Skip to content

Commit 432ea50

Browse files
brockallenbrockallen
committed
rework jwt validation; add rsa jwt validation tests
1 parent d7c5a8e commit 432ea50

File tree

4 files changed

+230
-108
lines changed

4 files changed

+230
-108
lines changed

src/JwtUtil.js

Lines changed: 42 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -27,34 +27,60 @@ export default class JwtUtil {
2727
var token = __global.jws.JWS.parse(jwt);
2828
return {
2929
header: token.headerObj,
30-
payload : token.payloadObj
30+
payload: token.payloadObj
3131
}
3232
}
3333
catch (e) {
3434
Log.error(e);
3535
}
3636
}
37-
38-
static validateJwtRsa(jwt, key) {
39-
Log.info("JwtUtil.validateJwtRsa");
40-
try {
41-
return true;
42-
}
43-
catch (e) {
44-
Log.error(e);
45-
}
46-
}
47-
48-
static validateJwtEc(jwt, key) {
49-
Log.info("JwtUtil.validateJwtEc");
37+
38+
static validateJwt(jwt, key, issuer, audience, now) {
39+
Log.info("JwtUtil.validateJwt");
40+
5041
try {
51-
return true;
42+
if (key.kty === "RSA"){
43+
if (key.e && key.n) {
44+
key = __global.KEYUTIL.getKey(key);
45+
}
46+
else if (key.x5c && key.x5c.length) {
47+
key = __global.KEYUTIL.getKey(__global.X509.getPublicKeyFromCertPEM(key.x5c[0]));
48+
}
49+
else {
50+
Log.error("RSA key missing key material", key);
51+
return false;
52+
}
53+
}
54+
else if (key.kty === "EC"){
55+
if (key.crv && key.x && key.y) {
56+
key = __global.KEYUTIL.getKey(key);
57+
}
58+
else {
59+
Log.error("EC key missing key material", key);
60+
return false;
61+
}
62+
}
63+
else {
64+
Log.error("Unsupported key type", key.kty);
65+
return false;
66+
}
67+
68+
return __global.jws.JWS.verifyJWT(jwt,
69+
key,
70+
{
71+
alg: ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'ES256', 'ES384', 'ES512'],
72+
iss: [issuer],
73+
aud: [audience],
74+
verifyAt : now
75+
});
5276
}
5377
catch (e) {
5478
Log.error(e);
5579
}
80+
81+
return false;
5682
}
57-
83+
5884
static hashString(value, alg) {
5985
Log.info("JwtUtil.hashString", value, alg);
6086
try {

src/ResponseValidator.js

Lines changed: 1 addition & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -224,7 +224,7 @@ export default class ResponseValidator {
224224
return Promise.reject(new Error("No key matching kid found in signing keys"));
225225
}
226226

227-
if (!this.validateJwt(response.id_token, key, issuer, audience)) {
227+
if (!this._jwtUtil.validateJwt(response.id_token, key, issuer, audience)) {
228228
Log.error("Signature failed to validate");
229229
return Promise.reject(new Error("Signature failed to validate"));
230230
}
@@ -235,21 +235,6 @@ export default class ResponseValidator {
235235
});
236236
}
237237

238-
validateJwt(id_token, key, issuer, audience) {
239-
Log.info("ResponseValidator.validateJwt");
240-
241-
if (key.kty === "RSA") {
242-
return this._jwtUtil.validateJwtRsa(id_token, key, issuer, audience);
243-
}
244-
else if (key.kty === "EC") {
245-
return this._jwtUtil.validateJwtEc(id_token, key, issuer, audience);
246-
}
247-
else {
248-
Log.error("Unsupported key type:", key.kty);
249-
return false;
250-
}
251-
}
252-
253238
validateAccessToken(response) {
254239
Log.info("ResponseValidator.validateAccessToken");
255240

test/JwtUtil.spec.js

Lines changed: 142 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,142 @@
1+
import JwtUtil from '../src/JwtUtil';
2+
import Log from '../src/Log';
3+
4+
import chai from 'chai';
5+
chai.should();
6+
let assert = chai.assert;
7+
let expect = chai.expect;
8+
9+
var KJUR = require("jsrsasign");
10+
JwtUtil.init(KJUR);
11+
12+
describe("JwtUtil", function() {
13+
14+
let jwt;
15+
let jwtFromRsa;
16+
let rsaKey;
17+
let ecKey;
18+
19+
const expectedIssuer = "https://localhost:44333/core";
20+
const expectedAudience = "js.tokenmanager";
21+
const expectedNow = 1459129901;
22+
23+
beforeEach(function() {
24+
Log.setLogger(console);
25+
Log.level = Log.NONE;
26+
27+
jwt = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo0NDMzMy9jb3JlIiwiYXVkIjoianMudG9rZW5tYW5hZ2VyIiwiZXhwIjoxNDU5MTMwMjAxLCJuYmYiOjE0NTkxMjk5MDEsIm5vbmNlIjoiNzIyMTAwNTIwOTk3MjM4MiIsImlhdCI6MTQ1OTEyOTkwMSwiYXRfaGFzaCI6IkpnRFVDeW9hdEp5RW1HaWlXYndPaEEiLCJzaWQiOiIwYzVmMDYxZTYzOThiMWVjNmEwYmNlMmM5NDFlZTRjNSIsInN1YiI6Ijg4NDIxMTEzIiwiYXV0aF90aW1lIjoxNDU5MTI5ODk4LCJpZHAiOiJpZHNydiIsImFtciI6WyJwYXNzd29yZCJdfQ.f6S1Fdd0UQScZAFBzXwRiVsUIPQnWZLSe07kdtjANRZDZXf5A7yDtxOftgCx5W0ONQcDFVpLGPgTdhp7agZkPpCFutzmwr0Rr9G7E7mUN4xcIgAABhmRDfzDayFBEu6VM8wEWTChezSWtx2xG_2zmVJxxmNV0jvkaz0bu7iin-C_UZg6T-aI9FZDoKRGXZP9gF65FQ5pQ4bCYQxhKcvjjUfs0xSHGboL7waN6RfDpO4vvVR1Kz-PQhIRyFAJYRuoH4PdMczHYtFCb-k94r-7TxEU0vp61ww4WntbPvVWwUbCUgsEtmDzAZT-NEJVhWztNk1ip9wDPXzZ2hEhDAPJ7A";
28+
29+
jwtFromRsa = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo0NDMzMy9jb3JlIiwiYXVkIjoianMudG9rZW5tYW5hZ2VyIiwiZXhwIjoxNDU5MTMwMjAxLCJuYmYiOjE0NTkxMjk5MDEsIm5vbmNlIjoiNzIyMTAwNTIwOTk3MjM4MiIsImlhdCI6MTQ1OTEyOTkwMSwiYXRfaGFzaCI6IkpnRFVDeW9hdEp5RW1HaWlXYndPaEEiLCJzaWQiOiIwYzVmMDYxZTYzOThiMWVjNmEwYmNlMmM5NDFlZTRjNSIsInN1YiI6Ijg4NDIxMTEzIiwiYXV0aF90aW1lIjoxNDU5MTI5ODk4LCJpZHAiOiJpZHNydiIsImFtciI6WyJwYXNzd29yZCJdfQ.f6S1Fdd0UQScZAFBzXwRiVsUIPQnWZLSe07kdtjANRZDZXf5A7yDtxOftgCx5W0ONQcDFVpLGPgTdhp7agZkPpCFutzmwr0Rr9G7E7mUN4xcIgAABhmRDfzDayFBEu6VM8wEWTChezSWtx2xG_2zmVJxxmNV0jvkaz0bu7iin-C_UZg6T-aI9FZDoKRGXZP9gF65FQ5pQ4bCYQxhKcvjjUfs0xSHGboL7waN6RfDpO4vvVR1Kz-PQhIRyFAJYRuoH4PdMczHYtFCb-k94r-7TxEU0vp61ww4WntbPvVWwUbCUgsEtmDzAZT-NEJVhWztNk1ip9wDPXzZ2hEhDAPJ7A";
30+
31+
rsaKey = {
32+
kty: "RSA",
33+
use: "sig",
34+
kid: "a3rMUgMFv9tPclLa6yF3zAkfquE",
35+
x5t: "a3rMUgMFv9tPclLa6yF3zAkfquE",
36+
e: "AQAB",
37+
n: "qnTksBdxOiOlsmRNd-mMS2M3o1IDpK4uAr0T4_YqO3zYHAGAWTwsq4ms-NWynqY5HaB4EThNxuq2GWC5JKpO1YirOrwS97B5x9LJyHXPsdJcSikEI9BxOkl6WLQ0UzPxHdYTLpR4_O-0ILAlXw8NU4-jB4AP8Sn9YGYJ5w0fLw5YmWioXeWvocz1wHrZdJPxS8XnqHXwMUozVzQj-x6daOv5FmrHU1r9_bbp0a1GLv4BbTtSh4kMyz1hXylho0EvPg5p9YIKStbNAW9eNWvv5R8HN7PPei21AsUqxekK0oW9jnEdHewckToX7x5zULWKwwZIksll0XnVczVgy7fCFw",
38+
x5c: [
39+
"MIIDBTCCAfGgAwIBAgIQNQb+T2ncIrNA6cKvUA1GWTAJBgUrDgMCHQUAMBIxEDAOBgNVBAMTB0RldlJvb3QwHhcNMTAwMTIwMjIwMDAwWhcNMjAwMTIwMjIwMDAwWjAVMRMwEQYDVQQDEwppZHNydjN0ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqnTksBdxOiOlsmRNd+mMS2M3o1IDpK4uAr0T4/YqO3zYHAGAWTwsq4ms+NWynqY5HaB4EThNxuq2GWC5JKpO1YirOrwS97B5x9LJyHXPsdJcSikEI9BxOkl6WLQ0UzPxHdYTLpR4/O+0ILAlXw8NU4+jB4AP8Sn9YGYJ5w0fLw5YmWioXeWvocz1wHrZdJPxS8XnqHXwMUozVzQj+x6daOv5FmrHU1r9/bbp0a1GLv4BbTtSh4kMyz1hXylho0EvPg5p9YIKStbNAW9eNWvv5R8HN7PPei21AsUqxekK0oW9jnEdHewckToX7x5zULWKwwZIksll0XnVczVgy7fCFwIDAQABo1wwWjATBgNVHSUEDDAKBggrBgEFBQcDATBDBgNVHQEEPDA6gBDSFgDaV+Q2d2191r6A38tBoRQwEjEQMA4GA1UEAxMHRGV2Um9vdIIQLFk7exPNg41NRNaeNu0I9jAJBgUrDgMCHQUAA4IBAQBUnMSZxY5xosMEW6Mz4WEAjNoNv2QvqNmk23RMZGMgr516ROeWS5D3RlTNyU8FkstNCC4maDM3E0Bi4bbzW3AwrpbluqtcyMN3Pivqdxx+zKWKiORJqqLIvN8CT1fVPxxXb/e9GOdaR8eXSmB0PgNUhM4IjgNkwBbvWC9F/lzvwjlQgciR7d4GfXPYsE1vf8tmdQaY8/PtdAkExmbrb9MihdggSoGXlELrPA91Yce+fiRcKY3rQlNWVd4DOoJ/cPXsXwry8pWjNCo5JD8Q+RQ5yZEy7YPoifwemLhTdsBz3hlZr28oCGJ3kbnpW0xGvQb3VHSTVVbeei0CfXoW6iz1"
40+
]
41+
};
42+
43+
ecKey = {
44+
kty: "EC",
45+
kid: "4",
46+
use: "sig",
47+
alg: "EC",
48+
crv: "P-256",
49+
x: "eZXWiRe0I3TvHPXiGnvO944gjF1o4UmitH2CVwYIrPg",
50+
y: "AKFNss7S35tOsp5iY7-YuLGs2cLrTKFk80JvgVzMPHQ3",
51+
x5c: [
52+
"MIIBpDCCAUoCgYBCs6x21IvwVHFgJxiRegyHdSiEHFur9Wj2qM5oNkv6sFbbC75L849qCgMEzdtqIhCiCnFg6PaQdswHkcclXix+y0sycyIM6l429faY3jz5eQs5SYwXYkENStzTZBsWK6u7bPiV3HvjnIv+r1af8nvO5F0tiH0TC+auDj9FgRmYljAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNUZXN0IENBIENlcnRpZmljYXRlMB4XDTEzMDIxMTIxMjQxMVoXDTE0MDIxMTIxMjQxMVowHjEcMBoGA1UEAxMTVGVzdCBDQSBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHmV1okXtCN07xz14hp7zveOIIxdaOFJorR9glcGCKz4oU2yztLfm06ynmJjv5i4sazZwutMoWTzQm+BXMw8dDcwCgYIKoZIzj0EAwIDSAAwRQIhAI4aRAoTVm3was6UimA1lFL2RId+t/fExaviosXNKg/IAiBpZB4XXcnQISwauSJ1hXNnSEcONXdqvO5gDHu+X7QHLg=="
53+
]
54+
};
55+
});
56+
57+
describe("parseJwt", function() {
58+
59+
it("should parse a jwt", function() {
60+
61+
var result = JwtUtil.parseJwt(jwt);
62+
result.should.be.ok;
63+
result.header.should.be.ok;
64+
result.payload.should.be.ok;
65+
66+
result.header.should.deep.equal({
67+
"typ": "JWT",
68+
"alg": "RS256",
69+
"x5t": "a3rMUgMFv9tPclLa6yF3zAkfquE",
70+
"kid": "a3rMUgMFv9tPclLa6yF3zAkfquE"
71+
});
72+
73+
result.payload.should.deep.equal({
74+
"iss": "https://localhost:44333/core",
75+
"aud": "js.tokenmanager",
76+
"exp": 1459130201,
77+
"nbf": 1459129901,
78+
"nonce": "7221005209972382",
79+
"iat": 1459129901,
80+
"at_hash": "JgDUCyoatJyEmGiiWbwOhA",
81+
"sid": "0c5f061e6398b1ec6a0bce2c941ee4c5",
82+
"sub": "88421113",
83+
"auth_time": 1459129898,
84+
"idp": "idsrv",
85+
"amr": [
86+
"password"
87+
]
88+
});
89+
90+
});
91+
92+
it("should return undefined for an invalid jwt", function() {
93+
94+
var result = JwtUtil.parseJwt("junk");
95+
expect(result).to.be.undefined;
96+
});
97+
98+
});
99+
100+
101+
describe("validateJwt", function() {
102+
103+
it("should validate from RSA X509 key", function() {
104+
105+
delete rsaKey.n;
106+
delete rsaKey.e;
107+
108+
var result = JwtUtil.validateJwt(jwtFromRsa, rsaKey, expectedIssuer, expectedAudience, expectedNow);
109+
result.should.be.true;
110+
111+
});
112+
113+
it("should validate from RSA exponent and modulus", function() {
114+
115+
Log.level = Log.INFO;
116+
117+
delete rsaKey.x5c;
118+
119+
var result = JwtUtil.validateJwt(jwtFromRsa, rsaKey, expectedIssuer, expectedAudience, expectedNow);
120+
result.should.be.true;
121+
122+
});
123+
124+
it("should fail for unsupported key types", function() {
125+
126+
rsaKey.kty = "foo";
127+
128+
var result = JwtUtil.validateJwt(jwtFromRsa, rsaKey, expectedIssuer, expectedAudience, expectedNow);
129+
result.should.be.false;
130+
131+
});
132+
133+
it("should fail for mismatched keys", function() {
134+
135+
var result = JwtUtil.validateJwt(jwtFromRsa, ecKey, expectedIssuer, expectedAudience, expectedNow);
136+
result.should.be.false;
137+
138+
});
139+
140+
});
141+
142+
});

0 commit comments

Comments
 (0)