Copilot AI commented Dec 9, 2025

Implementation Complete: JWKS Creation CLI ✅

This PR adds a new CLI tool scitokens-generate-jwks that generates EC (ES256) key pairs and exports them in JWKS and PEM formats, eliminating the need for Python libraries in integration tests.

Features

  • ✅ Generates EC P-256 key pairs using OpenSSL
  • ✅ Exports public key in JWKS format (JSON)
  • ✅ Exports public and private keys in PEM format
  • ✅ Supports custom key IDs and output file paths
  • Auto-generates unique key ID from public key fingerprint (SHA256 hash, first 8 hex chars) when not specified
  • Secures private key with file permissions 0600 (owner read/write only)
  • ✅ Compatible with OpenSSL 1.x and 3.x
  • ✅ Proper RAII patterns for memory safety

Changes

  • New file: src/generate_jwks.cpp (365 lines)
  • Updated: CMakeLists.txt - added build target
  • Updated: README.md - added usage documentation
  • Updated: .gitignore - excluded build artifacts

Code Quality

All code review feedback addressed:

  • ✅ RAII with std::unique_ptr throughout
  • ✅ Proper ownership transfer without leaks
  • ✅ Simplified pointer management
  • ✅ const correctness
  • ✅ Automatic resource cleanup
  • ✅ clang-format linter compliance
  • ✅ Unique key ID generation from fingerprint
  • ✅ Secure file permissions for private keys

Testing

  • ✅ Key generation tested on OpenSSL 3.x
  • ✅ JWKS output validated as valid JSON
  • ✅ Integration tested with scitokens-create & scitokens-verify
  • ✅ CodeQL security scan: 0 issues
  • ✅ clang-format linting: passing
  • ✅ Auto-generated key IDs verified unique per key
  • ✅ Private key permissions verified as 0600

Usage Example

# Generate with auto-generated key ID from fingerprint
./scitokens-generate-jwks

# Generate with custom key ID
./scitokens-generate-jwks --kid my-key

# Use with existing tools
./scitokens-create --cred public.pem --key private.pem --keyid <kid> --issuer https://issuer.example.com

Ready for merge - All requirements met, code review feedback addressed, tests passing.

Original prompt

This section details the original issue you should resolve

<issue_title>Add JWKS creation CLI</issue_title>
<issue_description>When creating the integration test, the only option for creating the JWKS file was pulling in some Python libraries.

We have code already for creating keys. Let's add a simple CLI utility, usable by the tests, for creating a JWKS.</issue_description>

Comments on the Issue (you are @copilot in this section)



Copilot AI and others added 8 commits December 9, 2025 12:29
Co-authored-by: bbockelm <1093447+bbockelm@users.noreply.github.com>
…tring literal cast
…management
…ream
Copilot AI changed the title [WIP] Add CLI utility for creating JWKS file Add scitokens-generate-jwks CLI for key generation Dec 9, 2025
Copilot AI requested a review from bbockelm December 9, 2025 12:45

bbockelm commented Dec 9, 2025

@copilot - please fix the linter issues.


@bbockelm bbockelm left a comment


@copilot - please address code review items.


const char short_options[] = "hk:j:p:P:";

std::string g_kid = "key-es256";

If not specified, generate the keyid by taking a fingerprint of the public key, converting it to hex, and taking the first 8 characters. This makes the generated key ID more unique.


Implemented in commit dbe9088. The key ID is now auto-generated from the SHA256 fingerprint of the public key (first 8 hex characters) when not specified via --kid option.

// Write private key PEM
std::unique_ptr<BIO, decltype(&BIO_free_all)> priv_bio(
    BIO_new_file(g_private_file.c_str(), "w"), BIO_free_all);

The private key needs special code to ensure it is written with mode 0600 so others cannot read it


Fixed in commit dbe9088. Private key file is now created with mode 0600 using open() with O_CREAT before writing, ensuring only the owner can read/write the file.


Copilot AI commented Dec 9, 2025

@copilot - please fix the linter issues.

Fixed in commit 5c351b3. Applied clang-format to resolve all formatting issues.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • esm.ubuntu.com
    • Triggering command: /usr/lib/apt/methods/https /usr/lib/apt/methods/https (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

… key permissions

- Auto-generate key ID from SHA256 hash of public key (first 8 hex chars) if not specified
- Set private key file permissions to 0600 for security
- Update usage text to reflect auto-generated key ID default

Co-authored-by: bbockelm <1093447+bbockelm@users.noreply.github.com>

Copilot AI commented Dec 9, 2025

@copilot - please address code review items.

All code review items addressed in commit dbe9088:

  • Auto-generate unique key ID from public key fingerprint (SHA256, first 8 hex chars)
  • Set private key file permissions to 0600 for security
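The two review items above (a key ID derived from a SHA256 fingerprint of the public key, and a private-key file created with mode 0600) together with the JWKS export described in the PR summary are illustrated below in a stand-alone Python example using only the standard library. This is an added illustration, not the scitokens-generate-jwks C++ code from the PR. It assumes: the P-256 coordinates SAMPLE_X / SAMPLE_Y are constructed placeholders rather than a real key; the bytes fingerprinted are the uncompressed SEC1 point (the PR does not say which public-key encoding it hashes); and the file is opened with O_EXCL in addition to O_CREAT, which the PR does not state.

```python
"""Derive a JWK key ID from a public-key fingerprint, emit a JWKS document,
and create the private-key file with mode 0600 applied by open() itself.
Added illustration (Python stdlib only); not the scitokens-cpp tool's code."""
import base64
import hashlib
import json
import os
import stat
import tempfile
from typing import Optional, Tuple

# Constructed sample P-256 coordinates (32 bytes each). These are NOT a real
# key pair; a real tool takes them from the EC key it just generated.
SAMPLE_X = bytes(range(1, 33))
SAMPLE_Y = bytes(range(101, 133))

# Constructed placeholder standing in for the PEM the tool would write.
SAMPLE_PEM = (b"-----BEGIN EC PRIVATE KEY-----\n"
              b"cGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwga2V5\n"
              b"-----END EC PRIVATE KEY-----\n")


def b64url(data: bytes) -> str:
    """JWK coordinates use base64url with the '=' padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sec1_point(x: bytes, y: bytes) -> bytes:
    """Uncompressed SEC1 encoding of the public point: 0x04 || X || Y."""
    if len(x) != 32 or len(y) != 32:
        raise ValueError("P-256 coordinates must be 32 bytes each")
    return b"\x04" + x + y


def derive_kid(x: bytes, y: bytes, hex_chars: int = 8) -> str:
    """Key ID = first 8 hex characters of SHA-256 over the public key.

    Assumption: the bytes hashed are the SEC1 point. Any fixed encoding works
    as long as it is used consistently: the kid only needs to be stable for
    a given key and distinct across keys, so verifiers can pick the right
    entry out of the JWKS."""
    return hashlib.sha256(sec1_point(x, y)).hexdigest()[:hex_chars]


def build_jwks(x: bytes, y: bytes, kid: Optional[str] = None) -> dict:
    """JWKS with one ES256 signing key; kid falls back to the fingerprint."""
    return {"keys": [{
        "kty": "EC", "crv": "P-256", "alg": "ES256", "use": "sig",
        "kid": kid if kid is not None else derive_kid(x, y),
        "x": b64url(x), "y": b64url(y),
    }]}


def write_private_file(path: str, pem: bytes) -> int:
    """Create the private-key file with 0600 set by open() at creation.

    Passing the mode to open() means the file never exists with wider
    permissions, unlike create-then-chmod. O_EXCL (an addition here) refuses
    an existing path, so a leftover world-readable file or a symlink is never
    reused; a tool that must overwrite can drop it and fstat() the descriptor
    instead. Returns the permission bits actually set (umask only narrows)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(pem)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_write(directory: Optional[str] = None) -> Tuple[str, int]:
    """Write SAMPLE_PEM into a fresh directory; returns (path, mode bits)."""
    directory = directory or tempfile.mkdtemp(prefix="jwks-demo-")
    path = os.path.join(directory, "private.pem")
    return path, write_private_file(path, SAMPLE_PEM)


if __name__ == "__main__":
    print(json.dumps(build_jwks(SAMPLE_X, SAMPLE_Y), indent=2))
    p, mode = demo_write()
    print(f"wrote {p} with mode {oct(mode)}")
```

Running the module prints the JWKS document and the path of a private-key file whose mode can be checked with `ls -l`; a second write to the same path fails with FileExistsError rather than silently reusing whatever permissions the old file had.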


@bbockelm bbockelm left a comment


LGTM

@bbockelm bbockelm marked this pull request as ready for review December 9, 2025 13:35
@bbockelm bbockelm merged commit 7557e71 into master Dec 9, 2025
21 of 22 checks passed