[proxmox.git] / src / eab.rs

use openssl::hash::MessageDigest;
use openssl::pkey::{HasPrivate, PKeyRef};
use openssl::sign::Signer;
use serde::{Deserialize, Serialize};

use crate::key::Jwk;
use crate::{b64u, Error};

#[derive(Debug, Serialize)]
#[serde(rename_all = "camelCase")]
struct Protected {
    alg: &'static str,
    url: String,
    kid: String,
}

#[derive(Debug, Serialize, Deserialize, Clone)]
#[serde(rename_all = "camelCase")]
pub struct ExternalAccountBinding {
    protected: String,
    payload: String,
    signature: String,
}

impl ExternalAccountBinding {
    pub fn new<P>(
        eab_kid: &str,
        eab_hmac_key: &PKeyRef<P>,
        jwk: Jwk,
        url: String,
    ) -> Result<Self, Error>
    where
        P: HasPrivate,
    {
        let protected = Protected {
            alg: "HS256",
            kid: eab_kid.to_string(),
            url,
        };
        let payload = b64u::encode(serde_json::to_string(&jwk)?.as_bytes());
        let protected_data = b64u::encode(serde_json::to_string(&protected)?.as_bytes());
        let signature = {
            let protected = protected_data.as_bytes();
            let payload = payload.as_bytes();
            Self::sign_hmac(eab_hmac_key, protected, payload)?
        };

        let signature = b64u::encode(&signature);
        Ok(ExternalAccountBinding {
            protected: protected_data,
            payload,
            signature,
        })
    }

    fn sign_hmac<P>(key: &PKeyRef<P>, protected: &[u8], payload: &[u8]) -> Result<Vec<u8>, Error>
    where
        P: HasPrivate,
    {
        let mut signer = Signer::new(MessageDigest::sha256(), key)?;
        signer.update(protected)?;
        signer.update(b".")?;
        signer.update(payload)?;
        Ok(signer.sign_to_vec()?)
    }
}
Commit	Line	Data
88f7e190 FG	1	use openssl::hash::MessageDigest;
	2	use openssl::pkey::{HasPrivate, PKeyRef};
	3	use openssl::sign::Signer;
	4	use serde::{Deserialize, Serialize};
	5
	6	use crate::key::Jwk;
	7	use crate::{b64u, Error};
	8
	9	#[derive(Debug, Serialize)]
	10	#[serde(rename_all = "camelCase")]
	11	struct Protected {
	12	alg: &'static str,
	13	url: String,
	14	kid: String,
	15	}
	16
	17	#[derive(Debug, Serialize, Deserialize, Clone)]
	18	#[serde(rename_all = "camelCase")]
	19	pub struct ExternalAccountBinding {
	20	protected: String,
	21	payload: String,
	22	signature: String,
	23	}
	24
	25	impl ExternalAccountBinding {
	26	pub fn new<P>(
	27	eab_kid: &str,
	28	eab_hmac_key: &PKeyRef<P>,
	29	jwk: Jwk,
	30	url: String,
	31	) -> Result<Self, Error>
	32	where
	33	P: HasPrivate,
	34	{
	35	let protected = Protected {
	36	alg: "HS256",
	37	kid: eab_kid.to_string(),
	38	url,
	39	};
	40	let payload = b64u::encode(serde_json::to_string(&jwk)?.as_bytes());
	41	let protected_data = b64u::encode(serde_json::to_string(&protected)?.as_bytes());
	42	let signature = {
	43	let protected = protected_data.as_bytes();
	44	let payload = payload.as_bytes();
	45	Self::sign_hmac(eab_hmac_key, protected, payload)?
	46	};
	47
	48	let signature = b64u::encode(&signature);
	49	Ok(ExternalAccountBinding {
	50	protected: protected_data,
	51	payload,
	52	signature,
	53	})
	54	}
	55
	56	fn sign_hmac<P>(key: &PKeyRef<P>, protected: &[u8], payload: &[u8]) -> Result<Vec<u8>, Error>
	57	where
	58	P: HasPrivate,
	59	{
	60	let mut signer = Signer::new(MessageDigest::sha256(), key)?;
	61	signer.update(protected)?;
	62	signer.update(b".")?;
	63	signer.update(payload)?;
	64	Ok(signer.sign_to_vec()?)
65	}
66	}