jws.go

package jws

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io/ioutil"

	"github.com/coreos/go-oidc/v3/oidc"
	jwt "github.com/dgrijalva/jwt-go"
	"github.com/lestrrat-go/jwx/jwk"

	"github.com/oidc-mytoken/server/internal/config"
)

// GenerateKeyPair generates a cryptographic key pair for the algorithm specified in the mytoken config.
func GenerateKeyPair() (sk, pk interface{}, err error) {
	alg := config.Get().Signing.Alg
	switch alg {
	case oidc.RS256, oidc.RS384, oidc.RS512, oidc.PS256, oidc.PS384, oidc.PS512:
		keyLen := config.Get().Signing.RSAKeyLen
		if keyLen <= 0 {
			return nil, nil, fmt.Errorf("%s specified, but no valid RSA key len", alg)
		}
		sk, err = rsa.GenerateKey(rand.Reader, keyLen)
	case oidc.ES256:
		sk, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	case oidc.ES384:
		sk, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	case oidc.ES512:
		sk, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	default:
		return nil, nil, fmt.Errorf("unknown signing algorithm '%s'", alg)
	}
	if err != nil {
		switch sk := sk.(type) {
		case *rsa.PrivateKey:
			pk = &sk.PublicKey
		case *ecdsa.PrivateKey:
			pk = &sk.PublicKey
		default:
			err = fmt.Errorf("something went wrong, we just created an unknown key type")
		}
	}
	return
}

// ExportPrivateKeyAsPemStr exports the private key
func ExportPrivateKeyAsPemStr(sk interface{}) string {
	switch sk := sk.(type) {
	case *rsa.PrivateKey:
		return exportRSAPrivateKeyAsPemStr(sk)
	case *ecdsa.PrivateKey:
		return exportECPrivateKeyAsPemStr(sk)
	default:
		return ""
	}
}

func exportECPrivateKeyAsPemStr(privkey *ecdsa.PrivateKey) string {
	privkeyBytes, _ := x509.MarshalECPrivateKey(privkey)
	privkeyPem := pem.EncodeToMemory(
		&pem.Block{
			Type:  "EC PRIVATE KEY",
			Bytes: privkeyBytes,
		},
	)
	return string(privkeyPem)
}

func exportRSAPrivateKeyAsPemStr(privkey *rsa.PrivateKey) string {
	privkeyBytes := x509.MarshalPKCS1PrivateKey(privkey)
	privkeyPem := pem.EncodeToMemory(
		&pem.Block{
			Type:  "RSA PRIVATE KEY",
			Bytes: privkeyBytes,
		},
	)
	return string(privkeyPem)
}

var privateKey interface{}
var publicKey interface{}
var jwks = jwk.NewSet()

// GetPrivateKey returns the private key
func GetPrivateKey() interface{} {
	return privateKey
}

// GetPublicKey returns the public key
func GetPublicKey() interface{} {
	return publicKey
}

// GetJWKS returns the jwks
func GetJWKS() jwk.Set {
	return jwks
}

// LoadKey loads the private and public key
func LoadKey() {
	keyFileContent, err := ioutil.ReadFile(config.Get().Signing.KeyFile)
	if err != nil {
		panic(err)
	}
	switch config.Get().Signing.Alg {
	case oidc.RS256, oidc.RS384, oidc.RS512, oidc.PS256, oidc.PS384, oidc.PS512:
		sk, err := jwt.ParseRSAPrivateKeyFromPEM(keyFileContent)
		if err != nil {
			panic(err)
		}
		privateKey = sk
		publicKey = &sk.PublicKey
	case oidc.ES256, oidc.ES384, oidc.ES512:
		sk, err := jwt.ParseECPrivateKeyFromPEM(keyFileContent)
		if err != nil {
			panic(err)
		}
		privateKey = sk
		publicKey = &sk.PublicKey
	default:
		panic(fmt.Errorf("unknown signing alg"))
	}
	key, err := jwk.New(publicKey)
	if err != nil {
		panic(err)
	}
	if err = jwk.AssignKeyID(key); err != nil {
		panic(err)
	}
	if err = key.Set(jwk.KeyUsageKey, string(jwk.ForSignature)); err != nil {
		panic(err)
	}
	jwks.Add(key)
}