michael/jsonwebtoken
michael
/
jsonwebtoken
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Remove Key approach in favour of &[u8] with pem

This commit is contained in:
Vincent Prouillet 2019-11-06 22:32:13 +00:00
parent a6ea8c2c1a
commit e3632b3a2c
14 changed files with 262 additions and 351 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
examples/custom_chrono.rs
View File

@ -1,5 +1,5 @@
use chrono::prelude::*;
use jsonwebtoken::{Header, Key, Validation};
use jsonwebtoken::{Header, Validation};
use serde::{Deserialize, Serialize};
const SECRET: &str = "some-secret";
@ -51,14 +51,13 @@ mod jwt_numeric_date {
let claims = Claims { sub: sub.clone(), iat, exp };
let token = encode(&Header::default(), &claims, Key::Hmac(SECRET.as_ref()))
let token = encode(&Header::default(), &claims, SECRET.as_ref())
.expect("Failed to encode claims");
assert_eq!(&token, EXPECTED_TOKEN);
let decoded =
decode::<Claims>(&token, Key::Hmac(SECRET.as_ref()), &Validation::default())
.expect("Failed to decode token");
let decoded = decode::<Claims>(&token, SECRET.as_ref(), &Validation::default())
.expect("Failed to decode token");
assert_eq!(decoded.claims, claims);
}
@ -83,12 +82,12 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
let claims = Claims { sub: sub.clone(), iat, exp };
let token = jsonwebtoken::encode(&Header::default(), &claims, Key::Hmac(SECRET.as_ref()))?;
let token = jsonwebtoken::encode(&Header::default(), &claims, SECRET.as_ref())?;
println!("serialized token: {}", &token);
let token_data =
jsonwebtoken::decode::<Claims>(&token, Key::Hmac(SECRET.as_ref()), &Validation::default())?;
jsonwebtoken::decode::<Claims>(&token, SECRET.as_ref(), &Validation::default())?;
println!("token data:\n{:#?}", &token_data);
Ok(())

19
examples/custom_header.rs
View File

@ -1,7 +1,7 @@
use serde::{Deserialize, Serialize};
use jsonwebtoken::errors::ErrorKind;
use jsonwebtoken::{decode, encode, Algorithm, Header, Key, Validation};
use jsonwebtoken::{decode, encode, Algorithm, Header, Validation};
#[derive(Debug, Serialize, Deserialize)]
struct Claims {
@ -19,20 +19,19 @@ fn main() {
header.kid = Some("signing_key".to_owned());
header.alg = Algorithm::HS512;
let token = match encode(&header, &my_claims, Key::Hmac(key)) {
let token = match encode(&header, &my_claims, key) {
Ok(t) => t,
Err(_) => panic!(), // in practice you would return the error
};
println!("{:?}", token);
let token_data =
match decode::<Claims>(&token, Key::Hmac(key), &Validation::new(Algorithm::HS512)) {
Ok(c) => c,
Err(err) => match *err.kind() {
ErrorKind::InvalidToken => panic!(), // Example on how to handle a specific error
_ => panic!(),
},
};
let token_data = match decode::<Claims>(&token, key, &Validation::new(Algorithm::HS512)) {
Ok(c) => c,
Err(err) => match *err.kind() {
ErrorKind::InvalidToken => panic!(), // Example on how to handle a specific error
_ => panic!(),
},
};
println!("{:?}", token_data.claims);
println!("{:?}", token_data.header);
}

6
examples/validation.rs
View File

@ -1,5 +1,5 @@
use jsonwebtoken::errors::ErrorKind;
use jsonwebtoken::{decode, encode, Header, Key, Validation};
use jsonwebtoken::{decode, encode, Header, Validation};
use serde::{Deserialize, Serialize};
#[derive(Debug, Serialize, Deserialize)]
@ -13,13 +13,13 @@ fn main() {
let my_claims =
Claims { sub: "b@b.com".to_owned(), company: "ACME".to_owned(), exp: 10000000000 };
let key = b"secret";
let token = match encode(&Header::default(), &my_claims, Key::Hmac(key)) {
let token = match encode(&Header::default(), &my_claims, key) {
Ok(t) => t,
Err(_) => panic!(), // in practice you would return the error
};
let validation = Validation { sub: Some("b@b.com".to_string()), ..Validation::default() };
let token_data = match decode::<Claims>(&token, Key::Hmac(key), &validation) {
let token_data = match decode::<Claims>(&token, key, &validation) {
Ok(c) => c,
Err(err) => match *err.kind() {
ErrorKind::InvalidToken => panic!("Token is invalid"), // Example on how to handle a specific error

4
src/algorithms.rs
View File

@ -1,4 +1,4 @@
use crate::errors::{new_error, Error, ErrorKind, Result};
use crate::errors::{Error, ErrorKind, Result};
use serde::{Deserialize, Serialize};
use std::str::FromStr;
@ -53,7 +53,7 @@ impl FromStr for Algorithm {
"PS384" => Ok(Algorithm::PS384),
"PS512" => Ok(Algorithm::PS512),
"RS512" => Ok(Algorithm::RS512),
_ => Err(new_error(ErrorKind::InvalidAlgorithmName)),
_ => Err(ErrorKind::InvalidAlgorithmName.into()),
}
}
}

71
src/crypto.rs
View File

@ -3,32 +3,23 @@ use ring::constant_time::verify_slices_are_equal;
use ring::{hmac, rand, signature};
use crate::algorithms::Algorithm;
use crate::errors::{new_error, ErrorKind, Result};
use crate::keys::Key;
use crate::errors::{ErrorKind, Result};
use crate::pem_decoder::PemEncodedKey;
/// The actual HS signing + encoding
fn sign_hmac(alg: hmac::Algorithm, key: Key, signing_input: &str) -> Result<String> {
let signing_key = match key {
Key::Hmac(bytes) => hmac::Key::new(alg, bytes),
_ => return Err(ErrorKind::InvalidKeyFormat.into()),
};
let digest = hmac::sign(&signing_key, signing_input.as_bytes());
fn sign_hmac(alg: hmac::Algorithm, key: &[u8], signing_input: &str) -> Result<String> {
let digest = hmac::sign(&hmac::Key::new(alg, key), signing_input.as_bytes());
Ok(base64::encode_config::<hmac::Tag>(&digest, base64::URL_SAFE_NO_PAD))
}
/// The actual ECDSA signing + encoding
fn sign_ecdsa(
alg: &'static signature::EcdsaSigningAlgorithm,
key: Key,
key: &[u8],
signing_input: &str,
) -> Result<String> {
let signing_key = match key {
Key::Pkcs8(bytes) => signature::EcdsaKeyPair::from_pkcs8(alg, bytes)?,
_ => {
return Err(new_error(ErrorKind::InvalidKeyFormat));
}
};
let pem_key = PemEncodedKey::new(key)?;
let signing_key = signature::EcdsaKeyPair::from_pkcs8(alg, pem_key.as_ec_private_key()?)?;
let rng = rand::SystemRandom::new();
let sig = signing_key.sign(&rng, signing_input.as_bytes())?;
Ok(base64::encode_config(&sig, base64::URL_SAFE_NO_PAD))
@ -38,20 +29,12 @@ fn sign_ecdsa(
/// Taken from Ring doc https://briansmith.org/rustdoc/ring/signature/index.html
fn sign_rsa(
alg: &'static dyn signature::RsaEncoding,
key: Key,
key: &[u8],
signing_input: &str,
) -> Result<String> {
let key_pair = match key {
Key::Der(bytes) => {
signature::RsaKeyPair::from_der(bytes).map_err(|_| ErrorKind::InvalidRsaKey)?
}
Key::Pkcs8(bytes) => {
signature::RsaKeyPair::from_pkcs8(bytes).map_err(|_| ErrorKind::InvalidRsaKey)?
}
_ => {
return Err(ErrorKind::InvalidKeyFormat.into());
}
};
let pem_key = PemEncodedKey::new(key)?;
let key_pair = signature::RsaKeyPair::from_der(pem_key.as_rsa_key()?)
.map_err(|_| ErrorKind::InvalidRsaKey)?;
let mut signature = vec![0; key_pair.public_modulus_len()];
let rng = rand::SystemRandom::new();
@ -66,7 +49,7 @@ fn sign_rsa(
/// the base64 url safe encoded of the result.
///
/// Only use this function if you want to do something other than JWT.
pub fn sign(signing_input: &str, key: Key, algorithm: Algorithm) -> Result<String> {
pub fn sign(signing_input: &str, key: &[u8], algorithm: Algorithm) -> Result<String> {
match algorithm {
Algorithm::HS256 => sign_hmac(hmac::HMAC_SHA256, key, signing_input),
Algorithm::HS384 => sign_hmac(hmac::HMAC_SHA384, key, signing_input),
@ -107,36 +90,20 @@ fn verify_ring_es(
alg: &'static dyn signature::VerificationAlgorithm,
signature: &str,
signing_input: &str,
key: Key,
key: &[u8],
) -> Result<bool> {
let bytes = match key {
Key::Pkcs8(bytes) => bytes,
_ => {
return Err(ErrorKind::InvalidKeyFormat.into());
}
};
verify_ring(alg, signature, signing_input, bytes)
let pem_key = PemEncodedKey::new(key)?;
verify_ring(alg, signature, signing_input, pem_key.as_ec_public_key()?)
}
fn verify_ring_rsa(
alg: &'static signature::RsaParameters,
signature: &str,
signing_input: &str,
key: Key,
key: &[u8],
) -> Result<bool> {
match key {
Key::Der(bytes) | Key::Pkcs8(bytes) => verify_ring(alg, signature, signing_input, bytes),
Key::ModulusExponent(n, e) => {
let public_key = signature::RsaPublicKeyComponents { n, e };
let signature_bytes = base64::decode_config(signature, base64::URL_SAFE_NO_PAD)?;
let res = public_key.verify(alg, signing_input.as_bytes(), &signature_bytes);
Ok(res.is_ok())
}
_ => Err(ErrorKind::InvalidKeyFormat.into()),
}
let pem_key = PemEncodedKey::new(key)?;
verify_ring(alg, signature, signing_input, pem_key.as_rsa_key()?)
}
/// Compares the signature given with a re-computed signature for HMAC or using the public key
@ -150,7 +117,7 @@ fn verify_ring_rsa(
pub fn verify(
signature: &str,
signing_input: &str,
key: Key,
key: &[u8],
algorithm: Algorithm,
) -> Result<bool> {
match algorithm {

10
src/errors.rs
View File

@ -92,11 +92,12 @@ impl StdError for Error {
ErrorKind::ImmatureSignature => "immature signature",
ErrorKind::InvalidAlgorithm => "algorithms don't match",
ErrorKind::InvalidAlgorithmName => "not a known algorithm",
ErrorKind::InvalidKeyFormat => "invalid key format",
ErrorKind::__Nonexhaustive => "unknown error",
ErrorKind::Base64(ref err) => err.description(),
ErrorKind::Json(ref err) => err.description(),
ErrorKind::Utf8(ref err) => err.description(),
ErrorKind::Crypto(ref err) => err.description(),
_ => unreachable!(),
}
}
@ -113,11 +114,12 @@ impl StdError for Error {
ErrorKind::ImmatureSignature => None,
ErrorKind::InvalidAlgorithm => None,
ErrorKind::InvalidAlgorithmName => None,
ErrorKind::InvalidKeyFormat => None,
ErrorKind::__Nonexhaustive => None,
ErrorKind::Base64(ref err) => Some(err),
ErrorKind::Json(ref err) => Some(err),
ErrorKind::Utf8(ref err) => Some(err),
ErrorKind::Crypto(ref err) => Some(err),
_ => unreachable!(),
}
}
}
@ -135,11 +137,13 @@ impl fmt::Display for Error {
| ErrorKind::InvalidSubject
| ErrorKind::ImmatureSignature
| ErrorKind::InvalidAlgorithm
| ErrorKind::InvalidKeyFormat
| ErrorKind::InvalidAlgorithmName => write!(f, "{}", self.description()),
ErrorKind::Json(ref err) => write!(f, "JSON error: {}", err),
ErrorKind::Utf8(ref err) => write!(f, "UTF-8 error: {}", err),
ErrorKind::Crypto(ref err) => write!(f, "Crypto error: {}", err),
_ => unreachable!(),
ErrorKind::Base64(ref err) => write!(f, "Base64 error: {}", err),
ErrorKind::__Nonexhaustive => write!(f, "Unknown error"),
}
}
}

16
src/keys.rs
View File

@ -1,16 +0,0 @@
/// The supported RSA key formats, see the documentation for ring::signature::RsaKeyPair
/// for more information
#[derive(Debug, PartialEq)]
pub enum Key<'a> {
/// An unencrypted PKCS#8-encoded key. Can be used with both ECDSA and RSA
/// algorithms when signing. See ring for information.
Pkcs8(&'a [u8]),
/// A binary DER-encoded ASN.1 key. Can only be used with RSA algorithms
/// when signing. See ring for more information
Der(&'a [u8]),
/// This is not a key format, but provided for convenience since HMAC is
/// a supported signing algorithm.
Hmac(&'a [u8]),
/// A Modulus/exponent for a RSA public key
ModulusExponent(&'a [u8], &'a [u8]),
}

36
src/lib.rs
View File

@ -8,7 +8,6 @@ mod crypto;
/// All the errors
pub mod errors;
mod header;
mod keys;
mod pem_decoder;
mod pem_encoder;
mod serialization;
@ -17,8 +16,6 @@ mod validation;
pub use algorithms::Algorithm;
pub use crypto::{sign, verify};
pub use header::Header;
pub use keys::Key;
pub use pem_decoder::PemEncodedKey;
pub use serialization::TokenData;
pub use validation::Validation;
@ -49,9 +46,9 @@ use crate::validation::validate;
///
/// // my_claims is a struct that implements Serialize
/// // This will create a JWT using HS256 as algorithm
/// let token = encode(&Header::default(), &my_claims, Key::Hmac("secret".as_ref())).unwrap();
/// let token = encode(&Header::default(), &my_claims, "secret".as_ref()).unwrap();
/// ```
pub fn encode<T: Serialize>(header: &Header, claims: &T, key: Key) -> Result<String> {
pub fn encode<T: Serialize>(header: &Header, claims: &T, key: &[u8]) -> Result<String> {
let encoded_header = encode_part(&header)?;
let encoded_claims = encode_part(&claims)?;
let signing_input = [encoded_header.as_ref(), encoded_claims.as_ref()].join(".");
@ -93,7 +90,7 @@ macro_rules! expect_two {
/// ```
pub fn decode<T: DeserializeOwned>(
token: &str,
key: Key,
key: &[u8],
validation: &Validation,
) -> Result<TokenData<T>> {
let (signature, signing_input) = expect_two!(token.rsplitn(2, '.'));
@ -160,33 +157,6 @@ pub fn decode_header(token: &str) -> Result<Header> {
Header::from_encoded(header)
}
/// Decode a PEM string to obtain its key
///
/// This must be a tagged PEM encoded key, tags start with `-----BEGIN ..-----`
/// and end with a `-----END ..-----`
///
/// ```rust
/// use jsonwebtoken::{decode_pem, sign, verify, Algorithm};
///
/// let pem_content = "-----BEGIN PRIVATE KEY-----
/// MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgWTFfCGljY6aw3Hrt
/// kHmPRiazukxPLb6ilpRAewjW8nihRANCAATDskChT+Altkm9X7MI69T3IUmrQU0L
/// 950IxEzvw/x5BMEINRMrXLBJhqzO9Bm+d6JbqA21YQmd1Kt4RzLJR1W+
/// -----END PRIVATE KEY-----";
///
/// // First use decode_pem from jsonwebtoken
/// let privkey_pem = decode_pem(pem_content).unwrap();
/// // If it decodes Ok, then you can start using it with a given algorithm
/// let privkey = privkey_pem.as_key().unwrap();
///
/// // When using the as_key function, you do not need to wrap in Key::Der or Key::Pkcs8
/// // The same code can be used for public keys too.
/// let encrypted = sign("hello world", privkey, Algorithm::ES256).unwrap();
/// ```
pub fn decode_pem(content: &str) -> Result<PemEncodedKey> {
PemEncodedKey::read(content)
}
/// TODO
pub fn encode_rsa_public_pkcs1_pem(modulus: &[u8], exponent: &[u8]) -> Result<String> {
pem_encoder::encode_rsa_public_pkcs1_pem(modulus, exponent)

63
src/pem_decoder.rs
View File

@ -1,5 +1,4 @@
use crate::errors::{ErrorKind, Result};
use crate::keys::Key;
extern crate pem;
extern crate simple_asn1;
@ -9,10 +8,10 @@ use simple_asn1::{BigUint, OID};
/// Supported PEM files for EC and RSA Public and Private Keys
#[derive(Debug, PartialEq)]
enum PemType {
EcPublicKey,
EcPrivateKey,
RsaPublicKey,
RsaPrivateKey,
EcPublic,
EcPrivate,
RsaPublic,
RsaPrivate,
}
#[derive(Debug, PartialEq)]
@ -42,7 +41,7 @@ enum Classification {
/// PKCS#1: https://tools.ietf.org/html/rfc8017
/// PKCS#8: https://tools.ietf.org/html/rfc5958
#[derive(Debug)]
pub struct PemEncodedKey {
pub(crate) struct PemEncodedKey {
content: Vec<u8>,
asn1: Vec<simple_asn1::ASN1Block>,
pem_type: PemType,
@ -51,7 +50,7 @@ pub struct PemEncodedKey {
impl PemEncodedKey {
/// Read the PEM file for later key use
pub fn read(input: &str) -> Result<PemEncodedKey> {
pub fn new(input: &[u8]) -> Result<PemEncodedKey> {
match pem::parse(input) {
Ok(content) => {
let pem_contents = content.contents;
@ -65,13 +64,13 @@ impl PemEncodedKey {
"RSA PRIVATE KEY" => Ok(PemEncodedKey {
content: pem_contents,
asn1: asn1_content,
pem_type: PemType::RsaPrivateKey,
pem_type: PemType::RsaPrivate,
standard: Standard::Pkcs1,
}),
"RSA PUBLIC KEY" => Ok(PemEncodedKey {
content: pem_contents,
asn1: asn1_content,
pem_type: PemType::RsaPublicKey,
pem_type: PemType::RsaPublic,
standard: Standard::Pkcs1,
}),
@ -86,16 +85,16 @@ impl PemEncodedKey {
let pem_type = match c {
Classification::Ec => {
if is_private {
PemType::EcPrivateKey
PemType::EcPrivate
} else {
PemType::EcPublicKey
PemType::EcPublic
}
}
Classification::Rsa => {
if is_private {
PemType::RsaPrivateKey
PemType::RsaPrivate
} else {
PemType::RsaPublicKey
PemType::RsaPublic
}
}
};
@ -117,18 +116,36 @@ impl PemEncodedKey {
}
}
/// This will do the initial parsing of a PEM file.
/// Supported tagged pems include "RSA PRIVATE KEY", "RSA PUBLIC KEY",
/// "PRIVATE KEY", "PUBLIC KEY"
/// PEMs with multiple tagged portions are not supported
pub fn as_key(&self) -> Result<Key<'_>> {
/// Can only be PKCS8
pub fn as_ec_private_key(&self) -> Result<&[u8]> {
match self.standard {
Standard::Pkcs1 => Ok(Key::Der(self.content.as_slice())),
Standard::Pkcs1 => Err(ErrorKind::InvalidKeyFormat.into()),
Standard::Pkcs8 => match self.pem_type {
PemType::RsaPrivateKey => Ok(Key::Der(extract_first_bitstring(&self.asn1)?)),
PemType::RsaPublicKey => Ok(Key::Der(extract_first_bitstring(&self.asn1)?)),
PemType::EcPrivateKey => Ok(Key::Pkcs8(self.content.as_slice())),
PemType::EcPublicKey => Ok(Key::Pkcs8(extract_first_bitstring(&self.asn1)?)),
PemType::EcPrivate => Ok(self.content.as_slice()),
_ => Err(ErrorKind::InvalidKeyFormat.into()),
},
}
}
/// Can only be PKCS8
pub fn as_ec_public_key(&self) -> Result<&[u8]> {
match self.standard {
Standard::Pkcs1 => Err(ErrorKind::InvalidKeyFormat.into()),
Standard::Pkcs8 => match self.pem_type {
PemType::EcPublic => extract_first_bitstring(&self.asn1),
_ => Err(ErrorKind::InvalidKeyFormat.into()),
},
}
}
/// Can be PKCS1 or PKCS8
pub fn as_rsa_key(&self) -> Result<&[u8]> {
match self.standard {
Standard::Pkcs1 => Ok(self.content.as_slice()),
Standard::Pkcs8 => match self.pem_type {
PemType::RsaPrivate => extract_first_bitstring(&self.asn1),
PemType::RsaPublic => extract_first_bitstring(&self.asn1),
_ => Err(ErrorKind::InvalidKeyFormat.into()),
},
}
}

190
src/pem_encoder.rs
View File

@ -99,102 +99,100 @@ fn encode_ec_public_asn1(x: &[u8]) -> ASN1Block {
#[cfg(test)]
mod tests {
use super::*;
use crate::decode_pem;
use crate::keys::Key;
use ring::{signature, signature::KeyPair};
#[test]
fn public_key_encoding_pkcs1() {
let privkey_pem =
decode_pem(include_str!("../tests/rsa/private_rsa_key_pkcs8.pem")).unwrap();
let privkey = privkey_pem.as_key().unwrap();
let ring_key = signature::RsaKeyPair::from_der(match privkey {
Key::Der(bytes) => bytes,
_ => panic!("Unexpected"),
})
.unwrap();
let mut modulus = vec![0];
modulus.extend(ring_key.public_key().modulus().big_endian_without_leading_zero());
let exponent = ring_key.public_key().exponent();
let public_key_pkcs1_pem = encode_rsa_public_pkcs1_pem(
modulus.as_ref(),
exponent.big_endian_without_leading_zero(),
)
.unwrap();
assert_eq!(
include_str!("../tests/rsa/public_rsa_key_pkcs1.pem").trim(),
public_key_pkcs1_pem.replace('\r', "").trim()
);
let public_key_pkcs1_der = encode_rsa_public_pkcs1_der(
modulus.as_ref(),
exponent.big_endian_without_leading_zero(),
)
.unwrap();
assert_eq!(
include_bytes!("../tests/rsa/public_rsa_key.der").to_vec(),
public_key_pkcs1_der
);
}
#[test]
fn public_key_encoding_pkcs8() {
let privkey_pem =
decode_pem(include_str!("../tests/rsa/private_rsa_key_pkcs8.pem")).unwrap();
let privkey = privkey_pem.as_key().unwrap();
let ring_key = signature::RsaKeyPair::from_der(match privkey {
Key::Der(bytes) => bytes,
_ => panic!("Unexpected"),
})
.unwrap();
let mut modulus = vec![0];
modulus.extend(ring_key.public_key().modulus().big_endian_without_leading_zero());
let exponent = ring_key.public_key().exponent();
let public_key_pkcs8 = encode_rsa_public_pkcs8_pem(
modulus.as_ref(),
exponent.big_endian_without_leading_zero(),
)
.unwrap();
assert_eq!(
include_str!("../tests/rsa/public_rsa_key_pkcs8.pem").trim(),
public_key_pkcs8.replace('\r', "").trim()
);
}
#[test]
fn public_key_encoding() {
let privkey_pem = decode_pem(include_str!("../tests/ec/private_ecdsa_key.pem")).unwrap();
let privkey = privkey_pem.as_key().unwrap();
let alg = &signature::ECDSA_P256_SHA256_FIXED_SIGNING;
let ring_key = signature::EcdsaKeyPair::from_pkcs8(
alg,
match privkey {
Key::Pkcs8(bytes) => bytes,
_ => panic!("Unexpected"),
},
)
.unwrap();
let public_key_pem = encode_ec_public_pem(ring_key.public_key().as_ref()).unwrap();
assert_eq!(
include_str!("../tests/ec/public_ecdsa_key.pem").trim(),
public_key_pem.replace('\r', "").trim()
);
let public_key_der = encode_ec_public_der(ring_key.public_key().as_ref()).unwrap();
// The stored ".pk8" key is just the x coordinate of the EC key
// It's not truly a pkcs8 formatted DER
// To get around that, a prepended binary specifies the EC key, EC name,
// and X coordinate length. The length is unlikely to change.. in the
// event that it does, look at the pem file (convert base64 to hex) and find
// where 0x03, 0x42 don't match up. 0x42 is the length.
let mut stored_pk8_der = vec![
0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06,
0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00,
];
stored_pk8_der.extend(include_bytes!("../tests/ec/public_ecdsa_key.pk8").to_vec());
assert_eq!(stored_pk8_der, public_key_der);
}
// #[test]
// fn public_key_encoding_pkcs1() {
// let privkey_pem =
// decode_pem(include_str!("../tests/rsa/private_rsa_key_pkcs8.pem")).unwrap();
// let privkey = privkey_pem.as_key().unwrap();
// let ring_key = signature::RsaKeyPair::from_der(match privkey {
// Key::Der(bytes) => bytes,
// _ => panic!("Unexpected"),
// })
// .unwrap();
// let mut modulus = vec![0];
// modulus.extend(ring_key.public_key().modulus().big_endian_without_leading_zero());
// let exponent = ring_key.public_key().exponent();
//
// let public_key_pkcs1_pem = encode_rsa_public_pkcs1_pem(
// modulus.as_ref(),
// exponent.big_endian_without_leading_zero(),
// )
// .unwrap();
// assert_eq!(
// include_str!("../tests/rsa/public_rsa_key_pkcs1.pem").trim(),
// public_key_pkcs1_pem.replace('\r', "").trim()
// );
//
// let public_key_pkcs1_der = encode_rsa_public_pkcs1_der(
// modulus.as_ref(),
// exponent.big_endian_without_leading_zero(),
// )
// .unwrap();
// assert_eq!(
// include_bytes!("../tests/rsa/public_rsa_key.der").to_vec(),
// public_key_pkcs1_der
// );
// }
//
// #[test]
// fn public_key_encoding_pkcs8() {
// let privkey_pem =
// decode_pem(include_str!("../tests/rsa/private_rsa_key_pkcs8.pem")).unwrap();
// let privkey = privkey_pem.as_key().unwrap();
// let ring_key = signature::RsaKeyPair::from_der(match privkey {
// Key::Der(bytes) => bytes,
// _ => panic!("Unexpected"),
// })
// .unwrap();
// let mut modulus = vec![0];
// modulus.extend(ring_key.public_key().modulus().big_endian_without_leading_zero());
// let exponent = ring_key.public_key().exponent();
//
// let public_key_pkcs8 = encode_rsa_public_pkcs8_pem(
// modulus.as_ref(),
// exponent.big_endian_without_leading_zero(),
// )
// .unwrap();
// assert_eq!(
// include_str!("../tests/rsa/public_rsa_key_pkcs8.pem").trim(),
// public_key_pkcs8.replace('\r', "").trim()
// );
// }
//
// #[test]
// fn public_key_encoding() {
// let privkey_pem = decode_pem(include_str!("../tests/ec/private_ecdsa_key.pem")).unwrap();
// let privkey = privkey_pem.as_key().unwrap();
// let alg = &signature::ECDSA_P256_SHA256_FIXED_SIGNING;
// let ring_key = signature::EcdsaKeyPair::from_pkcs8(
// alg,
// match privkey {
// Key::Pkcs8(bytes) => bytes,
// _ => panic!("Unexpected"),
// },
// )
// .unwrap();
//
// let public_key_pem = encode_ec_public_pem(ring_key.public_key().as_ref()).unwrap();
// assert_eq!(
// include_str!("../tests/ec/public_ecdsa_key.pem").trim(),
// public_key_pem.replace('\r', "").trim()
// );
//
// let public_key_der = encode_ec_public_der(ring_key.public_key().as_ref()).unwrap();
// // The stored ".pk8" key is just the x coordinate of the EC key
// // It's not truly a pkcs8 formatted DER
// // To get around that, a prepended binary specifies the EC key, EC name,
// // and X coordinate length. The length is unlikely to change.. in the
// // event that it does, look at the pem file (convert base64 to hex) and find
// // where 0x03, 0x42 don't match up. 0x42 is the length.
// let mut stored_pk8_der = vec![
// 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06,
// 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00,
// ];
// stored_pk8_der.extend(include_bytes!("../tests/ec/public_ecdsa_key.pk8").to_vec());
// assert_eq!(stored_pk8_der, public_key_der);
// }
}

3
src/serialization.rs
View File

@ -22,7 +22,8 @@ pub fn encode_part<T: Serialize>(input: &T) -> Result<String> {
Ok(base64::encode_config(json.as_bytes(), base64::URL_SAFE_NO_PAD))
}
/// Decodes from base64 and deserializes from JSON to a struct AND a hashmap
/// Decodes from base64 and deserializes from JSON to a struct AND a hashmap of Value so we can
/// run validation on it
pub fn from_jwt_part_claims<B: AsRef<str>, T: DeserializeOwned>(
encoded: B,
) -> Result<(T, Map<String, Value>)> {

35
tests/ec/mod.rs
View File

@ -1,5 +1,5 @@
use chrono::Utc;
use jsonwebtoken::{decode, decode_pem, encode, sign, verify, Algorithm, Header, Key, Validation};
use jsonwebtoken::{decode, encode, sign, verify, Algorithm, Header, Validation};
use serde::{Deserialize, Serialize};
#[derive(Debug, PartialEq, Clone, Serialize, Deserialize)]
@ -9,22 +9,21 @@ pub struct Claims {
exp: i64,
}
#[test]
fn round_trip_sign_verification_pk8() {
let privkey = include_bytes!("private_ecdsa_key.pk8");
let encrypted = sign("hello world", Key::Pkcs8(&privkey[..]), Algorithm::ES256).unwrap();
let pubkey = include_bytes!("public_ecdsa_key.pk8");
let is_valid = verify(&encrypted, "hello world", Key::Pkcs8(pubkey), Algorithm::ES256).unwrap();
assert!(is_valid);
}
// TODO: remove completely?
//#[test]
//fn round_trip_sign_verification_pk8() {
// let privkey = include_bytes!("private_ecdsa_key.pk8");
// let encrypted = sign("hello world", privkey, Algorithm::ES256).unwrap();
// let pubkey = include_bytes!("public_ecdsa_key.pk8");
// let is_valid = verify(&encrypted, "hello world", pubkey, Algorithm::ES256).unwrap();
// assert!(is_valid);
//}
#[test]
fn round_trip_sign_verification_pem() {
let privkey_pem = decode_pem(include_str!("private_ecdsa_key.pem")).unwrap();
let privkey = privkey_pem.as_key().unwrap();
let privkey = include_bytes!("private_ecdsa_key.pem");
let encrypted = sign("hello world", privkey, Algorithm::ES256).unwrap();
let pubkey_pem = decode_pem(include_str!("public_ecdsa_key.pem")).unwrap();
let pubkey = pubkey_pem.as_key().unwrap();
let pubkey = include_bytes!("public_ecdsa_key.pem");
let is_valid = verify(&encrypted, "hello world", pubkey, Algorithm::ES256).unwrap();
assert!(is_valid);
}
@ -36,12 +35,10 @@ fn round_trip_claim() {
company: "ACME".to_string(),
exp: Utc::now().timestamp() + 10000,
};
let privkey = include_bytes!("private_ecdsa_key.pk8");
let token =
encode(&Header::new(Algorithm::ES256), &my_claims, Key::Pkcs8(&privkey[..])).unwrap();
let pubkey = include_bytes!("public_ecdsa_key.pk8");
let token_data =
decode::<Claims>(&token, Key::Pkcs8(pubkey), &Validation::new(Algorithm::ES256)).unwrap();
let privkey = include_bytes!("private_ecdsa_key.pem");
let token = encode(&Header::new(Algorithm::ES256), &my_claims, privkey).unwrap();
let pubkey = include_bytes!("public_ecdsa_key.pem");
let token_data = decode::<Claims>(&token, pubkey, &Validation::new(Algorithm::ES256)).unwrap();
assert_eq!(my_claims, token_data.claims);
assert!(token_data.header.kid.is_none());
}

26
tests/hmac.rs
View File

@ -1,6 +1,6 @@
use chrono::Utc;
use jsonwebtoken::{
dangerous_unsafe_decode, decode, decode_header, encode, sign, verify, Algorithm, Header, Key,
dangerous_unsafe_decode, decode, decode_header, encode, sign, verify, Algorithm, Header,
Validation,
};
use serde::{Deserialize, Serialize};
@ -14,7 +14,7 @@ pub struct Claims {
#[test]
fn sign_hs256() {
let result = sign("hello world", Key::Hmac(b"secret"), Algorithm::HS256).unwrap();
let result = sign("hello world", b"secret", Algorithm::HS256).unwrap();
let expected = "c0zGLzKEFWj0VxWuufTXiRMk5tlI5MbGDAYhzaxIYjo";
assert_eq!(result, expected);
}
@ -22,7 +22,7 @@ fn sign_hs256() {
#[test]
fn verify_hs256() {
let sig = "c0zGLzKEFWj0VxWuufTXiRMk5tlI5MbGDAYhzaxIYjo";
let valid = verify(sig, "hello world", Key::Hmac(b"secret"), Algorithm::HS256).unwrap();
let valid = verify(sig, "hello world", b"secret", Algorithm::HS256).unwrap();
assert!(valid);
}
@ -35,9 +35,8 @@ fn encode_with_custom_header() {
};
let mut header = Header::default();
header.kid = Some("kid".to_string());
let token = encode(&header, &my_claims, Key::Hmac(b"secret")).unwrap();
let token_data =
decode::<Claims>(&token, Key::Hmac(b"secret"), &Validation::default()).unwrap();
let token = encode(&header, &my_claims, b"secret").unwrap();
let token_data = decode::<Claims>(&token, b"secret", &Validation::default()).unwrap();
assert_eq!(my_claims, token_data.claims);
assert_eq!("kid", token_data.header.kid.unwrap());
}
@ -49,9 +48,8 @@ fn round_trip_claim() {
company: "ACME".to_string(),
exp: Utc::now().timestamp() + 10000,
};
let token = encode(&Header::default(), &my_claims, Key::Hmac(b"secret")).unwrap();
let token_data =
decode::<Claims>(&token, Key::Hmac(b"secret"), &Validation::default()).unwrap();
let token = encode(&Header::default(), &my_claims, b"secret").unwrap();
let token_data = decode::<Claims>(&token, b"secret", &Validation::default()).unwrap();
assert_eq!(my_claims, token_data.claims);
assert!(token_data.header.kid.is_none());
}
@ -59,7 +57,7 @@ fn round_trip_claim() {
#[test]
fn decode_token() {
let token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiQGIuY29tIiwiY29tcGFueSI6IkFDTUUiLCJleHAiOjI1MzI1MjQ4OTF9.9r56oF7ZliOBlOAyiOFperTGxBtPykRQiWNFxhDCW98";
let claims = decode::<Claims>(token, Key::Hmac(b"secret"), &Validation::default());
let claims = decode::<Claims>(token, b"secret", &Validation::default());
println!("{:?}", claims);
claims.unwrap();
}
@ -68,7 +66,7 @@ fn decode_token() {
#[should_panic(expected = "InvalidToken")]
fn decode_token_missing_parts() {
let token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9";
let claims = decode::<Claims>(token, Key::Hmac(b"secret"), &Validation::default());
let claims = decode::<Claims>(token, b"secret", &Validation::default());
claims.unwrap();
}
@ -77,7 +75,7 @@ fn decode_token_missing_parts() {
fn decode_token_invalid_signature() {
let token =
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiQGIuY29tIiwiY29tcGFueSI6IkFDTUUifQ.wrong";
let claims = decode::<Claims>(token, Key::Hmac(b"secret"), &Validation::default());
let claims = decode::<Claims>(token, b"secret", &Validation::default());
claims.unwrap();
}
@ -85,14 +83,14 @@ fn decode_token_invalid_signature() {
#[should_panic(expected = "InvalidAlgorithm")]
fn decode_token_wrong_algorithm() {
let token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiQGIuY29tIiwiY29tcGFueSI6IkFDTUUifQ.I1BvFoHe94AFf09O6tDbcSB8-jp8w6xZqmyHIwPeSdY";
let claims = decode::<Claims>(token, Key::Hmac(b"secret"), &Validation::new(Algorithm::RS512));
let claims = decode::<Claims>(token, b"secret", &Validation::new(Algorithm::RS512));
claims.unwrap();
}
#[test]
fn decode_token_with_bytes_secret() {
let token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJiQGIuY29tIiwiY29tcGFueSI6IkFDTUUiLCJleHAiOjI1MzI1MjQ4OTF9.Hm0yvKH25TavFPz7J_coST9lZFYH1hQo0tvhvImmaks";
let claims = decode::<Claims>(token, Key::Hmac(b"\x01\x02\x03"), &Validation::default());
let claims = decode::<Claims>(token, b"\x01\x02\x03", &Validation::default());
assert!(claims.is_ok());
}

121
tests/rsa/mod.rs
View File

@ -1,5 +1,5 @@
use chrono::Utc;
use jsonwebtoken::{decode, decode_pem, encode, sign, verify, Algorithm, Header, Key, Validation};
use jsonwebtoken::{decode, encode, sign, verify, Algorithm, Header, Validation};
use serde::{Deserialize, Serialize};
const RSA_ALGORITHMS: &[Algorithm] = &[
@ -18,42 +18,26 @@ pub struct Claims {
exp: i64,
}
#[test]
fn round_trip_sign_verification_der() {
let privkey = include_bytes!("private_rsa_key.der");
for &alg in RSA_ALGORITHMS {
let encrypted = sign("hello world", Key::Der(&privkey[..]), alg).unwrap();
let is_valid =
verify(&encrypted, "hello world", Key::Der(include_bytes!("public_rsa_key.der")), alg)
.unwrap();
assert!(is_valid);
}
}
#[test]
fn round_trip_sign_verification_pem_pkcs1() {
let privkey_pem = decode_pem(include_str!("private_rsa_key_pkcs1.pem")).unwrap();
let pubkey_pem = decode_pem(include_str!("public_rsa_key_pkcs1.pem")).unwrap();
let privkey_pem = include_bytes!("private_rsa_key_pkcs1.pem");
let pubkey_pem = include_bytes!("public_rsa_key_pkcs1.pem");
for &alg in RSA_ALGORITHMS {
let privkey_key = privkey_pem.as_key().unwrap();
let pubkey_key = pubkey_pem.as_key().unwrap();
let encrypted = sign("hello world", privkey_key, alg).unwrap();
let is_valid = verify(&encrypted, "hello world", pubkey_key, alg).unwrap();
let encrypted = sign("hello world", privkey_pem, alg).unwrap();
let is_valid = verify(&encrypted, "hello world", pubkey_pem, alg).unwrap();
assert!(is_valid);
}
}
#[test]
fn round_trip_sign_verification_pem_pkcs8() {
let privkey_pem = decode_pem(include_str!("private_rsa_key_pkcs8.pem")).unwrap();
let pubkey_pem = decode_pem(include_str!("public_rsa_key_pkcs8.pem")).unwrap();
let privkey_pem = include_bytes!("private_rsa_key_pkcs8.pem");
let pubkey_pem = include_bytes!("public_rsa_key_pkcs8.pem");
for &alg in RSA_ALGORITHMS {
let privkey_key = privkey_pem.as_key().unwrap();
let pubkey_key = pubkey_pem.as_key().unwrap();
let encrypted = sign("hello world", privkey_key, alg).unwrap();
let is_valid = verify(&encrypted, "hello world", pubkey_key, alg).unwrap();
let encrypted = sign("hello world", privkey_pem, alg).unwrap();
let is_valid = verify(&encrypted, "hello world", pubkey_pem, alg).unwrap();
assert!(is_valid);
}
}
@ -65,13 +49,13 @@ fn round_trip_claim() {
company: "ACME".to_string(),
exp: Utc::now().timestamp() + 10000,
};
let privkey = include_bytes!("private_rsa_key.der");
let privkey = include_bytes!("private_rsa_key_pkcs1.pem");
for &alg in RSA_ALGORITHMS {
let token = encode(&Header::new(alg), &my_claims, Key::Der(&privkey[..])).unwrap();
let token = encode(&Header::new(alg), &my_claims, privkey).unwrap();
let token_data = decode::<Claims>(
&token,
Key::Der(include_bytes!("public_rsa_key.der")),
include_bytes!("public_rsa_key_pkcs1.pem"),
&Validation::new(alg),
)
.unwrap();
@ -80,52 +64,45 @@ fn round_trip_claim() {
}
}
#[test]
#[should_panic(expected = "InvalidRsaKey")]
fn fails_with_different_key_format() {
let privkey = include_bytes!("private_rsa_key.der");
sign("hello world", Key::Pkcs8(&privkey[..]), Algorithm::RS256).unwrap();
}
#[test]
fn rsa_modulus_exponent() {
let modulus: Vec<u8> = vec![
0xc9, 0x11, 0x3a, 0xac, 0x7b, 0x8d, 0x47, 0x44, 0x1b, 0x1c, 0xed, 0xc7, 0xdc, 0xab, 0x76,
0xa4, 0xe2, 0x86, 0x56, 0x14, 0x2a, 0x19, 0x95, 0xc8, 0x9c, 0xe7, 0x6e, 0x40, 0xdc, 0x57,
0xce, 0xe2, 0xa5, 0xbd, 0x04, 0xcb, 0x51, 0x3b, 0xf8, 0x97, 0x8b, 0x20, 0x82, 0x1e, 0x7f,
0x09, 0x86, 0x22, 0xfd, 0xcb, 0xc8, 0xf9, 0x25, 0xd5, 0x4f, 0xd9, 0x0f, 0x59, 0x22, 0x97,
0xc4, 0x95, 0xc1, 0x5d, 0xdf, 0xf8, 0x2e, 0x4b, 0xdc, 0x3e, 0xe5, 0x1a, 0x90, 0x1a, 0x00,
0x91, 0xf8, 0x7e, 0x7a, 0x21, 0x55, 0x32, 0x1d, 0x95, 0xad, 0x4c, 0x96, 0xca, 0x3d, 0xcc,
0x16, 0x5d, 0x07, 0x4d, 0x51, 0x7d, 0x2b, 0x04, 0x57, 0x2c, 0x07, 0x30, 0x91, 0x11, 0x22,
0x4b, 0x79, 0xe9, 0x4e, 0x11, 0xd1, 0xc8, 0x8c, 0x6e, 0xcb, 0x46, 0x4c, 0x79, 0x97, 0xf1,
0x54, 0xbe, 0x5a, 0xac, 0xc8, 0x70, 0xd5, 0x24, 0x44, 0x2c, 0x1f, 0x07, 0xa0, 0x67, 0xc6,
0xfc, 0x0b, 0x47, 0xf3, 0xd0, 0x48, 0x13, 0xd8, 0xc3, 0x04, 0x76, 0x7d, 0x74, 0xb7, 0xa5,
0x2b, 0xd6, 0xb5, 0xf3, 0x8c, 0xc0, 0x7f, 0xc2, 0xf0, 0xa0, 0xf2, 0xf1, 0xbc, 0x96, 0xf7,
0x22, 0x5e, 0x67, 0x9d, 0xca, 0x8f, 0x71, 0x27, 0xca, 0x0c, 0x3a, 0x1d, 0x30, 0x50, 0x48,
0x31, 0xce, 0x25, 0x43, 0x30, 0xca, 0x2f, 0x98, 0x2f, 0x9a, 0x25, 0xcb, 0x5c, 0x1d, 0x40,
0x18, 0xb9, 0xbc, 0x28, 0x18, 0xdf, 0x13, 0xcb, 0x37, 0x2f, 0x9c, 0x6a, 0x8b, 0xec, 0x94,
0xa1, 0xdf, 0xa3, 0xf0, 0xcb, 0x6f, 0x22, 0x3f, 0x35, 0xd9, 0xd9, 0x12, 0xe1, 0x03, 0x22,
0x45, 0x53, 0x7f, 0x6f, 0x2d, 0xa1, 0xdd, 0x96, 0x3c, 0x2d, 0x85, 0x46, 0xae, 0xa6, 0x57,
0x65, 0x37, 0x20, 0x9f, 0x6b, 0xa3, 0x9f, 0xcb, 0x8a, 0x8d, 0x72, 0xd9, 0x54, 0x3e, 0x53,
0x75,
];
let exponent: Vec<u8> = vec![0x01, 0x00, 0x01];
let privkey = include_bytes!("private_rsa_key.der");
let encrypted = sign("hello world", Key::Der(&privkey[..]), Algorithm::RS256).unwrap();
let is_valid = verify(
&encrypted,
"hello world",
Key::ModulusExponent(&modulus, &exponent),
Algorithm::RS256,
)
.unwrap();
assert!(is_valid);
}
//#[test]
//fn rsa_modulus_exponent() {
// let modulus: Vec<u8> = vec![
// 0xc9, 0x11, 0x3a, 0xac, 0x7b, 0x8d, 0x47, 0x44, 0x1b, 0x1c, 0xed, 0xc7, 0xdc, 0xab, 0x76,
// 0xa4, 0xe2, 0x86, 0x56, 0x14, 0x2a, 0x19, 0x95, 0xc8, 0x9c, 0xe7, 0x6e, 0x40, 0xdc, 0x57,
// 0xce, 0xe2, 0xa5, 0xbd, 0x04, 0xcb, 0x51, 0x3b, 0xf8, 0x97, 0x8b, 0x20, 0x82, 0x1e, 0x7f,
// 0x09, 0x86, 0x22, 0xfd, 0xcb, 0xc8, 0xf9, 0x25, 0xd5, 0x4f, 0xd9, 0x0f, 0x59, 0x22, 0x97,
// 0xc4, 0x95, 0xc1, 0x5d, 0xdf, 0xf8, 0x2e, 0x4b, 0xdc, 0x3e, 0xe5, 0x1a, 0x90, 0x1a, 0x00,
// 0x91, 0xf8, 0x7e, 0x7a, 0x21, 0x55, 0x32, 0x1d, 0x95, 0xad, 0x4c, 0x96, 0xca, 0x3d, 0xcc,
// 0x16, 0x5d, 0x07, 0x4d, 0x51, 0x7d, 0x2b, 0x04, 0x57, 0x2c, 0x07, 0x30, 0x91, 0x11, 0x22,
// 0x4b, 0x79, 0xe9, 0x4e, 0x11, 0xd1, 0xc8, 0x8c, 0x6e, 0xcb, 0x46, 0x4c, 0x79, 0x97, 0xf1,
// 0x54, 0xbe, 0x5a, 0xac, 0xc8, 0x70, 0xd5, 0x24, 0x44, 0x2c, 0x1f, 0x07, 0xa0, 0x67, 0xc6,
// 0xfc, 0x0b, 0x47, 0xf3, 0xd0, 0x48, 0x13, 0xd8, 0xc3, 0x04, 0x76, 0x7d, 0x74, 0xb7, 0xa5,
// 0x2b, 0xd6, 0xb5, 0xf3, 0x8c, 0xc0, 0x7f, 0xc2, 0xf0, 0xa0, 0xf2, 0xf1, 0xbc, 0x96, 0xf7,
// 0x22, 0x5e, 0x67, 0x9d, 0xca, 0x8f, 0x71, 0x27, 0xca, 0x0c, 0x3a, 0x1d, 0x30, 0x50, 0x48,
// 0x31, 0xce, 0x25, 0x43, 0x30, 0xca, 0x2f, 0x98, 0x2f, 0x9a, 0x25, 0xcb, 0x5c, 0x1d, 0x40,
// 0x18, 0xb9, 0xbc, 0x28, 0x18, 0xdf, 0x13, 0xcb, 0x37, 0x2f, 0x9c, 0x6a, 0x8b, 0xec, 0x94,
// 0xa1, 0xdf, 0xa3, 0xf0, 0xcb, 0x6f, 0x22, 0x3f, 0x35, 0xd9, 0xd9, 0x12, 0xe1, 0x03, 0x22,
// 0x45, 0x53, 0x7f, 0x6f, 0x2d, 0xa1, 0xdd, 0x96, 0x3c, 0x2d, 0x85, 0x46, 0xae, 0xa6, 0x57,
// 0x65, 0x37, 0x20, 0x9f, 0x6b, 0xa3, 0x9f, 0xcb, 0x8a, 0x8d, 0x72, 0xd9, 0x54, 0x3e, 0x53,
// 0x75,
// ];
// let exponent: Vec<u8> = vec![0x01, 0x00, 0x01];
// let privkey = include_bytes!("private_rsa_key.der");
//
// let encrypted = sign("hello world", Key::Der(&privkey[..]), Algorithm::RS256).unwrap();
// let is_valid = verify(
// &encrypted,
// "hello world",
// Key::ModulusExponent(&modulus, &exponent),
// Algorithm::RS256,
// )
// .unwrap();
// assert!(is_valid);
//}
#[test]
#[should_panic(expected = "InvalidKeyFormat")]
fn fails_with_non_pkcs8_key_format() {
let privkey = include_bytes!("private_rsa_key.der");
let _encrypted = sign("hello world", Key::Der(&privkey[..]), Algorithm::ES256).unwrap();
let _encrypted =
sign("hello world", include_bytes!("private_rsa_key_pkcs1.pem"), Algorithm::ES256).unwrap();
}