silverwind
f7f55a356f
## Summary - Update golangci-lint v2.9.0 → v2.10.1, misspell v0.7.0 → v0.8.0, actionlint v1.7.10 → v1.7.11 - Fix 20 new QF1012 staticcheck findings by using `fmt.Fprintf` instead of `WriteString(fmt.Sprintf(...))` - Fix SA1019: replace deprecated `ecdsa.PublicKey` field access with `PublicKey.Bytes()` for JWK encoding, with SEC 1 validation and curve derived from signing algorithm - Add unit test for `ToJWK()` covering P-256, P-384, and P-521 curves, also verifying correct coordinate padding per RFC 7518 - Remove dead staticcheck linter exclusion for "argument x is overwritten before first use" ## Test plan - [x] `make lint-go` passes with 0 issues - [x] `go test ./services/oauth2_provider/ -run TestECDSASigningKeyToJWK` passes for all curves 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
62 lines
1.8 KiB
Go
62 lines
1.8 KiB
Go
// Copyright 2026 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package oauth2_provider
|
|
|
|
import (
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"math/big"
|
|
"testing"
|
|
|
|
"github.com/golang-jwt/jwt/v5"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestECDSASigningKeyToJWK(t *testing.T) {
|
|
for _, tc := range []struct {
|
|
curve elliptic.Curve
|
|
signingMethod jwt.SigningMethod
|
|
expectedAlg string
|
|
expectedCrv string
|
|
coordLen int
|
|
}{
|
|
{elliptic.P256(), jwt.SigningMethodES256, "ES256", "P-256", 32},
|
|
{elliptic.P384(), jwt.SigningMethodES384, "ES384", "P-384", 48},
|
|
{elliptic.P521(), jwt.SigningMethodES512, "ES512", "P-521", 66},
|
|
} {
|
|
t.Run(tc.expectedCrv, func(t *testing.T) {
|
|
privKey, err := ecdsa.GenerateKey(tc.curve, rand.Reader)
|
|
require.NoError(t, err)
|
|
|
|
signingKey, err := newECDSASingingKey(tc.signingMethod, privKey)
|
|
require.NoError(t, err)
|
|
|
|
jwk, err := signingKey.ToJWK()
|
|
require.NoError(t, err)
|
|
|
|
assert.Equal(t, "EC", jwk["kty"])
|
|
assert.Equal(t, tc.expectedAlg, jwk["alg"])
|
|
assert.Equal(t, tc.expectedCrv, jwk["crv"])
|
|
assert.NotEmpty(t, jwk["kid"])
|
|
|
|
// Verify coordinates are the correct fixed length per RFC 7518 / SEC 1
|
|
xBytes, err := base64.RawURLEncoding.DecodeString(jwk["x"])
|
|
require.NoError(t, err)
|
|
assert.Len(t, xBytes, tc.coordLen)
|
|
|
|
yBytes, err := base64.RawURLEncoding.DecodeString(jwk["y"])
|
|
require.NoError(t, err)
|
|
assert.Len(t, yBytes, tc.coordLen)
|
|
|
|
// Verify the decoded coordinates reconstruct the original public key point
|
|
pubKey := privKey.Public().(*ecdsa.PublicKey)
|
|
assert.Equal(t, 0, new(big.Int).SetBytes(xBytes).Cmp(pubKey.X))
|
|
assert.Equal(t, 0, new(big.Int).SetBytes(yBytes).Cmp(pubKey.Y))
|
|
})
|
|
}
|
|
}
|