feat: make openssl optional, add RustCrypto RSA backend

.github/workflows/ci.yml

@@ -7,30 +7,46 @@ on:
 jobs:
   test:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        features:
+          - ""
+          - "rsa"
+          - "openssl"
+          - "rsa,openssl"
+          - "rsa,remote-jwks"
+          - "openssl,remote-jwks"
+          - "rsa,openssl,remote-jwks"
     steps:
-    - uses: actions/checkout@v2
-    - uses: actions-rs/toolchain@v1
+    - uses: actions/checkout@v4
+    - uses: dtolnay/rust-toolchain@stable
       with:
         toolchain: 1.85.0
-        default: true
-        profile: minimal
         components: rustfmt, clippy
 
-    - uses: actions-rs/toolchain@v1
-      with:
-        toolchain: nightly
-        profile: minimal
+    - name: cargo test (features=${{ matrix.features || 'none' }})
+      env:
+        RUSTFLAGS: -D warnings
+      run: cargo test --no-default-features --features "${{ matrix.features }}"
+
+    - name: cargo clippy (features=${{ matrix.features || 'none' }})
+      run: cargo clippy --no-default-features --features "${{ matrix.features }}" -- -D clippy::all
 
+  fmt:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: dtolnay/rust-toolchain@stable
+      with:
+        toolchain: 1.85.0
+        components: rustfmt
     - name: cargo fmt
       run: cargo fmt -- --check
 
-    - name: cargo test --benches
-      run: cargo +nightly test --benches && rm -r benches
-
-    - name: cargo test
-      env:
-        RUSTFLAGS: -D warnings
-      run: cargo test --all-targets
-
-    - name: cargo clippy
-      run: cargo clippy --all-targets -- -D clippy::all && cargo clippy --no-default-features --all-targets -- -D clippy::all
+  bench:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: dtolnay/rust-toolchain@nightly
+    - name: cargo test --benches (openssl)
+      run: cargo +nightly test --no-default-features --features openssl --benches

Cargo.toml

@@ -1,28 +1,38 @@
 [package]
 name = "jwtk"
-version = "0.4.0"
-edition = "2018"
+version = "0.5.0"
+edition = "2021"
 repository = "https://github.com/blckngm/jwtk"
 license = "MIT"
 description = "JWT signing (JWS) and verification, with first class JWK and JWK Set (JWKS) support."
 
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-
 [features]
-default = ["remote-jwks"]
-remote-jwks = ["reqwest", "tokio"]
+default = ["rsa", "remote-jwks"]
+rsa = ["dep:rsa_crt", "dep:signature", "dep:rand_core"]
+openssl = ["dep:openssl", "dep:openssl-sys", "dep:foreign-types"]
+remote-jwks = ["dep:reqwest", "dep:tokio"]
 
 [dependencies]
 base64 = "0.22.1"
-openssl = "0.10.64"
 serde = { version = "1.0.200", features = ["derive"] }
 serde_json = "1.0.116"
 smallvec = "1.13.2"
+serde_with = "3.1.0"
+sha2 = { version = "0.10", features = ["oid"] }
+
+# RSA (RustCrypto fallback when openssl is not enabled)
+rsa_crt = { package = "rsa", version = "0.9", optional = true, default-features = false, features = ["std", "getrandom"] }
+signature = { version = "2", optional = true }
+rand_core = { version = "0.6", features = ["std"], optional = true }
+
+# OpenSSL
+openssl = { version = "0.10.64", optional = true }
+openssl-sys = { version = "0.9.102", optional = true }
+foreign-types = { version = "0.3.2", optional = true }
+
+# Remote JWKS
 reqwest = { version = "0.12.4", features = ["json"], optional = true }
 tokio = { version = "1.37.0", features = ["sync"], optional = true }
-openssl-sys = "0.9.102"
-foreign-types = "0.3.2"
-serde_with = "3.1.0"
 
 [dev-dependencies]
 axum = "0.7"

README.md

@@ -1,22 +1,33 @@
 JWT signing (JWS) and verification, with first class JWK and JWK Set (JWKS)
 support.
 
-Supports almost all JWS algorithms:
+## Algorithms
 
-* HS256, HS384, HS512
-* Ed25519
-* ES256, ES384, ES512, ES256K
-* RS256, RS384, RS512
-* PS256, PS384, PS512
+* RS256, RS384, RS512, PS256, PS384, PS512 (feature: `rsa` or `openssl`)
+* HS256, HS384, HS512 (feature: `openssl`)
+* ES256, ES384, ES512, ES256K (feature: `openssl`)
+* Ed25519 (feature: `openssl`)
 
 Supports `exp` and `nbf` validations. (Other validations will not be supported,
 because they are mostly application specific and can be easily implemented by
 applications.)
 
-Supports converting public/private keys to/from PEM/JWK. Supports working with
-generic keys (where the algorithm is determined at runtime), i.e.
+Supports converting public/private keys to/from JWK. PEM support is available
+when the `openssl` feature is enabled. Supports working with generic keys
+(where the algorithm is determined at runtime), i.e.
 `SomePrivateKey`/`SomePublicKey`.
 
-Uses good old openssl for crypto.
+## Features
 
-See the `examples` folder for some examples.
+| Feature | Default | Description |
+|---------|---------|-------------|
+| `rsa` | Yes | RSA signing/verification via [RustCrypto](https://github.com/RustCrypto). No C dependencies. |
+| `openssl` | No | Full algorithm support (RSA, HMAC, ECDSA, EdDSA) via OpenSSL. When enabled, RSA uses OpenSSL instead of RustCrypto. |
+| `remote-jwks` | Yes | `RemoteJwksVerifier` for fetching and caching remote JWK Sets. |
+
+With the default features (`rsa` + `remote-jwks`), RS256 JWT verification
+works out of the box with no C dependencies.
+
+## Examples
+
+See the `examples` folder for usage examples.

benches/sig.rs

@@ -2,18 +2,15 @@
 
 use std::time::Duration;
 
-use jwtk::{
-    ecdsa::{EcdsaAlgorithm, EcdsaPrivateKey},
-    eddsa::Ed25519PrivateKey,
-    hmac::{HmacAlgorithm, HmacKey},
-    rsa::RsaPrivateKey,
-    HeaderAndClaims,
-};
+use jwtk::HeaderAndClaims;
 
 extern crate test;
 
+#[cfg(feature = "openssl")]
 #[bench]
 fn bench_sig_es256(b: &mut test::Bencher) {
+    use jwtk::ecdsa::{EcdsaAlgorithm, EcdsaPrivateKey};
+
     let k = EcdsaPrivateKey::generate(EcdsaAlgorithm::ES256).unwrap();
 
     b.iter(|| {
@@ -29,8 +26,11 @@ fn bench_sig_es256(b: &mut test::Bencher) {
     });
 }
 
+#[cfg(any(feature = "rsa", feature = "openssl"))]
 #[bench]
 fn bench_sig_rs256(b: &mut test::Bencher) {
+    use jwtk::rsa::RsaPrivateKey;
+
     let k = RsaPrivateKey::generate(2048, jwtk::rsa::RsaAlgorithm::RS256).unwrap();
 
     b.iter(|| {
@@ -46,8 +46,11 @@ fn bench_sig_rs256(b: &mut test::Bencher) {
     });
 }
 
+#[cfg(any(feature = "rsa", feature = "openssl"))]
 #[bench]
 fn bench_sig_ps256(b: &mut test::Bencher) {
+    use jwtk::rsa::RsaPrivateKey;
+
     let k = RsaPrivateKey::generate(2048, jwtk::rsa::RsaAlgorithm::PS256).unwrap();
 
     b.iter(|| {
@@ -63,8 +66,11 @@ fn bench_sig_ps256(b: &mut test::Bencher) {
     });
 }
 
+#[cfg(feature = "openssl")]
 #[bench]
 fn bench_sig_hs256(b: &mut test::Bencher) {
+    use jwtk::hmac::{HmacAlgorithm, HmacKey};
+
     let k = HmacKey::generate(HmacAlgorithm::HS256).unwrap();
 
     b.iter(|| {
@@ -80,8 +86,11 @@ fn bench_sig_hs256(b: &mut test::Bencher) {
     });
 }
 
+#[cfg(feature = "openssl")]
 #[bench]
 fn bench_sig_ed25519(b: &mut test::Bencher) {
+    use jwtk::eddsa::Ed25519PrivateKey;
+
     let k = Ed25519PrivateKey::generate().unwrap();
 
     b.iter(|| {

examples/jwks.rs

@@ -7,28 +7,34 @@
 //!
 //! Tokens will be issued at http://127.0.0.1:3000/token
 
+#[cfg(feature = "openssl")]
 use axum::{
     extract::State,
     response::{IntoResponse, Json},
     routing::get,
     Router,
 };
+#[cfg(feature = "openssl")]
 use jwtk::{
     jwk::{JwkSet, WithKid},
     rsa::RsaAlgorithm,
     sign, HeaderAndClaims, PublicKeyToJwk, SomePrivateKey,
 };
+#[cfg(feature = "openssl")]
 use std::{sync::Arc, time::Duration};
 
+#[cfg(feature = "openssl")]
 struct AppState {
     k: WithKid<SomePrivateKey>,
     jwks: JwkSet,
 }
 
+#[cfg(feature = "openssl")]
 async fn jwks_handler(state: State<Arc<AppState>>) -> impl IntoResponse {
     Json(&state.jwks).into_response()
 }
 
+#[cfg(feature = "openssl")]
 async fn token_handler(state: State<Arc<AppState>>) -> impl IntoResponse {
     let mut token = HeaderAndClaims::new_dynamic();
     token
@@ -43,6 +49,7 @@ async fn token_handler(state: State<Arc<AppState>>) -> impl IntoResponse {
     }))
 }
 
+#[cfg(feature = "openssl")]
 #[tokio::main]
 async fn main() -> jwtk::Result<()> {
     let k = std::fs::read("key.pem")?;
@@ -74,3 +81,8 @@ async fn main() -> jwtk::Result<()> {
 
     Ok(())
 }
+
+#[cfg(not(feature = "openssl"))]
+fn main() {
+    eprintln!("This example requires the 'openssl' feature");
+}

examples/signing_and_verification.rs

@@ -1,11 +1,12 @@
-use jwtk::{
-    ecdsa::{EcdsaAlgorithm, EcdsaPrivateKey, EcdsaPublicKey},
-    sign, verify, HeaderAndClaims,
-};
-use serde_json::{Map, Value};
-use std::time::Duration;
-
+#[cfg(feature = "openssl")]
 fn main() -> jwtk::Result<()> {
+    use jwtk::{
+        ecdsa::{EcdsaAlgorithm, EcdsaPrivateKey, EcdsaPublicKey},
+        sign, verify, HeaderAndClaims,
+    };
+    use serde_json::{Map, Value};
+    use std::time::Duration;
+
     let k = EcdsaPrivateKey::generate(EcdsaAlgorithm::ES256)?;
 
     let pem = k.public_key_to_pem()?;
@@ -26,3 +27,8 @@ fn main() -> jwtk::Result<()> {
 
     Ok(())
 }
+
+#[cfg(not(feature = "openssl"))]
+fn main() {
+    eprintln!("This example requires the 'openssl' feature");
+}