matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-08-09 04:22:45 +03:00
Code Activity

Reorganise algorithms under the jwa module

Browse Source
This commit is contained in:
Quentin Gliech
2022-08-29 16:41:57 +02:00
parent 945719a5a1
commit 84c793dae0
10 changed files with 309 additions and 294 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
crates/jose/src/hmac.rs → crates/jose/src/jwa/hmac.rs
View File

43
crates/jose/src/jwa/mod.rs Normal file
View File

@@ -0,0 +1,43 @@
// Copyright 2022 The Matrix.org Foundation C.I.C.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
use sha2::{Sha256, Sha384, Sha512};
pub(crate) mod hmac;
pub(crate) mod rsa;
pub type Hs256Key = self::hmac::Hmac<Sha256>;
pub type Hs384Key = self::hmac::Hmac<Sha384>;
pub type Hs512Key = self::hmac::Hmac<Sha512>;
pub type Rs256SigningKey = self::rsa::pkcs1v15::SigningKey<Sha256>;
pub type Rs256VerifyingKey = self::rsa::pkcs1v15::VerifyingKey<Sha256>;
pub type Rs384SigningKey = self::rsa::pkcs1v15::SigningKey<Sha384>;
pub type Rs384VerifyingKey = self::rsa::pkcs1v15::VerifyingKey<Sha384>;
pub type Rs512SigningKey = self::rsa::pkcs1v15::SigningKey<Sha512>;
pub type Rs512VerifyingKey = self::rsa::pkcs1v15::VerifyingKey<Sha512>;
pub type Ps256SigningKey = self::rsa::pss::SigningKey<Sha256>;
pub type Ps256VerifyingKey = self::rsa::pss::VerifyingKey<Sha256>;
pub type Ps384SigningKey = self::rsa::pss::SigningKey<Sha384>;
pub type Ps384VerifyingKey = self::rsa::pss::VerifyingKey<Sha384>;
pub type Ps512SigningKey = self::rsa::pss::SigningKey<Sha512>;
pub type Ps512VerifyingKey = self::rsa::pss::VerifyingKey<Sha512>;
pub type Es256SigningKey = ecdsa::SigningKey<p256::NistP256>;
pub type Es256VerifyingKey = ecdsa::VerifyingKey<p256::NistP256>;
pub type Es384SigningKey = ecdsa::SigningKey<p384::NistP384>;
pub type Es384VerifyingKey = ecdsa::VerifyingKey<p384::NistP384>;
pub type Es256KSigningKey = ecdsa::SigningKey<k256::Secp256k1>;
pub type Es256KVerifyingKey = ecdsa::VerifyingKey<k256::Secp256k1>;

198
crates/jose/src/rsa.rs → crates/jose/src/jwa/rsa.rs
View File

@@ -15,54 +15,50 @@
// This is a temporary wrapper until the RSA crate actually hashes the input
// See <https://github.com/RustCrypto/RSA/pull/174#issuecomment-1227330296>
pub trait RsaHashIdentifier {
const HASH: rsa::Hash;
}
impl RsaHashIdentifier for sha2::Sha224 {
const HASH: rsa::Hash = rsa::Hash::SHA2_224;
}
impl RsaHashIdentifier for sha2::Sha256 {
const HASH: rsa::Hash = rsa::Hash::SHA2_256;
}
impl RsaHashIdentifier for sha2::Sha384 {
const HASH: rsa::Hash = rsa::Hash::SHA2_384;
}
impl RsaHashIdentifier for sha2::Sha512 {
const HASH: rsa::Hash = rsa::Hash::SHA2_512;
}
pub(crate) mod pkcs1v15 {
use std::marker::PhantomData;
use digest::Digest;
use rsa::{RsaPrivateKey, RsaPublicKey};
use sha2::{Sha256, Sha384, Sha512};
use super::RsaHashIdentifier;
pub struct VerifyingKey<H> {
inner: rsa::pkcs1v15::VerifyingKey,
hash: PhantomData<H>,
}
impl From<RsaPublicKey> for VerifyingKey<Sha256> {
fn from(key: RsaPublicKey) -> Self {
let inner = rsa::pkcs1v15::VerifyingKey::new_with_hash(key, rsa::Hash::SHA2_256);
ensure_verifier(Self {
inner,
hash: PhantomData::default(),
})
}
}
impl From<RsaPublicKey> for VerifyingKey<Sha384> {
fn from(key: RsaPublicKey) -> Self {
let inner = rsa::pkcs1v15::VerifyingKey::new_with_hash(key, rsa::Hash::SHA2_384);
ensure_verifier(Self {
inner,
hash: PhantomData::default(),
})
}
}
impl From<RsaPublicKey> for VerifyingKey<Sha512> {
fn from(key: RsaPublicKey) -> Self {
let inner = rsa::pkcs1v15::VerifyingKey::new_with_hash(key, rsa::Hash::SHA2_512);
ensure_verifier(Self {
inner,
hash: PhantomData::default(),
})
}
}
#[inline]
fn ensure_verifier<T>(t: T) -> T
impl<H> From<RsaPublicKey> for VerifyingKey<H>
where
T: signature::Verifier<rsa::pkcs1v15::Signature>,
H: RsaHashIdentifier,
{
t
fn from(key: RsaPublicKey) -> Self {
let inner = rsa::pkcs1v15::VerifyingKey::new_with_hash(key, H::HASH);
Self {
inner,
hash: PhantomData::default(),
}
}
}
impl<H> signature::Verifier<rsa::pkcs1v15::Signature> for VerifyingKey<H>
@@ -84,42 +80,17 @@ pub(crate) mod pkcs1v15 {
hash: PhantomData<H>,
}
impl From<RsaPrivateKey> for SigningKey<Sha256> {
fn from(key: RsaPrivateKey) -> Self {
let inner = rsa::pkcs1v15::SigningKey::new_with_hash(key, rsa::Hash::SHA2_256);
ensure_signer(Self {
inner,
hash: PhantomData::default(),
})
}
}
impl From<RsaPrivateKey> for SigningKey<Sha384> {
fn from(key: RsaPrivateKey) -> Self {
let inner = rsa::pkcs1v15::SigningKey::new_with_hash(key, rsa::Hash::SHA2_384);
ensure_signer(Self {
inner,
hash: PhantomData::default(),
})
}
}
impl From<RsaPrivateKey> for SigningKey<Sha512> {
fn from(key: RsaPrivateKey) -> Self {
let inner = rsa::pkcs1v15::SigningKey::new_with_hash(key, rsa::Hash::SHA2_512);
ensure_signer(Self {
inner,
hash: PhantomData::default(),
})
}
}
#[inline]
fn ensure_signer<T>(t: T) -> T
impl<H> From<RsaPrivateKey> for SigningKey<H>
where
T: signature::Signer<rsa::pkcs1v15::Signature>,
H: RsaHashIdentifier,
{
t
fn from(key: RsaPrivateKey) -> Self {
let inner = rsa::pkcs1v15::SigningKey::new_with_hash(key, H::HASH);
Self {
inner,
hash: PhantomData::default(),
}
}
}
impl<H> signature::Signer<rsa::pkcs1v15::Signature> for SigningKey<H>
@@ -136,10 +107,9 @@ pub(crate) mod pkcs1v15 {
pub(crate) mod pss {
use std::marker::PhantomData;
use digest::Digest;
use digest::{Digest, DynDigest};
use rand::thread_rng;
use rsa::{RsaPrivateKey, RsaPublicKey};
use sha2::{Sha256, Sha384, Sha512};
use signature::RandomizedSigner;
pub struct VerifyingKey<H> {
@@ -147,42 +117,17 @@ pub(crate) mod pss {
hash: PhantomData<H>,
}
impl From<RsaPublicKey> for VerifyingKey<Sha256> {
fn from(key: RsaPublicKey) -> Self {
let inner = rsa::pss::VerifyingKey::new(key, Box::new(Sha256::new()));
ensure_verifier(Self {
inner,
hash: PhantomData::default(),
})
}
}
impl From<RsaPublicKey> for VerifyingKey<Sha384> {
fn from(key: RsaPublicKey) -> Self {
let inner = rsa::pss::VerifyingKey::new(key, Box::new(Sha384::new()));
ensure_verifier(Self {
inner,
hash: PhantomData::default(),
})
}
}
impl From<RsaPublicKey> for VerifyingKey<Sha512> {
fn from(key: RsaPublicKey) -> Self {
let inner = rsa::pss::VerifyingKey::new(key, Box::new(Sha512::new()));
ensure_verifier(Self {
inner,
hash: PhantomData::default(),
})
}
}
#[inline]
fn ensure_verifier<T>(t: T) -> T
impl<H> From<RsaPublicKey> for VerifyingKey<H>
where
T: signature::Verifier<rsa::pss::Signature>,
H: DynDigest + Default + 'static,
{
t
fn from(key: RsaPublicKey) -> Self {
let inner = rsa::pss::VerifyingKey::new(key, Box::new(H::default()));
Self {
inner,
hash: PhantomData::default(),
}
}
}
impl<H> signature::Verifier<rsa::pss::Signature> for VerifyingKey<H>
@@ -204,42 +149,17 @@ pub(crate) mod pss {
hash: PhantomData<H>,
}
impl From<RsaPrivateKey> for SigningKey<Sha256> {
fn from(key: RsaPrivateKey) -> Self {
let inner = rsa::pss::SigningKey::new(key, Box::new(Sha256::new()));
ensure_signer(Self {
inner,
hash: PhantomData::default(),
})
}
}
impl From<RsaPrivateKey> for SigningKey<Sha384> {
fn from(key: RsaPrivateKey) -> Self {
let inner = rsa::pss::SigningKey::new(key, Box::new(Sha384::new()));
ensure_signer(Self {
inner,
hash: PhantomData::default(),
})
}
}
impl From<RsaPrivateKey> for SigningKey<Sha512> {
fn from(key: RsaPrivateKey) -> Self {
let inner = rsa::pss::SigningKey::new(key, Box::new(Sha512::new()));
ensure_signer(Self {
inner,
hash: PhantomData::default(),
})
}
}
#[inline]
fn ensure_signer<T>(t: T) -> T
impl<H> From<RsaPrivateKey> for SigningKey<H>
where
T: signature::Signer<rsa::pss::Signature>,
H: DynDigest + Default + 'static,
{
t
fn from(key: RsaPrivateKey) -> Self {
let inner = rsa::pss::SigningKey::new(key, Box::new(H::default()));
Self {
inner,
hash: PhantomData::default(),
}
}
}
impl<H> signature::Signer<rsa::pss::Signature> for SigningKey<H>

4
crates/jose/src/jwk/mod.rs
View File

@@ -33,7 +33,9 @@ pub(crate) mod private_parameters;
pub(crate) mod public_parameters;
use self::private_parameters::SymetricKeyError;
pub use self::public_parameters::JsonWebKeyPublicParameters as JsonWebKeyParameters;
pub use self::{
private_parameters::JsonWebKeyPrivateParameters, public_parameters::JsonWebKeyPublicParameters,
};
pub trait ParametersInfo {
fn kty(&self) -> JsonWebKeyType;

44
crates/jose/src/jwk/private_parameters.rs
View File

@@ -194,9 +194,53 @@ struct RsaOtherPrimeInfo {
}
mod rsa_impls {
use digest::DynDigest;
use rsa::{BigUint, RsaPrivateKey};
use super::RsaPrivateParameters;
use crate::jwa::rsa::RsaHashIdentifier;
impl<H> TryFrom<RsaPrivateParameters> for crate::jwa::rsa::pkcs1v15::SigningKey<H>
where
H: RsaHashIdentifier,
{
type Error = rsa::errors::Error;
fn try_from(value: RsaPrivateParameters) -> Result<Self, Self::Error> {
Self::try_from(&value)
}
}
impl<H> TryFrom<&RsaPrivateParameters> for crate::jwa::rsa::pkcs1v15::SigningKey<H>
where
H: RsaHashIdentifier,
{
type Error = rsa::errors::Error;
fn try_from(value: &RsaPrivateParameters) -> Result<Self, Self::Error> {
let key: RsaPrivateKey = value.try_into()?;
Ok(Self::from(key))
}
}
impl<H> TryFrom<RsaPrivateParameters> for crate::jwa::rsa::pss::SigningKey<H>
where
H: DynDigest + Default + 'static,
{
type Error = rsa::errors::Error;
fn try_from(value: RsaPrivateParameters) -> Result<Self, Self::Error> {
Self::try_from(&value)
}
}
impl<H> TryFrom<&RsaPrivateParameters> for crate::jwa::rsa::pss::SigningKey<H>
where
H: DynDigest + Default + 'static,
{
type Error = rsa::errors::Error;
fn try_from(value: &RsaPrivateParameters) -> Result<Self, Self::Error> {
let key: RsaPrivateKey = value.try_into()?;
Ok(Self::from(key))
}
}
impl TryFrom<RsaPrivateParameters> for RsaPrivateKey {
type Error = rsa::errors::Error;

44
crates/jose/src/jwk/public_parameters.rs
View File

@@ -162,9 +162,53 @@ impl OkpPublicParameters {
}
mod rsa_impls {
use digest::DynDigest;
use rsa::{BigUint, RsaPublicKey};
use super::RsaPublicParameters;
use crate::jwa::rsa::RsaHashIdentifier;
impl<H> TryFrom<RsaPublicParameters> for crate::jwa::rsa::pkcs1v15::VerifyingKey<H>
where
H: RsaHashIdentifier,
{
type Error = rsa::errors::Error;
fn try_from(value: RsaPublicParameters) -> Result<Self, Self::Error> {
Self::try_from(&value)
}
}
impl<H> TryFrom<&RsaPublicParameters> for crate::jwa::rsa::pkcs1v15::VerifyingKey<H>
where
H: RsaHashIdentifier,
{
type Error = rsa::errors::Error;
fn try_from(value: &RsaPublicParameters) -> Result<Self, Self::Error> {
let key: RsaPublicKey = value.try_into()?;
Ok(Self::from(key))
}
}
impl<H> TryFrom<RsaPublicParameters> for crate::jwa::rsa::pss::VerifyingKey<H>
where
H: DynDigest + Default + 'static,
{
type Error = rsa::errors::Error;
fn try_from(value: RsaPublicParameters) -> Result<Self, Self::Error> {
Self::try_from(&value)
}
}
impl<H> TryFrom<&RsaPublicParameters> for crate::jwa::rsa::pss::VerifyingKey<H>
where
H: DynDigest + Default + 'static,
{
type Error = rsa::errors::Error;
fn try_from(value: &RsaPublicParameters) -> Result<Self, Self::Error> {
let key: RsaPublicKey = value.try_into()?;
Ok(Self::from(key))
}
}
impl TryFrom<RsaPublicParameters> for RsaPublicKey {
type Error = rsa::errors::Error;

3
crates/jose/src/lib.rs
View File

@@ -19,11 +19,10 @@
pub mod claims;
pub mod constraints;
pub mod hmac;
pub(crate) mod jwa;
pub mod jwk;
pub(crate) mod jwt;
mod keystore;
pub(crate) mod rsa;
pub mod signer;
pub mod verifier;

105
crates/jose/src/signer.rs
View File

@@ -13,49 +13,27 @@
// limitations under the License.
use mas_iana::jose::{JsonWebKeyEcEllipticCurve, JsonWebSignatureAlg};
use sha2::{Sha256, Sha384, Sha512};
use signature::Signature;
use thiserror::Error;
use crate::jwk::private_parameters::{EcPrivateParameters, JsonWebKeyPrivateParameters};
use crate::{
jwa,
jwk::private_parameters::{EcPrivateParameters, JsonWebKeyPrivateParameters},
};
pub enum Signer {
Hs256 {
key: crate::hmac::Hmac<Sha256>,
},
Hs384 {
key: crate::hmac::Hmac<Sha384>,
},
Hs512 {
key: crate::hmac::Hmac<Sha512>,
},
Rs256 {
key: crate::rsa::pkcs1v15::SigningKey<Sha256>,
},
Rs384 {
key: crate::rsa::pkcs1v15::SigningKey<Sha384>,
},
Rs512 {
key: crate::rsa::pkcs1v15::SigningKey<Sha512>,
},
Ps256 {
key: crate::rsa::pss::SigningKey<Sha256>,
},
Ps384 {
key: crate::rsa::pss::SigningKey<Sha384>,
},
Ps512 {
key: crate::rsa::pss::SigningKey<Sha512>,
},
Es256 {
key: ecdsa::SigningKey<p256::NistP256>,
},
Es384 {
key: ecdsa::SigningKey<p384::NistP384>,
},
Es256K {
key: ecdsa::SigningKey<k256::Secp256k1>,
},
Hs256 { key: jwa::Hs256Key },
Hs384 { key: jwa::Hs384Key },
Hs512 { key: jwa::Hs512Key },
Rs256 { key: jwa::Rs256SigningKey },
Rs384 { key: jwa::Rs384SigningKey },
Rs512 { key: jwa::Rs512SigningKey },
Ps256 { key: jwa::Ps256SigningKey },
Ps384 { key: jwa::Ps384SigningKey },
Ps512 { key: jwa::Ps512SigningKey },
Es256 { key: jwa::Es256SigningKey },
Es384 { key: jwa::Es384SigningKey },
Es256K { key: jwa::Es256KSigningKey },
}
#[derive(Debug, Error)]
@@ -104,33 +82,39 @@ impl Signer {
) -> Result<Self, SignerFromJwkError> {
match (key, alg) {
(JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Rs256) => {
let key: rsa::RsaPrivateKey = params.try_into()?;
Ok(Self::Rs256 { key: key.into() })
Ok(Self::Rs256 {
key: params.try_into()?,
})
}
(JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Rs384) => {
let key: rsa::RsaPrivateKey = params.try_into()?;
Ok(Self::Rs384 { key: key.into() })
Ok(Self::Rs384 {
key: params.try_into()?,
})
}
(JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Rs512) => {
let key: rsa::RsaPrivateKey = params.try_into()?;
Ok(Self::Rs512 { key: key.into() })
Ok(Self::Rs512 {
key: params.try_into()?,
})
}
(JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Ps256) => {
let key: rsa::RsaPrivateKey = params.try_into()?;
Ok(Self::Ps256 { key: key.into() })
Ok(Self::Ps256 {
key: params.try_into()?,
})
}
(JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Ps384) => {
let key: rsa::RsaPrivateKey = params.try_into()?;
Ok(Self::Ps384 { key: key.into() })
Ok(Self::Ps384 {
key: params.try_into()?,
})
}
(JsonWebKeyPrivateParameters::Rsa(params), JsonWebSignatureAlg::Ps512) => {
let key: rsa::RsaPrivateKey = params.try_into()?;
Ok(Self::Ps512 { key: key.into() })
Ok(Self::Ps512 {
key: params.try_into()?,
})
}
(
@@ -141,10 +125,9 @@ impl Signer {
},
),
JsonWebSignatureAlg::Es256,
) => {
let key = ecdsa::SigningKey::try_from(params)?;
Ok(Self::Es256 { key })
}
) => Ok(Self::Es256 {
key: params.try_into()?,
}),
(
JsonWebKeyPrivateParameters::Ec(
@@ -154,10 +137,9 @@ impl Signer {
},
),
JsonWebSignatureAlg::Es384,
) => {
let key = ecdsa::SigningKey::try_from(params)?;
Ok(Self::Es384 { key })
}
) => Ok(Self::Es384 {
key: params.try_into()?,
}),
(
JsonWebKeyPrivateParameters::Ec(EcPrivateParameters {
@@ -177,10 +159,9 @@ impl Signer {
},
),
JsonWebSignatureAlg::Es256K,
) => {
let key = ecdsa::SigningKey::try_from(params)?;
Ok(Self::Es256K { key })
}
) => Ok(Self::Es256K {
key: params.try_into()?,
}),
(JsonWebKeyPrivateParameters::Okp(_params), JsonWebSignatureAlg::EdDsa) => {
Err(SignerFromJwkError::UnsupportedAlgorithm {

153
crates/jose/src/verifier.rs
View File

@@ -13,49 +13,27 @@
// limitations under the License.
use mas_iana::jose::{JsonWebKeyEcEllipticCurve, JsonWebSignatureAlg};
use sha2::{Sha256, Sha384, Sha512};
use signature::Signature;
use thiserror::Error;
use crate::jwk::{public_parameters::EcPublicParameters, JsonWebKeyParameters};
use crate::{
jwa,
jwk::{public_parameters::EcPublicParameters, JsonWebKeyPublicParameters},
};
pub enum Verifier {
Hs256 {
key: crate::hmac::Hmac<Sha256>,
},
Hs384 {
key: crate::hmac::Hmac<Sha384>,
},
Hs512 {
key: crate::hmac::Hmac<Sha512>,
},
Rs256 {
key: crate::rsa::pkcs1v15::VerifyingKey<Sha256>,
},
Rs384 {
key: crate::rsa::pkcs1v15::VerifyingKey<Sha384>,
},
Rs512 {
key: crate::rsa::pkcs1v15::VerifyingKey<Sha512>,
},
Ps256 {
key: crate::rsa::pss::VerifyingKey<Sha256>,
},
Ps384 {
key: crate::rsa::pss::VerifyingKey<Sha384>,
},
Ps512 {
key: crate::rsa::pss::VerifyingKey<Sha512>,
},
Es256 {
key: ecdsa::VerifyingKey<p256::NistP256>,
},
Es384 {
key: ecdsa::VerifyingKey<p384::NistP384>,
},
Es256K {
key: ecdsa::VerifyingKey<k256::Secp256k1>,
},
Hs256 { key: jwa::Hs256Key },
Hs384 { key: jwa::Hs384Key },
Hs512 { key: jwa::Hs512Key },
Rs256 { key: jwa::Rs256VerifyingKey },
Rs384 { key: jwa::Rs384VerifyingKey },
Rs512 { key: jwa::Rs512VerifyingKey },
Ps256 { key: jwa::Ps256VerifyingKey },
Ps384 { key: jwa::Ps384VerifyingKey },
Ps512 { key: jwa::Ps512VerifyingKey },
Es256 { key: jwa::Es256VerifyingKey },
Es384 { key: jwa::Es384VerifyingKey },
Es256K { key: jwa::Es256KVerifyingKey },
}
#[derive(Debug, Error)]
@@ -99,68 +77,72 @@ impl Verifier {
}
pub fn for_jwk_and_alg(
key: &JsonWebKeyParameters,
key: &JsonWebKeyPublicParameters,
alg: JsonWebSignatureAlg,
) -> Result<Self, VerifierFromJwkError> {
match (key, alg) {
(JsonWebKeyParameters::Rsa(params), JsonWebSignatureAlg::Rs256) => {
let key = rsa::RsaPublicKey::try_from(params)?;
Ok(Self::Rs256 { key: key.into() })
(JsonWebKeyPublicParameters::Rsa(params), JsonWebSignatureAlg::Rs256) => {
Ok(Self::Rs256 {
key: params.try_into()?,
})
}
(JsonWebKeyParameters::Rsa(params), JsonWebSignatureAlg::Rs384) => {
let key = rsa::RsaPublicKey::try_from(params)?;
Ok(Self::Rs384 { key: key.into() })
(JsonWebKeyPublicParameters::Rsa(params), JsonWebSignatureAlg::Rs384) => {
Ok(Self::Rs384 {
key: params.try_into()?,
})
}
(JsonWebKeyParameters::Rsa(params), JsonWebSignatureAlg::Rs512) => {
let key = rsa::RsaPublicKey::try_from(params)?;
Ok(Self::Rs512 { key: key.into() })
(JsonWebKeyPublicParameters::Rsa(params), JsonWebSignatureAlg::Rs512) => {
Ok(Self::Rs512 {
key: params.try_into()?,
})
}
(JsonWebKeyParameters::Rsa(params), JsonWebSignatureAlg::Ps256) => {
let key = rsa::RsaPublicKey::try_from(params)?;
Ok(Self::Ps256 { key: key.into() })
(JsonWebKeyPublicParameters::Rsa(params), JsonWebSignatureAlg::Ps256) => {
Ok(Self::Ps256 {
key: params.try_into()?,
})
}
(JsonWebKeyParameters::Rsa(params), JsonWebSignatureAlg::Ps384) => {
let key = rsa::RsaPublicKey::try_from(params)?;
Ok(Self::Ps384 { key: key.into() })
(JsonWebKeyPublicParameters::Rsa(params), JsonWebSignatureAlg::Ps384) => {
Ok(Self::Ps384 {
key: params.try_into()?,
})
}
(JsonWebKeyParameters::Rsa(params), JsonWebSignatureAlg::Ps512) => {
let key = rsa::RsaPublicKey::try_from(params)?;
Ok(Self::Ps512 { key: key.into() })
(JsonWebKeyPublicParameters::Rsa(params), JsonWebSignatureAlg::Ps512) => {
Ok(Self::Ps512 {
key: params.try_into()?,
})
}
(
JsonWebKeyParameters::Ec(
JsonWebKeyPublicParameters::Ec(
params @ EcPublicParameters {
crv: JsonWebKeyEcEllipticCurve::P256,
..
},
),
JsonWebSignatureAlg::Es256,
) => {
let key = ecdsa::VerifyingKey::try_from(params)?;
Ok(Self::Es256 { key })
}
) => Ok(Self::Es256 {
key: params.try_into()?,
}),
(
JsonWebKeyParameters::Ec(
JsonWebKeyPublicParameters::Ec(
params @ EcPublicParameters {
crv: JsonWebKeyEcEllipticCurve::P384,
..
},
),
JsonWebSignatureAlg::Es384,
) => {
let key = ecdsa::VerifyingKey::try_from(params)?;
Ok(Self::Es384 { key })
}
) => Ok(Self::Es384 {
key: params.try_into()?,
}),
(
JsonWebKeyParameters::Ec(EcPublicParameters {
JsonWebKeyPublicParameters::Ec(EcPublicParameters {
crv: JsonWebKeyEcEllipticCurve::P521,
..
}),
@@ -170,19 +152,18 @@ impl Verifier {
}),
(
JsonWebKeyParameters::Ec(
JsonWebKeyPublicParameters::Ec(
params @ EcPublicParameters {
crv: JsonWebKeyEcEllipticCurve::Secp256K1,
..
},
),
JsonWebSignatureAlg::Es256K,
) => {
let key = ecdsa::VerifyingKey::try_from(params)?;
Ok(Self::Es256K { key })
}
) => Ok(Self::Es256K {
key: params.try_into()?,
}),
(JsonWebKeyParameters::Okp(_params), JsonWebSignatureAlg::EdDsa) => {
(JsonWebKeyPublicParameters::Okp(_params), JsonWebSignatureAlg::EdDsa) => {
Err(VerifierFromJwkError::UnsupportedAlgorithm {
algorithm: JsonWebSignatureAlg::EdDsa,
})
@@ -216,62 +197,62 @@ impl signature::Verifier<GenericSignature> for Verifier {
fn verify(&self, msg: &[u8], signature: &GenericSignature) -> Result<(), signature::Error> {
match self {
Verifier::Hs256 { key } => {
let signature = crate::hmac::Signature::from_bytes(signature.as_bytes())?;
let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?;
Ok(())
}
Verifier::Hs384 { key } => {
let signature = crate::hmac::Signature::from_bytes(signature.as_bytes())?;
let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?;
Ok(())
}
Verifier::Hs512 { key } => {
let signature = crate::hmac::Signature::from_bytes(signature.as_bytes())?;
let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?;
Ok(())
}
Verifier::Rs256 { key } => {
let signature = rsa::pkcs1v15::Signature::from_bytes(signature.as_bytes())?;
let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?;
Ok(())
}
Verifier::Rs384 { key } => {
let signature = rsa::pkcs1v15::Signature::from_bytes(signature.as_bytes())?;
let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?;
Ok(())
}
Verifier::Rs512 { key } => {
let signature = rsa::pkcs1v15::Signature::from_bytes(signature.as_bytes())?;
let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?;
Ok(())
}
Verifier::Ps256 { key } => {
let signature = rsa::pss::Signature::from_bytes(signature.as_bytes())?;
let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?;
Ok(())
}
Verifier::Ps384 { key } => {
let signature = rsa::pss::Signature::from_bytes(signature.as_bytes())?;
let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?;
Ok(())
}
Verifier::Ps512 { key } => {
let signature = rsa::pss::Signature::from_bytes(signature.as_bytes())?;
let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?;
Ok(())
}
Verifier::Es256 { key } => {
let signature = ecdsa::Signature::from_bytes(signature.as_bytes())?;
let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?;
Ok(())
}
Verifier::Es384 { key } => {
let signature = ecdsa::Signature::from_bytes(signature.as_bytes())?;
let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?;
Ok(())
}
Verifier::Es256K { key } => {
let signature = ecdsa::Signature::from_bytes(signature.as_bytes())?;
let signature = signature::Signature::from_bytes(signature.as_bytes())?;
key.verify(msg, &signature)?;
Ok(())
}

7
crates/jose/tests/jws.rs
View File

@@ -170,10 +170,11 @@ macro_rules! symetric_jwt_test {
#[test]
fn verify_jwt() {
let jwt: Jwt<'_, Payload> = Jwt::try_from($jwt).unwrap();
let verifier =
mas_jose::verifier::Verifier::for_oct_and_alg(oct_key(), jwt.header().alg())
let verifier = mas_jose::verifier::Verifier::for_oct_and_alg(
oct_key(),
JsonWebSignatureAlg::$alg,
)
.unwrap();
assert_eq!(jwt.payload().hello, "world");
jwt.verify(&verifier).unwrap();
}