dat 1.1.3

DAT - Data Access Token
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156

use crate::crypto_algorithm::CryptoAlgorithm;
use crate::crypto_key::CryptoKey;
use crate::dat::DatPayload;
use crate::dat_records::DatRecords;
use crate::error::DatError;
use crate::signature_algorithm::SignatureAlgorithm;
use crate::signature_key::{SignatureKey, SignatureKeyOutOption};
use crate::util::{decode_base64_url_no_pad, encode_base64_url_no_pad, encode_base64_url_no_pad_out, now_unix_timestamp};
use crate::VERSION_DAT;
use std::cmp::PartialEq;
use std::fmt::Display;
use std::fmt::Write;
use std::str::FromStr;

pub trait Kid: PartialEq + Display + FromStr + Clone {}

impl<T> Kid for T where T: PartialEq + Display + FromStr + Clone {}

pub struct DatKey<T: Kid> {
    pub(crate) kid: T,
    pub(crate) signature_key: SignatureKey,
    pub(crate) crypto_key: CryptoKey,
    pub(crate) issue_begin: u64,
    pub(crate) issue_end: u64,
    pub(crate) token_ttl: u64,
}

impl <T: Kid> DatKey<T> {
    pub fn generate(kid: T, signature_algorithm: SignatureAlgorithm, crypto_algorithm: CryptoAlgorithm, issue_begin: u64, issue_end: u64, token_ttl: u64) -> Result<Self, DatError> {
        Self::from(kid, SignatureKey::generate(signature_algorithm), CryptoKey::generate(crypto_algorithm), issue_begin, issue_end, token_ttl)
    }

    pub fn from(kid: T, signature_key: SignatureKey, crypto_key: CryptoKey, issue_begin: u64, issue_end: u64, token_ttl: u64) -> Result<Self, DatError> {
        if kid.to_string().contains(['.', '\r', '\n']) {
            return Err(DatError::InvalidDatKidFormat);
        }
        Ok(DatKey { kid, signature_key, crypto_key, issue_begin, issue_end, token_ttl })
    }

    pub fn kid(&self) -> T { self.kid.clone() }
    pub fn signature_key(&self) -> SignatureKey { self.signature_key.clone() }
    pub fn crypto_key(&self) -> CryptoKey { self.crypto_key.clone() }
    pub fn issue_begin(&self) -> u64 { self.issue_begin }
    pub fn issue_end(&self) -> u64 { self.issue_end }
    pub fn token_ttl(&self) -> u64 { self.token_ttl }
    pub fn key_expire(&self) -> u64 { self.issue_end + self.token_ttl }

    pub fn format(&self, signature_key_out_option: SignatureKeyOutOption) -> Result<String, DatError> {
        let kid = self.kid.to_string();
        let signature_algorithm = self.signature_key.algorithm();
        let (sk, vk) = self.signature_key.to_bytes();
        if sk.is_empty() && signature_key_out_option != SignatureKeyOutOption::VERIFYING {
            return Err(DatError::VerifyOnlyKey)
        }
        let signature_key = match signature_key_out_option {
            SignatureKeyOutOption::FULL => format!("{}~{}", encode_base64_url_no_pad(sk), encode_base64_url_no_pad(vk)),
            SignatureKeyOutOption::SIGNING => encode_base64_url_no_pad(sk),
            SignatureKeyOutOption::VERIFYING => format!("~{}", encode_base64_url_no_pad(vk)),
        };
        let crypto_algorithm = self.crypto_key.algorithm();
        let crypto_key = encode_base64_url_no_pad(self.crypto_key.to_bytes());
        let issue_begin = self.issue_begin;
        let issue_end = self.issue_end;
        let token_ttl = self.token_ttl;
        Ok(format!("{VERSION_DAT}.{kid}.{signature_algorithm}.{signature_key}.{crypto_algorithm}.{crypto_key}.{issue_begin}.{issue_end}.{token_ttl}"))
    }

    pub fn to_payload(&self, dat_records: &DatRecords<T>) -> Result<DatPayload, DatError> {
        if self.signature_key.verify(dat_records.body_str().as_bytes(), &*decode_base64_url_no_pad(dat_records.sign_base64())?).is_err() {
            return Err(DatError::InvalidDatFormat)
        }
        self.to_payload_without_verify(dat_records)
    }
    pub fn to_payload_without_verify(&self, dat_records: &DatRecords<T>) -> Result<DatPayload, DatError> {
        Ok(DatPayload {
            expire: dat_records.expire(),
            plain_bytes: decode_base64_url_no_pad(dat_records.plain_base64())?,
            secure_bytes: self.crypto_key.decrypt(&*decode_base64_url_no_pad(dat_records.secure_base64())?)?,
        })
    }
    pub fn to_dat<U: AsRef<[u8]>>(&self, plain: U, secure: U) -> Result<String, DatError> {
        let sk = &self.signature_key;
        // (byte size + 2) * 4 / 3 = base 64 size
        // 100 is padding : expire + kid + (dot * 4) + (base64 pad 12)...
        let mut dat = String::with_capacity(100 + ((plain.as_ref().len() + secure.as_ref().len() + sk.signature_size()) * 4 / 3));
        write!(dat, "{}.{}.", now_unix_timestamp() + self.token_ttl, self.kid).unwrap();
        encode_base64_url_no_pad_out(plain.as_ref(), &mut dat); // plain
        dat.push('.');
        encode_base64_url_no_pad_out(self.crypto_key.encrypt(secure.as_ref())?, &mut dat); // secure
        dat.push('.');
        encode_base64_url_no_pad_out(sk.sign(dat[0..dat.len() - 1].as_bytes()), &mut dat); // sign
        Ok(dat)
    }
}

impl <T: Kid> FromStr for DatKey<T> {
    type Err = DatError;
    fn from_str(format: &str) -> Result<Self, Self::Err> {
        let split = format.split(".").collect::<Vec<&str>>();
        let count = split.len();
        let version = split[0];
        match version {
            "2" | "1" => {
                return if count == 9 {
                    let kid = split[1].parse::<T>().map_err(|_| DatError::InvalidDatKidFormat)?;
                    let signature_algorithm = SignatureAlgorithm::from_str(split[2])?;
                    let signature_key_str = split[3];
                    let signature_key = if let Some(pos) = signature_key_str.find('~') {
                        if pos == 0 { // verifying key only
                            SignatureKey::from_bytes(signature_algorithm, &[], &*decode_base64_url_no_pad(signature_key_str[1..].as_bytes())?)
                        } else { // signing key ~ verifying key
                            SignatureKey::from_bytes(signature_algorithm, &*decode_base64_url_no_pad(signature_key_str[..pos].as_bytes())?, &*decode_base64_url_no_pad(signature_key_str[pos + 1..].as_bytes())?)
                        }
                    } else { // signing key only
                        SignatureKey::from_bytes(signature_algorithm, &*decode_base64_url_no_pad(signature_key_str)?, &[])
                    }?;
                    let crypto_algorithm = CryptoAlgorithm::from_str(split[4])?;
                    let crypto_key = CryptoKey::from_bytes(crypto_algorithm, &*decode_base64_url_no_pad(split[5])?)?;
                    let issue_begin = split[6].parse::<u64>().map_err(|_| DatError::InvalidDatKeyFormat)?;
                    let issue_end = split[7].parse::<u64>().map_err(|_| DatError::InvalidDatKeyFormat)?;
                    let token_ttl = split[8].parse::<u64>().map_err(|_| DatError::InvalidDatKeyFormat)?;
                    DatKey::from(kid, signature_key, crypto_key, issue_begin, issue_end, token_ttl)
                } else {
                    Err(DatError::InvalidDatKeyFormat)
                }
            },
            _ => {}
        }
        Err(DatError::UnSupportDatKeyVersion)
    }
}

impl <T: Kid> PartialEq<DatKey<T>> for DatKey<T> {
    fn eq(&self, other: &DatKey<T>) -> bool {
        self.kid.eq(&other.kid)
    }
}

impl <T: Kid> PartialEq<T> for DatKey<T> {
    fn eq(&self, other: &T) -> bool {
        self.kid.eq(other)
    }
}

impl <T: Kid> Clone for DatKey<T> {
    fn clone(&self) -> Self {
        DatKey::<T> {
            kid: self.kid.clone(),
            signature_key: self.signature_key.clone(),
            crypto_key: self.crypto_key.clone(),
            issue_begin: self.issue_begin,
            issue_end: self.issue_end,
            token_ttl: self.token_ttl,
        }
    }
}