Decoupled crypto backends

Cargo.toml

@@ -27,7 +27,6 @@ base64 = "0.22"
 pem = { version = "3", optional = true }
 simple_asn1 = { version = "0.6", optional = true }
 
-hmac = "0.12.1"
 rsa = "0.9.6"
 sha2 = { version = "0.10.7", features = ["oid"] }
 getrandom = { version = "0.2.10", features = ["js"] }
@@ -36,6 +35,14 @@ ed25519-dalek = { version = "2.1.1" }
 p256 = { version = "0.13.2", features = ["ecdsa"] }
 p384 = { version = "0.13.0", features = ["ecdsa"] }
 rand_core = "0.6.4"
+signature = "2.2.0"
+
+# "rust_crypto" feature
+hmac = { version = "0.12.1", optional = true }
+
+# "aws_lc_rs" feature
+aws-lc-rs = { version = "1.10.0", optional = true }
+
 [target.'cfg(target_arch = "wasm32")'.dependencies]
 js-sys = "0.3"
 
@@ -53,8 +60,10 @@ time = { version = "0.3", features = ["wasm-bindgen"] }
 criterion = { version = "0.4", default-features = false }
 
 [features]
-default = ["use_pem"]
+default = ["use_pem", "rust_crypto"]
 use_pem = ["pem", "simple_asn1", 'p256/pem', 'p384/pem']
+rust_crypto = ["hmac"]
+aws_lc_rs = ["aws-lc-rs"]
 
 [[bench]]
 name = "jwt"

src/crypto/aws_lc/hmac.rs

@@ -0,0 +1,105 @@
+//! Implementations of the [`JwtSigner`] and [`JwtVerifier`] traits for the
+//! HMAC family of algorithms using [`aws_lc_rs`]
+
+use aws_lc_rs::hmac;
+use signature::{Signer, Verifier};
+
+use crate::crypto::{JwtSigner, JwtVerifier};
+use crate::errors::Result;
+use crate::{Algorithm, HmacSecret};
+
+pub struct Hs256(hmac::Key);
+
+impl Hs256 {
+    pub(crate) fn new(secret: HmacSecret) -> Result<Self> {
+        Ok(Self(hmac::Key::new(hmac::HMAC_SHA256, &secret)))
+    }
+}
+
+impl Signer<Vec<u8>> for Hs256 {
+    fn try_sign(&self, msg: &[u8]) -> std::result::Result<Vec<u8>, signature::Error> {
+        Ok(hmac::sign(&self.0, msg).as_ref().to_vec())
+    }
+}
+
+impl JwtSigner for Hs256 {
+    fn algorithm(&self) -> Algorithm {
+        Algorithm::HS256
+    }
+}
+
+impl Verifier<Vec<u8>> for Hs256 {
+    fn verify(&self, msg: &[u8], signature: &Vec<u8>) -> std::result::Result<(), signature::Error> {
+        hmac::verify(&self.0, msg, &signature).map_err(|err| signature::Error::from_source(err))
+    }
+}
+
+impl JwtVerifier for Hs256 {
+    fn algorithm(&self) -> Algorithm {
+        Algorithm::HS256
+    }
+}
+
+pub struct Hs384(hmac::Key);
+
+impl Hs384 {
+    pub(crate) fn new(secret: HmacSecret) -> Result<Self> {
+        Ok(Self(hmac::Key::new(hmac::HMAC_SHA384, &secret)))
+    }
+}
+
+impl Signer<Vec<u8>> for Hs384 {
+    fn try_sign(&self, msg: &[u8]) -> std::result::Result<Vec<u8>, signature::Error> {
+        Ok(hmac::sign(&self.0, msg).as_ref().to_vec())
+    }
+}
+
+impl JwtSigner for Hs384 {
+    fn algorithm(&self) -> Algorithm {
+        Algorithm::HS384
+    }
+}
+
+impl Verifier<Vec<u8>> for Hs384 {
+    fn verify(&self, msg: &[u8], signature: &Vec<u8>) -> std::result::Result<(), signature::Error> {
+        hmac::verify(&self.0, msg, &signature).map_err(|err| signature::Error::from_source(err))
+    }
+}
+
+impl JwtVerifier for Hs384 {
+    fn algorithm(&self) -> Algorithm {
+        Algorithm::HS384
+    }
+}
+
+pub struct Hs512(hmac::Key);
+
+impl Hs512 {
+    pub(crate) fn new(secret: HmacSecret) -> Result<Self> {
+        Ok(Self(hmac::Key::new(hmac::HMAC_SHA512, &secret)))
+    }
+}
+
+impl Signer<Vec<u8>> for Hs512 {
+    fn try_sign(&self, msg: &[u8]) -> std::result::Result<Vec<u8>, signature::Error> {
+        Ok(hmac::sign(&self.0, msg).as_ref().to_vec())
+    }
+}
+
+impl JwtSigner for Hs512 {
+    fn algorithm(&self) -> Algorithm {
+        Algorithm::HS512
+    }
+}
+
+impl Verifier<Vec<u8>> for Hs512 {
+    fn verify(&self, msg: &[u8], signature: &Vec<u8>) -> std::result::Result<(), signature::Error> {
+        hmac::verify(&self.0, msg, &signature).map_err(|err| signature::Error::from_source(err))
+    }
+}
+
+impl JwtVerifier for Hs512 {
+    fn algorithm(&self) -> Algorithm {
+        Algorithm::HS512
+    }
+}

src/crypto/aws_lc/mod.rs

@@ -0,0 +1 @@
+pub(crate) mod hmac;

src/crypto/hmac.rs

@@ -1,106 +1,31 @@
-use hmac::{Hmac, Mac};
-use sha2::{Sha256, Sha384, Sha512};
+//! Common HMAC related functionality.
 
-use crate::errors::Result;
-use crate::serialization::{b64_decode, b64_encode};
-use crate::Algorithm;
-
-type HmacSha256 = Hmac<Sha256>;
-type HmacSha384 = Hmac<Sha384>;
-type HmacSha512 = Hmac<Sha512>;
+use std::ops::Deref;
 
-pub(crate) fn sign_hmac(alg: Algorithm, key: &[u8], message: &[u8]) -> Result<String> {
-    let mut hmac = create_hmac(alg, key)?;
-    let digest = hmac.sign(message);
-    Ok(b64_encode(digest))
-}
-
-pub(crate) fn hmac_verify(
-    alg: Algorithm,
-    signature: &str,
-    key: &[u8],
-    message: &[u8],
-) -> Result<bool> {
-    let mut hmac = create_hmac(alg, key)?;
-    let signature = b64_decode(signature)?;
-    Ok(hmac.verify(&signature, message))
-}
-
-fn create_hmac(alg: Algorithm, key: &[u8]) -> Result<Box<dyn HmacAlgorithm>> {
-    let hmac: Box<dyn HmacAlgorithm> = match alg {
-        Algorithm::HS256 => {
-            let sha256 = HmacSha256::new_from_slice(key)
-                .map_err(|_e| crate::errors::ErrorKind::InvalidKeyFormat)?;
-            Box::new(sha256)
-        }
-        Algorithm::HS384 => {
-            let sha384 = HmacSha384::new_from_slice(key)
-                .map_err(|_e| crate::errors::ErrorKind::InvalidKeyFormat)?;
-            Box::new(sha384)
-        }
-        Algorithm::HS512 => {
-            let sha512 = HmacSha512::new_from_slice(key)
-                .map_err(|_e| crate::errors::ErrorKind::InvalidKeyFormat)?;
-            Box::new(sha512)
-        }
-        _ => {
-            return Err(crate::errors::new_error(crate::errors::ErrorKind::InvalidAlgorithm));
-        }
-    };
-    Ok(hmac)
-}
-
-trait HmacAlgorithm {
-    fn sign(&mut self, message: &[u8]) -> Vec<u8>;
-    fn verify(&mut self, signature: &[u8], message: &[u8]) -> bool;
-}
+use base64::{engine::general_purpose::STANDARD, Engine};
 
-impl HmacAlgorithm for Box<dyn HmacAlgorithm + '_> {
-    fn sign(&mut self, message: &[u8]) -> Vec<u8> {
-        (**self).sign(message)
-    }
+use crate::errors::Result;
 
-    fn verify(&mut self, signature: &[u8], message: &[u8]) -> bool {
-        (**self).verify(signature, message)
-    }
-}
+/// The shared secret used for the HMAC family of algorithms.
+#[derive(Debug)]
+pub struct HmacSecret(Vec<u8>);
 
-impl HmacAlgorithm for HmacSha256 {
-    fn sign(&mut self, message: &[u8]) -> Vec<u8> {
-        self.reset();
-        self.update(message);
-        self.clone().finalize().into_bytes().to_vec()
+impl HmacSecret {
+    /// If you're using an HMAC secret that is not base64, use that.
+    pub fn from_secret(secret: &[u8]) -> Self {
+        Self(secret.to_vec())
     }
-    fn verify(&mut self, signature: &[u8], message: &[u8]) -> bool {
-        self.reset();
-        self.update(message);
-        self.clone().verify_slice(signature).is_ok()
-    }
-}
 
-impl HmacAlgorithm for HmacSha384 {
-    fn sign(&mut self, message: &[u8]) -> Vec<u8> {
-        self.reset();
-        self.update(message);
-        self.clone().finalize().into_bytes().to_vec()
-    }
-    fn verify(&mut self, signature: &[u8], message: &[u8]) -> bool {
-        self.reset();
-        self.update(message);
-        self.clone().verify_slice(signature).is_ok()
+    /// If you have a base64 HMAC secret, use that.
+    pub fn from_base64_secret(secret: &str) -> Result<Self> {
+        Ok(Self(STANDARD.decode(secret)?))
     }
 }
 
-impl HmacAlgorithm for HmacSha512 {
-    fn sign(&mut self, message: &[u8]) -> Vec<u8> {
-        self.reset();
-        self.update(message);
-        self.clone().finalize().into_bytes().to_vec()
-    }
+impl Deref for HmacSecret {
+    type Target = Vec<u8>;
 
-    fn verify(&mut self, signature: &[u8], message: &[u8]) -> bool {
-        self.reset();
-        self.update(message);
-        self.clone().verify_slice(signature).is_ok()
+    fn deref(&self) -> &Self::Target {
+        &self.0
     }
 }