added a check when generating creds that the specified key is valid for the JWT provided.

Author: aricart

v2/creds_utils.go

@@ -138,6 +138,18 @@ func FormatUserConfig(jwtString string, seed []byte) ([]byte, error) {
 		return nil, fmt.Errorf("nkey seed is not an user seed")
 	}
 
+	kp, err := nkeys.FromSeed(seed)
+	if err != nil {
+		return nil, err
+	}
+	pk, err := kp.PublicKey()
+	if err != nil {
+		return nil, err
+	}
+	if pk != gc.Claims().Subject {
+		return nil, fmt.Errorf("nkey seed does not match the jwt subject")
+	}
+
 	d, err := DecorateSeed(seed)
 	if err != nil {
 		return nil, err

v2/creds_utils_test.go

@@ -291,6 +291,22 @@ func Test_ParseCreds(t *testing.T) {
 	}
 }
 
+func Test_FormatUserConfigMismatchedNKey(t *testing.T) {
+	token, _ := makeJWT(t)
+
+	// different user nkey that doesn't match the JWT subject
+	otherKp := createUserNKey(t)
+	otherSeed := seedKey(otherKp, t)
+
+	_, err := FormatUserConfig(token, otherSeed)
+	if err == nil {
+		t.Fatal("expected error for mismatched nkey")
+	}
+	if !strings.Contains(err.Error(), "does not match") {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
+
 func Test_ParseCredsWithCrLfs(t *testing.T) {
 	token, kp := makeJWT(t)
 	d, err := FormatUserConfig(token, seedKey(kp, t))