There are quite a few changes happening in the PRs: more input format for RSA (#69, #74), ECDSA signing & verification (#73) as well as some Validation changes.

I have already removed the iat check in the next branch since it isn't something that should be checked.

Right now, Validation::algorithms is a vec. I don't remember why but it shouldn't be the case, it should be an algorithm: Algorithm instead, I will accept a PR for that or do it myself later.

#69 also adds a standalone verify_rsa fn, which I'm wondering if we can somehow streamline it with the rest of the crate.

Since Rust doesn't have default parameters, we always have to pass a Validation struct currently. Maybe we can put the decoding onto this struct instead so you get something like:

// currently
let token = decode::<Claims>(&token, "secret".as_ref(), &Validation::default())?;

// possible
// `JwtDecoder` has the same fields as the current `Validation`
let token = JwtDecoder::default().decode_hs256::<Claims>(&token, "secret".as_ref())?;

This way we don't have a single function where we are trying to fit all arguments inside and the user has to select explicitely which decode fn to use. This solves the vec of algorithms at the same time and allows having better documentation for each. The downside is duplication of those functions/docs for the various digest values (decode_hs256, decode_hs384, decode_hs512 for each algo).

Any other ideas/criticisms/things missing?

ccing the people involved in various issues/PRs recently @AaronFriel @jbg @Jake-Shadle @matthew-nichols-westtel @greglearns

According to the RFC, the exp claim should be optional: https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4

4.1.4. "exp" (Expiration Time) Claim ... Use of this claim is OPTIONAL.

I saw that you suggested that the user just set an expiration very far in the future. This works for new tokens, however it doesn't work for tokens created previously (e.g. if you're migrating tokens to a new service).

I'm having a hard time authenticating a token using a x5c. (MS OAuth/Azure)

Below is the code...

// Trying to isolate the problem by only checking the signature. 
let validation_config = jsonwebtoken::Validation {
            algorithms: vec![jsonwebtoken::Algorithm::RS256],
            leeway: 0,
            validate_exp: false,
            validate_iat: false,
            validate_nbf: false,
            aud: None,
            iss: None,
            sub: None
        };
let token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn...";
let x5c_cert = "MIIDBTCCAe2gAwIBAgIQKOfEJNDyDplBSXKYcM..."; 

let raw_der = base64::decode_config(der, base64::STANDARD).unwrap();
let d = jsonwebtoken::decode::<MsOAuthPayload>(&token, &raw_der, &validation_config);

The above always returns InvalidSignature.

• RS265 is the correct algo.
• The cert is correct. I tried it on jwt.io by adding a BEGIN/END cert and it validates fine.
• I used ssl to convert the BEGIN/END pem to DER and the bytes match up from the base 64 decode.
• The key URL is: https://login.microsoftonline.com/common/discovery/v2.0/keys but my specific tenant returns the same keys.

Anyone have some insight on what I'm doing wrong here?

Thanks

https://github.com/cmsd2/rust-jwt

As discussed briefly out-of-band, I've been working on some features.

Off the top of my head, rsa, arbitrary Json payloads like the other jwt libs, claims parsing, serde, jwk keys and sets.

Can we pool efforts?

• Add PEM support with pem and simple_asn1. Documentation TODO

• Make pkcs1 and pkcs8 versions of the RSA key, confirm they pass tests.

• Add documentation, simplify

• Update readme

• Bump pem version

• Remove extra print

Hello!

jsonwebtoken version: 7.2.0 rustc version: rustc 1.47.0 (18bf6b4f0 2020-10-07)

I have built a token validator for tokens served from AWS Cognito using their JWKS. The validation steps are

• fetch the JWKs
• find the appropriate JWK data for the token (decode_header, extract kid, look up corresponding key in JWKs)
• pass the modulus and exponent to DecodingKey::from_rsa_components
• validate as usual

Out of the box, validation fails with a rather obscure Error(Base64(InvalidByte(52, 43))). After digging into it for a while, I discovered that AWS Cognito JWKs are using the standard base64 character set, which trips up the b64_decode wrapper.

Here is a test case that demonstrates the same issue using the PKCS8 keypair in the test suite:

#[test]
fn rsa_modulus_exponent_standard_charset() {
    let privkey_pem = include_bytes!("private_rsa_key_pkcs8.pem");

    // modulus encoded as base64 from public_rsa_key_pkcs8.pem
    // $ openssl rsa -pubin -in public_rsa_key_pkcs8.pem -text -noout | egrep '^    ' | xxd -r -p | base64 | tr -d '\n'
    let n = "AMkROqx7jUdEGxztx9yrdqTihlYUKhmVyJznbkDcV87ipb0Ey1E7+JeLIIIefwmGIv3LyPkl1U/ZD1kil8SVwV3f+C5L3D7lGpAaAJH4fnohVTIdla1Mlso9zBZdB01RfSsEVywHMJERIkt56U4R0ciMbstGTHmX8VS+WqzIcNUkRCwfB6BnxvwLR/PQSBPYwwR2fXS3pSvWtfOMwH/C8KDy8byW9yJeZ53Kj3Enygw6HTBQSDHOJUMwyi+YL5oly1wdQBi5vCgY3xPLNy+caovslKHfo/DLbyI/NdnZEuEDIkVTf28tod2WPC2FRq6mV2U3IJ9ro5/Lio1y2VQ+U3U=";

    // $ openssl rsa -pubin -in public_rsa_key_pkcs8.pem -text -noout | awk '/Exponent/ { printf "0x%06x",$2 }' | xxd -r -p | base64
    let e = "AQAB";

    // transcoding the modulus into the URL safe charset allows the test to pass
    // let n = "AMkROqx7jUdEGxztx9yrdqTihlYUKhmVyJznbkDcV87ipb0Ey1E7-JeLIIIefwmGIv3LyPkl1U_ZD1kil8SVwV3f-C5L3D7lGpAaAJH4fnohVTIdla1Mlso9zBZdB01RfSsEVywHMJERIkt56U4R0ciMbstGTHmX8VS-WqzIcNUkRCwfB6BnxvwLR_PQSBPYwwR2fXS3pSvWtfOMwH_C8KDy8byW9yJeZ53Kj3Enygw6HTBQSDHOJUMwyi-YL5oly1wdQBi5vCgY3xPLNy-caovslKHfo_DLbyI_NdnZEuEDIkVTf28tod2WPC2FRq6mV2U3IJ9ro5_Lio1y2VQ-U3U=";

    let my_claims = Claims {
        sub: "[email protected]".to_string(),
        company: "ACME".to_string(),
        exp: Utc::now().timestamp() + 10000,
    };

    for &alg in RSA_ALGORITHMS {
        let token =
            encode(&Header::new(alg), &my_claims, &EncodingKey::from_rsa_pem(privkey_pem).unwrap())
                .unwrap();

        let token_data = decode::<Claims>(
            &token,
            &DecodingKey::from_rsa_components(n, e),
            &Validation::new(alg),
        )
        .unwrap();

        assert_eq!(my_claims, token_data.claims);
        assert!(token_data.header.kid.is_none());
    }
}

Test output:

$ cargo test
   Compiling jsonwebtoken v7.2.0 (/home/drocco/source/sandbox/rust/jsonwebtoken)
    Finished test [unoptimized + debuginfo] target(s) in 1.19s
     Running target/debug/deps/jsonwebtoken-a8164d7fdb367e8b
...
failures:

---- rsa::rsa_modulus_exponent_standard_charset stdout ----
thread 'rsa::rsa_modulus_exponent_standard_charset' panicked at 'called `Result::unwrap()` on an `Err` value: Error(Base64(InvalidByte(52, 43)))', tests/rsa/mod.rs:173:10
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

failures:
    rsa::rsa_modulus_exponent_standard_charset

test result: FAILED. 10 passed; 1 failed; 0 ignored; 0 measured; 0 filtered out

error: test failed, to rerun pass '--test lib'

Environment:

$ rustup show
Default host: x86_64-unknown-linux-gnu
rustup home:  /home/drocco/.rustup

installed toolchains
--------------------

stable-x86_64-unknown-linux-gnu (default)
nightly-x86_64-unknown-linux-gnu

active toolchain
----------------

stable-x86_64-unknown-linux-gnu (default)
rustc 1.47.0 (18bf6b4f0 2020-10-07)

impl<'a> DecodingKey<'a> {
    pub fn from_rsa_pem(key: &'a [u8]) -> Result<Self> {
        let pem_key = PemEncodedKey::new(key)?;
        let content = pem_key.as_rsa_key()?;
        Ok(DecodingKey {
            family: AlgorithmFamily::Rsa,
            kind: DecodingKeyKind::SecretOrDer(Cow::Owned(content.to_vec())),
        })
    }
}

This constructs a DecodingKey that owns all of its state, but the signature suggests that it borrows the input key. As a result, the only way to construct a DecodingKey<'static> for lazy_static or once_cell is to leak the input key (or unsafely transmute the lifetime of the input key and hope that DecodingKey never changes its implementation to actually.borrow the input).

Hi,

the provided example for custom chrono headers (https://github.com/Keats/jsonwebtoken/blob/master/examples/custom_chrono.rs) does not work, if the chrono timestamp contains milliseconds. I discovered this when implementing a test property for myself that ensured, encoding and decoding results in the identity.

One if my failures looked like this:

[src/auth.rs:131] cookie = DeviceCookie { 
    sub: "\u{0}",                                                                    
    nonce: "\u{0}",                       
    exp: 2020-04-22T13:42:23.284112768Z,                                             
}                                    
[src/auth.rs:131] parsed = DeviceCookie {                                            
    sub: "\u{0}",                                                                    
    nonce: "\u{0}",                                                                  
    exp: 2020-04-22T13:42:23Z,     
}

As you can see, cookie (the identity) has milliseconds set but since the serializer in the example serializes only the timestamp to the second, the milliseconds get lost and the tokens are no longer the same.

I updated the example to use Utc::timestamp_nanos for serializing and deserializing. This solves the issue. I also added a slightly modified version of my test property to the example to ensure, that everythink works as intended.

I also fixed the existing tests since the example didn't compile and after fixing it and running cargo test --example=custom_chrono, the round_trip test fails:

test jwt_numeric_date::tests::round_trip ... FAILED
test jwt_numeric_date::tests::should_fail_on_invalid_timestamp ... ok
test jwt_numeric_date::tests::to_token_and_parse_equals_identity ... ok

failures:

---- jwt_numeric_date::tests::round_trip stdout ----
thread 'jwt_numeric_date::tests::round_trip' panicked at 'attempt to multiply with overflow', /home/me/.cargo/registry/src/github.com-1ecc6299db9ec823/chrono-0.4.11/src/naive/datetime.rs:342:21

Running the tests in release mode (cargo test --release --example=custom_chrono) works fine since the overflow checks are disabled for release builds.

Adding the following to Cargo.toml would solve the problem, too, but I don't know if you want this.

[profile.test]
overflow-checks = false

After disabling overflow checks for tests and running the test again, it fails with an assertion error:

thread 'jwt_numeric_date::tests::round_trip' panicked at 'assertion failed: `(left == right)`
  left: `"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJDdXN0b20gRGF0ZVRpbWUgc2VyL2RlIiwiaWF0IjowLCJleHAiOi00Mzg5ODA4MTQ3NDE5MTAzMjMyfQ.P2cnrIjFilrosSMBZeI5KaNDZxkxVir8l_cpvZbAP30"`,
 right: `"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJDdXN0b20gRGF0ZVRpbWUgc2VyL2RlIiwiaWF0IjowLCJleHAiOjMyNTAzNjgwMDAwfQ.RTgha0S53MjPC2pMA4e2oMzaBxSY3DMjiYR2qFfV55A"`', examples/custom_chrono.rs:63:13

I'm not quite sure, what to to with this test...

I get this error when trying to encode() with RS256:

thread 'main' panicked at 'failed to encode(): Error(InvalidRsaKey)', src/main.rs:240:21`

Here's my line of code that uses encode() and it straight out of the /examples:

    let token = match encode(&Header::new(Algorithm::RS256), &set_jwt_payload(options.clone()), &private_key) {
        Ok(t) => t,
        Err(err) => panic!("failed to encode(): {:?}", err), // in practice you would return the error
    };

But when I use &Header::default() for encode's header parameter, it works fine. I'm using this function to convert a KEY to the DER format:

• https://github.com/cfsamson/azure-jwt/blob/c3d6239fed10b23e834f0e9f0cb0ae39618c4118/src/lib.rs#L636

Thank you for any insights.

exp and nbf could be added (see https://tools.ietf.org/html/rfc7519#section-4.1.1 for details on those fields).

The tricky thing without default args is how to handle the leeway. It seems the decode fn will need a struct of all the possible options, which means we could add verification for more fields that way

This adds support for the crit header parameter (RFC 7515), and additional header parameters via a params map.

I added logic for the crit header to check for invalid uses. Applications must do additional checking of crit to ensure they can understand any listed parameters.

To make the params map work, I removed Hash from the derive attribute of the Header struct. If this is a problem, I could try to find an alternative solution.

I added tests for the crit parameter checking and to show use of the params map flattened into the header struct.

I'm presently using the rsa crate and creating a private/public key pair, then creating an EncodingKey from that. For now, it seems that I must convert the private key to a PEM encoded string and then create EncodingKey from that. I would like to skip that step if I may. I took a brief look at the code and it seems that DecodingKey and EncodingKey are built up differently, so it's not obvious to me if adding an from_rsa_components() to EncodingKey is a good idea or not. But it sure would be convenient. If you have any suggestions, I can give it a try myself and submit a PR.

Hello @Keats
I have a problem with dependency: error: failed to select a version for the requirement time = "=0.3.17" How to fix it?

Cargo.toml:

[package]
name = "jwt_tests"
version = "0.1.0"
edition = "2018"

[dependencies]
jsonwebtoken = "8"
serde = {version = "1.0", features = ["derive"] }

My compiler: rust 1.54 (required by yocto).

log:

$ cargo +1.54 b
    Updating crates.io index
error: failed to select a version for the requirement `time = "=0.3.17"`
candidate versions found which didn't match: 0.3.15, 0.3.14, 0.3.13, ...
location searched: crates.io index
required by package `simple_asn1 v0.6.2`
    ... which is depended on by `jsonwebtoken v8.2.0`
    ... which is depended on by `speedy_tests v0.1.0 (/home/mhanusek/work/code/rnd/jwt_tests)`

Currently DecodingKey::as_bytes is crate public which means you can't even get the secret out of the DecodingKey that you originally put in.

Additionally it does not implement Debug or PartialEq so once you create a DecodingKey you cannot compare for testing purposes ever. This is really a pain point if you're trying to test your decoding logic to support many algorithms and keys using JWK as well as static secrets.

DecodingKey should really implement the std::cmp::PartialEq interface at the very least.

A similar issue exists with Algorithm where you have to resort to matching in order to implement Debug on types using it. Ideally the library would handle this case as well converting Algorithm back to a string.

Currently if you have

        let mut validation = Validation::default();
        validation.algorithms = vec![
            Algorithm::HS256,
            Algorithm::HS384,
            Algorithm::HS512,
            Algorithm::RS256,
            Algorithm::RS384,
            Algorithm::RS512,
        ];

and try to validate a RS256 signed token, you will get a Error::InvalidAlgorithm due to the section:

        for alg in &validation.algorithms {
            if key.family != alg.family() {
                return Err(new_error(ErrorKind::InvalidAlgorithm));
            }
        }

This section should check whether the key is one of the accepted families. Currently it checks if an algorithm is accepted with a different family, and if so rejects the key.