From d7dbd588237358c61db181c4e48d9cc5b8a36886 Mon Sep 17 00:00:00 2001
From: Rodolphe Breard
Date: Sat, 22 Aug 2020 11:27:44 +0200
Subject: [PATCH] Move the hashing operation inside the signing function

This hashing operation is part of the signing process itself and should therefore not be exposed outside of the signing function.
---
 acme_common/src/crypto/openssl_keys.rs | 38 ++++++++++++++++----------
 acmed/src/jws.rs | 10 ++-----
 2 files changed, 26 insertions(+), 22 deletions(-)

diff --git a/acme_common/src/crypto/openssl_keys.rs b/acme_common/src/crypto/openssl_keys.rs
index d70eba4..2194c67 100644
--- a/acme_common/src/crypto/openssl_keys.rs
+++ b/acme_common/src/crypto/openssl_keys.rs
@@ -67,23 +67,33 @@ impl KeyPair {
 pub fn sign(&self, data: &[u8]) -> Result, Error> {
 match self.key_type {
 KeyType::Curve25519 => Err("Curve25519 signatures are not implemented yet".into()),
- KeyType::EcdsaP256 | KeyType::EcdsaP384 => {
- let signature = EcdsaSig::sign(data, self.inner_key.ec_key()?.as_ref())?;
- let r = signature.r().to_vec();
- let mut s = signature.s().to_vec();
- let mut signature = r;
- signature.append(&mut s);
- Ok(signature)
- }
- KeyType::Rsa2048 | KeyType::Rsa4096 => {
- let mut signer = Signer::new(MessageDigest::sha256(), &self.inner_key)?;
- signer.update(data)?;
- let signature = signer.sign_to_vec()?;
- Ok(signature)
- }
+ KeyType::EcdsaP256 => self.sign_ecdsa(&crate::crypto::sha256, data),
+ KeyType::EcdsaP384 => self.sign_ecdsa(&crate::crypto::sha384, data),
+ KeyType::Rsa2048 | KeyType::Rsa4096 => self.sign_rsa(&MessageDigest::sha256(), data),
 }
 }

+ fn sign_rsa(&self, hash_func: &MessageDigest, data: &[u8]) -> Result, Error> {
+ let mut signer = Signer::new(*hash_func, &self.inner_key)?;
+ signer.update(data)?;
+ let signature = signer.sign_to_vec()?;
+ Ok(signature)
+ }
+
+ fn sign_ecdsa(
+ &self,
+ hash_func: &dyn Fn(&[u8]) -> Vec,
+ data: &[u8],
+ ) -> Result, Error> {
+ let fingerprint = hash_func(data);
+ let signature = EcdsaSig::sign(&fingerprint, self.inner_key.ec_key()?.as_ref())?;
+ let r = signature.r().to_vec();
+ let mut s = signature.s().to_vec();
+ let mut signature = r;
+ signature.append(&mut s);
+ Ok(signature)
+ }
+
 pub fn jwk_public_key(&self) -> Result {
 self.get_jwk_public_key(false)
 }
diff --git a/acmed/src/jws.rs b/acmed/src/jws.rs
index 1129486..8b4ef5b 100644
--- a/acmed/src/jws.rs
+++ b/acmed/src/jws.rs
@@ -1,6 +1,6 @@
 use crate::jws::algorithms::SignatureAlgorithm;
 use acme_common::b64_encode;
-use acme_common::crypto::{sha256, sha384, KeyPair, KeyType};
+use acme_common::crypto::KeyPair;
 use acme_common::error::Error;
 use serde::Serialize;
 use serde_json::value::Value;
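Review bot: In `sign_ecdsa` (openssl_keys.rs hunk), `signature.r().to_vec()` and `signature.s().to_vec()` return minimal-length big-endian bytes, so whenever r or s starts with a zero byte the concatenation is shorter than the fixed 64 bytes (P-256) or 96 bytes (P-384) that JWS ES256/ES384 requires (RFC 7518 §3.4), and a verifier will reject that signature intermittently. These lines are carried over unchanged from the old `sign` arm, but since `sign` now dispatches per curve it can pass the coordinate length into the helper, which pads each half, e.g. `let r = signature.r().to_vec_padded(len)?;` with `len` 32 or 48 (confirm the project's openssl crate version exposes `to_vec_padded`). Because `sign` now hashes internally for ECDSA, a doc comment on it such as `/// Signs the raw message; the digest is computed internally, so callers must not pre-hash.` would keep a caller not visible in this patch from double-hashing. `impl KeyPair` begins outside the hunk.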
@@ -34,13 +34,7 @@ fn get_data(key_pair: &KeyPair, protected: &str, payload: &[u8]) -> Result sha256, - KeyType::EcdsaP384 => sha384, - KeyType::Rsa2048 | KeyType::Rsa4096 | KeyType::Curve25519 => |d: &[u8]| d.to_vec(), - }; - let fingerprint = hash_func(signing_input.as_bytes()); - let signature = key_pair.sign(&fingerprint)?; + let signature = key_pair.sign(signing_input.as_bytes())?; let signature = b64_encode(&signature); let data = JwsData { protected,