stacklok / toolhive / 20954959704

58%

Build Type

push

github

Committed by web-flow

Commit Message

Add cryptographic utilities for OAuth authorization server (#3265)

Add the crypto package with utilities for JWT signing key management,
HMAC secret handling with rotation support, and PKCE implementation.

Heavily inspired by code in Ory Hydra. I considered using their code
direclty, but being outside fosite it's not considered stable.

So far this code is unused, just tested, but these utilities will be consumed by:
- runconfig.BuildConfig() to load keys from CLI flags
- server.NewOAuth2Provider() to configure fosite with signing keys
- OAuth flow handlers for PKCE validation and upstream IDP redirects

Key loading (keys.go):
- LoadSigningKey: Load private keys from PEM files (RSA PKCS1/PKCS8,
  ECDSA SEC1/PKCS8, Ed25519 PKCS8) with RSA minimum 2048-bit validation
- DeriveKeyID: Compute RFC 7638 JWK Thumbprint for stable key identifiers
- DeriveAlgorithm: Auto-detect signing algorithm from key type
  (RS256, ES256/384/512, EdDSA)
- ValidateAlgorithmForKey: Validate algorithm compatibility with key type
- DeriveSigningKeyParams: Orchestrate key parameter derivation/validation

HMAC secret management (keys.go):
- LoadHMACSecrets: Load secrets with rotation support for zero-downtime
  rotation. paths[0] is the current signing secret, paths[1:] are
  rotated verification-only secrets. Integrates with fosite's
  GlobalSecret/RotatedGlobalSecrets interfaces.

PKCE (pkce.go):
- GeneratePKCEVerifier: Generate RFC 7636 code_verifier (32 bytes,
  base64url encoded)
- ComputePKCEChallenge: Compute S256 code_challenge from verifier

Run Details

141 of 161 new or added lines in 2 files covered. (87.58%)

41 existing lines in 4 files now uncovered.

34281 of 59136 relevant lines covered (57.97%)

80.81 hits per line