1use std::convert::TryFrom;
2
3use ct_codecs::{Base64UrlSafeNoPadding, Encoder};
4use k256::ecdsa::{self, signature::DigestVerifier as _, signature::RandomizedDigestSigner as _};
5use k256::pkcs8::{DecodePrivateKey, DecodePublicKey, EncodePrivateKey, EncodePublicKey};
6use serde::{de::DeserializeOwned, Serialize};
7
8use crate::claims::*;
9use crate::common::*;
10#[cfg(feature = "cwt")]
11use crate::cwt_token::*;
12use crate::error::*;
13use crate::jwt_header::*;
14use crate::token::*;
15
16#[doc(hidden)]
17#[derive(Debug, Clone)]
18pub struct K256PublicKey(ecdsa::VerifyingKey);
19
20impl AsRef<ecdsa::VerifyingKey> for K256PublicKey {
21 fn as_ref(&self) -> &ecdsa::VerifyingKey {
22 &self.0
23 }
24}
25
26impl K256PublicKey {
27 pub fn from_bytes(raw: &[u8]) -> Result<Self, Error> {
28 let k256_pk =
29 ecdsa::VerifyingKey::from_sec1_bytes(raw).map_err(|_| JWTError::InvalidPublicKey)?;
30 Ok(K256PublicKey(k256_pk))
31 }
32
33 pub fn from_der(der: &[u8]) -> Result<Self, Error> {
34 let k256_pk = ecdsa::VerifyingKey::from_public_key_der(der)
35 .map_err(|_| JWTError::InvalidPublicKey)?;
36 Ok(K256PublicKey(k256_pk))
37 }
38
39 pub fn from_pem(pem: &str) -> Result<Self, Error> {
40 let k256_pk = ecdsa::VerifyingKey::from_public_key_pem(pem)
41 .map_err(|_| JWTError::InvalidPublicKey)?;
42 Ok(K256PublicKey(k256_pk))
43 }
44
45 pub fn to_bytes(&self) -> Vec<u8> {
46 self.0.to_encoded_point(false).as_bytes().to_vec()
47 }
48
49 pub fn to_bytes_uncompressed(&self) -> Vec<u8> {
50 self.0.to_encoded_point(false).as_bytes().to_vec()
51 }
52
53 pub fn to_der(&self) -> Result<Vec<u8>, Error> {
54 let k256_pk = k256::PublicKey::from(self.0);
55 Ok(k256_pk
56 .to_public_key_der()
57 .map_err(|_| JWTError::InvalidPublicKey)?
58 .as_ref()
59 .to_vec())
60 }
61
62 pub fn to_pem(&self) -> Result<String, Error> {
63 let k256_pk = k256::PublicKey::from(self.0);
64 Ok(k256_pk
65 .to_public_key_pem(Default::default())
66 .map_err(|_| JWTError::InvalidPublicKey)?)
67 }
68}
69
70#[doc(hidden)]
71pub struct K256KeyPair {
72 k256_sk: ecdsa::SigningKey,
73 metadata: Option<KeyMetadata>,
74}
75
76impl AsRef<ecdsa::SigningKey> for K256KeyPair {
77 fn as_ref(&self) -> &ecdsa::SigningKey {
78 &self.k256_sk
79 }
80}
81
82impl K256KeyPair {
83 pub fn from_bytes(raw: &[u8]) -> Result<Self, Error> {
84 let k256_sk =
85 ecdsa::SigningKey::from_bytes(raw.into()).map_err(|_| JWTError::InvalidKeyPair)?;
86 Ok(K256KeyPair {
87 k256_sk,
88 metadata: None,
89 })
90 }
91
92 pub fn from_der(der: &[u8]) -> Result<Self, Error> {
93 let k256_sk =
94 ecdsa::SigningKey::from_pkcs8_der(der).map_err(|_| JWTError::InvalidKeyPair)?;
95 Ok(K256KeyPair {
96 k256_sk,
97 metadata: None,
98 })
99 }
100
101 pub fn from_pem(pem: &str) -> Result<Self, Error> {
102 let k256_sk =
103 ecdsa::SigningKey::from_pkcs8_pem(pem).map_err(|_| JWTError::InvalidKeyPair)?;
104 Ok(K256KeyPair {
105 k256_sk,
106 metadata: None,
107 })
108 }
109
110 pub fn to_bytes(&self) -> Vec<u8> {
111 self.k256_sk.to_bytes().to_vec()
112 }
113
114 pub fn to_der(&self) -> Result<Vec<u8>, Error> {
115 let k256_sk = k256::SecretKey::from(&self.k256_sk);
116 Ok(k256_sk
117 .to_pkcs8_der()
118 .map_err(|_| JWTError::InvalidKeyPair)?
119 .as_bytes()
120 .to_vec())
121 }
122
123 pub fn to_pem(&self) -> Result<String, Error> {
124 let k256_sk = k256::SecretKey::from(&self.k256_sk);
125 Ok(k256_sk
126 .to_pkcs8_pem(Default::default())
127 .map_err(|_| JWTError::InvalidKeyPair)?
128 .to_string())
129 }
130
131 pub fn public_key(&self) -> K256PublicKey {
132 let k256_pk = self.k256_sk.verifying_key();
133 K256PublicKey(*k256_pk)
134 }
135
136 pub fn generate() -> Self {
137 let mut rng = rand::thread_rng();
138 let k256_sk = ecdsa::SigningKey::random(&mut rng);
139 K256KeyPair {
140 k256_sk,
141 metadata: None,
142 }
143 }
144}
145
146pub trait ECDSAP256kKeyPairLike {
147 fn jwt_alg_name() -> &'static str;
148 fn key_pair(&self) -> &K256KeyPair;
149 fn key_id(&self) -> &Option<String>;
150 fn metadata(&self) -> &Option<KeyMetadata>;
151 fn attach_metadata(&mut self, metadata: KeyMetadata) -> Result<(), Error>;
152
153 fn sign<CustomClaims: Serialize + DeserializeOwned>(
154 &self,
155 claims: JWTClaims<CustomClaims>,
156 ) -> Result<String, Error> {
157 let jwt_header = JWTHeader::new(Self::jwt_alg_name().to_string(), self.key_id().clone())
158 .with_metadata(self.metadata());
159 Token::build(&jwt_header, claims, |authenticated| {
160 let mut digest = hmac_sha256::Hash::new();
161 digest.update(authenticated.as_bytes());
162 let mut rng = rand::thread_rng();
163 let signature: ecdsa::Signature = self
164 .key_pair()
165 .as_ref()
166 .sign_digest_with_rng(&mut rng, digest);
167 Ok(signature.to_vec())
168 })
169 }
170}
171
172pub trait ECDSAP256kPublicKeyLike {
173 fn jwt_alg_name() -> &'static str;
174 fn public_key(&self) -> &K256PublicKey;
175 fn key_id(&self) -> &Option<String>;
176 fn set_key_id(&mut self, key_id: String);
177
178 fn verify_token<CustomClaims: Serialize + DeserializeOwned>(
179 &self,
180 token: &str,
181 options: Option<VerificationOptions>,
182 ) -> Result<JWTClaims<CustomClaims>, Error> {
183 Token::verify(
184 Self::jwt_alg_name(),
185 token,
186 options,
187 |authenticated, signature| {
188 let ecdsa_signature = ecdsa::Signature::try_from(signature)
189 .map_err(|_| JWTError::InvalidSignature)?;
190 let mut digest = hmac_sha256::Hash::new();
191 digest.update(authenticated.as_bytes());
192 self.public_key()
193 .as_ref()
194 .verify_digest(digest, &ecdsa_signature)
195 .map_err(|_| JWTError::InvalidSignature)?;
196 Ok(())
197 },
198 )
199 }
200
201 #[cfg(feature = "cwt")]
202 fn verify_cwt_token<CustomClaims: Serialize + DeserializeOwned>(
203 &self,
204 token: &[u8],
205 options: Option<VerificationOptions>,
206 ) -> Result<JWTClaims<NoCustomClaims>, Error> {
207 CWTToken::verify(
208 Self::jwt_alg_name(),
209 token,
210 options,
211 |authenticated, signature| {
212 let ecdsa_signature = ecdsa::Signature::try_from(signature)
213 .map_err(|_| JWTError::InvalidSignature)?;
214 let mut digest = hmac_sha256::Hash::new();
215 digest.update(authenticated.as_bytes());
216 self.public_key()
217 .as_ref()
218 .verify_digest(digest, &ecdsa_signature)
219 .map_err(|_| JWTError::InvalidSignature)?;
220 Ok(())
221 },
222 )
223 }
224
225 fn create_key_id(&mut self) -> &str {
226 self.set_key_id(
227 Base64UrlSafeNoPadding::encode_to_string(hmac_sha256::Hash::hash(
228 &self.public_key().to_bytes(),
229 ))
230 .unwrap(),
231 );
232 self.key_id().as_ref().map(|x| x.as_str()).unwrap()
233 }
234}
235
236pub struct ES256kKeyPair {
237 key_pair: K256KeyPair,
238 key_id: Option<String>,
239}
240
241#[derive(Debug, Clone)]
242pub struct ES256kPublicKey {
243 pk: K256PublicKey,
244 key_id: Option<String>,
245}
246
247impl ECDSAP256kKeyPairLike for ES256kKeyPair {
248 fn jwt_alg_name() -> &'static str {
249 "ES256K"
250 }
251
252 fn key_pair(&self) -> &K256KeyPair {
253 &self.key_pair
254 }
255
256 fn key_id(&self) -> &Option<String> {
257 &self.key_id
258 }
259
260 fn metadata(&self) -> &Option<KeyMetadata> {
261 &self.key_pair.metadata
262 }
263
264 fn attach_metadata(&mut self, metadata: KeyMetadata) -> Result<(), Error> {
265 self.key_pair.metadata = Some(metadata);
266 Ok(())
267 }
268}
269
270impl ES256kKeyPair {
271 pub fn from_bytes(raw: &[u8]) -> Result<Self, Error> {
272 Ok(ES256kKeyPair {
273 key_pair: K256KeyPair::from_bytes(raw)?,
274 key_id: None,
275 })
276 }
277
278 pub fn from_der(der: &[u8]) -> Result<Self, Error> {
279 Ok(ES256kKeyPair {
280 key_pair: K256KeyPair::from_der(der)?,
281 key_id: None,
282 })
283 }
284
285 pub fn from_pem(pem: &str) -> Result<Self, Error> {
286 Ok(ES256kKeyPair {
287 key_pair: K256KeyPair::from_pem(pem)?,
288 key_id: None,
289 })
290 }
291
292 pub fn to_bytes(&self) -> Vec<u8> {
293 self.key_pair.to_bytes()
294 }
295
296 pub fn to_der(&self) -> Result<Vec<u8>, Error> {
297 self.key_pair.to_der()
298 }
299
300 pub fn to_pem(&self) -> Result<String, Error> {
301 self.key_pair.to_pem()
302 }
303
304 pub fn public_key(&self) -> ES256kPublicKey {
305 ES256kPublicKey {
306 pk: self.key_pair.public_key(),
307 key_id: self.key_id.clone(),
308 }
309 }
310
311 pub fn generate() -> Self {
312 ES256kKeyPair {
313 key_pair: K256KeyPair::generate(),
314 key_id: None,
315 }
316 }
317
318 pub fn with_key_id(mut self, key_id: &str) -> Self {
319 self.key_id = Some(key_id.to_string());
320 self
321 }
322}
323
324impl ECDSAP256kPublicKeyLike for ES256kPublicKey {
325 fn jwt_alg_name() -> &'static str {
326 "ES256K"
327 }
328
329 fn public_key(&self) -> &K256PublicKey {
330 &self.pk
331 }
332
333 fn key_id(&self) -> &Option<String> {
334 &self.key_id
335 }
336
337 fn set_key_id(&mut self, key_id: String) {
338 self.key_id = Some(key_id);
339 }
340}
341
342impl ES256kPublicKey {
343 pub fn from_bytes(raw: &[u8]) -> Result<Self, Error> {
344 Ok(ES256kPublicKey {
345 pk: K256PublicKey::from_bytes(raw)?,
346 key_id: None,
347 })
348 }
349
350 pub fn from_der(der: &[u8]) -> Result<Self, Error> {
351 Ok(ES256kPublicKey {
352 pk: K256PublicKey::from_der(der)?,
353 key_id: None,
354 })
355 }
356
357 pub fn from_pem(pem: &str) -> Result<Self, Error> {
358 Ok(ES256kPublicKey {
359 pk: K256PublicKey::from_pem(pem)?,
360 key_id: None,
361 })
362 }
363
364 pub fn to_bytes(&self) -> Vec<u8> {
365 self.pk.to_bytes()
366 }
367
368 pub fn to_der(&self) -> Result<Vec<u8>, Error> {
369 self.pk.to_der()
370 }
371
372 pub fn to_pem(&self) -> Result<String, Error> {
373 self.pk.to_pem()
374 }
375
376 pub fn with_key_id(mut self, key_id: &str) -> Self {
377 self.key_id = Some(key_id.to_string());
378 self
379 }
380}