Refactor cryptokeys and jwtutils interfaces and logic

- Enhance comments for key interfaces to clarify usage and considerations for time validity and clock skew. - Refactor JWE/JWS logic to simplify serialization and deserialization processes, ensuring more efficient and concise handling of JWTs. Implement compact serialization and remove unnecessary base64 encoding.
coder · sreya · Oct 4, 2024 · Oct 1, 2024 · Oct 2, 2024 · Oct 2, 2024
commit e654a6552ca36914b689228eb1b4b07041f90a83
diff --git a/coderd/cryptokeys/keycache.go b/coderd/cryptokeys/keycache.go
@@ -15,13 +15,27 @@ var (
 )
 
 type EncryptionKeycache interface {
+	// EncryptingKey returns the latest valid key for encrypting payloads. A valid
+	// key is one that is both past its start time and before its deletion time.
 	EncryptingKey(ctx context.Context) (id string, key interface{}, err error)
+	// DecryptingKey returns the key with the provided id which maps to its sequence
+	// number. The key is valid for decryption as long as it is not deleted or past
+	// its deletion date. We must allow for keys prior to their start time to
+	// account for clock skew between peers (one key may be past its start time on
+	// one machine while another is not).
 	DecryptingKey(ctx context.Context, id string) (key interface{}, err error)
 	io.Closer
 }
 
 type SigningKeycache interface {
+	// SigningKey returns the latest valid key for signing. A valid key is one
+	// that is both past its start time and before its deletion time.
 	SigningKey(ctx context.Context) (id string, key interface{}, err error)
+	// VerifyingKey returns the key with the provided id which should map to its
+	// sequence number. The key is valid for verifying as long as it is not deleted
+	// or past its deletion date. We must allow for keys prior to their start time
+	// to account for clock skew between peers (one key may be past its start time
+	// on one machine while another is not).
 	VerifyingKey(ctx context.Context, id string) (key interface{}, err error)
 	io.Closer
 }
diff --git a/coderd/jwtutils/jwe.go b/coderd/jwtutils/jwe.go
@@ -2,7 +2,6 @@ package jwtutils
 
 import (
 	"context"
-	"encoding/base64"
 	"encoding/json"
 	"time"
 
@@ -58,15 +57,17 @@ func Encrypt(ctx context.Context, e EncryptKeyProvider, claims Claims) (string,
 		return "", xerrors.Errorf("encrypt: %w", err)
 	}
 
-	serialized := []byte(encrypted.FullSerialize())
-	return base64.RawURLEncoding.EncodeToString(serialized), nil
+	compact, err := encrypted.CompactSerialize()
+	if err != nil {
+		return "", xerrors.Errorf("compact serialize: %w", err)
+	}
+
+	return compact, nil
 }
 
 // DecryptOptions are options for decrypting a JWE.
 type DecryptOptions struct {
-	RegisteredClaims jwt.Expected
-
-	// The following should only be used for JWEs.
+	RegisteredClaims           jwt.Expected
 	KeyAlgorithm               jose.KeyAlgorithm
 	ContentEncryptionAlgorithm jose.ContentEncryption
 }
@@ -85,12 +86,7 @@ func Decrypt(ctx context.Context, d DecryptKeyProvider, token string, claims Cla
 		opt(&options)
 	}
 
-	encrypted, err := base64.RawURLEncoding.DecodeString(token)
-	if err != nil {
-		return xerrors.Errorf("decode: %w", err)
-	}
-
-	object, err := jose.ParseEncrypted(string(encrypted),
+	object, err := jose.ParseEncrypted(token,
 		[]jose.KeyAlgorithm{options.KeyAlgorithm},
 		[]jose.ContentEncryption{options.ContentEncryptionAlgorithm},
 	)

diff --git a/coderd/jwtutils/jws.go b/coderd/jwtutils/jws.go
@@ -71,9 +71,7 @@ func Sign(ctx context.Context, s SigningKeyProvider, claims Claims) (string, err
 
 // VerifyOptions are options for verifying a JWT.
 type VerifyOptions struct {
-	RegisteredClaims jwt.Expected
-
-	// The following are only used for JWSs.
+	RegisteredClaims   jwt.Expected
 	SignatureAlgorithm jose.SignatureAlgorithm
 }