options: support multiple signing keys

2025-07-19 09:38:03 +02:00 · 2022-12-20 11:11:52 -07:00 · 2022-12-20 11:11:52 -07:00 · 41b51d04ef
commit 41b51d04ef
parent c048af7523
12 changed files with 223 additions and 67 deletions
--- a/internal/handlers/jwks.go
+++ b/internal/handlers/jwks.go
@ -2,7 +2,6 @@ package handlers

 import (
 	"bytes"
-	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@ -19,23 +18,21 @@ import (

 // JWKSHandler returns the /.well-known/pomerium/jwks.json handler.
 func JWKSHandler(
-	rawSigningKey string,
+	signingKey []byte,
 	additionalKeys ...any,
 ) http.Handler {
 	return cors.AllowAll().Handler(httputil.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
 		var jwks struct {
 			Keys []any `json:"keys"`
 		}
-		if rawSigningKey != "" {
-			decodedCert, err := base64.StdEncoding.DecodeString(rawSigningKey)
-			if err != nil {
-				return httputil.NewError(http.StatusInternalServerError, errors.New("bad base64 encoding for signing key"))
-			}
-			jwk, err := cryptutil.PublicJWKFromBytes(decodedCert)
+		if len(signingKey) > 0 {
+			ks, err := cryptutil.PublicJWKsFromBytes(signingKey)
 			if err != nil {
 				return httputil.NewError(http.StatusInternalServerError, errors.New("bad signing key"))
 			}
-			jwks.Keys = append(jwks.Keys, *jwk)
+			for _, k := range ks {
+				jwks.Keys = append(jwks.Keys, *k)
+			}
 		}
 		jwks.Keys = append(jwks.Keys, additionalKeys...)