matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-08-09 04:22:45 +03:00
Code Activity

Bump Crypto crates

Browse Source
This commit is contained in:
Quentin Gliech
2022-09-27 18:07:16 +02:00
parent 19721959f8
commit 348912b3fb
26 changed files with 430 additions and 626 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
crates/jose/src/jwa/asymmetric.rs
View File

@@ -13,6 +13,8 @@
// limitations under the License.
use mas_iana::jose::{JsonWebKeyEcEllipticCurve, JsonWebSignatureAlg};
use rand::thread_rng;
use signature::RandomizedSigner;
use thiserror::Error;
use super::signature::Signature;
@@ -60,18 +62,15 @@ impl AsymmetricSigningKey {
alg: JsonWebSignatureAlg,
) -> Result<Self, AsymmetricKeyFromJwkError> {
match (params, alg) {
(JsonWebKeyPrivateParameters::Rsa(params), alg) => {
let key = rsa::RsaPrivateKey::try_from(params)?;
match alg {
JsonWebSignatureAlg::Rs256 => Ok(Self::Rs256(key.into())),
JsonWebSignatureAlg::Rs384 => Ok(Self::Rs384(key.into())),
JsonWebSignatureAlg::Rs512 => Ok(Self::Rs512(key.into())),
JsonWebSignatureAlg::Ps256 => Ok(Self::Ps256(key.into())),
JsonWebSignatureAlg::Ps384 => Ok(Self::Ps384(key.into())),
JsonWebSignatureAlg::Ps512 => Ok(Self::Ps512(key.into())),
_ => Err(AsymmetricKeyFromJwkError::KeyNotSuitable { alg }),
}
}
(JsonWebKeyPrivateParameters::Rsa(params), alg) => match alg {
JsonWebSignatureAlg::Rs256 => Ok(Self::Rs256(params.try_into()?)),
JsonWebSignatureAlg::Rs384 => Ok(Self::Rs384(params.try_into()?)),
JsonWebSignatureAlg::Rs512 => Ok(Self::Rs512(params.try_into()?)),
JsonWebSignatureAlg::Ps256 => Ok(Self::Ps256(params.try_into()?)),
JsonWebSignatureAlg::Ps384 => Ok(Self::Ps384(params.try_into()?)),
JsonWebSignatureAlg::Ps512 => Ok(Self::Ps512(params.try_into()?)),
_ => Err(AsymmetricKeyFromJwkError::KeyNotSuitable { alg }),
},
(JsonWebKeyPrivateParameters::Ec(params), JsonWebSignatureAlg::Es256)
if params.crv == JsonWebKeyEcEllipticCurve::P256 =>
@@ -176,15 +175,15 @@ impl signature::Signer<Signature> for AsymmetricSigningKey {
Ok(Signature::from_signature(&signature))
}
Self::Ps256(key) => {
let signature = key.try_sign(msg)?;
let signature = key.try_sign_with_rng(thread_rng(), msg)?;
Ok(Signature::from_signature(&signature))
}
Self::Ps384(key) => {
let signature = key.try_sign(msg)?;
let signature = key.try_sign_with_rng(thread_rng(), msg)?;
Ok(Signature::from_signature(&signature))
}
Self::Ps512(key) => {
let signature = key.try_sign(msg)?;
let signature = key.try_sign_with_rng(thread_rng(), msg)?;
Ok(Signature::from_signature(&signature))
}
Self::Es256(key) => {
@@ -223,18 +222,15 @@ impl AsymmetricVerifyingKey {
alg: JsonWebSignatureAlg,
) -> Result<Self, AsymmetricKeyFromJwkError> {
match (params, alg) {
(JsonWebKeyPublicParameters::Rsa(params), alg) => {
let key = rsa::RsaPublicKey::try_from(params)?;
match alg {
JsonWebSignatureAlg::Rs256 => Ok(Self::Rs256(key.into())),
JsonWebSignatureAlg::Rs384 => Ok(Self::Rs384(key.into())),
JsonWebSignatureAlg::Rs512 => Ok(Self::Rs512(key.into())),
JsonWebSignatureAlg::Ps256 => Ok(Self::Ps256(key.into())),
JsonWebSignatureAlg::Ps384 => Ok(Self::Ps384(key.into())),
JsonWebSignatureAlg::Ps512 => Ok(Self::Ps512(key.into())),
_ => Err(AsymmetricKeyFromJwkError::KeyNotSuitable { alg }),
}
}
(JsonWebKeyPublicParameters::Rsa(params), alg) => match alg {
JsonWebSignatureAlg::Rs256 => Ok(Self::Rs256(params.try_into()?)),
JsonWebSignatureAlg::Rs384 => Ok(Self::Rs384(params.try_into()?)),
JsonWebSignatureAlg::Rs512 => Ok(Self::Rs512(params.try_into()?)),
JsonWebSignatureAlg::Ps256 => Ok(Self::Ps256(params.try_into()?)),
JsonWebSignatureAlg::Ps384 => Ok(Self::Ps384(params.try_into()?)),
JsonWebSignatureAlg::Ps512 => Ok(Self::Ps512(params.try_into()?)),
_ => Err(AsymmetricKeyFromJwkError::KeyNotSuitable { alg }),
},
(JsonWebKeyPublicParameters::Ec(params), JsonWebSignatureAlg::Es256)
if params.crv == JsonWebKeyEcEllipticCurve::P256 =>

25
crates/jose/src/jwa/mod.rs
View File

@@ -17,7 +17,6 @@ use sha2::{Sha256, Sha384, Sha512};
mod asymmetric;
pub(crate) mod hmac;
pub(crate) mod rsa;
pub(self) mod signature;
mod symmetric;
@@ -30,19 +29,19 @@ pub type Hs256Key = self::hmac::Hmac<Sha256>;
pub type Hs384Key = self::hmac::Hmac<Sha384>;
pub type Hs512Key = self::hmac::Hmac<Sha512>;
pub type Rs256SigningKey = self::rsa::pkcs1v15::SigningKey<Sha256>;
pub type Rs256VerifyingKey = self::rsa::pkcs1v15::VerifyingKey<Sha256>;
pub type Rs384SigningKey = self::rsa::pkcs1v15::SigningKey<Sha384>;
pub type Rs384VerifyingKey = self::rsa::pkcs1v15::VerifyingKey<Sha384>;
pub type Rs512SigningKey = self::rsa::pkcs1v15::SigningKey<Sha512>;
pub type Rs512VerifyingKey = self::rsa::pkcs1v15::VerifyingKey<Sha512>;
pub type Rs256SigningKey = rsa::pkcs1v15::SigningKey<Sha256>;
pub type Rs256VerifyingKey = rsa::pkcs1v15::VerifyingKey<Sha256>;
pub type Rs384SigningKey = rsa::pkcs1v15::SigningKey<Sha384>;
pub type Rs384VerifyingKey = rsa::pkcs1v15::VerifyingKey<Sha384>;
pub type Rs512SigningKey = rsa::pkcs1v15::SigningKey<Sha512>;
pub type Rs512VerifyingKey = rsa::pkcs1v15::VerifyingKey<Sha512>;
pub type Ps256SigningKey = self::rsa::pss::SigningKey<Sha256>;
pub type Ps256VerifyingKey = self::rsa::pss::VerifyingKey<Sha256>;
pub type Ps384SigningKey = self::rsa::pss::SigningKey<Sha384>;
pub type Ps384VerifyingKey = self::rsa::pss::VerifyingKey<Sha384>;
pub type Ps512SigningKey = self::rsa::pss::SigningKey<Sha512>;
pub type Ps512VerifyingKey = self::rsa::pss::VerifyingKey<Sha512>;
pub type Ps256SigningKey = rsa::pss::SigningKey<Sha256>;
pub type Ps256VerifyingKey = rsa::pss::VerifyingKey<Sha256>;
pub type Ps384SigningKey = rsa::pss::SigningKey<Sha384>;
pub type Ps384VerifyingKey = rsa::pss::VerifyingKey<Sha384>;
pub type Ps512SigningKey = rsa::pss::SigningKey<Sha512>;
pub type Ps512VerifyingKey = rsa::pss::VerifyingKey<Sha512>;
pub type Es256SigningKey = ecdsa::SigningKey<p256::NistP256>;
pub type Es256VerifyingKey = ecdsa::VerifyingKey<p256::NistP256>;

167
crates/jose/src/jwa/rsa.rs
View File

@@ -1,167 +0,0 @@
// Copyright 2022 The Matrix.org Foundation C.I.C.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// This is a temporary wrapper until the RSA crate actually hashes the input
// See <https://github.com/RustCrypto/RSA/pull/174#issuecomment-1227330296>
use super::signature::Signature;
pub(crate) trait RsaHashIdentifier {
const HASH: rsa::Hash;
}
impl RsaHashIdentifier for sha2::Sha224 {
const HASH: rsa::Hash = rsa::Hash::SHA2_224;
}
impl RsaHashIdentifier for sha2::Sha256 {
const HASH: rsa::Hash = rsa::Hash::SHA2_256;
}
impl RsaHashIdentifier for sha2::Sha384 {
const HASH: rsa::Hash = rsa::Hash::SHA2_384;
}
impl RsaHashIdentifier for sha2::Sha512 {
const HASH: rsa::Hash = rsa::Hash::SHA2_512;
}
pub(crate) mod pkcs1v15 {
use std::marker::PhantomData;
use digest::Digest;
use rsa::{PaddingScheme, PublicKey, RsaPrivateKey, RsaPublicKey};
use super::{RsaHashIdentifier, Signature};
pub struct VerifyingKey<H> {
inner: RsaPublicKey,
hash: PhantomData<H>,
}
impl<H> From<RsaPublicKey> for VerifyingKey<H> {
fn from(inner: RsaPublicKey) -> Self {
Self {
inner,
hash: PhantomData,
}
}
}
impl<H> signature::Verifier<Signature> for VerifyingKey<H>
where
H: Digest + RsaHashIdentifier,
{
fn verify(&self, msg: &[u8], signature: &Signature) -> Result<(), signature::Error> {
let digest = H::digest(msg);
let padding = PaddingScheme::new_pkcs1v15_sign(Some(H::HASH));
self.inner
.verify(padding, &digest, signature.as_ref())
.map_err(signature::Error::from_source)
}
}
pub struct SigningKey<H> {
inner: RsaPrivateKey,
hash: PhantomData<H>,
}
impl<H> From<RsaPrivateKey> for SigningKey<H> {
fn from(inner: RsaPrivateKey) -> Self {
Self {
inner,
hash: PhantomData,
}
}
}
impl<H> signature::Signer<Signature> for SigningKey<H>
where
H: Digest + RsaHashIdentifier,
{
fn try_sign(&self, msg: &[u8]) -> Result<Signature, signature::Error> {
let digest = H::digest(msg);
let padding = PaddingScheme::new_pkcs1v15_sign(Some(H::HASH));
self.inner
.sign(padding, &digest)
.map_err(signature::Error::from_source)
.map(Signature::new)
}
}
}
pub(crate) mod pss {
use std::marker::PhantomData;
use digest::{Digest, DynDigest};
use rand::thread_rng;
use rsa::{PaddingScheme, PublicKey, RsaPrivateKey, RsaPublicKey};
use super::Signature;
pub struct VerifyingKey<H> {
inner: RsaPublicKey,
hash: PhantomData<H>,
}
impl<H> From<RsaPublicKey> for VerifyingKey<H> {
fn from(inner: RsaPublicKey) -> Self {
Self {
inner,
hash: PhantomData,
}
}
}
impl<H> signature::Verifier<Signature> for VerifyingKey<H>
where
H: Digest + DynDigest + 'static,
{
fn verify(&self, msg: &[u8], signature: &Signature) -> Result<(), signature::Error> {
let digest = H::digest(msg);
let padding = PaddingScheme::new_pss::<H, _>(thread_rng());
self.inner
.verify(padding, &digest, signature.as_ref())
.map_err(signature::Error::from_source)
}
}
pub struct SigningKey<H> {
inner: RsaPrivateKey,
hash: PhantomData<H>,
}
impl<H> From<RsaPrivateKey> for SigningKey<H> {
fn from(inner: RsaPrivateKey) -> Self {
Self {
inner,
hash: PhantomData,
}
}
}
impl<H> signature::Signer<Signature> for SigningKey<H>
where
H: Digest + DynDigest + 'static,
{
fn try_sign(&self, msg: &[u8]) -> Result<Signature, signature::Error> {
let digest = H::digest(msg);
let padding = PaddingScheme::new_pss::<H, _>(thread_rng());
self.inner
.sign(padding, &digest)
.map_err(signature::Error::from_source)
.map(Signature::new)
}
}
}

25
crates/jose/src/jwk/private_parameters.rs
View File

@@ -228,15 +228,14 @@ struct RsaOtherPrimeInfo {
}
mod rsa_impls {
use digest::DynDigest;
use digest::{const_oid::AssociatedOid, Digest};
use rsa::{BigUint, RsaPrivateKey};
use super::RsaPrivateParameters;
use crate::jwa::rsa::RsaHashIdentifier;
impl<H> TryFrom<RsaPrivateParameters> for crate::jwa::rsa::pkcs1v15::SigningKey<H>
impl<H> TryFrom<RsaPrivateParameters> for rsa::pkcs1v15::SigningKey<H>
where
H: RsaHashIdentifier,
H: Digest + AssociatedOid,
{
type Error = rsa::errors::Error;
fn try_from(value: RsaPrivateParameters) -> Result<Self, Self::Error> {
@@ -244,20 +243,20 @@ mod rsa_impls {
}
}
impl<H> TryFrom<&RsaPrivateParameters> for crate::jwa::rsa::pkcs1v15::SigningKey<H>
impl<H> TryFrom<&RsaPrivateParameters> for rsa::pkcs1v15::SigningKey<H>
where
H: RsaHashIdentifier,
H: Digest + AssociatedOid,
{
type Error = rsa::errors::Error;
fn try_from(value: &RsaPrivateParameters) -> Result<Self, Self::Error> {
let key: RsaPrivateKey = value.try_into()?;
Ok(Self::from(key))
Ok(Self::new_with_prefix(key))
}
}
impl<H> TryFrom<RsaPrivateParameters> for crate::jwa::rsa::pss::SigningKey<H>
impl<H> TryFrom<RsaPrivateParameters> for rsa::pss::SigningKey<H>
where
H: DynDigest + Default + 'static,
H: Digest,
{
type Error = rsa::errors::Error;
fn try_from(value: RsaPrivateParameters) -> Result<Self, Self::Error> {
@@ -265,14 +264,14 @@ mod rsa_impls {
}
}
impl<H> TryFrom<&RsaPrivateParameters> for crate::jwa::rsa::pss::SigningKey<H>
impl<H> TryFrom<&RsaPrivateParameters> for rsa::pss::SigningKey<H>
where
H: DynDigest + Default + 'static,
H: Digest,
{
type Error = rsa::errors::Error;
fn try_from(value: &RsaPrivateParameters) -> Result<Self, Self::Error> {
let key: RsaPrivateKey = value.try_into()?;
Ok(Self::from(key))
Ok(Self::new(key))
}
}
@@ -298,7 +297,7 @@ mod rsa_impls {
.map(|i| BigUint::from_bytes_be(i))
.collect();
let key = RsaPrivateKey::from_components(n, e, d, primes);
let key = RsaPrivateKey::from_components(n, e, d, primes)?;
key.validate()?;

23
crates/jose/src/jwk/public_parameters.rs
View File

@@ -188,11 +188,10 @@ impl OkpPublicParameters {
}
mod rsa_impls {
use digest::DynDigest;
use digest::{const_oid::AssociatedOid, Digest};
use rsa::{BigUint, PublicKeyParts, RsaPublicKey};
use super::{JsonWebKeyPublicParameters, RsaPublicParameters};
use crate::jwa::rsa::RsaHashIdentifier;
impl From<RsaPublicKey> for JsonWebKeyPublicParameters {
fn from(key: RsaPublicKey) -> Self {
@@ -221,9 +220,9 @@ mod rsa_impls {
}
}
impl<H> TryFrom<RsaPublicParameters> for crate::jwa::rsa::pkcs1v15::VerifyingKey<H>
impl<H> TryFrom<RsaPublicParameters> for rsa::pkcs1v15::VerifyingKey<H>
where
H: RsaHashIdentifier,
H: Digest + AssociatedOid,
{
type Error = rsa::errors::Error;
fn try_from(value: RsaPublicParameters) -> Result<Self, Self::Error> {
@@ -231,20 +230,20 @@ mod rsa_impls {
}
}
impl<H> TryFrom<&RsaPublicParameters> for crate::jwa::rsa::pkcs1v15::VerifyingKey<H>
impl<H> TryFrom<&RsaPublicParameters> for rsa::pkcs1v15::VerifyingKey<H>
where
H: RsaHashIdentifier,
H: Digest + AssociatedOid,
{
type Error = rsa::errors::Error;
fn try_from(value: &RsaPublicParameters) -> Result<Self, Self::Error> {
let key: RsaPublicKey = value.try_into()?;
Ok(Self::from(key))
Ok(Self::new_with_prefix(key))
}
}
impl<H> TryFrom<RsaPublicParameters> for crate::jwa::rsa::pss::VerifyingKey<H>
impl<H> TryFrom<RsaPublicParameters> for rsa::pss::VerifyingKey<H>
where
H: DynDigest + Default + 'static,
H: Digest,
{
type Error = rsa::errors::Error;
fn try_from(value: RsaPublicParameters) -> Result<Self, Self::Error> {
@@ -252,14 +251,14 @@ mod rsa_impls {
}
}
impl<H> TryFrom<&RsaPublicParameters> for crate::jwa::rsa::pss::VerifyingKey<H>
impl<H> TryFrom<&RsaPublicParameters> for rsa::pss::VerifyingKey<H>
where
H: DynDigest + Default + 'static,
H: Digest,
{
type Error = rsa::errors::Error;
fn try_from(value: &RsaPublicParameters) -> Result<Self, Self::Error> {
let key: RsaPublicKey = value.try_into()?;
Ok(Self::from(key))
Ok(Self::new(key))
}
}