From 5fa9e498b56c2b16f1a2b40bd0155a1861cf08c5 Mon Sep 17 00:00:00 2001 From: Pavel Borzenkov Date: Wed, 23 Nov 2016 20:01:04 +0300 Subject: [PATCH 1/3] *: update go-oidc to include base64 padding fixes Update to pull the fixes done by https://github.com/coreos/go-oidc/pull/115 Signed-off-by: Pavel Borzenkov --- glide.lock | 8 ++++---- glide.yaml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/glide.lock b/glide.lock index 80945c7b..d628c6e8 100644 --- a/glide.lock +++ b/glide.lock @@ -1,10 +1,10 @@ -hash: a453b9008bef3edc06f6df648bc40048ab387bf03a3e9127cdccb817569d518e -updated: 2016-08-27T08:50:06.025458672-07:00 +hash: 5007c2ed2a8d71321949be6b1a525bdb7b827e7b7a5db711a308ade97e79a942 +updated: 2016-11-23T19:49:41.488352648+03:00 imports: - name: github.com/andybalholm/cascadia version: 6122e68c2642b7b75c538a63b15168c6c80fb757 - name: github.com/coreos/go-oidc - version: 9fae754a41cbdc3be9cb97a180eb323b625db614 + version: d3e23e1446a65c7de3d36ed8b6dda1eb224c9194 subpackages: - http - jose @@ -61,8 +61,8 @@ imports: - name: golang.org/x/net version: dfe268fd2bb5c793f4c083803609fce9806c6f80 subpackages: - - html - context + - html - html/atom - name: google.golang.org/api version: d3edb0282bde692467788c50070a9211afe75cf3 diff --git a/glide.yaml b/glide.yaml index 93efdb10..59f6a975 100644 --- a/glide.yaml +++ b/glide.yaml @@ -5,7 +5,7 @@ import: - package: github.com/andybalholm/cascadia version: 6122e68c2642b7b75c538a63b15168c6c80fb757 - package: github.com/coreos/go-oidc - version: 9fae754a41cbdc3be9cb97a180eb323b625db614 + version: d3e23e1446a65c7de3d36ed8b6dda1eb224c9194 subpackages: - http - jose From abd6805f1c0a516cae88ebb45efa5001661c2803 Mon Sep 17 00:00:00 2001 From: Pavel Borzenkov Date: Wed, 23 Nov 2016 20:02:09 +0300 Subject: [PATCH 2/3] *: revendor Signed-off-by: Pavel Borzenkov --- vendor/github.com/coreos/go-oidc/.travis.yml | 9 +- vendor/github.com/coreos/go-oidc/README.md | 71 ++- vendor/github.com/coreos/go-oidc/build | 9 - .../coreos/go-oidc/example/README.md | 21 + .../coreos/go-oidc/example/app/main.go | 162 ------- .../coreos/go-oidc/example/cli/main.go | 83 ---- .../coreos/go-oidc/example/idtoken/app.go | 89 ++++ .../coreos/go-oidc/example/nonce/app.go | 104 +++++ .../coreos/go-oidc/example/userinfo/app.go | 76 ++++ vendor/github.com/coreos/go-oidc/gen.go | 150 +++++++ vendor/github.com/coreos/go-oidc/http/doc.go | 2 + vendor/github.com/coreos/go-oidc/jose.go | 20 + vendor/github.com/coreos/go-oidc/jose/doc.go | 2 + vendor/github.com/coreos/go-oidc/jose/jwk.go | 4 +- .../coreos/go-oidc/jose/jwt_test.go | 2 +- .../coreos/go-oidc/jose/sig_hmac.go | 68 --- .../coreos/go-oidc/jose/sig_hmac_test.go | 85 ---- vendor/github.com/coreos/go-oidc/jose_test.go | 405 ++++++++++++++++++ vendor/github.com/coreos/go-oidc/jwks.go | 199 +++++++++ vendor/github.com/coreos/go-oidc/jwks_test.go | 99 +++++ vendor/github.com/coreos/go-oidc/key/doc.go | 2 + .../github.com/coreos/go-oidc/oauth2/doc.go | 2 + vendor/github.com/coreos/go-oidc/oidc.go | 286 +++++++++++++ vendor/github.com/coreos/go-oidc/oidc/doc.go | 2 + .../coreos/go-oidc/oidc/provider.go | 4 +- vendor/github.com/coreos/go-oidc/oidc_test.go | 21 + vendor/github.com/coreos/go-oidc/test | 71 +-- vendor/github.com/coreos/go-oidc/verify.go | 263 ++++++++++++ .../github.com/coreos/go-oidc/verify_test.go | 265 ++++++++++++ 29 files changed, 2093 insertions(+), 483 deletions(-) delete mode 100755 vendor/github.com/coreos/go-oidc/build create mode 100644 vendor/github.com/coreos/go-oidc/example/README.md delete mode 100644 vendor/github.com/coreos/go-oidc/example/app/main.go delete mode 100644 vendor/github.com/coreos/go-oidc/example/cli/main.go create mode 100644 vendor/github.com/coreos/go-oidc/example/idtoken/app.go create mode 100644 vendor/github.com/coreos/go-oidc/example/nonce/app.go create mode 100644 vendor/github.com/coreos/go-oidc/example/userinfo/app.go create mode 100644 vendor/github.com/coreos/go-oidc/gen.go create mode 100644 vendor/github.com/coreos/go-oidc/http/doc.go create mode 100644 vendor/github.com/coreos/go-oidc/jose.go create mode 100644 vendor/github.com/coreos/go-oidc/jose/doc.go delete mode 100644 vendor/github.com/coreos/go-oidc/jose/sig_hmac.go delete mode 100644 vendor/github.com/coreos/go-oidc/jose/sig_hmac_test.go create mode 100644 vendor/github.com/coreos/go-oidc/jose_test.go create mode 100644 vendor/github.com/coreos/go-oidc/jwks.go create mode 100644 vendor/github.com/coreos/go-oidc/jwks_test.go create mode 100644 vendor/github.com/coreos/go-oidc/key/doc.go create mode 100644 vendor/github.com/coreos/go-oidc/oauth2/doc.go create mode 100644 vendor/github.com/coreos/go-oidc/oidc.go create mode 100644 vendor/github.com/coreos/go-oidc/oidc/doc.go create mode 100644 vendor/github.com/coreos/go-oidc/oidc_test.go create mode 100644 vendor/github.com/coreos/go-oidc/verify.go create mode 100644 vendor/github.com/coreos/go-oidc/verify_test.go diff --git a/vendor/github.com/coreos/go-oidc/.travis.yml b/vendor/github.com/coreos/go-oidc/.travis.yml index 6d488ac6..fb89294c 100644 --- a/vendor/github.com/coreos/go-oidc/.travis.yml +++ b/vendor/github.com/coreos/go-oidc/.travis.yml @@ -1,14 +1,13 @@ language: go go: - - 1.4.3 - - 1.5.4 - - 1.6.1 - - 1.7 + - 1.7.3 + - 1.6.3 install: - - go get -v -t ./... + - go get -v -t github.com/coreos/go-oidc - go get golang.org/x/tools/cmd/cover + - go get github.com/golang/lint/golint script: - ./test diff --git a/vendor/github.com/coreos/go-oidc/README.md b/vendor/github.com/coreos/go-oidc/README.md index ebffc8c1..2a5c13e5 100644 --- a/vendor/github.com/coreos/go-oidc/README.md +++ b/vendor/github.com/coreos/go-oidc/README.md @@ -3,13 +3,70 @@ [![GoDoc](https://godoc.org/github.com/coreos/go-oidc?status.svg)](https://godoc.org/github.com/coreos/go-oidc) [![Build Status](https://travis-ci.org/coreos/go-oidc.png?branch=master)](https://travis-ci.org/coreos/go-oidc) -go-oidc provides a comprehensive collection of golang libraries for other projects to implement [OpenID Connect (OIDC)][oidc] server and client components. +## OpenID Connect support for Go -[oidc]: http://openid.net/connect +This package enables OpenID Connect support for the [golang.org/x/oauth2](https://godoc.org/golang.org/x/oauth2) package. -## package documentation +```go +provider, err := oidc.NewProvider(ctx, "https://accounts.google.com") +if err != nil { + // handle error +} -- [github.com/coreos/go-oidc/oidc](http://godoc.org/github.com/coreos/go-oidc/oidc) - OIDC client- and server-related components -- [github.com/coreos/go-oidc/oauth2](http://godoc.org/github.com/coreos/go-oidc/oauth2) - OAuth2-specific code needed by the OIDC components -- [github.com/coreos/go-oidc/jose](http://godoc.org/github.com/coreos/go-oidc/jose) - Javascript Object Signing and Encryption (JOSE) object ([JWS](https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41), [JWK](https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41)) generation, validation and serialization -- [github.com/coreos/go-oidc/key](http://godoc.org/github.com/coreos/go-oidc/key) - RSA key management for OIDC components +// Configure an OpenID Connect aware OAuth2 client. +oauth2Config := oauth2.Config{ + ClientID: clientID, + ClientSecret: clientSecret, + RedirectURL: redirectURL, + + // Discovery returns the OAuth2 endpoints. + Endpoint: provider.Endpoint(), + + // "openid" is a required scope for OpenID Connect flows. + Scopes: []string{oidc.ScopeOpenID, "profile", "email"}, +} +``` + +OAuth2 redirects are unchanged. + +```go +func handleRedirect(w http.ResponseWriter, r *http.Request) { + http.Redirect(w, r, oauth2Config.AuthCodeURL(state), http.StatusFound) +} +``` + +The on responses, the provider can be used to verify ID Tokens. + +```go +var verifier = provider.Verifier() + +func handleOAuth2Callback(w http.ResponseWriter, r *http.Request) { + // Verify state and errors. + + oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code")) + if err != nil { + // handle error + } + + // Extract the ID Token from OAuth2 token. + rawIDToken, ok := oauth2Token.Extra("id_token").(string) + if !ok { + // handle missing token + } + + // Parse and verify ID Token payload. + idToken, err := verifier.Verify(ctx, rawIDToken) + if err != nil { + // handle error + } + + // Extract custom claims + var claims struct { + Email string `json:"email"` + Verified bool `json:"email_verified"` + } + if err := idToken.Claims(&claims); err != nil { + // handle error + } +} +``` diff --git a/vendor/github.com/coreos/go-oidc/build b/vendor/github.com/coreos/go-oidc/build deleted file mode 100755 index 6f9f2d7d..00000000 --- a/vendor/github.com/coreos/go-oidc/build +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash -e - -GOBUILD="go build -a -installsuffix netgo -ldflags '-s'" - -echo "building bin/oidc-example-app..." -${GOBUILD} -o bin/oidc-example-app github.com/coreos/go-oidc/example/app -echo "building bin/oidc-example-cli..." -${GOBUILD} -o bin/oidc-example-cli github.com/coreos/go-oidc/example/cli -echo "done" diff --git a/vendor/github.com/coreos/go-oidc/example/README.md b/vendor/github.com/coreos/go-oidc/example/README.md new file mode 100644 index 00000000..765a4ea0 --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/example/README.md @@ -0,0 +1,21 @@ +# Examples + +These are example uses of the oidc package. Each requires a Google account and the client ID and secret of a registered OAuth2 application. To create one: + +1. Visit your [Google Developer Console][google-developer-console]. +2. Click "Credentials" on the left column. +3. Click the "Create credentials" button followed by "OAuth client ID". +4. Select "Web application" and add "http://127.0.0.1:5556/auth/google/callback" as an authorized redirect URI. +5. Click create and add the printed client ID and secret to your environment using the following variables: + +``` +GOOGLE_OAUTH2_CLIENT_ID +GOOGLE_OAUTH2_CLIENT_SECRET +``` + +Finally run the examples using the Go tool and navigate to http://127.0.0.1:5556. + +``` +go run ./examples/idtoken/app.go +``` +[google-developer-console]: https://console.developers.google.com/apis/dashboard diff --git a/vendor/github.com/coreos/go-oidc/example/app/main.go b/vendor/github.com/coreos/go-oidc/example/app/main.go deleted file mode 100644 index 9e382d96..00000000 --- a/vendor/github.com/coreos/go-oidc/example/app/main.go +++ /dev/null @@ -1,162 +0,0 @@ -package main - -import ( - "encoding/json" - "flag" - "fmt" - "log" - "net" - "net/http" - "net/url" - "os" - "time" - - "github.com/coreos/go-oidc/oidc" -) - -var ( - pathCallback = "/oauth2callback" - defaultListenHost = "127.0.0.1:5555" -) - -func main() { - log.SetOutput(os.Stderr) - - fs := flag.NewFlagSet("oidc-example-app", flag.ExitOnError) - listen := fs.String("listen", defaultListenHost, "serve traffic on this address (:)") - redirectURL := fs.String("redirect-url", fmt.Sprintf("http://%s%s", defaultListenHost, pathCallback), "") - clientID := fs.String("client-id", "", "") - clientSecret := fs.String("client-secret", "", "") - discovery := fs.String("discovery", "https://accounts.google.com", "") - - if err := fs.Parse(os.Args[1:]); err != nil { - log.Fatalf("failed parsing flags: %v", err) - } - - if *clientID == "" { - log.Fatal("--client-id must be set") - } - - if *clientSecret == "" { - log.Fatal("--client-secret must be set") - } - - _, _, err := net.SplitHostPort(*listen) - if err != nil { - log.Fatalf("unable to parse host:port from --listen flag: %v", err) - } - - cc := oidc.ClientCredentials{ - ID: *clientID, - Secret: *clientSecret, - } - - log.Printf("fetching provider config from %s...", *discovery) - - var cfg oidc.ProviderConfig - for { - cfg, err = oidc.FetchProviderConfig(http.DefaultClient, *discovery) - if err == nil { - break - } - - sleep := 3 * time.Second - log.Printf("failed fetching provider config, trying again in %v: %v", sleep, err) - time.Sleep(sleep) - } - - log.Printf("fetched provider config from %s: %#v", *discovery, cfg) - - ccfg := oidc.ClientConfig{ - ProviderConfig: cfg, - Credentials: cc, - RedirectURL: *redirectURL, - } - - client, err := oidc.NewClient(ccfg) - if err != nil { - log.Fatalf("unable to create Client: %v", err) - } - - client.SyncProviderConfig(*discovery) - - redirectURLParsed, err := url.Parse(*redirectURL) - if err != nil { - log.Fatalf("unable to parse url from --redirect-url flag: %v", err) - } - hdlr := NewClientHandler(client, *redirectURLParsed) - httpsrv := &http.Server{ - Addr: fmt.Sprintf(*listen), - Handler: hdlr, - } - - log.Printf("binding to %s...", httpsrv.Addr) - log.Fatal(httpsrv.ListenAndServe()) -} - -func NewClientHandler(c *oidc.Client, cbURL url.URL) http.Handler { - mux := http.NewServeMux() - mux.HandleFunc("/", handleIndex) - mux.HandleFunc("/login", handleLoginFunc(c)) - mux.HandleFunc(pathCallback, handleCallbackFunc(c)) - return mux -} - -func handleIndex(w http.ResponseWriter, r *http.Request) { - w.Write([]byte("login")) -} - -func handleLoginFunc(c *oidc.Client) http.HandlerFunc { - return func(w http.ResponseWriter, r *http.Request) { - oac, err := c.OAuthClient() - if err != nil { - panic("unable to proceed") - } - - u, err := url.Parse(oac.AuthCodeURL("", "", "")) - if err != nil { - panic("unable to proceed") - } - http.Redirect(w, r, u.String(), http.StatusFound) - } -} - -func handleCallbackFunc(c *oidc.Client) http.HandlerFunc { - return func(w http.ResponseWriter, r *http.Request) { - code := r.URL.Query().Get("code") - if code == "" { - writeError(w, http.StatusBadRequest, "code query param must be set") - return - } - - tok, err := c.ExchangeAuthCode(code) - if err != nil { - writeError(w, http.StatusBadRequest, fmt.Sprintf("unable to verify auth code with issuer: %v", err)) - return - } - - claims, err := tok.Claims() - if err != nil { - writeError(w, http.StatusBadRequest, fmt.Sprintf("unable to construct claims: %v", err)) - return - } - - s := fmt.Sprintf("claims: %v", claims) - w.Write([]byte(s)) - } -} - -func writeError(w http.ResponseWriter, code int, msg string) { - e := struct { - Error string `json:"error"` - }{ - Error: msg, - } - b, err := json.Marshal(e) - if err != nil { - log.Printf("Failed marshaling %#v to JSON: %v", e, err) - } - w.Header().Set("Content-Type", "application/json") - w.WriteHeader(code) - w.Write(b) -} diff --git a/vendor/github.com/coreos/go-oidc/example/cli/main.go b/vendor/github.com/coreos/go-oidc/example/cli/main.go deleted file mode 100644 index 2b6f330f..00000000 --- a/vendor/github.com/coreos/go-oidc/example/cli/main.go +++ /dev/null @@ -1,83 +0,0 @@ -package main - -import ( - "flag" - "fmt" - "net/http" - "os" - "time" - - "github.com/coreos/go-oidc/oidc" -) - -func main() { - fs := flag.NewFlagSet("oidc-example-cli", flag.ExitOnError) - clientID := fs.String("client-id", "", "") - clientSecret := fs.String("client-secret", "", "") - discovery := fs.String("discovery", "https://accounts.google.com", "") - - if err := fs.Parse(os.Args[1:]); err != nil { - fmt.Fprintln(os.Stderr, err.Error()) - os.Exit(1) - } - - if *clientID == "" { - fmt.Println("--client-id must be set") - os.Exit(2) - } - - if *clientSecret == "" { - fmt.Println("--client-secret must be set") - os.Exit(2) - } - - cc := oidc.ClientCredentials{ - ID: *clientID, - Secret: *clientSecret, - } - - fmt.Printf("fetching provider config from %s...", *discovery) - - // NOTE: A real CLI would cache this config, or provide it via flags/config file. - var cfg oidc.ProviderConfig - var err error - for { - cfg, err = oidc.FetchProviderConfig(http.DefaultClient, *discovery) - if err == nil { - break - } - - sleep := 1 * time.Second - fmt.Printf("failed fetching provider config, trying again in %v: %v\n", sleep, err) - time.Sleep(sleep) - } - - fmt.Printf("fetched provider config from %s: %#v\n\n", *discovery, cfg) - - ccfg := oidc.ClientConfig{ - ProviderConfig: cfg, - Credentials: cc, - } - - client, err := oidc.NewClient(ccfg) - if err != nil { - fmt.Printf("unable to create Client: %v\n", err) - os.Exit(1) - } - - tok, err := client.ClientCredsToken([]string{"openid"}) - if err != nil { - fmt.Printf("unable to verify auth code with issuer: %v\n", err) - os.Exit(1) - } - - fmt.Printf("got jwt: %v\n\n", tok.Encode()) - - claims, err := tok.Claims() - if err != nil { - fmt.Printf("unable to construct claims: %v\n", err) - os.Exit(1) - } - - fmt.Printf("got claims %#v...\n", claims) -} diff --git a/vendor/github.com/coreos/go-oidc/example/idtoken/app.go b/vendor/github.com/coreos/go-oidc/example/idtoken/app.go new file mode 100644 index 00000000..fe5859e9 --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/example/idtoken/app.go @@ -0,0 +1,89 @@ +/* +This is an example application to demonstrate parsing an ID Token. +*/ +package main + +import ( + "encoding/json" + "log" + "net/http" + "os" + + oidc "github.com/coreos/go-oidc" + + "golang.org/x/net/context" + "golang.org/x/oauth2" +) + +var ( + clientID = os.Getenv("GOOGLE_OAUTH2_CLIENT_ID") + clientSecret = os.Getenv("GOOGLE_OAUTH2_CLIENT_SECRET") +) + +func main() { + ctx := context.Background() + + provider, err := oidc.NewProvider(ctx, "https://accounts.google.com") + if err != nil { + log.Fatal(err) + } + verifier := provider.Verifier() + + config := oauth2.Config{ + ClientID: clientID, + ClientSecret: clientSecret, + Endpoint: provider.Endpoint(), + RedirectURL: "http://127.0.0.1:5556/auth/google/callback", + Scopes: []string{oidc.ScopeOpenID, "profile", "email"}, + } + + state := "foobar" // Don't do this in production. + + http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { + http.Redirect(w, r, config.AuthCodeURL(state), http.StatusFound) + }) + + http.HandleFunc("/auth/google/callback", func(w http.ResponseWriter, r *http.Request) { + if r.URL.Query().Get("state") != state { + http.Error(w, "state did not match", http.StatusBadRequest) + return + } + + oauth2Token, err := config.Exchange(ctx, r.URL.Query().Get("code")) + if err != nil { + http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError) + return + } + rawIDToken, ok := oauth2Token.Extra("id_token").(string) + if !ok { + http.Error(w, "No id_token field in oauth2 token.", http.StatusInternalServerError) + return + } + idToken, err := verifier.Verify(ctx, rawIDToken) + if err != nil { + http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError) + return + } + + oauth2Token.AccessToken = "*REDACTED*" + + resp := struct { + OAuth2Token *oauth2.Token + IDTokenClaims *json.RawMessage // ID Token payload is just JSON. + }{oauth2Token, new(json.RawMessage)} + + if err := idToken.Claims(&resp.IDTokenClaims); err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return + } + data, err := json.MarshalIndent(resp, "", " ") + if err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return + } + w.Write(data) + }) + + log.Printf("listening on http://%s/", "127.0.0.1:5556") + log.Fatal(http.ListenAndServe("127.0.0.1:5556", nil)) +} diff --git a/vendor/github.com/coreos/go-oidc/example/nonce/app.go b/vendor/github.com/coreos/go-oidc/example/nonce/app.go new file mode 100644 index 00000000..8a78db9f --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/example/nonce/app.go @@ -0,0 +1,104 @@ +/* +This is an example application to demonstrate verifying an ID Token with a nonce. +*/ +package main + +import ( + "encoding/json" + "errors" + "log" + "net/http" + "os" + + oidc "github.com/coreos/go-oidc" + + "golang.org/x/net/context" + "golang.org/x/oauth2" +) + +var ( + clientID = os.Getenv("GOOGLE_OAUTH2_CLIENT_ID") + clientSecret = os.Getenv("GOOGLE_OAUTH2_CLIENT_SECRET") +) + +const appNonce = "a super secret nonce" + +// Create a nonce source. +type nonceSource struct{} + +func (n nonceSource) ClaimNonce(nonce string) error { + if nonce != appNonce { + return errors.New("unregonized nonce") + } + return nil +} + +func main() { + ctx := context.Background() + + provider, err := oidc.NewProvider(ctx, "https://accounts.google.com") + if err != nil { + log.Fatal(err) + } + + // Use the nonce source to create a custom ID Token verifier. + nonceEnabledVerifier := provider.Verifier(oidc.VerifyNonce(nonceSource{})) + + config := oauth2.Config{ + ClientID: clientID, + ClientSecret: clientSecret, + Endpoint: provider.Endpoint(), + RedirectURL: "http://127.0.0.1:5556/auth/google/callback", + Scopes: []string{oidc.ScopeOpenID, "profile", "email"}, + } + + state := "foobar" // Don't do this in production. + + http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { + http.Redirect(w, r, config.AuthCodeURL(state, oidc.Nonce(appNonce)), http.StatusFound) + }) + + http.HandleFunc("/auth/google/callback", func(w http.ResponseWriter, r *http.Request) { + if r.URL.Query().Get("state") != state { + http.Error(w, "state did not match", http.StatusBadRequest) + return + } + + oauth2Token, err := config.Exchange(ctx, r.URL.Query().Get("code")) + if err != nil { + http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError) + return + } + + rawIDToken, ok := oauth2Token.Extra("id_token").(string) + if !ok { + http.Error(w, "No id_token field in oauth2 token.", http.StatusInternalServerError) + return + } + // Verify the ID Token signature and nonce. + idToken, err := nonceEnabledVerifier.Verify(ctx, rawIDToken) + if err != nil { + http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError) + return + } + + resp := struct { + OAuth2Token *oauth2.Token + IDTokenClaims *json.RawMessage // ID Token payload is just JSON. + }{oauth2Token, new(json.RawMessage)} + + if err := idToken.Claims(&resp.IDTokenClaims); err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return + } + data, err := json.MarshalIndent(resp, "", " ") + if err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return + } + w.Write(data) + }) + + log.Printf("listening on http://%s/", "127.0.0.1:5556") + log.Fatal(http.ListenAndServe("127.0.0.1:5556", nil)) +} diff --git a/vendor/github.com/coreos/go-oidc/example/userinfo/app.go b/vendor/github.com/coreos/go-oidc/example/userinfo/app.go new file mode 100644 index 00000000..0039088e --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/example/userinfo/app.go @@ -0,0 +1,76 @@ +/* +This is an example application to demonstrate querying the user info endpoint. +*/ +package main + +import ( + "encoding/json" + "log" + "net/http" + "os" + + oidc "github.com/coreos/go-oidc" + + "golang.org/x/net/context" + "golang.org/x/oauth2" +) + +var ( + clientID = os.Getenv("GOOGLE_OAUTH2_CLIENT_ID") + clientSecret = os.Getenv("GOOGLE_OAUTH2_CLIENT_SECRET") +) + +func main() { + ctx := context.Background() + + provider, err := oidc.NewProvider(ctx, "https://accounts.google.com") + if err != nil { + log.Fatal(err) + } + config := oauth2.Config{ + ClientID: clientID, + ClientSecret: clientSecret, + Endpoint: provider.Endpoint(), + RedirectURL: "http://127.0.0.1:5556/auth/google/callback", + Scopes: []string{oidc.ScopeOpenID, "profile", "email"}, + } + + state := "foobar" // Don't do this in production. + + http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { + http.Redirect(w, r, config.AuthCodeURL(state), http.StatusFound) + }) + + http.HandleFunc("/auth/google/callback", func(w http.ResponseWriter, r *http.Request) { + if r.URL.Query().Get("state") != state { + http.Error(w, "state did not match", http.StatusBadRequest) + return + } + + oauth2Token, err := config.Exchange(ctx, r.URL.Query().Get("code")) + if err != nil { + http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError) + return + } + + userInfo, err := provider.UserInfo(ctx, oauth2.StaticTokenSource(oauth2Token)) + if err != nil { + http.Error(w, "Failed to get userinfo: "+err.Error(), http.StatusInternalServerError) + return + } + + resp := struct { + OAuth2Token *oauth2.Token + UserInfo *oidc.UserInfo + }{oauth2Token, userInfo} + data, err := json.MarshalIndent(resp, "", " ") + if err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return + } + w.Write(data) + }) + + log.Printf("listening on http://%s/", "127.0.0.1:5556") + log.Fatal(http.ListenAndServe("127.0.0.1:5556", nil)) +} diff --git a/vendor/github.com/coreos/go-oidc/gen.go b/vendor/github.com/coreos/go-oidc/gen.go new file mode 100644 index 00000000..0c798f67 --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/gen.go @@ -0,0 +1,150 @@ +// +build ignore + +// This file is used to generate keys for tests. + +package main + +import ( + "bytes" + "crypto" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/rsa" + "encoding/hex" + "encoding/json" + "fmt" + "io/ioutil" + "log" + "text/template" + + jose "gopkg.in/square/go-jose.v2" +) + +type key struct { + name string + new func() (crypto.Signer, error) +} + +var keys = []key{ + { + "ECDSA_256", func() (crypto.Signer, error) { + return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + }, + }, + { + "ECDSA_384", func() (crypto.Signer, error) { + return ecdsa.GenerateKey(elliptic.P384(), rand.Reader) + }, + }, + { + "ECDSA_521", func() (crypto.Signer, error) { + return ecdsa.GenerateKey(elliptic.P521(), rand.Reader) + }, + }, + { + "RSA_1024", func() (crypto.Signer, error) { + return rsa.GenerateKey(rand.Reader, 1024) + }, + }, + { + "RSA_2048", func() (crypto.Signer, error) { + return rsa.GenerateKey(rand.Reader, 2048) + }, + }, + { + "RSA_4096", func() (crypto.Signer, error) { + return rsa.GenerateKey(rand.Reader, 4096) + }, + }, +} + +func newJWK(k key, prefix, ident string) (privBytes, pubBytes []byte, err error) { + priv, err := k.new() + if err != nil { + return nil, nil, fmt.Errorf("generate %s: %v", k.name, err) + } + pub := priv.Public() + + privKey := &jose.JSONWebKey{Key: priv} + thumbprint, err := privKey.Thumbprint(crypto.SHA256) + if err != nil { + return nil, nil, fmt.Errorf("computing thumbprint: %v", err) + } + + keyID := hex.EncodeToString(thumbprint) + privKey.KeyID = keyID + pubKey := &jose.JSONWebKey{Key: pub, KeyID: keyID} + + privBytes, err = json.MarshalIndent(privKey, prefix, ident) + if err != nil { + return + } + pubBytes, err = json.MarshalIndent(pubKey, prefix, ident) + return +} + +type keyData struct { + Name string + Priv string + Pub string +} + +var tmpl = template.Must(template.New("").Parse(`// +build !golint + +// This file contains statically created JWKs for tests created by gen.go + +package oidc + +import ( + "encoding/json" + + jose "gopkg.in/square/go-jose.v2" +) + +func mustLoadJWK(s string) jose.JSONWebKey { + var jwk jose.JSONWebKey + if err := json.Unmarshal([]byte(s), &jwk); err != nil { + panic(err) + } + return jwk +} + +var ( +{{- range $i, $key := .Keys }} + testKey{{ $key.Name }} = mustLoadJWK(` + "`" + `{{ $key.Pub }}` + "`" + `) + testKey{{ $key.Name }}_Priv = mustLoadJWK(` + "`" + `{{ $key.Priv }}` + "`" + `) +{{ end -}} +) +`)) + +func main() { + var tmplData struct { + Keys []keyData + } + for _, k := range keys { + for i := 0; i < 4; i++ { + log.Printf("generating %s", k.name) + priv, pub, err := newJWK(k, "\t", "\t") + if err != nil { + log.Fatal(err) + } + name := fmt.Sprintf("%s_%d", k.name, i) + + tmplData.Keys = append(tmplData.Keys, keyData{ + Name: name, + Priv: string(priv), + Pub: string(pub), + }) + } + } + + buff := new(bytes.Buffer) + if err := tmpl.Execute(buff, tmplData); err != nil { + log.Fatalf("excuting template: %v", err) + } + + if err := ioutil.WriteFile("jose_test.go", buff.Bytes(), 0644); err != nil { + log.Fatal(err) + } +} diff --git a/vendor/github.com/coreos/go-oidc/http/doc.go b/vendor/github.com/coreos/go-oidc/http/doc.go new file mode 100644 index 00000000..5687e8b8 --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/http/doc.go @@ -0,0 +1,2 @@ +// Package http is DEPRECATED. Use net/http instead. +package http diff --git a/vendor/github.com/coreos/go-oidc/jose.go b/vendor/github.com/coreos/go-oidc/jose.go new file mode 100644 index 00000000..f2e6bf43 --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/jose.go @@ -0,0 +1,20 @@ +// +build !golint + +// Don't lint this file. We don't want to have to add a comment to each constant. + +package oidc + +const ( + // JOSE asymmetric signing algorithm values as defined by RFC 7518 + // + // see: https://tools.ietf.org/html/rfc7518#section-3.1 + RS256 = "RS256" // RSASSA-PKCS-v1.5 using SHA-256 + RS384 = "RS384" // RSASSA-PKCS-v1.5 using SHA-384 + RS512 = "RS512" // RSASSA-PKCS-v1.5 using SHA-512 + ES256 = "ES256" // ECDSA using P-256 and SHA-256 + ES384 = "ES384" // ECDSA using P-384 and SHA-384 + ES512 = "ES512" // ECDSA using P-521 and SHA-512 + PS256 = "PS256" // RSASSA-PSS using SHA256 and MGF1-SHA256 + PS384 = "PS384" // RSASSA-PSS using SHA384 and MGF1-SHA384 + PS512 = "PS512" // RSASSA-PSS using SHA512 and MGF1-SHA512 +) diff --git a/vendor/github.com/coreos/go-oidc/jose/doc.go b/vendor/github.com/coreos/go-oidc/jose/doc.go new file mode 100644 index 00000000..b5e13217 --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/jose/doc.go @@ -0,0 +1,2 @@ +// Package jose is DEPRECATED. Use gopkg.in/square/go-jose.v2 instead. +package jose diff --git a/vendor/github.com/coreos/go-oidc/jose/jwk.go b/vendor/github.com/coreos/go-oidc/jose/jwk.go index b7a8e235..119f073f 100644 --- a/vendor/github.com/coreos/go-oidc/jose/jwk.go +++ b/vendor/github.com/coreos/go-oidc/jose/jwk.go @@ -104,7 +104,7 @@ func encodeExponent(e int) string { break } } - return base64.URLEncoding.EncodeToString(b[idx:]) + return base64.RawURLEncoding.EncodeToString(b[idx:]) } // Turns a URL encoded modulus of a key into a big int. @@ -119,7 +119,7 @@ func decodeModulus(n string) (*big.Int, error) { } func encodeModulus(n *big.Int) string { - return base64.URLEncoding.EncodeToString(n.Bytes()) + return base64.RawURLEncoding.EncodeToString(n.Bytes()) } // decodeBase64URLPaddingOptional decodes Base64 whether there is padding or not. diff --git a/vendor/github.com/coreos/go-oidc/jose/jwt_test.go b/vendor/github.com/coreos/go-oidc/jose/jwt_test.go index 3a1cd9ae..74691769 100644 --- a/vendor/github.com/coreos/go-oidc/jose/jwt_test.go +++ b/vendor/github.com/coreos/go-oidc/jose/jwt_test.go @@ -53,7 +53,7 @@ func TestParseJWT(t *testing.T) { } } -func TestNewJWTHeaderTyp(t *testing.T) { +func TestNewJWTHeaderType(t *testing.T) { jwt, err := NewJWT(JOSEHeader{}, Claims{}) if err != nil { t.Fatalf("Unexpected error: %v", err) diff --git a/vendor/github.com/coreos/go-oidc/jose/sig_hmac.go b/vendor/github.com/coreos/go-oidc/jose/sig_hmac.go deleted file mode 100644 index 34cd0e6c..00000000 --- a/vendor/github.com/coreos/go-oidc/jose/sig_hmac.go +++ /dev/null @@ -1,68 +0,0 @@ -package jose - -import ( - "crypto" - "crypto/hmac" - _ "crypto/sha256" - "errors" - "fmt" -) - -type VerifierHMAC struct { - KeyID string - Hash crypto.Hash - Secret []byte -} - -type SignerHMAC struct { - VerifierHMAC -} - -func NewVerifierHMAC(jwk JWK) (*VerifierHMAC, error) { - if jwk.Alg != "" && jwk.Alg != "HS256" { - return nil, fmt.Errorf("unsupported key algorithm %q", jwk.Alg) - } - - v := VerifierHMAC{ - KeyID: jwk.ID, - Secret: jwk.Secret, - Hash: crypto.SHA256, - } - - return &v, nil -} - -func (v *VerifierHMAC) ID() string { - return v.KeyID -} - -func (v *VerifierHMAC) Alg() string { - return "HS256" -} - -func (v *VerifierHMAC) Verify(sig []byte, data []byte) error { - h := hmac.New(v.Hash.New, v.Secret) - h.Write(data) - // hmac.Equal compares two hmacs but does it in constant time to mitigating time - // based attacks. See #98 - if !hmac.Equal(sig, h.Sum(nil)) { - return errors.New("invalid hmac signature") - } - return nil -} - -func NewSignerHMAC(kid string, secret []byte) *SignerHMAC { - return &SignerHMAC{ - VerifierHMAC: VerifierHMAC{ - KeyID: kid, - Secret: secret, - Hash: crypto.SHA256, - }, - } -} - -func (s *SignerHMAC) Sign(data []byte) ([]byte, error) { - h := hmac.New(s.Hash.New, s.Secret) - h.Write(data) - return h.Sum(nil), nil -} diff --git a/vendor/github.com/coreos/go-oidc/jose/sig_hmac_test.go b/vendor/github.com/coreos/go-oidc/jose/sig_hmac_test.go deleted file mode 100644 index 76c6722f..00000000 --- a/vendor/github.com/coreos/go-oidc/jose/sig_hmac_test.go +++ /dev/null @@ -1,85 +0,0 @@ -package jose - -import ( - "bytes" - "encoding/base64" - "testing" -) - -var hmacTestCases = []struct { - data string - sig string - jwk JWK - valid bool - desc string -}{ - { - "test", - "Aymga2LNFrM-tnkr6MYLFY2Jou46h2_Omogeu0iMCRQ=", - JWK{ - ID: "fake-key", - Alg: "HS256", - Secret: []byte("secret"), - }, - true, - "valid case", - }, - { - "test", - "Aymga2LNFrM-tnkr6MYLFY2Jou46h2_Omogeu0iMCRQ=", - JWK{ - ID: "different-key", - Alg: "HS256", - Secret: []byte("secret"), - }, - true, - "invalid: different key, should not match", - }, - { - "test sig and non-matching data", - "Aymga2LNFrM-tnkr6MYLFY2Jou46h2_Omogeu0iMCRQ=", - JWK{ - ID: "fake-key", - Alg: "HS256", - Secret: []byte("secret"), - }, - false, - "invalid: sig and data should not match", - }, -} - -func TestVerify(t *testing.T) { - for _, tt := range hmacTestCases { - v, err := NewVerifierHMAC(tt.jwk) - if err != nil { - t.Errorf("should construct hmac verifier. test: %s. err=%v", tt.desc, err) - } - - decSig, _ := base64.URLEncoding.DecodeString(tt.sig) - err = v.Verify(decSig, []byte(tt.data)) - if err == nil && !tt.valid { - t.Errorf("verify failure. test: %s. expected: invalid, actual: valid.", tt.desc) - } - if err != nil && tt.valid { - t.Errorf("verify failure. test: %s. expected: valid, actual: invalid. err=%v", tt.desc, err) - } - } -} - -func TestSign(t *testing.T) { - for _, tt := range hmacTestCases { - s := NewSignerHMAC("test", tt.jwk.Secret) - sig, err := s.Sign([]byte(tt.data)) - if err != nil { - t.Errorf("sign failure. test: %s. err=%v", tt.desc, err) - } - - expSig, _ := base64.URLEncoding.DecodeString(tt.sig) - if tt.valid && !bytes.Equal(sig, expSig) { - t.Errorf("sign failure. test: %s. expected: %s, actual: %s.", tt.desc, tt.sig, base64.URLEncoding.EncodeToString(sig)) - } - if !tt.valid && bytes.Equal(sig, expSig) { - t.Errorf("sign failure. test: %s. expected: invalid signature.", tt.desc) - } - } -} diff --git a/vendor/github.com/coreos/go-oidc/jose_test.go b/vendor/github.com/coreos/go-oidc/jose_test.go new file mode 100644 index 00000000..ae5ca0e5 --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/jose_test.go @@ -0,0 +1,405 @@ +// +build !golint + +// This file contains statically created JWKs for tests created by gen.go + +package oidc + +import ( + "encoding/json" + + jose "gopkg.in/square/go-jose.v2" +) + +func mustLoadJWK(s string) jose.JSONWebKey { + var jwk jose.JSONWebKey + if err := json.Unmarshal([]byte(s), &jwk); err != nil { + panic(err) + } + return jwk +} + +var ( + testKeyECDSA_256_0 = mustLoadJWK(`{ + "kty": "EC", + "kid": "bd06f3e11f523e310f8c2c8b20a892727fb558e0e23602312568b20a41e11188", + "crv": "P-256", + "x": "xK5N69f0-SAgWbjw2otcQeCGs3qqYMyqOWk4Os5Z_Xc", + "y": "AXSaOPcMklJY9UKZhkGzVevqhAIUEzE3cfZ8o-ML5xE" + }`) + testKeyECDSA_256_0_Priv = mustLoadJWK(`{ + "kty": "EC", + "kid": "bd06f3e11f523e310f8c2c8b20a892727fb558e0e23602312568b20a41e11188", + "crv": "P-256", + "x": "xK5N69f0-SAgWbjw2otcQeCGs3qqYMyqOWk4Os5Z_Xc", + "y": "AXSaOPcMklJY9UKZhkGzVevqhAIUEzE3cfZ8o-ML5xE", + "d": "L7jynYt-fMRPqw1e9vgXCGTg4yhGU4tlLxiFyNVimG4" + }`) + + testKeyECDSA_256_1 = mustLoadJWK(`{ + "kty": "EC", + "kid": "27ebd2f5bf6723e4de06caaab03703be458a37bf28a9fa748576a0826acb6ec2", + "crv": "P-256", + "x": "KZisP6wLCph4q6056jr7BH_asiX9RcLcS3HrNjdCpkw", + "y": "5DrW-kEge0sePHlKmh1d2kqd10r32JEW6eyyewy18j8" + }`) + testKeyECDSA_256_1_Priv = mustLoadJWK(`{ + "kty": "EC", + "kid": "27ebd2f5bf6723e4de06caaab03703be458a37bf28a9fa748576a0826acb6ec2", + "crv": "P-256", + "x": "KZisP6wLCph4q6056jr7BH_asiX9RcLcS3HrNjdCpkw", + "y": "5DrW-kEge0sePHlKmh1d2kqd10r32JEW6eyyewy18j8", + "d": "r6CiIpv0icIq5U4LYO39nBDVhCHCLObDFYC5IG9Y8Hk" + }`) + + testKeyECDSA_256_2 = mustLoadJWK(`{ + "kty": "EC", + "kid": "2c7d179db6006c90ece4d91f554791ff35156693c693102c00f66f473d15df17", + "crv": "P-256", + "x": "oDwcKp7SqgeRvycK5GgYjrlW4fbHn2Ybfd5iG7kDiPc", + "y": "qazib9UwdUdbHSFzdy_HN10xZEItLvufPw0v7nIJOWA" + }`) + testKeyECDSA_256_2_Priv = mustLoadJWK(`{ + "kty": "EC", + "kid": "2c7d179db6006c90ece4d91f554791ff35156693c693102c00f66f473d15df17", + "crv": "P-256", + "x": "oDwcKp7SqgeRvycK5GgYjrlW4fbHn2Ybfd5iG7kDiPc", + "y": "qazib9UwdUdbHSFzdy_HN10xZEItLvufPw0v7nIJOWA", + "d": "p79U6biKrOyrKzg-i3C7FVJiqzlqBhYQqmyOiZ9bhVM" + }`) + + testKeyECDSA_256_3 = mustLoadJWK(`{ + "kty": "EC", + "kid": "aba0a256999af470c8b2449103ae75b257d907da4d1cbfc73c1d45ab1098f544", + "crv": "P-256", + "x": "CKRYWVt1R7FzuJ43vEprfIzgB-KgIhRDhxLmd5ixiXY", + "y": "QCxTVmK31ee710OYkNqdqEgHH3rqRQNQj3Wyq0xtYq0" + }`) + testKeyECDSA_256_3_Priv = mustLoadJWK(`{ + "kty": "EC", + "kid": "aba0a256999af470c8b2449103ae75b257d907da4d1cbfc73c1d45ab1098f544", + "crv": "P-256", + "x": "CKRYWVt1R7FzuJ43vEprfIzgB-KgIhRDhxLmd5ixiXY", + "y": "QCxTVmK31ee710OYkNqdqEgHH3rqRQNQj3Wyq0xtYq0", + "d": "c_WflwwUxT_B5izk4iET49qoob0RH5hccnEScfBS9Qk" + }`) + + testKeyECDSA_384_0 = mustLoadJWK(`{ + "kty": "EC", + "kid": "bc271d0a68251171e0c5edfd384b32d154e1717af27c5089bda8fb598a474b7b", + "crv": "P-384", + "x": "FZEhxw06oB86xCAZCtKTfX3ze9tgxkdN199g-cWrpQTWF-2m6Blg1MN5D60Z9KoX", + "y": "EyWjZ46gLlqfoU08iv0zcDWut1nbfoUoTd-7La2VY4PqQeDSFrxPCOyplxFMGJIW" + }`) + testKeyECDSA_384_0_Priv = mustLoadJWK(`{ + "kty": "EC", + "kid": "bc271d0a68251171e0c5edfd384b32d154e1717af27c5089bda8fb598a474b7b", + "crv": "P-384", + "x": "FZEhxw06oB86xCAZCtKTfX3ze9tgxkdN199g-cWrpQTWF-2m6Blg1MN5D60Z9KoX", + "y": "EyWjZ46gLlqfoU08iv0zcDWut1nbfoUoTd-7La2VY4PqQeDSFrxPCOyplxFMGJIW", + "d": "t6oJHJBH2rvH3uyQkK_JwoUEwE1QHjwTnGLSDMZbNEDrEaR8BBiAo3s0p8rzGz5-" + }`) + + testKeyECDSA_384_1 = mustLoadJWK(`{ + "kty": "EC", + "kid": "58ef375d6e63cedc637fed59f4012a779cd749a83373237cf3972bba74ebd738", + "crv": "P-384", + "x": "Gj3zkiRR4RCJb0Tke3lD2spG2jzuXgX50fEwDZTRjlQIzz3Rc96Fw32FCSDectxQ", + "y": "6alqN7ilqJAmqCU1BFrJJeivJiM0s1-RqBewRoNkTQinOLLbaiZlBAQxS4iq2dRv" + }`) + testKeyECDSA_384_1_Priv = mustLoadJWK(`{ + "kty": "EC", + "kid": "58ef375d6e63cedc637fed59f4012a779cd749a83373237cf3972bba74ebd738", + "crv": "P-384", + "x": "Gj3zkiRR4RCJb0Tke3lD2spG2jzuXgX50fEwDZTRjlQIzz3Rc96Fw32FCSDectxQ", + "y": "6alqN7ilqJAmqCU1BFrJJeivJiM0s1-RqBewRoNkTQinOLLbaiZlBAQxS4iq2dRv", + "d": "-4eaoElyb_YANRownMtId_-glX2o45oc4_L_vgo3YOW5hxCq3KIBIdrhvBx1nw8B" + }`) + + testKeyECDSA_384_2 = mustLoadJWK(`{ + "kty": "EC", + "kid": "a8bab6f438b6cd2080711404549c978d1c00dd77a3c532bba12c964c4883b2ec", + "crv": "P-384", + "x": "CBKwYgZFLdTBBFnWD20q2YNUnRnOsDgTxG3y-dzCUrb65kOKm0ZFaZQPe5ZPjvDS", + "y": "WlubxLv2qH-Aw-LsESKXAwm4HF3l4H1rVn3DZRpqcac6p-QSrXmfKCtxJVHDaTNi" + }`) + testKeyECDSA_384_2_Priv = mustLoadJWK(`{ + "kty": "EC", + "kid": "a8bab6f438b6cd2080711404549c978d1c00dd77a3c532bba12c964c4883b2ec", + "crv": "P-384", + "x": "CBKwYgZFLdTBBFnWD20q2YNUnRnOsDgTxG3y-dzCUrb65kOKm0ZFaZQPe5ZPjvDS", + "y": "WlubxLv2qH-Aw-LsESKXAwm4HF3l4H1rVn3DZRpqcac6p-QSrXmfKCtxJVHDaTNi", + "d": "XfoOcxV3yfoAcRquJ9eaBvcY-H71B0XzXwx2eidolHDKLK7GHygEt9ToYSY_DvxO" + }`) + + testKeyECDSA_384_3 = mustLoadJWK(`{ + "kty": "EC", + "kid": "32f0cfc686455840530d727fb029002b9757ffff15272f98f53be9f77560718a", + "crv": "P-384", + "x": "xxED1z8EUCOUQ_jwS9nuVUDVzxs-U1rl19y8jMWrv4TdPeGHTRTgNUE57-YAL3ly", + "y": "OsCN6-HmM-LP1itE5eW15WsSQoe3dZBX7AoHyKJUKtjzWKCJNUcyu3Np07xta1Cr" + }`) + testKeyECDSA_384_3_Priv = mustLoadJWK(`{ + "kty": "EC", + "kid": "32f0cfc686455840530d727fb029002b9757ffff15272f98f53be9f77560718a", + "crv": "P-384", + "x": "xxED1z8EUCOUQ_jwS9nuVUDVzxs-U1rl19y8jMWrv4TdPeGHTRTgNUE57-YAL3ly", + "y": "OsCN6-HmM-LP1itE5eW15WsSQoe3dZBX7AoHyKJUKtjzWKCJNUcyu3Np07xta1Cr", + "d": "gfQA6wn4brWVT3OkeGiaCXGsQyTybZB9SdqTULsiSg8n6FS2T8hvK0doPwMTT5Gw" + }`) + + testKeyECDSA_521_0 = mustLoadJWK(`{ + "kty": "EC", + "kid": "f7b325c848a6c9fc5b72f131f179d2f37296837262797983c632597a4927726e", + "crv": "P-521", + "x": "AUaLqCAMEWPqiYgd-D_6F5kxpOgqnbQnjIHZ-NhjRnKKYuij9Iz7bq9pZU4F79wsODFpWxMFfISrveUfgEGt4Hy2", + "y": "AeAKfmFsfcFttwQqv2B-fUfgLhw837YoGoNWh5qNE_LqTBxbYKRUkbSLxVRHEcVNnU1t3z9yMMdYXtuMlfJ0bhjr" + }`) + testKeyECDSA_521_0_Priv = mustLoadJWK(`{ + "kty": "EC", + "kid": "f7b325c848a6c9fc5b72f131f179d2f37296837262797983c632597a4927726e", + "crv": "P-521", + "x": "AUaLqCAMEWPqiYgd-D_6F5kxpOgqnbQnjIHZ-NhjRnKKYuij9Iz7bq9pZU4F79wsODFpWxMFfISrveUfgEGt4Hy2", + "y": "AeAKfmFsfcFttwQqv2B-fUfgLhw837YoGoNWh5qNE_LqTBxbYKRUkbSLxVRHEcVNnU1t3z9yMMdYXtuMlfJ0bhjr", + "d": "AbD3guIvlVd8CZD0xUNuebgnQkE24XJnxCQ69P5VL3etEMmdr4HPJLPMQfMs10Gz8RTmrGKo-bdsU-cjS3d7dKIC" + }`) + + testKeyECDSA_521_1 = mustLoadJWK(`{ + "kty": "EC", + "kid": "4ea260ba2c9ed5fe9d6adeb998bb68b3edbab839d8bfd2be09fa628680793b90", + "crv": "P-521", + "x": "AE8-53o64GiywneanVZAHb96NcPbq0Ml6zynIcgLdKUiHGVs2te7SABq_9keFZJC6wooACeNWWT7VDK3kY77fjdh", + "y": "AAnrIu0-D7JEd3-mqTR8Rdz53kw7DLAIypv0-_u4rqn0glwTZCkMpQ17wFH71bMInXaTi2Z_uq67NuVxFvUCaTvS" + }`) + testKeyECDSA_521_1_Priv = mustLoadJWK(`{ + "kty": "EC", + "kid": "4ea260ba2c9ed5fe9d6adeb998bb68b3edbab839d8bfd2be09fa628680793b90", + "crv": "P-521", + "x": "AE8-53o64GiywneanVZAHb96NcPbq0Ml6zynIcgLdKUiHGVs2te7SABq_9keFZJC6wooACeNWWT7VDK3kY77fjdh", + "y": "AAnrIu0-D7JEd3-mqTR8Rdz53kw7DLAIypv0-_u4rqn0glwTZCkMpQ17wFH71bMInXaTi2Z_uq67NuVxFvUCaTvS", + "d": "AVVL9TIWcJCYH5r3QUhHXtsbkVXhLQSpp4sL1ta_H2_3bpRb9ZdVv10YOA-xN7Yz2wa-FMhIhj1ULe9z18ZM8dDF" + }`) + + testKeyECDSA_521_2 = mustLoadJWK(`{ + "kty": "EC", + "kid": "d69caddc821807ea63a46519b538a7d2f3135dbdda1ba628781f8567a47893d8", + "crv": "P-521", + "x": "AO618rH8GP78-mi9Z5FaPGqpyc_OVMK-BajZK-pwL89ZQdOvFa0fY0ENpB_KaRf5ELw9IP17lQh3T-O9O7jePDFj", + "y": "AT1x9pCMbY-BXqAJPQDQxp6j8Gca7IpdxL8OS4td_XPiwXtX4JKcj_VKxtOw6k64yr_VuFYCs6wImOc72jNRBjA7" + }`) + testKeyECDSA_521_2_Priv = mustLoadJWK(`{ + "kty": "EC", + "kid": "d69caddc821807ea63a46519b538a7d2f3135dbdda1ba628781f8567a47893d8", + "crv": "P-521", + "x": "AO618rH8GP78-mi9Z5FaPGqpyc_OVMK-BajZK-pwL89ZQdOvFa0fY0ENpB_KaRf5ELw9IP17lQh3T-O9O7jePDFj", + "y": "AT1x9pCMbY-BXqAJPQDQxp6j8Gca7IpdxL8OS4td_XPiwXtX4JKcj_VKxtOw6k64yr_VuFYCs6wImOc72jNRBjA7", + "d": "AYmtaW9ojb0Gb8zSqrlRnEKzRVIBIM5dsb1qWkd3mfr4Wl5tbPuiEctGLN9s6LDtY0JOL3nukOVoDbrmS4qCW64" + }`) + + testKeyECDSA_521_3 = mustLoadJWK(`{ + "kty": "EC", + "kid": "7193cba4fd9c72153133ce5cffc423857517ab8eb176a827e1a002eb5621edca", + "crv": "P-521", + "x": "AQfpLehZCER3ZTw1V1pN0RsX8-4WEW4IDxFDSGwrULQ79YHiLNmubrOSlSxiOSv2S-tHq-hxgma1PZlQRghJfemx", + "y": "AAF41XT7jptLsy8FAaVRnex2WcSfdebcjjXMGO4rn6IlD3u9qnvrpR8MBp1gz5G1C5S7_NVgIeLSIYbdfd_wjVkd" + }`) + testKeyECDSA_521_3_Priv = mustLoadJWK(`{ + "kty": "EC", + "kid": "7193cba4fd9c72153133ce5cffc423857517ab8eb176a827e1a002eb5621edca", + "crv": "P-521", + "x": "AQfpLehZCER3ZTw1V1pN0RsX8-4WEW4IDxFDSGwrULQ79YHiLNmubrOSlSxiOSv2S-tHq-hxgma1PZlQRghJfemx", + "y": "AAF41XT7jptLsy8FAaVRnex2WcSfdebcjjXMGO4rn6IlD3u9qnvrpR8MBp1gz5G1C5S7_NVgIeLSIYbdfd_wjVkd", + "d": "hzh0loqrhYFUik86SYBv3CC_GKNYankLMK95-Cfr1gLBD1l0M6W-7gn3XlyaQEInz0TBIbaQ1fL78HHjbVsNLrY" + }`) + + testKeyRSA_1024_0 = mustLoadJWK(`{ + "kty": "RSA", + "kid": "979d62e7114052027b11bcb51282d8228790134ef34e746f6372fa5aadaa9bf2", + "n": "6zxmGE5X74SUBWfDEo8Tl-YxrkVfvxljQG9vKmNPQ2RhEmJ8eplZpKn9_nlxVDHGLzfJMqqUBS19EarIfDnOqyFBRkyKRbsQdUVU9XLjDIXqImJ8aN-UmShAYoeOClJVDsBJuxBGgS3pdgG7u3YQpvTV_hGuMoJr7UYgIrqb0qc", + "e": "AQAB" + }`) + testKeyRSA_1024_0_Priv = mustLoadJWK(`{ + "kty": "RSA", + "kid": "979d62e7114052027b11bcb51282d8228790134ef34e746f6372fa5aadaa9bf2", + "n": "6zxmGE5X74SUBWfDEo8Tl-YxrkVfvxljQG9vKmNPQ2RhEmJ8eplZpKn9_nlxVDHGLzfJMqqUBS19EarIfDnOqyFBRkyKRbsQdUVU9XLjDIXqImJ8aN-UmShAYoeOClJVDsBJuxBGgS3pdgG7u3YQpvTV_hGuMoJr7UYgIrqb0qc", + "e": "AQAB", + "d": "IARggP5oyZjp7LJqwqPmrs4OBQI8Pe5eq-5-2u4ZY7rN24q8FpO4t8jLYU92NVdw-gxFvjepXesLEtSD5SSZFD7s-5rqmX9tW_t5t1a1sBY6IKz_YBSf2p2LtdTyrqgo4nRD0nYH3sMvGtOKCTV4K_vwfWPD3elXq752trG-HwE", + "p": "9tgo12L3earNNrJfyIIDD2dqgKuNfWhQzhbe-Ju17dF37uGF6xnLqR0WXU-agGpUdYTMOd7IQi_bX_xkjQBYlw", + "q": "8_YDvufPdccjGM2rAXs-2LbeP_LrzLUk1uGNpEjIt2lXEm6sQKjIfNLcAfVKh9zsqwqroveL2iI1ijsDgNAIcQ" + }`) + + testKeyRSA_1024_1 = mustLoadJWK(`{ + "kty": "RSA", + "kid": "4a3a37dc10aec5f427509e4014683102a0fafa32bec2ff9921ff19e1a55c79e8", + "n": "sn7sU7dBEkU1RBIz_LKgrswSS7-68vTlOe7n-lanAqAlczm01_6IWrvcIC7lPv1iHQqWngusskANZirCZGTv6kK8kJLHBVRSROB9VkPTPNFYnSB6dacyPa0ty0otsaYOVM2RFvcCX7lBKKat2Tmst8vITdpvnoEzTgT_eGOKGAs", + "e": "AQAB" + }`) + testKeyRSA_1024_1_Priv = mustLoadJWK(`{ + "kty": "RSA", + "kid": "4a3a37dc10aec5f427509e4014683102a0fafa32bec2ff9921ff19e1a55c79e8", + "n": "sn7sU7dBEkU1RBIz_LKgrswSS7-68vTlOe7n-lanAqAlczm01_6IWrvcIC7lPv1iHQqWngusskANZirCZGTv6kK8kJLHBVRSROB9VkPTPNFYnSB6dacyPa0ty0otsaYOVM2RFvcCX7lBKKat2Tmst8vITdpvnoEzTgT_eGOKGAs", + "e": "AQAB", + "d": "KTXqpE1sBaba7HNzc0Vemdzd4IVMyWlHPz_saTz2ZEHLQ7YwDapjmudCpF-PaCKiM2hNbAHwBluJfGwk4372cPHcJyri3Gs4GGj-cOlbXJh9aUp5o8fqn904B1UcPxMZ2DrZAKjseuLj3zyJgCsSJOGU1kJFRAkM8UN4a9cE8sE", + "p": "3ntHMGDJEXwqldLNR-DucKGp32aJVAaKnn4j9qy1Tj6KhH70o3HyFVO_TKYxGg-pG3zTV-VzyMqmeh9hDdnyKw", + "q": "zWMxEjyxvp-P-mNxhWQe1pJXZi6iPpcnt0SZLfweT3AtAzEaoSs4-4D1jT911LD4xDI8_a7-gYHgD8ME62PhoQ" + }`) + + testKeyRSA_1024_2 = mustLoadJWK(`{ + "kty": "RSA", + "kid": "d1c32aaea6c9527038e589dd94a546ca1beedb90f90e073228986cc258cf1fda", + "n": "3mZrDaB5-7e29zok9XkGuu6FXYB00FqFgnGTJAGCMpql5uHz1h9p0DljZL4vsGkkYOZUMvqFS1pCEuzdSsupPNClf0NKMRux6yLv6iIR9C4pE9RBKPUrinzJuYs634rq5JOEP4IpP_fJfKxMw4Na85otd9KposKwP14cCkOibYM", + "e": "AQAB" + }`) + testKeyRSA_1024_2_Priv = mustLoadJWK(`{ + "kty": "RSA", + "kid": "d1c32aaea6c9527038e589dd94a546ca1beedb90f90e073228986cc258cf1fda", + "n": "3mZrDaB5-7e29zok9XkGuu6FXYB00FqFgnGTJAGCMpql5uHz1h9p0DljZL4vsGkkYOZUMvqFS1pCEuzdSsupPNClf0NKMRux6yLv6iIR9C4pE9RBKPUrinzJuYs634rq5JOEP4IpP_fJfKxMw4Na85otd9KposKwP14cCkOibYM", + "e": "AQAB", + "d": "Ft2M0B_ZqsmepBh0SFCjIoD3cT-NwwYrh9fJewA0tKM1v2EnwrIEHQZpc6giGw8UUGod6gfbwH2NIYj8z33U7lyrKWPR7F8gJRm1KR5NLCBCnAnz0ukhsg24ktB25LZLZRCStRRhtCev95Vvmew0ip5081hv730Z2T_PsEyOU6E", + "p": "8moFzLKJSQuhaIYTo1qNX0w8o4NBFb1atOlthHmq6Y6rdYTm_nyM9Q3mrNBolPS7LHTiBXtCEJ_m4V5hWDuGKw", + "q": "6t0_mZKOoZ5NAE--MxkuOCcRhuqNo9VoacfPEH39CeoKAam4v5k56R7aQcb_raQK396pgV-evM2dpfdUaasiCQ" + }`) + + testKeyRSA_1024_3 = mustLoadJWK(`{ + "kty": "RSA", + "kid": "838742d0e3195b19f974fa30352db79070fa19aaaeb678ec95c499de7bd48d52", + "n": "17Uc89-QvCjqBLXDJSCWxUoohjwFPI63Gub8g-lH1GSK3flXqiohz33KfKhqrdKsLrpRjskGTMg3Vo0IcLBnMYdp1i1nceORghtYLQsDNS7tqlHiKx725fLmWldGgiuP_0Ak0Knisw-j_q7Jx3OVAJnuS1o3vPLfJxJdyq6yV1k", + "e": "AQAB" + }`) + testKeyRSA_1024_3_Priv = mustLoadJWK(`{ + "kty": "RSA", + "kid": "838742d0e3195b19f974fa30352db79070fa19aaaeb678ec95c499de7bd48d52", + "n": "17Uc89-QvCjqBLXDJSCWxUoohjwFPI63Gub8g-lH1GSK3flXqiohz33KfKhqrdKsLrpRjskGTMg3Vo0IcLBnMYdp1i1nceORghtYLQsDNS7tqlHiKx725fLmWldGgiuP_0Ak0Knisw-j_q7Jx3OVAJnuS1o3vPLfJxJdyq6yV1k", + "e": "AQAB", + "d": "B8cM-zIVauNixLa1CZKqPQTWfziMy8ktivfHJQ51O5BAfY5u_cC1JWEYuvPrnMba1Hh9VlOjOYOCk0lUg5OotMx5hxym6M5y_2rIrW90a8r3gGttPlZmyHQnFIgj2QZHlEyZGU1SIPTOtoECW5RGk7cYpA1s1_zfz8uyG-MiCPE", + "p": "2dwia5iWWLZwFcCVylPh_7QDr3Wxt3kW_TmHIbaRT10Rborj1lAwltyEx7aVpHq-aNfvrYIEBbOXWwUU8PDUrQ", + "q": "_XiDT55hn-Txi2C_peMVSDgXozf01qHKvdLirXM2uT_CI8kruYZYjWYn6_cSUptJ60eioM3WNTxjrSxWRS923Q" + }`) + + testKeyRSA_2048_0 = mustLoadJWK(`{ + "kty": "RSA", + "kid": "13b668c7b4f5d46d53de65e4b9f9c522fad4870e4d1656e459c88de6e90984d6", + "n": "1j-CxBxkn20C_M24t6ueLp02T4MMAiPLXf5yaDcj7EcsXGbnsGEhrAUwCZwdEJAxeZ0PolmlE0XBOhQfRtsCVJmwu918aknptToyDbOUBr6WtPIK_c_BuGVanLCx3SnczV4jle9Bz7tGfpj2vAXytSBrfnZhdCHNEFeefQTQMnavfMhfWf_njiTa76BRyAHjb-XZIJHKovwBu0y3glmzhSKYNsUrW11RsWx6DbueWEbE3FpsHTiEdnJipcP3UKl3Z2z6t6n9ZYtFWkx4zCVVBQu-RWUQwjr2XnR1LFwXgL9xQocDBmS1O-wMTHqL3_oosNUdV3vuMPdxs_SEoys2rQ", + "e": "AQAB" + }`) + testKeyRSA_2048_0_Priv = mustLoadJWK(`{ + "kty": "RSA", + "kid": "13b668c7b4f5d46d53de65e4b9f9c522fad4870e4d1656e459c88de6e90984d6", + "n": "1j-CxBxkn20C_M24t6ueLp02T4MMAiPLXf5yaDcj7EcsXGbnsGEhrAUwCZwdEJAxeZ0PolmlE0XBOhQfRtsCVJmwu918aknptToyDbOUBr6WtPIK_c_BuGVanLCx3SnczV4jle9Bz7tGfpj2vAXytSBrfnZhdCHNEFeefQTQMnavfMhfWf_njiTa76BRyAHjb-XZIJHKovwBu0y3glmzhSKYNsUrW11RsWx6DbueWEbE3FpsHTiEdnJipcP3UKl3Z2z6t6n9ZYtFWkx4zCVVBQu-RWUQwjr2XnR1LFwXgL9xQocDBmS1O-wMTHqL3_oosNUdV3vuMPdxs_SEoys2rQ", + "e": "AQAB", + "d": "C8F4X2Jfcw_8Nfrjw9A64bvmmv5JzmRAaGvpwyYjZneRS5Cp7demjVXLiPtz7NC8pjuj-_iHQkN1ksY_4RdrTVERjX1dskdT94m17WKJIMWcZ1lQmRSpQIDvM-HOIKCHaQ1dToDOT6Oq_o9OGosJAj9BJrNALasdIWRtYda9xcb7roLl_U3AtOlK9RiFygtt5uVBIPh1rsxaT0Y1MvMk4EMbFnv7NXXk65UM_3p2leSoPpO7LvlYs3WoRRX9ABH7zI-ppwLGEDuxfnwKzAOaRBe9oUh5rTYdazaY9XqofvekBc9Xqa2HpjkYX-L4Zy3oj04u-u5zX8KTh25jFC2a0Q", + "p": "6L6icXqV7jLSXHrhMyLpW-tdFFp2XRQ_uKk972jmUJ-sEeh1YYSx_JpK6oaUnYshGbRLfEAOLy03iweAL4uMZJcASOR44TwSnn_qJZ72PkwhD42uKhE0eJRpxVht6jf5qhsynaMNUWc_FIW5ESpQIf6j4rqFV5WrKHAt0ypChTc", + "q": "66fAza4rLvyjqQAIGQ07RiRYW4no1h4cK8RH_CDUgI3CCFQSuqTB8ZqM38r2u0tZoKzCNgHcnde6Jk07X6-LSQW2kypMXt3idbgaeVSYSbdZndgG_jTibJvoybxSjo6HfLpPvCrfsihXo7O5M13LE7VqBLbGTLI5iubOxcrfFTs" + }`) + + testKeyRSA_2048_1 = mustLoadJWK(`{ + "kty": "RSA", + "kid": "6d2b0efff0011bbbbf694de684b5b97cf454fd4086fa53b9af92545f3fa65459", + "n": "1CmSBUbxU1jjnmaBG0r0cLLmyZgCOMbfpG6Z3HwfVDgCK6P-rU3F6QQazrOgGJJ0sz6vP50VK5u7BR6vSrPBBX5CicJPM2iNdz2JuV9ODEIkDQBLeI6TfIGhNOls-14tXKOPExY8b6JdyDMP31Hwo_0pF1FaunZ7yY1bgoKCtDV5-RKGd2EgylDGNPu0Ilr92MqCsAntBC8eQSkO4CcTcti4t9cX45VY5nPtwQRmp5zIgUHnU4LV3QVTLJnU-uidaAxRVQbS1pVql5xR6nYZHYvFk1IU-wTY6gGk5WvGWWQ440UTTaMAfnJP6VFDggUXeGSlKfKkDcz7JLT2Ma2KXQ", + "e": "AQAB" + }`) + testKeyRSA_2048_1_Priv = mustLoadJWK(`{ + "kty": "RSA", + "kid": "6d2b0efff0011bbbbf694de684b5b97cf454fd4086fa53b9af92545f3fa65459", + "n": "1CmSBUbxU1jjnmaBG0r0cLLmyZgCOMbfpG6Z3HwfVDgCK6P-rU3F6QQazrOgGJJ0sz6vP50VK5u7BR6vSrPBBX5CicJPM2iNdz2JuV9ODEIkDQBLeI6TfIGhNOls-14tXKOPExY8b6JdyDMP31Hwo_0pF1FaunZ7yY1bgoKCtDV5-RKGd2EgylDGNPu0Ilr92MqCsAntBC8eQSkO4CcTcti4t9cX45VY5nPtwQRmp5zIgUHnU4LV3QVTLJnU-uidaAxRVQbS1pVql5xR6nYZHYvFk1IU-wTY6gGk5WvGWWQ440UTTaMAfnJP6VFDggUXeGSlKfKkDcz7JLT2Ma2KXQ", + "e": "AQAB", + "d": "DYJcHuPmh-UYEUT7oY5DRE3P7jQ0qALZyLGWMHji0c0DLl4x4D0chfrR7il33zisH6G1LPrGl1FCNlA-3yXU-5GPkRADVQWqRFZxx5Du-k7X1tAW_iUt9PaYGjNm0hasEsMDYDbBQGZ5TD8cGp8wEHEVRbvTaB4VQb8zfXrr8ad8XCFdtYQF5Sw_VuvUBcn-50kdl7S0MmQiwLx5xkisJHkVdVsrWbq-JJPMYrjYzPGo07kt8pQH2ecxrQD2waTzkLiAg-nytPBkAyMIFQ-XCulWCNiI-V_HJ0pqNctgVpdaSihlPCYhfllxUSU8yg4UvcfFEAN2S5yjvPyrJeJLAQ", + "p": "4db4J-vxAyb_3otKidzYISIo8NuPxPXuYeImbvVbY6CWHdAYAkPgbwADh592D1vM6kwqZLot4VQ4XUVtX7Vf8tCaq5BAzcVAslK0rhK86kSmzuvtpS1ruzm1DGwJcQWOl_9qYnaAov8Ny0NG8fTm8iwvWJH7rVa3XNtPL0t_fx0", + "q": "8H7_sX4kY3_4t90HbA8IvVkTf3-OGaIjtcDn2J3HLq1wMKAtdxwsbMtjhLYP70PPBe_FBNpcWhE7p-tOVhH1i0N0wwFqwlRQy-3Z4oiLeSsy0Npl29cfP7teO5UTrbrqfmHB0j2u_nEqA4n4iDF5QhPr_9yzxSR4Pg56z4PgFEE" + }`) + + testKeyRSA_2048_2 = mustLoadJWK(`{ + "kty": "RSA", + "kid": "7988e9dea9647281b04d094e4dc5737eaf739a412a570aa4d6deed7ee5640c30", + "n": "wWOFgHHiJ54ZjQEKxvfqYDuhYymbfvYxvreroqx7E-cAuU4QBsOvKV3HNnH_vDRQE1AlqihNWmPFLptp7wxdMrLEtDnRFqTxyTXJ7wLCaaaB6Wwx1dhpr9QEG5-8rxLGFYv2w5i0-o76JPHG0tuqf0YNmHp9oWcv524XnDBuji4-u6km1KynT1EQKHYgy57JWgUpukgJGImBEvf0hC2Y5s5mHvVby3xAD9-cFa2o9Vj3G-SBYFsrRIVR8GcVNwo88oj8F7-2nGD_wOOu_qT_5I3vfToUYGj5-2rAK1ja0bZpXFibrkPrW4w9paG-3F7I0sPeL3e_BDC_rQ8TgL03uQ", + "e": "AQAB" + }`) + testKeyRSA_2048_2_Priv = mustLoadJWK(`{ + "kty": "RSA", + "kid": "7988e9dea9647281b04d094e4dc5737eaf739a412a570aa4d6deed7ee5640c30", + "n": "wWOFgHHiJ54ZjQEKxvfqYDuhYymbfvYxvreroqx7E-cAuU4QBsOvKV3HNnH_vDRQE1AlqihNWmPFLptp7wxdMrLEtDnRFqTxyTXJ7wLCaaaB6Wwx1dhpr9QEG5-8rxLGFYv2w5i0-o76JPHG0tuqf0YNmHp9oWcv524XnDBuji4-u6km1KynT1EQKHYgy57JWgUpukgJGImBEvf0hC2Y5s5mHvVby3xAD9-cFa2o9Vj3G-SBYFsrRIVR8GcVNwo88oj8F7-2nGD_wOOu_qT_5I3vfToUYGj5-2rAK1ja0bZpXFibrkPrW4w9paG-3F7I0sPeL3e_BDC_rQ8TgL03uQ", + "e": "AQAB", + "d": "RPC4j-CJUbw_uY-Miv-oMuQvFU2o3Crh8u5BJn28ZozsKiMU_YRW9jUzJkqfczVm8muY8b7qTHXSvlmy-v_6XW9zRhhyXFMyypr9QNJIAifUmiTy4xwCGSdIy5w3RGY57UZ3EqVmpwe_TtpOGa8rabHMePX5wUcqwaLykcCGOPLOFKfPF93GqZYi2StS1IaiijLi2IAMhxQGqS6Ct3dA7yacQwegPiDzjb4Is3V9UQ9k_aS3I1w56tz5qspVmfDEuuWToc-2Qyk-eMKWl1tTDJuGTCiS5IFtMPerRpPq9GCpycV0csIW-6AnW79b038DxWjDAUsNnDPnX0y1dQ1G3Q", + "p": "yh2KH_JqU29L2SLG5-ul1EBbaSbt3F5UUZbCvm_MIsiH1TzafVyBd8FeG1d-pMR8bgGjaDSA-DNkOEDAeAlLx-UCTl2Uk2ySoMnZr5JjVLW2DTuF7e8ySKrKQSSLe63aQyKuIZh9P1RNrwrmFwvJgXdzudVjirmdTwxAN0lijE8", + "q": "9PJitAE_kk6SoKvJisXbDb7Xursj26xiYIdWuzlzQ1CbwYcJ1oORDpo0bEpy0BfIbZDiJJ79Xrh5Lo1BVysQ-IZJCXK7mavqiSa8g3B8rmqLXmAtjDbwLGsJOayCpYnsGgOLT7XIUYXCFH7C-tSSydhJ1j8JAbsJveMiBPKnUXc" + }`) + + testKeyRSA_2048_3 = mustLoadJWK(`{ + "kty": "RSA", + "kid": "d214aea9b78d15dd2667f5d19c36df6647fa50023140fd4f5866d285718b897c", + "n": "qFnqWpBOZ_5jnIr_XkXnonmHII5gKzxPhUBfvWBhGN2eH8nmnGh6aUnKyKuCLP_qfYLU7cf9bah-e00451iGite8Tg9ZMYAPFX4NM5j0rGWNv9Z6lSn1xXezJv-FU9VUwXm0DG5eVcB8OV99JWxHivQUSBzY0Q3DUlgrD7FhMd7BrrcmTUO07KnW6SxN3oTbT7fNMxfJSTRxmvU-t-6sLhYP4Wbg39zEUgI8M7b7tvHp34klSqOn2DibVBhvWGF1-IgNT7ng6pS5iAZN7Cz7NjPc9ZM_IWyngPKZV49Tf-ikX2O8uiCb4ccgRur6znwkE7MPrDTXSMHALn10sUcO_w", + "e": "AQAB" + }`) + testKeyRSA_2048_3_Priv = mustLoadJWK(`{ + "kty": "RSA", + "kid": "d214aea9b78d15dd2667f5d19c36df6647fa50023140fd4f5866d285718b897c", + "n": "qFnqWpBOZ_5jnIr_XkXnonmHII5gKzxPhUBfvWBhGN2eH8nmnGh6aUnKyKuCLP_qfYLU7cf9bah-e00451iGite8Tg9ZMYAPFX4NM5j0rGWNv9Z6lSn1xXezJv-FU9VUwXm0DG5eVcB8OV99JWxHivQUSBzY0Q3DUlgrD7FhMd7BrrcmTUO07KnW6SxN3oTbT7fNMxfJSTRxmvU-t-6sLhYP4Wbg39zEUgI8M7b7tvHp34klSqOn2DibVBhvWGF1-IgNT7ng6pS5iAZN7Cz7NjPc9ZM_IWyngPKZV49Tf-ikX2O8uiCb4ccgRur6znwkE7MPrDTXSMHALn10sUcO_w", + "e": "AQAB", + "d": "cCIT2uarktD6gFaE6cIeGzZfLuwmWiX9wX-zRWxgwDM9E2dj12IvxtmD3E2Ak4CSK69tLEQ9JUFJnc89y7pHQ0uW_VdzzWjCo0omeOu0bO_njpPJanlcXn7wMVWY9NHvdj8eEfmhk_R1ybE0piyNKpyQtcehEv3bz4kyhW1ck936zafn5GWxCEWKIF-7OcotxtOl6z1GrJ7WqglMk8ooLucnAXzaPtcvD6seUhVH0vG60yI2AEInI_jMHR-mfDxrebG2xPPJLsqH3GChqTsxG5vjuaq71sNBiY_TbaUDbmWZxV66zdjhN93Rw-lc3vCPwG5vmuA2igWH7SKsHmQOAQ", + "p": "xvTQi8nCJGyZQm3fr7HU23FkSUYkKFUN1FRDWqjyz7kFj5rJxq5dSsNrrgVBvIBNY4TwDDcYia4rvx7KSRRwfV_rsU2-TCOxBebqVlbeV0HI7xMcVZXsv61Eugz-dznUU4wqmP_rCQ8vyNcVvCBbBLBW92n-IRQXsfuSUfuHnT8", + "q": "2J64YbgvH62PB4h-0iYuaykgUzWVSrXENg3_GaF8877AMTe98gjcH7HzTDW1fOhIcNZtmYTwlA2SgFudLsIJLoOn0-kmHzZjZJTWcsZsfTVwKhHD8Lzic7QkrrlbTIZlVu4mfT2f0kvaQiZp6zDCke3SLvVjlD-ebqTFCDIlXkE" + }`) + + testKeyRSA_4096_0 = mustLoadJWK(`{ + "kty": "RSA", + "kid": "4941c1e95df518587e54ddde3510c084fedf92098473537fb3fe022eaece9b42", + "n": "ypJYaH9_PLdEgGN3WFPL1V9qhC2BRXr24f1kGocaQe7wORFlZGX6gRpOCQ1lLmziLafERoSqZuBWF4vSGLeanCRQ7UKObYalMRR_rTJk6D_VD95LNOmtR4DrucdZvjQrAuLXhM5dNLGVoSq_zQowLDMeLWDUBB_TK4WlofoxI0RVoUOt4UXnSev8M_6yIYASpOAk8gG4FAqRfmU-3JhgkZOQCD0BhKYZVw_kEhRBrS3aik-1pQkan9hYIxWwc4KKtrLHNls7--vk5xDk2Vod5sZYRLlimbqHavN2IBeAeJGJqt1grXOVlnagKqmyq2MoPKufwptJBiVrVsTplyUB9FZe9FxUfxrkkxYJHufwP-3wXhaXpPFdL86TCUuOz-jTfng1rsTpwzmwm3RqFzz01yMc1RhaeWininQqj42bhW4bgFGVRP2QqSFbCbRZ4WMW3qWr3aR2QpJ7b8ac7JUhAJoh7-UtMmyGx9UJP0gjA8Wm-O81UENoDjMMdNUaVTfpSUKB7xZppg244jNZDIm1ptq4QyvvWkr0brp9Ymxpu0e3g2HyywyPjbeyNrIelb4E2tU5vCR4Fs_zGFG71AieruJGfzPTXE7ZaiLhP8n1652NCzIH76Y7OGz4ap2D55-RKpUkSI3KqWxUKxkM0tuZ7LS2F-1wEVs8P01K6RuQpxE", + "e": "AQAB" + }`) + testKeyRSA_4096_0_Priv = mustLoadJWK(`{ + "kty": "RSA", + "kid": "4941c1e95df518587e54ddde3510c084fedf92098473537fb3fe022eaece9b42", + "n": "ypJYaH9_PLdEgGN3WFPL1V9qhC2BRXr24f1kGocaQe7wORFlZGX6gRpOCQ1lLmziLafERoSqZuBWF4vSGLeanCRQ7UKObYalMRR_rTJk6D_VD95LNOmtR4DrucdZvjQrAuLXhM5dNLGVoSq_zQowLDMeLWDUBB_TK4WlofoxI0RVoUOt4UXnSev8M_6yIYASpOAk8gG4FAqRfmU-3JhgkZOQCD0BhKYZVw_kEhRBrS3aik-1pQkan9hYIxWwc4KKtrLHNls7--vk5xDk2Vod5sZYRLlimbqHavN2IBeAeJGJqt1grXOVlnagKqmyq2MoPKufwptJBiVrVsTplyUB9FZe9FxUfxrkkxYJHufwP-3wXhaXpPFdL86TCUuOz-jTfng1rsTpwzmwm3RqFzz01yMc1RhaeWininQqj42bhW4bgFGVRP2QqSFbCbRZ4WMW3qWr3aR2QpJ7b8ac7JUhAJoh7-UtMmyGx9UJP0gjA8Wm-O81UENoDjMMdNUaVTfpSUKB7xZppg244jNZDIm1ptq4QyvvWkr0brp9Ymxpu0e3g2HyywyPjbeyNrIelb4E2tU5vCR4Fs_zGFG71AieruJGfzPTXE7ZaiLhP8n1652NCzIH76Y7OGz4ap2D55-RKpUkSI3KqWxUKxkM0tuZ7LS2F-1wEVs8P01K6RuQpxE", + "e": "AQAB", + "d": "VQagPRxm16FFC260hUqG4ASwvNIs1HEMd0bYYZobl1knU4zNthpnzxCveHU65wWk2ez1IXRF4fB_slpp0R4fszI7FZs-FRLS-4rTHGtul11TnNl9T7RVmxGt38ihDojvFMMKGyBTVu7DE2bSIsoH9kVugTWHSEPjav0pzJcrUNY56vpxXYDt18VJkrlxI0aSjMnYOAwoq6DT-O2eORFsVy5M4mhY3sipEjYFUOFXv8zjUfKrF55-omE4fWF5MsK0XoMjwtkAkHkvFx2sMN72dgsCubXmgQgeFvIhvs6eifzsf99z2NoPC5y3FbEs4Ws5VF3lLNXpDL9gEoeMVHigHKNoztIzbJnFLjzEag4wOBqbig4nWIlYEcLwd5-E0oQ8GHAhWtJn5AJQKOwTcasRWiUnRAulCcI8f9R2ATTSjAGU-juFUfhProp4w3ZlnUbO6U3tbh90KdFSJa-Bapts6ijPgEp6MHubVCHIxh1KGmod_CuGGjze1GuISEwI_4Yh0SrFlp4Wy6ecg7mKNnXvkBMd6h90LJaTzubnts33cCs-5UzCtYqmWHwXrMA6dRJuicY6su3NXxStuZn2bxU_Dn8LrS1vx_lhDU__NqMNbYj5ZvHkPvZiJNBI6Z1R5SY3pQzpH6vh9W2KRKF8cKOkushIaHNnHo7W5o4eZ9HjJFE", + "p": "7Bxd2wTrXfeSZAEGZEnfoJaMh6hKFG-fx0wLmF9U-Myq1fCIQ-gdl_Atqy0xQxYtQl2lOPUWfySegJSxpdRF8pwvLq9Yt7xFQDrV0B8d5-FjYJ_Mk2bbyHv_PhNmnfcYHqE_VdADeSaU-MRV1iknvjdbxSxYUF-U2C6llfJhn-ZbGPmZJyz8fTWHSh8aKLPJkuYV84wcNL04hpFPJq7Bhy7HAFhRYNpxXyDO3I36DCU94uvUCY758VKLl8IYMMSqjh-thluKJSkWibo85ZOJR38XFksMr70pH-DkT0WMv3PpLtNu6ac6Ry4CEkZexSWmbVk-pduRooo0On1CMsrsLw", + "q": "26K4gFJ0Ygqr4KaJ4QcRGN29XcjDpX5XTlHy3hCs_wEWc5wedydVgIH4tadiZcu0WinTtl0I6FYewWNpI8nFh8XJXsLOLepdKKR798zW8kEhzxdYdP1MTtGfy12KUCMeS2RQRsBJlmNdgrI0_m0JvW2LlGeK0EqvrqeS06L8bKGXkfY2aFGHl6ipSfUd5OpuSUqgfrj4-HgB8zywm-yAvn7UK-ySyQrP3K4PuOiY5QZmcPDxl8yqDAjorStrjPieYrlMqREHMsyq2FtAXhx4FzpKN7OljbE3EpgyFKkFN-wDTWRGxu3au0hQJx0-XthZ9i5r8zGcEbArQ5jZH7CQvw" + }`) + + testKeyRSA_4096_1 = mustLoadJWK(`{ + "kty": "RSA", + "kid": "d01929d205e83facdc5080a0a4ade80853978298a5c73780e863c035d32127c9", + "n": "ve_rSTi1vwfV2Oj7YNu1kv8Xz2ImAEqf7qo2RehTYW4FJpbj0wkMBVGmAulm4dz-1knnaPdpbrrIwkEYr1XR6kSIeB8aXkCZqDGZATxLSRqGEzu2J8Xt9z_qTQLWYD-NuMEf9H3B1CiP3Q2RnoWUlGvOr_KI5h6anzeqgZxlQLgqQujXscwqWpX7MVh3sheZ5SbyTkDcFWvQS_NEPaBGso-Au9X-yhZsHU1Ky02Nd_DPOrrRzl7uymE07hy3bIbxmrh4ZeEz6P2ixsHHYbd15GNMRlr1cWbg91RBB-akSxX0VYoLjjuqwo33UHk1hBbSATbobfpOKRruuZPZ_xOiPi-m0tUdD1Pj-h6xRcA5sZ1d55IdL8IY_9kgLc_WyU2RWFTXV6zA2SDDdE6EdEB_8q6U0oLU5T-YRxd-V2qOTqW1388qUaL5BalSvqM0g8kVfBYIM3uwLqQI_hCer4CL7_0DGlUtheye3qcoyqWVJd9iqfcWC-1S8NljAJwM9sehx6kOSM85UuUTH89VM35oAVp0rSPcLy20dPzEVQ0LAcy_iRHTkqy9nZ1z6mo-IWQE2ZyPCuESEfG7nFJ3YlUfwBJ5uZnk0N1FVYX5zgEKdkP322vShrv1blB_JtUedpbCcuS-qCaywpwjL0pzTDKpJMEqHds0-DFT7AbULcujw_U", + "e": "AQAB" + }`) + testKeyRSA_4096_1_Priv = mustLoadJWK(`{ + "kty": "RSA", + "kid": "d01929d205e83facdc5080a0a4ade80853978298a5c73780e863c035d32127c9", + "n": "ve_rSTi1vwfV2Oj7YNu1kv8Xz2ImAEqf7qo2RehTYW4FJpbj0wkMBVGmAulm4dz-1knnaPdpbrrIwkEYr1XR6kSIeB8aXkCZqDGZATxLSRqGEzu2J8Xt9z_qTQLWYD-NuMEf9H3B1CiP3Q2RnoWUlGvOr_KI5h6anzeqgZxlQLgqQujXscwqWpX7MVh3sheZ5SbyTkDcFWvQS_NEPaBGso-Au9X-yhZsHU1Ky02Nd_DPOrrRzl7uymE07hy3bIbxmrh4ZeEz6P2ixsHHYbd15GNMRlr1cWbg91RBB-akSxX0VYoLjjuqwo33UHk1hBbSATbobfpOKRruuZPZ_xOiPi-m0tUdD1Pj-h6xRcA5sZ1d55IdL8IY_9kgLc_WyU2RWFTXV6zA2SDDdE6EdEB_8q6U0oLU5T-YRxd-V2qOTqW1388qUaL5BalSvqM0g8kVfBYIM3uwLqQI_hCer4CL7_0DGlUtheye3qcoyqWVJd9iqfcWC-1S8NljAJwM9sehx6kOSM85UuUTH89VM35oAVp0rSPcLy20dPzEVQ0LAcy_iRHTkqy9nZ1z6mo-IWQE2ZyPCuESEfG7nFJ3YlUfwBJ5uZnk0N1FVYX5zgEKdkP322vShrv1blB_JtUedpbCcuS-qCaywpwjL0pzTDKpJMEqHds0-DFT7AbULcujw_U", + "e": "AQAB", + "d": "mCjZ3wDVaMJIKMsMhx28KpS9aGACfX1K_pHRhNOH6KeQ7Mc4oFnBDYnJas-8ofi_FsCB6G88QX7VUfmAYwZncjuQ8FpKb3NlJX8GSh0ZWukqu8G8PcSszMShWSyKvPRs_rOIe_87BlGwXrB-FfaBfx2WqRGtZlziFecsa0T1QJHJGW0bTs52p7c7Ut7ClSOfIBrBRrtjFK4YYp_x7US3HlkkElZvFUo9NoQzBQeN66Y4_Z2ocqFOv0Z8drz-nKzGZOKfYU62nVKD0qJurfOhOGPsOPipZD28v6b5qfC1cYmXAefjNgDK3a2JkShpHPaDKoHoViKN9xQiZvzxSQ1bjQCgB6xQWk61YwmiB44gFLshXvXkx_wcccO2XC4m-Pk0r-Uj9Ugvgizk8HYp1H9eqnp8A6sqU44mrmdt14vM68SGzEqYpLoUkcxPttHvNoORAzgQfuK3SOIFyuwFqKTMBupR4A42XvxLj_PuKEKFekS2JEK8fON2t_LuUDVemjMxwXD0gjljHSKD9HnguihI5IEd6Kgr-HlTwiiDQfzcmWQdoFUs_Je4tVCSbGRrJYju01gLouDu7gzN14pZcEyoBLPkj-_MDiiymvlBLOBU2s5nQRZCaC_0IKgHLaT_rzQaXwmVhU-OURdwdoViMVc_cdXtle4TqU1g41nNE_0tiwE", + "p": "2h_9HZCOpf3S9qpAkNS2ncMsRjBlWCpRltoCs-XBF_IgOJlCkJ-42k_V1zaf6YrgMy00XD4Ij5MMiUOharvc3w_WKJF-AwGu9JEpi38Wzj1nkY86sdB1ZPu4ihSRZm81jIjuLZ2siILqkupXaY0S_0CeNLKPoVpvfPWCb3psCWuLVRDhYECPCx9FYg2tzisbFpVAPPqNCFswMYNvhyJ2NQ0hzueKDc1uHBUanCSG6gIbeY1bQvYYFGySYkWZcQg98RSeDbLysHalCSQCgPjss3likTT9OjWLv23vpXURFhgywv6Phx4He0yWB8ZRrnskfW0S76kZ325SPUlnOhf31Q", + "q": "3urwELOa7TDpwLMeMEOf2aspz1gkMjoN-V4SMzRGxIoPy93-bQ62Z8nPduma1gK0zHOIs0gU8dDqjy8P8Z7vudJqRFJIrzjD-RnDqQDz7KM_6x0kbEN4GLQiNGVAckRhoEmYjDXXkG3teD2ST5NqlYwxGvFmCvw5RCJZG7eNjXY3KnJQrDyx61NIFEvSm3sBlJkOVhSanuqHBL6T-efaBkUcQ7mY7_iYtCt7cjMG8qQtF0KovVsMF6BUc9KDobpUvDsvPrSTAzsYJvVNkzGJtF8Strr-61VA6qZnRcDW3ukYvmJp_SdAcv3KzSkWwEmJEaAtaiOh2jWkRG9QpV_LoQ" + }`) + + testKeyRSA_4096_2 = mustLoadJWK(`{ + "kty": "RSA", + "kid": "822512e8098b9fa56c9152a56d2607bda912c89f6f4fe1b6ccf41627bf06de29", + "n": "3bcg0diA0TPvK283P02o5UT8cBf5q48uUsfuCkIbLqNFtskGuoft8OJLmik7c7pLNSK3Jad_-xRlfsrcV1fDBs8EJDFnoY-4r_xk_-GQl-OsHzuz7HMvjVYUSYeVZMtzPAfCIFJxSIaiIW9MEwCwYyrtRefedfKUV7Ax6hjOUXtyRZ5DRHj2FnNl6MjE8mTSJ8OQI9ETErg0wF448fJb6hYCidVHfeBSCOceljXMg8a9iDYHVnzsUb9ETl7xlRZDvUpIoG0jU-aC3oZdM0YgXspvw4FcXg1-ad-TbgRjEm_iJ-4KUhAYso6-Y6eimDT_TMhbKBLGE86pUjRPIXVNl6odjkXmcmh7bz9v0-gIfHB9zVbrqE8i8iIwkux-Uhq_VMiIFikjtjmDo5W-7qA_cjvq1dA1QqOJ54ijbdvglUtneuA5CnwfGHAvf94lEPebgP5eCMZjz_Dtl0FTX0u5lOVBs4qeyEfV1XANOq_h1gHmwJDlspGZVuPfSk4-YMCeBy5Ua_gNDqOIQo3EQbmjyN5yD9byFh3WDSQJN1kKT3BZSou-Q8-KT2lu9KT_CpTfVMaNXnPpXJ_H0S9Q7sbUzA6dF1h0Q_mu_bOlWTRlH3vXfZ3_3Vikjk-jhQdaRv8yjTdhX33wAVHk7omKlo76G3QJdnvjysJ6aagFPZ3qhmc", + "e": "AQAB" + }`) + testKeyRSA_4096_2_Priv = mustLoadJWK(`{ + "kty": "RSA", + "kid": "822512e8098b9fa56c9152a56d2607bda912c89f6f4fe1b6ccf41627bf06de29", + "n": "3bcg0diA0TPvK283P02o5UT8cBf5q48uUsfuCkIbLqNFtskGuoft8OJLmik7c7pLNSK3Jad_-xRlfsrcV1fDBs8EJDFnoY-4r_xk_-GQl-OsHzuz7HMvjVYUSYeVZMtzPAfCIFJxSIaiIW9MEwCwYyrtRefedfKUV7Ax6hjOUXtyRZ5DRHj2FnNl6MjE8mTSJ8OQI9ETErg0wF448fJb6hYCidVHfeBSCOceljXMg8a9iDYHVnzsUb9ETl7xlRZDvUpIoG0jU-aC3oZdM0YgXspvw4FcXg1-ad-TbgRjEm_iJ-4KUhAYso6-Y6eimDT_TMhbKBLGE86pUjRPIXVNl6odjkXmcmh7bz9v0-gIfHB9zVbrqE8i8iIwkux-Uhq_VMiIFikjtjmDo5W-7qA_cjvq1dA1QqOJ54ijbdvglUtneuA5CnwfGHAvf94lEPebgP5eCMZjz_Dtl0FTX0u5lOVBs4qeyEfV1XANOq_h1gHmwJDlspGZVuPfSk4-YMCeBy5Ua_gNDqOIQo3EQbmjyN5yD9byFh3WDSQJN1kKT3BZSou-Q8-KT2lu9KT_CpTfVMaNXnPpXJ_H0S9Q7sbUzA6dF1h0Q_mu_bOlWTRlH3vXfZ3_3Vikjk-jhQdaRv8yjTdhX33wAVHk7omKlo76G3QJdnvjysJ6aagFPZ3qhmc", + "e": "AQAB", + "d": "wcO4mAxJUAu-OsxgkR9SusPWhjQ9y5Q_XLNDso1hahng5ES9b6k55mouvlTIk3Q9I_vp6auAKrMBnJS3ilG1rK6hJOxUcBrFwm-m6QV9s3CSzV0E-mEULsYKxtQKWOOBGvaAznSeck7PRL8a0gSpIpGyeYSRo6zTverLRJZXQVjMXlFY4m-ASdCiQJWtoVVBYOUFhHfE3nhECdaOl8xCTcrcfw75AuZXa1ZpIcd0q7m1jGQDd6-HbE3m6UMKiEvD-ZsA68tVs45h0w3ER_pCcfUjRc45Ji1OzEJLezu0RbmoAVOEi4FrxCkB9N_dNn4inD0BhX0axNa4nZH_kfMNUh06081FaBiBq5bNBPQF7lWIYxAhtd2VgsUTZtNxMfHDTllt5fvbCogYngU5-Wj3UM33R_es_aakt_CFndJPmyenP0J7KEBmf4qnlrbxun-jQNV_cbEzgQA_Pt5RIhB5jgofYzT72Ib-lViZUolXpxg8mFQ5BPghqriuaX8eSc85y5rbu-nEvheDkIC7xjTtDBShXMvKKokx6t4d-x_W4sWDuLKsVNn3Veg6mbbl3O74Fr-joEM9unMg-9KCapAuBKmMv4GejOVOIj43i0lm8dsuMslNKsThWpjApE50-VBuySi1f0jD2HNEzjMTt5ZrlNi9bRFzAht46kdc_g4TWLE", + "p": "7cl5QebQldiOrfe2Z7E2aP4d1GIuX4b3u-kXUDa73HI4S2u9TooJF8lfsbrtzJIG60iIzio9Pej8R4ss2_1TPC_F7gQS67ST5yY2zuwUH6jwpt8KtVO3NKd9SNfVJse_mZLp7eAeH8CMq4bqkDig8ZI_Sp1LQtWXvhvhju40i0h1ef-MD36wbc26BE1L6tQMAoJIU-pMDawmWMGG3Q5_LxKHb1cxvV8gVfFgsJbAHMPXxcmpCdp1FqeqpvRs3bch3AMxHwjy1SFRK6lhvliS2ZvD7fdupA09PGJ-cNO3S9iHdCvsnyOHg9pMbxxcYW8Io_t1ihk6JYFvZlDIYvukXw", + "q": "7rKFf6190MlunvlLSdMvN_E2Xuow35_EThaxQ9e_7FS32LKPy847vFreXzVivVW1IVXrRSDgU8VIEyBQzftliLSriefKYdx2jtd_A84baha4p6CAK9SwfZcVEcIuU2Ul8XcUpbg53_bxUWDv4mYewZW_AqaZ0ZR1Ug14gCGHELvjs7MmWkCkJB6lEenRQZvzwcmA8tWzZ6Dlqb_RyLtxcVPbeSuc3t6YxbB1-pquwXoQLB9-XvgR_4L6vuGZrp1D-C0lzboUPoftkC_hKYb_xY6LPJTsL8LUypATcTrAnD0TBrqj5-Oy_4dMin6OcsXrfdxflxaJqkh7B-kz20oa-Q" + }`) + + testKeyRSA_4096_3 = mustLoadJWK(`{ + "kty": "RSA", + "kid": "ad60df152305985e6bdd8cb1d1f496f766aed097b7464b8b821a09b27f054dcb", + "n": "q8mHub9-A7LH2ykklO52CRQ9KYeM9FlHaoLJCMokmwdb8FF8cAMOPDQ4lx7rB107vwX5oHS6T4uhOUH6ppgZnvB083-f5cBfvZPSwvKg1csOPI3Llp-hIO3vnu7v4M-dXRJevmNdTAoHINXP8mJ1KfGL6BuxckxLEOoIX0suSmyudAE_lc6ioMAfwehkH7qTWwllIuReGwxHHYapM0AFIYysJ0z96l-WNkO3ssLm6Q7txpumM_b0d58OkdezBLujEfn0t5H8hsml_LUSE4TfWcGwm3oDBB2q5tsI2_QmVwdV6BcP43Sm8R7EbJvTQq3YXKLlC-Et4-3CDGaMV6z1eFmHBs_FMGzto-kg9MUFockOe0vkfjHj6AafNw7AFyBJRvV3EdMM-O1ysiC5cs45aowbfQIz_9H9RVbR9iMiEjq6nM34bhgfu-FvOmAcliCOJnDlBy2wWe2XyXTLQVkmn1C_w2mitcQAkP-LiktypUwSIbyDqfBai1_imO1SIVzomRLvzSju5qGrcm0ROV6o9zKXCVc546g9la9FUTTPZsI0_s3hcVRVMaF3fa122hE848serjCqNJ0Nb3CYOlVCc6JrkUdeuCj0Y-on6V6aeCFAQxFb1z_p88STsNJkrcNZp87f1JUaSB4POF01dLNQ2HTe7xJCMRmK-fpNuDCOzNM", + "e": "AQAB" + }`) + testKeyRSA_4096_3_Priv = mustLoadJWK(`{ + "kty": "RSA", + "kid": "ad60df152305985e6bdd8cb1d1f496f766aed097b7464b8b821a09b27f054dcb", + "n": "q8mHub9-A7LH2ykklO52CRQ9KYeM9FlHaoLJCMokmwdb8FF8cAMOPDQ4lx7rB107vwX5oHS6T4uhOUH6ppgZnvB083-f5cBfvZPSwvKg1csOPI3Llp-hIO3vnu7v4M-dXRJevmNdTAoHINXP8mJ1KfGL6BuxckxLEOoIX0suSmyudAE_lc6ioMAfwehkH7qTWwllIuReGwxHHYapM0AFIYysJ0z96l-WNkO3ssLm6Q7txpumM_b0d58OkdezBLujEfn0t5H8hsml_LUSE4TfWcGwm3oDBB2q5tsI2_QmVwdV6BcP43Sm8R7EbJvTQq3YXKLlC-Et4-3CDGaMV6z1eFmHBs_FMGzto-kg9MUFockOe0vkfjHj6AafNw7AFyBJRvV3EdMM-O1ysiC5cs45aowbfQIz_9H9RVbR9iMiEjq6nM34bhgfu-FvOmAcliCOJnDlBy2wWe2XyXTLQVkmn1C_w2mitcQAkP-LiktypUwSIbyDqfBai1_imO1SIVzomRLvzSju5qGrcm0ROV6o9zKXCVc546g9la9FUTTPZsI0_s3hcVRVMaF3fa122hE848serjCqNJ0Nb3CYOlVCc6JrkUdeuCj0Y-on6V6aeCFAQxFb1z_p88STsNJkrcNZp87f1JUaSB4POF01dLNQ2HTe7xJCMRmK-fpNuDCOzNM", + "e": "AQAB", + "d": "QFcw8I8aQYRaemlEfEt8BhaAeed9EZ_GscveQ96CK1ZsRuweMU3TrRTaBS_dU1rGH9u7DS_rABQKBIoDuRXKss7Y3sJ0Pvb4ZObSz5VUS_7LjD6HfBi5nr2_O8W-LnNUOyHAPoq0zOAMn221ftEFlPoVLpAAvBB7JRCiph5gbhuak3RMPm2wV4jd3CCQL5oPys8QBCuIW5UTpalkAf_-a_xmFiouB_RZLGXcjaWWGsAuqm5tp5TdJ1h5eoJRWHp2ryrxTzfsXwdzldyzsn_Xr6Rt4y2lp4r9EY4EGW2uVnY25MCOgOCWDkU5yHvselLmcHvKUdK6_11zinV2Jvhuz1FaW10P6lRXxhjuuT4bT7XmY6WkJCUvWf8w_NYrGwDbRvQa6YZcZZWKZ1l2Enkgd_P4qwtrnROQSCe0dJdNG3lSq90lrAwuvb8AhKhpQ8nJSaSQc_h2pa4NJZ-R__9m0_7CRUuEEg9k47AtgdIe09KLSpcACc3W5cBXEw2pL8ihqcf9AVgM0TFQQVrUdIst3YjUiB6r2zLVCRx8KjtT8Pmz6YtMQwDIFTrUopwwai5PEP3QEdxdNF39W1iwkqjA8uw4IlXgZAr4-9s3x617XUL0BQ4TgMpTsEghpV1U8U2HQfYGUKBcAlSqIlAi0MU4QRwcsAJrcoTIi-e34NFMbHE", + "p": "xvZ1BKzaRfrmQT2mmbK1MzKdr4amHrx4EJ_4fRsCRBj8MqB92y4Bp0iuO8rZ3iK_yOOgQQTcr4UP5UEACLOqGDPNa92UUpHu1U5XR3MiIY0kGcdovpkkGU8fq78VRpyofc1b9kvZsy4eL0e7W7jApjGu479D_evnpT7lqSOGRl1Z0QHdI3ctKmKw48-AmQWL4BibXTyaXOfRgTHm4AtbrvFshwCZ43QgzrCrwbhZlOfiIIW9wXa_OqqOhV11BLF72qTglecfTgUOxY0W5GWgbwXCVZ8Lwr6cxYKGrKjmny9UNOIjABGsJjZm5egwDNUhhoaEeXXyzXbCKynvUCDxZw", + "q": "3Qi1bRzj3TYW3Iw9KSDCuuHWBJRO_3Ke-JLB7PHEXc1hsPwF_XDqXPaBbIUtgKaqNzUehYAQbtHHhJVGqZadTKjsNkO4sO_r5nRoxUpFuGgUEmKNN0QeJa_llHzAZ9JpvUrtoyzVZX-2Em_3aAhtV5pZ6t22YToPDjZIBgqL96MQRCyKsv2FS_dbpoYKdXlG6phzkzKPn3oaWkh-VwmgAsFg7uXdiquQEsXYcOq3-77Umiuke6SBbaHLryLflTzOV7YvY7Kw3s3NycS9MDBESKYXqqX3YKvS25ZFFjYbrVOx5AluLiwajZu2biIPZb9rNbSXE77Hll3tAbmA5syJtQ" + }`) +) diff --git a/vendor/github.com/coreos/go-oidc/jwks.go b/vendor/github.com/coreos/go-oidc/jwks.go new file mode 100644 index 00000000..4ec6c3f1 --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/jwks.go @@ -0,0 +1,199 @@ +package oidc + +import ( + "encoding/json" + "fmt" + "io/ioutil" + "net/http" + "sync" + "time" + + "github.com/pquerna/cachecontrol" + "golang.org/x/net/context" + "golang.org/x/net/context/ctxhttp" + jose "gopkg.in/square/go-jose.v2" +) + +// keysExpiryDelta is the allowed clock skew between a client and the OpenID Connect +// server. +// +// When keys expire, they are valid for this amount of time after. +// +// If the keys have not expired, and an ID Token claims it was signed by a key not in +// the cache, if and only if the keys expire in this amount of time, the keys will be +// updated. +const keysExpiryDelta = 30 * time.Second + +func newRemoteKeySet(ctx context.Context, jwksURL string, now func() time.Time) *remoteKeySet { + if now == nil { + now = time.Now + } + return &remoteKeySet{jwksURL: jwksURL, ctx: ctx, now: now} +} + +type remoteKeySet struct { + jwksURL string + ctx context.Context + now func() time.Time + + // guard all other fields + mu sync.Mutex + + // inflightCtx is the context of the current HTTP request to update the keys. + // Its Err() method returns any errors encountered during that attempt. + // + // If nil, there is no inflight request. + inflightCtx context.Context + + // A set of cached keys and their expiry. + cachedKeys []jose.JSONWebKey + expiry time.Time +} + +// errContext is a context with a customizable Err() return value. +type errContext struct { + context.Context + + cf context.CancelFunc + err error +} + +func newErrContext(parent context.Context) *errContext { + ctx, cancel := context.WithCancel(parent) + return &errContext{ctx, cancel, nil} +} + +func (e errContext) Err() error { + return e.err +} + +// cancel cancels the errContext causing listeners on Done() to return. +func (e errContext) cancel(err error) { + e.err = err + e.cf() +} + +func (r *remoteKeySet) keysWithIDFromCache(keyIDs []string) ([]jose.JSONWebKey, bool) { + r.mu.Lock() + keys, expiry := r.cachedKeys, r.expiry + r.mu.Unlock() + + // Have the keys expired? + if expiry.Add(keysExpiryDelta).Before(r.now()) { + return nil, false + } + + var signingKeys []jose.JSONWebKey + for _, key := range keys { + if contains(keyIDs, key.KeyID) { + signingKeys = append(signingKeys, key) + } + } + + if len(signingKeys) == 0 { + // Are the keys about to expire? + if r.now().Add(keysExpiryDelta).After(expiry) { + return nil, false + } + } + + return signingKeys, true +} +func (r *remoteKeySet) keysWithID(ctx context.Context, keyIDs []string) ([]jose.JSONWebKey, error) { + keys, ok := r.keysWithIDFromCache(keyIDs) + if ok { + return keys, nil + } + + var inflightCtx context.Context + func() { + r.mu.Lock() + defer r.mu.Unlock() + + // If there's not a current inflight request, create one. + if r.inflightCtx == nil { + // Use the remoteKeySet's context instead of the requests context + // because a re-sync is unique to the keys set and will span multiple + // requests. + errCtx := newErrContext(r.ctx) + r.inflightCtx = errCtx + + go func() { + // TODO(ericchiang): Upstream Kubernetes request that we recover every time + // we spawn a goroutine, because panics in a goroutine will bring down the + // entire program. There's no way to recover from another goroutine's panic. + // + // Most users actually want to let the panic propagate and bring down the + // program because it implies some unrecoverable state. + // + // Add a context key to allow the recover behavior. + // + // See: https://github.com/coreos/go-oidc/issues/89 + + // Sync keys and close inflightCtx when that's done. + errCtx.cancel(r.updateKeys(r.inflightCtx)) + + r.mu.Lock() + defer r.mu.Unlock() + r.inflightCtx = nil + }() + } + + inflightCtx = r.inflightCtx + }() + + select { + case <-ctx.Done(): + return nil, ctx.Err() + case <-inflightCtx.Done(): + if err := inflightCtx.Err(); err != nil { + return nil, err + } + } + + // Since we've just updated keys, we don't care about the cache miss. + keys, _ = r.keysWithIDFromCache(keyIDs) + return keys, nil +} + +func (r *remoteKeySet) updateKeys(ctx context.Context) error { + req, err := http.NewRequest("GET", r.jwksURL, nil) + if err != nil { + return fmt.Errorf("oidc: can't create request: %v", err) + } + + resp, err := ctxhttp.Do(ctx, clientFromContext(ctx), req) + if err != nil { + return fmt.Errorf("oidc: get keys failed %v", err) + } + defer resp.Body.Close() + + body, err := ioutil.ReadAll(resp.Body) + if err != nil { + return fmt.Errorf("oidc: read response body: %v", err) + } + if resp.StatusCode != http.StatusOK { + return fmt.Errorf("oidc: get keys failed: %s %s", resp.Status, body) + } + + var keySet jose.JSONWebKeySet + if err := json.Unmarshal(body, &keySet); err != nil { + return fmt.Errorf("oidc: failed to decode keys: %v %s", err, body) + } + + // If the server doesn't provide cache control headers, assume the + // keys expire immediately. + expiry := r.now() + + _, e, err := cachecontrol.CachableResponse(req, resp, cachecontrol.Options{}) + if err == nil && e.After(expiry) { + expiry = e + } + + r.mu.Lock() + defer r.mu.Unlock() + r.cachedKeys = keySet.Keys + r.expiry = expiry + + return nil +} diff --git a/vendor/github.com/coreos/go-oidc/jwks_test.go b/vendor/github.com/coreos/go-oidc/jwks_test.go new file mode 100644 index 00000000..d9735b2d --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/jwks_test.go @@ -0,0 +1,99 @@ +package oidc + +import ( + "encoding/json" + "net/http" + "net/http/httptest" + "reflect" + "testing" + "time" + + "golang.org/x/net/context" + jose "gopkg.in/square/go-jose.v2" +) + +type keyServer struct { + keys jose.JSONWebKeySet +} + +func newKeyServer(keys ...jose.JSONWebKey) keyServer { + return keyServer{ + keys: jose.JSONWebKeySet{Keys: keys}, + } +} + +func (k keyServer) ServeHTTP(w http.ResponseWriter, r *http.Request) { + if err := json.NewEncoder(w).Encode(k.keys); err != nil { + panic(err) + } +} + +func TestKeysFormID(t *testing.T) { + tests := []struct { + name string + keys []jose.JSONWebKey + keyIDs []string + wantKeys []jose.JSONWebKey + }{ + { + name: "single key", + keys: []jose.JSONWebKey{ + testKeyRSA_2048_0, + testKeyECDSA_256_0, + }, + keyIDs: []string{ + testKeyRSA_2048_0.KeyID, + }, + wantKeys: []jose.JSONWebKey{ + testKeyRSA_2048_0, + }, + }, + { + name: "one key id matches", + keys: []jose.JSONWebKey{ + testKeyRSA_2048_0, + testKeyECDSA_256_0, + }, + keyIDs: []string{ + testKeyRSA_2048_0.KeyID, + testKeyRSA_2048_1.KeyID, + }, + wantKeys: []jose.JSONWebKey{ + testKeyRSA_2048_0, + }, + }, + { + name: "no valid keys", + keys: []jose.JSONWebKey{ + testKeyRSA_2048_1, + testKeyECDSA_256_0, + }, + keyIDs: []string{ + testKeyRSA_2048_0.KeyID, + }, + }, + } + + t0 := time.Now() + now := func() time.Time { return t0 } + + for _, test := range tests { + func() { + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + + server := httptest.NewServer(newKeyServer(test.keys...)) + defer server.Close() + + keySet := newRemoteKeySet(ctx, server.URL, now) + gotKeys, err := keySet.keysWithID(ctx, test.keyIDs) + if err != nil { + t.Errorf("%s: %v", test.name, err) + return + } + if !reflect.DeepEqual(gotKeys, test.wantKeys) { + t.Errorf("%s: expected keys=%#v, got=%#v", test.name, test.wantKeys, gotKeys) + } + }() + } +} diff --git a/vendor/github.com/coreos/go-oidc/key/doc.go b/vendor/github.com/coreos/go-oidc/key/doc.go new file mode 100644 index 00000000..936eec74 --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/key/doc.go @@ -0,0 +1,2 @@ +// Package key is DEPRECATED. Use github.com/coreos/go-oidc instead. +package key diff --git a/vendor/github.com/coreos/go-oidc/oauth2/doc.go b/vendor/github.com/coreos/go-oidc/oauth2/doc.go new file mode 100644 index 00000000..52eb3085 --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/oauth2/doc.go @@ -0,0 +1,2 @@ +// Package oauth2 is DEPRECATED. Use golang.org/x/oauth instead. +package oauth2 diff --git a/vendor/github.com/coreos/go-oidc/oidc.go b/vendor/github.com/coreos/go-oidc/oidc.go new file mode 100644 index 00000000..378f8f64 --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/oidc.go @@ -0,0 +1,286 @@ +// Package oidc implements OpenID Connect client logic for the golang.org/x/oauth2 package. +package oidc + +import ( + "encoding/json" + "errors" + "fmt" + "io/ioutil" + "net/http" + "strings" + "time" + + "golang.org/x/net/context" + "golang.org/x/oauth2" + jose "gopkg.in/square/go-jose.v2" +) + +const ( + // ScopeOpenID is the mandatory scope for all OpenID Connect OAuth2 requests. + ScopeOpenID = "openid" + + // ScopeOfflineAccess is an optional scope defined by OpenID Connect for requesting + // OAuth2 refresh tokens. + // + // Support for this scope differs between OpenID Connect providers. For instance + // Google rejects it, favoring appending "access_type=offline" as part of the + // authorization request instead. + // + // See: https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess + ScopeOfflineAccess = "offline_access" +) + +// ClientContext returns a new Context that carries the provided HTTP client. +// +// This method sets the same context key used by the golang.org/x/oauth2 package, +// so the returned context works for that package too. +// +// myClient := &http.Client{} +// ctx := oidc.ClientContext(parentContext, myClient) +// +// // This will use the custom client +// provider, err := oidc.NewProvider(ctx, "https://accounts.example.com") +// +func ClientContext(ctx context.Context, client *http.Client) context.Context { + return context.WithValue(ctx, oauth2.HTTPClient, client) +} + +func clientFromContext(ctx context.Context) *http.Client { + if client, ok := ctx.Value(oauth2.HTTPClient).(*http.Client); ok { + return client + } + return http.DefaultClient +} + +// Provider represents an OpenID Connect server's configuration. +type Provider struct { + issuer string + authURL string + tokenURL string + userInfoURL string + + // Raw claims returned by the server. + rawClaims []byte + + remoteKeySet *remoteKeySet +} + +type cachedKeys struct { + keys []jose.JSONWebKey + expiry time.Time +} + +type providerJSON struct { + Issuer string `json:"issuer"` + AuthURL string `json:"authorization_endpoint"` + TokenURL string `json:"token_endpoint"` + JWKSURL string `json:"jwks_uri"` + UserInfoURL string `json:"userinfo_endpoint"` +} + +// NewProvider uses the OpenID Connect discovery mechanism to construct a Provider. +// +// The issuer is the URL identifier for the service. For example: "https://accounts.google.com" +// or "https://login.salesforce.com". +func NewProvider(ctx context.Context, issuer string) (*Provider, error) { + wellKnown := strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration" + resp, err := clientFromContext(ctx).Get(wellKnown) + if err != nil { + return nil, err + } + body, err := ioutil.ReadAll(resp.Body) + if err != nil { + return nil, err + } + if resp.StatusCode != http.StatusOK { + return nil, fmt.Errorf("%s: %s", resp.Status, body) + } + defer resp.Body.Close() + var p providerJSON + if err := json.Unmarshal(body, &p); err != nil { + return nil, fmt.Errorf("oidc: failed to decode provider discovery object: %v", err) + } + if p.Issuer != issuer { + return nil, fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q", issuer, p.Issuer) + } + return &Provider{ + issuer: p.Issuer, + authURL: p.AuthURL, + tokenURL: p.TokenURL, + userInfoURL: p.UserInfoURL, + rawClaims: body, + remoteKeySet: newRemoteKeySet(ctx, p.JWKSURL, time.Now), + }, nil +} + +// Claims unmarshals raw fields returned by the server during discovery. +// +// var claims struct { +// ScopesSupported []string `json:"scopes_supported"` +// ClaimsSupported []string `json:"claims_supported"` +// } +// +// if err := provider.Claims(&claims); err != nil { +// // handle unmarshaling error +// } +// +// For a list of fields defined by the OpenID Connect spec see: +// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata +func (p *Provider) Claims(v interface{}) error { + if p.rawClaims == nil { + return errors.New("oidc: claims not set") + } + return json.Unmarshal(p.rawClaims, v) +} + +// Endpoint returns the OAuth2 auth and token endpoints for the given provider. +func (p *Provider) Endpoint() oauth2.Endpoint { + return oauth2.Endpoint{AuthURL: p.authURL, TokenURL: p.tokenURL} +} + +// UserInfo represents the OpenID Connect userinfo claims. +type UserInfo struct { + Subject string `json:"sub"` + Profile string `json:"profile"` + Email string `json:"email"` + EmailVerified bool `json:"email_verified"` + + claims []byte +} + +// Claims unmarshals the raw JSON object claims into the provided object. +func (u *UserInfo) Claims(v interface{}) error { + if u.claims == nil { + return errors.New("oidc: claims not set") + } + return json.Unmarshal(u.claims, v) +} + +// UserInfo uses the token source to query the provider's user info endpoint. +func (p *Provider) UserInfo(ctx context.Context, tokenSource oauth2.TokenSource) (*UserInfo, error) { + if p.userInfoURL == "" { + return nil, errors.New("oidc: user info endpoint is not supported by this provider") + } + resp, err := clientFromContext(ctx).Get(p.userInfoURL) + if err != nil { + return nil, err + } + defer resp.Body.Close() + body, err := ioutil.ReadAll(resp.Body) + if err != nil { + return nil, err + } + if resp.StatusCode != http.StatusOK { + return nil, fmt.Errorf("%s: %s", resp.Status, body) + } + + var userInfo UserInfo + if err := json.Unmarshal(body, &userInfo); err != nil { + return nil, fmt.Errorf("oidc: failed to decode userinfo: %v", err) + } + userInfo.claims = body + return &userInfo, nil +} + +// IDToken is an OpenID Connect extension that provides a predictable representation +// of an authorization event. +// +// The ID Token only holds fields OpenID Connect requires. To access additional +// claims returned by the server, use the Claims method. +type IDToken struct { + // The URL of the server which issued this token. This will always be the same + // as the URL used for initial discovery. + Issuer string + + // The client, or set of clients, that this token is issued for. + Audience []string + + // A unique string which identifies the end user. + Subject string + + IssuedAt time.Time + Expiry time.Time + Nonce string + + // Raw payload of the id_token. + claims []byte +} + +// Claims unmarshals the raw JSON payload of the ID Token into a provided struct. +// +// idToken, err := idTokenVerifier.Verify(rawIDToken) +// if err != nil { +// // handle error +// } +// var claims struct { +// Email string `json:"email"` +// EmailVerified bool `json:"email_verified"` +// } +// if err := idToken.Claims(&claims); err != nil { +// // handle error +// } +// +func (i *IDToken) Claims(v interface{}) error { + if i.claims == nil { + return errors.New("oidc: claims not set") + } + return json.Unmarshal(i.claims, v) +} + +type idToken struct { + Issuer string `json:"iss"` + Subject string `json:"sub"` + Audience audience `json:"aud"` + Expiry jsonTime `json:"exp"` + IssuedAt jsonTime `json:"iat"` + Nonce string `json:"nonce"` +} + +type audience []string + +func (a *audience) UnmarshalJSON(b []byte) error { + var s string + if json.Unmarshal(b, &s) == nil { + *a = audience{s} + return nil + } + var auds []string + if err := json.Unmarshal(b, &auds); err != nil { + return err + } + *a = audience(auds) + return nil +} + +func (a audience) MarshalJSON() ([]byte, error) { + if len(a) == 1 { + return json.Marshal(a[0]) + } + return json.Marshal([]string(a)) +} + +type jsonTime time.Time + +func (j *jsonTime) UnmarshalJSON(b []byte) error { + var n json.Number + if err := json.Unmarshal(b, &n); err != nil { + return err + } + var unix int64 + + if t, err := n.Int64(); err == nil { + unix = t + } else { + f, err := n.Float64() + if err != nil { + return err + } + unix = int64(f) + } + *j = jsonTime(time.Unix(unix, 0)) + return nil +} + +func (j jsonTime) MarshalJSON() ([]byte, error) { + return json.Marshal(time.Time(j).Unix()) +} diff --git a/vendor/github.com/coreos/go-oidc/oidc/doc.go b/vendor/github.com/coreos/go-oidc/oidc/doc.go new file mode 100644 index 00000000..196611ec --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/oidc/doc.go @@ -0,0 +1,2 @@ +// Package oidc is DEPRECATED. Use github.com/coreos/go-oidc instead. +package oidc diff --git a/vendor/github.com/coreos/go-oidc/oidc/provider.go b/vendor/github.com/coreos/go-oidc/oidc/provider.go index ca283844..42197ff1 100644 --- a/vendor/github.com/coreos/go-oidc/oidc/provider.go +++ b/vendor/github.com/coreos/go-oidc/oidc/provider.go @@ -567,7 +567,7 @@ func (n *pcsStepNext) step(fn pcsStepFunc) (next pcsStepper) { next = &pcsStepNext{aft: ttl} } else { next = &pcsStepRetry{aft: time.Second} - log.Printf("go-oidc: provider config sync falied, retyring in %v: %v", next.after(), err) + log.Printf("go-oidc: provider config sync failed, retrying in %v: %v", next.after(), err) } return } @@ -586,7 +586,7 @@ func (r *pcsStepRetry) step(fn pcsStepFunc) (next pcsStepper) { next = &pcsStepNext{aft: ttl} } else { next = &pcsStepRetry{aft: timeutil.ExpBackoff(r.aft, time.Minute)} - log.Printf("go-oidc: provider config sync falied, retyring in %v: %v", next.after(), err) + log.Printf("go-oidc: provider config sync failed, retrying in %v: %v", next.after(), err) } return } diff --git a/vendor/github.com/coreos/go-oidc/oidc_test.go b/vendor/github.com/coreos/go-oidc/oidc_test.go new file mode 100644 index 00000000..7307a8f5 --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/oidc_test.go @@ -0,0 +1,21 @@ +package oidc + +import ( + "net/http" + "testing" + + "golang.org/x/net/context" +) + +func TestClientContext(t *testing.T) { + myClient := &http.Client{} + + ctx := ClientContext(context.Background(), myClient) + + gotClient := clientFromContext(ctx) + + // Compare pointer values. + if gotClient != myClient { + t.Fatal("clientFromContext did not return the value set by ClientContext") + } +} diff --git a/vendor/github.com/coreos/go-oidc/test b/vendor/github.com/coreos/go-oidc/test index 9dd60672..4b2e39f8 100755 --- a/vendor/github.com/coreos/go-oidc/test +++ b/vendor/github.com/coreos/go-oidc/test @@ -1,62 +1,15 @@ -#!/bin/bash -e -# -# Run all tests (not including functional) -# ./test -# ./test -v -# -# Run tests for one package -# PKG=./unit ./test -# PKG=ssh ./test -# +#!/bin/bash -# Invoke ./cover for HTML output -COVER=${COVER:-"-cover"} +set -e -RACE=${RACE:-"-race"} +# Filter out any files with a !golint build tag. +LINTABLE=$( go list -tags=golint -f ' + {{- range $i, $file := .GoFiles -}} + {{ $file }} {{ end }} + {{ range $i, $file := .TestGoFiles -}} + {{ $file }} {{ end }}' github.com/coreos/go-oidc ) -source ./build - -TESTABLE="http jose key oauth2 oidc" -FORMATTABLE="$TESTABLE" - -# user has not provided PKG override -if [ -z "$PKG" ]; then - TEST=$TESTABLE - FMT=$FORMATTABLE - -# user has provided PKG override -else - # strip out slashes and dots from PKG=./foo/ - TEST=${PKG//\//} - TEST=${TEST//./} - - # only run gofmt on packages provided by user - FMT="$TEST" -fi - -# split TEST into an array and prepend repo path to each local package -split=(${TEST// / }) -TEST=${split[@]/#/github.com/coreos/go-oidc/} - -echo "Running tests..." -go test $RACE ${COVER} $@ ${TEST} - -echo "Checking gofmt..." -fmtRes=$(gofmt -l $FMT) -if [ -n "${fmtRes}" ]; then - echo -e "gofmt checking failed:\n${fmtRes}" - exit 255 -fi - -if [[ -z "$TRAVIS_GO_VERSION" || "$TRAVIS_GO_VERSION" != "1.4.3" ]]; then - echo "Checking govet..." - vetRes=$(go vet $TEST) - if [ -n "${vetRes}" ]; then - echo -e "govet checking failed:\n${vetRes}" - exit 255 - fi -else - echo "Skipping govet (Go 1.4)" -fi - -echo "Success" +go test -v -i -race github.com/coreos/go-oidc +go test -v -race github.com/coreos/go-oidc +golint $LINTABLE +go vet github.com/coreos/go-oidc diff --git a/vendor/github.com/coreos/go-oidc/verify.go b/vendor/github.com/coreos/go-oidc/verify.go new file mode 100644 index 00000000..13c0f934 --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/verify.go @@ -0,0 +1,263 @@ +package oidc + +import ( + "bytes" + "encoding/base64" + "encoding/json" + "errors" + "fmt" + "strings" + "time" + + "golang.org/x/net/context" + "golang.org/x/oauth2" + jose "gopkg.in/square/go-jose.v2" +) + +// IDTokenVerifier provides verification for ID Tokens. +type IDTokenVerifier struct { + keySet *remoteKeySet + config *verificationConfig +} + +// verificationConfig is the unexported configuration for an IDTokenVerifier. +// +// Users interact with this struct using a VerificationOption. +type verificationConfig struct { + issuer string + // If provided, this value must be in the ID Token audiences. + audience string + // If not nil, check the expiry of the id token. + checkExpiry func() time.Time + // If specified, only these sets of algorithms may be used to sign the JWT. + requiredAlgs []string + // If not nil, don't verify nonce. + nonceSource NonceSource +} + +// VerificationOption provides additional checks on ID Tokens. +type VerificationOption interface { + // Unexport this method so other packages can't implement this interface. + updateConfig(c *verificationConfig) +} + +// Verifier returns an IDTokenVerifier that uses the provider's key set to verify JWTs. +// +// The returned IDTokenVerifier is tied to the Provider's context and its behavior is +// undefined once the Provider's context is canceled. +func (p *Provider) Verifier(options ...VerificationOption) *IDTokenVerifier { + config := &verificationConfig{issuer: p.issuer} + for _, option := range options { + option.updateConfig(config) + } + + return newVerifier(p.remoteKeySet, config) +} + +func newVerifier(keySet *remoteKeySet, config *verificationConfig) *IDTokenVerifier { + // As discussed in the godocs for VerifrySigningAlg, because almost all providers + // only support RS256, default to only allowing it. + if len(config.requiredAlgs) == 0 { + config.requiredAlgs = []string{RS256} + } + + return &IDTokenVerifier{ + keySet: keySet, + config: config, + } +} + +func parseJWT(p string) ([]byte, error) { + parts := strings.Split(p, ".") + if len(parts) < 2 { + return nil, fmt.Errorf("oidc: malformed jwt, expected 3 parts got %d", len(parts)) + } + payload, err := base64.RawURLEncoding.DecodeString(parts[1]) + if err != nil { + return nil, fmt.Errorf("oidc: malformed jwt payload: %v", err) + } + return payload, nil +} + +func contains(sli []string, ele string) bool { + for _, s := range sli { + if s == ele { + return true + } + } + return false +} + +// Verify parses a raw ID Token, verifies it's been signed by the provider, preforms +// any additional checks passed as VerifictionOptions, and returns the payload. +// +// See: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation +// +// oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code")) +// if err != nil { +// // handle error +// } +// +// // Extract the ID Token from oauth2 token. +// rawIDToken, ok := oauth2Token.Extra("id_token").(string) +// if !ok { +// // handle error +// } +// +// token, err := verifier.Verify(ctx, rawIDToken) +// +func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDToken, error) { + jws, err := jose.ParseSigned(rawIDToken) + if err != nil { + return nil, fmt.Errorf("oidc: mallformed jwt: %v", err) + } + + // Throw out tokens with invalid claims before trying to verify the token. This lets + // us do cheap checks before possibly re-syncing keys. + payload, err := parseJWT(rawIDToken) + if err != nil { + return nil, fmt.Errorf("oidc: malformed jwt: %v", err) + } + var token idToken + if err := json.Unmarshal(payload, &token); err != nil { + return nil, fmt.Errorf("oidc: failed to unmarshal claims: %v", err) + } + + t := &IDToken{ + Issuer: token.Issuer, + Subject: token.Subject, + Audience: []string(token.Audience), + Expiry: time.Time(token.Expiry), + IssuedAt: time.Time(token.IssuedAt), + Nonce: token.Nonce, + claims: payload, + } + + // Check issuer. + if t.Issuer != v.config.issuer { + return nil, fmt.Errorf("oidc: id token issued by a different provider, expected %q got %q", v.config.issuer, t.Issuer) + } + + // If a client ID has been provided, make sure it's part of the audience. + if v.config.audience != "" { + if !contains(t.Audience, v.config.audience) { + return nil, fmt.Errorf("oidc: expected audience %q got %q", v.config.audience, t.Audience) + } + } + + // If a set of required algorithms has been provided, ensure that the signatures use those. + var keyIDs, gotAlgs []string + for _, sig := range jws.Signatures { + if len(v.config.requiredAlgs) == 0 || contains(v.config.requiredAlgs, sig.Header.Algorithm) { + keyIDs = append(keyIDs, sig.Header.KeyID) + } else { + gotAlgs = append(gotAlgs, sig.Header.Algorithm) + } + } + if len(keyIDs) == 0 { + return nil, fmt.Errorf("oidc: no signatures use a require algorithm, expected %q got %q", v.config.requiredAlgs, gotAlgs) + } + + // Get keys from the remote key set. This may trigger a re-sync. + keys, err := v.keySet.keysWithID(ctx, keyIDs) + if err != nil { + return nil, fmt.Errorf("oidc: get keys for id token: %v", err) + } + if len(keys) == 0 { + return nil, fmt.Errorf("oidc: no keys match signature ID(s) %q", keyIDs) + } + + // Try to use a key to validate the signature. + var gotPayload []byte + for _, key := range keys { + if p, err := jws.Verify(&key); err == nil { + gotPayload = p + } + } + if len(gotPayload) == 0 { + return nil, fmt.Errorf("oidc: failed to verify id token") + } + + // Ensure that the payload returned by the square actually matches the payload parsed earlier. + if !bytes.Equal(gotPayload, payload) { + return nil, errors.New("oidc: internal error, payload parsed did not match previous payload") + } + + // Check the nonce after we've verified the token. We don't want to allow unverified + // payloads to trigger a nonce lookup. + if v.config.nonceSource != nil { + if err := v.config.nonceSource.ClaimNonce(t.Nonce); err != nil { + return nil, err + } + } + + return t, nil +} + +// VerifyAudience ensures that an ID Token was issued for the specific client. +// +// Note that a verified token may be valid for other clients, as OpenID Connect allows a token to have +// multiple audiences. +func VerifyAudience(clientID string) VerificationOption { + return clientVerifier{clientID} +} + +type clientVerifier struct { + clientID string +} + +func (v clientVerifier) updateConfig(c *verificationConfig) { + c.audience = v.clientID +} + +// VerifyExpiry ensures that an ID Token has not expired. +func VerifyExpiry() VerificationOption { + return expiryVerifier{} +} + +type expiryVerifier struct{} + +func (v expiryVerifier) updateConfig(c *verificationConfig) { + c.checkExpiry = time.Now +} + +// VerifySigningAlg enforces that an ID Token is signed by a specific signing algorithm. +// +// Because so many providers only support RS256, if this verifiction option isn't used, +// the IDTokenVerifier defaults to only allowing RS256. +func VerifySigningAlg(allowedAlgs ...string) VerificationOption { + return algVerifier{allowedAlgs} +} + +type algVerifier struct { + algs []string +} + +func (v algVerifier) updateConfig(c *verificationConfig) { + c.requiredAlgs = v.algs +} + +// Nonce returns an auth code option which requires the ID Token created by the +// OpenID Connect provider to contain the specified nonce. +func Nonce(nonce string) oauth2.AuthCodeOption { + return oauth2.SetAuthURLParam("nonce", nonce) +} + +// NonceSource represents a source which can verify a nonce is valid and has not +// been claimed before. +type NonceSource interface { + ClaimNonce(nonce string) error +} + +// VerifyNonce ensures that the ID Token contains a nonce which can be claimed by the nonce source. +func VerifyNonce(source NonceSource) VerificationOption { + return nonceVerifier{source} +} + +type nonceVerifier struct { + nonceSource NonceSource +} + +func (n nonceVerifier) updateConfig(c *verificationConfig) { + c.nonceSource = n.nonceSource +} diff --git a/vendor/github.com/coreos/go-oidc/verify_test.go b/vendor/github.com/coreos/go-oidc/verify_test.go new file mode 100644 index 00000000..872f75c3 --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/verify_test.go @@ -0,0 +1,265 @@ +package oidc + +import ( + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rsa" + "encoding/json" + "net/http/httptest" + "testing" + "time" + + "golang.org/x/net/context" + jose "gopkg.in/square/go-jose.v2" +) + +func TestVerify(t *testing.T) { + tests := []verificationTest{ + { + name: "good token", + idToken: idToken{ + Issuer: "https://foo", + }, + config: verificationConfig{ + issuer: "https://foo", + }, + signKey: testKeyRSA_2048_0_Priv, + pubKeys: []jose.JSONWebKey{testKeyRSA_2048_0}, + }, + { + name: "invalid signature", + idToken: idToken{ + Issuer: "https://foo", + }, + config: verificationConfig{ + issuer: "https://foo", + }, + signKey: testKeyRSA_2048_0_Priv, + pubKeys: []jose.JSONWebKey{testKeyRSA_2048_1}, + wantErr: true, + }, + { + name: "invalid issuer", + idToken: idToken{ + Issuer: "https://foo", + }, + config: verificationConfig{ + issuer: "https://bar", + }, + signKey: testKeyRSA_2048_0_Priv, + pubKeys: []jose.JSONWebKey{testKeyRSA_2048_0}, + wantErr: true, + }, + } + for _, test := range tests { + test.run(t) + } +} + +func TestVerifyAudience(t *testing.T) { + tests := []verificationTest{ + { + name: "good audience", + idToken: idToken{ + Issuer: "https://foo", + Audience: []string{"client1"}, + }, + config: verificationConfig{ + issuer: "https://foo", + audience: "client1", + }, + signKey: testKeyRSA_2048_0_Priv, + pubKeys: []jose.JSONWebKey{testKeyRSA_2048_0}, + }, + { + name: "mismatched audience", + idToken: idToken{ + Issuer: "https://foo", + Audience: []string{"client2"}, + }, + config: verificationConfig{ + issuer: "https://foo", + audience: "client1", + }, + signKey: testKeyRSA_2048_0_Priv, + pubKeys: []jose.JSONWebKey{testKeyRSA_2048_0}, + wantErr: true, + }, + { + name: "multiple audiences, one matches", + idToken: idToken{ + Issuer: "https://foo", + Audience: []string{"client2", "client1"}, + }, + config: verificationConfig{ + issuer: "https://foo", + audience: "client1", + }, + signKey: testKeyRSA_2048_0_Priv, + pubKeys: []jose.JSONWebKey{testKeyRSA_2048_0}, + }, + } + for _, test := range tests { + test.run(t) + } +} + +func TestVerifySigningAlg(t *testing.T) { + tests := []verificationTest{ + { + name: "default signing alg", + idToken: idToken{ + Issuer: "https://foo", + }, + config: verificationConfig{ + issuer: "https://foo", + }, + signKey: testKeyRSA_2048_0_Priv, + signAlg: RS256, // By default we only support RS256. + pubKeys: []jose.JSONWebKey{testKeyRSA_2048_0}, + }, + { + name: "bad signing alg", + idToken: idToken{ + Issuer: "https://foo", + }, + config: verificationConfig{ + issuer: "https://foo", + }, + signKey: testKeyRSA_2048_0_Priv, + signAlg: RS512, + pubKeys: []jose.JSONWebKey{testKeyRSA_2048_0}, + wantErr: true, + }, + { + name: "ecdsa signing", + idToken: idToken{ + Issuer: "https://foo", + }, + config: verificationConfig{ + issuer: "https://foo", + requiredAlgs: []string{ES384}, + }, + signAlg: ES384, + signKey: testKeyECDSA_384_0_Priv, + pubKeys: []jose.JSONWebKey{testKeyECDSA_384_0}, + }, + { + name: "one of many supported", + idToken: idToken{ + Issuer: "https://foo", + }, + config: verificationConfig{ + issuer: "https://foo", + requiredAlgs: []string{RS256, ES384}, + }, + signAlg: ES384, + signKey: testKeyECDSA_384_0_Priv, + pubKeys: []jose.JSONWebKey{testKeyECDSA_384_0}, + }, + { + name: "not in requiredAlgs", + idToken: idToken{ + Issuer: "https://foo", + }, + config: verificationConfig{ + issuer: "https://foo", + requiredAlgs: []string{RS256, ES512}, + }, + signAlg: ES384, + signKey: testKeyECDSA_384_0_Priv, + pubKeys: []jose.JSONWebKey{testKeyECDSA_384_0}, + wantErr: true, + }, + } + for _, test := range tests { + test.run(t) + } +} + +type verificationTest struct { + name string + + // ID token claims and a signing key to create the JWT. + idToken idToken + signKey jose.JSONWebKey + // If supplied use this signing algorithm. If not, guess + // from the signingKey. + signAlg string + + config verificationConfig + pubKeys []jose.JSONWebKey + + wantErr bool +} + +func algForKey(t *testing.T, k jose.JSONWebKey) string { + switch key := k.Key.(type) { + case *rsa.PrivateKey: + return RS256 + case *ecdsa.PrivateKey: + name := key.PublicKey.Params().Name + switch name { + case elliptic.P256().Params().Name: + return ES256 + case elliptic.P384().Params().Name: + return ES384 + case elliptic.P521().Params().Name: + return ES512 + } + t.Fatalf("unsupported ecdsa curve: %s", name) + default: + t.Fatalf("unsupported key type %T", key) + } + return "" +} + +func (v verificationTest) run(t *testing.T) { + payload, err := json.Marshal(v.idToken) + if err != nil { + t.Fatal(err) + } + signingAlg := v.signAlg + if signingAlg == "" { + signingAlg = algForKey(t, v.signKey) + } + + signer, err := jose.NewSigner(jose.SigningKey{ + Algorithm: jose.SignatureAlgorithm(signingAlg), + Key: &v.signKey, + }, nil) + if err != nil { + t.Fatal(err) + } + + jws, err := signer.Sign(payload) + if err != nil { + t.Fatal(err) + } + + token, err := jws.CompactSerialize() + if err != nil { + t.Fatal(err) + } + + t0 := time.Now() + now := func() time.Time { return t0 } + + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + + server := httptest.NewServer(newKeyServer(v.pubKeys...)) + defer server.Close() + + verifier := newVerifier(newRemoteKeySet(ctx, server.URL, now), &v.config) + + if _, err := verifier.Verify(ctx, token); err != nil { + if !v.wantErr { + t.Errorf("%s: verify %v", v.name, err) + } + } else { + if v.wantErr { + t.Errorf("%s: expected error", v.name) + } + } +} From f76c43ec4fa45868b3aee8432deb902038eedd6e Mon Sep 17 00:00:00 2001 From: Pavel Borzenkov Date: Wed, 23 Nov 2016 20:02:19 +0300 Subject: [PATCH 3/3] server: fix tests to expect unpadded base64 messages Signed-off-by: Pavel Borzenkov --- server/http_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/http_test.go b/server/http_test.go index fc5b2acc..7d95970c 100644 --- a/server/http_test.go +++ b/server/http_test.go @@ -810,7 +810,7 @@ func TestHandleKeysFunc(t *testing.T) { t.Fatalf("Incorrect headers: want=%#v got=%#v", wantHeader, gotHeader) } - wantBody := `{"keys":[{"kid":"1234","kty":"RSA","alg":"RS256","use":"sig","e":"AQAB","n":"FE9chh46rg=="},{"kid":"5678","kty":"RSA","alg":"RS256","use":"sig","e":"AQAB","n":"BGKVohEShg=="}]}` + wantBody := `{"keys":[{"kid":"1234","kty":"RSA","alg":"RS256","use":"sig","e":"AQAB","n":"FE9chh46rg"},{"kid":"5678","kty":"RSA","alg":"RS256","use":"sig","e":"AQAB","n":"BGKVohEShg"}]}` gotBody := w.Body.String() if wantBody != gotBody { t.Fatalf("Incorrect body: want=%s got=%s", wantBody, gotBody)