Documentation
Index
- Constants
- Variables
- func GenerateRSAKey(audience string) (*jwkModel.PrivateJSONWebKey, *jwkModel.JSONWebKey, error)
- func GetActiveKey(serv *server.Server, alg string, audience string) (*jwkModel.PrivateJSONWebKey, error)
- func GetJWK(serv *server.Server, kid string) (*jwkModel.JSONWebKey, error)
- func GetJWKS(serv *server.Server) (*jwkModel.JSONWebKeySet, error)
- func NewKey(serv *server.Server, alg string, audience string) (*jwkModel.PrivateJSONWebKey, error)
- func RotateKeys(serv *server.Server, alg string, audience string) error
- func ToRSAPrivateKey(private *jwkModel.PrivateJSONWebKey) (*rsa.PrivateKey, error)
- func ToRSAPublicKey(public *jwkModel.JSONWebKey) (*rsa.PublicKey, error)
Constants
const RSAKeySize int = 2048
Variables
var ErrGenerateKey = credstackError.NewError(500, "ERR_GENERATING_KEY", "jwk: Failed to generate cryptographic key")
var ErrKeyIsNotValid = credstackError.NewError(500, "ERR_KEY_NOT_VALID", "jwk: The requested private or public key is not valid")
var ErrKeyNotExist = credstackError.NewError(404, "ERR_PRIV_KEY_NOT_EXIST", "jwk: Failed to find private key with the requested key ID")
var ErrMarshalKey = credstackError.NewError(500, "ERR_MARSHALING_KEY", "jwk: Failed to marshal/unmarshal key")
var ErrNoKeysToRevoke = credstackError.NewError(404, "ERR_NO_KEY_REVOKE", "jwk: There are no keys in the database to revoke")
Functions
func GenerateRSAKey
func GenerateRSAKey(audience string) (*jwkModel.PrivateJSONWebKey, *jwkModel.JSONWebKey, error)
GenerateRSAKey - Generates a 2048-bit RSA key pair. The size is not adjustable, so that generation stays fast. After the key is generated, it is validated to ensure that it can be used for signing tokens. Any errors here are propagated through the error return value.
Generally, this function is slow: not only does it generate a 2048-bit private key, it also computes the checksum of its public exponent. This **should** be acceptable, as it only needs to be called on first startup or whenever the user requests key rotation. Generating a new key with this function automatically marks it as active.
func GetActiveKey
func GetActiveKey(serv *server.Server, alg string, audience string) (*jwkModel.PrivateJSONWebKey, error)
GetActiveKey - Fetches the latest active private key for the algorithm passed in the parameter. The same model (key.PrivateJSONWebKey) is used for both RS256 and HS256 keys, so the same function serves either. Additional functions in this package convert this model into a usable RSA private key.
TODO: This does not support HS-256
TODO: This may not be needed; validate as the rest of this package gets fleshed out
func GetJWK
func GetJWK(serv *server.Server, kid string) (*jwkModel.JSONWebKey, error)
GetJWK - Fetches the public JSON Web Key matching the key identifier passed in the parameter. This returns only the model; other functions in this package convert it back to a valid rsa.PublicKey.
func GetJWKS
func GetJWKS(serv *server.Server) (*jwkModel.JSONWebKeySet, error)
GetJWKS - Fetches all JSON Web Keys stored in the database and returns them as a slice. Only RSA keys are returned by this call, as it is intended for the .well-known/jwks.json endpoint, and HS256 secrets must not be exposed publicly because they are symmetric.
TODO: Maybe rethink this to return only keys by a specific audience
func NewKey
func NewKey(serv *server.Server, alg string, audience string) (*jwkModel.PrivateJSONWebKey, error)
NewKey - Generates a new key for the algorithm you specify in the parameter. Calling this function immediately sets the key as the current one; however, it does not retroactively update previously issued keys. If you are attempting to rotate or revoke keys, use RotateKeys or RotateRevokeKeys instead.
Additionally, this function does not validate that the given audience exists before it issues a key for it.
TODO: Update alg to use protobuf enum
TODO: Update this to remove alg check. HS256 tokens use the client secret for signing
func RotateKeys
func RotateKeys(serv *server.Server, alg string, audience string) error
RotateKeys - Marks all private keys in the database as not available for signing and generates a new key. The new key is automatically marked as available for signing, and any tokens issued after this call are signed with it.
This differs from RotateRevokeKeys in that the JWKs associated with the old private keys are left in the jwk collection. This means they can still be fetched under .well-known/jwks.json, and any tokens signed with the old keys are still considered 'valid'.
func ToRSAPrivateKey
func ToRSAPrivateKey(private *jwkModel.PrivateJSONWebKey) (*rsa.PrivateKey, error)
ToRSAPrivateKey - Converts a private JSON Web Key into an rsa.PrivateKey struct so that it can be used with the crypto/rsa package. After the key is parsed, it is checked for mathematical correctness using key.Validate.
func ToRSAPublicKey
func ToRSAPublicKey(public *jwkModel.JSONWebKey) (*rsa.PublicKey, error)
ToRSAPublicKey - Converts a public JSON Web Key into an rsa.PublicKey struct so that it can be used with the crypto/rsa package. Any errors in this function are returned wrapped.
Types
This section is empty.