Closed backan10 closed 1 year ago
Hi. Sorry for the late reply.
"Manually" decode header. Is there a way to do this in josekit?
Yes. You can use a jwt::decode_header function.
Since the verifier in the closer returns a reference to a JwsVerifier, it need to be owned somewhere before. Could it be modified (or a new function added) that returns a box?
How about using OnceCell, for example? The following code seems to work.
let cell: OnceCell<Box<dyn JwsVerifier>> = OnceCell::new();
let (dst_payload, dst_header) = jws::deserialize_compact_with_selector(&jwt, |header| {
let public_keys = header.x509_certificate_chain().unwrap();
let verifier = alg.verifier_from_pem(&public_keys[0])?;
Ok(Some(cell.get_or_init(|| Box::new(verifier)).as_ref()))
})?;
Hi, thanks for your reply.
Yes, the jwt::decode_header function works for decoding the compact serialization. Unfortunately I need to support general JWS JSON Serialization as well.
The "OnceCell solution" works though! But for this I need to enable the nightly channel right?
One more thing, seems that the x509_certificate_chain functions for JwsHeaderSet uses URL_SAFE_NO_PAD, this should be STANDARD_NO_PAD according to the JWS spec right? I see that this has been corrected for the JwsHeader struct.
Thanks for you support.
I need to support general JWS JSON Serialization as well.
I got it. I will consider supporting it.
The "OnceCell solution" works though! But for this I need to enable the nightly channel right?
You can use OnceCell crate. This crate is not a core module and it is used in josekit too.
One more thing, seems that the x509_certificate_chain functions for JwsHeaderSet uses URL_SAFE_NO_PAD, this should be STANDARD_NO_PAD according to the JWS spec right?
That method uses STANDARD_NO_PAD. So There does not seem to be such a problem.
pub fn set_x509_certificate_chain(&mut self, values: &Vec<impl AsRef<[u8]>>) {
let key = "x5c";
let mut vec = Vec::with_capacity(values.len());
for val in values {
vec.push(Value::String(base64::encode_config(
val.as_ref(),
base64::STANDARD_NO_PAD,
)));
}
self.claims.insert(key.to_string(), Value::Array(vec));
}
Right. The OnceCell crate works. Thanks!
Yes, set_x509_certificate_chain in JwsHeader uses STANDARD_NO_PAD. But the x509_certificate_chain in JwsHeaderSet does not:
/// Return values for a X.509 certificate chain header claim (x5c).
pub fn x509_certificate_chain(&self) -> Option<Vec<Vec<u8>>> {
match self.claim("x5c") {
Some(Value::Array(vals)) => {
let mut vec = Vec::with_capacity(vals.len());
for val in vals {
match val {
Value::String(val2) => {
match base64::decode_config(val2, base64::URL_SAFE_NO_PAD) {
Ok(val3) => vec.push(val3.clone()),
Err(_) => return None,
}
}
_ => return None,
}
}
Some(vec)
}
_ => None,
}
}
I understand now. It's a bug and x509_certificate_chain must be encoded in STANDARD, not URL_SAFE_NO_PAD or STANDARD_NOPAD.
https://www.rfc-editor.org/rfc/rfc7515#page-54
Thank you for reporting. I will fix in a few days.
I released v0.8.2 which fixed a x509_certificate_chain problem. Try it out.
I need to support general JWS JSON Serialization as well.
I decided not to support this feature. Because there may be more than one header in the JWS JSON Serialization.
Thanks for your quick support!
Hi,
thanks for this great lib. Helps a lot for a project using JWS.
Have a question though, cannot figure it out, and that is how to use the x5c header parameter with JWS.
As far as I can see I get no help from the lib to parse out the header so that I can get a hold of the certificate(s) in the x5c parameter.
Now I do something like this:
But if I could use the deserialize_compact_with_selector function (https://docs.rs/josekit/0.8.1/josekit/jws/fn.deserialize_compact_with_selector.html) and use the closure to create the verifier, since in the closer I have the header, it would make life easier. This is not possible now though right? Since the verifier in the closer returns a reference to a JwsVerifier, it need to be owned somewhere before. Could it be modified (or a new function added) that returns a box?
Or is there a better way that I'm missing?
Thanks!