go-cose

No ability to import an existing key to use with signer

Open OR13 opened this issue 3 years ago • 8 comments

In order to cross test, we need the ability to import keys generated from other libraries, sign with this library, verify with this library, export the key, make sure it serializes the same way... then test the other library in a similar manner.

AFAIK, this library does not expose any key import / export functionality.

Example key I would like to import:

{
  "kid": "urn:ietf:params:oauth:jwk-thumbprint:sha-256:PWieDT0tQrlUu_YiggAjPhcLYrFmQRxKxstEhH2E7bY",
  "kty": "EC",
  "crv": "P-521",
  "alg": "ES512",
  "x": "AbYsupr2HVrjj-rxRHFuFOoTzjfYJhoMPJHjd6ZoAJu-f4G3j9YkpGZGW03zIbfpB-h4Sa8xp80umXUrwOLNw7ij",
  "y": "AeUJ7n0jk9IwCIZYDTMcZ9Kj4NsDb1SZqBufpbz6CMIciyixMLJjQx5xwLWMLhVDCs-iw3EQnrho6CrRWgqlqQ6p",
  "d": "AVNjoYJ2sPUjNzk_7jvQ9KooE6qBjoPv2p7vk1WXgTSaY-tWSfmIdr3j6HI9b1oAY8s5qbxrpdG4aOqehMPuouTO"
}

Example interfaces I would like supported:

  • https://github.com/panva/jose/blob/HEAD/docs/functions/key_import.importJWK.md#readme
  • https://github.com/panva/jose/blob/HEAD/docs/functions/key_export.exportJWK.md#readme

OR13 avatar Oct 01 '22 16:10 OR13

Zeitgeist! I was going to raise an equivalent FR myself :-)

We use JWK a lot as an interchange format and we have been writing the same adapter code again and again. Having an off-the-shelf SignerFromJWK provided by go-cose would be very handy.

Also in scope, an equivalent adapter around COSE_Key.

thomas-fossati avatar Nov 03 '22 10:11 thomas-fossati
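A sketch of the JWK import/export adapter discussed above, as an added example that is not go-cose code and not from any participant in this thread. It uses only the Go standard library; `ImportJWK`, `ExportJWK`, `NewSampleKey` and `member` are hypothetical names, and the key is generated at run time as constructed sample input rather than taken from the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

var curves = map[string]elliptic.Curve{"P-256": elliptic.P256(), "P-384": elliptic.P384(), "P-521": elliptic.P521()}

// member returns a JWK member as a string ("" when absent or not a string).
func member(j map[string]any, name string) string { s, _ := j[name].(string); return s }

// ImportJWK (hypothetical name) parses an EC private JWK and validates it before use.
func ImportJWK(data []byte) (*ecdsa.PrivateKey, error) {
	var j map[string]any
	if err := json.Unmarshal(data, &j); err != nil || j["kty"] != "EC" || curves[member(j, "crv")] == nil {
		return nil, fmt.Errorf("not a supported EC JWK")
	}
	c, n := curves[member(j, "crv")], [3]*big.Int{}
	for i, name := range []string{"x", "y", "d"} {
		b, err := base64.RawURLEncoding.DecodeString(member(j, name))
		if err != nil || len(b) != (c.Params().BitSize+7)/8 { // RFC 7518: fixed-width members
			return nil, fmt.Errorf("bad encoding of %q", name)
		}
		n[i] = new(big.Int).SetBytes(b)
	}
	px, py := c.ScalarBaseMult(n[2].Bytes()) // d must be in range and reproduce an on-curve (x, y)
	if n[2].Sign() == 0 || n[2].Cmp(c.Params().N) >= 0 || !c.IsOnCurve(n[0], n[1]) || px.Cmp(n[0]) != 0 || py.Cmp(n[1]) != 0 {
		return nil, fmt.Errorf("inconsistent key material")
	}
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: c, X: n[0], Y: n[1]}, D: n[2]}, nil
}

// ExportJWK (hypothetical name) writes fixed-width members; map keys marshal in sorted order.
func ExportJWK(k *ecdsa.PrivateKey) ([]byte, error) {
	enc := func(v *big.Int) string { return base64.RawURLEncoding.EncodeToString(v.FillBytes(make([]byte, (k.Params().BitSize+7)/8))) }
	return json.Marshal(map[string]string{"kty": "EC", "crv": k.Params().Name, "x": enc(k.X), "y": enc(k.Y), "d": enc(k.D)})
}

// NewSampleKey generates a throwaway P-521 key as constructed sample input.
func NewSampleKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P521(), rand.Reader) }

func main() {
	k, _ := NewSampleKey()
	out, _ := ExportJWK(k)
	got, err := ImportJWK(out)
	fmt.Println("round trip ok:", err == nil && got.Equal(k))
}
```

The returned `*ecdsa.PrivateKey` implements `crypto.Signer`, which is the key type go-cose's `NewSigner` accepts. Checking that `d` reproduces `(x, y)` at import time keeps a mismatched or off-curve key from another library out of the cross test.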

@thomas-fossati Is that the common components of extracting signer and public key from JWK Key, which we use heavily in Veraison code base testing?

yogeshbdeshpande avatar Nov 03 '22 10:11 yogeshbdeshpande

> @thomas-fossati Is that the common components of extracting signer and public key from JWK Key, which we use heavily in Veraison code base testing?

yes, and in the various CLIs too.

thomas-fossati avatar Nov 03 '22 10:11 thomas-fossati

Yes, best that the code be part of go-cose componentry and every user invokes consistently the same set of methods! 100% with you on this.

yogeshbdeshpande avatar Nov 03 '22 11:11 yogeshbdeshpande

This is not blocking any release but a very useful enhancement to have! Needs to review which is the correct location!

yogeshbdeshpande avatar Nov 04 '22 15:11 yogeshbdeshpande

You could use https://github.com/MicahParks/keyfunc to import JWKS

Example in their test that converts JSON to a set of keys https://github.com/MicahParks/keyfunc/blob/master/jwks_test.go#L228 via keyfunc.NewJSON([]byte(jwksJSON))

ivarprudnikov avatar Nov 10 '22 15:11 ivarprudnikov

There is yet another library for working with JSON representation of the keys https://github.com/lestrrat-go/jwx

ivarprudnikov avatar Mar 06 '23 16:03 ivarprudnikov

@thomas-fossati, any thoughts on this one?

SteveLasker avatar Feb 23 '24 16:02 SteveLasker