20231121 stage 2 rework trait (#7)

README.md

@@ -13,12 +13,15 @@ a limited set of use cases.
 When should I use this library?
 -------------------------------
 
-If you wish to create ECDSA signed JWT tokens, or verify ECDSA signed JWT tokens, this library is for you.
+If you are:
 
-If you are implementing OIDC as a relying party or authorisation server, this library is for you.
+* creating ECDSA signed JWT tokens, or verify ECDSA signed JWT tokens
+* implementing OIDC as a relying party or authorisation server
+* wanting to use HMAC signatures
+* needing a minimal secure JWS implementation, this library is for you
+* using TPM bound keys for signing JWTs
 
-If you want to use HMAC signatures, have a full JWS implementation, or have the non-compact (JSON)
-serialisation support, this library is not what you want.
+If you need non-compact JWS, or other complex use cases, this library is not for you.
 
 Why another JWT library?
 ------------------------
@@ -30,7 +33,7 @@ or design that conflicts with the project goals in Kanidm. Examples are:
 * Ring as the sole cryptographic provider - we need to use OpenSSL
 * Only supporting RSA/Weak cryptographic algos - We want to use ECDSA
 * Full JWS implementation - As mentioned, JWS has a number of sharp edges like alg=none
+* No library supports pkcs11 or TPMS - We aim to allow hardware security modules to store private keys
 
 As a result, nothing "fit" what we wanted, so we are making another library.
 
-

src/compact.rs

@@ -8,7 +8,7 @@ use url::Url;
 
 use crate::error::JwtError;
 use crate::jws::Jws;
-use crate::traits::JwsVerifier;
+use crate::traits::JwsVerifiable;
 use base64urlsafedata::Base64UrlSafeData;
 
 // https://datatracker.ietf.org/doc/html/rfc7515
@@ -165,26 +165,6 @@ impl JwsCompact {
     pub fn get_jwk_pubkey(&self) -> Option<&Jwk> {
         self.header.jwk.as_ref()
     }
-
-    /// Using this JwsVerifier, assert the correct signature of the data contained in
-    /// this token.
-    pub fn verify<K: JwsVerifier>(&self, verifier: &mut K) -> Result<Jws, JwtError> {
-        if verifier.verify_signature(self)? {
-            general_purpose::URL_SAFE_NO_PAD
-                .decode(&self.payload_b64)
-                .map_err(|_| {
-                    debug!("invalid base64 while decoding payload");
-                    JwtError::InvalidBase64
-                })
-                .map(|payload| Jws {
-                    header: self.header.clone(),
-                    payload,
-                })
-        } else {
-            debug!("invalid signature");
-            Err(JwtError::InvalidSignature)
-        }
-    }
 }
 
 impl FromStr for JwsCompact {
@@ -264,3 +244,48 @@ impl fmt::Display for JwsCompact {
         write!(f, "{}.{}.{}", self.hdr_b64, self.payload_b64, sig)
     }
 }
+
+impl JwsVerifiable for JwsCompact {
+    type Verified = Jws;
+
+    fn data(&self) -> JwsCompactVerifyData {
+        JwsCompactVerifyData {
+            header: &self.header,
+            hdr_bytes: self.hdr_b64.as_bytes(),
+            payload_bytes: self.payload_b64.as_bytes(),
+            signature_bytes: self.signature.as_slice(),
+        }
+    }
+
+    fn post_process(&self, value: Jws) -> Result<Self::Verified, JwtError> {
+        Ok(value)
+    }
+}
+
+/// Data that will be verified
+pub struct JwsCompactVerifyData<'a> {
+    #[allow(dead_code)]
+    pub(crate) header: &'a ProtectedHeader,
+    #[allow(dead_code)]
+    pub(crate) hdr_bytes: &'a [u8],
+    #[allow(dead_code)]
+    pub(crate) payload_bytes: &'a [u8],
+    #[allow(dead_code)]
+    pub(crate) signature_bytes: &'a [u8],
+}
+
+#[cfg(any(feature = "unsafe_release_without_verify", feature = "openssl"))]
+impl<'a> JwsCompactVerifyData<'a> {
+    pub(crate) fn release(&self) -> Result<Jws, JwtError> {
+        general_purpose::URL_SAFE_NO_PAD
+            .decode(self.payload_bytes)
+            .map_err(|_| {
+                debug!("invalid base64 while decoding payload");
+                JwtError::InvalidBase64
+            })
+            .map(|payload| Jws {
+                header: self.header.clone(),
+                payload,
+            })
+    }
+}