2fas-server/internal/pass/sign/lib.go

package sign

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/x509"
	"fmt"

	"github.com/aws/aws-sdk-go/service/kms"
	"github.com/golang-jwt/jwt/v5"
)

const (
	awsKeySpec          = "ECC_NIST_P256"
	awsSigningAlgorithm = "ECDSA_SHA_256"
	jwtSigningAlgorithm = "ES256"

	// since we control both signature and verification, and we always use the same
	// algorithm, jwt header part (first segment) is always the same.
	// we can skip it (as in not send it) to save bytes in QR code.
	// note: header has only key type, not key id.
	jwtHeader = "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9."
)

type Service struct {
	publicKey     *ecdsa.PublicKey
	signingMethod jwt.SigningMethod
}

func NewService(keyID string, client *kms.KMS) (*Service, error) {
	resp, err := client.GetPublicKey(&kms.GetPublicKeyInput{
		KeyId: &keyID,
	})
	if err != nil {
		return nil, fmt.Errorf("failed to fetch key for %q: %w", keyID, err)
	}
	if *resp.KeySpec != awsKeySpec {
		return nil, fmt.Errorf("the only supported key spec is %q, received: %q", awsKeySpec, *resp.KeySpec)
	}

	key, err := x509.ParsePKIXPublicKey(resp.PublicKey)
	if err != nil {
		return nil, fmt.Errorf("failed to parse response from KMSas public key: %w", err)
	}

	return &Service{
		publicKey: key.(*ecdsa.PublicKey),
		signingMethod: kmsSigningMethod{
			client: client,
			keyID:  keyID,
			hash:   crypto.SHA256,
		},
	}, nil
}

type ConnectionType string

const (
	ConnectionTypeBrowserExtensionWait  ConnectionType = "be/wait"
	ConnectionTypeBrowserExtensionProxy ConnectionType = "be/proxy"
	ConnectionTypeMobileProxy           ConnectionType = "mobile/proxy"
	ConnectionTypeMobileConfirm         ConnectionType = "mobile/confirm"
)
feat(pass): tokens (#24) feat(pass): tokens Add token signing and verification to be used by pass. 2024-01-19 15:34:02 +01:00			`package sign`

			`import (`
			`"crypto"`
			`"crypto/ecdsa"`
			`"crypto/x509"`
			`"fmt"`

			`"github.com/aws/aws-sdk-go/service/kms"`
			`"github.com/golang-jwt/jwt/v5"`
			`)`

			`const (`
			`awsKeySpec = "ECC_NIST_P256"`
			`awsSigningAlgorithm = "ECDSA_SHA_256"`
			`jwtSigningAlgorithm = "ES256"`

			`// since we control both signature and verification, and we always use the same`
			`// algorithm, jwt header part (first segment) is always the same.`
			`// we can skip it (as in not send it) to save bytes in QR code.`
			`// note: header has only key type, not key id.`
			`jwtHeader = "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9."`
			`)`

			`type Service struct {`
			`publicKey *ecdsa.PublicKey`
			`signingMethod jwt.SigningMethod`
			`}`

			`func NewService(keyID string, client kms.KMS) (Service, error) {`
			`resp, err := client.GetPublicKey(&kms.GetPublicKeyInput{`
			`KeyId: &keyID,`
			`})`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to fetch key for %q: %w", keyID, err)`
			`}`
			`if *resp.KeySpec != awsKeySpec {`
			`return nil, fmt.Errorf("the only supported key spec is %q, received: %q", awsKeySpec, *resp.KeySpec)`
			`}`

			`key, err := x509.ParsePKIXPublicKey(resp.PublicKey)`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to parse response from KMSas public key: %w", err)`
			`}`

			`return &Service{`
			`publicKey: key.(*ecdsa.PublicKey),`
			`signingMethod: kmsSigningMethod{`
			`client: client,`
			`keyID: keyID,`
			`hash: crypto.SHA256,`
			`},`
			`}, nil`
			`}`

			`type ConnectionType string`

			`const (`
			`ConnectionTypeBrowserExtensionWait ConnectionType = "be/wait"`
			`ConnectionTypeBrowserExtensionProxy ConnectionType = "be/proxy"`
			`ConnectionTypeMobileProxy ConnectionType = "mobile/proxy"`
feat: connect pass with kms (#29) 2024-01-24 20:57:31 +01:00			`ConnectionTypeMobileConfirm ConnectionType = "mobile/confirm"`
feat(pass): tokens (#24) feat(pass): tokens Add token signing and verification to be used by pass. 2024-01-19 15:34:02 +01:00			`)`