Set kid manually to prevent divergence

Due to a quirk of how compact-jwt worked, the Key ID (kid) that it
would use for signing could differ from the kid that Kanidm was
using to reference the key. This was due to a change in the kid
format that wasn't fully handled.

Now on key load, the correct kid can be set by Kanidm so that
all signatures have a kid that matches what Kanidm believes the
kid to be.
William Brown 2025-05-08 16:07:19 +10:00 committed by Firstyear
parent bb53f17b80
commit 378ddadeda
3 changed files with 18 additions and 6 deletions

Cargo.lock generated

@ -776,7 +776,7 @@ checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990"
[[package]]
name = "compact_jwt"
version = "0.4.3"
source = "git+https://github.com/Firstyear/compact-jwt.git?rev=b3d2b5700cfe567d384c81df35d25537fbf7f110#b3d2b5700cfe567d384c81df35d25537fbf7f110"
source = "git+https://github.com/Firstyear/compact-jwt.git?rev=043976842773dd035fe394261347edeb644e3091#043976842773dd035fe394261347edeb644e3091"
dependencies = [
"base64 0.21.7",
"base64urlsafedata",


@ -125,7 +125,7 @@ sshkeys = { git = "https://github.com/Firstyear/rust-sshkeys.git", rev = "3a081c
# Branch currently carrying some needed rs256 signer patches for jwk handling,
# as main is currently working to drop openssl and may need more work before
# we commit to that change here.
compact_jwt = { git = "https://github.com/Firstyear/compact-jwt.git", rev = "b3d2b5700cfe567d384c81df35d25537fbf7f110" }
compact_jwt = { git = "https://github.com/Firstyear/compact-jwt.git", rev = "043976842773dd035fe394261347edeb644e3091" }
[workspace.dependencies]
kanidmd_core = { path = "./server/core", version = "=1.7.0-dev" }


@ -451,7 +451,7 @@ impl KeyObjectInternalJwtEs256 {
let valid_from = valid_from.as_secs();
for private_der in import_keys {
let signer = JwsEs256Signer::from_es256_der(private_der).map_err(|err| {
let mut signer = JwsEs256Signer::from_es256_der(private_der).map_err(|err| {
error!(?err, "Unable to load imported es256 DER signer");
OperationError::KP0028KeyObjectImportJwsEs256DerInvalid
})?;
@ -468,6 +468,9 @@ impl KeyObjectInternalJwtEs256 {
let kid = signer.get_legacy_kid().to_string();
debug!(?kid, "imported key");
// Indicate to the signer we wish to use the legacy kid for this signer.
signer.set_kid(kid.as_str());
self.active.insert(valid_from, signer.clone());
self.all.insert(
@ -576,11 +579,14 @@ impl KeyObjectInternalJwtEs256 {
let status = match status {
KeyStatus::Valid => {
let signer = JwsEs256Signer::from_es256_der(der).map_err(|err| {
let mut signer = JwsEs256Signer::from_es256_der(der).map_err(|err| {
error!(?err, ?id, "Unable to load es256 DER signer");
OperationError::KP0013KeyObjectJwsEs256DerInvalid
})?;
// Ensure that the signer has a coherent kid
signer.set_kid(id.as_str());
let verifier = signer.get_verifier().map_err(|err| {
error!(?err, "Unable to retrieve verifier from signer");
OperationError::KP0014KeyObjectSignerToVerifier
@ -830,7 +836,7 @@ impl KeyObjectInternalJwtRs256 {
let valid_from = valid_from.as_secs();
for private_der in import_keys {
let signer = JwsRs256Signer::from_rs256_der(private_der).map_err(|err| {
let mut signer = JwsRs256Signer::from_rs256_der(private_der).map_err(|err| {
error!(?err, "Unable to load imported rs256 DER signer");
OperationError::KP0045KeyObjectImportJwsRs256DerInvalid
})?;
@ -847,6 +853,9 @@ impl KeyObjectInternalJwtRs256 {
let kid = signer.get_legacy_kid().to_string();
debug!(?kid, "imported key");
// Indicate to the signer we wish to use the legacy kid for this signer.
signer.set_kid(kid.as_str());
self.active.insert(valid_from, signer.clone());
self.all.insert(
@ -955,11 +964,14 @@ impl KeyObjectInternalJwtRs256 {
let status = match status {
KeyStatus::Valid => {
let signer = JwsRs256Signer::from_rs256_der(der).map_err(|err| {
let mut signer = JwsRs256Signer::from_rs256_der(der).map_err(|err| {
error!(?err, ?id, "Unable to load rs256 DER signer");
OperationError::KP0052KeyObjectJwsRs256DerInvalid
})?;
// Ensure that the signer has a coherent kid
signer.set_kid(id.as_str());
let verifier = signer.get_verifier().map_err(|err| {
error!(?err, "Unable to retrieve verifier from signer");
OperationError::KP0053KeyObjectSignerToVerifier