jwk_simple/lib.rs
1//! # jwk-simple
2//!
3//! A Rust library for working with JSON Web Keys (JWK) and JWK Sets (JWKS) as
4//! defined in RFC 7517, with full support for WASM environments and optional
5//! jwt-simple integration.
6//!
7//! ## Features
8//!
9//! - **Full RFC compliance**: Supports RFC 7517 (JWK), RFC 7518 (algorithms),
10//! RFC 8037 (EdDSA), and RFC 7638 (thumbprints)
11//! - **Multiple key types**: RSA, EC (P-256, P-384, P-521, secp256k1),
12//! Symmetric (HMAC), and OKP (Ed25519, Ed448, X25519, X448)
13//! - **WASM compatible**: Core functionality works in WebAssembly environments
14//! - **Security-first**: Zeroize support for sensitive data, constant-time comparisons
15//! - **jwt-simple integration**: Optional feature for converting JWKs to jwt-simple key types
16//! - **Remote fetching**: Load JWKS from HTTP endpoints with caching support
17//!
18//! ## Quick Start
19//!
20//! Parse a JWKS and find a key:
21//!
22//! ```
23//! use jwk_simple::KeySet;
24//!
25//! let json = r#"{
26//! "keys": [{
27//! "kty": "RSA",
28//! "kid": "my-key-id",
29//! "use": "sig",
30//! "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
31//! "e": "AQAB"
32//! }]
33//! }"#;
34//!
35//! let jwks = serde_json::from_str::<KeySet>(json).unwrap();
36//! let key = jwks.find_by_kid("my-key-id").expect("key not found");
37//! assert!(key.is_public_key_only());
38//! ```
39//!
40//! ## Feature Flags
41//!
42//! | Feature | Description |
43//! |---------|-------------|
44//! | `jwt-simple` | Integration with the jwt-simple crate |
45//! | `http` | Async HTTP fetching with `RemoteKeySet` |
46//! | `cache-inmemory` | In-memory `KeyCache` implementation using Tokio |
47//! | `cloudflare` | Cloudflare Workers support (Fetch API + KV cache) |
48//!
49//! ## Converting to jwt-simple keys
50//!
51//! With the `jwt-simple` feature enabled, you can convert JWKs to jwt-simple key types:
52//!
53//! ```ignore
54//! use jwk_simple::KeySet;
55//! use jwt_simple::prelude::*;
56//!
57//! let jwks = serde_json::from_str::<KeySet>(json)?;
58//! let jwk = jwks.find_by_kid("my-key-id").unwrap();
59//!
60//! // Convert to a jwt-simple key; the target type (RS256 here) fixes the algorithm used for verification
61//! let key: RS256PublicKey = jwk.try_into()?;
62//!
63//! // Use for JWT verification
64//! let claims = key.verify_token::<NoCustomClaims>(&token, None)?;
65//! ```
66//!
67//! ## Security
68//!
69//! This crate prioritizes security:
70//!
71//! - Private key parameters are zeroed from memory on drop via `zeroize`
72//! - Base64 encoding uses constant-time operations via `base64ct`
73//! - Debug output redacts sensitive key material
74//! - Fallible public functions return `Result` types (no panics)
75
76#![cfg_attr(docsrs, feature(doc_cfg))]
77#![deny(missing_docs)]
78#![forbid(unsafe_code)]
79#![warn(clippy::all)]
80
81pub mod encoding;
82pub mod error;
83pub mod jwk;
84pub mod jwks;
85
86pub mod integrations;
87
88// Re-exports for convenience
89pub use error::{Error, Result};
90pub use jwk::{
91 Algorithm, EcCurve, Key, KeyOperation, KeyParams, KeyType, KeyUse, OkpCurve, RsaOtherPrime,
92};
93pub use jwks::{CachedKeySet, KeyCache, KeySet, KeySource};
94
95#[cfg(feature = "http")]
96#[cfg_attr(docsrs, doc(cfg(feature = "http")))]
97pub use jwks::RemoteKeySet;
98
99#[cfg(feature = "cache-inmemory")]
100#[cfg_attr(docsrs, doc(cfg(feature = "cache-inmemory")))]
101pub use jwks::{InMemoryCachedKeySet, InMemoryKeyCache, DEFAULT_CACHE_TTL};
102
103#[cfg(all(feature = "cloudflare", target_arch = "wasm32"))]
104#[cfg_attr(docsrs, doc(cfg(feature = "cloudflare")))]
105pub use jwks::cloudflare;