Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add EdDSA JWT signing algorithm #16786

Merged
merged 4 commits into from
Aug 25, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion custom/conf/app.example.ini
Original file line number Diff line number Diff line change
Expand Up @@ -392,7 +392,7 @@ INTERNAL_TOKEN=
;; Enables OAuth2 provider
ENABLE = true
;;
;; Algorithm used to sign OAuth2 tokens. Valid values: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512
;; Algorithm used to sign OAuth2 tokens. Valid values: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, EdDSA
;JWT_SIGNING_ALGORITHM = RS256
;;
;; Private key file path used to sign OAuth2 tokens. The path is relative to APP_DATA_PATH.
Expand Down
2 changes: 1 addition & 1 deletion routers/web/user/oauth.go
Original file line number Diff line number Diff line change
Expand Up @@ -546,7 +546,7 @@ func AccessTokenOAuth(ctx *context.Context) {

signingKey := oauth2.DefaultSigningKey
if signingKey.IsSymmetric() {
clientKey, err := oauth2.CreateJWTSingingKey(signingKey.SigningMethod().Alg(), []byte(form.ClientSecret))
clientKey, err := oauth2.CreateJWTSigningKey(signingKey.SigningMethod().Alg(), []byte(form.ClientSecret))
if err != nil {
handleAccessTokenError(ctx, AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidRequest,
Expand Down
2 changes: 1 addition & 1 deletion routers/web/user/oauth_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ import (
)

func createAndParseToken(t *testing.T, grant *models.OAuth2Grant) *oauth2.OIDCToken {
signingKey, err := oauth2.CreateJWTSingingKey("HS256", make([]byte, 32))
signingKey, err := oauth2.CreateJWTSigningKey("HS256", make([]byte, 32))
assert.NoError(t, err)
assert.NotNil(t, signingKey)
oauth2.DefaultSigningKey = signingKey
Expand Down
79 changes: 73 additions & 6 deletions services/auth/source/oauth2/jwtsigningkey.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ package oauth2

import (
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
Expand Down Expand Up @@ -129,6 +130,57 @@ func (key rsaSingingKey) PreProcessToken(token *jwt.Token) {
token.Header["kid"] = key.id
}

type eddsaSigningKey struct {
signingMethod jwt.SigningMethod
key ed25519.PrivateKey
id string
}

func newEdDSASingingKey(signingMethod jwt.SigningMethod, key ed25519.PrivateKey) (eddsaSigningKey, error) {
kid, err := createPublicKeyFingerprint(key.Public().(ed25519.PublicKey))
if err != nil {
return eddsaSigningKey{}, err
}

return eddsaSigningKey{
signingMethod,
key,
base64.RawURLEncoding.EncodeToString(kid),
}, nil
}

func (key eddsaSigningKey) IsSymmetric() bool {
return false
}

func (key eddsaSigningKey) SigningMethod() jwt.SigningMethod {
return key.signingMethod
}

func (key eddsaSigningKey) SignKey() interface{} {
return key.key
}

func (key eddsaSigningKey) VerifyKey() interface{} {
return key.key.Public()
}

func (key eddsaSigningKey) ToJWK() (map[string]string, error) {
pubKey := key.key.Public().(ed25519.PublicKey)

return map[string]string{
"alg": key.SigningMethod().Alg(),
"kid": key.id,
"kty": "OKP",
"crv": "Ed25519",
"x": base64.RawURLEncoding.EncodeToString(pubKey),
}, nil
}

func (key eddsaSigningKey) PreProcessToken(token *jwt.Token) {
token.Header["kid"] = key.id
}

type ecdsaSingingKey struct {
signingMethod jwt.SigningMethod
key *ecdsa.PrivateKey
Expand Down Expand Up @@ -194,8 +246,8 @@ func createPublicKeyFingerprint(key interface{}) ([]byte, error) {
return checksum[:], nil
}

// CreateJWTSingingKey creates a signing key from an algorithm / key pair.
func CreateJWTSingingKey(algorithm string, key interface{}) (JWTSigningKey, error) {
// CreateJWTSigningKey creates a signing key from an algorithm / key pair.
func CreateJWTSigningKey(algorithm string, key interface{}) (JWTSigningKey, error) {
var signingMethod jwt.SigningMethod
switch algorithm {
case "HS256":
Expand All @@ -218,11 +270,19 @@ func CreateJWTSingingKey(algorithm string, key interface{}) (JWTSigningKey, erro
signingMethod = jwt.SigningMethodES384
case "ES512":
signingMethod = jwt.SigningMethodES512
case "EdDSA":
signingMethod = jwt.SigningMethodEdDSA
default:
return nil, ErrInvalidAlgorithmType{algorithm}
}

switch signingMethod.(type) {
case *jwt.SigningMethodEd25519:
privateKey, ok := key.(ed25519.PrivateKey)
if !ok {
return nil, jwt.ErrInvalidKeyType
}
return newEdDSASingingKey(signingMethod, privateKey)
case *jwt.SigningMethodECDSA:
privateKey, ok := key.(*ecdsa.PrivateKey)
if !ok {
Expand Down Expand Up @@ -271,17 +331,19 @@ func InitSigningKey() error {
case "ES384":
fallthrough
case "ES512":
fallthrough
case "EdDSA":
key, err = loadOrCreateAsymmetricKey()

default:
return ErrInvalidAlgorithmType{setting.OAuth2.JWTSigningAlgorithm}
}

if err != nil {
return fmt.Errorf("Error while loading or creating symmetric key: %v", err)
return fmt.Errorf("Error while loading or creating JWT key: %v", err)
}

signingKey, err := CreateJWTSingingKey(setting.OAuth2.JWTSigningAlgorithm, key)
signingKey, err := CreateJWTSigningKey(setting.OAuth2.JWTSigningAlgorithm, key)
if err != nil {
return err
}
Expand Down Expand Up @@ -324,10 +386,15 @@ func loadOrCreateAsymmetricKey() (interface{}, error) {
if !isExist {
err := func() error {
key, err := func() (interface{}, error) {
if strings.HasPrefix(setting.OAuth2.JWTSigningAlgorithm, "RS") {
switch {
case strings.HasPrefix(setting.OAuth2.JWTSigningAlgorithm, "RS"):
return rsa.GenerateKey(rand.Reader, 4096)
case setting.OAuth2.JWTSigningAlgorithm == "EdDSA":
_, pk, err := ed25519.GenerateKey(rand.Reader)
return pk, err
default:
return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}()
if err != nil {
return err
Expand Down