Module: WebBotAuth::Key

Defined in:

app/services/web_bot_auth/key.rb

Overview

The Ed25519 signing key used for Web Bot Auth, plus its public JWK
representation and key-id thumbprint.

The private key (PEM) is stored at +web_bot_auth.signing_key+ in
+config/credentials.yml.enc+, environment-namespaced via
Heatwave::Configuration (production / development; test and staging fall
back to development). The public JWK and its key id are derived from the
private key at runtime, so there is no separate public material to drift.

See Also:

• https://www.rfc-editor.org/rfc/rfc8037#appendix-A.3

Class Method Summary

• .configured? ⇒ Boolean

  Whether a usable signing key is configured.

• .kid ⇒ String

  The key id: the base64url (unpadded) SHA-256 JWK thumbprint (RFC 8037 App. A.3 / RFC 7638) over the canonical +crv,kty,x+ JSON.

• .private_key ⇒ OpenSSL::PKey::PKey^?

  The memoised Ed25519 private key, or nil when none is configured.

• .public_jwk ⇒ Hash

  The public key as a JWK (RFC 7517 / RFC 8037).

• .reset! ⇒ void

  Clear the memoised key.

• .sign(data) ⇒ String

  Sign a message with the Ed25519 private key.

• .x ⇒ String

  The base64url (unpadded) Ed25519 public key — the JWK +x+ parameter.

Class Method Details

.configured? ⇒ Boolean

Whether a usable signing key is configured.

Returns:

• (Boolean)

# File 'app/services/web_bot_auth/key.rb', line 26

def configured?
  private_key.present?
rescue StandardError
  false
end

.kid ⇒ String

The key id: the base64url (unpadded) SHA-256 JWK thumbprint
(RFC 8037 App. A.3 / RFC 7638) over the canonical +crv,kty,x+ JSON.

Returns:

• (String)

# File 'app/services/web_bot_auth/key.rb', line 51

def kid
  canonical = %({"crv":"Ed25519","kty":"OKP","x":"#{x}"})
  Base64.urlsafe_encode64(OpenSSL::Digest::SHA256.digest(canonical), padding: false)
end

.private_key ⇒ OpenSSL::PKey::PKey^?

The memoised Ed25519 private key, or nil when none is configured.

Returns:

• (OpenSSL::PKey::PKey, nil)

# File 'app/services/web_bot_auth/key.rb', line 19

def private_key
  @private_key ||= load_private_key
end

.public_jwk ⇒ Hash

The public key as a JWK (RFC 7517 / RFC 8037).

Returns:

• (Hash)

# File 'app/services/web_bot_auth/key.rb', line 59

def public_jwk
  { kid: kid, kty: 'OKP', crv: 'Ed25519', x: x }
end

.reset! ⇒ void

This method returns an undefined value.

Clear the memoised key. Intended for test isolation.

# File 'app/services/web_bot_auth/key.rb', line 66

def reset!
  @private_key = nil
end

.sign(data) ⇒ String

Sign a message with the Ed25519 private key.

Parameters:

• data (String) —

  the bytes to sign

Returns:

• (String) —

  the raw 64-byte Ed25519 signature

# File 'app/services/web_bot_auth/key.rb', line 36

def sign(data)
  private_key.sign(nil, data)
end

.x ⇒ String

The base64url (unpadded) Ed25519 public key — the JWK +x+ parameter.

Returns:

• (String)

# File 'app/services/web_bot_auth/key.rb', line 43

def x
  Base64.urlsafe_encode64(private_key.raw_public_key, padding: false)
end