Open huguesBouvier opened 2 years ago
Hi! I'm not sure I understand what you are trying to accomplish when you say you trying to validate the trust bundle from the agent. The library provides methods to fetch trust bundles and use them to validate JWT tokens.
Could you provide some code snippets so I can understand better your scenario ?
Hey! This is the only thing I have in my client:
```rust
// fetch a set of jwt bundles (public keys for validating jwt token)
let jwt_bundles = client.fetch_jwt_bundles()?;
```
I am sorry for the confusion I meant fetching the trust bundle, not validating.
The important thing is this from the SPIFFE standard: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#422-public-key-use The "use" field in SPIFFE is only "jwt-svid" or "x509-svid". However, because you use the dependencies "jsonwebtoken" and "jsonwebkey" to validate a token, it rejects keys that have a "use" field other than "sig" or "enc". So all correctly crafted JWT-SVIDs will be rejected.
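To make the mismatch concrete, here is an added example (not code from rust-spiffe or the jsonwebkey crate): a `KeyUse` enum that accepts the two RFC 7517 registered values, the two SPIFFE values and, as RFC 7517 permits, any other string, next to a strict parser that reproduces the reported "sig or enc only" behaviour. The `BundleKey` struct and `jwt_authorities` function are hypothetical, and the bundle contents are constructed.

```rust
use std::str::FromStr;

/// `use` values: the two RFC 7517 registered ones, the two SPIFFE ones, and
/// anything else (RFC 7517 allows unregistered values, so they must not fail parsing).
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum KeyUse { Sig, Enc, JwtSvid, X509Svid, Other(String) }

impl FromStr for KeyUse {
    type Err = String;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        if s.is_empty() { return Err("empty `use` value".into()); }
        Ok(match s {
            "sig" => KeyUse::Sig,
            "enc" => KeyUse::Enc,
            "jwt-svid" => KeyUse::JwtSvid,
            "x509-svid" => KeyUse::X509Svid,
            other => KeyUse::Other(other.to_string()),
        })
    }
}

/// Behaviour reported in the thread: only the RFC 7517 registered values parse,
/// so a spec-conforming SPIFFE bundle is rejected as a whole.
pub fn strict_key_use(s: &str) -> Result<KeyUse, String> {
    match s {
        "sig" => Ok(KeyUse::Sig),
        "enc" => Ok(KeyUse::Enc),
        other => Err(format!("unknown variant `{other}`, expected `sig` or `enc`")),
    }
}

/// A bundle entry reduced to the two fields that matter here (hypothetical struct).
pub struct BundleKey<'a> { pub kid: Option<&'a str>, pub key_use: &'a str }

/// Select the keys a JWT-SVID validator may use: `use` must be `jwt-svid` and a
/// `kid` must be present (assumption: SPIFFE bundle spec 4.2.1 requires it for
/// jwt-svid keys). Keys with any other `use` are skipped, not treated as a parse error.
pub fn jwt_authorities<'a>(keys: &[BundleKey<'a>]) -> Result<Vec<&'a str>, String> {
    let mut out = Vec::new();
    for k in keys {
        let u: KeyUse = k.key_use.parse()?;
        if u == KeyUse::JwtSvid {
            out.push(k.kid.ok_or("jwt-svid key without required `kid`")?);
        }
    }
    Ok(out)
}
```

Running `jwt_authorities` over a constructed bundle with a `jwt-svid` key, an `x509-svid` key and a plain `sig` key yields only the `jwt-svid` key's `kid`, while `strict_key_use("jwt-svid")` returns the same error text the issue reports.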
Then, having the jwt_bundles, you use them to validate a token using the parse_and_validate method, like:

```rust
svid::jwt::JwtSvid::parse_and_validate(&token, &jwt_bundles, &expected_audience)?;
```

and that is giving you the error with the "use" field?
No, this call is giving me the error: fetch_jwt_bundles. I have nothing else in my client. This may better illustrate it: I have made a fork and added a field "use": "jwt-svid" as per the standard in the unit test for the trust bundle. Now the unit tests are failing. See changes on my fork: https://github.com/huguesBouvier/rust-spiffe/commit/2d65a7a0aa63905dcf686f7bc3c116ac7ae65da6
Oh I see, thanks for catching that. I'll open an issue on the repository for the jsonwebkey crate asking to allow other values in the use field, as per RFC 7517, and in the meantime I'll explore other options.
Opened issue in jsonwebkey: https://github.com/nhynes/jwk-rs/issues/8
Hi @huguesBouvier, I submitted a PR to the jsonwebkey repo to address this.
Thanks a lot!
Hello,
I use the client library to validate a trust bundle from the agent, but I am getting the following error: `unknown variant jwt-svid, expected sig or enc`
However jwt-svid is actually a correct field as per SPIFFE standard: Please see: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#422-public-key-use