Allow flexible key usage values

lestrrat-go · Oct 3, 2024 · 4b3d083 · 4b3d083
1 parent acb931c
commit 4b3d083
Show file tree

Hide file tree

Showing 6 changed files with 131 additions and 21 deletions.
diff --git a/jwk/jwk.go b/jwk/jwk.go
@@ -619,3 +619,20 @@ func IsKeyValidationError(err error) bool {
 	var kve keyValidationError
 	return errors.Is(err, &kve)
 }
+
+// Configure is used to configure global behavior of the jwk package.
+func Configure(options ...GlobalOption) {
+	var strictKeyUsagePtr *bool
+	//nolint:forcetypeassert
+	for _, option := range options {
+		switch option.Ident() {
+		case identStrictKeyUsage{}:
+			v := option.Value().(bool)
+			strictKeyUsagePtr = &v
+		}
+	}
+
+	if strictKeyUsagePtr != nil {
+		strictKeyUsage.Store(*strictKeyUsagePtr)
+	}
+}
diff --git a/jwk/jwk_test.go b/jwk/jwk_test.go
@@ -783,13 +783,9 @@ func TestAccept(t *testing.T) {
 		for _, test := range testcases {
 			var usage jwk.KeyUsageType
 			if test.Error {
-				if !assert.Error(t, usage.Accept(test.Args), `KeyUsage.Accept should fail`) {
-					return
-				}
+				require.Error(t, usage.Accept(test.Args), `KeyUsage.Accept should fail`)
 			} else {
-				if !assert.NoError(t, usage.Accept(test.Args), `KeyUsage.Accept should succeed`) {
-					return
-				}
+				require.NoError(t, usage.Accept(test.Args), `KeyUsage.Accept should succeed`)
 			}
 		}
 	})

diff --git a/jwk/options.yaml b/jwk/options.yaml
@@ -41,6 +41,10 @@ interfaces:
       - parseOption
     comment: |
       RegisterFetchOption describes options that can be passed to `(jwk.Cache).Register()` and `jwk.Fetch()`
+  - name: GlobalOption
+    comment: |
+      GlobalOption is a type of Option that can be passed to the `jwk.Configure()` to
+      change the global configuration of the jwk package.
 options:
   - ident: HTTPClient
     interface: RegisterFetchOption
@@ -109,4 +113,19 @@ options:
       first fetch is done before returning from the `Register()` call.
       
       This option is by default true. Specify a false value if you would
-      like to return immediately from the `Register()` call.
+      like to return immediately from the `Register()` call.
+
+      This options is exactly the same as `httprc.WithWaitReady()`
+  - ident: StrictKeyUsage
+    interface: GlobalOption
+    argument_type: bool
+    comment: |
+      WithStrictKeyUsage specifies if during JWK parsing, the "use" field
+      should be confined to the values that have been registered via
+      `jwk.RegisterKeyType()`. By default this option is true, and the
+      initial allowed values are "use" and "enc" only.
+
+      If this option is set to false, then the "use" field can be any
+      value. If this options is set to true, then the "use" field must
+      be one of the registered values, and otherwise an error will be
+      reported during parsing / assignment to `jwk.KeyUsageType`
diff --git a/jwk/options_gen.go b/jwk/options_gen.go
diff --git a/jwk/options_gen_test.go b/jwk/options_gen_test.go
diff --git a/jwk/usage.go b/jwk/usage.go
@@ -1,6 +1,54 @@
 package jwk
 
-import "fmt"
+import (
+	"fmt"
+	"sync"
+	"sync/atomic"
+)
+
+var strictKeyUsage = atomic.Bool{}
+var keyUsageNames = map[string]struct{}{}
+var muKeyUsageName sync.RWMutex
+
+// RegisterKeyUsage registers a possible value that can be used for KeyUsageType.
+// Normally, key usage (or the "use" field in a JWK) is either "sig" or "enc",
+// but other values may be used.
+//
+// While this module only works with "sig" and "enc", it is possible that
+// systems choose to use other values. This function allows users to register
+// new values to be accepted as valid key usage types. Values are case sensitive.
+//
+// Furthermore, the check against registered values can be completely turned off
+// by setting the global option `jwk.WithStrictKeyUsage(false)`.
+func RegisterKeyUsage(v string) {
+	muKeyUsageName.Lock()
+	defer muKeyUsageName.Unlock()
+	keyUsageNames[v] = struct{}{}
+}
+
+func UnregisterKeyUsage(v string) {
+	muKeyUsageName.Lock()
+	defer muKeyUsageName.Unlock()
+	delete(keyUsageNames, v)
+}
+
+func init() {
+	strictKeyUsage.Store(true)
+	RegisterKeyUsage("sig")
+	RegisterKeyUsage("enc")
+}
+
+func isValidUsage(v string) bool {
+	// This function can return true if strictKeyUsage is false
+	if !strictKeyUsage.Load() {
+		return true
+	}
+
+	muKeyUsageName.RLock()
+	defer muKeyUsageName.RUnlock()
+	_, ok := keyUsageNames[v]
+	return ok
+}
 
 func (k KeyUsageType) String() string {
 	return string(k)
@@ -9,22 +57,18 @@ func (k KeyUsageType) String() string {
 func (k *KeyUsageType) Accept(v interface{}) error {
 	switch v := v.(type) {
 	case KeyUsageType:
-		switch v {
-		case ForSignature, ForEncryption:
-			*k = v
-			return nil
-		default:
-			return fmt.Errorf("invalid key usage type %s", v)
+		if !isValidUsage(v.String()) {
+			return fmt.Errorf("invalid key usage type: %q", v)
 		}
+		*k = v
+		return nil
 	case string:
-		switch v {
-		case ForSignature.String(), ForEncryption.String():
-			*k = KeyUsageType(v)
-			return nil
-		default:
-			return fmt.Errorf("invalid key usage type %s", v)
+		if !isValidUsage(v) {
+			return fmt.Errorf("invalid key usage type: %q", v)
 		}
+		*k = KeyUsageType(v)
+		return nil
 	}
 
-	return fmt.Errorf("invalid value for key usage type %s", v)
+	return fmt.Errorf("invalid Go type for key usage type: %T", v)
 }