
Spiffe standard specifies jwt_svid or x509_svid for the 'use' field in JWK #19

Open
huguesBouvier opened this issue Mar 4, 2022 · 8 comments

Comments

@huguesBouvier commented Mar 4, 2022

Hello,

I use the client library to validate a trust bundle from the agent, but I am getting the following error:
unknown variant jwt-svid, expected sig or enc

However jwt-svid is actually a correct field as per SPIFFE standard:
Please see: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#422-public-key-use

@huguesBouvier huguesBouvier changed the title Spiffe standard specifies jwt_svid or x509_svid for the use field Spiffe standard specifies jwt_svid or x509_svid for the 'use' field in JWK Mar 4, 2022
@maxlambrecht (Owner) commented

Hi! I'm not sure I understand what you are trying to accomplish when you say you are trying to validate the trust bundle from the agent. The library provides methods to fetch trust bundles and use them to validate JWT tokens.

Could you provide some code snippets so I can understand your scenario better?

@huguesBouvier (Author) commented Mar 7, 2022

Hey! This is the only thing I have in my client:

// fetch a set of jwt bundles (public keys for validating jwt token)
let jwt_bundles = client.fetch_jwt_bundles()?;

I am sorry for the confusion I meant fetching the trust bundle, not validating.

The important thing is this, from the SPIFFE standard: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#422-public-key-use
The "use" field in SPIFFE is only "jwt-svid" or "x509-svid". However, because you use the dependencies "jsonwebtoken" and "jsonwebkey" to validate a token, it rejects tokens that have a "use" field different from "sig" or "enc".
So all correctly crafted JWT-SVIDs will be rejected.
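To make the mismatch concrete, here is an added Python illustration (not code from this crate, from jsonwebkey, or from the reporter). It parses a constructed SPIFFE bundle document twice: once with a parser that hard-codes the two RFC 7517 example values for "use" (the behaviour reported above), and once with a parser that applies the SPIFFE bundle rule from the linked standard, where every key carries "use" set to "jwt-svid" or "x509-svid", jwt-svid keys carry a "kid" and x509-svid keys carry "x5c". The key material, the `kid` values and the error strings are constructed for the example; the SPIFFE-aware parser rejects rather than ignores a non-SPIFFE "use" value, which is a choice made here and not something this page discusses.

```python
import json

# RFC 7517 section 4.2 names "sig" and "enc" but explicitly allows other
# values; SPIFFE bundles restrict "use" to these two instead.
SPIFFE_KEY_USES = {"jwt-svid", "x509-svid"}
STRICT_KEY_USES = {"sig", "enc"}

# Constructed sample bundle: coordinates, certificate and kids are placeholders.
SAMPLE_BUNDLE = json.dumps({
    "spiffe_sequence": 1,
    "keys": [
        {"kty": "EC", "crv": "P-256", "kid": "jwt-key-1", "use": "jwt-svid",
         "x": "placeholder-x", "y": "placeholder-y"},
        {"kty": "EC", "crv": "P-256", "use": "x509-svid",
         "x": "placeholder-x", "y": "placeholder-y",
         "x5c": ["placeholder-cert"]},
        {"kty": "RSA", "kid": "legacy", "use": "sig",
         "n": "placeholder-n", "e": "AQAB"},
    ],
})


class KeyUseError(ValueError):
    """Raised when a JWK's 'use' value is not acceptable to the parser."""


def parse_jwk_strict(jwk: dict) -> dict:
    """Constructed stand-in for a JWK parser that only knows 'sig' and 'enc'."""
    use = jwk.get("use")
    if use is not None and use not in STRICT_KEY_USES:
        raise KeyUseError(f"unknown variant {use}, expected sig or enc")
    return jwk


def parse_jwk_spiffe(jwk: dict) -> dict:
    """SPIFFE bundle rule: 'use' is required and names the authority type."""
    use = jwk.get("use")
    if use not in SPIFFE_KEY_USES:
        raise KeyUseError(
            f"unknown SPIFFE key use {use!r}, expected jwt-svid or x509-svid")
    if use == "jwt-svid" and "kid" not in jwk:
        raise KeyUseError("jwt-svid key must carry a kid")
    if use == "x509-svid" and "x5c" not in jwk:
        raise KeyUseError("x509-svid key must carry x5c")
    return jwk


def load_bundle(raw: str, parser):
    """Parse every key with `parser`; return (accepted_keys, rejection_messages)."""
    doc = json.loads(raw)
    accepted, rejected = [], []
    for jwk in doc.get("keys", []):
        try:
            accepted.append(parser(jwk))
        except KeyUseError as err:
            rejected.append(str(err))
    return accepted, rejected


def jwt_authorities(raw: str) -> dict:
    """The keys a JWT-SVID validator should trust, indexed by kid."""
    accepted, _ = load_bundle(raw, parse_jwk_spiffe)
    return {k["kid"]: k for k in accepted if k["use"] == "jwt-svid"}


if __name__ == "__main__":
    ok, bad = load_bundle(SAMPLE_BUNDLE, parse_jwk_strict)
    print(f"strict parser: {len(ok)} accepted, rejected: {bad}")
    ok, bad = load_bundle(SAMPLE_BUNDLE, parse_jwk_spiffe)
    print(f"SPIFFE parser: {len(ok)} accepted, rejected: {bad}")
    print("JWT authorities:", sorted(jwt_authorities(SAMPLE_BUNDLE)))
```

The strict parser drops exactly the two SPIFFE-conformant keys and keeps only the non-SPIFFE "sig" key, which is the inverse of what a JWT-SVID validator needs; the SPIFFE-aware parser keeps the jwt-svid and x509-svid keys and leaves only the jwt-svid key as a JWT authority.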

@maxlambrecht (Owner) commented

Then having the jwt_bundles you use them to validate a token using the parse_and_validate method, like:

svid::jwt::JwtSvid::parse_and_validate(&token, &jwt_bundles, &expected_audience)?;

and that is giving you the error with the "use" field?

@huguesBouvier (Author) commented Mar 8, 2022

No, this call is giving me the error: fetch_jwt_bundles
I have nothing else in my client.
This may better illustrate it: I have made a fork and added a field "use": "jwt-svid" as per the standard in the unit test for the trust bundle. Now the unit tests are failing.
See changes on my fork:
huguesBouvier@2d65a7a

@maxlambrecht (Owner) commented Mar 8, 2022

Oh I see, thanks for catching that.

I'll open an issue on the repository for the jsonwebkey crate asking to allow other values in the use field, as per RFC 7517, and in the meantime I'll explore other options.

@maxlambrecht (Owner) commented

Opened issue in jsonwebkey: nhynes/jwk-rs#8

@maxlambrecht (Owner) commented

Hi @huguesBouvier , I submitted a PR to the jsonwebkey repo to address this.

@huguesBouvier (Author) commented

Thanks a lot!
