options: support multiple signing keys (#3828)

* options: support multiple signing keys

* fix controlplane method, errors

authorize/check_response_test.go

@@ -33,7 +33,10 @@ func TestAuthorize_handleResult(t *testing.T) {
 	htpkePrivateKey, err := opt.GetHPKEPrivateKey()
 	require.NoError(t, err)
 
-	authnSrv := httptest.NewServer(handlers.JWKSHandler(opt.SigningKey, htpkePrivateKey.PublicKey()))
+	signingKey, err := opt.GetSigningKey()
+	require.NoError(t, err)
+
+	authnSrv := httptest.NewServer(handlers.JWKSHandler(signingKey, htpkePrivateKey.PublicKey()))
 	t.Cleanup(authnSrv.Close)
 	opt.AuthenticateURLString = authnSrv.URL
 
@@ -198,7 +201,10 @@ func TestRequireLogin(t *testing.T) {
 	htpkePrivateKey, err := opt.GetHPKEPrivateKey()
 	require.NoError(t, err)
 
-	authnSrv := httptest.NewServer(handlers.JWKSHandler(opt.SigningKey, htpkePrivateKey.PublicKey()))
+	signingKey, err := opt.GetSigningKey()
+	require.NoError(t, err)
+
+	authnSrv := httptest.NewServer(handlers.JWKSHandler(signingKey, htpkePrivateKey.PublicKey()))
 	t.Cleanup(authnSrv.Close)
 	opt.AuthenticateURLString = authnSrv.URL
 

authorize/evaluator/config.go

@@ -7,7 +7,7 @@ import (
 type evaluatorConfig struct {
 	policies                                          []config.Policy
 	clientCA                                          []byte
-	signingKey                                        string
+	signingKey                                        []byte
 	authenticateURL                                   string
 	googleCloudServerlessAuthenticationServiceAccount string
 	jwtClaimsHeaders                                  config.JWTClaimHeaders
@@ -39,7 +39,7 @@ func WithClientCA(clientCA []byte) Option {
 }
 
 // WithSigningKey sets the signing key and algorithm in the config.
-func WithSigningKey(signingKey string) Option {
+func WithSigningKey(signingKey []byte) Option {
 	return func(cfg *evaluatorConfig) {
 		cfg.signingKey = signingKey
 	}

authorize/evaluator/evaluator.go

@@ -223,7 +223,7 @@ func (e *Evaluator) updateStore(cfg *evaluatorConfig) error {
 func getJWK(cfg *evaluatorConfig) (*jose.JSONWebKey, error) {
 	var decodedCert []byte
 	// if we don't have a signing key, generate one
-	if cfg.signingKey == "" {
+	if len(cfg.signingKey) == 0 {
 		key, err := cryptutil.NewSigningKey()
 		if err != nil {
 			return nil, fmt.Errorf("couldn't generate signing key: %w", err)
@@ -233,11 +233,7 @@ func getJWK(cfg *evaluatorConfig) (*jose.JSONWebKey, error) {
 			return nil, fmt.Errorf("bad signing key: %w", err)
 		}
 	} else {
-		var err error
-		decodedCert, err = base64.StdEncoding.DecodeString(cfg.signingKey)
-		if err != nil {
-			return nil, fmt.Errorf("bad signing key: %w", err)
-		}
+		decodedCert = cfg.signingKey
 	}
 
 	jwk, err := cryptutil.PrivateJWKFromBytes(decodedCert)