Releases: wireapp/rusty-jwt-tools

v0.11.0

18 Oct 09:23

v0.11.0 - 2024-10-18

Highlights

  • Fixed intermediate CA's certificate generation in the E2EI workflow test to have
    X.509 name constraints, so that it reflects real-world usage.
  • Fixed signature verification in the E2EI workflow test.
  • Added documentation on how to build, test, develop and release rusty-jwt-tools.

Bug Fixes

  • jwt: fix wrong comment (a388a50)
  • improve validation of certificate response [WPB-10104] (#237) (8a78a96)
  • failing haskell ffi test due to expired dpop proof (#240) (031efbe)
  • ffi: fix Haskell bindings and test (5d594b9)
  • acme: invert check for valid (identifier, challenge type) pairs [WPB-10103] (c78df0e)

Documentation

Testing

  • e2e-identity: fix ACME server PKI configuration (63d608a)
  • e2e-identity: only pick the signing key (47f0c01)
  • e2e-identity: explain why the refresh token from Keycloak shows up as invalid (81dc3a7)
  • e2e-identity: fix token verification in tests (957e99a)
  • e2e-identity: don't clobber existing README.md (0183a41)
  • e2e-identity: copy code for access token verification from cli (a658d37)
  • update testcontainers image to keycloak 25.0.2 (d502b67)
  • update test code to new reqwest version (e29682b)
  • update test code to new helper api (9c0d3ca)
  • move asserhttp features to helper code (9f120d8)
  • update test code to new http and hyper APIs (0506659)
  • build: update http crate, add http-body-util and hyper-util crates (cf3f9b1)
  • correct image for smallstep, stable ready conditions (37023ff)
  • execute e2e identity tests sequentially (0cd0fae)
  • refactor: more struct fields instead of env vars (acf86b6)
  • use keycloak in ed25519 test (d90e618)
  • improve error message when fetching of oidc config fails (2ba8ed4)
  • upgrade testcontainers images to new api (9b0a080)
  • upgrade tests to new testcontainers api (f411bb8)
  • update testcontainers crate (f9c156b)

v0.3.1

17 Mar 10:13

Features

  • return DER encoded certificates instead of PEM
  • zeroize private key material

v0.3.0

13 Mar 13:59

Features

  • End-to-end tests are now run against the real OIDC provider: Dex.
  • The API is a bit more pragmatic, requiring a single ClientId as a String when it needs one instead of parts of it.
  • Many other miscellaneous changes, too many to remember all of them

This project is still under heavy development and not yet suitable for production use.

v0.2.0

10 Feb 16:02

Initial release! 🥳

You mostly want to use the wire-e2e-identity crate, which contains all the client methods for requesting an x509 certificate from an ACME server. This certificate proves the identity of the user/client through its clientId, userId, displayName and domain.

Features

  • JWT utils to create a DPoP client token, an access token and validate the latter
  • Generic utilities to create and validate a JWT token. Can be used in other contexts.
  • Utilities to create/parse JWKs
  • Create a JWK thumbprint
  • Opinionated ACME client library only suited to our usage; it currently only supports requesting an x509 certificate (no refresh or revocation flow)
  • Haskell FFI to use the method to generate an access token in wire-server
  • A CLI for using the access token validation method in the ACME server written in Go