Skip to main content

jsonwebtoken/crypto/rust_crypto/
mod.rs

1use ::rsa::{RsaPrivateKey, pkcs1::DecodeRsaPrivateKey, traits::PublicKeyParts};
2use p256::{ecdsa::SigningKey as P256SigningKey, pkcs8::DecodePrivateKey};
3use p384::ecdsa::SigningKey as P384SigningKey;
4use sha2::{Digest, Sha256, Sha384, Sha512};
5
6use crate::{
7    Algorithm, DecodingKey, EncodingKey,
8    crypto::{CryptoProvider, JwkUtils, JwtSigner, JwtVerifier},
9    errors::{self, Error, ErrorKind},
10    jwk::{EllipticCurve, ThumbprintHash},
11};
12
13mod ecdsa;
14mod eddsa;
15mod hmac;
16mod rsa;
17
18fn extract_rsa_public_key_components(key_content: &[u8]) -> errors::Result<(Vec<u8>, Vec<u8>)> {
19    let private_key = RsaPrivateKey::from_pkcs1_der(key_content)
20        .map_err(|e| ErrorKind::InvalidRsaKey(e.to_string()))?;
21    let public_key = private_key.to_public_key();
22    Ok((public_key.n().to_bytes_be(), public_key.e().to_bytes_be()))
23}
24
25fn extract_ec_public_key_coordinates(
26    key_content: &[u8],
27    alg: Algorithm,
28) -> errors::Result<(EllipticCurve, Vec<u8>, Vec<u8>)> {
29    match alg {
30        Algorithm::ES256 => {
31            let signing_key = P256SigningKey::from_pkcs8_der(key_content)
32                .map_err(|_| ErrorKind::InvalidEcdsaKey)?;
33            let public_key = signing_key.verifying_key();
34            let encoded = public_key.to_encoded_point(false);
35            match encoded.coordinates() {
36                p256::elliptic_curve::sec1::Coordinates::Uncompressed { x, y } => {
37                    Ok((EllipticCurve::P256, x.to_vec(), y.to_vec()))
38                }
39                _ => Err(ErrorKind::InvalidEcdsaKey.into()),
40            }
41        }
42        Algorithm::ES384 => {
43            let signing_key = P384SigningKey::from_pkcs8_der(key_content)
44                .map_err(|_| ErrorKind::InvalidEcdsaKey)?;
45            let public_key = signing_key.verifying_key();
46            let encoded = public_key.to_encoded_point(false);
47            match encoded.coordinates() {
48                p384::elliptic_curve::sec1::Coordinates::Uncompressed { x, y } => {
49                    Ok((EllipticCurve::P384, x.to_vec(), y.to_vec()))
50                }
51                _ => Err(ErrorKind::InvalidEcdsaKey.into()),
52            }
53        }
54        _ => Err(ErrorKind::InvalidEcdsaKey.into()),
55    }
56}
57
58fn compute_digest(data: &[u8], hash_function: ThumbprintHash) -> Vec<u8> {
59    match hash_function {
60        ThumbprintHash::SHA256 => Sha256::digest(data).to_vec(),
61        ThumbprintHash::SHA384 => Sha384::digest(data).to_vec(),
62        ThumbprintHash::SHA512 => Sha512::digest(data).to_vec(),
63    }
64}
65
66fn new_signer(algorithm: &Algorithm, key: &EncodingKey) -> Result<Box<dyn JwtSigner>, Error> {
67    let jwt_signer = match algorithm {
68        Algorithm::HS256 => Box::new(hmac::Hs256Signer::new(key)?) as Box<dyn JwtSigner>,
69        Algorithm::HS384 => Box::new(hmac::Hs384Signer::new(key)?) as Box<dyn JwtSigner>,
70        Algorithm::HS512 => Box::new(hmac::Hs512Signer::new(key)?) as Box<dyn JwtSigner>,
71        Algorithm::ES256 => Box::new(ecdsa::Es256Signer::new(key)?) as Box<dyn JwtSigner>,
72        Algorithm::ES384 => Box::new(ecdsa::Es384Signer::new(key)?) as Box<dyn JwtSigner>,
73        Algorithm::RS256 => Box::new(rsa::Rsa256Signer::new(key)?) as Box<dyn JwtSigner>,
74        Algorithm::RS384 => Box::new(rsa::Rsa384Signer::new(key)?) as Box<dyn JwtSigner>,
75        Algorithm::RS512 => Box::new(rsa::Rsa512Signer::new(key)?) as Box<dyn JwtSigner>,
76        Algorithm::PS256 => Box::new(rsa::RsaPss256Signer::new(key)?) as Box<dyn JwtSigner>,
77        Algorithm::PS384 => Box::new(rsa::RsaPss384Signer::new(key)?) as Box<dyn JwtSigner>,
78        Algorithm::PS512 => Box::new(rsa::RsaPss512Signer::new(key)?) as Box<dyn JwtSigner>,
79        Algorithm::EdDSA => Box::new(eddsa::EdDSASigner::new(key)?) as Box<dyn JwtSigner>,
80    };
81
82    Ok(jwt_signer)
83}
84
85fn new_verifier(
86    algorithm: &Algorithm,
87    key: &DecodingKey,
88) -> Result<Box<dyn super::JwtVerifier>, Error> {
89    let jwt_verifier = match algorithm {
90        Algorithm::HS256 => Box::new(hmac::Hs256Verifier::new(key)?) as Box<dyn JwtVerifier>,
91        Algorithm::HS384 => Box::new(hmac::Hs384Verifier::new(key)?) as Box<dyn JwtVerifier>,
92        Algorithm::HS512 => Box::new(hmac::Hs512Verifier::new(key)?) as Box<dyn JwtVerifier>,
93        Algorithm::ES256 => Box::new(ecdsa::Es256Verifier::new(key)?) as Box<dyn JwtVerifier>,
94        Algorithm::ES384 => Box::new(ecdsa::Es384Verifier::new(key)?) as Box<dyn JwtVerifier>,
95        Algorithm::RS256 => Box::new(rsa::Rsa256Verifier::new(key)?) as Box<dyn JwtVerifier>,
96        Algorithm::RS384 => Box::new(rsa::Rsa384Verifier::new(key)?) as Box<dyn JwtVerifier>,
97        Algorithm::RS512 => Box::new(rsa::Rsa512Verifier::new(key)?) as Box<dyn JwtVerifier>,
98        Algorithm::PS256 => Box::new(rsa::RsaPss256Verifier::new(key)?) as Box<dyn JwtVerifier>,
99        Algorithm::PS384 => Box::new(rsa::RsaPss384Verifier::new(key)?) as Box<dyn JwtVerifier>,
100        Algorithm::PS512 => Box::new(rsa::RsaPss512Verifier::new(key)?) as Box<dyn JwtVerifier>,
101        Algorithm::EdDSA => Box::new(eddsa::EdDSAVerifier::new(key)?) as Box<dyn JwtVerifier>,
102    };
103
104    Ok(jwt_verifier)
105}
106
107/// The default [`CryptoProvider`] backed by [`rust_crypto`](https://github.com/RustCrypto).
108pub static DEFAULT_PROVIDER: CryptoProvider = CryptoProvider {
109    signer_factory: new_signer,
110    verifier_factory: new_verifier,
111    jwk_utils: JwkUtils {
112        extract_rsa_public_key_components,
113        extract_ec_public_key_coordinates,
114        compute_digest,
115    },
116};