From 6f4b394265b98c76979dfc0529bfe1877b35f99f Mon Sep 17 00:00:00 2001
From: Leif Battermann
Date: Thu, 2 May 2024 14:07:38 +0000
Subject: [PATCH 1/5] upgrade rusty-jwt-tools

---
 libs/jwt-tools/default.nix                    |  9 +--
 libs/jwt-tools/jwt-tools.cabal                |  4 +-
 libs/jwt-tools/test/Spec.hs                   | 57 +++++++------------
 nix/pkgs/rusty_jwt_tools_ffi/default.nix      | 11 ++--
 services/brig/brig.integration.yaml           |  2 +-
 .../brig/test/integration/API/User/Client.hs  | 26 ++++++++-
 .../jwt/ecdsa_secp256r1_sha256_key.pem        |  5 ++
 .../{ed25519_bundle.pem => ed25519_key.pem}   |  3 -
 8 files changed, 60 insertions(+), 57 deletions(-)
 create mode 100644 services/brig/test/resources/jwt/ecdsa_secp256r1_sha256_key.pem
 rename services/brig/test/resources/jwt/{ed25519_bundle.pem => ed25519_key.pem} (51%)

diff --git a/libs/jwt-tools/default.nix b/libs/jwt-tools/default.nix
index 1314bde5186..26a5f5f455d 100644
--- a/libs/jwt-tools/default.nix
+++ b/libs/jwt-tools/default.nix
@@ -4,7 +4,6 @@
 # dependencies are added or removed.
 { mkDerivation
 , base
-, bytestring
 , bytestring-conversion
 , gitignoreSource
 , hspec
@@ -29,13 +28,7 @@ mkDerivation {
     utf8-string
   ];
   librarySystemDepends = [ rusty_jwt_tools_ffi ];
-  testHaskellDepends = [
-    bytestring
-    hspec
-    imports
-    string-conversions
-    transformers
-  ];
+  testHaskellDepends = [ hspec imports string-conversions ];
   description = "FFI to rusty-jwt-tools";
   license = lib.licenses.agpl3Only;
 }
diff --git a/libs/jwt-tools/jwt-tools.cabal b/libs/jwt-tools/jwt-tools.cabal
index e2f12a9b352..4cc7800ef9d 100644
--- a/libs/jwt-tools/jwt-tools.cabal
+++ b/libs/jwt-tools/jwt-tools.cabal
@@ -80,12 +80,10 @@ test-suite jwt-tools-tests
   main-is: Spec.hs
   type: exitcode-stdio-1.0
   build-depends:
-    bytestring
-    , hspec
+    hspec
     , imports
     , jwt-tools
     , string-conversions
-    , transformers
 
   hs-source-dirs: test
   default-language: GHC2021
diff --git a/libs/jwt-tools/test/Spec.hs b/libs/jwt-tools/test/Spec.hs
index 664c18d3874..6a5a2474f8d 100644
--- a/libs/jwt-tools/test/Spec.hs
+++ b/libs/jwt-tools/test/Spec.hs
@@ -15,8 +15,6 @@
 -- You should have received a copy of the GNU Affero General Public License along
 -- with this program. If not, see .
 
-import Control.Monad.Trans.Except
-import Data.ByteString.Char8 (split)
 import Data.Jwt.Tools
 import Data.String.Conversions
 import Imports
@@ -24,18 +22,6 @@ import Test.Hspec
 
 main :: IO ()
 main = hspec $ do
-  describe "generateDpopToken FFI when passing valid inputs" $ do
-    it "should return an access token with the correct header" $ do
-      actual <- runExceptT $ generateDpopToken proof uid cid handle displayName tid domain nonce uri method maxSkewSecs expires now pem
-      -- The actual payload of the DPoP token is not deterministic as it depends on the current time.
-      -- We therefore only check the header, because if the header is correct, it means the token creation was successful.s
-      let expectedHeader = "eyJhbGciOiJFZERTQSIsInR5cCI6ImF0K2p3dCIsImp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6ImRZSTM4VWR4a3NDMEs0UXg2RTlKSzlZZkdtLWVoblkxOG9LbUhMMllzWmsifX0"
-      let actualHeader = either (const "") (head . split '.') actual
-      actualHeader `shouldBe` expectedHeader
-  describe "generateDpopToken FFI when passing a wrong nonce value" $ do
-    it "should return BackendNonceMismatchError" $ do
-      actual <- runExceptT $ generateDpopToken proof uid cid handle displayName tid domain (Nonce "foobar") uri method maxSkewSecs expires now pem
-      actual `shouldBe` Left BackendNonceMismatchError
   describe "toResult" $ do
     it "should convert to correct error" $ do
       toResult Nothing (Just token) `shouldBe` Right (cs token)
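Review bot: The two `describe "generateDpopToken FFI ..."` groups dropped in the `@@ -24,18 +22,6 @@` hunk were the only unit tests that called through the FFI, so after this change `generateDpopToken` is covered only by brig's integration test and a regression in the upgraded library (a wrong-nonce proof no longer yielding `BackendNonceMismatchError`, for instance) would pass `jwt-tools-tests`. If the old fixtures simply no longer verify against the new rusty-jwt-tools, recording the gap is better than silently deleting it: `it "should return BackendNonceMismatchError" $ pendingWith "fixtures must be regenerated for the upgraded rusty-jwt-tools"` keeps the case visible in the test report. The nonce-mismatch check is also the cheaper one to reinstate, since it does not depend on the current time the way the header check did. `main` continues outside the hunk.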
@@ -103,25 +89,26 @@ main = hspec $ do toResult Nothing Nothing `shouldBe` Left UnknownError where token = "" - proof = Proof "eyJhbGciOiJFZERTQSIsImp3ayI6eyJjcnYiOiJFZDI1NTE5Iiwia3R5IjoiT0tQIiwieCI6Im5MSkdOLU9hNkpzcTNLY2xaZ2dMbDdVdkFWZG1CMFE2QzNONUJDZ3BoSHcifSwidHlwIjoiZHBvcCtqd3QifQ.eyJhdWQiOiJodHRwczovL3dpcmUuY29tL2FjbWUvY2hhbGxlbmdlL2FiY2QiLCJjaGFsIjoid2EyVnJrQ3RXMXNhdUoyRDN1S1k4cmM3eTRrbDR1c0giLCJleHAiOjE3Mzk4ODA2NzQsImhhbmRsZSI6IndpcmVhcHA6Ly8lNDB5d2Z5ZG5pZ2Jud2h1b3pldGphZ3FAZXhhbXBsZS5jb20iLCJodG0iOiJQT1NUIiwiaHR1IjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9jbGllbnRzL2NjNmU2NDBlMjk2ZThiYmEvYWNjZXNzLXRva2VuIiwiaWF0IjoxNzA4MzQ0Njc0LCJqdGkiOiI2ZmM1OWU3Zi1iNjY2LTRmZmMtYjczOC00ZjQ3NjBjODg0Y2EiLCJuYW1lIjoi5reB4qqu5KSq5rK255Kh4bKV6re14Y2q6omE6Jy16Iu17ICV54Kb66-v56qp5KqW766M6bGw6oOy6b6m57m15pWJ4LqH54et6rOj54KHIiwibmJmIjoxNzA4MzQ0Njc0LCJub25jZSI6IllWZ2dHdWlTUTZlamhQNTNFX0tPS3ciLCJzdWIiOiJ3aXJlYXBwOi8vSWZ0VzBLeFVSb2F1QWVockRremJiQSFjYzZlNjQwZTI5NmU4YmJhQGV4YW1wbGUuY29tIiwidGVhbSI6ImMxNTE5NzVlLWIxOTMtNDAwOS1hM2QyLTc0N2M5NjFmMjMzMyJ9.SHxpMzOe2yC3y6DP7lEH0l7_eOKrUZZI0OjgtnCKjO4OBD0XqKOi0y_z07-7FWc-KtThlsaZatnBNTB67GhQBw" - uid = UserId "21fb56d0-ac54-4686-ae01-e86b0e4cdb6c" - nonce = Nonce "YVggGuiSQ6ejhP53E_KOKw" - expires = ExpiryEpoch 1739967074 - handle = Handle "ywfydnigbnwhuozetjagq" - displayName = DisplayName "\230\183\129\226\170\174\228\164\170\230\178\182\231\146\161\225\178\149\234\183\181\225\141\170\234\137\132\232\156\181\232\139\181\236\128\149\231\130\155\235\175\175\231\170\169\228\170\150\239\174\140\233\177\176\234\131\178\233\190\166\231\185\181\230\149\137\224\186\135\231\135\173\234\179\163\231\130\135" - tid = TeamId "c151975e-b193-4009-a3d2-747c961f2333" - now = NowEpoch 1704982162 - cid = ClientId 14730821443162901434 - domain = Domain "example.com" - uri = Uri "https://example.com/clients/cc6e640e296e8bba/access-token" - method = POST - maxSkewSecs = MaxSkewSecs 1 - pem = - PemBundle $ - "-----BEGIN PRIVATE KEY-----\n\ - 
\MC4CAQAwBQYDK2VwBCIEIMkvahkqR9sHJSmFeCl3B7aJjsQGgwy++cccWTbuDyy+\n\ - \-----END PRIVATE KEY-----\n\ - \-----BEGIN PUBLIC KEY-----\n\ - \MCowBQYDK2VwAyEAdYI38UdxksC0K4Qx6E9JK9YfGm+ehnY18oKmHL2YsZk=\n\ - \-----END PUBLIC KEY-----\n" +-- tid = TeamId "1c92362d-620c-4ec3-b240-664d37037ea1" +-- proof = Proof "eyJhbGciOiJFUzI1NiIsImp3ayI6eyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2Iiwia3R5IjoiRUMiLCJ4IjoiaGNZamxvTm9keUNMRl9yUWRfSElzelNwYTJKLXZ6cmdudG5lQUpXNXBBOCIsInkiOiI2TVh4bkhxMUZtQVdDYzZBN1lWYWx4dmVraWNCdjUzQVJUUU8zNW1SS0o4In0sInR5cCI6ImRwb3Arand0In0.eyJhdWQiOiJodHRwczovL3dpcmUuY29tL2FjbWUvY2hhbGxlbmdlL2FiY2QiLCJjaGFsIjoid2EyVnJrQ3RXMXNhdUoyRDN1S1k4cmM3eTRrbDR1c0giLCJleHAiOjE3MTQ2NTgxMTIsImhhbmRsZSI6IndpcmVhcHA6Ly8lNDBndWhrdHhncHlpcnhncHZlY2pxeHhAZXhhbXBsZS5jb20iLCJodG0iOiJQT1NUIiwiaHR1IjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9jbGllbnRzL2NjNmU2NDBlMjk2ZThiYmEvYWNjZXNzLXRva2VuIiwiaWF0IjoxNzE0NjU4MTAyLCJqdGkiOiI2ZmM1OWU3Zi1iNjY2LTRmZmMtYjczOC00ZjQ3NjBjODg0Y2EiLCJuYW1lIjoi54SQ6Jy967aH6Lic6rSb7IyE5K-s5qmp6KSy7Luc4bKe5oKd5bWU5Yq5776s4Zuq6pe15a-05LeF45aY7Yim1KDrgbDrsrDgoIDlmKrlhYHrkbrkvqDhvI3ompnro6bjgJDth4Xkt7DtjprsqaLkv6fnvYPZpuy2nOy3le-xt-KKhe2Cj-yOueq2g-eVu-y2p-WMpOGenuq-nOe5qO-wsuOWouOrkuyrreqQsuycvOqqruyjneymsOG_vOi9iuWrnuOaou2JpeOlnOO2oOKYqueAq-aTrOWEteuXjeyFj-qejeyjseKeruyPpOqdnuGYqOGxjuSOieKPrSIsIm5iZiI6MTcxNDY1ODEwMiwibm9uY2UiOiJwd2g2TWtPMFN0V1VJUWw1UllmT1BnIiwic3ViIjoid2lyZWFwcDovL1hhQ1NPbUlyUkN1QXVFTEtTMF9rNVEhY2M2ZTY0MGUyOTZlOGJiYUBleGFtcGxlLmNvbSIsInRlYW0iOiIxYzkyMzYyZC02MjBjLTRlYzMtYjI0MC02NjRkMzcwMzdlYTEifQ.souod7zzskm35erMb5hup3LRE2I2-N2RPyWYVKyYTS-3T4tiFO-4QHe-QMfSrGHc_TXlZK72mDN-sXfEvsDuqg" +-- uid = UserId "5da0923a-622b-442b-80b8-42ca4b4fe4e5" +-- nonce = Nonce "pwh6MkO0StWUIQl5RYfOPg" +-- expires = ExpiryEpoch 1714658401 +-- handle = Handle "guhktxgpyirxgpvecjqxx" +-- displayName = DisplayName 
"\231\132\144\232\156\189\235\182\135\232\184\156\234\180\155\236\140\132\228\175\172\230\169\169\232\164\178\236\187\156\225\178\158\230\130\157\229\181\148\229\138\185\239\190\172\225\155\170\234\151\181\229\175\180\228\183\133\227\150\152\237\136\166\212\160\235\129\176\235\178\176\224\160\128\229\152\170\229\133\129\235\145\186\228\190\160\225\188\141\232\154\153\235\163\166\227\128\144\237\135\133\228\183\176\237\142\154\236\169\162\228\191\167\231\189\131\217\166\236\182\156\236\183\149\239\177\183\226\138\133\237\130\143\236\142\185\234\182\131\231\149\187\236\182\167\229\140\164\225\158\158\234\190\156\231\185\168\239\176\178\227\150\162\227\171\146\236\171\173\234\144\178\236\156\188\234\170\174\236\163\157\236\166\176\225\191\188\232\189\138\229\171\158\227\154\162\237\137\165\227\165\156\227\182\160\226\152\170\231\128\171\230\147\172\229\132\181\235\151\141\236\133\143\234\158\141\236\163\177\226\158\174\236\143\164\234\157\158\225\152\168\225\177\142\228\142\137\226\143\173" + +-- now = NowEpoch 1704982162 +-- cid = ClientId 14730821443162901434 +-- domain = Domain "example.com" +-- uri = Uri "https://example.com/clients/cc6e640e296e8bba/access-token" +-- method = POST +-- maxSkewSecs = MaxSkewSecs 1 +-- pem = +-- PemBundle $ +-- "-----BEGIN PRIVATE KEY-----\n\ +-- \MC4CAQAwBQYDK2VwBCIEIMkvahkqR9sHJSmFeCl3B7aJjsQGgwy++cccWTbuDyy+\n\ +-- \-----END PRIVATE KEY-----\n\ +-- \-----BEGIN PUBLIC KEY-----\n\ +-- \MCowBQYDK2VwAyEAdYI38UdxksC0K4Qx6E9JK9YfGm+ehnY18oKmHL2YsZk=\n\ +-- \-----END PUBLIC KEY-----\n" diff --git a/nix/pkgs/rusty_jwt_tools_ffi/default.nix b/nix/pkgs/rusty_jwt_tools_ffi/default.nix index 32e735bc849..adb3ef3b800 100644 --- a/nix/pkgs/rusty_jwt_tools_ffi/default.nix +++ b/nix/pkgs/rusty_jwt_tools_ffi/default.nix 
@@ -14,8 +14,8 @@ let
   src = fetchFromGitHub {
     owner = "wireapp";
     repo = "rusty-jwt-tools";
-    rev = "60424bf7031e2fa535aac658d0b5643624d19537";
-    sha256 = "sha256-kdubK9FruZT8pbIwCHyAkxYj9yVM0q7ivNhNUNtNQCY=";
+    rev = "05441e98d9c7c5ec9bfcfba84e885988278f10e6";
+    sha256 = "sha256-HVq2BpPKp3cfdlKrS1AYWQ+a5VigFsYfSecZ60SFATI=";
   };
 
   cargoLockFile = builtins.toFile "cargo.lock" (builtins.readFile "${src}/Cargo.lock");
@@ -29,8 +29,11 @@ rustPlatform.buildRustPackage {
     outputHashes = {
       # if any of these need updating, replace / create new key with
       # lib.fakeSha256, rebuild, and replace with actual hash.
-      "certval-0.1.4" = "sha256-gzkRC7/u/rARGPy3d37eBrAVml4XSDb6bRPpsESmttY=";
-      "jwt-simple-0.12.1" = "sha256-5PAOwulL8j6f4Ycoa5Q+1dqEA24uN8rJt+i2RebL6eo=";
+      "certval-0.1.4" = "sha256-4BWvSzFZhlA+mKj+Y6GNEwNSKikNGVjDoPxyxiw9TFE=";
+      "biscuit-0.6.0-beta1" = "sha256-no7b4Un+7AES7EwWdZh/oeIa4w0caKLAUFsHWqgJOrg=";
+      "jwt-simple-0.13.0" = "sha256-QkVi7EGrU3nF+/32tNjTtAILo8sjasR27nyRgBH+xoA=";
+      "rcgen-0.9.2" = "sha256-3jFzInwdzFBot+L2Vm5NLF1ml33GH2+Iv3LqqGhLxFs=";
+      "ring-0.17.0-not-released-yet" = "sha256-TP8yZo64J/d1fw8l2J4+ol70EcHvpvHJBdpF3A+6Dgo=";
     };
   };
 
diff --git a/services/brig/brig.integration.yaml b/services/brig/brig.integration.yaml
index 38f0208b31c..1723ec9f1e5 100644
--- a/services/brig/brig.integration.yaml
+++ b/services/brig/brig.integration.yaml
@@ -209,7 +209,7 @@ optSettings:
   setNonceTtlSecs: 5
   setDpopMaxSkewSecs: 1
   setDpopTokenExpirationTimeSecs: 300 # 5 minutes
-  setPublicKeyBundle: test/resources/jwt/ed25519_bundle.pem
+  setPublicKeyBundle: test/resources/jwt/ecdsa_secp256r1_sha256_key.pem
   setEnableMLS: true
   # To only allow specific email address domains to register, uncomment and update the setting below
   # setAllowlistEmailDomains:
diff --git a/services/brig/test/integration/API/User/Client.hs b/services/brig/test/integration/API/User/Client.hs
index df4b7c5faaa..8cbe78f01ef 100644
--- a/services/brig/test/integration/API/User/Client.hs
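Review bot: The new `outputHashes` entries in the `@@ -29,8 +29,11 @@` hunk pin git-sourced crates by content hash only, and the key names `ring-0.17.0-not-released-yet` and `biscuit-0.6.0-beta1` suggest (inferred from the names, not visible here) a pre-release fork of a cryptographic primitive library and a beta, without saying which repository or commit each tracks or why rusty-jwt-tools needs them. Since these keys have to match git dependencies in the fetched `Cargo.lock`, a comment per entry such as `# git dep of rusty-jwt-tools: <upstream repo> @ <commit>, unreleased ring fork` would let the next upgrader verify the pin against the lock file rather than re-derive it with `lib.fakeSha256`. The existing comment above the block only explains how to refresh a hash, not what is being trusted.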
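Review bot: `setPublicKeyBundle` now points at `ecdsa_secp256r1_sha256_key.pem`, which, per the new file added later in this patch, contains only a `PRIVATE KEY` block, and the renamed `ed25519_key.pem` drops its `PUBLIC KEY` block as well, so the option name no longer describes what the file holds. A trailing comment on the changed line keeps an operator from supplying a public-key-only file: `setPublicKeyBundle: test/resources/jwt/ecdsa_secp256r1_sha256_key.pem # PKCS#8 private key; the public half is presumably derived from it — confirm`. The same private-key-only shape is introduced for `dpopSigKeyBundle` in the helm values in patch 5/5, so the two descriptions should agree.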
+++ b/services/brig/test/integration/API/User/Client.hs
@@ -1472,7 +1472,7 @@ testCreateAccessToken opts n brig = do
           handle
           (fromName u.userDisplayName)
           (UUID.toText (toUUID tid))
-  signedOrError <- fmap encodeCompact <$> liftIO (signAccessToken dpopClaims)
+  signedOrError <- fmap encodeCompact <$> liftIO (signProofEcdasaP256 dpopClaims)
   case signedOrError of
     Left err -> liftIO $ assertFailure $ "failed to sign claims: " <> show err
     Right signed -> do
@@ -1483,8 +1483,9 @@ testCreateAccessToken opts n brig = do
       let accessToken = fromRight (error $ "failed to create token: " <> show response) $ responseJsonEither response
       liftIO $ datrType accessToken @?= DPoP
   where
-    signAccessToken :: DPoPClaimsSet -> IO (Either JWTError SignedJWT)
-    signAccessToken claims = runJOSE $ do
+    -- FUTUREWORK: parameterize the signing algorithm
+    _signProof :: DPoPClaimsSet -> IO (Either JWTError SignedJWT)
+    _signProof claims = runJOSE $ do
       algo <- bestJWSAlg jwkKey
       let h =
             newJWSHeader ((), algo)
@@ -1492,6 +1493,15 @@ testCreateAccessToken opts n brig = do
               & (typ ?~ HeaderParam () "dpop+jwt")
       signJWT jwkKey h claims
 
+    signProofEcdasaP256 :: DPoPClaimsSet -> IO (Either JWTError SignedJWT)
+    signProofEcdasaP256 claims = runJOSE $ do
+      algo <- bestJWSAlg jwkKeyBundleEcdsaP256
+      let h =
+            newJWSHeader ((), algo)
+              & (jwk ?~ HeaderParam () jwkPublicKeyEcdsaP256)
+              & (typ ?~ HeaderParam () "dpop+jwt")
+      signJWT jwkKeyBundleEcdsaP256 h claims
+
     jwkKey :: JWK
     jwkKey = do
       fromMaybe (error "invalid jwk") . A.decode $
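Review bot: Renaming `signAccessToken` to `_signProof` in the `@@ -1483,8 +1483,9 @@` hunk keeps a function whose only remaining purpose is to be unused (and `jwkKey` with it), while the FUTUREWORK it defers is a two-parameter change: the new `signProofEcdasaP256` in the next hunk differs from it only in which key is passed to `bestJWSAlg`/`signJWT` and which JWK goes into the `jwk` header. Passing those two keys explicitly lets the call site read `signProof jwkKeyBundleEcdsaP256 jwkPublicKeyEcdsaP256 dpopClaims`, keeps an Ed25519 variant one call away, and removes the underscore-prefixed dead code and its comment. The `jwk` header line of the old function sits in the gap between the two hunks, so I have taken it from the new one. `testCreateAccessToken` starts and its `where` clause ends outside the hunk.
```haskell
    -- Sign a DPoP proof with `signingKey`; `headerKey` is embedded as the `jwk` header
    -- and should be the public half of `signingKey`.
    signProof :: JWK -> JWK -> DPoPClaimsSet -> IO (Either JWTError SignedJWT)
    signProof signingKey headerKey claims = runJOSE $ do
      algo <- bestJWSAlg signingKey
      let h =
            newJWSHeader ((), algo)
              & (jwk ?~ HeaderParam () headerKey)
              & (typ ?~ HeaderParam () "dpop+jwt")
      signJWT signingKey h claims
    -- … unchanged: jwkKey and the ECDSA P-256 key bindings …
```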
@@ -1502,6 +1512,16 @@ testCreateAccessToken opts n brig = do
       fromMaybe (error "invalid jwk") . A.decode $
         "{\"kty\":\"OKP\",\"crv\":\"Ed25519\",\"x\":\"nLJGN-Oa6Jsq3KclZggLl7UvAVdmB0Q6C3N5BCgphHw\"}"
 
+    jwkKeyBundleEcdsaP256 :: JWK
+    jwkKeyBundleEcdsaP256 = do
+      fromMaybe (error "invalid jwk") . A.decode $
+        "{\"kty\":\"EC\",\"alg\":\"ES256\",\"crv\":\"P-256\",\"x\":\"hcYjloNodyCLF_rQd_HIszSpa2J-vzrgntneAJW5pA8\",\"y\":\"6MXxnHq1FmAWCc6A7YValxvekicBv53ARTQO35mRKJ8\",\"d\":\"yz1weEXJbJao6wLiml8fahLt3BnJxdHWfbpUB0i8GLo\"}"
+
+    jwkPublicKeyEcdsaP256 :: JWK
+    jwkPublicKeyEcdsaP256 = do
+      fromMaybe (error "invalid jwk") . A.decode $
+        "{\"kty\":\"EC\",\"alg\":\"ES256\",\"crv\":\"P-256\",\"x\":\"hcYjloNodyCLF_rQd_HIszSpa2J-vzrgntneAJW5pA8\",\"y\":\"6MXxnHq1FmAWCc6A7YValxvekicBv53ARTQO35mRKJ8\"}"
+
 testCreateAccessTokenMissingProof :: Brig -> Http ()
 testCreateAccessTokenMissingProof brig = do
   uid <- userId <$> randomUser brig
diff --git a/services/brig/test/resources/jwt/ecdsa_secp256r1_sha256_key.pem b/services/brig/test/resources/jwt/ecdsa_secp256r1_sha256_key.pem
new file mode 100644
index 00000000000..290e7d7019e
--- /dev/null
+++ b/services/brig/test/resources/jwt/ecdsa_secp256r1_sha256_key.pem
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgokD9kGYErMooLqpv
+IRUVCtV1l6HmtqTJUFun0/4XLuahRANCAASWH/qkgOLwZz1GvEt0ch4HPRQUoj9U
+TL8L7QANF9JztsEQ2omrX9l7RoosjAm+PKwrL+c3GiT63CSd1qrUpoZa
+-----END PRIVATE KEY-----
diff --git a/services/brig/test/resources/jwt/ed25519_bundle.pem b/services/brig/test/resources/jwt/ed25519_key.pem
similarity index 51%
rename from services/brig/test/resources/jwt/ed25519_bundle.pem
rename to services/brig/test/resources/jwt/ed25519_key.pem
index afbd4dfb0ec..a9d04d69b8c 100644
--- a/services/brig/test/resources/jwt/ed25519_bundle.pem
+++ b/services/brig/test/resources/jwt/ed25519_key.pem
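Review bot: `jwkPublicKeyEcdsaP256` repeats the `x` and `y` coordinates of `jwkKeyBundleEcdsaP256` as a second hand-written literal, so the two can drift silently and the proof's `jwk` header would then no longer match the key that produced the signature, which a server-side check would reject without the test saying why. A comment on the public binding, `-- public half of jwkKeyBundleEcdsaP256: x/y must stay identical to the bundle above`, records the invariant; a comment on the bundle, `-- test-only P-256 key pair (private scalar d included); the same key is used by brig.integration.yaml`, records where else it lives. Separately, `= do` on `jwkKeyBundleEcdsaP256`, `jwkPublicKeyEcdsaP256` and the existing `jwkKey` wraps a single pure expression and can be dropped to plain `= fromMaybe (error "invalid jwk") . A.decode $ ...`. The enclosing `where` clause starts outside the hunk.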
@@ -1,6 +1,3 @@
 -----BEGIN PRIVATE KEY-----
 MC4CAQAwBQYDK2VwBCIEIFANnxZLNE4p+GDzWzR3wm/v8x/0bxZYkCyke1aTRucX
 -----END PRIVATE KEY-----
------BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEACPvhIdimF20tOPjbb+fXJrwS2RKDp7686T90AZ0+Th8=
------END PUBLIC KEY-----

From 01185d5f15e1767160b6f8296741621dedd122bb Mon Sep 17 00:00:00 2001
From: Leif Battermann
Date: Thu, 2 May 2024 14:10:43 +0000
Subject: [PATCH 2/5] changelog

---
 changelog.d/2-features/WPB-8988 | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/2-features/WPB-8988

diff --git a/changelog.d/2-features/WPB-8988 b/changelog.d/2-features/WPB-8988
new file mode 100644
index 00000000000..fa19b506056
--- /dev/null
+++ b/changelog.d/2-features/WPB-8988
@@ -0,0 +1 @@
+Upgrade `rusty-jwt-tools` to support `ecdsa_secp256r1_sha256`

From d83af7a274d256cc612478f353a891ab421c0d75 Mon Sep 17 00:00:00 2001
From: Leif Battermann
Date: Thu, 2 May 2024 14:12:32 +0000
Subject: [PATCH 3/5] remove comment

---
 libs/jwt-tools/test/Spec.hs | 23 -----------------------
 1 file changed, 23 deletions(-)

diff --git a/libs/jwt-tools/test/Spec.hs b/libs/jwt-tools/test/Spec.hs
index 6a5a2474f8d..03c9e53ba79 100644
--- a/libs/jwt-tools/test/Spec.hs
+++ b/libs/jwt-tools/test/Spec.hs
@@ -89,26 +89,3 @@ main = hspec $ do toResult Nothing Nothing `shouldBe` Left UnknownError where token = "" - --- tid = TeamId "1c92362d-620c-4ec3-b240-664d37037ea1" --- proof = Proof "eyJhbGciOiJFUzI1NiIsImp3ayI6eyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2Iiwia3R5IjoiRUMiLCJ4IjoiaGNZamxvTm9keUNMRl9yUWRfSElzelNwYTJKLXZ6cmdudG5lQUpXNXBBOCIsInkiOiI2TVh4bkhxMUZtQVdDYzZBN1lWYWx4dmVraWNCdjUzQVJUUU8zNW1SS0o4In0sInR5cCI6ImRwb3Arand0In0.eyJhdWQiOiJodHRwczovL3dpcmUuY29tL2FjbWUvY2hhbGxlbmdlL2FiY2QiLCJjaGFsIjoid2EyVnJrQ3RXMXNhdUoyRDN1S1k4cmM3eTRrbDR1c0giLCJleHAiOjE3MTQ2NTgxMTIsImhhbmRsZSI6IndpcmVhcHA6Ly8lNDBndWhrdHhncHlpcnhncHZlY2pxeHhAZXhhbXBsZS5jb20iLCJodG0iOiJQT1NUIiwiaHR1IjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9jbGllbnRzL2NjNmU2NDBlMjk2ZThiYmEvYWNjZXNzLXRva2VuIiwiaWF0IjoxNzE0NjU4MTAyLCJqdGkiOiI2ZmM1OWU3Zi1iNjY2LTRmZmMtYjczOC00ZjQ3NjBjODg0Y2EiLCJuYW1lIjoi54SQ6Jy967aH6Lic6rSb7IyE5K-s5qmp6KSy7Luc4bKe5oKd5bWU5Yq5776s4Zuq6pe15a-05LeF45aY7Yim1KDrgbDrsrDgoIDlmKrlhYHrkbrkvqDhvI3ompnro6bjgJDth4Xkt7DtjprsqaLkv6fnvYPZpuy2nOy3le-xt-KKhe2Cj-yOueq2g-eVu-y2p-WMpOGenuq-nOe5qO-wsuOWouOrkuyrreqQsuycvOqqruyjneymsOG_vOi9iuWrnuOaou2JpeOlnOO2oOKYqueAq-aTrOWEteuXjeyFj-qejeyjseKeruyPpOqdnuGYqOGxjuSOieKPrSIsIm5iZiI6MTcxNDY1ODEwMiwibm9uY2UiOiJwd2g2TWtPMFN0V1VJUWw1UllmT1BnIiwic3ViIjoid2lyZWFwcDovL1hhQ1NPbUlyUkN1QXVFTEtTMF9rNVEhY2M2ZTY0MGUyOTZlOGJiYUBleGFtcGxlLmNvbSIsInRlYW0iOiIxYzkyMzYyZC02MjBjLTRlYzMtYjI0MC02NjRkMzcwMzdlYTEifQ.souod7zzskm35erMb5hup3LRE2I2-N2RPyWYVKyYTS-3T4tiFO-4QHe-QMfSrGHc_TXlZK72mDN-sXfEvsDuqg" --- uid = UserId "5da0923a-622b-442b-80b8-42ca4b4fe4e5" --- nonce = Nonce "pwh6MkO0StWUIQl5RYfOPg" --- expires = ExpiryEpoch 1714658401 --- handle = Handle "guhktxgpyirxgpvecjqxx" --- displayName = DisplayName 
"\231\132\144\232\156\189\235\182\135\232\184\156\234\180\155\236\140\132\228\175\172\230\169\169\232\164\178\236\187\156\225\178\158\230\130\157\229\181\148\229\138\185\239\190\172\225\155\170\234\151\181\229\175\180\228\183\133\227\150\152\237\136\166\212\160\235\129\176\235\178\176\224\160\128\229\152\170\229\133\129\235\145\186\228\190\160\225\188\141\232\154\153\235\163\166\227\128\144\237\135\133\228\183\176\237\142\154\236\169\162\228\191\167\231\189\131\217\166\236\182\156\236\183\149\239\177\183\226\138\133\237\130\143\236\142\185\234\182\131\231\149\187\236\182\167\229\140\164\225\158\158\234\190\156\231\185\168\239\176\178\227\150\162\227\171\146\236\171\173\234\144\178\236\156\188\234\170\174\236\163\157\236\166\176\225\191\188\232\189\138\229\171\158\227\154\162\237\137\165\227\165\156\227\182\160\226\152\170\231\128\171\230\147\172\229\132\181\235\151\141\236\133\143\234\158\141\236\163\177\226\158\174\236\143\164\234\157\158\225\152\168\225\177\142\228\142\137\226\143\173" - --- now = NowEpoch 1704982162 --- cid = ClientId 14730821443162901434 --- domain = Domain "example.com" --- uri = Uri "https://example.com/clients/cc6e640e296e8bba/access-token" --- method = POST --- maxSkewSecs = MaxSkewSecs 1 --- pem = --- PemBundle $ --- "-----BEGIN PRIVATE KEY-----\n\ --- \MC4CAQAwBQYDK2VwBCIEIMkvahkqR9sHJSmFeCl3B7aJjsQGgwy++cccWTbuDyy+\n\ --- \-----END PRIVATE KEY-----\n\ --- \-----BEGIN PUBLIC KEY-----\n\ --- \MCowBQYDK2VwAyEAdYI38UdxksC0K4Qx6E9JK9YfGm+ehnY18oKmHL2YsZk=\n\ --- \-----END PUBLIC KEY-----\n" From 33c6047569cddf294d24ca87128282aa854da8f7 Mon Sep 17 00:00:00 2001 From: Leif Battermann Date: Thu, 2 May 2024 14:14:34 +0000 Subject: [PATCH 4/5] typo --- services/brig/test/integration/API/User/Client.hs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/brig/test/integration/API/User/Client.hs b/services/brig/test/integration/API/User/Client.hs index 8cbe78f01ef..0fb44b9063f 100644 
--- a/services/brig/test/integration/API/User/Client.hs
+++ b/services/brig/test/integration/API/User/Client.hs
@@ -1472,7 +1472,7 @@ testCreateAccessToken opts n brig = do
           handle
           (fromName u.userDisplayName)
           (UUID.toText (toUUID tid))
-  signedOrError <- fmap encodeCompact <$> liftIO (signProofEcdasaP256 dpopClaims)
+  signedOrError <- fmap encodeCompact <$> liftIO (signProofEcdsaP256 dpopClaims)
   case signedOrError of
     Left err -> liftIO $ assertFailure $ "failed to sign claims: " <> show err
     Right signed -> do
@@ -1493,8 +1493,8 @@ testCreateAccessToken opts n brig = do
               & (typ ?~ HeaderParam () "dpop+jwt")
       signJWT jwkKey h claims
 
-    signProofEcdasaP256 :: DPoPClaimsSet -> IO (Either JWTError SignedJWT)
-    signProofEcdasaP256 claims = runJOSE $ do
+    signProofEcdsaP256 :: DPoPClaimsSet -> IO (Either JWTError SignedJWT)
+    signProofEcdsaP256 claims = runJOSE $ do
       algo <- bestJWSAlg jwkKeyBundleEcdsaP256
       let h =
             newJWSHeader ((), algo)

From 75bfe986d0ac996bbba37f4634e18cc8a02bcb5a Mon Sep 17 00:00:00 2001
From: Leif Battermann
Date: Thu, 2 May 2024 15:01:17 +0000
Subject: [PATCH 5/5] correct key for ci

---
 hack/helm_vars/wire-server/values.yaml.gotmpl | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/hack/helm_vars/wire-server/values.yaml.gotmpl b/hack/helm_vars/wire-server/values.yaml.gotmpl
index 614b83441be..11cf79753cd 100644
--- a/hack/helm_vars/wire-server/values.yaml.gotmpl
+++ b/hack/helm_vars/wire-server/values.yaml.gotmpl
@@ -151,11 +151,10 @@ brig:
       smtpPassword: dummy-smtp-password
       dpopSigKeyBundle: |
         -----BEGIN PRIVATE KEY-----
-        MC4CAQAwBQYDK2VwBCIEIFANnxZLNE4p+GDzWzR3wm/v8x/0bxZYkCyke1aTRucX
+        MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgokD9kGYErMooLqpv
+        IRUVCtV1l6HmtqTJUFun0/4XLuahRANCAASWH/qkgOLwZz1GvEt0ch4HPRQUoj9U
+        TL8L7QANF9JztsEQ2omrX9l7RoosjAm+PKwrL+c3GiT63CSd1qrUpoZa
         -----END PRIVATE KEY-----
-        -----BEGIN PUBLIC KEY-----
-        MCowBQYDK2VwAyEACPvhIdimF20tOPjbb+fXJrwS2RKDp7686T90AZ0+Th8=
-        -----END PUBLIC KEY-----
       oauthJwkKeyPair: |
         {
           "kty": "OKP",
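Review bot: The `dpopSigKeyBundle` block now carries the same private key as `services/brig/test/resources/jwt/ecdsa_secp256r1_sha256_key.pem` added in patch 1/5 (the three base64 lines are identical), and the subject of this patch, "correct key for ci", indicates the two copies already had to be reconciled by hand once. A comment above the block, `# must stay identical to services/brig/test/resources/jwt/ecdsa_secp256r1_sha256_key.pem (setPublicKeyBundle in brig.integration.yaml)`, records that coupling for the next key rotation. As in the integration config, the `PUBLIC KEY` block is gone, so "bundle" in the name no longer matches the content; whether brig derives the public key from the private one is not visible here and is worth stating in the same comment.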