Update tool dependencies and fix new lint issues (#36702)
## Summary - Update golangci-lint v2.9.0 → v2.10.1, misspell v0.7.0 → v0.8.0, actionlint v1.7.10 → v1.7.11 - Fix 20 new QF1012 staticcheck findings by using `fmt.Fprintf` instead of `WriteString(fmt.Sprintf(...))` - Fix SA1019: replace deprecated `ecdsa.PublicKey` field access with `PublicKey.Bytes()` for JWK encoding, with SEC 1 validation and curve derived from signing algorithm - Add unit test for `ToJWK()` covering P-256, P-384, and P-521 curves, also verifying correct coordinate padding per RFC 7518 - Remove dead staticcheck linter exclusion for "argument x is overwritten before first use" ## Test plan - [x] `make lint-go` passes with 0 issues - [x] `go test ./services/oauth2_provider/ -run TestECDSASigningKeyToJWK` passes for all curves 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -214,13 +214,20 @@ func (key ecdsaSingingKey) VerifyKey() any {
|
||||
func (key ecdsaSingingKey) ToJWK() (map[string]string, error) {
|
||||
pubKey := key.key.Public().(*ecdsa.PublicKey)
|
||||
|
||||
// PublicKey.Bytes returns the uncompressed SEC 1 format: 0x04 || X || Y
|
||||
pubKeyBytes, err := pubKey.Bytes()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
coordLen := (len(pubKeyBytes) - 1) / 2
|
||||
return map[string]string{
|
||||
"kty": "EC",
|
||||
"alg": key.SigningMethod().Alg(),
|
||||
"kid": key.id,
|
||||
"crv": pubKey.Params().Name,
|
||||
"x": base64.RawURLEncoding.EncodeToString(pubKey.X.Bytes()),
|
||||
"y": base64.RawURLEncoding.EncodeToString(pubKey.Y.Bytes()),
|
||||
"x": base64.RawURLEncoding.EncodeToString(pubKeyBytes[1 : 1+coordLen]),
|
||||
"y": base64.RawURLEncoding.EncodeToString(pubKeyBytes[1+coordLen:]),
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
||||
@@ -0,0 +1,61 @@
|
||||
// Copyright 2026 The Gitea Authors. All rights reserved.
|
||||
// SPDX-License-Identifier: MIT
|
||||
|
||||
package oauth2_provider
|
||||
|
||||
import (
|
||||
"crypto/ecdsa"
|
||||
"crypto/elliptic"
|
||||
"crypto/rand"
|
||||
"encoding/base64"
|
||||
"math/big"
|
||||
"testing"
|
||||
|
||||
"github.com/golang-jwt/jwt/v5"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestECDSASigningKeyToJWK(t *testing.T) {
|
||||
for _, tc := range []struct {
|
||||
curve elliptic.Curve
|
||||
signingMethod jwt.SigningMethod
|
||||
expectedAlg string
|
||||
expectedCrv string
|
||||
coordLen int
|
||||
}{
|
||||
{elliptic.P256(), jwt.SigningMethodES256, "ES256", "P-256", 32},
|
||||
{elliptic.P384(), jwt.SigningMethodES384, "ES384", "P-384", 48},
|
||||
{elliptic.P521(), jwt.SigningMethodES512, "ES512", "P-521", 66},
|
||||
} {
|
||||
t.Run(tc.expectedCrv, func(t *testing.T) {
|
||||
privKey, err := ecdsa.GenerateKey(tc.curve, rand.Reader)
|
||||
require.NoError(t, err)
|
||||
|
||||
signingKey, err := newECDSASingingKey(tc.signingMethod, privKey)
|
||||
require.NoError(t, err)
|
||||
|
||||
jwk, err := signingKey.ToJWK()
|
||||
require.NoError(t, err)
|
||||
|
||||
assert.Equal(t, "EC", jwk["kty"])
|
||||
assert.Equal(t, tc.expectedAlg, jwk["alg"])
|
||||
assert.Equal(t, tc.expectedCrv, jwk["crv"])
|
||||
assert.NotEmpty(t, jwk["kid"])
|
||||
|
||||
// Verify coordinates are the correct fixed length per RFC 7518 / SEC 1
|
||||
xBytes, err := base64.RawURLEncoding.DecodeString(jwk["x"])
|
||||
require.NoError(t, err)
|
||||
assert.Len(t, xBytes, tc.coordLen)
|
||||
|
||||
yBytes, err := base64.RawURLEncoding.DecodeString(jwk["y"])
|
||||
require.NoError(t, err)
|
||||
assert.Len(t, yBytes, tc.coordLen)
|
||||
|
||||
// Verify the decoded coordinates reconstruct the original public key point
|
||||
pubKey := privKey.Public().(*ecdsa.PublicKey)
|
||||
assert.Equal(t, 0, new(big.Int).SetBytes(xBytes).Cmp(pubKey.X))
|
||||
assert.Equal(t, 0, new(big.Int).SetBytes(yBytes).Cmp(pubKey.Y))
|
||||
})
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user