baseid_crypto/

jwt.rs

//! JWT (JSON Web Token) encode, decode, and verify.
//!
//! Provides compact JWT serialization used by JWT-VC and SD-JWT.

use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine as _};
use baseid_core::error::{CryptoError, SerializationError};
use baseid_core::types::SignatureAlgorithm;
use serde::{Deserialize, Serialize};
use serde_json::Value;

use crate::signer::{Signer, Verifier};

/// JWT header (JOSE header).
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct JwtHeader {
    /// Signature algorithm (e.g., "EdDSA", "ES256").
    pub alg: String,
    /// Token type (typically "JWT").
    #[serde(skip_serializing_if = "Option::is_none")]
    pub typ: Option<String>,
    /// Key ID.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub kid: Option<String>,
    /// Additional header parameters (for SD-JWT extensibility).
    #[serde(flatten)]
    pub additional: serde_json::Map<String, Value>,
}

/// Map a `SignatureAlgorithm` to its JWA string.
pub fn alg_to_str(alg: SignatureAlgorithm) -> &'static str {
    match alg {
        SignatureAlgorithm::EdDsa => "EdDSA",
        SignatureAlgorithm::Es256 => "ES256",
        SignatureAlgorithm::Es384 => "ES384",
        SignatureAlgorithm::Es256k => "ES256K",
        SignatureAlgorithm::BbsPlus => "BBS+",
    }
}

/// Map a JWA string to a `SignatureAlgorithm`.
pub fn str_to_alg(s: &str) -> baseid_core::Result<SignatureAlgorithm> {
    match s {
        "EdDSA" => Ok(SignatureAlgorithm::EdDsa),
        "ES256" => Ok(SignatureAlgorithm::Es256),
        "ES384" => Ok(SignatureAlgorithm::Es384),
        "ES256K" => Ok(SignatureAlgorithm::Es256k),
        _ => Err(CryptoError::UnsupportedAlgorithm.into()),
    }
}

/// Encode and sign a JWT, returning the compact serialization (`header.payload.signature`).
pub fn encode_jwt(
    header: &JwtHeader,
    claims: &Value,
    signer: &dyn Signer,
) -> baseid_core::Result<String> {
    let header_json = serde_json::to_vec(header).map_err(SerializationError::Json)?;
    let claims_json = serde_json::to_vec(claims).map_err(SerializationError::Json)?;

    let header_b64 = URL_SAFE_NO_PAD.encode(&header_json);
    let claims_b64 = URL_SAFE_NO_PAD.encode(&claims_json);

    let signing_input = format!("{header_b64}.{claims_b64}");
    let signature = signer.sign(signing_input.as_bytes())?;
    let sig_b64 = URL_SAFE_NO_PAD.encode(&signature);

    Ok(format!("{signing_input}.{sig_b64}"))
}

/// Decode a JWT without verifying the signature.
///
/// Returns the header and claims. Useful for inspecting tokens before
/// selecting the right verification key.
pub fn decode_jwt_unverified(jwt: &str) -> baseid_core::Result<(JwtHeader, Value)> {
    let parts: Vec<&str> = jwt.splitn(4, '.').collect();
    if parts.len() != 3 {
        return Err(CryptoError::VerificationFailed.into());
    }

    let header_bytes = URL_SAFE_NO_PAD
        .decode(parts[0])
        .map_err(|_| CryptoError::VerificationFailed)?;
    let claims_bytes = URL_SAFE_NO_PAD
        .decode(parts[1])
        .map_err(|_| CryptoError::VerificationFailed)?;

    let header: JwtHeader =
        serde_json::from_slice(&header_bytes).map_err(SerializationError::Json)?;
    let claims: Value = serde_json::from_slice(&claims_bytes).map_err(SerializationError::Json)?;

    Ok((header, claims))
}

/// Decode a JWT with signature verification.
///
/// Validates that the header `alg` matches the verifier's algorithm,
/// verifies the signature, then returns the header and claims.
pub fn decode_jwt(jwt: &str, verifier: &dyn Verifier) -> baseid_core::Result<(JwtHeader, Value)> {
    let parts: Vec<&str> = jwt.splitn(4, '.').collect();
    if parts.len() != 3 {
        return Err(CryptoError::VerificationFailed.into());
    }

    // Validate algorithm before verifying signature (prevents algorithm confusion)
    let header_bytes = URL_SAFE_NO_PAD
        .decode(parts[0])
        .map_err(|_| CryptoError::VerificationFailed)?;
    let header: JwtHeader =
        serde_json::from_slice(&header_bytes).map_err(SerializationError::Json)?;

    let expected_alg = alg_to_str(verifier.algorithm());
    if header.alg != expected_alg {
        return Err(CryptoError::VerificationFailed.into());
    }

    let signing_input = format!("{}.{}", parts[0], parts[1]);
    let signature = URL_SAFE_NO_PAD
        .decode(parts[2])
        .map_err(|_| CryptoError::VerificationFailed)?;

    let valid = verifier.verify(signing_input.as_bytes(), &signature)?;
    if !valid {
        return Err(CryptoError::VerificationFailed.into());
    }

    let claims_bytes = URL_SAFE_NO_PAD
        .decode(parts[1])
        .map_err(|_| CryptoError::VerificationFailed)?;
    let claims: Value = serde_json::from_slice(&claims_bytes).map_err(SerializationError::Json)?;

    Ok((header, claims))
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::key::KeyPair;
    use baseid_core::types::KeyType;

    fn roundtrip(key_type: KeyType) {
        let kp = KeyPair::generate(key_type).unwrap();
        let header = JwtHeader {
            alg: alg_to_str(kp.algorithm()).to_string(),
            typ: Some("JWT".to_string()),
            kid: Some("key-1".to_string()),
            additional: serde_json::Map::new(),
        };
        let claims = serde_json::json!({
            "sub": "did:key:z6Mk...",
            "iss": "did:key:z6Mk...",
            "exp": 9999999999u64,
        });

        let jwt = encode_jwt(&header, &claims, &kp).unwrap();
        let (decoded_header, decoded_claims) = decode_jwt(&jwt, &kp.public).unwrap();

        assert_eq!(decoded_header.alg, header.alg);
        assert_eq!(decoded_header.typ, header.typ);
        assert_eq!(decoded_header.kid, header.kid);
        assert_eq!(decoded_claims, claims);
    }

    #[test]
    fn roundtrip_ed25519() {
        roundtrip(KeyType::Ed25519);
    }

    #[test]
    fn roundtrip_p256() {
        roundtrip(KeyType::P256);
    }

    #[test]
    fn roundtrip_p384() {
        roundtrip(KeyType::P384);
    }

    #[test]
    fn roundtrip_secp256k1() {
        roundtrip(KeyType::Secp256k1);
    }

    #[test]
    fn unverified_decode() {
        let kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        let header = JwtHeader {
            alg: "EdDSA".to_string(),
            typ: Some("JWT".to_string()),
            kid: None,
            additional: serde_json::Map::new(),
        };
        let claims = serde_json::json!({"sub": "test"});
        let jwt = encode_jwt(&header, &claims, &kp).unwrap();

        let (h, c) = decode_jwt_unverified(&jwt).unwrap();
        assert_eq!(h.alg, "EdDSA");
        assert_eq!(c["sub"], "test");
    }

    #[test]
    fn wrong_key_rejected() {
        let kp1 = KeyPair::generate(KeyType::Ed25519).unwrap();
        let kp2 = KeyPair::generate(KeyType::Ed25519).unwrap();
        let header = JwtHeader {
            alg: "EdDSA".to_string(),
            typ: Some("JWT".to_string()),
            kid: None,
            additional: serde_json::Map::new(),
        };
        let claims = serde_json::json!({"sub": "test"});
        let jwt = encode_jwt(&header, &claims, &kp1).unwrap();

        let result = decode_jwt(&jwt, &kp2.public);
        assert!(result.is_err());
    }

    #[test]
    fn tampered_claims_rejected() {
        let kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        let header = JwtHeader {
            alg: "EdDSA".to_string(),
            typ: Some("JWT".to_string()),
            kid: None,
            additional: serde_json::Map::new(),
        };
        let claims = serde_json::json!({"sub": "test"});
        let jwt = encode_jwt(&header, &claims, &kp).unwrap();

        // Tamper with the claims part
        let parts: Vec<&str> = jwt.split('.').collect();
        let fake_claims = URL_SAFE_NO_PAD.encode(b"{\"sub\":\"hacked\"}");
        let tampered = format!("{}.{}.{}", parts[0], fake_claims, parts[2]);

        let result = decode_jwt(&tampered, &kp.public);
        assert!(result.is_err());
    }

    #[test]
    fn malformed_jwt_rejected() {
        let kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        assert!(decode_jwt("not-a-jwt", &kp.public).is_err());
        assert!(decode_jwt("a.b", &kp.public).is_err());
        assert!(decode_jwt("a.b.c.d", &kp.public).is_err());
        assert!(decode_jwt_unverified("single").is_err());
    }

    #[test]
    fn alg_string_roundtrip() {
        for alg in [
            SignatureAlgorithm::EdDsa,
            SignatureAlgorithm::Es256,
            SignatureAlgorithm::Es384,
            SignatureAlgorithm::Es256k,
        ] {
            let s = alg_to_str(alg);
            let back = str_to_alg(s).unwrap();
            assert_eq!(back, alg);
        }
    }

    #[test]
    fn unknown_alg_rejected() {
        assert!(str_to_alg("RS256").is_err());
    }

    #[test]
    fn algorithm_confusion_rejected() {
        // Sign with Ed25519 but try to verify with P-256 key
        // (even if signature somehow matched, the alg mismatch should reject)
        let ed_kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        let p256_kp = KeyPair::generate(KeyType::P256).unwrap();

        let header = JwtHeader {
            alg: "EdDSA".to_string(),
            typ: Some("JWT".to_string()),
            kid: None,
            additional: serde_json::Map::new(),
        };
        let claims = serde_json::json!({"sub": "test"});
        let jwt = encode_jwt(&header, &claims, &ed_kp).unwrap();

        // P-256 verifier expects ES256, but header says EdDSA → must reject
        let result = decode_jwt(&jwt, &p256_kp.public);
        assert!(result.is_err(), "Algorithm confusion should be rejected");
    }

    #[test]
    fn tampered_alg_header_rejected() {
        // Sign with Ed25519, tamper header to say ES256, verify with Ed25519 key
        let kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        let header = JwtHeader {
            alg: "ES256".to_string(), // WRONG: key is Ed25519
            typ: Some("JWT".to_string()),
            kid: None,
            additional: serde_json::Map::new(),
        };
        let claims = serde_json::json!({"sub": "test"});

        // encode_jwt will sign with Ed25519 regardless of header.alg
        let jwt = encode_jwt(&header, &claims, &kp).unwrap();

        // Ed25519 verifier expects EdDSA, but header says ES256 → must reject
        let result = decode_jwt(&jwt, &kp.public);
        assert!(result.is_err(), "Tampered alg header should be rejected");
    }

    // --- C1: Cross-library JWT interop with jsonwebtoken crate ---

    mod interop {
        use super::*;
        use base64::engine::general_purpose::URL_SAFE_NO_PAD;

        /// Sign a JWT with baseid-crypto, verify with jsonwebtoken.
        #[test]
        fn baseid_sign_jsonwebtoken_verify_ed25519() {
            let kp = KeyPair::generate(KeyType::Ed25519).unwrap();

            let header = JwtHeader {
                alg: "EdDSA".to_string(),
                typ: Some("JWT".to_string()),
                kid: None,
                additional: serde_json::Map::new(),
            };
            let claims = serde_json::json!({
                "sub": "user123",
                "iss": "baseid",
                "exp": 9999999999u64,
            });
            let jwt_str = encode_jwt(&header, &claims, &kp).unwrap();

            // Build jsonwebtoken DecodingKey from raw Ed25519 public key bytes
            let x_b64 = URL_SAFE_NO_PAD.encode(&kp.public.bytes);
            let dk = jsonwebtoken::DecodingKey::from_ed_components(&x_b64).unwrap();

            let mut validation = jsonwebtoken::Validation::new(jsonwebtoken::Algorithm::EdDSA);
            validation.set_required_spec_claims::<String>(&[]);
            validation.validate_exp = false;

            let token_data: jsonwebtoken::TokenData<serde_json::Value> =
                jsonwebtoken::decode(&jwt_str, &dk, &validation).unwrap();

            assert_eq!(token_data.claims["sub"], "user123");
            assert_eq!(token_data.claims["iss"], "baseid");
        }

        /// Sign a JWT with jsonwebtoken, verify with baseid-crypto.
        #[test]
        fn jsonwebtoken_sign_baseid_verify_ed25519() {
            let kp = KeyPair::generate(KeyType::Ed25519).unwrap();

            // Build jsonwebtoken EncodingKey from raw Ed25519 secret bytes (PKCS8 DER)
            let signing_key =
                ed25519_dalek::SigningKey::from_bytes(kp.secret_bytes().try_into().unwrap());
            let pkcs8_der = build_ed25519_pkcs8_der(&signing_key);
            let ek = jsonwebtoken::EncodingKey::from_ed_der(&pkcs8_der);

            let jw_header = jsonwebtoken::Header::new(jsonwebtoken::Algorithm::EdDSA);
            let claims = serde_json::json!({
                "sub": "from_jsonwebtoken",
                "iss": "external",
                "exp": 9999999999u64,
            });
            let jwt_str = jsonwebtoken::encode(&jw_header, &claims, &ek).unwrap();

            // Verify with baseid-crypto
            let (decoded_header, decoded_claims) = decode_jwt(&jwt_str, &kp.public).unwrap();
            assert_eq!(decoded_header.alg, "EdDSA");
            assert_eq!(decoded_claims["sub"], "from_jsonwebtoken");
            assert_eq!(decoded_claims["iss"], "external");
        }

        /// Sign with baseid-crypto ES256, verify with jsonwebtoken.
        #[test]
        fn baseid_sign_jsonwebtoken_verify_p256() {
            let kp = KeyPair::generate(KeyType::P256).unwrap();

            let header = JwtHeader {
                alg: "ES256".to_string(),
                typ: Some("JWT".to_string()),
                kid: None,
                additional: serde_json::Map::new(),
            };
            let claims = serde_json::json!({"sub": "p256_test", "exp": 9999999999u64});
            let jwt_str = encode_jwt(&header, &claims, &kp).unwrap();

            // Decompress P-256 public key to get x,y coordinates
            let (x, y) = decompress_p256(&kp.public.bytes);
            let x_b64 = URL_SAFE_NO_PAD.encode(&x);
            let y_b64 = URL_SAFE_NO_PAD.encode(&y);

            let dk = jsonwebtoken::DecodingKey::from_ec_components(&x_b64, &y_b64).unwrap();
            let mut validation = jsonwebtoken::Validation::new(jsonwebtoken::Algorithm::ES256);
            validation.set_required_spec_claims::<String>(&[]);
            validation.validate_exp = false;

            let token_data: jsonwebtoken::TokenData<serde_json::Value> =
                jsonwebtoken::decode(&jwt_str, &dk, &validation).unwrap();
            assert_eq!(token_data.claims["sub"], "p256_test");
        }

        /// Sign with baseid-crypto ES384, verify with jsonwebtoken.
        #[test]
        fn baseid_sign_jsonwebtoken_verify_p384() {
            let kp = KeyPair::generate(KeyType::P384).unwrap();

            let header = JwtHeader {
                alg: "ES384".to_string(),
                typ: Some("JWT".to_string()),
                kid: None,
                additional: serde_json::Map::new(),
            };
            let claims = serde_json::json!({"sub": "p384_test", "exp": 9999999999u64});
            let jwt_str = encode_jwt(&header, &claims, &kp).unwrap();

            let (x, y) = decompress_p384(&kp.public.bytes);
            let x_b64 = URL_SAFE_NO_PAD.encode(&x);
            let y_b64 = URL_SAFE_NO_PAD.encode(&y);

            let dk = jsonwebtoken::DecodingKey::from_ec_components(&x_b64, &y_b64).unwrap();
            let mut validation = jsonwebtoken::Validation::new(jsonwebtoken::Algorithm::ES384);
            validation.set_required_spec_claims::<String>(&[]);
            validation.validate_exp = false;

            let token_data: jsonwebtoken::TokenData<serde_json::Value> =
                jsonwebtoken::decode(&jwt_str, &dk, &validation).unwrap();
            assert_eq!(token_data.claims["sub"], "p384_test");
        }

        /// Build a minimal PKCS#8 DER encoding for an Ed25519 private key.
        /// PKCS#8 wraps the 32-byte seed in an ASN.1 structure.
        fn build_ed25519_pkcs8_der(signing_key: &ed25519_dalek::SigningKey) -> Vec<u8> {
            // PKCS#8 for Ed25519: SEQUENCE { version, algorithm, key }
            // algorithm = SEQUENCE { OID 1.3.101.112 }
            // key = OCTET STRING containing OCTET STRING of 32-byte seed
            let seed = signing_key.to_bytes();
            let mut der = Vec::new();
            // Outer SEQUENCE
            der.push(0x30);
            der.push(0x2e); // length = 46
                            // Version INTEGER 0
            der.extend_from_slice(&[0x02, 0x01, 0x00]);
            // Algorithm SEQUENCE { OID }
            der.extend_from_slice(&[0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70]);
            // PrivateKey OCTET STRING wrapping OCTET STRING
            der.push(0x04); // outer OCTET STRING
            der.push(0x22); // length = 34
            der.push(0x04); // inner OCTET STRING
            der.push(0x20); // length = 32
            der.extend_from_slice(&seed);
            der
        }

        /// Decompress a P-256 compressed public key to (x, y).
        fn decompress_p256(compressed: &[u8]) -> (Vec<u8>, Vec<u8>) {
            use p256::elliptic_curve::sec1::{FromEncodedPoint, ToEncodedPoint};
            let point = p256::EncodedPoint::from_bytes(compressed).unwrap();
            let affine = p256::AffinePoint::from_encoded_point(&point).unwrap();
            let uncompressed = affine.to_encoded_point(false);
            (
                uncompressed.x().unwrap().to_vec(),
                uncompressed.y().unwrap().to_vec(),
            )
        }

        /// Decompress a P-384 compressed public key to (x, y).
        fn decompress_p384(compressed: &[u8]) -> (Vec<u8>, Vec<u8>) {
            use p384::elliptic_curve::sec1::{FromEncodedPoint, ToEncodedPoint};
            let point = p384::EncodedPoint::from_bytes(compressed).unwrap();
            let affine = p384::AffinePoint::from_encoded_point(&point).unwrap();
            let uncompressed = affine.to_encoded_point(false);
            (
                uncompressed.x().unwrap().to_vec(),
                uncompressed.y().unwrap().to_vec(),
            )
        }
    }
}