veraison / go-cose

go library for CBOR Object Signing and Encryption (COSE)
Mozilla Public License 2.0

No ability to import an existing key to use with signer #107

Open OR13 opened 2 years ago

OR13 commented 2 years ago

In order to cross test, we need the ability to import keys generated from other libraries, sign with this library, verify with this library, export the key, make sure it serializes the same way... then test the other library in a similar manner.

AFAIK, this library does not expose any key import / export functionality.

Example key I would like to import:

{
  "kid": "urn:ietf:params:oauth:jwk-thumbprint:sha-256:PWieDT0tQrlUu_YiggAjPhcLYrFmQRxKxstEhH2E7bY",
  "kty": "EC",
  "crv": "P-521",
  "alg": "ES512",
  "x": "AbYsupr2HVrjj-rxRHFuFOoTzjfYJhoMPJHjd6ZoAJu-f4G3j9YkpGZGW03zIbfpB-h4Sa8xp80umXUrwOLNw7ij",
  "y": "AeUJ7n0jk9IwCIZYDTMcZ9Kj4NsDb1SZqBufpbz6CMIciyixMLJjQx5xwLWMLhVDCs-iw3EQnrho6CrRWgqlqQ6p",
  "d": "AVNjoYJ2sPUjNzk_7jvQ9KooE6qBjoPv2p7vk1WXgTSaY-tWSfmIdr3j6HI9b1oAY8s5qbxrpdG4aOqehMPuouTO"
}

Example interfaces I would like supported:

thomas-fossati commented 1 year ago

Zeitgeist! I was going to raise an equivalent FR myself :-)

We use JWK a lot as an interchange format and we have been writing the same adapter code again and again. Having an off-the-shelf SignerFromJWK provided by go-cose would be very handy.

Also in scope, an equivalent adapter around COSE_Key.
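
An added example, not code from this thread or from go-cose: a JWK export/import round trip of the kind requested above, narrowed to P-521 and written against the standard library only. `exportJWK`, `signerFromJWK` and `demoKey` are hypothetical names; the returned `*ecdsa.PrivateKey` implements `crypto.Signer`, which is what `cose.NewSigner` accepts together with `cose.AlgorithmES512`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// exportJWK and signerFromJWK are hypothetical helpers, not go-cose APIs.
func exportJWK(k *ecdsa.PrivateKey) []byte {
	// P-521 members are always 66 octets, left-padded with zeros (RFC 7518).
	enc := func(n *big.Int) string { return base64.RawURLEncoding.EncodeToString(n.FillBytes(make([]byte, 66))) }
	return []byte(fmt.Sprintf(`{"kty":"EC","crv":"P-521","x":"%s","y":"%s","d":"%s"}`, enc(k.X), enc(k.Y), enc(k.D)))
}

func signerFromJWK(raw []byte) (*ecdsa.PrivateKey, error) {
	var k struct{ Kty, Crv, X, Y, D string } // other members (kid, alg) are ignored
	if err := json.Unmarshal(raw, &k); err != nil || k.Kty != "EC" || k.Crv != "P-521" {
		return nil, fmt.Errorf("want P-521 EC JWK, got kty=%q crv=%q (%v)", k.Kty, k.Crv, err)
	}
	var n [3]*big.Int
	for i, s := range []string{k.X, k.Y, k.D} {
		b, err := base64.RawURLEncoding.DecodeString(s)
		if err != nil || len(b) != 66 {
			return nil, fmt.Errorf("member %q: bad base64url or length", "xyd"[i:i+1])
		}
		n[i] = new(big.Int).SetBytes(b)
	}
	c, x, y, d := elliptic.P521(), n[0], n[1], n[2]
	// x/y must equal d*G; that also proves the point lies on the curve.
	gx, gy := c.ScalarBaseMult(d.Bytes())
	if d.Sign() == 0 || d.Cmp(c.Params().N) >= 0 || gx.Cmp(x) != 0 || gy.Cmp(y) != 0 {
		return nil, fmt.Errorf("d out of range or x/y is not d*G")
	}
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: c, X: x, Y: y}, D: d}, nil
}

func demoKey() *ecdsa.PrivateKey { // constructed test key, generated at run time
	k, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	return k
}

func main() {
	key, err := signerFromJWK(exportJWK(demoKey()))
	fmt.Println("import ok:", key != nil, "err:", err)
}
```
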

yogeshbdeshpande commented 1 year ago

@thomas-fossati Is that the common components of extracting signer and public key from JWK Key, which we use heavily in Veraison code base testing?

thomas-fossati commented 1 year ago

> @thomas-fossati Is that the common components of extracting signer and public key from JWK Key, which we use heavily in Veraison code base testing?

Yes, and in the various CLIs too.

yogeshbdeshpande commented 1 year ago

Yes, best that the code be part of go-cose componentry and every user invokes consistently the same set of methods! 100% with you on this.

yogeshbdeshpande commented 1 year ago

This is not blocking any release but a very useful enhancement to have! Needs to review which is the correct location!

ivarprudnikov commented 1 year ago

You could use https://github.com/MicahParks/keyfunc to import JWKS

Example in their test that converts JSON to a set of keys https://github.com/MicahParks/keyfunc/blob/master/jwks_test.go#L228 via keyfunc.NewJSON([]byte(jwksJSON))

ivarprudnikov commented 1 year ago

There is yet another library for working with JSON representation of the keys https://github.com/lestrrat-go/jwx

SteveLasker commented 8 months ago

@thomas-fossati, any thoughts on this one?