-
Notifications
You must be signed in to change notification settings - Fork 277
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement decode_rsa, verify_rsa for using public key components instead of DER key. #69
Conversation
bec027f
to
ca13b50
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR!
Is it possible to get the modulus/exponent from a .pem file? I am guessing most people will have a .pem file so it would be nice to have it work automagically.
I am a bit busy with Tera and Zola currently but am planning to work on this crate afterwards (along with #66) so it will be merged at that time.
@Keats, the use case is not wider file format support than
We only have access to a base64url encoded modulus and exponent. In order for me to use this library with JWKS, I need to be able to decode tokens using the modulus and exponent tuple. |
…ead of DER key. Signed-off-by: Aaron Friel <aaron@twochairs.com>
ca13b50
to
8f02151
Compare
Another use case that I'm after is taking an RSA private key file from a Google Cloud service account JSON definition. It would be great to see RSA support added instead of having to extract the key using |
@Keats I addressed your requested changes. |
To be sure I don't forget anything, RSA keys can be set:
@jamwaffles I believe #74 fixes your issue no? Looks like it's for Google Cloud services as well |
No, PKCS #8 is typically base64 encoded in the standard
That's RFC 5208. This is to handle RFC 7517. |
@Keats Is there a blocker in this? This library isn't usable in a JWKS environment (like those configured by Istio, or Google's JWKS infrastructure, etc.) without the ability to decode based solely on the exponent and modulus. |
Not anything blocking this PR in particular, but the next version is blocked on #76 to avoid having to publish multiple major versions |
Nicely done. Thanks to all contributors on this line of work, and the
library itself! 🤸♂️
…On Tue, Feb 19, 2019, 03:58 Vincent Prouillet ***@***.***> wrote:
Not anything blocking this PR in particular, but the next version is
blocked on #76 <#76> to avoid
having to publish multiple major versions
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#69 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AlDziMeGsQA4Tk-VigSmmvGB3aYvTYjgks5vO7zLgaJpZM4Znofq>
.
|
@Keats this should be semver compatible as a "minor" bump, barring API changes right? |
@Keats We don't want to pass a PEM encoded or JWK encoded text representation of a binary key as an argument of |
I'm trying to understand if this feature somehow relates or blocks the feature with ES256 support. |
Have a look at the first post of #76, I think providing a function for each usecase is going to be easier in the end as we can see it's going to be too messy trying to make everything fit in a single function as we can already see. |
Ok, I see. Having decoder types seems as a good idea. |
Can someone look at the conflicts with after the ES support has been merged in |
@AaronFriel and @Keats I am using Aaron's branch as i'm working on a keycloak adaptor for a project i'm on. I am able to get things to work, and would like to see this merged. If needed i can look at resolving the merge conflicts. |
@mann-ed do you want to take a look first? |
@AaronFriel Yes, i'll take a look at it tomorrow. I'll get back to you by Friday April 5th as i have other obligations i need to attend to in the next few days. |
…nwebtoken into decode-from-public-key-parts
@AaronFriel Ok, i have it updated, and i created a pull request to your branch. I don't know if that is what you wanted me to do. Let me know if you have time to review, or if there is something else i should do. |
@mann-ed @AaronFriel I'll pull your changes directly next week unless there is an issue Close button is too close... |
Decode from public key parts
No worries @AaronFriel |
@Keats would it be acceptable to add a key format for "KeyFormat::RSAModulusExponentPair"? Or what would you call it? |
The name seems good to me. What do you think of this approach of using a KeyFormat enum? |
I'm not sure, to be honest, because it looks like it's assumed that the Key I think the trait structure needs reworking, but I haven't dug into it enough to make a specific comment on how. It seems like instead maybe |
Sounds like a good idea. |
I'm thinking an enum would be better than a trait in the end, any reason to prefer a trait other than adding one being a breaking change? cc @Jake-Shadle |
@AaronFriel I pushed an enum version to #91 Another thing I'm thinking is to maybe keep your |
I've integrated that PR in 10105af Can anyone try the |
Closing in favour of #91 |
This addresses #68 and enables supporting JWTs from JSON Web Key sets where the JWK set exposes the
(n, e)
tuple.