Port Models and upgrade to EdDSA Signing (#8)

* Port Models
* EdDSA Signing and Database Models

Author: bbengfort

cmd/bosun/main.go

@@ -0,0 +1,151 @@
+package main
+
+import (
+	"database/sql/driver"
+	"fmt"
+	"log"
+	"os"
+	"time"
+
+	"github.com/joho/godotenv"
+
+	"github.com/urfave/cli/v2"
+	"go.rtnl.ai/quarterdeck/pkg"
+	"go.rtnl.ai/quarterdeck/pkg/auth"
+	"go.rtnl.ai/quarterdeck/pkg/auth/passwords"
+	"go.rtnl.ai/ulid"
+	"go.rtnl.ai/x/vero"
+)
+
+func main() {
+	// If a dotenv file exists, load it for configuration
+	godotenv.Load()
+
+	// Create a multi-command CLI application
+	app := cli.NewApp()
+	app.Name = "bosun"
+	app.Version = pkg.Version(false)
+	app.Usage = "helpers for quarterdeck testing, debugging, and code generation"
+	app.Flags = []cli.Flag{}
+	app.Commands = []*cli.Command{
+		{
+			Name:      "argon2",
+			Usage:     "create a derived key to use as a fixture for testing",
+			Category:  "testing",
+			Action:    derkey,
+			ArgsUsage: "password [password ...]",
+			Flags:     []cli.Flag{},
+		},
+		{
+			Name:     "keypair",
+			Usage:    "create a fake apikey client ID and secret to use as a fixture for testing",
+			Category: "testing",
+			Action:   keypair,
+			Flags:    []cli.Flag{},
+		},
+		{
+			Name:     "mkkey",
+			Usage:    "generate an RSA token key pair and kid (ulid) for JWT token signing",
+			Category: "testing",
+			Action:   mkkey,
+			Flags: []cli.Flag{
+				&cli.StringFlag{
+					Name:    "out",
+					Aliases: []string{"o"},
+					Usage:   "path to write keys out to (optional, will be saved as [kid].pem by default)",
+				},
+				&cli.IntFlag{
+					Name:    "size",
+					Aliases: []string{"s"},
+					Usage:   "number of bits for the generated keys",
+					Value:   4096,
+				},
+			},
+		},
+		{
+			Name:     "vero",
+			Usage:    "generate a vero token serialized as a database input for testing",
+			Category: "testing",
+			Action:   veroToken,
+			Flags:    []cli.Flag{},
+		},
+	}
+
+	if err := app.Run(os.Args); err != nil {
+		log.Fatal(err)
+	}
+}
+
+//===========================================================================
+// Commands
+//===========================================================================
+
+func derkey(c *cli.Context) error {
+	if c.NArg() == 0 {
+		return cli.Exit("specify password(s) to create argon2 derived key(s) from", 1)
+	}
+
+	for i := 0; i < c.NArg(); i++ {
+		pwdk, err := passwords.CreateDerivedKey(c.Args().Get(i))
+		if err != nil {
+			return cli.Exit(err, 1)
+		}
+		fmt.Println(pwdk)
+	}
+
+	return nil
+}
+
+func keypair(c *cli.Context) error {
+	clientID := passwords.ClientID()
+	secret := passwords.ClientSecret()
+	fmt.Printf("%s.%s\n", clientID, secret)
+	return nil
+}
+
+func mkkey(c *cli.Context) (err error) {
+	// Create ULID and determine outpath
+	keyid := ulid.Make()
+
+	var out string
+	if out = c.String("out"); out == "" {
+		out = fmt.Sprintf("%s.pem", keyid)
+	}
+
+	// Generate Signing Key Pair using Signing Key algorithm currently in use.
+	var keypair auth.SigningKey
+	if keypair, err = auth.GenerateKeys(); err != nil {
+		return cli.Exit(err, 1)
+	}
+
+	// Save the keypair to the specified file in PEM format.
+	if err = keypair.Dump(out); err != nil {
+		return cli.Exit(err, 1)
+	}
+
+	fmt.Printf("signing key id: %s -- saved with PEM encoding to %s\n", keyid, out)
+	return nil
+}
+
+func veroToken(c *cli.Context) (err error) {
+	resourceID := ulid.MakeSecure()
+	expiration := time.Now().Add(87600 * time.Hour)
+
+	var token *vero.Token
+	if token, err = vero.New(resourceID[:], expiration); err != nil {
+		return cli.Exit(err, 1)
+	}
+
+	var signature *vero.SignedToken
+	if _, signature, err = token.Sign(); err != nil {
+		return cli.Exit(err, 1)
+	}
+
+	var value driver.Value
+	if value, err = signature.Value(); err != nil {
+		return cli.Exit(err, 1)
+	}
+
+	fmt.Println(value)
+	return nil
+}

cmd/quarterdeck/main.go

@@ -1,10 +1,6 @@
 package main
 
 import (
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/pem"
 	"fmt"
 	"log"
 	"os"
@@ -14,6 +10,7 @@ import (
 	confire "github.com/rotationalio/confire/usage"
 	"github.com/urfave/cli/v2"
 	"go.rtnl.ai/quarterdeck/pkg"
+	"go.rtnl.ai/quarterdeck/pkg/auth"
 	"go.rtnl.ai/quarterdeck/pkg/config"
 	"go.rtnl.ai/quarterdeck/pkg/server"
 	"go.rtnl.ai/ulid"
@@ -53,15 +50,15 @@ func main() {
 			},
 		},
 		{
-			Name:     "tokenkey",
-			Usage:    "generate an RSA token key pair and ksuid for JWT token signing",
+			Name:     "mkkey",
+			Usage:    "generate an RSA token key pair and kid (ulid) for JWT token signing",
 			Category: "utility",
-			Action:   generateTokenKey,
+			Action:   mkkey,
 			Flags: []cli.Flag{
 				&cli.StringFlag{
 					Name:    "out",
 					Aliases: []string{"o"},
-					Usage:   "path to write keys out to (optional, will be saved as ulid.pem by default)",
+					Usage:   "path to write keys out to (optional, will be saved as [kid].pem by default)",
 				},
 				&cli.IntFlag{
 					Name:    "size",
@@ -117,7 +114,7 @@ func usage(c *cli.Context) (err error) {
 	return nil
 }
 
-func generateTokenKey(c *cli.Context) (err error) {
+func mkkey(c *cli.Context) (err error) {
 	// Create ULID and determine outpath
 	keyid := ulid.Make()
 
@@ -126,25 +123,17 @@ func generateTokenKey(c *cli.Context) (err error) {
 		out = fmt.Sprintf("%s.pem", keyid)
 	}
 
-	// Generate RSA keys using crypto random
-	var key *rsa.PrivateKey
-	if key, err = rsa.GenerateKey(rand.Reader, c.Int("size")); err != nil {
+	// Generate Signing Key Pair using Signing Key algorithm currently in use.
+	var keypair auth.SigningKey
+	if keypair, err = auth.GenerateKeys(); err != nil {
 		return cli.Exit(err, 1)
 	}
 
-	// Open file to PEM encode keys to
-	var f *os.File
-	if f, err = os.OpenFile(out, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600); err != nil {
+	// Save the keypair to the specified file in PEM format.
+	if err = keypair.Dump(out); err != nil {
 		return cli.Exit(err, 1)
 	}
 
-	if err = pem.Encode(f, &pem.Block{
-		Type:  "RSA PRIVATE KEY",
-		Bytes: x509.MarshalPKCS1PrivateKey(key),
-	}); err != nil {
-		return cli.Exit(err, 1)
-	}
-
-	fmt.Printf("RSA key id: %s -- saved with PEM encoding to %s\n", keyid, out)
+	fmt.Printf("signing key id: %s -- saved with PEM encoding to %s\n", keyid, out)
 	return nil
 }

go.mod

@@ -15,6 +15,7 @@ require (
 	github.com/urfave/cli/v2 v2.27.7
 	go.rtnl.ai/ulid v1.1.1
 	go.rtnl.ai/x v1.4.0
+	golang.org/x/crypto v0.39.0
 	golang.org/x/text v0.26.0
 )
 
@@ -52,7 +53,6 @@ require (
 	github.com/ugorji/go/codec v1.3.0 // indirect
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
 	golang.org/x/arch v0.18.0 // indirect
-	golang.org/x/crypto v0.39.0 // indirect
 	golang.org/x/net v0.41.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect

pkg/auth/issuer.go

@@ -1,11 +1,10 @@
 package auth
 
 import (
+	"crypto"
 	"crypto/rand"
-	"crypto/rsa"
 	"fmt"
 	"net/url"
-	"os"
 	"sync"
 	"time"
 
@@ -18,7 +17,7 @@ import (
 
 // Global variables that should not be changed except between major versions.
 var (
-	signingMethod = jwt.SigningMethodRS384
+	signingMethod = jwt.SigningMethodEdDSA
 	refreshPath   = "/v1/reauthenticate"
 	entropy       = ulid.Monotonic(rand.Reader, 1000)
 	entropyMu     sync.Mutex
@@ -27,8 +26,8 @@ var (
 type ClaimsIssuer struct {
 	conf            config.AuthConfig
 	keyID           ulid.ULID
-	key             *rsa.PrivateKey
-	publicKeys      map[ulid.ULID]*rsa.PublicKey
+	key             crypto.PrivateKey
+	publicKeys      map[ulid.ULID]crypto.PublicKey
 	refreshAudience string
 }
 
@@ -40,42 +39,39 @@ func NewIssuer(conf config.AuthConfig) (_ *ClaimsIssuer, err error) {
 
 	issuer := &ClaimsIssuer{
 		conf:       conf,
-		publicKeys: make(map[ulid.ULID]*rsa.PublicKey, len(conf.Keys)),
+		publicKeys: make(map[ulid.ULID]crypto.PublicKey, len(conf.Keys)),
 	}
 
-	// Load the specified keys from the filesystem
-	// TODO: support loading keys from a vault or other secure storage.
+	// Load the specified keys from the filesystem.
 	for kid, path := range conf.Keys {
 		var keyID ulid.ULID
 		if keyID, err = ulid.Parse(kid); err != nil {
 			return nil, errors.Fmt("could not parse %s as a key id: %w", kid, err)
 		}
 
-		var data []byte
-		if data, err = os.ReadFile(path); err != nil {
-			return nil, errors.Fmt("could not read %s: %w", path, err)
-		}
-
-		var key *rsa.PrivateKey
-		if key, err = jwt.ParseRSAPrivateKeyFromPEM(data); err != nil {
-			return nil, errors.Fmt("could not parse private key %s: %w", path, err)
+		keypair := &keys{}
+		if err = keypair.Load(path); err != nil {
+			return nil, err
 		}
 
-		issuer.publicKeys[keyID] = &key.PublicKey
+		issuer.publicKeys[keyID] = keypair.PublicKey()
 		if issuer.key == nil || keyID.Time() > issuer.keyID.Time() {
-			issuer.key = key
+			issuer.key = keypair.PrivateKey()
 			issuer.keyID = keyID
 		}
 	}
 
 	// If we have no keys, generate one for use (e.g. for testing or simple deployment)
 	if issuer.key == nil {
-		if issuer.key, err = rsa.GenerateKey(rand.Reader, 4096); err != nil {
+		var keypair SigningKey
+		if keypair, err = GenerateKeys(); err != nil {
 			return nil, err
 		}
 
 		issuer.keyID = ulid.MustNew(ulid.Now(), entropy)
-		issuer.publicKeys[issuer.keyID] = &issuer.key.PublicKey
+		issuer.key = keypair.PrivateKey()
+		issuer.publicKeys[issuer.keyID] = keypair.PublicKey()
+
 		log.Warn().Str("keyID", issuer.keyID.String()).Msg("generated volatile claims issuer rsa key")
 	}
 
@@ -189,7 +185,7 @@ func (tm *ClaimsIssuer) CreateTokens(claims *Claims) (signedAccessToken, signedR
 }
 
 // Keys returns the map of ulid to public key for use externally.
-func (tm *ClaimsIssuer) Keys() map[ulid.ULID]*rsa.PublicKey {
+func (tm *ClaimsIssuer) Keys() map[ulid.ULID]crypto.PublicKey {
 	return tm.publicKeys
 }
 
@@ -210,13 +206,13 @@ func (tm *ClaimsIssuer) RefreshAudience() string {
 	return tm.refreshAudience
 }
 
-// keyFunc is an jwt.KeyFunc that selects the RSA public key from the list of managed
+// keyFunc is an jwt.KeyFunc that selects the public key from the list of managed
 // internal keys based on the kid in the token header. If the kid does not exist an
 // error is returned and the token will not be able to be verified.
 func (tm *ClaimsIssuer) keyFunc(token *jwt.Token) (key interface{}, err error) {
 	// Per JWT security notice: do not forget to validate alg is expected
-	if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
-		return nil, errors.Fmt("unexpected signing method: %v", token.Header["alg"])
+	if token.Method.Alg() != signingMethod.Alg() {
+		return nil, errors.Fmt("unexpected signing method: %v", token.Method.Alg())
 	}
 
 	// Fetch the kid from the header