Set kid manually to prevent divergence
Due to a quirk of how compact-jwt worked, the Key ID (kid) that it would use for signing could differ from the kid that Kanidm was using to reference the key. This was due to a change in the kid format that wasn't fully handled. Now, on key load, the correct kid can be set by Kanidm so that all signatures carry a kid that matches what Kanidm believes the kid to be.
parent
bb53f17b80
commit
378ddadeda
2
Cargo.lock
generated
2
Cargo.lock
generated
|
@ -776,7 +776,7 @@ checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990"
|
|||
[[package]]
|
||||
name = "compact_jwt"
|
||||
version = "0.4.3"
|
||||
source = "git+https://github.com/Firstyear/compact-jwt.git?rev=b3d2b5700cfe567d384c81df35d25537fbf7f110#b3d2b5700cfe567d384c81df35d25537fbf7f110"
|
||||
source = "git+https://github.com/Firstyear/compact-jwt.git?rev=043976842773dd035fe394261347edeb644e3091#043976842773dd035fe394261347edeb644e3091"
|
||||
dependencies = [
|
||||
"base64 0.21.7",
|
||||
"base64urlsafedata",
|
||||
|
|
|
@ -125,7 +125,7 @@ sshkeys = { git = "https://github.com/Firstyear/rust-sshkeys.git", rev = "3a081c
|
|||
# Branch currently carrying some needed rs256 signer patches for jwk handling,
|
||||
# as main is currently working to drop openssl and may need more work before
|
||||
# we commit to that change here.
|
||||
compact_jwt = { git = "https://github.com/Firstyear/compact-jwt.git", rev = "b3d2b5700cfe567d384c81df35d25537fbf7f110" }
|
||||
compact_jwt = { git = "https://github.com/Firstyear/compact-jwt.git", rev = "043976842773dd035fe394261347edeb644e3091" }
|
||||
|
||||
[workspace.dependencies]
|
||||
kanidmd_core = { path = "./server/core", version = "=1.7.0-dev" }
|
||||
|
|
|
@ -451,7 +451,7 @@ impl KeyObjectInternalJwtEs256 {
|
|||
let valid_from = valid_from.as_secs();
|
||||
|
||||
for private_der in import_keys {
|
||||
let signer = JwsEs256Signer::from_es256_der(private_der).map_err(|err| {
|
||||
let mut signer = JwsEs256Signer::from_es256_der(private_der).map_err(|err| {
|
||||
error!(?err, "Unable to load imported es256 DER signer");
|
||||
OperationError::KP0028KeyObjectImportJwsEs256DerInvalid
|
||||
})?;
|
||||
|
@ -468,6 +468,9 @@ impl KeyObjectInternalJwtEs256 {
|
|||
let kid = signer.get_legacy_kid().to_string();
|
||||
debug!(?kid, "imported key");
|
||||
|
||||
// Indicate to the signer we wish to use the legacy kid for this signer.
|
||||
signer.set_kid(kid.as_str());
|
||||
|
||||
self.active.insert(valid_from, signer.clone());
|
||||
|
||||
self.all.insert(
|
||||
|
@ -576,11 +579,14 @@ impl KeyObjectInternalJwtEs256 {
|
|||
|
||||
let status = match status {
|
||||
KeyStatus::Valid => {
|
||||
let signer = JwsEs256Signer::from_es256_der(der).map_err(|err| {
|
||||
let mut signer = JwsEs256Signer::from_es256_der(der).map_err(|err| {
|
||||
error!(?err, ?id, "Unable to load es256 DER signer");
|
||||
OperationError::KP0013KeyObjectJwsEs256DerInvalid
|
||||
})?;
|
||||
|
||||
// Ensure that the signer has a coherent kid
|
||||
signer.set_kid(id.as_str());
|
||||
|
||||
let verifier = signer.get_verifier().map_err(|err| {
|
||||
error!(?err, "Unable to retrieve verifier from signer");
|
||||
OperationError::KP0014KeyObjectSignerToVerifier
|
||||
|
@ -830,7 +836,7 @@ impl KeyObjectInternalJwtRs256 {
|
|||
let valid_from = valid_from.as_secs();
|
||||
|
||||
for private_der in import_keys {
|
||||
let signer = JwsRs256Signer::from_rs256_der(private_der).map_err(|err| {
|
||||
let mut signer = JwsRs256Signer::from_rs256_der(private_der).map_err(|err| {
|
||||
error!(?err, "Unable to load imported rs256 DER signer");
|
||||
OperationError::KP0045KeyObjectImportJwsRs256DerInvalid
|
||||
})?;
|
||||
|
@ -847,6 +853,9 @@ impl KeyObjectInternalJwtRs256 {
|
|||
let kid = signer.get_legacy_kid().to_string();
|
||||
debug!(?kid, "imported key");
|
||||
|
||||
// Indicate to the signer we wish to use the legacy kid for this signer.
|
||||
signer.set_kid(kid.as_str());
|
||||
|
||||
self.active.insert(valid_from, signer.clone());
|
||||
|
||||
self.all.insert(
|
||||
|
@ -955,11 +964,14 @@ impl KeyObjectInternalJwtRs256 {
|
|||
|
||||
let status = match status {
|
||||
KeyStatus::Valid => {
|
||||
let signer = JwsRs256Signer::from_rs256_der(der).map_err(|err| {
|
||||
let mut signer = JwsRs256Signer::from_rs256_der(der).map_err(|err| {
|
||||
error!(?err, ?id, "Unable to load rs256 DER signer");
|
||||
OperationError::KP0052KeyObjectJwsRs256DerInvalid
|
||||
})?;
|
||||
|
||||
// Ensure that the signer has a coherent kid
|
||||
signer.set_kid(id.as_str());
|
||||
|
||||
let verifier = signer.get_verifier().map_err(|err| {
|
||||
error!(?err, "Unable to retrieve verifier from signer");
|
||||
OperationError::KP0053KeyObjectSignerToVerifier
|
||||
|
|
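Review bot: The kid is pinned only on the `KeyStatus::Valid` arm of the load match (the `signer.set_kid(id.as_str());` added after the DER parse); if the remaining status arms build a verifier for retained or revoked keys without the same call, those verifiers may still carry the library-derived kid rather than the id Kanidm stores, and a token minted before a rotation could then miss on kid lookup at verification time. The arms following the `get_verifier()` call sit outside the hunk, so this is inferred rather than seen. The same concern applies to the Rs256 load hunk at @ -955 and its Es256 twin at @ -576. A cheap guard against future divergence would be to confirm the value took effect, e.g. `debug_assert_eq!(signer.get_kid(), id.as_str());` where the signer exposes the kid getter, and the existing one-line comment could state the reason: `// The library's derived kid format changed; pin it to the id Kanidm stores so JWS headers and JWKS entries agree.`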