126 lines
4.4 KiB
Rust
126 lines
4.4 KiB
Rust
use super::Result;
|
|
use crate::header::Algorithm;
|
|
use base64::{decode_config, encode_config, URL_SAFE_NO_PAD};
|
|
use openssl::{
|
|
hash::MessageDigest,
|
|
memcmp,
|
|
pkey::PKey,
|
|
rsa::Rsa,
|
|
sign::{Signer, Verifier},
|
|
};
|
|
|
|
pub fn sign(data: &str, key: &[u8], algorithm: &Algorithm) -> Result<String> {
|
|
match *algorithm {
|
|
Algorithm::HS256 => sign_hmac(data, key, MessageDigest::sha256()),
|
|
Algorithm::HS384 => sign_hmac(data, key, MessageDigest::sha384()),
|
|
Algorithm::HS512 => sign_hmac(data, key, MessageDigest::sha512()),
|
|
Algorithm::RS256 => sign_rsa(data, key, MessageDigest::sha256()),
|
|
Algorithm::RS384 => sign_rsa(data, key, MessageDigest::sha384()),
|
|
Algorithm::RS512 => sign_rsa(data, key, MessageDigest::sha512()),
|
|
}
|
|
}
|
|
|
|
pub fn verify(target: &str, data: &str, key: &[u8], algorithm: &Algorithm) -> Result<bool> {
|
|
match *algorithm {
|
|
Algorithm::HS256 => verify_hmac(target, data, key, MessageDigest::sha256()),
|
|
Algorithm::HS384 => verify_hmac(target, data, key, MessageDigest::sha384()),
|
|
Algorithm::HS512 => verify_hmac(target, data, key, MessageDigest::sha512()),
|
|
Algorithm::RS256 => verify_rsa(target, data, key, MessageDigest::sha256()),
|
|
Algorithm::RS384 => verify_rsa(target, data, key, MessageDigest::sha384()),
|
|
Algorithm::RS512 => verify_rsa(target, data, key, MessageDigest::sha512()),
|
|
}
|
|
}
|
|
|
|
fn sign_hmac(data: &str, key: &[u8], digest: MessageDigest) -> Result<String> {
|
|
let secret_key = PKey::hmac(key)?;
|
|
|
|
let mut signer = Signer::new(digest, &secret_key)?;
|
|
signer.update(data.as_bytes())?;
|
|
|
|
let mac = signer.sign_to_vec()?;
|
|
Ok(encode_config(&mac, URL_SAFE_NO_PAD))
|
|
}
|
|
|
|
fn sign_rsa(data: &str, key: &[u8], digest: MessageDigest) -> Result<String> {
|
|
let private_key = Rsa::private_key_from_pem(key)?;
|
|
let pkey = PKey::from_rsa(private_key)?;
|
|
|
|
let mut signer = Signer::new(digest, &pkey)?;
|
|
signer.update(data.as_bytes())?;
|
|
let sig = signer.sign_to_vec()?;
|
|
Ok(encode_config(&sig, URL_SAFE_NO_PAD))
|
|
}
|
|
|
|
fn verify_hmac(target: &str, data: &str, key: &[u8], digest: MessageDigest) -> Result<bool> {
|
|
let target_bytes: Vec<u8> = decode_config(target, URL_SAFE_NO_PAD)?;
|
|
let secret_key = PKey::hmac(key)?;
|
|
|
|
let mut signer = Signer::new(digest, &secret_key)?;
|
|
signer.update(data.as_bytes())?;
|
|
|
|
let mac = signer.sign_to_vec()?;
|
|
|
|
Ok(memcmp::eq(&mac, &target_bytes))
|
|
}
|
|
|
|
fn verify_rsa(signature: &str, data: &str, key: &[u8], digest: MessageDigest) -> Result<bool> {
|
|
let signature_bytes: Vec<u8> = decode_config(signature, URL_SAFE_NO_PAD)?;
|
|
let public_key = Rsa::public_key_from_pem(key)?;
|
|
let pkey = PKey::from_rsa(public_key)?;
|
|
let mut verifier = Verifier::new(digest, &pkey)?;
|
|
verifier.update(data.as_bytes())?;
|
|
Ok(verifier.verify(&signature_bytes)?)
|
|
}
|
|
|
|
#[cfg(test)]
|
|
pub mod tests {
|
|
use super::{sign, verify};
|
|
use crate::header::Algorithm;
|
|
|
|
#[test]
|
|
pub fn sign_data_hmac() {
|
|
let header = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9";
|
|
let claims = "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9";
|
|
let real_sig = "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ";
|
|
let data = format!("{}.{}", header, claims);
|
|
|
|
let sig = sign(&*data, b"secret", &Algorithm::HS256);
|
|
|
|
assert_eq!(sig.unwrap(), real_sig);
|
|
}
|
|
|
|
#[test]
|
|
pub fn sign_and_verify_data_rsa() {
|
|
let header = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9";
|
|
let claims = "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9";
|
|
|
|
let data = format!("{}.{}", header, claims);
|
|
|
|
let keypair = openssl::rsa::Rsa::generate(2048).unwrap();
|
|
|
|
let sig = sign(
|
|
&*data,
|
|
&keypair.private_key_to_pem().unwrap(),
|
|
&Algorithm::RS256,
|
|
)
|
|
.unwrap();
|
|
|
|
assert!(verify(
|
|
&sig,
|
|
&*data,
|
|
&keypair.public_key_to_pem().unwrap(),
|
|
&Algorithm::RS256
|
|
)
|
|
.unwrap());
|
|
}
|
|
|
|
#[test]
|
|
pub fn verify_data_hmac() {
|
|
let header = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9";
|
|
let claims = "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9";
|
|
let target = "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ";
|
|
let data = format!("{}.{}", header, claims);
|
|
|
|
assert!(verify(target, &*data, b"secret", &Algorithm::HS256).unwrap());
|
|
}
|
|
}
|