jsonwebtoken/src/crypto/rsa.rs

use ring::{rand, signature};

use crate::algorithms::Algorithm;
use crate::errors::{ErrorKind, Result};
use crate::serialization::{b64_decode, b64_encode};

/// Only used internally when validating RSA, to map from our enum to the Ring param structs.
pub(crate) fn alg_to_rsa_parameters(alg: Algorithm) -> &'static signature::RsaParameters {
    match alg {
        Algorithm::RS256 => &signature::RSA_PKCS1_2048_8192_SHA256,
        Algorithm::RS384 => &signature::RSA_PKCS1_2048_8192_SHA384,
        Algorithm::RS512 => &signature::RSA_PKCS1_2048_8192_SHA512,
        Algorithm::PS256 => &signature::RSA_PSS_2048_8192_SHA256,
        Algorithm::PS384 => &signature::RSA_PSS_2048_8192_SHA384,
        Algorithm::PS512 => &signature::RSA_PSS_2048_8192_SHA512,
        _ => unreachable!("Tried to get RSA signature for a non-rsa algorithm"),
    }
}

/// Only used internally when signing with RSA, to map from our enum to the Ring signing structs.
pub(crate) fn alg_to_rsa_signing(alg: Algorithm) -> &'static dyn signature::RsaEncoding {
    match alg {
        Algorithm::RS256 => &signature::RSA_PKCS1_SHA256,
        Algorithm::RS384 => &signature::RSA_PKCS1_SHA384,
        Algorithm::RS512 => &signature::RSA_PKCS1_SHA512,
        Algorithm::PS256 => &signature::RSA_PSS_SHA256,
        Algorithm::PS384 => &signature::RSA_PSS_SHA384,
        Algorithm::PS512 => &signature::RSA_PSS_SHA512,
        _ => unreachable!("Tried to get RSA signature for a non-rsa algorithm"),
    }
}

/// The actual RSA signing + encoding
/// The key needs to be in PKCS8 format
/// Taken from Ring doc https://briansmith.org/rustdoc/ring/signature/index.html
pub(crate) fn sign(
    alg: &'static dyn signature::RsaEncoding,
    key: &[u8],
    message: &[u8],
) -> Result<String> {
    let key_pair = signature::RsaKeyPair::from_der(key)
        .map_err(|e| ErrorKind::InvalidRsaKey(e.description_()))?;

    let mut signature = vec![0; key_pair.public_modulus_len()];
    let rng = rand::SystemRandom::new();
    key_pair.sign(alg, &rng, message, &mut signature).map_err(|_| ErrorKind::RsaFailedSigning)?;

    Ok(b64_encode(signature))
}

/// Checks that a signature is valid based on the (n, e) RSA pubkey components
pub(crate) fn verify_from_components(
    alg: &'static signature::RsaParameters,
    signature: &str,
    message: &[u8],
    components: (&[u8], &[u8]),
) -> Result<bool> {
    let signature_bytes = b64_decode(signature)?;
    let pubkey = signature::RsaPublicKeyComponents { n: components.0, e: components.1 };
    let res = pubkey.verify(alg, message, &signature_bytes);
    Ok(res.is_ok())
}
Move crypto to a dir 2019-11-08 14:00:19 -05:00			`use ring::{rand, signature};`

More refactoring in the crypto mod 2019-11-11 14:29:57 -05:00			`use crate::algorithms::Algorithm;`
Move crypto to a dir 2019-11-08 14:00:19 -05:00			`use crate::errors::{ErrorKind, Result};`
More refactoring in the crypto mod 2019-11-11 14:29:57 -05:00			`use crate::serialization::{b64_decode, b64_encode};`
Refactor decoding 2019-11-11 14:16:34 -05:00
			`/// Only used internally when validating RSA, to map from our enum to the Ring param structs.`
			`pub(crate) fn alg_to_rsa_parameters(alg: Algorithm) -> &'static signature::RsaParameters {`
			`match alg {`
			`Algorithm::RS256 => &signature::RSA_PKCS1_2048_8192_SHA256,`
			`Algorithm::RS384 => &signature::RSA_PKCS1_2048_8192_SHA384,`
			`Algorithm::RS512 => &signature::RSA_PKCS1_2048_8192_SHA512,`
			`Algorithm::PS256 => &signature::RSA_PSS_2048_8192_SHA256,`
			`Algorithm::PS384 => &signature::RSA_PSS_2048_8192_SHA384,`
			`Algorithm::PS512 => &signature::RSA_PSS_2048_8192_SHA512,`
			`_ => unreachable!("Tried to get RSA signature for a non-rsa algorithm"),`
			`}`
			`}`

More refactoring in the crypto mod 2019-11-11 14:29:57 -05:00			`/// Only used internally when signing with RSA, to map from our enum to the Ring signing structs.`
			`pub(crate) fn alg_to_rsa_signing(alg: Algorithm) -> &'static dyn signature::RsaEncoding {`
			`match alg {`
			`Algorithm::RS256 => &signature::RSA_PKCS1_SHA256,`
			`Algorithm::RS384 => &signature::RSA_PKCS1_SHA384,`
			`Algorithm::RS512 => &signature::RSA_PKCS1_SHA512,`
			`Algorithm::PS256 => &signature::RSA_PSS_SHA256,`
			`Algorithm::PS384 => &signature::RSA_PSS_SHA384,`
			`Algorithm::PS512 => &signature::RSA_PSS_SHA512,`
			`_ => unreachable!("Tried to get RSA signature for a non-rsa algorithm"),`
			`}`
			`}`
Move crypto to a dir 2019-11-08 14:00:19 -05:00
			`/// The actual RSA signing + encoding`
Add EncodingKey 2019-12-29 12:42:35 -05:00			`/// The key needs to be in PKCS8 format`
Move crypto to a dir 2019-11-08 14:00:19 -05:00			`/// Taken from Ring doc https://briansmith.org/rustdoc/ring/signature/index.html`
Refactor decoding 2019-11-11 14:16:34 -05:00			`pub(crate) fn sign(`
Move crypto to a dir 2019-11-08 14:00:19 -05:00			`alg: &'static dyn signature::RsaEncoding,`
			`key: &[u8],`
Add sign and verify on bytes (#150) 2020-11-17 08:17:40 -05:00			`message: &[u8],`
Move crypto to a dir 2019-11-08 14:00:19 -05:00			`) -> Result<String> {`
Keep RSA key error message from ring Closes #164 2021-02-19 15:04:17 -05:00			`let key_pair = signature::RsaKeyPair::from_der(key)`
			`.map_err(\|e\| ErrorKind::InvalidRsaKey(e.description_()))?;`
Move crypto to a dir 2019-11-08 14:00:19 -05:00
			`let mut signature = vec![0; key_pair.public_modulus_len()];`
			`let rng = rand::SystemRandom::new();`
Keep RSA key error message from ring Closes #164 2021-02-19 15:04:17 -05:00			`key_pair.sign(alg, &rng, message, &mut signature).map_err(\|_\| ErrorKind::RsaFailedSigning)?;`
Move crypto to a dir 2019-11-08 14:00:19 -05:00
removed unnecessary conversions (#180) * removed unnecessary conversions 2021-03-05 03:10:03 -05:00			`Ok(b64_encode(signature))`
Refactor decoding 2019-11-11 14:16:34 -05:00			`}`

Add DecodingKey 2019-12-29 15:50:06 -05:00			`/// Checks that a signature is valid based on the (n, e) RSA pubkey components`
Refactor decoding 2019-11-11 14:16:34 -05:00			`pub(crate) fn verify_from_components(`
More refactoring in the crypto mod 2019-11-11 14:29:57 -05:00			`alg: &'static signature::RsaParameters,`
Add DecodingKey 2019-12-29 15:50:06 -05:00			`signature: &str,`
Add sign and verify on bytes (#150) 2020-11-17 08:17:40 -05:00			`message: &[u8],`
Make DecodingKey own all the data Closes #120 Supersedes #128 2021-02-19 15:41:08 -05:00			`components: (&[u8], &[u8]),`
More refactoring in the crypto mod 2019-11-11 14:29:57 -05:00			`) -> Result<bool> {`
Add DecodingKey 2019-12-29 15:50:06 -05:00			`let signature_bytes = b64_decode(signature)?;`
Make DecodingKey own all the data Closes #120 Supersedes #128 2021-02-19 15:41:08 -05:00			`let pubkey = signature::RsaPublicKeyComponents { n: components.0, e: components.1 };`
Add sign and verify on bytes (#150) 2020-11-17 08:17:40 -05:00			`let res = pubkey.verify(alg, message, &signature_bytes);`
Refactor decoding 2019-11-11 14:16:34 -05:00			`Ok(res.is_ok())`
Move crypto to a dir 2019-11-08 14:00:19 -05:00			`}`