Switch to JWK Thumbprints

V02460 · V02460 · commit a65c9afb29e7 · 2025-08-20T18:22:21.000+02:00
diff --git a/Cargo.toml b/Cargo.toml
@@ -474,7 +474,7 @@ features = ["std"]
 # PKCS#8 encoding
 [workspace.dependencies.pkcs8]
 version = "0.10.2"
-features = ["alloc", "std", "pkcs5", "encryption"]
+features = ["std", "pkcs5", "encryption"]
 
 # Public Suffix List
 [workspace.dependencies.psl]
diff --git a/crates/config/src/sections/secrets.rs b/crates/config/src/sections/secrets.rs
@@ -9,13 +9,9 @@ use std::borrow::Cow;
 use anyhow::{Context, bail};
 use camino::Utf8PathBuf;
 use futures_util::future::{try_join, try_join_all};
-use mas_jose::jwk::{JsonWebKey, JsonWebKeySet};
+use mas_jose::jwk::{JsonWebKey, JsonWebKeySet, Thumbprint};
 use mas_keystore::{Encrypter, Keystore, PrivateKey};
-use rand::{
-    Rng, SeedableRng,
-    distributions::{Alphanumeric, DistString, Standard},
-    prelude::Distribution as _,
-};
+use rand::{Rng, SeedableRng, distributions::Standard, prelude::Distribution as _};
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use serde_with::serde_as;
@@ -134,8 +130,7 @@ impl From<Key> for KeyRaw {
 pub struct KeyConfig {
     /// The key ID `kid` of the key as used by JWKs.
     ///
-    /// If not given, `kid` will be derived from the key by hex-encoding the
-    /// first four bytes of the key’s fingerprint.
+    /// If not given, `kid` will be the key’s RFC 7638 JWK Thumbprint.
     #[serde(skip_serializing_if = "Option::is_none")]
     kid: Option<String>,
 
@@ -185,7 +180,7 @@ impl KeyConfig {
 
         let kid = match self.kid.clone() {
             Some(kid) => kid,
-            None => kid_from_key(&private_key)?,
+            None => private_key.thumbprint_sha256_base64(),
         };
 
         Ok(JsonWebKey::new(private_key)
@@ -194,13 +189,6 @@ impl KeyConfig {
     }
 }
 
-/// Returns a kid derived from the given key.
-fn kid_from_key(private_key: &PrivateKey) -> anyhow::Result<String> {
-    let fingerprint = private_key.fingerprint()?;
-    let head = fingerprint.first_chunk::<4>().unwrap();
-    Ok(hex::encode(head))
-}
-
 /// Encryption config option.
 #[derive(Debug, Clone)]
 pub enum Encryption {
@@ -494,7 +482,7 @@ mod tests {
 
                     let key_store = config.key_store().await.unwrap();
                     assert!(key_store.iter().any(|k| k.kid() == Some("lekid0")));
-                    assert!(key_store.iter().any(|k| k.kid() == Some("040b0ab8")));
+                    assert!(key_store.iter().any(|k| k.kid() == Some("ONUCn80fsiISFWKrVMEiirNVr-QEvi7uQI0QH9q9q4o")));
                 });
 
                 Ok(())
diff --git a/crates/jose/src/jwk/mod.rs b/crates/jose/src/jwk/mod.rs
@@ -13,6 +13,7 @@ use mas_iana::jose::{
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use serde_with::skip_serializing_none;
+use sha2::{Digest, Sha256};
 use url::Url;
 
 use crate::{
@@ -239,6 +240,28 @@ impl<P> JsonWebKey<P> {
     }
 }
 
+/// Methods to calculate RFC 7638 JWK Thumbprints.
+pub trait Thumbprint {
+    /// Returns the RFC 7638 JWK Thumbprint JSON string.
+    fn thumbprint_prehashed(&self) -> String;
+
+    /// Returns the RFC 7638 SHA256-hashed JWK Thumbprint.
+    fn thumbprint_sha256(&self) -> [u8; 32] {
+        Sha256::digest(self.thumbprint_prehashed()).into()
+    }
+
+    /// Returns the RFC 7638 SHA256-hashed JWK Thumbprint as base64url string.
+    fn thumbprint_sha256_base64(&self) -> String {
+        Base64UrlNoPad::new(self.thumbprint_sha256().into()).encode()
+    }
+}
+
+impl<P: Thumbprint> Thumbprint for JsonWebKey<P> {
+    fn thumbprint_prehashed(&self) -> String {
+        self.parameters.thumbprint_prehashed()
+    }
+}
+
 impl<P> Constrainable for JsonWebKey<P>
 where
     P: ParametersInfo,
diff --git a/crates/jose/src/jwk/public_parameters.rs b/crates/jose/src/jwk/public_parameters.rs
@@ -11,7 +11,7 @@ use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 
 use super::ParametersInfo;
-use crate::base64::Base64UrlNoPad;
+use crate::{base64::Base64UrlNoPad, jwk::Thumbprint};
 
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, JsonSchema)]
 #[serde(tag = "kty")]
@@ -52,6 +52,22 @@ impl JsonWebKeyPublicParameters {
     }
 }
 
+impl Thumbprint for JsonWebKeyPublicParameters {
+    fn thumbprint_prehashed(&self) -> String {
+        match self {
+            JsonWebKeyPublicParameters::Rsa(RsaPublicParameters { n, e }) => {
+                format!("{{\"e\":\"{e}\",\"kty\":\"RSA\",\"n\":\"{n}\"}}")
+            }
+            JsonWebKeyPublicParameters::Ec(EcPublicParameters { crv, x, y }) => {
+                format!("{{\"crv\":\"{crv}\",\"kty\":\"EC\",\"x\":\"{x}\",\"y\":\"{y}\"}}")
+            }
+            JsonWebKeyPublicParameters::Okp(OkpPublicParameters { crv, x }) => {
+                format!("{{\"crv\":\"{crv}\",\"kty\":\"OKP\",\"x\":\"{x}\"}}")
+            }
+        }
+    }
+}
+
 impl ParametersInfo for JsonWebKeyPublicParameters {
     fn kty(&self) -> JsonWebKeyType {
         match self {
@@ -300,3 +316,31 @@ mod ec_impls {
         }
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_thumbprint_rfc_example() {
+        // From https://www.rfc-editor.org/rfc/rfc7638.html#section-3.1
+        let n = Base64UrlNoPad::parse(
+            "\
+            0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAt\
+            VT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn6\
+            4tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FD\
+            W2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n9\
+            1CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINH\
+            aQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
+        )
+        .unwrap();
+        let e = Base64UrlNoPad::parse("AQAB").unwrap();
+
+        let jwkpps = JsonWebKeyPublicParameters::Rsa(RsaPublicParameters { n, e });
+
+        assert_eq!(
+            jwkpps.thumbprint_sha256_base64(),
+            "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs"
+        );
+    }
+}
diff --git a/crates/keystore/src/lib.rs b/crates/keystore/src/lib.rs
@@ -9,16 +9,12 @@
 use std::{ops::Deref, sync::Arc};
 
 use der::{Decode, Encode, EncodePem, zeroize::Zeroizing};
-use elliptic_curve::{
-    pkcs8::{EncodePrivateKey, EncodePublicKey},
-    sec1::ToEncodedPoint,
-};
-use k256::sha2::{Digest, Sha256};
+use elliptic_curve::{pkcs8::EncodePrivateKey, sec1::ToEncodedPoint};
 use mas_iana::jose::{JsonWebKeyType, JsonWebSignatureAlg};
 pub use mas_jose::jwk::{JsonWebKey, JsonWebKeySet};
 use mas_jose::{
     jwa::{AsymmetricSigningKey, AsymmetricVerifyingKey},
-    jwk::{JsonWebKeyPublicParameters, ParametersInfo, PublicJsonWebKeySet},
+    jwk::{JsonWebKeyPublicParameters, ParametersInfo, PublicJsonWebKeySet, Thumbprint},
 };
 use pem_rfc7468::PemLabel;
 use pkcs1::EncodeRsaPrivateKey;
@@ -183,24 +179,6 @@ impl PrivateKey {
         }
     }
 
-    /// Returns the fingerprint of the private key.
-    ///
-    /// The fingerprint is calculated as the SHA256 sum over the PKCS#8 ASN.1
-    /// DER-encoded bytes of the private key’s corresponding public key.
-    ///
-    /// # Errors
-    ///
-    /// Errors if the DER representation of the public key can’t be derived.
-    pub fn fingerprint(&self) -> pkcs8::spki::Result<[u8; 32]> {
-        let bytes = match self {
-            PrivateKey::Rsa(key) => key.to_public_key().to_public_key_der()?,
-            PrivateKey::EcP256(key) => key.public_key().to_public_key_der()?,
-            PrivateKey::EcP384(key) => key.public_key().to_public_key_der()?,
-            PrivateKey::EcK256(key) => key.public_key().to_public_key_der()?,
-        };
-        Ok(Sha256::digest(bytes).into())
-    }
-
     /// Serialize the key as a DER document
     ///
     /// It will use the most common format depending on the key type: PKCS1 for
@@ -621,6 +599,12 @@ impl ParametersInfo for PrivateKey {
     }
 }
 
+impl Thumbprint for PrivateKey {
+    fn thumbprint_prehashed(&self) -> String {
+        JsonWebKeyPublicParameters::from(self).thumbprint_prehashed()
+    }
+}
+
 /// A structure to store a list of [`PrivateKey`]. The keys are held in an
 /// [`Arc`] to ensure they are only loaded once in memory and allow cheap
 /// cloning
diff --git a/docs/config.schema.json b/docs/config.schema.json
@@ -1555,7 +1555,7 @@
       "type": "object",
       "properties": {
         "kid": {
-          "description": "The key ID `kid` of the key as used by JWKs.\n\nIf not given, `kid` will be derived from the key by hex-encoding the first four bytes of the key’s fingerprint.",
+          "description": "The key ID `kid` of the key as used by JWKs.\n\nIf not given, `kid` will be the key’s RFC 7638 JWK Thumbprint.",
           "type": "string"
         },
         "password_file": {
