auth: fix token verification chain (#4415)
This commit is contained in:
commit
f0bd0f6899
@ -162,7 +162,7 @@ func (t *Token) Verify(verifyOpts VerifyOptions) (*ClaimSet, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// VerifySigningKey attempts to verify and return the signing key which was used to sign the token.
|
// VerifySigningKey attempts to verify and return the signing key which was used to sign the token.
|
||||||
func (t *Token) VerifySigningKey(verifyOpts VerifyOptions) (signingKey crypto.PublicKey, err error) {
|
func (t *Token) VerifySigningKey(verifyOpts VerifyOptions) (crypto.PublicKey, error) {
|
||||||
if len(t.JWT.Headers) == 0 {
|
if len(t.JWT.Headers) == 0 {
|
||||||
return nil, ErrInvalidToken
|
return nil, ErrInvalidToken
|
||||||
}
|
}
|
||||||
@ -172,26 +172,27 @@ func (t *Token) VerifySigningKey(verifyOpts VerifyOptions) (signingKey crypto.Pu
|
|||||||
// verifying the first one in the list only at the moment.
|
// verifying the first one in the list only at the moment.
|
||||||
header := t.JWT.Headers[0]
|
header := t.JWT.Headers[0]
|
||||||
|
|
||||||
signingKey, err = verifyCertChain(header, verifyOpts.Roots)
|
signingKey, err := verifyCertChain(header, verifyOpts.Roots)
|
||||||
// NOTE(milosgajdos): if the x5c header is missing
|
if err != nil {
|
||||||
// the token may have been signed by a JWKS.
|
// NOTE(milosgajdos): if the x5c header is missing
|
||||||
if err != nil && err != jose.ErrMissingX5cHeader {
|
// the token may have been signed by a JWKS.
|
||||||
return
|
if errors.Is(err, jose.ErrMissingX5cHeader) {
|
||||||
}
|
switch {
|
||||||
|
case header.JSONWebKey != nil:
|
||||||
switch {
|
return verifyJWK(header, verifyOpts)
|
||||||
case header.JSONWebKey != nil:
|
case header.KeyID != "":
|
||||||
signingKey, err = verifyJWK(header, verifyOpts)
|
if signingKey, ok := verifyOpts.TrustedKeys[header.KeyID]; ok {
|
||||||
case len(header.KeyID) > 0:
|
return signingKey, nil
|
||||||
signingKey = verifyOpts.TrustedKeys[header.KeyID]
|
}
|
||||||
if signingKey == nil {
|
return nil, fmt.Errorf("token signed by untrusted key with ID: %q", header.KeyID)
|
||||||
err = fmt.Errorf("token signed by untrusted key with ID: %q", header.KeyID)
|
default:
|
||||||
|
return nil, ErrInvalidToken
|
||||||
|
}
|
||||||
}
|
}
|
||||||
default:
|
return nil, err
|
||||||
err = ErrInvalidToken
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return
|
return signingKey, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func verifyCertChain(header jose.Header, roots *x509.CertPool) (signingKey crypto.PublicKey, err error) {
|
func verifyCertChain(header jose.Header, roots *x509.CertPool) (signingKey crypto.PublicKey, err error) {
|
||||||
|
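Review bot: The `kid` branch now trusts map presence alone: `if signingKey, ok := verifyOpts.TrustedKeys[header.KeyID]; ok { return signingKey, nil }` returns `(nil, nil)` when the trusted-keys map holds a nil value for that ID, whereas the removed `if signingKey == nil` guard turned that into the "untrusted key" error; the caller would then treat a nil public key as a verified one. Keep the old guard in the new form, `if signingKey, ok := verifyOpts.TrustedKeys[header.KeyID]; ok && signingKey != nil {`, so a misconfigured entry still fails closed with the existing error. Since the x5c chain no longer falls through into the JWK/kid lookup, the doc comment on VerifySigningKey (first hunk) should state the precedence: the x5c certificate chain is verified against verifyOpts.Roots first, and only when the x5c header is absent is an embedded JWK, then a trusted key by kid, consulted. VerifySigningKey begins in the first hunk and verifyCertChain's body continues past the end of this one.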