Golang google id token validation ( verify signature) error

[iJamnica]

I need to validate a google id_token and one step involves to check the token signature.

First I obtain the certificate from: https://www.googleapis.com/oauth2/v2/certs  and extract the modulus (n) and exponent (e) part from the certificate and generate a public key, then I take apart the token (header, payload and digest), after then I send the decoded header.payload together with the Google pKey + digest to the rsa function rsa.VerifyPKCS1v15.

I am stuck with this verification error: crypto/rsa: verification error

Here's the code (I commented the part of code which fails with // validation here fails):

func ValidateIDToken(auth_token string) (err error){    
    res, err := http.Get("https://www.googleapis.com/oauth2/v2/certs")
    if err != nil {
        log.Fatal(err)
        return err
    }

    certs, err := ioutil.ReadAll(res.Body)
    res.Body.Close()
    if err != nil {
        log.Fatal(err)
        return err
    }

    //get modulus and exponent from the cert
    var goCertificate interface{}

    err = json.Unmarshal(certs, &goCertificate)    
    k := goCertificate.(map[string]interface{})["keys"]
    j := k.([]interface{})
    x := j[1]
    h := x.(map[string]interface{})["n"]
    g := x.(map[string]interface{})["e"]
    e64 := base64.StdEncoding
    //build the google pub key
    nStr := h.(string)
    decN, err := base64.StdEncoding.DecodeString(nStr)
    if err != nil {
        log.Println(err)
        return
    }

    n := big.NewInt(0)
    n.SetBytes(decN)
    eStr := g.(string)
    decE, err := base64.StdEncoding.DecodeString(eStr)
    if err != nil {
        log.Println(err)
        return
    }

    var eBytes []byte
    if len(decE) < 8 {
        eBytes = make([]byte, 8-len(decE), 8)
        eBytes = append(eBytes, decE...)
    } else {
        eBytes = decE
    }

    eReader := bytes.NewReader(eBytes)
    var e uint64
    err = binary.Read(eReader, binary.BigEndian, &e)
    if err != nil {
        log.Println(err)
        return
    }

    pKey := rsa.PublicKey{N: n, E: int(e)}
    w := strings.SplitAfter(auth_token, ".")    
    for i, val := range w {
        w[i] = strings.Trim(val, ".")
    }
    y := w[0:2]

    //Join just the first two parts, the header and the payload without the signature
    o := strings.Join(y, ".")   
    headerOauth := DecodeB64(nil,[]byte(w[0]),e64)
    inblockOauth := DecodeB64(nil,[]byte(w[1]),e64)
    toHash := string(headerOauth) + "}." + string(inblockOauth)
    digestOauth := DecodeB64(nil, []byte(w[2]),e64)

    hasherOauth := sha256.New()
    hasherOauth.Write([]byte(toHash))

    // validation here fails
    err = rsa.VerifyPKCS1v15(&pKey,crypto.SHA256,hasherOauth.Sum(nil),digestOauth)

    if err != nil {
        log.Printf("Error verifying key %s",err.Error())
        return err
    }
    return err
}

[ed.r...@coreos.com]

I think the encoding might be what's tripping you up. Should be base64.URLEncoding.DecodeString().

There's a working example here:

http://stackoverflow.com/a/26287613/275016