coolaj86/issuer.rest.walnut.js
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
issuer.rest.walnut.js/jwks.js

117 lines
4.3 KiB
JavaScript
Raw Permalink Blame History

'use strict';
var crypto = require('crypto');
var PromiseA = require('bluebird');
var OpErr = PromiseA.OperationalError;
var makeB64UrlSafe = require('./common').makeB64UrlSafe;
function thumbprint(jwk) {
// To produce a thumbprint we need to create a JSON string with only the required keys for
// the key type, with the keys sorted lexicographically and no white space. We then need
// run it through a SHA-256 and encode the result in url safe base64.
// https://stackoverflow.com/questions/42588786/how-to-fingerprint-a-jwk
var keys;
if (jwk.kty === 'EC') {
keys = ['crv', 'x', 'y'];
} else if (jwk.kty === 'RSA') {
keys = ['e', 'n'];
} else {
return PromiseA.reject(new Error('invalid JWK key type ' + jwk.kty));
}
keys.push('kty');
keys.sort();
var missing = keys.filter(function (name) { return !jwk.hasOwnProperty(name); });
if (missing.length > 0) {
return PromiseA.reject(new Error('JWK of type '+jwk.kty+' missing fields ' + missing));
}
// I'm not 100% sure this behavior is guaranteed by a real standard, but when we use an array
// as the replacer argument the keys are always in the order they appeared in the array.
var jwkStr = JSON.stringify(jwk, keys);
var hash = crypto.createHash('sha256').update(jwkStr).digest('base64');
return PromiseA.resolve(makeB64UrlSafe(hash));
}
function create(app) {
var restful = {};
restful.get = function (req, res) {
// The sub in params is the 3rd party PPID, but the keys are stored by the issuer PPID, so
// we need to look up the issuer PPID using the 3rd party PPID.
var promise = req.getSiteStore().then(function (store) {
if (req.params.kid === req.experienceId) {
return store.IssuerOauth3OrgPrivateKeys.get(req.experienceId);
}
// First we check to see if the key is being requested by the `sub` that we as the issuer use
// to identify the user, and if not then we need to look up the specified `sub` to see if
// we can determine which (if any) account it's associated with.
return store.IssuerOauth3OrgJwks.get(req.params.sub+'/'+req.params.kid).then(function (jwk) {
if (jwk) {
return jwk;
}
return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }).then(function (results) {
if (!results.length) {
throw new OpErr("unknown PPID '"+req.params.sub+"'");
}
if (results.length > 1) {
// This should not ever happen since there is a check for PPID collisions when saving
// grants, but it's probably better to have this check anyway just incase something
// happens that isn't currently accounted for.
throw new OpErr('PPID collision - unable to safely retrieve keys');
}
return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid);
});
});
}).then(function (jwk) {
if (!jwk) {
throw new OpErr("no keys stored with kid '"+req.params.kid+"' for PPID "+req.params.sub);
}
// We need to sanitize the key to make sure we don't deliver any private keys fields if
// we were given a key we could use to sign tokens on behalf of the user. We also don't
// want to deliver the sub or any other PPIDs.
var whitelist = [ 'kty', 'alg', 'kid', 'use' ];
if (jwk.kty === 'EC') {
whitelist = whitelist.concat([ 'crv', 'x', 'y' ]);
} else if (jwk.kty === 'RSA') {
whitelist = whitelist.concat([ 'e', 'n' ]);
}
var result = {};
whitelist.forEach(function (key) {
result[key] = jwk[key];
});
return result;
});
app.handlePromise(req, res, promise, "[issuer@oauth3.org] retrieve JWK");
};
restful.saveNew = function (req, res) {
var jwk = req.body;
var promise = thumbprint(jwk).then(function (kid) {
if (jwk.kid && jwk.kid !== kid) {
throw new OpErr('provided kid "'+jwk.kid+'" does not match calculated "'+kid+'"');
}
jwk.kid = kid;
jwk.sub = req.params.sub;
return req.Store.upsert(jwk.sub+'/'+jwk.kid, jwk);
}).then(function () {
return { success: true };
});
app.handlePromise(req, res, promise, "[issuer@oauth3.org] save JWK");
};
return {
thumbprint: thumbprint,
restful: restful,
};
}
module.exports.thumbprint = thumbprint;
module.exports.create = create;
Reference in New Issue View Git Blame Copy Permalink