From e05213f9dd55a8bc76e16dd825c925c3a8421364 Mon Sep 17 00:00:00 2001
From: Andrew Keesler
Date: Thu, 15 Oct 2020 11:33:08 -0400
Subject: [PATCH] supervisor-generate-key: use EC keys intead of RSA
EC keys are smaller and take less time to generate. Our integration tests were super flakey because generating an RSA key would take up to 10 seconds *gasp*. The main token verifier that we care about is Kubernetes, which supports P256, so hopefully it won't be that much of an issue that our default signing key type is EC. The OIDC spec seems kinda squirmy when it comes to using non-RSA signing algorithms...
Signed-off-by: Andrew Keesler
---
 internal/controller/supervisorconfig/jwks.go | 17 ++++++------
 .../controller/supervisorconfig/jwks_test.go | 12 ++++-----
 .../supervisorconfig/testdata/good-ec-key.pem | 5 ++++
 .../supervisorconfig/testdata/good-jwk.json | 18 +++++--------
 .../supervisorconfig/testdata/good-jwks.json | 11 ++++----
 .../testdata/good-rsa-key.pem | 27 -------------------
 .../testdata/invalid-key-jwk.json | 12 +++++----
 .../testdata/invalid-key-jwks.json | 11 ++++----
 .../testdata/missing-active-jwks.json | 9 ++++---
 .../testdata/private-jwks.json | 18 +++++--------
 .../supervisorconfig/testdata/public-jwk.json | 11 ++++----
 test/integration/supervisor_keys_test.go | 1 -
 12 files changed, 64 insertions(+), 88 deletions(-)
 create mode 100644 internal/controller/supervisorconfig/testdata/good-ec-key.pem
 delete mode 100644 internal/controller/supervisorconfig/testdata/good-rsa-key.pem
diff --git a/internal/controller/supervisorconfig/jwks.go b/internal/controller/supervisorconfig/jwks.go
index 24fa67ff..a507df90 100644
--- a/internal/controller/supervisorconfig/jwks.go
+++ b/internal/controller/supervisorconfig/jwks.go
@@ -5,8 +5,9 @@ package supervisorconfig
 import (
 "context"
+ "crypto/ecdsa"
+ "crypto/elliptic"
 "crypto/rand"
- "crypto/rsa"
 "encoding/json"
 "fmt"
 "io"
@@ -44,12 +45,12 @@ const (
 opcKind = "OIDCProviderConfig"
 )
-// generateKey is stubbed out for the purpose of testing. The default behavior is to generate an RSA key.
+// generateKey is stubbed out for the purpose of testing. The default behavior is to generate an EC key.
 //nolint:gochecknoglobals
-var generateKey func(r io.Reader, bits int) (interface{}, error) = generateRSAKey
+var generateKey func(r io.Reader) (interface{}, error) = generateECKey
-func generateRSAKey(r io.Reader, bits int) (interface{}, error) {
- return rsa.GenerateKey(r, bits)
+func generateECKey(r io.Reader) (interface{}, error) {
+ return ecdsa.GenerateKey(elliptic.P256(), r)
 }
 // jwkController holds the fields necessary for the JWKS controller to communicate with OPC's and
@@ -205,15 +206,15 @@ func (c *jwksController) generateSecret(opc *configv1alpha1.OIDCProviderConfig)
 //
 // For now, we just generate an new RSA keypair and put that in the secret.
- key, err := generateKey(rand.Reader, 4096)
+ key, err := generateKey(rand.Reader)
 if err != nil {
 return nil, fmt.Errorf("cannot generate key: %w", err)
 }
 jwk := jose.JSONWebKey{
 Key: key,
- KeyID: "some-key",
- Algorithm: "RS256",
+ KeyID: "pinniped-supervisor-key",
+ Algorithm: "ES256",
 Use: "sig",
 }
 jwkData, err := json.Marshal(jwk)
diff --git a/internal/controller/supervisorconfig/jwks_test.go b/internal/controller/supervisorconfig/jwks_test.go
index 30298db4..ecab24ad 100644
--- a/internal/controller/supervisorconfig/jwks_test.go
+++ b/internal/controller/supervisorconfig/jwks_test.go
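Review bot: In jwks.go, `generateECKey` hard-codes `elliptic.P256()` while the matching JWK algorithm `"ES256"` is set separately in `generateSecret`, and nothing visible ties the two together. A later change to the curve alone could therefore publish a JWK whose `alg` no longer matches its key. The new function also has no doc comment; one that records the coupling would help, for example `// generateECKey returns a new P-256 ECDSA private key; the JWK Algorithm set in generateSecret ("ES256") must match this curve.`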
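Review bot: In `generateSecret`, every generated key now gets the same constant `KeyID: "pinniped-supervisor-key"`, so a verifier that caches the JWKS by `kid` has no way to tell a regenerated key from the one it replaced. Deriving the id from the key itself (for example an RFC 7638 thumbprint of the public key) would make each key distinguishable; whether keys are ever regenerated is not visible here. The context comment above the call still says `generate an new RSA keypair` and should read `generate a new EC (P-256) keypair`. The body of `generateSecret` starts and ends outside the hunk.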
@@ -227,11 +227,11 @@ func TestJWKSControllerSync(t *testing.T) {
 const namespace = "tuna-namespace"
- goodRSAKeyPEM, err := ioutil.ReadFile("testdata/good-rsa-key.pem")
+ goodKeyPEM, err := ioutil.ReadFile("testdata/good-ec-key.pem")
 require.NoError(t, err)
- block, _ := pem.Decode(goodRSAKeyPEM)
- require.NotNil(t, block, "expected block to be non-nil...is goodRSAKeyPEM a valid PEM?")
- goodRSAKey, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+ block, _ := pem.Decode(goodKeyPEM)
+ require.NotNil(t, block, "expected block to be non-nil...is goodKeyPEM a valid PEM?")
+ goodKey, err := x509.ParseECPrivateKey(block.Bytes)
 require.NoError(t, err)
 opcGVR := schema.GroupVersionResource{
@@ -610,9 +610,9 @@ func TestJWKSControllerSync(t *testing.T) {
 t.Run(test.name, func(t *testing.T) {
 // We shouldn't run this test in parallel since it messes with a global function (generateKey).
 generateKeyCount := 0
- generateKey = func(_ io.Reader, _ int) (interface{}, error) {
+ generateKey = func(_ io.Reader) (interface{}, error) {
 generateKeyCount++
- return goodRSAKey, test.generateKeyErr
+ return goodKey, test.generateKeyErr
 }
 ctx, cancel := context.WithTimeout(context.Background(), time.Second*3)
diff --git a/internal/controller/supervisorconfig/testdata/good-ec-key.pem b/internal/controller/supervisorconfig/testdata/good-ec-key.pem
new file mode 100644
index 00000000..211202f4
--- /dev/null
+++ b/internal/controller/supervisorconfig/testdata/good-ec-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINR2PAduYBO64CaDT4vLoMnn8y4UX5VTFdOA7wUQF0n/oAoGCCqGSM49
+AwEHoUQDQgAEawmmj6CIMhSoJyfsqH7sekbTeY72GGPLEy16tPWVz2UVwyHTq5ct
+qr1vYw6LGUtWJ1STJw7W7sgc6StOLs3RrA==
+-----END EC PRIVATE KEY-----
diff --git a/internal/controller/supervisorconfig/testdata/good-jwk.json b/internal/controller/supervisorconfig/testdata/good-jwk.json
index 20cda4f3..89e4be66 100644
--- a/internal/controller/supervisorconfig/testdata/good-jwk.json
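Review bot: In the `@@ -610` hunk of jwks_test.go, the stub assigned to the package-level `generateKey` is not restored in the lines shown, so the fake that always returns the fixture key may stay installed for any test that runs later in the package. Registering `t.Cleanup(func() { generateKey = generateECKey })` right after the assignment would put the real generator back. The subtest body continues outside the hunk, so a restore may already exist further down.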
+++ b/internal/controller/supervisorconfig/testdata/good-jwk.json 
@@ -1,14 +1,10 @@ { "use": "sig", - "kty": "RSA", - "kid": "some-key", - "alg": "RS256", - "n": "z6UWJvYJtVxXpvITGDdq9I2ln73zu7gH4RB4q7t5bKFPYAEo2XshthG21-L82rmxUQ23-1XTkBSBK5iZl3Q_liHt1MLjZrpjuRc0CKMDcrExAMX6duicFVlhkIakIeupp-PrlvLSp9ZNXuQ3z1eSKK51d2svHRSqJXdHBa-c2GXuEuX572CnV2oGO06L8f1Tt0yLT3HxzHMRbwntID9Rg2KJj0f5lBin2Kd4wJejHgBj8hnAdxe6nnDsFYqgUQu3Qao9edgwiX9EftzGlo9B_Q0g3vGyFNVf0MM4LX3OSre4yVlphZOW3YeLIeBq_4KmgutD0AZHzCF18KUjJgOv9w", - "e": "AQAB", - "d": "yIaLQBD3CzgkRcsdeZN7LLTmL8BHcw-kPEul3WLtPmUBvJsiEfUBd0zgINjKi4gsnzP6azRVXZ0PqURzf3n6NkiJ36Bd70UtLQAldfnHSKmpwy9uVAsLQOrSd7ovI7rsWoCXcW0K1p70lSEcbJYLRlJEipDuLM1aC1iHNAyGEcuQr4vlKaaWJ0lwQv0dxeEYsOTvMUvewOy1T8gREdSOQYJ5PgcF6solq04gCYmGv2paEersPFcfEarA5h8FHKlqGRTGwg3ltJMA1NaRPs0teYR2nKdLUk8nc012F7qfpN8iDx6H6f8tJn_QchgbLo8_s5uB6KC2zmdceCLRiP-VQQ", - "p": "53FGQ4Kc-bJeZfRejxgg1avgi0i7THXpb2_-E2hgUpzFEza2e3TOQ1-N44sotDVjv7bylZwuLsdV7ug9jIVWzr4qldEOlpvGOh_QjqrEl12lwA-9EFNp3UrMwclGUvLwm5QjFRE74iEQR0b0ljetvupNE-FncNWhxlOnQEDXVjE", - "q": "5a1kYSkozQiPHEycYpuflRWRY_twrWywhO2Gwzqq583qBUYInUjhNS6_dzrAA_6rDSuPXux4OjxdkLbVziLfHhLo_f1fCTm0-UlQIasxfn-WTFRpZsAjzaaiL5n0OegvSDAKXbT9zuAfH5r6RjhsSXqG-s5jbk810rVmwUh2Vqc", - "dp": "bhRnaga-qNjYoz-GliLQwzA73aObSjOu8szemNaFMeXUql3Uj4Wv8UWKlBaFJqlaJz5ZxSUCpkczLS2S0Lo-3ph-YsGLYcD3mH-3T5QTazckdeRGdXRnHtTL7MPRyfQ40paz1PpcdCJrvqsV_DjBT9PbE0CbVYSWrGDvZNUyVpE", - "dq": "4jjKASVQSbtfcklHU5zjLy3COc-EaVz_9L4cGZlkktNv6GfVvk31fLOh5OcaEBU8F8nK-n1B4mJo6kwcBWC1kOKhWOLCQ8zyIwQCCFeddXJn8KDH_GvOGBZD80zZkFvQjnK7ExddUvHP1gqI7rdOeYVVBB5bM2CTrAn-vuwHm0s", - "qi": "brSwOeUadJ9wnqNN_cdCKyDb8ed37h7Cd509hkiby7JiD7VqBfFWmYqtIdX-jEfms6OSlCiUKAeTHryKAV7Wb6yHNgT78iOCfgGIIz2mmV8KNdAzdkkMlGu5Uuwi0EW8ww25Xw0c5zIneVZmg-0ydFUUa5GEHrQ3Du7MMAHlQCo" + "kty": "EC", + "kid": "pinniped-supervisor-key", + "crv": "P-256", + "alg": "ES256", + "x": "awmmj6CIMhSoJyfsqH7sekbTeY72GGPLEy16tPWVz2U", + "y": "FcMh06uXLaq9b2MOixlLVidUkycO1u7IHOkrTi7N0aw", + "d": "1HY8B25gE7rgJoNPi8ugyefzLhRflVMV04DvBRAXSf8" } 
diff --git a/internal/controller/supervisorconfig/testdata/good-jwks.json b/internal/controller/supervisorconfig/testdata/good-jwks.json index ddb4fecb..b099245e 100644 --- a/internal/controller/supervisorconfig/testdata/good-jwks.json +++ b/internal/controller/supervisorconfig/testdata/good-jwks.json @@ -2,11 +2,12 @@ "keys": [ { "use": "sig", - "kty": "RSA", - "kid": "some-key", - "alg": "RS256", - "n": "z6UWJvYJtVxXpvITGDdq9I2ln73zu7gH4RB4q7t5bKFPYAEo2XshthG21-L82rmxUQ23-1XTkBSBK5iZl3Q_liHt1MLjZrpjuRc0CKMDcrExAMX6duicFVlhkIakIeupp-PrlvLSp9ZNXuQ3z1eSKK51d2svHRSqJXdHBa-c2GXuEuX572CnV2oGO06L8f1Tt0yLT3HxzHMRbwntID9Rg2KJj0f5lBin2Kd4wJejHgBj8hnAdxe6nnDsFYqgUQu3Qao9edgwiX9EftzGlo9B_Q0g3vGyFNVf0MM4LX3OSre4yVlphZOW3YeLIeBq_4KmgutD0AZHzCF18KUjJgOv9w", - "e": "AQAB" + "kty": "EC", + "kid": "pinniped-supervisor-key", + "crv": "P-256", + "alg": "ES256", + "x": "awmmj6CIMhSoJyfsqH7sekbTeY72GGPLEy16tPWVz2U", + "y": "FcMh06uXLaq9b2MOixlLVidUkycO1u7IHOkrTi7N0aw" } ] } diff --git a/internal/controller/supervisorconfig/testdata/good-rsa-key.pem b/internal/controller/supervisorconfig/testdata/good-rsa-key.pem deleted file mode 100644 index 459761eb..00000000 --- a/internal/controller/supervisorconfig/testdata/good-rsa-key.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAz6UWJvYJtVxXpvITGDdq9I2ln73zu7gH4RB4q7t5bKFPYAEo -2XshthG21+L82rmxUQ23+1XTkBSBK5iZl3Q/liHt1MLjZrpjuRc0CKMDcrExAMX6 -duicFVlhkIakIeupp+PrlvLSp9ZNXuQ3z1eSKK51d2svHRSqJXdHBa+c2GXuEuX5 -72CnV2oGO06L8f1Tt0yLT3HxzHMRbwntID9Rg2KJj0f5lBin2Kd4wJejHgBj8hnA -dxe6nnDsFYqgUQu3Qao9edgwiX9EftzGlo9B/Q0g3vGyFNVf0MM4LX3OSre4yVlp -hZOW3YeLIeBq/4KmgutD0AZHzCF18KUjJgOv9wIDAQABAoIBAQDIhotAEPcLOCRF -yx15k3sstOYvwEdzD6Q8S6XdYu0+ZQG8myIR9QF3TOAg2MqLiCyfM/prNFVdnQ+p -RHN/efo2SInfoF3vRS0tACV1+cdIqanDL25UCwtA6tJ3ui8juuxagJdxbQrWnvSV -IRxslgtGUkSKkO4szVoLWIc0DIYRy5Cvi+UpppYnSXBC/R3F4Riw5O8xS97A7LVP -yBER1I5Bgnk+BwXqyiWrTiAJiYa/aloR6uw8Vx8RqsDmHwUcqWoZFMbCDeW0kwDU -1pE+zS15hHacp0tSTydzTXYXup+k3yIPHofp/y0mf9ByGBsujz+zm4HooLbOZ1x4 -ItGI/5VBAoGBAOdxRkOCnPmyXmX0Xo8YINWr4ItIu0x16W9v/hNoYFKcxRM2tnt0 -zkNfjeOLKLQ1Y7+28pWcLi7HVe7oPYyFVs6+KpXRDpabxjof0I6qxJddpcAPvRBT -ad1KzMHJRlLy8JuUIxURO+IhEEdG9JY3rb7qTRPhZ3DVocZTp0BA11YxAoGBAOWt -ZGEpKM0IjxxMnGKbn5UVkWP7cK1ssITthsM6qufN6gVGCJ1I4TUuv3c6wAP+qw0r -j17seDo8XZC21c4i3x4S6P39Xwk5tPlJUCGrMX5/lkxUaWbAI82moi+Z9DnoL0gw -Cl20/c7gHx+a+kY4bEl6hvrOY25PNdK1ZsFIdlanAoGAbhRnaga+qNjYoz+GliLQ -wzA73aObSjOu8szemNaFMeXUql3Uj4Wv8UWKlBaFJqlaJz5ZxSUCpkczLS2S0Lo+ -3ph+YsGLYcD3mH+3T5QTazckdeRGdXRnHtTL7MPRyfQ40paz1PpcdCJrvqsV/DjB -T9PbE0CbVYSWrGDvZNUyVpECgYEA4jjKASVQSbtfcklHU5zjLy3COc+EaVz/9L4c -GZlkktNv6GfVvk31fLOh5OcaEBU8F8nK+n1B4mJo6kwcBWC1kOKhWOLCQ8zyIwQC -CFeddXJn8KDH/GvOGBZD80zZkFvQjnK7ExddUvHP1gqI7rdOeYVVBB5bM2CTrAn+ -vuwHm0sCgYButLA55Rp0n3Ceo039x0IrINvx53fuHsJ3nT2GSJvLsmIPtWoF8VaZ -iq0h1f6MR+azo5KUKJQoB5MevIoBXtZvrIc2BPvyI4J+AYgjPaaZXwo10DN2SQyU -a7lS7CLQRbzDDblfDRznMid5VmaD7TJ0VRRrkYQetDcO7swwAeVAKg== ------END RSA PRIVATE KEY----- diff --git a/internal/controller/supervisorconfig/testdata/invalid-key-jwk.json b/internal/controller/supervisorconfig/testdata/invalid-key-jwk.json index 4c51e5c9..cee9bfb9 100644 --- a/internal/controller/supervisorconfig/testdata/invalid-key-jwk.json 
+++ b/internal/controller/supervisorconfig/testdata/invalid-key-jwk.json @@ -1,8 +1,10 @@ { "use": "sig", - "kty": "RSA", - "kid": "some-key", - "alg": "RS256", - "n": "z6UWJvYJtVxXpvITGDdq9I2ln73zu7gH4RB4q7t5bKFPYAEo2XshthG21-L82rmxUQ23-1XTkBSBK5iZl3Q_liHt1MLjZrpjuRc0CKMDcrExAMX6duicFVlhkIakIeupp-PrlvLSp9ZNXuQ3z1eSKK51d2svHRSqJXdHBa-c2GXuEuX572CnV2oGO06L8f1Tt0yLT3HxzHMRbwntID9Rg2KJj0f5lBin2Kd4wJejHgBj8hnAdxe6nnDsFYqgUQu3Qao9edgwiX9EftzGlo9B_Q0g3vGyFNVf0MM4LX3OSre4yVlphZOW3YeLIeBq_4KmgutD0AZHzCF18KUjJgOv9w", - "e": "0" + "kty": "EC", + "kid": "pinniped-supervisor-key", + "crv": "P-256", + "alg": "ES256", + "x": "0", + "y": "FcMh06uXLaq9b2MOixlLVidUkycO1u7IHOkrTi7N0aw", + "d": "1HY8B25gE7rgJoNPi8ugyefzLhRflVMV04DvBRAXSf8" } diff --git a/internal/controller/supervisorconfig/testdata/invalid-key-jwks.json b/internal/controller/supervisorconfig/testdata/invalid-key-jwks.json index b5eef40e..cff683f2 100644 --- a/internal/controller/supervisorconfig/testdata/invalid-key-jwks.json +++ b/internal/controller/supervisorconfig/testdata/invalid-key-jwks.json @@ -2,11 +2,12 @@ "keys": [ { "use": "sig", - "kty": "RSA", - "kid": "some-key", - "alg": "RS256", - "n": "0", - "e": "AQAB" + "kty": "EC", + "kid": "pinniped-supervisor-key", + "crv": "P-256", + "alg": "ES256", + "x": "awmmj6CIMhSoJyfsqH7sekbTeY72GGPLEy16tPWVz2U", + "y": "0" } ] } diff --git a/internal/controller/supervisorconfig/testdata/missing-active-jwks.json b/internal/controller/supervisorconfig/testdata/missing-active-jwks.json index 08e36e4f..c6e77e6f 100644 --- a/internal/controller/supervisorconfig/testdata/missing-active-jwks.json +++ b/internal/controller/supervisorconfig/testdata/missing-active-jwks.json 
@@ -2,11 +2,12 @@ "keys": [ { "use": "sig", - "kty": "RSA", + "kty": "EC", "kid": "some-other-key", - "alg": "RS256", - "n": "qNAsShEVuXiPz2UmI-1q_R_80WA3VHWt7WU7NbhPf59GohTKKvosG4a1C8alY2eh25yFIB6BbyPOFnTWFDrPnNmZYn0m0ByHW7EbO92yFKjS6F9p1VICWOp003F5UWIfCy5fzFA3oDBPSBs2r6N9g0xcqbwihuT1Cn1vQb_CRA0-G44XFQ4hHnHJfmFsgv-za7BlcT4V_RRaPtJBNnQRVmNXxjKwLs1XwGAW-I0QObr4HPsMBdBPXJYQeC5WJS59KbP2wvimgkArzStdw-n2H_5TYUaKFyylX8vCb3ndCs7Mp90fI3YGhvZrQ7N7mmL_vn4lrCcQMD2T_U9-dKbB6aXXNlyS-VY-MXbhnY_MGbGIGEdIdwGynGmyuLiNCA9qXDJ4zVWdlatsTqSFyGh20ntj8fcdxfjMg_AXbwr_Fc_9dkvshU9Qsui6FCxB6GwZA4o9Pyu0NtzetWcwZdpKpDaFTkmhQbPMP6MoshovaYdJWYsvuBSjTZycawikgMWAPuinFSAcwI10P6YucJRVlUgIOMusKnGfu8xXxQWysleesJe-1BSQHmyKjIGuIIjiWamAga8Hn4n24LqlBhRgjPJqL_QH25GrpIyFW-6DsHuOKNgJk7IJSZOl6Mkox660gsbdfpTsYeEY9IWc5am4vZOfadx86d9O13p7rZBUsus", - "e": "AQAB" + "crv": "P-256", + "alg": "ES256", + "x": "awmmj6CIMhSoJyfsqH7sekbTeY72GGPLEy16tPWVz2U", + "y": "0" } ] } diff --git a/internal/controller/supervisorconfig/testdata/private-jwks.json b/internal/controller/supervisorconfig/testdata/private-jwks.json index d72ce22b..b88f8fcc 100644 --- a/internal/controller/supervisorconfig/testdata/private-jwks.json +++ b/internal/controller/supervisorconfig/testdata/private-jwks.json 
@@ -2,17 +2,13 @@ "keys": [ { "use": "sig", - "kty": "RSA", - "kid": "some-key", - "alg": "RS256", - "n": "z6UWJvYJtVxXpvITGDdq9I2ln73zu7gH4RB4q7t5bKFPYAEo2XshthG21-L82rmxUQ23-1XTkBSBK5iZl3Q_liHt1MLjZrpjuRc0CKMDcrExAMX6duicFVlhkIakIeupp-PrlvLSp9ZNXuQ3z1eSKK51d2svHRSqJXdHBa-c2GXuEuX572CnV2oGO06L8f1Tt0yLT3HxzHMRbwntID9Rg2KJj0f5lBin2Kd4wJejHgBj8hnAdxe6nnDsFYqgUQu3Qao9edgwiX9EftzGlo9B_Q0g3vGyFNVf0MM4LX3OSre4yVlphZOW3YeLIeBq_4KmgutD0AZHzCF18KUjJgOv9w", - "e": "AQAB", - "d": "yIaLQBD3CzgkRcsdeZN7LLTmL8BHcw-kPEul3WLtPmUBvJsiEfUBd0zgINjKi4gsnzP6azRVXZ0PqURzf3n6NkiJ36Bd70UtLQAldfnHSKmpwy9uVAsLQOrSd7ovI7rsWoCXcW0K1p70lSEcbJYLRlJEipDuLM1aC1iHNAyGEcuQr4vlKaaWJ0lwQv0dxeEYsOTvMUvewOy1T8gREdSOQYJ5PgcF6solq04gCYmGv2paEersPFcfEarA5h8FHKlqGRTGwg3ltJMA1NaRPs0teYR2nKdLUk8nc012F7qfpN8iDx6H6f8tJn_QchgbLo8_s5uB6KC2zmdceCLRiP-VQQ", - "p": "53FGQ4Kc-bJeZfRejxgg1avgi0i7THXpb2_-E2hgUpzFEza2e3TOQ1-N44sotDVjv7bylZwuLsdV7ug9jIVWzr4qldEOlpvGOh_QjqrEl12lwA-9EFNp3UrMwclGUvLwm5QjFRE74iEQR0b0ljetvupNE-FncNWhxlOnQEDXVjE", - "q": "5a1kYSkozQiPHEycYpuflRWRY_twrWywhO2Gwzqq583qBUYInUjhNS6_dzrAA_6rDSuPXux4OjxdkLbVziLfHhLo_f1fCTm0-UlQIasxfn-WTFRpZsAjzaaiL5n0OegvSDAKXbT9zuAfH5r6RjhsSXqG-s5jbk810rVmwUh2Vqc", - "dp": "bhRnaga-qNjYoz-GliLQwzA73aObSjOu8szemNaFMeXUql3Uj4Wv8UWKlBaFJqlaJz5ZxSUCpkczLS2S0Lo-3ph-YsGLYcD3mH-3T5QTazckdeRGdXRnHtTL7MPRyfQ40paz1PpcdCJrvqsV_DjBT9PbE0CbVYSWrGDvZNUyVpE", - "dq": "4jjKASVQSbtfcklHU5zjLy3COc-EaVz_9L4cGZlkktNv6GfVvk31fLOh5OcaEBU8F8nK-n1B4mJo6kwcBWC1kOKhWOLCQ8zyIwQCCFeddXJn8KDH_GvOGBZD80zZkFvQjnK7ExddUvHP1gqI7rdOeYVVBB5bM2CTrAn-vuwHm0s", - "qi": "brSwOeUadJ9wnqNN_cdCKyDb8ed37h7Cd509hkiby7JiD7VqBfFWmYqtIdX-jEfms6OSlCiUKAeTHryKAV7Wb6yHNgT78iOCfgGIIz2mmV8KNdAzdkkMlGu5Uuwi0EW8ww25Xw0c5zIneVZmg-0ydFUUa5GEHrQ3Du7MMAHlQCo" + "kty": "EC", + "kid": "pinniped-supervisor-key", + "crv": "P-256", + "alg": "ES256", + "x": "awmmj6CIMhSoJyfsqH7sekbTeY72GGPLEy16tPWVz2U", + "y": "FcMh06uXLaq9b2MOixlLVidUkycO1u7IHOkrTi7N0aw", + "d": "1HY8B25gE7rgJoNPi8ugyefzLhRflVMV04DvBRAXSf8" } ] } 
diff --git a/internal/controller/supervisorconfig/testdata/public-jwk.json b/internal/controller/supervisorconfig/testdata/public-jwk.json index 1b4b7a88..bd440e4e 100644 --- a/internal/controller/supervisorconfig/testdata/public-jwk.json +++ b/internal/controller/supervisorconfig/testdata/public-jwk.json @@ -1,8 +1,9 @@ { "use": "sig", - "kty": "RSA", - "kid": "some-key", - "alg": "RS256", - "n": "z6UWJvYJtVxXpvITGDdq9I2ln73zu7gH4RB4q7t5bKFPYAEo2XshthG21-L82rmxUQ23-1XTkBSBK5iZl3Q_liHt1MLjZrpjuRc0CKMDcrExAMX6duicFVlhkIakIeupp-PrlvLSp9ZNXuQ3z1eSKK51d2svHRSqJXdHBa-c2GXuEuX572CnV2oGO06L8f1Tt0yLT3HxzHMRbwntID9Rg2KJj0f5lBin2Kd4wJejHgBj8hnAdxe6nnDsFYqgUQu3Qao9edgwiX9EftzGlo9B_Q0g3vGyFNVf0MM4LX3OSre4yVlphZOW3YeLIeBq_4KmgutD0AZHzCF18KUjJgOv9w", - "e": "AQAB" + "kty": "EC", + "kid": "pinniped-supervisor-key", + "crv": "P-256", + "alg": "ES256", + "x": "awmmj6CIMhSoJyfsqH7sekbTeY72GGPLEy16tPWVz2U", + "y": "FcMh06uXLaq9b2MOixlLVidUkycO1u7IHOkrTi7N0aw" } diff --git a/test/integration/supervisor_keys_test.go b/test/integration/supervisor_keys_test.go index feb7f50c..b6f73e93 100644 --- a/test/integration/supervisor_keys_test.go +++ b/test/integration/supervisor_keys_test.go @@ -27,7 +27,6 @@ func TestSupervisorOIDCKeys(t *testing.T) { defer cancel() // Create our OPC under test. - // TODO: maybe use this in other supervisor test? opc := library.CreateTestOIDCProvider(ctx, t, "") // Ensure a secret is created with the OPC's JWKS.