Skip to content

rahatHSL/rust-assignment

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
src
src
 
 
.gitignore
.gitignore
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
docker-compose.yml
docker-compose.yml
 
 

Repository files navigation

Key Ownership Prover

A secure and efficient key ownership proof system implemented in Rust, using JWT (JSON Web Tokens) and ES256 (ECDSA with P-256 curve) for digital signatures. The system consists of a verifier service and a holder client that demonstrate cryptographic proof of key ownership.

Project Overview

The system implements a challenge-response protocol where:

  1. A holder requests a nonce from the verifier
  2. The holder signs the nonce with their private key
  3. The verifier validates the signature using the holder's public key

Components

  • Verifier Service (src/main.rs): A web service that:

    • Generates secure nonces
    • Validates JWT signatures
    • Prevents replay attacks
    • Exposes REST API endpoints

  • Holder Client (src/bin/holder.rs): A client that:

    • Generates ES256 key pairs
    • Requests nonces from the verifier
    • Creates and signs JWTs
    • Demonstrates key ownership

Prerequisites

  • Rust and Cargo (latest stable version)
  • Docker and Docker Compose (for containerized deployment)
  • OpenSSL development packages

Running the Project

Local Development

  1. Build the project:

    cargo build

  2. Start the verifier service:

    cargo run --bin verifier

    The service will start on http://0.0.0.0:8080

  3. Run the holder client:

    cargo run --bin holder

Docker Deployment

  1. Build and start the services: 
    docker-compose up --build
    This will start both the verifier and holder services in containers.

API Endpoints

Verifier Service

  • GET /api/nonce

    • Generates a new nonce for signing
    • Returns: {"nonce": "<uuid-v4>"}

  • POST /api/verify

    • Verifies a signed JWT and nonce
    • Request body: {"jwt": "<signed-token>", "public_key_pem": "<public-key>"}
    • Returns: {"verified": boolean, "message": "string"}

  • GET /api/list-nonces

    • Lists all used nonces (for debugging)
    • Returns: {"nonce_count": number, "nonces": ["string"]}

  • POST /api/clear-nonces

    • Clears the used nonces store
    • Returns: {"message": "string"}

Security Features

  1. Cryptographic Security

    • Uses ES256 (ECDSA with P-256 curve and SHA-256)
    • Implements industry-standard JWT format
    • Private keys never leave the holder

  2. Replay Attack Prevention

    • Tracks used nonces in memory
    • Rejects previously used nonces
    • Implements nonce clearing mechanism

Dependencies

Key dependencies from Cargo.toml:

  • actix-web: Web framework
  • jwt-simple: JWT implementation
  • jsonwebtoken: JWT validation
  • serde: Serialization
  • uuid: Nonce generation
  • reqwest: HTTP client

To generate ES256 (ECDSA with P-256 curve) key pairs locally using OpenSSL, follow these steps:

  1. Generate Private Key

    # Generate a private key using the P-256 curve
openssl ecparam -name prime256v1 -genkey -noout -out private.pem

  2. Extract Public Key

    # Derive the public key from the private key
openssl ec -in private.pem -pubout -out public.pem

  3. Convert to PKCS8 Format (for JWT.io compatibility)

    # Convert the EC private key to PKCS8 format
openssl pkcs8 -topk8 -nocrypt -in private.pem -out private_pkcs8.pem

  4. Verify Key Format

    # View the private key content (keep this secure!)
openssl ec -in private.pem -text -noout

# View the public key content
openssl ec -in public.pem -pubin -text -noout

The generated keys will be in PEM format. Use the PKCS8 format private key (private_pkcs8.pem) with JWT.io for manual testing, and the original EC private key (private.pem) with the holder client.

JWT Token Generation with JWT.io

You can use JWT.io to manually generate and verify JWTs for testing and understanding the token structure:

  1. Header Setup

    • Algorithm: Select "ES256" (ECDSA with P-256 and SHA-256)
    • The header will look like: {"alg": "ES256", "typ": "JWT"}

  2. Payload Configuration

    • Add the nonce received from the verifier
    • Example payload: {"nonce": "<received-nonce>", "exp": <170000000>}

  3. Signature Process

    • Paste your ES256 private key in PEM format
    • The public key will be used for verification
    • JWT.io will automatically generate the signature

  4. Token Verification

    • Paste the complete JWT token
    • Input the public key in PEM format
    • JWT.io will verify the signature integrity

Error Handling

The system implements comprehensive error handling:

  • JWT validation errors
  • Invalid public key format
  • Network communication errors
  • Nonce reuse attempts

Logging

Uses the env_logger crate for configurable logging:

  • Set RUST_LOG=info for standard logs
  • Set RUST_LOG=debug for detailed debugging

Logs include:

  • API request handling
  • Nonce generation and validation
  • JWT verification results
  • Error conditions

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages