1use std::convert::TryFrom;
2
3use ct_codecs::{Base64UrlSafeNoPadding, Encoder};
4use k256::ecdsa::{self, signature::DigestVerifier as _, signature::RandomizedDigestSigner as _};
5use k256::pkcs8::{DecodePrivateKey, DecodePublicKey, EncodePrivateKey, EncodePublicKey};
6use serde::{de::DeserializeOwned, Serialize};
7
8use crate::claims::*;
9use crate::common::*;
10#[cfg(feature = "cwt")]
11use crate::cwt_token::*;
12use crate::error::*;
13use crate::jwt_header::*;
14use crate::token::*;
15
16#[doc(hidden)]
17#[derive(Debug, Clone)]
18pub struct K256PublicKey(ecdsa::VerifyingKey);
19
20impl AsRef<ecdsa::VerifyingKey> for K256PublicKey {
21 fn as_ref(&self) -> &ecdsa::VerifyingKey {
22 &self.0
23 }
24}
25
26impl K256PublicKey {
27 pub fn from_bytes(raw: &[u8]) -> Result<Self, Error> {
28 let k256_pk =
29 ecdsa::VerifyingKey::from_sec1_bytes(raw).map_err(|_| JWTError::InvalidPublicKey)?;
30 Ok(K256PublicKey(k256_pk))
31 }
32
33 pub fn from_der(der: &[u8]) -> Result<Self, Error> {
34 let k256_pk = ecdsa::VerifyingKey::from_public_key_der(der)
35 .map_err(|_| JWTError::InvalidPublicKey)?;
36 Ok(K256PublicKey(k256_pk))
37 }
38
39 pub fn from_pem(pem: &str) -> Result<Self, Error> {
40 let k256_pk = ecdsa::VerifyingKey::from_public_key_pem(pem)
41 .map_err(|_| JWTError::InvalidPublicKey)?;
42 Ok(K256PublicKey(k256_pk))
43 }
44
45 pub fn to_bytes(&self) -> Vec<u8> {
46 self.0.to_encoded_point(false).as_bytes().to_vec()
47 }
48
49 pub fn to_bytes_uncompressed(&self) -> Vec<u8> {
50 self.0.to_encoded_point(false).as_bytes().to_vec()
51 }
52
53 pub fn to_der(&self) -> Result<Vec<u8>, Error> {
54 let k256_pk = k256::PublicKey::from(self.0);
55 Ok(k256_pk
56 .to_public_key_der()
57 .map_err(|_| JWTError::InvalidPublicKey)?
58 .as_ref()
59 .to_vec())
60 }
61
62 pub fn to_pem(&self) -> Result<String, Error> {
63 let k256_pk = k256::PublicKey::from(self.0);
64 Ok(k256_pk
65 .to_public_key_pem(Default::default())
66 .map_err(|_| JWTError::InvalidPublicKey)?)
67 }
68}
69
70#[doc(hidden)]
71pub struct K256KeyPair {
72 k256_sk: ecdsa::SigningKey,
73 metadata: Option<KeyMetadata>,
74}
75
76impl AsRef<ecdsa::SigningKey> for K256KeyPair {
77 fn as_ref(&self) -> &ecdsa::SigningKey {
78 &self.k256_sk
79 }
80}
81
82impl K256KeyPair {
83 pub fn from_bytes(raw: &[u8]) -> Result<Self, Error> {
84 let k256_sk =
85 ecdsa::SigningKey::from_bytes(raw.into()).map_err(|_| JWTError::InvalidKeyPair)?;
86 Ok(K256KeyPair {
87 k256_sk,
88 metadata: None,
89 })
90 }
91
92 pub fn from_der(der: &[u8]) -> Result<Self, Error> {
93 let k256_sk =
94 ecdsa::SigningKey::from_pkcs8_der(der).map_err(|_| JWTError::InvalidKeyPair)?;
95 Ok(K256KeyPair {
96 k256_sk,
97 metadata: None,
98 })
99 }
100
101 pub fn from_pem(pem: &str) -> Result<Self, Error> {
102 let k256_sk =
103 ecdsa::SigningKey::from_pkcs8_pem(pem).map_err(|_| JWTError::InvalidKeyPair)?;
104 Ok(K256KeyPair {
105 k256_sk,
106 metadata: None,
107 })
108 }
109
110 pub fn to_bytes(&self) -> Vec<u8> {
111 self.k256_sk.to_bytes().to_vec()
112 }
113
114 pub fn to_der(&self) -> Result<Vec<u8>, Error> {
115 let k256_sk = k256::SecretKey::from(&self.k256_sk);
116 Ok(k256_sk
117 .to_pkcs8_der()
118 .map_err(|_| JWTError::InvalidKeyPair)?
119 .as_bytes()
120 .to_vec())
121 }
122
123 pub fn to_pem(&self) -> Result<String, Error> {
124 let k256_sk = k256::SecretKey::from(&self.k256_sk);
125 Ok(k256_sk
126 .to_pkcs8_pem(Default::default())
127 .map_err(|_| JWTError::InvalidKeyPair)?
128 .to_string())
129 }
130
131 pub fn public_key(&self) -> K256PublicKey {
132 let k256_pk = self.k256_sk.verifying_key();
133 K256PublicKey(*k256_pk)
134 }
135
136 pub fn generate() -> Self {
137 let mut rng = rand::thread_rng();
138 let k256_sk = ecdsa::SigningKey::random(&mut rng);
139 K256KeyPair {
140 k256_sk,
141 metadata: None,
142 }
143 }
144}
145
146pub trait ECDSAP256kKeyPairLike {
147 fn jwt_alg_name() -> &'static str;
148 fn key_pair(&self) -> &K256KeyPair;
149 fn key_id(&self) -> &Option<String>;
150 fn metadata(&self) -> &Option<KeyMetadata>;
151 fn attach_metadata(&mut self, metadata: KeyMetadata) -> Result<(), Error>;
152
153 fn sign<CustomClaims: Serialize + DeserializeOwned>(
154 &self,
155 claims: JWTClaims<CustomClaims>,
156 ) -> Result<String, Error> {
157 self.sign_with_options(claims, &Default::default())
158 }
159
160 fn sign_with_options<CustomClaims: Serialize + DeserializeOwned>(
161 &self,
162 claims: JWTClaims<CustomClaims>,
163 opts: &HeaderOptions,
164 ) -> Result<String, Error> {
165 let jwt_header = JWTHeader::new(Self::jwt_alg_name().to_string(), self.key_id().clone())
166 .with_key_metadata(self.metadata())
167 .with_options(opts);
168 Token::build(&jwt_header, claims, |authenticated| {
169 let mut digest = hmac_sha256::Hash::new();
170 digest.update(authenticated.as_bytes());
171 let mut rng = rand::thread_rng();
172 let signature: ecdsa::Signature = self
173 .key_pair()
174 .as_ref()
175 .sign_digest_with_rng(&mut rng, digest);
176 Ok(signature.to_vec())
177 })
178 }
179}
180
181pub trait ECDSAP256kPublicKeyLike {
182 fn jwt_alg_name() -> &'static str;
183 fn public_key(&self) -> &K256PublicKey;
184 fn key_id(&self) -> &Option<String>;
185 fn set_key_id(&mut self, key_id: String);
186
187 fn verify_token<CustomClaims: Serialize + DeserializeOwned>(
188 &self,
189 token: &str,
190 options: Option<VerificationOptions>,
191 ) -> Result<JWTClaims<CustomClaims>, Error> {
192 Token::verify(
193 Self::jwt_alg_name(),
194 token,
195 options,
196 |authenticated, signature| {
197 let ecdsa_signature = ecdsa::Signature::try_from(signature)
198 .map_err(|_| JWTError::InvalidSignature)?;
199 let mut digest = hmac_sha256::Hash::new();
200 digest.update(authenticated.as_bytes());
201 self.public_key()
202 .as_ref()
203 .verify_digest(digest, &ecdsa_signature)
204 .map_err(|_| JWTError::InvalidSignature)?;
205 Ok(())
206 },
207 |_salt: Option<&[u8]>| Ok(()),
208 )
209 }
210
211 #[cfg(feature = "cwt")]
212 fn verify_cwt_token<CustomClaims: Serialize + DeserializeOwned>(
213 &self,
214 token: &[u8],
215 options: Option<VerificationOptions>,
216 ) -> Result<JWTClaims<NoCustomClaims>, Error> {
217 CWTToken::verify(
218 Self::jwt_alg_name(),
219 token,
220 options,
221 |authenticated, signature| {
222 let ecdsa_signature = ecdsa::Signature::try_from(signature)
223 .map_err(|_| JWTError::InvalidSignature)?;
224 let mut digest = hmac_sha256::Hash::new();
225 digest.update(authenticated.as_bytes());
226 self.public_key()
227 .as_ref()
228 .verify_digest(digest, &ecdsa_signature)
229 .map_err(|_| JWTError::InvalidSignature)?;
230 Ok(())
231 },
232 )
233 }
234
235 #[cfg(feature = "cwt")]
237 fn decode_cwt_metadata(&self, token: impl AsRef<[u8]>) -> Result<TokenMetadata, Error> {
238 CWTToken::decode_metadata(token)
239 }
240
241 fn create_key_id(&mut self) -> &str {
242 self.set_key_id(
243 Base64UrlSafeNoPadding::encode_to_string(hmac_sha256::Hash::hash(
244 &self.public_key().to_bytes(),
245 ))
246 .unwrap(),
247 );
248 self.key_id().as_ref().map(|x| x.as_str()).unwrap()
249 }
250}
251
252pub struct ES256kKeyPair {
253 key_pair: K256KeyPair,
254 key_id: Option<String>,
255}
256
257#[derive(Debug, Clone)]
258pub struct ES256kPublicKey {
259 pk: K256PublicKey,
260 key_id: Option<String>,
261}
262
263impl ECDSAP256kKeyPairLike for ES256kKeyPair {
264 fn jwt_alg_name() -> &'static str {
265 "ES256K"
266 }
267
268 fn key_pair(&self) -> &K256KeyPair {
269 &self.key_pair
270 }
271
272 fn key_id(&self) -> &Option<String> {
273 &self.key_id
274 }
275
276 fn metadata(&self) -> &Option<KeyMetadata> {
277 &self.key_pair.metadata
278 }
279
280 fn attach_metadata(&mut self, metadata: KeyMetadata) -> Result<(), Error> {
281 self.key_pair.metadata = Some(metadata);
282 Ok(())
283 }
284}
285
286impl ES256kKeyPair {
287 pub fn from_bytes(raw: &[u8]) -> Result<Self, Error> {
288 Ok(ES256kKeyPair {
289 key_pair: K256KeyPair::from_bytes(raw)?,
290 key_id: None,
291 })
292 }
293
294 pub fn from_der(der: &[u8]) -> Result<Self, Error> {
295 Ok(ES256kKeyPair {
296 key_pair: K256KeyPair::from_der(der)?,
297 key_id: None,
298 })
299 }
300
301 pub fn from_pem(pem: &str) -> Result<Self, Error> {
302 Ok(ES256kKeyPair {
303 key_pair: K256KeyPair::from_pem(pem)?,
304 key_id: None,
305 })
306 }
307
308 pub fn to_bytes(&self) -> Vec<u8> {
309 self.key_pair.to_bytes()
310 }
311
312 pub fn to_der(&self) -> Result<Vec<u8>, Error> {
313 self.key_pair.to_der()
314 }
315
316 pub fn to_pem(&self) -> Result<String, Error> {
317 self.key_pair.to_pem()
318 }
319
320 pub fn public_key(&self) -> ES256kPublicKey {
321 ES256kPublicKey {
322 pk: self.key_pair.public_key(),
323 key_id: self.key_id.clone(),
324 }
325 }
326
327 pub fn generate() -> Self {
328 ES256kKeyPair {
329 key_pair: K256KeyPair::generate(),
330 key_id: None,
331 }
332 }
333
334 pub fn with_key_id(mut self, key_id: &str) -> Self {
335 self.key_id = Some(key_id.to_string());
336 self
337 }
338}
339
340impl ECDSAP256kPublicKeyLike for ES256kPublicKey {
341 fn jwt_alg_name() -> &'static str {
342 "ES256K"
343 }
344
345 fn public_key(&self) -> &K256PublicKey {
346 &self.pk
347 }
348
349 fn key_id(&self) -> &Option<String> {
350 &self.key_id
351 }
352
353 fn set_key_id(&mut self, key_id: String) {
354 self.key_id = Some(key_id);
355 }
356}
357
358impl ES256kPublicKey {
359 pub fn from_bytes(raw: &[u8]) -> Result<Self, Error> {
360 Ok(ES256kPublicKey {
361 pk: K256PublicKey::from_bytes(raw)?,
362 key_id: None,
363 })
364 }
365
366 pub fn from_der(der: &[u8]) -> Result<Self, Error> {
367 Ok(ES256kPublicKey {
368 pk: K256PublicKey::from_der(der)?,
369 key_id: None,
370 })
371 }
372
373 pub fn from_pem(pem: &str) -> Result<Self, Error> {
374 Ok(ES256kPublicKey {
375 pk: K256PublicKey::from_pem(pem)?,
376 key_id: None,
377 })
378 }
379
380 pub fn to_bytes(&self) -> Vec<u8> {
381 self.pk.to_bytes()
382 }
383
384 pub fn to_der(&self) -> Result<Vec<u8>, Error> {
385 self.pk.to_der()
386 }
387
388 pub fn to_pem(&self) -> Result<String, Error> {
389 self.pk.to_pem()
390 }
391
392 pub fn with_key_id(mut self, key_id: &str) -> Self {
393 self.key_id = Some(key_id.to_string());
394 self
395 }
396}