Fixes #272: we now support plain RSA public keys without the X.509

sebadoom · sebadoom · commit 375c9e187023 · 2018-03-26T22:26:19.000-03:00
SubjectPublicKeyInfo header.
diff --git a/src/editor/jwt.js b/src/editor/jwt.js
@@ -5,7 +5,9 @@ import {
   KEYUTIL,
   b64utoutf8,
   b64utohex,
-  utf8tohex 
+  utf8tohex, 
+  b64tohex,
+  ASN1HEX
 } from 'jsrsasign';
 
 import log from 'loglevel';
@@ -28,6 +30,44 @@ export function sign(header,
   }
 }
 
+/**
+ * This function takes a PEM string with a public key and returns a
+ * jsrsasign key object (RSAKey, KJUR.crypto.DSA, KJUR.crypto.ECDSA). It also
+ * handles plain RSA keys not wrapped in a X.509 SubjectPublicKeyInfo
+ * structure.
+ * See: https://stackoverflow.com/questions/18039401/how-can-i-transform-between-the-two-styles-of-public-key-format-one-begin-rsa
+ * @param {String} publicKey The public key as a PEM string.
+ * @returns {Object} The public key as a jsrsasign key object.
+ */
+function getPublicKeyObject(publicKey) {
+  try {
+    const startTag = '-----BEGIN RSA PUBLIC KEY-----';
+    const endTag = '-----END RSA PUBLIC KEY-----';
+    const startTagPos = publicKey.indexOf(startTag);
+    const endTagPos = publicKey.indexOf(endTag);
+      
+    if(startTagPos !== -1 && endTagPos !== -1) {
+      const plainDataBase64 =
+      publicKey.substr(0, endTagPos)
+               .substr(startTagPos + startTag.length);
+    
+      const plainDataDER = b64tohex(plainDataBase64);
+
+      const barePublicKey = {
+        n: ASN1HEX.getVbyList(plainDataDER, 0, [0], '02'),
+        e: ASN1HEX.getVbyList(plainDataDER, 0, [1], '02')
+      };
+
+      return KEYUTIL.getKey(barePublicKey);
+    }
+  } catch(e) {
+    log.error('Failed to make public key into X.509 ' + 
+              'SubjectPublicKeyInfo key:', e);
+  }
+
+  return KEYUTIL.getKey(publicKey);
+}
+
 export function verify(jwt, secretOrPublicKeyString, base64Secret = false) {
   if(!isToken(jwt)) {
     return false;
@@ -46,11 +86,12 @@ export function verify(jwt, secretOrPublicKeyString, base64Secret = false) {
           b64utohex(secretOrPublicKeyString) : 
           utf8tohex(secretOrPublicKeyString));
     } else {
-      return jws.JWS.verify(jwt, secretOrPublicKeyString);
+      const publicKeyObject = getPublicKeyObject(secretOrPublicKeyString);
+      return jws.JWS.verify(jwt, publicKeyObject);
     }
   } catch(e) {
     log.warn('Could not verify token, ' +
-                  'probably due to bad data in it or the keys: ', e);
+             'probably due to bad data in it or the keys: ', e);
     return false;
   }
 }
diff --git a/test/unit/editor/jwt.js b/test/unit/editor/jwt.js
@@ -9,6 +9,13 @@ import { should } from 'chai';
 
 should();
 
+const publicKeyPlainRSA =
+`-----BEGIN RSA PUBLIC KEY-----
+MIGJAoGBAN2Vq1GNGOiCjdaiOAYcUdgu6B1RYBj2JHd/LhqtY0DUqhLyRXDfdwmJ
+tevxu/BQBSlqsLCW91sfp28Q5+i7T+AIVCwdR9CtIO/4y5JQwB7yPMoTipb6Mr7F
+BT1rTcZScoeSSV75DSlf+DqNdnuvX/EArkOjaRD5fnEr1yKlGAQrAgMBAAE=
+-----END RSA PUBLIC KEY-----`;
+
 describe('JWT', function() {
   it('detects tokens', function() {
     jwt.isToken('skdjf9238ujdhkf.asdfasdf2.sdsdffsfsd').should.be.false;
@@ -97,7 +104,7 @@ describe('JWT', function() {
     }
   });
 
-  it('signs tokens (HS256)', function() {
+  it('signs/verifies tokens (HS256)', function() {
     const header = {
       alg: 'HS256'
     };
@@ -118,7 +125,7 @@ describe('JWT', function() {
     decoded.payload.should.deep.equal(payload);
   });
 
-  it('signs tokens (RS256)', function() {
+  it('signs/verifies tokens (RS256)', function() {
     const header = {
       alg: 'RS256'
     };
@@ -139,7 +146,7 @@ describe('JWT', function() {
     decoded.payload.should.deep.equal(payload);
   });
 
-  it('signs tokens (ES256)', function() {
+  it('signs/verifies tokens (ES256)', function() {
     const header = {
       alg: 'ES256'
     };
@@ -160,7 +167,7 @@ describe('JWT', function() {
     decoded.payload.should.deep.equal(payload);
   });
 
-  it('signs tokens (PS256)', function() {
+  it('signs/verifies tokens (PS256)', function() {
     const header = {
       alg: 'PS256'
     };
@@ -180,4 +187,17 @@ describe('JWT', function() {
     decoded.header.should.deep.equal(header);
     decoded.payload.should.deep.equal(payload);
   });
+
+  it('verifies tokens (RS256) using a plain RSA public key', function() {
+    const header = {
+      alg: 'RS256'
+    };
+    const payload = {
+      sub: 'test'
+    };
+
+    const token = jwt.sign(header, payload, tokens.rs256.privateKey);
+    
+    jwt.verify(token, publicKeyPlainRSA).should.be.true;
+  });
 });
