From bdd21e150efaabcc0e3c4816545e761f899bcfc5 Mon Sep 17 00:00:00 2001 From: Leo Nash Date: Sat, 7 Feb 2026 05:37:04 +0000 Subject: [PATCH 1/4] Drop jsonwebtoken dependency --- rust/Cargo.lock | 137 +++++++++++++++++++++++++++++++ rust/auth-impls/Cargo.toml | 12 +-- rust/auth-impls/src/jwt.rs | 64 +++++++++++++-- rust/auth-impls/src/signature.rs | 2 +- 4 files changed, 200 insertions(+), 15 deletions(-) diff --git a/rust/Cargo.lock b/rust/Cargo.lock index c79bbccb..d41aff40 100644 --- a/rust/Cargo.lock +++ b/rust/Cargo.lock @@ -67,11 +67,14 @@ version = "0.1.0" dependencies = [ "api", "async-trait", + "base64 0.22.1", "bitcoin_hashes 0.19.0", "hex-conservative 1.0.1", "jsonwebtoken", + "rsa", "secp256k1", "serde", + "serde_json", "tokio", ] @@ -93,6 +96,12 @@ version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" +[[package]] +name = "base64ct" +version = "1.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06" + [[package]] name = "bitcoin-consensus-encoding" version = "1.0.0-rc.3" @@ -202,6 +211,12 @@ dependencies = [ "windows-link", ] +[[package]] +name = "const-oid" +version = "0.9.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8" + [[package]] name = "core-foundation" version = "0.9.4" @@ -237,6 +252,16 @@ dependencies = [ "typenum", ] +[[package]] +name = "der" +version = "0.7.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb" +dependencies = [ + "const-oid", + "zeroize", +] + [[package]] name = "deranged" version = "0.5.5" @@ -253,6 +278,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292" dependencies = [ "block-buffer", + "const-oid", "crypto-common", "subtle", ] @@ -844,6 +870,9 @@ name = "lazy_static" version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" +dependencies = [ + "spin", +] [[package]] name = "libc" @@ -851,6 +880,12 @@ version = "0.2.180" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bcc35a38544a891a5f7c865aca548a982ccb3b8650a5b06d0fd33a10283c56fc" +[[package]] +name = "libm" +version = "0.2.16" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6d2cec3eae94f9f509c767b45932f1ada8350c4bdb85af2fcab4a3c14807981" + [[package]] name = "libredox" version = "0.1.12" @@ -960,6 +995,22 @@ dependencies = [ "num-traits", ] +[[package]] +name = "num-bigint-dig" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e661dda6640fad38e827a6d4a310ff4763082116fe217f279885c97f511bb0b7" +dependencies = [ + "lazy_static", + "libm", + "num-integer", + "num-iter", + "num-traits", + "rand 0.8.5", + "smallvec", + "zeroize", +] + [[package]] name = "num-conv" version = "0.1.0" @@ -975,6 +1026,17 @@ dependencies = [ "num-traits", ] +[[package]] +name = "num-iter" +version = "0.1.45" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf" +dependencies = [ + "autocfg", + "num-integer", + "num-traits", +] + [[package]] name = "num-traits" version = "0.2.19" @@ -982,6 +1044,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841" dependencies = [ "autocfg", + "libm", ] [[package]] @@ -1114,6 +1177,27 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" +[[package]] +name = "pkcs1" +version = "0.7.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f" +dependencies = [ + "der", + "pkcs8", + "spki", +] + +[[package]] +name = "pkcs8" +version = "0.10.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7" +dependencies = [ + "der", + "spki", +] + [[package]] name = "pkg-config" version = "0.3.32" @@ -1426,6 +1510,27 @@ dependencies = [ "windows-sys 0.52.0", ] +[[package]] +name = "rsa" +version = "0.9.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b8573f03f5883dcaebdfcf4725caa1ecb9c15b2ef50c43a07b816e06799bb12d" +dependencies = [ + "const-oid", + "digest", + "num-bigint-dig", + "num-integer", + "num-traits", + "pkcs1", + "pkcs8", + "rand_core 0.6.4", + "sha2", + "signature", + "spki", + "subtle", + "zeroize", +] + [[package]] name = "rustix" version = "0.38.44" @@ -1654,6 +1759,16 @@ dependencies = [ "libc", ] +[[package]] +name = "signature" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de" +dependencies = [ + "digest", + "rand_core 0.6.4", +] + [[package]] name = "simple_asn1" version = "0.6.3" @@ -1704,6 +1819,22 @@ dependencies = [ "windows-sys 0.60.2", ] +[[package]] +name = "spin" +version = "0.9.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67" + +[[package]] +name = "spki" +version = "0.7.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d" +dependencies = [ + "base64ct", + "der", +] + [[package]] name = "stable_deref_trait" version = "1.2.1" @@ -2641,6 +2772,12 @@ dependencies = [ "synstructure", ] +[[package]] +name = "zeroize" +version = "1.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0" + [[package]] name = "zerotrie" version = "0.2.3" diff --git a/rust/auth-impls/Cargo.toml b/rust/auth-impls/Cargo.toml index a6a0698c..4d64fa8c 100644 --- a/rust/auth-impls/Cargo.toml +++ b/rust/auth-impls/Cargo.toml @@ -5,18 +5,20 @@ edition = "2021" rust-version.workspace = true [features] -jwt = [ "jsonwebtoken", "serde" ] +jwt = [ "base64", "serde", "serde_json", "rsa" ] sigs = [ "bitcoin_hashes", "hex-conservative", "secp256k1" ] [dependencies] -async-trait = "0.1.77" api = { path = "../api" } -jsonwebtoken = { version = "9.3.0", optional = true, default-features = false, features = ["use_pem"] } -serde = { version = "1.0.210", optional = true, default-features = false, features = ["derive"] } - +async-trait = "0.1.77" +base64 = { version = "0.22.1", optional = true, default-features = false, features = ["std"] } bitcoin_hashes = { version = "0.19", optional = true, default-features = false } hex-conservative = { version = "1.0", optional = true, default-features = false } +rsa = { version = "0.9.10", optional = true, default-features = false, features = ["sha2"] } secp256k1 = { version = "0.31", optional = true, default-features = false, features = [ "global-context" ] } +serde = { version = "1.0.210", optional = true, default-features = false, features = ["derive"] } +serde_json = { version = "1.0.149", optional = true, default-features = false, features = ["std"] } [dev-dependencies] +jsonwebtoken = { version = "9.3.0", default-features = false, features = ["use_pem"] } tokio = { version = "1.38.0", default-features = false, features = ["rt-multi-thread", "macros"] } diff --git a/rust/auth-impls/src/jwt.rs b/rust/auth-impls/src/jwt.rs index 01889de2..69b57305 100644 --- a/rust/auth-impls/src/jwt.rs +++ b/rust/auth-impls/src/jwt.rs @@ -5,8 +5,11 @@ use api::auth::{AuthResponse, Authorizer}; use api::error::VssError; use async_trait::async_trait; -use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation}; -use serde::{Deserialize, Serialize}; +use base64::engine::general_purpose::{STANDARD, URL_SAFE_NO_PAD}; +use base64::Engine; +use rsa::sha2::{Digest, Sha256}; +use rsa::{pkcs8::DecodePublicKey, RsaPublicKey}; +use serde::Deserialize; use std::collections::HashMap; /// A JWT based authorizer, only allows requests with verified 'JsonWebToken' signed by the given @@ -14,13 +17,13 @@ use std::collections::HashMap; /// /// Refer: https://datatracker.ietf.org/doc/html/rfc7519 pub struct JWTAuthorizer { - jwt_issuer_key: DecodingKey, + jwt_issuer_key: RsaPublicKey, } /// A set of Claims claimed by 'JsonWebToken' /// /// Refer: https://datatracker.ietf.org/doc/html/rfc7519#section-4 -#[derive(Serialize, Deserialize, Debug)] +#[derive(Deserialize, Debug)] pub(crate) struct Claims { /// The "sub" (subject) claim identifies the principal that is the subject of the JWT. /// The claims in a JWT are statements about the subject. This can be used as user identifier. @@ -31,10 +34,22 @@ pub(crate) struct Claims { const BEARER_PREFIX: &str = "Bearer "; +fn parse_public_key_pem(pem: &str) -> Result { + let body = pem + .trim() + .strip_prefix("-----BEGIN PUBLIC KEY-----") + .ok_or(String::from("Prefix not found"))? + .strip_suffix("-----END PUBLIC KEY-----") + .ok_or(String::from("Suffix not found"))?; + let body: String = body.lines().map(|line| line.trim()).collect(); + let body = STANDARD.decode(body).map_err(|_| String::from("Base64 decode failed"))?; + RsaPublicKey::from_public_key_der(&body).map_err(|_| String::from("DER decode failed")) +} + impl JWTAuthorizer { /// Creates a new instance of [`JWTAuthorizer`], fails on failure to parse the PEM formatted RSA public key pub async fn new(rsa_pem: &str) -> Result { - let jwt_issuer_key = DecodingKey::from_rsa_pem(rsa_pem.as_bytes()) + let jwt_issuer_key = parse_public_key_pem(rsa_pem) .map_err(|e| format!("Failed to parse the PEM formatted RSA public key: {}", e))?; Ok(Self { jwt_issuer_key }) } @@ -53,10 +68,41 @@ impl Authorizer for JWTAuthorizer { .strip_prefix(BEARER_PREFIX) .ok_or(VssError::AuthError("Invalid token format.".to_string()))?; - let claims = - decode::(token, &self.jwt_issuer_key, &Validation::new(Algorithm::RS256)) - .map_err(|e| VssError::AuthError(format!("Authentication failure. {}", e)))? - .claims; + let mut iter = token.split('.'); + let [header_base64, claims_base64, signature_base64] = + match [iter.next(), iter.next(), iter.next(), iter.next()] { + [Some(h), Some(c), Some(s), None] => [h, c, s], + _ => { + return Err(VssError::AuthError(String::from( + "Token does not have three parts", + ))) + }, + }; + + let header_bytes = URL_SAFE_NO_PAD + .decode(header_base64) + .map_err(|_| VssError::AuthError(String::from("Header base64 decode failed")))?; + let header: serde_json::Value = serde_json::from_slice(&header_bytes) + .map_err(|_| VssError::AuthError(String::from("Header json decode failed")))?; + match header["alg"] { + serde_json::Value::String(ref alg) if alg == "RS256" => (), + _ => return Err(VssError::AuthError(String::from("alg: RS256 not found in header"))), + } + + let (message, _) = token.rsplit_once('.').expect("There are two periods in the token"); + let signature = URL_SAFE_NO_PAD + .decode(signature_base64) + .map_err(|_| VssError::AuthError(String::from("Signature base64 decode failed")))?; + let digest = Sha256::digest(message.as_bytes()); + self.jwt_issuer_key + .verify(rsa::pkcs1v15::Pkcs1v15Sign::new::(), &digest, &signature) + .map_err(|_| VssError::AuthError(String::from("RSA verification failed")))?; + + let claims_json = URL_SAFE_NO_PAD + .decode(claims_base64) + .map_err(|_| VssError::AuthError(String::from("Claims base64 decode failed")))?; + let claims: Claims = serde_json::from_slice(&claims_json) + .map_err(|_| VssError::AuthError(String::from("Claims json decode failed")))?; Ok(AuthResponse { user_token: claims.sub }) } diff --git a/rust/auth-impls/src/signature.rs b/rust/auth-impls/src/signature.rs index 428dd57d..dfc8cf6e 100644 --- a/rust/auth-impls/src/signature.rs +++ b/rust/auth-impls/src/signature.rs @@ -92,7 +92,7 @@ mod tests { use crate::signature::{SignatureValidatingAuthorizer, SIGNING_CONSTANT}; use api::auth::Authorizer; use api::error::VssError; - use secp256k1::{Message, PublicKey, Secp256k1, SecretKey}; + use secp256k1::{Message, PublicKey, SecretKey}; use std::collections::HashMap; use std::fmt::Write; use std::time::SystemTime; From 582a3d53057ef980632cb35211acaa8c9d18ea82 Mon Sep 17 00:00:00 2001 From: Leo Nash Date: Tue, 10 Feb 2026 07:16:19 +0000 Subject: [PATCH 2/4] fixup: Use openssl instead of rsa --- rust/Cargo.lock | 136 +------------------------------------ rust/auth-impls/Cargo.toml | 4 +- rust/auth-impls/src/jwt.rs | 24 ++++--- 3 files changed, 18 insertions(+), 146 deletions(-) diff --git a/rust/Cargo.lock b/rust/Cargo.lock index d41aff40..fc01bf82 100644 --- a/rust/Cargo.lock +++ b/rust/Cargo.lock @@ -71,7 +71,7 @@ dependencies = [ "bitcoin_hashes 0.19.0", "hex-conservative 1.0.1", "jsonwebtoken", - "rsa", + "openssl", "secp256k1", "serde", "serde_json", @@ -96,12 +96,6 @@ version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" -[[package]] -name = "base64ct" -version = "1.8.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06" - [[package]] name = "bitcoin-consensus-encoding" version = "1.0.0-rc.3" @@ -211,12 +205,6 @@ dependencies = [ "windows-link", ] -[[package]] -name = "const-oid" -version = "0.9.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8" - [[package]] name = "core-foundation" version = "0.9.4" @@ -252,16 +240,6 @@ dependencies = [ "typenum", ] -[[package]] -name = "der" -version = "0.7.10" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb" -dependencies = [ - "const-oid", - "zeroize", -] - [[package]] name = "deranged" version = "0.5.5" @@ -278,7 +256,6 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292" dependencies = [ "block-buffer", - "const-oid", "crypto-common", "subtle", ] @@ -870,9 +847,6 @@ name = "lazy_static" version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" -dependencies = [ - "spin", -] [[package]] name = "libc" @@ -880,12 +854,6 @@ version = "0.2.180" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bcc35a38544a891a5f7c865aca548a982ccb3b8650a5b06d0fd33a10283c56fc" -[[package]] -name = "libm" -version = "0.2.16" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b6d2cec3eae94f9f509c767b45932f1ada8350c4bdb85af2fcab4a3c14807981" - [[package]] name = "libredox" version = "0.1.12" @@ -995,22 +963,6 @@ dependencies = [ "num-traits", ] -[[package]] -name = "num-bigint-dig" -version = "0.8.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e661dda6640fad38e827a6d4a310ff4763082116fe217f279885c97f511bb0b7" -dependencies = [ - "lazy_static", - "libm", - "num-integer", - "num-iter", - "num-traits", - "rand 0.8.5", - "smallvec", - "zeroize", -] - [[package]] name = "num-conv" version = "0.1.0" @@ -1026,17 +978,6 @@ dependencies = [ "num-traits", ] -[[package]] -name = "num-iter" -version = "0.1.45" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf" -dependencies = [ - "autocfg", - "num-integer", - "num-traits", -] - [[package]] name = "num-traits" version = "0.2.19" @@ -1044,7 +985,6 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841" dependencies = [ "autocfg", - "libm", ] [[package]] @@ -1177,27 +1117,6 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" -[[package]] -name = "pkcs1" -version = "0.7.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f" -dependencies = [ - "der", - "pkcs8", - "spki", -] - -[[package]] -name = "pkcs8" -version = "0.10.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7" -dependencies = [ - "der", - "spki", -] - [[package]] name = "pkg-config" version = "0.3.32" @@ -1510,27 +1429,6 @@ dependencies = [ "windows-sys 0.52.0", ] -[[package]] -name = "rsa" -version = "0.9.10" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b8573f03f5883dcaebdfcf4725caa1ecb9c15b2ef50c43a07b816e06799bb12d" -dependencies = [ - "const-oid", - "digest", - "num-bigint-dig", - "num-integer", - "num-traits", - "pkcs1", - "pkcs8", - "rand_core 0.6.4", - "sha2", - "signature", - "spki", - "subtle", - "zeroize", -] - [[package]] name = "rustix" version = "0.38.44" @@ -1759,16 +1657,6 @@ dependencies = [ "libc", ] -[[package]] -name = "signature" -version = "2.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de" -dependencies = [ - "digest", - "rand_core 0.6.4", -] - [[package]] name = "simple_asn1" version = "0.6.3" @@ -1819,22 +1707,6 @@ dependencies = [ "windows-sys 0.60.2", ] -[[package]] -name = "spin" -version = "0.9.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67" - -[[package]] -name = "spki" -version = "0.7.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d" -dependencies = [ - "base64ct", - "der", -] - [[package]] name = "stable_deref_trait" version = "1.2.1" @@ -2772,12 +2644,6 @@ dependencies = [ "synstructure", ] -[[package]] -name = "zeroize" -version = "1.8.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0" - [[package]] name = "zerotrie" version = "0.2.3" diff --git a/rust/auth-impls/Cargo.toml b/rust/auth-impls/Cargo.toml index 4d64fa8c..819a7482 100644 --- a/rust/auth-impls/Cargo.toml +++ b/rust/auth-impls/Cargo.toml @@ -5,7 +5,7 @@ edition = "2021" rust-version.workspace = true [features] -jwt = [ "base64", "serde", "serde_json", "rsa" ] +jwt = [ "base64", "serde", "serde_json", "openssl" ] sigs = [ "bitcoin_hashes", "hex-conservative", "secp256k1" ] [dependencies] @@ -14,7 +14,7 @@ async-trait = "0.1.77" base64 = { version = "0.22.1", optional = true, default-features = false, features = ["std"] } bitcoin_hashes = { version = "0.19", optional = true, default-features = false } hex-conservative = { version = "1.0", optional = true, default-features = false } -rsa = { version = "0.9.10", optional = true, default-features = false, features = ["sha2"] } +openssl = { version = "0.10.75", optional = true, default-features = false } secp256k1 = { version = "0.31", optional = true, default-features = false, features = [ "global-context" ] } serde = { version = "1.0.210", optional = true, default-features = false, features = ["derive"] } serde_json = { version = "1.0.149", optional = true, default-features = false, features = ["std"] } diff --git a/rust/auth-impls/src/jwt.rs b/rust/auth-impls/src/jwt.rs index 69b57305..e8812283 100644 --- a/rust/auth-impls/src/jwt.rs +++ b/rust/auth-impls/src/jwt.rs @@ -7,8 +7,10 @@ use api::error::VssError; use async_trait::async_trait; use base64::engine::general_purpose::{STANDARD, URL_SAFE_NO_PAD}; use base64::Engine; -use rsa::sha2::{Digest, Sha256}; -use rsa::{pkcs8::DecodePublicKey, RsaPublicKey}; +use openssl::hash::MessageDigest; +use openssl::pkey::PKey; +use openssl::pkey::Public; +use openssl::sign::Verifier; use serde::Deserialize; use std::collections::HashMap; @@ -17,7 +19,7 @@ use std::collections::HashMap; /// /// Refer: https://datatracker.ietf.org/doc/html/rfc7519 pub struct JWTAuthorizer { - jwt_issuer_key: RsaPublicKey, + jwt_issuer_key: PKey, } /// A set of Claims claimed by 'JsonWebToken' @@ -34,7 +36,7 @@ pub(crate) struct Claims { const BEARER_PREFIX: &str = "Bearer "; -fn parse_public_key_pem(pem: &str) -> Result { +fn parse_public_key_pem(pem: &str) -> Result, String> { let body = pem .trim() .strip_prefix("-----BEGIN PUBLIC KEY-----") @@ -43,7 +45,7 @@ fn parse_public_key_pem(pem: &str) -> Result { .ok_or(String::from("Suffix not found"))?; let body: String = body.lines().map(|line| line.trim()).collect(); let body = STANDARD.decode(body).map_err(|_| String::from("Base64 decode failed"))?; - RsaPublicKey::from_public_key_der(&body).map_err(|_| String::from("DER decode failed")) + PKey::public_key_from_der(&body).map_err(|_| String::from("DER decode failed")) } impl JWTAuthorizer { @@ -93,10 +95,14 @@ impl Authorizer for JWTAuthorizer { let signature = URL_SAFE_NO_PAD .decode(signature_base64) .map_err(|_| VssError::AuthError(String::from("Signature base64 decode failed")))?; - let digest = Sha256::digest(message.as_bytes()); - self.jwt_issuer_key - .verify(rsa::pkcs1v15::Pkcs1v15Sign::new::(), &digest, &signature) - .map_err(|_| VssError::AuthError(String::from("RSA verification failed")))?; + let mut verifier = Verifier::new(MessageDigest::sha256(), &self.jwt_issuer_key) + .map_err(|_| VssError::AuthError(String::from("RSA initialization failed")))?; + if !verifier + .verify_oneshot(&signature, message.as_bytes()) + .map_err(|_| VssError::AuthError(String::from("RSA verification failed")))? + { + return Err(VssError::AuthError(String::from("RSA verification failed"))); + } let claims_json = URL_SAFE_NO_PAD .decode(claims_base64) From b786c5c307abc3b78dea12e4712f69127deb8181 Mon Sep 17 00:00:00 2001 From: Leo Nash Date: Tue, 28 Apr 2026 18:10:36 +0000 Subject: [PATCH 3/4] fixup: use the unit type to return an error from jwt setup there is only one possible error here so keep things simple for now --- rust/auth-impls/src/jwt.rs | 15 +++++++-------- rust/server/src/main.rs | 4 ++-- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/rust/auth-impls/src/jwt.rs b/rust/auth-impls/src/jwt.rs index e8812283..adbc8986 100644 --- a/rust/auth-impls/src/jwt.rs +++ b/rust/auth-impls/src/jwt.rs @@ -36,23 +36,22 @@ pub(crate) struct Claims { const BEARER_PREFIX: &str = "Bearer "; -fn parse_public_key_pem(pem: &str) -> Result, String> { +fn parse_public_key_pem(pem: &str) -> Result, ()> { let body = pem .trim() .strip_prefix("-----BEGIN PUBLIC KEY-----") - .ok_or(String::from("Prefix not found"))? + .ok_or(())? .strip_suffix("-----END PUBLIC KEY-----") - .ok_or(String::from("Suffix not found"))?; + .ok_or(())?; let body: String = body.lines().map(|line| line.trim()).collect(); - let body = STANDARD.decode(body).map_err(|_| String::from("Base64 decode failed"))?; - PKey::public_key_from_der(&body).map_err(|_| String::from("DER decode failed")) + let body = STANDARD.decode(body).map_err(|_| ())?; + PKey::public_key_from_der(&body).map_err(|_| ()) } impl JWTAuthorizer { /// Creates a new instance of [`JWTAuthorizer`], fails on failure to parse the PEM formatted RSA public key - pub async fn new(rsa_pem: &str) -> Result { - let jwt_issuer_key = parse_public_key_pem(rsa_pem) - .map_err(|e| format!("Failed to parse the PEM formatted RSA public key: {}", e))?; + pub async fn new(rsa_pem: &str) -> Result { + let jwt_issuer_key = parse_public_key_pem(rsa_pem)?; Ok(Self { jwt_issuer_key }) } } diff --git a/rust/server/src/main.rs b/rust/server/src/main.rs index 16515c41..f1d39187 100644 --- a/rust/server/src/main.rs +++ b/rust/server/src/main.rs @@ -86,8 +86,8 @@ fn main() { info!("Configured JWT authorizer with RSA public key"); Some(Arc::new(auth)) }, - Err(e) => { - error!("Failed to configure JWT authorizer: {}", e); + Err(()) => { + error!("Failed to configure JWT authorizer"); std::process::exit(-1); }, }; From 0a62f3f7926446ca81d4922c85662d92cdc755f0 Mon Sep 17 00:00:00 2001 From: Leo Nash Date: Fri, 1 May 2026 23:56:26 +0000 Subject: [PATCH 4/4] fixup: Add better test coverage, validate `exp` claims if present --- rust/auth-impls/src/jwt.rs | 358 +++++++++++++++++++++++++------------ 1 file changed, 242 insertions(+), 116 deletions(-) diff --git a/rust/auth-impls/src/jwt.rs b/rust/auth-impls/src/jwt.rs index adbc8986..d2434689 100644 --- a/rust/auth-impls/src/jwt.rs +++ b/rust/auth-impls/src/jwt.rs @@ -11,8 +11,12 @@ use openssl::hash::MessageDigest; use openssl::pkey::PKey; use openssl::pkey::Public; use openssl::sign::Verifier; -use serde::Deserialize; +use serde::{Deserialize, Serialize}; use std::collections::HashMap; +use std::time::SystemTime; + +/// The tolerance used when validating the expiry claim of the token +const CLOCK_SKEW_TOLERANCE_SEC: u64 = 20; /// A JWT based authorizer, only allows requests with verified 'JsonWebToken' signed by the given /// issuer key. @@ -25,13 +29,15 @@ pub struct JWTAuthorizer { /// A set of Claims claimed by 'JsonWebToken' /// /// Refer: https://datatracker.ietf.org/doc/html/rfc7519#section-4 -#[derive(Deserialize, Debug)] +#[derive(Clone, Debug, Serialize, Deserialize, PartialEq)] pub(crate) struct Claims { /// The "sub" (subject) claim identifies the principal that is the subject of the JWT. /// The claims in a JWT are statements about the subject. This can be used as user identifier. /// /// Refer: https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2 sub: String, + /// Expiration Time + exp: Option, } const BEARER_PREFIX: &str = "Bearer "; @@ -56,19 +62,8 @@ impl JWTAuthorizer { } } -#[async_trait] -impl Authorizer for JWTAuthorizer { - async fn verify( - &self, headers_map: &HashMap, - ) -> Result { - let auth_header = headers_map - .get("authorization") - .ok_or(VssError::AuthError("Authorization header not found.".to_string()))?; - - let token = auth_header - .strip_prefix(BEARER_PREFIX) - .ok_or(VssError::AuthError("Invalid token format.".to_string()))?; - +impl JWTAuthorizer { + fn decode_claims(&self, token: &str) -> Result { let mut iter = token.split('.'); let [header_base64, claims_base64, signature_base64] = match [iter.next(), iter.next(), iter.next(), iter.next()] { @@ -80,6 +75,7 @@ impl Authorizer for JWTAuthorizer { }, }; + // Read the RS256 field in the header let header_bytes = URL_SAFE_NO_PAD .decode(header_base64) .map_err(|_| VssError::AuthError(String::from("Header base64 decode failed")))?; @@ -90,6 +86,7 @@ impl Authorizer for JWTAuthorizer { _ => return Err(VssError::AuthError(String::from("alg: RS256 not found in header"))), } + // Check the signature let (message, _) = token.rsplit_once('.').expect("There are two periods in the token"); let signature = URL_SAFE_NO_PAD .decode(signature_base64) @@ -103,12 +100,40 @@ impl Authorizer for JWTAuthorizer { return Err(VssError::AuthError(String::from("RSA verification failed"))); } + // Decode the claims let claims_json = URL_SAFE_NO_PAD .decode(claims_base64) .map_err(|_| VssError::AuthError(String::from("Claims base64 decode failed")))?; let claims: Claims = serde_json::from_slice(&claims_json) .map_err(|_| VssError::AuthError(String::from("Claims json decode failed")))?; + // Check if the token is expired + if let Some(exp) = claims.exp { + let now = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs(); + if now > exp.saturating_add(CLOCK_SKEW_TOLERANCE_SEC) { + return Err(VssError::AuthError(String::from("The token is expired"))); + } + } + + Ok(claims) + } +} + +#[async_trait] +impl Authorizer for JWTAuthorizer { + async fn verify( + &self, headers_map: &HashMap, + ) -> Result { + let auth_header = headers_map + .get("authorization") + .ok_or(VssError::AuthError("Authorization header not found.".to_string()))?; + + let token = auth_header + .strip_prefix(BEARER_PREFIX) + .ok_or(VssError::AuthError("Invalid token format.".to_string()))?; + + let claims = self.decode_claims(token)?; + Ok(AuthResponse { user_token: claims.sub }) } } @@ -118,130 +143,231 @@ mod tests { use crate::jwt::JWTAuthorizer; use api::auth::Authorizer; use api::error::VssError; - use jsonwebtoken::{encode, Algorithm, EncodingKey, Header}; + use serde::de::DeserializeOwned; use serde::{Deserialize, Serialize}; use std::collections::HashMap; use std::time::SystemTime; - #[derive(Deserialize, Serialize)] - struct TestClaims { - sub: String, - iat: i64, - nbf: i64, - exp: i64, + use super::Claims; + + const ALICE_PRIVATE_KEY: &str = "-----BEGIN PRIVATE KEY-----\ + MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDKwakpT4j2L1v5\ + BlIA278TFoDrDiqJB0Vlpd5F6LPj2vWgN8AHAogVb2Ar+Q2eucv0fw/6lh+PuOpQ\ + n+CWaCoyy8GyFtsPYWHHK1JLSaGxuHpDFSGVqfKY9xJRTIoEPq/tbQIZSFLmW4eW\ + wIWfjKyUWTilq9wG0ZqnQNNRzzLPSP/GeZJBt2NaCbRrBsc3jy4i1E7dSEsA560b\ + 4HOVYJHxixNrmmJXwqAmkb+vBhMZe67eVwKadbCOZt4OrXMUWsIMNWRogeQYmBG4\ + UgM9dofJTDkfYe8qU/3jJJu9MMtdZmPpPLMcQcNuy2qzgOC+6sH9siGL91DvMrcQ\ + hcvwpEGHAgMBAAECggEAZJZ5Fq6HkyLhrQRusFBUVeLnKDXJ8lsyGYCVafdNL3BU\ + RR0DXjbqTkAH5SjUkfc48N4MjlPl6oZhcIgwgk3BCZw+RtzB5rp4KLgcRo+L8UBF\ + H3yfQcGjQjHo235uRjbXTqGy1dokjnXAKZDvebzvbVVqHf7J1HQuFmW5sK9rVJvP\ + CstC7HqJL15iYTshObnlskB+bnhhBc3LA+UpwyRmvOxPd60XOSxLJ8PMvwki5Qsx\ + afFCOFpT17474199SxmZtnVpcan7xf9dET8AENTIg8iUAFzLIsl5YekyRAeXj0QW\ + p9ln6Sl/TsWF+0yJPbeZ1kmvk52MMW7G56SqWt3bAQKBgQDy9mi9hRyfpfBMGrrk\ + MFDAo1cUvkfuFfBLAfUE9HoEpnQYBqAVFRWCqy6vAa5WdNpVMCDhZkGrn1KDDd/n\ + ZE/26WBTL95BzXQIO3Laiqmifnio01K2zvjvJt7aGMQOFUEJj8Ts8hUTbRMXfmXz\ + wbueKeHmcvAUOXbZb5ylC/gkgQKBgQDVovBSib6FnJdv5Clxf1t4gyIbOYWTUPj3\ + nmkFguBpTLwprzkYjyhyhrGuRaFbcqOVNopgt4KC6enpLtaAMffXwduge+TDKqsS\ + X1o3OhSzpsya3TrWQMDXKszKTTlNogESOejHxj7LIzts4JmKJcRN4dEVEKhP/CxA\ + 2b05YnJCBwKBgEiAuc7ceyc1GJlNXLodpOtnkuPwyHxG9bccdWauIf9jQL+usnS4\ + HvwoYzz8Tm8kXccQHq/EmRJC8BeFu2xMpgQzrngEj9mpGtgeDW8j8+02uoD+1u8Q\ + on6TZetFerQNKaRVz9k5gIqUgR8ArCHqjTdsninr4LLYVxwZz2/9O2aBAoGBAISQ\ + ziW5ebL5P3NcFmdqSv1WCeTw5bVLSqKE9tBHrS9KQXxwUbKuqr+eW0UzyfOwCFf/\ + 9xAa726C7fYXbV0xJIUKs1k7Z/G/WVZWOuoILW5pM49pdigbGE6sLVXfY46L17RS\ + oOLOXoq4+xgNqtjxpIVbed1jb73qUh+PvX6NWy8jAoGBAOvE6mhHBig5YYdidAGG\ + kF2oYp06+JG5ZpOu+MFT34ZDbgTwxx3+yuzfxPyBS68RHFfz+vG4BqX3P+pDOJQS\ + FeGjkLHWEoW7ol5rh1D1ubhWf1MAVOd7O8vp9APnAwd11uraVky2xAVXvplgmSpT\ + vHSUrqBuEFZ5mIWJxwkGElKN\ + -----END PRIVATE KEY-----"; + + const ALICE_PUBLIC_KEY: &str = "-----BEGIN PUBLIC KEY-----\ + MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAysGpKU+I9i9b+QZSANu/\ + ExaA6w4qiQdFZaXeReiz49r1oDfABwKIFW9gK/kNnrnL9H8P+pYfj7jqUJ/glmgq\ + MsvBshbbD2FhxytSS0mhsbh6QxUhlanymPcSUUyKBD6v7W0CGUhS5luHlsCFn4ys\ + lFk4pavcBtGap0DTUc8yz0j/xnmSQbdjWgm0awbHN48uItRO3UhLAOetG+BzlWCR\ + 8YsTa5piV8KgJpG/rwYTGXuu3lcCmnWwjmbeDq1zFFrCDDVkaIHkGJgRuFIDPXaH\ + yUw5H2HvKlP94ySbvTDLXWZj6TyzHEHDbstqs4DgvurB/bIhi/dQ7zK3EIXL8KRB\ + hwIDAQAB\ + -----END PUBLIC KEY-----"; + + const BOB_PRIVATE_KEY: &str = "-----BEGIN PRIVATE KEY----- + MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC77KWE/VUi7QTc\ + odlj5yRaawPO4z+Ik4c2r2W1BaivIn2dkeTYKT9cQUEcU3sP/i4bQ/DnSuOWAmmG\ + yaR4NvUvJyGxm6PSBf/kgzDbfvf/8sCi9OEpJEe/xYOhLFaPumtcJAB5mKrdaKsH\ + XBKJaxJInJsiA6eB67d6SESXG/q1H8f00VLxIAKLK32z5Uahuzc9HQvl4dya+dAI\ + Xcw0TJg+JoBIqv5ATlcoXKqguiAyQdG2nW5nRnArhvCl9blKjg26cjbhiJcVEZCf\ + z8vv56IEPhvYEtA8OaiP6vEquqA+vwNipKxqhLzfsjgqYMf18PtrftHjn7nkIvlW\ + RMnG4+IbAgMBAAECggEAXZf+171UKZDiWwBAxQDZmi6yNtf3TI4tSY8RmJa47IDB\ + DzkaQI5KgCf/xZvOLqjpTasI0Cj8MDoDVJ4Yy8aTVmim304kyPUz/RtZufgCi/ba\ + +k371gG7ukckx6DNe8fcsIc9tVHTx3HZvFCe6tHoyUE2AjrPsmUzfDOB9cB5nLrc\ + JFyKVRUwByeG76AgDJaYMq6cK53+GZih3F9e2exxdnlBuk11R2yJMr638yOfgYbY\ + 9vzq49OvleLEH1AdAxkcNYuUiPNC7KUeS84MAn+Ok65WvSlyJC3IjVS+swv4p/SB\ + u0S38ljqisqr0qgfupEJJA/VQaXXo5NJDw48TDuEAQKBgQDuFt7sCoDyqm7XwzWf\ + f9t9VFnPrLjJbNF7ll2zNlzfArzwk6cDrps2sXoNY0r37ObAdK+awWYRDyoCXJCe\ + t1wP/leYMp8opn2axQVHSJCq8K2fZO3xRn98p6jy9Hub0l2r9EN6v3JGQmPffl03\ + qrtYvU8as1ppUXj8Rgw4EGOWRQKBgQDKD7LJ5l/GXotYdOW93y/AXKmEzUjfi1gN\ + QMxu4TxvK4Q5+CjALYtXb0swbOd7ThcYTU1vgD2Vf5t4z8L/0gSRssGxmMOw8UaS\ + lay3ONFPRUhffzCMB4wkaomt1km3t9J1LJJ8h8131x2604MrIKmPMIAU6wnikdNN\ + G5VXx6HM3wKBgQCBzqBdiuCA7WEfa8PJoTj23M1Wh7H7x8NyoSmW8tWxlNmURLwz\ + KrhfGmYT9IXEJDouxa+ULUtLk7vwq60Bi7C6243AYiEaVaN3hWF6WtrdB/lxROLh\ + v/Dz8qkPRTI7Y3dEsBk2TDiui7XN/SQvnHsmR5hgU1bAwvW2fS5eRrk1DQKBgQCf\ + Dq55ukwoNiJQtmxnA3puXULgFEzKE8FzZU/H9KuDA2lpzIwfg3qNkEFK1F9/s+AA\ + NFHBdNyFg1baSgnBIQyRuHo6l/trnPIlz4aPED3LvckTy2ZmxEYwIGFSoz2STjRw\ + Im8JcklujbqMZ5V4bJSs78vTK5WzcYE40H7GA5K9VwKBgQCMNL9R7GUGxfQaOxiI\ + 4mjwus2eQ0fEodIXfU5XFppScHgtKhPWNWNfbrSICyFkfvGBBgQDLCZgt/fO+GAK\ + r0kIP0GD3KvsLVHsSTR6Fsnz+05HYUEwbc6ebjOegJu+ZO9C4MXnWIaiOzd6vxUz\ + UIOZiBd7mcNJ6ccxdZ39YIPTew==\ + -----END PRIVATE KEY-----"; + + fn create_token(encoding_key: &str, claims: T) -> String { + use jsonwebtoken::{encode, Algorithm, EncodingKey, Header}; + let valid_encoding_key = EncodingKey::from_rsa_pem(encoding_key.as_bytes()) + .expect("Failed to create Encoding Key."); + encode(&Header::new(Algorithm::RS256), &claims, &valid_encoding_key).unwrap() } #[tokio::test] async fn test_valid_jwt_token() -> Result<(), VssError> { - let now = - SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs() as i64; + let now = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs(); let user_id = "valid_user_id"; - let claims = TestClaims { - sub: user_id.to_owned(), - iat: now, - nbf: now, - exp: now + 30556889864403199, - }; - - let valid_encoding_key = EncodingKey::from_rsa_pem( - "-----BEGIN PRIVATE KEY-----\ - MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDKwakpT4j2L1v5\ - BlIA278TFoDrDiqJB0Vlpd5F6LPj2vWgN8AHAogVb2Ar+Q2eucv0fw/6lh+PuOpQ\ - n+CWaCoyy8GyFtsPYWHHK1JLSaGxuHpDFSGVqfKY9xJRTIoEPq/tbQIZSFLmW4eW\ - wIWfjKyUWTilq9wG0ZqnQNNRzzLPSP/GeZJBt2NaCbRrBsc3jy4i1E7dSEsA560b\ - 4HOVYJHxixNrmmJXwqAmkb+vBhMZe67eVwKadbCOZt4OrXMUWsIMNWRogeQYmBG4\ - UgM9dofJTDkfYe8qU/3jJJu9MMtdZmPpPLMcQcNuy2qzgOC+6sH9siGL91DvMrcQ\ - hcvwpEGHAgMBAAECggEAZJZ5Fq6HkyLhrQRusFBUVeLnKDXJ8lsyGYCVafdNL3BU\ - RR0DXjbqTkAH5SjUkfc48N4MjlPl6oZhcIgwgk3BCZw+RtzB5rp4KLgcRo+L8UBF\ - H3yfQcGjQjHo235uRjbXTqGy1dokjnXAKZDvebzvbVVqHf7J1HQuFmW5sK9rVJvP\ - CstC7HqJL15iYTshObnlskB+bnhhBc3LA+UpwyRmvOxPd60XOSxLJ8PMvwki5Qsx\ - afFCOFpT17474199SxmZtnVpcan7xf9dET8AENTIg8iUAFzLIsl5YekyRAeXj0QW\ - p9ln6Sl/TsWF+0yJPbeZ1kmvk52MMW7G56SqWt3bAQKBgQDy9mi9hRyfpfBMGrrk\ - MFDAo1cUvkfuFfBLAfUE9HoEpnQYBqAVFRWCqy6vAa5WdNpVMCDhZkGrn1KDDd/n\ - ZE/26WBTL95BzXQIO3Laiqmifnio01K2zvjvJt7aGMQOFUEJj8Ts8hUTbRMXfmXz\ - wbueKeHmcvAUOXbZb5ylC/gkgQKBgQDVovBSib6FnJdv5Clxf1t4gyIbOYWTUPj3\ - nmkFguBpTLwprzkYjyhyhrGuRaFbcqOVNopgt4KC6enpLtaAMffXwduge+TDKqsS\ - X1o3OhSzpsya3TrWQMDXKszKTTlNogESOejHxj7LIzts4JmKJcRN4dEVEKhP/CxA\ - 2b05YnJCBwKBgEiAuc7ceyc1GJlNXLodpOtnkuPwyHxG9bccdWauIf9jQL+usnS4\ - HvwoYzz8Tm8kXccQHq/EmRJC8BeFu2xMpgQzrngEj9mpGtgeDW8j8+02uoD+1u8Q\ - on6TZetFerQNKaRVz9k5gIqUgR8ArCHqjTdsninr4LLYVxwZz2/9O2aBAoGBAISQ\ - ziW5ebL5P3NcFmdqSv1WCeTw5bVLSqKE9tBHrS9KQXxwUbKuqr+eW0UzyfOwCFf/\ - 9xAa726C7fYXbV0xJIUKs1k7Z/G/WVZWOuoILW5pM49pdigbGE6sLVXfY46L17RS\ - oOLOXoq4+xgNqtjxpIVbed1jb73qUh+PvX6NWy8jAoGBAOvE6mhHBig5YYdidAGG\ - kF2oYp06+JG5ZpOu+MFT34ZDbgTwxx3+yuzfxPyBS68RHFfz+vG4BqX3P+pDOJQS\ - FeGjkLHWEoW7ol5rh1D1ubhWf1MAVOd7O8vp9APnAwd11uraVky2xAVXvplgmSpT\ - vHSUrqBuEFZ5mIWJxwkGElKN\ - -----END PRIVATE KEY-----" - .as_bytes(), - ) - .expect("Failed to create Encoding Key."); - - let decoding_key = String::from( - "-----BEGIN PUBLIC KEY-----\ - MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAysGpKU+I9i9b+QZSANu/\ - ExaA6w4qiQdFZaXeReiz49r1oDfABwKIFW9gK/kNnrnL9H8P+pYfj7jqUJ/glmgq\ - MsvBshbbD2FhxytSS0mhsbh6QxUhlanymPcSUUyKBD6v7W0CGUhS5luHlsCFn4ys\ - lFk4pavcBtGap0DTUc8yz0j/xnmSQbdjWgm0awbHN48uItRO3UhLAOetG+BzlWCR\ - 8YsTa5piV8KgJpG/rwYTGXuu3lcCmnWwjmbeDq1zFFrCDDVkaIHkGJgRuFIDPXaH\ - yUw5H2HvKlP94ySbvTDLXWZj6TyzHEHDbstqs4DgvurB/bIhi/dQ7zK3EIXL8KRB\ - hwIDAQAB\ - -----END PUBLIC KEY-----", - ); + let claims = Claims { sub: user_id.to_owned(), exp: Some(now + 30556889864403199) }; - let jwt_authorizer = JWTAuthorizer::new(&decoding_key).await.unwrap(); + let alice_jwt_token = create_token(ALICE_PRIVATE_KEY, claims.clone()); - let valid_jwt_token = - encode(&Header::new(Algorithm::RS256), &claims, &valid_encoding_key).unwrap(); let mut headers_map: HashMap = HashMap::new(); - let header_value = format!("Bearer {}", valid_jwt_token); + let header_value = format!("Bearer {}", alice_jwt_token); headers_map.insert("authorization".to_string(), header_value.clone()); - println!("headers_map: {:?}", headers_map); + + let decoding_key = String::from(ALICE_PUBLIC_KEY); + let jwt_authorizer = JWTAuthorizer::new(&decoding_key).await.unwrap(); // JWT signed by valid key results in authenticated user. assert_eq!(jwt_authorizer.verify(&headers_map).await?.user_token, user_id); - let invalid_encoding_key = EncodingKey::from_rsa_pem( - "-----BEGIN PRIVATE KEY----- - MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC77KWE/VUi7QTc\ - odlj5yRaawPO4z+Ik4c2r2W1BaivIn2dkeTYKT9cQUEcU3sP/i4bQ/DnSuOWAmmG\ - yaR4NvUvJyGxm6PSBf/kgzDbfvf/8sCi9OEpJEe/xYOhLFaPumtcJAB5mKrdaKsH\ - XBKJaxJInJsiA6eB67d6SESXG/q1H8f00VLxIAKLK32z5Uahuzc9HQvl4dya+dAI\ - Xcw0TJg+JoBIqv5ATlcoXKqguiAyQdG2nW5nRnArhvCl9blKjg26cjbhiJcVEZCf\ - z8vv56IEPhvYEtA8OaiP6vEquqA+vwNipKxqhLzfsjgqYMf18PtrftHjn7nkIvlW\ - RMnG4+IbAgMBAAECggEAXZf+171UKZDiWwBAxQDZmi6yNtf3TI4tSY8RmJa47IDB\ - DzkaQI5KgCf/xZvOLqjpTasI0Cj8MDoDVJ4Yy8aTVmim304kyPUz/RtZufgCi/ba\ - +k371gG7ukckx6DNe8fcsIc9tVHTx3HZvFCe6tHoyUE2AjrPsmUzfDOB9cB5nLrc\ - JFyKVRUwByeG76AgDJaYMq6cK53+GZih3F9e2exxdnlBuk11R2yJMr638yOfgYbY\ - 9vzq49OvleLEH1AdAxkcNYuUiPNC7KUeS84MAn+Ok65WvSlyJC3IjVS+swv4p/SB\ - u0S38ljqisqr0qgfupEJJA/VQaXXo5NJDw48TDuEAQKBgQDuFt7sCoDyqm7XwzWf\ - f9t9VFnPrLjJbNF7ll2zNlzfArzwk6cDrps2sXoNY0r37ObAdK+awWYRDyoCXJCe\ - t1wP/leYMp8opn2axQVHSJCq8K2fZO3xRn98p6jy9Hub0l2r9EN6v3JGQmPffl03\ - qrtYvU8as1ppUXj8Rgw4EGOWRQKBgQDKD7LJ5l/GXotYdOW93y/AXKmEzUjfi1gN\ - QMxu4TxvK4Q5+CjALYtXb0swbOd7ThcYTU1vgD2Vf5t4z8L/0gSRssGxmMOw8UaS\ - lay3ONFPRUhffzCMB4wkaomt1km3t9J1LJJ8h8131x2604MrIKmPMIAU6wnikdNN\ - G5VXx6HM3wKBgQCBzqBdiuCA7WEfa8PJoTj23M1Wh7H7x8NyoSmW8tWxlNmURLwz\ - KrhfGmYT9IXEJDouxa+ULUtLk7vwq60Bi7C6243AYiEaVaN3hWF6WtrdB/lxROLh\ - v/Dz8qkPRTI7Y3dEsBk2TDiui7XN/SQvnHsmR5hgU1bAwvW2fS5eRrk1DQKBgQCf\ - Dq55ukwoNiJQtmxnA3puXULgFEzKE8FzZU/H9KuDA2lpzIwfg3qNkEFK1F9/s+AA\ - NFHBdNyFg1baSgnBIQyRuHo6l/trnPIlz4aPED3LvckTy2ZmxEYwIGFSoz2STjRw\ - Im8JcklujbqMZ5V4bJSs78vTK5WzcYE40H7GA5K9VwKBgQCMNL9R7GUGxfQaOxiI\ - 4mjwus2eQ0fEodIXfU5XFppScHgtKhPWNWNfbrSICyFkfvGBBgQDLCZgt/fO+GAK\ - r0kIP0GD3KvsLVHsSTR6Fsnz+05HYUEwbc6ebjOegJu+ZO9C4MXnWIaiOzd6vxUz\ - UIOZiBd7mcNJ6ccxdZ39YIPTew==\ - -----END PRIVATE KEY-----" - .as_bytes(), - ) - .expect("Failed to create Encoding Key."); - - let invalid_jwt_token = - encode(&Header::new(Algorithm::RS256), &claims, &invalid_encoding_key).unwrap(); - headers_map.insert("authorization".to_string(), format!("Bearer {}", invalid_jwt_token)); + let bob_jwt_token = create_token(BOB_PRIVATE_KEY, claims); + headers_map + .insert("authorization".to_string(), format!("Bearer {}", bob_jwt_token)) + .unwrap(); // JWT signed by invalid key results in AuthError. assert!(matches!( jwt_authorizer.verify(&headers_map).await.unwrap_err(), VssError::AuthError(_) )); + + Ok(()) + } + + fn jsonwebtoken_decode(token: &str, rsa_pem: &str) -> Result { + use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation}; + let jwt_issuer_key = DecodingKey::from_rsa_pem(rsa_pem.as_bytes()).unwrap(); + let mut validation = Validation::new(Algorithm::RS256); + // If `jsonwebtoken` decodes to a struct that has a member called `exp`, + // `jsonwebtoken` enforces that it is set in the claims, regardless of whether it + // is an `Option` in the struct. + // + // We use a `Claims` struct that uses an `Option` for its `exp` member to accept + // claims that only have the `sub` member set. + // + // Thus, we ask `jsonwebtoken` to not complain if `exp` is not set when it decodes + // to our `Claims` struct in tests. This aligns our behavior with the behavior of + // `jsonwebtoken`. + validation.required_spec_claims.clear(); + let claims = decode::(token, &jwt_issuer_key, &validation) + .map_err(|e| VssError::AuthError(format!("Authentication failure. {}", e)))? + .claims; + Ok(claims) + } + + async fn openssl_decode(token: &str, rsa_pem: &str) -> Result { + let verifier = JWTAuthorizer::new(rsa_pem).await.unwrap(); + verifier.decode_claims(token) + } + + // We formerly used `jsonwebtoken` to decode and validate claims, check that our new + // behavior still matches that library. + #[tokio::test] + async fn test_against_jsonwebtoken_lib() -> Result<(), VssError> { + let now = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs(); + let sub = String::from("valid_user_id"); + + // Expiry is not set + let claims = Claims { sub: sub.clone(), exp: None }; + let token = create_token(ALICE_PRIVATE_KEY, claims); + let claims_a = jsonwebtoken_decode::(&token, ALICE_PUBLIC_KEY).unwrap(); + let claims_b = openssl_decode(&token, ALICE_PUBLIC_KEY).await.unwrap(); + assert_eq!(claims_a, claims_b); + + // Expiry is right now, because of `CLOCK_SKEW_TOLERANCE_SEC`, we accept + let claims = Claims { sub: sub.clone(), exp: Some(now) }; + let token = create_token(ALICE_PRIVATE_KEY, claims); + let claims_a = jsonwebtoken_decode::(&token, ALICE_PUBLIC_KEY).unwrap(); + let claims_b = openssl_decode(&token, ALICE_PUBLIC_KEY).await.unwrap(); + assert_eq!(claims_a, claims_b); + + // Expiry is at `u64::MAX`, we accept, and make sure we saturate when we add + // `CLOCK_SKEW_TOLERANCE_SEC` + let claims = Claims { sub: sub.clone(), exp: Some(u64::MAX) }; + let token = create_token(ALICE_PRIVATE_KEY, claims); + let claims_a = jsonwebtoken_decode::(&token, ALICE_PUBLIC_KEY).unwrap(); + let claims_b = openssl_decode(&token, ALICE_PUBLIC_KEY).await.unwrap(); + assert_eq!(claims_a, claims_b); + + // Expiry is in the past, we reject + let claims = Claims { sub: sub.clone(), exp: Some(now - 90) }; + let token = create_token(ALICE_PRIVATE_KEY, claims); + let _ = jsonwebtoken_decode::(&token, ALICE_PUBLIC_KEY).unwrap_err(); + let _ = openssl_decode(&token, ALICE_PUBLIC_KEY).await.unwrap_err(); + + // Expiry is at 0, we reject + let claims = Claims { sub: sub.clone(), exp: Some(0) }; + let token = create_token(ALICE_PRIVATE_KEY, claims); + let _ = jsonwebtoken_decode::(&token, ALICE_PUBLIC_KEY).unwrap_err(); + let _ = openssl_decode(&token, ALICE_PUBLIC_KEY).await.unwrap_err(); + + #[derive(Serialize, Deserialize)] + struct SimpleClaims { + sub: String, + } + + // Serialize an object with no expiry claim, we accept + let simple_claims = SimpleClaims { sub: sub.clone() }; + let token = create_token(ALICE_PRIVATE_KEY, simple_claims); + let claims_a: Claims = jsonwebtoken_decode(&token, ALICE_PUBLIC_KEY).unwrap(); + let claims_b = openssl_decode(&token, ALICE_PUBLIC_KEY).await.unwrap(); + assert_eq!(claims_a, claims_b); + + #[derive(Serialize, Deserialize)] + struct ManyClaims { + sub: String, + iat: u64, + nbf: u64, + // The expiry is now a required field instead of an `Option` + exp: u64, + } + + // Serialize an object with many claims, we accept + let many_claims = ManyClaims { sub: sub.clone(), iat: now, nbf: now, exp: now }; + + let token = create_token(ALICE_PRIVATE_KEY, many_claims); + let claims_a: Claims = jsonwebtoken_decode(&token, ALICE_PUBLIC_KEY).unwrap(); + let claims_b = openssl_decode(&token, ALICE_PUBLIC_KEY).await.unwrap(); + assert_eq!(claims_a, claims_b); + + // Serialize an object with many claims, we accept + let many_claims = ManyClaims { sub: sub.clone(), iat: now, nbf: now, exp: u64::MAX }; + + let token = create_token(ALICE_PRIVATE_KEY, many_claims); + let claims_a: Claims = jsonwebtoken_decode(&token, ALICE_PUBLIC_KEY).unwrap(); + let claims_b = openssl_decode(&token, ALICE_PUBLIC_KEY).await.unwrap(); + assert_eq!(claims_a, claims_b); + + // Serialize an object with many claims, we reject + let many_claims = ManyClaims { sub: sub.clone(), iat: now, nbf: now, exp: 0 }; + + let token = create_token(ALICE_PRIVATE_KEY, many_claims); + let _ = jsonwebtoken_decode::(&token, ALICE_PUBLIC_KEY).unwrap_err(); + let _ = openssl_decode(&token, ALICE_PUBLIC_KEY).await.unwrap_err(); + Ok(()) } }