Move the hashing operation inside the signing function

This hashing operation is part of the signing process itself and should therefore not be exposed outside of the signing function.
4 years ago · d7dbd58823
2 changed files with 26 additions and 22 deletions
--- a/acme_common/src/crypto/openssl_keys.rs
+++ b/acme_common/src/crypto/openssl_keys.rs
@ -67,23 +67,33 @@ impl KeyPair {
    pub fn sign(&self, data: &[u8]) -> Result<Vec<u8>, Error> {
        match self.key_type {
            KeyType::Curve25519 => Err("Curve25519 signatures are not implemented yet".into()),
-            KeyType::EcdsaP256 | KeyType::EcdsaP384 => {
-                let signature = EcdsaSig::sign(data, self.inner_key.ec_key()?.as_ref())?;
-                let r = signature.r().to_vec();
-                let mut s = signature.s().to_vec();
-                let mut signature = r;
-                signature.append(&mut s);
-                Ok(signature)
-            }
-            KeyType::Rsa2048 | KeyType::Rsa4096 => {
-                let mut signer = Signer::new(MessageDigest::sha256(), &self.inner_key)?;
-                signer.update(data)?;
-                let signature = signer.sign_to_vec()?;
-                Ok(signature)
-            }
+            KeyType::EcdsaP256 => self.sign_ecdsa(&crate::crypto::sha256, data),
+            KeyType::EcdsaP384 => self.sign_ecdsa(&crate::crypto::sha384, data),
+            KeyType::Rsa2048 | KeyType::Rsa4096 => self.sign_rsa(&MessageDigest::sha256(), data),
        }
    }

+    fn sign_rsa(&self, hash_func: &MessageDigest, data: &[u8]) -> Result<Vec<u8>, Error> {
+        let mut signer = Signer::new(*hash_func, &self.inner_key)?;
+        signer.update(data)?;
+        let signature = signer.sign_to_vec()?;
+        Ok(signature)
+    }
+
+    fn sign_ecdsa(
+        &self,
+        hash_func: &dyn Fn(&[u8]) -> Vec<u8>,
+        data: &[u8],
+    ) -> Result<Vec<u8>, Error> {
+        let fingerprint = hash_func(data);
+        let signature = EcdsaSig::sign(&fingerprint, self.inner_key.ec_key()?.as_ref())?;
+        let r = signature.r().to_vec();
+        let mut s = signature.s().to_vec();
+        let mut signature = r;
+        signature.append(&mut s);
+        Ok(signature)
+    }
+
    pub fn jwk_public_key(&self) -> Result<Value, Error> {
        self.get_jwk_public_key(false)
    }
--- a/acmed/src/jws.rs
+++ b/acmed/src/jws.rs
@ -1,6 +1,6 @@
 use crate::jws::algorithms::SignatureAlgorithm;
 use acme_common::b64_encode;
-use acme_common::crypto::{sha256, sha384, KeyPair, KeyType};
+use acme_common::crypto::KeyPair;
 use acme_common::error::Error;
 use serde::Serialize;
 use serde_json::value::Value;
@ -34,13 +34,7 @@ fn get_data(key_pair: &KeyPair, protected: &str, payload: &[u8]) -> Result<Strin
    let protected = b64_encode(protected);
    let payload = b64_encode(payload);
    let signing_input = format!("{}.{}", protected, payload);
-    let hash_func = match key_pair.key_type {
-        KeyType::EcdsaP256 => sha256,
-        KeyType::EcdsaP384 => sha384,
-        KeyType::Rsa2048 | KeyType::Rsa4096 | KeyType::Curve25519 => |d: &[u8]| d.to_vec(),
-    };
-    let fingerprint = hash_func(signing_input.as_bytes());
-    let signature = key_pair.sign(&fingerprint)?;
+    let signature = key_pair.sign(signing_input.as_bytes())?;
    let signature = b64_encode(&signature);
    let data = JwsData {
        protected,