Struct jsonwebtokens::Algorithm

source · 
pub struct Algorithm { /* private fields */ }
Expand description

A cryptographic function for signing or verifying a token signature

An Algorithm encapsulates one function for signing or verifying tokens. A key or secret only needs to be decoded once so it can be reused cheaply while signing or verifying tokens. The decoded key or secret and AlgorithmID are immutable after construction to avoid the chance of being coerced into using the wrong algorithm to sign or verify a token at runtime.

Optionally a kid Key ID can be assigned to an Algorithm to add a strict check that a token’s header must include the same kid value. This is useful when using an Algorithm to represent a single key within a JWKS key set, for example.

Implementations§

Returns the AlgorithmID that was used to construct the Algorithm

Examples found in repository?
src/raw.rs (line 212)
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233

pub fn verify_signature_only(
    header: &serde_json::value::Value,
    message: impl AsRef<str>,
    signature: impl AsRef<str>,
    algorithm: &Algorithm,
) -> Result<(), Error> {
    match header.get("alg") {
        Some(serde_json::value::Value::String(alg)) => {
            let alg = AlgorithmID::from_str(alg)?;

            if alg != algorithm.id() {
                return Err(Error::AlgorithmMismatch());
            }

            // An Algorithm may relate to a specific 'kid' which we verify...
            let kid = match header.get("kid") {
                Some(serde_json::value::Value::String(k)) => Some(k.as_ref()),
                Some(_) => {
                    return Err(Error::MalformedToken(ErrorDetails::new(
                        "Non-string 'kid' found",
                    )))
                }
                None => None,
            };

            algorithm.verify(kid, message, signature)?;
        }
        _ => return Err(Error::AlgorithmMismatch()),
    }

    Ok(())
}

Returns the algorithm name as standardized in RFC 7518

Examples found in repository?
src/crypto/algorithm.rs (line 125)
124
125
126

    fn from(alg: Algorithm) -> Self {
        alg.name()
    }

Optionally if a kid is associated with an algorithm there will be an extra verification that a token’s kid matches the one associated with the Algorithm

Returns a reference to any associated kid set via set_kid()

Constructs a NOP algorithm for use with unsecured (unsigned) tokens

Constructs a symmetric HMAC algorithm based on a given secret

This algorithm may be used for signing and/or verifying signatures

Constructs a symmetric HMAC algorithm based on a given base64 secret

This is a convenience api in case the secret you’re using is base64 encoded

This algorithm may be used for signing and/or verifying signatures

Constructs an ECDSA algorithm based on a PEM format private key

This algorithm may only be used for signing tokens

Constructs an ECDSA algorithm based on a PEM format public key

This algorithm may only be used for verifying tokens

Constructs an RSA algorithm based on a PEM format private key

This algorithm may only be used for signing tokens

Constructs an RSA algorithm based on a PEM format public key

This algorithm may only be used for verifying tokens

Constructs an RSA algorithm based on modulus (n) and exponent (e) components

In some situations (such as JWKS key sets), a public RSA key may be described in terms of (base64 encoded) modulus and exponent values.

This algorithm may only be used for verifying tokens

Lower-level api that can be used to verify a signature for a given message

Examples found in repository?
src/raw.rs (line 227)
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233

pub fn verify_signature_only(
    header: &serde_json::value::Value,
    message: impl AsRef<str>,
    signature: impl AsRef<str>,
    algorithm: &Algorithm,
) -> Result<(), Error> {
    match header.get("alg") {
        Some(serde_json::value::Value::String(alg)) => {
            let alg = AlgorithmID::from_str(alg)?;

            if alg != algorithm.id() {
                return Err(Error::AlgorithmMismatch());
            }

            // An Algorithm may relate to a specific 'kid' which we verify...
            let kid = match header.get("kid") {
                Some(serde_json::value::Value::String(k)) => Some(k.as_ref()),
                Some(_) => {
                    return Err(Error::MalformedToken(ErrorDetails::new(
                        "Non-string 'kid' found",
                    )))
                }
                None => None,
            };

            algorithm.verify(kid, message, signature)?;
        }
        _ => return Err(Error::AlgorithmMismatch()),
    }

    Ok(())
}

Lower-level api that can be used to calculate a signature for a message

Examples found in repository?
src/encode.rs (line 47)
39
40
41
42
43
44
45
46
47
48
49

pub fn encode<H: Serialize, C: Serialize>(
    header: &H,
    claims: &C,
    algorithm: &Algorithm,
) -> Result<String, Error> {
    let encoded_header = b64_encode_part(&header)?;
    let encoded_claims = b64_encode_part(&claims)?;
    let message = [encoded_header.as_ref(), encoded_claims.as_ref()].join(".");
    let signature = algorithm.sign(&message)?;
    Ok([message, signature].join("."))
}

Trait Implementations§

Formats the value using the given formatter. Read more
Converts to this type from the input type.

Auto Trait Implementations§

Blanket Implementations§

Gets the TypeId of self. Read more
Immutably borrows from an owned value. Read more
Mutably borrows from an owned value. Read more

Returns the argument unchanged.

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

The type returned in the event of a conversion error.
Performs the conversion.
The type returned in the event of a conversion error.
Performs the conversion.