From b265b4068052d49ba6eda013fa5a87f850508fa8 Mon Sep 17 00:00:00 2001
From: Finn
Date: Tue, 17 Sep 2024 17:55:56 -0700
Subject: [PATCH] back to ed25519 keys
---
 go.mod | 1 +
 go.sum | 5 +++++
 routers/api/actions/oidc.go | 29 ++++++++---------------------
 3 files changed, 14 insertions(+), 21 deletions(-)
diff --git a/go.mod b/go.mod
index 55d70febc..5bfd7c903 100644
--- a/go.mod
+++ b/go.mod
@@ -85,6 +85,7 @@ require (
 github.com/pquerna/otp v1.4.0
 github.com/prometheus/client_golang v1.18.0
 github.com/quasoft/websspi v1.1.2
+github.com/rakutentech/jwk-go v1.1.3
 github.com/redis/go-redis/v9 v9.6.1
 github.com/robfig/cron/v3 v3.0.1
 github.com/santhosh-tekuri/jsonschema/v6 v6.0.1
diff --git a/go.sum b/go.sum
index ffa5ce5cc..86bced258 100644
--- a/go.sum
+++ b/go.sum
@@ -542,11 +542,13 @@ github.com/olivere/elastic/v7 v7.0.32 h1:R7CXvbu8Eq+WlsLgxmKVKPox0oOwAE/2T9Si5Bn
 github.com/olivere/elastic/v7 v7.0.32/go.mod h1:c7PVmLe3Fxq77PIfY/bZmxY/TAamBhCzZ8xDOE09a9k=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0HfGg=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
+github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
 github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
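Review bot: The new requirement `github.com/rakutentech/jwk-go v1.1.3` is pulled in to publish a single Ed25519 verification key, which as a JWK is three short members (`kty: OKP`, `crv: Ed25519`, `x: base64url(pub)`) that a small struct with `encoding/json` tags — the approach the removed RSA `jwks` struct already took — can emit without a third-party module in the token-signing path. If the dependency is kept, the PR should say why the library is preferred over that struct, and its maintenance status should be checked before a signing endpoint depends on it. Either way, pin it here only after that review; a module that is easy to replace with a few stdlib lines is an avoidable supply-chain surface.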
@@ -583,6 +585,8 @@ github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k
 github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
 github.com/quasoft/websspi v1.1.2 h1:/mA4w0LxWlE3novvsoEL6BBA1WnjJATbjkh1kFrTidw=
 github.com/quasoft/websspi v1.1.2/go.mod h1:HmVdl939dQ0WIXZhyik+ARdI03M6bQzaSEKcgpFmewk=
+github.com/rakutentech/jwk-go v1.1.3 h1:PiLwepKyUaW+QFG3ki78DIO2+b4IVK3nMhlxM70zrQ4=
+github.com/rakutentech/jwk-go v1.1.3/go.mod h1:LtzSv4/+Iti1nnNeVQiP6l5cI74GBStbhyXCYvgPZFk=
 github.com/redis/go-redis/v9 v9.6.1 h1:HHDteefn6ZkTtY5fGUE8tj8uy85AHk6zP7CpzIAM0y4=
 github.com/redis/go-redis/v9 v9.6.1/go.mod h1:0C0c6ycQsdpVNQpxb1njEQIqkx5UcsM8FJCQLgE9+RA=
 github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 h1:OdAsTTz6OkFY5QxjkYwrChwuRruF69c169dPK26NUlk=
@@ -725,6 +729,7 @@ go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
diff --git a/routers/api/actions/oidc.go b/routers/api/actions/oidc.go
index 745d77ee9..62d1e7b77 100644
--- a/routers/api/actions/oidc.go
+++ b/routers/api/actions/oidc.go
@@ -1,8 +1,8 @@
 package actions
 import (
+ "crypto/ed25519"
 "crypto/rand"
- "crypto/rsa"
 "encoding/json"
 "fmt"
 "net/http"
@@ -14,22 +14,16 @@ import (
 "code.gitea.io/gitea/modules/web"
 "github.com/golang-jwt/jwt/v5"
 "github.com/google/uuid"
+ "github.com/rakutentech/jwk-go/jwk"
+ "github.com/rakutentech/jwk-go/okp"
 )
 type oidcRoutes struct {
- ca *rsa.PrivateKey
- jwks []jwks
+ ca ed25519.PrivateKey
+ jwks []*jwk.KeySpec
 openIDConfiguration openIDConfiguration
 }
-type jwks struct {
- KeyType string `json:"kty"`
- Algorithm string `json:"alg"`
- Use string `json:"use"`
- N string `json:"n"`
- E int `json:"e"`
-}
-
 type openIDConfiguration struct {
 Issuer string `json:"issuer"`
 JwksURI string `json:"jwks_uri"`
@@ -46,22 +40,15 @@ func OIDCRoutes(prefix string) *web.Route {
 prefix = strings.TrimPrefix(prefix, "/")
 // TODO: generate this once and store it across restarts. In the database I assume?
- caPrivateKey, err := rsa.GenerateKey(rand.Reader, 4096)
- // _, caPrivateKey, err := ed25519.GenerateKey(rand.Reader)
+ caPublicKey, caPrivateKey, err := ed25519.GenerateKey(rand.Reader)
 if err != nil {
 panic(err)
 }
 r := oidcRoutes{
 ca: caPrivateKey,
- jwks: []jwks{ // https://token.actions.githubusercontent.com/.well-known/jwks
- {
- KeyType: "RSA",
- Algorithm: "RS256",
- Use: "sig",
- N: caPrivateKey.PublicKey.N.String(),
- E: caPrivateKey.PublicKey.E, // Github: AQAB
- },
+ jwks: []*jwk.KeySpec{ // https://token.actions.githubusercontent.com/.well-known/jwks
+ jwk.NewSpec(okp.NewCurve25519(caPublicKey, caPrivateKey)),
 },
 openIDConfiguration: openIDConfiguration{
 Issuer: setting.AppURL + setting.AppSubURL + prefix, // TODO: how do i check the public domain?
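Review bot: `jwk.NewSpec(okp.NewCurve25519(caPublicKey, caPrivateKey))` places the private key inside the key spec stored in `r.jwks`, which from its name and the linked GitHub URL is presumably what the JWKS endpoint serves; if the library serialises private parameters (an OKP `d` member) when that spec is encoded, the token-signing key is published to every verifier that fetches the document. Build the published spec from the public half only — `okp.NewCurve25519(caPublicKey, nil)` if the constructor accepts a missing private key, or whatever public-only form the library offers — and confirm by inspecting the JSON the endpoint actually returns; the handler that encodes it is outside this hunk. The new entry also drops the `alg` and `use` members the RSA entry carried and has no `kid`, so verifiers that select a key by `kid` or filter on `use: sig` will not find it, whereas GitHub's document sets all three. The code that signs tokens with `r.ca`, also outside the hunk, must switch to `jwt.SigningMethodEdDSA` (an `ed25519.PrivateKey` is rejected by RS256 at signing time) and emit the matching `alg` header. OIDCRoutes continues past the end of the hunk.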