diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml
index a5e30e0..bff19a9 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml
@@ -46,7 +46,7 @@ spec:
podDisruptionBudget:
maxUnavailable: "50%"
git:
- tag: "r-88ce7fd041e9106c6f5b1f1cb0892a56f30d8993"
+ tag: "r-605d91273a27806035012a52e1c36c5421092a85"
dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp"
credentials: "git-credentials"
keystores:
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/recovery_pdf_session_processing.lua b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/recovery_pdf_session_processing.lua
index 7db8cf9..3f0808b 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/recovery_pdf_session_processing.lua
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/recovery_pdf_session_processing.lua
@@ -22,7 +22,10 @@ function inputHeader(request, response)
local jwtHandler = nevis.util.jwt.new()
local publickey = param_auth_signer_key:gsub("
", "\n")
- trace:debug("publickey: '" .. publickey .. "'")
+ trace:debug("public key: '" .. publickey .. "'")
+
+ local newPublickey = param_auth_signer_new_key:gsub("
", "\n")
+ trace:debug("new public key: '" .. newPublickey .. "'")
local base64 = nevis.crypto.base64.new()
token = base64:decode(token)
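Review bot: The new `param_auth_signer_new_key:gsub(...)` call runs unconditionally, so if the `param_auth_signer_new_key` init-param is absent in a deployment (the web.xml hunk adds it with the value `none`, but older configs will not have it) the Lua filter raises "attempt to index a nil value" before any JWT verification happens, turning a missing optional parameter into a request failure. A one-line guard keeps the sentinel semantics and makes the parameter genuinely optional: `local newPublickey = (param_auth_signer_new_key or "none"):gsub("<br>", "\n")`. The gsub pattern appears on this page as a literal line break inside the string; given the `<br>` separators in the web.xml key value it presumably is the `<br>` tag rendered by the page, so keep whatever the file actually uses. Note that `local x = s:gsub(...)` deliberately drops gsub's second (count) return value, which is fine here. inputHeader starts before this hunk.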
@@ -30,6 +33,11 @@ function inputHeader(request, response)
local verified = jwtHandler:verifySignature(token, "rs256", publickey)
+ if not verified and newPublickey ~= "none" then
+ trace:notice("AGOV: Check key rotation, using new public key to validate JWT token")
+ verified = jwtHandler:verifySignature(token, "rs256", newPublickey)
+ end
+
if not verified then
trace:error("Blocking request: Invalid JWT : '" .. token .. "'")
response:setBody("Blocking request: Invalid JWT")
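Review bot: `newPublickey ~= "none"` is the only guard on the fallback, so an empty `param_auth_signer_new_key` (gsub of "" yields "", not "none") still triggers a second `verifySignature` and a `trace:notice` on every request whose primary verification fails; extend the condition to `if not verified and newPublickey ~= "none" and newPublickey ~= "" then`. The fallback also never records whether the new key actually succeeded, which is the signal operations need to know the rotation is complete and the old key can be removed from `param_auth_signer_key`; add after the second verifySignature something like `if verified then trace:notice("AGOV: JWT verified with new public key") end`. inputHeader starts before this hunk and the rejection branch continues past it.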
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/web.xml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/web.xml
index 7c0a0ef..0f431de 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/web.xml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/web.xml
@@ -541,6 +541,11 @@
param_auth_signer_key
-----BEGIN PUBLIC KEY-----<br>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvxncA6FeBG4LsoyaUceW<br>McMKp2/pu7sgTCTigv7JCgHWlV1+RYLHnXq/j4dtyOWqb4l2Mbc99Kbj4nJt779G<br>yPn6XrRKy8xPZ/T3enFz4d5zBPtN3dgPQt2Qz9bh9xE45HjT31f0qTqNs3C+VQU7<br>nlN/IkWhSAlBBTZdotQ9O8eHUnunnRs3WfLBgMs1uR3Ue27pXvtWuJo/d20kfumH<br>hbAWEGcM9hgvO7HyMeNVKobdBVZepDzDgXEXav22gmGTYcwzCf5HX9yzaqSMkbth<br>dvjnT9ovHpNgkzTJDSu6SiUTh8HuRsmCrHC4jsvJqS4dXDWYYXAS8aX9Fs8/uYvS<br>8wIDAQAB<br>-----END PUBLIC KEY-----
+
+
+ param_auth_signer_new_key
+ none
+