Skip to content

Instantly share code, notes, and snippets.

@iscander
Forked from sam-w/keys-and-jwts.go
Created November 21, 2024 13:06
Show Gist options
  • Save iscander/426dcd1fe208886928d6bf5517dc92f2 to your computer and use it in GitHub Desktop.
Save iscander/426dcd1fe208886928d6bf5517dc92f2 to your computer and use it in GitHub Desktop.
Golang RSA Keys and JWTs
import (
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"errors"
"fmt"
"time"
"gopkg.in/square/go-jose.v2"
"gopkg.in/square/go-jose.v2/jwt"
)
func foo() string {
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
panic(err)
}
// Export the keys to pem string
privatePem := exportRsaPrivateKeyAsPemStr(privateKey)
publicPem, _ := exportRsaPublicKeyAsPemStr(&privateKey.PublicKey)
// Import the keys from pem string
privateParsed, _ := parseRsaPrivateKeyFromPemStr(privatePem)
publicParsed, _ := parseRsaPublicKeyFromPemStr(publicPem)
// Export the newly imported keys
privateParsedPem := exportRsaPrivateKeyAsPemStr(privateParsed)
publicParsedPem, _ := exportRsaPublicKeyAsPemStr(publicParsed)
// Check that the exported/imported keys match the original keys
if privatePem != privateParsedPem || publicPem != publicParsedPem {
panic("Failure: Export and Import did not result in same Keys")
}
// Instantiate a signer using RSASHA256 with the given private key.
signer, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.RS256, Key: privateKey}, (&jose.SignerOptions{}).WithType("JWT"))
if err != nil {
panic(err)
}
claims := jwt.Claims{
Subject: "abc123",
Issuer: "consumer-app-layer",
IssuedAt: jwt.NewNumericDate(time.Now()),
Expiry: jwt.NewNumericDate(time.Now().Add(36000)),
ID: "OUI5MzlEQjBFMTA3OUExMTg4MTkyNUQzMUFCMDYyREM3NkUwNkUyMA",
Audience: jwt.Audience{"Old Robby Bobson"},
}
privateClaims := struct {
Nickname string `json:"nickname"`
Name string `json:"name"`
ParseSessionToken string `json:"X-Parse-Session-Token"`
}{
"Bob",
"Robert Bobson",
"def456",
}
// NOW VALIDATE IT
token, err := jwt.Signed(signer).Claims(claims).Claims(privateClaims).Token()
if err != nil {
panic(err)
}
containedClaims := jwt.Claims{}
key := &privateKey.PublicKey
if err = token.Claims(key, &containedClaims); err != nil {
panic(err)
}
expected := jwt.Expected{Issuer: "consumer-app-layer", Audience: []string{"Old Robby Bobson"}}.WithTime(time.Now())
err = claims.ValidateWithLeeway(expected, 1*time.Minute)
if err != nil {
panic(err)
}
raw, err := jwt.Signed(signer).Claims(claims).Claims(privateClaims).CompactSerialize()
if err != nil {
panic(err)
}
return raw
}
func exportRsaPrivateKeyAsPemStr(p *rsa.PrivateKey) string {
bytes := x509.MarshalPKCS1PrivateKey(p)
pem := pem.EncodeToMemory(
&pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: bytes,
},
)
return string(pem)
}
func parseRsaPrivateKeyFromPemStr(p string) (*rsa.PrivateKey, error) {
block, _ := pem.Decode([]byte(p))
if block == nil {
return nil, errors.New("failed to parse PEM block containing the key")
}
key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
if err != nil {
return nil, err
}
return key, nil
}
func exportRsaPublicKeyAsPemStr(p *rsa.PublicKey) (string, error) {
bytes, err := x509.MarshalPKIXPublicKey(p)
if err != nil {
return "", err
}
pem := pem.EncodeToMemory(
&pem.Block{
Type: "RSA PUBLIC KEY",
Bytes: bytes,
},
)
return string(pem), nil
}
func parseRsaPublicKeyFromPemStr(p string) (*rsa.PublicKey, error) {
block, _ := pem.Decode([]byte(p))
if block == nil {
return nil, errors.New("failed to parse PEM block containing the key")
}
key, err := x509.ParsePKIXPublicKey(block.Bytes)
if err != nil {
return nil, err
}
switch key := key.(type) {
case *rsa.PublicKey:
return key, nil
default:
break // fall through
}
return nil, errors.New("Key type is not RSA")
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment