Download public keys if possible.

Author: sebadoom

src/public-key-download.js

@@ -0,0 +1,77 @@
+import { httpGet } from './utils.js';
+
+function getKeyFromX5c(x5c) {
+  if(!x5c) {
+    throw new Error('x5c claim not present?');
+  }
+
+  if(!(x5c instanceof Array)) {
+    x5c = [ x5c ];
+  }
+
+  let certChain = '';
+  x5c.forEach(cert => {
+    certChain += '-----BEGIN CERTIFICATE-----\n';
+    certChain += cert + '\n';
+    certChain += '-----END CERTIFICATE-----\n';
+  });
+
+  return certChain;
+}
+
+function getKeyFromX5Claims(claims) {
+  return new Promise((resolve, reject) => {
+    if(claims.x5c) {
+      resolve(getKeyFromX5c(claims.x5c));
+    } else if(claims.x5u) {
+      resolve(httpGet(claims.x5u).then(getKeyFromX5c));
+    } else {
+      reject('x5c or x5u claims not available');
+    }
+  });  
+}
+
+function getKeyFromJwkKeySetUrl(kid, url) {
+  return httpGet(url).then(data => {
+    data = JSON.parse(data);
+    
+    if(!data || !data.keys || !(data.keys instanceof Array)) {
+      throw new Error(`Could not get JWK key set from URL: ${url}`);
+    }
+
+    for(let i = 0; i < data.keys.length; ++i) {
+      const jwk = data.keys[i];
+      if(jwk.kid === kid) {
+        return getKeyFromX5Claims(jwk);
+      }
+    }
+
+    throw new Error(`Could not find key with kid ${kid} in URL: ${url}`);
+  });
+}
+
+export function downloadPublicKeyIfPossible(decodedToken) {
+  return new Promise((resolve, reject) => {
+    const header = decodedToken.header;
+    const payload = decodedToken.payload;
+
+    if(!header.alg || header.alg.indexOf('HS') === 0) {
+      reject(`Unsupported alg: ${header.alg}`);
+      return;
+    }
+
+    if(header.x5c || header.x5u) {
+      resolve(getKeyFromX5Claims(header));
+    } else if(header.jku) {
+      resolve(getKeyFromJwkKeySetUrl(header.kid, header.jku));
+    } else if(header.jwk) {
+      resolve(getKeyFromX5Claims(header.jwk));
+    } else if(header.kid && payload.iss) {
+      //Auth0-specific scheme
+      const url = payload.iss + '.well-known/jwks.json';
+      resolve(getKeyFromJwkKeySetUrl(header.kid, url));
+    } else {
+      reject('No details about key');
+    }
+  });
+}

src/utils.js

@@ -100,8 +100,3 @@ export function isValidKey(key) {
     key: key
   };
 }
-
-export function downloadPublicKeyIfPossible(decodedToken) {
-  return Promise.reject();
-}
-

src/website/editor/index.js

@@ -1,5 +1,5 @@
 import { copyTextToClipboard } from '../utils.js';
-import { downloadPublicKeyIfPossible } from '../../utils.js';
+import { downloadPublicKeyIfPossible } from '../../public-key-download.js';
 import { tooltipHandler } from './tooltip.js';
 import { tokenEditor, headerEditor, payloadEditor } from './instances.js';
 import { 
@@ -114,8 +114,8 @@ export function useDefaultToken(algorithm) {
     if(algorithm.indexOf('HS') === 0) {
       secretInput.value = defaults.secret;
     } else {
-      publicKeyTextArea.firstChild.textContent = defaults.publicKey;
-      privateKeyTextArea.firstChild.textContent = defaults.privateKey;
+      publicKeyTextArea.value = defaults.publicKey;
+      privateKeyTextArea.value = defaults.privateKey;
     }
 
     markAsValid();
@@ -203,7 +203,7 @@ function encodeToken() {
       const encoded = sign(header, payload, 
         header.alg.indexOf('HS') === 0 ?
           secretInput.value :
-          privateKeyTextArea.firstChild.textContent,
+          privateKeyTextArea.value,
           secretBase64Checkbox.checked);
 
       tokenEditor.setValue(encoded);
@@ -224,7 +224,7 @@ function decodeToken() {
       selectAlgorithm(decoded.header.alg);
       downloadPublicKeyIfPossible(decoded).then(publicKey => {
         eventManager.withDisabledEvents(() => {
-          publicKeyTextArea.firstChild.textContent = publicKey;
+          publicKeyTextArea.value = publicKey;
           verifyToken();
         });
       });
@@ -251,7 +251,7 @@ function verifyToken() {
   const publicKeyOrSecret = 
     decoded.header.alg.indexOf('HS') === 0 ?
       secretInput.value : 
-      publicKeyTextArea.firstChild.textContent;
+      publicKeyTextArea.value;
 
   if(verify(jwt, publicKeyOrSecret, secretBase64Checkbox.checked)) {
     markAsValid();