wireapp · battermann · Sep 28, 2022 · Aug 24, 2022 · Aug 25, 2022 · Aug 25, 2022
@@ -19,7 +19,7 @@ RUN cd /tmp && \
     git checkout 6370cd556f03f6834d0b8043615ffaf0044ef1fa && \
     git rev-parse HEAD
 
-RUN cd /tmp/rusty-jwt-tools && cargo build --release --target x86_64-unknown-linux-gnu
+RUN cd /tmp/rusty-jwt-tools && cargo build --features haskell --release --target x86_64-unknown-linux-gnu
 
 FROM ${prebuilder}
 

@@ -29,7 +29,7 @@ RUN cd /tmp && \
     git checkout 6370cd556f03f6834d0b8043615ffaf0044ef1fa && \
     git rev-parse HEAD
 
-RUN cd /tmp/rusty-jwt-tools && cargo build --release --target x86_64-unknown-linux-gnu
+RUN cd /tmp/rusty-jwt-tools && cargo build --features haskell --release --target x86_64-unknown-linux-gnu
 
 
 # Minimal dependencies for ubuntu-compiled, dynamically linked wire-server Haskell services

@@ -16,6 +16,7 @@ packages:
   , libs/gundeck-types/
   , libs/hscim/
   , libs/imports/
+  , libs/jwt-tools/
   , libs/metrics-core/
   , libs/metrics-wai/
   , libs/polysemy-wire-zoo/
@@ -219,6 +220,8 @@ package hscim
     ghc-options: -Werror
 package imports
     ghc-options: -Werror
+package jwt-tools
+    ghc-options: -Werror
 package metrics-core
     ghc-options: -Werror
 package metrics-wai

@@ -0,0 +1 @@
+Skeleton implementation of new endpoint for JWT DPoP access token generation (#2652, #2686)
@@ -287,5 +287,14 @@ data:
       {{- if .setNonceTtlSecs }}
       setNonceTtlSecs: {{ .setNonceTtlSecs }}
       {{- end }}
+      {{- if .setDpopMaxSkewSecs }}
+      setDpopMaxSkewSecs: {{ .setDpopMaxSkewSecs }}
+      {{- end }}
+      {{- if .setDpopTokenExpirationTimeSecs }}
+      setDpopTokenExpirationTimeSecs: {{ .setDpopTokenExpirationTimeSecs }}
+      {{- end }}
+      {{- if $.Values.secrets.dpopSigKeyBundle }}
+      setPublicKeyBundle: /etc/wire/brig/secrets/dpop_sig_key_bundle.pem
+      {{- end }}
     {{- end }}
   {{- end }}
@@ -25,4 +25,8 @@ data:
   {{- if (not $.Values.config.useSES) }}
   smtp-password.txt: {{ .smtpPassword | b64enc | quote }}
   {{- end }}
+  {{- if .dpopSigKeyBundle }}
+  dpop_sig_key_bundle.pem: {{ .dpopSigKeyBundle | b64enc | quote }}
   {{- end }}
+  {{- end }}
+
@@ -85,6 +85,8 @@ config:
     #   - example.com
     set2FACodeGenerationDelaySecs: 300 # 5 minutes
     setNonceTtlSecs: 300 # 5 minutes
+    setDpopMaxSkewSecs: 1
+    setDpopTokenExpirationTimeSecs: 300 # 5 minutes
   smtp:
     passwordFile: /etc/wire/brig/secrets/smtp-password.txt
   proxy: {}

@@ -484,9 +484,6 @@ nginx_conf:
     - path: /mls/public-keys
       envs:
       - all
-    - path: /nonce/clients
-      envs:
-      - all
     gundeck:
     - path: /push/api-docs$
       envs:

@@ -116,6 +116,8 @@ optSettings:
   setEmailVisibility: visible_to_self
   setFederationDomain: example.com
   setNonceTtlSecs: 300 # 5 minutes
+  setDpopMaxSkewSecs: 1
+  setDpopTokenExpirationTimeSecs: 300 # 5 minutes
 
 logLevel: Debug
 logNetStrings: false
@@ -117,6 +117,9 @@ optSettings:
   setEmailVisibility: visible_to_self
   setFederationDomain: example.com
   setNonceTtlSecs: 300 # 5 minutes
+  setDpopMaxSkewSecs: 1
+  setDpopTokenExpirationTimeSecs: 300 # 5 minutes
+  setPublicKeyBundle: conf/jwt/ed25519_bundle.pem
 
 logLevel: Debug
 logNetStrings: false
@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIFANnxZLNE4p+GDzWzR3wm/v8x/0bxZYkCyke1aTRucX
+-----END PRIVATE KEY-----
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEACPvhIdimF20tOPjbb+fXJrwS2RKDp7686T90AZ0+Th8=
+-----END PUBLIC KEY-----
@@ -286,11 +286,6 @@ http {
         proxy_pass http://brig;
     }
 
-    location /nonce/clients {
-      include common_response_with_zauth.conf;
-      proxy_pass http://brig;
-    }    
-
     # Cargohold Endpoints
 
     rewrite ^/api-docs/assets  /assets/api-docs?base_url=http://127.0.0.1:8080/ break;

@@ -83,6 +83,8 @@ brig:
           search_policy: full_search
       set2FACodeGenerationDelaySecs: 5
       setNonceTtlSecs: 300
+      setDpopMaxSkewSecs: 1
+      setDpopTokenExpirationTimeSecs: 300
     aws:
       sesEndpoint: http://fake-aws-ses:4569
       sqsEndpoint: http://fake-aws-sqs:4568
@@ -111,6 +113,13 @@ brig:
       key: "dummy"
       secret: "dummy"
     smtpPassword: dummy-smtp-password
+    dpopSigKeyBundle: |
+      -----BEGIN PRIVATE KEY-----
+      MC4CAQAwBQYDK2VwBCIEIFANnxZLNE4p+GDzWzR3wm/v8x/0bxZYkCyke1aTRucX
+      -----END PRIVATE KEY-----
+      -----BEGIN PUBLIC KEY-----
+      MCowBQYDK2VwAyEACPvhIdimF20tOPjbb+fXJrwS2RKDp7686T90AZ0+Th8=
+      -----END PUBLIC KEY-----
   tests:
     enableFederationTests: true
 cannon:
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Skeleton implementation of new endpoint for JWT DPoP access token generation (#2652, #2686)