allow by pass oidc signature check

IABTechLab · Jul 20, 2023 · 94e5500 · 94e5500
1 parent ceee06b
commit 94e5500
Showing 1 changed file with 19 additions and 9 deletions.
diff --git a/src/main/java/com/uid2/shared/secure/gcpoidc/TokenSignatureValidator.java b/src/main/java/com/uid2/shared/secure/gcpoidc/TokenSignatureValidator.java
@@ -1,17 +1,19 @@
 package com.uid2.shared.secure.gcpoidc;
 
+import com.google.api.client.json.gson.GsonFactory;
 import com.google.api.client.json.webtoken.JsonWebSignature;
 import com.google.api.client.util.Clock;
 import com.google.auth.oauth2.TokenVerifier;
 import com.google.common.base.Strings;
 import com.uid2.shared.secure.AttestationException;
 
+import java.io.IOException;
 import java.security.PublicKey;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 
-public class TokenSignatureValidator implements ITokenSignatureValidator{
+public class TokenSignatureValidator implements ITokenSignatureValidator {
     private static final String PUBLIC_CERT_LOCATION =
             "https://www.googleapis.com/service_accounts/v1/metadata/jwk/[email protected]";
 
@@ -20,19 +22,22 @@ public class TokenSignatureValidator implements ITokenSignatureValidator{
     private static final String ISSUER = "https://confidentialcomputing.googleapis.com";
     private final TokenVerifier tokenVerifier;
 
-    public TokenSignatureValidator(){
+    // set to true to facilitate local test with self-signed cert.
+    public static final boolean BYPASS_SIGNATURE_CHECK = false;
+
+    public TokenSignatureValidator() {
         this(null, null);
     }
 
-    protected TokenSignatureValidator(PublicKey publicKeyOverride, Clock clockOverride){
+    protected TokenSignatureValidator(PublicKey publicKeyOverride, Clock clockOverride) {
         var verifierBuilder = TokenVerifier.newBuilder();
         verifierBuilder.setCertificatesLocation(PUBLIC_CERT_LOCATION);
 
-        if(publicKeyOverride != null){
+        if (publicKeyOverride != null) {
             verifierBuilder.setPublicKey(publicKeyOverride);
         }
 
-        if(clockOverride != null){
+        if (clockOverride != null) {
             verifierBuilder.setClock(clockOverride);
         }
 
@@ -50,11 +55,16 @@ public TokenPayload validate(String tokenString) throws AttestationException {
 
         // Validate Signature
         JsonWebSignature signature;
-        try{
-            signature = tokenVerifier.verify(tokenString);
-        }
-        catch (TokenVerifier.VerificationException e){
+        try {
+            if (BYPASS_SIGNATURE_CHECK) {
+                signature = JsonWebSignature.parse(GsonFactory.getDefaultInstance(), tokenString);
+            } else {
+                signature = tokenVerifier.verify(tokenString);
+            }
+        } catch (TokenVerifier.VerificationException e) {
             throw new AttestationException("Fail to validate the token signature, error: " + e.getMessage());
+        } catch (IOException e) {
+            throw new AttestationException("Fail to parse token, error: " + e.getMessage());
         }
 
         // Parse Payload