Support exporting RSA JWK private keys #375
Conversation
![sourcelevel-bot[bot]](https://avatars.githubusercontent.com/in/597?s=60&v=4){kind=small}
anakinj
force-pushed
the
rsa-jwk-improvements
branch
from
63f1a4a to
7055538
Compare
lib/jwt/jwk/rsa.rb
Outdated
| @@ -2,16 +2,18 @@ | |||
|
|
|||
| module JWT | |||
| module JWK | |||
| class RSA | |||
| class RSA < KeyAbstract | |||
| attr_reader :keypair | |||
There was a problem hiding this comment.
attr_reader :keypair can be removed, because inherited from KeyAbstract.
lib/jwt/jwk/rsa.rb
Outdated
| sequence = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer.new(public_key.n), | ||
| OpenSSL::ASN1::Integer.new(public_key.e)]) | ||
| OpenSSL::Digest::SHA256.hexdigest(sequence.to_der) | ||
| @kid ||= generate_kid |
There was a problem hiding this comment.
You can remove this method def kid and move @kid ||= generate_kid to initialize method like in https://github.com/jwt/ruby-jwt/blob/master/lib/jwt/jwk/hmac.rb
There was a problem hiding this comment.
This is a little problematic. I would like to do it so the @kid would only be set once. Doing it after super would potentially set the kid twice in the initializer.
I would like to do it like this but the keypair that generate_kid needs is not initialized yet.
def initialize(keypair, kid = nil)
raise ArgumentError, 'keypair must be of type OpenSSL::PKey::RSA' unless keypair.is_a?(OpenSSL::PKey::RSA)
super(keypair, kid || generate_kid)
end
A litte ugly solution but would work is to have the kid generation as a static method that gets the public_key as a parameter. I think I'll go with that.
There was a problem hiding this comment.
"Doing it after super would potentially set the kid twice in the initializer.", at the moment I don't understand why, but you have a better overview of the JWK RSA code flow.
My opinion: a developer can set the kid manually on JWK creation or leave this parameter blank and it gets generated automatically. And import uses the kid to have the same kid from export. I cannot see the problem with set kid twice.
There was a problem hiding this comment.
I meant in cases where the kid is not given. Then the super will set the @kid instance variable to nil and then the derived class will set @kid to the generated kid.
What i changed this to give the generated kid to the parent if no kid is provided to the derived class, then @kid is only set once in the super.
There was a problem hiding this comment.
Is it a problem, if kid is set to nil first? I see no problem with that and the code looks much simpler to understand.
There was a problem hiding this comment.
I feel that im starting to over analyse this, sorry for that :) But when the kid is set from outside the parent it could to be set via attribute writer. Maybe @kid should not be used from the derived classes at all but the kid accessors instead.
There was a problem hiding this comment.
Yep! That's true. Then we remove @kid = kid from initialize method in KeyAbstract class after PR are merged? Or can you remove it with this PR please?
E.g.:
def initialize(keypair, _kid = nil)
@keypair = keypair
end
There was a problem hiding this comment.
I was maybe more referring to not setting @kid directly from the RSA, EC or HMAC classes but via some accessor.
What about something like this 6754a58
lib/jwt/jwk/rsa.rb
Outdated
|
|
||
| def initialize(keypair) | ||
| def initialize(keypair, kid = nil) | ||
| raise ArgumentError, 'keypair must be of type OpenSSL::PKey::RSA' unless keypair.is_a?(OpenSSL::PKey::RSA) | ||
|
|
||
| @keypair = keypair |
There was a problem hiding this comment.
Remove this line @keypair = keypair and add super instead.
anakinj
force-pushed
the
rsa-jwk-improvements
branch
from
a3843e3 to
ec9a4c7
Compare
|
Try a rebase from upstream master first.
Joakim Antman <[email protected]> schrieb am Fr. 2. Okt. 2020 um
14:31:
***@***.**** commented on this pull request.
------------------------------
In lib/jwt/jwk/rsa.rb
<#375 (comment)>:
> @@ -23,50 +25,97 @@ def public_key
end
def kid
- sequence = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer.new(public_key.n),
- OpenSSL::ASN1::Integer.new(public_key.e)])
- OpenSSL::Digest::SHA256.hexdigest(sequence.to_der)
+ @kid ||= generate_kid
I meant in cases where the kid is not given. Then the super will set the
@kid instance variable to nil and then the derived class will set @kid to
the generated kid.
What i changed this to give the generated kid to the parent if no kid is
provided to the derived class, then @kid <https://github.com/kid> is only
set once in the super.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#375 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AABYDGTLMPQWXIJAKZFA6BLSIXBZFANCNFSM4SA36BJA>
.
--
Mit freundlichen Grüßen,
Tim Rudat
|
anakinj
force-pushed
the
rsa-jwk-improvements
branch
from
840a1e8 to
7edbec0
Compare
|
SourceLevel has finished reviewing this Pull Request and has found:
|
anakinj
force-pushed
the
rsa-jwk-improvements
branch
from
7edbec0 to
6754a58
Compare
|
Where is authorized to merge this PR? |
anakinj
force-pushed
the
rsa-jwk-improvements
branch
from
6754a58 to
f44445b
Compare
|
Could you @excpt retrigger the CI for this. |
|
Build restarted. :-) |
|
@anakinj do you need help to get this merged? |
|
@anakinj, are there any plans to cut a new release with these changes or will it only happen when the milestone is complete? I'm specifically interested in the |
This replaces and improves #373
Created a new branch and combined the following:
Still not totally sure if the test matrix is able to test both versions of the
populate_keymethod. The original issue was fixed in #333 but before that there were no failing tests so I don't think the tests cover the older versions. Maybe we don't need to support the outdated rubies anyway soon.FYI @richardlarocque, @phlegx This includes fixes for the great comments you provided.