wip RS256 jwt

Author: eltorio

.vscode/launch.json

@@ -99,9 +99,9 @@
             "cargo": {
                 "args": [
                     "test",
-                    "--no-run",
-                    "--lib",
-                    "--package=rust-photoacoustic"
+                    "--test", 
+                    "rs256_jwt_test",
+                    "test_rs256_jwt_token_generation_and_validation"
                 ],
                 "filter": {
                     "name": "rust-photoacoustic",

Cargo.lock

@@ -50,7 +50,7 @@ serde_urlencoded = "0.7.1"
 url = "2.5.4"                                                                           # URL parsing
 rcgen = "0.13.2"                                                                        # Certificate generation
 time = "0.3.41"                                                                          # Time handling for certificates
-rsa = "0.9.8"
+rsa = {version = "0.9.8", features=["pem","sha2"]}
 tokio = { version = "1.45.0", features = ["rt", "macros", "rt-multi-thread", "time"] }
 tokio-modbus = { version = "0.16.1", features = ["tcp", "tcp-server", "server"] }
 

Cargo.toml

@@ -30,12 +30,10 @@ macro_rules! include_png_as_base64 {
 /// It is useful for embedding SVG images directly into web pages or stylesheets.
 #[macro_export]
 macro_rules! include_svg_as_base64 {
-    ($path:expr) => {
-        {
-            use ::base64::prelude::{Engine as _, BASE64_STANDARD};
-            let svg_data = include_bytes!($path);
-            let base64 = BASE64_STANDARD.encode(svg_data);
-            format!("data:image/svg+xml;base64,{}", base64)
-        }
-    };
+    ($path:expr) => {{
+        use ::base64::prelude::{Engine as _, BASE64_STANDARD};
+        let svg_data = include_bytes!($path);
+        let base64 = BASE64_STANDARD.encode(svg_data);
+        format!("data:image/svg+xml;base64,{}", base64)
+    }};
 }

src/utility/mod.rs

@@ -276,6 +276,36 @@ impl JwtTokenMap {
         }
     }
 
+    /// Create a new JWT token issuer with RS256 algorithm using PEM encoded keys
+    ///
+    /// # Parameters
+    ///
+    /// * `private_key_pem` - PEM encoded private key
+    /// * `public_key_pem` - PEM encoded public key
+    ///
+    /// # Returns
+    ///
+    /// A new JwtTokenMap configured to use RS256 algorithm with the provided keys
+    pub fn with_rs256_pem(
+        private_key_pem: &[u8],
+        public_key_pem: &[u8],
+    ) -> Result<Self, jsonwebtoken::errors::Error> {
+        let encoding_key = EncodingKey::from_rsa_pem(private_key_pem)?;
+        let decoding_key = DecodingKey::from_rsa_pem(public_key_pem)?;
+
+        Ok(JwtTokenMap {
+            access_tokens: HashMap::new(),
+            refresh_tokens: HashMap::new(),
+            signing_key: encoding_key,
+            verification_key: decoding_key,
+            refresh_generator: RandomGenerator::new(16),
+            token_duration: Some(Duration::hours(1)), // Default 1 hour
+            issuer: "rust-photoacoustic".to_string(),
+            usage_counter: 0,
+            algorithm: Algorithm::RS256,
+        })
+    }
+
     /// Sets the JWT signing algorithm
     pub fn with_algorithm(mut self, algorithm: Algorithm) -> Self {
         self.algorithm = algorithm;
@@ -542,6 +572,24 @@ impl JwtIssuer {
         JwtIssuer(Arc::new(Mutex::new(JwtTokenMap::new(secret))))
     }
 
+    /// Create a new JwtIssuer with RS256 algorithm using PEM encoded keys
+    ///
+    /// # Parameters
+    ///
+    /// * `private_key_pem` - PEM encoded private key
+    /// * `public_key_pem` - PEM encoded public key
+    ///
+    /// # Returns
+    ///
+    /// A new JwtIssuer configured to use RS256 algorithm with the provided keys
+    pub fn with_rs256_pem(
+        private_key_pem: &[u8],
+        public_key_pem: &[u8],
+    ) -> Result<Self, jsonwebtoken::errors::Error> {
+        let token_map = JwtTokenMap::with_rs256_pem(private_key_pem, public_key_pem)?;
+        Ok(JwtIssuer(Arc::new(Mutex::new(token_map))))
+    }
+
     /// Sets the JWT signing algorithm
     pub fn with_algorithm(&mut self, algorithm: Algorithm) -> &mut Self {
         // Create a closure to modify the map

src/visualization/jwt.rs

@@ -59,8 +59,18 @@
 //! ).unwrap();
 //! ```
 
-use anyhow::{anyhow, Result};
+use anyhow::{anyhow, Context, Result};
+use base64::engine::general_purpose::URL_SAFE_NO_PAD;
+use base64::prelude::*;
+use jsonwebtoken::jwk::{Jwk, PublicKeyUse};
 use jsonwebtoken::{Algorithm, DecodingKey, EncodingKey};
+use rsa::pkcs1::DecodeRsaPublicKey;
+use rsa::traits::PublicKeyParts;
+use rsa::RsaPublicKey;
+use rsa::sha2::Sha256;
+use rsa::sha2::Digest;
+use serde::{Deserialize, Serialize};
+use serde_json::json;
 use std::fs::File;
 use std::io::Read;
 use std::path::Path;
@@ -506,3 +516,115 @@ impl JwtKeyConfig {
         )
     }
 }
+
+/// JSON Web Key Set
+///
+/// This structure represents a set of JSON Web Keys (JWKs) as defined in RFC 7517.
+/// It can be used to generate and manipulate JWK representations of RSA keys for
+/// use with OpenID Connect discovery endpoints.
+#[derive(Debug, Serialize, Deserialize)]
+pub struct JwkKeySet {
+    /// The set of JWKs
+    pub keys: Vec<Jwk>,
+}
+
+impl JwkKeySet {
+    /// Create a new JWK from a PEM encoded RSA public key
+    ///
+    /// This function converts a PEM encoded RSA public key to a JWK (JSON Web Key)
+    /// representation suitable for use with OpenID Connect discovery endpoints.
+    ///
+    /// # Parameters
+    ///
+    /// * `pem_data` - The PEM encoded RSA public key as bytes
+    ///
+    /// # Returns
+    ///
+    /// A JWK representing the RSA public key, or an error if parsing fails
+    pub fn create_jwk_from_pem(pem_data: &[u8]) -> Result<Jwk> {
+        // Parse the PEM key
+        let public_key = DecodeRsaPublicKey::from_pkcs1_pem(std::str::from_utf8(pem_data)?)
+            .context("Failed to parse RSA public key from PEM")?;
+
+        // Convert to JWK
+        Self::create_jwk_from_public_key(&public_key)
+    }
+
+    /// Create a JWK from an RSA public key
+    ///
+    /// Converts an RSA public key to a JWK representation with the necessary
+    /// parameters for use with OpenID Connect.
+    ///
+    /// # Parameters
+    ///
+    /// * `public_key` - The RSA public key
+    ///
+    /// # Returns
+    ///
+    /// A JWK representing the RSA public key
+    pub fn create_jwk_from_public_key(public_key: &RsaPublicKey) -> Result<Jwk> {
+        // Get the modulus (n) and exponent (e) from the public key
+        let n = public_key.n();
+        let n = BASE64_STANDARD.encode(&public_key.n().to_bytes_be());
+        let e = BASE64_STANDARD.encode(&public_key.e().to_bytes_be());
+
+        // Calculate the key ID (kid) as a SHA-256 thumbprint
+        let jwk_thumbprint = Self::calculate_jwk_thumbprint(&n, &e)?;
+
+        // Build the JWK
+        let jwk = Jwk {
+            common: jsonwebtoken::jwk::CommonParameters {
+                public_key_use: Some(PublicKeyUse::Signature),
+                key_id: Some(jwk_thumbprint),
+                key_algorithm: Some(jsonwebtoken::jwk::KeyAlgorithm::RS256), // Correct field name and type
+                ..Default::default()
+            },
+            algorithm: jsonwebtoken::jwk::AlgorithmParameters::RSA(
+                jsonwebtoken::jwk::RSAKeyParameters {
+                    key_type: jsonwebtoken::jwk::RSAKeyType::RSA,
+                    n,
+                    e,
+                    ..Default::default()
+                },
+            ),
+        };
+
+        Ok(jwk)
+    }
+
+    /// Calculate a JWK thumbprint according to RFC 7638
+    ///
+    /// This function calculates a thumbprint for a JWK which can be used as
+    /// a key ID (kid) parameter. The thumbprint is a SHA-256 hash of the
+    /// canonical JSON representation of the JWK.
+    ///
+    /// # Parameters
+    ///
+    /// * `n` - Base64URL encoded modulus
+    /// * `e` - Base64URL encoded exponent
+    ///
+    /// # Returns
+    ///
+    /// Base64URL encoded SHA-256 thumbprint
+    fn calculate_jwk_thumbprint(n: &str, e: &str) -> Result<String> {
+        // Create canonical JWK representation
+        let canonical = json!({
+            "e": e,
+            "kty": "RSA",
+            "n": n
+        });
+
+        // Serialize to bytes in lexicographic order
+        let canonical_bytes = serde_json::to_vec(&canonical)?;
+
+        // Calculate SHA-256 hash
+        let mut hasher = Sha256::new();
+        hasher.update(&canonical_bytes);
+        let hash = hasher.finalize();
+
+        // Encode as Base64URL
+        let thumbprint = URL_SAFE_NO_PAD.encode(hash);
+
+        Ok(thumbprint)
+    }
+}

src/visualization/jwt_keys.rs

@@ -132,6 +132,9 @@ pub mod oxide_auth;
 /// Web server implementation
 pub mod server;
 
+/// OIDC discovery and configuration
+pub mod oidc;
+
 use crate::{config::Config, AnalysisResult};
 use anyhow::Result;
 use base64::{self, Engine};