Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HMS-2695 feat: JWK encryption with AES-GCM #13

Merged
merged 1 commit into from
Oct 5, 2023

Conversation

tiran
Copy link
Collaborator

@tiran tiran commented Oct 4, 2023

Implement helpers to encrypt and decrypt a JWK with AES-GCM AEAD.

EncryptJWK() takes a raw AES encryption key plus jwk.Key and returns the encrypted key. The key is encrypted and protected with AES-GCM. The random nonce is pre-pended to the output stream.

DecryptJWK() is the reverse operation. It takes a raw AES key and cipher text with nonce pre-pended. On success, it returns a jwk.Key. Invalid key and tampering are detected by AEAD.

Also pulls the latest lestrrat-go/jwx@v2 go module.

@tiran tiran force-pushed the hms-2695-encrypt-jwk branch from e19ea9e to 727b26f Compare October 4, 2023 10:23
Copy link
Contributor

@frasertweedale frasertweedale left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One suggestion to extend the tests.

internal/infrastructure/token/encrypt_test.go Show resolved Hide resolved
Implement helpers to encrypt and decrypt a JWK with AES-GCM AEAD.

`EncryptJWK()` takes a raw AES encryption key plus `jwk.Key` and returns
the encrypted key. The key is encrypted and protected with AES-GCM. The
random nonce is pre-pended to the output stream.

`DecryptJWK()` is the reverse operation. It takes a raw AES key and
cipher text with nonce pre-pended. On success, it returns a `jwk.Key`.
Invalid key and tampering are detected by AEAD.

Also pulls the latest `lestrrat-go/jwx@v2` go module.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
@tiran tiran force-pushed the hms-2695-encrypt-jwk branch from 727b26f to 56c73e6 Compare October 5, 2023 06:12
@tiran tiran requested a review from frasertweedale October 5, 2023 07:20
@frasertweedale frasertweedale merged commit 2daaa64 into podengo-project:main Oct 5, 2023
1 check passed
@tiran tiran deleted the hms-2695-encrypt-jwk branch October 5, 2023 13:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants