
@eqxjs/azure-manage-identity


For getting Azure Key Vault secrets

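"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyJWTToken = verifyJWTToken;
exports.verifyJWTTokenBySecret = verifyJWTTokenBySecret;
exports.signJWTToken = signJWTToken;
const keyvault_keys_1 = require("@azure/keyvault-keys");
const jwt = require("jsonwebtoken");
const jwkToPem = require('jwk-to-pem');
const confidential_mgnt_1 = require("../confidential.mgnt");
const secret_get_1 = require("../secret/secret.get");
const base64url_1 = require("base64url");
const util_1 = require("util");
const node_crypto_1 = require("node:crypto");
const node_buffer_1 = require("node:buffer");

/**
 * Node `crypto` hash name matching a Key Vault signature algorithm.
 *
 * Key Vault's `sign`/`verify` take a precomputed digest, so that digest must be
 * produced with the hash the algorithm is defined over (RS384 -> SHA-384,
 * PS512 -> SHA-512, ...). Hashing with SHA-256 for every algorithm, as this
 * module previously did, makes any non-*256 algorithm fail or verify the wrong
 * thing. Unrecognised names fall back to SHA-256, the previous behaviour.
 *
 * @param {string} algorithm - Key Vault signature algorithm name (RS256, PS384, ES512, ES256K, ...).
 * @returns {'sha256'|'sha384'|'sha512'} hash name for `crypto.createHash`.
 */
function digestNameFor(algorithm) {
    const name = String(algorithm).toUpperCase();
    if (name.endsWith('384')) {
        return 'sha384';
    }
    if (name.endsWith('512')) {
        return 'sha512';
    }
    // RS256, PS256, ES256, ES256K and anything unrecognised.
    return 'sha256';
}

/**
 * Opens a Key Vault `CryptographyClient` for `keyName` in the vault at `keyURL`,
 * authenticating with this module's client-assertion credential.
 *
 * @param {string} keyURL - Key Vault URL.
 * @param {string} keyName - name of the key in the vault.
 * @returns {Promise<import("@azure/keyvault-keys").CryptographyClient>}
 */
async function cryptographyClientFor(keyURL, keyName) {
    const credential = new confidential_mgnt_1.MyClientAssertionCredential();
    const keysClient = new keyvault_keys_1.KeyClient(keyURL, credential);
    const vaultKey = await keysClient.getKey(keyName);
    return new keyvault_keys_1.CryptographyClient(vaultKey, credential);
}

/**
 * Verifies a compact JWT's signature against a Key Vault key.
 *
 * Only the signature is checked. The token's own `alg` header is ignored in
 * favour of the caller-supplied `algorithm`, so a token cannot pick the
 * algorithm it is checked with; no claims (`exp`, `nbf`, `aud`, `iss`, ...) are
 * validated here, callers must do that themselves after a successful verify.
 *
 * @param {string} keyURL - Key Vault URL.
 * @param {string} keyName - name of the key in the vault.
 * @param {string} algorithm - Key Vault signature algorithm the signature must verify under (e.g. 'RS256').
 * @param {string} jwtToken - compact-serialised JWT `header.payload.signature`.
 * @returns {Promise<import("@azure/keyvault-keys").VerifyResult>} Key Vault verify result;
 *   its `result` property is the boolean outcome.
 * @throws {Error} when the token does not have exactly three dot-separated segments.
 */
async function verifyJWTToken(keyURL, keyName, algorithm, jwtToken) {
    const jwtArray = jwtToken.split('.');
    if (jwtArray.length !== 3) {
        // The token is a bearer credential and error messages end up in logs,
        // so report its shape rather than echoing it.
        throw new Error(`Invalid JWT: expected 3 segments, got ${jwtArray.length}`);
    }
    // Validate the shape before touching the network.
    const cryptographyClient = await cryptographyClientFor(keyURL, keyName);
    const signature = base64url_1.default.toBuffer(jwtArray[2]);
    // The JWS signing input is the first two segments joined by '.'.
    const data = (0, util_1.format)('%s.%s', jwtArray[0], jwtArray[1]);
    const digest = (0, node_crypto_1.createHash)(digestNameFor(algorithm)).update(data).digest();
    return cryptographyClient.verify(algorithm, digest, signature);
}

/**
 * Verifies a JWT against a JWK Set stored as a Key Vault secret.
 *
 * The secret's value must be a JSON object with a `keys` array (a JWKS). Each
 * key is converted to PEM and tried in turn with `jsonwebtoken.verify`, which
 * also applies its default time-claim checks (`exp`, `nbf`). The algorithm is
 * pinned to RS256 so the token's `alg` header cannot select a weaker check.
 *
 * @param {string} keyURL - Key Vault URL.
 * @param {string} secretName - name of the secret holding the JWKS.
 * @param {string} jwtToken - compact-serialised JWT.
 * @returns {Promise<{result: boolean, keyID: string}>} `result` is true when a key
 *   verified the token; `keyID` is that key's `kid`, or "" if the JWK has none.
 * @throws {Error} when the secret is not a JWKS, or when no key verifies the
 *   token (the message carries the last verification failure).
 */
async function verifyJWTTokenBySecret(keyURL, secretName, jwtToken) {
    const secret = await (0, secret_get_1.getSecret)(keyURL, secretName);
    const returnCode = { result: false, keyID: "" };
    const publicKey = JSON.parse(secret.value);
    if (!publicKey || !Array.isArray(publicKey.keys)) {
        // Do not echo the secret's value: even a public JWKS is vault content
        // and does not belong in logs.
        throw new Error('Invalid public key: secret is not a JWK Set with a "keys" array');
    }
    let lastError = '';
    for (const jwk of publicKey.keys) {
        try {
            const pem = jwkToPem(jwk);
            jwt.verify(jwtToken, pem, { algorithms: ['RS256'] });
            returnCode.result = true;
            returnCode.keyID = typeof jwk.kid === 'string' ? jwk.kid : "";
            break; // first verifying key wins
        } catch (error) {
            // Covers both jwkToPem (unsupported key type) and jwt.verify failures;
            // keep trying the remaining keys.
            lastError = `Verify token error ${error}`;
        }
    }
    if (!returnCode.result) {
        // An empty `keys` array never sets lastError; say so instead of throwing "".
        throw new Error(lastError || 'Verify token error: JWK Set contains no usable keys');
    }
    return returnCode;
}

/**
 * Signs `payload` with a Key Vault key and returns the raw signature.
 *
 * This returns only the base64url-encoded signature, not a complete JWT;
 * `payload` is hashed (with the digest matching `algorithm`) and signed as-is.
 *
 * @param {string} keyURL - Key Vault URL.
 * @param {string} keyName - name of the key in the vault.
 * @param {string} algorithm - Key Vault signature algorithm (e.g. 'RS256').
 * @param {string|Buffer} payload - bytes to sign.
 * @returns {Promise<string>} base64url-encoded signature.
 */
async function signJWTToken(keyURL, keyName, algorithm, payload) {
    const cryptographyClient = await cryptographyClientFor(keyURL, keyName);
    const digest = (0, node_crypto_1.createHash)(digestNameFor(algorithm)).update(payload).digest();
    const signed = await cryptographyClient.sign(algorithm, digest);
    return base64url_1.default.encode(node_buffer_1.Buffer.from(signed.result));
}
//# sourceMappingURL=jwt.verify.js.map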