feat(jwt_issuer): add -priv-in flag to load existing private key from file #477
leifj wants to merge 2 commits into
Conversation
Adds a -priv-in flag that allows specifying an existing private JWK file instead of generating a new key pair on every run. This is useful when you need a stable signing key across multiple invocations.
When -priv-in is not set, behavior is unchanged (new key generated).
Pull request overview
Adds support to developer_tools/scripts/jwt_issuer for reusing an existing private signing key across runs by introducing a new -priv-in flag that loads a private JWK from disk instead of generating a fresh key each invocation. This improves stability for repeated testing against api_server.api_auth.jwks setups where a consistent signing key is required.
Changes:
- Add -priv-in flag to load an existing private JWK (otherwise keep existing “generate new key” behavior).
- Update the README with an example invocation and the new flag in the flags table.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| developer_tools/scripts/jwt_issuer/README.md | Documents the new -priv-in option and provides a usage example. |
| developer_tools/scripts/jwt_issuer/main.go | Implements loading a private JWK from a file when -priv-in is set. |
| privJWK, err = jwk.ParseKey(privJSON) | ||
| if err != nil { | ||
| fatal("parse private key: %v", err) | ||
| } | ||
| fmt.Printf("Private key loaded from %s\n", *privInFile) |
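Review bot: jwk.ParseKey on the first line accepts any JWK, so a public-only JWK, an RSA key or an EC key on another curve gets past this block and only fails later with a less obvious error (or signs tokens the published JWKS cannot verify); right after the parse, export the key to *ecdsa.PrivateKey and check that its curve is P-256, calling fatal with a clear message when it is not.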
This feedback makes sense!
s-jairl left a comment
See comment from Copilot - otherwise good!
@copilot address
| privJWK, err = jwk.ParseKey(privJSON) | ||
| if err != nil { | ||
| fatal("parse private key: %v", err) | ||
| } | ||
| fmt.Printf("Private key loaded from %s\n", *privInFile) |
Fixed in 373ce75 — after parsing, we now export to ecdsa.PrivateKey and verify the curve is P-256. This catches public-only keys, wrong kty, and wrong curves immediately.
| jwtFile := flag.String("jwt-out", "token.jwt", "output file for the signed JWT") | ||
| jwkFile := flag.String("jwk-out", "jwks.json", "output file for the JWKS (public keys)") | ||
| privFile := flag.String("priv-out", "", "output file for the private JWK (optional)") | ||
| privInFile := flag.String("priv-in", "", "input file for an existing private JWK (optional, generates new key if not set)") | ||
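Review bot: the new priv-in flag on the last line shares no validation with the three output flags above it, so -priv-in may name the same file as -jwt-out, -jwk-out or -priv-out and the run would overwrite the very key it was asked to reuse; compare the cleaned -priv-in path with each non-empty output path right after flag.Parse and exit with an error on a match.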
Fixed in 373ce75 — added a guard that checks all output paths against -priv-in before proceeding.
- Validate that -priv-in contains an EC P-256 private key immediately after parsing, failing fast with a clear error for wrong key type, curve, or public-only keys.
- Guard against output files (-jwt-out, -jwk-out, -priv-out) matching -priv-in, preventing accidental overwrite of the private key.
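Both follow-up checks described in this thread, as an added example written against the Go standard library rather than the jwx jwk.ParseKey call the script uses (this is not the jwt_issuer code; the function names, the map of output flags and the generated sample key are assumptions): a loader that accepts a JWK only if it is an EC P-256 private key whose x/y equal d*G, and a guard that refuses any output path equal to -priv-in.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"path/filepath"
)

// ecJWK holds the JWK members of an EC key (RFC 7518 section 6.2);
// "d" is present only in private keys.
type ecJWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
	D   string `json:"d,omitempty"`
}

// LoadP256PrivateJWK accepts a JWK only if it is an EC P-256 private key whose x/y
// equal d*G; public-only, RSA/OKP, other-curve and corrupt keys fail at load time.
func LoadP256PrivateJWK(data []byte) (*ecdsa.PrivateKey, error) {
	var j ecJWK
	if err := json.Unmarshal(data, &j); err != nil {
		return nil, fmt.Errorf("parse private key: %w", err)
	}
	if j.Kty != "EC" {
		return nil, fmt.Errorf("private key: expected kty EC, got %q", j.Kty)
	}
	if j.Crv != "P-256" {
		return nil, fmt.Errorf("private key: expected crv P-256, got %q", j.Crv)
	}
	if j.D == "" {
		return nil, fmt.Errorf("private key: no \"d\" member (public key only)")
	}
	// P-256 coordinates and scalars are fixed-length 32-byte values.
	var xyd [3][]byte
	for i, m := range []struct{ name, val string }{{"x", j.X}, {"y", j.Y}, {"d", j.D}} {
		b, err := base64.RawURLEncoding.DecodeString(m.val)
		if err != nil || len(b) != 32 {
			return nil, fmt.Errorf("private key: %q must be 32 base64url-encoded bytes", m.name)
		}
		xyd[i] = b
	}
	x, y, d := xyd[0], xyd[1], xyd[2]
	// crypto/ecdh checks d is in [1, n-1] and derives d*G; comparing with x/y catches a private half stored beside the wrong public half.
	priv, err := ecdh.P256().NewPrivateKey(d)
	if err != nil {
		return nil, fmt.Errorf("private key: invalid scalar: %w", err)
	}
	if !bytes.Equal(priv.PublicKey().Bytes(), append(append([]byte{0x04}, x...), y...)) {
		return nil, fmt.Errorf("private key: x/y do not match d*G on P-256")
	}
	pub := ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	return &ecdsa.PrivateKey{PublicKey: pub, D: new(big.Int).SetBytes(d)}, nil
}

// EncodeP256JWK writes a P-256 key as a JWK; includePrivate selects the
// private file form (with "d") over the public JWKS entry form.
func EncodeP256JWK(k *ecdsa.PrivateKey, includePrivate bool) ([]byte, error) {
	enc := func(v *big.Int) string { return base64.RawURLEncoding.EncodeToString(v.FillBytes(make([]byte, 32))) }
	j := ecJWK{Kty: "EC", Crv: "P-256", X: enc(k.X), Y: enc(k.Y)}
	if includePrivate {
		j.D = enc(k.D)
	}
	return json.Marshal(j)
}

// CheckOutputPaths refuses any output flag whose cleaned path equals the
// -priv-in path, so a run can never overwrite the key it was asked to reuse.
func CheckOutputPaths(privIn string, outputs map[string]string) error {
	if privIn == "" {
		return nil // no input key, nothing to protect
	}
	for flagName, out := range outputs {
		if out != "" && filepath.Clean(out) == filepath.Clean(privIn) {
			return fmt.Errorf("-%s %q would overwrite the -priv-in file", flagName, out)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a fresh key saved as -priv-out would, reloaded as -priv-in.
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	privJSON, _ := EncodeP256JWK(k, true)
	_, err := LoadP256PrivateJWK(privJSON)
	fmt.Println("private JWK:", err)
	pubJSON, _ := EncodeP256JWK(k, false) // same key without "d": must be refused
	_, err = LoadP256PrivateJWK(pubJSON)
	fmt.Println("public-only JWK:", err)
	fmt.Println("path guard:", CheckOutputPaths("./keys/priv.json", map[string]string{"priv-out": "keys/priv.json"}))
}
```

The d*G comparison goes one step beyond the curve check discussed in the thread: a JWK can carry the right kty and crv and a well-formed d while its x/y belong to a different key, and such a file would sign tokens that the published JWKS never verifies. Cleaning both paths before comparing is what makes "./keys/priv.json" and "keys/priv.json" count as the same file.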