serviceaccounts: Add JWT KeyIDs to tokens

This commit fills out the JWT "kid" (KeyID) field on most
serviceaccount tokens we create.  The KeyID value we use is derived
from the public key of keypair that backs the cluster's OIDC issuer.

OIDC verifiers use the KeyID to smoothly cope with key rotations:

  * During a rotation, the verifier will have multiple keys cached
    from the issuer, any of which could have signed the token being
    verified.  KeyIDs let the verifier pick the appropriate key
    without having to try each one.

  * Seeing a new KeyID is a trigger for the verifier to invalidate its
    cached keys and fetch the new set of valid keys from the identity
    provider.

The value we use for the KeyID is derived from the identity provider's
public key by serializing it in DER format, taking the SHA256 hash,
and then urlsafe base64-encoding it.  This gives a value that is
strongly bound to the key, but can't be reversed to obtain the public
key, which keeps people from being tempted to derive the key from the
key ID and using that for verification.

Tokens based on jose OpaqueSigners are omitted for now --- I don't see
any way to actually run the API server that results in an OpaqueSigner
being used.
This commit is contained in:
Taahir Ahmed 2019-05-29 13:44:45 -07:00
parent 8b4fd4104d
commit b4e99584ce
3 changed files with 161 additions and 20 deletions

View File

@ -60,6 +60,7 @@ go_test(
"//staging/src/k8s.io/client-go/listers/core/v1:go_default_library",
"//staging/src/k8s.io/client-go/tools/cache:go_default_library",
"//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
"//vendor/gopkg.in/square/go-jose.v2:go_default_library",
"//vendor/gopkg.in/square/go-jose.v2/jwt:go_default_library",
],
)

View File

@ -18,9 +18,11 @@ package serviceaccount
import (
"context"
"crypto"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rsa"
"crypto/x509"
"encoding/base64"
"encoding/json"
"fmt"
@ -29,7 +31,7 @@ import (
jose "gopkg.in/square/go-jose.v2"
"gopkg.in/square/go-jose.v2/jwt"
"k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apiserver/pkg/authentication/authenticator"
)
@ -53,43 +55,148 @@ type TokenGenerator interface {
// JWTTokenGenerator returns a TokenGenerator that generates signed JWT tokens, using the given privateKey.
// privateKey is a PEM-encoded byte array of a private RSA key.
// JWTTokenAuthenticator()
func JWTTokenGenerator(iss string, privateKey interface{}) (TokenGenerator, error) {
var alg jose.SignatureAlgorithm
var signer jose.Signer
var err error
switch pk := privateKey.(type) {
case *rsa.PrivateKey:
alg = jose.RS256
signer, err = signerFromRSAPrivateKey(pk)
if err != nil {
return nil, fmt.Errorf("could not generate signer for RSA keypair: %v", err)
}
case *ecdsa.PrivateKey:
switch pk.Curve {
case elliptic.P256():
alg = jose.ES256
case elliptic.P384():
alg = jose.ES384
case elliptic.P521():
alg = jose.ES512
default:
return nil, fmt.Errorf("unknown private key curve, must be 256, 384, or 521")
signer, err = signerFromECDSAPrivateKey(pk)
if err != nil {
return nil, fmt.Errorf("could not generate signer for ECDSA keypair: %v", err)
}
case jose.OpaqueSigner:
alg = jose.SignatureAlgorithm(pk.Public().Algorithm)
signer, err = signerFromOpaqueSigner(pk)
if err != nil {
return nil, fmt.Errorf("could not generate signer for OpaqueSigner: %v", err)
}
default:
return nil, fmt.Errorf("unknown private key type %T, must be *rsa.PrivateKey, *ecdsa.PrivateKey, or jose.OpaqueSigner", privateKey)
}
return &jwtTokenGenerator{
iss: iss,
signer: signer,
}, nil
}
// keyIDFromPublicKey derives a key ID non-reversibly from a public key.
//
// The Key ID is field on a given on JWTs and JWKs that help relying parties
// pick the correct key for verification when the identity party advertises
// multiple keys.
//
// Making the derivation non-reversible makes it impossible for someone to
// accidentally obtain the real key from the key ID and use it for token
// validation.
func keyIDFromPublicKey(publicKey interface{}) (string, error) {
publicKeyDERBytes, err := x509.MarshalPKIXPublicKey(publicKey)
if err != nil {
return "", fmt.Errorf("failed to serialize public key to DER format: %v", err)
}
hasher := crypto.SHA256.New()
hasher.Write(publicKeyDERBytes)
publicKeyDERHash := hasher.Sum(nil)
keyID := base64.RawURLEncoding.EncodeToString(publicKeyDERHash)
return keyID, nil
}
func signerFromRSAPrivateKey(keyPair *rsa.PrivateKey) (jose.Signer, error) {
keyID, err := keyIDFromPublicKey(&keyPair.PublicKey)
if err != nil {
return nil, fmt.Errorf("failed to derive keyID: %v", err)
}
// Wrap the RSA keypair in a JOSE JWK with the designated key ID.
privateJWK := &jose.JSONWebKey{
Algorithm: string(jose.RS256),
Key: keyPair,
KeyID: keyID,
Use: "sig",
}
signer, err := jose.NewSigner(
jose.SigningKey{
Algorithm: jose.RS256,
Key: privateJWK,
},
nil,
)
if err != nil {
return nil, fmt.Errorf("failed to create signer: %v", err)
}
return signer, nil
}
func signerFromECDSAPrivateKey(keyPair *ecdsa.PrivateKey) (jose.Signer, error) {
var alg jose.SignatureAlgorithm
switch keyPair.Curve {
case elliptic.P256():
alg = jose.ES256
case elliptic.P384():
alg = jose.ES384
case elliptic.P521():
alg = jose.ES512
default:
return nil, fmt.Errorf("unknown private key curve, must be 256, 384, or 521")
}
keyID, err := keyIDFromPublicKey(&keyPair.PublicKey)
if err != nil {
return nil, fmt.Errorf("failed to derive keyID: %v", err)
}
// Wrap the ECDSA keypair in a JOSE JWK with the designated key ID.
privateJWK := &jose.JSONWebKey{
Algorithm: string(alg),
Key: keyPair,
KeyID: keyID,
Use: "sig",
}
signer, err := jose.NewSigner(
jose.SigningKey{
Algorithm: alg,
Key: privateKey,
Key: privateJWK,
},
nil,
)
if err != nil {
return nil, err
return nil, fmt.Errorf("failed to create signer: %v", err)
}
return &jwtTokenGenerator{
iss: iss,
signer: signer,
}, nil
return signer, nil
}
func signerFromOpaqueSigner(opaqueSigner jose.OpaqueSigner) (jose.Signer, error) {
alg := jose.SignatureAlgorithm(opaqueSigner.Public().Algorithm)
signer, err := jose.NewSigner(
jose.SigningKey{
Algorithm: alg,
Key: &jose.JSONWebKey{
Algorithm: string(alg),
Key: opaqueSigner,
KeyID: opaqueSigner.Public().KeyID,
Use: "sig",
},
},
nil,
)
if err != nil {
return nil, fmt.Errorf("failed to create signer: %v", err)
}
return signer, nil
}
type jwtTokenGenerator struct {
@ -155,6 +262,7 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(ctx context.Context, tokenData
public := &jwt.Claims{}
private := j.validator.NewPrivateClaims()
// TODO: Pick the key that has the same key ID as `tok`, if one exists.
var (
found bool
errlist []error

View File

@ -22,6 +22,8 @@ import (
"strings"
"testing"
jose "gopkg.in/square/go-jose.v2"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apiserver/pkg/authentication/authenticator"
@ -55,6 +57,13 @@ WwIDAQAB
-----END PUBLIC KEY-----
`
// Obtained by:
//
// 1. Serializing rsaPublicKey as DER
// 2. Taking the SHA256 of the DER bytes
// 3. URLSafe Base64-encoding the sha bytes
const rsaKeyID = "JHJehTTTZlsspKHT-GaJxK7Kd1NQgZJu3fyK6K_QDYU"
const rsaPrivateKey = `-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA249XwEo9k4tM8fMxV7zxOhcrP+WvXn917koM5Qr2ZXs4vo26
e4ytdlrV0bQ9SlcLpQVSYjIxNfhTZdDt+ecIzshKuv1gKIxbbLQMOuK1eA/4HALy
@ -97,6 +106,13 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEH6cuzP8XuD5wal6wf9M6xDljTOPL
X2i8uIp/C/ASqiIGUeeKQtX0/IR3qCXyThP/dbCiHrF3v1cuhBOHY8CLVg==
-----END PUBLIC KEY-----`
// Obtained by:
//
// 1. Serializing ecdsaPublicKey as DER
// 2. Taking the SHA256 of the DER bytes
// 3. URLSafe Base64-encoding the sha bytes
const ecdsaKeyID = "SoABiieYuNx4UdqYvZRVeuC6SihxgLrhLy9peHMHpTc"
func getPrivateKey(data string) interface{} {
key, _ := keyutil.ParsePrivateKeyPEM([]byte(data))
return key
@ -106,6 +122,7 @@ func getPublicKey(data string) interface{} {
keys, _ := keyutil.ParsePublicKeysPEM([]byte(data))
return keys[0]
}
func TestTokenGenerateAndValidate(t *testing.T) {
expectedUserName := "system:serviceaccount:test:my-service-account"
expectedUserUID := "12345"
@ -147,6 +164,8 @@ func TestTokenGenerateAndValidate(t *testing.T) {
"token": []byte(rsaToken),
}
checkJSONWebSignatureHasKeyID(t, rsaToken, rsaKeyID)
// Generate the ECDSA token
ecdsaGenerator, err := serviceaccount.JWTTokenGenerator(serviceaccount.LegacyIssuer, getPrivateKey(ecdsaPrivateKey))
if err != nil {
@ -163,6 +182,8 @@ func TestTokenGenerateAndValidate(t *testing.T) {
"token": []byte(ecdsaToken),
}
checkJSONWebSignatureHasKeyID(t, ecdsaToken, ecdsaKeyID)
// Generate signer with same keys as RSA signer but different issuer
badIssuerGenerator, err := serviceaccount.JWTTokenGenerator("foo", getPrivateKey(rsaPrivateKey))
if err != nil {
@ -331,6 +352,17 @@ func TestTokenGenerateAndValidate(t *testing.T) {
}
}
func checkJSONWebSignatureHasKeyID(t *testing.T, jwsString string, expectedKeyID string) {
jws, err := jose.ParseSigned(jwsString)
if err != nil {
t.Fatalf("Error checking for key ID: couldn't parse token: %v", err)
}
if jws.Signatures[0].Header.KeyID != expectedKeyID {
t.Errorf("Token %q has the wrong KeyID (got %q, want %q)", jwsString, jws.Signatures[0].Header.KeyID, expectedKeyID)
}
}
func newIndexer(get func(namespace, name string) (interface{}, error)) cache.Indexer {
return &fakeIndexer{get: get}
}