You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Consider dropping ES256K (secp256k1) support, which is gated behind the jwx_es256k build tag. It appears unused, is not built into the default binary, and carries maintenance cost.
Why
Opt-in only, likely unused. ES256K is only compiled when building with -tags jwx_es256k (see Makefilebuild target and crypto/jwx/jwx_es256k.go). The default binary does not include it. No known deployment enables it.
Untested / rotted. CI only builds with the tag, it never runs tests with it, so crypto/jwx/jwx_es256k_test.go has silently rotted:
it lives in package jwx but calls ParseJWT, which is in package crypto (would be an import cycle),
it passes the wrong number of arguments to ParseJWT,
it signs with a P-256 key (test.GenerateECKey()) for a secp256k1 algorithm.
The test file has therefore not compiled for a long time and nobody noticed.
Remove ES256K support entirely: delete crypto/jwx/jwx_es256k.go + _test.go, drop the jwx_es256k build tag from the Makefile, and remove the es256k/secp256k1 branches in vdr/didkey/resolver.go and the related test cases in vcr/credential, vcr/pe, vdr/didkey.
Keep it but make it real: run the tagged tests in CI and fix the rotted test, so it can't silently break again.
Recommendation
Remove it (option 1) unless someone identifies an active consumer. secp256k1 is niche for did:web/IAM (our active focus), and an untested, build-tag-gated code path is a liability.
Context
Surfaced during the jwx v2→v3 migration (PR #4391): the jwa.ES256K constant→function change was missed initially because the file is excluded from the default build. The build is now fixed; the tagged test remains broken and was left as-is pending this decision.
Summary
Consider dropping ES256K (secp256k1) support, which is gated behind the
jwx_es256kbuild tag. It appears unused, is not built into the default binary, and carries maintenance cost.Why
-tags jwx_es256k(seeMakefilebuildtarget andcrypto/jwx/jwx_es256k.go). The default binary does not include it. No known deployment enables it.crypto/jwx/jwx_es256k_test.gohas silently rotted:package jwxbut callsParseJWT, which is inpackage crypto(would be an import cycle),ParseJWT,test.GenerateECKey()) for a secp256k1 algorithm.The test file has therefore not compiled for a long time and nobody noticed.
Options
crypto/jwx/jwx_es256k.go+_test.go, drop thejwx_es256kbuild tag from the Makefile, and remove thees256k/secp256k1 branches invdr/didkey/resolver.goand the related test cases invcr/credential,vcr/pe,vdr/didkey.Recommendation
Remove it (option 1) unless someone identifies an active consumer. secp256k1 is niche for did:web/IAM (our active focus), and an untested, build-tag-gated code path is a liability.
Context
Surfaced during the jwx v2→v3 migration (PR #4391): the
jwa.ES256Kconstant→function change was missed initially because the file is excluded from the default build. The build is now fixed; the tagged test remains broken and was left as-is pending this decision.Assisted by AI