Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow selecting root public key by ID #154

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

seh
Copy link
Contributor

@seh seh commented Dec 17, 2024

In order to more easily accommodate rotating of root private keys when issuing biscuits, allow consumers to choose which root public key to use when verifying the biscuit based on the key ID embedded within it at composition time, if any. Consumers can then accept biscuits signed with several root keys, learning to accept signatures from a rolling set of both older and newer keys.

Introduce the (*Biscuit).AuthorizerFor method as an eventual replacement for the longstanding (*Biscuit).Authorizer method, along with with two new options for supplying either a single public key or a mapping from ID to public key (together with an optional default public key to use when the biscuit in question embeds no root key ID). Alternately, callers may supply a projection function that consumes an optional root key ID.

Fixes #150.

@seh
Copy link
Contributor Author

seh commented Dec 20, 2024

I started using this patch in my project by way of a replace directive in my go.mod file, and find that it works well so far.

@seh
Copy link
Contributor Author

seh commented Dec 23, 2024

Something that's a little odd about this approach: Given that we already merged #151 that exposed the Biscuit.RootKeyID method, a caller already has the information he needs to consider an embedded key ID and choose a root public key before calling on the (*Biscuit).AuthorizerFor method proposed in this patch. We wind up with two different ways to accomplish the same outcome.

@divarvel
Copy link
Contributor

In other libraries (biscuit-rust, biscuit-haskell at least), parsing and signature verification are done at the same time. This makes the library harder to misuse, and in the case of biscuit-haskell, this allows to abort parsing as soon as possible. (It is still possible to parse a biscuit into an UnverifiedBiscuit type for inspection purposes)

I think the go library would benefit from this approach.

@seh
Copy link
Contributor Author

seh commented Dec 23, 2024

I think the go library would benefit from this approach.

If I follow you correctly, in the Go library, rather that having the existing Unmarshal function consume just a byte vector and return a *Biscuit, it would also consume a projection function to select a root public key—like I've proposed in this patch—so that it could do the work that produces an *Authorizer at the same time. Right now, Unmarshal returns an unverified *Biscuit, which is interesting to inspect in some cases, but not yet trustworthy.

In order to more easily accommodate rotating of root private keys when
issuing biscuits, allow consumers to choose which root public key to
use when verifying the biscuit based on the key ID embedded within it
at composition time, if any. Consumers can then accept biscuits signed
with several root keys, learning to accept signatures from a rolling
set of both older and newer keys.

Introduce the "(*Biscuit).AuthorizerFor" method as an eventual
replacement for the longstanding "(*Biscuit).Authorizer" method, along
with with two new options for supplying either a single public key or
a mapping from ID to public key (together with an optional default
public key to use when the biscuit in question embeds no root key
ID). Alternately, callers may supply a projection function that
consumes an optional root key ID.
@seh seh force-pushed the allow-selecting-root-key-by-id branch from 8bf6ea3 to 7b44ee4 Compare January 12, 2025 14:39
@seh
Copy link
Contributor Author

seh commented Jan 12, 2025

I think the go library would benefit from this approach.

I agree, but I'm not sure if you're proposing that as work to follow merging this proposed patch, or something we should pursue now instead of this patch? In other words, do we have any hope of this patch getting merged soon?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

How should authorizers handle key rotation?
2 participants