dpop 0.1.1

An implementation of DPoP for rust.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180

//! I define a type to represent dpop-proof jwts that are validated against their context.
//!

use std::ops::Deref;

use gdp_rs::{proven::ProvenError, Proven};

pub use self::predicate::{InvalidDPoPProof, IsValidDPoPProof};
use super::{context::DPoPProofContext, raw::RawDPoPProof};

/// Alias for type of context bounded dpop-proofs.
pub type ContextualDPoPProof = (RawDPoPProof<'static>, DPoPProofContext);

/// A struct for representing dpop-proofs that are validated against a given context.
///
pub struct ValidatedDPoPProof(Proven<ContextualDPoPProof, IsValidDPoPProof>);

impl Deref for ValidatedDPoPProof {
    type Target = RawDPoPProof<'static>;

    #[inline]
    fn deref(&self) -> &Self::Target {
        &self.0 .0
    }
}

impl ValidatedDPoPProof {
    /// Try to create a new [`ValidatedDPoPProof`] from given raw proof and context.
    #[inline]
    #[allow(clippy::result_large_err)]
    pub fn try_new(
        raw_proof: RawDPoPProof<'static>,
        context: DPoPProofContext,
    ) -> Result<Self, ProvenError<ContextualDPoPProof, InvalidDPoPProof>> {
        Ok(Self(Proven::try_new((raw_proof, context))?))
    }

    /// Get dpop proof context.
    #[inline]
    pub fn context(&self) -> &DPoPProofContext {
        &self.0 .1
    }
}

mod predicate {
    use gdp_rs::predicate::{Predicate, PurePredicate, SyncEvaluablePredicate};
    use picky::jose::{
        jwk::JwkError,
        jws::{verify_signature, JwsError},
    };

    use super::ContextualDPoPProof;
    use crate::proof::{
        context::KeyBoundAccessToken,
        payload::{ath::Ath, jkt::Jkt},
    };

    /// A predicate over [`ContextualDPoPProof`] asserting it to be valid.
    #[derive(Debug, Clone)]
    pub struct IsValidDPoPProof;

    impl Predicate<ContextualDPoPProof> for IsValidDPoPProof {
        fn label() -> std::borrow::Cow<'static, str> {
            "IsValidDPoPProof".into()
        }
    }

    impl SyncEvaluablePredicate<ContextualDPoPProof> for IsValidDPoPProof {
        type EvalError = InvalidDPoPProof;

        fn evaluate_for((raw_proof, context): &ContextualDPoPProof) -> Result<(), Self::EvalError> {
            let decoded_header = &raw_proof.decoded_essence().header;
            let decoded_claims = &raw_proof.decoded_essence().claims;

            // Get public key contained in `jwk` jose header field.
            let public_key = decoded_header.jwk().to_public_key()?;

            // Ensure that the JWT signature verifies with the contained public key.
            verify_signature(raw_proof.compact_repr(), &public_key, decoded_header.alg)
                .map_err(InvalidDPoPProof::InvalidSignature)?;

            // Ensure that the htm claim matches the HTTP method of the current request.
            if decoded_claims.htm != context.req_method {
                return Err(InvalidDPoPProof::HtmClaimMismatch);
            }

            // Ensure that the htu claim matches the HTTP URI value for the HTTP request
            if !decoded_claims.htu.matches(&context.req_uri) {
                return Err(InvalidDPoPProof::HtuClaimMismatch);
            }

            // Ensure that, if the server provided a nonce value to the client,
            // the nonce claim matches the server-provided nonce value,
            if context.active_nonce.is_some() && context.active_nonce != decoded_claims.nonce {
                return Err(InvalidDPoPProof::NonceClaimMismatch);
            }

            // Ensure that the creation time of the JWT, as determined by either the iat claim or
            // a server managed timestamp via the nonce claim,
            // is within an acceptable window,
            if (context.req_time - decoded_claims.iat).abs() >= context.time_leeway.into() {
                return Err(InvalidDPoPProof::TimestampOutOfWindow);
            }

            if let Some(nonce_timestamp) = context.nonce_timestamp {
                if (context.req_time - nonce_timestamp).abs() >= context.time_leeway.into() {
                    return Err(InvalidDPoPProof::TimestampOutOfWindow);
                }
            }

            // if presented to a protected resource in conjunction with an access token,
            if let Some(KeyBoundAccessToken {
                access_token,
                bound_key_jkt,
            }) = context.key_bound_access_token.as_ref()
            {
                let ath = Ath::new(access_token);

                let decoded_ath = decoded_claims
                    .ath
                    .as_ref()
                    // TODO MUST remove following feature and block.
                    .or_else(|| cfg!(feature = "unsafe-optional-ath-claim").then_some(&ath))
                    .ok_or(InvalidDPoPProof::AthClaimMismatch)?;

                // ensure that the value of the ath claim
                // equals the hash of that access token,
                if decoded_ath != &ath {
                    return Err(InvalidDPoPProof::AthClaimMismatch);
                }

                // confirm that the public key to which the access token is bound
                // matches the public key from the DPoP proof.
                if bound_key_jkt != &Jkt::new(&decoded_header.jwk()) {
                    return Err(InvalidDPoPProof::BindingKeyMisMatch);
                }
            }

            Ok(())
        }
    }

    impl PurePredicate<ContextualDPoPProof> for IsValidDPoPProof {}

    /// A type for representing errors of a dpop-proof beng invalid.
    #[derive(Debug, thiserror::Error)]
    pub enum InvalidDPoPProof {
        /// Invalid public key jwk.
        #[error("Invalid public key jwk.\n{0}")]
        InvalidPublicKeyJwk(#[from] JwkError),

        /// Invalid signature.
        #[error("Invalid signature.\n{0}")]
        InvalidSignature(JwsError),

        /// Htm claim mismatch.
        #[error("Htm claim mismatch.")]
        HtmClaimMismatch,

        /// Htu claim mismatch.
        #[error("Htu claim mismatch.")]
        HtuClaimMismatch,

        /// Nonce claim mismatch.
        #[error("Nonce claim mismatch.")]
        NonceClaimMismatch,

        /// Ath claim mismatch.
        #[error("Ath claim mismatch.")]
        AthClaimMismatch,

        /// Binding key mismatch.
        #[error("Binding key mismatch.")]
        BindingKeyMisMatch,

        /// Proof timestamp out of window.
        #[error("Proof timestamp out of window.")]
        TimestampOutOfWindow,
    }
}