ParseApiServerJwt outdated? #159

Open
awesterb opened this issue Jun 14, 2021 · 4 comments

Comments

@awesterb
Contributor

It seems ParseApiServerJwt no longer works:

package main

import (
        "crypto/rsa"
        "crypto/x509"
        "encoding/pem"
        "fmt"
        irma "github.com/privacybydesign/irmago"
)

func main() {
        pkPem, _ := pem.Decode([]byte(`-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA+UT9iuCxNHkKe9PCdL0s
Gn+sHPvdMFyRLa+Ho/AYrOzOzdf/gF08EoyDmexYXX6Xcm1DW8i+JrihVHiXZ9Ny
Zm9pNb3WIR2PGOloWVSmYALwWIsb3gvsnpWNtxu563uHNBMkzIyys8DBr0UYuk/F
208bFFOf/Tbb+X+hUSkLvuJOHgNnl186IFBLwlejzJemTiD+15katashLo3Tp3WV
kiLUo5CF4/mCHvKKPtBnUAlkt8uzbJ/7LG1Kc7rK1H9Gg8ar4AfIu5vE75/1wo2L
l75MMWw6zWCNt6VBUD+rLg9Vo65A+jqrGtggD7zFm7zhc7OniT4We3nZaqWOFd8j
b3bW86mgQB/5Qd4S0Cq/LdLw7Gi+jZ4sY7saSmTmrYwnkK60ApodK1PmIKyk0qUL
reY0ecovQdXeVCG74aGC3fulTXkuVlVxxRchjh06P6nyVNEHKtKmdrO1oAxXLC+P
61/B+JvMigprricVHabttd3ArwXFx63jijvuRaI/wK7JEWhSjiONc8CES4+u/fLm
IOn22MXzFT7cSbPkQ/9Rbvv1O8P1DYVSJuuRAGJ5JFnjz6phJ8MgIVU0VGgLixNb
i1ruQJFH8FUiP6wyyqJ7/XYh3xx4y9/0LSUX52VcIBUzDRe6O2guihcf4WSOVbzD
qcHA5hRXJw9KCluxWzSyMiUCAwEAAQ==
-----END PUBLIC KEY-----`))
        pkI, _ := x509.ParsePKIXPublicKey(pkPem.Bytes)
        pk, _ := pkI.(*rsa.PublicKey)
        _, err := irma.ParseApiServerJwt("eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.4PCR5DuiVmMicpdt8B-PfYxpHCAlrYFio40vSgp0PUcEK8WDP7R3Ti6OVf0770eFoewiHgTqU-7YmaaG4-oJeZOY1RPLMjS3AS1-za5SVjZwfK7Us7KUS_p30_zNdRw-0cfQhkQFZjWTLMY5-uRKnEHdWBpl1zrvplKrsrzUNpdOR-T0nyMZyJaiAXioPUPei5fu2vmXm-5RjOUw_9CuOSkvZO9fsOQ0UnPJ-H29YjG7k9A6mQMiqYTRSsEOItJ9ciROopm8jEX5KQNpc4SvfgBhfMG3mTOF7qyEtlVNxDAQkFSp2d6YlnjBnKg9WRJFNDaqd7G0mC7DhMWW8gsIKcXsJ1znX_QaDDuyGojk8zAaeLWD-RVwYzFiokl8cBKQGFEhLQN83P25C9i3_CULum2gr6oCjIq2PXu7KLFuaEMko0McIe1qjyedqguwlaTuy4TiXaYBiUbAZNgUhUR1y1udAOZ8xfPmVVkLqHheZmixBL6SBOXCXxCL0JBlxDsyzYL6vJ-iftRJ2tPJ8x87-cc9lyzZtqBm23oK2UTttydMuJnyo2B5qPOpLy_m4cGTzJnpx3Jhkad0pX8BdFXPEv4fCvPlfQjguhv7JHuMzcuAB_wvKmQeSCJ78P9R31Ba239f-PJEzhdvl9yWHweVFL0pe0G7X7GqPgM1Pt9C5-M", pk)
        fmt.Println(err) // json: cannot unmarshal object into Go value of type jwt.Claims
}

@awesterb
Contributor Author

The problem appears to be that this function is used nowhere, and so has not been updated for some time. Take for example the use of disclosure_result instead of disclosing_result in:

if claims.Subject != "disclosure_result" {

@sietseringers
Member

In fact the problem is that on line 455 the claims are passed directly, but instead a pointer to it should be passed.

However, fixing that will not help you unfortunately. This function was intended to be used for JWTs emitted by the now deprecated predecessor of the irma server, the irma_api_server. That server emits JWTs having a different structure than your JWT, so this function will always return an empty map in your case. This is also the reason why this function is not used elsewhere in the code.

We don't currently seem to have a function for parsing modern JWTs. However, the following should work:

// inputJwt is the token string; signingKey is the irma server's public key.
// jwt is the JWT library irmago uses (StandardClaims); server is irmago/server.
claims := &struct {
    jwt.StandardClaims
    *server.SessionResult
}{}
_, err := jwt.ParseWithClaims(inputJwt, claims, func(token *jwt.Token) (interface{}, error) {
    return signingKey, nil
})

Thanks for pointing this out, anyway. We'll either fix this bug or perhaps remove this function altogether, since the irma_api_server has been deprecated for so long now.

@awesterb
Contributor Author

Thanks for the explanation; I was suspecting something like that. It would be useful though to have an authoritative way to check modern JWTs, be it in irmago or elsewhere. The example code does not check proofStatus is valid, right?

@sietseringers
Member

Yes, that's right. I see how such code would be useful, but it would apply not just to JWTs (which contain a *server.SessionResult) but to *server.SessionResult instances in general, so that's a bigger issue. We'll look at adding such a function.
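A stand-alone version of the check this thread asks for, added here as an illustration; it is neither irmago's code nor the maintainers' snippet above. It verifies an RS256 session-result JWT with the Go standard library only, then checks the subject, expiry and proofStatus, so a token that is merely well-signed but carries an INVALID proof is rejected. The sub/iat/exp claim names are the RFC 7519 registered claims; the proofStatus field name and the "VALID" value follow the thread's terminology, but the exact layout of a real irma server token is an assumption here, as is the demo key pair and the constructed tokens. It goes slightly beyond the snippet above by pinning the algorithm and by rejecting a token whose payload does not match its signature.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ResultClaims is the subset of a session-result JWT that the check needs.
// sub/iat/exp are RFC 7519 registered claims; the proofStatus field name is an
// assumption modelled on the irma server's session result, not copied from irmago.
type ResultClaims struct {
	Subject     string `json:"sub"`
	IssuedAt    int64  `json:"iat"`
	ExpiresAt   int64  `json:"exp"`
	ProofStatus string `json:"proofStatus"`
}

var b64 = base64.RawURLEncoding

// VerifyResultJwt pins the algorithm to RS256, verifies the signature with pk,
// then checks subject, expiry and proofStatus. Every failure returns nil claims.
func VerifyResultJwt(token string, pk *rsa.PublicKey, now time.Time) (*ResultClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected three segments")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	// Pin the algorithm: the token must not choose how it is verified.
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pk, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	// Only a payload covered by a good signature is worth parsing.
	payloadJSON, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	var claims ResultClaims
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	if claims.Subject != "disclosing_result" {
		return nil, fmt.Errorf("unexpected subject %q", claims.Subject)
	}
	if claims.ExpiresAt != 0 && !now.Before(time.Unix(claims.ExpiresAt, 0)) {
		return nil, errors.New("token expired")
	}
	// The check the thread asks for: a valid signature is not a valid proof.
	if claims.ProofStatus != "VALID" {
		return nil, fmt.Errorf("proofStatus is %q, not VALID", claims.ProofStatus)
	}
	return &claims, nil
}

// SignResultJwt stands in for the server in this demo and issues an RS256 token.
func SignResultJwt(claims ResultClaims, sk *rsa.PrivateKey) (string, error) {
	header := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, sk, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Demo issues constructed tokens under a throwaway key and reports whether the
// checker accepts the good one and rejects an INVALID proof and a mismatched signature.
func Demo() (validAccepted, invalidRejected, forgedRejected bool, err error) {
	sk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	now := time.Now()
	good := ResultClaims{Subject: "disclosing_result", IssuedAt: now.Unix(),
		ExpiresAt: now.Add(2 * time.Minute).Unix(), ProofStatus: "VALID"}
	bad := good
	bad.ProofStatus = "INVALID"
	goodTok, err := SignResultJwt(good, sk)
	if err != nil {
		return false, false, false, err
	}
	badTok, err := SignResultJwt(bad, sk)
	if err != nil {
		return false, false, false, err
	}
	// VALID claims paired with the signature of a different token must fail.
	gp, bp := strings.Split(goodTok, "."), strings.Split(badTok, ".")
	forged := gp[0] + "." + gp[1] + "." + bp[2]
	_, e1 := VerifyResultJwt(goodTok, &sk.PublicKey, now)
	_, e2 := VerifyResultJwt(badTok, &sk.PublicKey, now)
	_, e3 := VerifyResultJwt(forged, &sk.PublicKey, now)
	return e1 == nil, e2 != nil, e3 != nil, nil
}

func main() {
	ok, rej, forged, err := Demo()
	fmt.Println("valid accepted:", ok, "invalid rejected:", rej, "forged rejected:", forged, err)
}
```

The order of operations is the design point: the algorithm is pinned and the signature verified before any claim is read, and proofStatus is checked as a separate step after that, because a correctly signed token can legitimately report a failed or aborted session.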
