maxlambrecht / rust-spiffe

Rust library for SPIFFE support.
Apache License 2.0

Spiffe standard specifies jwt_svid or x509_svid for the 'use' field in JWK #19

Open huguesBouvier opened 2 years ago

huguesBouvier commented 2 years ago

Hello,

I use the client library to validate a trust bundle from the agent, but I am getting the following error: `unknown variant jwt-svid, expected sig or enc`

However, jwt-svid is actually a correct field as per the SPIFFE standard. Please see: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#422-public-key-use

maxlambrecht commented 2 years ago

Hi! I'm not sure I understand what you are trying to accomplish when you say you are trying to validate the trust bundle from the agent. The library provides methods to fetch trust bundles and use them to validate JWT tokens.

Could you provide some code snippets so I can better understand your scenario?

huguesBouvier commented 2 years ago

Hey! This is the only thing I have in my client:

// fetch a set of jwt bundles (public keys for validating jwt token)
let jwt_bundles = client.fetch_jwt_bundles()?;

I am sorry for the confusion, I meant fetching the trust bundle, not validating.

The important thing is this, from the SPIFFE standard: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#422-public-key-use

The "use" field in SPIFFE is only "jwt-svid" or "x509-svid". However, because you use the dependencies "jsonwebtoken" and "jsonwebkey" to validate a token, it rejects tokens that have a "use" field other than "sig" or "enc". So all correctly crafted JWTSVIDs will be rejected.

maxlambrecht commented 2 years ago

Then having the jwt_bundles you use them to validate a token using the parse_and_validate method, like:

svid::jwt::JwtSvid::parse_and_validate(&token, &jwt_bundles, &expected_audience)?;

and that is giving you the error with the "use" field?

huguesBouvier commented 2 years ago

No, this call is giving me the error: fetch_jwt_bundles. I have nothing else in my client. This may better illustrate it: I have made a fork and added a field "use": "jwt-svid", as per the standard, in the unit test for the trust bundle. Now the unit tests are failing. See changes on my fork: https://github.com/huguesBouvier/rust-spiffe/commit/2d65a7a0aa63905dcf686f7bc3c116ac7ae65da6
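The mismatch discussed above is between the generic JWK "use" values from RFC 7517 ("sig"/"enc") and the SPIFFE-specific ones ("jwt-svid"/"x509-svid"). The following added example (written for this page, not code from rust-spiffe or the jsonwebkey crate) contrasts the two: a strict RFC 7517-style check that reproduces the error from the issue, and a SPIFFE-aware bundle parser that partitions keys by their "use" so that only jwt-svid keys are ever handed to JWT verification. The bundle documents are constructed samples with placeholder key material; the requirements that jwt-svid keys carry a `kid` and x509-svid keys carry `x5c` are taken from the linked standard as I read it, and the `spiffe_sequence`/`spiffe_refresh_hint` handling is an assumption about how a consumer would surface those optional fields.

```python
import json

# 'use' values a generic RFC 7517 JWK parser accepts.
RFC7517_USE = {"sig", "enc"}
# 'use' values the SPIFFE Trust Domain and Bundle standard requires (section 4.2.2).
SPIFFE_USE = {"jwt-svid", "x509-svid"}

# Constructed sample bundle in SPIFFE bundle format. Key material is placeholder
# text, not real keys; only the structure matters for these checks.
SAMPLE_BUNDLE = json.dumps({
    "spiffe_sequence": 1,
    "spiffe_refresh_hint": 3600,
    "keys": [
        {"kty": "EC", "crv": "P-256", "x": "PLACEHOLDER_X", "y": "PLACEHOLDER_Y",
         "use": "jwt-svid", "kid": "key-1"},
        {"kty": "RSA", "n": "PLACEHOLDER_N", "e": "AQAB",
         "use": "x509-svid", "kid": "root-1", "x5c": ["PLACEHOLDER_DER_B64"]},
    ],
})

# Constructed bundle whose second key uses a generic RFC 7517 value instead of
# a SPIFFE one; a SPIFFE bundle consumer should refuse it rather than guess.
MIXED_BUNDLE = json.dumps({
    "keys": [
        {"kty": "EC", "crv": "P-256", "x": "X1", "y": "Y1", "use": "jwt-svid", "kid": "key-1"},
        {"kty": "EC", "crv": "P-256", "x": "X2", "y": "Y2", "use": "sig", "kid": "key-2"},
    ],
})


class BundleError(ValueError):
    """Raised when a bundle document fails one of the checks below."""


def check_generic_jwk_use(jwk):
    """Mimic a strict RFC 7517-only parser: anything but sig/enc is rejected.

    This reproduces the failure reported in the issue; it is not what a SPIFFE
    bundle consumer wants, since every SPIFFE key carries jwt-svid or x509-svid.
    """
    use = jwk.get("use")
    if use is not None and use not in RFC7517_USE:
        raise BundleError(f"unknown variant {use}, expected sig or enc")
    return use


def parse_spiffe_bundle(raw):
    """Parse a SPIFFE bundle document and partition its keys by 'use'.

    Returns a dict with:
      sequence, refresh_hint - the optional spiffe_* top-level fields (may be None)
      jwt_keys               - {kid: jwk} for keys that may verify JWT-SVIDs
      x509_keys              - list of JWKs carrying x5c chains (X.509 roots)
    """
    doc = json.loads(raw)
    keys = doc.get("keys")
    if not isinstance(keys, list):
        raise BundleError("bundle has no 'keys' array")

    jwt_keys = {}
    x509_keys = []
    for index, jwk in enumerate(keys):
        use = jwk.get("use")
        if use not in SPIFFE_USE:
            raise BundleError(
                f"keys[{index}]: use={use!r} is not one of {sorted(SPIFFE_USE)}")
        if use == "jwt-svid":
            kid = jwk.get("kid")
            if not kid:
                raise BundleError(f"keys[{index}]: jwt-svid key must carry a kid")
            if kid in jwt_keys:
                raise BundleError(f"keys[{index}]: duplicate kid {kid!r}")
            jwt_keys[kid] = jwk
        else:  # x509-svid
            if not jwk.get("x5c"):
                raise BundleError(f"keys[{index}]: x509-svid key must carry x5c")
            x509_keys.append(jwk)

    return {
        "sequence": doc.get("spiffe_sequence"),
        "refresh_hint": doc.get("spiffe_refresh_hint"),
        "jwt_keys": jwt_keys,
        "x509_keys": x509_keys,
    }


def lookup_jwt_key(bundle, kid):
    """Return the JWK for verifying a JWT-SVID whose header names `kid`, or None.

    Only keys marked jwt-svid are ever returned, so an X.509 root in the same
    bundle cannot be selected for JWT verification even if it also has a kid.
    """
    return bundle["jwt_keys"].get(kid)


if __name__ == "__main__":
    try:
        check_generic_jwk_use(json.loads(SAMPLE_BUNDLE)["keys"][0])
    except BundleError as err:
        print("generic JWK parser:", err)
    bundle = parse_spiffe_bundle(SAMPLE_BUNDLE)
    print("jwt kids:", sorted(bundle["jwt_keys"]), "x509 roots:", len(bundle["x509_keys"]))
    print("root-1 for JWT verification:", lookup_jwt_key(bundle, "root-1"))
```

The point of partitioning by "use" rather than relaxing the check to "accept anything" is that the field is what keeps the two key populations apart: a verifier that ignored it could be handed an X.509 root (or a key with an unrecognised purpose) when looking up a JWT signing key by `kid`. Failing closed on an unexpected "use" value, as `parse_spiffe_bundle` does, keeps that separation while still accepting the values the SPIFFE standard actually mandates.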

maxlambrecht commented 2 years ago

Oh I see, thanks for catching that.

I'll open an issue on the repository for the jsonwebkey crate asking to allow other values in the use field, as per RFC7517, and in the meantime I'll explore other options.

maxlambrecht commented 2 years ago

Opened issue in jsonwebkey: https://github.com/nhynes/jwk-rs/issues/8

maxlambrecht commented 2 years ago

Hi @huguesBouvier , I submitted a PR to the jsonwebkey repo to address this.

huguesBouvier commented 2 years ago

Thanks a lot!