use base64::{engine::general_purpose::STANDARD, Engine}; use serde::ser::Serialize; use crate::algorithms::AlgorithmFamily; use crate::crypto; use crate::errors::{new_error, ErrorKind, Result}; use crate::header::Header; #[cfg(feature = "use_pem")] use crate::pem::decoder::PemEncodedKey; use crate::serialization::b64_encode_part; /// A key to encode a JWT with. Can be a secret, a PEM-encoded key or a DER-encoded key. /// This key can be re-used so make sure you only initialize it once if you can for better performance. #[derive(Clone)] pub struct EncodingKey { pub(crate) family: AlgorithmFamily, content: Vec, } impl EncodingKey { /// If you're using a HMAC secret that is not base64, use that. pub fn from_secret(secret: &[u8]) -> Self { EncodingKey { family: AlgorithmFamily::Hmac, content: secret.to_vec() } } /// If you have a base64 HMAC secret, use that. pub fn from_base64_secret(secret: &str) -> Result { let out = STANDARD.decode(secret)?; Ok(EncodingKey { family: AlgorithmFamily::Hmac, content: out }) } /// If you are loading a RSA key from a .pem file. /// This errors if the key is not a valid RSA key. /// Only exists if the feature `use_pem` is enabled. /// /// # NOTE /// /// According to the [ring doc](https://docs.rs/ring/latest/ring/signature/struct.RsaKeyPair.html#method.from_pkcs8), /// the key should be at least 2047 bits. /// #[cfg(feature = "use_pem")] pub fn from_rsa_pem(key: &[u8]) -> Result { let pem_key = PemEncodedKey::new(key)?; let content = pem_key.as_rsa_key()?; Ok(EncodingKey { family: AlgorithmFamily::Rsa, content: content.to_vec() }) } /// If you are loading a ECDSA key from a .pem file /// This errors if the key is not a valid private EC key /// Only exists if the feature `use_pem` is enabled. /// /// # NOTE /// /// The key should be in PKCS#8 form. /// /// You can generate a key with the following: /// /// ```sh /// openssl ecparam -genkey -noout -name prime256v1 \ /// | openssl pkcs8 -topk8 -nocrypt -out ec-private.pem /// ``` #[cfg(feature = "use_pem")] pub fn from_ec_pem(key: &[u8]) -> Result { let pem_key = PemEncodedKey::new(key)?; let content = pem_key.as_ec_private_key()?; Ok(EncodingKey { family: AlgorithmFamily::Ec, content: content.to_vec() }) } /// If you are loading a EdDSA key from a .pem file /// This errors if the key is not a valid private Ed key /// Only exists if the feature `use_pem` is enabled. #[cfg(feature = "use_pem")] pub fn from_ed_pem(key: &[u8]) -> Result { let pem_key = PemEncodedKey::new(key)?; let content = pem_key.as_ed_private_key()?; Ok(EncodingKey { family: AlgorithmFamily::Ed, content: content.to_vec() }) } /// If you know what you're doing and have the DER-encoded key, for RSA only pub fn from_rsa_der(der: &[u8]) -> Self { EncodingKey { family: AlgorithmFamily::Rsa, content: der.to_vec() } } /// If you know what you're doing and have the DER-encoded key, for ECDSA pub fn from_ec_der(der: &[u8]) -> Self { EncodingKey { family: AlgorithmFamily::Ec, content: der.to_vec() } } /// If you know what you're doing and have the DER-encoded key, for EdDSA pub fn from_ed_der(der: &[u8]) -> Self { EncodingKey { family: AlgorithmFamily::Ed, content: der.to_vec() } } pub(crate) fn inner(&self) -> &[u8] { &self.content } } /// Encode the header and claims given and sign the payload using the algorithm from the header and the key. /// If the algorithm given is RSA or EC, the key needs to be in the PEM format. /// /// ```rust /// use serde::{Deserialize, Serialize}; /// use jsonwebtoken::{encode, Algorithm, Header, EncodingKey}; /// /// #[derive(Debug, Serialize, Deserialize)] /// struct Claims { /// sub: String, /// company: String /// } /// /// let my_claims = Claims { /// sub: "b@b.com".to_owned(), /// company: "ACME".to_owned() /// }; /// /// // my_claims is a struct that implements Serialize /// // This will create a JWT using HS256 as algorithm /// let token = encode(&Header::default(), &my_claims, &EncodingKey::from_secret("secret".as_ref())).unwrap(); /// ``` pub fn encode(header: &Header, claims: &T, key: &EncodingKey) -> Result { if key.family != header.alg.family() { return Err(new_error(ErrorKind::InvalidAlgorithm)); } let encoded_header = b64_encode_part(header)?; let encoded_claims = b64_encode_part(claims)?; let message = [encoded_header, encoded_claims].join("."); let signature = crypto::sign(message.as_bytes(), key, header.alg)?; Ok([message, signature].join(".")) }