fix: no longer use separate public and private keys in HSM key manager (#3401)

aarmam · web-flow · commit 375bd5a69c0e · 2023-03-02T14:03:36.000+01:00
diff --git a/hsm/manager_hsm.go b/hsm/manager_hsm.go
@@ -187,7 +187,7 @@ func (m *KeyManager) GetKeySet(ctx context.Context, set string) (*jose.JSONWebKe
 }
 
 func (m *KeyManager) DeleteKey(ctx context.Context, set, kid string) error {
-	ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "hsm.GetKeySet")
+	ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "hsm.DeleteKey")
 	defer span.End()
 	attrs := map[string]string{
 		"set": set,
@@ -217,7 +217,7 @@ func (m *KeyManager) DeleteKey(ctx context.Context, set, kid string) error {
 }
 
 func (m *KeyManager) DeleteKeySet(ctx context.Context, set string) error {
-	ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "hsm.GetKeySet")
+	ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "hsm.DeleteKeySet")
 	defer span.End()
 	attrs := map[string]string{
 		"set": set,
@@ -361,14 +361,6 @@ func createKeys(key crypto11.Signer, kid, alg, use string) []jose.JSONWebKey {
 		Certificates:                []*x509.Certificate{},
 		CertificateThumbprintSHA1:   []uint8{},
 		CertificateThumbprintSHA256: []uint8{},
-	}, {
-		Algorithm:                   alg,
-		Use:                         use,
-		Key:                         key.Public(),
-		KeyID:                       kid,
-		Certificates:                []*x509.Certificate{},
-		CertificateThumbprintSHA1:   []uint8{},
-		CertificateThumbprintSHA256: []uint8{},
 	}}
 }
 
diff --git a/hsm/manager_hsm_test.go b/hsm/manager_hsm_test.go
@@ -883,13 +883,5 @@ func createJSONWebKeys(keyPair *MockSignerDecrypter, kid string, alg string, use
 		Certificates:                []*x509.Certificate{},
 		CertificateThumbprintSHA1:   []uint8{},
 		CertificateThumbprintSHA256: []uint8{},
-	}, {
-		Algorithm:                   alg,
-		Use:                         use,
-		Key:                         keyPair.Public(),
-		KeyID:                       kid,
-		Certificates:                []*x509.Certificate{},
-		CertificateThumbprintSHA1:   []uint8{},
-		CertificateThumbprintSHA256: []uint8{},
 	}}
 }
diff --git a/jwk/handler_test.go b/jwk/handler_test.go
@@ -83,11 +83,7 @@ func TestHandlerWellKnown(t *testing.T) {
 		var known jose.JSONWebKeySet
 		err = json.NewDecoder(res.Body).Decode(&known)
 		require.NoError(t, err, "problem in decoding response")
-		if conf.HSMEnabled() {
-			require.Len(t, known.Keys, 2)
-		} else {
-			require.Len(t, known.Keys, 1)
-		}
+		require.Len(t, known.Keys, 1)
 
 		knownKey := known.Key("test-id-2")[0]
 		require.NotNil(t, knownKey, "Could not find key public")
diff --git a/jwk/helper.go b/jwk/helper.go
@@ -119,9 +119,11 @@ func ExcludePrivateKeys(set *jose.JSONWebKeySet) *jose.JSONWebKeySet {
 
 func ExcludeOpaquePrivateKeys(set *jose.JSONWebKeySet) *jose.JSONWebKeySet {
 	keys := new(jose.JSONWebKeySet)
-	for _, k := range set.Keys {
-		if _, opaque := k.Key.(jose.OpaqueSigner); !opaque {
-			keys.Keys = append(keys.Keys, k)
+	for i := range set.Keys {
+		if _, opaque := set.Keys[i].Key.(jose.OpaqueSigner); opaque {
+			keys.Keys = append(keys.Keys, josex.ToPublicKey(&set.Keys[i]))
+		} else {
+			keys.Keys = append(keys.Keys, set.Keys[i])
 		}
 	}
 	return keys
diff --git a/jwk/helper_test.go b/jwk/helper_test.go
@@ -189,8 +189,13 @@ func TestExcludeOpaquePrivateKeys(t *testing.T) {
 	assert.NoError(t, err)
 	require.Len(t, opaqueKeys.Keys, 1)
 	opaqueKeys.Keys[0].Key = cryptosigner.Opaque(opaqueKeys.Keys[0].Key.(*rsa.PrivateKey))
+
 	keys := jwk.ExcludeOpaquePrivateKeys(opaqueKeys)
-	require.Len(t, keys.Keys, 0)
+
+	require.Len(t, keys.Keys, 1)
+	k := keys.Keys[0]
+	_, isPublic := k.Key.(*rsa.PublicKey)
+	assert.True(t, isPublic)
 }
 
 func TestGetOrGenerateKeys(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -119,9 +119,11 @@ func ExcludePrivateKeys(set jose.JSONWebKeySet) jose.JSONWebKeySet {`
`119`	`119`
`120`	`120`	`func ExcludeOpaquePrivateKeys(set jose.JSONWebKeySet) jose.JSONWebKeySet {`
`121`	`121`	`keys := new(jose.JSONWebKeySet)`
`122`		`- for _, k := range set.Keys {`
`123`		`- if _, opaque := k.Key.(jose.OpaqueSigner); !opaque {`
`124`		`- keys.Keys = append(keys.Keys, k)`
	`122`	`+ for i := range set.Keys {`
	`123`	`+ if _, opaque := set.Keys[i].Key.(jose.OpaqueSigner); opaque {`
	`124`	`+ keys.Keys = append(keys.Keys, josex.ToPublicKey(&set.Keys[i]))`
	`125`	`+ } else {`
	`126`	`+ keys.Keys = append(keys.Keys, set.Keys[i])`
`125`	`127`	`}`
`126`	`128`	`}`
`127`	`129`	`return keys`