defmodule Charon.TokenFactory.Jwt do
@moduledoc """
JWT's with either symmetric (HMAC) or asymmetric (EDDSA) signatures.
The default, simplest and most performant option is symmetric signatures (MAC),
with the key derived from the Charon base secret.
Asymmetric tokens can be used when it is desirable for an external party
to be able to verify a token's integrity,
in which case distributing symmetric keys can be a hassle and a security risk.
## Keysets
In order to sign and verify JWT's, a keyset is used.
A keyset is a map of key ID's to keys.
A key is a tuple of the signing algorithm and the actual secret(s).
To simplify things and discourage key reuse,
a key can only be used with a single signing algorithm.
The default keyset looks like this, for example:
%{"default" => {:hmac_sha256, <<0, ...>>}}
Every token that is signed gets a `"kid"` claim in its header, allowing it to
be verified with the specific key and algorithm that it was signed with.
### Key cycling
It is possible to transition to a new signing key by adding a new key to the keyset
and setting it as the new signing key using the `:signing_key` config option:
%{
"default" => {:hmac_sha256, <<0, ...>>},
"new!" => {:hmac_sha512, <<1, ...>>}
}
Older tokens will be verified using the older key, based on their `"kid"` header claim.
### Tokens without a `"kid"` header claim
Legacy or external tokens may not have a `"kid"` header claim.
Such tokens can still be verified by adding
a `"kid_not_set.<alg>"` (for example "kid_not_set.HS256")
key to the keyset.
## Symmetric signatures
Symmetric signatures are message authentication codes or MACs,
either HMACs based on SHA256, 384 or 512,
or a MAC generated using Blake3's [keyed-hashing mode](https://docs.rs/blake3/latest/blake3/fn.keyed_hash.html),
which can be used directly without using a HMAC wrapper.
Using Blake3 requires the optional dependency [Blake3](https://hex.pm/packages/blake3)
and a key of exactly 256 bits.
By default, a SHA256-based HMAC is used.
## Asymmetric signatures
Asymmetric signatures are created using EDDSA (Edwards-curve Digital Signature Algorithm)
based on Curve25519 or Curve448.
Use in JWTs is standardized (pending) in [RFC 8073](https://datatracker.ietf.org/doc/rfc8037/).
These algorithms were chosen for performance and implementation ease,
since they offer built-in protection against many side-channel (timing) attacks and are
not susceptible to nonce-reuse (technically, they are, but not on the part of the implementation,
which means they are safe to use in your [PlayStation](https://en.wikipedia.org/wiki/EdDSA#Secure_coding)).
Unless you are paranoid, use Curve25519, which offers about 128 bits of security.
Curve448 offers about 224 bits, but is significantly slower.
In order to use asymmetric signatures, generate a key using `gen_keypair/1`.
Create a publishable JWK using `keypair_to_pub_jwk/1`.
iex> keypair = Jwt.gen_keypair(:eddsa_ed25519)
iex> {:eddsa_ed25519, {_pubkey, _privkey}} = keypair
iex> %{"crv" => "Ed25519", "kty" => "OKP", "x" => <<_::binary>>} = Jwt.keypair_to_pub_jwk(keypair)
## Config
Additional config is required for this module (see `Charon.TokenFactory.Jwt.Config`):
Charon.Config.from_enum(
...,
optional_modules: %{
Charon.TokenFactory.Jwt => %{
get_keyset: fn -> %{"key1" => {:hmac_sha256, "my_key"}} end,
signing_key: "key1"
}
}
)
The following options are supported:
- `:get_keyset` (optional, default `default_keyset/1`). The keyset used to sign and verify JWTs. If not specified, a default keyset with a single key called "default" is used, which is derived from Charon's base secret.
- `:signing_key` (optional, default "default"). The ID of the key in the keyset that is used to sign new tokens.
## Examples / doctests
# gracefully handles malformed tokens / unsupported algo's / invalid signature
iex> verify("a", @charon_config)
{:error, "malformed token"}
iex> verify("a.b.c", @charon_config)
{:error, "encoding invalid"}
iex> header = "notjson" |> url_encode()
iex> verify(header <> ".YQ.YQ", @charon_config)
{:error, "json invalid"}
iex> header = %{"missing" => "alg"} |> Jason.encode!() |> url_encode()
iex> verify(header <> ".YQ.YQ", @charon_config)
{:error, "malformed header"}
iex> header = %{"alg" => "boom"} |> Jason.encode!() |> url_encode()
iex> verify(header <> ".YQ.YQ", @charon_config)
{:error, "key not found"}
iex> header = %{"alg" => "HS256", "kid" => "default"} |> Jason.encode!() |> url_encode()
iex> verify(header <> ".YQ.YQ", @charon_config)
{:error, "signature invalid"}
# supports cycling to a new signing key, while still verifying old tokens
iex> {:ok, token} = sign(%{}, @charon_config)
iex> keyset = Jwt.default_keyset(@charon_config)
iex> keyset = Map.put(keyset, "ed25519_1", Jwt.gen_keypair(:eddsa_ed25519))
iex> config = override_opt_mod_conf(@charon_config, Jwt, get_keyset: fn _ -> keyset end, signing_key: "ed25519_1")
iex> {:ok, _} = verify(token, config)
iex> {:ok, new_token} = sign(%{}, config)
iex> new_token == token
false
# an old / external / legacy token without a "kid" claim can still be verified
# by adding a "kid_not_set.<alg>" key to the keyset
# a token MUST have an alg claim, which is mandatory according to the JWT spec
iex> [header, pl] = [%{"alg" => "HS256"}, %{}] |> Enum.map(&Jason.encode!/1) |> Enum.map(&url_encode/1)
iex> base = "\#{header}.\#{pl}"
iex> key = :crypto.strong_rand_bytes(32)
iex> signature = :crypto.mac(:hmac, :sha256, key, base) |> url_encode()
iex> token = "\#{base}.\#{signature}"
iex> {:error, "key not found"} = verify(token, @charon_config)
iex> keyset = %{"kid_not_set.HS256" => {:hmac_sha256, key}}
iex> config = override_opt_mod_conf(@charon_config, Jwt, get_keyset: fn _ -> keyset end)
iex> {:ok, _} = verify(token, config)
"""
import Charon.Utils.KeyGenerator
import __MODULE__.Config, only: [get_mod_config: 1]
import Charon.Internal
import Charon.Internal.Crypto
@behaviour Charon.TokenFactory.Behaviour
@sign_alg_to_header_alg %{
hmac_sha256: "HS256",
hmac_sha384: "HS384",
hmac_sha512: "HS512",
eddsa_ed25519: "EdDSA",
eddsa_ed448: "EdDSA",
blake3_256: "Bl3_256"
}
@type hmac_alg :: :hmac_sha256 | :hmac_sha384 | :hmac_sha512
@type eddsa_alg :: :eddsa_ed25519 | :eddsa_ed448
@type mac_alg :: :blake3_256
@type eddsa_keypair :: {eddsa_alg(), {binary(), binary()}}
@type symmetric_key :: {hmac_alg() | mac_alg(), binary()}
@type key :: symmetric_key() | eddsa_keypair()
@type keyset :: %{required(String.t()) => key()}
@impl true
def sign(payload, config) do
jmod = config.json_module
%{get_keyset: get_keyset, signing_key: kid} = get_mod_config(config)
with {:ok, key = {alg, _secret}} <- config |> get_keyset.() |> get_key(kid),
{:ok, json_payload} <- jmod.encode(payload) do
payload = url_encode(json_payload)
header = gen_header(alg, kid, jmod)
data = [header, ?., payload]
signature = data |> do_sign(key) |> url_encode()
token = [data, ?., signature] |> IO.iodata_to_binary()
{:ok, token}
else
_ -> {:error, "could not create jwt"}
end
end
@impl true
def verify(token, config) do
jmod = config.json_module
%{get_keyset: get_keyset} = get_mod_config(config)
with [header, payload, signature] <- String.split(token, ".", parts: 3),
{:ok, kid} <- process_header(header, jmod),
data = [header, ?., payload],
{:ok, key} <- config |> get_keyset.() |> get_key(kid),
{:ok, signature} <- url_decode(signature),
{_, true} <- {:signature_valid, do_verify(data, key, signature)},
{:ok, payload} <- to_map(payload, jmod) do
{:ok, payload}
else
{:signature_valid, _} -> {:error, "signature invalid"}
error = {:error, _msg} -> error
_ -> {:error, "malformed token"}
end
end
@doc false
def init_config(enum), do: __MODULE__.Config.from_enum(enum)
@doc """
Generate a new keypair for an asymmetrically signed JWT.
"""
@spec gen_keypair(eddsa_alg) :: eddsa_keypair
def gen_keypair(alg = :eddsa_ed25519), do: {alg, :crypto.generate_key(:eddsa, :ed25519)}
def gen_keypair(alg = :eddsa_ed448), do: {alg, :crypto.generate_key(:eddsa, :ed448)}
@doc """
Convert a keypair generated by `gen_keypair/1` to a publishable JWK
containing only the public key.
"""
@spec keypair_to_pub_jwk(eddsa_keypair) :: map()
def keypair_to_pub_jwk(_keypair = {eddsa_alg, {pubkey, _}}) do
crv = Map.fetch!(%{eddsa_ed25519: "Ed25519", eddsa_ed448: "Ed448"}, eddsa_alg)
%{"kty" => "OKP", "crv" => crv, "x" => url_encode(pubkey)}
end
@doc """
Get the default keyset that is used if config option `:get_keyset` is not set explicitly.
"""
@spec default_keyset(Charon.Config.t()) :: keyset()
def default_keyset(config) do
%{"default" => {:hmac_sha256, derive_key(config.get_base_secret.(), "charon_jwt_default")}}
end
###########
# Private #
###########
defp get_key(keyset, kid) do
if key = Map.get(keyset, kid) do
{:ok, key}
else
{:error, "key not found"}
end
end
defp calc_hmac(data, key, alg), do: :crypto.mac(:hmac, alg, key, data)
# Sign #
defp do_sign(data, {:hmac_sha256, key}), do: calc_hmac(data, key, :sha256)
defp do_sign(data, {:hmac_sha384, key}), do: calc_hmac(data, key, :sha384)
defp do_sign(data, {:hmac_sha512, key}), do: calc_hmac(data, key, :sha512)
defp do_sign(data, {:blake3_256, key}), do: __MODULE__.Blake3.keyed_hash(key, data)
defp do_sign(data, {:eddsa_ed25519, {_, privkey}}),
do: :crypto.sign(:eddsa, nil, data, [privkey, :ed25519])
defp do_sign(data, {:eddsa_ed448, {_, privkey}}),
do: :crypto.sign(:eddsa, nil, data, [privkey, :ed448])
# Verify #
defp do_verify(data, {:hmac_sha256, key}, signature),
do: data |> calc_hmac(key, :sha256) |> constant_time_compare(signature)
defp do_verify(data, {:hmac_sha384, key}, signature),
do: data |> calc_hmac(key, :sha384) |> constant_time_compare(signature)
defp do_verify(data, {:hmac_sha512, key}, signature),
do: data |> calc_hmac(key, :sha512) |> constant_time_compare(signature)
defp do_verify(data, {:blake3_256, key}, sig),
do: __MODULE__.Blake3.keyed_hash(key, data) |> constant_time_compare(sig)
defp do_verify(data, {:eddsa_ed25519, {pubkey, _privkey}}, signature),
do: :crypto.verify(:eddsa, nil, data, signature, [pubkey, :ed25519])
defp do_verify(data, {:eddsa_ed448, {pubkey, _privkey}}, signature),
do: :crypto.verify(:eddsa, nil, data, signature, [pubkey, :ed448])
# header stuff #
defp gen_header(alg, kid, jmod) do
%{alg: Map.get(@sign_alg_to_header_alg, alg), typ: "JWT", kid: kid}
|> jmod.encode!()
|> url_encode()
end
defp to_map(encoded, json_mod) do
with {_, {:ok, json}} <- {:enc, url_decode(encoded)},
{:ok, payload} <- json_mod.decode(json) do
{:ok, payload}
else
{:enc, _} -> {:error, "encoding invalid"}
_ -> {:error, "json invalid"}
end
end
defp process_header(header, json_mod) do
with {:ok, payload} <- to_map(header, json_mod),
{_, %{"alg" => alg}} <- {:payload, payload} do
{:ok, Map.get(payload, "kid", "kid_not_set.#{alg}")}
else
{:payload, _} -> {:error, "malformed header"}
error -> error
end
end
end