Skip to content

Implement io.jwt.verify_eddsa builtin (closes #145)#153

Open
ume3445 wants to merge 1 commit into
open-policy-agent:mainfrom
ume3445:implement-jwt-verify-eddsa
Open

Implement io.jwt.verify_eddsa builtin (closes #145)#153
ume3445 wants to merge 1 commit into
open-policy-agent:mainfrom
ume3445:implement-jwt-verify-eddsa

Conversation

@ume3445

@ume3445 ume3445 commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Summary

Implements io.jwt.verify_eddsa as described in #145.

Changes

  • Added a public verifyEdDSA method to TokenBuiltins.java, following the exact pattern of the existing verify_es256/verify_es384/verify_es512 methods
  • Delegates to the existing private _verifyEdDSA method, which already correctly implements EdDSA verification matching OPA's Go reference implementation (topdown/tokens.go): raw signing input with no pre-hashing, verified via Ed25519 through BouncyCastle
  • Registered the new builtin in the builtins() map alongside the other io.jwt.verify_* entries
  • The verification logic itself was already correct and in use internally by io.jwt.decode_verify; this PR only exposes it as a standalone public builtin

Testing

  • Verified against the jwtverifyeddsa/success-cert compliance fixture, which now correctly evaluates and passes (previously the missing function meant the test was silently skipped rather than actually asserted, since the test harness ignores FunctionNotFoundError cases)
  • Confirmed the existing jwtdecodeverify EdDSA case still passes, since it exercises the same shared _verifyEdDSA path
  • Full opa-evaluator suite shows no new regressions (stash-and-compare against the pre-existing failure set, identical 62 unrelated failures with and without the change)

Closes #145.

Signed-off-by: Muhammad Umer Hammad <umerhammad010@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Implement io.jwt.verify_eddsa builtin

1 participant