loading up the forgejo repo on tangled to test page performance
Merge pull request 'bug: correctly generate oauth2 jwt signing key' (#5986) from gusted/improve-oauth2-jwt into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5986
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
+136
-2
+20
-2
services/auth/source/oauth2/jwtsigningkey.go
+20
-2
services/auth/source/oauth2/jwtsigningkey.go
···
347
347
key, err := func() (any, error) {
348
348
switch {
349
349
case strings.HasPrefix(setting.OAuth2.JWTSigningAlgorithm, "RS"):
350
-
return rsa.GenerateKey(rand.Reader, 4096)
350
+
var bits int
351
+
switch setting.OAuth2.JWTSigningAlgorithm {
352
+
case "RS256":
353
+
bits = 2048
354
+
case "RS384":
355
+
bits = 3072
356
+
case "RS512":
357
+
bits = 4096
358
+
}
359
+
return rsa.GenerateKey(rand.Reader, bits)
351
360
case setting.OAuth2.JWTSigningAlgorithm == "EdDSA":
352
361
_, pk, err := ed25519.GenerateKey(rand.Reader)
353
362
return pk, err
354
363
default:
355
-
return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
364
+
var curve elliptic.Curve
365
+
switch setting.OAuth2.JWTSigningAlgorithm {
366
+
case "ES256":
367
+
curve = elliptic.P256()
368
+
case "ES384":
369
+
curve = elliptic.P384()
370
+
case "ES512":
371
+
curve = elliptic.P521()
372
+
}
373
+
return ecdsa.GenerateKey(curve, rand.Reader)
356
374
}
357
375
}()
358
376
if err != nil {
+116
services/auth/source/oauth2/jwtsigningkey_test.go
+116
services/auth/source/oauth2/jwtsigningkey_test.go
···
1
+
// Copyright 2024 The Forgejo Authors. All rights reserved.
2
+
// SPDX-License-Identifier: GPL-3.0-or-later
3
+
4
+
package oauth2
5
+
6
+
import (
7
+
"crypto/ecdsa"
8
+
"crypto/ed25519"
9
+
"crypto/rsa"
10
+
"crypto/x509"
11
+
"encoding/pem"
12
+
"os"
13
+
"path/filepath"
14
+
"testing"
15
+
16
+
"code.gitea.io/gitea/modules/setting"
17
+
"code.gitea.io/gitea/modules/test"
18
+
19
+
"github.com/stretchr/testify/assert"
20
+
"github.com/stretchr/testify/require"
21
+
)
22
+
23
+
func TestLoadOrCreateAsymmetricKey(t *testing.T) {
24
+
loadKey := func(t *testing.T) any {
25
+
t.Helper()
26
+
loadOrCreateAsymmetricKey()
27
+
28
+
fileContent, err := os.ReadFile(setting.OAuth2.JWTSigningPrivateKeyFile)
29
+
require.NoError(t, err)
30
+
31
+
block, _ := pem.Decode(fileContent)
32
+
assert.NotNil(t, block)
33
+
assert.EqualValues(t, "PRIVATE KEY", block.Type)
34
+
35
+
parsedKey, err := x509.ParsePKCS8PrivateKey(block.Bytes)
36
+
require.NoError(t, err)
37
+
38
+
return parsedKey
39
+
}
40
+
t.Run("RSA-2048", func(t *testing.T) {
41
+
defer test.MockVariableValue(&setting.OAuth2.JWTSigningPrivateKeyFile, filepath.Join(t.TempDir(), "jwt-rsa-2048.priv"))()
42
+
defer test.MockVariableValue(&setting.OAuth2.JWTSigningAlgorithm, "RS256")()
43
+
44
+
parsedKey := loadKey(t)
45
+
46
+
rsaPrivateKey := parsedKey.(*rsa.PrivateKey)
47
+
assert.EqualValues(t, 2048, rsaPrivateKey.N.BitLen())
48
+
49
+
t.Run("Load key with differ specified algorithm", func(t *testing.T) {
50
+
defer test.MockVariableValue(&setting.OAuth2.JWTSigningAlgorithm, "EdDSA")()
51
+
52
+
parsedKey := loadKey(t)
53
+
rsaPrivateKey := parsedKey.(*rsa.PrivateKey)
54
+
assert.EqualValues(t, 2048, rsaPrivateKey.N.BitLen())
55
+
})
56
+
})
57
+
58
+
t.Run("RSA-3072", func(t *testing.T) {
59
+
defer test.MockVariableValue(&setting.OAuth2.JWTSigningPrivateKeyFile, filepath.Join(t.TempDir(), "jwt-rsa-3072.priv"))()
60
+
defer test.MockVariableValue(&setting.OAuth2.JWTSigningAlgorithm, "RS384")()
61
+
62
+
parsedKey := loadKey(t)
63
+
64
+
rsaPrivateKey := parsedKey.(*rsa.PrivateKey)
65
+
assert.EqualValues(t, 3072, rsaPrivateKey.N.BitLen())
66
+
})
67
+
68
+
t.Run("RSA-4096", func(t *testing.T) {
69
+
defer test.MockVariableValue(&setting.OAuth2.JWTSigningPrivateKeyFile, filepath.Join(t.TempDir(), "jwt-rsa-4096.priv"))()
70
+
defer test.MockVariableValue(&setting.OAuth2.JWTSigningAlgorithm, "RS512")()
71
+
72
+
parsedKey := loadKey(t)
73
+
74
+
rsaPrivateKey := parsedKey.(*rsa.PrivateKey)
75
+
assert.EqualValues(t, 4096, rsaPrivateKey.N.BitLen())
76
+
})
77
+
78
+
t.Run("ECDSA-256", func(t *testing.T) {
79
+
defer test.MockVariableValue(&setting.OAuth2.JWTSigningPrivateKeyFile, filepath.Join(t.TempDir(), "jwt-ecdsa-256.priv"))()
80
+
defer test.MockVariableValue(&setting.OAuth2.JWTSigningAlgorithm, "ES256")()
81
+
82
+
parsedKey := loadKey(t)
83
+
84
+
ecdsaPrivateKey := parsedKey.(*ecdsa.PrivateKey)
85
+
assert.EqualValues(t, 256, ecdsaPrivateKey.Params().BitSize)
86
+
})
87
+
88
+
t.Run("ECDSA-384", func(t *testing.T) {
89
+
defer test.MockVariableValue(&setting.OAuth2.JWTSigningPrivateKeyFile, filepath.Join(t.TempDir(), "jwt-ecdsa-384.priv"))()
90
+
defer test.MockVariableValue(&setting.OAuth2.JWTSigningAlgorithm, "ES384")()
91
+
92
+
parsedKey := loadKey(t)
93
+
94
+
ecdsaPrivateKey := parsedKey.(*ecdsa.PrivateKey)
95
+
assert.EqualValues(t, 384, ecdsaPrivateKey.Params().BitSize)
96
+
})
97
+
98
+
t.Run("ECDSA-512", func(t *testing.T) {
99
+
defer test.MockVariableValue(&setting.OAuth2.JWTSigningPrivateKeyFile, filepath.Join(t.TempDir(), "jwt-ecdsa-512.priv"))()
100
+
defer test.MockVariableValue(&setting.OAuth2.JWTSigningAlgorithm, "ES512")()
101
+
102
+
parsedKey := loadKey(t)
103
+
104
+
ecdsaPrivateKey := parsedKey.(*ecdsa.PrivateKey)
105
+
assert.EqualValues(t, 521, ecdsaPrivateKey.Params().BitSize)
106
+
})
107
+
108
+
t.Run("EdDSA", func(t *testing.T) {
109
+
defer test.MockVariableValue(&setting.OAuth2.JWTSigningPrivateKeyFile, filepath.Join(t.TempDir(), "jwt-eddsa.priv"))()
110
+
defer test.MockVariableValue(&setting.OAuth2.JWTSigningAlgorithm, "EdDSA")()
111
+
112
+
parsedKey := loadKey(t)
113
+
114
+
assert.NotNil(t, parsedKey.(ed25519.PrivateKey))
115
+
})
116
+
}