Implement NewJwtSigner and CreateAttestation #579

Draft: wants to merge 11 commits into base: master

Conversation

treyridley
Contributor

No description provided.

@treyridley treyridley requested review from alexcope and ooq July 29, 2020 16:37
@treyridley treyridley marked this pull request as ready for review July 29, 2020 16:38
@treyridley treyridley requested a review from nenaddedic July 29, 2020 16:41

// NewJwtSigner creates a Signer interface for JWT Attestations. `publicKeyID`
// is the ID of the public key that can verify the Attestation signature.
// TODO: Explain formatting of JWT private keys.

name or bug/github issue with all TODOs.

Contributor Author

done.

}

// NewJwtSigner creates a Signer interface for JWT Attestations. `publicKeyID`
// is the ID of the public key that can verify the Attestation signature.

Move "publicKeyID" to be the last argument, and in the comment say that it should normally be left empty.

Alternatively, I like the idea of having two functions "NewJwtSigner" and "NewJwtSignerExplicitKeyId", and have the former generate kid and call the latter.

Contributor Author

done.

}

// CreateAttestation creates a signed JWT Attestation. See Signer for more details.
func (s *jwtSigner) CreateAttestation(payload []byte) (*Attestation, error) {

payload -> JsonJwtBody, with comment explaining what that is.

Contributor Author

done.

return &Attestation{
PublicKeyID: s.publicKeyID,
Signature: []byte(jwt),
SerializedPayload: payload,

from attestation.go: // SerializedPayload stores the payload over which the signature was
// signed. This field is only used for PKIX Attestations.

This is not accurate in the case of JWTs as written now. I think the cleanest way to handle it is to leave SerializedPayload empty for JWTs and update the documentation to reflect that

Contributor Author

this was a mistake. I updated it to leave the SerializedPayload field empty.

Contributor Author

done.

}
} else {
if err != nil {
t.Errorf("NewJwtSigner(...)=%v, expected nil", err)

nit: spacing around =

Contributor Author

done.

Contributor Author

done

}
_, err = createDetachedSignature(privKey, []byte(payload), tc.alg)
if tc.expectedError {
if err == nil {

nit: spacing around =

Contributor Author

done.

Contributor Author

done

Contributor

@ooq ooq left a comment

Thanks for the PR. Left some comments.

alg: RsaSignPkcs12048Sha256,
expectedError: false,
}, {
name: "create ecdsa signature success",
Contributor

Can you add two bad cases where alg does not match the key passed?

Contributor Author

done.

_, err = createDetachedSignature(privKey, []byte(payload), tc.alg)
if tc.expectedError {
if err == nil {
t.Errorf("createDetachedSignature(...)=nil, expected non-nil")
Contributor

This is a bit confusing, can be understood as signature is nil.

Contributor Author

discussed during sync.

expectedError bool
}{
{
name: "new jwt singer success",
Contributor

typo: singer->signer

Contributor Author

done.

expectedError: false,
},
{
name: "new jwt singer with no key id success",
Contributor

same typo

Contributor Author

done.

}
attestation, err := signer.CreateAttestation([]byte(payload))
if err != nil {
t.Errorf("CreateAttestation(..) = %v, expected nil", err)
Contributor

nit: spacing around =

Contributor Author

done.

_, err := NewJwtSigner(tc.key, tc.alg, tc.publicKeyId)
if tc.expectedError {
if err == nil {
t.Errorf("NewJwtSigner(...) = nil, expected non nil")
Contributor

nit: spacing around =

Also ditto as above, would this be confusing as to which return value it is referring to?

Contributor Author

done.

}
} else {
if err != nil {
t.Errorf("NewJwtSigner(...) = %v, expected nil", err)
Contributor

nit: spacing around =

Contributor Author

done.

if err != nil {
t.Errorf("CreateAttestation(..) = %v, expected nil", err)
} else if attestation.PublicKeyID != "kid" {
t.Errorf("attestation.PublicKeyID = %v, expected kid", attestation.PublicKeyID)
Contributor

nit: spacing around =

Contributor Author

done.

@treyridley treyridley marked this pull request as draft August 24, 2020 15:56
@ooq
Contributor

ooq commented Sep 11, 2020

Should we merge this? @treyridley

@treyridley
Contributor Author

Should we merge this? @treyridley

I changed this to a draft until it is decided if we are going to continue with JWTs.
