1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103
//! Produce & verify TrueLayer API `Tl-Signature` request headers.
//!
//! # Example
//! ```no_run
//! # fn main() -> Result<(), truelayer_signing::Error> {
//! # let (kid, private_key, idempotency_key, body) = unimplemented!();
//! // `Tl-Signature` value to send with the request.
//! let tl_signature = truelayer_signing::sign_with_pem(kid, private_key)
//! .method("POST")
//! .path("/payouts")
//! .header("Idempotency-Key", idempotency_key)
//! .body(body)
//! .sign()?;
//! # Ok(()) }
//! ```
mod base64;
mod http;
mod jws;
mod openssl;
mod sign;
mod verify;
pub use jws::JwsHeader;
pub use sign::Signer;
pub use verify::Verifier;
/// Start building a request `Tl-Signature` header value using private key
/// pem data & the key's `kid`.
///
/// # Example
/// ```no_run
/// # fn main() -> Result<(), truelayer_signing::Error> {
/// # let (kid, private_key, idempotency_key, body) = unimplemented!();
/// let tl_signature = truelayer_signing::sign_with_pem(kid, private_key)
/// .method("POST")
/// .path("/payouts")
/// .header("Idempotency-Key", idempotency_key)
/// .body(body)
/// .sign()?;
/// # Ok(()) }
/// ```
pub fn sign_with_pem<'a>(kid: &'a str, private_key_pem: &'a [u8]) -> Signer<'a> {
Signer::new(kid, private_key_pem)
}
/// Start building a `Tl-Signature` header verifier using public key pem data.
///
/// # Example
/// ```no_run
/// # fn main() -> Result<(), truelayer_signing::Error> {
/// # let (public_key, idempotency_key, body, tl_signature) = unimplemented!();
/// truelayer_signing::verify_with_pem(public_key)
/// .method("POST")
/// .path("/payouts")
/// .require_header("Idempotency-Key")
/// .header("Idempotency-Key", idempotency_key)
/// .body(body)
/// .verify(tl_signature)?;
/// # Ok(()) }
/// ```
pub fn verify_with_pem(public_key_pem: &[u8]) -> Verifier<'_> {
Verifier::new(verify::PublicKey::Pem(public_key_pem))
}
/// Start building a `Tl-Signature` header verifier using public key JWKs JSON response data.
///
/// See <https://datatracker.ietf.org/doc/html/rfc7517>.
///
/// # Example
/// ```no_run
/// # fn main() -> Result<(), truelayer_signing::Error> {
/// # let (jwks, body, tl_signature) = unimplemented!();
/// # let headers: Vec<(&str, &[u8])> = unimplemented!();
/// // jwks json of form: {"keys":[...]}
/// truelayer_signing::verify_with_jwks(jwks)
/// .method("POST")
/// .path("/webhook")
/// .headers(headers)
/// .body(body)
/// .verify(tl_signature)?;
/// # Ok(()) }
/// ```
pub fn verify_with_jwks(jwks: &[u8]) -> Verifier<'_> {
Verifier::new(verify::PublicKey::Jwks(jwks))
}
/// Extract [`JwsHeader`] info from a `Tl-Signature` header value.
///
/// This can then be used to pick a verification key using the `kid` etc.
pub fn extract_jws_header(tl_signature: &str) -> Result<JwsHeader, Error> {
Ok(verify::parse_tl_signature(tl_signature)?.0)
}
/// Sign/verification error.
#[derive(Debug, thiserror::Error)]
pub enum Error {
/// Key data is invalid.
#[error("invalid key: {0}")]
InvalidKey(anyhow::Error),
/// JWS signature generation or verification failed.
#[error("jws signing/verification failed: {0}")]
JwsError(anyhow::Error),
}