Expand description
Framework-agnostic cryptography for Bank Indonesia SNAP BI integrations.
This crate is the cryptographic spine shared by every PT IMMER SNAP BI consumer (client and server). It exposes:
HmacSigner— HMAC-SHA512 sign/verify with constant-time verification.RsaSigner/RsaVerifier— PKCS#8-only RSA, generic overSignatureScheme(PKCS#1-v1.5 and PSS, SHA-256 and SHA-512).Signature+Encoding— encoding-agnostic signature bytes; callers pick base64 / base64url-nopad / lowercase-hex at the call site.snap_bi(featuresnap-bi, default on) — canonical stringToSign builders, SHA-256/512 lower-hex helpers, Jakarta timestamp formatters, and SNAP BI header builders.webhook(featurewebhook, default on) — provider-extensible webhook signature verification (Inacash, BRI VA paid, etc.).
§Security guarantees
- No
unsafeanywhere in this crate (#![forbid(unsafe_code)]). - PKCS#8 enforcement: legacy PKCS#1 PEMs are rejected by the upstream
rsacrate parsers used here. - Constant-time verification: HMAC verification uses
hmac::Mac::verify_slice; RSA verification delegates torsa::signature::Verifier::verifywhich is constant-time per upstream documentation. - No
actix-webor HTTP-framework coupling: this is a leaf crate.wasm32-unknown-unknowncompiles require the downstream consumer to enablegetrandom/js(pulled transitively viarsa).
Re-exports§
pub use error::Error;pub use error::Result;pub use hmac::HmacSigner;pub use rsa::RsaSigner;pub use rsa::RsaVerifier;pub use rsa::SignatureScheme;pub use signature::Encoding;pub use signature::Signature;