Conversation
jsnctl
force-pushed
the
jsnctl/wit-bundle
branch
from
08a78d4 to
2940c6b
Compare
| // AddWITAuthority adds a WIT authority to the bundle. If a WIT authority already exists | ||
| // under the given key ID, it is replaced. A key ID must be specified. | ||
| func (b *Bundle) AddWITAuthority(keyID string, witAuthority crypto.PublicKey) error { | ||
| if keyID == "" { |
There was a problem hiding this comment.
The constraint that a keypair must have a kid is interesting - I have raised this for discussion on spiffe/spiffe#327 (comment)
Today, the JWT-SVID/WIT-SVID profiles of the Workload API do not make the kid member of the JWKS mandatory - but it looks like go-spiffe treats it as such. I do think that the behaviour of go-spiffe here is reasonable, but, we should consider at least modifying the WIP WIT-SVID profile to express that the kid member is mandatory.
There was a problem hiding this comment.
Looking at the existing jwtsvid implementation, it also concretely relies on the kid in the FindJWTAuthority call for verification (the corresponding witsvid changes will be in a separate merge)
go-spiffe/svid/jwtsvid/svid.go
Lines 53 to 69 in c03307b
Presumably JWKS usage without a kid in each authority would just require iterating over all available JWKs, so this seems like a nice pattern to maintain here.
As for the spec, you can imagine (less tidy) downstream implementations which use valid JWKS without the kid? Perhaps the opinion of go-spiffe here isn't the only valid consideration?
There was a problem hiding this comment.
Perhaps the opinion of go-spiffe here isn't the only valid consideration?
Perhaps so - although it definitely carries a fair bit of weight in terms of the "real-world" usage of the specification. Today, if a Workload API implementation does not provide the kid member of the trust bundle JWKS, then it looks like go-spiffe/jwtbundle would fail to unmarshal it. Fortunately, I think all "real-world" implementations of the SPIFFE specification are likely to include the kid member.
However, as we're introducing a new profile for WIT, it does seem like a good opportunity to make the spec a little more restrictive if it means that all proper implementations of the spec will be compatible with the SDKs. At the moment the gray area where an implementation could be spec-compliant but not work with go-spiffe seems a little problematic.
arndt-s
left a comment
arndt-s
left a comment
There was a problem hiding this comment.
I started a review last week but got distracted. Publishing my comments so far.
|
|
||
| // Load loads a bundle from a file on disk. The file must contain a standard RFC 7517 JWKS document. | ||
| func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error) { | ||
| bundleBytes, err := os.ReadFile(path) |
There was a problem hiding this comment.
nit: you could use Read() here and supply the file as io.Reader.
There was a problem hiding this comment.
I agree this would be a nicer implementation - do we want to keep things consistent with the methods in the other *bundle implementations though?
go-spiffe/bundle/jwtbundle/bundle.go
Lines 41 to 49 in c03307b
go-spiffe/bundle/x509bundle/bundle.go
Lines 40 to 47 in c03307b
go-spiffe/bundle/spiffebundle/bundle.go
Lines 55 to 64 in c03307b
There was a problem hiding this comment.
I think consistency is likely more important here - that being said - it'd be nice if we did extend the API of all the profiles to include LoadFromReader or similar? and perhaps refactor Load to leverage that under the hood.
There was a problem hiding this comment.
This should ideally be a generic. Curious to get the maintainers POV on this. But maybe something for another day.
jsnctl
force-pushed
the
jsnctl/wit-bundle
branch
from
25c8efc to
029eaa3
Compare
* Note this commit still has JWTs in testdata. These will be replaced with WIMSE-compliant WITs in a later push Signed-off-by: Jason Costello <jason@cofide.io>
Signed-off-by: Jason Costello <jason@cofide.io>
Signed-off-by: Jason Costello <jason@cofide.io>
Signed-off-by: Jason Costello <jason@cofide.io>
Signed-off-by: Jason Costello <jason@cofide.io>
Signed-off-by: Jason Costello <jason@cofide.io>
Signed-off-by: Jason Costello <jason@cofide.io>
jsnctl
force-pushed
the
jsnctl/wit-bundle
branch
from
029eaa3 to
20e33c7
Compare
|
We'd originally said to hold off a merge until spiffe/spiffe#327 was merged (which it is now), do with think that's still applicable here? |
|
Not sure of the best way to stack this, but I've also got a branch based off this diff for the corresponding |
3 participants
implements #365
Opening draft PR ahead of merge of upstream spiffe/spiffe#327 (per discussion here)