spiffe · rturner3 · Jun 30, 2023 · Jun 30, 2023 · Jun 30, 2023
@@ -42,13 +42,19 @@ func (c *JWTSVIDCache) SetJWTSVID(spiffeID spiffeid.ID, audience []string, svid
 func jwtSVIDKey(spiffeID spiffeid.ID, audience []string) string {
 	h := sha256.New()
 
+	// Form the cache key as the SHA-256 hash of the SPIFFE ID and all the audiences.
+	// In order to avoid ambiguities, we will write a nul byte to the hash function after each data
+	// item.
+
 	// duplicate and sort the audience slice
 	audience = append([]string(nil), audience...)
 	sort.Strings(audience)
 
 	_, _ = io.WriteString(h, spiffeID.String())
+	h.Write([]byte{0})
 	for _, a := range audience {
 		_, _ = io.WriteString(h, a)
+		h.Write([]byte{0})
 	}
 
 	return base64.StdEncoding.EncodeToString(h.Sum(nil))

@@ -9,7 +9,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestJWTSVIDCache(t *testing.T) {
+func TestJWTSVIDCacheBasic(t *testing.T) {
 	now := time.Now()
 	expected := &client.JWTSVID{Token: "X", IssuedAt: now, ExpiresAt: now.Add(time.Second)}
 
@@ -28,3 +28,23 @@ func TestJWTSVIDCache(t *testing.T) {
 	assert.True(t, ok)
 	assert.Equal(t, expected, actual)
 }
+
+func TestJWTSVIDCacheKeyHashing(t *testing.T) {
+	spiffeID := spiffeid.RequireFromString("spiffe://example.org/blog")
+	now := time.Now()
+	expected := &client.JWTSVID{Token: "X", IssuedAt: now, ExpiresAt: now.Add(time.Second)}
+
+	cache := NewJWTSVIDCache()
+	cache.SetJWTSVID(spiffeID, []string{"ab", "cd"}, expected)
+
+	// JWT is cached
+	actual, ok := cache.GetJWTSVID(spiffeID, []string{"ab", "cd"})
+	assert.True(t, ok)
+	assert.Equal(t, expected, actual)
+
+	// JWT is not cached, despite concatenation of audiences (in lexicographical order) matching
+	// that of the cached item
+	actual, ok = cache.GetJWTSVID(spiffeID, []string{"a", "bcd"})
+	assert.False(t, ok)
+	assert.Nil(t, actual)
+}