hpke: move published public keys to a new endpoint (#4044)

internal/handlers/jwks_test.go

@@ -16,7 +16,6 @@ import (
 	"github.com/pomerium/pomerium/internal/deterministicecdsa"
 	"github.com/pomerium/pomerium/internal/handlers"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
-	"github.com/pomerium/pomerium/pkg/hpke"
 )
 
 func TestJWKSHandler(t *testing.T) {
@@ -38,24 +37,18 @@ func TestJWKSHandler(t *testing.T) {
 	jwkSigningKey2, err := cryptutil.PublicJWKFromBytes(rawSigningKey2)
 	require.NoError(t, err)
 
-	hpkePrivateKey, err := hpke.GeneratePrivateKey()
-	require.NoError(t, err)
-
 	t.Run("cors", func(t *testing.T) {
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest(http.MethodOptions, "/", nil)
 		r.Header.Set("Origin", "https://www.example.com")
 		r.Header.Set("Access-Control-Request-Method", "GET")
-		handlers.JWKSHandler(nil, hpkePrivateKey.PublicKey()).ServeHTTP(w, r)
+		handlers.JWKSHandler(nil).ServeHTTP(w, r)
 		assert.Equal(t, http.StatusNoContent, w.Result().StatusCode)
 	})
 	t.Run("keys", func(t *testing.T) {
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest(http.MethodGet, "/", nil)
-		handlers.JWKSHandler(
-			append(rawSigningKey1, rawSigningKey2...),
-			hpkePrivateKey.PublicKey(),
-		).ServeHTTP(w, r)
+		handlers.JWKSHandler(append(rawSigningKey1, rawSigningKey2...)).ServeHTTP(w, r)
 
 		var expect any = map[string]any{
 			"keys": []any{
@@ -77,12 +70,6 @@ func TestJWKSHandler(t *testing.T) {
 					"x":   base64.RawURLEncoding.EncodeToString(jwkSigningKey2.Key.(*ecdsa.PublicKey).X.Bytes()),
 					"y":   base64.RawURLEncoding.EncodeToString(jwkSigningKey2.Key.(*ecdsa.PublicKey).Y.Bytes()),
 				},
-				map[string]any{
-					"kty": "OKP",
-					"kid": "pomerium/hpke",
-					"crv": "X25519",
-					"x":   hpkePrivateKey.PublicKey().String(),
-				},
 			},
 		}
 		var actual any