Skip to content

Commit

Permalink
oidc algs: added EdDSA as a supported algorithm
Browse files Browse the repository at this point in the history
Support EdDSA alogrithm for providers.
  • Loading branch information
lritter-fan authored and ericchiang committed May 16, 2023
1 parent 82f6983 commit cd52382
Show file tree
Hide file tree
Showing 6 changed files with 48 additions and 3 deletions.
1 change: 1 addition & 0 deletions oidc/jose.go
Original file line number Diff line number Diff line change
Expand Up @@ -13,4 +13,5 @@ const (
PS256 = "PS256" // RSASSA-PSS using SHA256 and MGF1-SHA256
PS384 = "PS384" // RSASSA-PSS using SHA384 and MGF1-SHA384
PS512 = "PS512" // RSASSA-PSS using SHA512 and MGF1-SHA512
EdDSA = "EdDSA" // Ed25519 using SHA-512
)
2 changes: 2 additions & 0 deletions oidc/jwks.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import (
"context"
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/rsa"
"errors"
"fmt"
Expand Down Expand Up @@ -32,6 +33,7 @@ func (s *StaticKeySet) VerifySignature(ctx context.Context, jwt string) ([]byte,
switch pub.(type) {
case *rsa.PublicKey:
case *ecdsa.PublicKey:
case ed25519.PublicKey:
default:
return nil, fmt.Errorf("invalid public key type provided: %T", pub)
}
Expand Down
15 changes: 15 additions & 0 deletions oidc/jwks_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import (
"bytes"
"context"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
Expand Down Expand Up @@ -79,6 +80,14 @@ func newECDSAKey(t *testing.T) *signingKey {
return &signingKey{"", priv, priv.Public(), jose.ES256}
}

func newEdDSAKey(t *testing.T) *signingKey {
publicKey, privateKey, err := ed25519.GenerateKey(rand.Reader)
if err != nil {
t.Fatal(err)
}
return &signingKey{"", privateKey, publicKey, jose.EdDSA}
}

func TestRSAVerify(t *testing.T) {
good := newRSAKey(t)
bad := newRSAKey(t)
Expand All @@ -92,6 +101,12 @@ func TestECDSAVerify(t *testing.T) {
testKeyVerify(t, good, bad, good)
}

func TestEdDSAVerify(t *testing.T) {
good := newEdDSAKey(t)
bad := newEdDSAKey(t)
testKeyVerify(t, good, bad, good)
}

func TestMultipleKeysVerify(t *testing.T) {
key1 := newRSAKey(t)
key2 := newRSAKey(t)
Expand Down
3 changes: 2 additions & 1 deletion oidc/oidc.go
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,7 @@ var supportedAlgorithms = map[string]bool{
PS256: true,
PS384: true,
PS512: true,
EdDSA: true,
}

// ProviderConfig allows creating providers when discovery isn't supported. It's
Expand Down Expand Up @@ -448,7 +449,7 @@ func (i *IDToken) VerifyAccessToken(accessToken string) error {
h = sha256.New()
case RS384, ES384, PS384:
h = sha512.New384()
case RS512, ES512, PS512:
case RS512, ES512, PS512, EdDSA:
h = sha512.New()
default:
return fmt.Errorf("oidc: unsupported signing algorithm %q", i.sigAlgorithm)
Expand Down
10 changes: 8 additions & 2 deletions oidc/oidc_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,12 @@ func TestAccessTokenVerification(t *testing.T) {
googleAccessToken,
assertMsg("id token did not have an access token hash"),
},
{
"EdDSA",
newToken("EdDSA", computed512TokenHash),
googleAccessToken,
assertNil,
},
{
"badSignAlgo",
newToken("none", "xxx"),
Expand Down Expand Up @@ -135,11 +141,11 @@ func TestNewProvider(t *testing.T) {
"authorization_endpoint": "https://example.com/auth",
"token_endpoint": "https://example.com/token",
"jwks_uri": "https://example.com/keys",
"id_token_signing_alg_values_supported": ["RS256", "RS384", "ES256"]
"id_token_signing_alg_values_supported": ["RS256", "RS384", "ES256", "EdDSA"]
}`,
wantAuthURL: "https://example.com/auth",
wantTokenURL: "https://example.com/token",
wantAlgorithms: []string{"RS256", "RS384", "ES256"},
wantAlgorithms: []string{"RS256", "RS384", "ES256", "EdDSA"},
},
{
name: "unsupported_algorithms",
Expand Down
20 changes: 20 additions & 0 deletions oidc/verify_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,16 @@ func TestVerify(t *testing.T) {
},
signKey: newRSAKey(t),
},
{
name: "good eddsa token",
idToken: `{"iss":"https://foo"}`,
config: Config{
SkipClientIDCheck: true,
SkipExpiryCheck: true,
SupportedSigningAlgs: []string{EdDSA},
},
signKey: newEdDSAKey(t),
},
{
name: "invalid issuer",
issuer: "https://bar",
Expand Down Expand Up @@ -214,6 +224,16 @@ func TestVerifySigningAlg(t *testing.T) {
},
signKey: newECDSAKey(t),
},
{
name: "eddsa signing",
idToken: `{"iss":"https://foo"}`,
config: Config{
SkipClientIDCheck: true,
SkipExpiryCheck: true,
SupportedSigningAlgs: []string{EdDSA},
},
signKey: newEdDSAKey(t),
},
{
name: "one of many supported",
idToken: `{"iss":"https://foo"}`,
Expand Down

0 comments on commit cd52382

Please sign in to comment.