Enum biscuit::jws::Secret

pub enum Secret {
    None,
    Bytes(Vec<u8>),
    RsaKeyPair(Arc<RsaKeyPair>),
    EcdsaKeyPair(Arc<EcdsaKeyPair>),
    PublicKey(Vec<u8>),
    RSAModulusExponent {
        n: BigUint,
        e: BigUint,
    },
}

The secrets used to sign and/or encrypt tokens

Variants

None

Used with the None algorithm variant.


Bytes(Vec<u8>)

Bytes used as an HMAC secret. Can be constructed from a string literal.

Examples

use biscuit::jws::Secret;

let secret = Secret::bytes_from_str("secret");

RsaKeyPair(Arc<RsaKeyPair>)

An RSA Key pair constructed from a DER-encoded private key

To generate a private key, use

openssl genpkey -algorithm RSA \
                -pkeyopt rsa_keygen_bits:2048 \
                -outform der \
                -out private_key.der

Often, keys generated for use in OpenSSL-based software are encoded in PEM format, which is not supported by ring. PEM-encoded keys that are in RSAPrivateKey format can be converted to DER using an OpenSSL command like this:

openssl rsa -in private_key.pem -outform DER -out private_key.der

Examples

use biscuit::jws::Secret;

let secret = Secret::rsa_keypair_from_file("test/fixtures/rsa_private_key.der");

EcdsaKeyPair(Arc<EcdsaKeyPair>)

An ECDSA key pair constructed from a PKCS#8 DER-encoded private key

To generate a private key, use

openssl ecparam -genkey -name prime256v1 | \
openssl pkcs8 -topk8 -nocrypt -outform DER > ecdsa_private_key.p8

Examples

use biscuit::jws::Secret;

let secret = Secret::ecdsa_keypair_from_file(biscuit::jwa::SignatureAlgorithm::ES256, "test/fixtures/ecdsa_private_key.p8");

PublicKey(Vec<u8>)

Bytes of a DER encoded RSA Public Key

To generate the public key from your DER-encoded private key

openssl rsa -in private_key.der \
            -inform DER \
            -RSAPublicKey_out \
            -outform DER \
            -out public_key.der

To convert a PEM formatted public key

openssl rsa -RSAPublicKey_in \
            -in public_key.pem \
            -inform PEM \
            -outform DER \
            -RSAPublicKey_out \
            -out public_key.der

Note that the underlying crate (ring) does not accept the header-wrapped public key format that OpenSSL produces. You can check the format using

openssl asn1parse -inform DER -in public_key.der

It should output something like

    0:d=0  hl=4 l= 290 cons: SEQUENCE
    4:d=1  hl=2 l=  13 cons: SEQUENCE
    6:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   17:d=2  hl=2 l=   0 prim: NULL
   19:d=1  hl=4 l= 271 prim: BIT STRING

There is a header here that indicates the content of the file (a public key for rsaEncryption). The actual key is contained within the BIT STRING at the end. The bare public key can be extracted with

openssl asn1parse -inform DER \
                  -in public_key.der \
                  -offset 24 \
                  -out public_key_extracted.der

Run the following to verify that the key is in the right format

openssl asn1parse -inform DER -in public_key_extracted.der

The right format looks like this (the <> elements show the actual numbers)

    0:d=0  hl=4 l= 266 cons: SEQUENCE
    4:d=1  hl=4 l= 257 prim: INTEGER           :<public key modulus>
  265:d=1  hl=2 l=   3 prim: INTEGER           :<public key exponent>

Every other format will be rejected by ring with an unspecified error. Note that OpenSSL is no longer able to interpret this file as a public key, since it no longer contains the expected header.

Examples

use biscuit::jws::Secret;

let secret = Secret::public_key_from_file("test/fixtures/rsa_public_key.der");
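The header-stripping step above hard-codes `-offset 24`, which is only right for the header lengths shown in the asn1parse output. The following Rust program is an added example, not code from the biscuit crate or from ring: it walks the DER tag/length headers to find where the bare RSAPublicKey (SEQUENCE { INTEGER n, INTEGER e }) starts inside the OpenSSL-style wrapper (a SubjectPublicKeyInfo), returns those bytes in the shape ring accepts, passes an already bare key through unchanged, and rejects anything else with a descriptive error instead of ring's unspecified one. It also builds a constructed wrapper (not a real key) with the same element sizes as the asn1parse output above so the offset of 24 can be checked; all function names are this example's own.

```rust
// Added example, not part of the biscuit crate: locate and extract the bare
// RSAPublicKey inside a DER SubjectPublicKeyInfo (the structure OpenSSL emits),
// generalising the hard-coded `-offset 24` of the asn1parse step.

/// DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption).
const OID_RSA_ENCRYPTION: &[u8] = &[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01];

/// Parse one DER tag/length header at `pos`.
/// Returns (tag, offset of the content, content length).
fn read_tlv(der: &[u8], pos: usize) -> Result<(u8, usize, usize), String> {
    let tag = *der.get(pos).ok_or("truncated tag")?;
    let first = *der.get(pos + 1).ok_or("truncated length")?;
    if first < 0x80 { return Ok((tag, pos + 2, first as usize)); } // short form
    let nbytes = (first & 0x7f) as usize; // long form: number of length bytes
    if nbytes == 0 || nbytes > 4 { return Err("unsupported length encoding".into()); }
    let bytes = der.get(pos + 2..pos + 2 + nbytes).ok_or("truncated length")?;
    let len = bytes.iter().fold(0usize, |acc, &b| (acc << 8) | b as usize);
    Ok((tag, pos + 2 + nbytes, len))
}

/// Offset of the bare RSAPublicKey inside a SubjectPublicKeyInfo, i.e. the value
/// `openssl asn1parse -offset` needs. Equals 24 for the 2048-bit layout shown above.
pub fn rsa_public_key_offset(der: &[u8]) -> Result<usize, String> {
    let (tag, body, body_len) = read_tlv(der, 0)?;
    if tag != 0x30 { return Err("expected outer SEQUENCE".into()); }
    if body + body_len != der.len() { return Err("DER length does not match input size".into()); }
    // AlgorithmIdentifier ::= SEQUENCE { OBJECT IDENTIFIER rsaEncryption, NULL }
    let (alg_tag, alg_body, alg_len) = read_tlv(der, body)?;
    if alg_tag != 0x30 { return Err("expected AlgorithmIdentifier SEQUENCE".into()); }
    let (oid_tag, oid_body, oid_len) = read_tlv(der, alg_body)?;
    let oid = der.get(oid_body..oid_body + oid_len).ok_or("truncated OID")?;
    if oid_tag != 0x06 || oid != OID_RSA_ENCRYPTION { return Err("not an rsaEncryption key".into()); }
    // The BIT STRING follows the AlgorithmIdentifier and must end the structure;
    // its first byte is the unused-bits count, 0 when it wraps a DER structure.
    let (bs_tag, bs_body, bs_len) = read_tlv(der, alg_body + alg_len)?;
    if bs_tag != 0x03 || bs_len == 0 || bs_body + bs_len != der.len() {
        return Err("expected BIT STRING ending the structure".into());
    }
    if der.get(bs_body) != Some(&0x00) { return Err("BIT STRING has unused bits".into()); }
    Ok(bs_body + 1)
}

/// Return the bare RSAPublicKey (SEQUENCE { INTEGER n, INTEGER e }) bytes.
/// Accepts either a SubjectPublicKeyInfo or an already bare key.
pub fn extract_rsa_public_key(der: &[u8]) -> Result<Vec<u8>, String> {
    let (tag, body, _) = read_tlv(der, 0)?;
    if tag != 0x30 { return Err("expected SEQUENCE".into()); }
    let bare = match read_tlv(der, body)?.0 {
        0x02 => der.to_vec(), // first child is INTEGER n: already bare
        _ => der[rsa_public_key_offset(der)?..].to_vec(),
    };
    // Verify the result is exactly SEQUENCE { INTEGER, INTEGER } with no trailing bytes.
    let (t, b, l) = read_tlv(&bare, 0)?;
    if t != 0x30 || b + l != bare.len() { return Err("malformed RSAPublicKey".into()); }
    let (n_tag, n_body, n_len) = read_tlv(&bare, b)?;
    let (e_tag, e_body, e_len) = read_tlv(&bare, n_body + n_len)?;
    if n_tag != 0x02 || e_tag != 0x02 || e_body + e_len != bare.len() {
        return Err("expected SEQUENCE { INTEGER n, INTEGER e }".into());
    }
    Ok(bare)
}

/// DER length encoding (short form below 0x80, long form above).
fn der_len(len: usize) -> Vec<u8> {
    if len < 0x80 { return vec![len as u8]; }
    let bytes: Vec<u8> = len.to_be_bytes().iter().copied().skip_while(|&b| b == 0).collect();
    let mut out = vec![0x80 | bytes.len() as u8];
    out.extend(bytes);
    out
}

fn der_tlv(tag: u8, content: &[u8]) -> Vec<u8> {
    let mut out = vec![tag];
    out.extend(der_len(content.len()));
    out.extend_from_slice(content);
    out
}

/// Build a SubjectPublicKeyInfo around big-endian modulus and exponent bytes
/// (with a leading 0x00 where the top bit is set). Used here only to construct
/// test input; real keys come from OpenSSL as shown above.
pub fn build_rsa_spki(n: &[u8], e: &[u8]) -> Vec<u8> {
    let rsa_public_key = der_tlv(0x30, &[der_tlv(0x02, n), der_tlv(0x02, e)].concat());
    let alg_id = der_tlv(0x30, &[der_tlv(0x06, OID_RSA_ENCRYPTION), der_tlv(0x05, &[])].concat());
    let mut bit_string = vec![0x00]; // no unused bits
    bit_string.extend_from_slice(&rsa_public_key);
    der_tlv(0x30, &[alg_id, der_tlv(0x03, &bit_string)].concat())
}

fn main() {
    // Constructed sample, not a real key: a 2048-bit-sized modulus (0x00 sign byte plus
    // 256 bytes) and exponent 65537, matching the element sizes in the asn1parse output above.
    let mut n = vec![0x00u8];
    n.extend(std::iter::repeat(0xab).take(256));
    let spki = build_rsa_spki(&n, &[0x01, 0x00, 0x01]);
    match rsa_public_key_offset(&spki) {
        Ok(off) => println!("bare RSAPublicKey starts at offset {} of {} bytes", off, spki.len()),
        Err(e) => println!("error: {}", e),
    }
}
```

The offset is derived from the encoded lengths, so a key of a different size (or a wrapper produced by a different tool) yields the correct offset rather than a silently misaligned cut, and the final structural check catches the case where the input was neither of the two accepted shapes.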

RSAModulusExponent

Use the modulus (n) and exponent (e) of an RSA key directly.

These parameters can be obtained from a JWK directly using jwk::RSAKeyParameters::jws_public_key_secret.

Fields

n: BigUint

RSA modulus

e: BigUint

RSA exponent

Implementations

impl Secret

pub fn bytes_from_str(secret: &str) -> Self

Convenience function to create a secret bytes array from a string. See the example in the Secret::Bytes variant documentation for usage.

pub fn rsa_keypair_from_file(path: &str) -> Result<Self, Error>

Convenience function to get the RSA key pair from a DER-encoded RSA private key. See the example in the Secret::RsaKeyPair variant documentation for usage.

pub fn ecdsa_keypair_from_file(algorithm: SignatureAlgorithm, path: &str) -> Result<Self, Error>

Convenience function to get the ECDSA key pair from a PKCS#8 DER-encoded EC private key.

pub fn public_key_from_file(path: &str) -> Result<Self, Error>

Convenience function to create a public key from a DER-encoded RSA or ECDSA public key. See the examples in the Secret::PublicKey variant documentation for usage.

Trait Implementations

impl Clone for Secret

fn clone(&self) -> Secret

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl From<RSAKeyParameters> for Secret

fn from(rsa: RSAKeyParameters) -> Self

Converts to this type from the input type.

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T where T: 'static + ?Sized

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T where T: ?Sized

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T where T: ?Sized

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T where U: From<T>

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> ToOwned for T where T: Clone

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T where U: Into<T>

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T where U: TryFrom<T>

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.