Merge pull request #5 from ravenscar/master

remove x5c check in case that we do not have trusted_certs_file
SkyLothar · Sep 13, 2015 · 6e33ee1 · 6e33ee1
2 parents b797648 + 52576da
commit 6e33ee1
Showing 1 changed file with 22 additions and 20 deletions.
diff --git a/lib/resty/jwt.lua b/lib/resty/jwt.lua
@@ -163,33 +163,35 @@ function _M.verify_jwt_obj(self, secret, jwt_obj, leeway)
             jwt_obj["reason"] = "signature mismatch: " .. jwt_obj["signature"]
         end
     elseif alg == "RS256" then
-        local x5c = jwt_obj['header']['x5c']
-        if not x5c or not x5c[1] then
-            jwt_obj["reason"] = "Unsupported RS256 key model"
-            return jwt_obj
-            -- TODO - Implement jwk and kid based models...
-        end
-
-        -- TODO Might want to add support for intermediaries that we
-        -- don't have in our trusted chain (items 2... if present)
-        local cert_str = ngx.decode_base64(x5c[1])
-        if not cert_str then
-            jwt_obj["reason"] = "Malformed x5c header"
-            return jwt_obj
-        end
-        local cert, err = evp.Cert:new(cert_str)
-        if not cert then
-            jwt_obj["reason"] = "Unable to extract signing cert from JWT: " .. err
-            return jwt_obj
-        end
-        -- Try validating against trusted CA's, then a cert passed as secret
+        local cert
         if self.trusted_certs_file ~= nil then
+            local err, x5c = jwt_obj['header']['x5c']
+            if not x5c or not x5c[1] then
+                jwt_obj["reason"] = "Unsupported RS256 key model"
+                return jwt_obj
+                -- TODO - Implement jwk and kid based models...
+            end
+
+            -- TODO Might want to add support for intermediaries that we
+            -- don't have in our trusted chain (items 2... if present)
+            local cert_str = ngx.decode_base64(x5c[1])
+            if not cert_str then
+                jwt_obj["reason"] = "Malformed x5c header"
+                return jwt_obj
+            end
+            cert, err = evp.Cert:new(cert_str)
+            if not cert then
+                jwt_obj["reason"] = "Unable to extract signing cert from JWT: " .. err
+                return jwt_obj
+            end
+            -- Try validating against trusted CA's, then a cert passed as secret
             local trusted, err = cert:verify_trust(self.trusted_certs_file)
             if not trusted then
                 jwt_obj["reason"] = "Cert used to sign the JWT isn't trusted: " .. err
                 return jwt_obj
             end
         elseif secret ~= nil then
+            local err
             cert, err = evp.Cert:new(secret)
             if not cert then
                 jwt_obj["reason"] = "Decode secret is not a valid cert: " .. err