in assertion/pkg/jwtvault/helpers.go [95:150]
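// JWKS builds a JSON Web Key Set from the public half of every version of the
// Vault transit key keyName mounted under transitPath.
//
// Each version becomes one jose.JSONWebKey whose KeyID is
// "vault:<transitPath>:<keyName>:v<version>", so a verifier can map a token's
// kid header back to the exact Vault key version that signed it. Only the
// PublicKey field of each version is used.
//
// The order of the returned Keys follows Go map iteration and is therefore not
// stable between calls; consumers must look keys up by KeyID, not by position.
//
// It returns an error when an argument is missing, when the Vault read fails or
// yields no data, when the response cannot be decoded, or when any version's
// public key is not a parseable PEM-encoded PKIX key. A single bad version
// fails the whole call rather than producing a partial key set.
func JWKS(vaultClient *api.Client, transitPath, keyName string) (*jose.JSONWebKeySet, error) {
	// Check arguments
	if vaultClient == nil {
		return nil, fmt.Errorf("vault client must not be nil")
	}
	if transitPath == "" {
		return nil, fmt.Errorf("transit path must not be blank")
	}
	if keyName == "" {
		return nil, fmt.Errorf("key name must not be blank")
	}

	// Retrieve transit key metadata from the mount's keys/<name> endpoint.
	tk, err := vaultClient.Logical().Read(path.Join(transitPath, "keys", keyName))
	if err != nil {
		return nil, fmt.Errorf("unable to retrieve key details: %w", err)
	}
	// A nil secret or a secret without data would otherwise decode into an
	// empty key set with no error, which a caller could mistake for "key has
	// no versions" — fail loudly instead.
	if tk == nil || tk.Data == nil {
		return nil, fmt.Errorf("returned key details are nil")
	}

	// Decode data
	var transitKey keyResponse
	if err = mapstructure.Decode(tk.Data, &transitKey); err != nil {
		return nil, fmt.Errorf("unable to decode transit key response: %w", err)
	}

	// Prepare key set. The slice is deliberately non-nil so an empty set
	// marshals as [] rather than null.
	jwks := &jose.JSONWebKeySet{
		Keys: make([]jose.JSONWebKey, 0, len(transitKey.Keys)),
	}

	// Every version present in the response is published. Any version that
	// cannot be parsed aborts the call: a silently partial key set would make
	// tokens signed with the missing version unverifiable.
	// NOTE(review): if Vault still lists retired versions in this response they
	// are published too — confirm that matches the intended rotation policy.
	for kid, keyVersion := range transitKey.Keys {
		// Decode PEM; the version is included in the error so the offending
		// key version can be identified from logs.
		block, _ := pem.Decode([]byte(keyVersion.PublicKey))
		if block == nil {
			return nil, fmt.Errorf("unable to decode public key PEM block for key version %s", kid)
		}
		// Parse key
		pub, err := x509.ParsePKIXPublicKey(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("unable to decode public key for key version %s: %w", kid, err)
		}
		// Prepare JWK. The kid embeds mount path, key name and version so a
		// token header can be traced back to the exact Vault key version.
		jwks.Keys = append(jwks.Keys, jose.JSONWebKey{
			KeyID: fmt.Sprintf("vault:%s:%s:v%s", transitPath, keyName, kid),
			Key:   pub,
		})
	}

	// No error
	return jwks, nil
}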