options: support multiple signing keys

2025-07-12 22:38:21 +02:00 · 2022-12-20 11:11:52 -07:00 · 2022-12-20 11:11:52 -07:00 · 41b51d04ef
commit 41b51d04ef
parent c048af7523
12 changed files with 223 additions and 67 deletions
--- a/authorize/check_response_test.go
+++ b/authorize/check_response_test.go
@ -33,7 +33,10 @@ func TestAuthorize_handleResult(t *testing.T) {
 	htpkePrivateKey, err := opt.GetHPKEPrivateKey()
 	require.NoError(t, err)

-	authnSrv := httptest.NewServer(handlers.JWKSHandler(opt.SigningKey, htpkePrivateKey.PublicKey()))
+	signingKey, err := opt.GetSigningKey()
+	require.NoError(t, err)
+
+	authnSrv := httptest.NewServer(handlers.JWKSHandler(signingKey, htpkePrivateKey.PublicKey()))
 	t.Cleanup(authnSrv.Close)
 	opt.AuthenticateURLString = authnSrv.URL

@ -198,7 +201,10 @@ func TestRequireLogin(t *testing.T) {
 	htpkePrivateKey, err := opt.GetHPKEPrivateKey()
 	require.NoError(t, err)

-	authnSrv := httptest.NewServer(handlers.JWKSHandler(opt.SigningKey, htpkePrivateKey.PublicKey()))
+	signingKey, err := opt.GetSigningKey()
+	require.NoError(t, err)
+
+	authnSrv := httptest.NewServer(handlers.JWKSHandler(signingKey, htpkePrivateKey.PublicKey()))
 	t.Cleanup(authnSrv.Close)
 	opt.AuthenticateURLString = authnSrv.URL

--- a/authorize/evaluator/config.go
+++ b/authorize/evaluator/config.go
@ -7,7 +7,7 @@ import (
 type evaluatorConfig struct {
 	policies                                          []config.Policy
 	clientCA                                          []byte
-	signingKey                                        string
+	signingKey                                        []byte
 	authenticateURL                                   string
 	googleCloudServerlessAuthenticationServiceAccount string
 	jwtClaimsHeaders                                  config.JWTClaimHeaders
@ -39,7 +39,7 @@ func WithClientCA(clientCA []byte) Option {
 }

 // WithSigningKey sets the signing key and algorithm in the config.
-func WithSigningKey(signingKey string) Option {
+func WithSigningKey(signingKey []byte) Option {
 	return func(cfg *evaluatorConfig) {
 		cfg.signingKey = signingKey
 	}
--- a/authorize/evaluator/evaluator.go
+++ b/authorize/evaluator/evaluator.go
@ -223,7 +223,7 @@ func (e *Evaluator) updateStore(cfg *evaluatorConfig) error {
 func getJWK(cfg *evaluatorConfig) (*jose.JSONWebKey, error) {
 	var decodedCert []byte
 	// if we don't have a signing key, generate one
-	if cfg.signingKey == "" {
+	if len(cfg.signingKey) == 0 {
 		key, err := cryptutil.NewSigningKey()
 		if err != nil {
 			return nil, fmt.Errorf("couldn't generate signing key: %w", err)
@ -233,11 +233,7 @@ func getJWK(cfg *evaluatorConfig) (*jose.JSONWebKey, error) {
 			return nil, fmt.Errorf("bad signing key: %w", err)
 		}
 	} else {
-		var err error
-		decodedCert, err = base64.StdEncoding.DecodeString(cfg.signingKey)
-		if err != nil {
-			return nil, fmt.Errorf("bad signing key: %w", err)
-		}
+		decodedCert = cfg.signingKey
 	}

 	jwk, err := cryptutil.PrivateJWKFromBytes(decodedCert)