Unify encoding and decoding key APIs

arckoor · arckoor · commit 71e2199bc652 · 2026-05-29T14:59:37.000+02:00
diff --git a/src/crypto/aws_lc/ecdsa.rs b/src/crypto/aws_lc/ecdsa.rs
@@ -62,7 +62,11 @@ macro_rules! define_ecdsa_verifier {
         impl Verifier<Vec<u8>> for $name {
             fn verify(&self, msg: &[u8], signature: &Vec<u8>) -> std::result::Result<(), Error> {
                 $verification_alg
-                    .verify_sig(self.0.as_bytes(), msg, signature)
+                    .verify_sig(
+                        self.0.try_get_as_bytes().map_err(Error::from_source)?,
+                        msg,
+                        signature,
+                    )
                     .map_err(Error::from_source)?;
                 Ok(())
             }
diff --git a/src/crypto/aws_lc/eddsa.rs b/src/crypto/aws_lc/eddsa.rs
@@ -48,7 +48,9 @@ impl EdDSAVerifier {
 
 impl Verifier<Vec<u8>> for EdDSAVerifier {
     fn verify(&self, msg: &[u8], signature: &Vec<u8>) -> std::result::Result<(), Error> {
-        ED25519.verify_sig(self.0.as_bytes(), msg, signature).map_err(Error::from_source)?;
+        ED25519
+            .verify_sig(self.0.try_get_as_bytes().map_err(Error::from_source)?, msg, signature)
+            .map_err(Error::from_source)?;
         Ok(())
     }
 }
diff --git a/src/crypto/aws_lc/hmac.rs b/src/crypto/aws_lc/hmac.rs
@@ -5,16 +5,20 @@ use aws_lc_rs::hmac;
 use signature::{Signer, Verifier};
 
 use crate::crypto::{JwtSigner, JwtVerifier};
-use crate::errors::Result;
-use crate::{Algorithm, DecodingKey, EncodingKey};
+use crate::errors::{ErrorKind, Result, new_error};
+use crate::{Algorithm, AlgorithmFamily, DecodingKey, EncodingKey};
 
 macro_rules! define_hmac_signer {
     ($name:ident, $alg:expr, $hmac_alg:expr) => {
         pub struct $name(hmac::Key);
 
         impl $name {
             pub(crate) fn new(encoding_key: &EncodingKey) -> Result<Self> {
-                Ok(Self(hmac::Key::new($hmac_alg, encoding_key.try_get_hmac_secret()?)))
+                if encoding_key.family() != AlgorithmFamily::Hmac {
+                    return Err(new_error(ErrorKind::InvalidKeyFormat));
+                }
+
+                Ok(Self(hmac::Key::new($hmac_alg, encoding_key.inner())))
             }
         }
 
@@ -38,7 +42,11 @@ macro_rules! define_hmac_verifier {
 
         impl $name {
             pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
-                Ok(Self(hmac::Key::new($hmac_alg, decoding_key.try_get_hmac_secret()?)))
+                if decoding_key.family() != AlgorithmFamily::Hmac {
+                    return Err(new_error(ErrorKind::InvalidKeyFormat));
+                }
+
+                Ok(Self(hmac::Key::new($hmac_alg, decoding_key.try_get_as_bytes()?)))
             }
         }
 
diff --git a/src/crypto/rust_crypto/ecdsa.rs b/src/crypto/rust_crypto/ecdsa.rs
@@ -57,7 +57,7 @@ macro_rules! define_ecdsa_verifier {
                 }
 
                 Ok(Self(
-                    <$verifying_key>::from_sec1_bytes(decoding_key.as_bytes())
+                    <$verifying_key>::from_sec1_bytes(decoding_key.try_get_as_bytes()?)
                         .map_err(|_| ErrorKind::InvalidEcdsaKey)?,
                 ))
             }
diff --git a/src/crypto/rust_crypto/eddsa.rs b/src/crypto/rust_crypto/eddsa.rs
@@ -45,7 +45,7 @@ impl EdDSAVerifier {
 
         Ok(Self(
             VerifyingKey::from_bytes(
-                <&[u8; 32]>::try_from(&decoding_key.as_bytes()[..32])
+                <&[u8; 32]>::try_from(&decoding_key.try_get_as_bytes()?[..32])
                     .map_err(|_| ErrorKind::InvalidEddsaKey)?,
             )
             .map_err(|_| ErrorKind::InvalidEddsaKey)?,
diff --git a/src/crypto/rust_crypto/hmac.rs b/src/crypto/rust_crypto/hmac.rs
@@ -6,8 +6,8 @@ use sha2::{Sha256, Sha384, Sha512};
 use signature::{Signer, Verifier};
 
 use crate::crypto::{JwtSigner, JwtVerifier};
-use crate::errors::{ErrorKind, Result};
-use crate::{Algorithm, DecodingKey, EncodingKey};
+use crate::errors::{ErrorKind, Result, new_error};
+use crate::{Algorithm, AlgorithmFamily, DecodingKey, EncodingKey};
 
 type HmacSha256 = Hmac<Sha256>;
 type HmacSha384 = Hmac<Sha384>;
@@ -20,7 +20,11 @@ macro_rules! define_hmac_signer {
 
         impl $name {
             pub(crate) fn new(encoding_key: &EncodingKey) -> Result<Self> {
-                let inner = <$hmac_type>::new_from_slice(encoding_key.try_get_hmac_secret()?)
+                if encoding_key.family() != AlgorithmFamily::Hmac {
+                    return Err(new_error(ErrorKind::InvalidKeyFormat));
+                }
+
+                let inner = <$hmac_type>::new_from_slice(encoding_key.inner())
                     .map_err(|_| ErrorKind::InvalidKeyFormat)?;
 
                 Ok(Self(inner))
@@ -52,7 +56,11 @@ macro_rules! define_hmac_verifier {
 
         impl $name {
             pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
-                let inner = <$hmac_type>::new_from_slice(decoding_key.try_get_hmac_secret()?)
+                if decoding_key.family() != AlgorithmFamily::Hmac {
+                    return Err(new_error(ErrorKind::InvalidKeyFormat));
+                }
+
+                let inner = <$hmac_type>::new_from_slice(decoding_key.try_get_as_bytes()?)
                     .map_err(|_| ErrorKind::InvalidKeyFormat)?;
 
                 Ok(Self(inner))
diff --git a/src/decoding.rs b/src/decoding.rs
@@ -228,20 +228,15 @@ impl DecodingKey {
         }
     }
 
-    /// Get the value of the key.
-    pub fn as_bytes(&self) -> &[u8] {
+    /// Try to get the key in raw byte format.
+    ///
+    /// To be used for defining your own `CryptoProvider`.
+    pub fn try_get_as_bytes(&self) -> Result<&[u8]> {
         match &self.kind {
-            DecodingKeyKind::SecretOrDer(b) => b,
-            DecodingKeyKind::RsaModulusExponent { .. } => unreachable!(),
-        }
-    }
-
-    /// Try to get the HMAC secret from a key.
-    pub fn try_get_hmac_secret(&self) -> Result<&[u8]> {
-        if self.family == AlgorithmFamily::Hmac {
-            Ok(self.as_bytes())
-        } else {
-            Err(new_error(ErrorKind::InvalidKeyFormat))
+            DecodingKeyKind::SecretOrDer(b) => Ok(b),
+            DecodingKeyKind::RsaModulusExponent { .. } => {
+                Err(new_error(ErrorKind::InvalidKeyFormat))
+            }
         }
     }
 }
diff --git a/src/encoding.rs b/src/encoding.rs
@@ -110,18 +110,11 @@ impl EncodingKey {
     }
 
     /// Get the value of the key.
+    ///
+    /// To be used for defining your own `CryptoProvider`.
     pub fn inner(&self) -> &[u8] {
         &self.content
     }
-
-    /// Try to get the HMAC secret from a key.
-    pub fn try_get_hmac_secret(&self) -> Result<&[u8]> {
-        if self.family == AlgorithmFamily::Hmac {
-            Ok(self.inner())
-        } else {
-            Err(new_error(ErrorKind::InvalidKeyFormat))
-        }
-    }
 }
 
 impl Debug for EncodingKey {
diff --git a/tests/hmac.rs b/tests/hmac.rs
@@ -231,6 +231,18 @@ fn decode_token_wrong_algorithm() {
     assert_eq!(claims.unwrap_err().into_kind(), ErrorKind::InvalidAlgorithm);
 }
 
+#[test]
+#[wasm_bindgen_test]
+fn decode_token_wrong_key_family() {
+    let token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiQGIuY29tIiwiY29tcGFueSI6IkFDTUUiLCJleHAiOjI1MzI1MjQ4OTF9.9r56oF7ZliOBlOAyiOFperTGxBtPykRQiWNFxhDCW98";
+    let claims = decode::<Claims>(
+        token,
+        &DecodingKey::from_rsa_der(b"secret"),
+        &Validation::new(Algorithm::HS256),
+    );
+    assert_eq!(claims.unwrap_err().into_kind(), ErrorKind::InvalidKeyFormat);
+}
+
 #[test]
 #[wasm_bindgen_test]
 fn encode_wrong_alg_family() {

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,9 @@ impl EdDSAVerifier {`
`48`	`48`
`49`	`49`	`impl Verifier<Vec<u8>> for EdDSAVerifier {`
`50`	`50`	`fn verify(&self, msg: &[u8], signature: &Vec<u8>) -> std::result::Result<(), Error> {`
`51`		`- ED25519.verify_sig(self.0.as_bytes(), msg, signature).map_err(Error::from_source)?;`
	`51`	`+ ED25519`
	`52`	`+ .verify_sig(self.0.try_get_as_bytes().map_err(Error::from_source)?, msg, signature)`
	`53`	`+ .map_err(Error::from_source)?;`
`52`	`54`	`Ok(())`
`53`	`55`	`}`
`54`	`56`	`}`
Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ macro_rules! define_ecdsa_verifier {`
`57`	`57`	`}`
`58`	`58`
`59`	`59`	`Ok(Self(`
`60`		`- <$verifying_key>::from_sec1_bytes(decoding_key.as_bytes())`
	`60`	`+ <$verifying_key>::from_sec1_bytes(decoding_key.try_get_as_bytes()?)`
`61`	`61`	`.map_err(\|_\| ErrorKind::InvalidEcdsaKey)?,`
`62`	`62`	`))`
`63`	`63`	`}`
Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ impl EdDSAVerifier {`
`45`	`45`
`46`	`46`	`Ok(Self(`
`47`	`47`	`VerifyingKey::from_bytes(`
`48`		`- <&[u8; 32]>::try_from(&decoding_key.as_bytes()[..32])`
	`48`	`+ <&[u8; 32]>::try_from(&decoding_key.try_get_as_bytes()?[..32])`
`49`	`49`	`.map_err(\|_\| ErrorKind::InvalidEddsaKey)?,`
`50`	`50`	`)`
`51`	`51`	`.map_err(\|_\| ErrorKind::InvalidEddsaKey)?,`
Original file line number	Diff line number	Diff line change
`@@ -228,20 +228,15 @@ impl DecodingKey {`
`228`	`228`	`}`
`229`	`229`	`}`
`230`	`230`
`231`		`- /// Get the value of the key.`
`232`		`- pub fn as_bytes(&self) -> &[u8] {`
	`231`	`+ /// Try to get the key in raw byte format.`
	`232`	`+ ///`
	`233`	+ /// To be used for defining your own `CryptoProvider`.
	`234`	`+ pub fn try_get_as_bytes(&self) -> Result<&[u8]> {`
`233`	`235`	`match &self.kind {`
`234`		`- DecodingKeyKind::SecretOrDer(b) => b,`
`235`		`- DecodingKeyKind::RsaModulusExponent { .. } => unreachable!(),`
`236`		`- }`
`237`		`- }`
`238`		`-`
`239`		`- /// Try to get the HMAC secret from a key.`
`240`		`- pub fn try_get_hmac_secret(&self) -> Result<&[u8]> {`
`241`		`- if self.family == AlgorithmFamily::Hmac {`
`242`		`- Ok(self.as_bytes())`
`243`		`- } else {`
`244`		`- Err(new_error(ErrorKind::InvalidKeyFormat))`
	`236`	`+ DecodingKeyKind::SecretOrDer(b) => Ok(b),`
	`237`	`+ DecodingKeyKind::RsaModulusExponent { .. } => {`
	`238`	`+ Err(new_error(ErrorKind::InvalidKeyFormat))`
	`239`	`+ }`
`245`	`240`	`}`
`246`	`241`	`}`
`247`	`242`	`}`
Original file line number	Diff line number	Diff line change
`@@ -110,18 +110,11 @@ impl EncodingKey {`
`110`	`110`	`}`
`111`	`111`
`112`	`112`	`/// Get the value of the key.`
	`113`	`+ ///`
	`114`	+ /// To be used for defining your own `CryptoProvider`.
`113`	`115`	`pub fn inner(&self) -> &[u8] {`
`114`	`116`	`&self.content`
`115`	`117`	`}`
`116`		`-`
`117`		`- /// Try to get the HMAC secret from a key.`
`118`		`- pub fn try_get_hmac_secret(&self) -> Result<&[u8]> {`
`119`		`- if self.family == AlgorithmFamily::Hmac {`
`120`		`- Ok(self.inner())`
`121`		`- } else {`
`122`		`- Err(new_error(ErrorKind::InvalidKeyFormat))`
`123`		`- }`
`124`		`- }`
`125`	`118`	`}`
`126`	`119`
`127`	`120`	`impl Debug for EncodingKey {`