```rust
pub enum Secret {
    None,
    Bytes(Vec<u8>),
    RsaKeyPair(Arc<RsaKeyPair>),
    EcdsaKeyPair(Arc<EcdsaKeyPair>),
    PublicKey(Vec<u8>),
    RSAModulusExponent {
        n: BigUint,
        e: BigUint,
    },
}
```
The secrets used to sign and/or encrypt tokens.

Variants

None

Used with the None algorithm variant.

Bytes(Vec<u8>)

Bytes used as an HMAC secret. Can be constructed from a string literal.

Examples

```rust
use biscuit::jws::Secret;
let secret = Secret::bytes_from_str("secret");
```
RsaKeyPair(Arc<RsaKeyPair>)

An RSA key pair constructed from a DER-encoded private key.

To generate a private key, use

```sh
openssl genpkey -algorithm RSA \
    -pkeyopt rsa_keygen_bits:2048 \
    -outform der \
    -out private_key.der
```

Often, keys generated for use in OpenSSL-based software are encoded in PEM format, which is not supported by ring. PEM-encoded keys that are in RSAPrivateKey format can be converted to DER using an OpenSSL command like this:

```sh
openssl rsa -in private_key.pem -outform DER -out private_key.der
```

Examples

```rust
use biscuit::jws::Secret;
let secret = Secret::rsa_keypair_from_file("test/fixtures/rsa_private_key.der");
```
EcdsaKeyPair(Arc<EcdsaKeyPair>)

An ECDSA key pair constructed from a PKCS8 DER-encoded private key.

To generate a private key, use

```sh
openssl ecparam -genkey -name prime256v1 | \
    openssl pkcs8 -topk8 -nocrypt -outform DER > ecdsa_private_key.p8
```

Examples

```rust
use biscuit::jws::Secret;
let secret = Secret::ecdsa_keypair_from_file(biscuit::jwa::SignatureAlgorithm::ES256, "test/fixtures/ecdsa_private_key.p8");
```
PublicKey(Vec<u8>)

Bytes of a DER-encoded RSA public key.

To generate the public key from your DER-encoded private key:

```sh
openssl rsa -in private_key.der \
    -inform DER \
    -RSAPublicKey_out \
    -outform DER \
    -out public_key.der
```

To convert a PEM-formatted public key:

```sh
openssl rsa -RSAPublicKey_in \
    -in public_key.pem \
    -inform PEM \
    -outform DER \
    -RSAPublicKey_out \
    -out public_key.der
```
Note that the underlying crate (ring) does not support the format used by OpenSSL. You can check the format using

```sh
openssl asn1parse -inform DER -in public_key.der
```

It should output something like

```text
    0:d=0  hl=4 l= 290 cons: SEQUENCE
    4:d=1  hl=2 l=  13 cons: SEQUENCE
    6:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   17:d=2  hl=2 l=   0 prim: NULL
   19:d=1  hl=4 l= 271 prim: BIT STRING
```

There is a header here that indicates the content of the file (a public key for rsaEncryption). The actual key is contained within the BIT STRING at the end. The bare public key can be extracted with

```sh
openssl asn1parse -inform DER \
    -in public_key.der \
    -offset 24 \
    -out public_key_extracted.der
```
Run the following to verify that the key is in the right format:

```sh
openssl asn1parse -inform DER -in public_key_extracted.der
```

The right format looks like this (the <> elements show the actual numbers):

```text
    0:d=0  hl=4 l= 266 cons: SEQUENCE
    4:d=1  hl=4 l= 257 prim: INTEGER           :<public key modulus>
  265:d=1  hl=2 l=   3 prim: INTEGER           :<public key exponent>
```

Every other format will be rejected by ring with an unspecified error. Note that OpenSSL is no longer able to interpret this file as a public key, since it no longer contains the expected header.

Examples

```rust
use biscuit::jws::Secret;
let secret = Secret::public_key_from_file("test/fixtures/rsa_public_key.der");
```
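The format check described above, as an added example that is not biscuit's or ring's own code: a small std-only DER walker that tells the header-wrapped key OpenSSL emits apart from the bare RSAPublicKey structure ring accepts, and computes the `-offset` value (24 in the listing above) from the actual header lengths rather than hard-coding it. The `SAMPLE_SPKI` bytes are constructed for the example with a toy 3-byte modulus and are not a usable key; the names `classify` and `extract_rsa_public_key` are assumptions of this example.

```rust
/// One decoded DER element: tag, header length and the content slice.
struct Tlv<'a> { tag: u8, header_len: usize, content: &'a [u8] }

/// Read one definite-length DER TLV from the start of `buf`.
fn read_tlv(buf: &[u8]) -> Result<Tlv<'_>, &'static str> {
    let tag = *buf.first().ok_or("empty input")?;
    let first = *buf.get(1).ok_or("truncated length")?;
    let (len, header_len) = if first & 0x80 == 0 {
        (first as usize, 2)
    } else {
        let n = (first & 0x7f) as usize;
        if n == 0 || n > 4 { return Err("unsupported length encoding"); }
        let lb = buf.get(2..2 + n).ok_or("truncated length")?;
        (lb.iter().fold(0usize, |a, &b| (a << 8) | b as usize), 2 + n)
    };
    let content = buf.get(header_len..header_len + len).ok_or("truncated content")?;
    Ok(Tlv { tag, header_len, content })
}
#[derive(Debug, PartialEq)]
pub enum KeyFormat {
    SubjectPublicKeyInfo, // first child is an AlgorithmIdentifier SEQUENCE (OpenSSL's default)
    RsaPublicKey,         // first child is the modulus INTEGER (the form ring accepts)
}

pub fn classify(der: &[u8]) -> Result<KeyFormat, &'static str> {
    let outer = read_tlv(der)?;
    if outer.tag != 0x30 { return Err("expected outer SEQUENCE"); }
    match read_tlv(outer.content)?.tag {
        0x30 => Ok(KeyFormat::SubjectPublicKeyInfo),
        0x02 => Ok(KeyFormat::RsaPublicKey),
        _ => Err("unrecognised structure"),
    }
}
/// Bare RSAPublicKey bytes and their offset in `der` (the `openssl asn1parse -offset` value).
pub fn extract_rsa_public_key(der: &[u8]) -> Result<(usize, &[u8]), &'static str> {
    if classify(der)? == KeyFormat::RsaPublicKey { return Ok((0, der)); }
    let outer = read_tlv(der)?;
    let alg = read_tlv(outer.content)?;
    let bits_pos = outer.header_len + alg.header_len + alg.content.len();
    let bits = read_tlv(&der[bits_pos..])?;
    if bits.tag != 0x03 || bits.content.first() != Some(&0) { return Err("expected BIT STRING"); }
    // Skip the unused-bits byte; on the page's listing this is 19 + 4 + 1 = 24.
    Ok((bits_pos + bits.header_len + 1, &bits.content[1..]))
}

/// Constructed SubjectPublicKeyInfo with a toy 3-byte modulus (not a usable RSA key).
pub const SAMPLE_SPKI: [u8; 32] = [
    0x30, 0x1e, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
    0x00, 0x03, 0x0d, 0x00, 0x30, 0x0a, 0x02, 0x03, 0x00, 0xc3, 0xb7, 0x02, 0x03, 0x01, 0x00, 0x01,
];
```

Running `classify` on a key file before handing it to `public_key_from_file` turns ring's unspecified error into a clear "wrong wrapper" diagnosis.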
RSAModulusExponent

Use the modulus (n) and exponent (e) of an RSA key directly.

These parameters can be obtained from a JWK directly using jwk::RSAKeyParameters::jws_public_key_secret.
Implementations

impl Secret

```rust
pub fn bytes_from_str(secret: &str) -> Self
```

Convenience function to create a secret bytes array from a string. See the example in the Secret::Bytes variant documentation for usage.

```rust
pub fn rsa_keypair_from_file(path: &str) -> Result<Self, Error>
```

Convenience function to get the RSA key pair from a DER-encoded RSA private key. See the example in the Secret::RsaKeyPair variant documentation for usage.

```rust
pub fn ecdsa_keypair_from_file(algorithm: SignatureAlgorithm, path: &str) -> Result<Self, Error>
```

Convenience function to get the ECDSA key pair from a PKCS8-DER encoded EC private key.

```rust
pub fn public_key_from_file(path: &str) -> Result<Self, Error>
```

Convenience function to create a public key from a DER-encoded RSA or ECDSA public key. See the examples in the Secret::PublicKey variant documentation for usage.