + data, + signature: signatureBytes, cosePublicKey: certCOSE, shaHashOverride: COSEALG.ES256, }); + } else if (isCOSEPublicKeyRSA(certCOSE)) { + return verifyRSA({ + data, + signature: signatureBytes, + cosePublicKey: certCOSE, + }) } const kty = certCOSE.get(COSEKEYS.kty); |