coil-core 0.1.1

Core runtime contracts and composition primitives for the Coil framework.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51

use super::{BrowserSecurityError, CookiePolicy, CookieProtection};
use crate::*;

pub(super) fn sign_payload(secret: &[u8], payload: &[u8]) -> Result<String, BrowserSecurityError> {
    if secret.is_empty() {
        return Err(BrowserSecurityError::EmptySecret);
    }

    let mut mac =
        <HmacSha256 as Mac>::new_from_slice(secret).expect("HMAC accepts arbitrary key lengths");
    mac.update(payload);
    Ok(URL_SAFE_NO_PAD.encode(mac.finalize().into_bytes()))
}

pub(super) fn ensure_cookie_protection(
    policy: &CookiePolicy,
    expected: CookieProtection,
) -> Result<(), BrowserSecurityError> {
    if policy.protection == expected {
        Ok(())
    } else {
        Err(BrowserSecurityError::UnexpectedCookieProtection {
            expected,
            actual: policy.protection,
        })
    }
}

pub(super) fn cipher_for_secret(secret: &[u8]) -> Aes256Gcm {
    let key = Sha256::digest(secret);
    Aes256Gcm::new_from_slice(&key).expect("sha256 produces a 256-bit key")
}

pub(super) fn verify_payload(
    secret: &[u8],
    payload: &[u8],
    signature: &str,
) -> Result<(), BrowserSecurityError> {
    if secret.is_empty() {
        return Err(BrowserSecurityError::EmptySecret);
    }

    let signature = URL_SAFE_NO_PAD
        .decode(signature)
        .map_err(|_| BrowserSecurityError::InvalidCookieSignature)?;
    let mut mac =
        <HmacSha256 as Mac>::new_from_slice(secret).expect("HMAC accepts arbitrary key lengths");
    mac.update(payload);
    mac.verify_slice(&signature)
        .map_err(|_| BrowserSecurityError::InvalidCookieSignature)
}