feat: add Jwk::from_decoding_key

Allow for constructing a Jwk from a decoding key.
This allows it to be created from a DER encoded file, for example.

This patch refactors some Jwk internals to reduce code duplication.

Author: eyakubovich

src/jwk.rs

@@ -10,7 +10,8 @@ use serde::{Deserialize, Deserializer, Serialize, Serializer, de};
 
 use crate::serialization::b64_encode;
 use crate::{
-    Algorithm, EncodingKey,
+    Algorithm, EncodingKey, DecodingKey,
+    decoding::DecodingKeyKind,
     errors::{self, Error, ErrorKind},
 };
 
@@ -19,12 +20,6 @@ use aws_lc_rs::{digest, signature as aws_sig};
 #[cfg(feature = "aws_lc_rs")]
 use aws_sig::KeyPair;
 #[cfg(feature = "rust_crypto")]
-use p256::{ecdsa::SigningKey as P256SigningKey, pkcs8::DecodePrivateKey};
-#[cfg(feature = "rust_crypto")]
-use p384::ecdsa::SigningKey as P384SigningKey;
-#[cfg(feature = "rust_crypto")]
-use rsa::{RsaPrivateKey, pkcs1::DecodeRsaPrivateKey, traits::PublicKeyParts};
-#[cfg(feature = "rust_crypto")]
 use sha2::{Digest, Sha256, Sha384, Sha512};
 
 /// The intended usage of the public `KeyType`. This enum is serialized `untagged`
@@ -234,6 +229,25 @@ impl FromStr for KeyAlgorithm {
     }
 }
 
+impl From<Algorithm> for KeyAlgorithm {
+    fn from(algorithm: Algorithm) -> Self {
+        match algorithm {
+            Algorithm::HS256 => KeyAlgorithm::HS256,
+            Algorithm::HS384 => KeyAlgorithm::HS384,
+            Algorithm::HS512 => KeyAlgorithm::HS512,
+            Algorithm::ES256 => KeyAlgorithm::ES256,
+            Algorithm::ES384 => KeyAlgorithm::ES384,
+            Algorithm::RS256 => KeyAlgorithm::RS256,
+            Algorithm::RS384 => KeyAlgorithm::RS384,
+            Algorithm::RS512 => KeyAlgorithm::RS512,
+            Algorithm::PS256 => KeyAlgorithm::PS256,
+            Algorithm::PS384 => KeyAlgorithm::PS384,
+            Algorithm::PS512 => KeyAlgorithm::PS512,
+            Algorithm::EdDSA => KeyAlgorithm::EdDSA,
+        }
+    }
+}
+
 impl fmt::Display for KeyAlgorithm {
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
         write!(f, "{:?}", self)
@@ -440,80 +454,141 @@ pub struct Jwk {
 }
 
 #[cfg(feature = "aws_lc_rs")]
-fn extract_rsa_public_key_components(key_content: &[u8]) -> errors::Result<(Vec<u8>, Vec<u8>)> {
-    let key_pair = aws_sig::RsaKeyPair::from_der(key_content)
-        .map_err(|e| ErrorKind::InvalidRsaKey(e.to_string()))?;
-    let public = key_pair.public_key();
-    let components = aws_sig::RsaPublicKeyComponents::<Vec<u8>>::from(public);
-    Ok((components.n, components.e))
+mod rsa_pubkey_components {
+    use super::*;
+
+    pub fn from_private_key(key_content: &[u8]) -> errors::Result<(Vec<u8>, Vec<u8>)> {
+        let key_pair = aws_sig::RsaKeyPair::from_der(key_content)
+            .map_err(|e| ErrorKind::InvalidRsaKey(e.to_string()))?;
+        let public = key_pair.public_key();
+        let components = aws_sig::RsaPublicKeyComponents::<Vec<u8>>::from(public);
+        Ok((components.n, components.e))
+    }
+
+    pub fn from_public_key(key_content: &[u8]) -> errors::Result<(Vec<u8>, Vec<u8>)> {
+        let public = aws_lc_rs::rsa::PublicKey::from_der(key_content)
+            .map_err(|e| ErrorKind::InvalidRsaKey(e.to_string()))?;
+
+        let components = aws_sig::RsaPublicKeyComponents::<Vec<u8>>::from(&public);
+        Ok((components.n, components.e))
+    }
 }
 
 #[cfg(feature = "rust_crypto")]
-fn extract_rsa_public_key_components(key_content: &[u8]) -> errors::Result<(Vec<u8>, Vec<u8>)> {
-    let private_key = RsaPrivateKey::from_pkcs1_der(key_content)
-        .map_err(|e| ErrorKind::InvalidRsaKey(e.to_string()))?;
-    let public_key = private_key.to_public_key();
-    Ok((public_key.n().to_bytes_be(), public_key.e().to_bytes_be()))
+mod rsa_pubkey_components {
+    use super::*;
+    use rsa::{RsaPrivateKey, RsaPublicKey, pkcs1::DecodeRsaPrivateKey, traits::PublicKeyParts};
+
+    pub fn from_private_key(key_content: &[u8]) -> errors::Result<(Vec<u8>, Vec<u8>)> {
+        let private_key = RsaPrivateKey::from_pkcs1_der(key_content)
+            .map_err(|e| ErrorKind::InvalidRsaKey(e.to_string()))?;
+        let public_key = private_key.to_public_key();
+        Ok((public_key.n().to_bytes_be(), public_key.e().to_bytes_be()))
+    }
+
+    pub fn from_public_key(key_content: &[u8]) -> errors::Result<(Vec<u8>, Vec<u8>)> {
+        use rsa::pkcs1::DecodeRsaPublicKey;
+
+        let public_key = RsaPublicKey::from_pkcs1_der(key_content)
+            .map_err(|e| ErrorKind::InvalidRsaKey(e.to_string()))?;
+        Ok((public_key.n().to_bytes_be(), public_key.e().to_bytes_be()))
+    }
 }
 
-#[cfg(feature = "aws_lc_rs")]
-fn extract_ec_public_key_coordinates(
-    key_content: &[u8],
-    alg: Algorithm,
+fn ec_components_from_public_key(
+    pub_bytes: &[u8],
 ) -> errors::Result<(EllipticCurve, Vec<u8>, Vec<u8>)> {
-    use aws_lc_rs::signature::{
-        ECDSA_P256_SHA256_FIXED_SIGNING, ECDSA_P384_SHA384_FIXED_SIGNING, EcdsaKeyPair,
-    };
-
-    let (signing_alg, curve, pub_elem_bytes) = match alg {
-        Algorithm::ES256 => (&ECDSA_P256_SHA256_FIXED_SIGNING, EllipticCurve::P256, 32),
-        Algorithm::ES384 => (&ECDSA_P384_SHA384_FIXED_SIGNING, EllipticCurve::P384, 48),
+    let (curve, pub_elem_bytes) = match pub_bytes.len() {
+        65 => (EllipticCurve::P256, 32),
+        97 => (EllipticCurve::P384, 48),
         _ => return Err(ErrorKind::InvalidEcdsaKey.into()),
     };
 
-    let key_pair = EcdsaKeyPair::from_pkcs8(signing_alg, key_content)
-        .map_err(|_| ErrorKind::InvalidEcdsaKey)?;
-
-    let pub_bytes = key_pair.public_key().as_ref();
     if pub_bytes[0] != 4 {
         return Err(ErrorKind::InvalidEcdsaKey.into());
     }
 
     let (x, y) = pub_bytes[1..].split_at(pub_elem_bytes);
     Ok((curve, x.to_vec(), y.to_vec()))
 }
+#[cfg(feature = "aws_lc_rs")]
+mod ec_pubkey_components {
+    use super::*;
+
+    pub fn from_private_key(
+        key_content: &[u8],
+        alg: Algorithm,
+    ) -> errors::Result<(EllipticCurve, Vec<u8>, Vec<u8>)> {
+        use aws_lc_rs::signature::{
+            ECDSA_P256_SHA256_FIXED_SIGNING, ECDSA_P384_SHA384_FIXED_SIGNING, EcdsaKeyPair,
+        };
+
+        let (signing_alg, curve, pub_elem_bytes) = match alg {
+            Algorithm::ES256 => (&ECDSA_P256_SHA256_FIXED_SIGNING, EllipticCurve::P256, 32),
+            Algorithm::ES384 => (&ECDSA_P384_SHA384_FIXED_SIGNING, EllipticCurve::P384, 48),
+            _ => return Err(ErrorKind::InvalidEcdsaKey.into()),
+        };
+
+        let key_pair = EcdsaKeyPair::from_pkcs8(signing_alg, key_content)
+            .map_err(|_| ErrorKind::InvalidEcdsaKey)?;
+
+        let pub_bytes = key_pair.public_key().as_ref();
+        if pub_bytes[0] != 4 {
+            return Err(ErrorKind::InvalidEcdsaKey.into());
+        }
+
+        let (x, y) = pub_bytes[1..].split_at(pub_elem_bytes);
+        Ok((curve, x.to_vec(), y.to_vec()))
+    }
+
+    pub fn from_public_key(
+        pub_bytes: &[u8],
+    ) -> errors::Result<(EllipticCurve, Vec<u8>, Vec<u8>)> {
+        ec_components_from_public_key(pub_bytes)
+    }
+}
 
 #[cfg(feature = "rust_crypto")]
-fn extract_ec_public_key_coordinates(
-    key_content: &[u8],
-    alg: Algorithm,
-) -> errors::Result<(EllipticCurve, Vec<u8>, Vec<u8>)> {
-    match alg {
-        Algorithm::ES256 => {
-            let signing_key = P256SigningKey::from_pkcs8_der(key_content)
-                .map_err(|_| ErrorKind::InvalidEcdsaKey)?;
-            let public_key = signing_key.verifying_key();
-            let encoded = public_key.to_encoded_point(false);
-            match encoded.coordinates() {
-                p256::elliptic_curve::sec1::Coordinates::Uncompressed { x, y } => {
-                    Ok((EllipticCurve::P256, x.to_vec(), y.to_vec()))
+mod ec_pubkey_components {
+    use super::*;
+    use p256::{ecdsa::SigningKey as P256SigningKey, pkcs8::DecodePrivateKey};
+    use p384::ecdsa::SigningKey as P384SigningKey;
+
+    pub fn from_private_key(
+        key_content: &[u8],
+        alg: Algorithm,
+    ) -> errors::Result<(EllipticCurve, Vec<u8>, Vec<u8>)> {
+        match alg {
+            Algorithm::ES256 => {
+                let signing_key = P256SigningKey::from_pkcs8_der(key_content)
+                    .map_err(|_| ErrorKind::InvalidEcdsaKey)?;
+                let public_key = signing_key.verifying_key();
+                let encoded = public_key.to_encoded_point(false);
+                match encoded.coordinates() {
+                    p256::elliptic_curve::sec1::Coordinates::Uncompressed { x, y } => {
+                        Ok((EllipticCurve::P256, x.to_vec(), y.to_vec()))
+                    }
+                    _ => Err(ErrorKind::InvalidEcdsaKey.into()),
                 }
-                _ => Err(ErrorKind::InvalidEcdsaKey.into()),
             }
-        }
-        Algorithm::ES384 => {
-            let signing_key = P384SigningKey::from_pkcs8_der(key_content)
-                .map_err(|_| ErrorKind::InvalidEcdsaKey)?;
-            let public_key = signing_key.verifying_key();
-            let encoded = public_key.to_encoded_point(false);
-            match encoded.coordinates() {
-                p384::elliptic_curve::sec1::Coordinates::Uncompressed { x, y } => {
-                    Ok((EllipticCurve::P384, x.to_vec(), y.to_vec()))
+            Algorithm::ES384 => {
+                let signing_key = P384SigningKey::from_pkcs8_der(key_content)
+                    .map_err(|_| ErrorKind::InvalidEcdsaKey)?;
+                let public_key = signing_key.verifying_key();
+                let encoded = public_key.to_encoded_point(false);
+                match encoded.coordinates() {
+                    p384::elliptic_curve::sec1::Coordinates::Uncompressed { x, y } => {
+                        Ok((EllipticCurve::P384, x.to_vec(), y.to_vec()))
+                    }
+                    _ => Err(ErrorKind::InvalidEcdsaKey.into()),
                 }
-                _ => Err(ErrorKind::InvalidEcdsaKey.into()),
             }
+            _ => Err(ErrorKind::InvalidEcdsaKey.into()),
         }
-        _ => Err(ErrorKind::InvalidEcdsaKey.into()),
+    }
+
+    pub fn from_public_key(pub_bytes: &[u8]) -> errors::Result<(EllipticCurve, Vec<u8>, Vec<u8>)> {
+        ec_components_from_public_key(pub_bytes)
     }
 }
 
@@ -547,20 +622,7 @@ impl Jwk {
     pub fn from_encoding_key(key: &EncodingKey, alg: Algorithm) -> crate::errors::Result<Self> {
         Ok(Self {
             common: CommonParameters {
-                key_algorithm: Some(match alg {
-                    Algorithm::HS256 => KeyAlgorithm::HS256,
-                    Algorithm::HS384 => KeyAlgorithm::HS384,
-                    Algorithm::HS512 => KeyAlgorithm::HS512,
-                    Algorithm::ES256 => KeyAlgorithm::ES256,
-                    Algorithm::ES384 => KeyAlgorithm::ES384,
-                    Algorithm::RS256 => KeyAlgorithm::RS256,
-                    Algorithm::RS384 => KeyAlgorithm::RS384,
-                    Algorithm::RS512 => KeyAlgorithm::RS512,
-                    Algorithm::PS256 => KeyAlgorithm::PS256,
-                    Algorithm::PS384 => KeyAlgorithm::PS384,
-                    Algorithm::PS512 => KeyAlgorithm::PS512,
-                    Algorithm::EdDSA => KeyAlgorithm::EdDSA,
-                }),
+                key_algorithm: Some(alg.into()),
                 ..Default::default()
             },
             algorithm: match key.family {
@@ -571,15 +633,15 @@ impl Jwk {
                     })
                 }
                 crate::algorithms::AlgorithmFamily::Rsa => {
-                    let (n, e) = extract_rsa_public_key_components(&key.content)?;
+                    let (n, e) = rsa_pubkey_components::from_private_key(&key.content)?;
                     AlgorithmParameters::RSA(RSAKeyParameters {
                         key_type: RSAKeyType::RSA,
                         n: b64_encode(n),
                         e: b64_encode(e),
                     })
                 }
                 crate::algorithms::AlgorithmFamily::Ec => {
-                    let (curve, x, y) = extract_ec_public_key_coordinates(&key.content, alg)?;
+                    let (curve, x, y) = ec_pubkey_components::from_private_key(&key.content, alg)?;
                     AlgorithmParameters::EllipticCurve(EllipticCurveKeyParameters {
                         key_type: EllipticCurveKeyType::EC,
                         curve,
@@ -592,6 +654,62 @@ impl Jwk {
                 }
             },
         })
+
+    }
+
+    pub fn from_decoding_key(key: &DecodingKey, alg: Option<Algorithm>) -> crate::errors::Result<Self> {
+        Ok(Self {
+            common: CommonParameters {
+                key_algorithm: alg.map(|a| a.into()),
+                ..Default::default()
+            },
+            algorithm: match key.family {
+                crate::algorithms::AlgorithmFamily::Hmac => {
+                    let secret = match &key.kind {
+                        DecodingKeyKind::SecretOrDer(secret) => secret,
+                        _ => return Err(ErrorKind::InvalidKeyFormat.into()),
+                    };
+
+                    AlgorithmParameters::OctetKey(OctetKeyParameters {
+                        key_type: OctetKeyType::Octet,
+                        value: b64_encode(secret),
+                    })
+                }
+                crate::algorithms::AlgorithmFamily::Rsa => {
+                    let (n, e) = match &key.kind {
+                        DecodingKeyKind::RsaModulusExponent { n, e } => (b64_encode(n), b64_encode(e)),
+                        DecodingKeyKind::SecretOrDer(der) => {
+                            let (n, e) = rsa_pubkey_components::from_public_key(der)?;
+                            (b64_encode(n), b64_encode(e))
+                        }
+                    };
+
+                    AlgorithmParameters::RSA(RSAKeyParameters {
+                        key_type: RSAKeyType::RSA,
+                        n,
+                        e,
+                    })
+                }
+                crate::algorithms::AlgorithmFamily::Ec => {
+                    let (curve, x, y) = match &key.kind {
+                        DecodingKeyKind::SecretOrDer(pub_bytes) => {
+                            ec_pubkey_components::from_public_key(pub_bytes)?
+                        }
+                        _ => return Err(ErrorKind::InvalidKeyFormat.into()),
+                    };
+
+                    AlgorithmParameters::EllipticCurve(EllipticCurveKeyParameters {
+                        key_type: EllipticCurveKeyType::EC,
+                        curve,
+                        x: b64_encode(x),
+                        y: b64_encode(y),
+                    })
+                },
+                crate::algorithms::AlgorithmFamily::Ed => {
+                    unimplemented!();
+                }
+            },
+        })
     }
 
     /// Compute the thumbprint of the JWK.
@@ -669,6 +787,7 @@ mod tests {
         AlgorithmParameters, Jwk, JwkSet, KeyAlgorithm, OctetKeyType, RSAKeyParameters,
         ThumbprintHash,
     };
+    use crate::{EncodingKey, DecodingKey};
     use crate::serialization::b64_encode;
 
     #[test]
@@ -724,4 +843,22 @@ mod tests {
             .thumbprint(ThumbprintHash::SHA256);
         assert_eq!(tp.as_str(), "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs");
     }
+
+    #[test]
+    fn check_jwk_from_decoding_key_rsa() {
+        let enc_key = EncodingKey::from_rsa_pem(include_bytes!("../tests/rsa/private_rsa_key_pkcs8.pem")).unwrap();
+        let dec_key = DecodingKey::from_rsa_pem(include_bytes!("../tests/rsa/public_rsa_key_pkcs8.pem")).unwrap();
+        let expected_jwk = Jwk::from_encoding_key(&enc_key, Algorithm::RS256).unwrap();
+        let jwk = Jwk::from_decoding_key(&dec_key, Some(Algorithm::RS256)).unwrap();
+        assert_eq!(jwk, expected_jwk);
+    }
+
+    #[test]
+    fn check_jwk_from_decoding_key_ec() {
+        let enc_key = EncodingKey::from_ec_pem(include_bytes!("../tests/ecdsa/private_ecdsa_key.pem")).unwrap();
+        let dec_key = DecodingKey::from_ec_pem(include_bytes!("../tests/ecdsa/public_ecdsa_key.pem")).unwrap();
+        let expected_jwk = Jwk::from_encoding_key(&enc_key, Algorithm::ES256).unwrap();
+        let jwk = Jwk::from_decoding_key(&dec_key, Some(Algorithm::ES256)).unwrap();
+        assert_eq!(jwk, expected_jwk);
+    }
 }