Failure in Validating an EdDSA signed JWT when Key in Keystore has Private Part

[Unkn0wnCat]

Heyo,

I'm currently working on an auth server and I need to both generate and later validate JWTs. For this I'm using an Ed25519-key from a Keystore:

{
  "keys": [
    {
      "alg": "EdDSA",
      "crv": "Ed25519",
      "d": "coaeZE6dZkrtXbv4I4igYvt48K_24CLPfejP3dUWk5I",
      "kid": "3V0cnH2jLGOY/6wOlmGIwjEoJjsb7BCL5BX1d4xqXaXz/5i1L7PDMPCmxtNWVxLNGAVuPv5wLxGYvwzIAOAASw==",
      "kty": "OKP",
      "x": "aquIV-zMEoRL7K65jzwncCKQCfsaYdvjRFSVYjYyldk"
    }
  ]
}

(Don't worry, these are Dev keys and will be thrown away after this is all done 😛)

Then later I sign a key like this:

	kid := viper.GetString("crypto.use_key.frontend")

	key, found := keystore.Global.LookupKeyID(kid)
	if !found {
		logger.Logger.Error("Keystore doesn't contain key to use for frontend!")
		return "", errors.New("misconfigured server")
	}

	signed, err := jwt.Sign(token, jwa.EdDSA, key, jwt.WithHeaders(headers))
	if err != nil {
		return "", err
	}

Which produces a token (eyJhbGciOiJFZERTQSIsImtpZCI6IjNWMGNuSDJqTEdPWS82d09sbUdJd2pFb0pqc2I3QkNMNUJYMWQ0eHFYYVh6LzVpMUw3UERNUENteHROV1Z4TE5HQVZ1UHY1d0x4R1l2d3pJQU9BQVN3PT0iLCJ0eXAiOiJKV1QifQ.eyJhdWQiOlsiaHR0cDovL3Rlc3QubG9jYWwiXSwiaWF0IjoxNzAyOTMzMzMyLCJpc19mcm9udGVuZF90b2tlbiI6dHJ1ZSwiaXNzIjoiaHR0cDovL3Rlc3QubG9jYWwiLCJqdGkiOiI2NTgwYjM1NDFhMTBjNTQ1ZmEwZmUyZjgifQ.oMmzxCYH0s3N5ZalFE4vazw-t0IWTPQambrwFYenXKuIlnbWPGfBTYkMJqTAbZcPrPHPcxlnYo6PSIqBnJ4aBA) which I then want to validate:

        token, err := jwt.Parse([]byte(tokenString), jwt.WithKeySet(keystore.Global))
	if err != nil {
		logger.Logger.Info("FeToken - Could not parse token", zap.Error(err), zap.String("requestId", middleware.GetReqID(r.Context())))
		return nil
	}

Unfortunately this is where the whole excercise takes a turn for the worse and my program dies:

2023-12-18T21:06:28.179Z        INFO    fetoken/fetoken.go:35   FeToken - Could not parse token {"error": "failed to verify jws signature: failed to verify message: failed to retrieve ed25519.PublicKey out of *jwk.okpPrivateKey: failed to produce ed25519.PublicKey from *jwk.okpPrivateKey: argument to AssignIfCompatible() must be compatible with ed25519.PrivateKey (was *ed25519.PublicKey)", "errorVerbose": "argument to AssignIfCompatible() must be compatible with ed25519.PrivateKey (was *ed25519.PublicKey)\nfailed to produce ed25519.PublicKey from *jwk.okpPrivateKey\ngithub.com/lestrrat-go/jwx/internal/keyconv.Ed25519PublicKey\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/internal/keyconv/keyconv.go:150\ngithub.com/lestrrat-go/jwx/jws.eddsaVerifier.Verify\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jws/eddsa.go:63\ngithub.com/lestrrat-go/jwx/jws.(*verifyCtx).tryVerify\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jws/jws.go:614\ngithub.com/lestrrat-go/jwx/jws.(*verifyCtx).verifyCompact\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jws/jws.go:522\ngithub.com/lestrrat-go/jwx/jws.(*verifyCtx).verify\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jws/jws.go:332\ngithub.com/lestrrat-go/jwx/jws.Verify\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jws/jws.go:320\ngithub.com/lestrrat-go/jwx/jwt.verifyJWSWithParams\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:301\ngithub.com/lestrrat-go/jwx/jwt.verifyJWSWithKeySet\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:268\ngithub.com/lestrrat-go/jwx/jwt.verifyJWS\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:190\ngithub.com/lestrrat-go/jwx/jwt.parse\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:382\ngithub.com/lestrrat-go/jwx/jwt.parseBytes\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:169\ngithub.com/lestrrat-go/jwx/jwt.Parse\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:83\ngit.1in9.net/raider/wroofauth/internal/helpers/fetoken.getFeToken\n\t/home/kevin/projects/wroofauth/internal/helpers/fetoken/fetoken.go:33\ngit.1in9.net/raider/wroofauth/internal/server.SetupAPI.Middleware.func4.1\n\t/home/kevin/projects/wroofauth/internal/helpers/fetoken/fetoken.go:68\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/766b/chi-prometheus.Middleware.handler-fm.Middleware.handler.func1\n\t/go/pkg/mod/github.com/766b/[email protected]/middleware.go:64\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/cors.(*Cors).Handler-fm.(*Cors).Handler.func1\n\t/go/pkg/mod/github.com/go-chi/[email protected]/cors.go:228\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/chi/v5.(*Mux).ServeHTTP\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/mux.go:73\ngithub.com/go-chi/chi/v5.(*Mux).Mount.func1\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/mux.go:316\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/chi/v5.(*Mux).routeHTTP\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/mux.go:444\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngit.1in9.net/raider/wroofauth/internal/server.Serve.Timeout.func2.1\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/middleware/timeout.go:45\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/chi/v5/middleware.Recoverer.func1\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/middleware/recoverer.go:45\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngit.1in9.net/raider/wroofauth/internal/server.Serve.func1.1\n\t/home/kevin/projects/wroofauth/internal/server/server.go:81\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/chi/v5/middleware.RequestID.func1\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/middleware/request_id.go:76\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\nfailed to retrieve ed25519.PublicKey out of *jwk.okpPrivateKey\ngithub.com/lestrrat-go/jwx/jws.eddsaVerifier.Verify\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jws/eddsa.go:64\ngithub.com/lestrrat-go/jwx/jws.(*verifyCtx).tryVerify\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jws/jws.go:614\ngithub.com/lestrrat-go/jwx/jws.(*verifyCtx).verifyCompact\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jws/jws.go:522\ngithub.com/lestrrat-go/jwx/jws.(*verifyCtx).verify\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jws/jws.go:332\ngithub.com/lestrrat-go/jwx/jws.Verify\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jws/jws.go:320\ngithub.com/lestrrat-go/jwx/jwt.verifyJWSWithParams\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:301\ngithub.com/lestrrat-go/jwx/jwt.verifyJWSWithKeySet\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:268\ngithub.com/lestrrat-go/jwx/jwt.verifyJWS\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:190\ngithub.com/lestrrat-go/jwx/jwt.parse\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:382\ngithub.com/lestrrat-go/jwx/jwt.parseBytes\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:169\ngithub.com/lestrrat-go/jwx/jwt.Parse\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:83\ngit.1in9.net/raider/wroofauth/internal/helpers/fetoken.getFeToken\n\t/home/kevin/projects/wroofauth/internal/helpers/fetoken/fetoken.go:33\ngit.1in9.net/raider/wroofauth/internal/server.SetupAPI.Middleware.func4.1\n\t/home/kevin/projects/wroofauth/internal/helpers/fetoken/fetoken.go:68\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/766b/chi-prometheus.Middleware.handler-fm.Middleware.handler.func1\n\t/go/pkg/mod/github.com/766b/[email protected]/middleware.go:64\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/cors.(*Cors).Handler-fm.(*Cors).Handler.func1\n\t/go/pkg/mod/github.com/go-chi/[email protected]/cors.go:228\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/chi/v5.(*Mux).ServeHTTP\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/mux.go:73\ngithub.com/go-chi/chi/v5.(*Mux).Mount.func1\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/mux.go:316\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/chi/v5.(*Mux).routeHTTP\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/mux.go:444\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngit.1in9.net/raider/wroofauth/internal/server.Serve.Timeout.func2.1\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/middleware/timeout.go:45\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/chi/v5/middleware.Recoverer.func1\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/middleware/recoverer.go:45\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngit.1in9.net/raider/wroofauth/internal/server.Serve.func1.1\n\t/home/kevin/projects/wroofauth/internal/server/server.go:81\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/chi/v5/middleware.RequestID.func1\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/middleware/request_id.go:76\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/chi/v5.(*Mux).ServeHTTP\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/mux.go:90\nfailed to verify message\ngithub.com/lestrrat-go/jwx/jws.(*verifyCtx).tryVerify\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jws/jws.go:615\ngithub.com/lestrrat-go/jwx/jws.(*verifyCtx).verifyCompact\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jws/jws.go:522\ngithub.com/lestrrat-go/jwx/jws.(*verifyCtx).verify\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jws/jws.go:332\ngithub.com/lestrrat-go/jwx/jws.Verify\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jws/jws.go:320\ngithub.com/lestrrat-go/jwx/jwt.verifyJWSWithParams\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:301\ngithub.com/lestrrat-go/jwx/jwt.verifyJWSWithKeySet\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:268\ngithub.com/lestrrat-go/jwx/jwt.verifyJWS\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:190\ngithub.com/lestrrat-go/jwx/jwt.parse\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:382\ngithub.com/lestrrat-go/jwx/jwt.parseBytes\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:169\ngithub.com/lestrrat-go/jwx/jwt.Parse\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:83\ngit.1in9.net/raider/wroofauth/internal/helpers/fetoken.getFeToken\n\t/home/kevin/projects/wroofauth/internal/helpers/fetoken/fetoken.go:33\ngit.1in9.net/raider/wroofauth/internal/server.SetupAPI.Middleware.func4.1\n\t/home/kevin/projects/wroofauth/internal/helpers/fetoken/fetoken.go:68\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/766b/chi-prometheus.Middleware.handler-fm.Middleware.handler.func1\n\t/go/pkg/mod/github.com/766b/[email protected]/middleware.go:64\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/cors.(*Cors).Handler-fm.(*Cors).Handler.func1\n\t/go/pkg/mod/github.com/go-chi/[email protected]/cors.go:228\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/chi/v5.(*Mux).ServeHTTP\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/mux.go:73\ngithub.com/go-chi/chi/v5.(*Mux).Mount.func1\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/mux.go:316\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/chi/v5.(*Mux).routeHTTP\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/mux.go:444\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngit.1in9.net/raider/wroofauth/internal/server.Serve.Timeout.func2.1\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/middleware/timeout.go:45\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/chi/v5/middleware.Recoverer.func1\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/middleware/recoverer.go:45\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngit.1in9.net/raider/wroofauth/internal/server.Serve.func1.1\n\t/home/kevin/projects/wroofauth/internal/server/server.go:81\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/chi/v5/middleware.RequestID.func1\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/middleware/request_id.go:76\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/chi/v5.(*Mux).ServeHTTP\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/mux.go:90\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2938\nfailed to verify jws signature\ngithub.com/lestrrat-go/jwx/jwt.verifyJWSWithParams\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:303\ngithub.com/lestrrat-go/jwx/jwt.verifyJWSWithKeySet\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:268\ngithub.com/lestrrat-go/jwx/jwt.verifyJWS\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:190\ngithub.com/lestrrat-go/jwx/jwt.parse\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:382\ngithub.com/lestrrat-go/jwx/jwt.parseBytes\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:169\ngithub.com/lestrrat-go/jwx/jwt.Parse\n\t/go/pkg/mod/github.com/lestrrat-go/[email protected]/jwt/jwt.go:83\ngit.1in9.net/raider/wroofauth/internal/helpers/fetoken.getFeToken\n\t/home/kevin/projects/wroofauth/internal/helpers/fetoken/fetoken.go:33\ngit.1in9.net/raider/wroofauth/internal/server.SetupAPI.Middleware.func4.1\n\t/home/kevin/projects/wroofauth/internal/helpers/fetoken/fetoken.go:68\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/766b/chi-prometheus.Middleware.handler-fm.Middleware.handler.func1\n\t/go/pkg/mod/github.com/766b/[email protected]/middleware.go:64\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/cors.(*Cors).Handler-fm.(*Cors).Handler.func1\n\t/go/pkg/mod/github.com/go-chi/[email protected]/cors.go:228\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/chi/v5.(*Mux).ServeHTTP\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/mux.go:73\ngithub.com/go-chi/chi/v5.(*Mux).Mount.func1\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/mux.go:316\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/chi/v5.(*Mux).routeHTTP\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/mux.go:444\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngit.1in9.net/raider/wroofauth/internal/server.Serve.Timeout.func2.1\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/middleware/timeout.go:45\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/chi/v5/middleware.Recoverer.func1\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/middleware/recoverer.go:45\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngit.1in9.net/raider/wroofauth/internal/server.Serve.func1.1\n\t/home/kevin/projects/wroofauth/internal/server/server.go:81\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/chi/v5/middleware.RequestID.func1\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/middleware/request_id.go:76\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/go-chi/chi/v5.(*Mux).ServeHTTP\n\t/go/pkg/mod/github.com/go-chi/chi/[email protected]/mux.go:90\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2938\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:2009\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1650", "requestId": "webdev/UpMoKnhqLZ-000002"}

This seems to be due to the key in the keystore containing a private part. When d is removed from the keystore the validation succeeds.

The actual question: Is there any good way on how to fix this without keeping two keystores?

I've tried looking through the docs, but couldn't find anything on this. Please excuse if I just overlooked something. 😄

Thanks in advance and have a nice day,
Kevin

---

EDIT When explicitly choosing a key and converting it to a public key it works:

	kid := viper.GetString("crypto.use_key.frontend")

	key, found := keystore.Global.LookupKeyID(kid)
	if !found {
		logger.Logger.Error("Keystore doesn't contain key to use for frontend!")
		return nil
	}

	public, err := key.PublicKey()
	if err != nil {
		logger.Logger.Error("Failed to make key into public key!", zap.Error(err))
		return nil
	}

	token, err := jwt.Parse([]byte(tokenString), jwt.WithVerify(jwa.EdDSA, public))
	if err != nil {
		logger.Logger.Info("FeToken - Could not parse token", zap.Error(err), zap.String("requestId", middleware.GetReqID(r.Context())))
		return nil
	}

This just kinda defeats the purpose of putting my kid and alg in the JWT...

[lestrrat]

@Unkn0wnCat Hmmm, I think this can be fixed internally. Does this PoC patch work for you?

diff --git a/internal/keyconv/keyconv.go b/internal/keyconv/keyconv.go
index 807da1d..907f8aa 100644
--- a/internal/keyconv/keyconv.go
+++ b/internal/keyconv/keyconv.go
@@ -145,6 +145,13 @@ func Ed25519PrivateKey(dst, src interface{}) error {
 
 func Ed25519PublicKey(dst, src interface{}) error {
        if jwkKey, ok := src.(jwk.Key); ok {
+               if okpPrivateKey, ok := jwkKey.(jwk.OKPPrivateKey); ok {
+                       okpPublicKey, err := okpPrivateKey.PublicKey()
+                       if err != nil {
+                               return fmt.Errorf(`failed to convert jwk.OKPPrivateKey to jwk.OKPPublicKe: %w`, src, err)
+                       }
+                       jwkKey = okpPublicKey
+               }
                var raw ed25519.PublicKey
                if err := jwkKey.Raw(&raw); err != nil {
                        return fmt.Errorf(`failed to produce ed25519.PublicKey from %T: %w`, src, err)

[lestrrat]

For the record this (its equivalent) was released with v2.0.20