Skip to content

Convert RSA envelope encryption to JWE #767

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
SgtCoDFish merged 1 commit into from
Feb 2, 2026
Merged

Convert RSA envelope encryption to JWE #767

SgtCoDFish merged 1 commit into from
Feb 2, 2026
+181 −151

Conversation

@SgtCoDFish
Copy link
Contributor

@SgtCoDFish SgtCoDFish commented Jan 30, 2026
edited
Loading

This matches what the upstream will expect - we agreed last week to use JWE in this case. To make it easier to migrate to other encodings later, I make the EncryptedData struct depend on a tag.

Important: This code still remains unused! The aim is to get the cryptography correct for now - we'll use it later.

Uses the github.com/lestrrat-go/jwx/v3 library, which seemed like the best choice from the ones I surveyed (e.g. https://github.com/golang-jwt/jwe has 2 contributors and no commits for 4 years)

@SgtCoDFish SgtCoDFish force-pushed the jwe branch 2 times, most recently from 9a85e11 to 8b85fa9 Compare February 2, 2026 10:09
@SgtCoDFish SgtCoDFish changed the title wip: jwe Convert RSA envelope encryption to JWE Feb 2, 2026
@SgtCoDFish SgtCoDFish force-pushed the jwe branch 2 times, most recently from 41454cb to 00389ff Compare February 2, 2026 10:30
SgtCoDFish
SgtCoDFish commented Feb 2, 2026
View reviewed changes
internal/envelope/rsa/encryptor.go
Comment on lines -75 to -79
defer func() {
for i := range aesKey {
aesKey[i] = 0
}
}()
Copy link
Contributor Author

@SgtCoDFish SgtCoDFish Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note: we could generate the key outside of jwe.Encrypt and pass it in using WithKey, and keep our zeroising function here. Since we have to pass the key into a third party library in that case, I don't think we really gain much by zeroising here (we can't control what that third party does when the library updates).

This is what go1.26's secret.Do will be for. For now, having the jwe library generate the key means we never have to touch it in our code in plaintext.

@SgtCoDFish SgtCoDFish force-pushed the jwe branch 2 times, most recently from 6f28709 to 5231bd5 Compare February 2, 2026 10:50
maelvls
maelvls reviewed Feb 2, 2026
View reviewed changes
maelvls
maelvls reviewed Feb 2, 2026
View reviewed changes
maelvls
maelvls reviewed Feb 2, 2026
View reviewed changes
@maelvls
Copy link
Member

maelvls commented Feb 2, 2026

Looks good to me. I haven't dug into the cryptographic side of things. My only remark was that we are relying on RSA key signature but not a big deal.

While reviewing, I've discovered an interesting CLI named jose:

go install github.com/nao1215/jose@latest

I wish I had been able to test the new library using jose but I haven't spent enough time playing with it to be able to test things manually.

@SgtCoDFish
convert RSA envelope encryption to JWE
666d6bf 
Uses github.com/lestrrat-go/jwx/v3, should be the same functionality as
before

Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>
@SgtCoDFish SgtCoDFish merged commit dfc7c39 into master Feb 2, 2026
12 of 16 checks passed
@SgtCoDFish SgtCoDFish deleted the jwe branch February 2, 2026 13:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maelvls maelvls maelvls approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@SgtCoDFish @maelvls