WebCipher - JWT encryption/decryption algorithms + a JWK Store implementation

Related tags

Authentication jwt jws
Overview

WebCipher

webcipher provides JWT authentication utilities and storage mechanism for caching keys and optimizing decryption/encryption processes.

Overview

The primary abstraction provided by webcipher is the KeyRegistry struct. This struct caches all keys for various OAuth2 service providers, such as Google, Facebook, etc. Public keys can be stored internally, and JWT tokens can be decrypted by its according OAuth2 provider.

Third Party Auth Providers

An example of using a KeyRegistry instance to decrypt (and verify) an incoming JWT can be seen below:

= registry.decrypt_remote::(ThirdPartyAuthProviders::Google)?; let jsonwebtoken::TokenData { claims: GoogleClaims { /* access to all of Google's claims! */ .. }, .. } = data;"> 
enum ThirdPartyAuthProviders {
    Google,
    Facebook,
    ExampleProvider,
}

let registry = KeyRegistry::builder()
    .add_remote(ThirdPartyAuthProviders::Google, "https://www.googleapis.com/oauth2/v2/certs")
    .finish()
    .await?;

// Now assume that we receive some token that we wish to decrypt.
// Furthermore, let's assume that the token is claimed to be signed by `Google`.
// The claims made by `Google` are located in some arbitrary struct named `GoogleClaims` (defined elsewhere).
let received_jwt_token = "a.b.c";

let data: jsonwebtoken::TokenData<GoogleClaims> = registry.decrypt_remote::(ThirdPartyAuthProviders::Google)?;

let jsonwebtoken::TokenData { claims: GoogleClaims { /* access to all of Google's claims! */ .. }, .. } = data;

Local Auth Services

It may be the case that your own application wants to perform JWT encryption/decryption using locally defined secrets/keypairs. webcipher also contains a LocalCache, which, for the most part, behaves as the above RemoteCache, except that it also provides encryption services.

= registry.decrypt_local::()?; let jsonwebtoken::TokenData { claims: OurClaims { /* access to all of our claims! */ .. }, .. } = data;"> 
struct OurClaims {
    // Public Claims:
    exp: u64,
    iat: u64,
    iss: String,
    // ...

    // Private Claims:
    user_id: Uuid,
    name: String,
    age: u8,
    // ...
}

// Assume some `read_file` function which reads a file at some path and returns the read bytes.
let bytes: &[u8] = read_file("path/to/priv_file.pem");
let encoding_key = EncodingKey::from_rsa_pem(bytes);

let bytes: &[u8] = read_file("path/to/pub_file.pem");
let decoding_key = DecodingKey::from_rsa_pem(bytes);

let registry = KeyRegistry::builder()
    .add_local(jsonwebtoken::Algorithm::RS256, encoding_key, decoding_key);

// Once again, assume that we receive some token that we wish to decrypt.
// Furthermore, let's assume that the token is claimed to be signed by us!
// The claims we made are located in some arbitrary struct named `OurClaims`.
let received_jwt_token = "a.b.c";

let data: jsonwebtoken::TokenData<OurClaims> = registry.decrypt_local::()?;

let jsonwebtoken::TokenData { claims: OurClaims { /* access to all of our claims! */ .. }, .. } = data;

We can also sign outgoing messages using our public key.

let our_claims = OurClaims::default(); // in reality, we would use some actual data, not default data.
let token = register.encode_local::(); // we can now send this token to someone else!

Limitations

This library is not very... "generic". It does enforce that remotes send back Key's which have a kty == "RSA", as well as an e (i.e., exponent) and m (i.e., modulus) element. If they do not, then those keys are rejected from being stored in the RemoteCache.

Lastly, I am still working on multithreaded access to this store and the best practices for which to perform some of these operations. The refreshing mechanism is still manual. Namely, the user of this library will need to remember to refresh the cache of their own accord. This will (hopefully) be fixed in a future release.

Ending Remarks

PRs are always welcome. Please take a look at the CONTRIBUTING.MD for Wavy's policy on contributing to our Open Source Software.

This work is released under the MIT license. The claims of this license can be found in LICENSE.MD.

Lastly, this project has still yet to undergo major testing.

You might also like...
OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.
OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.

OpenSK This repository contains a Rust implementation of a FIDO2 authenticator. We developed this as a Tock OS application and it has been successfull

Google 2.4k Jan 2, 2023
ROCCA cipher implementation for Rust.

ROCCA for Rust This is a Rust implementation of the ROCCA authenticated cipher, ported from the Zig implementation. ROCCA is key committing, has a 256

Frank Denis 6 Sep 30, 2022
RSA implementation in pure Rust

RSA A portable RSA implementation in pure Rust. ⚠️ WARNING: This crate has been audited by a 3rd party, but a full blog post with the results and the

Rust Crypto 346 Jan 4, 2023
Chargo is a tool for file encryption/decryption. It's based on Argon2 and ChaCha20Poly1305 algorithms.

| Documentation Chargo is a tool for file encryption/decryption with password. It's based on Argon2 and ChaCha20Poly1305 algorithms. From arg2u with ♥

Airat Galiullin 7 Jan 1, 2023
Authenticated Encryption with Associated Data Algorithms: high-level encryption ciphers

RustCrypto: Authenticated Encryption with Associated Data (AEAD) Algorithms Collection of Authenticated Encryption with Associated Data (AEAD) algorit

Rust Crypto 457 Jan 4, 2023
Save decryption/encryption and transfer utility for Automachef

automachef-save Automachef by HermesInteractive encrypts it's save files with the user's account ID (Steam, Epic) or a static key (GOG, Twitch). The I

null 2 Jul 2, 2022
Tools for manipulating JSON Web Tokens, JWS, JWE, and JWK in Rust
Tools for manipulating JSON Web Tokens, JWS, JWE, and JWK in Rust

Rusty JWT Tools A collection of JWT utilities. This repository is part of the source code of Wire. You can find more information at wire.com or by con

Wire Swiss GmbH 4 Nov 22, 2022
A Rust Implementation of China's Standards of Encryption Algorithms(SM2/SM3/SM4)

gm-rs A Pure Rust High-Performance Implementation of China's Standards of Encryption Algorithms(SM2/SM3/SM4) Usage Add this to your Cargo.toml: [depen

null 2 Oct 27, 2022
A pairing-based threshold cryptosystem for collaborative decryption and signatures used in HoneybadgerBFT implementation

threshold_crypto A pairing-based threshold cryptosystem for collaborative decryption and signatures. The threshold_crypto crate provides cryptographic

null 166 Dec 29, 2022
A set of cryptographic primitives for building a multi-hop Proxy Re-encryption scheme, known as Transform Encryption.

recrypt A pure-Rust library that implements a set of cryptographic primitives for building a multi-hop Proxy Re-encryption scheme, known as Transform

IronCore Labs 122 Dec 30, 2022
Rust encryption library for practical time-lock encryption.

tlock_age: Hybrid Timelock Encryption/Decryption in Rust tlock_age is a library to encrypt and decrypt age filekey using tlock scheme. It provides an

Thibault 5 Mar 29, 2023
A simple command-line application to securely store secrets using encryption

rust-secret-vault A simple yet robust command-line tool designed to safely encrypt and store your sensitive information. Harnessing the power of AES-2

Luis Soares 4 Nov 22, 2023
A Rust Library of China's Standards of Encryption Algorithms (SM2/3/4)

Libsm Libsm is an open source pure rust library of China Cryptographic Algorithm Standards. It is completed by a collaborative effort between the Cryp

CITAHub 149 Dec 23, 2022
Decryption utility for Yaesu ham radio firmware images

porkchop Decryption utility for Yaesu ham radio firmware images. Background Yaesu provides a firmware update utility for their ham radios that contain

Lander Brandt 20 Dec 29, 2022
Decryption tool for assets.pie from Teenage Mutant Ninja Turtles: The Cowabunga Collection. This tool was made in its entirety by SowwyItsAnAlt.

Cowabunga Decryption tool for assets.pie from Teenage Mutant Ninja Turtles: The Cowabunga Collection. This tool was made in its entirety by SowwyItsAn

Masquerade 8 Dec 22, 2022
A minimal jwt implementation for OIDC

Compact JWT Json Web Tokens (JWT) are a popular method for creating signed transparent tokens that can be verified by clients and servers. They are en

Kanidm 4 Dec 29, 2021
SD-JWT Rust Reference Implementation

SD-JWT Rust Reference Implementation This is the reference implementation of the IETF SD-JWT specification written in Rust. Supported version: 6. Note

OpenWallet Foundation Labs 4 Dec 19, 2023
This repository contains the Rust source code for the algorithms in the textbook Algorithms, 4th Edition

Overview This repository contains the Rust source code for the algorithms in the textbook Algorithms, 4th Edition by Robert Sedgewick and Kevin Wayne.

chuan 549 Dec 26, 2022
JWT lib in rust

jsonwebtoken API documentation on docs.rs See JSON Web Tokens for more information on what JSON Web Tokens are. Installation Add the following to Carg

Vincent Prouillet 1.1k Jan 3, 2023
Comments
  • Add ability to give `kid` when instantiating

    Add ability to give `kid` when instantiating

    • A local cache should allow the user to specify the kid of the key that they want to use
      • now a local cache can only be created by passing a kid, DecodingKey, and an EncodingKey
    opened by raunakab 0
  • Make call to RemoteCache::new not async

    Make call to RemoteCache::new not async

    • Instead, the call just instantiates the URI and an empty BTreeMap

      • However, the next call to decrypt_unchecked should check whether or not the cache is stale.
        • Right after instantiation, is_cache_fresh will immediately return false
        • therefore, we perform a network call THEN

    • This change was made so that we can bind an instance of RemoteCache to a lazy_static without having to make an asynchronous call!

    • edited the doc examples that I found...

      • there may be more remaining, idk...
    opened by raunakab 0
Owner
Wavy
We are a UBC-sourced engineering team designing an events+friends finder application for UBC students, staff, and personnel.
Wavy
GitHub
A minimal jwt implementation for OIDC

Compact JWT Json Web Tokens (JWT) are a popular method for creating signed transparent tokens that can be verified by clients and servers. They are en

Kanidm 4 Dec 29, 2021
SD-JWT Rust Reference Implementation

SD-JWT Rust Reference Implementation This is the reference implementation of the IETF SD-JWT specification written in Rust. Supported version: 6. Note

OpenWallet Foundation Labs 4 Dec 19, 2023
JWT lib in rust

jsonwebtoken API documentation on docs.rs See JSON Web Tokens for more information on what JSON Web Tokens are. Installation Add the following to Carg

Vincent Prouillet 1.1k Jan 3, 2023
Highly flexible library to manage and orchestrate JWT workflow

JWT Vault Highly flexible library to manage and orchestrate JWT workflow Examples | Website | Chat TODO Add more examples Improve coverage Features Ma

Saurav Gupta 65 Nov 8, 2022
vault client using jwt authentication that define environment variables from vault secrets before executing into something else

envlt envlt, like env, allows you to define environment variables and then execute into something else, but instead of static values, it uses using si

Eric Burghard 6 Nov 13, 2022
Simple backend app with Actix-web, JWT and MongoDB

Actix Web JWT Example Simple backend app with Actix-web, JWT and MongoDB (JWT Token, Protect Route, Login & Register) While developing the web service

Emre 124 Dec 31, 2022
An oauth2 client implementation providing the Device, Installed and Service Account flows.

yup-oauth2 is a utility library which implements several OAuth 2.0 flows. It's mainly used by google-apis-rs, to authenticate against Google services.

Lewin Bormann 174 Dec 30, 2022
An implementation for an authentication API for Rocket applications.

rocket_auth rocket_auth provides a ready-to-use backend agnostic API for authentication management. For more information visit the documentation at ht

null 62 Dec 19, 2022
A paseto implementation in rust.

Paseto Rust Paseto is everything you love about JOSE (JWT, JWE, JWS) without any of the many design deficits that plague the JOSE standards. This is d

Instructure, Inc. 145 Nov 7, 2022
An implementation of webauthn components for Rustlang servers

Webauthn-rs Webauthn is a modern approach to hardware based authentication, consisting of a user with an authenticator device, a browser or client tha

Kanidm 232 Jan 8, 2023