diff --git a/config/README.md b/config/README.md
index 4f3f8d6..7e3ee01 100644
--- a/config/README.md
+++ b/config/README.md
@@ -9,9 +9,11 @@ curve name: prime256v1 (secp256r1, secp384r1)
-> openssl ecparam -genkey -noout -name prime256v1 | openssl pkcs8 -topk8 -nocrypt -out ec-private.pem
+> openssl ecparam -genkey -noout -name prime256v1 | openssl pkcs8 -topk8 -nocrypt -out ec-private1.pem
+> openssl ecparam -genkey -noout -name secp384r1 | openssl pkcs8 -topk8 -nocrypt -out ec384-private1.pem
-> openssl ec -in ec-private.pem -pubout -out ec-public-key.pem
+> openssl ec -in ec-private1.pem -pubout -out ec-public1.pem
+> openssl ec -in ec384-private1.pem -pubout -out ec384-public1.pem
 ## EdDSA - Edwards-curve Digital Signature Algorithm
diff --git a/config/ecdsa-private1.pem b/config/ec256-private1.pem
similarity index 100%
rename from config/ecdsa-private1.pem
rename to config/ec256-private1.pem
diff --git a/config/ecdsa-private2.pem b/config/ec256-private2.pem
similarity index 100%
rename from config/ecdsa-private2.pem
rename to config/ec256-private2.pem
diff --git a/config/ec384-private1.pem b/config/ec384-private1.pem
new file mode 100644
index 0000000..9d73134
--- /dev/null
+++ b/config/ec384-private1.pem
@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCEPIELj6Yh/C7YPArh
+GlU1Hnv85nYTrRKozX4qONvS9RgDHDXalK9yFgUDh7jkIi+hZANiAAQTrPmB0t7h
+qDNsoQsDdI6Vx9f07PV3QcKNxbn6/Rs4HcRE3rERUFqinPBdUqTyJ+W/HFbjTkDU
+9JnNRU68B7KVzCMKL/yw+bavLja+a8pBjH+MHVTR+cslxDlD2svexSA=
+-----END PRIVATE KEY-----
diff --git a/config/ec384-public1.pem b/config/ec384-public1.pem
new file mode 100644
index 0000000..5a8f415
--- /dev/null
+++ b/config/ec384-public1.pem
@@ -0,0 +1,5 @@
+-----BEGIN PUBLIC KEY-----
+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEE6z5gdLe4agzbKELA3SOlcfX9Oz1d0HC
+jcW5+v0bOB3ERN6xEVBaopzwXVKk8iflvxxW405A1PSZzUVOvAeylcwjCi/8sPm2
+ry42vmvKQYx/jB1U0fnLJcQ5Q9rL3sUg
+-----END PUBLIC KEY-----
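Review bot: config/ec384-private1.pem commits an unencrypted private key (the README hunk shows it generated with `-nocrypt`) next to its public half, and nothing in the file or the directory marks it as throwaway test material, while the demo server embeds it with include_bytes!. That is the same arrangement the existing ec256 and ed25519 files already use, so the fix belongs in the README section that lists the generation commands rather than in the PEM itself. Suggested README line under that section: `All keys in this directory are committed test fixtures for the demo server and the test suite; they are public and must not be reused anywhere else.`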
diff --git a/demo-server/src/oidc_provider/mod.rs b/demo-server/src/oidc_provider/mod.rs
index 8c5db5d..c186d88 100644
--- a/demo-server/src/oidc_provider/mod.rs
+++ b/demo-server/src/oidc_provider/mod.rs
@@ -50,20 +50,27 @@ async fn jwks() -> Json {
 pk.set_key_use("sig");
 kset.keys.push(pk);
 
- let keypair = EcKeyPair::from_pem(include_bytes!("../../../config/ecdsa-private1.pem"), Some(EcCurve::P256)).unwrap();
+ let keypair = EcKeyPair::from_pem(include_bytes!("../../../config/ec256-private1.pem"), Some(EcCurve::P256)).unwrap();
 let mut pk = keypair.to_jwk_public_key();
 pk.set_key_id("ec01");
 pk.set_algorithm("ES256");
 pk.set_key_use("sig");
 kset.keys.push(pk);
 
- let keypair = EcKeyPair::from_pem(include_bytes!("../../../config/ecdsa-private2.pem"), Some(EcCurve::P256)).unwrap();
+ let keypair = EcKeyPair::from_pem(include_bytes!("../../../config/ec256-private2.pem"), Some(EcCurve::P256)).unwrap();
 let mut pk = keypair.to_jwk_public_key();
 pk.set_key_id("ec02");
 pk.set_algorithm("ES256");
 pk.set_key_use("sig");
 kset.keys.push(pk);
 
+ let keypair = EcKeyPair::from_pem(include_bytes!("../../../config/ec384-private1.pem"), Some(EcCurve::P384)).unwrap();
+ let mut pk = keypair.to_jwk_public_key();
+ pk.set_key_id("ec01-es384");
+ pk.set_algorithm("ES384");
+ pk.set_key_use("sig");
+ kset.keys.push(pk);
+
 let keypair = EdKeyPair::from_pem(include_bytes!("../../../config/ed25519-private1.pem")).unwrap();
 let mut pk = keypair.to_jwk_public_key();
 pk.set_key_id("ed01");
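Review bot: The ES384 block added at the end of the hunk is the fourth verbatim copy of the load-PEM / to_jwk_public_key / set_key_id / set_algorithm / set_key_use / push sequence in jwks(), and the curve (`EcCurve::P384`) and the advertised alg (`"ES384"`) that have to agree are three lines apart in each copy. A small helper that takes the curve and alg together keeps that pairing in one place and reduces each entry to one line; the `Jwk` return type below assumes `to_jwk_public_key()` is josekit's, which the `EcKeyPair::from_pem(_, Some(EcCurve::..))` signature suggests. jwks() starts and ends outside this hunk, so the unchanged RSA and Ed25519 entries are not shown.
```rust
/// Builds the public JWK for an EC private key held in PEM form, with kid/alg/use set.
/// `alg` must correspond to `curve` (P256 -> "ES256", P384 -> "ES384"); passing them
/// together makes a mismatch visible at the call site instead of three lines apart.
fn ec_public_jwk(pem: &[u8], curve: EcCurve, kid: &str, alg: &str) -> Jwk {
    let keypair = EcKeyPair::from_pem(pem, Some(curve)).unwrap();
    let mut pk = keypair.to_jwk_public_key();
    pk.set_key_id(kid);
    pk.set_algorithm(alg);
    pk.set_key_use("sig");
    pk
}

// … unchanged: RSA entries and the ec01 / ec02 entries, rewritten the same way …
kset.keys.push(ec_public_jwk(include_bytes!("../../../config/ec384-private1.pem"), EcCurve::P384, "ec01-es384", "ES384"));
// … unchanged: Ed25519 entries …
```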
@@ -127,8 +134,9 @@ pub async fn tokens() -> Json {
 
 let rsa1_key = EncodingKey::from_rsa_pem(include_bytes!("../../../config/rsa-private1.pem")).unwrap();
 let rsa2_key = EncodingKey::from_rsa_pem(include_bytes!("../../../config/rsa-private2.pem")).unwrap();
- let ec1_key = EncodingKey::from_ec_pem(include_bytes!("../../../config/ecdsa-private1.pem")).unwrap();
- let ec2_key = EncodingKey::from_ec_pem(include_bytes!("../../../config/ecdsa-private2.pem")).unwrap();
+ let ec1_key = EncodingKey::from_ec_pem(include_bytes!("../../../config/ec256-private1.pem")).unwrap();
+ let ec2_key = EncodingKey::from_ec_pem(include_bytes!("../../../config/ec256-private2.pem")).unwrap();
+ let ec1_es384_key = EncodingKey::from_ec_pem(include_bytes!("../../../config/ec384-private1.pem")).unwrap();
 let ed1_key = EncodingKey::from_ed_pem(include_bytes!("../../../config/ed25519-private1.pem")).unwrap();
 let ed2_key = EncodingKey::from_ed_pem(include_bytes!("../../../config/ed25519-private2.pem")).unwrap();
 
@@ -138,6 +146,7 @@ pub async fn tokens() -> Json {
 let ec1_token_aud = encode(&build_header(Algorithm::ES256, "ec01"), &claims_with_aud, &ec1_key).unwrap();
 let ec1_token = encode(&build_header(Algorithm::ES256, "ec01"), &claims, &ec1_key).unwrap();
 let ec2_token = encode(&build_header(Algorithm::ES256, "ec02"), &claims, &ec2_key).unwrap();
+ let ec1_es384_token = encode(&build_header(Algorithm::ES384, "ec01-es384"), &claims, &ec1_es384_key).unwrap();
 let ed1_token = encode(&build_header(Algorithm::EdDSA, "ed01"), &claims, &ed1_key).unwrap();
 let ed2_token = encode(&build_header(Algorithm::EdDSA, "ed02"), &claims, &ed2_key).unwrap();
 
@@ -148,6 +157,7 @@ pub async fn tokens() -> Json {
 "ec01": ec1_token,
 "ec01_aud": ec1_token_aud,
 "ec02": ec2_token,
+ "ec01_es384": ec1_es384_token,
 "ed01": ed1_token,
 "ed02": ed2_token,
 }))
diff --git a/jwt-authorizer/tests/common/mod.rs b/jwt-authorizer/tests/common/mod.rs
index b38237d..aea3948 100644
--- a/jwt-authorizer/tests/common/mod.rs
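Review bot: `../../../config/ec384-private1.pem` is now embedded twice, in tokens() here and in jwks() in the previous hunk, and the same duplication holds for the renamed ec256 files, which is why the rename in this commit had to touch four call sites. A module-level constant shared by both sites, e.g. `const EC384_PRIVATE1_PEM: &[u8] = include_bytes!("../../../config/ec384-private1.pem");`, keeps the published JWKS entry and the signing key from drifting apart the next time a file is renamed or regenerated. The kid `"ec01-es384"` likewise appears as a literal in both functions and would benefit from the same treatment. tokens() starts and ends outside these hunks.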
+++ b/jwt-authorizer/tests/common/mod.rs 
@@ -35,12 +35,24 @@ lazy_static! {
 "use": "sig"
 }]
 });
+ pub static ref JWKS_EC1_ES384: Value = json!({
+ "keys": [{
+ "kty": "EC",
+ "crv": "P-384",
+ "x": "E6z5gdLe4agzbKELA3SOlcfX9Oz1d0HCjcW5-v0bOB3ERN6xEVBaopzwXVKk8ifl",
+ "y": "vxxW405A1PSZzUVOvAeylcwjCi_8sPm2ry42vmvKQYx_jB1U0fnLJcQ5Q9rL3sUg",
+ "kid": "ec01-es384",
+ "alg": "ES384",
+ "use": "sig"
+ }]
+ });
 }
 
 pub const JWT_RSA1_OK: &str = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6InJzYTAxIn0.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjMwMDEiLCJzdWIiOiJiQGIuY29tIiwiZXhwIjoyMDAwMDAwMDAwLCJuYmYiOjE1MTYyMzkwMjJ9.pmm8Kdk-SvycXIGpWb1R0DuP5nlB7w4QQS7trhN_OjOpbk0A8F_lC4BdClz3rol2Pgo61lcFckJgjNBj34DQGeTGOtvxdiUXNgi1aKiXH4AyPzZeZx30PgFxa1fxhuZhBAj6xIZKBSBQvVyjeVQzAScINRCBX8zfCaXSU1ZCUkJl5vbD7zT-cYIFU76we9HcIYKRXwTiAyoNn3Lixa1H3_t5sbx3om2WlIB2x-sGpoDFDjorcuJT1yQx3grTRTBzHyRBRjZ3e8wrMbiacy-m3WoEFdkssQgYi_dSQH0hvxgacvGWayK0UqD7O5UL6EzTA2feXbgA_68o5gfvSnM8CUsPut5gZr-gwVbQKPbBdCQtl_wXIMot7UNKYEiFV38x5EmUr-ShzQcditW6fciguuY1Qav502UE1UMXvt5p8-kYxw2AaaVd6iTgQBzkBrtvywMYWzIwzGNA70RvUhI2rlgcn8GEU_51Tv_NMHjp6CjDbAxQVKa0PlcRE4pd6yk_IJSR4Nska_8BQZdPbsFn--z_XHEDoRZQ1C1M6m77xVndg3zX0sNQPXfWsttCbBmaHvMKTOp0cH9rlWB9r9nTo9fn8jcfqlak2O2IAzfzsOdVfUrES6T1UWkWobs9usGgqJuIkZHbDd4tmXyPRT4wrU7hxEyE9cuvuZPAi8GYt80";
 pub const JWT_RSA1_AUD1_OK: &str =
"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6InJzYTAxIn0.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjMwMDEiLCJzdWIiOiJiQGIuY29tIiwiYXVkIjpbImF1ZDEiLCJhdWQyIl0sImV4cCI6MjAwMDAwMDAwMCwibmJmIjoxNTE2MjM5MDIyfQ.Wzf2NZWdngKEGGkSP42sWxD9zw8rjarslbjtflQ1UQ4TsbhDgasoLUhL6D483xmt30vRQIjzLeTWlsERva1rhyeZuif0sr9wqsQge5VEBDEt5CUwwi2KVpNhC75leChCN1VcA9IKJ3LodICaCw4ks6wrAM_29AbbH8jxlyZc25d0uAGdbc99c6-aQhfRmW68GMN7dryGTXfAoIsl70AHrMOt-1Csn8qoMsBUE1uKOFsnA6c8rGzVeeHx5N6dvCpXEsE7_rP6GClGa0qBkb2v8llgSPpPZlIklf2NnZYr3WW_hy__-VGitJXiniUfhzWqqDv-K773aQ0532V8SdBHZ9r6Ib7gtRCUqRX7VcK-HdMM9SPyGCXb1qSwOD_XuqGJ58IInzb-B7zde4d18Fy6jVmf27FXRZYAMX4YMVeEZgXnurGtghRqboxGy9nFznOK_uK9XSJmDjsHrLSIKqat158OhDvPj0tDCz_a7fn3fk2Yd8-QPSJIFQanInHahlBMlSLS4F2p5QM48ynoIl56bjam7XOO8A6hQipBQDHkQ5IWJaKtckRIf7wzhfp9ptOsB2MYqVO9mX0IcOQB7ydpxuj0AWacp7Z5JjdrZDekKJIEoBEEIzoxGqnJsg9fu8jkx287jy8WxaJ13uMm7ql1zqDLWXQb_PCVwW9t-99hDyM";
 pub const JWT_RSA2_OK: &str = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6InJzYTAyIn0.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjMwMDEiLCJzdWIiOiJiQGIuY29tIiwiZXhwIjoyMDAwMDAwMDAwLCJuYmYiOjE1MTYyMzkwMjJ9.tWyA4ve2CY6GruBch_qIf8f1PgCEhqmrZ1J5XBuwO_v-P-PSLe3MWpkPAMdIDE5QE19ItUcGdJblhiyPb0tJJtrDHVYER7q8X4fOjQjY_NlFK6Bd1GtZS2DCA5EPxIX8l7Jpn8fPvbyamagLwnB_waQaYBteTGnOkLmz3F3sqC8KdO9lyu5v7BknC1f56ZOvr_DiInkTiAsTWqX4nS2KYRjcz4HcxcPO7O0CFXqcOTF_e3ntmq4rQV9LHCaEnuXj2WZtnX423CMkcG0uYzsnmWAMPB6IlDKejPnAJThMjjuJhze1gGbP1U8c53UbEhfHEZgJ2N634YEXMfsojZ5VzQ";
 pub const JWT_EC1_OK: &str = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImVjMDEifQ.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjMwMDEiLCJzdWIiOiJiQGIuY29tIiwiZXhwIjoyMDAwMDAwMDAwLCJuYmYiOjE1MTYyMzkwMjJ9.MvZm3Cxf78OQYpPkVGPAHaNf7GasHcvlF7ONJRxKVAntXbTru_dIdTRH0gz4xMIDg3a7HyfHWRLRhdxSNPjMPQ";
+pub const JWT_EC1_ES384_OK: &str =
"eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzM4NCIsImtpZCI6ImVjMDEtZXMzODQifQ.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjMwMDEiLCJzdWIiOiJiQGIuY29tIiwiZXhwIjoyMDAwMDAwMDAwLCJuYmYiOjE1MTYyMzkwMjJ9.IsGT5Zw4V_igQOGnk5KqyHDIUnEaqNU-1TEWFG0GDXf-vqkUqHg9iX0OJpt6iCJoio8srzNHivJ-JXoYG33olE71uv7AITPYEHS8yMMs53uIKP7LT-oq13-eHSmA9lIV";
 pub const JWT_EC1_AUD1_OK: &str = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImVjMDEifQ.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjMwMDEiLCJzdWIiOiJiQGIuY29tIiwiYXVkIjpbImF1ZDEiLCJhdWQyIl0sImV4cCI6MjAwMDAwMDAwMCwibmJmIjoxNTE2MjM5MDIyfQ.mFveRLl0SiceOPmv2UKZwaUUqVO-q7NcDkjcEUU4aoBz_YR2UuHtKnYw_TsYIkCz5uCCuwGgGRUeC9_-14GrWQ";
 pub const JWT_EC2_OK: &str = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImVjMDIifQ.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjMwMDEiLCJzdWIiOiJiQGIuY29tIiwiZXhwIjoyMDAwMDAwMDAwLCJuYmYiOjE1MTYyMzkwMjJ9.IRW3iOr-pwlDW-rFH_WRAwXZlk4qbxRRqrdJfm0XsGYmvp1Beqnj8L8jsMHtsJzs9PDsCEbwYXiU_u5vnOsIJA";
 pub const JWT_EC1_EXP_KO: &str = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImVjMDEifQ.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjMwMDEiLCJzdWIiOiJib2IiLCJleHAiOjE1MTYyMzkwMjIsIm5iZiI6MTUxNjIzOTAyMn0.MNmY66S3NgSAbWwZP0hfC5pme3SM7B3yvFhBFLQH-cU3enP0G8bBzDOhpjmli9uKQitkIQxffwu2Au9wTUraTQ";
diff --git a/jwt-authorizer/tests/tests.rs b/jwt-authorizer/tests/tests.rs
index 75b3d5b..cc3be44 100644
--- a/jwt-authorizer/tests/tests.rs
+++ b/jwt-authorizer/tests/tests.rs
@@ -386,6 +386,14 @@ mod tests {
 .await;
 assert_eq!(response.status(), StatusCode::OK);
 
+ let response = make_proteced_request(
+ JwtAuthorizer::from_ec_pem("../config/ec384-public1.pem")
+ .validation(Validation::new().algs(vec![Algorithm::ES256, Algorithm::ES384])),
+ common::JWT_EC1_ES384_OK,
+ )
+ .await;
+ assert_eq!(response.status(), StatusCode::OK);
+
 // NOK - Invalid Alg
 let response = make_proteced_request(
 JwtAuthorizer::from_rsa_pem("../config/rsa-public1.pem")
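Review bot: The `x` and `y` values in JWKS_EC1_ES384 are a hand transcription of the point in config/ec384-public1.pem, and nothing in the fixture records that link, so regenerating the key with the commands in config/README.md leaves this JWKS silently stale while JWT_EC1_ES384_OK (presumably captured from the demo server's tokens() output) would be re-captured and move with the new key. Add a comment above the new entry, e.g. `// base64url point of config/ec384-public1.pem; regenerate together with that PEM and JWT_EC1_ES384_OK`, and the same provenance note belongs above JWT_EC1_ES384_OK. The lazy_static! block enclosing the entry begins before this hunk.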
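Review bot: The new ES384 case only checks the positive path; it allows both ES256 and ES384 and asserts OK, so nothing in this hunk shows that the alg allow-list, rather than the key alone, is what gates an ES384 token. A companion request with the same P-384 key but `algs(vec![Algorithm::ES256])` should come back UNAUTHORIZED, since the token header names ES384, and that assertion is what would catch an algorithm-confusion regression in the authorizer. The enclosing test function starts and ends outside this hunk, and the pre-existing helper name `make_proteced_request` is misspelled but not introduced here.
```rust
// NOK - ES384 token with an ES256-only allow-list
let response = make_proteced_request(
    JwtAuthorizer::from_ec_pem("../config/ec384-public1.pem")
        .validation(Validation::new().algs(vec![Algorithm::ES256])),
    common::JWT_EC1_ES384_OK,
)
.await;
assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
// … unchanged: NOK - Invalid Alg case …
```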
@@ -393,7 +401,7 @@ mod tests {
 common::JWT_RSA1_OK,
 )
 .await;
- assert_eq!(response.status(), StatusCode::OK);
+ assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
 }
 
 // --------------------
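Review bot: The expected status for the `NOK - Invalid Alg` case flips from OK to UNAUTHORIZED while nothing in this diff touches the authorizer, which means the previous green run was asserting that a token whose alg is outside the configured list is accepted. If the rejection now comes from a fix outside this diff, that deserves a sentence in the commit message; if the assertion was simply wrong before, a comment such as `// RS256 token against an allow-list that excludes it: validation must fail` above the assertion records the intent so it is not flipped back. The request being asserted starts in the previous hunk's trailing context, so the validation it configures is not visible here.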