Skip to content

sec(oidc): switch JWT signing from PKCS1v15 to ES256#882

Open
cristim wants to merge 2 commits into
feat/multicloud-web-frontendfrom
fix/422-wave20
Open

sec(oidc): switch JWT signing from PKCS1v15 to ES256#882
cristim wants to merge 2 commits into
feat/multicloud-web-frontendfrom
fix/422-wave20

Conversation

@cristim
Copy link
Copy Markdown
Member

@cristim cristim commented May 30, 2026

Summary

  • Replaces RSA-PKCS1v15 (RS256) with ECDSA P-256 (ES256) across the entire internal/oidc package
  • Updates Algorithm constant, Signer interface, LocalSigner, all three KMS signer stubs, the JWKS builder, and all tests
  • All tests positively assert ES256 algorithm and EC JWK fields (kty=EC, crv=P-256, x, y) -- regression to RS256 will fail tests

Closes #422

Test plan

  • go test ./internal/oidc/... -- 9 tests pass
  • go test ./internal/api/... -- handler_oidc_test.go asserts EC JWK fields
  • go vet ./... -- clean
  • TestLocalSignerMintAndVerify asserts alg == "ES256" and verifies with ecdsa.VerifyASN1
  • TestBuildJWKS asserts kty=EC, crv=P-256, presence of x/y, absence of RSA n/e
  • TestBuildDiscovery asserts id_token_signing_alg_values_supported == ["ES256"]

@cristim
sec(oidc): switch JWT signing from PKCS1v15 to ES256 (closes #422)
560ba87 
Replace RSA-PKCS1v15 (RS256) with ECDSA P-256 (ES256) across the entire
oidc package:

- LocalSigner: ecdsa.GenerateKey(P256) + ecdsa.SignASN1 instead of
  rsa.GenerateKey + rsa.SignPKCS1v15
- Signer interface: PublicKey() returns crypto.PublicKey (was *rsa.PublicKey)
- Algorithm constant: "ES256" (was "RS256")
- ComputeKeyID: accepts crypto.PublicKey, hashes uncompressed EC point
- JWK: EC fields (kty=EC, crv=P-256, x, y); RSA fields (n, e) removed
- AWSKMSSigner: SigningAlgorithmSpecEcdsaSha256 + *ecdsa.PublicKey assertion
- AzureKeyVaultSigner: SignatureAlgorithmES256 + EC key (X/Y) extraction
- GCPKMSSigner: *ecdsa.PublicKey assertion (digest call is key-type-agnostic)
- All tests: positive assertions on ES256 algorithm and EC JWK fields
@cristim cristim added triaged Item has been triaged priority/p3 Polish / idea / may never ship severity/low Minor harm urgency/eventually No deadline impact/internal Team-internal only effort/m Days type/security Security finding labels May 30, 2026
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 30, 2026
edited
Loading

Warning

Review limit reached

@cristim, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 22 minutes and 12 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8b2b653c-0dc0-410a-9855-d3fdb28fb884

📥 Commits

Reviewing files that changed from the base of the PR and between 4956d66 and cc00927.

📒 Files selected for processing (10)
  • go.mod
  • internal/api/handler_oidc_test.go
  • internal/oidc/aws_signer.go
  • internal/oidc/aws_signer_test.go
  • internal/oidc/azure_signer.go
  • internal/oidc/backend_jws_test.go
  • internal/oidc/gcp_signer.go
  • internal/oidc/jwks.go
  • internal/oidc/signer.go
  • internal/oidc/signer_test.go
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/422-wave20

Comment @coderabbitai help to get the list of available commands and usage tips.

@cristim
Copy link
Copy Markdown
Member Author

cristim commented May 30, 2026

@coderabbitai review

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 30, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@cristim
Copy link
Copy Markdown
Member Author

cristim commented Jun 4, 2026

@coderabbitai review

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Jun 4, 2026
edited
Loading

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@cristim
fix(oidc): emit RFC7518 raw R||S ES256 JWS signatures across all sign…
cc00927 
…er backends (refs #422)

Mint base64url-encoded the signer's raw output directly into the JWS
signature segment, but the Local/AWS/GCP signers return DER/ASN.1 ECDSA
signatures (ecdsa.SignASN1, AWS ECDSA_SHA_256, GCP EC sign all yield
ASN.1 DER). RFC 7518 section 3.4 requires an ES256 JWS signature to be
the raw fixed-length R || S concatenation (32 bytes each = 64 bytes for
P-256), NOT DER. As a result AWS/GCP/Local minted tokens that real OIDC
consumers (the stated Azure AD target) reject. Azure Key Vault already
returns raw R||S, so only Azure was correct, leaving the four backends
mutually inconsistent. The Azure Sign comment also wrongly claimed
Key Vault returns DER.

Contract: Signer.Sign now returns the RFC 7518 raw R||S form. DER
backends (Local/AWS/GCP) convert via a single shared
derToRawECDSASignature helper; Azure passes through unchanged (no
double-conversion). Mint encodes the result directly and defensively
rejects any signature that is not 64 bytes.

- signer.go: add derToRawECDSASignature; LocalSigner.Sign converts;
  Mint enforces the 64-byte contract; document the contract on the
  Signer interface.
- aws_signer.go, gcp_signer.go: convert KMS DER output to raw R||S.
- azure_signer.go: fix the wrong "DER-encoded" comment; keep passthrough.
- tests: add assertRawES256JWS asserting the JWS sig is exactly 64 bytes,
  splitting R||S for ecdsa.Verify, and parsing with a real golang-jwt
  ES256 parser. Cover Local, AWS (DER fake), GCP (DER fake) and Azure
  (raw fake). The DER-path tests fail on the pre-fix code (71/69-byte
  signatures) and pass after; the Azure raw path stays correct.
- go.mod: promote golang-jwt/jwt/v5 to a direct dependency (test use).
@cristim
Copy link
Copy Markdown
Member Author

cristim commented Jun 5, 2026

@coderabbitai review

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Jun 5, 2026
edited
Loading

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

effort/m Days impact/internal Team-internal only priority/p3 Polish / idea / may never ship severity/low Minor harm triaged Item has been triaged type/security Security finding urgency/eventually No deadline

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cristim