feat(crypto): Implement JwtSigner and JwtVerifier for aws-lc-rs

Author: sidrubs

Cargo.toml

@@ -27,7 +27,6 @@ base64 = "0.22"
 pem = { version = "3", optional = true }
 simple_asn1 = { version = "0.6", optional = true }
 
-hmac = "0.12.1"
 rsa = "0.9.6"
 sha2 = { version = "0.10.7", features = ["oid"] }
 getrandom = { version = "0.2.10", features = ["js"] }
@@ -37,6 +36,13 @@ p256 = { version = "0.13.2", features = ["ecdsa"] }
 p384 = { version = "0.13.0", features = ["ecdsa"] }
 rand_core = "0.6.4"
 signature = "2.2.0"
+
+# "rust_crypto" feature
+hmac = { version = "0.12.1", optional = true }
+
+# "aws_lc_rs" feature
+aws-lc-rs = { version = "1.10.0", optional = true }
+
 [target.'cfg(target_arch = "wasm32")'.dependencies]
 js-sys = "0.3"
 
@@ -54,8 +60,10 @@ time = { version = "0.3", features = ["wasm-bindgen"] }
 criterion = { version = "0.4", default-features = false }
 
 [features]
-default = ["use_pem"]
+default = ["use_pem", "rust_crypto"]
 use_pem = ["pem", "simple_asn1", 'p256/pem', 'p384/pem']
+rust_crypto = ["hmac"]
+aws_lc_rs = ["aws-lc-rs"]
 
 [[bench]]
 name = "jwt"

src/crypto/aws_lc/hmac.rs

@@ -0,0 +1,105 @@
+//! Implementations of the [`JwtSigner`] and [`JwtVerifier`] traits for the
+//! HMAC family of algorithms using [`aws_lc_rs`]
+
+use aws_lc_rs::hmac;
+use signature::{Signer, Verifier};
+
+use crate::crypto::{JwtSigner, JwtVerifier};
+use crate::errors::Result;
+use crate::{Algorithm, HmacSecret};
+
+pub struct Hs256(hmac::Key);
+
+impl Hs256 {
+    pub(crate) fn new(secret: HmacSecret) -> Result<Self> {
+        Ok(Self(hmac::Key::new(hmac::HMAC_SHA256, &secret)))
+    }
+}
+
+impl Signer<Vec<u8>> for Hs256 {
+    fn try_sign(&self, msg: &[u8]) -> std::result::Result<Vec<u8>, signature::Error> {
+        Ok(hmac::sign(&self.0, msg).as_ref().to_vec())
+    }
+}
+
+impl JwtSigner for Hs256 {
+    fn algorithm(&self) -> Algorithm {
+        Algorithm::HS256
+    }
+}
+
+impl Verifier<Vec<u8>> for Hs256 {
+    fn verify(&self, msg: &[u8], signature: &Vec<u8>) -> std::result::Result<(), signature::Error> {
+        hmac::verify(&self.0, msg, &signature).map_err(|err| signature::Error::from_source(err))
+    }
+}
+
+impl JwtVerifier for Hs256 {
+    fn algorithm(&self) -> Algorithm {
+        Algorithm::HS256
+    }
+}
+
+pub struct Hs384(hmac::Key);
+
+impl Hs384 {
+    pub(crate) fn new(secret: HmacSecret) -> Result<Self> {
+        Ok(Self(hmac::Key::new(hmac::HMAC_SHA384, &secret)))
+    }
+}
+
+impl Signer<Vec<u8>> for Hs384 {
+    fn try_sign(&self, msg: &[u8]) -> std::result::Result<Vec<u8>, signature::Error> {
+        Ok(hmac::sign(&self.0, msg).as_ref().to_vec())
+    }
+}
+
+impl JwtSigner for Hs384 {
+    fn algorithm(&self) -> Algorithm {
+        Algorithm::HS384
+    }
+}
+
+impl Verifier<Vec<u8>> for Hs384 {
+    fn verify(&self, msg: &[u8], signature: &Vec<u8>) -> std::result::Result<(), signature::Error> {
+        hmac::verify(&self.0, msg, &signature).map_err(|err| signature::Error::from_source(err))
+    }
+}
+
+impl JwtVerifier for Hs384 {
+    fn algorithm(&self) -> Algorithm {
+        Algorithm::HS384
+    }
+}
+
+pub struct Hs512(hmac::Key);
+
+impl Hs512 {
+    pub(crate) fn new(secret: HmacSecret) -> Result<Self> {
+        Ok(Self(hmac::Key::new(hmac::HMAC_SHA512, &secret)))
+    }
+}
+
+impl Signer<Vec<u8>> for Hs512 {
+    fn try_sign(&self, msg: &[u8]) -> std::result::Result<Vec<u8>, signature::Error> {
+        Ok(hmac::sign(&self.0, msg).as_ref().to_vec())
+    }
+}
+
+impl JwtSigner for Hs512 {
+    fn algorithm(&self) -> Algorithm {
+        Algorithm::HS512
+    }
+}
+
+impl Verifier<Vec<u8>> for Hs512 {
+    fn verify(&self, msg: &[u8], signature: &Vec<u8>) -> std::result::Result<(), signature::Error> {
+        hmac::verify(&self.0, msg, &signature).map_err(|err| signature::Error::from_source(err))
+    }
+}
+
+impl JwtVerifier for Hs512 {
+    fn algorithm(&self) -> Algorithm {
+        Algorithm::HS512
+    }
+}

src/crypto/aws_lc/mod.rs

@@ -0,0 +1 @@
+pub(crate) mod hmac;