Commit e654a65

committed
Refactor cryptokeys and jwtutils interfaces and logic
- Enhance comments for key interfaces to clarify usage and considerations for time validity and clock skew. - Refactor JWE/JWS logic to simplify serialization and deserialization processes, ensuring more efficient and concise handling of JWTs. Implement compact serialization and remove unnecessary base64 encoding.
1 parent 93603a2 commit e654a65

3 files changed

+23
-15
lines changed

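--- a/coderd/cryptokeys/keycache.go
+++ b/coderd/cryptokeys/keycache.go
@@ -15,13 +15,27 @@ var (
 )
 
 type EncryptionKeycache interface {
+// EncryptingKey returns the latest valid key for encrypting payloads. A valid
+// key is one that is both past its start time and before its deletion time.
 EncryptingKey(ctx context.Context) (id string, key interface{}, err error)
+// DecryptingKey returns the key with the provided id which maps to its sequence
+// number. The key is valid for decryption as long as it is not deleted or past
+// its deletion date. We must allow for keys prior to their start time to
+// account for clock skew between peers (one key may be past its start time on
+// one machine while another is not).
 DecryptingKey(ctx context.Context, id string) (key interface{}, err error)
 io.Closer
 }
 
 type SigningKeycache interface {
+// SigningKey returns the latest valid key for signing. A valid key is one
+// that is both past its start time and before its deletion time.
 SigningKey(ctx context.Context) (id string, key interface{}, err error)
+// VerifyingKey returns the key with the provided id which should map to its
+// sequence number. The key is valid for verifying as long as it is not deleted
+// or past its deletion date. We must allow for keys prior to their start time
+// to account for clock skew between peers (one key may be past its start time
+// on one machine while another is not).
 VerifyingKey(ctx context.Context, id string) (key interface{}, err error)
 io.Closer
 }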
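Review bot: The new comments on DecryptingKey and VerifyingKey say a key is accepted before its start time to absorb clock skew, but they put no bound on how early, so as documented a key is usable for decryption or verification from the moment it exists and only deletion gates it. If that is the intended contract, state it outright, e.g. `// Only deletion gates acceptance; a key that has not yet reached its start time is still returned.`; if the implementation does bound the skew, name the bound instead. The two comments also disagree on the id ("maps to its sequence number" against "should map to its sequence number"), and neither says which error a caller receives for an unknown or deleted id. The implementations are outside this section, so this concerns the documented contract only.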

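--- a/coderd/jwtutils/jwe.go
+++ b/coderd/jwtutils/jwe.go
@@ -2,7 +2,6 @@ package jwtutils
 
 import (
 "context"
-"encoding/base64"
 "encoding/json"
 "time"
 
@@ -58,15 +57,17 @@ func Encrypt(ctx context.Context, e EncryptKeyProvider, claims Claims) (string,
 return "", xerrors.Errorf("encrypt: %w", err)
 }
 
-serialized := []byte(encrypted.FullSerialize())
-return base64.RawURLEncoding.EncodeToString(serialized), nil
+compact, err := encrypted.CompactSerialize()
+if err != nil {
+return "", xerrors.Errorf("compact serialize: %w", err)
+}
+
+return compact, nil
 }
 
 // DecryptOptions are options for decrypting a JWE.
 type DecryptOptions struct {
-RegisteredClaims jwt.Expected
-
-// The following should only be used for JWEs.
+RegisteredClaims jwt.Expected
 KeyAlgorithm jose.KeyAlgorithm
 ContentEncryptionAlgorithm jose.ContentEncryption
 }
@@ -85,12 +86,7 @@ func Decrypt(ctx context.Context, d DecryptKeyProvider, token string, claims Cla
 opt(&options)
 }
 
-encrypted, err := base64.RawURLEncoding.DecodeString(token)
-if err != nil {
-return xerrors.Errorf("decode: %w", err)
-}
-
-object, err := jose.ParseEncrypted(string(encrypted),
+object, err := jose.ParseEncrypted(token,
 []jose.KeyAlgorithm{options.KeyAlgorithm},
 []jose.ContentEncryption{options.ContentEncryptionAlgorithm},
 )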
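Review bot: In the Decrypt hunk the caller-supplied token now goes straight into `jose.ParseEncrypted`, which accepts the JSON serialization as well as the compact one, while Encrypt after this commit only ever emits compact. Restricting the parser to the format this package produces keeps the untrusted-input surface small: `object, err := jose.ParseEncryptedCompact(token,` (the three-argument call suggests go-jose v4, which has it; confirm against the pinned version). Separately, tokens issued before this commit were base64url-wrapped full serializations and will no longer parse, so any still within their lifetime at deploy time are rejected; the description does not say whether that is acceptable, and no test file is among the three changed files. Decrypt's body starts and ends outside the hunk.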

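--- a/coderd/jwtutils/jws.go
+++ b/coderd/jwtutils/jws.go
@@ -71,9 +71,7 @@ func Sign(ctx context.Context, s SigningKeyProvider, claims Claims) (string, err
 
 // VerifyOptions are options for verifying a JWT.
 type VerifyOptions struct {
-RegisteredClaims jwt.Expected
-
-// The following are only used for JWSs.
+RegisteredClaims jwt.Expected
 SignatureAlgorithm jose.SignatureAlgorithm
 }
 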