WebCipher - JWT encryption/decryption algorithms + a JWK Store implementation

Last update: May 1, 2022

WebCipher

webcipher provides JWT authentication utilities and storage mechanism for caching keys and optimizing decryption/encryption processes.

Overview

The primary abstraction provided by webcipher is the KeyRegistry struct. This struct caches all keys for various OAuth2 service providers, such as Google, Facebook, etc. Public keys can be stored internally, and JWT tokens can be decrypted by its according OAuth2 provider.

Third Party Auth Providers

An example of using a KeyRegistry instance to decrypt (and verify) an incoming JWT can be seen below:

= registry.decrypt_remote::(ThirdPartyAuthProviders::Google)?; let jsonwebtoken::TokenData { claims: GoogleClaims { /* access to all of Google's claims! */ .. }, .. } = data;">
enum ThirdPartyAuthProviders {
    Google,
    Facebook,
    ExampleProvider,
}

let registry = KeyRegistry::builder()
    .add_remote(ThirdPartyAuthProviders::Google, "https://www.googleapis.com/oauth2/v2/certs")
    .finish()
    .await?;

// Now assume that we receive some token that we wish to decrypt.
// Furthermore, let's assume that the token is claimed to be signed by `Google`.
// The claims made by `Google` are located in some arbitrary struct named `GoogleClaims` (defined elsewhere).
let received_jwt_token = "a.b.c";

let data: jsonwebtoken::TokenData<GoogleClaims> = registry.decrypt_remote::(ThirdPartyAuthProviders::Google)?;

let jsonwebtoken::TokenData { claims: GoogleClaims { /* access to all of Google's claims! */ .. }, .. } = data;

Local Auth Services

It may be the case that your own application wants to perform JWT encryption/decryption using locally defined secrets/keypairs. webcipher also contains a LocalCache, which, for the most part, behaves as the above RemoteCache, except that it also provides encryption services.

= registry.decrypt_local::()?; let jsonwebtoken::TokenData { claims: OurClaims { /* access to all of our claims! */ .. }, .. } = data;">
struct OurClaims {
    // Public Claims:
    exp: u64,
    iat: u64,
    iss: String,
    // ...

    // Private Claims:
    user_id: Uuid,
    name: String,
    age: u8,
    // ...
}

// Assume some `read_file` function which reads a file at some path and returns the read bytes.
let bytes: &[u8] = read_file("path/to/priv_file.pem");
let encoding_key = EncodingKey::from_rsa_pem(bytes);

let bytes: &[u8] = read_file("path/to/pub_file.pem");
let decoding_key = DecodingKey::from_rsa_pem(bytes);

let registry = KeyRegistry::builder()
    .add_local(jsonwebtoken::Algorithm::RS256, encoding_key, decoding_key);

// Once again, assume that we receive some token that we wish to decrypt.
// Furthermore, let's assume that the token is claimed to be signed by us!
// The claims we made are located in some arbitrary struct named `OurClaims`.
let received_jwt_token = "a.b.c";

let data: jsonwebtoken::TokenData<OurClaims> = registry.decrypt_local::()?;

let jsonwebtoken::TokenData { claims: OurClaims { /* access to all of our claims! */ .. }, .. } = data;

We can also sign outgoing messages using our public key.

let our_claims = OurClaims::default(); // in reality, we would use some actual data, not default data.
let token = register.encode_local::(); // we can now send this token to someone else!

Limitations

This library is not very... "generic". It does enforce that remotes send back Key's which have a kty == "RSA", as well as an e (i.e., exponent) and m (i.e., modulus) element. If they do not, then those keys are rejected from being stored in the RemoteCache.

Lastly, I am still working on multithreaded access to this store and the best practices for which to perform some of these operations. The refreshing mechanism is still manual. Namely, the user of this library will need to remember to refresh the cache of their own accord. This will (hopefully) be fixed in a future release.

Ending Remarks

PRs are always welcome. Please take a look at the CONTRIBUTING.MD for Wavy's policy on contributing to our Open Source Software.

This work is released under the MIT license. The claims of this license can be found in LICENSE.MD.

Lastly, this project has still yet to undergo major testing.

GitHub

https://github.com/wavy-app/webcipher
You might also like...

RSA implementation in pure Rust

RSA A portable RSA implementation in pure Rust. ⚠️ WARNING: This crate has been audited by a 3rd party, but a full blog post with the results and the

May 14, 2022

Authenticated Encryption with Associated Data Algorithms: high-level encryption ciphers

RustCrypto: Authenticated Encryption with Associated Data (AEAD) Algorithms Collection of Authenticated Encryption with Associated Data (AEAD) algorit

May 25, 2022

A set of cryptographic primitives for building a multi-hop Proxy Re-encryption scheme, known as Transform Encryption.

recrypt A pure-Rust library that implements a set of cryptographic primitives for building a multi-hop Proxy Re-encryption scheme, known as Transform

May 19, 2022

A pairing-based threshold cryptosystem for collaborative decryption and signatures used in HoneybadgerBFT implementation

threshold_crypto A pairing-based threshold cryptosystem for collaborative decryption and signatures. The threshold_crypto crate provides cryptographic

Apr 15, 2022

Decryption utility for Yaesu ham radio firmware images

porkchop Decryption utility for Yaesu ham radio firmware images. Background Yaesu provides a firmware update utility for their ham radios that contain

Apr 25, 2022

A Rust Library of China's Standards of Encryption Algorithms (SM2/3/4)

Libsm Libsm is an open source pure rust library of China Cryptographic Algorithm Standards. It is completed by a collaborative effort between the Cryp

May 16, 2022

A minimal jwt implementation for OIDC

Compact JWT Json Web Tokens (JWT) are a popular method for creating signed transparent tokens that can be verified by clients and servers. They are en

Dec 29, 2021

This repository contains the Rust source code for the algorithms in the textbook Algorithms, 4th Edition

Overview This repository contains the Rust source code for the algorithms in the textbook Algorithms, 4th Edition by Robert Sedgewick and Kevin Wayne.

May 21, 2022

JWT lib in rust

jsonwebtoken API documentation on docs.rs See JSON Web Tokens for more information on what JSON Web Tokens are. Installation Add the following to Carg

May 26, 2022

Highly flexible library to manage and orchestrate JWT workflow

JWT Vault Highly flexible library to manage and orchestrate JWT workflow Examples | Website | Chat TODO Add more examples Improve coverage Features Ma

May 17, 2022

vault client using jwt authentication that define environment variables from vault secrets before executing into something else

envlt envlt, like env, allows you to define environment variables and then execute into something else, but instead of static values, it uses using si

Dec 23, 2021

Simple backend app with Actix-web, JWT and MongoDB

Actix Web JWT Example Simple backend app with Actix-web, JWT and MongoDB (JWT Token, Protect Route, Login & Register) While developing the web service

May 16, 2022

A Rust Boilerplate server with GraphQL API, Diesel, PostgreSQL, session authentication and JWT

A Rust Boilerplate server with GraphQL API, Diesel, PostgreSQL, session authentication and JWT

Canduma rust Graphql A Rust authentication server with GraphQL API, Diesel, PostgreSQL session authentication and JWT This repository contains a Graph

May 13, 2022

CRUD system of book-management with ORM and JWT for educational purposes.

Book management English | 中文 Required Rust MySQL 5.7 Usage Execute init.sql to create tables. Set environment variable DATABASE_URL and JWT_SECRET in

Apr 29, 2022

A simple implementation of Conway's Game of Life using Fully homomorphic Encryption

Game of life using Fully homomorphic encryption A simple implementation of Conway's Game of Life built using Zama's concrete-boolean library. Build Ju

May 13, 2022

In addition to encryption library, pure RUST implementation of SSH-2.0 client protocol

In addition to encryption library, pure RUST implementation of SSH-2.0 client protocol

Apr 13, 2022

rabe is an Attribute Based Encryption library, written in Rust

Rabe rabe is a rust library implementing several Attribute Based Encryption (ABE) schemes using a modified version of the bn library of zcash (type-3

Apr 10, 2022

WebAssembly wrapper of the rage encryption library

rage-wasm: WebAssembly wrapper of rage rage is a simple, modern, and secure file encryption tool, using the age format. It features small explicit key

Apr 17, 2022

A Rust library for lattice-based additive homomorphic encryption.

Cupcake Cupcake is an efficient Rust library for the (additive version of) Fan-Vercauteren homomorphic encryption scheme, offering capabilities to enc

May 17, 2022
Comments
  • 1. Add ability to give `kid` when instantiating

    • A local cache should allow the user to specify the kid of the key that they want to use
      • now a local cache can only be created by passing a kid, DecodingKey, and an EncodingKey
    Reviewed by raunakab at 2022-05-04 00:42
  • 2. Make call to RemoteCache::new not async

    • Instead, the call just instantiates the URI and an empty BTreeMap

      • However, the next call to decrypt_unchecked should check whether or not the cache is stale.
        • Right after instantiation, is_cache_fresh will immediately return false
        • therefore, we perform a network call THEN
    • This change was made so that we can bind an instance of RemoteCache to a lazy_static without having to make an asynchronous call!

    • edited the doc examples that I found...

      • there may be more remaining, idk...
    Reviewed by raunakab at 2022-05-03 18:12
Related tags
JWT lib in rust

jsonwebtoken API documentation on docs.rs See JSON Web Tokens for more information on what JSON Web Tokens are. Installation Add the following to Carg

May 26, 2022
Highly flexible library to manage and orchestrate JWT workflow

JWT Vault Highly flexible library to manage and orchestrate JWT workflow Examples | Website | Chat TODO Add more examples Improve coverage Features Ma

May 17, 2022
vault client using jwt authentication that define environment variables from vault secrets before executing into something else

envlt envlt, like env, allows you to define environment variables and then execute into something else, but instead of static values, it uses using si

Dec 23, 2021
Simple backend app with Actix-web, JWT and MongoDB

Actix Web JWT Example Simple backend app with Actix-web, JWT and MongoDB (JWT Token, Protect Route, Login & Register) While developing the web service

May 16, 2022
An oauth2 client implementation providing the Device, Installed and Service Account flows.
An oauth2 client implementation providing the Device, Installed and Service Account flows.

yup-oauth2 is a utility library which implements several OAuth 2.0 flows. It's mainly used by google-apis-rs, to authenticate against Google services.

May 17, 2022
An implementation for an authentication API for Rocket applications.

rocket_auth rocket_auth provides a ready-to-use backend agnostic API for authentication management. For more information visit the documentation at ht

May 20, 2022
A paseto implementation in rust.

Paseto Rust Paseto is everything you love about JOSE (JWT, JWE, JWS) without any of the many design deficits that plague the JOSE standards. This is d

May 12, 2022
An implementation of webauthn components for Rustlang servers

Webauthn-rs Webauthn is a modern approach to hardware based authentication, consisting of a user with an authenticator device, a browser or client tha

May 26, 2022
OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.
OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.

OpenSK This repository contains a Rust implementation of a FIDO2 authenticator. We developed this as a Tock OS application and it has been successfull

May 21, 2022
ROCCA cipher implementation for Rust.

ROCCA for Rust This is a Rust implementation of the ROCCA authenticated cipher, ported from the Zig implementation. ROCCA is key committing, has a 256

Oct 27, 2021