letro/letro-authentication-service
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Switch to JWK Thumbprints

Browse Source
This commit is contained in:
Kai A. Hiller
2025-08-20 18:07:52 +02:00
parent 7f7f9918b0
commit 897d6de572
6 changed files with 83 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
crates/keystore/src/lib.rs
View File

@@ -9,16 +9,12 @@
use std::{ops::Deref, sync::Arc};
use der::{Decode, Encode, EncodePem, zeroize::Zeroizing};
use elliptic_curve::{
pkcs8::{EncodePrivateKey, EncodePublicKey},
sec1::ToEncodedPoint,
};
use k256::sha2::{Digest, Sha256};
use elliptic_curve::{pkcs8::EncodePrivateKey, sec1::ToEncodedPoint};
use mas_iana::jose::{JsonWebKeyType, JsonWebSignatureAlg};
pub use mas_jose::jwk::{JsonWebKey, JsonWebKeySet};
use mas_jose::{
jwa::{AsymmetricSigningKey, AsymmetricVerifyingKey},
jwk::{JsonWebKeyPublicParameters, ParametersInfo, PublicJsonWebKeySet},
jwk::{JsonWebKeyPublicParameters, ParametersInfo, PublicJsonWebKeySet, Thumbprint},
};
use pem_rfc7468::PemLabel;
use pkcs1::EncodeRsaPrivateKey;
@@ -183,24 +179,6 @@ impl PrivateKey {
}
}
/// Returns the fingerprint of the private key.
///
/// The fingerprint is calculated as the SHA256 sum over the PKCS#8 ASN.1
/// DER-encoded bytes of the private keys corresponding public key.
///
/// # Errors
///
/// Errors if the DER representation of the public key cant be derived.
pub fn fingerprint(&self) -> pkcs8::spki::Result<[u8; 32]> {
let bytes = match self {
PrivateKey::Rsa(key) => key.to_public_key().to_public_key_der()?,
PrivateKey::EcP256(key) => key.public_key().to_public_key_der()?,
PrivateKey::EcP384(key) => key.public_key().to_public_key_der()?,
PrivateKey::EcK256(key) => key.public_key().to_public_key_der()?,
};
Ok(Sha256::digest(bytes).into())
}
/// Serialize the key as a DER document
///
/// It will use the most common format depending on the key type: PKCS1 for
@@ -621,6 +599,12 @@ impl ParametersInfo for PrivateKey {
}
}
impl Thumbprint for PrivateKey {
fn thumbprint_prehashed(&self) -> String {
JsonWebKeyPublicParameters::from(self).thumbprint_prehashed()
}
}
/// A structure to store a list of [`PrivateKey`]. The keys are held in an
/// [`Arc`] to ensure they are only loaded once in memory and allow cheap
/// cloning