options: support multiple signing keys

2025-07-06 19:38:09 +02:00 · 2022-12-20 11:11:52 -07:00 · 2022-12-20 11:11:52 -07:00 · 41b51d04ef
commit 41b51d04ef
parent c048af7523
12 changed files with 223 additions and 67 deletions
--- a/authenticate/authenticate_test.go
+++ b/authenticate/authenticate_test.go
@ -89,10 +89,7 @@ func TestNew(t *testing.T) {
 	goodSigningKey.SigningKey = "LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUpCMFZkbko1VjEvbVlpYUlIWHhnd2Q0Yzd5YWRTeXMxb3Y0bzA1b0F3ekdvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFVUc1eENQMEpUVDFINklvbDhqS3VUSVBWTE0wNENnVzlQbEV5cE5SbVdsb29LRVhSOUhUMwpPYnp6aktZaWN6YjArMUt3VjJmTVRFMTh1dy82MXJVQ0JBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo="

 	badSigningKey := newTestOptions(t)
-	badSigningKey.SigningKey = "%"
-
-	badSigninKeyPublic := newTestOptions(t)
-	badSigninKeyPublic.SigningKey = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJFakNCdWdJSkFNWUdtVzhpYWd1TU1Bb0dDQ3FHU000OUJBTUNNQkV4RHpBTkJnTlZCQU1NQm5WdWRYTmwKWkRBZ0Z3MHlNREExTWpJeU1EUTFNalJhR0E4ME56VTRNRFF4T1RJd05EVXlORm93RVRFUE1BMEdBMVVFQXd3RwpkVzUxYzJWa01Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRVVHNXhDUDBKVFQxSDZJb2w4akt1ClRJUFZMTTA0Q2dXOVBsRXlwTlJtV2xvb0tFWFI5SFQzT2J6empLWWljemIwKzFLd1YyZk1URTE4dXcvNjFyVUMKQkRBS0JnZ3Foa2pPUFFRREFnTkhBREJFQWlBSFFDUFh2WG5oeHlDTGNhZ3N3eWt4RUM1NFV5RmdyUVJVRmVCYwpPUzVCSFFJZ1Y3T2FXY2pMeHdsRlIrWDZTQ2daZDI5bXBtOVZKNnpXQURhWGdEN3FURW89Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
+	badSigningKey.SigningKey = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJFakNCdWdJSkFNWUdtVzhpYWd1TU1Bb0dDQ3FHU000OUJBTUNNQkV4RHpBTkJnTlZCQU1NQm5WdWRYTmwKWkRBZ0Z3MHlNREExTWpJeU1EUTFNalJhR0E4ME56VTRNRFF4T1RJd05EVXlORm93RVRFUE1BMEdBMVVFQXd3RwpkVzUxYzJWa01Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRVVHNXhDUDBKVFQxSDZJb2w4akt1ClRJUFZMTTA0Q2dXOVBsRXlwTlJtV2xvb0tFWFI5SFQzT2J6empLWWljemIwKzFLd1YyZk1URTE4dXcvNjFyVUMKQkRBS0JnZ3Foa2pPUFFRREFnTkhBREJFQWlBSFFDUFh2WG5oeHlDTGNhZ3N3eWt4RUM1NFV5RmdyUVJVRmVCYwpPUzVCSFFJZ1Y3T2FXY2pMeHdsRlIrWDZTQ2daZDI5bXBtOVZKNnpXQURhWGdEN3FURW89Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"

 	tests := []struct {
 		name string
@ -105,7 +102,6 @@ func TestNew(t *testing.T) {
 		{"fails to validate", badRedirectURL, true},
 		{"good signing key", goodSigningKey, false},
 		{"bad signing key", badSigningKey, true},
-		{"bad public signing key", badSigninKeyPublic, true},
 	}
 	for _, tt := range tests {
 		tt := tt
--- a/authenticate/state.go
+++ b/authenticate/state.go
@ -2,7 +2,6 @@ package authenticate

 import (
 	"crypto/cipher"
-	"encoding/base64"
 	"fmt"
 	"net/url"

@ -115,16 +114,14 @@ func newAuthenticateStateFromConfig(cfg *config.Config) (*authenticateState, err
 	if err != nil {
 		return nil, err
 	}
-	if signingKey != "" {
-		decodedCert, err := base64.StdEncoding.DecodeString(cfg.Options.SigningKey)
-		if err != nil {
-			return nil, fmt.Errorf("authenticate: failed to decode signing key: %w", err)
-		}
-		jwk, err := cryptutil.PublicJWKFromBytes(decodedCert)
+	if len(signingKey) > 0 {
+		ks, err := cryptutil.PublicJWKsFromBytes(signingKey)
 		if err != nil {
 			return nil, fmt.Errorf("authenticate: failed to convert jwks: %w", err)
 		}
-		state.jwk.Keys = append(state.jwk.Keys, *jwk)
+		for _, k := range ks {
+			state.jwk.Keys = append(state.jwk.Keys, *k)
+		}
 	}

 	sharedKey, err := cfg.Options.GetSharedKey()