-
Notifications
You must be signed in to change notification settings - Fork 277
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EncodingKey to JWK #357
Comments
Ah... ring limitations. briansmith/ring#579 and confirmed in breard-r/acmed#2 (comment) |
Partially solved: briansmith/ring#1161 (RSA) |
It looks like it's pretty easy to get the ecdsa public key coords, if uncompressed it's just 1 byte past the public key start. https://datatracker.ietf.org/doc/html/rfc5480#section-2.2 with a hint in https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.2 and .3 Ed25519 looks very complex, comparatively: https://crypto.stackexchange.com/questions/51663/how-can-i-split-a-packed-ed25519-public-signing-key-into-its-x-and-y-coordinates |
FWIW Caddy doesn't support Ed25519 either: https://github.com/mholt/acmez/blob/422d0ad3b73253c35dc2b9d0be29ad55385df3ff/examples/attestation/main.go#L268 |
The same way that there's a way to go from JWK to DecodingKey, when creating a JWT you generate a key and need to embed information about that key in the payload.
I think the expected usage (? I couldn't find an example here) is to generate the private key and at the same point generate the JWK, then pass them around together. This risks mixing up the JWK and key leading to invalid tokens, vs generating the JWK from the key at the time of generating the JWT.
Right now EncodingKey contains an opaque u8 blob which is decoded into the correct key type at the time of signing. Following this approach, it would have to be decoded twice, once for signing and once for JWK generation. I think it may be better to decode the key into the parsed structure immediately when creating the EncodingKey -- this has the added benefit of validating the key early.
The text was updated successfully, but these errors were encountered: