Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HMS-2695 feat: JWK encryption with AES-GCM #13

Merged
merged 1 commit into from
Oct 5, 2023
Merged

HMS-2695 feat: JWK encryption with AES-GCM #13

merged 1 commit into from
Oct 5, 2023

Conversation

tiran
Copy link
Collaborator

@tiran tiran commented Oct 4, 2023

Implement helpers to encrypt and decrypt a JWK with AES-GCM AEAD.

EncryptJWK() takes a raw AES encryption key plus jwk.Key and returns the encrypted key. The key is encrypted and protected with AES-GCM. The random nonce is pre-pended to the output stream.

DecryptJWK() is the reverse operation. It takes a raw AES key and cipher text with nonce pre-pended. On success, it returns a jwk.Key. Invalid key and tampering are detected by AEAD.

Also pulls the latest lestrrat-go/jwx@v2 go module.

frasertweedale
frasertweedale requested changes Oct 5, 2023
View reviewed changes
Copy link
Contributor

@frasertweedale frasertweedale left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One suggestion to extend the tests.

internal/infrastructure/token/encrypt_test.go Show resolved Hide resolved
@tiran
HMS-2695 feat: JWK encryption with AES-GCM
56c73e6 
Implement helpers to encrypt and decrypt a JWK with AES-GCM AEAD.

`EncryptJWK()` takes a raw AES encryption key plus `jwk.Key` and returns
the encrypted key. The key is encrypted and protected with AES-GCM. The
random nonce is pre-pended to the output stream.

`DecryptJWK()` is the reverse operation. It takes a raw AES key and
cipher text with nonce pre-pended. On success, it returns a `jwk.Key`.
Invalid key and tampering are detected by AEAD.

Also pulls the latest `lestrrat-go/jwx@v2` go module.

Signed-off-by: Christian Heimes <[email protected]>
@frasertweedale frasertweedale merged commit 2daaa64 into podengo-project:main Oct 5, 2023
1 check passed
@tiran tiran deleted the hms-2695-encrypt-jwk branch October 5, 2023 13:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frasertweedale frasertweedale frasertweedale approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tiran @frasertweedale