
Move the hashing operation inside the signing function

This hashing operation is part of the signing process itself and should
therefore not be exposed outside of the signing function.
pull/39/head
Rodolphe Breard 4 years ago
parent
commit
d7dbd58823
  1. 30
      acme_common/src/crypto/openssl_keys.rs
  2. 10
      acmed/src/jws.rs

30
acme_common/src/crypto/openssl_keys.rs

@ -67,21 +67,31 @@ impl KeyPair {
pub fn sign(&self, data: &[u8]) -> Result<Vec<u8>, Error> { pub fn sign(&self, data: &[u8]) -> Result<Vec<u8>, Error> {
match self.key_type { match self.key_type {
KeyType::Curve25519 => Err("Curve25519 signatures are not implemented yet".into()), KeyType::Curve25519 => Err("Curve25519 signatures are not implemented yet".into()),
KeyType::EcdsaP256 | KeyType::EcdsaP384 => {
let signature = EcdsaSig::sign(data, self.inner_key.ec_key()?.as_ref())?;
let r = signature.r().to_vec();
let mut s = signature.s().to_vec();
let mut signature = r;
signature.append(&mut s);
Ok(signature)
KeyType::EcdsaP256 => self.sign_ecdsa(&crate::crypto::sha256, data),
KeyType::EcdsaP384 => self.sign_ecdsa(&crate::crypto::sha384, data),
KeyType::Rsa2048 | KeyType::Rsa4096 => self.sign_rsa(&MessageDigest::sha256(), data),
}
} }
KeyType::Rsa2048 | KeyType::Rsa4096 => {
let mut signer = Signer::new(MessageDigest::sha256(), &self.inner_key)?;
fn sign_rsa(&self, hash_func: &MessageDigest, data: &[u8]) -> Result<Vec<u8>, Error> {
let mut signer = Signer::new(*hash_func, &self.inner_key)?;
signer.update(data)?; signer.update(data)?;
let signature = signer.sign_to_vec()?; let signature = signer.sign_to_vec()?;
Ok(signature) Ok(signature)
} }
}
fn sign_ecdsa(
&self,
hash_func: &dyn Fn(&[u8]) -> Vec<u8>,
data: &[u8],
) -> Result<Vec<u8>, Error> {
let fingerprint = hash_func(data);
let signature = EcdsaSig::sign(&fingerprint, self.inner_key.ec_key()?.as_ref())?;
let r = signature.r().to_vec();
let mut s = signature.s().to_vec();
let mut signature = r;
signature.append(&mut s);
Ok(signature)
} }
pub fn jwk_public_key(&self) -> Result<Value, Error> { pub fn jwk_public_key(&self) -> Result<Value, Error> {
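Review bot: `sign_ecdsa` builds its result from `signature.r().to_vec()` and `signature.s().to_vec()`, and a BigNum's `to_vec()` returns the minimal big-endian encoding, so whenever r or s has a leading zero byte the concatenation is shorter than the fixed-width R||S that JWS defines for ES256 and ES384 (RFC 7518 §3.4: 32 + 32 and 48 + 48 octets). A verifier that splits the value in half will reject such a signature, which would surface as an occasional, hard-to-reproduce signing failure. Since this commit makes the helper the single place where ECDSA signatures are produced, pad each component here: pass the component length from `sign` next to the hash function (32 for `EcdsaP256`, 48 for `EcdsaP384`) and use `let r = signature.r().to_vec_padded(len)?;` and `let mut s = signature.s().to_vec_padded(len)?;`. That assumes the openssl crate version in use provides `to_vec_padded`; if it does not, left-pad both vectors with zero bytes by hand.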

10
acmed/src/jws.rs

@ -1,6 +1,6 @@
use crate::jws::algorithms::SignatureAlgorithm; use crate::jws::algorithms::SignatureAlgorithm;
use acme_common::b64_encode; use acme_common::b64_encode;
use acme_common::crypto::{sha256, sha384, KeyPair, KeyType};
use acme_common::crypto::KeyPair;
use acme_common::error::Error; use acme_common::error::Error;
use serde::Serialize; use serde::Serialize;
use serde_json::value::Value; use serde_json::value::Value;
@ -34,13 +34,7 @@ fn get_data(key_pair: &KeyPair, protected: &str, payload: &[u8]) -> Result<Strin
let protected = b64_encode(protected); let protected = b64_encode(protected);
let payload = b64_encode(payload); let payload = b64_encode(payload);
let signing_input = format!("{}.{}", protected, payload); let signing_input = format!("{}.{}", protected, payload);
let hash_func = match key_pair.key_type {
KeyType::EcdsaP256 => sha256,
KeyType::EcdsaP384 => sha384,
KeyType::Rsa2048 | KeyType::Rsa4096 | KeyType::Curve25519 => |d: &[u8]| d.to_vec(),
};
let fingerprint = hash_func(signing_input.as_bytes());
let signature = key_pair.sign(&fingerprint)?;
let signature = key_pair.sign(signing_input.as_bytes())?;
let signature = b64_encode(&signature); let signature = b64_encode(&signature);
let data = JwsData { let data = JwsData {
protected, protected,
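Review bot: The `key_pair.sign(signing_input.as_bytes())` call no longer shows which digest is applied, so nothing in `get_data` tells the reader that the `alg` value already serialized into `protected` has to agree with the hash `KeyPair::sign` picks from the key type. I would add a comment above the call, for example `// KeyPair::sign hashes the input itself, digest chosen from the key type; the "alg" in the protected header must name the same algorithm.` If the header algorithm and the key type can be set independently elsewhere, which is not visible here, a check that rejects a mismatched pair before signing would be safer than a comment. `get_data` starts before this hunk and continues past it.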
