support for local CA added

.gitignore

@@ -1,2 +1,4 @@
 vendor
 coverage.out
+cert.pem
+key.pem

Makefile

@@ -13,4 +13,5 @@ deps:
 	dep status
 
 test:
+	go generate
 	go test -cover ./...

jose.go

@@ -28,15 +28,22 @@ func NewValidator(signatureConfig *SignatureConfig, ef ExtractorFactory) (*auth0
 	}
 
 	cfg := SecretProviderConfig{
-		URI:          signatureConfig.URI,
-		CacheEnabled: signatureConfig.CacheEnabled,
-		Cs:           signatureConfig.CipherSuites,
-		Fingerprints: decodedFs,
+		URI:           signatureConfig.URI,
+		CacheEnabled:  signatureConfig.CacheEnabled,
+		Cs:            signatureConfig.CipherSuites,
+		Fingerprints:  decodedFs,
+		LocalCA:       signatureConfig.LocalCA,
+		AllowInsecure: signatureConfig.DisableJWKSecurity,
+	}
+
+	sp, err := SecretProvider(cfg, te)
+	if err != nil {
+		return nil, err
 	}
 
 	return auth0.NewValidator(
 		auth0.NewConfiguration(
-			SecretProvider(cfg, te),
+			sp,
 			signatureConfig.Audience,
 			signatureConfig.Issuer,
 			sa,

jwk.go

@@ -9,6 +9,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
@@ -18,24 +19,39 @@ import (
 )
 
 type SecretProviderConfig struct {
-	URI          string
-	CacheEnabled bool
-	Fingerprints [][]byte
-	Cs           []uint16
+	URI           string
+	CacheEnabled  bool
+	Fingerprints  [][]byte
+	Cs            []uint16
+	LocalCA       string
+	AllowInsecure bool
 }
 
 var (
 	ErrInsecureJWKSource = errors.New("JWK client is using an insecure connection to the JWK service")
 	ErrPinnedKeyNotFound = errors.New("JWK client did not find a pinned key")
 )
 
-func SecretProvider(cfg SecretProviderConfig, te auth0.RequestTokenExtractor) *auth0.JWKClient {
+func SecretProvider(cfg SecretProviderConfig, te auth0.RequestTokenExtractor) (*auth0.JWKClient, error) {
 	if len(cfg.Cs) == 0 {
 		cfg.Cs = DefaultEnabledCipherSuites
 	}
 
 	dialer := NewDialer(cfg)
 
+	rootCAs, _ := x509.SystemCertPool()
+	if rootCAs == nil {
+		rootCAs = x509.NewCertPool()
+	}
+
+	if cfg.LocalCA != "" {
+		certs, err := ioutil.ReadFile(cfg.LocalCA)
+		if err != nil {
+			return nil, fmt.Errorf("Failed to append %q to RootCAs: %v", cfg.LocalCA, err)
+		}
+		rootCAs.AppendCertsFromPEM(certs)
+	}
+
 	transport := &http.Transport{
 		Proxy:                 http.ProxyFromEnvironment,
 		DialContext:           dialer.DialContext,
@@ -44,8 +60,10 @@ func SecretProvider(cfg SecretProviderConfig, te auth0.RequestTokenExtractor) *a
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 		TLSClientConfig: &tls.Config{
-			CipherSuites: cfg.Cs,
-			MinVersion:   tls.VersionTLS12,
+			CipherSuites:       cfg.Cs,
+			MinVersion:         tls.VersionTLS12,
+			InsecureSkipVerify: cfg.AllowInsecure,
+			RootCAs:            rootCAs,
 		},
 	}
 
@@ -61,10 +79,10 @@ func SecretProvider(cfg SecretProviderConfig, te auth0.RequestTokenExtractor) *a
 	}
 
 	if !cfg.CacheEnabled {
-		return auth0.NewJWKClient(opts, te)
+		return auth0.NewJWKClient(opts, te), nil
 	}
 	keyCacher := auth0.NewMemoryKeyCacher(15*time.Minute, 100)
-	return auth0.NewJWKClientWithCache(opts, te, keyCacher)
+	return auth0.NewJWKClientWithCache(opts, te, keyCacher), nil
 }
 
 func DecodeFingerprints(in []string) ([][]byte, error) {

jwk_test.go

@@ -1,13 +1,21 @@
+//go:generate go run $GOROOT/src/crypto/tls/generate_cert.go --rsa-bits 1024 --host 127.0.0.1,::1,localhost --ca --start-date "Jan 1 00:00:00 1970" --duration=1000000h
 package jose
 
 import (
+	"crypto/tls"
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 )
 
 func TestJWK(t *testing.T) {
+	cert, err := tls.LoadX509KeyPair("cert.pem", "key.pem")
+	if err != nil {
+		t.Error(err)
+		return
+	}
+
 	for _, tc := range []struct {
 		Name string
 		Alg  string
@@ -37,9 +45,15 @@ func TestJWK(t *testing.T) {
 			Alg:  "HS256",
 		},
 	} {
-		server := httptest.NewServer(jwkEndpoint(tc.Name))
+		server := httptest.NewUnstartedServer(jwkEndpoint(tc.Name))
 		defer server.Close()
-		secretProvidr := SecretProvider(SecretProviderConfig{URI: server.URL}, nil)
+		server.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
+		server.StartTLS()
+
+		secretProvidr, err := SecretProvider(SecretProviderConfig{URI: server.URL, LocalCA: "cert.pem"}, nil)
+		if err != nil {
+			t.Error(err)
+		}
 		for _, k := range tc.ID {
 			key, err := secretProvidr.GetKey(k)
 			if err != nil {

jws.go

@@ -29,6 +29,7 @@ type SignatureConfig struct {
 	CipherSuites       []uint16 `json:"cipher_suites,omitempty"`
 	DisableJWKSecurity bool     `json:"disable_jwk_security"`
 	Fingerprints       []string `json:"jwk_fingerprints,omitempty"`
+	LocalCA            string   `json:"jwk_local_ca,omitempty"`
 }
 
 type SignerConfig struct {
@@ -40,6 +41,7 @@ type SignerConfig struct {
 	CipherSuites       []uint16 `json:"cipher_suites,omitempty"`
 	DisableJWKSecurity bool     `json:"disable_jwk_security"`
 	Fingerprints       []string `json:"jwk_fingerprints,omitempty"`
+	LocalCA            string   `json:"jwk_local_ca,omitempty"`
 }
 
 var (
@@ -95,12 +97,17 @@ func NewSigner(cfg *config.EndpointConfig, te auth0.RequestTokenExtractor) (*Sig
 	}
 
 	spcfg := SecretProviderConfig{
-		URI:          signerCfg.URI,
-		Cs:           signerCfg.CipherSuites,
-		Fingerprints: decodedFs,
+		URI:           signerCfg.URI,
+		Cs:            signerCfg.CipherSuites,
+		Fingerprints:  decodedFs,
+		LocalCA:       signerCfg.LocalCA,
+		AllowInsecure: signerCfg.DisableJWKSecurity,
 	}
 
-	sp := SecretProvider(spcfg, te)
+	sp, err := SecretProvider(spcfg, te)
+	if err != nil {
+		return signerCfg, nopSigner, err
+	}
 	key, err := sp.GetKey(signerCfg.KeyID)
 	if err != nil {
 		return signerCfg, nopSigner, err

jws_test.go

@@ -189,7 +189,11 @@ func testPrivateSigner(t *testing.T, keyType, keyName, full, compact string) {
 	server := httptest.NewServer(jwkEndpoint(keyType))
 	defer server.Close()
 
-	sp := SecretProvider(SecretProviderConfig{URI: server.URL}, nil)
+	sp, err := SecretProvider(SecretProviderConfig{URI: server.URL}, nil)
+	if err != nil {
+		t.Error(err)
+		return
+	}
 	key, err := sp.GetKey(keyName)
 	if err != nil {
 		t.Errorf("getting the key: %s", err.Error())