From 84c793dae0152a0ea9be1664ecca78ac2f529c11 Mon Sep 17 00:00:00 2001 From: Quentin Gliech Date: Mon, 29 Aug 2022 16:41:57 +0200 Subject: [PATCH] Reorganise algorithms under the `jwa` module --- crates/jose/src/{ => jwa}/hmac.rs | 0 crates/jose/src/jwa/mod.rs | 43 +++++ crates/jose/src/{ => jwa}/rsa.rs | 198 +++++++--------------- crates/jose/src/jwk/mod.rs | 4 +- crates/jose/src/jwk/private_parameters.rs | 44 +++++ crates/jose/src/jwk/public_parameters.rs | 44 +++++ crates/jose/src/lib.rs | 3 +- crates/jose/src/signer.rs | 105 +++++------- crates/jose/src/verifier.rs | 153 ++++++++--------- crates/jose/tests/jws.rs | 9 +- 10 files changed, 309 insertions(+), 294 deletions(-) rename crates/jose/src/{ => jwa}/hmac.rs (100%) create mode 100644 crates/jose/src/jwa/mod.rs rename crates/jose/src/{ => jwa}/rsa.rs (50%) diff --git a/crates/jose/src/hmac.rs b/crates/jose/src/jwa/hmac.rs similarity index 100% rename from crates/jose/src/hmac.rs rename to crates/jose/src/jwa/hmac.rs diff --git a/crates/jose/src/jwa/mod.rs b/crates/jose/src/jwa/mod.rs new file mode 100644 index 00000000..c183e199 --- /dev/null +++ b/crates/jose/src/jwa/mod.rs @@ -0,0 +1,43 @@ +// Copyright 2022 The Matrix.org Foundation C.I.C. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +use sha2::{Sha256, Sha384, Sha512}; + +pub(crate) mod hmac; +pub(crate) mod rsa; + +pub type Hs256Key = self::hmac::Hmac; +pub type Hs384Key = self::hmac::Hmac; +pub type Hs512Key = self::hmac::Hmac; + +pub type Rs256SigningKey = self::rsa::pkcs1v15::SigningKey; +pub type Rs256VerifyingKey = self::rsa::pkcs1v15::VerifyingKey; +pub type Rs384SigningKey = self::rsa::pkcs1v15::SigningKey; +pub type Rs384VerifyingKey = self::rsa::pkcs1v15::VerifyingKey; +pub type Rs512SigningKey = self::rsa::pkcs1v15::SigningKey; +pub type Rs512VerifyingKey = self::rsa::pkcs1v15::VerifyingKey; + +pub type Ps256SigningKey = self::rsa::pss::SigningKey; +pub type Ps256VerifyingKey = self::rsa::pss::VerifyingKey; +pub type Ps384SigningKey = self::rsa::pss::SigningKey; +pub type Ps384VerifyingKey = self::rsa::pss::VerifyingKey; +pub type Ps512SigningKey = self::rsa::pss::SigningKey; +pub type Ps512VerifyingKey = self::rsa::pss::VerifyingKey; + +pub type Es256SigningKey = ecdsa::SigningKey; +pub type Es256VerifyingKey = ecdsa::VerifyingKey; +pub type Es384SigningKey = ecdsa::SigningKey; +pub type Es384VerifyingKey = ecdsa::VerifyingKey; +pub type Es256KSigningKey = ecdsa::SigningKey; +pub type Es256KVerifyingKey = ecdsa::VerifyingKey; diff --git a/crates/jose/src/rsa.rs b/crates/jose/src/jwa/rsa.rs similarity index 50% rename from crates/jose/src/rsa.rs rename to crates/jose/src/jwa/rsa.rs index 2d9bdd0a..f8e7ea99 100644 --- a/crates/jose/src/rsa.rs +++ b/crates/jose/src/jwa/rsa.rs @@ -15,54 +15,50 @@ // This is a temporary wrapper until the RSA crate actually hashes the input // See +pub trait RsaHashIdentifier { + const HASH: rsa::Hash; +} + +impl RsaHashIdentifier for sha2::Sha224 { + const HASH: rsa::Hash = rsa::Hash::SHA2_224; +} + +impl RsaHashIdentifier for sha2::Sha256 { + const HASH: rsa::Hash = rsa::Hash::SHA2_256; +} + +impl RsaHashIdentifier for sha2::Sha384 { + const HASH: rsa::Hash = rsa::Hash::SHA2_384; +} + +impl RsaHashIdentifier for sha2::Sha512 { + const HASH: rsa::Hash = rsa::Hash::SHA2_512; +} + pub(crate) mod pkcs1v15 { use std::marker::PhantomData; use digest::Digest; use rsa::{RsaPrivateKey, RsaPublicKey}; - use sha2::{Sha256, Sha384, Sha512}; + + use super::RsaHashIdentifier; pub struct VerifyingKey { inner: rsa::pkcs1v15::VerifyingKey, hash: PhantomData, } - impl From for VerifyingKey { - fn from(key: RsaPublicKey) -> Self { - let inner = rsa::pkcs1v15::VerifyingKey::new_with_hash(key, rsa::Hash::SHA2_256); - ensure_verifier(Self { - inner, - hash: PhantomData::default(), - }) - } - } - - impl From for VerifyingKey { - fn from(key: RsaPublicKey) -> Self { - let inner = rsa::pkcs1v15::VerifyingKey::new_with_hash(key, rsa::Hash::SHA2_384); - ensure_verifier(Self { - inner, - hash: PhantomData::default(), - }) - } - } - - impl From for VerifyingKey { - fn from(key: RsaPublicKey) -> Self { - let inner = rsa::pkcs1v15::VerifyingKey::new_with_hash(key, rsa::Hash::SHA2_512); - ensure_verifier(Self { - inner, - hash: PhantomData::default(), - }) - } - } - - #[inline] - fn ensure_verifier(t: T) -> T + impl From for VerifyingKey where - T: signature::Verifier, + H: RsaHashIdentifier, { - t + fn from(key: RsaPublicKey) -> Self { + let inner = rsa::pkcs1v15::VerifyingKey::new_with_hash(key, H::HASH); + Self { + inner, + hash: PhantomData::default(), + } + } } impl signature::Verifier for VerifyingKey @@ -84,42 +80,17 @@ pub(crate) mod pkcs1v15 { hash: PhantomData, } - impl From for SigningKey { - fn from(key: RsaPrivateKey) -> Self { - let inner = rsa::pkcs1v15::SigningKey::new_with_hash(key, rsa::Hash::SHA2_256); - ensure_signer(Self { - inner, - hash: PhantomData::default(), - }) - } - } - - impl From for SigningKey { - fn from(key: RsaPrivateKey) -> Self { - let inner = rsa::pkcs1v15::SigningKey::new_with_hash(key, rsa::Hash::SHA2_384); - ensure_signer(Self { - inner, - hash: PhantomData::default(), - }) - } - } - - impl From for SigningKey { - fn from(key: RsaPrivateKey) -> Self { - let inner = rsa::pkcs1v15::SigningKey::new_with_hash(key, rsa::Hash::SHA2_512); - ensure_signer(Self { - inner, - hash: PhantomData::default(), - }) - } - } - - #[inline] - fn ensure_signer(t: T) -> T + impl From for SigningKey where - T: signature::Signer, + H: RsaHashIdentifier, { - t + fn from(key: RsaPrivateKey) -> Self { + let inner = rsa::pkcs1v15::SigningKey::new_with_hash(key, H::HASH); + Self { + inner, + hash: PhantomData::default(), + } + } } impl signature::Signer for SigningKey @@ -136,10 +107,9 @@ pub(crate) mod pkcs1v15 { pub(crate) mod pss { use std::marker::PhantomData; - use digest::Digest; + use digest::{Digest, DynDigest}; use rand::thread_rng; use rsa::{RsaPrivateKey, RsaPublicKey}; - use sha2::{Sha256, Sha384, Sha512}; use signature::RandomizedSigner; pub struct VerifyingKey { @@ -147,42 +117,17 @@ pub(crate) mod pss { hash: PhantomData, } - impl From for VerifyingKey { - fn from(key: RsaPublicKey) -> Self { - let inner = rsa::pss::VerifyingKey::new(key, Box::new(Sha256::new())); - ensure_verifier(Self { - inner, - hash: PhantomData::default(), - }) - } - } - - impl From for VerifyingKey { - fn from(key: RsaPublicKey) -> Self { - let inner = rsa::pss::VerifyingKey::new(key, Box::new(Sha384::new())); - ensure_verifier(Self { - inner, - hash: PhantomData::default(), - }) - } - } - - impl From for VerifyingKey { - fn from(key: RsaPublicKey) -> Self { - let inner = rsa::pss::VerifyingKey::new(key, Box::new(Sha512::new())); - ensure_verifier(Self { - inner, - hash: PhantomData::default(), - }) - } - } - - #[inline] - fn ensure_verifier(t: T) -> T + impl From for VerifyingKey where - T: signature::Verifier, + H: DynDigest + Default + 'static, { - t + fn from(key: RsaPublicKey) -> Self { + let inner = rsa::pss::VerifyingKey::new(key, Box::new(H::default())); + Self { + inner, + hash: PhantomData::default(), + } + } } impl signature::Verifier for VerifyingKey @@ -204,42 +149,17 @@ pub(crate) mod pss { hash: PhantomData, } - impl From for SigningKey { - fn from(key: RsaPrivateKey) -> Self { - let inner = rsa::pss::SigningKey::new(key, Box::new(Sha256::new())); - ensure_signer(Self { - inner, - hash: PhantomData::default(), - }) - } - } - - impl From for SigningKey { - fn from(key: RsaPrivateKey) -> Self { - let inner = rsa::pss::SigningKey::new(key, Box::new(Sha384::new())); - ensure_signer(Self { - inner, - hash: PhantomData::default(), - }) - } - } - - impl From for SigningKey { - fn from(key: RsaPrivateKey) -> Self { - let inner = rsa::pss::SigningKey::new(key, Box::new(Sha512::new())); - ensure_signer(Self { - inner, - hash: PhantomData::default(), - }) - } - } - - #[inline] - fn ensure_signer(t: T) -> T + impl From for SigningKey where - T: signature::Signer, + H: DynDigest + Default + 'static, { - t + fn from(key: RsaPrivateKey) -> Self { + let inner = rsa::pss::SigningKey::new(key, Box::new(H::default())); + Self { + inner, + hash: PhantomData::default(), + } + } } impl signature::Signer for SigningKey diff --git a/crates/jose/src/jwk/mod.rs b/crates/jose/src/jwk/mod.rs index aacd6155..dfb59b95 100644 --- a/crates/jose/src/jwk/mod.rs +++ b/crates/jose/src/jwk/mod.rs @@ -33,7 +33,9 @@ pub(crate) mod private_parameters; pub(crate) mod public_parameters; use self::private_parameters::SymetricKeyError; -pub use self::public_parameters::JsonWebKeyPublicParameters as JsonWebKeyParameters; +pub use self::{ + private_parameters::JsonWebKeyPrivateParameters, public_parameters::JsonWebKeyPublicParameters, +}; pub trait ParametersInfo { fn kty(&self) -> JsonWebKeyType; diff --git a/crates/jose/src/jwk/private_parameters.rs b/crates/jose/src/jwk/private_parameters.rs index c6835419..2f182abe 100644 --- a/crates/jose/src/jwk/private_parameters.rs +++ b/crates/jose/src/jwk/private_parameters.rs @@ -194,9 +194,53 @@ struct RsaOtherPrimeInfo { } mod rsa_impls { + use digest::DynDigest; use rsa::{BigUint, RsaPrivateKey}; use super::RsaPrivateParameters; + use crate::jwa::rsa::RsaHashIdentifier; + + impl TryFrom for crate::jwa::rsa::pkcs1v15::SigningKey + where + H: RsaHashIdentifier, + { + type Error = rsa::errors::Error; + fn try_from(value: RsaPrivateParameters) -> Result { + Self::try_from(&value) + } + } + + impl TryFrom<&RsaPrivateParameters> for crate::jwa::rsa::pkcs1v15::SigningKey + where + H: RsaHashIdentifier, + { + type Error = rsa::errors::Error; + fn try_from(value: &RsaPrivateParameters) -> Result { + let key: RsaPrivateKey = value.try_into()?; + Ok(Self::from(key)) + } + } + + impl TryFrom for crate::jwa::rsa::pss::SigningKey + where + H: DynDigest + Default + 'static, + { + type Error = rsa::errors::Error; + fn try_from(value: RsaPrivateParameters) -> Result { + Self::try_from(&value) + } + } + + impl TryFrom<&RsaPrivateParameters> for crate::jwa::rsa::pss::SigningKey + where + H: DynDigest + Default + 'static, + { + type Error = rsa::errors::Error; + fn try_from(value: &RsaPrivateParameters) -> Result { + let key: RsaPrivateKey = value.try_into()?; + Ok(Self::from(key)) + } + } impl TryFrom for RsaPrivateKey { type Error = rsa::errors::Error; diff --git a/crates/jose/src/jwk/public_parameters.rs b/crates/jose/src/jwk/public_parameters.rs index 2366a334..2771ca4d 100644 --- a/crates/jose/src/jwk/public_parameters.rs +++ b/crates/jose/src/jwk/public_parameters.rs @@ -162,9 +162,53 @@ impl OkpPublicParameters { } mod rsa_impls { + use digest::DynDigest; use rsa::{BigUint, RsaPublicKey}; use super::RsaPublicParameters; + use crate::jwa::rsa::RsaHashIdentifier; + + impl TryFrom for crate::jwa::rsa::pkcs1v15::VerifyingKey + where + H: RsaHashIdentifier, + { + type Error = rsa::errors::Error; + fn try_from(value: RsaPublicParameters) -> Result { + Self::try_from(&value) + } + } + + impl TryFrom<&RsaPublicParameters> for crate::jwa::rsa::pkcs1v15::VerifyingKey + where + H: RsaHashIdentifier, + { + type Error = rsa::errors::Error; + fn try_from(value: &RsaPublicParameters) -> Result { + let key: RsaPublicKey = value.try_into()?; + Ok(Self::from(key)) + } + } + + impl TryFrom for crate::jwa::rsa::pss::VerifyingKey + where + H: DynDigest + Default + 'static, + { + type Error = rsa::errors::Error; + fn try_from(value: RsaPublicParameters) -> Result { + Self::try_from(&value) + } + } + + impl TryFrom<&RsaPublicParameters> for crate::jwa::rsa::pss::VerifyingKey + where + H: DynDigest + Default + 'static, + { + type Error = rsa::errors::Error; + fn try_from(value: &RsaPublicParameters) -> Result { + let key: RsaPublicKey = value.try_into()?; + Ok(Self::from(key)) + } + } impl TryFrom for RsaPublicKey { type Error = rsa::errors::Error; diff --git a/crates/jose/src/lib.rs b/crates/jose/src/lib.rs index 0d68f5ef..033874a3 100644 --- a/crates/jose/src/lib.rs +++ b/crates/jose/src/lib.rs @@ -19,11 +19,10 @@ pub mod claims; pub mod constraints; -pub mod hmac; +pub(crate) mod jwa; pub mod jwk; pub(crate) mod jwt; mod keystore; -pub(crate) mod rsa; pub mod signer; pub mod verifier; diff --git a/crates/jose/src/signer.rs b/crates/jose/src/signer.rs index 0a65556e..080f0d7e 100644 --- a/crates/jose/src/signer.rs +++ b/crates/jose/src/signer.rs @@ -13,49 +13,27 @@ // limitations under the License. use mas_iana::jose::{JsonWebKeyEcEllipticCurve, JsonWebSignatureAlg}; -use sha2::{Sha256, Sha384, Sha512}; use signature::Signature; use thiserror::Error; -use crate::jwk::private_parameters::{EcPrivateParameters, JsonWebKeyPrivateParameters}; +use crate::{ + jwa, + jwk::private_parameters::{EcPrivateParameters, JsonWebKeyPrivateParameters}, +}; pub enum Signer { - Hs256 { - key: crate::hmac::Hmac, - }, - Hs384 { - key: crate::hmac::Hmac, - }, - Hs512 { - key: crate::hmac::Hmac, - }, - Rs256 { - key: crate::rsa::pkcs1v15::SigningKey, - }, - Rs384 { - key: crate::rsa::pkcs1v15::SigningKey, - }, - Rs512 { - key: crate::rsa::pkcs1v15::SigningKey, - }, - Ps256 { - key: crate::rsa::pss::SigningKey, - }, - Ps384 { - key: crate::rsa::pss::SigningKey, - }, - Ps512 { - key: crate::rsa::pss::SigningKey, - }, - Es256 { - key: ecdsa::SigningKey, - }, - Es384 { - key: ecdsa::SigningKey, - }, - Es256K { - key: ecdsa::SigningKey, - }, + Hs256 { key: jwa::Hs256Key }, + Hs384 { key: jwa::Hs384Key }, + Hs512 { key: jwa::Hs512Key }, + Rs256 { key: jwa::Rs256SigningKey }, + Rs384 { key: jwa::Rs384SigningKey }, + Rs512 { key: jwa::Rs512SigningKey }, + Ps256 { key: jwa::Ps256SigningKey }, + Ps384 { key: jwa::Ps384SigningKey }, + Ps512 { key: jwa::Ps512SigningKey }, + Es256 { key: jwa::Es256SigningKey }, + Es384 { key: jwa::Es384SigningKey }, + Es256K { key: jwa::Es256KSigningKey }, } #[derive(Debug, Error)] @@ -104,33 +82,39 @@ impl Signer { ) -> Result { match (key, alg) { (JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Rs256) => { - let key: rsa::RsaPrivateKey = params.try_into()?; - Ok(Self::Rs256 { key: key.into() }) + Ok(Self::Rs256 { + key: params.try_into()?, + }) } (JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Rs384) => { - let key: rsa::RsaPrivateKey = params.try_into()?; - Ok(Self::Rs384 { key: key.into() }) + Ok(Self::Rs384 { + key: params.try_into()?, + }) } (JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Rs512) => { - let key: rsa::RsaPrivateKey = params.try_into()?; - Ok(Self::Rs512 { key: key.into() }) + Ok(Self::Rs512 { + key: params.try_into()?, + }) } (JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Ps256) => { - let key: rsa::RsaPrivateKey = params.try_into()?; - Ok(Self::Ps256 { key: key.into() }) + Ok(Self::Ps256 { + key: params.try_into()?, + }) } (JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Ps384) => { - let key: rsa::RsaPrivateKey = params.try_into()?; - Ok(Self::Ps384 { key: key.into() }) + Ok(Self::Ps384 { + key: params.try_into()?, + }) } (JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Ps512) => { - let key: rsa::RsaPrivateKey = params.try_into()?; - Ok(Self::Ps512 { key: key.into() }) + Ok(Self::Ps512 { + key: params.try_into()?, + }) } ( @@ -141,10 +125,9 @@ impl Signer { }, ), JsonWebSignatureAlg::Es256, - ) => { - let key = ecdsa::SigningKey::try_from(params)?; - Ok(Self::Es256 { key }) - } + ) => Ok(Self::Es256 { + key: params.try_into()?, + }), ( JsonWebKeyPrivateParameters::Ec( @@ -154,10 +137,9 @@ impl Signer { }, ), JsonWebSignatureAlg::Es384, - ) => { - let key = ecdsa::SigningKey::try_from(params)?; - Ok(Self::Es384 { key }) - } + ) => Ok(Self::Es384 { + key: params.try_into()?, + }), ( JsonWebKeyPrivateParameters::Ec(EcPrivateParameters { @@ -177,10 +159,9 @@ impl Signer { }, ), JsonWebSignatureAlg::Es256K, - ) => { - let key = ecdsa::SigningKey::try_from(params)?; - Ok(Self::Es256K { key }) - } + ) => Ok(Self::Es256K { + key: params.try_into()?, + }), (JsonWebKeyPrivateParameters::Okp(_params), JsonWebSignatureAlg::EdDsa) => { Err(SignerFromJwkError::UnsupportedAlgorithm { diff --git a/crates/jose/src/verifier.rs b/crates/jose/src/verifier.rs index 2cc8b99b..166e7cbd 100644 --- a/crates/jose/src/verifier.rs +++ b/crates/jose/src/verifier.rs @@ -13,49 +13,27 @@ // limitations under the License. use mas_iana::jose::{JsonWebKeyEcEllipticCurve, JsonWebSignatureAlg}; -use sha2::{Sha256, Sha384, Sha512}; use signature::Signature; use thiserror::Error; -use crate::jwk::{public_parameters::EcPublicParameters, JsonWebKeyParameters}; +use crate::{ + jwa, + jwk::{public_parameters::EcPublicParameters, JsonWebKeyPublicParameters}, +}; pub enum Verifier { - Hs256 { - key: crate::hmac::Hmac, - }, - Hs384 { - key: crate::hmac::Hmac, - }, - Hs512 { - key: crate::hmac::Hmac, - }, - Rs256 { - key: crate::rsa::pkcs1v15::VerifyingKey, - }, - Rs384 { - key: crate::rsa::pkcs1v15::VerifyingKey, - }, - Rs512 { - key: crate::rsa::pkcs1v15::VerifyingKey, - }, - Ps256 { - key: crate::rsa::pss::VerifyingKey, - }, - Ps384 { - key: crate::rsa::pss::VerifyingKey, - }, - Ps512 { - key: crate::rsa::pss::VerifyingKey, - }, - Es256 { - key: ecdsa::VerifyingKey, - }, - Es384 { - key: ecdsa::VerifyingKey, - }, - Es256K { - key: ecdsa::VerifyingKey, - }, + Hs256 { key: jwa::Hs256Key }, + Hs384 { key: jwa::Hs384Key }, + Hs512 { key: jwa::Hs512Key }, + Rs256 { key: jwa::Rs256VerifyingKey }, + Rs384 { key: jwa::Rs384VerifyingKey }, + Rs512 { key: jwa::Rs512VerifyingKey }, + Ps256 { key: jwa::Ps256VerifyingKey }, + Ps384 { key: jwa::Ps384VerifyingKey }, + Ps512 { key: jwa::Ps512VerifyingKey }, + Es256 { key: jwa::Es256VerifyingKey }, + Es384 { key: jwa::Es384VerifyingKey }, + Es256K { key: jwa::Es256KVerifyingKey }, } #[derive(Debug, Error)] @@ -99,68 +77,72 @@ impl Verifier { } pub fn for_jwk_and_alg( - key: &JsonWebKeyParameters, + key: &JsonWebKeyPublicParameters, alg: JsonWebSignatureAlg, ) -> Result { match (key, alg) { - (JsonWebKeyParameters::Rsa(params), JsonWebSignatureAlg::Rs256) => { - let key = rsa::RsaPublicKey::try_from(params)?; - Ok(Self::Rs256 { key: key.into() }) + (JsonWebKeyPublicParameters::Rsa(params), JsonWebSignatureAlg::Rs256) => { + Ok(Self::Rs256 { + key: params.try_into()?, + }) } - (JsonWebKeyParameters::Rsa(params), JsonWebSignatureAlg::Rs384) => { - let key = rsa::RsaPublicKey::try_from(params)?; - Ok(Self::Rs384 { key: key.into() }) + (JsonWebKeyPublicParameters::Rsa(params), JsonWebSignatureAlg::Rs384) => { + Ok(Self::Rs384 { + key: params.try_into()?, + }) } - (JsonWebKeyParameters::Rsa(params), JsonWebSignatureAlg::Rs512) => { - let key = rsa::RsaPublicKey::try_from(params)?; - Ok(Self::Rs512 { key: key.into() }) + (JsonWebKeyPublicParameters::Rsa(params), JsonWebSignatureAlg::Rs512) => { + Ok(Self::Rs512 { + key: params.try_into()?, + }) } - (JsonWebKeyParameters::Rsa(params), JsonWebSignatureAlg::Ps256) => { - let key = rsa::RsaPublicKey::try_from(params)?; - Ok(Self::Ps256 { key: key.into() }) + (JsonWebKeyPublicParameters::Rsa(params), JsonWebSignatureAlg::Ps256) => { + Ok(Self::Ps256 { + key: params.try_into()?, + }) } - (JsonWebKeyParameters::Rsa(params), JsonWebSignatureAlg::Ps384) => { - let key = rsa::RsaPublicKey::try_from(params)?; - Ok(Self::Ps384 { key: key.into() }) + (JsonWebKeyPublicParameters::Rsa(params), JsonWebSignatureAlg::Ps384) => { + Ok(Self::Ps384 { + key: params.try_into()?, + }) } - (JsonWebKeyParameters::Rsa(params), JsonWebSignatureAlg::Ps512) => { - let key = rsa::RsaPublicKey::try_from(params)?; - Ok(Self::Ps512 { key: key.into() }) + (JsonWebKeyPublicParameters::Rsa(params), JsonWebSignatureAlg::Ps512) => { + Ok(Self::Ps512 { + key: params.try_into()?, + }) } ( - JsonWebKeyParameters::Ec( + JsonWebKeyPublicParameters::Ec( params @ EcPublicParameters { crv: JsonWebKeyEcEllipticCurve::P256, .. }, ), JsonWebSignatureAlg::Es256, - ) => { - let key = ecdsa::VerifyingKey::try_from(params)?; - Ok(Self::Es256 { key }) - } + ) => Ok(Self::Es256 { + key: params.try_into()?, + }), ( - JsonWebKeyParameters::Ec( + JsonWebKeyPublicParameters::Ec( params @ EcPublicParameters { crv: JsonWebKeyEcEllipticCurve::P384, .. }, ), JsonWebSignatureAlg::Es384, - ) => { - let key = ecdsa::VerifyingKey::try_from(params)?; - Ok(Self::Es384 { key }) - } + ) => Ok(Self::Es384 { + key: params.try_into()?, + }), ( - JsonWebKeyParameters::Ec(EcPublicParameters { + JsonWebKeyPublicParameters::Ec(EcPublicParameters { crv: JsonWebKeyEcEllipticCurve::P521, .. }), @@ -170,19 +152,18 @@ impl Verifier { }), ( - JsonWebKeyParameters::Ec( + JsonWebKeyPublicParameters::Ec( params @ EcPublicParameters { crv: JsonWebKeyEcEllipticCurve::Secp256K1, .. }, ), JsonWebSignatureAlg::Es256K, - ) => { - let key = ecdsa::VerifyingKey::try_from(params)?; - Ok(Self::Es256K { key }) - } + ) => Ok(Self::Es256K { + key: params.try_into()?, + }), - (JsonWebKeyParameters::Okp(_params), JsonWebSignatureAlg::EdDsa) => { + (JsonWebKeyPublicParameters::Okp(_params), JsonWebSignatureAlg::EdDsa) => { Err(VerifierFromJwkError::UnsupportedAlgorithm { algorithm: JsonWebSignatureAlg::EdDsa, }) @@ -216,62 +197,62 @@ impl signature::Verifier for Verifier { fn verify(&self, msg: &[u8], signature: &GenericSignature) -> Result<(), signature::Error> { match self { Verifier::Hs256 { key } => { - let signature = crate::hmac::Signature::from_bytes(signature.as_bytes())?; + let signature = signature::Signature::from_bytes(signature.as_bytes())?; key.verify(msg, &signature)?; Ok(()) } Verifier::Hs384 { key } => { - let signature = crate::hmac::Signature::from_bytes(signature.as_bytes())?; + let signature = signature::Signature::from_bytes(signature.as_bytes())?; key.verify(msg, &signature)?; Ok(()) } Verifier::Hs512 { key } => { - let signature = crate::hmac::Signature::from_bytes(signature.as_bytes())?; + let signature = signature::Signature::from_bytes(signature.as_bytes())?; key.verify(msg, &signature)?; Ok(()) } Verifier::Rs256 { key } => { - let signature = rsa::pkcs1v15::Signature::from_bytes(signature.as_bytes())?; + let signature = signature::Signature::from_bytes(signature.as_bytes())?; key.verify(msg, &signature)?; Ok(()) } Verifier::Rs384 { key } => { - let signature = rsa::pkcs1v15::Signature::from_bytes(signature.as_bytes())?; + let signature = signature::Signature::from_bytes(signature.as_bytes())?; key.verify(msg, &signature)?; Ok(()) } Verifier::Rs512 { key } => { - let signature = rsa::pkcs1v15::Signature::from_bytes(signature.as_bytes())?; + let signature = signature::Signature::from_bytes(signature.as_bytes())?; key.verify(msg, &signature)?; Ok(()) } Verifier::Ps256 { key } => { - let signature = rsa::pss::Signature::from_bytes(signature.as_bytes())?; + let signature = signature::Signature::from_bytes(signature.as_bytes())?; key.verify(msg, &signature)?; Ok(()) } Verifier::Ps384 { key } => { - let signature = rsa::pss::Signature::from_bytes(signature.as_bytes())?; + let signature = signature::Signature::from_bytes(signature.as_bytes())?; key.verify(msg, &signature)?; Ok(()) } Verifier::Ps512 { key } => { - let signature = rsa::pss::Signature::from_bytes(signature.as_bytes())?; + let signature = signature::Signature::from_bytes(signature.as_bytes())?; key.verify(msg, &signature)?; Ok(()) } Verifier::Es256 { key } => { - let signature = ecdsa::Signature::from_bytes(signature.as_bytes())?; + let signature = signature::Signature::from_bytes(signature.as_bytes())?; key.verify(msg, &signature)?; Ok(()) } Verifier::Es384 { key } => { - let signature = ecdsa::Signature::from_bytes(signature.as_bytes())?; + let signature = signature::Signature::from_bytes(signature.as_bytes())?; key.verify(msg, &signature)?; Ok(()) } Verifier::Es256K { key } => { - let signature = ecdsa::Signature::from_bytes(signature.as_bytes())?; + let signature = signature::Signature::from_bytes(signature.as_bytes())?; key.verify(msg, &signature)?; Ok(()) } diff --git a/crates/jose/tests/jws.rs b/crates/jose/tests/jws.rs index d82249a8..bdd8fd8d 100644 --- a/crates/jose/tests/jws.rs +++ b/crates/jose/tests/jws.rs @@ -170,10 +170,11 @@ macro_rules! symetric_jwt_test { #[test] fn verify_jwt() { let jwt: Jwt<'_, Payload> = Jwt::try_from($jwt).unwrap(); - let verifier = - mas_jose::verifier::Verifier::for_oct_and_alg(oct_key(), jwt.header().alg()) - .unwrap(); - assert_eq!(jwt.payload().hello, "world"); + let verifier = mas_jose::verifier::Verifier::for_oct_and_alg( + oct_key(), + JsonWebSignatureAlg::$alg, + ) + .unwrap(); jwt.verify(&verifier).unwrap(); }