1029905495

Committed 09 Oct 2023 04:24AM UTC coverage: 83.929% (-3.9%) from 87.856%

Build # 1029905495

Build Type

Pull #674

gitlab-ci

Committed by

tranchitella

Commit Message

feat: support for ED25519 server keys for signing the JWT tokens

Ticket: MEN-6775
Changelog: Title

Signed-off-by: Fabio Tranchitella <fabio.tranchitella@northern.tech>

Pull Request Pull Request #674: feat: support for ED25519 server keys for signing the JWT tokens

Run Details

139 of 148 new or added lines in 4 files covered. (93.92%)

88 existing lines in 3 files now uncovered.

4721 of 5625 relevant lines covered (83.93%)

46.83 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

94.0

/jwt/jwt_ed25519.go

// Copyright 2023 Northern.tech AS
//
//        Licensed under the Apache License, Version 2.0 (the "License");
//        you may not use this file except in compliance with the License.
//        You may obtain a copy of the License at
//
//            http://www.apache.org/licenses/LICENSE-2.0
//
//        Unless required by applicable law or agreed to in writing, software
//        distributed under the License is distributed on an "AS IS" BASIS,
//        WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//        See the License for the specific language governing permissions and
//        limitations under the License.
package jwt

import (
        "crypto/ed25519"

        "github.com/golang-jwt/jwt/v4"
        "github.com/pkg/errors"
)

// JWTHandlerEd25519 is an Ed25519-specific JWTHandler
type JWTHandlerEd25519 struct {
        privKey         *ed25519.PrivateKey
        fallbackPrivKey *ed25519.PrivateKey
}

func NewJWTHandlerEd25519(privKey *ed25519.PrivateKey,
        fallbackPrivKey *ed25519.PrivateKey) *JWTHandlerEd25519 {
        return &JWTHandlerEd25519{
                privKey:         privKey,
                fallbackPrivKey: fallbackPrivKey,
        }
}

func (j *JWTHandlerEd25519) ToJWT(token *Token) (string, error) {
        //generate
        jt := jwt.NewWithClaims(jwt.SigningMethodEdDSA, &token.Claims)

        //sign
        data, err := jt.SignedString(j.privKey)
        return data, err
}

func (j *JWTHandlerEd25519) FromJWT(tokstr string) (*Token, error) {
        parser := jwt.NewParser(jwt.WithoutClaimsValidation())
        jwttoken, _, err := parser.ParseUnverified(tokstr, &Claims{})
        if err == nil {
                token := Token{}
                if claims, ok := jwttoken.Claims.(*Claims); ok {
                        token.Claims = *claims
                        return &token, nil
                }
        }

        return nil, ErrTokenInvalid
}

func (j *JWTHandlerEd25519) Validate(tokstr string) error {
        var err error
        var jwttoken *jwt.Token
        for _, privKey := range []*ed25519.PrivateKey{
                j.privKey,
                j.fallbackPrivKey,
        } {
                if privKey != nil {
                        jwttoken, err = jwt.ParseWithClaims(tokstr, &Claims{},
                                func(token *jwt.Token) (interface{}, error) {
                                        if _, ok := token.Method.(*jwt.SigningMethodEd25519); !ok {
                                                return nil, errors.New("unexpected signing method: " + token.Method.Alg())
                                        }
                                        return privKey.Public(), nil
                                },
                        )
                        if jwttoken != nil && err == nil {
                                break
                        }
                }
        }

        // our Claims return Mender-specific validation errors
        // go-jwt will wrap them in a generic ValidationError - unwrap and return directly
        if jwttoken != nil && !jwttoken.Valid {
                return ErrTokenInvalid
        } else if err != nil {
                err, ok := err.(*jwt.ValidationError)
                if ok && err.Inner != nil {
                        return err.Inner
                } else {
                        return err
                }
        }

        return nil
}

1	// Copyright 2023 Northern.tech AS
2	//
3	// Licensed under the Apache License, Version 2.0 (the "License");
4	// you may not use this file except in compliance with the License.
5	// You may obtain a copy of the License at
6	//
7	// http://www.apache.org/licenses/LICENSE-2.0
8	//
9	// Unless required by applicable law or agreed to in writing, software
10	// distributed under the License is distributed on an "AS IS" BASIS,
11	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12	// See the License for the specific language governing permissions and
13	// limitations under the License.
14	package jwt
15
16	import (
17	"crypto/ed25519"
18
19	"github.com/golang-jwt/jwt/v4"
20	"github.com/pkg/errors"
21	)
22
23	// JWTHandlerEd25519 is an Ed25519-specific JWTHandler
24	type JWTHandlerEd25519 struct {
25	privKey *ed25519.PrivateKey
26	fallbackPrivKey *ed25519.PrivateKey
27	}
28
29	func NewJWTHandlerEd25519(privKey *ed25519.PrivateKey,
30	fallbackPrivKey ed25519.PrivateKey) JWTHandlerEd25519 {	15✔
31	return &JWTHandlerEd25519{	15✔
32	privKey: privKey,	15✔
33	fallbackPrivKey: fallbackPrivKey,	15✔
34	}	15✔
35	}	15✔
36
37	func (j JWTHandlerEd25519) ToJWT(token Token) (string, error) {	2✔
38	//generate	2✔
39	jt := jwt.NewWithClaims(jwt.SigningMethodEdDSA, &token.Claims)	2✔
40		2✔
41	//sign	2✔
42	data, err := jt.SignedString(j.privKey)	2✔
43	return data, err	2✔
44	}	2✔
45
46	func (j JWTHandlerEd25519) FromJWT(tokstr string) (Token, error) {	5✔
47	parser := jwt.NewParser(jwt.WithoutClaimsValidation())	5✔
48	jwttoken, _, err := parser.ParseUnverified(tokstr, &Claims{})	5✔
49	if err == nil {	9✔
50	token := Token{}	4✔
51	if claims, ok := jwttoken.Claims.(*Claims); ok {	8✔
52	token.Claims = *claims	4✔
53	return &token, nil	4✔
54	}	4✔
55	}
56
57	return nil, ErrTokenInvalid	1✔
58	}
59
60	func (j *JWTHandlerEd25519) Validate(tokstr string) error {	7✔
61	var err error	7✔
62	var jwttoken *jwt.Token	7✔
63	for _, privKey := range []*ed25519.PrivateKey{	7✔
64	j.privKey,	7✔
65	j.fallbackPrivKey,	7✔
66	} {	18✔
67	if privKey != nil {	21✔
68	jwttoken, err = jwt.ParseWithClaims(tokstr, &Claims{},	10✔
69	func(token *jwt.Token) (interface{}, error) {	19✔
70	if _, ok := token.Method.(*jwt.SigningMethodEd25519); !ok {	9✔
NEW 71	return nil, errors.New("unexpected signing method: " + token.Method.Alg())	×
NEW 72	}	×
73	return privKey.Public(), nil	9✔
74	},
75	)
76	if jwttoken != nil && err == nil {	14✔
77	break	4✔
78	}
79	}
80	}
81
82	// our Claims return Mender-specific validation errors
83	// go-jwt will wrap them in a generic ValidationError - unwrap and return directly
84	if jwttoken != nil && !jwttoken.Valid {	9✔
85	return ErrTokenInvalid	2✔
86	} else if err != nil {	8✔
87	err, ok := err.(*jwt.ValidationError)	1✔
88	if ok && err.Inner != nil {	1✔
NEW 89	return err.Inner	×
90	} else {	1✔
91	return err	1✔
92	}	1✔
93	}
94
95	return nil	4✔
96	}

mendersoftware / deviceauth / 1029905495

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous