DEV Community

ElioenaiFerrari
ElioenaiFerrari

Posted on

Rotation keys in Golang

#go #security #cryptography

The idea here is to rotate the ed25519 keys for the signatures of our tokens. In this way we achieve greater security and unpredictability with asymmetric signature.

First, let's assemble our containers.

// Dockerfile
FROM golang:1.20-alpine

WORKDIR /app
COPY go.* .
RUN go mod tidy
COPY . .
RUN go build -buildvcs=false -ldflags '-s -w' -o ./bin ./cmd/guardian

EXPOSE 4000

CMD [ "./bin/guardian" ]
Enter fullscreen mode Exit fullscreen mode 
// docker-compose.yml
version: '3'

networks:
  guardian:
    driver: bridge

services:
  cache:
    image: redis:7.0-alpine
    hostname: cache.guardian.local
    restart: always
    ports:
      - '6379:6379'
    networks:
      - guardian
  app:
    platform: linux/amd64
    build: .
    hostname: app.guardian.local
    depends_on:
      - cache
    networks:
      - guardian
    ports:
      - 4000:4000
Enter fullscreen mode Exit fullscreen mode

The key server module will be responsible for setting the last key id, generating the tokens with the last generated key, and rotating the keys in the given interval.
The kid is the identifier of the key in question. Every time we generate a token we will use the last key stored in redis. Our ks.Start() worker in the main file will rotate keys every 5 minutes.

// internal/key-server/key-server.go
package keyserver

import (
    "context"
    "crypto/ed25519"
    "crypto/rand"
    "crypto/x509"
    "errors"
    "time"

    "github.com/golang-jwt/jwt"
    gonanoid "github.com/matoous/go-nanoid/v2"
    "github.com/redis/go-redis/v9"
)

type KeyServer struct {
    cache *redis.Client
}

func New(cache *redis.Client) *KeyServer {
    return &KeyServer{
        cache: cache,
    }
}

func (ks *KeyServer) NewSignedToken(ctx context.Context, data map[string]interface{}) (string, jwt.Claims, error) {
    lastKID, err := ks.GetLastKID(ctx)
    if err != nil {
        return "", nil, err
    }

    lastKey, err := ks.GetKeyByKID(ctx, lastKID)
    if err != nil {
        return "", nil, err
    }

    claims := jwt.MapClaims{
        "exp": time.Now().Add(15 * time.Minute).Unix(),
        "iss": "guardian",
        "kid": lastKID,
        "dat": data,
    }
    token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims)
    signedToken, err := token.SignedString(lastKey)

    return signedToken, claims, err
}

func (ks *KeyServer) DecodeSignedToken(ctx context.Context, signedToken string) (*jwt.Token, jwt.Claims, error) {
    claims := jwt.MapClaims{}
    token, err := jwt.ParseWithClaims(signedToken, &claims, func(t *jwt.Token) (interface{}, error) {
        claims, ok := t.Claims.(*jwt.MapClaims)
        if !ok {
            return nil, errors.New("invalid token")
        }

        key, err := ks.GetKeyByKID(ctx, (*claims)["kid"].(string))
        if err != nil {
            return nil, err
        }

        return key.Public(), nil
    })

    if err != nil {
        return nil, nil, err
    }

    return token, claims, nil
}

func (ks *KeyServer) SetLastKID(ctx context.Context, kid string) error {
    return ks.cache.Set(ctx, "last-kid", kid, time.Minute*15).Err()
}

func (ks *KeyServer) SetLastKey(ctx context.Context, kid string, pvk ed25519.PrivateKey) error {
    b, err := x509.MarshalPKCS8PrivateKey(pvk)
    if err != nil {
        return err
    }

    if err := ks.cache.Set(ctx, kid, b, time.Minute*15).Err(); err != nil {
        return err
    }

    return nil
}

func (ks *KeyServer) GetKeyByKID(ctx context.Context, kid string) (ed25519.PrivateKey, error) {
    key, err := ks.cache.Get(ctx, kid).Result()
    if err != nil {
        return nil, err
    }

    pvk, err := x509.ParsePKCS8PrivateKey([]byte(key))
    if err != nil {
        return nil, err
    }

    return pvk.(ed25519.PrivateKey), nil
}

func (ks *KeyServer) GetLastKID(ctx context.Context) (string, error) {
    lastKID, err := ks.cache.Get(ctx, "last-kid").Result()
    if err != nil {
        return "", err
    }

    return lastKID, nil
}

func (ks *KeyServer) Rotate(ctx context.Context) error {
    kid, err := gonanoid.New(8)
    if err != nil {
        return err
    }

    _, pvk, err := ed25519.GenerateKey(rand.Reader)
    if err != nil {
        return err
    }

    if err := ks.SetLastKID(ctx, kid); err != nil {
        return err
    }

    if err := ks.SetLastKey(ctx, kid, pvk); err != nil {
        return err
    }

    return nil
}

func (ks *KeyServer) Start(ctx context.Context) error {
    ks.Rotate(ctx)

    for range time.Tick(time.Minute * 5) {
        ks.Rotate(ctx)
    }

    return nil
}
Enter fullscreen mode Exit fullscreen mode

The POST /api/v1/tokens route will generate a token with the claims defined in the body sent (JSON). And the GET /api/v1/tokens route will only act as a validator for us to test our tokens.
The token is signed with a private ed2559 key and validated with the public key of that same key.

// cmd/guardian/main.go
package main

import (
    "context"
    "log"
    "net/http"

    keyserver "github.com/ElioenaiFerrari/guardian/internal/key-server"
    "github.com/gofiber/fiber/v2"
    "github.com/gofiber/fiber/v2/middleware/cors"
    "github.com/gofiber/fiber/v2/middleware/logger"
    "github.com/gofiber/fiber/v2/middleware/recover"
    "github.com/redis/go-redis/v9"
)

func main() {
    cache := redis.NewClient(&redis.Options{
        Addr:     "cache.guardian.local:6379",
        DB:       0,
        Password: "",
    })
    ks := keyserver.New(cache)
    ctx := context.Background()

    go ks.Start(ctx)

    app := fiber.New()
    app.Use(logger.New())
    app.Use(recover.New())
    app.Use(cors.New())

    v1 := app.Group("/api/v1")
    v1.Post("/tokens", func(c *fiber.Ctx) error {
        var data map[string]interface{}

        if err := c.BodyParser(&data); err != nil {
            return fiber.NewError(http.StatusBadRequest, err.Error())
        }

        token, claims, err := ks.NewSignedToken(ctx, data)
        if err != nil {
            return fiber.NewError(http.StatusInternalServerError, err.Error())
        }

        return c.Status(http.StatusCreated).JSON(fiber.Map{
            "token":  token,
            "claims": claims,
        })
    })

    v1.Get("/tokens", func(c *fiber.Ctx) error {
        signedToken := c.Get("Authorization")
        if signedToken == "" {
            return fiber.NewError(http.StatusUnauthorized, "unauthorized")
        }

        token, claims, err := ks.DecodeSignedToken(ctx, signedToken)
        if err != nil {
            return fiber.NewError(http.StatusUnauthorized, err.Error())
        }

        return c.Status(http.StatusCreated).JSON(fiber.Map{
            "token":  token,
            "claims": claims,
        })
    })

    log.Fatal(app.Listen(":4000"))
}
Enter fullscreen mode Exit fullscreen mode

Let's start our server.

docker-compose up --build
Enter fullscreen mode Exit fullscreen mode

Examples:

  • POST request 
curl --location 'http://localhost:4000/api/v1/tokens' \
--header 'Content-Type: application/json' \
--data '{
    "sub": "123123123"
}'
Enter fullscreen mode Exit fullscreen mode
  • POST response 
{
    "claims": {
        "dat": {
            "sub": "123123123"
        },
        "exp": 1678807427,
        "iss": "guardian",
        "kid": "rwqgN9dI"
    },
    "token": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJkYXQiOnsic3ViIjoiMTIzMTIzMTIzIn0sImV4cCI6MTY3ODgwNzQyNywiaXNzIjoiZ3VhcmRpYW4iLCJraWQiOiJyd3FnTjlkSSJ9.8yUZ-0XSZk5UMITSUZLX2SXIs5MIIXCID4X4IBxWy_N9WHXCBk0v6o0urB5r7Sr8vz7T_Z_2JVsNU4j681PMAw"
}
Enter fullscreen mode Exit fullscreen mode
  • GET request 
curl --location 'http://localhost:4000/api/v1/tokens' \
--header 'Authorization: eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJkYXQiOnsic3ViIjoiMTIzMTIzMTIzIn0sImV4cCI6MTY3ODgwNzQyNywiaXNzIjoiZ3VhcmRpYW4iLCJraWQiOiJyd3FnTjlkSSJ9.8yUZ-0XSZk5UMITSUZLX2SXIs5MIIXCID4X4IBxWy_N9WHXCBk0v6o0urB5r7Sr8vz7T_Z_2JVsNU4j681PMAw'
Enter fullscreen mode Exit fullscreen mode
  • GET response 
{
    "claims": {
        "dat": {
            "sub": "123123123"
        },
        "exp": 1678807427,
        "iss": "guardian",
        "kid": "rwqgN9dI"
    },
    "token": {
        "Raw": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJkYXQiOnsic3ViIjoiMTIzMTIzMTIzIn0sImV4cCI6MTY3ODgwNzQyNywiaXNzIjoiZ3VhcmRpYW4iLCJraWQiOiJyd3FnTjlkSSJ9.8yUZ-0XSZk5UMITSUZLX2SXIs5MIIXCID4X4IBxWy_N9WHXCBk0v6o0urB5r7Sr8vz7T_Z_2JVsNU4j681PMAw",
        "Method": {},
        "Header": {
            "alg": "EdDSA",
            "typ": "JWT"
        },
        "Claims": {
            "dat": {
                "sub": "123123123"
            },
            "exp": 1678807427,
            "iss": "guardian",
            "kid": "rwqgN9dI"
        },
        "Signature": "8yUZ-0XSZk5UMITSUZLX2SXIs5MIIXCID4X4IBxWy_N9WHXCBk0v6o0urB5r7Sr8vz7T_Z_2JVsNU4j681PMAw",
        "Valid": true
    }
}
Enter fullscreen mode Exit fullscreen mode

Give me a star in repository and contribute to our group. Also look at my portfolio.

Top comments (0)

Read next

jrthreadgill profile image

Creating Passkey Authentication in a Rails 7 Application

Royce Threadgill -

shrihariharidass profile image

Terraform & HashiCorp Vault Integration: Seamless Secrets Management

Shrihari Haridass -

schalkneethling profile image

7 Frameworks, One SAML Jackson - Your Open Source Single Sign-On Solution

Schalk Neethling -

logeshn21 profile image

COMMON VULNERABILITIES: REENTRANCY PART — I

Logesh N -