Repair and simplify private key JWT generation

cmd/openid-client.go

@@ -13,8 +13,8 @@ import (
 
 	oidc "github.com/coreos/go-oidc"
 	"github.com/strehle/cmdline-openid-client/pkg/client"
-	"golang.org/x/crypto/pkcs12"
 	"golang.org/x/net/context"
+	"software.sslmate.com/src/go-pkcs12"
 )
 
 func main() {
@@ -114,7 +114,7 @@ func main() {
 			if err != nil {
 				log.Fatal(err)
 			}
-			privateKeyJwt, err = client.CreatePrivateKeyJwt(*clientID, *cert0, claims.TokenEndPoint, pemData)
+			privateKeyJwt, err = client.CreatePrivateKeyJwt(*clientID, *cert0, claims.TokenEndPoint, cert.PrivateKey)
 			if err != nil {
 				log.Fatal(err)
 			}

go.mod

@@ -7,12 +7,13 @@ require (
 	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/google/uuid v1.6.0
-	golang.org/x/crypto v0.22.0
 	golang.org/x/net v0.24.0
 	golang.org/x/oauth2 v0.19.0
 )
 
 require (
 	github.com/pquerna/cachecontrol v0.1.0 // indirect
+	golang.org/x/crypto v0.22.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
+	software.sslmate.com/src/go-pkcs12 v0.4.0
 )

go.sum

@@ -8,6 +8,7 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
 github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -30,3 +31,5 @@ gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=
+software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=

pkg/client/client.go

@@ -2,6 +2,7 @@ package client
 
 import (
 	"context"
+	"crypto"
 	"crypto/sha1"
 	"crypto/tls"
 	"crypto/x509"
@@ -303,11 +304,7 @@ func HandleRefreshFlow(clientID string, clientSecret string, existingRefresh str
 	return refreshToken
 }
 
-func CreatePrivateKeyJwt(clientID string, x509Cert x509.Certificate, tokenEndpoint string, pemData []byte) (string, error) {
-	key, err := jwt.ParseRSAPrivateKeyFromPEM(pemData)
-	if err != nil {
-		return "", fmt.Errorf("create: parse key: %w", err)
-	}
+func CreatePrivateKeyJwt(clientID string, x509Cert x509.Certificate, tokenEndpoint string, privateKey crypto.PrivateKey) (string, error) {
 	certSum := sha1.Sum(x509Cert.Raw)
 	sha1Sum := base64.RawURLEncoding.EncodeToString(certSum[:])
 	now := time.Now().UTC()
@@ -323,7 +320,7 @@ func CreatePrivateKeyJwt(clientID string, x509Cert x509.Certificate, tokenEndpoi
 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims) // .SignedString(key)
 	token.Header["kid"] = sha1Sum
 	token.Header["x5t"] = sha1Sum
-	tokenString, err := token.SignedString(key)
+	tokenString, err := token.SignedString(privateKey)
 	if err != nil {
 		return "", fmt.Errorf("create: sign token: %w", err)
 	}