(ctx *cli.Context)
| 88 | } |
| 89 | |
| 90 | func verifyAction(ctx *cli.Context) error { |
| 91 | token, err := utils.ReadString(os.Stdin) |
| 92 | if err != nil { |
| 93 | return errors.Wrap(err, "error reading token") |
| 94 | } |
| 95 | |
| 96 | tok, err := jose.ParseJWS(token) |
| 97 | if err != nil { |
| 98 | return errors.Errorf("error parsing token: %s", jose.TrimPrefix(err)) |
| 99 | } |
| 100 | |
| 101 | // We don't support multiple signatures |
| 102 | if len(tok.Signatures) > 1 { |
| 103 | return errors.New("validation failed: multiple signatures are not supported") |
| 104 | } |
| 105 | |
| 106 | // Validate key, jwks and kid |
| 107 | key := ctx.String("key") |
| 108 | jwks := ctx.String("jwks") |
| 109 | kid := ctx.String("kid") |
| 110 | alg := ctx.String("alg") |
| 111 | switch { |
| 112 | case key == "" && jwks == "": |
| 113 | return errs.RequiredOrFlag(ctx, "key", "jwks") |
| 114 | case key != "" && jwks != "": |
| 115 | return errs.MutuallyExclusiveFlags(ctx, "key", "jwks") |
| 116 | case jwks != "" && kid == "": |
| 117 | if tok.Signatures[0].Header.KeyID == "" { |
| 118 | return errs.RequiredWithFlag(ctx, "kid", "jwks") |
| 119 | } |
| 120 | kid = tok.Signatures[0].Header.KeyID |
| 121 | } |
| 122 | |
| 123 | // Add parse options |
| 124 | var options []jose.Option |
| 125 | options = append(options, jose.WithUse("sig")) |
| 126 | if alg != "" { |
| 127 | options = append(options, jose.WithAlg(alg)) |
| 128 | } |
| 129 | if kid != "" { |
| 130 | options = append(options, jose.WithKid(kid)) |
| 131 | } |
| 132 | if !ctx.Bool("insecure") { |
| 133 | options = append(options, jose.WithNoDefaults(true)) |
| 134 | } |
| 135 | |
| 136 | // Read key from --key or --jwks |
| 137 | var jwk *jose.JSONWebKey |
| 138 | switch { |
| 139 | case key != "": |
| 140 | jwk, err = jose.ReadKey(key, options...) |
| 141 | case jwks != "": |
| 142 | jwk, err = jose.ReadKeySet(jwks, options...) |
| 143 | default: |
| 144 | return errs.RequiredOrFlag(ctx, "key", "jwks") |
| 145 | } |
| 146 | if err != nil { |
| 147 | return err |