[feat]: add support for EC/ED25519 public keys for token authentication (#2998)

* feat: rework token auth to allow ED25519/EC public keys Signed-off-by: evanebb <git@evanus.nl> * fix: shadow err variable to hopefully avoid data race Signed-off-by: evanebb <git@evanus.nl> * fix: apply golangci-lint feedback Signed-off-by: evanebb <git@evanus.nl> * fix: simplify public key loading by only supporting certificates, fixes ED25519 certificate handling Signed-off-by: evanebb <git@evanus.nl> * test: add golang-jwt based test auth server and test RSA/EC/ED25519 keys Signed-off-by: evanebb <git@evanus.nl> * fix: restrict allowed signing algorithms as recommended by library Signed-off-by: evanebb <git@evanus.nl> * test: add more bearer authorizer tests Signed-off-by: evanebb <git@evanus.nl> * fix: apply more golangci-lint feedback Signed-off-by: evanebb <git@evanus.nl> * test: ensure chmod calls run on test failure for authn errors test Signed-off-by: evanebb <git@evanus.nl> * fix: verify issued-at in given token if present Pulls the validation in-line with the old library Signed-off-by: evanebb <git@evanus.nl> --------- Signed-off-by: evanebb <git@evanus.nl>
2026-06-17 21:17:58 +08:00 · 2025-03-06 23:32:13 +01:00
parent e7fb9c5e60
commit d465690630
11 changed files with 1413 additions and 759 deletions
@@ -2,6 +2,7 @@

 set -xe

+# RSA
 openssl req \
    -newkey rsa:2048 \
    -nodes \
@@ -45,3 +46,78 @@ openssl x509 \
    -CAkey ca.key \
    -CAcreateserial \
    -out client.cert
+
+# ECDSA
+openssl ecparam \
+    -name prime256v1 \
+    -genkey \
+    -noout \
+    -out ca-ecdsa.key
+
+openssl req \
+    -new \
+    -key ca-ecdsa.key \
+    -nodes \
+    -days 3650 \
+    -x509 \
+    -out ca-ecdsa.crt \
+    -subj "/CN=*"
+
+openssl ecparam \
+    -name prime256v1 \
+    -genkey \
+    -noout \
+    -out server-ecdsa.key
+
+openssl req \
+    -new \
+    -key server-ecdsa.key \
+    -nodes \
+    -out server-ecdsa.csr \
+    -subj "/OU=TestServer/CN=*"
+
+openssl x509 \
+    -req \
+    -days 3650 \
+    -sha256 \
+    -in server-ecdsa.csr \
+    -CA ca-ecdsa.crt \
+    -CAkey ca-ecdsa.key \
+    -CAcreateserial \
+    -out server-ecdsa.cert \
+    -extfile <(echo subjectAltName = IP:127.0.0.1)
+
+# ED25519
+openssl genpkey \
+    -algorithm ed25519 \
+    -out ca-ed25519.key
+
+openssl req \
+    -new \
+    -key ca-ed25519.key \
+    -nodes \
+    -days 3650 \
+    -x509 \
+    -out ca-ed25519.crt \
+    -subj "/CN=*"
+
+openssl genpkey \
+    -algorithm ed25519 \
+    -out server-ed25519.key
+
+openssl req \
+    -new \
+    -key server-ed25519.key \
+    -nodes \
+    -out server-ed25519.csr \
+    -subj "/OU=TestServer/CN=*"
+
+openssl x509 \
+    -req \
+    -days 3650 \
+    -in server-ed25519.csr \
+    -CA ca-ed25519.crt \
+    -CAkey ca-ed25519.key \
+    -CAcreateserial \
+    -out server-ed25519.cert \
+    -extfile <(echo subjectAltName = IP:127.0.0.1)