JWT issuer validation

CMakeLists.txt

@@ -1022,6 +1022,12 @@ if(BUILD_TESTS)
     )
     target_link_libraries(endpoint_registry_test PRIVATE ccf_endpoints.host)
 
+    add_unit_test(
+      jwt_auth_test
+      ${CMAKE_CURRENT_SOURCE_DIR}/src/endpoints/test/test_jwt_auth.cpp
+    )
+    target_link_libraries(jwt_auth_test PRIVATE ccf_endpoints.host)
+
     add_unit_test(
       tx_status_test
       ${CMAKE_CURRENT_SOURCE_DIR}/src/node/rpc/test/tx_status_test.cpp

doc/audit/builtin_maps.rst

@@ -366,7 +366,7 @@ JWT issuers.
 ``jwt.public_signing_keys``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-JWT signing keys.
+JWT signing keys, used until 5.0.
 
 **Key** JWT Key ID, represented as a string.
 
@@ -375,12 +375,21 @@ JWT signing keys.
 ``jwt.public_signing_key_issuer``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-JWT signing key to Issuer mapping.
+JWT signing key to Issuer mapping, used until 5.0.
 
 **Key** JWT Key ID, represented as a string.
 
 **Value** JWT issuer URL, represented as a string.
 
+``jwt.public_signing_keys_metadata``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+JWT signing keys.
+
+**Key** JWT Key ID, represented as a string.
+
+**Value** List of (DER-encoded key/certificate, issuer, constraint) used to validate the Issuer during authorization, represented as JSON.
+
 ``constitution``
 ~~~~~~~~~~~~~~~~
 

doc/schemas/gov_openapi.json

@@ -409,6 +409,36 @@
         ],
         "type": "object"
       },
+      "KeyIdInfo_array": {
+        "items": {
+          "$ref": "#/components/schemas/KeyIdInfo"
+        },
+        "type": "array"
+      },
+      "OpenIDJWKMetadata": {
+        "properties": {
+          "cert": {
+            "$ref": "#/components/schemas/base64string"
+          },
+          "constraint": {
+            "$ref": "#/components/schemas/string"
+          },
+          "issuer": {
+            "$ref": "#/components/schemas/string"
+          }
+        },
+        "required": [
+          "cert",
+          "issuer"
+        ],
+        "type": "object"
+      },
+      "OpenIDJWKMetadata_array": {
+        "items": {
+          "$ref": "#/components/schemas/OpenIDJWKMetadata"
+        },
+        "type": "array"
+      },
       "MDType": {
         "enum": [
           "NONE",
@@ -1262,9 +1292,15 @@
         },
         "type": "object"
       },
-      "string_to_KeyIdInfo": {
+      "string_to_KeyIdInfo_array": {
         "additionalProperties": {
-          "$ref": "#/components/schemas/KeyIdInfo"
+          "$ref": "#/components/schemas/KeyIdInfo_array"
+        },
+        "type": "object"
+      },
+      "string_to_OpenIDJWKMetadata_array": {
+        "additionalProperties": {
+          "$ref": "#/components/schemas/OpenIDJWKMetadata_array"
         },
         "type": "object"
       },
@@ -1335,7 +1371,7 @@
   "info": {
     "description": "This API is used to submit and query proposals which affect CCF's public governance tables.",
     "title": "CCF Governance API",
-    "version": "4.1.6"
+    "version": "4.1.7"
   },
   "openapi": "3.0.0",
   "paths": {
@@ -1552,7 +1588,7 @@
             "content": {
               "application/json": {
                 "schema": {
-                  "$ref": "#/components/schemas/string_to_KeyIdInfo"
+                  "$ref": "#/components/schemas/string_to_KeyIdInfo_array"
                 }
               }
             },
@@ -1562,7 +1598,7 @@
             "$ref": "#/components/responses/default"
           }
         },
-        "summary": "This endpoint is deprecated. It is replaced by /gov/kv/jwt/public_signing_keys, /gov/kv/jwt/public_signing_key_issue, and /gov/kv/jwt/issuers endpoints.",
+        "summary": "This endpoint is deprecated. It is replaced by /gov/kv/jwt/public_signing_keys_metadata and /gov/kv/jwt/issuers endpoints.",
         "x-ccf-forwarding": {
           "$ref": "#/components/x-ccf-forwarding/always"
         }
@@ -1744,6 +1780,28 @@
         }
       }
     },
+    "/gov/kv/jwt/public_signing_key": {
+      "get": {
+        "responses": {
+          "200": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/string_to_base64string"
+                }
+              }
+            },
+            "description": "Default response description"
+          },
+          "default": {
+            "$ref": "#/components/responses/default"
+          }
+        },
+        "x-ccf-forwarding": {
+          "$ref": "#/components/x-ccf-forwarding/sometimes"
+        }
+      }
+    },
     "/gov/kv/jwt/public_signing_key_issuer": {
       "get": {
         "responses": {
@@ -1766,14 +1824,14 @@
         }
       }
     },
-    "/gov/kv/jwt/public_signing_keys": {
+    "/gov/kv/jwt/public_signing_keys_metadata": {
       "get": {
         "responses": {
           "200": {
             "content": {
               "application/json": {
                 "schema": {
-                  "$ref": "#/components/schemas/string_to_base64string"
+                  "$ref": "#/components/schemas/string_to_OpenIDJWKMetadata_array"
                 }
               }
             },

include/ccf/common_auth_policies.h

@@ -32,8 +32,7 @@ namespace ccf
     std::make_shared<MemberCertAuthnPolicy>();
 
   /** Authenticate using JWT, validating the token using the
-   * @c public:ccf.gov.jwt.public_signing_key_issuer and
-   * @c public:ccf.gov.jwt.public_signing_keys tables */
+   * @c public:ccf.gov.jwt.public_signing_keys_metadata table */
   static std::shared_ptr<JwtAuthnPolicy> jwt_auth_policy =
     std::make_shared<JwtAuthnPolicy>();
 

include/ccf/crypto/jwk.h

@@ -27,12 +27,13 @@ namespace crypto
     JsonWebKeyType kty;
     std::optional<std::string> kid = std::nullopt;
     std::optional<std::vector<std::string>> x5c = std::nullopt;
+    std::optional<std::string> issuer = std::nullopt;
 
     bool operator==(const JsonWebKey&) const = default;
   };
   DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS(JsonWebKey);
   DECLARE_JSON_REQUIRED_FIELDS(JsonWebKey, kty);
-  DECLARE_JSON_OPTIONAL_FIELDS(JsonWebKey, kid, x5c);
+  DECLARE_JSON_OPTIONAL_FIELDS(JsonWebKey, kid, x5c, issuer);
 
   enum class JsonWebKeyECCurve
   {

include/ccf/endpoints/authentication/jwt_auth.h

@@ -19,6 +19,11 @@ namespace ccf
 
   struct VerifiersCache;
 
+  bool validate_issuer(
+    const std::string& iss,
+    const std::optional<std::string>& tid,
+    std::string constraint);
+
   class JwtAuthnPolicy : public AuthnPolicy
   {
   protected:

include/ccf/service/tables/jwt.h

@@ -58,18 +58,38 @@ namespace ccf
   using JwtKeyId = std::string;
   using Cert = std::vector<uint8_t>;
 
+  struct OpenIDJWKMetadata
+  {
+    Cert cert;
+    JwtIssuer issuer;
+    std::optional<JwtIssuer> constraint;
+  };
+  DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS(OpenIDJWKMetadata);
+  DECLARE_JSON_REQUIRED_FIELDS(OpenIDJWKMetadata, cert, issuer);
+  DECLARE_JSON_OPTIONAL_FIELDS(OpenIDJWKMetadata, constraint);
+
   using JwtIssuers = ServiceMap<JwtIssuer, JwtIssuerMetadata>;
-  using JwtPublicSigningKeys = kv::RawCopySerialisedMap<JwtKeyId, Cert>;
-  using JwtPublicSigningKeyIssuer =
-    kv::RawCopySerialisedMap<JwtKeyId, JwtIssuer>;
+  using JwtPublicSigningKeys =
+    ServiceMap<JwtKeyId, std::vector<OpenIDJWKMetadata>>;
 
   namespace Tables
   {
     static constexpr auto JWT_ISSUERS = "public:ccf.gov.jwt.issuers";
-    static constexpr auto JWT_PUBLIC_SIGNING_KEYS =
-      "public:ccf.gov.jwt.public_signing_keys";
-    static constexpr auto JWT_PUBLIC_SIGNING_KEY_ISSUER =
-      "public:ccf.gov.jwt.public_signing_key_issuer";
+
+    static constexpr auto JWT_PUBLIC_SIGNING_KEYS_METADATA =
+      "public:ccf.gov.jwt.public_signing_keys_metadata";
+
+    namespace Legacy
+    {
+      static constexpr auto JWT_PUBLIC_SIGNING_KEYS =
+        "public:ccf.gov.jwt.public_signing_key";
+      static constexpr auto JWT_PUBLIC_SIGNING_KEY_ISSUER =
+        "public:ccf.gov.jwt.public_signing_key_issuer";
+
+      using JwtPublicSigningKeys = kv::RawCopySerialisedMap<JwtKeyId, Cert>;
+      using JwtPublicSigningKeyIssuer =
+        kv::RawCopySerialisedMap<JwtKeyId, JwtIssuer>;
+    }
   }
 
   struct JsonWebKeySet