matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-08-09 04:22:45 +03:00
Code Activity

Reorganise algorithms under the jwa module

Browse Source
This commit is contained in:
Quentin Gliech
2022-08-29 16:41:57 +02:00
parent 945719a5a1
commit 84c793dae0
10 changed files with 309 additions and 294 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
crates/jose/src/hmac.rs → crates/jose/src/jwa/hmac.rs
View File

43
crates/jose/src/jwa/mod.rs Normal file
View File

@@ -0,0 +1,43 @@
// Copyright 2022 The Matrix.org Foundation C.I.C.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
use sha2::{Sha256, Sha384, Sha512};
pub(crate) mod hmac;
pub(crate) mod rsa;
pub type Hs256Key = self::hmac::Hmac<Sha256>;
pub type Hs384Key = self::hmac::Hmac<Sha384>;
pub type Hs512Key = self::hmac::Hmac<Sha512>;
pub type Rs256SigningKey = self::rsa::pkcs1v15::SigningKey<Sha256>;
pub type Rs256VerifyingKey = self::rsa::pkcs1v15::VerifyingKey<Sha256>;
pub type Rs384SigningKey = self::rsa::pkcs1v15::SigningKey<Sha384>;
pub type Rs384VerifyingKey = self::rsa::pkcs1v15::VerifyingKey<Sha384>;
pub type Rs512SigningKey = self::rsa::pkcs1v15::SigningKey<Sha512>;
pub type Rs512VerifyingKey = self::rsa::pkcs1v15::VerifyingKey<Sha512>;
pub type Ps256SigningKey = self::rsa::pss::SigningKey<Sha256>;
pub type Ps256VerifyingKey = self::rsa::pss::VerifyingKey<Sha256>;
pub type Ps384SigningKey = self::rsa::pss::SigningKey<Sha384>;
pub type Ps384VerifyingKey = self::rsa::pss::VerifyingKey<Sha384>;
pub type Ps512SigningKey = self::rsa::pss::SigningKey<Sha512>;
pub type Ps512VerifyingKey = self::rsa::pss::VerifyingKey<Sha512>;
pub type Es256SigningKey = ecdsa::SigningKey<p256::NistP256>;
pub type Es256VerifyingKey = ecdsa::VerifyingKey<p256::NistP256>;
pub type Es384SigningKey = ecdsa::SigningKey<p384::NistP384>;
pub type Es384VerifyingKey = ecdsa::VerifyingKey<p384::NistP384>;
pub type Es256KSigningKey = ecdsa::SigningKey<k256::Secp256k1>;
pub type Es256KVerifyingKey = ecdsa::VerifyingKey<k256::Secp256k1>;

198
crates/jose/src/rsa.rs → crates/jose/src/jwa/rsa.rs
View File

@@ -15,54 +15,50 @@
// This is a temporary wrapper until the RSA crate actually hashes the input // This is a temporary wrapper until the RSA crate actually hashes the input
// See <https://github.com/RustCrypto/RSA/pull/174#issuecomment-1227330296> // See <https://github.com/RustCrypto/RSA/pull/174#issuecomment-1227330296>
pub trait RsaHashIdentifier {
const HASH: rsa::Hash;
}
impl RsaHashIdentifier for sha2::Sha224 {
const HASH: rsa::Hash = rsa::Hash::SHA2_224;
}
impl RsaHashIdentifier for sha2::Sha256 {
const HASH: rsa::Hash = rsa::Hash::SHA2_256;
}
impl RsaHashIdentifier for sha2::Sha384 {
const HASH: rsa::Hash = rsa::Hash::SHA2_384;
}
impl RsaHashIdentifier for sha2::Sha512 {
const HASH: rsa::Hash = rsa::Hash::SHA2_512;
}
pub(crate) mod pkcs1v15 { pub(crate) mod pkcs1v15 {
use std::marker::PhantomData; use std::marker::PhantomData;
use digest::Digest; use digest::Digest;
use rsa::{RsaPrivateKey, RsaPublicKey}; use rsa::{RsaPrivateKey, RsaPublicKey};
use sha2::{Sha256, Sha384, Sha512};
use super::RsaHashIdentifier;
pub struct VerifyingKey<H> { pub struct VerifyingKey<H> {
inner: rsa::pkcs1v15::VerifyingKey, inner: rsa::pkcs1v15::VerifyingKey,
hash: PhantomData<H>, hash: PhantomData<H>,
} }
impl From<RsaPublicKey> for VerifyingKey<Sha256> { impl<H> From<RsaPublicKey> for VerifyingKey<H>
fn from(key: RsaPublicKey) -> Self {
let inner = rsa::pkcs1v15::VerifyingKey::new_with_hash(key, rsa::Hash::SHA2_256);
ensure_verifier(Self {
inner,
hash: PhantomData::default(),
})
}
}
impl From<RsaPublicKey> for VerifyingKey<Sha384> {
fn from(key: RsaPublicKey) -> Self {
let inner = rsa::pkcs1v15::VerifyingKey::new_with_hash(key, rsa::Hash::SHA2_384);
ensure_verifier(Self {
inner,
hash: PhantomData::default(),
})
}
}
impl From<RsaPublicKey> for VerifyingKey<Sha512> {
fn from(key: RsaPublicKey) -> Self {
let inner = rsa::pkcs1v15::VerifyingKey::new_with_hash(key, rsa::Hash::SHA2_512);
ensure_verifier(Self {
inner,
hash: PhantomData::default(),
})
}
}
#[inline]
fn ensure_verifier<T>(t: T) -> T
where where
T: signature::Verifier<rsa::pkcs1v15::Signature>, H: RsaHashIdentifier,
{ {
t fn from(key: RsaPublicKey) -> Self {
let inner = rsa::pkcs1v15::VerifyingKey::new_with_hash(key, H::HASH);
Self {
inner,
hash: PhantomData::default(),
}
}
} }
impl<H> signature::Verifier<rsa::pkcs1v15::Signature> for VerifyingKey<H> impl<H> signature::Verifier<rsa::pkcs1v15::Signature> for VerifyingKey<H>
@@ -84,42 +80,17 @@ pub(crate) mod pkcs1v15 {
hash: PhantomData<H>, hash: PhantomData<H>,
} }
impl From<RsaPrivateKey> for SigningKey<Sha256> { impl<H> From<RsaPrivateKey> for SigningKey<H>
fn from(key: RsaPrivateKey) -> Self {
let inner = rsa::pkcs1v15::SigningKey::new_with_hash(key, rsa::Hash::SHA2_256);
ensure_signer(Self {
inner,
hash: PhantomData::default(),
})
}
}
impl From<RsaPrivateKey> for SigningKey<Sha384> {
fn from(key: RsaPrivateKey) -> Self {
let inner = rsa::pkcs1v15::SigningKey::new_with_hash(key, rsa::Hash::SHA2_384);
ensure_signer(Self {
inner,
hash: PhantomData::default(),
})
}
}
impl From<RsaPrivateKey> for SigningKey<Sha512> {
fn from(key: RsaPrivateKey) -> Self {
let inner = rsa::pkcs1v15::SigningKey::new_with_hash(key, rsa::Hash::SHA2_512);
ensure_signer(Self {
inner,
hash: PhantomData::default(),
})
}
}
#[inline]
fn ensure_signer<T>(t: T) -> T
where where
T: signature::Signer<rsa::pkcs1v15::Signature>, H: RsaHashIdentifier,
{ {
t fn from(key: RsaPrivateKey) -> Self {
let inner = rsa::pkcs1v15::SigningKey::new_with_hash(key, H::HASH);
Self {
inner,
hash: PhantomData::default(),
}
}
} }
impl<H> signature::Signer<rsa::pkcs1v15::Signature> for SigningKey<H> impl<H> signature::Signer<rsa::pkcs1v15::Signature> for SigningKey<H>
@@ -136,10 +107,9 @@ pub(crate) mod pkcs1v15 {
pub(crate) mod pss { pub(crate) mod pss {
use std::marker::PhantomData; use std::marker::PhantomData;
use digest::Digest; use digest::{Digest, DynDigest};
use rand::thread_rng; use rand::thread_rng;
use rsa::{RsaPrivateKey, RsaPublicKey}; use rsa::{RsaPrivateKey, RsaPublicKey};
use sha2::{Sha256, Sha384, Sha512};
use signature::RandomizedSigner; use signature::RandomizedSigner;
pub struct VerifyingKey<H> { pub struct VerifyingKey<H> {
@@ -147,42 +117,17 @@ pub(crate) mod pss {
hash: PhantomData<H>, hash: PhantomData<H>,
} }
impl From<RsaPublicKey> for VerifyingKey<Sha256> { impl<H> From<RsaPublicKey> for VerifyingKey<H>
fn from(key: RsaPublicKey) -> Self {
let inner = rsa::pss::VerifyingKey::new(key, Box::new(Sha256::new()));
ensure_verifier(Self {
inner,
hash: PhantomData::default(),
})
}
}
impl From<RsaPublicKey> for VerifyingKey<Sha384> {
fn from(key: RsaPublicKey) -> Self {
let inner = rsa::pss::VerifyingKey::new(key, Box::new(Sha384::new()));
ensure_verifier(Self {
inner,
hash: PhantomData::default(),
})
}
}
impl From<RsaPublicKey> for VerifyingKey<Sha512> {
fn from(key: RsaPublicKey) -> Self {
let inner = rsa::pss::VerifyingKey::new(key, Box::new(Sha512::new()));
ensure_verifier(Self {
inner,
hash: PhantomData::default(),
})
}
}
#[inline]
fn ensure_verifier<T>(t: T) -> T
where where
T: signature::Verifier<rsa::pss::Signature>, H: DynDigest + Default + 'static,
{ {
t fn from(key: RsaPublicKey) -> Self {
let inner = rsa::pss::VerifyingKey::new(key, Box::new(H::default()));
Self {
inner,
hash: PhantomData::default(),
}
}
} }
impl<H> signature::Verifier<rsa::pss::Signature> for VerifyingKey<H> impl<H> signature::Verifier<rsa::pss::Signature> for VerifyingKey<H>
@@ -204,42 +149,17 @@ pub(crate) mod pss {
hash: PhantomData<H>, hash: PhantomData<H>,
} }
impl From<RsaPrivateKey> for SigningKey<Sha256> { impl<H> From<RsaPrivateKey> for SigningKey<H>
fn from(key: RsaPrivateKey) -> Self {
let inner = rsa::pss::SigningKey::new(key, Box::new(Sha256::new()));
ensure_signer(Self {
inner,
hash: PhantomData::default(),
})
}
}
impl From<RsaPrivateKey> for SigningKey<Sha384> {
fn from(key: RsaPrivateKey) -> Self {
let inner = rsa::pss::SigningKey::new(key, Box::new(Sha384::new()));
ensure_signer(Self {
inner,
hash: PhantomData::default(),
})
}
}
impl From<RsaPrivateKey> for SigningKey<Sha512> {
fn from(key: RsaPrivateKey) -> Self {
let inner = rsa::pss::SigningKey::new(key, Box::new(Sha512::new()));
ensure_signer(Self {
inner,
hash: PhantomData::default(),
})
}
}
#[inline]
fn ensure_signer<T>(t: T) -> T
where where
T: signature::Signer<rsa::pss::Signature>, H: DynDigest + Default + 'static,
{ {
t fn from(key: RsaPrivateKey) -> Self {
let inner = rsa::pss::SigningKey::new(key, Box::new(H::default()));
Self {
inner,
hash: PhantomData::default(),
}
}
} }
impl<H> signature::Signer<rsa::pss::Signature> for SigningKey<H> impl<H> signature::Signer<rsa::pss::Signature> for SigningKey<H>

4
crates/jose/src/jwk/mod.rs
View File

@@ -33,7 +33,9 @@ pub(crate) mod private_parameters;
pub(crate) mod public_parameters; pub(crate) mod public_parameters;
use self::private_parameters::SymetricKeyError; use self::private_parameters::SymetricKeyError;
pub use self::public_parameters::JsonWebKeyPublicParameters as JsonWebKeyParameters; pub use self::{
private_parameters::JsonWebKeyPrivateParameters, public_parameters::JsonWebKeyPublicParameters,
};
pub trait ParametersInfo { pub trait ParametersInfo {
fn kty(&self) -> JsonWebKeyType; fn kty(&self) -> JsonWebKeyType;

44
crates/jose/src/jwk/private_parameters.rs
View File

@@ -194,9 +194,53 @@ struct RsaOtherPrimeInfo {
} }
mod rsa_impls { mod rsa_impls {
use digest::DynDigest;
use rsa::{BigUint, RsaPrivateKey}; use rsa::{BigUint, RsaPrivateKey};
use super::RsaPrivateParameters; use super::RsaPrivateParameters;
use crate::jwa::rsa::RsaHashIdentifier;
impl<H> TryFrom<RsaPrivateParameters> for crate::jwa::rsa::pkcs1v15::SigningKey<H>
where
H: RsaHashIdentifier,
{
type Error = rsa::errors::Error;
fn try_from(value: RsaPrivateParameters) -> Result<Self, Self::Error> {
Self::try_from(&value)
}
}
impl<H> TryFrom<&RsaPrivateParameters> for crate::jwa::rsa::pkcs1v15::SigningKey<H>
where
H: RsaHashIdentifier,
{
type Error = rsa::errors::Error;
fn try_from(value: &RsaPrivateParameters) -> Result<Self, Self::Error> {
let key: RsaPrivateKey = value.try_into()?;
Ok(Self::from(key))
}
}
impl<H> TryFrom<RsaPrivateParameters> for crate::jwa::rsa::pss::SigningKey<H>
where
H: DynDigest + Default + 'static,
{
type Error = rsa::errors::Error;
fn try_from(value: RsaPrivateParameters) -> Result<Self, Self::Error> {
Self::try_from(&value)
}
}
impl<H> TryFrom<&RsaPrivateParameters> for crate::jwa::rsa::pss::SigningKey<H>
where
H: DynDigest + Default + 'static,
{
type Error = rsa::errors::Error;
fn try_from(value: &RsaPrivateParameters) -> Result<Self, Self::Error> {
let key: RsaPrivateKey = value.try_into()?;
Ok(Self::from(key))
}
}
impl TryFrom<RsaPrivateParameters> for RsaPrivateKey { impl TryFrom<RsaPrivateParameters> for RsaPrivateKey {
type Error = rsa::errors::Error; type Error = rsa::errors::Error;

44
crates/jose/src/jwk/public_parameters.rs
View File

@@ -162,9 +162,53 @@ impl OkpPublicParameters {
} }
mod rsa_impls { mod rsa_impls {
use digest::DynDigest;
use rsa::{BigUint, RsaPublicKey}; use rsa::{BigUint, RsaPublicKey};
use super::RsaPublicParameters; use super::RsaPublicParameters;
use crate::jwa::rsa::RsaHashIdentifier;
impl<H> TryFrom<RsaPublicParameters> for crate::jwa::rsa::pkcs1v15::VerifyingKey<H>
where
H: RsaHashIdentifier,
{
type Error = rsa::errors::Error;
fn try_from(value: RsaPublicParameters) -> Result<Self, Self::Error> {
Self::try_from(&value)
}
}
impl<H> TryFrom<&RsaPublicParameters> for crate::jwa::rsa::pkcs1v15::VerifyingKey<H>
where
H: RsaHashIdentifier,
{
type Error = rsa::errors::Error;
fn try_from(value: &RsaPublicParameters) -> Result<Self, Self::Error> {
let key: RsaPublicKey = value.try_into()?;
Ok(Self::from(key))
}
}
impl<H> TryFrom<RsaPublicParameters> for crate::jwa::rsa::pss::VerifyingKey<H>
where
H: DynDigest + Default + 'static,
{
type Error = rsa::errors::Error;
fn try_from(value: RsaPublicParameters) -> Result<Self, Self::Error> {
Self::try_from(&value)
}
}
impl<H> TryFrom<&RsaPublicParameters> for crate::jwa::rsa::pss::VerifyingKey<H>
where
H: DynDigest + Default + 'static,
{
type Error = rsa::errors::Error;
fn try_from(value: &RsaPublicParameters) -> Result<Self, Self::Error> {
let key: RsaPublicKey = value.try_into()?;
Ok(Self::from(key))
}
}
impl TryFrom<RsaPublicParameters> for RsaPublicKey { impl TryFrom<RsaPublicParameters> for RsaPublicKey {
type Error = rsa::errors::Error; type Error = rsa::errors::Error;

3
crates/jose/src/lib.rs
View File

@@ -19,11 +19,10 @@
pub mod claims; pub mod claims;
pub mod constraints; pub mod constraints;
pub mod hmac; pub(crate) mod jwa;
pub mod jwk; pub mod jwk;
pub(crate) mod jwt; pub(crate) mod jwt;
mod keystore; mod keystore;
pub(crate) mod rsa;
pub mod signer; pub mod signer;
pub mod verifier; pub mod verifier;

105
crates/jose/src/signer.rs
View File

@@ -13,49 +13,27 @@
// limitations under the License. // limitations under the License.
use mas_iana::jose::{JsonWebKeyEcEllipticCurve, JsonWebSignatureAlg}; use mas_iana::jose::{JsonWebKeyEcEllipticCurve, JsonWebSignatureAlg};
use sha2::{Sha256, Sha384, Sha512};
use signature::Signature; use signature::Signature;
use thiserror::Error; use thiserror::Error;
use crate::jwk::private_parameters::{EcPrivateParameters, JsonWebKeyPrivateParameters}; use crate::{
jwa,
jwk::private_parameters::{EcPrivateParameters, JsonWebKeyPrivateParameters},
};
pub enum Signer { pub enum Signer {
Hs256 { Hs256 { key: jwa::Hs256Key },
key: crate::hmac::Hmac<Sha256>, Hs384 { key: jwa::Hs384Key },
}, Hs512 { key: jwa::Hs512Key },
Hs384 { Rs256 { key: jwa::Rs256SigningKey },
key: crate::hmac::Hmac<Sha384>, Rs384 { key: jwa::Rs384SigningKey },
}, Rs512 { key: jwa::Rs512SigningKey },
Hs512 { Ps256 { key: jwa::Ps256SigningKey },
key: crate::hmac::Hmac<Sha512>, Ps384 { key: jwa::Ps384SigningKey },
}, Ps512 { key: jwa::Ps512SigningKey },
Rs256 { Es256 { key: jwa::Es256SigningKey },
key: crate::rsa::pkcs1v15::SigningKey<Sha256>, Es384 { key: jwa::Es384SigningKey },
}, Es256K { key: jwa::Es256KSigningKey },
Rs384 {
key: crate::rsa::pkcs1v15::SigningKey<Sha384>,
},
Rs512 {
key: crate::rsa::pkcs1v15::SigningKey<Sha512>,
},
Ps256 {
key: crate::rsa::pss::SigningKey<Sha256>,
},
Ps384 {
key: crate::rsa::pss::SigningKey<Sha384>,
},
Ps512 {
key: crate::rsa::pss::SigningKey<Sha512>,
},
Es256 {
key: ecdsa::SigningKey<p256::NistP256>,
},
Es384 {
key: ecdsa::SigningKey<p384::NistP384>,
},
Es256K {
key: ecdsa::SigningKey<k256::Secp256k1>,
},
} }
#[derive(Debug, Error)] #[derive(Debug, Error)]
@@ -104,33 +82,39 @@ impl Signer {
) -> Result<Self, SignerFromJwkError> { ) -> Result<Self, SignerFromJwkError> {
match (key, alg) { match (key, alg) {
(JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Rs256) => { (JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Rs256) => {
let key: rsa::RsaPrivateKey = params.try_into()?; Ok(Self::Rs256 {
Ok(Self::Rs256 { key: key.into() }) key: params.try_into()?,
})
} }
(JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Rs384) => { (JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Rs384) => {
let key: rsa::RsaPrivateKey = params.try_into()?; Ok(Self::Rs384 {
Ok(Self::Rs384 { key: key.into() }) key: params.try_into()?,
})
} }
(JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Rs512) => { (JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Rs512) => {
let key: rsa::RsaPrivateKey = params.try_into()?; Ok(Self::Rs512 {
Ok(Self::Rs512 { key: key.into() }) key: params.try_into()?,
})
} }
(JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Ps256) => { (JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Ps256) => {
let key: rsa::RsaPrivateKey = params.try_into()?; Ok(Self::Ps256 {
Ok(Self::Ps256 { key: key.into() }) key: params.try_into()?,
})
} }
(JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Ps384) => { (JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Ps384) => {
let key: rsa::RsaPrivateKey = params.try_into()?; Ok(Self::Ps384 {
Ok(Self::Ps384 { key: key.into() }) key: params.try_into()?,
})
} }
(JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Ps512) => { (JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Ps512) => {
let key: rsa::RsaPrivateKey = params.try_into()?; Ok(Self::Ps512 {
Ok(Self::Ps512 { key: key.into() }) key: params.try_into()?,
})
} }
( (
@@ -141,10 +125,9 @@ impl Signer {
}, },
), ),
JsonWebSignatureAlg::Es256, JsonWebSignatureAlg::Es256,
) => { ) => Ok(Self::Es256 {
let key = ecdsa::SigningKey::try_from(params)?; key: params.try_into()?,
Ok(Self::Es256 { key }) }),
}
( (
JsonWebKeyPrivateParameters::Ec( JsonWebKeyPrivateParameters::Ec(
@@ -154,10 +137,9 @@ impl Signer {
}, },
), ),
JsonWebSignatureAlg::Es384, JsonWebSignatureAlg::Es384,
) => { ) => Ok(Self::Es384 {
let key = ecdsa::SigningKey::try_from(params)?; key: params.try_into()?,
Ok(Self::Es384 { key }) }),
}
( (
JsonWebKeyPrivateParameters::Ec(EcPrivateParameters { JsonWebKeyPrivateParameters::Ec(EcPrivateParameters {
@@ -177,10 +159,9 @@ impl Signer {
}, },
), ),
JsonWebSignatureAlg::Es256K, JsonWebSignatureAlg::Es256K,
) => { ) => Ok(Self::Es256K {
let key = ecdsa::SigningKey::try_from(params)?; key: params.try_into()?,
Ok(Self::Es256K { key }) }),
}
(JsonWebKeyPrivateParameters::Okp(_params), JsonWebSignatureAlg::EdDsa) => { (JsonWebKeyPrivateParameters::Okp(_params), JsonWebSignatureAlg::EdDsa) => {
Err(SignerFromJwkError::UnsupportedAlgorithm { Err(SignerFromJwkError::UnsupportedAlgorithm {

153
crates/jose/src/verifier.rs
View File

@@ -13,49 +13,27 @@
// limitations under the License. // limitations under the License.
use mas_iana::jose::{JsonWebKeyEcEllipticCurve, JsonWebSignatureAlg}; use mas_iana::jose::{JsonWebKeyEcEllipticCurve, JsonWebSignatureAlg};
use sha2::{Sha256, Sha384, Sha512};
use signature::Signature; use signature::Signature;
use thiserror::Error; use thiserror::Error;
use crate::jwk::{public_parameters::EcPublicParameters, JsonWebKeyParameters}; use crate::{
jwa,
jwk::{public_parameters::EcPublicParameters, JsonWebKeyPublicParameters},
};
pub enum Verifier { pub enum Verifier {
Hs256 { Hs256 { key: jwa::Hs256Key },
key: crate::hmac::Hmac<Sha256>, Hs384 { key: jwa::Hs384Key },
}, Hs512 { key: jwa::Hs512Key },
Hs384 { Rs256 { key: jwa::Rs256VerifyingKey },
key: crate::hmac::Hmac<Sha384>, Rs384 { key: jwa::Rs384VerifyingKey },
}, Rs512 { key: jwa::Rs512VerifyingKey },
Hs512 { Ps256 { key: jwa::Ps256VerifyingKey },
key: crate::hmac::Hmac<Sha512>, Ps384 { key: jwa::Ps384VerifyingKey },
}, Ps512 { key: jwa::Ps512VerifyingKey },
Rs256 { Es256 { key: jwa::Es256VerifyingKey },
key: crate::rsa::pkcs1v15::VerifyingKey<Sha256>, Es384 { key: jwa::Es384VerifyingKey },
}, Es256K { key: jwa::Es256KVerifyingKey },
Rs384 {
key: crate::rsa::pkcs1v15::VerifyingKey<Sha384>,
},
Rs512 {
key: crate::rsa::pkcs1v15::VerifyingKey<Sha512>,
},
Ps256 {
key: crate::rsa::pss::VerifyingKey<Sha256>,
},
Ps384 {
key: crate::rsa::pss::VerifyingKey<Sha384>,
},
Ps512 {
key: crate::rsa::pss::VerifyingKey<Sha512>,
},
Es256 {
key: ecdsa::VerifyingKey<p256::NistP256>,
},
Es384 {
key: ecdsa::VerifyingKey<p384::NistP384>,
},
Es256K {
key: ecdsa::VerifyingKey<k256::Secp256k1>,
},
} }
#[derive(Debug, Error)] #[derive(Debug, Error)]
@@ -99,68 +77,72 @@ impl Verifier {
} }
pub fn for_jwk_and_alg( pub fn for_jwk_and_alg(
key: &JsonWebKeyParameters, key: &JsonWebKeyPublicParameters,
alg: JsonWebSignatureAlg, alg: JsonWebSignatureAlg,
) -> Result<Self, VerifierFromJwkError> { ) -> Result<Self, VerifierFromJwkError> {
match (key, alg) { match (key, alg) {
(JsonWebKeyParameters::Rsa(params), JsonWebSignatureAlg::Rs256) => { (JsonWebKeyPublicParameters::Rsa(params), JsonWebSignatureAlg::Rs256) => {
let key = rsa::RsaPublicKey::try_from(params)?; Ok(Self::Rs256 {
Ok(Self::Rs256 { key: key.into() }) key: params.try_into()?,
})
} }
(JsonWebKeyParameters::Rsa(params), JsonWebSignatureAlg::Rs384) => { (JsonWebKeyPublicParameters::Rsa(params), JsonWebSignatureAlg::Rs384) => {
let key = rsa::RsaPublicKey::try_from(params)?; Ok(Self::Rs384 {
Ok(Self::Rs384 { key: key.into() }) key: params.try_into()?,
})
} }
(JsonWebKeyParameters::Rsa(params), JsonWebSignatureAlg::Rs512) => { (JsonWebKeyPublicParameters::Rsa(params), JsonWebSignatureAlg::Rs512) => {
let key = rsa::RsaPublicKey::try_from(params)?; Ok(Self::Rs512 {
Ok(Self::Rs512 { key: key.into() }) key: params.try_into()?,
})
} }
(JsonWebKeyParameters::Rsa(params), JsonWebSignatureAlg::Ps256) => { (JsonWebKeyPublicParameters::Rsa(params), JsonWebSignatureAlg::Ps256) => {
let key = rsa::RsaPublicKey::try_from(params)?; Ok(Self::Ps256 {
Ok(Self::Ps256 { key: key.into() }) key: params.try_into()?,
})
} }
(JsonWebKeyParameters::Rsa(params), JsonWebSignatureAlg::Ps384) => { (JsonWebKeyPublicParameters::Rsa(params), JsonWebSignatureAlg::Ps384) => {
let key = rsa::RsaPublicKey::try_from(params)?; Ok(Self::Ps384 {
Ok(Self::Ps384 { key: key.into() }) key: params.try_into()?,
})
} }
(JsonWebKeyParameters::Rsa(params), JsonWebSignatureAlg::Ps512) => { (JsonWebKeyPublicParameters::Rsa(params), JsonWebSignatureAlg::Ps512) => {
let key = rsa::RsaPublicKey::try_from(params)?; Ok(Self::Ps512 {
Ok(Self::Ps512 { key: key.into() }) key: params.try_into()?,
})
} }
( (
JsonWebKeyParameters::Ec( JsonWebKeyPublicParameters::Ec(
params @ EcPublicParameters { params @ EcPublicParameters {
crv: JsonWebKeyEcEllipticCurve::P256, crv: JsonWebKeyEcEllipticCurve::P256,
.. ..
}, },
), ),
JsonWebSignatureAlg::Es256, JsonWebSignatureAlg::Es256,
) => { ) => Ok(Self::Es256 {
let key = ecdsa::VerifyingKey::try_from(params)?; key: params.try_into()?,
Ok(Self::Es256 { key }) }),
}
( (
JsonWebKeyParameters::Ec( JsonWebKeyPublicParameters::Ec(
params @ EcPublicParameters { params @ EcPublicParameters {
crv: JsonWebKeyEcEllipticCurve::P384, crv: JsonWebKeyEcEllipticCurve::P384,
.. ..
}, },
), ),
JsonWebSignatureAlg::Es384, JsonWebSignatureAlg::Es384,
) => { ) => Ok(Self::Es384 {
let key = ecdsa::VerifyingKey::try_from(params)?; key: params.try_into()?,
Ok(Self::Es384 { key }) }),
}
( (
JsonWebKeyParameters::Ec(EcPublicParameters { JsonWebKeyPublicParameters::Ec(EcPublicParameters {
crv: JsonWebKeyEcEllipticCurve::P521, crv: JsonWebKeyEcEllipticCurve::P521,
.. ..
}), }),
@@ -170,19 +152,18 @@ impl Verifier {
}), }),
( (
JsonWebKeyParameters::Ec( JsonWebKeyPublicParameters::Ec(
params @ EcPublicParameters { params @ EcPublicParameters {
crv: JsonWebKeyEcEllipticCurve::Secp256K1, crv: JsonWebKeyEcEllipticCurve::Secp256K1,
.. ..
}, },
), ),
JsonWebSignatureAlg::Es256K, JsonWebSignatureAlg::Es256K,
) => { ) => Ok(Self::Es256K {
let key = ecdsa::VerifyingKey::try_from(params)?; key: params.try_into()?,
Ok(Self::Es256K { key }) }),
}
(JsonWebKeyParameters::Okp(_params), JsonWebSignatureAlg::EdDsa) => { (JsonWebKeyPublicParameters::Okp(_params), JsonWebSignatureAlg::EdDsa) => {
Err(VerifierFromJwkError::UnsupportedAlgorithm { Err(VerifierFromJwkError::UnsupportedAlgorithm {
algorithm: JsonWebSignatureAlg::EdDsa, algorithm: JsonWebSignatureAlg::EdDsa,
}) })
@@ -216,62 +197,62 @@ impl signature::Verifier<GenericSignature> for Verifier {
fn verify(&self, msg: &[u8], signature: &GenericSignature) -> Result<(), signature::Error> { fn verify(&self, msg: &[u8], signature: &GenericSignature) -> Result<(), signature::Error> {
match self { match self {
Verifier::Hs256 { key } => { Verifier::Hs256 { key } => {
let signature = crate::hmac::Signature::from_bytes(signature.as_bytes())?; let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?; key.verify(msg, &signature)?;
Ok(()) Ok(())
} }
Verifier::Hs384 { key } => { Verifier::Hs384 { key } => {
let signature = crate::hmac::Signature::from_bytes(signature.as_bytes())?; let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?; key.verify(msg, &signature)?;
Ok(()) Ok(())
} }
Verifier::Hs512 { key } => { Verifier::Hs512 { key } => {
let signature = crate::hmac::Signature::from_bytes(signature.as_bytes())?; let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?; key.verify(msg, &signature)?;
Ok(()) Ok(())
} }
Verifier::Rs256 { key } => { Verifier::Rs256 { key } => {
let signature = rsa::pkcs1v15::Signature::from_bytes(signature.as_bytes())?; let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?; key.verify(msg, &signature)?;
Ok(()) Ok(())
} }
Verifier::Rs384 { key } => { Verifier::Rs384 { key } => {
let signature = rsa::pkcs1v15::Signature::from_bytes(signature.as_bytes())?; let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?; key.verify(msg, &signature)?;
Ok(()) Ok(())
} }
Verifier::Rs512 { key } => { Verifier::Rs512 { key } => {
let signature = rsa::pkcs1v15::Signature::from_bytes(signature.as_bytes())?; let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?; key.verify(msg, &signature)?;
Ok(()) Ok(())
} }
Verifier::Ps256 { key } => { Verifier::Ps256 { key } => {
let signature = rsa::pss::Signature::from_bytes(signature.as_bytes())?; let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?; key.verify(msg, &signature)?;
Ok(()) Ok(())
} }
Verifier::Ps384 { key } => { Verifier::Ps384 { key } => {
let signature = rsa::pss::Signature::from_bytes(signature.as_bytes())?; let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?; key.verify(msg, &signature)?;
Ok(()) Ok(())
} }
Verifier::Ps512 { key } => { Verifier::Ps512 { key } => {
let signature = rsa::pss::Signature::from_bytes(signature.as_bytes())?; let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?; key.verify(msg, &signature)?;
Ok(()) Ok(())
} }
Verifier::Es256 { key } => { Verifier::Es256 { key } => {
let signature = ecdsa::Signature::from_bytes(signature.as_bytes())?; let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?; key.verify(msg, &signature)?;
Ok(()) Ok(())
} }
Verifier::Es384 { key } => { Verifier::Es384 { key } => {
let signature = ecdsa::Signature::from_bytes(signature.as_bytes())?; let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?; key.verify(msg, &signature)?;
Ok(()) Ok(())
} }
Verifier::Es256K { key } => { Verifier::Es256K { key } => {
let signature = ecdsa::Signature::from_bytes(signature.as_bytes())?; let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?; key.verify(msg, &signature)?;
Ok(()) Ok(())
} }

9
crates/jose/tests/jws.rs
View File

@@ -170,10 +170,11 @@ macro_rules! symetric_jwt_test {
#[test] #[test]
fn verify_jwt() { fn verify_jwt() {
let jwt: Jwt<'_, Payload> = Jwt::try_from($jwt).unwrap(); let jwt: Jwt<'_, Payload> = Jwt::try_from($jwt).unwrap();
let verifier = let verifier = mas_jose::verifier::Verifier::for_oct_and_alg(
mas_jose::verifier::Verifier::for_oct_and_alg(oct_key(), jwt.header().alg()) oct_key(),
.unwrap(); JsonWebSignatureAlg::$alg,
assert_eq!(jwt.payload().hello, "world"); )
.unwrap();
jwt.verify(&verifier).unwrap(); jwt.verify(&verifier).unwrap();
} }