Skip to main content

pdk_jwt_lib/model/
signing_algorithm.rs

1// Copyright (c) 2026, Salesforce, Inc.,
2// All rights reserved.
3// For full license text, see the LICENSE.txt file
4
5//! JWT signing algorithms and key lengths
6//!
7//! This module defines the supported JWT signing algorithms and their corresponding
8//! key lengths. It provides type-safe representations for algorithm selection
9//! and key length validation.
10//!
11
12use serde::Deserialize;
13use std::convert::TryFrom;
14
15use crate::error::jwt_error::JWTError;
16
17/// List of possible JWT signing key lengths.
18/// __Note: not all algorithms support all key lengths__
19#[derive(Debug, Deserialize, Clone, Eq, PartialEq, Copy)]
20#[serde(try_from = "&str")]
21pub enum SigningKeyLength {
22    Len256,
23    Len384,
24    Len512,
25}
26
27impl TryFrom<&str> for SigningKeyLength {
28    type Error = JWTError;
29
30    fn try_from(value: &str) -> Result<Self, Self::Error> {
31        match value {
32            "256" => Ok(SigningKeyLength::Len256),
33            "384" => Ok(SigningKeyLength::Len384),
34            "512" => Ok(SigningKeyLength::Len512),
35            _ => Err(JWTError::SigningKeyLengthParseFailed),
36        }
37    }
38}
39
40/// List of possible JWT signing algorithms.
41/// __See [JWT signing algorithms specification (RFC 7518)](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)__
42#[derive(Debug, Deserialize, Clone, Copy, Eq, PartialEq)]
43#[serde(try_from = "&str")]
44pub enum SigningAlgorithm {
45    /// RSA signing algorithm. Requires verifying key to validate tokens. Supports key lengths 256, 384 and 512
46    Rsa,
47    /// HMAC with SHA-2 signing algorithm. Requires signing secret key to validate tokens. Supports key lengths 256, 384 and 512
48    #[cfg(not(fips))]
49    Hmac,
50    /// ECDSA signing algorithm. Requires verifying key to validate tokens. Supports key lengths 256 and 384
51    Es,
52}
53
54impl TryFrom<&str> for SigningAlgorithm {
55    type Error = JWTError;
56
57    fn try_from(value: &str) -> Result<Self, Self::Error> {
58        match value {
59            "rsa" => Ok(SigningAlgorithm::Rsa),
60            #[cfg(not(fips))]
61            "hmac" => Ok(SigningAlgorithm::Hmac),
62            "es" => Ok(SigningAlgorithm::Es),
63            _ => Err(JWTError::SigningAlgorithmParseFailed),
64        }
65    }
66}
67
68#[cfg(test)]
69mod test {
70    use super::{SigningAlgorithm, SigningKeyLength};
71    use crate::api::error::JWTError;
72    use std::convert::TryFrom;
73
74    #[test]
75    fn try_from_algorithm() {
76        #[cfg(not(fips))]
77        assert_eq!(
78            SigningAlgorithm::try_from("hmac").unwrap(),
79            SigningAlgorithm::Hmac
80        );
81        assert_eq!(
82            SigningAlgorithm::try_from("rsa").unwrap(),
83            SigningAlgorithm::Rsa
84        );
85        assert_eq!(
86            SigningAlgorithm::try_from("es").unwrap(),
87            SigningAlgorithm::Es
88        );
89        assert_eq!(
90            SigningAlgorithm::try_from("HMAC").unwrap_err(),
91            JWTError::SigningAlgorithmParseFailed
92        );
93    }
94
95    #[test]
96    fn try_from_length() {
97        assert_eq!(
98            SigningKeyLength::try_from("256").unwrap(),
99            SigningKeyLength::Len256
100        );
101        assert_eq!(
102            SigningKeyLength::try_from("384").unwrap(),
103            SigningKeyLength::Len384
104        );
105        assert_eq!(
106            SigningKeyLength::try_from("512").unwrap(),
107            SigningKeyLength::Len512
108        );
109        assert_eq!(
110            SigningKeyLength::try_from("257").unwrap_err(),
111            JWTError::SigningKeyLengthParseFailed
112        );
113    }
114}