matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-07-31 09:24:31 +03:00
Code Activity

Be consistent when constructing signers/verifier from JWK and from the keystore

Browse Source
This commit is contained in:
Quentin Gliech
2022-10-17 18:27:27 +02:00
parent c2a198b821
commit e63a21b9f9
5 changed files with 180 additions and 298 deletions
Download Patch File Download Diff File Expand all files Collapse all files

142
crates/jose/src/jwa/asymmetric.rs
View File

@ -12,7 +12,9 @@
// See the License for the specific language governing permissions and // See the License for the specific language governing permissions and
// limitations under the License. // limitations under the License.
use digest::Digest;
use mas_iana::jose::{JsonWebKeyEcEllipticCurve, JsonWebSignatureAlg}; use mas_iana::jose::{JsonWebKeyEcEllipticCurve, JsonWebSignatureAlg};
use sha2::{Sha256, Sha384, Sha512};
use thiserror::Error; use thiserror::Error;
use super::signature::Signature; use super::signature::Signature;
@ -27,9 +29,9 @@ pub enum AsymmetricKeyFromJwkError {
}, },
#[error("Invalid Elliptic Curve parameters")] #[error("Invalid Elliptic Curve parameters")]
Ecdsa { EllipticCurve {
#[from] #[from]
inner: ecdsa::Error, inner: elliptic_curve::Error,
}, },
#[error("Unsupported algorithm {alg}")] #[error("Unsupported algorithm {alg}")]
@ -54,32 +56,85 @@ pub enum AsymmetricSigningKey {
} }
impl AsymmetricSigningKey { impl AsymmetricSigningKey {
#[allow(dead_code)] #[must_use]
pub fn rs256(key: rsa::RsaPrivateKey) -> Self {
Self::Rs256(rsa::pkcs1v15::SigningKey::new_with_prefix(key))
}
#[must_use]
pub fn rs384(key: rsa::RsaPrivateKey) -> Self {
Self::Rs384(rsa::pkcs1v15::SigningKey::new_with_prefix(key))
}
#[must_use]
pub fn rs512(key: rsa::RsaPrivateKey) -> Self {
Self::Rs512(rsa::pkcs1v15::SigningKey::new_with_prefix(key))
}
#[must_use]
pub fn ps256(key: rsa::RsaPrivateKey) -> Self {
Self::Ps256(rsa::pss::SigningKey::new_with_salt_len(
key,
Sha256::output_size(),
))
}
#[must_use]
pub fn ps384(key: rsa::RsaPrivateKey) -> Self {
Self::Ps384(rsa::pss::SigningKey::new_with_salt_len(
key,
Sha384::output_size(),
))
}
#[must_use]
pub fn ps512(key: rsa::RsaPrivateKey) -> Self {
Self::Ps512(rsa::pss::SigningKey::new_with_salt_len(
key,
Sha512::output_size(),
))
}
#[must_use]
pub fn es256(key: elliptic_curve::SecretKey<p256::NistP256>) -> Self {
Self::Es256(ecdsa::SigningKey::from(key))
}
#[must_use]
pub fn es384(key: elliptic_curve::SecretKey<p384::NistP384>) -> Self {
Self::Es384(ecdsa::SigningKey::from(key))
}
#[must_use]
pub fn es256k(key: elliptic_curve::SecretKey<k256::Secp256k1>) -> Self {
Self::Es256K(ecdsa::SigningKey::from(key))
}
pub fn from_jwk_and_alg( pub fn from_jwk_and_alg(
params: &JsonWebKeyPrivateParameters, params: &JsonWebKeyPrivateParameters,
alg: &JsonWebSignatureAlg, alg: &JsonWebSignatureAlg,
) -> Result<Self, AsymmetricKeyFromJwkError> { ) -> Result<Self, AsymmetricKeyFromJwkError> {
match (params, alg) { match (params, alg) {
(JsonWebKeyPrivateParameters::Rsa(params), alg) => match alg { (JsonWebKeyPrivateParameters::Rsa(params), alg) => match alg {
JsonWebSignatureAlg::Rs256 => Ok(Self::Rs256(params.try_into()?)), JsonWebSignatureAlg::Rs256 => Ok(Self::rs256(params.try_into()?)),
JsonWebSignatureAlg::Rs384 => Ok(Self::Rs384(params.try_into()?)), JsonWebSignatureAlg::Rs384 => Ok(Self::rs384(params.try_into()?)),
JsonWebSignatureAlg::Rs512 => Ok(Self::Rs512(params.try_into()?)), JsonWebSignatureAlg::Rs512 => Ok(Self::rs512(params.try_into()?)),
JsonWebSignatureAlg::Ps256 => Ok(Self::Ps256(params.try_into()?)), JsonWebSignatureAlg::Ps256 => Ok(Self::ps256(params.try_into()?)),
JsonWebSignatureAlg::Ps384 => Ok(Self::Ps384(params.try_into()?)), JsonWebSignatureAlg::Ps384 => Ok(Self::ps384(params.try_into()?)),
JsonWebSignatureAlg::Ps512 => Ok(Self::Ps512(params.try_into()?)), JsonWebSignatureAlg::Ps512 => Ok(Self::ps512(params.try_into()?)),
_ => Err(AsymmetricKeyFromJwkError::KeyNotSuitable { alg: alg.clone() }), _ => Err(AsymmetricKeyFromJwkError::KeyNotSuitable { alg: alg.clone() }),
}, },
(JsonWebKeyPrivateParameters::Ec(params), JsonWebSignatureAlg::Es256) (JsonWebKeyPrivateParameters::Ec(params), JsonWebSignatureAlg::Es256)
if params.crv == JsonWebKeyEcEllipticCurve::P256 => if params.crv == JsonWebKeyEcEllipticCurve::P256 =>
{ {
Ok(Self::Es256(params.try_into()?)) Ok(Self::es256(params.try_into()?))
} }
(JsonWebKeyPrivateParameters::Ec(params), JsonWebSignatureAlg::Es384) (JsonWebKeyPrivateParameters::Ec(params), JsonWebSignatureAlg::Es384)
if params.crv == JsonWebKeyEcEllipticCurve::P384 => if params.crv == JsonWebKeyEcEllipticCurve::P384 =>
{ {
Ok(Self::Es384(params.try_into()?)) Ok(Self::es384(params.try_into()?))
} }
(JsonWebKeyPrivateParameters::Ec(params), JsonWebSignatureAlg::Es512) (JsonWebKeyPrivateParameters::Ec(params), JsonWebSignatureAlg::Es512)
@ -91,7 +146,7 @@ impl AsymmetricSigningKey {
(JsonWebKeyPrivateParameters::Ec(params), JsonWebSignatureAlg::Es256K) (JsonWebKeyPrivateParameters::Ec(params), JsonWebSignatureAlg::Es256K)
if params.crv == JsonWebKeyEcEllipticCurve::Secp256K1 => if params.crv == JsonWebKeyEcEllipticCurve::Secp256K1 =>
{ {
Ok(Self::Es256K(params.try_into()?)) Ok(Self::es256k(params.try_into()?))
} }
(JsonWebKeyPrivateParameters::Okp(_params), JsonWebSignatureAlg::EdDsa) => { (JsonWebKeyPrivateParameters::Okp(_params), JsonWebSignatureAlg::EdDsa) => {
@ -219,31 +274,76 @@ pub enum AsymmetricVerifyingKey {
} }
impl AsymmetricVerifyingKey { impl AsymmetricVerifyingKey {
#[must_use]
pub fn rs256(key: rsa::RsaPublicKey) -> Self {
Self::Rs256(rsa::pkcs1v15::VerifyingKey::new_with_prefix(key))
}
#[must_use]
pub fn rs384(key: rsa::RsaPublicKey) -> Self {
Self::Rs384(rsa::pkcs1v15::VerifyingKey::new_with_prefix(key))
}
#[must_use]
pub fn rs512(key: rsa::RsaPublicKey) -> Self {
Self::Rs512(rsa::pkcs1v15::VerifyingKey::new_with_prefix(key))
}
#[must_use]
pub fn ps256(key: rsa::RsaPublicKey) -> Self {
Self::Ps256(rsa::pss::VerifyingKey::new(key))
}
#[must_use]
pub fn ps384(key: rsa::RsaPublicKey) -> Self {
Self::Ps384(rsa::pss::VerifyingKey::new(key))
}
#[must_use]
pub fn ps512(key: rsa::RsaPublicKey) -> Self {
Self::Ps512(rsa::pss::VerifyingKey::new(key))
}
#[must_use]
pub fn es256(key: elliptic_curve::PublicKey<p256::NistP256>) -> Self {
Self::Es256(ecdsa::VerifyingKey::from(key))
}
#[must_use]
pub fn es384(key: elliptic_curve::PublicKey<p384::NistP384>) -> Self {
Self::Es384(ecdsa::VerifyingKey::from(key))
}
#[must_use]
pub fn es256k(key: elliptic_curve::PublicKey<k256::Secp256k1>) -> Self {
Self::Es256K(ecdsa::VerifyingKey::from(key))
}
pub fn from_jwk_and_alg( pub fn from_jwk_and_alg(
params: &JsonWebKeyPublicParameters, params: &JsonWebKeyPublicParameters,
alg: &JsonWebSignatureAlg, alg: &JsonWebSignatureAlg,
) -> Result<Self, AsymmetricKeyFromJwkError> { ) -> Result<Self, AsymmetricKeyFromJwkError> {
match (params, alg) { match (params, alg) {
(JsonWebKeyPublicParameters::Rsa(params), alg) => match alg { (JsonWebKeyPublicParameters::Rsa(params), alg) => match alg {
JsonWebSignatureAlg::Rs256 => Ok(Self::Rs256(params.try_into()?)), JsonWebSignatureAlg::Rs256 => Ok(Self::rs256(params.try_into()?)),
JsonWebSignatureAlg::Rs384 => Ok(Self::Rs384(params.try_into()?)), JsonWebSignatureAlg::Rs384 => Ok(Self::rs384(params.try_into()?)),
JsonWebSignatureAlg::Rs512 => Ok(Self::Rs512(params.try_into()?)), JsonWebSignatureAlg::Rs512 => Ok(Self::rs512(params.try_into()?)),
JsonWebSignatureAlg::Ps256 => Ok(Self::Ps256(params.try_into()?)), JsonWebSignatureAlg::Ps256 => Ok(Self::ps256(params.try_into()?)),
JsonWebSignatureAlg::Ps384 => Ok(Self::Ps384(params.try_into()?)), JsonWebSignatureAlg::Ps384 => Ok(Self::ps384(params.try_into()?)),
JsonWebSignatureAlg::Ps512 => Ok(Self::Ps512(params.try_into()?)), JsonWebSignatureAlg::Ps512 => Ok(Self::ps512(params.try_into()?)),
_ => Err(AsymmetricKeyFromJwkError::KeyNotSuitable { alg: alg.clone() }), _ => Err(AsymmetricKeyFromJwkError::KeyNotSuitable { alg: alg.clone() }),
}, },
(JsonWebKeyPublicParameters::Ec(params), JsonWebSignatureAlg::Es256) (JsonWebKeyPublicParameters::Ec(params), JsonWebSignatureAlg::Es256)
if params.crv == JsonWebKeyEcEllipticCurve::P256 => if params.crv == JsonWebKeyEcEllipticCurve::P256 =>
{ {
Ok(Self::Es256(params.try_into()?)) Ok(Self::es256(params.try_into()?))
} }
(JsonWebKeyPublicParameters::Ec(params), JsonWebSignatureAlg::Es384) (JsonWebKeyPublicParameters::Ec(params), JsonWebSignatureAlg::Es384)
if params.crv == JsonWebKeyEcEllipticCurve::P384 => if params.crv == JsonWebKeyEcEllipticCurve::P384 =>
{ {
Ok(Self::Es384(params.try_into()?)) Ok(Self::es384(params.try_into()?))
} }
(JsonWebKeyPublicParameters::Ec(params), JsonWebSignatureAlg::Es512) (JsonWebKeyPublicParameters::Ec(params), JsonWebSignatureAlg::Es512)
@ -255,7 +355,7 @@ impl AsymmetricVerifyingKey {
(JsonWebKeyPublicParameters::Ec(params), JsonWebSignatureAlg::Es256K) (JsonWebKeyPublicParameters::Ec(params), JsonWebSignatureAlg::Es256K)
if params.crv == JsonWebKeyEcEllipticCurve::Secp256K1 => if params.crv == JsonWebKeyEcEllipticCurve::Secp256K1 =>
{ {
Ok(Self::Es256K(params.try_into()?)) Ok(Self::es256k(params.try_into()?))
} }
(JsonWebKeyPublicParameters::Okp(_params), JsonWebSignatureAlg::EdDsa) => { (JsonWebKeyPublicParameters::Okp(_params), JsonWebSignatureAlg::EdDsa) => {

4
crates/jose/src/jwk/mod.rs
View File

@ -526,12 +526,12 @@ mod tests {
rsa::RsaPublicKey::try_from(keys.next().unwrap().params().rsa().unwrap()).unwrap(); rsa::RsaPublicKey::try_from(keys.next().unwrap().params().rsa().unwrap()).unwrap();
rsa::RsaPublicKey::try_from(keys.next().unwrap().params().rsa().unwrap()).unwrap(); rsa::RsaPublicKey::try_from(keys.next().unwrap().params().rsa().unwrap()).unwrap();
// 7th is P-256 // 7th is P-256
ecdsa::VerifyingKey::<p256::NistP256>::try_from( elliptic_curve::PublicKey::<p256::NistP256>::try_from(
keys.next().unwrap().params().ec().unwrap(), keys.next().unwrap().params().ec().unwrap(),
) )
.unwrap(); .unwrap();
// 8th is P-384 // 8th is P-384
ecdsa::VerifyingKey::<p384::NistP384>::try_from( elliptic_curve::PublicKey::<p384::NistP384>::try_from(
keys.next().unwrap().params().ec().unwrap(), keys.next().unwrap().params().ec().unwrap(),
) )
.unwrap(); .unwrap();

100
crates/jose/src/jwk/private_parameters.rs
View File

@ -228,53 +228,10 @@ struct RsaOtherPrimeInfo {
} }
mod rsa_impls { mod rsa_impls {
use digest::{const_oid::AssociatedOid, Digest};
use rsa::{BigUint, RsaPrivateKey}; use rsa::{BigUint, RsaPrivateKey};
use super::RsaPrivateParameters; use super::RsaPrivateParameters;
impl<H> TryFrom<RsaPrivateParameters> for rsa::pkcs1v15::SigningKey<H>
where
H: Digest + AssociatedOid,
{
type Error = rsa::errors::Error;
fn try_from(value: RsaPrivateParameters) -> Result<Self, Self::Error> {
Self::try_from(&value)
}
}
impl<H> TryFrom<&RsaPrivateParameters> for rsa::pkcs1v15::SigningKey<H>
where
H: Digest + AssociatedOid,
{
type Error = rsa::errors::Error;
fn try_from(value: &RsaPrivateParameters) -> Result<Self, Self::Error> {
let key: RsaPrivateKey = value.try_into()?;
Ok(Self::new_with_prefix(key))
}
}
impl<H> TryFrom<RsaPrivateParameters> for rsa::pss::SigningKey<H>
where
H: Digest,
{
type Error = rsa::errors::Error;
fn try_from(value: RsaPrivateParameters) -> Result<Self, Self::Error> {
Self::try_from(&value)
}
}
impl<H> TryFrom<&RsaPrivateParameters> for rsa::pss::SigningKey<H>
where
H: Digest,
{
type Error = rsa::errors::Error;
fn try_from(value: &RsaPrivateParameters) -> Result<Self, Self::Error> {
let key: RsaPrivateKey = value.try_into()?;
Ok(Self::new_with_salt_len(key, <H as Digest>::output_size()))
}
}
impl TryFrom<RsaPrivateParameters> for RsaPrivateKey { impl TryFrom<RsaPrivateParameters> for RsaPrivateKey {
type Error = rsa::errors::Error; type Error = rsa::errors::Error;
fn try_from(value: RsaPrivateParameters) -> Result<Self, Self::Error> { fn try_from(value: RsaPrivateParameters) -> Result<Self, Self::Error> {
@ -347,48 +304,16 @@ impl From<EcPrivateParameters> for super::public_parameters::EcPublicParameters
} }
mod ec_impls { mod ec_impls {
use digest::typenum::Unsigned;
use ecdsa::{hazmat::SignPrimitive, EncodedPoint, PrimeCurve, SignatureSize, SigningKey};
use elliptic_curve::{ use elliptic_curve::{
ops::{Invert, Reduce}, sec1::{Coordinates, FromEncodedPoint, ModulusSize, ToEncodedPoint},
sec1::{Coordinates, FromEncodedPoint, ModulusSize, ToEncodedPoint, ValidatePublicKey}, AffinePoint, Curve, FieldSize, SecretKey,
subtle::CtOption,
AffinePoint, Curve, FieldBytes, FieldSize, ProjectiveArithmetic, Scalar, SecretKey,
}; };
use generic_array::ArrayLength;
use super::{super::JwkEcCurve, EcPrivateParameters}; use super::{super::JwkEcCurve, EcPrivateParameters};
impl<C> TryFrom<EcPrivateParameters> for SigningKey<C>
where
C: PrimeCurve + ProjectiveArithmetic,
Scalar<C>: Invert<Output = CtOption<Scalar<C>>> + Reduce<C::UInt> + SignPrimitive<C>,
SignatureSize<C>: ArrayLength<u8>,
{
type Error = ecdsa::Error;
fn try_from(value: EcPrivateParameters) -> Result<Self, Self::Error> {
Self::try_from(&value)
}
}
impl<C> TryFrom<&EcPrivateParameters> for SigningKey<C>
where
C: PrimeCurve + ProjectiveArithmetic,
Scalar<C>: Invert<Output = CtOption<Scalar<C>>> + Reduce<C::UInt> + SignPrimitive<C>,
SignatureSize<C>: ArrayLength<u8>,
{
type Error = ecdsa::Error;
fn try_from(value: &EcPrivateParameters) -> Result<Self, Self::Error> {
SigningKey::from_bytes(&value.d)
}
}
impl<C> TryFrom<EcPrivateParameters> for SecretKey<C> impl<C> TryFrom<EcPrivateParameters> for SecretKey<C>
where where
C: Curve + ValidatePublicKey, C: Curve,
FieldSize<C>: ModulusSize,
{ {
type Error = elliptic_curve::Error; type Error = elliptic_curve::Error;
fn try_from(value: EcPrivateParameters) -> Result<Self, Self::Error> { fn try_from(value: EcPrivateParameters) -> Result<Self, Self::Error> {
@ -398,27 +323,12 @@ mod ec_impls {
impl<C> TryFrom<&EcPrivateParameters> for SecretKey<C> impl<C> TryFrom<&EcPrivateParameters> for SecretKey<C>
where where
C: Curve + ValidatePublicKey, C: Curve,
FieldSize<C>: ModulusSize,
{ {
type Error = elliptic_curve::Error; type Error = elliptic_curve::Error;
fn try_from(value: &EcPrivateParameters) -> Result<Self, Self::Error> { fn try_from(value: &EcPrivateParameters) -> Result<Self, Self::Error> {
let x = value SecretKey::from_be_bytes(&value.d)
.x
.get(..FieldSize::<C>::USIZE)
.ok_or(elliptic_curve::Error)?;
let y = value
.x
.get(..FieldSize::<C>::USIZE)
.ok_or(elliptic_curve::Error)?;
let x = FieldBytes::<C>::from_slice(x);
let y = FieldBytes::<C>::from_slice(y);
let pubkey = EncodedPoint::<C>::from_affine_coordinates(x, y, false);
let privkey = SecretKey::from_be_bytes(&value.d)?;
C::validate_public_key(&privkey, &pubkey)?;
Ok(privkey)
} }
} }

157
crates/jose/src/jwk/public_parameters.rs
View File

@ -136,10 +136,6 @@ impl EcPublicParameters {
pub const fn new(crv: JsonWebKeyEcEllipticCurve, x: Vec<u8>, y: Vec<u8>) -> Self { pub const fn new(crv: JsonWebKeyEcEllipticCurve, x: Vec<u8>, y: Vec<u8>) -> Self {
Self { crv, x, y } Self { crv, x, y }
} }
pub const fn crv(&self) -> &JsonWebKeyEcEllipticCurve {
&self.crv
}
} }
impl ParametersInfo for EcPublicParameters { impl ParametersInfo for EcPublicParameters {
@ -182,14 +178,9 @@ impl OkpPublicParameters {
pub const fn new(crv: JsonWebKeyOkpEllipticCurve, x: Vec<u8>) -> Self { pub const fn new(crv: JsonWebKeyOkpEllipticCurve, x: Vec<u8>) -> Self {
Self { crv, x } Self { crv, x }
} }
pub const fn crv(&self) -> &JsonWebKeyOkpEllipticCurve {
&self.crv
}
} }
mod rsa_impls { mod rsa_impls {
use digest::{const_oid::AssociatedOid, Digest};
use rsa::{BigUint, PublicKeyParts, RsaPublicKey}; use rsa::{BigUint, PublicKeyParts, RsaPublicKey};
use super::{JsonWebKeyPublicParameters, RsaPublicParameters}; use super::{JsonWebKeyPublicParameters, RsaPublicParameters};
@ -221,48 +212,6 @@ mod rsa_impls {
} }
} }
impl<H> TryFrom<RsaPublicParameters> for rsa::pkcs1v15::VerifyingKey<H>
where
H: Digest + AssociatedOid,
{
type Error = rsa::errors::Error;
fn try_from(value: RsaPublicParameters) -> Result<Self, Self::Error> {
Self::try_from(&value)
}
}
impl<H> TryFrom<&RsaPublicParameters> for rsa::pkcs1v15::VerifyingKey<H>
where
H: Digest + AssociatedOid,
{
type Error = rsa::errors::Error;
fn try_from(value: &RsaPublicParameters) -> Result<Self, Self::Error> {
let key: RsaPublicKey = value.try_into()?;
Ok(Self::new_with_prefix(key))
}
}
impl<H> TryFrom<RsaPublicParameters> for rsa::pss::VerifyingKey<H>
where
H: Digest,
{
type Error = rsa::errors::Error;
fn try_from(value: RsaPublicParameters) -> Result<Self, Self::Error> {
Self::try_from(&value)
}
}
impl<H> TryFrom<&RsaPublicParameters> for rsa::pss::VerifyingKey<H>
where
H: Digest,
{
type Error = rsa::errors::Error;
fn try_from(value: &RsaPublicParameters) -> Result<Self, Self::Error> {
let key: RsaPublicKey = value.try_into()?;
Ok(Self::new(key))
}
}
impl TryFrom<RsaPublicParameters> for RsaPublicKey { impl TryFrom<RsaPublicParameters> for RsaPublicKey {
type Error = rsa::errors::Error; type Error = rsa::errors::Error;
fn try_from(value: RsaPublicParameters) -> Result<Self, Self::Error> { fn try_from(value: RsaPublicParameters) -> Result<Self, Self::Error> {
@ -283,102 +232,58 @@ mod rsa_impls {
mod ec_impls { mod ec_impls {
use digest::typenum::Unsigned; use digest::typenum::Unsigned;
use ecdsa::{EncodedPoint, PrimeCurve, VerifyingKey}; use ecdsa::EncodedPoint;
use elliptic_curve::{ use elliptic_curve::{
sec1::{Coordinates, FromEncodedPoint, ModulusSize, ToEncodedPoint}, sec1::{Coordinates, FromEncodedPoint, ModulusSize, ToEncodedPoint},
AffinePoint, Curve, FieldBytes, FieldSize, ProjectiveArithmetic, PublicKey, AffinePoint, Curve, FieldBytes, FieldSize, PublicKey,
}; };
use super::{super::JwkEcCurve, EcPublicParameters, JsonWebKeyPublicParameters}; use super::{super::JwkEcCurve, EcPublicParameters, JsonWebKeyPublicParameters};
impl<C> From<ecdsa::VerifyingKey<C>> for JsonWebKeyPublicParameters impl<C> TryFrom<&EcPublicParameters> for PublicKey<C>
where where
C: PrimeCurve + ProjectiveArithmetic + JwkEcCurve, C: Curve + elliptic_curve::ProjectiveArithmetic,
AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>, AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
FieldSize<C>: ModulusSize, FieldSize<C>: ModulusSize,
{ {
fn from(key: ecdsa::VerifyingKey<C>) -> Self { type Error = elliptic_curve::Error;
Self::from(&key)
}
}
impl<C> From<&ecdsa::VerifyingKey<C>> for JsonWebKeyPublicParameters
where
C: PrimeCurve + ProjectiveArithmetic + JwkEcCurve,
AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
FieldSize<C>: ModulusSize,
{
fn from(key: &ecdsa::VerifyingKey<C>) -> Self {
Self::Ec(key.into())
}
}
impl<C> From<ecdsa::VerifyingKey<C>> for EcPublicParameters
where
C: PrimeCurve + ProjectiveArithmetic + JwkEcCurve,
AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
FieldSize<C>: ModulusSize,
{
fn from(key: ecdsa::VerifyingKey<C>) -> Self {
Self::from(&key)
}
}
impl<C> From<&ecdsa::VerifyingKey<C>> for EcPublicParameters
where
C: PrimeCurve + ProjectiveArithmetic + JwkEcCurve,
AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
FieldSize<C>: ModulusSize,
{
fn from(key: &ecdsa::VerifyingKey<C>) -> Self {
let points = key.to_encoded_point(false);
EcPublicParameters {
x: points.x().unwrap().to_vec(),
y: points.y().unwrap().to_vec(),
crv: C::CRV,
}
}
}
impl<C> TryFrom<EcPublicParameters> for VerifyingKey<C>
where
C: PrimeCurve + ProjectiveArithmetic + JwkEcCurve,
AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
FieldSize<C>: ModulusSize,
{
type Error = ecdsa::Error;
fn try_from(value: EcPublicParameters) -> Result<Self, Self::Error> {
(&value).try_into()
}
}
impl<C> TryFrom<&EcPublicParameters> for VerifyingKey<C>
where
C: PrimeCurve + ProjectiveArithmetic + JwkEcCurve,
AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
FieldSize<C>: ModulusSize,
{
type Error = ecdsa::Error;
fn try_from(value: &EcPublicParameters) -> Result<Self, Self::Error> { fn try_from(value: &EcPublicParameters) -> Result<Self, Self::Error> {
if *value.crv() != C::CRV {
return Err(Self::Error::default());
}
let x = value let x = value
.x .x
.get(..FieldSize::<C>::USIZE) .get(..FieldSize::<C>::USIZE)
.ok_or_else(Self::Error::default)?; .ok_or(elliptic_curve::Error)?;
let y = value let y = value
.y .y
.get(..FieldSize::<C>::USIZE) .get(..FieldSize::<C>::USIZE)
.ok_or_else(Self::Error::default)?; .ok_or(elliptic_curve::Error)?;
let x = FieldBytes::<C>::from_slice(x); let x = FieldBytes::<C>::from_slice(x);
let y = FieldBytes::<C>::from_slice(y); let y = FieldBytes::<C>::from_slice(y);
let pubkey = EncodedPoint::<C>::from_affine_coordinates(x, y, false); let pubkey = EncodedPoint::<C>::from_affine_coordinates(x, y, false);
let pubkey = VerifyingKey::from_encoded_point(&pubkey)?; let pubkey: Option<_> = PublicKey::from_encoded_point(&pubkey).into();
Ok(pubkey) pubkey.ok_or(elliptic_curve::Error)
}
}
impl<C> From<PublicKey<C>> for JsonWebKeyPublicParameters
where
C: Curve + elliptic_curve::ProjectiveArithmetic + JwkEcCurve,
AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
FieldSize<C>: ModulusSize,
{
fn from(key: PublicKey<C>) -> Self {
(&key).into()
}
}
impl<C> From<&PublicKey<C>> for JsonWebKeyPublicParameters
where
C: Curve + elliptic_curve::ProjectiveArithmetic + JwkEcCurve,
AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
FieldSize<C>: ModulusSize,
{
fn from(key: &PublicKey<C>) -> Self {
Self::Ec(key.into())
} }
} }

75
crates/keystore/src/lib.rs
View File

@ -438,38 +438,26 @@ impl PrivateKey {
(Self::Rsa(key), _) => { (Self::Rsa(key), _) => {
let key: rsa::RsaPublicKey = key.to_public_key(); let key: rsa::RsaPublicKey = key.to_public_key();
match alg { match alg {
JsonWebSignatureAlg::Rs256 => { JsonWebSignatureAlg::Rs256 => AsymmetricVerifyingKey::rs256(key),
AsymmetricVerifyingKey::Rs256(rsa::pkcs1v15::VerifyingKey::new(key)) JsonWebSignatureAlg::Rs384 => AsymmetricVerifyingKey::rs384(key),
} JsonWebSignatureAlg::Rs512 => AsymmetricVerifyingKey::rs512(key),
JsonWebSignatureAlg::Rs384 => { JsonWebSignatureAlg::Ps256 => AsymmetricVerifyingKey::ps256(key),
AsymmetricVerifyingKey::Rs384(rsa::pkcs1v15::VerifyingKey::new(key)) JsonWebSignatureAlg::Ps384 => AsymmetricVerifyingKey::ps384(key),
} JsonWebSignatureAlg::Ps512 => AsymmetricVerifyingKey::ps512(key),
JsonWebSignatureAlg::Rs512 => {
AsymmetricVerifyingKey::Rs512(rsa::pkcs1v15::VerifyingKey::new(key))
}
JsonWebSignatureAlg::Ps256 => {
AsymmetricVerifyingKey::Ps256(rsa::pss::VerifyingKey::new(key))
}
JsonWebSignatureAlg::Ps384 => {
AsymmetricVerifyingKey::Ps384(rsa::pss::VerifyingKey::new(key))
}
JsonWebSignatureAlg::Ps512 => {
AsymmetricVerifyingKey::Ps512(rsa::pss::VerifyingKey::new(key))
}
_ => return Err(WrongAlgorithmError), _ => return Err(WrongAlgorithmError),
} }
} }
(Self::EcP256(key), JsonWebSignatureAlg::Es256) => { (Self::EcP256(key), JsonWebSignatureAlg::Es256) => {
AsymmetricVerifyingKey::Es256(key.public_key().into()) AsymmetricVerifyingKey::es256(key.public_key())
} }
(Self::EcP384(key), JsonWebSignatureAlg::Es384) => { (Self::EcP384(key), JsonWebSignatureAlg::Es384) => {
AsymmetricVerifyingKey::Es384(key.public_key().into()) AsymmetricVerifyingKey::es384(key.public_key())
} }
(Self::EcK256(key), JsonWebSignatureAlg::Es256K) => { (Self::EcK256(key), JsonWebSignatureAlg::Es256K) => {
AsymmetricVerifyingKey::Es256K(key.public_key().into()) AsymmetricVerifyingKey::es256k(key.public_key())
} }
_ => return Err(WrongAlgorithmError), _ => return Err(WrongAlgorithmError),
@ -492,38 +480,26 @@ impl PrivateKey {
(Self::Rsa(key), _) => { (Self::Rsa(key), _) => {
let key: rsa::RsaPrivateKey = *key.clone(); let key: rsa::RsaPrivateKey = *key.clone();
match alg { match alg {
JsonWebSignatureAlg::Rs256 => { JsonWebSignatureAlg::Rs256 => AsymmetricSigningKey::rs256(key),
AsymmetricSigningKey::Rs256(rsa::pkcs1v15::SigningKey::new(key)) JsonWebSignatureAlg::Rs384 => AsymmetricSigningKey::rs384(key),
} JsonWebSignatureAlg::Rs512 => AsymmetricSigningKey::rs512(key),
JsonWebSignatureAlg::Rs384 => { JsonWebSignatureAlg::Ps256 => AsymmetricSigningKey::ps256(key),
AsymmetricSigningKey::Rs384(rsa::pkcs1v15::SigningKey::new(key)) JsonWebSignatureAlg::Ps384 => AsymmetricSigningKey::ps384(key),
} JsonWebSignatureAlg::Ps512 => AsymmetricSigningKey::ps512(key),
JsonWebSignatureAlg::Rs512 => {
AsymmetricSigningKey::Rs512(rsa::pkcs1v15::SigningKey::new(key))
}
JsonWebSignatureAlg::Ps256 => {
AsymmetricSigningKey::Ps256(rsa::pss::SigningKey::new(key))
}
JsonWebSignatureAlg::Ps384 => {
AsymmetricSigningKey::Ps384(rsa::pss::SigningKey::new(key))
}
JsonWebSignatureAlg::Ps512 => {
AsymmetricSigningKey::Ps512(rsa::pss::SigningKey::new(key))
}
_ => return Err(WrongAlgorithmError), _ => return Err(WrongAlgorithmError),
} }
} }
(Self::EcP256(key), JsonWebSignatureAlg::Es256) => { (Self::EcP256(key), JsonWebSignatureAlg::Es256) => {
AsymmetricSigningKey::Es256(key.as_ref().into()) AsymmetricSigningKey::es256(*key.clone())
} }
(Self::EcP384(key), JsonWebSignatureAlg::Es384) => { (Self::EcP384(key), JsonWebSignatureAlg::Es384) => {
AsymmetricSigningKey::Es384(key.as_ref().into()) AsymmetricSigningKey::es384(*key.clone())
} }
(Self::EcK256(key), JsonWebSignatureAlg::Es256K) => { (Self::EcK256(key), JsonWebSignatureAlg::Es256K) => {
AsymmetricSigningKey::Es256K(key.as_ref().into()) AsymmetricSigningKey::es256k(*key.clone())
} }
_ => return Err(WrongAlgorithmError), _ => return Err(WrongAlgorithmError),
@ -565,18 +541,9 @@ impl From<&PrivateKey> for JsonWebKeyPublicParameters {
fn from(val: &PrivateKey) -> Self { fn from(val: &PrivateKey) -> Self {
match val { match val {
PrivateKey::Rsa(key) => key.to_public_key().into(), PrivateKey::Rsa(key) => key.to_public_key().into(),
PrivateKey::EcP256(key) => { PrivateKey::EcP256(key) => key.public_key().into(),
let key: ecdsa::VerifyingKey<_> = key.public_key().into(); PrivateKey::EcP384(key) => key.public_key().into(),
key.into() PrivateKey::EcK256(key) => key.public_key().into(),
}
PrivateKey::EcP384(key) => {
let key: ecdsa::VerifyingKey<_> = key.public_key().into();
key.into()
}
PrivateKey::EcK256(key) => {
let key: ecdsa::VerifyingKey<_> = key.public_key().into();
key.into()
}
} }
} }
} }