Switch to JWK Thumbprints

Author: V02460

crates/config/src/sections/secrets.rs

@@ -9,13 +9,9 @@ use std::borrow::Cow;
 use anyhow::{Context, bail};
 use camino::Utf8PathBuf;
 use futures_util::future::{try_join, try_join_all};
-use mas_jose::jwk::{JsonWebKey, JsonWebKeySet};
+use mas_jose::jwk::{JsonWebKey, JsonWebKeySet, Thumbprint};
 use mas_keystore::{Encrypter, Keystore, PrivateKey};
-use rand::{
-    Rng, SeedableRng,
-    distributions::{Alphanumeric, DistString, Standard},
-    prelude::Distribution as _,
-};
+use rand::{Rng, SeedableRng, distributions::Standard, prelude::Distribution as _};
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use serde_with::serde_as;
@@ -185,7 +181,7 @@ impl KeyConfig {
 
         let kid = match self.kid.clone() {
             Some(kid) => kid,
-            None => kid_from_key(&private_key)?,
+            None => private_key.thumbprint_sha256_base64(),
         };
 
         Ok(JsonWebKey::new(private_key)
@@ -194,13 +190,6 @@ impl KeyConfig {
     }
 }
 
-/// Returns a kid derived from the given key.
-fn kid_from_key(private_key: &PrivateKey) -> anyhow::Result<String> {
-    let fingerprint = private_key.fingerprint()?;
-    let head = fingerprint.first_chunk::<4>().unwrap();
-    Ok(hex::encode(head))
-}
-
 /// Encryption config option.
 #[derive(Debug, Clone)]
 pub enum Encryption {
@@ -494,7 +483,7 @@ mod tests {
 
                     let key_store = config.key_store().await.unwrap();
                     assert!(key_store.iter().any(|k| k.kid() == Some("lekid0")));
-                    assert!(key_store.iter().any(|k| k.kid() == Some("040b0ab8")));
+                    assert!(key_store.iter().any(|k| k.kid() == Some("ONUCn80fsiISFWKrVMEiirNVr-QEvi7uQI0QH9q9q4o")));
                 });
 
                 Ok(())

crates/jose/src/jwk/mod.rs

@@ -13,6 +13,7 @@ use mas_iana::jose::{
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use serde_with::skip_serializing_none;
+use sha2::{Digest, Sha256};
 use url::Url;
 
 use crate::{
@@ -239,6 +240,28 @@ impl<P> JsonWebKey<P> {
     }
 }
 
+/// Methods to calculate RFC 7638 JWK Thumbprints.
+pub trait Thumbprint {
+    /// Returns the RFC 7638 JWK Thumbprint JSON string.
+    fn thumbprint_prehashed(&self) -> String;
+
+    /// Returns the RFC 7638 SHA256-hashed JWK Thumbprint.
+    fn thumbprint_sha256(&self) -> [u8; 32] {
+        Sha256::digest(self.thumbprint_prehashed()).into()
+    }
+
+    /// Returns the RFC 7638 SHA256-hashed JWK Thumbprint as base64url string.
+    fn thumbprint_sha256_base64(&self) -> String {
+        Base64UrlNoPad::new(self.thumbprint_sha256().into()).encode()
+    }
+}
+
+impl<P: Thumbprint> Thumbprint for JsonWebKey<P> {
+    fn thumbprint_prehashed(&self) -> String {
+        self.parameters.thumbprint_prehashed()
+    }
+}
+
 impl<P> Constrainable for JsonWebKey<P>
 where
     P: ParametersInfo,

crates/jose/src/jwk/public_parameters.rs

@@ -11,7 +11,7 @@ use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 
 use super::ParametersInfo;
-use crate::base64::Base64UrlNoPad;
+use crate::{base64::Base64UrlNoPad, jwk::Thumbprint};
 
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, JsonSchema)]
 #[serde(tag = "kty")]
@@ -52,6 +52,22 @@ impl JsonWebKeyPublicParameters {
     }
 }
 
+impl Thumbprint for JsonWebKeyPublicParameters {
+    fn thumbprint_prehashed(&self) -> String {
+        match self {
+            JsonWebKeyPublicParameters::Rsa(RsaPublicParameters { n, e }) => {
+                format!("{{\"e\":\"{e}\",\"kty\":\"RSA\",\"n\":\"{n}\"}}")
+            }
+            JsonWebKeyPublicParameters::Ec(EcPublicParameters { crv, x, y }) => {
+                format!("{{\"crv\":\"{crv}\",\"kty\":\"EC\",\"x\":\"{x}\",\"y\":\"{y}\"}}")
+            }
+            JsonWebKeyPublicParameters::Okp(OkpPublicParameters { crv, x }) => {
+                format!("{{\"crv\":\"{crv}\",\"kty\":\"OKP\",\"x\":\"{x}\"}}")
+            }
+        }
+    }
+}
+
 impl ParametersInfo for JsonWebKeyPublicParameters {
     fn kty(&self) -> JsonWebKeyType {
         match self {
@@ -300,3 +316,31 @@ mod ec_impls {
         }
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_thumbprint_rfc_example() {
+        // From https://www.rfc-editor.org/rfc/rfc7638.html#section-3.1
+        let n = Base64UrlNoPad::parse(
+            "\
+            0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAt\
+            VT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn6\
+            4tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FD\
+            W2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n9\
+            1CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINH\
+            aQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
+        )
+        .unwrap();
+        let e = Base64UrlNoPad::parse("AQAB").unwrap();
+
+        let jwkpps = JsonWebKeyPublicParameters::Rsa(RsaPublicParameters { n, e });
+
+        assert_eq!(
+            jwkpps.thumbprint_sha256_base64(),
+            "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs"
+        )
+    }
+}

crates/keystore/src/lib.rs

@@ -18,7 +18,7 @@ use mas_iana::jose::{JsonWebKeyType, JsonWebSignatureAlg};
 pub use mas_jose::jwk::{JsonWebKey, JsonWebKeySet};
 use mas_jose::{
     jwa::{AsymmetricSigningKey, AsymmetricVerifyingKey},
-    jwk::{JsonWebKeyPublicParameters, ParametersInfo, PublicJsonWebKeySet},
+    jwk::{JsonWebKeyPublicParameters, ParametersInfo, PublicJsonWebKeySet, Thumbprint},
 };
 use pem_rfc7468::PemLabel;
 use pkcs1::EncodeRsaPrivateKey;
@@ -621,6 +621,12 @@ impl ParametersInfo for PrivateKey {
     }
 }
 
+impl Thumbprint for PrivateKey {
+    fn thumbprint_prehashed(&self) -> String {
+        JsonWebKeyPublicParameters::from(self).thumbprint_prehashed()
+    }
+}
+
 /// A structure to store a list of [`PrivateKey`]. The keys are held in an
 /// [`Arc`] to ensure they are only loaded once in memory and allow cheap
 /// cloning