1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104
//! Produce & verify TrueLayer API `Tl-Signature` request headers.
mod base64;
mod common;
mod http;
mod jws;
mod openssl;
mod sign;
mod verify;
use common::Unset;
pub use http::Method;
pub use jws::JwsHeader;
pub use sign::{CustomSigner, Signer, SignerBuilder};
use verify::PublicKey;
pub use verify::{CustomVerifier, Verifier, VerifierBuilder};
/// Start building a request `Tl-Signature` header value using private key
/// pem data & the key's `kid`.
///
/// # Example
/// ```no_run
/// # fn main() -> Result<(), truelayer_signing::Error> {
/// # let (kid, private_key, idempotency_key, body) = unimplemented!();
/// let tl_signature = truelayer_signing::sign_with_pem(kid, private_key)
/// .method(truelayer_signing::Method::Post)
/// .path("/payouts")
/// .header("Idempotency-Key", idempotency_key)
/// .body(body)
/// .build_signer()
/// .sign()?;
/// # Ok(()) }
/// ```
pub fn sign_with_pem<'a>(
kid: &'a str,
private_key_pem: &'a [u8],
) -> SignerBuilder<'a, &'a str, &'a [u8], Unset, Unset, Unset> {
SignerBuilder::build_with_pem(kid, private_key_pem)
}
/// Start building a `Tl-Signature` header verifier using public key pem data.
///
/// # Example
/// ```no_run
/// # fn main() -> Result<(), truelayer_signing::Error> {
/// # let (public_key, idempotency_key, body, tl_signature) = unimplemented!();
/// truelayer_signing::verify_with_pem(public_key)
/// .method(truelayer_signing::Method::Post)
/// .path("/payouts")
/// .require_header("Idempotency-Key")
/// .header("Idempotency-Key", idempotency_key)
/// .body(body)
/// .build_verifier()
/// .verify(tl_signature)?;
/// # Ok(()) }
/// ```
pub fn verify_with_pem(
public_key_pem: &[u8],
) -> VerifierBuilder<'_, PublicKey<'_>, Unset, Unset, Unset> {
VerifierBuilder::pem(public_key_pem)
}
/// Start building a `Tl-Signature` header verifier using public key JWKs JSON response data.
///
/// See <https://datatracker.ietf.org/doc/html/rfc7517>.
///
/// # Example
/// ```no_run
/// # fn main() -> Result<(), truelayer_signing::Error> {
/// # let (jwks, body, tl_signature) = unimplemented!();
/// # let headers: Vec<(&str, &[u8])> = unimplemented!();
/// // jwks json of form: {"keys":[...]}
/// truelayer_signing::verify_with_jwks(jwks)
/// .method(truelayer_signing::Method::Post)
/// .path("/webhook")
/// .headers(headers)
/// .body(body)
/// .build_verifier()
/// .verify(tl_signature)?;
/// # Ok(()) }
/// ```
pub fn verify_with_jwks(jwks: &[u8]) -> VerifierBuilder<'_, PublicKey<'_>, Unset, Unset, Unset> {
VerifierBuilder::jwks(jwks)
}
/// Extract [`JwsHeader`] info from a `Tl-Signature` header value.
///
/// This can then be used to pick a verification key using the `kid` etc.
pub fn extract_jws_header(tl_signature: &str) -> Result<JwsHeader, Error> {
Ok(verify::parse_tl_signature(tl_signature)?.0)
}
/// Sign/verification error.
#[derive(Debug, thiserror::Error)]
pub enum Error {
/// Key data is invalid.
#[error("invalid key: {0}")]
InvalidKey(anyhow::Error),
/// JWS signature generation or verification failed.
#[error("jws signing/verification failed: {0}")]
JwsError(anyhow::Error),
/// Other error.
#[error("Error: {0}")]
Other(anyhow::Error),
}