
Feature Request: Built-In RSA Key Parser for JWT Signing (RSA PEM to JWK) #3765

Closed
cris-he opened this issue Aug 27, 2021 · 9 comments

@cris-he
Contributor

cris-he commented Aug 27, 2021

Expected Behavior

I generated a pair of RSA keys that will be used for JWT signing, and in the example in the OPA docs (https://www.openpolicyagent.org/docs/v0.14.2/policy-reference/#rsa-key-rsa-signature-with-sha-256), it asks for the RSA key in the JWK format, which contains the algorithm params (e.g. "n", "e", "d", "p", "q" etc.)

[image: screenshot of the OPA docs example]

I am looking for a built-in function that can convert the RSA key into the JWK, so end users can use it in the rego file.

@srenatus
Contributor

Got me curious re: how these are encoded... seems like it's asn1:

```
scratch/rsa % openssl genrsa -out key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................................+++++
........+++++
e is 65537 (0x010001)
scratch/rsa % openssl asn1parse < key.pem
    0:d=0  hl=4 l=1187 cons: SEQUENCE
    4:d=1  hl=2 l=   1 prim: INTEGER           :00
    7:d=1  hl=4 l= 257 prim: INTEGER           :CD56810347CF340AACBB605BF02D823EAD7204D91349773CF87029E8A107502705261DB151AB14DFBD0EB60231D497D39D683EDC043D30DE9493AC3CF581C268272AB3E995CF84A69027F46E1CF951BB395DAF235AAF4BE4B16A10D6268069B0E7746599A2E7F954441A6684AD7A1895428E4F1FC8603E662BC02126CE5928A5AFD52BB6F34DF76780AC856FED33D6F54681A7696A89BF7EB363989B62EBEE07416A29A28E942FBE3363E87851A3FFFA7BC3D478871C1A1A9FF96792A8EEFA8E21531F67227645E8FBC11B2776CEAC6A539F95EC42CC97012CAD17B1C315D1AF5026849122A922A96C66B654AD35066BCD99A58230786D455EBA0974FDE47D11
  268:d=1  hl=2 l=   3 prim: INTEGER           :010001
  273:d=1  hl=4 l= 256 prim: INTEGER           :…
  533:d=1  hl=3 l= 129 prim: INTEGER           :F2E8526EB11DD4835185A0CC20A24DB9F65A6B03B84E3B69314441EB7928183AC163884E182163A44DC83CED0897EBCA26AF63F5D0BBDCC940498334D451B6C4A9EDACEB2278B6E972740069C56A1F485AC09FF28ABF273446F58AB2C1DE23B74BF98DED30AB5EE49C9D0BA8B356783FCA551A7B2169AB44725846E9562CEC9F
  665:d=1  hl=3 l= 129 prim: INTEGER           :D867CA55C9FA75A3D06BF1DEBF72B1785A3B99A7E0804B71C39616DCE1F56F00E5E3E134727ED0F773D8FA2960949005C853A8A7B3329DD6073DBC88519CEFDE9689EFDFD78087DAE1B850BFF87C21B3A0D9BC0EF3826C6AD3E403A92C777013EBE372BDFD6DCE40EF690A428545CA1362E19C04DE87160011F67C75D3CD884F
  797:d=1  hl=3 l= 129 prim: INTEGER           :A1AAA2026DFB2E8F5FD8921689B9BC0582C2D6EA98E5E880B07B7F6C1B2CE64364A6BBF74DF41AFF258D998F20E30BD97539D24BAE6AFA1D2F9E3DA711907916170ACAC58C21CF8B3BD39CDAC8BB42AAC34BE4A86653A6E2124025D9A752136F512F7C985A8614180F6C2E704F3BC3B8A10F571A903865F69E2BC6B651D6807D
  929:d=1  hl=3 l= 128 prim: INTEGER           :300ECC9644A6845D7EB99A1B177507086D31732C1EE51EDC02CD60026983B1C507489608A9AC940780089D7576E7471CA1A242800B81A01F99B812184BD788456C34F1BA4A0757243AA04DFE73D64D3DB0E8E9A4805B646C4CE604121BB7E281EA0EB6BA8E7F4620918A482701A5BFFC9226FC18F0BA1B1EA4DE9241306A226D
 1060:d=1  hl=3 l= 128 prim: INTEGER           :660043B0305A4583ABB737F7144D0633C5C03894327D947018246A39AF8DA30BA58CF1213C88033C919F3BF0A64D61755FB747FAFB56FF6D4F2C96A7CBB4B27C97E5F8E4603B92DB24BEF902F9BB440DF92241C048AD4531B056648B0D05BD6FE096286F4CDE3FBBE3998A117828D1C5F13A47B125C53EE51B8DB6B90B05E323
scratch/rsa %
```

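An added example (not code from this issue or from OPA itself) of the conversion the thread is after: it parses the PKCS#1 `RSA PRIVATE KEY` PEM that `openssl genrsa` writes, whose SEQUENCE of integers is the version, n, e, d, p, q, dp, dq, qi shown by `asn1parse` above, and emits those values as the base64url JWK members. Go is used because OPA is written in Go; `PKCS1PEMToJWK` and `demoPEM` are names chosen here, and the key is generated at run time as constructed input rather than taken from the output above.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
)

// b64 encodes a big-endian integer as unpadded base64url, as RFC 7518 requires for JWK members.
func b64(n *big.Int) string { return base64.RawURLEncoding.EncodeToString(n.Bytes()) }

// PKCS1PEMToJWK turns a "BEGIN RSA PRIVATE KEY" PEM (the PKCS#1 SEQUENCE `openssl asn1parse` lists) into a private JWK.
func PKCS1PEMToJWK(pemBytes []byte) (map[string]string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return nil, errors.New("expected a PEM block of type RSA PRIVATE KEY")
	}
	key, err := x509.ParsePKCS1PrivateKey(block.Bytes) // decodes version, n, e, d, p, q, dp, dq, qi
	if err != nil { return nil, err }
	if len(key.Primes) != 2 { // a multi-prime key would also need the JWK "oth" member
		return nil, errors.New("only two-prime RSA keys are supported")
	}
	key.Precompute() // fills the CRT values Dp, Dq, Qinv (JWK "dp", "dq", "qi")
	return map[string]string{
		"kty": "RSA",
		"n": b64(key.N), "e": b64(big.NewInt(int64(key.E))), "d": b64(key.D),
		"p": b64(key.Primes[0]), "q": b64(key.Primes[1]),
		"dp": b64(key.Precomputed.Dp), "dq": b64(key.Precomputed.Dq), "qi": b64(key.Precomputed.Qinv),
	}, nil
}

// demoPEM is constructed input: a fresh key PEM-encoded the way `openssl genrsa` writes it.
func demoPEM() ([]byte, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	der := x509.MarshalPKCS1PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: der}), key
}

func main() {
	pemBytes, _ := demoPEM()
	jwk, err := PKCS1PEMToJWK(pemBytes)
	if err != nil { panic(err) }
	fmt.Println(jwk["kty"], jwk["e"], jwk["n"][:16]+"...") // "e" prints as AQAB (65537)
}
```

The returned map is the JWK object shape that io.jwt.encode_sign takes as its key argument; the exponent 65537 (0x010001 above) always encodes as "AQAB".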
@cris-he
Contributor Author

cris-he commented Aug 27, 2021

I'm recalling all the crypto concepts from the security course back in school 😆

Here is an online tool I found that does the RSA private key conversion to JWK: https://russelldavies.github.io/jwk-creator/

@srenatus
Contributor

💭 I guess we could also make io.jwt.encode_sign accept a string key, and do the translation on the fly...? Just a quick thought, though, I don't know if this works fine with the different possible algorithms used...

@cris-he
Contributor Author

cris-he commented Aug 27, 2021

That would absolutely be easier for end users. Honestly, at the beginning, when I worked on my POC, it took me a little time to find out that the "kty" is actually required even for a symmetric key. Everything became clearer when I had the source code cloned and running locally.

I did some "google search" before I submitted this issue because I thought it was only me who did not figure out how to convert from PEM to JWK in the Rego, but it looks like no one else has seen this before. So it might be a minority issue 😃, and I guess for now it's OK to only make a simple built-in to unblock the whole process. If we want to go with the full solution later, I think there would be a lot of places in the code that need to be updated, and the docs will need to be updated as well, and the end users notified regarding the updates.

@anderseknert
Member

Agreed. While the encode functions are rarely used compared to the decoding ones, supporting PEM formatted private keys would simplify things, as that's what you'll normally get from the OpenSSL commands commonly used in examples.

@cris-he
Contributor Author

cris-he commented Sep 12, 2021

Hi there, @srenatus and @anderseknert, I have made the changes locally. Could you please walk me through how to create a pull request?

I made a branch locally named "#3765" but I can't push due to permission denied.

@srenatus
Contributor

Oh great! Thank you!

In short, you'll have to push your branch to a fork of this repo. If you fork it, you'll have full access to your fork and can push it there. When you've done that, you can open a PR using GitHub's features. See for example https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork.

@srenatus
Contributor

Also let us know if you get stuck there. Happy to help!

@cris-he
Contributor Author

cris-he commented Sep 13, 2021

Thanks for the information. I have created a PR, could anyone please take a look? Thanks again.

cris-he added a commit to cris-he/opa that referenced this issue Sep 16, 2021
This will help users for JWT signing using RSA key, because currently
OPA only accepts RSA key in the JWK format.

Fixes: open-policy-agent#3765
Signed-off-by: cris-he <cruztiempo@hotmail.com>
dolevf pushed a commit to dolevf/opa that referenced this issue Nov 4, 2021
…t#3783)

This will help users for JWT signing using RSA key, because currently
OPA only accepts RSA key in the JWK format.

Fixes: open-policy-agent#3765

Signed-off-by: cris-he <cruztiempo@hotmail.com>
Signed-off-by: Dolev Farhi <farhi.dolev@gmail.com>