Refactor JWKS into its own module (#249)

### Description

Refactor JWKS into its own module.

### Type of change

* [ ] New feature
* [ ] Feature improvement
* [ ] Bug fix
* [ ] Documentation
* [x] Cleanup / refactoring
* [ ] Other (please explain)

### How is this change tested ?

* [x] Unit tests
* [ ] Manual tests (explain)
* [ ] Tests are not needed

Author: rthellend

.github/workflows/pr.yml

@@ -56,6 +56,12 @@ jobs:
       run: go test -race -timeout=5m -failfast ./...
     - name: Run govulncheck
       run: go install golang.org/x/vuln/cmd/govulncheck@latest && govulncheck ./...
+    - name Test jwks
+      run: |
+        cd ./jwks
+        go build .
+        go vet .
+        go test .
     - name: Build examples
       run: |
         for dir in $(find examples/ -name go.mod); do

jwks/go.mod

@@ -0,0 +1,7 @@
+module github.com/c2FmZQ/tlsproxy/jwks
+
+go 1.25.5
+
+require github.com/hashicorp/go-retryablehttp v0.7.8
+
+require github.com/hashicorp/go-cleanhttp v0.5.2 // indirect

jwks/go.sum

@@ -0,0 +1,14 @@
+github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
+github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
+github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
+github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
+github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-retryablehttp v0.7.8 h1:ylXZWnqa7Lhqpk0L1P1LzDtGcCR0rPVUrx/c8Unxc48=
+github.com/hashicorp/go-retryablehttp v0.7.8/go.mod h1:rjiScheydd+CxvumBsIrFKlx3iS0jrZ7LvzFGFmuKbw=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

jwks/jwks.go

@@ -0,0 +1,176 @@
+// MIT License
+//
+// Copyright (c) 2024 TTBT Enterprises LLC
+// Copyright (c) 2024 Robin Thellend <rthellend@rthellend.com>
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+
+// Package jwks implements a JSON Web Key Set (JWKS) management system.
+package jwks
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/hex"
+	"fmt"
+	"math/big"
+)
+
+// JWKS is a JSON Web Key Set.
+type JWKS struct {
+	Keys []JWK `json:"keys"`
+}
+
+// JWK is a JSON Web Key.
+type JWK struct {
+	Type string `json:"kty"`
+	Use  string `json:"use"`
+	ID   string `json:"kid"`
+	Alg  string `json:"alg"`
+	// EC
+	Curve string `json:"crv,omitempty"`
+	X     string `json:"x,omitempty"`
+	Y     string `json:"y,omitempty"`
+	// RSA
+	N string `json:"n,omitempty"`
+	E string `json:"e,omitempty"`
+}
+
+// PublicKey returns the crypto.PublicKey from the JWK.
+func (k JWK) PublicKey() (crypto.PublicKey, error) {
+	switch k.Type {
+	case "EC":
+		var curve elliptic.Curve
+		switch k.Curve {
+		case "P-256":
+			curve = elliptic.P256()
+		case "P-384":
+			curve = elliptic.P384()
+		case "P-521":
+			curve = elliptic.P521()
+		default:
+			return nil, fmt.Errorf("unsupported EC curve %q", k.Curve)
+		}
+		x, err := base64.RawURLEncoding.DecodeString(k.X)
+		if err != nil {
+			return nil, err
+		}
+		y, err := base64.RawURLEncoding.DecodeString(k.Y)
+		if err != nil {
+			return nil, err
+		}
+		return &ecdsa.PublicKey{Curve: curve, X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}, nil
+	case "RSA":
+		n, err := base64.RawURLEncoding.DecodeString(k.N)
+		if err != nil {
+			return nil, err
+		}
+		eBytes, err := base64.RawURLEncoding.DecodeString(k.E)
+		if err != nil {
+			return nil, err
+		}
+		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(eBytes).Int64())}, nil
+	case "OKP": // EdDSA
+		x, err := base64.RawURLEncoding.DecodeString(k.X)
+		if err != nil {
+			return nil, err
+		}
+		return ed25519.PublicKey(x), nil
+	default:
+		return nil, fmt.Errorf("unknown key type %q", k.Type)
+	}
+}
+
+// PublicKeyToJWK converts a crypto.PublicKey to a JWK.
+func PublicKeyToJWK(pub crypto.PublicKey) *JWK {
+	var jwk JWK
+	switch pub := pub.(type) {
+	case *ecdsa.PublicKey:
+		var alg, crv string
+		switch pub.Curve {
+		case elliptic.P256():
+			alg = "ES256"
+			crv = "P-256"
+		case elliptic.P384():
+			alg = "ES384"
+			crv = "P-384"
+		case elliptic.P521():
+			alg = "ES512"
+			crv = "P-521"
+		default:
+			return nil
+		}
+		size := (pub.Curve.Params().BitSize + 7) / 8
+		xBytes := make([]byte, size)
+		yBytes := make([]byte, size)
+		pub.X.FillBytes(xBytes)
+		pub.Y.FillBytes(yBytes)
+		jwk = JWK{
+			Type:  "EC",
+			Use:   "sig",
+			Alg:   alg,
+			Curve: crv,
+			X:     base64.RawURLEncoding.EncodeToString(xBytes),
+			Y:     base64.RawURLEncoding.EncodeToString(yBytes),
+		}
+	case ed25519.PublicKey:
+		jwk = JWK{
+			Type:  "OKP",
+			Use:   "sig",
+			Alg:   "EdDSA",
+			Curve: "Ed25519",
+			X:     base64.RawURLEncoding.EncodeToString(pub),
+		}
+	case *rsa.PublicKey:
+		jwk = JWK{
+			Type: "RSA",
+			Use:  "sig",
+			Alg:  "RS256",
+			N:    base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
+			E:    base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
+		}
+	default:
+		return nil
+	}
+	// Calculate Key ID (kid)
+	b, err := x509.MarshalPKIXPublicKey(pub)
+	if err == nil {
+		sum := sha256.Sum256(b)
+		jwk.ID = hex.EncodeToString(sum[:])[:16]
+	}
+	return &jwk
+}
+
+// New returns a new JWKS from the provided public keys.
+// Note: RSA keys default to alg:"RS256", which may not be correct, and might need to be updated.
+func New(keys []crypto.PublicKey) *JWKS {
+	var out JWKS
+	for _, pub := range keys {
+		if k := PublicKeyToJWK(pub); k != nil {
+			out.Keys = append(out.Keys, *k)
+		}
+	}
+	return &out
+}

jwks/jwks_test.go

@@ -0,0 +1,96 @@
+// MIT License
+//
+// Copyright (c) 2024 TTBT Enterprises LLC
+// Copyright (c) 2024 Robin Thellend <rthellend@rthellend.com>
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+
+package jwks
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"encoding/json"
+	"testing"
+)
+
+func TestJWKS(t *testing.T) {
+	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatalf("ecdsa.GenerateKey: %v", err)
+	}
+	ecKey384, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+	if err != nil {
+		t.Fatalf("ecdsa.GenerateKey(P384): %v", err)
+	}
+	ecKey521, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
+	if err != nil {
+		t.Fatalf("ecdsa.GenerateKey(P521): %v", err)
+	}
+	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("rsa.GenerateKey: %v", err)
+	}
+	edPub, _, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		t.Fatalf("ed25519.GenerateKey: %v", err)
+	}
+
+	ks := New([]crypto.PublicKey{
+		&ecKey.PublicKey,
+		&ecKey384.PublicKey,
+		&ecKey521.PublicKey,
+		&rsaKey.PublicKey,
+		edPub,
+	})
+	if len(ks.Keys) != 5 {
+		t.Errorf("len(ks.Keys) = %d, want 5", len(ks.Keys))
+	}
+	if ks.Keys[0].Type != "EC" || ks.Keys[0].Curve != "P-256" {
+		t.Errorf("ks.Keys[0] = %v, want EC/P-256", ks.Keys[0])
+	}
+	if ks.Keys[1].Type != "EC" || ks.Keys[1].Curve != "P-384" {
+		t.Errorf("ks.Keys[1] = %v, want EC/P-384", ks.Keys[1])
+	}
+	if ks.Keys[2].Type != "EC" || ks.Keys[2].Curve != "P-521" {
+		t.Errorf("ks.Keys[2] = %v, want EC/P-521", ks.Keys[2])
+	}
+	if ks.Keys[3].Type != "RSA" {
+		t.Errorf("ks.Keys[3].Type = %q, want RSA", ks.Keys[3].Type)
+	}
+	if ks.Keys[4].Type != "OKP" {
+		t.Errorf("ks.Keys[4].Type = %q, want OKP", ks.Keys[4].Type)
+	}
+
+	b, err := json.Marshal(ks)
+	if err != nil {
+		t.Fatalf("json.Marshal: %v", err)
+	}
+	var got JWKS
+	if err := json.Unmarshal(b, &got); err != nil {
+		t.Fatalf("json.Unmarshal: %v", err)
+	}
+	if len(got.Keys) != 5 {
+		t.Errorf("len(got.Keys) = %d, want 5", len(got.Keys))
+	}
+}