issuer.rest.walnut.js/jwks.js

'use strict';

var crypto = require('crypto');
var PromiseA = require('bluebird');
var OpErr = PromiseA.OperationalError;

function makeB64UrlSafe(b64) {
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=*$/, '');
}

function thumbprint(jwk) {
  // To produce a thumbprint we need to create a JSON string with only the required keys for
  // the key type, with the keys sorted lexicographically and no white space. We then need
  // run it through a SHA-256 and encode the result in url safe base64.
  // https://stackoverflow.com/questions/42588786/how-to-fingerprint-a-jwk
  var keys;
  if (jwk.kty === 'EC') {
    keys = ['crv', 'x', 'y'];
  } else if (jwk.kty === 'RSA') {
    keys = ['e', 'n'];
  } else {
    return PromiseA.reject(new Error('invalid JWK key type ' + jwk.kty));
  }
  keys.push('kty');
  keys.sort();

  var missing = keys.filter(function (name) { return !jwk.hasOwnProperty(name); });
  if (missing.length > 0) {
    return PromiseA.reject(new Error('JWK of type '+jwk.kty+' missing fields ' + missing));
  }

  // I'm not 100% sure this behavior is guaranteed by a real standard, but when we use an array
  // as the replacer argument the keys are always in the order they appeared in the array.
  var jwkStr = JSON.stringify(jwk, keys);
  var hash = crypto.createHash('sha256').update(jwkStr).digest('base64');
  return PromiseA.resolve(makeB64UrlSafe(hash));
}

function create(app) {
  var restful = {};
  restful.get = function (req, res) {
    // The sub in params is the 3rd party PPID, but the keys are stored by the issuer PPID, so
    // we need to look up the issuer PPID using the 3rd party PPID.
    var promise = req.getSiteStore().then(function (store) {
      if (req.params.kid === req.experienceId) {
        return store.IssuerOauth3OrgPrivateKeys.get(req.experienceId);
      }

      return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }).then(function (results) {
        if (!results.length) {
          throw new OpErr("unknown PPID '"+req.params.sub+"'");
        }
        if (results.length > 1) {
          // This should not ever happen since there is a check for PPID collisions when saving
          // grants, but it's probably better to have this check anyway just incase something
          // happens that isn't currently accounted for.
          throw new OpErr('PPID collision - unable to safely retrieve keys');
        }

        return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid);
      });
    }).then(function (jwk) {
      if (!jwk) {
        throw new OpErr("no keys stored with kid '"+req.params.kid+"' for PPID "+req.params.sub);
      }

      // We need to sanitize the key to make sure we don't deliver any private keys fields if
      // we were given a key we could use to sign tokens on behalf of the user. We also don't
      // want to deliver the sub or any other PPIDs.
      var whitelist = [ 'kty', 'alg', 'kid', 'use' ];
      if (jwk.kty === 'EC') {
        whitelist = whitelist.concat([ 'crv', 'x', 'y' ]);
      } else if (jwk.kty === 'RSA') {
        whitelist = whitelist.concat([ 'e', 'n' ]);
      }

      var result = {};
      whitelist.forEach(function (key) {
        result[key] = jwk[key];
      });
      return result;
    });

    app.handlePromise(req, res, promise, "[issuer@oauth3.org] retrieve JWK");
  };
  restful.saveNew = function (req, res) {
    var jwk = req.body;
    var promise = thumbprint(jwk).then(function (kid) {
      if (jwk.kid && jwk.kid !== kid) {
        throw new OpErr('provided kid "'+jwk.kid+'" does not match calculated "'+kid+'"');
      }
      jwk.kid = kid;
      jwk.sub = req.params.sub;

      return req.Store.upsert(jwk.sub+'/'+jwk.kid, jwk);
    }).then(function () {
      return { success: true };
    });

    app.handlePromise(req, res, promise, "[issuer@oauth3.org] save JWK");
  };

  return {
    thumbprint: thumbprint,
    restful: restful,
  };
}

module.exports.create = create;
separated the code into different files 2017-07-24 23:10:41 +00:00			`'use strict';`

			`var crypto = require('crypto');`
			`var PromiseA = require('bluebird');`
			`var OpErr = PromiseA.OperationalError;`

			`function makeB64UrlSafe(b64) {`
			`return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=*$/, '');`
			`}`

			`function thumbprint(jwk) {`
			`// To produce a thumbprint we need to create a JSON string with only the required keys for`
			`// the key type, with the keys sorted lexicographically and no white space. We then need`
			`// run it through a SHA-256 and encode the result in url safe base64.`
			`// https://stackoverflow.com/questions/42588786/how-to-fingerprint-a-jwk`
			`var keys;`
			`if (jwk.kty === 'EC') {`
			`keys = ['crv', 'x', 'y'];`
			`} else if (jwk.kty === 'RSA') {`
			`keys = ['e', 'n'];`
			`} else {`
			`return PromiseA.reject(new Error('invalid JWK key type ' + jwk.kty));`
			`}`
			`keys.push('kty');`
			`keys.sort();`

			`var missing = keys.filter(function (name) { return !jwk.hasOwnProperty(name); });`
			`if (missing.length > 0) {`
			`return PromiseA.reject(new Error('JWK of type '+jwk.kty+' missing fields ' + missing));`
			`}`

			`// I'm not 100% sure this behavior is guaranteed by a real standard, but when we use an array`
			`// as the replacer argument the keys are always in the order they appeared in the array.`
			`var jwkStr = JSON.stringify(jwk, keys);`
			`var hash = crypto.createHash('sha256').update(jwkStr).digest('base64');`
			`return PromiseA.resolve(makeB64UrlSafe(hash));`
			`}`

			`function create(app) {`
			`var restful = {};`
			`restful.get = function (req, res) {`
			`// The sub in params is the 3rd party PPID, but the keys are stored by the issuer PPID, so`
			`// we need to look up the issuer PPID using the 3rd party PPID.`
			`var promise = req.getSiteStore().then(function (store) {`
			`if (req.params.kid === req.experienceId) {`
			`return store.IssuerOauth3OrgPrivateKeys.get(req.experienceId);`
			`}`

			`return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }).then(function (results) {`
			`if (!results.length) {`
			`throw new OpErr("unknown PPID '"+req.params.sub+"'");`
			`}`
			`if (results.length > 1) {`
			`// This should not ever happen since there is a check for PPID collisions when saving`
			`// grants, but it's probably better to have this check anyway just incase something`
			`// happens that isn't currently accounted for.`
			`throw new OpErr('PPID collision - unable to safely retrieve keys');`
			`}`

			`return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid);`
			`});`
			`}).then(function (jwk) {`
			`if (!jwk) {`
			`throw new OpErr("no keys stored with kid '"+req.params.kid+"' for PPID "+req.params.sub);`
			`}`

			`// We need to sanitize the key to make sure we don't deliver any private keys fields if`
			`// we were given a key we could use to sign tokens on behalf of the user. We also don't`
			`// want to deliver the sub or any other PPIDs.`
			`var whitelist = [ 'kty', 'alg', 'kid', 'use' ];`
			`if (jwk.kty === 'EC') {`
			`whitelist = whitelist.concat([ 'crv', 'x', 'y' ]);`
			`} else if (jwk.kty === 'RSA') {`
			`whitelist = whitelist.concat([ 'e', 'n' ]);`
			`}`

			`var result = {};`
			`whitelist.forEach(function (key) {`
			`result[key] = jwk[key];`
			`});`
			`return result;`
			`});`

			`app.handlePromise(req, res, promise, "[issuer@oauth3.org] retrieve JWK");`
			`};`
			`restful.saveNew = function (req, res) {`
			`var jwk = req.body;`
			`var promise = thumbprint(jwk).then(function (kid) {`
			`if (jwk.kid && jwk.kid !== kid) {`
			`throw new OpErr('provided kid "'+jwk.kid+'" does not match calculated "'+kid+'"');`
			`}`
			`jwk.kid = kid;`
			`jwk.sub = req.params.sub;`

			`return req.Store.upsert(jwk.sub+'/'+jwk.kid, jwk);`
			`}).then(function () {`
			`return { success: true };`
			`});`

			`app.handlePromise(req, res, promise, "[issuer@oauth3.org] save JWK");`
			`};`

			`return {`
			`thumbprint: thumbprint,`
			`restful: restful,`
			`};`
			`}`

			`module.exports.create = create;`