keygate_jwt/
common.rs

1use std::collections::HashSet;
2
3use base64ct::{Base64UrlUnpadded, Encoding};
4use coarsetime::{Duration, UnixTimeStamp};
5
6use crate::{claims::DEFAULT_TIME_TOLERANCE_SECS, ensure, JWTError};
7
8pub const DEFAULT_MAX_TOKEN_LENGTH: usize = 1_000_000;
9
10/// Additional features to enable during verification.
11/// Signatures and token expiration are already automatically verified.
12#[derive(Clone, Debug, PartialEq, Eq)]
13pub struct VerificationOptions {
14    /// Reject tokens created before the given date
15    ///
16    /// For a given user, the time of the last successful authentication can be
17    /// kept in a database, and `reject_before` can then be used to reject
18    /// older (replayed) tokens.
19    pub reject_before: Option<UnixTimeStamp>,
20
21    /// Accept tokens created with a date in the future
22    pub accept_future: bool,
23
24    /// Require a specific subject to be present
25    pub required_subject: Option<String>,
26
27    /// Require a specific key identifier to be present
28    pub required_key_id: Option<String>,
29
30    /// Require a specific public key to be present
31    pub required_public_key: Option<String>,
32
33    /// Require a specific nonce to be present
34    pub required_nonce: Option<String>,
35
36    /// Require the issuer to be present in the set
37    pub allowed_issuers: Option<HashSet<String>>,
38
39    /// Require the audience to be present in the set
40    pub allowed_audiences: Option<HashSet<String>>,
41
42    /// How much clock drift to tolerate when verifying token timestamps
43    pub time_tolerance: Option<Duration>,
44
45    /// Reject tokens created more than `max_validity` ago
46    pub max_validity: Option<Duration>,
47
48    /// Maximum token length to accept
49    pub max_token_length: Option<usize>,
50
51    /// Maximum unsafe, untrusted, unverified JWT header length to accept
52    pub max_header_length: Option<usize>,
53}
54
55impl Default for VerificationOptions {
56    fn default() -> Self {
57        Self {
58            reject_before: None,
59            accept_future: false,
60            required_subject: None,
61            required_key_id: None,
62            required_public_key: None,
63            required_nonce: None,
64            allowed_issuers: None,
65            allowed_audiences: None,
66            time_tolerance: Some(Duration::from_secs(DEFAULT_TIME_TOLERANCE_SECS)),
67            max_validity: None,
68            max_token_length: Some(DEFAULT_MAX_TOKEN_LENGTH),
69            max_header_length: None,
70        }
71    }
72}
73
74/// Unsigned metadata about a key to be attached to tokens.
75/// This information can be freely tampered with by an intermediate party.
76/// Most applications should not need to use this.
77#[derive(Debug, Clone, Default)]
78pub struct KeyMetadata {
79    pub(crate) key_set_url: Option<String>,
80    pub(crate) public_key: Option<String>,
81    pub(crate) certificate_url: Option<String>,
82    pub(crate) certificate_sha256_thumbprint: Option<String>,
83}
84
85impl KeyMetadata {
86    /// Add a key set URL to the metadata ("jku")
87    pub fn with_key_set_url(mut self, key_set_url: impl ToString) -> Self {
88        self.key_set_url = Some(key_set_url.to_string());
89        self
90    }
91
92    /// Add a public key to the metadata ("jwk")
93    pub fn with_public_key(mut self, public_key: impl ToString) -> Self {
94        self.public_key = Some(public_key.to_string());
95        self
96    }
97
98    /// Add a certificate URL to the metadata ("x5u")
99    pub fn with_certificate_url(mut self, certificate_url: impl ToString) -> Self {
100        self.certificate_url = Some(certificate_url.to_string());
101        self
102    }
103
104    /// Add a certificate SHA-256 thumbprint to the metadata ("x5t#256")
105    pub fn with_certificate_sha256_thumbprint(
106        mut self,
107        certificate_sha256_thumbprint: impl ToString,
108    ) -> Result<Self, JWTError> {
109        let thumbprint = certificate_sha256_thumbprint.to_string();
110        let mut bin = [0u8; 32];
111        if thumbprint.len() == 64 {
112            hex::decode_to_slice(&thumbprint, &mut bin)?;
113            let thumbprint = Base64UrlUnpadded::encode_string(&bin);
114            self.certificate_sha256_thumbprint = Some(thumbprint);
115            return Ok(self);
116        }
117        ensure!(
118            Base64UrlUnpadded::decode(&thumbprint, &mut bin)?.len() == bin.len(),
119            JWTError::InvalidCertThumprint
120        );
121        self.certificate_sha256_thumbprint = Some(thumbprint);
122        Ok(self)
123    }
124}
125
126#[cfg(feature = "hmac")]
127#[inline(never)]
128pub(crate) fn timingsafe_eq(a: &[u8], b: &[u8]) -> bool {
129    if a.len() != b.len() {
130        return false;
131    }
132    a.iter().zip(b.iter()).fold(0, |c, (x, y)| c | (x ^ y)) == 0
133}
keygate_jwt/common.rs

keygate_jwt/
common.rs
