jwtk 0.5.0

JWT signing (JWS) and verification, with first class JWK and JWK Set (JWKS) support.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68

use super::*;
use crate::{jwk::Jwk, PublicKeyToJwk, VerificationKey, URL_SAFE_TRAILING_BITS};
use aws_lc_rs::rsa::{PublicKeyComponents, RsaParameters};
use aws_lc_rs::signature;
use base64::Engine as _;

/// RSA Public Key (aws-lc-rs backend, verification only).
#[derive(Debug, Clone)]
pub struct RsaPublicKey {
    components: PublicKeyComponents<Vec<u8>>,
    /// If this is `None`, this key verifies signatures generated by ANY RSA
    /// algorithms. Otherwise it ONLY verifies signatures generated by this
    /// algorithm.
    pub algorithm: Option<RsaAlgorithm>,
}

impl RsaPublicKey {
    pub fn from_components(n: &[u8], e: &[u8], algorithm: Option<RsaAlgorithm>) -> Result<Self> {
        Ok(Self {
            components: PublicKeyComponents {
                n: n.to_vec(),
                e: e.to_vec(),
            },
            algorithm,
        })
    }
}

impl PublicKeyToJwk for RsaPublicKey {
    fn public_key_to_jwk(&self) -> Result<Jwk> {
        Ok(Jwk {
            kty: "RSA".into(),
            alg: self.algorithm.map(|alg| alg.name().to_string()),
            use_: Some("sig".into()),
            n: Some(URL_SAFE_TRAILING_BITS.encode(&self.components.n)),
            e: Some(URL_SAFE_TRAILING_BITS.encode(&self.components.e)),
            ..Jwk::default()
        })
    }
}

fn rsa_params(alg: RsaAlgorithm) -> &'static RsaParameters {
    use RsaAlgorithm::*;
    match alg {
        RS256 => &signature::RSA_PKCS1_2048_8192_SHA256,
        RS384 => &signature::RSA_PKCS1_2048_8192_SHA384,
        RS512 => &signature::RSA_PKCS1_2048_8192_SHA512,
        PS256 => &signature::RSA_PSS_2048_8192_SHA256,
        PS384 => &signature::RSA_PSS_2048_8192_SHA384,
        PS512 => &signature::RSA_PSS_2048_8192_SHA512,
    }
}

impl VerificationKey for RsaPublicKey {
    fn verify(&self, v: &[u8], sig: &[u8], alg: &str) -> Result<()> {
        let alg = if let Some(self_alg) = self.algorithm {
            if self_alg.name() != alg {
                return Err(Error::VerificationError);
            }
            self_alg
        } else {
            RsaAlgorithm::from_name(alg)?
        };
        self.components
            .verify(rsa_params(alg), v, sig)
            .map_err(|_| Error::VerificationError)
    }
}