1*e7b1675dSTing-Kang Chang// Copyright 2022 Google LLC 2*e7b1675dSTing-Kang Chang// 3*e7b1675dSTing-Kang Chang// Licensed under the Apache License, Version 2.0 (the "License"); 4*e7b1675dSTing-Kang Chang// you may not use this file except in compliance with the License. 5*e7b1675dSTing-Kang Chang// You may obtain a copy of the License at 6*e7b1675dSTing-Kang Chang// 7*e7b1675dSTing-Kang Chang// http://www.apache.org/licenses/LICENSE-2.0 8*e7b1675dSTing-Kang Chang// 9*e7b1675dSTing-Kang Chang// Unless required by applicable law or agreed to in writing, software 10*e7b1675dSTing-Kang Chang// distributed under the License is distributed on an "AS IS" BASIS, 11*e7b1675dSTing-Kang Chang// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12*e7b1675dSTing-Kang Chang// See the License for the specific language governing permissions and 13*e7b1675dSTing-Kang Chang// limitations under the License. 14*e7b1675dSTing-Kang Chang// 15*e7b1675dSTing-Kang Chang//////////////////////////////////////////////////////////////////////////////// 16*e7b1675dSTing-Kang Chang 17*e7b1675dSTing-Kang Changpackage jwt 18*e7b1675dSTing-Kang Chang 19*e7b1675dSTing-Kang Changimport ( 20*e7b1675dSTing-Kang Chang "fmt" 21*e7b1675dSTing-Kang Chang 22*e7b1675dSTing-Kang Chang "github.com/google/tink/go/tink" 23*e7b1675dSTing-Kang Chang) 24*e7b1675dSTing-Kang Chang 25*e7b1675dSTing-Kang Changtype verifierWithKID struct { 26*e7b1675dSTing-Kang Chang tv tink.Verifier 27*e7b1675dSTing-Kang Chang algorithm string 28*e7b1675dSTing-Kang Chang customKID *string 29*e7b1675dSTing-Kang Chang} 30*e7b1675dSTing-Kang Chang 31*e7b1675dSTing-Kang Changfunc newVerifierWithKID(tv tink.Verifier, algorithm string, customKID *string) (*verifierWithKID, error) { 32*e7b1675dSTing-Kang Chang if tv == nil { 33*e7b1675dSTing-Kang Chang return nil, fmt.Errorf("tink verifier can't be nil") 34*e7b1675dSTing-Kang Chang } 35*e7b1675dSTing-Kang Chang return &verifierWithKID{ 36*e7b1675dSTing-Kang Chang tv: tv, 37*e7b1675dSTing-Kang Chang algorithm: algorithm, 38*e7b1675dSTing-Kang Chang customKID: customKID, 39*e7b1675dSTing-Kang Chang }, nil 40*e7b1675dSTing-Kang Chang} 41*e7b1675dSTing-Kang Chang 42*e7b1675dSTing-Kang Chang// VerifyAndDecodeWithKID verifies a digital signature in a compact serialized JWT. 43*e7b1675dSTing-Kang Chang// It then validates the token, and returns a VerifiedJWT or an error. 44*e7b1675dSTing-Kang Changfunc (v *verifierWithKID) VerifyAndDecodeWithKID(compact string, validator *Validator, kid *string) (*VerifiedJWT, error) { 45*e7b1675dSTing-Kang Chang sig, content, err := splitSignedCompact(compact) 46*e7b1675dSTing-Kang Chang if err != nil { 47*e7b1675dSTing-Kang Chang return nil, errJwtVerification 48*e7b1675dSTing-Kang Chang } 49*e7b1675dSTing-Kang Chang if err := v.tv.Verify(sig, []byte(content)); err != nil { 50*e7b1675dSTing-Kang Chang return nil, errJwtVerification 51*e7b1675dSTing-Kang Chang } 52*e7b1675dSTing-Kang Chang rawJWT, err := decodeUnsignedTokenAndValidateHeader(content, v.algorithm, kid, v.customKID) 53*e7b1675dSTing-Kang Chang if err != nil { 54*e7b1675dSTing-Kang Chang return nil, errJwtVerification 55*e7b1675dSTing-Kang Chang } 56*e7b1675dSTing-Kang Chang if err := validator.Validate(rawJWT); err != nil { 57*e7b1675dSTing-Kang Chang return nil, err 58*e7b1675dSTing-Kang Chang } 59*e7b1675dSTing-Kang Chang return newVerifiedJWT(rawJWT) 60*e7b1675dSTing-Kang Chang} 61