use base64::{engine::general_purpose::STANDARD, Engine};
use serde::de::DeserializeOwned;
use crate::algorithms::AlgorithmFamily;
use crate::crypto::verify;
use crate::errors::{new_error, ErrorKind, Result};
use crate::header::Header;
use crate::jwk::{AlgorithmParameters, Jwk};
#[cfg(feature = "use_pem")]
use crate::pem::decoder::PemEncodedKey;
use crate::serialization::{b64_decode, DecodedJwtPartClaims};
use crate::validation::{validate, Validation};
#[derive(Debug)]
pub struct TokenData<T> {
pub header: Header,
pub claims: T,
}
impl<T> Clone for TokenData<T>
where
T: Clone,
{
fn clone(&self) -> Self {
Self { header: self.header.clone(), claims: self.claims.clone() }
}
}
macro_rules! expect_two {
($iter:expr) => {{
let mut i = $iter;
match (i.next(), i.next(), i.next()) {
(Some(first), Some(second), None) => (first, second),
_ => return Err(new_error(ErrorKind::InvalidToken)),
}
}};
}
#[derive(Clone)]
pub(crate) enum DecodingKeyKind {
SecretOrDer(Vec<u8>),
RsaModulusExponent { n: Vec<u8>, e: Vec<u8> },
}
#[derive(Clone)]
pub struct DecodingKey {
pub(crate) family: AlgorithmFamily,
pub(crate) kind: DecodingKeyKind,
}
impl DecodingKey {
pub fn from_secret(secret: &[u8]) -> Self {
DecodingKey {
family: AlgorithmFamily::Hmac,
kind: DecodingKeyKind::SecretOrDer(secret.to_vec()),
}
}
pub fn from_base64_secret(secret: &str) -> Result<Self> {
let out = STANDARD.decode(secret)?;
Ok(DecodingKey { family: AlgorithmFamily::Hmac, kind: DecodingKeyKind::SecretOrDer(out) })
}
#[cfg(feature = "use_pem")]
pub fn from_rsa_pem(key: &[u8]) -> Result<Self> {
let pem_key = PemEncodedKey::new(key)?;
let content = pem_key.as_rsa_key()?;
Ok(DecodingKey {
family: AlgorithmFamily::Rsa,
kind: DecodingKeyKind::SecretOrDer(content.to_vec()),
})
}
pub fn from_rsa_components(modulus: &str, exponent: &str) -> Result<Self> {
let n = b64_decode(modulus)?;
let e = b64_decode(exponent)?;
Ok(DecodingKey {
family: AlgorithmFamily::Rsa,
kind: DecodingKeyKind::RsaModulusExponent { n, e },
})
}
pub fn from_rsa_raw_components(modulus: &[u8], exponent: &[u8]) -> Self {
DecodingKey {
family: AlgorithmFamily::Rsa,
kind: DecodingKeyKind::RsaModulusExponent { n: modulus.to_vec(), e: exponent.to_vec() },
}
}
#[cfg(feature = "use_pem")]
pub fn from_ec_pem(key: &[u8]) -> Result<Self> {
let pem_key = PemEncodedKey::new(key)?;
let content = pem_key.as_ec_public_key()?;
Ok(DecodingKey {
family: AlgorithmFamily::Ec,
kind: DecodingKeyKind::SecretOrDer(content.to_vec()),
})
}
pub fn from_ec_components(x: &str, y: &str) -> Result<Self> {
let x_cmp = b64_decode(x)?;
let y_cmp = b64_decode(y)?;
let mut public_key = Vec::with_capacity(1 + x.len() + y.len());
public_key.push(0x04);
public_key.extend_from_slice(&x_cmp);
public_key.extend_from_slice(&y_cmp);
Ok(DecodingKey {
family: AlgorithmFamily::Ec,
kind: DecodingKeyKind::SecretOrDer(public_key),
})
}
#[cfg(feature = "use_pem")]
pub fn from_ed_pem(key: &[u8]) -> Result<Self> {
let pem_key = PemEncodedKey::new(key)?;
let content = pem_key.as_ed_public_key()?;
Ok(DecodingKey {
family: AlgorithmFamily::Ed,
kind: DecodingKeyKind::SecretOrDer(content.to_vec()),
})
}
pub fn from_rsa_der(der: &[u8]) -> Self {
DecodingKey {
family: AlgorithmFamily::Rsa,
kind: DecodingKeyKind::SecretOrDer(der.to_vec()),
}
}
pub fn from_ec_der(der: &[u8]) -> Self {
DecodingKey {
family: AlgorithmFamily::Ec,
kind: DecodingKeyKind::SecretOrDer(der.to_vec()),
}
}
pub fn from_ed_der(der: &[u8]) -> Self {
DecodingKey {
family: AlgorithmFamily::Ed,
kind: DecodingKeyKind::SecretOrDer(der.to_vec()),
}
}
pub fn from_ed_components(x: &str) -> Result<Self> {
let x_decoded = b64_decode(x)?;
Ok(DecodingKey {
family: AlgorithmFamily::Ed,
kind: DecodingKeyKind::SecretOrDer(x_decoded),
})
}
pub fn from_jwk(jwk: &Jwk) -> Result<Self> {
match &jwk.algorithm {
AlgorithmParameters::RSA(params) => {
DecodingKey::from_rsa_components(¶ms.n, ¶ms.e)
}
AlgorithmParameters::EllipticCurve(params) => {
DecodingKey::from_ec_components(¶ms.x, ¶ms.y)
}
AlgorithmParameters::OctetKeyPair(params) => DecodingKey::from_ed_components(¶ms.x),
AlgorithmParameters::OctetKey(params) => {
let out = b64_decode(¶ms.value)?;
Ok(DecodingKey {
family: AlgorithmFamily::Hmac,
kind: DecodingKeyKind::SecretOrDer(out),
})
}
}
}
pub(crate) fn as_bytes(&self) -> &[u8] {
match &self.kind {
DecodingKeyKind::SecretOrDer(b) => b,
DecodingKeyKind::RsaModulusExponent { .. } => unreachable!(),
}
}
}
fn verify_signature<'a>(
token: &'a str,
key: &DecodingKey,
validation: &Validation,
) -> Result<(Header, &'a str)> {
if validation.validate_signature && validation.algorithms.is_empty() {
return Err(new_error(ErrorKind::MissingAlgorithm));
}
if validation.validate_signature {
for alg in &validation.algorithms {
if key.family != alg.family() {
return Err(new_error(ErrorKind::InvalidAlgorithm));
}
}
}
let (signature, message) = expect_two!(token.rsplitn(2, '.'));
let (payload, header) = expect_two!(message.rsplitn(2, '.'));
let header = Header::from_encoded(header)?;
if validation.validate_signature && !validation.algorithms.contains(&header.alg) {
return Err(new_error(ErrorKind::InvalidAlgorithm));
}
if validation.validate_signature && !verify(signature, message.as_bytes(), key, header.alg)? {
return Err(new_error(ErrorKind::InvalidSignature));
}
Ok((header, payload))
}
pub fn decode<T: DeserializeOwned>(
token: &str,
key: &DecodingKey,
validation: &Validation,
) -> Result<TokenData<T>> {
match verify_signature(token, key, validation) {
Err(e) => Err(e),
Ok((header, claims)) => {
let decoded_claims = DecodedJwtPartClaims::from_jwt_part_claims(claims)?;
let claims = decoded_claims.deserialize()?;
validate(decoded_claims.deserialize()?, validation)?;
Ok(TokenData { header, claims })
}
}
}
pub fn decode_header(token: &str) -> Result<Header> {
let (_, message) = expect_two!(token.rsplitn(2, '.'));
let (_, header) = expect_two!(message.rsplitn(2, '.'));
Header::from_encoded(header)
}