CHANGELOG.md

File metadata and controls

401 lines (237 loc) · 11.1 KB

Changelog

v0.12.0 - 2024-12-17

Documentation

  • update documentation for how to run the Haskell FFI tests (92184e1)
  • README.md: just push the relevant tag (286a0f7)

Testing

  • e2e-identity: increase the validity period of the intermediate CA cert (69a414c)

v0.11.0 - 2024-10-18

Highlights

  • Fixed intermediate CA's certificate generation in the E2EI workflow test to have X.509 name constraints, so that it reflects real-world usage.
  • Fixed signature verification in the E2EI workflow test.
  • Added documentation on how to build, test, develop and release rusty-jwt-tools.

Bug Fixes

  • jwt: fix wrong comment (a388a50)
  • improve validation of certificate response [WPB-10104] (#237) (8a78a96)
  • failing haskell ffi test due to expired dpop proof (#240) (031efbe)
  • ffi: fix Haskell bindings and test (5d594b9)
  • acme: invert check for valid (identifier, challenge type) pairs [WPB-10103] (c78df0e)

Documentation

  • update README (b98f60d)
  • add CHANGELOG.md (922c96d)
  • add documentation about flaky tests (bef7ca8)
  • add comments to explain wiremock stubs (c8c114e)
  • document project structure (49f05af)
  • how to release (1189957)

Testing

  • e2e-identity: fix ACME server PKI configuration (63d608a)
  • e2e-identity: only pick the signing key (47f0c01)
  • e2e-identity: explain why the refresh token from Keycloak shows up as invalid (81dc3a7)
  • e2e-identity: fix token verification in tests (957e99a)
  • e2e-identity: don't clobber existing README.md (0183a41)
  • e2e-identity: copy code for access token verification from cli (a658d37)
  • update testcontainers image to keycloak 25.0.2 (d502b67)
  • update test code to new reqwest version (e29682b)
  • update test code to new helper api (9c0d3ca)
  • move asserhttp features to helper code (9f120d8)
  • update test code to new http and hyper APIs (0506659)
  • build: update http crate, add http-body-util and hyper-util crates (cf3f9b1)
  • correct image for smallstep, stable ready conditions (37023ff)
  • execute e2e identity tests sequentially (0cd0fae)
  • refactor: more struct fields instead of env vars (acf86b6)
  • use keycloak in ed25519 test (d90e618)
  • improve error message when fetching of oidc config fails (2ba8ed4)
  • upgrade testcontainers images to new api (9b0a080)
  • upgrade tests to new testcontainers api (f411bb8)
  • update testcontainers crate (f9c156b)

v0.10.0 - 2024-05-02

Features

  • Turn off default features on crates (c92f5cd)
  • Support p521 x509 validations (ca07225)
  • Add method to parse raw JWK into a public key (90f6be7)
  • [breaking] Add support for SHA-512 and stop hardcoding SHA-256 for MLS thumbprint (87fb283)
  • Add method to compute a JWK thumbprint from a raw key (03278c3)
  • Add ability to list in-store CRLs & update certval (a129833)
  • Add serial number, not before & not after in the identity object (d2ba6d6)

Bug Fixes

  • Jwk parse_from_json not supporting es512 (05441e9)
  • Generate_jwk test util not compatible with P521 (734a2d3)
  • Point to correct certval branch (711c1a6)
  • JWK thumbprint was failing for NIST P-curves (f3386be)
  • Fixed revocation cache not working properly (fdf1538)
  • Revocation tweak + update certval (b2dca84)
  • Add support in CrlInfo for CRL DP as URI (b1c0b9a)
  • get_dps_from_cert was not returning a result when found (f2ae64f)
  • Verify revocation when checking the status (89c1a2d)
  • Use vendored OpenSSL for testing (f8c29ac)
  • Add a Keycloak ClientPolicyExecutor to alter the idToken generated by a refreshToken (f10accb)
  • Rework x509 verification to be sturdier (8d877a0)

Testing

  • Fix/remove invalid/irrelevant e2e tests (b43514b)
  • Tryout latest Smallstep version (b854ad8)
  • Fix compilation (894c7ef)

v0.9.0 - 2024-02-19

Features

  • Validate display name in dpop challenge (919fdef)
  • Reexport certval in the e2e_identity::prelude::x509 namespace (603da43)
  • Export x509 handle struct (12cc016)

Bug Fixes

  • Update Cargo.lock for certval bugfix (eff780d)
  • Forgotten call on PKI env init (0831d7b)
  • Fail on empty PKI path (048e8dc)
  • Forbid self-signed end-identity certificates (98d43e2)
  • We were trying to decode ski & aki as utf-8 (a6da7d2)
  • Fix missed code path bail on no CRL availability (32923ab)
  • Correctly initialize Intermediate CA store (bc6c5c1)

v0.8.6 - 2024-01-22

Features

  • [breaking] Use 2 authorizations instead of 1 (5462725)

Bug Fixes

  • Prepare the fix for validating uniqueness of the ACME challenge tokens (1d73f10)
  • Verify challenge tokens are base64Url encoded and have enough entropy (3a27be4)
  • Verify that ACME server only returns certificates and not keys (4d911b5)

Testing

  • Test smallstep's upstream branch and add a couple more e2e tests (b8f1850)
  • Fix some failing unit tests (2075fab)
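The two v0.8.6 fixes above ("verify challenge tokens are base64Url encoded and have enough entropy" and "verify that ACME server only returns certificates and not keys") boil down to checks a client can run on untrusted ACME responses before trusting them. The block below is an added illustration written for this changelog, not code from rusty-jwt-tools; it uses only the Rust standard library, the sample token and PEM strings are constructed placeholders, and the function names are the author's own. The token check enforces the RFC 8555 section 8.3 requirements (base64url alphabet, no `=` padding, at least 128 bits, i.e. 22 base64url characters); it bounds the length, which is what a client can verify from a single sample, rather than measuring statistical entropy. The certificate check walks the PEM blocks of a certificate download and rejects anything that is not a `CERTIFICATE` block.

```rust
// Added example (not rusty-jwt-tools code): sanity checks on what an ACME
// server hands back, mirroring the two v0.8.6 fixes.
//
// 1. Challenge tokens: RFC 8555 section 8.3 requires at least 128 bits of
//    entropy and only base64url characters with no '=' padding. A base64url
//    character carries 6 bits, so the token needs ceil(128 / 6) = 22 chars.
// 2. Certificate download: the response must carry only CERTIFICATE PEM
//    blocks. A private key in that response is a server bug (or a hostile
//    server) and must be rejected rather than stored.

const MIN_TOKEN_ENTROPY_BITS: usize = 128;

#[derive(Debug, PartialEq, Eq)]
pub enum TokenError {
    Empty,
    NotBase64Url(char),
    TooShort { have_bits: usize },
}

fn is_base64url(c: char) -> bool {
    c.is_ascii_alphanumeric() || c == '-' || c == '_'
}

/// Accept a challenge token only if it is unpadded base64url and long enough
/// to hold 128 bits. This checks the length bound, not the randomness of the
/// value itself, which cannot be judged from one sample.
pub fn validate_challenge_token(token: &str) -> Result<(), TokenError> {
    if token.is_empty() {
        return Err(TokenError::Empty);
    }
    if let Some(bad) = token.chars().find(|c| !is_base64url(*c)) {
        return Err(TokenError::NotBase64Url(bad));
    }
    let have_bits = token.len() * 6;
    if have_bits < MIN_TOKEN_ENTROPY_BITS {
        return Err(TokenError::TooShort { have_bits });
    }
    Ok(())
}

#[derive(Debug, PartialEq, Eq)]
pub enum PemError {
    NoCertificate,
    ForbiddenBlock(String),
    Unterminated(String),
}

/// Walk the PEM blocks in an ACME certificate response and require every one
/// of them to be a CERTIFICATE. Returns the number of certificates found.
pub fn check_certificate_response(pem: &str) -> Result<usize, PemError> {
    let mut count = 0;
    let mut open: Option<String> = None;
    for line in pem.lines().map(str::trim) {
        if let Some(label) = line.strip_prefix("-----BEGIN ").and_then(|l| l.strip_suffix("-----")) {
            if label != "CERTIFICATE" {
                return Err(PemError::ForbiddenBlock(label.to_string()));
            }
            if let Some(prev) = open.take() {
                // BEGIN inside an unfinished block: malformed response.
                return Err(PemError::Unterminated(prev));
            }
            open = Some(label.to_string());
        } else if let Some(label) = line.strip_prefix("-----END ").and_then(|l| l.strip_suffix("-----")) {
            match open.take() {
                Some(ref o) if o == label => count += 1,
                _ => return Err(PemError::Unterminated(label.to_string())),
            }
        }
    }
    if let Some(o) = open {
        return Err(PemError::Unterminated(o));
    }
    if count == 0 {
        return Err(PemError::NoCertificate);
    }
    Ok(count)
}

// Constructed sample inputs; the PEM bodies are placeholders, not real DER.
pub const GOOD_CHAIN: &str = "-----BEGIN CERTIFICATE-----\nMIIBplaceholderLeaf\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIBplaceholderIntermediate\n-----END CERTIFICATE-----\n";
pub const LEAKED_KEY: &str = "-----BEGIN CERTIFICATE-----\nMIIBplaceholderLeaf\n-----END CERTIFICATE-----\n-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIplaceholder\n-----END EC PRIVATE KEY-----\n";

fn main() {
    println!("{:?}", validate_challenge_token("DGyRejmCefe7v4NfDGDKfA"));
    println!("{:?}", validate_challenge_token("too_short"));
    println!("{:?}", check_certificate_response(GOOD_CHAIN));
    println!("{:?}", check_certificate_response(LEAKED_KEY));
}
```

Both checks belong before any state is persisted: a rejected token means the challenge is not answered, and a rejected certificate download means nothing is written to the key store.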

v0.8.5 - 2024-01-17

Features

  • Add audience in access token & id token matching acme challenge url (09b9245)

Bug Fixes

  • Seal keyauth in OIDC id token by using Keycloak. Also test the whole flow with Keycloak (6ff52d5)

v0.8.4 - 2024-01-16

Bug Fixes

  • Wrong keypair was used for signing the client dpop token (0d3cc9f)

v0.8.2 - 2024-01-15

Bug Fixes

  • Enrollment JWK was not the ACME one (c4acab1)

v0.8.1 - 2024-01-15

Bug Fixes

  • Haskell FFI tests (#132) (c79df24)

Documentation

  • Regenerate e2e-identity/README.md (4b1a850)

v0.8.0 - 2024-01-10

Features

  • Add support for CRL-based revocation (02992d2)
  • Change ClientId & Handle format to URIs and use '!' as delimiter between userId & deviceId (cafabb5)

Bug Fixes

  • Use different keys for CSR signing and ACME account as recommended by RFC8555 Section 11.1 (7a25230)

v0.7.1 - 2024-01-09

Testing

  • Turn stepca registry image configurable (788d55d)

v0.7.0 - 2024-01-09

Features

  • Use Team newtype struct in more places (8282015)

Documentation

  • Don't reach outside of crate boundary (3d93499)

Testing

  • Fix openssl command for verifying certificates in tests and this time verify the whole certificate chain and not each certificate individually (690ce12)

v0.6.1 - 2023-11-23

Bug Fixes

  • WireIdentityBuilder was not tested. Now supports unqualified handle (a66f41d)

v0.6.0 - 2023-11-23

Features

  • [breaking] Add 'handle' & 'team' to the client DPoP token and verify these in the ACME server & wire-server (9b0cb29)

Testing

  • Use stepca image '0.0.42-test.95' (911170f)

v0.5.2 - 2023-11-16

Bug Fixes

  • Add 1h leeway to "iat" & "nbf" claims in dpop token (6003c67)

Testing

  • Fix tests regarding ciphersuite agility and those without the demo context because of domain validation in certificates (bb94548)

v0.5.0 - 2023-08-29

Features

  • Have access token expiry configured by wire-server (4521e29)
  • Map 'revokeCert' in ACME directory response (db72c16)
  • Change default contact in ACME account request (acf4a21)
  • Have 'api_version' in dpop token value injected by wire-server and change default value in tests from 3 to 5 (af30d32)

Bug Fixes

  • UserId is simply base64 encoding of the uuid byte representation instead of encoding the hyphenated string representation (0b46c0e)
  • Change dpop access token 'cnf' from self JWK to client dpop token JWK (b4c04c6)

Testing

  • Update e2e test with latest refinements (2094eae)
  • Fix new clippy lints (0b09497)

v0.4.5 - 2023-07-04

Features

  • Add helper to extract public key from a certificate (4c725c4)
  • Better error mapping in certificate validation (52b1360)
  • Simplify x509 certificate builder (cd2a1ee)
  • Add extract_created_at to parse a certificate and get the 'Not Before' claim (1d7d56f)

v0.4.4 - 2023-06-09

Features

  • Map all errors in Haskell FFI (c8a08ed)
  • [breaking] Test templating the generated x509 certificate and add verifications in the certificate parsing step that the generated certificate contains the expected identity claims (afd63aa)

Bug Fixes

  • Nominal e2e test was failing due to an incorrect OID for display name in CSR used in ACME server (91d49fb)

Testing

  • Some tests were not on wasm-bindgen (7f5e65b)

v0.4.3 - 2023-05-17

Bug Fixes

  • Accidentally made the "identity-builder" feature default, bringing in "ring" transitively (f213196)

v0.4.2 - 2023-05-12

Features

  • Turn enrollment instance serializable (21366a8)

v0.4.1 - 2023-05-09

Bug Fixes

  • Return order & finalize urls (a449a34)

v0.4.0 - 2023-05-09

Features

  • Add "target" field in acme challenge to indicate the proof origin (50db02e)
  • Add more helpers to WireIdentityBuilder (8e2a911)

Bug Fixes

  • Generate JWTs with "nbf" claim slightly in past to prevent any clock drift issue (5a13a00)

v0.3.6 - 2023-04-12

Features

  • Add helpers to extract identity & fix lowercase SAN URIs (a65f16f)

v0.3.5 - 2023-04-03

Bug Fixes

  • Prepend URI prefix to user handle instead of requiring it to be supplied by implementers (4cbb6b8)
  • Stop pinning indexmap to version 1.6.1 in order to fix a circular dependency issue. It came transitively from reqwest which is now a dev-only dependency (102efee)

Testing

  • Verify that 'aud' claim is verified by acme server as part of the oidc challenge (60a7b60)
  • Verify integration with Google OIDC provider (32299e3)
  • Have sign in part submit the login form on the client side (1195c1b)

v0.3.2 - 2023-03-28

Features

  • Replace 'x509-parser' & 'rcgen' by 'x509-cert' from RustCrypto (39d56d5)
  • Hide jwe under a feature since unused for the moment. Helps getting rid of ring (4f25537)

Testing

  • Also test acme & e2e-identity crates in CI (678fd63)
  • More e2e tests of the oidc challenge (88cacda)

v0.3.1 - 2023-03-17

Features

  • Return DER encoded certificate instead of PEM (5c02e73)

Bug Fixes

  • Zeroize private signature key (a05a647)

Testing

  • More e2e tests for non-nominal cases (a11b581)

v0.3.0 - 2023-03-10

Features

  • Support qualified client id from wire clients with : as delimiter (aa1a6c7)
  • Test integration with OIDC provider and few protocol changes (081f0e4)

Bug Fixes

  • Haskell FFI 'get_error' returns a u8 instead of a raw pointer to a u8 (c213978)
  • Haskell test (#45) (74db200)
  • Haskell FFI tests (5810bc7)
  • Allow passing the userId as a string over Haskell FFI then convert it back into uuid bytes on Rust side (a68ed48)
  • Use the correct Result in Haskell FFI used as pointer to free the allocated access token (27cf40e)
  • Haskell FFI was not built because a dangling "haskell" feature remained (a82e68b)

v0.2.0 - 2023-02-10

Features

  • Test against our fork of stepca acme server (12f87bb)
  • Implement acme enrollment and end-to-end identity (17d9d33)
  • Expose verify-access command (b1a7403)
  • [breaking] Replace 'cnf.jkt' by 'cnf.kid' (523075f)
  • Uppercase Htm (70b874a)
  • Initial support for JWE (a40f94e)
  • Add structs for representing oidc verifiable credentials & presentations (29e838b)
  • Generate access token (bf3277a)
  • Implement access token generation (d1da12e)
  • Haskell FFI returns errors (558051d)
  • Implement DPoP claims (d0b254d)
  • Support P384 (3a52b4f)
  • Generating a dpop token works, even on WASM (2d0fb2f)
  • Adding stub for generating DPoP tokens [CL-82] (7b796a7)

Bug Fixes

  • QualifiedClientId parsing was incorrect regarding user & client (ca7e76d)
  • Return a c string from ffi (#13) (6370cd5)