Extend jose.NewSigner support for other types #689
Conversation
This commit adds support for custom crypto.Signer types for signing tokens. With this, one can use the signer implemented in a KMS or even step + step-kms-plugin to sign JWTs.
The crypto PR allows to sign tokens using step-kms-plugin.
The crypto PR allows to sign tokens using step-kms-plugin.
|
|
||
| func guessOpaqueSigner(key crypto.PrivateKey) crypto.PrivateKey { |
There was a problem hiding this comment.
Should this be called guessSigner, since it can also return other types of signers, specifically the X25519Signer (and will leave others untouched)?
A small blurb of doc might be good too.
There was a problem hiding this comment.
X25519Signer is an implementation of the OpaqueSigner interface.
There was a problem hiding this comment.
The method intends to return an OpaqueSigner only if necessary.
| func (w wrapSigner) Public() crypto.PublicKey { | ||
| if w.Signer == nil { | ||
| return nil | ||
| } | ||
| return w.Signer.Public() | ||
| } | ||
|
|
||
| func (w wrapSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) { | ||
| if w.Signer == nil { | ||
| return nil, errors.New("not implemented") | ||
| } |
There was a problem hiding this comment.
Since wrapSigner is only used in tests, you could make it take t *testing.T, and fail immediately when Signer is nil. Then you can remove some test cases that are only testing this test struct's functioning.
There was a problem hiding this comment.
There are specific cases where I don't want the test to fail. For example, when I create an opaque signer with NewOpaqueSigner(wrapSigner{}), this method will end up calling signer.Public(), I don't care about the output, but I don't want the method to fail, I want only that the opaqueSigner is not able to recognize the type of the key.
This commit adds support for custom
crypto.Signertypes for signing tokens. With this, one can use the signer implemented in a KMS or evenstep+step-kms-pluginto sign JWTs.