1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
use base64;
use crypto_mac::Mac;
use digest::generic_array::ArrayLength;
use digest::{BlockInput, FixedOutput, Input, Reset};
use hmac::Hmac;
use sha2;
use crate::algorithm::{AlgorithmType, SigningAlgorithm, VerifyingAlgorithm};
use crate::error::Error;
use crate::SEPARATOR;
pub trait TypeLevelAlgorithmType {
fn algorithm_type() -> AlgorithmType;
}
macro_rules! type_level_algorithm_type {
($rust_crypto_type: ty, $algorithm_type: expr) => {
impl TypeLevelAlgorithmType for $rust_crypto_type {
fn algorithm_type() -> AlgorithmType {
$algorithm_type
}
}
};
}
type_level_algorithm_type!(sha2::Sha256, AlgorithmType::Hs256);
type_level_algorithm_type!(sha2::Sha384, AlgorithmType::Hs384);
type_level_algorithm_type!(sha2::Sha512, AlgorithmType::Hs512);
impl<D> SigningAlgorithm for Hmac<D>
where
D: Input + BlockInput + FixedOutput + Reset + Default + Clone + TypeLevelAlgorithmType,
D::BlockSize: ArrayLength<u8>,
D::OutputSize: ArrayLength<u8>,
{
fn algorithm_type(&self) -> AlgorithmType {
D::algorithm_type()
}
fn sign(&self, header: &str, claims: &str) -> Result<String, Error> {
let hmac = get_hmac_with_data(&self, header, claims);
let mac_result = hmac.result();
let code = mac_result.code();
Ok(base64::encode_config(&code, base64::URL_SAFE_NO_PAD))
}
}
impl<D> VerifyingAlgorithm for Hmac<D>
where
D: Input + BlockInput + FixedOutput + Reset + Default + Clone + TypeLevelAlgorithmType,
D::BlockSize: ArrayLength<u8>,
D::OutputSize: ArrayLength<u8>,
{
fn algorithm_type(&self) -> AlgorithmType {
D::algorithm_type()
}
fn verify_bytes(&self, header: &str, claims: &str, signature: &[u8]) -> Result<bool, Error> {
let hmac = get_hmac_with_data(self, header, claims);
hmac.verify(&signature)?;
Ok(true)
}
}
fn get_hmac_with_data<D>(hmac: &Hmac<D>, header: &str, claims: &str) -> Hmac<D>
where
D: Input + BlockInput + FixedOutput + Reset + Default + Clone + TypeLevelAlgorithmType,
D::BlockSize: ArrayLength<u8>,
D::OutputSize: ArrayLength<u8>,
{
let mut hmac = hmac.clone();
hmac.reset();
hmac.input(header.as_bytes());
hmac.input(SEPARATOR.as_bytes());
hmac.input(claims.as_bytes());
hmac
}
#[cfg(test)]
mod tests {
use crate::algorithm::{SigningAlgorithm, VerifyingAlgorithm};
use crate::error::Error;
use crypto_mac::Mac;
use hmac::Hmac;
use sha2::Sha256;
#[test]
pub fn sign() -> Result<(), Error> {
let header = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9";
let claims = "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9";
let expected_signature = "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ";
let signer: Hmac<Sha256> = Hmac::new_varkey(b"secret")?;
let computed_signature = SigningAlgorithm::sign(&signer, &header, &claims)?;
assert_eq!(computed_signature, expected_signature);
Ok(())
}
#[test]
pub fn verify() -> Result<(), Error> {
let header = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9";
let claims = "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9";
let signature = "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ";
let verifier: Hmac<Sha256> = Hmac::new_varkey(b"secret")?;
assert!(VerifyingAlgorithm::verify(
&verifier, &header, &claims, &signature
)?);
Ok(())
}
}