add es256k

Author: deatil

README.md

@@ -110,6 +110,8 @@ pub fn main() !void {
     var validator = try jwt.Validator.init(token);
     defer validator.deinit();
 
+    // validator.withLeeway(3);
+
     // output: 
     // hasBeenIssuedBy: true
     std.debug.print("hasBeenIssuedBy: {} \n", .{validator.hasBeenIssuedBy("iss")});
@@ -140,6 +142,8 @@ The JWT library have signing methods:
 
  - `ES256`: jwt.SigningMethodES256
  - `ES384`: jwt.SigningMethodES384
+
+ - `ES256K`: jwt.SigningMethodES256K
 
  - `EdDSA`: jwt.SigningMethodEdDSA
  - `ED25519`: jwt.SigningMethodED25519
@@ -171,11 +175,17 @@ const p256_public_key = ecdsa.EcdsaP256Sha256.PublicKey;
 const p384_secret_key = ecdsa.EcdsaP384Sha384.SecretKey;
 const p384_public_key = ecdsa.EcdsaP384Sha384.PublicKey;
 
+const p256k_secret_key = ecdsa.EcdsaSecp256k1Sha256.SecretKey;
+const p256k_public_key = ecdsa.EcdsaSecp256k1Sha256.PublicKey;
+
 // generate p256 public key
 const p256_kp = ecdsa.EcdsaP256Sha256.KeyPair.generate();
 
 // generate p384 public key
 const p384_kp = ecdsa.EcdsaP384Sha384.KeyPair.generate();
+
+// generate p256k public key
+const p256k_kp = ecdsa.EcdsaSecp256k1Sha256.KeyPair.generate();
 ~~~
 
 EdDSA PublicKey:

build.zig.zon

@@ -1,7 +1,7 @@
 .{
     .name = "zig-jwt",
     .description = "A JWT (JSON Web Token) library for zig.",
-    .version = "1.0.9",
+    .version = "1.0.11",
     .paths = .{
         "build.zig",
         "build.zig.zon",

src/ecdsa.zig

@@ -9,6 +9,8 @@ pub const SigningES256 = SignECDSA(ecdsa.EcdsaP256Sha256, "ES256");
 pub const SigningES384 = SignECDSA(ecdsa.EcdsaP384Sha384, "ES384");
 // pub const SigningES512 = SignECDSA(ecdsa.EcdsaP512Sha512, "ES512");
 
+pub const SigningES256K = SignECDSA(ecdsa.EcdsaSecp256k1Sha256, "ES256K");
+
 pub fn SignECDSA(comptime EC: type, comptime name: []const u8) type {
     return struct {
         alloc: Allocator, 
@@ -110,4 +112,28 @@ test "SigningES384" {
 
     try testing.expectEqual(true, veri);
 
-}
+}
+
+test "SigningES256K" {
+    const alloc = std.heap.page_allocator;
+
+    const h = SigningES256K.init(alloc);
+
+    const alg = h.alg();
+    const signLength = h.signLength();
+    try testing.expectEqual(64, signLength);
+    try testing.expectEqualStrings("ES256K", alg);
+
+    const kp = ecdsa.EcdsaSecp256k1Sha256.KeyPair.generate();
+
+    const msg = "test-data";
+
+    const signed = try h.sign(msg, kp.secret_key);
+
+    try testing.expectEqual(64, signed.len);
+
+    const veri = h.verify(msg, signed, kp.public_key);
+
+    try testing.expectEqual(true, veri);
+
+}

src/jwt.zig

@@ -27,7 +27,9 @@ pub const SigningMethodPS512 = JWT(rsa_pss.SigningPS512, crypto_rsa.SecretKey, c
 
 pub const SigningMethodES256 = JWT(ecdsa.SigningES256, ecdsa.ecdsa.EcdsaP256Sha256.SecretKey, ecdsa.ecdsa.EcdsaP256Sha256.PublicKey);
 pub const SigningMethodES384 = JWT(ecdsa.SigningES384, ecdsa.ecdsa.EcdsaP384Sha384.SecretKey, ecdsa.ecdsa.EcdsaP384Sha384.PublicKey);
-// pub const SigningMethodES512 = JWT(ecdsa.SigningES512, ecdsa.ecdsa.SecretKey, ecdsa.ecdsa.PublicKey);
+// pub const SigningMethodES512 = JWT(ecdsa.SigningES512, ecdsa.ecdsa.EcdsaP521Sha512.SecretKey, ecdsa.ecdsa.EcdsaP521Sha512.PublicKey);
+
+pub const SigningMethodES256K = JWT(ecdsa.SigningES256K, ecdsa.ecdsa.EcdsaSecp256k1Sha256.SecretKey, ecdsa.ecdsa.EcdsaSecp256k1Sha256.PublicKey);
 
 pub const SigningMethodEdDSA = JWT(eddsa.SigningEdDSA, eddsa.Ed25519.SecretKey, eddsa.Ed25519.PublicKey);
 pub const SigningMethodED25519 = JWT(eddsa.SigningED25519, eddsa.Ed25519.SecretKey, eddsa.Ed25519.PublicKey);
@@ -406,6 +408,31 @@ test "SigningMethodES384" {
 
 }
 
+test "SigningMethodES256K" {
+    const alloc = std.heap.page_allocator;
+
+    const kp = ecdsa.ecdsa.EcdsaSecp256k1Sha256.KeyPair.generate();
+
+    const claims = .{
+        .aud = "example.com",
+        .sub = "foo",
+    };
+
+    const s = SigningMethodES256K.init(alloc);
+    const token_string = try s.sign(claims, kp.secret_key);
+    try testing.expectEqual(true, token_string.len > 0);
+
+    // ==========
+
+    const p = SigningMethodES256K.init(alloc);
+    var parsed = try p.parse(token_string, kp.public_key);
+
+    const claims2 = try parsed.getClaims();
+    try testing.expectEqualStrings(claims.aud, claims2.object.get("aud").?.string);
+    try testing.expectEqualStrings(claims.sub, claims2.object.get("sub").?.string);
+
+}
+
 test "SigningMethodHS256" {
     const alloc = std.heap.page_allocator;
 
@@ -608,6 +635,42 @@ test "SigningMethodES256 Check fail" {
 
 }
 
+test "SigningMethodES256K Check" {
+    const alloc = std.heap.page_allocator;
+
+    const pub_key = "04cbcc2ebfaf9f5e874b3cb7e1c66d77db2d51f26e1d92783bb477bb37eb142d5d84b61e80c445d07ddf84e27b9c791db550d0af40aab1898c02cd5c0829c1defc";
+    const pri_key = "c4e29dedecf2d4fef1bb300cce3fcfca3ec086066fd3d03ebc3cc7a36ee900dd";
+    const token_str = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NksifQ.eyJmb28iOiJiYXIifQ.Xe92dmU8MrI1d4edE2LEKqSmObZJpkIuz0fERihfn65ikTeeX5zjpyAdlHy9ZSBX8N8sqmJy5fxBTBzV26WvIQ";
+
+    const encoded_length = ecdsa.ecdsa.EcdsaSecp256k1Sha256.SecretKey.encoded_length;
+
+    var pri_key_buf: [encoded_length]u8 = undefined;
+    _ = try fmt.hexToBytes(&pri_key_buf, pri_key);
+
+    var pub_key_buf: [pub_key.len / 2]u8 = undefined;
+    const pub_key_bytes = try fmt.hexToBytes(&pub_key_buf, pub_key);
+
+    const secret_key = try ecdsa.ecdsa.EcdsaSecp256k1Sha256.SecretKey.fromBytes(pri_key_buf);
+    const public_key = try ecdsa.ecdsa.EcdsaSecp256k1Sha256.PublicKey.fromSec1(pub_key_bytes);
+
+    const claims = .{
+        .foo = "bar",
+    };
+
+    const s = SigningMethodES256K.init(alloc);
+    const token_string = try s.sign(claims, secret_key);
+    try testing.expectEqual(true, token_string.len > 0);
+
+    // ==========
+
+    const p = SigningMethodES256K.init(alloc);
+    var parsed = try p.parse(token_str, public_key);
+
+    const claims2 = try parsed.getClaims();
+    try testing.expectEqualStrings(claims.foo, claims2.object.get("foo").?.string);
+
+}
+
 test "SigningMethodEdDSA Check" {
     const alloc = std.heap.page_allocator;
 

src/validator.zig

@@ -9,6 +9,7 @@ const Token = @import("token.zig").Token;
 pub const Validator = struct {
     token: Token,
     claims: json.Value,
+    leeway: i64 = 0,
 
     const Self = @This();
 
@@ -19,13 +20,18 @@ pub const Validator = struct {
         return .{
             .token = token,
             .claims = claims,
+            .leeway = 0,
         };
     }
 
     pub fn deinit(self: *Self) void {
         self.token.deinit();
     }
 
+    pub fn withLeeway(self: *Self, leeway: i64) void {
+        self.leeway = leeway;
+    }
+
     pub fn isPermittedFor(self: *Self, audience: []const u8) bool {
         const claims = self.claims;
 
@@ -95,7 +101,7 @@ pub const Validator = struct {
 
         if (claims.object.get("iat")) |val| {
             if (val == .integer) {
-                if (now > val.integer) {
+                if (now + self.leeway >= val.integer) {
                     return true;
                 }
             }
@@ -111,7 +117,7 @@ pub const Validator = struct {
 
         if (claims.object.get("nbf")) |val| {
             if (val == .integer) {
-                if (now > val.integer) {
+                if (now + self.leeway >= val.integer) {
                     return true;
                 }
             }
@@ -127,7 +133,7 @@ pub const Validator = struct {
 
         if (claims.object.get("exp")) |val| {
             if (val == .integer) {
-                if (now <= val.integer) {
+                if (now - self.leeway < val.integer) {
                     return false;
                 }
             }
@@ -199,8 +205,34 @@ test "Validator" {
     try testing.expectEqual(true, validator.isIdentifiedBy("jti rrr"));
     try testing.expectEqual(true, validator.isPermittedFor("example.com"));
     try testing.expectEqual(true, validator.hasBeenIssuedBefore(now));
+    try testing.expectEqual(false, validator.isExpired(now));
 
     const claims = try token.getClaims();
     try testing.expectEqual(true, claims.object.get("nbf").?.integer > 0);
+
+    try testing.expectEqual(1567842388, claims.object.get("iat").?.integer);
+    try testing.expectEqual(1767842388, claims.object.get("exp").?.integer);
+    try testing.expectEqual(1567842388, claims.object.get("nbf").?.integer);
 
+    try testing.expectEqual(true, validator.hasBeenIssuedBefore(1567842389));
+    try testing.expectEqual(true, validator.isMinimumTimeBefore(1567842389));
+    try testing.expectEqual(true, validator.isExpired(1767842389));
+
+    // ======
+
+    var token2 = Token.init(alloc);
+    try token2.parse(check1);
+
+    var validator2 = try Validator.init(token2);
+    defer validator2.deinit();
+
+    validator2.withLeeway(3);
+
+    try testing.expectEqual(true, validator2.hasBeenIssuedBefore(1567842391));
+    try testing.expectEqual(false, validator2.hasBeenIssuedBefore(1567842384));
+    try testing.expectEqual(true, validator2.isMinimumTimeBefore(1567842391));
+    try testing.expectEqual(false, validator2.isMinimumTimeBefore(1567842384));
+    try testing.expectEqual(true, validator2.isExpired(1767842392));
+    try testing.expectEqual(false, validator2.isExpired(1767842389));
+
 }