func()

in assertion/pkg/jwtvault/signer.go [68:118]


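// SignPayload implements jose.OpaqueSigner by delegating the signature to a
// Vault transit key.
//
// The payload is digested locally with SHA-384 (sha512/384) and only the
// digest is sent to Vault with prehashed=true, so the raw signing input never
// leaves the process. Vault is asked for "jws" marshaling so the decoded bytes
// can be handed back to go-jose unchanged.
//
// Because the digest is fixed at SHA-384, only the SHA-384 based JWS
// algorithms (ES384, RS384, PS384) can be honoured; any other alg is rejected
// rather than producing a signature that verifiers would never accept.
//
// Returns the raw signature bytes, or an error when the signer is
// mis-configured, alg is unsupported, the Vault call fails, or the response
// does not carry a "vault:<version>:<base64url>" signature string.
func (o *opaqueSigner) SignPayload(payload []byte, alg jose.SignatureAlgorithm) ([]byte, error) {
	// Validate configuration before touching the network.
	if o.vaultClient == nil {
		return nil, fmt.Errorf("vault client must not be nil")
	}
	if o.transitPath == "" {
		return nil, fmt.Errorf("transit path must not be blank")
	}
	if o.keyName == "" {
		return nil, fmt.Errorf("key name must not be blank")
	}

	// Fail closed on an algorithm we cannot produce: the digest below is always
	// SHA-384, so a 256- or 512-bit alg would yield a structurally valid but
	// unverifiable signature.
	switch alg {
	case jose.ES384, jose.RS384, jose.PS384:
	default:
		return nil, fmt.Errorf("unsupported signature algorithm %q: this signer only produces SHA-384 based signatures", alg)
	}

	// Digest the payload locally (sha512/384).
	h := sha512.New384()
	if _, err := h.Write(payload); err != nil {
		return nil, fmt.Errorf("unable to compute sha512/384 hash of payload: %w", err)
	}
	digest := h.Sum(nil)

	// Sign the digest with the transit key. hash_algorithm must name the digest
	// we send: with prehashed=true Vault uses it to build the RSA PKCS#1v1.5 /
	// PSS parameters, and when omitted Vault defaults it to sha2-256, which
	// does not match a 48-byte SHA-384 digest.
	req := map[string]interface{}{
		"prehashed":            true,       // input is already a digest
		"hash_algorithm":       "sha2-384", // matches sha512.New384 above
		"marshaling_algorithm": "jws",      // raw JWS signature encoding
		"input":                base64.StdEncoding.EncodeToString(digest),
	}
	resp, err := o.vaultClient.Logical().Write(path.Join(o.transitPath, "sign", o.keyName), req)
	if err != nil {
		return nil, fmt.Errorf("unable to sign token: %w", err)
	}
	if resp == nil {
		return nil, fmt.Errorf("returned signature is nil")
	}

	// The signature field must be present and must be a string; a checked
	// assertion avoids a panic on an unexpected response shape.
	sigField, found := resp.Data["signature"]
	if !found {
		return nil, fmt.Errorf("signature not found in response")
	}
	rawSig, isString := sigField.(string)
	if !isString {
		return nil, fmt.Errorf("unexpected signature type %T in response", sigField)
	}

	// Vault returns "vault:v<n>:<base64url>"; strip the key-version prefix and
	// refuse anything that does not have exactly that shape instead of
	// indexing past the end of the split.
	sigParts := strings.SplitN(rawSig, ":", 3)
	if len(sigParts) != 3 || sigParts[0] != "vault" || sigParts[2] == "" {
		return nil, fmt.Errorf("unexpected signature format in response")
	}

	// Decode the raw JWS signature bytes.
	signatureBytes, err := base64.RawURLEncoding.DecodeString(sigParts[2])
	if err != nil {
		return nil, fmt.Errorf("invalid signature encoding: %w", err)
	}

	return signatureBytes, nil
}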