aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/security/signed.rs72
1 files changed, 0 insertions, 72 deletions
diff --git a/src/security/signed.rs b/src/security/signed.rs
deleted file mode 100644
index 080bed2..0000000
--- a/src/security/signed.rs
+++ /dev/null
@@ -1,72 +0,0 @@
-use hmac::{Hmac, Mac};
-use sha2::Sha256;
-
-const SIGNED_KEY_LEN: usize = 32;
-const BASE64_DIGEST_LEN: usize = 44;
-
-/// A convenience wrapper around HMAC.
-///
-/// This code was adapted from the [`cookie`] crate which does not make the sign and verify functions public
-/// forcing the use of [`CookieJar`](cookie::CookieJar)s, which are akward to work with without a high-level framework.
-// Thanks to Sergio Benitez for writing the original code and releasing it under MIT!
-pub struct Key(pub [u8; SIGNED_KEY_LEN]);
-
-impl Key {
- const fn zero() -> Self {
- Key([0; SIGNED_KEY_LEN])
- }
-
- /// Attempts to generate signing/encryption keys from a secure, random
- /// source. Keys are generated nondeterministically. If randomness cannot be
- /// retrieved from the underlying operating system, returns `None`.
- pub fn try_generate() -> Option<Key> {
- use rand::RngCore;
-
- let mut rng = rand::thread_rng();
- let mut both_keys = [0; SIGNED_KEY_LEN];
- rng.try_fill_bytes(&mut both_keys).ok()?;
- Some(Key::from(&both_keys))
- }
-
- /// Creates a new Key from a 32 byte cryptographically random string.
- pub fn from(key: &[u8]) -> Key {
- if key.len() < SIGNED_KEY_LEN {
- panic!("bad key length: expected >= 32 bytes, found {}", key.len());
- }
-
- let mut output = Key::zero();
- output.0.copy_from_slice(&key[..SIGNED_KEY_LEN]);
- output
- }
-
- /// Signs the value providing integrity and authenticity.
- pub fn sign(&self, value: &str) -> String {
- // Compute HMAC-SHA256 of the cookie's value.
- let mut mac = Hmac::<Sha256>::new_from_slice(&self.0).expect("good key");
- mac.update(value.as_bytes());
-
- // Cookie's new value is [MAC | original-value].
- let mut new_value = base64::encode(&mac.finalize().into_bytes());
- new_value.push_str(value);
- new_value
- }
-
- /// Extracts the value from a string signed with [`Key::sign`].
- /// Fails if the string is malformed or the signature doesn't match.
- pub fn verify(&self, value: &str) -> Result<String, String> {
- if value.len() < BASE64_DIGEST_LEN {
- return Err("length of value is <= BASE64_DIGEST_LEN".to_string());
- }
-
- // Split [MAC | original-value] into its two parts.
- let (digest_str, value) = value.split_at(BASE64_DIGEST_LEN);
- let digest = base64::decode(digest_str).map_err(|_| "bad base64 digest")?;
-
- // Perform the verification.
- let mut mac = Hmac::<Sha256>::new_from_slice(&self.0).expect("good key");
- mac.update(value.as_bytes());
- mac.verify_slice(&digest)
- .map(|_| value.to_string())
- .map_err(|_| "value did not verify".to_string())
- }
-}