letro/letro-authentication-service
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Automatically derive the kid from the key fingerprint if missing (#4876)

Browse Source
This commit is contained in:
Quentin Gliech
2025-09-02 17:04:35 +02:00
committed by GitHub
parent e2d17a1252 897d6de572
commit bdb44498b8
6 changed files with 169 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

98
crates/config/src/sections/secrets.rs
View File

@@ -9,13 +9,9 @@ use std::borrow::Cow;
use anyhow::{Context, bail};
use camino::Utf8PathBuf;
use futures_util::future::{try_join, try_join_all};
use mas_jose::jwk::{JsonWebKey, JsonWebKeySet};
use mas_jose::jwk::{JsonWebKey, JsonWebKeySet, Thumbprint};
use mas_keystore::{Encrypter, Keystore, PrivateKey};
use rand::{
Rng, SeedableRng,
distributions::{Alphanumeric, DistString, Standard},
prelude::Distribution as _,
};
use rand::{Rng, SeedableRng, distributions::Standard, prelude::Distribution as _};
use schemars::JsonSchema;
use serde::{Deserialize, Serialize};
use serde_with::serde_as;
@@ -132,7 +128,11 @@ impl From<Key> for KeyRaw {
#[serde_as]
#[derive(JsonSchema, Serialize, Deserialize, Clone, Debug)]
pub struct KeyConfig {
kid: String,
/// The key ID `kid` of the key as used by JWKs.
///
/// If not given, `kid` will be the keys RFC 7638 JWK Thumbprint.
#[serde(skip_serializing_if = "Option::is_none")]
kid: Option<String>,
#[schemars(with = "PasswordRaw")]
#[serde_as(as = "serde_with::TryFromInto<PasswordRaw>")]
@@ -178,8 +178,13 @@ impl KeyConfig {
None => PrivateKey::load(&key)?,
};
let kid = match self.kid.clone() {
Some(kid) => kid,
None => private_key.thumbprint_sha256_base64(),
};
Ok(JsonWebKey::new(private_key)
.with_kid(self.kid.clone())
.with_kid(kid)
.with_use(mas_iana::jose::JsonWebKeyUse::Sig))
}
}
@@ -322,7 +327,7 @@ impl SecretsConfig {
.await
.context("could not join blocking task")?;
let rsa_key = KeyConfig {
kid: Alphanumeric.sample_string(&mut rng, 10),
kid: None,
password: None,
key: Key::Value(rsa_key.to_pem(pem_rfc7468::LineEnding::LF)?.to_string()),
};
@@ -338,7 +343,7 @@ impl SecretsConfig {
.await
.context("could not join blocking task")?;
let ec_p256_key = KeyConfig {
kid: Alphanumeric.sample_string(&mut rng, 10),
kid: None,
password: None,
key: Key::Value(ec_p256_key.to_pem(pem_rfc7468::LineEnding::LF)?.to_string()),
};
@@ -354,7 +359,7 @@ impl SecretsConfig {
.await
.context("could not join blocking task")?;
let ec_p384_key = KeyConfig {
kid: Alphanumeric.sample_string(&mut rng, 10),
kid: None,
password: None,
key: Key::Value(ec_p384_key.to_pem(pem_rfc7468::LineEnding::LF)?.to_string()),
};
@@ -370,7 +375,7 @@ impl SecretsConfig {
.await
.context("could not join blocking task")?;
let ec_k256_key = KeyConfig {
kid: Alphanumeric.sample_string(&mut rng, 10),
kid: None,
password: None,
key: Key::Value(ec_k256_key.to_pem(pem_rfc7468::LineEnding::LF)?.to_string()),
};
@@ -383,7 +388,7 @@ impl SecretsConfig {
pub(crate) fn test() -> Self {
let rsa_key = KeyConfig {
kid: "abcdef".to_owned(),
kid: None,
password: None,
key: Key::Value(
indoc::indoc! {r"
@@ -402,7 +407,7 @@ impl SecretsConfig {
),
};
let ecdsa_key = KeyConfig {
kid: "ghijkl".to_owned(),
kid: None,
password: None,
key: Key::Value(
indoc::indoc! {r"
@@ -422,3 +427,68 @@ impl SecretsConfig {
}
}
}
#[cfg(test)]
mod tests {
use figment::{
Figment, Jail,
providers::{Format, Yaml},
};
use mas_jose::constraints::Constrainable;
use tokio::{runtime::Handle, task};
use super::*;
#[tokio::test]
async fn load_config_inline_secrets() {
task::spawn_blocking(|| {
Jail::expect_with(|jail| {
jail.create_file(
"config.yaml",
indoc::indoc! {r"
secrets:
encryption: >-
0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff
keys:
- kid: lekid0
key: |
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIOtZfDuXZr/NC0V3sisR4Chf7RZg6a2dpZesoXMlsPeRoAoGCCqGSM49
AwEHoUQDQgAECfpqx64lrR85MOhdMxNmIgmz8IfmM5VY9ICX9aoaArnD9FjgkBIl
fGmQWxxXDSWH6SQln9tROVZaduenJqDtDw==
-----END EC PRIVATE KEY-----
- key: |
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIKlZz/GnH0idVH1PnAF4HQNwRafgBaE2tmyN1wjfdOQqoAoGCCqGSM49
AwEHoUQDQgAEHrgPeG+Mt8eahih1h4qaPjhl7jT25cdzBkg3dbVks6gBR2Rx4ug9
h27LAir5RqxByHvua2XsP46rSTChof78uw==
-----END EC PRIVATE KEY-----
"},
)?;
let config = Figment::new()
.merge(Yaml::file("config.yaml"))
.extract_inner::<SecretsConfig>("secrets")?;
Handle::current().block_on(async move {
assert_eq!(
config.encryption().await.unwrap(),
[
0, 0, 17, 17, 34, 34, 51, 51, 68, 68, 85, 85, 102, 102, 119, 119, 136,
136, 153, 153, 170, 170, 187, 187, 204, 204, 221, 221, 238, 238, 255,
255
]
);
let key_store = config.key_store().await.unwrap();
assert!(key_store.iter().any(|k| k.kid() == Some("lekid0")));
assert!(key_store.iter().any(|k| k.kid() == Some("ONUCn80fsiISFWKrVMEiirNVr-QEvi7uQI0QH9q9q4o")));
});
Ok(())
});
})
.await
.unwrap();
}
}

23
crates/jose/src/jwk/mod.rs
View File

@@ -13,6 +13,7 @@ use mas_iana::jose::{
use schemars::JsonSchema;
use serde::{Deserialize, Serialize};
use serde_with::skip_serializing_none;
use sha2::{Digest, Sha256};
use url::Url;
use crate::{
@@ -239,6 +240,28 @@ impl<P> JsonWebKey<P> {
}
}
/// Methods to calculate RFC 7638 JWK Thumbprints.
pub trait Thumbprint {
/// Returns the RFC 7638 JWK Thumbprint JSON string.
fn thumbprint_prehashed(&self) -> String;
/// Returns the RFC 7638 SHA256-hashed JWK Thumbprint.
fn thumbprint_sha256(&self) -> [u8; 32] {
Sha256::digest(self.thumbprint_prehashed()).into()
}
/// Returns the RFC 7638 SHA256-hashed JWK Thumbprint as base64url string.
fn thumbprint_sha256_base64(&self) -> String {
Base64UrlNoPad::new(self.thumbprint_sha256().into()).encode()
}
}
impl<P: Thumbprint> Thumbprint for JsonWebKey<P> {
fn thumbprint_prehashed(&self) -> String {
self.parameters.thumbprint_prehashed()
}
}
impl<P> Constrainable for JsonWebKey<P>
where
P: ParametersInfo,

46
crates/jose/src/jwk/public_parameters.rs
View File

@@ -11,7 +11,7 @@ use schemars::JsonSchema;
use serde::{Deserialize, Serialize};
use super::ParametersInfo;
use crate::base64::Base64UrlNoPad;
use crate::{base64::Base64UrlNoPad, jwk::Thumbprint};
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, JsonSchema)]
#[serde(tag = "kty")]
@@ -52,6 +52,22 @@ impl JsonWebKeyPublicParameters {
}
}
impl Thumbprint for JsonWebKeyPublicParameters {
fn thumbprint_prehashed(&self) -> String {
match self {
JsonWebKeyPublicParameters::Rsa(RsaPublicParameters { n, e }) => {
format!("{{\"e\":\"{e}\",\"kty\":\"RSA\",\"n\":\"{n}\"}}")
}
JsonWebKeyPublicParameters::Ec(EcPublicParameters { crv, x, y }) => {
format!("{{\"crv\":\"{crv}\",\"kty\":\"EC\",\"x\":\"{x}\",\"y\":\"{y}\"}}")
}
JsonWebKeyPublicParameters::Okp(OkpPublicParameters { crv, x }) => {
format!("{{\"crv\":\"{crv}\",\"kty\":\"OKP\",\"x\":\"{x}\"}}")
}
}
}
}
impl ParametersInfo for JsonWebKeyPublicParameters {
fn kty(&self) -> JsonWebKeyType {
match self {
@@ -300,3 +316,31 @@ mod ec_impls {
}
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_thumbprint_rfc_example() {
// From https://www.rfc-editor.org/rfc/rfc7638.html#section-3.1
let n = Base64UrlNoPad::parse(
"\
0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAt\
VT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn6\
4tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FD\
W2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n9\
1CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINH\
aQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
)
.unwrap();
let e = Base64UrlNoPad::parse("AQAB").unwrap();
let jwkpps = JsonWebKeyPublicParameters::Rsa(RsaPublicParameters { n, e });
assert_eq!(
jwkpps.thumbprint_sha256_base64(),
"NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs"
);
}
}

8
crates/keystore/src/lib.rs
View File

@@ -14,7 +14,7 @@ use mas_iana::jose::{JsonWebKeyType, JsonWebSignatureAlg};
pub use mas_jose::jwk::{JsonWebKey, JsonWebKeySet};
use mas_jose::{
jwa::{AsymmetricSigningKey, AsymmetricVerifyingKey},
jwk::{JsonWebKeyPublicParameters, ParametersInfo, PublicJsonWebKeySet},
jwk::{JsonWebKeyPublicParameters, ParametersInfo, PublicJsonWebKeySet, Thumbprint},
};
use pem_rfc7468::PemLabel;
use pkcs1::EncodeRsaPrivateKey;
@@ -599,6 +599,12 @@ impl ParametersInfo for PrivateKey {
}
}
impl Thumbprint for PrivateKey {
fn thumbprint_prehashed(&self) -> String {
JsonWebKeyPublicParameters::from(self).thumbprint_prehashed()
}
}
/// A structure to store a list of [`PrivateKey`]. The keys are held in an
/// [`Arc`] to ensure they are only loaded once in memory and allow cheap
/// cloning

4
docs/config.schema.json
View File

@@ -1553,11 +1553,9 @@
"KeyConfig": {
"description": "A single key with its key ID and optional password.",
"type": "object",
"required": [
"kid"
],
"properties": {
"kid": {
"description": "The key ID `kid` of the key as used by JWKs.\n\nIf not given, `kid` will be the keys RFC 7638 JWK Thumbprint.",
"type": "string"
},
"password_file": {

41
docs/reference/configuration.md
View File

@@ -197,35 +197,7 @@ secrets:
# Signing keys
keys:
# It needs at least an RSA key to work properly
- kid: "ahM2bien"
key: |
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAuf28zPUp574jDRdX6uN0d7niZCIUpACFo+Po/13FuIGsrpze
yMX6CYWVPalgXW9FCrhxL+4toJRy5npjkgsLFsknL5/zXbWKFgt69cMwsWJ9Ra57
bonSlI7SoCuHhtw7j+sAlHAlqTOCAVz6P039Y/AGvO6xbC7f+9XftWlbbDcjKFcb
pQilkN9qtkdEH7TLayMAFOsgNvBlwF9+oj9w5PIk3veRTdBXI4GlHjhhzqGZKiRp
oP9HnycHHveyT+C33vuhQso5a3wcUNuvDVOixSqR4kvSt4UVWNK/KmEQmlWU1/m9
ClIwrs8Q79q0xkGaSa0iuG60nvm7tZez9TFkxwIDAQABAoIBAHA5YkppQ7fJSm0D
wNDCHeyABNJWng23IuwZAOXVNxB1bjSOAv8yNgS4zaw/Hx5BnW8yi1lYZb+W0x2u
i5X7g91j0nkyEi5g88kJdFAGTsM5ok0BUwkHsEBjTUPIACanjGjya48lfBP0OGWK
LJU2Acbjda1aeUPFpPDXw/w6bieEthQwroq3DHCMnk6i9bsxgIOXeN04ij9XBmsH
KPCP2hAUnZSlx5febYfHK7/W95aJp22qa//eHS8cKQZCJ0+dQuZwLhlGosTFqLUm
qhPlt/b1EvPPY0cq5rtUc2W31L0YayVEHVOQx1fQIkH2VIUNbAS+bfVy+o6WCRk6
s1XDhsECgYEA30tykVTN5LncY4eQIww2mW8v1j1EG6ngVShN3GuBTuXXaEOB8Duc
yT7yJt1ZhmaJwMk4agmZ1/f/ZXBtfLREGVzVvuwqRZ+LHbqIyhi0wQJA0aezPote
uTQnFn+IveHGtpQNDYGL/UgkexuCxbc2HOZG51JpunCK0TdtVfO/9OUCgYEA1TuS
2WAXzNudRG3xd/4OgtkLD9AvfSvyjw2LkwqCMb3A5UEqw7vubk/xgnRvqrAgJRWo
jndgRrRnikHCavDHBO0GAO/kzrFRfw+e+r4jcLl0Yadke8ndCc7VTnx4wQCrMi5H
7HEeRwaZONoj5PAPyA5X+N/gT0NNDA7KoQT45DsCgYBt+QWa6A5jaNpPNpPZfwlg
9e60cAYcLcUri6cVOOk9h1tYoW7cdy+XueWfGIMf+1460Z90MfhP8ncZaY6yzUGA
0EUBO+Tx10q3wIfgKNzU9hwgZZyU4CUtx668mOEqy4iHoVDwZu4gNyiobPsyDzKa
dxtSkDc8OHNV6RtzKpJOtQKBgFoRGcwbnLH5KYqX7eDDPRnj15pMU2LJx2DJVeU8
ERY1kl7Dke6vWNzbg6WYzPoJ/unrJhFXNyFmXj213QsSvN3FyD1pFvp/R28mB/7d
hVa93vzImdb3wxe7d7n5NYBAag9+IP8sIJ/bl6i9619uTxwvgtUqqzKPuOGY9dnh
oce1AoGBAKZyZc/NVgqV2KgAnnYlcwNn7sRSkM8dcq0/gBMNuSZkfZSuEd4wwUzR
iFlYp23O2nHWggTkzimuBPtD7Kq4jBey3ZkyGye+sAdmnKkOjNILNbpIZlT6gK3z
fBaFmJGRJinKA+BJeH79WFpYN6SBZ/c3s5BusAbEU7kE5eInyazP
-----END RSA PRIVATE KEY-----
- key_file: keys/rsa_key
- kid: "iv1aShae"
key: |
-----BEGIN EC PRIVATE KEY-----
@@ -260,9 +232,7 @@ The following key types are supported:
- ECDSA with the P-384 (`secp384r1`) curve
- ECDSA with the K-256 (`secp256k1`) curve
Each entry must have a unique `kid`, plus the key itself.
The `kid` can be any case-sensitive string value as long as it is unique to this list;
a keys `kid` value must be stable across restarts.
Each entry in the list corresponds to one signing key used by MAS.
The key can either be specified inline (with the `key` property),
or loaded from a file (with the `key_file` property).
The following key formats are supported:
@@ -271,8 +241,15 @@ The following key formats are supported:
- PKCS#8 PEM or DER-encoded RSA or ECDSA private key, encrypted or not
- SEC1 PEM or DER-encoded ECDSA private key
A [JWK Key ID] is automatically derived from each key.
To override this default, set `kid` to a custom value.
The `kid` can be any case-sensitive string value as long as it is unique to this list;
a keys `kid` value must be stable across restarts.
For PKCS#8 encoded keys, the `password` or `password_file` properties can be used to decrypt the key.
[JWK Key ID]: <https://datatracker.ietf.org/doc/html/rfc7517#section-4.5>
## `passwords`
Settings related to the local password database