-
Notifications
You must be signed in to change notification settings - Fork 135
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement NewJwtSigner and CreateAttestation #579
base: master
Are you sure you want to change the base?
Conversation
pkg/attestlib/jwt.go
Outdated
|
||
// NewJwtSigner creates a Signer interface for JWT Attestations. `publicKeyID` | ||
// is the ID of the public key that can verify the Attestation signature. | ||
// TODO: Explain formatting of JWT private keys. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
name or bug/github issue with all TODOs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
pkg/attestlib/jwt.go
Outdated
} | ||
|
||
// NewJwtSigner creates a Signer interface for JWT Attestations. `publicKeyID` | ||
// is the ID of the public key that can verify the Attestation signature. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Move "publicKeyID" to be the last arguement, and in comment say that it should normally be left empty.
Alternatively, I like the idea of having two functions "NewJwtSigner" and "NewJwtSignerExplcitKeyId" , and have the former generate kid and call the latter.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
pkg/attestlib/jwt.go
Outdated
} | ||
|
||
// CreateAttestation creates a signed JWT Attestation. See Signer for more details. | ||
func (s *jwtSigner) CreateAttestation(payload []byte) (*Attestation, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
payload -> JsonJwtBody, with comment explaining what that is.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
pkg/attestlib/jwt.go
Outdated
return &Attestation{ | ||
PublicKeyID: s.publicKeyID, | ||
Signature: []byte(jwt), | ||
SerializedPayload: payload, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
from attestation.go: // SerializedPayload stores the payload over which the signature was
// signed. This field is only used for PKIX Attestations.
This is not accurate in the case of JWTs as written now. I think the cleanest way to handle it is to leave SerializedPayload empty for JWTs and update the documentation to reflect that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this was a mistake. I updated it to leave the SerializedPayload field empty.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
} | ||
} else { | ||
if err != nil { | ||
t.Errorf("NewJwtSigner(...)=%v, expected nil", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: spacing around =
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
} | ||
_, err = createDetachedSignature(privKey, []byte(payload), tc.alg) | ||
if tc.expectedError { | ||
if err == nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: spacing around =
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR. Left some comments.
alg: RsaSignPkcs12048Sha256, | ||
expectedError: false, | ||
}, { | ||
name: "create ecdsa signature success", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add two bad cases where alg does not match the key passed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
_, err = createDetachedSignature(privKey, []byte(payload), tc.alg) | ||
if tc.expectedError { | ||
if err == nil { | ||
t.Errorf("createDetachedSignature(...)=nil, expected non-nil") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a bit confusing, can be understood as signature is nil.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
discussed during sync.
pkg/attestlib/jwt_test.go
Outdated
expectedError bool | ||
}{ | ||
{ | ||
name: "new jwt singer success", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
typo: singer->signer
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
pkg/attestlib/jwt_test.go
Outdated
expectedError: false, | ||
}, | ||
{ | ||
name: "new jwt singer with no key id success", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same typo
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
pkg/attestlib/jwt_test.go
Outdated
} | ||
attestation, err := signer.CreateAttestation([]byte(payload)) | ||
if err != nil { | ||
t.Errorf("CreateAttestation(..) = %v, expected nil", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: spacing around =
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
pkg/attestlib/jwt_test.go
Outdated
_, err := NewJwtSigner(tc.key, tc.alg, tc.publicKeyId) | ||
if tc.expectedError { | ||
if err == nil { | ||
t.Errorf("NewJwtSigner(...) = nil, expected non nil") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: spacing around =
Also ditto as above, would this be confusing as to which return value it is referring to?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
pkg/attestlib/jwt_test.go
Outdated
} | ||
} else { | ||
if err != nil { | ||
t.Errorf("NewJwtSigner(...) = %v, expected nil", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: spacing around =
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
pkg/attestlib/jwt_test.go
Outdated
if err != nil { | ||
t.Errorf("CreateAttestation(..) = %v, expected nil", err) | ||
} else if attestation.PublicKeyID != "kid" { | ||
t.Errorf("attestation.PublicKeyID = %v, expected kid", attestation.PublicKeyID) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: spacing around =
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
Should we merge this? @treyridley |
I changed this to a draft until it is decided if we are going to continue with JWTs. |
No description provided.