diff --git a/auth_server/server/config.go b/auth_server/server/config.go
index ead4f82a..056375c5 100644
--- a/auth_server/server/config.go
+++ b/auth_server/server/config.go
@@ -70,6 +70,7 @@ type ServerConfig struct {
 publicKey libtrust.PublicKey
 privateKey libtrust.PrivateKey
+ sigAlg string
 }
 type LetsEncryptConfig struct {
@@ -86,6 +87,7 @@ type TokenConfig struct {
 publicKey libtrust.PublicKey
 privateKey libtrust.PrivateKey
+ sigAlg string
 }
 // TLSCipherSuitesValues maps CipherSuite names as strings to the actual values
@@ -335,7 +337,7 @@ func validate(c *Config) error {
 return nil
 }
-func loadCertAndKey(certFile string, keyFile string) (pk libtrust.PublicKey, prk libtrust.PrivateKey, err error) {
+func loadCertAndKey(certFile string, keyFile string) (pk libtrust.PublicKey, prk libtrust.PrivateKey, sigAlg string, err error) {
 cert, err := tls.LoadX509KeyPair(certFile, keyFile)
 if err != nil {
 return
@@ -349,6 +351,11 @@ func loadCertAndKey(certFile string, keyFile string) (pk libtrust.PublicKey, prk
 return
 }
 prk, err = libtrust.FromCryptoPrivateKey(cert.PrivateKey)
+ _, sigAlg, errStr := prk.Sign(strings.NewReader("dummy"), 0)
+ if errStr != nil {
+ err = fmt.Errorf("failed to sign: %s", errStr)
+ return
+ }
 return
 }
@@ -370,7 +377,7 @@ func LoadConfig(fileName string) (*Config, error) {
 if c.Server.CertFile == "" || c.Server.KeyFile == "" {
 return nil, fmt.Errorf("failed to load server cert and key: both were not provided")
 }
- c.Server.publicKey, c.Server.privateKey, err = loadCertAndKey(c.Server.CertFile, c.Server.KeyFile)
+ c.Server.publicKey, c.Server.privateKey, c.Server.sigAlg, err = loadCertAndKey(c.Server.CertFile, c.Server.KeyFile)
 if err != nil {
 return nil, fmt.Errorf("failed to load server cert and key: %s", err)
 }
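Review bot: In the `@@ -349,6 +351,11 @@` hunk of config.go the new `prk.Sign(strings.NewReader("dummy"), 0)` call runs before the `err` from `libtrust.FromCryptoPrivateKey` on the line above is examined, so a key that fails conversion (where `prk` is presumably nil, on the usual nil-on-error convention) would call a method through a nil interface and panic instead of returning the error the old code returned; add `if err != nil { return }` between those two lines. The purpose of the probe signature was explained by the comment that the server.go hunk removes and nothing carries it over; restore it above the call as `// Sign something dummy to find out which algorithm the key uses.`. Naming the probe's error `errStr` suggests a string while the surrounding code keeps `err` as the named result, so `sigErr` would read more accurately. loadCertAndKey's signature and the `pk` setup lie in other hunks and outside this one.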
@@ -382,7 +389,7 @@ func LoadConfig(fileName string) (*Config, error) {
 if c.Token.CertFile == "" || c.Token.KeyFile == "" {
 return nil, fmt.Errorf("failed to load token cert and key: both were not provided")
 }
- c.Token.publicKey, c.Token.privateKey, err = loadCertAndKey(c.Token.CertFile, c.Token.KeyFile)
+ c.Token.publicKey, c.Token.privateKey, c.Token.sigAlg, err = loadCertAndKey(c.Token.CertFile, c.Token.KeyFile)
 if err != nil {
 return nil, fmt.Errorf("failed to load token cert and key: %s", err)
 }
@@ -390,7 +397,7 @@ func LoadConfig(fileName string) (*Config, error) {
 }
 if serverConfigured && !tokenConfigured {
- c.Token.publicKey, c.Token.privateKey = c.Server.publicKey, c.Server.privateKey
+ c.Token.publicKey, c.Token.privateKey, c.Token.sigAlg = c.Server.publicKey, c.Server.privateKey, c.Server.sigAlg
 tokenConfigured = true
 }
diff --git a/auth_server/server/server.go b/auth_server/server/server.go
index 3ca0c367..2592b533 100644
--- a/auth_server/server/server.go
+++ b/auth_server/server/server.go
@@ -378,14 +378,9 @@ func (as *AuthServer) CreateToken(ar *authRequest, ares []authzResult) (string,
 now := time.Now().Unix()
 tc := &as.config.Token
- // Sign something dummy to find out which algorithm is used.
- _, sigAlg, err := tc.privateKey.Sign(strings.NewReader("dummy"), 0)
- if err != nil {
- return "", fmt.Errorf("failed to sign: %s", err)
- }
 header := token.Header{
 Type: "JWT",
- SigningAlg: sigAlg,
+ SigningAlg: tc.sigAlg,
 KeyID: tc.publicKey.KeyID(),
 }
 headerJSON, err := json.Marshal(header)
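Review bot: In the `@@ -378,14 +378,9 @@` hunk of server.go CreateToken now takes the algorithm from `tc.sigAlg`, a field that, as far as this diff shows, only LoadConfig's loadCertAndKey path fills; a TokenConfig assembled any other way (tests, or a future loader) would put an empty `alg` into the JWT header and then fail the `sigAlg2 != tc.sigAlg` comparison further down with no hint of the real cause. A guard right after `tc := &as.config.Token` would make the precondition explicit: `if tc.sigAlg == "" { return "", fmt.Errorf("token signing algorithm not initialized") }`. The new `sigAlg` fields added in the two config.go struct hunks carry no comment either; `// sigAlg is the JWS algorithm name reported by privateKey.Sign, determined once at load time.` on each would say where the value comes from. CreateToken's body continues before and after this hunk.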
@@ -423,7 +418,7 @@ func (as *AuthServer) CreateToken(ar *authRequest, ares []authzResult) (string,
 payload := fmt.Sprintf("%s%s%s", joseBase64UrlEncode(headerJSON), token.TokenSeparator, joseBase64UrlEncode(claimsJSON))
 sig, sigAlg2, err := tc.privateKey.Sign(strings.NewReader(payload), 0)
- if err != nil || sigAlg2 != sigAlg {
+ if err != nil || sigAlg2 != tc.sigAlg {
 return "", fmt.Errorf("failed to sign token: %s", err)
 }
 glog.Infof("New token for %s %+v: %s", *ar, ar.Labels, claimsJSON)
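Review bot: The rewritten condition still folds two different failures into one message: when `Sign` succeeds but reports an algorithm other than `tc.sigAlg`, `err` is nil and the `fmt.Errorf` on the next line prints `failed to sign token: %!s(<nil>)`, hiding the mismatch that actually tripped the check. This predates the commit, but since the line is being changed anyway, splitting the two checks gives each failure its own detail, as in the rewrite below. CreateToken continues outside this hunk on both sides.
```go
	sig, sigAlg2, err := tc.privateKey.Sign(strings.NewReader(payload), 0)
	if err != nil {
		return "", fmt.Errorf("failed to sign token: %s", err)
	}
	if sigAlg2 != tc.sigAlg {
		return "", fmt.Errorf("failed to sign token: key signed with %s, expected %s", sigAlg2, tc.sigAlg)
	}
	// … unchanged: glog.Infof and token assembly …
```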