Diffstat (limited to 'crates/common/src/config')
-rw-r--r--crates/common/src/config/jmap/settings.rs41
-rw-r--r--crates/common/src/config/mod.rs38
2 files changed, 37 insertions, 42 deletions
diff --git a/crates/common/src/config/jmap/settings.rs b/crates/common/src/config/jmap/settings.rs
index 700a5464..78f4c4a0 100644
--- a/crates/common/src/config/jmap/settings.rs
+++ b/crates/common/src/config/jmap/settings.rs
@@ -9,7 +9,6 @@ use std::{str::FromStr, time::Duration};
use jmap_proto::request::capability::BaseCapabilities;
use mail_parser::HeaderName;
use nlp::language::Language;
-use store::rand::{distributions::Alphanumeric, thread_rng, Rng};
use utils::config::{cron::SimpleCron, utils::ParseValue, Config, Rate};
#[derive(Default, Clone)]
@@ -63,13 +62,6 @@ pub struct JmapConfig {
pub web_socket_timeout: Duration,
pub web_socket_heartbeat: Duration,
- pub oauth_key: String,
- pub oauth_expiry_user_code: u64,
- pub oauth_expiry_auth_code: u64,
- pub oauth_expiry_token: u64,
- pub oauth_expiry_refresh_token: u64,
- pub oauth_expiry_refresh_token_renew: u64,
- pub oauth_max_auth_attempts: u32,
pub fallback_admin: Option<(String, String)>,
pub master_user: Option<(String, String)>,
@@ -321,39 +313,6 @@ impl JmapConfig {
rate_anonymous: config
.property_or_default::<Option<Rate>>("jmap.rate-limit.anonymous", "100/1m")
.unwrap_or_default(),
- oauth_key: config
- .value("oauth.key")
- .map(|s| s.to_string())
- .unwrap_or_else(|| {
- thread_rng()
- .sample_iter(Alphanumeric)
- .take(64)
- .map(char::from)
- .collect::<String>()
- }),
- oauth_expiry_user_code: config
- .property_or_default::<Duration>("oauth.expiry.user-code", "30m")
- .unwrap_or_else(|| Duration::from_secs(30 * 60))
- .as_secs(),
- oauth_expiry_auth_code: config
- .property_or_default::<Duration>("oauth.expiry.auth-code", "10m")
- .unwrap_or_else(|| Duration::from_secs(10 * 60))
- .as_secs(),
- oauth_expiry_token: config
- .property_or_default::<Duration>("oauth.expiry.token", "1h")
- .unwrap_or_else(|| Duration::from_secs(60 * 60))
- .as_secs(),
- oauth_expiry_refresh_token: config
- .property_or_default::<Duration>("oauth.expiry.refresh-token", "30d")
- .unwrap_or_else(|| Duration::from_secs(30 * 24 * 60 * 60))
- .as_secs(),
- oauth_expiry_refresh_token_renew: config
- .property_or_default::<Duration>("oauth.expiry.refresh-token-renew", "4d")
- .unwrap_or_else(|| Duration::from_secs(4 * 24 * 60 * 60))
- .as_secs(),
- oauth_max_auth_attempts: config
- .property_or_default("oauth.auth.max-attempts", "3")
- .unwrap_or(10),
event_source_throttle: config
.property_or_default("jmap.event-source.throttle", "1s")
.unwrap_or_else(|| Duration::from_secs(1)),
diff --git a/crates/common/src/config/mod.rs b/crates/common/src/config/mod.rs
index 79b7c059..443f5253 100644
--- a/crates/common/src/config/mod.rs
+++ b/crates/common/src/config/mod.rs
@@ -8,12 +8,14 @@ use std::sync::Arc;
use arc_swap::ArcSwap;
use directory::{Directories, Directory};
+use ring::signature::{EcdsaKeyPair, RsaKeyPair};
use store::{BlobBackend, BlobStore, FtsStore, LookupStore, Store, Stores};
use telemetry::Metrics;
use utils::config::Config;
use crate::{
- expr::*, listener::tls::AcmeProviders, manager::config::ConfigManager, Core, Network, Security,
+ auth::oauth::config::OAuthConfig, expr::*, listener::tls::AcmeProviders,
+ manager::config::ConfigManager, Core, Network, Security,
};
use self::{
@@ -163,6 +165,7 @@ impl Core {
smtp: SmtpConfig::parse(config).await,
jmap: JmapConfig::parse(config),
imap: ImapConfig::parse(config),
+ oauth: OAuthConfig::parse(config),
acme: AcmeProviders::parse(config),
metrics: Metrics::parse(config),
storage: Storage {
@@ -186,3 +189,36 @@ impl Core {
ArcSwap::from_pointee(self)
}
}
+
+pub fn build_rsa_keypair(pem: &str) -> Result<RsaKeyPair, String> {
+ match rustls_pemfile::read_one(&mut pem.as_bytes()) {
+ Ok(Some(rustls_pemfile::Item::Pkcs1Key(key))) => {
+ RsaKeyPair::from_der(key.secret_pkcs1_der())
+ .map_err(|err| format!("Failed to parse PKCS1 RSA key: {err}"))
+ }
+ Ok(Some(rustls_pemfile::Item::Pkcs8Key(key))) => {
+ RsaKeyPair::from_pkcs8(key.secret_pkcs8_der())
+ .map_err(|err| format!("Failed to parse PKCS8 RSA key: {err}"))
+ }
+ Err(err) => Err(format!("Failed to read PEM: {err}")),
+ Ok(Some(key)) => Err(format!("Unsupported key type: {key:?}")),
+ Ok(None) => Err("No RSA key found in PEM".to_string()),
+ }
+}
+
+pub fn build_ecdsa_pem(
+ alg: &'static ring::signature::EcdsaSigningAlgorithm,
+ pem: &str,
+) -> Result<EcdsaKeyPair, String> {
+ match rustls_pemfile::read_one(&mut pem.as_bytes()) {
+ Ok(Some(rustls_pemfile::Item::Pkcs8Key(key))) => EcdsaKeyPair::from_pkcs8(
+ alg,
+ key.secret_pkcs8_der(),
+ &ring::rand::SystemRandom::new(),
+ )
+ .map_err(|err| format!("Failed to parse PKCS8 ECDSA key: {err}")),
+ Err(err) => Err(format!("Failed to read PEM: {err}")),
+ Ok(Some(key)) => Err(format!("Unsupported key type: {key:?}")),
+ Ok(None) => Err("No ECDSA key found in PEM".to_string()),
+ }
+}
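Review bot: `build_ecdsa_pem` returns an `EcdsaKeyPair`, not a PEM, and sits next to `build_rsa_keypair`; renaming it `build_ecdsa_keypair` keeps the pair consistent, and both new public functions lack a `///` doc comment stating which PEM item kinds are accepted (PKCS#1 or PKCS#8 for RSA, PKCS#8 only for ECDSA) and that `read_one` examines only the first PEM block, so a file that starts with a certificate is rejected as an unsupported key type. In `build_ecdsa_pem`, a SEC1 "EC PRIVATE KEY" block also falls into the generic `Unsupported key type` arm; an explicit arm such as `Ok(Some(rustls_pemfile::Item::Sec1Key(_))) => Err("SEC1 EC keys are not supported; convert the key to PKCS#8".to_string()),` would tell the operator what to do instead. The `{key:?}` in both unsupported-type arms formats a private-key item into an error string that presumably ends up in logs; this appears to be safe only because the upstream `Debug` impls elide the secret bytes, so naming the variant explicitly rather than relying on that would be more robust.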