Skip to content

Add crypto.Signer support for KMS/HSM keys #654

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dineshudayakumar wants to merge 10 commits into
base: main
Choose a base branch
from
Open

Add crypto.Signer support for KMS/HSM keys #654

dineshudayakumar wants to merge 10 commits into from

Conversation

@dineshudayakumar
Copy link

@dineshudayakumar dineshudayakumar commented Jan 15, 2026

Summary

  • Check public key type instead of private key type to support crypto.Signer implementations (GCP KMS, AWS KMS, HSM) that aren't concrete *rsa.PrivateKey or *ecdsa.PrivateKey types
  • Add fallback JWT signing using crypto.Signer interface for KMS/HSM keys
  • Update key type validation in GetSigningContext() to check public key type

dependabot bot and others added 4 commits January 15, 2026 05:21
@dependabot
Bump golang.org/x/crypto from 0.33.0 to 0.45.0
86c67e9 
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.33.0 to 0.45.0.
- [Commits](golang/crypto@v0.33.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dineshudayakumar
Merge pull request #1 from retailnext/dependabot/go_modules/golang.or…
827fdd2 
…g/x/crypto-0.45.0

Bump golang.org/x/crypto from 0.33.0 to 0.45.0
@dependabot
Bump github.com/golang-jwt/jwt/v5 from 5.2.2 to 5.3.0
52b35ff 
Bumps [github.com/golang-jwt/jwt/v5](https://github.com/golang-jwt/jwt) from 5.2.2 to 5.3.0.
- [Release notes](https://github.com/golang-jwt/jwt/releases)
- [Commits](golang-jwt/jwt@v5.2.2...v5.3.0)

---
updated-dependencies:
- dependency-name: github.com/golang-jwt/jwt/v5
  dependency-version: 5.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
Bump github.com/russellhaering/goxmldsig from 1.4.0 to 1.5.0
fe4d2f7 
Bumps [github.com/russellhaering/goxmldsig](https://github.com/russellhaering/goxmldsig) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/russellhaering/goxmldsig/releases)
- [Commits](russellhaering/goxmldsig@v1.4.0...v1.5.0)

---
updated-dependencies:
- dependency-name: github.com/russellhaering/goxmldsig
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dineshudayakumar and others added 5 commits January 16, 2026 14:25
@dineshudayakumar
Merge pull request #4 from retailnext/dependabot/go_modules/github.co…
635141c 
…m/russellhaering/goxmldsig-1.5.0

Bump github.com/russellhaering/goxmldsig from 1.4.0 to 1.5.0
@dineshudayakumar
Merge pull request #3 from retailnext/dependabot/go_modules/github.co…
5439ad7 
…m/golang-jwt/jwt/v5-5.3.0

Bump github.com/golang-jwt/jwt/v5 from 5.2.2 to 5.3.0
@dependabot
Bump golang.org/x/crypto from 0.45.0 to 0.47.0
b28c88c 
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.45.0 to 0.47.0.
- [Commits](golang/crypto@v0.45.0...v0.47.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.47.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dineshudayakumar
Use flexible error assertions in XSW tests
3167922
@dineshudayakumar
Merge pull request #2 from retailnext/dependabot/go_modules/golang.or…
4bc7ace 
…g/x/crypto-0.47.0

Bump golang.org/x/crypto from 0.45.0 to 0.47.0
@dineshudayakumar dineshudayakumar force-pushed the crypto-signer-support branch 5 times, most recently from 9ad3a32 to 9f655f0 Compare January 23, 2026 16:55
@dineshudayakumar
Add crypto.Signer support for KMS/HSM keys
9399db6 
Check public key type instead of private key type to support
crypto.Signer implementations (GCP KMS, AWS KMS, HSM) that
aren't concrete *rsa.PrivateKey or *ecdsa.PrivateKey types.

Changes:
- samlsp/new.go: Update defaultSigningMethodForKey()
- samlsp/session_jwt.go: Add fallback signing with crypto.Signer
- samlsp/request_tracker_jwt.go: Add fallback signing
- service_provider.go: Update GetSigningContext() validation
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@crewjam crewjam Awaiting requested review from crewjam crewjam is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dineshudayakumar