matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-07-31 09:24:31 +03:00
Code Activity

Fix RSA JWT signature and add snapshot tests for JWT signature

Browse Source
This commit is contained in:
Quentin Gliech
2022-10-17 16:27:23 +02:00
parent cf6d5a076a
commit c2a198b821
18 changed files with 194 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
Cargo.lock generated
View File

@ -896,6 +896,19 @@ dependencies = [
"unicode-width",
]
[[package]]
name = "console"
version = "0.15.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c050367d967ced717c04b65d8c619d863ef9292ce0c5760028655a2fb298718c"
dependencies = [
"encode_unicode",
"lazy_static",
"libc",
"terminal_size",
"winapi",
]
[[package]]
name = "const-oid"
version = "0.9.0"
@ -1455,6 +1468,12 @@ version = "0.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b1b32a7a2580c4473f10f66b512c34bdd7d33c5e3473227ca833abdb5afe4809"
[[package]]
name = "encode_unicode"
version = "0.3.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a357d28ed41a50f9c765dbfe56cbc04a64e53e5fc58ba79fbc34c10ef3df831f"
[[package]]
name = "encoding_rs"
version = "0.8.31"
@ -2124,6 +2143,19 @@ dependencies = [
"generic-array",
]
[[package]]
name = "insta"
version = "1.21.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "581d4e3314cae4536e5d22ffd23189d4a374696c5ef733eadafae0ed273fd303"
dependencies = [
"console",
"lazy_static",
"linked-hash-map",
"similar",
"yaml-rust",
]
[[package]]
name = "instant"
version = "0.1.12"
@ -2326,6 +2358,12 @@ dependencies = [
"cc",
]
[[package]]
name = "linked-hash-map"
version = "0.5.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0717cef1bc8b636c6e1c1bbdefc09e6322da8a9321966e8928ef80d20f7f770f"
[[package]]
name = "linux-raw-sys"
version = "0.0.46"
@ -2627,11 +2665,13 @@ dependencies = [
"elliptic-curve",
"generic-array",
"hmac",
"insta",
"k256",
"mas-iana",
"p256",
"p384",
"rand",
"rand_chacha",
"rsa",
"schemars",
"sec1",
@ -4380,7 +4420,8 @@ dependencies = [
[[package]]
name = "sha2"
version = "0.10.6"
source = "git+https://github.com/RustCrypto/hashes.git?rev=f9af45fdde84bb24c25f90011d7b2316783eb29f#f9af45fdde84bb24c25f90011d7b2316783eb29f"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "82e6b795fe2e3b1e845bafcb27aa35405c4d47cdfc92af5fc8d3002f76cebdc0"
dependencies = [
"cfg-if",
"cpufeatures",
@ -4415,6 +4456,12 @@ dependencies = [
"rand_core",
]
[[package]]
name = "similar"
version = "2.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "62ac7f900db32bf3fd12e0117dd3dc4da74bc52ebaac97f39668446d89694803"
[[package]]
name = "siphasher"
version = "0.3.10"
@ -4710,6 +4757,16 @@ dependencies = [
"winapi-util",
]
[[package]]
name = "terminal_size"
version = "0.1.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "633c1a546cee861a1a6d0dc69ebeca693bf4296661ba7852b9d21d159e0506df"
dependencies = [
"libc",
"winapi",
]
[[package]]
name = "thiserror"
version = "1.0.37"
@ -5832,6 +5889,15 @@ version = "0.13.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "114ba2b24d2167ef6d67d7d04c8cc86522b87f490025f39f0303b7db5bf5e3d8"
[[package]]
name = "yaml-rust"
version = "0.4.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "56c1936c4cc7a1c9ab21a1ebb602eb942ba868cbd44a99cb7cdc5892335e1c85"
dependencies = [
"linked-hash-map",
]
[[package]]
name = "yansi"
version = "0.5.1"

4
Cargo.toml
View File

@ -2,7 +2,3 @@
default-members = ["crates/cli"]
members = ["crates/*"]
[patch.crates-io]
# XXX: temporary override waiting on a new version of the sha2 crate
sha2 = { git = "https://github.com/RustCrypto/hashes.git", rev = "f9af45fdde84bb24c25f90011d7b2316783eb29f" }

6
crates/jose/Cargo.toml
View File

@ -18,7 +18,7 @@ k256 = { version = "0.11.6", features = ["ecdsa"] }
p256 = { version = "0.11.1", features = ["ecdsa"] }
p384 = { version = "0.11.2", features = ["ecdsa"] }
rand = "0.8.5"
rsa = "0.7.0-rc.0"
rsa = "0.7.0"
schemars = "0.8.10"
sec1 = "0.3.0"
serde = { version = "1.0.145", features = ["derive"] }
@ -31,3 +31,7 @@ tracing = "0.1.36"
url = { version = "2.3.1", features = ["serde"] }
mas-iana = { path = "../iana" }
[dev-dependencies]
insta = { version = "1.21.0" }
rand_chacha = "0.3.1"

28
crates/jose/src/jwa/asymmetric.rs
View File

@ -13,8 +13,6 @@
// limitations under the License.
use mas_iana::jose::{JsonWebKeyEcEllipticCurve, JsonWebSignatureAlg};
use rand::thread_rng;
use signature::RandomizedSigner;
use thiserror::Error;
use super::signature::Signature;
@ -159,43 +157,47 @@ impl From<super::Es256KSigningKey> for AsymmetricSigningKey {
}
}
impl signature::Signer<Signature> for AsymmetricSigningKey {
fn try_sign(&self, msg: &[u8]) -> Result<Signature, signature::Error> {
impl signature::RandomizedSigner<Signature> for AsymmetricSigningKey {
fn try_sign_with_rng(
&self,
rng: impl rand::CryptoRng + rand::RngCore,
msg: &[u8],
) -> Result<Signature, signature::Error> {
match self {
Self::Rs256(key) => {
let signature = key.try_sign(msg)?;
let signature = key.try_sign_with_rng(rng, msg)?;
Ok(Signature::from_signature(&signature))
}
Self::Rs384(key) => {
let signature = key.try_sign(msg)?;
let signature = key.try_sign_with_rng(rng, msg)?;
Ok(Signature::from_signature(&signature))
}
Self::Rs512(key) => {
let signature = key.try_sign(msg)?;
let signature = key.try_sign_with_rng(rng, msg)?;
Ok(Signature::from_signature(&signature))
}
Self::Ps256(key) => {
let signature = key.try_sign_with_rng(thread_rng(), msg)?;
let signature = key.try_sign_with_rng(rng, msg)?;
Ok(Signature::from_signature(&signature))
}
Self::Ps384(key) => {
let signature = key.try_sign_with_rng(thread_rng(), msg)?;
let signature = key.try_sign_with_rng(rng, msg)?;
Ok(Signature::from_signature(&signature))
}
Self::Ps512(key) => {
let signature = key.try_sign_with_rng(thread_rng(), msg)?;
let signature = key.try_sign_with_rng(rng, msg)?;
Ok(Signature::from_signature(&signature))
}
Self::Es256(key) => {
let signature = key.try_sign(msg)?;
let signature = key.try_sign_with_rng(rng, msg)?;
Ok(Signature::from_signature(&signature))
}
Self::Es384(key) => {
let signature = key.try_sign(msg)?;
let signature = key.try_sign_with_rng(rng, msg)?;
Ok(Signature::from_signature(&signature))
}
Self::Es256K(key) => {
let signature = key.try_sign(msg)?;
let signature = key.try_sign_with_rng(rng, msg)?;
Ok(Signature::from_signature(&signature))
}
}

11
crates/jose/src/jwa/symmetric.rs
View File

@ -79,6 +79,17 @@ impl From<super::Hs512Key> for SymmetricKey {
}
}
impl signature::RandomizedSigner<Signature> for SymmetricKey {
fn try_sign_with_rng(
&self,
_rng: impl rand::CryptoRng + rand::RngCore,
msg: &[u8],
) -> Result<Signature, signature::Error> {
// XXX: is that implementation alright?
signature::Signer::try_sign(self, msg)
}
}
impl signature::Signer<Signature> for SymmetricKey {
fn try_sign(&self, msg: &[u8]) -> Result<Signature, signature::Error> {
match self {

2
crates/jose/src/jwk/private_parameters.rs
View File

@ -271,7 +271,7 @@ mod rsa_impls {
type Error = rsa::errors::Error;
fn try_from(value: &RsaPrivateParameters) -> Result<Self, Self::Error> {
let key: RsaPrivateKey = value.try_into()?;
Ok(Self::new(key))
Ok(Self::new_with_salt_len(key, <H as Digest>::output_size()))
}
}

31
crates/jose/src/jwt/signed.rs
View File

@ -13,8 +13,9 @@
// limitations under the License.
use base64ct::{Base64UrlUnpadded, Encoding};
use rand::{thread_rng, CryptoRng, RngCore};
use serde::{de::DeserializeOwned, Serialize};
use signature::{Signature, Signer, Verifier};
use signature::{RandomizedSigner, Signature, Verifier};
use thiserror::Error;
use super::{header::JsonWebSignatureHeader, raw::RawJwt};
@ -279,6 +280,12 @@ pub enum JwtSignatureError {
#[source]
inner: serde_json::Error,
},
#[error("failed to sign")]
Signature {
#[from]
inner: signature::Error,
},
}
impl JwtSignatureError {
@ -298,7 +305,22 @@ impl<T> Jwt<'static, T> {
key: &K,
) -> Result<Self, JwtSignatureError>
where
K: Signer<S>,
K: RandomizedSigner<S>,
S: Signature,
T: Serialize,
{
Self::sign_with_rng(thread_rng(), header, payload, key)
}
pub fn sign_with_rng<R, K, S>(
rng: R,
header: JsonWebSignatureHeader,
payload: T,
key: &K,
) -> Result<Self, JwtSignatureError>
where
R: CryptoRng + RngCore,
K: RandomizedSigner<S>,
S: Signature,
T: Serialize,
{
@ -313,7 +335,10 @@ impl<T> Jwt<'static, T> {
let first_dot = header_.len();
let second_dot = inner.len();
let signature = key.sign(inner.as_bytes()).as_bytes().to_vec();
let signature = key
.try_sign_with_rng(rng, inner.as_bytes())?
.as_bytes()
.to_vec();
let signature_ = Base64UrlUnpadded::encode_string(&signature);
inner.reserve_exact(1 + signature_.len());
inner.push('.');

21
crates/jose/tests/jws.rs
View File

@ -95,6 +95,8 @@ macro_rules! asymetric_jwt_test {
conditional! { $supported =>
use mas_jose::jwt::JsonWebSignatureHeader;
use rand_chacha::ChaCha8Rng;
use rand::SeedableRng;
#[test]
fn verify_jwt() {
@ -112,6 +114,25 @@ macro_rules! asymetric_jwt_test {
jwt.verify(&key).unwrap();
}
#[test]
fn sign_jwt() {
let rng = ChaCha8Rng::seed_from_u64(42);
let alg = JsonWebSignatureAlg::$alg;
let payload = Payload {
hello: "world".to_string(),
};
let header = JsonWebSignatureHeader::new(alg.clone());
let jwks = private_jwks();
let key = jwks.signing_key_for_algorithm(&alg).unwrap();
let key = mas_jose::jwa::AsymmetricSigningKey::from_jwk_and_alg(key.params(), &alg)
.unwrap();
let jwt: Jwt<'_, Payload> = Jwt::sign_with_rng(rng, header, payload, &key).unwrap();
insta::assert_snapshot!(jwt.as_str());
}
#[test]
fn sign_and_verify_jwt() {
let alg = JsonWebSignatureAlg::$alg;

5
crates/jose/tests/snapshots/jws__es256__sign_jwt.snap Normal file
View File

@ -0,0 +1,5 @@
---
source: crates/jose/tests/jws.rs
expression: jwt.as_str()
---
eyJhbGciOiJFUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIn0._3wYtQklt0l_fhcwpQUSWbySVA3uJjVNgoudkvUInWjPpS7tO0sgmPf8Bwb3Rv9oTJncQfavs4rEw2kmgouPBw

5
crates/jose/tests/snapshots/jws__es256k__sign_jwt.snap Normal file
View File

@ -0,0 +1,5 @@
---
source: crates/jose/tests/jws.rs
expression: jwt.as_str()
---
eyJhbGciOiJFUzI1NksifQ.eyJoZWxsbyI6IndvcmxkIn0.-9Z19RYab_3Ym4Ork_lZUriouz5ktZFkT6B-DBGPYCJhVvSSNtG9Je9PEo0xpe9al0NhFcG5YJ4s4usDicsVjQ

5
crates/jose/tests/snapshots/jws__es384__sign_jwt.snap Normal file
View File

@ -0,0 +1,5 @@
---
source: crates/jose/tests/jws.rs
expression: jwt.as_str()
---
eyJhbGciOiJFUzM4NCJ9.eyJoZWxsbyI6IndvcmxkIn0.QIX0_gN6orAY32t6gKiDnstNdnBAmf1D5y-000ym-C8Y_MGt-HReODkUIMl7k6FNS1kw1FSbNXhXAPnAfcfgg2rR7oWDWfdxY5D0u1DcFGmhIrU5mxcUG50I_5YHIbe2

5
crates/jose/tests/snapshots/jws__ps256__sign_jwt.snap Normal file
View File

@ -0,0 +1,5 @@
---
source: crates/jose/tests/jws.rs
expression: jwt.as_str()
---
eyJhbGciOiJQUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIn0.CupFwPDQkECCpxd9y0y4hdPccVa387MXe8jMnI5Q0nWwdXqJ9PCyEGOfdBDwFqAfWGYlTkcDjTua81K6tV2ctnFRd9mqs_i1PyhLp8PFO9PcdxtqQKRgA0M4CEA_Yd-7mDFeh4raHgWX6xoNGnEoqrPrp-Vl4jQzdXVpY-J_PKuam_0PlXv-pk3uBW5RD8HU1J8injsUp2FRIJfnOGok4ZnXZqy4_jKkBgu35ymgn011MvLKjHnwTSWteHHc1CVUmJ-txiCaQGWL-6sz0tKdpEpekDCXyygaabn4rDtxm4Be2NeS1Nm852pwzg78SLgxgGPs9uxOx-cH66nWX6Ct9w

5
crates/jose/tests/snapshots/jws__ps384__sign_jwt.snap Normal file
View File

@ -0,0 +1,5 @@
---
source: crates/jose/tests/jws.rs
expression: jwt.as_str()
---
eyJhbGciOiJQUzM4NCJ9.eyJoZWxsbyI6IndvcmxkIn0.IlvyM131OVgUdNUlnAFDC4ZgIUtF_rzM_mOYasKi9WMB6d83AD-CRSnpkCXjSRS6WXx8fcLl5WA5COAMTG7PiDZlCxQ2zWsBn4SF2e8ARAiCsEGkkHhY6r68mXq86bdVD_46RKOnpBBK_DGu_ZHFY7Cjo6SGYol57HKIoGhTi79qQd0tYPdqNYO02KOTsR83-ph5vdEdM4jLg81X7--rH08Zhtnywu1JnmtxEotTvtbwXB1tDTTZvgywzgP63krP44D5hH-PlKLw4Bia_LQkSE4OE1HfDsK1IK4Y7SniJTrTQXp5FVASPrQnF2-lJUz_oDqzTKAv7FXCcCz1iPKbvg

5
crates/jose/tests/snapshots/jws__ps512__sign_jwt.snap Normal file
View File

@ -0,0 +1,5 @@
---
source: crates/jose/tests/jws.rs
expression: jwt.as_str()
---
eyJhbGciOiJQUzUxMiJ9.eyJoZWxsbyI6IndvcmxkIn0.Chyx9_a-dAyy2tB5hgj3SzLCoDSFx7GxO1PnFCrPN0z8pVRpOTrHaHDVlqPq0IjIGwPAcrTpNtwTIJdjNcpck9nyTShOUQya0tAGCrV1hbxR_QLGPayJydq8_treTKHeGxby4RaInM8k_hLz-6136FDiZXSxtZ6p4mCEcWeYiG5WGVqY15YptCuIipsY01Fyrew8djnIgW9bqS0aP9pakQWOIigYavFxhrLzyutgXiNxsNSH8OTCh9UQr62xEePJWsXkZIkSqtQlEnK68qhSgLffinyDtDMS7CAt82Lh0ac3vqRVyM0w4_l2C-auLE1aeAAroAhnc9YLVg0BufvydQ

5
crates/jose/tests/snapshots/jws__rs256__sign_jwt.snap Normal file
View File

@ -0,0 +1,5 @@
---
source: crates/jose/tests/jws.rs
expression: jwt.as_str()
---
eyJhbGciOiJSUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIn0.ji96-idJ7VHafGOGt22nJPVSDC6S2XvZSUFG7TLrjv-_ylINko_9YsI9_-9UZcB5ZtMeCX6Z5eO_9MTaq3Fhcj7mdn_hozZaNseTVgnwkFfTBlF7HcWhBdWbihAoY1YDvhTu-l_L6iBt1KhQh3J6fsfeGB-l3JfygZLKLtM1gsEz2qaZpnM90wESpphvpaJ_rGlWcTu61DGBBB3kOGCgaG2CJypCKp67m2vxFfi7J_2yE-1H2Y9ACWye73TWNuZubXNdo6azqqiJRe9o6oFmuPwkjgld66MdshQWjo3sGPHPI1_V-nhR9AtoizzF-3_YoS9oVwAzL6GiVUzeKpvZfQ

5
crates/jose/tests/snapshots/jws__rs384__sign_jwt.snap Normal file
View File

@ -0,0 +1,5 @@
---
source: crates/jose/tests/jws.rs
expression: jwt.as_str()
---
eyJhbGciOiJSUzM4NCJ9.eyJoZWxsbyI6IndvcmxkIn0.UgY6PfaVQ3Rhz_RvS8YZmCjUIcchejdWcf5zvSRK0ANGB1r2yvcdvGkOeVsFdKW_z7oru_4jTOffLgm8NoYVvg_x44u_z63ENrQTGbO0QLOLZKI4fuEvKDrKpkf2BmSPa-2feKQECVXxCcIiR32Q_zTHJtTIaDV2-hk2W_CEJxCVqLZ4b6l5iI2qLKUS3vERDKdwA2igiA_NElv4KThCtNIoS8TBohwio-M-SV43i-aJHnyn2U6Uw3Gu1mCSIBeRUNoQPXFBFnWY1Pa5TrxPA2jekck9j_xCWOX_jWK1khBW1lMwzYC5Ry24S7QxOcg8l2x8I6J03gB4N651fhcKgQ

5
crates/jose/tests/snapshots/jws__rs512__sign_jwt.snap Normal file
View File

@ -0,0 +1,5 @@
---
source: crates/jose/tests/jws.rs
expression: jwt.as_str()
---
eyJhbGciOiJSUzUxMiJ9.eyJoZWxsbyI6IndvcmxkIn0.HMs8F0DuJbLh0mjhXh5-PE66m8hwjdRP0_ixm_LKmeieAmJrerObyKHtstOdaLO0l_r3XXg2bHjzwGNSn3XF5Gj0RgqRqW6T5X8CO_Kf__0B-lTUfiXpxyLMhb3Vkt9fRa1YZjVix8hGsEx8oerA_xqv1DzgdKNvO4kK_Vzykuz5bgLn2oQR1w1NARCqazmjKh4S9q9XS8BZ-Ke2xTLSOpLP4g67IGyo79Y_BZ0-mOgBWZmPGzJnBGOrv4Lc-Vn3kPNZqREM9DA9IILw1hbCRG6x31pM5u1PESIV1dSuoIaab5A9yfBx1Fr9PRxV-1qHRaRYi06E_q_jxwtPG2oM7w

2
crates/keystore/Cargo.toml
View File

@ -20,7 +20,7 @@ pem-rfc7468 = { version = "0.6.0", features = ["std"] }
pkcs1 = { version = "0.4.0", features = ["std"] }
pkcs8 = { version = "0.9.0", features = ["std", "pkcs5", "encryption"] }
rand = "0.8.5"
rsa = { version = "0.7.0-rc.0", features = ["std", "pem"] }
rsa = { version = "0.7.0", features = ["std", "pem"] }
sec1 = { version = "0.3.0", features = ["std"] }
spki = { version = "0.6.0", features = ["std"] }
thiserror = "1.0.37"