Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for custom time validation X5Cs #119

Merged
merged 4 commits into from
Nov 11, 2023
Merged

Conversation

ptoffy
Copy link
Member

@ptoffy ptoffy commented Nov 9, 2023

This adds support for X5C chains to verify using custom time settings, which allows for app store receipts verification

Sources/JWTKit/Utilities/CustomizedJSONCoders.swift Outdated Show resolved Hide resolved
Sources/JWTKit/X5CVerifier.swift Outdated Show resolved Hide resolved
Sources/JWTKit/X5CVerifier.swift Outdated Show resolved Hide resolved
Sources/JWTKit/X5CVerifier.swift Show resolved Hide resolved
Sources/JWTKit/X5CVerifier.swift Outdated Show resolved Hide resolved
Tests/JWTKitTests/JWTKitTests.swift Outdated Show resolved Hide resolved
@ptoffy ptoffy requested a review from 0xTim November 9, 2023 17:29
Copy link
Member

@0xTim 0xTim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good

Tests/JWTKitTests/X5CTests.swift Outdated Show resolved Hide resolved
let date: Date
// Some JWT implementations have the sign date in the payload.
// If it's such a payload, we'll use that date for validation
if let validationTimePayload = payload as? ValidationTimePayload {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd still like to see if we can compare against Payload.Type here

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@0xTim I mean we can but to access the property afterwards we still need to cast it

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ahh of course

@ptoffy ptoffy merged commit e055580 into jwtkit-5 Nov 11, 2023
6 of 12 checks passed
@ptoffy ptoffy deleted the apple-receipts-x5c branch November 11, 2023 13:34
@ptoffy ptoffy mentioned this pull request Nov 11, 2023
Merged
16 tasks
@ptoffy ptoffy added this to the v5 milestone Feb 19, 2024
0xTim pushed a commit that referenced this pull request Feb 21, 2024
* Move away from BoringSSL (#99)

* Start moving away from BoringSSL

* Start converting RSA

* Update RSA signer

* Some fixes

* Add possible RSA pubkey creation algorithm

* Add prime number generator with Miller-Rabin test

* Prime generation performance improvement

* Attempt at private key calculation

* RSA prime generation take 2

* API tidy up

* Performance improvements

* Even more speed

* RSA tidy up

* Fix JWTSigner with new RSA impl

* Add RSA tests and polish some stuff

* Remove unused method

* Minor improvements

* Add GCD test

* Get ECDSA compiling

* Add key gen test + fixups

* Add RSA cert support + enforce bigger key sizes

* Start adding ECDSA tests

* Generify ECDSAKey

* Abstract more and add P384 and P521 keys

* Adapt curve sizes

* Fix some tests

* Base64URL decode raw key elements

* Update byteRange names

* Remove BoringSSL

* Update error description

* Fix wrong overload resolution

* Add padding option for RSA signer

* Update platform versions and start converting X5C

* Convert X5CVerifier and X5CTests (SHA256)

* Add certificate creation scripts

* Fix comment

* Address most requested issues

* Add docs and replace struct with tuple

* Remove valid X5C print statement

* Remove `rsa_oaep_misc_test` test vectors

* Performance improvements

* Remove unused files

* Apply suggestions

* 🤦‍♂️

* Minor fixes

* Refactor RSA init

* Make RSAKey a struct and update docs

* Implement `JWTKeyCollection` and hide `JWTSigner` (#111)

* Implement `JWTKeyCollection` and hide `JWTSigner`

* Make `JWTSigner` `Sendable`

* Add comments and remove unused method

* Add warning when overwriting kid

* Remove `JWTSigners`

* Make `JWKSigner` `Sendable`

* Cleanups

* Update DocC comments

* Minor improvements

* Add RSA pre-generated token test (#114)

Add RS256 pre-generated token test

* Enable full CI on the 5.x branch

* Skip API breakage check for 5.x branch for now

* Add `Sendable` support (#116)

* Add `Sendable` support

* Add Sendable conformance to tests

* Make X5CVerifier a struct

---------

Co-authored-by: Gwynne Raskind <gwynne@vapor.codes>

* Rename ES521 to ES512

* Rename signer to algorithm

* Add support for custom time validation X5Cs (#119)

* Add support for custom time validation X5Cs

* Clean up and move JSONDecoder settings out of X5C

* Add more assertions in new X5C test

* Refactor X5CTests

* Add ECDSAKey PEM export (#120)

* Add ECDSAKey PEM export

* Use public key from private when possible

* Refactor ECDSAKey init

* Remove exports (#121)

Start removing exports

* Adopt `package` access and add RSA key PEM export (#122)

* Adopt `package` access and add RSA key PEM export

* Remove unused code

* Make equatable conformance public

* Optimise RSAKey Equatable implementation

* Refactor RSAKey Equatable implementation

* Remove public enums (#123)

* Start removing enums

* Update JWTError

* Add custom decoding for new structs

* Adopt a more structured JWTError

* Minor improvements

* Test integration with v5 of JWT

* Make JWK use existing curves

* Nit: spacing

---------

Co-authored-by: Gwynne Raskind <gwynne@vapor.codes>

* Remove use of `Data(contentsOf:)`

* Add RSA-PSS signature algorithm support (#112)

* Add RSA-PSS signature algorithm support

* Add PSS signers and tests

* Replace `Data(contentsOf:)` with `URLSession`

* Remove Apple jwks test

* Fix keycollection's getSigner method

* Fix keycollection's getSigner method

---------

Co-authored-by: Paul <paultoffoloni@gmail.com>

* Adjust JWTError access modifiers

* Adjust JWTError access modifiers once again

* Add option to sign tokens with x5c chains (#126)

* Add option to sign tokens with x5c chains

* Add new test and fixes

* Add option to fetch RSA primitives (#127)

* Add option to fetch RSA primitives

* Typo

* Remove unused files

* Update NOTICES

* Split internal key structure into public and private (#128)

* Create first idea of split RSA keys

* Refactor signer and update docs

* Split ECDSA keys

* Remove useless parameter

* Update EdDSA

* Rename file

* Adjust spacing

* Remove useless implementations

* Clean up some access modifiers

* Move RSA to insecure namespace

* Add customisable fields to JWTHeader (#129)

* Add customisable fields to JWTHeader

* Remove unused field

* Fix en/decoding logic and add remove `package` use

* Make customFields not optional

* Add correct init to JWTHeader

* Fix CodingKey mismatch

* Remove `CaseIterable` conformance

* Fix

* Add `float` jwt header field type

* Allow for custom JWT de/serialisation (#130)

* Improve header structure

* Allow for custom JWT de/serialisation

* Make properties return nil instead of throwing

* Make the new API easier to use

* Add platform-agnostic de/compression algorithms

* Remove unnecessary test

* Update swift-certificates and add customisable policy to X5C verification

* Add key initialiser for SwiftCrypto key types

* Add `missingX5CHeader` error

* Add RSA size boundary (#135)

Add 2048 bits key size boundary for RSA keys

* Update README and DocC (#136)

* Start updating README

* Update badges in README

* Update CODEOWNERS

* Update README.md

Co-authored-by: Gwynne Raskind <gwynne@vapor.codes>

* Update DocC

* Update docs

* Un-fancy JSON...

* Revert README header upgrade

* Add custom parsing/serialising comments

---------

Co-authored-by: Gwynne Raskind <gwynne@vapor.codes>

* Add some tests to get coverage up (#139)

Add some test to get coverage up

* Merge branch 'main' into 'jwtkit-5'

---------

Co-authored-by: Gwynne Raskind <gwynne@vapor.codes>
Co-authored-by: Matteo Franceschi <matteo.franceschi@flowpay.it>
ptoffy added a commit that referenced this pull request Feb 24, 2024
* Add support for custom time validation X5Cs

* Clean up and move JSONDecoder settings out of X5C

* Add more assertions in new X5C test

* Refactor X5CTests
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants