implement jwa algorithms (#650)

Implement all JWA algorithms
Close #621

Author: valkrypton

rama-crypto/src/jose/constants.rs

@@ -0,0 +1,71 @@
+pub(crate) use der_encoding_tags::*;
+pub(crate) use rsa_algorithm_identifier::RSA_ALGORITHM_IDENTIFIER;
+mod der_encoding_tags {
+    /// Identifier tag for a DER encoded integer.
+    /// Defined in [ITU X.680](https://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf).
+    pub(crate) const DER_TAG_INTEGER: u8 = 0x02;
+    /// Identifier tag for a DER encoded bit string.
+    /// Defined in [ITU X.680](https://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf).
+    pub(crate) const DER_TAG_BIT_STRING: u8 = 0x03;
+    /// Identifier tag for a DER encoded sequence.
+    /// Defined in [ITU X.680](https://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf).
+    pub(crate) const DER_TAG_SEQUENCE: u8 = 0x30;
+    /// Maximum length of a DER encoded length in short form.
+    /// Defined in [ITU X.690](https://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf).
+    pub(crate) const DER_LENGTH_SHORT_FORM_MAX: usize = 127;
+    /// Octet that indicates that no unused bits are present in a bit string.
+    /// Defined in section 8.6 of [ITU X.690](https://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf).
+    pub(crate) const BIT_STRING_NO_UNUSED_BITS: u8 = 0x00;
+}
+
+/// DER encoded byte representation of RSA encryption algorithm identifier.
+///
+/// The identifier oid: `1.2.840.113549.1.1.1` defined in appendix C of
+/// [RFC 8017](https://datatracker.ietf.org/doc/rfc8017/)
+///
+/// Section 2.2.1 of the [RFC 3279](https://www.rfc-editor.org/rfc/rfc3279.html) specifies the tag needs to be
+/// NULL. The general structure is IDENTIFIER, PARAMETER, but for rsa here we don't
+/// have PARAMETER, so we use NULL instead.
+///
+mod rsa_algorithm_identifier {
+    const SEQUENCE_TAG: u8 = 0x30;
+    const LENGTH: u8 = 0x0d;
+    const OBJECT_IDENTIFIER_TAG: u8 = 0x06;
+    const LENGTH_OID: u8 = 0x09;
+    const NULL_TAG: u8 = 0x05;
+    const LENGTH_NULL: u8 = 0x00;
+
+    /// This entire thing has 3 layers, and the final goal is to
+    /// get the der algorithm identifier for rsa encoding
+    ///
+    /// 1. The identifier oid: 1.2.840.113549.1.1.1 defined in RFC 8017
+    /// 2. RFC 3279 (Algorithms and Identifiers for the Internet X.509 PKI)
+    ///    specifies tag is needs to be NULL. The general structure is
+    ///    IDENTIFIER, PARAMETER, but for rsa here we dont have PARAMETER
+    ///    so NULL instead
+    /// 3. We need to combine everything in DER encode
+    ///   - 3.1 (IDENTIFIER, PARAMETER) is a sequence, so SEQUENCE_TAG, LENGHT of what follows
+    ///   - 3.2 OBJECT_IDENTIFIER_TAG to specify OID, LENGTH of OID,and actual oid
+    ///   - 3.3 NULL_TAG and LENGTH_NULL to encode null value
+    pub(crate) const RSA_ALGORITHM_IDENTIFIER: [u8; 15] = [
+        SEQUENCE_TAG,
+        LENGTH,
+        OBJECT_IDENTIFIER_TAG,
+        LENGTH_OID,
+        // OID: 1.2.840.113549.1.1.1
+        0x2a,
+        0x86,
+        0x48,
+        0x86,
+        0xf7,
+        0x0d,
+        0x01,
+        0x01,
+        0x01,
+        NULL_TAG,
+        LENGTH_NULL,
+    ];
+}
+
+// Integer encoding constants
+pub(crate) const INTEGER_SIGN_BIT_MASK: u8 = 0x80;

rama-crypto/src/jose/jwa.rs

@@ -1,8 +1,16 @@
 use std::ops::Deref;
 
-use aws_lc_rs::signature::{
-    ECDSA_P256_SHA256_FIXED_SIGNING, ECDSA_P384_SHA384_FIXED_SIGNING,
-    ECDSA_P521_SHA512_FIXED_SIGNING, EcdsaSigningAlgorithm, EcdsaVerificationAlgorithm,
+use aws_lc_rs::{
+    hmac,
+    hmac::{HMAC_SHA256, HMAC_SHA384, HMAC_SHA512},
+    signature::{
+        ECDSA_P256_SHA256_FIXED_SIGNING, ECDSA_P384_SHA384_FIXED_SIGNING,
+        ECDSA_P521_SHA512_FIXED_SIGNING, EcdsaSigningAlgorithm, EcdsaVerificationAlgorithm,
+        RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA512,
+        RSA_PKCS1_SHA256, RSA_PKCS1_SHA384, RSA_PKCS1_SHA512, RSA_PSS_2048_8192_SHA256,
+        RSA_PSS_2048_8192_SHA384, RSA_PSS_2048_8192_SHA512, RSA_PSS_SHA256, RSA_PSS_SHA384,
+        RSA_PSS_SHA512, RsaEncoding, VerificationAlgorithm,
+    },
 };
 use rama_core::error::OpaqueError;
 use serde::{Deserialize, Serialize};
@@ -113,3 +121,58 @@ impl TryFrom<&'static EcdsaSigningAlgorithm> for JWA {
         }
     }
 }
+
+impl TryFrom<JWA> for &'static hmac::Algorithm {
+    type Error = OpaqueError;
+
+    fn try_from(value: JWA) -> Result<Self, Self::Error> {
+        match value {
+            JWA::HS256 => Ok(&HMAC_SHA256),
+            JWA::HS384 => Ok(&HMAC_SHA384),
+            JWA::HS512 => Ok(&HMAC_SHA512),
+            _ => Err(OpaqueError::from_display(
+                "Non-Hmac algorithm cannot be converted to hmac types",
+            )),
+        }
+    }
+}
+
+impl TryFrom<JWA> for &'static dyn RsaEncoding {
+    type Error = OpaqueError;
+
+    fn try_from(value: JWA) -> Result<Self, Self::Error> {
+        match value {
+            JWA::RS256 => Ok(&RSA_PKCS1_SHA256),
+            JWA::RS384 => Ok(&RSA_PKCS1_SHA384),
+            JWA::RS512 => Ok(&RSA_PKCS1_SHA512),
+            JWA::PS256 => Ok(&RSA_PSS_SHA256),
+            JWA::PS384 => Ok(&RSA_PSS_SHA384),
+            JWA::PS512 => Ok(&RSA_PSS_SHA512),
+            _ => Err(OpaqueError::from_display(
+                "Non-RSA algorithm cannot be converted to rsa types",
+            )),
+        }
+    }
+}
+
+impl TryFrom<JWA> for &'static dyn VerificationAlgorithm {
+    type Error = OpaqueError;
+
+    fn try_from(value: JWA) -> Result<Self, Self::Error> {
+        match value {
+            JWA::RS256 => Ok(&RSA_PKCS1_2048_8192_SHA256),
+            JWA::RS384 => Ok(&RSA_PKCS1_2048_8192_SHA384),
+            JWA::RS512 => Ok(&RSA_PKCS1_2048_8192_SHA512),
+            JWA::PS256 => Ok(&RSA_PSS_2048_8192_SHA256),
+            JWA::PS384 => Ok(&RSA_PSS_2048_8192_SHA384),
+            JWA::PS512 => Ok(&RSA_PSS_2048_8192_SHA512),
+            JWA::ES256 | JWA::ES384 | JWA::ES512 => {
+                let signing_algo: &'static EcdsaSigningAlgorithm = value.try_into()?;
+                Ok(signing_algo.deref())
+            }
+            _ => Err(OpaqueError::from_display(
+                "Verification algorithm is not supported",
+            )),
+        }
+    }
+}

rama-crypto/src/jose/jwk.rs

@@ -1,17 +1,19 @@
 use aws_lc_rs::{
     digest::{Digest, SHA256, digest},
+    encoding::{AsDer, Pkcs8V1Der},
     pkcs8::Document,
     rand::SystemRandom,
+    rsa::KeySize,
     signature::{
         self, ECDSA_P256_SHA256_FIXED_SIGNING, EcdsaKeyPair, EcdsaSigningAlgorithm,
-        EcdsaVerificationAlgorithm, KeyPair, Signature,
+        EcdsaVerificationAlgorithm, KeyPair, RsaKeyPair, Signature,
     },
 };
 use base64::{Engine as _, prelude::BASE64_URL_SAFE_NO_PAD};
 use rama_core::error::{ErrorContext, OpaqueError};
 use serde::{Deserialize, Serialize, Serializer, ser::SerializeStruct};
 
-use crate::jose::{JWA, Signer};
+use crate::jose::{JWA, Signer, jwk_utils::create_subject_public_key_info};
 
 #[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq)]
 /// [`JWK`] or JSON Web Key as defined in [`rfc7517`]
@@ -157,7 +159,21 @@ impl JWK {
         &self,
     ) -> Result<signature::UnparsedPublicKey<Vec<u8>>, OpaqueError> {
         match &self.key_type {
-            JWKType::RSA { .. } => Err(OpaqueError::from_display("currently not supported")),
+            JWKType::RSA { n, e } => {
+                let n_bytes = BASE64_URL_SAFE_NO_PAD
+                    .decode(n)
+                    .context("decode RSA modulus (n)")?;
+                let e_bytes = BASE64_URL_SAFE_NO_PAD
+                    .decode(e)
+                    .context("decode RSA exponent (e)")?;
+
+                let rsa_public_key_sequence = create_subject_public_key_info(n_bytes, e_bytes);
+
+                Ok(signature::UnparsedPublicKey::new(
+                    self.alg.try_into()?,
+                    rsa_public_key_sequence,
+                ))
+            }
             JWKType::OCT { .. } => Err(OpaqueError::from_display(
                 "Symmetric key cannot be converted to public key",
             )),
@@ -181,6 +197,25 @@ impl JWK {
             }
         }
     }
+
+    /// Creates a new [`JWK`] from a given [`RSAKeyPair`]
+    #[must_use]
+    pub fn new_from_rsa_key_pair(rsa_key_pair: &RsaKeyPair, alg: JWA) -> Self {
+        let n = rsa_key_pair.public_key().modulus();
+        let e = rsa_key_pair.public_key().exponent();
+        Self {
+            alg,
+            key_type: JWKType::RSA {
+                n: BASE64_URL_SAFE_NO_PAD.encode(n.big_endian_without_leading_zero()),
+                e: BASE64_URL_SAFE_NO_PAD.encode(e.big_endian_without_leading_zero()),
+            },
+            r#use: Some(JWKUse::Signature),
+            key_ops: None,
+            x5c: None,
+            x5t: None,
+            x5t_sha256: None,
+        }
+    }
 }
 
 #[derive(Debug)]
@@ -257,7 +292,7 @@ impl EcdsaKey {
 }
 
 #[derive(Serialize)]
-struct EcdsaKeySigningHeaders<'a> {
+struct SigningHeaders<'a> {
     alg: JWA,
     jwk: &'a JWK,
 }
@@ -272,7 +307,7 @@ impl Signer for EcdsaKey {
         _unprotected_headers: &mut super::jws::Headers,
     ) -> Result<(), Self::Error> {
         let jwk = self.create_jwk();
-        protected_headers.try_set_headers(EcdsaKeySigningHeaders {
+        protected_headers.try_set_headers(SigningHeaders {
             alg: jwk.alg,
             jwk: &jwk,
         })?;
@@ -289,9 +324,91 @@ impl Signer for EcdsaKey {
     }
 }
 
+pub struct RsaKey {
+    rng: SystemRandom,
+    alg: JWA,
+    inner: RsaKeyPair,
+}
+
+impl RsaKey {
+    /// Create a new [`RsaKey`] from the given [`RsaKeyPair`]
+    pub fn new(key_pair: RsaKeyPair, alg: JWA, rng: SystemRandom) -> Result<Self, OpaqueError> {
+        Ok(Self {
+            rng,
+            alg,
+            inner: key_pair,
+        })
+    }
+
+    /// Generate a new [`RsaKey`] from a newly generated [`RsaKeyPair`]
+    pub fn generate(key_size: KeySize) -> Result<Self, OpaqueError> {
+        let key_pair = RsaKeyPair::generate(key_size).context("error generating rsa key pair")?;
+
+        Self::new(key_pair, JWA::RS256, SystemRandom::new())
+    }
+
+    /// Generate a new [`RsaKey`] from the given pkcs8 der
+    pub fn from_pkcs8_der(
+        pkcs8_der: &[u8],
+        alg: JWA,
+        rng: SystemRandom,
+    ) -> Result<Self, OpaqueError> {
+        let key_pair = RsaKeyPair::from_pkcs8(pkcs8_der).context("create RSAKeyPair from pkcs8")?;
+
+        Self::new(key_pair, alg, rng)
+    }
+
+    /// Create pkcs8 der for the current [`RsaKeyPair`]
+    pub fn pkcs8_der(&self) -> Result<(JWA, Pkcs8V1Der<'static>), OpaqueError> {
+        let doc = self
+            .inner
+            .as_der()
+            .context("error creating pkcs8 der from rsa keypair")?;
+        Ok((self.alg, doc))
+    }
+
+    /// Create a [`JWK`] for this [`RsaKey`]
+    #[must_use]
+    pub fn create_jwk(&self) -> JWK {
+        JWK::new_from_rsa_key_pair(&self.inner, self.alg)
+    }
+
+    #[must_use]
+    pub fn rng(&self) -> &SystemRandom {
+        &self.rng
+    }
+}
+
+impl Signer for RsaKey {
+    type Signature = Vec<u8>;
+    type Error = OpaqueError;
+
+    fn set_headers(
+        &self,
+        protected_headers: &mut super::jws::Headers,
+        _unprotected_headers: &mut super::jws::Headers,
+    ) -> Result<(), Self::Error> {
+        let jwk = self.create_jwk();
+        protected_headers.try_set_headers(SigningHeaders {
+            alg: jwk.alg,
+            jwk: &jwk,
+        })?;
+        Ok(())
+    }
+
+    fn sign(&self, data: &str) -> Result<Self::Signature, Self::Error> {
+        let mut sig = vec![0; self.inner.public_modulus_len()];
+        self.inner
+            .sign(self.alg.try_into()?, self.rng(), data.as_bytes(), &mut sig)
+            .context("sign protected data")?;
+        Ok(sig)
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
+    use crate::jose::JWKType::RSA;
 
     #[test]
     fn jwk_thumb_order_is_correct() {
@@ -328,4 +445,60 @@ mod tests {
 
         assert_eq!(key.create_jwk(), recreated_key.create_jwk())
     }
+
+    #[test]
+    fn test_n_and_e_are_base64_encoded() {
+        let rsa_key_pair = RsaKey::generate(KeySize::Rsa4096).unwrap();
+        let jwk = JWK::new_from_rsa_key_pair(&rsa_key_pair.inner, JWA::PS512);
+        let JWKType::RSA { n, e } = jwk.key_type else {
+            panic!("JWK type not RSA")
+        };
+        assert!(BASE64_URL_SAFE_NO_PAD.decode(n).is_ok());
+        assert!(BASE64_URL_SAFE_NO_PAD.decode(e).is_ok());
+    }
+
+    /// This example is taken from the [RFC 7517](https://datatracker.ietf.org/doc/html/rfc7517#appendix-A.1)
+    /// Appendix A.1.
+    #[test]
+    fn test_unparsed_public_key() {
+        let jwk_rsa = JWK {
+            alg: JWA::RS256,
+            key_type: RSA {
+                n: "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK\
+                7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl9\
+                3lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHz\
+                u6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksIN\
+                HaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"
+                    .to_owned(),
+                e: "AQAB".to_owned(),
+            },
+            r#use: None,
+            key_ops: None,
+            x5c: None,
+            x5t: None,
+            x5t_sha256: None,
+        };
+        // This is the known byte sequence of the unparsed public key generated from the above JWK
+        // using the python `cryptography` library.
+        let expected_unparsed_bytes = [
+            48, 130, 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15,
+            0, 48, 130, 1, 10, 2, 130, 1, 1, 0, 210, 252, 123, 106, 10, 30, 108, 103, 16, 74, 235,
+            143, 136, 178, 87, 102, 155, 77, 246, 121, 221, 173, 9, 155, 92, 74, 108, 217, 168,
+            128, 21, 181, 161, 51, 191, 11, 133, 108, 120, 113, 182, 223, 0, 11, 85, 79, 206, 179,
+            194, 237, 81, 43, 182, 143, 20, 92, 110, 132, 52, 117, 47, 171, 82, 161, 207, 193, 36,
+            64, 143, 121, 181, 138, 69, 120, 193, 100, 40, 133, 87, 137, 247, 162, 73, 227, 132,
+            203, 45, 159, 174, 45, 103, 253, 150, 251, 146, 108, 25, 142, 7, 115, 153, 253, 200,
+            21, 192, 175, 9, 125, 222, 90, 173, 239, 244, 77, 231, 14, 130, 127, 72, 120, 67, 36,
+            57, 191, 238, 185, 96, 104, 208, 71, 79, 197, 13, 109, 144, 191, 58, 152, 223, 175, 16,
+            64, 200, 156, 2, 214, 146, 171, 59, 60, 40, 150, 96, 157, 134, 253, 115, 183, 116, 206,
+            7, 64, 100, 124, 238, 234, 163, 16, 189, 18, 249, 133, 168, 235, 159, 89, 253, 212, 38,
+            206, 165, 178, 18, 15, 79, 42, 52, 188, 171, 118, 75, 126, 108, 84, 214, 132, 2, 56,
+            188, 196, 5, 135, 165, 158, 102, 237, 31, 51, 137, 69, 119, 99, 92, 71, 10, 247, 92,
+            249, 44, 32, 209, 218, 67, 225, 191, 196, 25, 226, 34, 166, 240, 208, 187, 53, 140, 94,
+            56, 249, 203, 5, 10, 234, 254, 144, 72, 20, 241, 172, 26, 164, 156, 202, 158, 160, 202,
+            131, 2, 3, 1, 0, 1,
+        ];
+        let unparsed_key = jwk_rsa.unparsed_public_key().unwrap();
+        assert_eq!(expected_unparsed_bytes, unparsed_key.as_ref());
+    }
 }