feat(crypto): Add RSA family

Author: sidrubs

Cargo.toml

@@ -60,7 +60,7 @@ time = { version = "0.3", features = ["wasm-bindgen"] }
 criterion = { version = "0.4", default-features = false }
 
 [features]
-default = ["use_pem", "rust_crypto"]
+default = ["use_pem", "aws_lc_rs"]
 use_pem = ["pem", "simple_asn1", 'p256/pem', 'p384/pem']
 rust_crypto = ["hmac"]
 aws_lc_rs = ["aws-lc-rs"]

src/crypto/aws_lc/hmac.rs

@@ -4,101 +4,146 @@
 use aws_lc_rs::hmac;
 use signature::{Signer, Verifier};
 
+use crate::crypto::utils::{
+    try_get_hmac_secret_from_decoding_key, try_get_hmac_secret_from_encoding_key,
+};
 use crate::crypto::{JwtSigner, JwtVerifier};
 use crate::errors::Result;
-use crate::{Algorithm, HmacSecret};
+use crate::{Algorithm, DecodingKey, EncodingKey};
 
-pub struct Hs256(hmac::Key);
+pub struct Hs256Signer(hmac::Key);
 
-impl Hs256 {
-    pub(crate) fn new(secret: HmacSecret) -> Result<Self> {
-        Ok(Self(hmac::Key::new(hmac::HMAC_SHA256, &secret)))
+impl Hs256Signer {
+    pub(crate) fn new(encoding_key: &EncodingKey) -> Result<Self> {
+        Ok(Self(hmac::Key::new(
+            hmac::HMAC_SHA256,
+            try_get_hmac_secret_from_encoding_key(encoding_key)?,
+        )))
     }
 }
 
-impl Signer<Vec<u8>> for Hs256 {
+impl Signer<Vec<u8>> for Hs256Signer {
     fn try_sign(&self, msg: &[u8]) -> std::result::Result<Vec<u8>, signature::Error> {
         Ok(hmac::sign(&self.0, msg).as_ref().to_vec())
     }
 }
 
-impl JwtSigner for Hs256 {
+impl JwtSigner for Hs256Signer {
     fn algorithm(&self) -> Algorithm {
         Algorithm::HS256
     }
 }
 
-impl Verifier<Vec<u8>> for Hs256 {
+pub struct Hs256Verifier(hmac::Key);
+
+impl Hs256Verifier {
+    pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
+        Ok(Self(hmac::Key::new(
+            hmac::HMAC_SHA256,
+            try_get_hmac_secret_from_decoding_key(decoding_key)?,
+        )))
+    }
+}
+
+impl Verifier<Vec<u8>> for Hs256Verifier {
     fn verify(&self, msg: &[u8], signature: &Vec<u8>) -> std::result::Result<(), signature::Error> {
         hmac::verify(&self.0, msg, &signature).map_err(|err| signature::Error::from_source(err))
     }
 }
 
-impl JwtVerifier for Hs256 {
+impl JwtVerifier for Hs256Verifier {
     fn algorithm(&self) -> Algorithm {
         Algorithm::HS256
     }
 }
 
-pub struct Hs384(hmac::Key);
+pub struct Hs384Signer(hmac::Key);
 
-impl Hs384 {
-    pub(crate) fn new(secret: HmacSecret) -> Result<Self> {
-        Ok(Self(hmac::Key::new(hmac::HMAC_SHA384, &secret)))
+impl Hs384Signer {
+    pub(crate) fn new(encoding_key: &EncodingKey) -> Result<Self> {
+        Ok(Self(hmac::Key::new(
+            hmac::HMAC_SHA384,
+            try_get_hmac_secret_from_encoding_key(encoding_key)?,
+        )))
     }
 }
 
-impl Signer<Vec<u8>> for Hs384 {
+impl Signer<Vec<u8>> for Hs384Signer {
     fn try_sign(&self, msg: &[u8]) -> std::result::Result<Vec<u8>, signature::Error> {
         Ok(hmac::sign(&self.0, msg).as_ref().to_vec())
     }
 }
 
-impl JwtSigner for Hs384 {
+impl JwtSigner for Hs384Signer {
     fn algorithm(&self) -> Algorithm {
         Algorithm::HS384
     }
 }
 
-impl Verifier<Vec<u8>> for Hs384 {
+pub struct Hs384Verifier(hmac::Key);
+
+impl Hs384Verifier {
+    pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
+        Ok(Self(hmac::Key::new(
+            hmac::HMAC_SHA384,
+            try_get_hmac_secret_from_decoding_key(decoding_key)?,
+        )))
+    }
+}
+
+impl Verifier<Vec<u8>> for Hs384Verifier {
     fn verify(&self, msg: &[u8], signature: &Vec<u8>) -> std::result::Result<(), signature::Error> {
         hmac::verify(&self.0, msg, &signature).map_err(|err| signature::Error::from_source(err))
     }
 }
 
-impl JwtVerifier for Hs384 {
+impl JwtVerifier for Hs384Verifier {
     fn algorithm(&self) -> Algorithm {
         Algorithm::HS384
     }
 }
 
-pub struct Hs512(hmac::Key);
+pub struct Hs512Signer(hmac::Key);
 
-impl Hs512 {
-    pub(crate) fn new(secret: HmacSecret) -> Result<Self> {
-        Ok(Self(hmac::Key::new(hmac::HMAC_SHA512, &secret)))
+impl Hs512Signer {
+    pub(crate) fn new(encoding_key: &EncodingKey) -> Result<Self> {
+        Ok(Self(hmac::Key::new(
+            hmac::HMAC_SHA512,
+            try_get_hmac_secret_from_encoding_key(encoding_key)?,
+        )))
     }
 }
 
-impl Signer<Vec<u8>> for Hs512 {
+impl Signer<Vec<u8>> for Hs512Signer {
     fn try_sign(&self, msg: &[u8]) -> std::result::Result<Vec<u8>, signature::Error> {
         Ok(hmac::sign(&self.0, msg).as_ref().to_vec())
     }
 }
 
-impl JwtSigner for Hs512 {
+impl JwtSigner for Hs512Signer {
     fn algorithm(&self) -> Algorithm {
         Algorithm::HS512
     }
 }
 
-impl Verifier<Vec<u8>> for Hs512 {
+pub struct Hs512Verifier(hmac::Key);
+
+impl Hs512Verifier {
+    pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
+        Ok(Self(hmac::Key::new(
+            hmac::HMAC_SHA512,
+            try_get_hmac_secret_from_decoding_key(decoding_key)?,
+        )))
+    }
+}
+
+impl Verifier<Vec<u8>> for Hs512Verifier {
     fn verify(&self, msg: &[u8], signature: &Vec<u8>) -> std::result::Result<(), signature::Error> {
         hmac::verify(&self.0, msg, &signature).map_err(|err| signature::Error::from_source(err))
     }
 }
 
-impl JwtVerifier for Hs512 {
+impl JwtVerifier for Hs512Verifier {
     fn algorithm(&self) -> Algorithm {
         Algorithm::HS512
     }

src/crypto/aws_lc/mod.rs

@@ -1,2 +1,2 @@
 pub(crate) mod hmac;
-// pub(crate) mod rsa;
+pub(crate) mod rsa;

src/crypto/aws_lc/rsa.rs

@@ -0,0 +1,70 @@
+//! Implementations of the [`JwtSigner`] and [`JwtVerifier`] traits for the
+//! RSA family of algorithms using [`aws_lc_rs`]
+
+use aws_lc_rs::{rand, signature as crypto_sig};
+use signature::{Signer, Verifier};
+
+use crate::crypto::utils::{
+    try_get_rsa_components_from_decoding_key, try_get_rsa_pem_from_encoding_key,
+};
+use crate::crypto::{JwtSigner, JwtVerifier};
+use crate::errors::{ErrorKind, Result};
+use crate::{Algorithm, DecodingKey, EncodingKey};
+
+pub struct Rsa256Signer(crypto_sig::RsaKeyPair);
+
+impl Rsa256Signer {
+    pub(crate) fn new(encoding_key: &EncodingKey) -> Result<Self> {
+        let key_pair =
+            crypto_sig::RsaKeyPair::from_der(try_get_rsa_pem_from_encoding_key(encoding_key)?)
+                .map_err(|e| ErrorKind::InvalidRsaKey(e.to_string()))?;
+
+        Ok(Self(key_pair))
+    }
+}
+
+impl Signer<Vec<u8>> for Rsa256Signer {
+    fn try_sign(&self, msg: &[u8]) -> std::result::Result<Vec<u8>, signature::Error> {
+        let mut signature = vec![0; self.0.public_modulus_len()];
+        let rng = rand::SystemRandom::new();
+        self.0
+            .sign(&crypto_sig::RSA_PKCS1_SHA256, &rng, msg, &mut signature)
+            .map_err(|err| signature::Error::from_source(err))?;
+
+        Ok(signature)
+    }
+}
+
+impl JwtSigner for Rsa256Signer {
+    fn algorithm(&self) -> Algorithm {
+        Algorithm::RS256
+    }
+}
+
+pub struct Rsa256Verifier(crypto_sig::RsaPublicKeyComponents<Vec<u8>>);
+
+impl Rsa256Verifier {
+    pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
+        let components = try_get_rsa_components_from_decoding_key(decoding_key)?;
+        let pub_key = crypto_sig::RsaPublicKeyComponents {
+            n: components.0.to_vec(),
+            e: components.1.to_vec(),
+        };
+
+        Ok(Self(pub_key))
+    }
+}
+
+impl Verifier<Vec<u8>> for Rsa256Verifier {
+    fn verify(&self, msg: &[u8], signature: &Vec<u8>) -> std::result::Result<(), signature::Error> {
+        self.0
+            .verify(&crypto_sig::RSA_PKCS1_2048_8192_SHA256, msg, signature)
+            .map_err(|err| signature::Error::from_source(err))
+    }
+}
+
+impl JwtVerifier for Rsa256Verifier {
+    fn algorithm(&self) -> Algorithm {
+        Algorithm::RS256
+    }
+}

src/crypto/mod.rs

@@ -8,6 +8,7 @@ use crate::algorithms::Algorithm;
 pub(crate) mod aws_lc;
 #[cfg(feature = "rust_crypto")]
 pub(crate) mod rust_crypto;
+pub(crate) mod utils;
 
 use signature::{Signer, Verifier};
 

src/crypto/rust_crypto/hmac.rs

@@ -5,9 +5,10 @@ use hmac::{Hmac, Mac};
 use sha2::{Sha256, Sha384, Sha512};
 use signature::{Signer, Verifier};
 
+use crate::crypto::utils::{
+    try_get_hmac_secret_from_decoding_key, try_get_hmac_secret_from_encoding_key,
+};
 use crate::crypto::{JwtSigner, JwtVerifier};
-use crate::decoding::try_get_hmac_secret_from_decoding_key;
-use crate::encoding::try_get_hmac_secret_from_encoding_key;
 use crate::errors::Result;
 use crate::{Algorithm, DecodingKey, EncodingKey};
 
@@ -48,7 +49,7 @@ pub struct Hs256Verifier(HmacSha256);
 impl Hs256Verifier {
     pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
         let inner =
-            HmacSha256::new_from_slice(&try_get_hmac_secret_from_decoding_key(decoding_key)?)
+            HmacSha256::new_from_slice(try_get_hmac_secret_from_decoding_key(decoding_key)?)
                 .map_err(|_e| crate::errors::ErrorKind::InvalidKeyFormat)?;
 
         Ok(Self(inner))
@@ -104,7 +105,7 @@ pub struct Hs384Verifier(HmacSha384);
 impl Hs384Verifier {
     pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
         let inner =
-            HmacSha384::new_from_slice(&try_get_hmac_secret_from_decoding_key(decoding_key)?)
+            HmacSha384::new_from_slice(try_get_hmac_secret_from_decoding_key(decoding_key)?)
                 .map_err(|_e| crate::errors::ErrorKind::InvalidKeyFormat)?;
 
         Ok(Self(inner))
@@ -160,7 +161,7 @@ pub struct Hs512Verifier(HmacSha512);
 impl Hs512Verifier {
     pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
         let inner =
-            HmacSha512::new_from_slice(&try_get_hmac_secret_from_decoding_key(decoding_key)?)
+            HmacSha512::new_from_slice(try_get_hmac_secret_from_decoding_key(decoding_key)?)
                 .map_err(|_e| crate::errors::ErrorKind::InvalidKeyFormat)?;
 
         Ok(Self(inner))

src/crypto/utils.rs

@@ -0,0 +1,47 @@
+//! # Todo
+//!
+//! - Put in documentation
+
+use crate::{
+    algorithms::AlgorithmFamily,
+    decoding::DecodingKeyKind,
+    errors::{self, new_error, ErrorKind, Result},
+    DecodingKey, EncodingKey,
+};
+
+pub(crate) fn try_get_hmac_secret_from_encoding_key(encoding_key: &EncodingKey) -> Result<&[u8]> {
+    if encoding_key.family == AlgorithmFamily::Hmac {
+        Ok(encoding_key.inner())
+    } else {
+        Err(new_error(ErrorKind::InvalidKeyFormat))
+    }
+}
+
+pub(crate) fn try_get_hmac_secret_from_decoding_key(decoding_key: &DecodingKey) -> Result<&[u8]> {
+    if decoding_key.family != AlgorithmFamily::Hmac {
+        return Err(new_error(ErrorKind::InvalidKeyFormat));
+    }
+
+    Ok(decoding_key.as_bytes())
+}
+
+pub(crate) fn try_get_rsa_pem_from_encoding_key(encoding_key: &EncodingKey) -> Result<&[u8]> {
+    if encoding_key.family == AlgorithmFamily::Rsa {
+        Ok(encoding_key.inner())
+    } else {
+        Err(new_error(ErrorKind::InvalidKeyFormat))
+    }
+}
+
+pub(crate) fn try_get_rsa_components_from_decoding_key(
+    decoding_key: &DecodingKey,
+) -> Result<(&[u8], &[u8])> {
+    if decoding_key.family != AlgorithmFamily::Rsa {
+        return Err(new_error(ErrorKind::InvalidKeyFormat));
+    }
+
+    match &decoding_key.kind {
+        DecodingKeyKind::SecretOrDer(_) => unreachable!(),
+        DecodingKeyKind::RsaModulusExponent { n, e } => Ok((n, e)),
+    }
+}