remove custom-provider feature, make jwk utility functions private

Author: arckoor

Cargo.toml

@@ -53,6 +53,8 @@ wasm-bindgen-test = "0.3.1"
 ed25519-dalek = { version = "2.1.1", features = ["pkcs8", "rand_core"] }
 rand = { version = "0.8.5", features = ["std"], default-features = false }
 rand_core = "0.6.4"
+# for the custom provider example
+botan = { version = "0.12.0", features = ["vendored"] }
 [target.'cfg(not(all(target_arch = "wasm32", not(any(target_os = "emscripten", target_os = "wasi")))))'.dev-dependencies]
 # For the custom time example
 time = "0.3"
@@ -68,7 +70,6 @@ default = ["use_pem"]
 use_pem = ["pem", "simple_asn1"]
 rust_crypto = ["ed25519-dalek", "hmac", "p256", "p384", "rand", "rsa", "sha2"]
 aws_lc_rs = ["aws-lc-rs"]
-custom-provider = []
 
 [[bench]]
 name = "jwt"

README.md

@@ -15,7 +15,7 @@ jsonwebtoken = { version = "10", features = ["aws_lc_rs"] }
 serde = {version = "1.0", features = ["derive"] }
 ```
 
-Two crypto backends are available via features, `aws_lc_rs` and `rust_crypto`, at most one of which must be enabled. If you wish to use a custom crypto provider, enable the `custom-provider` feature instead.
+Two crypto backends are available via features, `aws_lc_rs` and `rust_crypto`, at most one of which must be enabled. If you select neither feature, you need to provide your own `CryptoProvider`.
 
 The minimum required Rust version (MSRV) is specified in the `rust-version` field in this project's [Cargo.toml](Cargo.toml).
 

examples/custom_provider.rs

@@ -1,15 +1,15 @@
 use jsonwebtoken::{
-    Algorithm, DecodingKey, EncodingKey, Header, Validation,
+    Algorithm, AlgorithmFamily, DecodingKey, EncodingKey, Error as SigError, Header, Signer,
+    Validation, Verifier,
     crypto::{CryptoProvider, JwkUtils, JwtSigner, JwtVerifier},
     decode, encode,
-    errors::Error,
+    errors::{Error, ErrorKind},
 };
 use serde::{Deserialize, Serialize};
-use signature::{Signer, Verifier};
 
 fn new_signer(algorithm: &Algorithm, key: &EncodingKey) -> Result<Box<dyn JwtSigner>, Error> {
     let jwt_signer = match algorithm {
-        Algorithm::EdDSA => Box::new(CustomEdDSASigner::new(key)?) as Box<dyn JwtSigner>,
+        Algorithm::EdDSA => Box::new(EdDSASigner::new(key)?) as Box<dyn JwtSigner>,
         _ => unimplemented!(),
     };
 
@@ -18,49 +18,71 @@ fn new_signer(algorithm: &Algorithm, key: &EncodingKey) -> Result<Box<dyn JwtSig
 
 fn new_verifier(algorithm: &Algorithm, key: &DecodingKey) -> Result<Box<dyn JwtVerifier>, Error> {
     let jwt_verifier = match algorithm {
-        Algorithm::EdDSA => Box::new(CustomEdDSAVerifier::new(key)?) as Box<dyn JwtVerifier>,
+        Algorithm::EdDSA => Box::new(EdDSAVerifier::new(key)?) as Box<dyn JwtVerifier>,
         _ => unimplemented!(),
     };
 
     Ok(jwt_verifier)
 }
 
-pub struct CustomEdDSASigner;
+struct EdDSASigner(botan::Privkey);
 
-impl CustomEdDSASigner {
-    fn new(_: &EncodingKey) -> Result<Self, Error> {
-        Ok(CustomEdDSASigner)
+impl EdDSASigner {
+    fn new(encoding_key: &EncodingKey) -> Result<Self, Error> {
+        if encoding_key.family() != AlgorithmFamily::Ed {
+            return Err(ErrorKind::InvalidKeyFormat.into());
+        }
+
+        Ok(Self(
+            botan::Privkey::load_der(encoding_key.inner())
+                .map_err(|_| ErrorKind::InvalidEddsaKey)?,
+        ))
     }
 }
 
-// WARNING: This is obviously not secure at all and should NEVER be done in practice!
-impl Signer<Vec<u8>> for CustomEdDSASigner {
-    fn try_sign(&self, _: &[u8]) -> Result<Vec<u8>, signature::Error> {
-        Ok(vec![0; 16])
+impl Signer<Vec<u8>> for EdDSASigner {
+    fn try_sign(&self, msg: &[u8]) -> std::result::Result<Vec<u8>, SigError> {
+        let mut rng = botan::RandomNumberGenerator::new_system().map_err(SigError::from_source)?;
+        let mut signer = botan::Signer::new(&self.0, "Pure").map_err(SigError::from_source)?;
+        signer.update(msg).map_err(SigError::from_source)?;
+        signer.finish(&mut rng).map_err(SigError::from_source)
     }
 }
 
-impl JwtSigner for CustomEdDSASigner {
+impl JwtSigner for EdDSASigner {
     fn algorithm(&self) -> Algorithm {
         Algorithm::EdDSA
     }
 }
 
-pub struct CustomEdDSAVerifier;
+struct EdDSAVerifier(botan::Pubkey);
+
+impl EdDSAVerifier {
+    fn new(decoding_key: &DecodingKey) -> Result<Self, Error> {
+        if decoding_key.family() != AlgorithmFamily::Ed {
+            return Err(ErrorKind::InvalidKeyFormat.into());
+        }
 
-impl CustomEdDSAVerifier {
-    fn new(_: &DecodingKey) -> Result<Self, Error> {
-        Ok(CustomEdDSAVerifier)
+        Ok(Self(
+            botan::Pubkey::load_ed25519(decoding_key.as_bytes())
+                .map_err(|_| ErrorKind::InvalidEddsaKey)?,
+        ))
     }
 }
 
-impl Verifier<Vec<u8>> for CustomEdDSAVerifier {
-    fn verify(&self, _: &[u8], signature: &Vec<u8>) -> Result<(), signature::Error> {
-        if signature == &vec![0; 16] { Ok(()) } else { Err(signature::Error::new()) }
+impl Verifier<Vec<u8>> for EdDSAVerifier {
+    fn verify(&self, msg: &[u8], signature: &Vec<u8>) -> std::result::Result<(), SigError> {
+        let mut verifier = botan::Verifier::new(&self.0, "Pure").map_err(SigError::from_source)?;
+        verifier.update(msg).map_err(SigError::from_source)?;
+        verifier
+            .finish(signature)
+            .map_err(SigError::from_source)?
+            .then_some(())
+            .ok_or(SigError::new())
     }
 }
 
-impl JwtVerifier for CustomEdDSAVerifier {
+impl JwtVerifier for EdDSAVerifier {
     fn algorithm(&self) -> Algorithm {
         Algorithm::EdDSA
     }
@@ -82,21 +104,30 @@ fn main() {
     };
     my_crypto_provider.install_default().unwrap();
 
-    // for an actual EdDSA implementation, this would be some private key
-    let key = b"secret";
+    // generate a new key
+    let (privkey, pubkey) = {
+        let key = botan::Privkey::create(
+            "Ed25519",
+            "",
+            &mut botan::RandomNumberGenerator::new_system().unwrap(),
+        )
+        .unwrap();
+        (key.pem_encode().unwrap(), key.pubkey().unwrap().pem_encode().unwrap())
+    };
     let my_claims = Claims { sub: "me".to_owned(), exp: 10000000000 };
 
     // our crypto provider only supports EdDSA
     let header = Header::new(Algorithm::EdDSA);
 
-    let token = match encode(&header, &my_claims, &EncodingKey::from_ed_der(key)) {
-        Ok(t) => t,
-        Err(_) => panic!(), // in practice you would return an error
-    };
+    let token =
+        match encode(&header, &my_claims, &EncodingKey::from_ed_pem(privkey.as_bytes()).unwrap()) {
+            Ok(t) => t,
+            Err(_) => panic!(), // in practice you would return an error
+        };
 
     let claims = match decode::<Claims>(
         token,
-        &DecodingKey::from_ed_der(key),
+        &DecodingKey::from_ed_pem(pubkey.as_bytes()).unwrap(),
         &Validation::new(Algorithm::EdDSA),
     ) {
         Ok(c) => c.claims,

src/crypto/aws_lc/ecdsa.rs

@@ -18,7 +18,7 @@ macro_rules! define_ecdsa_signer {
 
         impl $name {
             pub(crate) fn new(encoding_key: &EncodingKey) -> Result<Self> {
-                if encoding_key.family != AlgorithmFamily::Ec {
+                if encoding_key.family() != AlgorithmFamily::Ec {
                     return Err(new_error(ErrorKind::InvalidKeyFormat));
                 }
 
@@ -51,7 +51,7 @@ macro_rules! define_ecdsa_verifier {
 
         impl $name {
             pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
-                if decoding_key.family != AlgorithmFamily::Ec {
+                if decoding_key.family() != AlgorithmFamily::Ec {
                     return Err(new_error(ErrorKind::InvalidKeyFormat));
                 }
 

src/crypto/aws_lc/eddsa.rs

@@ -11,7 +11,7 @@ pub struct EdDSASigner(Ed25519KeyPair);
 
 impl EdDSASigner {
     pub(crate) fn new(encoding_key: &EncodingKey) -> Result<Self> {
-        if encoding_key.family != AlgorithmFamily::Ed {
+        if encoding_key.family() != AlgorithmFamily::Ed {
             return Err(new_error(ErrorKind::InvalidKeyFormat));
         }
 
@@ -38,7 +38,7 @@ pub struct EdDSAVerifier(DecodingKey);
 
 impl EdDSAVerifier {
     pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
-        if decoding_key.family != AlgorithmFamily::Ed {
+        if decoding_key.family() != AlgorithmFamily::Ed {
             return Err(new_error(ErrorKind::InvalidKeyFormat));
         }
 

src/crypto/aws_lc/mod.rs

@@ -15,18 +15,15 @@ mod eddsa;
 mod hmac;
 mod rsa;
 
-/// Given a DER encoded private key, extract the RSA public key components (n, e)
-pub fn extract_rsa_public_key_components(key_content: &[u8]) -> errors::Result<(Vec<u8>, Vec<u8>)> {
+fn extract_rsa_public_key_components(key_content: &[u8]) -> errors::Result<(Vec<u8>, Vec<u8>)> {
     let key_pair = aws_sig::RsaKeyPair::from_der(key_content)
         .map_err(|e| ErrorKind::InvalidRsaKey(e.to_string()))?;
     let public = key_pair.public_key();
     let components = aws_sig::RsaPublicKeyComponents::<Vec<u8>>::from(public);
     Ok((components.n, components.e))
 }
 
-/// Given a DER encoded private key and an algorithm, extract the associated curve
-/// and the EC public key components (x, y)
-pub fn extract_ec_public_key_coordinates(
+fn extract_ec_public_key_coordinates(
     key_content: &[u8],
     alg: Algorithm,
 ) -> errors::Result<(EllipticCurve, Vec<u8>, Vec<u8>)> {
@@ -52,8 +49,7 @@ pub fn extract_ec_public_key_coordinates(
     Ok((curve, x.to_vec(), y.to_vec()))
 }
 
-/// Given some data and a name of a hash function, compute hash_function(data)
-pub fn compute_digest(data: &[u8], hash_function: ThumbprintHash) -> Vec<u8> {
+fn compute_digest(data: &[u8], hash_function: ThumbprintHash) -> Vec<u8> {
     let algorithm = match hash_function {
         ThumbprintHash::SHA256 => &digest::SHA256,
         ThumbprintHash::SHA384 => &digest::SHA384,

src/crypto/aws_lc/rsa.rs

@@ -37,7 +37,7 @@ fn verify_rsa(
     msg: &[u8],
     signature: &[u8],
 ) -> std::result::Result<(), signature::Error> {
-    match &decoding_key.kind {
+    match decoding_key.kind() {
         DecodingKeyKind::SecretOrDer(bytes) => {
             let public_key = crypto_sig::UnparsedPublicKey::new(algorithm, bytes);
             public_key.verify(msg, signature).map_err(signature::Error::from_source)?;
@@ -57,7 +57,7 @@ macro_rules! define_rsa_signer {
 
         impl $name {
             pub(crate) fn new(encoding_key: &EncodingKey) -> Result<Self> {
-                if encoding_key.family != AlgorithmFamily::Rsa {
+                if encoding_key.family() != AlgorithmFamily::Rsa {
                     return Err(new_error(ErrorKind::InvalidKeyFormat));
                 }
 
@@ -85,7 +85,7 @@ macro_rules! define_rsa_verifier {
 
         impl $name {
             pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
-                if decoding_key.family != AlgorithmFamily::Rsa {
+                if decoding_key.family() != AlgorithmFamily::Rsa {
                     return Err(new_error(ErrorKind::InvalidKeyFormat));
                 }
 

src/crypto/mod.rs

@@ -132,20 +132,12 @@ See the documentation of the CryptoProvider type for more information.
 
     /// Determine a `CryptoProvider` based on crate features.
     pub fn from_crate_features() -> Option<Self> {
-        #[cfg(all(
-            feature = "rust_crypto",
-            not(feature = "aws_lc_rs"),
-            not(feature = "custom-provider")
-        ))]
+        #[cfg(all(feature = "rust_crypto", not(feature = "aws_lc_rs")))]
         {
             return Some(rust_crypto::DEFAULT_PROVIDER);
         }
 
-        #[cfg(all(
-            feature = "aws_lc_rs",
-            not(feature = "rust_crypto"),
-            not(feature = "custom-provider")
-        ))]
+        #[cfg(all(feature = "aws_lc_rs", not(feature = "rust_crypto")))]
         {
             return Some(aws_lc::DEFAULT_PROVIDER);
         }

src/crypto/rust_crypto/ecdsa.rs

@@ -20,7 +20,7 @@ macro_rules! define_ecdsa_signer {
 
         impl $name {
             pub(crate) fn new(encoding_key: &EncodingKey) -> Result<Self> {
-                if encoding_key.family != AlgorithmFamily::Ec {
+                if encoding_key.family() != AlgorithmFamily::Ec {
                     return Err(new_error(ErrorKind::InvalidKeyFormat));
                 }
 
@@ -52,7 +52,7 @@ macro_rules! define_ecdsa_verifier {
 
         impl $name {
             pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
-                if decoding_key.family != AlgorithmFamily::Ec {
+                if decoding_key.family() != AlgorithmFamily::Ec {
                     return Err(new_error(ErrorKind::InvalidKeyFormat));
                 }
 

src/crypto/rust_crypto/eddsa.rs

@@ -12,7 +12,7 @@ pub struct EdDSASigner(SigningKey);
 
 impl EdDSASigner {
     pub(crate) fn new(encoding_key: &EncodingKey) -> Result<Self> {
-        if encoding_key.family != AlgorithmFamily::Ed {
+        if encoding_key.family() != AlgorithmFamily::Ed {
             return Err(new_error(ErrorKind::InvalidKeyFormat));
         }
 
@@ -39,7 +39,7 @@ pub struct EdDSAVerifier(VerifyingKey);
 
 impl EdDSAVerifier {
     pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
-        if decoding_key.family != AlgorithmFamily::Ed {
+        if decoding_key.family() != AlgorithmFamily::Ed {
             return Err(new_error(ErrorKind::InvalidKeyFormat));
         }