Ability to use Google Key Management System MAC feature for signing JWT

[rnadhani-ns]

Hello,

This is an extension of: #556, I would like to use Google KMS digital signature feature for signing my JWT: https://cloud.google.com/kms/docs/create-validate-mac-signatures

I tried to follow: https://github.com/jwx-go/crypto-signer/tree/main/gcp and was trying to find out what interface I have to implement to be able to do it.

Something like:

type Signer struct {
	client *kms.KeyManagementClient
	ctx    context.Context
	name   string
}

// WithContext associates a new context.Context with the object, which will be used for Sign() and Public()
func (cs *Signer) WithContext(v context.Context) *Signer {
	return &Signer{
		client: cs.client,
		ctx:    v,
		name:   cs.name,
	}
}

// WithName associates a new string with the object, which will be used for Sign() and Public()
func (cs *Signer) WithName(v string) *Signer {
	return &Signer{
		client: cs.client,
		ctx:    cs.ctx,
		name:   v,
	}
}

func New(client *kms.KeyManagementClient) *Signer {
	return &Signer{
		client: client,
	}
}

func (sv *Signer) getContext() context.Context {
	ctx := sv.ctx
	if ctx == nil {
		ctx = context.Background()
	}
	return ctx
}

func main()  {
	key := []byte("secret key")
	_ = key
	data := []byte("lorem ipsum")

	// Create the client.
	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		log.Fatalf("failed to setup client: %v", err)
	}
	defer client.Close()

	s := New(client).WithName("Foo").WithContext(ctx)

	// work with jws
	{
		signature, err := jws.Sign(data, jws.WithKey(jwa.HS256, s))
		if err != nil {
			fmt.Println(err)
			os.Exit(1)
		}

		fmt.Println("JWS Signature ", string(signature))

		var m jws.Message

		msg, err := jws.Verify(signature, jws.WithKey(jwa.HS256, s), jws.WithMessage(&m))
		if err != nil {
			fmt.Println("Verify failed ", err)
			os.Exit(1)
		}

		fmt.Println("Msg: ", string(msg), " Message: ", m)
	}

but it looks like for HS256, I can only pass string as the key:

2024/02/27 21:52:16 failed to verify signature: rpc error: code = FailedPrecondition desc = projects/data-qe-da7e1252/locations/us-west1/keyRings/device-kms-test/cryptoKeys/mp_tenant1_hmac/cryptoKeyVersions/1 is not enabled, current state is: DISABLED.
error details: name = PreconditionFailure type = KEY_DISABLED subj = projects/data-qe-da7e1252/locations/us-west1/keyRings/device-kms-test/cryptoKeys/mp_tenant1_hmac/cryptoKeyVersions/1 desc =
exit status 1

which seems to come from: https://github.com/lestrrat-go/jwx/blob/develop/v2/jws/hmac.go#L50

But looking at: https://github.com/lestrrat-go/jwx/blob/develop/v2/jws/interface.go it does seem like we can provide a different implementation.

Can somebody help me on how can I extend JWX to use KMS methods instead of the local one? Due to compliance issue, we dont have access to the actual key for signing/verify so we want to use the cloud service.

[rnadhani-ns]

Never mind, i was able to figure this out. We can just register our Signer/Verifier and then call KMS accordingly.