jwt_tool
Fix EC token signature verification, add verify against JWKS URL, and more
Greetings @ticarpi !
I'm unshelving a bunch of fixes to the tool, please consider merging.
Most important first:
- EC JWT verification fixed.
I'm sure you know, there are Elliptic Curve based JWT algos, EC256 EC384 EC521. They were not getting sig-verified correctly. The bug may be hard to see in the diff, but it's pretty simple, I'll just echo the commit message:
With this fix, I got complete parity with https://jwt.io & other implementations.
I also added a straightforward "verify token against JWKS URL" mode, for UX speed reasons.
Some more bits and pieces too, I hope the rest will be obvious.
I tested the changes with real keys and tokens, mostly EC ones.
Feel free to question anything unclear in review; I'm hoping to get the PR landed, completely in the spirit of FOSS to make the tool ever a bit sharper :rocket:
Best regards
Yearly ping @ticarpi. EC token sigs are still broken, care to review?
Retested with RSA tokens, too.
Bump @ticarpi, any review comment?
I find it so annoying that an effort for the community has been ignored for so long. Just wanted to say that and express my sympathy.
Thanks @halfluke for the kind words :pray:
What's most annoying to me is that other PRs #101 #108 do get reviewed & merged, and releases come out every so often. But radio silence here, no feedback whatsoever. Ping @ticarpi @rbrown256 @JJK96 anything I should change to land this fix?..
FWIW, rebased once again to resolve the merge conflict.
This looks like a worthwhile merge to me.
Thanks for your contribution. @ticarpi any chance of merging this in?