feat(crypto): accept RS256 in SupportedAlgorithms #4252

Merged: stevenvegt merged 1 commit into master from worktree-4234-add-rs256-supported-algorithms on May 12, 2026

Conversation

@stevenvegt
Member

Summary

  • Add jwa.RS256 to crypto/jwx.SupportedAlgorithms so ParseJWT accepts RS256-signed JWS on input (wallet VC ingest, VP verification, OAuth bearer-token parsing).
  • Network DAG transactions keep their own narrower allowlist (no RS256) untouched.
  • Outbound signing is unaffected; the node continues to sign with PS256.

Motivation

The AET ZORG-ID issuer used for HealthCareProfessionalDelegationCredential / PatientEnrollmentCredential in the LSPxNuts flows (#4188, #4233) signs all RSA-keyed soft certs with RS256 and exposes no algorithm knob. With the previous allowlist, every credential AET issued was rejected at POST /internal/vcr/v2/holder/{subject}/vc with:

token signing algorithm is not supported: RS256

Verified end-to-end: with this change the AET -> Nuts wallet round-trip (issuance, chain validation, persistence) succeeds.

Closes #4234

Test plan

  • go test ./... (full suite passes locally)
  • Test_isAlgorithmSupported now asserts RS256 is accepted
  • TestParseJWT/unsupported_algorithm rewritten to use HS256 as the rejected algorithm
  • TestService_parseAndValidateJwtBearerToken/wrong_signing_algorithm rewritten to use HS256
  • Network DAG parser_test.go still asserts RS256 is rejected for transactions (separate allowlist, unchanged)
  • Confirm AET -> wallet round-trip in the LSPxNuts integration environment

Assisted-by: AI

The JWS allowlist used by ParseJWT (wallet ingest, VP verification,
OAuth bearer-token parsing) excluded RS256 in favour of PS256. The AET
ZORG-ID issuer always signs soft-cert RSA keys with RS256 and offers no
algorithm knob, so HealthCareProfessionalDelegationCredential and
PatientEnrollmentCredential VCs were rejected at POST /internal/vcr/v2/
holder/{subject}/vc with "token signing algorithm is not supported:
RS256". Accept RS256 on input; outbound signing continues to use PS256.

The network DAG keeps its own narrower allowlist and still rejects
RS256 for transactions. Two tests that asserted RS256 rejection via the
shared allowlist now use HS256 instead.

Closes #4234

Assisted-by: AI
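The change above is a one-line widening of an input allowlist, so the security-relevant question is where that allowlist is consulted. The example below is an added illustration, not code from the nuts-node project: it parses the protected header of a compact JWS with the Go standard library and checks `alg` against an explicit allowlist before any key lookup or signature verification happens. The list names, the helper names and the list contents are assumptions; only the algorithms the PR mentions appear in them (PS256 and RS256 accepted on input, HS256 rejected, the DAG list without RS256), and the real lists may contain more entries. The constructed tokens carry dummy signatures because only the header is inspected here.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Two allowlists modelled on the ones the PR describes (assumed names and
// contents; only algorithms the PR mentions are listed).
var (
	// Shared JWS allowlist used when parsing JWTs on input.
	SupportedAlgorithms = map[string]bool{"PS256": true, "RS256": true}
	// Narrower allowlist for network DAG transactions: no RS256.
	DAGAlgorithms = map[string]bool{"PS256": true}
)

// protectedAlg extracts "alg" from the protected header of a compact JWS.
// JWS mandates unpadded base64url, so RawURLEncoding is the right decoder.
func protectedAlg(compact string) (string, error) {
	parts := strings.Split(compact, ".")
	if len(parts) != 3 {
		return "", errors.New("not a compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", fmt.Errorf("protected header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", fmt.Errorf("protected header: %w", err)
	}
	if hdr.Alg == "" {
		return "", errors.New("protected header has no alg")
	}
	return hdr.Alg, nil
}

// checkAlgorithm rejects a token whose alg is outside the given allowlist.
// It runs before any key is resolved, so "none" or a MAC alg paired with a
// public key never reaches signature verification. The error text mirrors
// the one quoted in the PR description.
func checkAlgorithm(compact string, allow map[string]bool) error {
	alg, err := protectedAlg(compact)
	if err != nil {
		return err
	}
	if !allow[alg] {
		return fmt.Errorf("token signing algorithm is not supported: %s", alg)
	}
	return nil
}

// constructedJWS builds a constructed fixture: a compact JWS with the given
// alg, a minimal payload and a dummy signature segment.
func constructedJWS(alg string) string {
	seg := func(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	payload, _ := json.Marshal(map[string]string{"iss": "did:example:issuer"})
	return seg(hdr) + "." + seg(payload) + "." + seg([]byte("dummy-signature"))
}

func main() {
	for _, alg := range []string{"PS256", "RS256", "HS256", "none"} {
		tok := constructedJWS(alg)
		fmt.Printf("%-5s input: %v | dag: %v\n", alg,
			checkAlgorithm(tok, SupportedAlgorithms), checkAlgorithm(tok, DAGAlgorithms))
	}
}
```

Keeping the DAG list separate, as the PR does, means widening the input list for one external issuer does not silently change what the network layer accepts; the rewritten tests use HS256 precisely because it is still outside the shared list.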
@qltysh
Contributor

qltysh Bot commented May 12, 2026

Coverage Impact

⬆️ Merging this pull request will increase total coverage on master by 0.02%.


@stevenvegt stevenvegt merged commit 649cb91 into master May 12, 2026
13 checks passed
@stevenvegt stevenvegt deleted the worktree-4234-add-rs256-supported-algorithms branch May 12, 2026 11:52
Linked issue (closed by this pull request): crypto: add RS256 to SupportedAlgorithms