Add EdDSA support to JWT login (fixes #258).

Signed-off-by: Jason Volk <jason@zemos.net>

src/api/client/session/jwt.rs

@@ -66,16 +66,19 @@ fn validate(config: &JwtConfig, token: &str) -> Result<Claim> {
 
 fn init_verifier(config: &JwtConfig) -> Result<DecodingKey> {
 	let key = &config.key;
-	let format = config.format.as_str();
+	let format = config.format.to_uppercase();
 
-	Ok(match format {
+	Ok(match format.as_str() {
 		| "HMAC" => DecodingKey::from_secret(key.as_bytes()),
 
 		| "HMACB64" => DecodingKey::from_base64_secret(key.as_str())
 			.map_err(|e| err!(Config("jwt.key", "JWT key is not valid base64: {e}")))?,
 
 		| "ECDSA" => DecodingKey::from_ec_pem(key.as_bytes())
-			.map_err(|e| err!(Config("jwt.key", "JWT key is not valid PEM: {e}")))?,
+			.map_err(|e| err!(Config("jwt.key", "JWT key is not valid ECDSA PEM: {e}")))?,
+
+		| "EDDSA" => DecodingKey::from_ed_pem(key.as_bytes())
+			.map_err(|e| err!(Config("jwt.key", "JWT key is not valid EDDSA PEM: {e}")))?,
 
 		| _ => return Err!(Config("jwt.format", "Key format {format:?} is not supported.")),
 	})

src/core/config/mod.rs

@@ -2422,6 +2422,7 @@ pub struct JwtConfig {
 	/// - HMAC is a plaintext shared-secret private-key.
 	/// - B64HMAC is a base64-encoded version of HMAC.
 	/// - ECDSA is a PEM-encoded public-key.
+	/// - EDDSA is a PEM-encoded Ed25519 public-key.
 	///
 	/// default: "HMAC"
 	#[serde(default = "default_jwt_format")]

tuwunel-example.toml

@@ -2064,6 +2064,7 @@
 # - HMAC is a plaintext shared-secret private-key.
 # - B64HMAC is a base64-encoded version of HMAC.
 # - ECDSA is a PEM-encoded public-key.
+# - EDDSA is a PEM-encoded Ed25519 public-key.
 #
 #format = "HMAC"