2019-12-29 12:42:35 -05:00
|
|
|
use serde::ser::Serialize;
|
|
|
|
|
2020-01-13 13:38:33 -05:00
|
|
|
use crate::algorithms::AlgorithmFamily;
|
2019-12-29 12:42:35 -05:00
|
|
|
use crate::crypto;
|
2020-01-13 13:38:33 -05:00
|
|
|
use crate::errors::{new_error, ErrorKind, Result};
|
2019-12-29 12:42:35 -05:00
|
|
|
use crate::header::Header;
|
|
|
|
use crate::pem::decoder::PemEncodedKey;
|
|
|
|
use crate::serialization::b64_encode_part;
|
|
|
|
|
|
|
|
/// A key to encode a JWT with. Can be a secret, a PEM-encoded key or a DER-encoded key.
|
2019-12-29 15:50:06 -05:00
|
|
|
/// This key can be re-used so make sure you only initialize it once if you can for better performance
|
2021-11-19 14:06:45 -05:00
|
|
|
#[derive(Clone)]
|
2020-01-02 13:40:53 -05:00
|
|
|
pub struct EncodingKey {
|
2020-01-13 13:38:33 -05:00
|
|
|
pub(crate) family: AlgorithmFamily,
|
2020-01-02 13:40:53 -05:00
|
|
|
content: Vec<u8>,
|
2019-12-29 12:42:35 -05:00
|
|
|
}
|
|
|
|
|
2020-01-02 13:40:53 -05:00
|
|
|
impl EncodingKey {
|
2020-01-13 13:38:33 -05:00
|
|
|
/// If you're using a HMAC secret that is not base64, use that.
|
2020-01-02 13:40:53 -05:00
|
|
|
pub fn from_secret(secret: &[u8]) -> Self {
|
2020-01-13 13:38:33 -05:00
|
|
|
EncodingKey { family: AlgorithmFamily::Hmac, content: secret.to_vec() }
|
|
|
|
}
|
|
|
|
|
|
|
|
/// If you have a base64 HMAC secret, use that.
|
|
|
|
pub fn from_base64_secret(secret: &str) -> Result<Self> {
|
|
|
|
let out = base64::decode(&secret)?;
|
|
|
|
Ok(EncodingKey { family: AlgorithmFamily::Hmac, content: out })
|
2019-12-29 12:42:35 -05:00
|
|
|
}
|
|
|
|
|
2019-12-29 15:50:06 -05:00
|
|
|
/// If you are loading a RSA key from a .pem file.
|
|
|
|
/// This errors if the key is not a valid RSA key.
|
2020-12-07 10:00:44 -05:00
|
|
|
///
|
|
|
|
/// # NOTE
|
|
|
|
///
|
|
|
|
/// According to the [ring doc](https://briansmith.org/rustdoc/ring/signature/struct.RsaKeyPair.html#method.from_pkcs8),
|
|
|
|
/// the key should be at least 2047 bits.
|
|
|
|
///
|
2020-01-02 13:40:53 -05:00
|
|
|
pub fn from_rsa_pem(key: &[u8]) -> Result<Self> {
|
2019-12-29 12:42:35 -05:00
|
|
|
let pem_key = PemEncodedKey::new(key)?;
|
|
|
|
let content = pem_key.as_rsa_key()?;
|
2020-01-13 13:38:33 -05:00
|
|
|
Ok(EncodingKey { family: AlgorithmFamily::Rsa, content: content.to_vec() })
|
2019-12-29 12:42:35 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
/// If you are loading a ECDSA key from a .pem file
|
|
|
|
/// This errors if the key is not a valid private EC key
|
2020-12-07 10:00:44 -05:00
|
|
|
///
|
|
|
|
/// # NOTE
|
|
|
|
///
|
|
|
|
/// The key should be in PKCS#8 form.
|
|
|
|
///
|
|
|
|
/// You can generate a key with the following:
|
|
|
|
///
|
|
|
|
/// ```sh
|
|
|
|
/// openssl ecparam -genkey -noout -name prime256v1 \
|
|
|
|
/// | openssl pkcs8 -topk8 -nocrypt -out ec-private.pem
|
|
|
|
/// ```
|
2020-01-02 13:40:53 -05:00
|
|
|
pub fn from_ec_pem(key: &[u8]) -> Result<Self> {
|
2019-12-29 12:42:35 -05:00
|
|
|
let pem_key = PemEncodedKey::new(key)?;
|
|
|
|
let content = pem_key.as_ec_private_key()?;
|
2020-01-13 13:38:33 -05:00
|
|
|
Ok(EncodingKey { family: AlgorithmFamily::Ec, content: content.to_vec() })
|
2019-12-29 12:42:35 -05:00
|
|
|
}
|
|
|
|
|
2020-11-17 08:15:17 -05:00
|
|
|
/// If you are loading a EdDSA key from a .pem file
|
|
|
|
/// This errors if the key is not a valid private Ed key
|
|
|
|
pub fn from_ed_pem(key: &[u8]) -> Result<Self> {
|
|
|
|
let pem_key = PemEncodedKey::new(key)?;
|
|
|
|
let content = pem_key.as_ed_private_key()?;
|
|
|
|
Ok(EncodingKey { family: AlgorithmFamily::Ed, content: content.to_vec() })
|
|
|
|
}
|
|
|
|
|
2020-01-13 13:38:33 -05:00
|
|
|
/// If you know what you're doing and have the DER-encoded key, for RSA only
|
|
|
|
pub fn from_rsa_der(der: &[u8]) -> Self {
|
|
|
|
EncodingKey { family: AlgorithmFamily::Rsa, content: der.to_vec() }
|
|
|
|
}
|
|
|
|
|
|
|
|
/// If you know what you're doing and have the DER-encoded key, for ECDSA
|
|
|
|
pub fn from_ec_der(der: &[u8]) -> Self {
|
|
|
|
EncodingKey { family: AlgorithmFamily::Ec, content: der.to_vec() }
|
2019-12-29 12:42:35 -05:00
|
|
|
}
|
|
|
|
|
2020-11-17 08:15:17 -05:00
|
|
|
/// If you know what you're doing and have the DER-encoded key, for EdDSA
|
|
|
|
pub fn from_ed_der(der: &[u8]) -> Self {
|
|
|
|
EncodingKey { family: AlgorithmFamily::Ed, content: der.to_vec() }
|
|
|
|
}
|
|
|
|
|
2020-01-02 13:40:53 -05:00
|
|
|
pub(crate) fn inner(&self) -> &[u8] {
|
2019-12-29 12:42:35 -05:00
|
|
|
&self.content
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Encode the header and claims given and sign the payload using the algorithm from the header and the key.
|
|
|
|
/// If the algorithm given is RSA or EC, the key needs to be in the PEM format.
|
|
|
|
///
|
|
|
|
/// ```rust
|
|
|
|
/// use serde::{Deserialize, Serialize};
|
|
|
|
/// use jsonwebtoken::{encode, Algorithm, Header, EncodingKey};
|
|
|
|
///
|
|
|
|
/// #[derive(Debug, Serialize, Deserialize)]
|
|
|
|
/// struct Claims {
|
|
|
|
/// sub: String,
|
|
|
|
/// company: String
|
|
|
|
/// }
|
|
|
|
///
|
|
|
|
/// let my_claims = Claims {
|
|
|
|
/// sub: "b@b.com".to_owned(),
|
|
|
|
/// company: "ACME".to_owned()
|
|
|
|
/// };
|
|
|
|
///
|
|
|
|
/// // my_claims is a struct that implements Serialize
|
|
|
|
/// // This will create a JWT using HS256 as algorithm
|
|
|
|
/// let token = encode(&Header::default(), &my_claims, &EncodingKey::from_secret("secret".as_ref())).unwrap();
|
|
|
|
/// ```
|
|
|
|
pub fn encode<T: Serialize>(header: &Header, claims: &T, key: &EncodingKey) -> Result<String> {
|
2020-01-13 13:38:33 -05:00
|
|
|
if key.family != header.alg.family() {
|
|
|
|
return Err(new_error(ErrorKind::InvalidAlgorithm));
|
|
|
|
}
|
2021-03-05 03:10:03 -05:00
|
|
|
let encoded_header = b64_encode_part(header)?;
|
|
|
|
let encoded_claims = b64_encode_part(claims)?;
|
|
|
|
let message = [encoded_header, encoded_claims].join(".");
|
|
|
|
let signature = crypto::sign(message.as_bytes(), key, header.alg)?;
|
2019-12-29 12:42:35 -05:00
|
|
|
|
|
|
|
Ok([message, signature].join("."))
|
|
|
|
}
|