Skip to content

Commit 582a3d5

Browse files
committed
fixup: Use openssl instead of rsa
1 parent bdd21e1 commit 582a3d5

3 files changed

Lines changed: 18 additions & 146 deletions

File tree

rust/Cargo.lock

Lines changed: 1 addition & 135 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

rust/auth-impls/Cargo.toml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ edition = "2021"
55
rust-version.workspace = true
66

77
[features]
8-
jwt = [ "base64", "serde", "serde_json", "rsa" ]
8+
jwt = [ "base64", "serde", "serde_json", "openssl" ]
99
sigs = [ "bitcoin_hashes", "hex-conservative", "secp256k1" ]
1010

1111
[dependencies]
@@ -14,7 +14,7 @@ async-trait = "0.1.77"
1414
base64 = { version = "0.22.1", optional = true, default-features = false, features = ["std"] }
1515
bitcoin_hashes = { version = "0.19", optional = true, default-features = false }
1616
hex-conservative = { version = "1.0", optional = true, default-features = false }
17-
rsa = { version = "0.9.10", optional = true, default-features = false, features = ["sha2"] }
17+
openssl = { version = "0.10.75", optional = true, default-features = false }
1818
secp256k1 = { version = "0.31", optional = true, default-features = false, features = [ "global-context" ] }
1919
serde = { version = "1.0.210", optional = true, default-features = false, features = ["derive"] }
2020
serde_json = { version = "1.0.149", optional = true, default-features = false, features = ["std"] }

rust/auth-impls/src/jwt.rs

Lines changed: 15 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -7,8 +7,10 @@ use api::error::VssError;
77
use async_trait::async_trait;
88
use base64::engine::general_purpose::{STANDARD, URL_SAFE_NO_PAD};
99
use base64::Engine;
10-
use rsa::sha2::{Digest, Sha256};
11-
use rsa::{pkcs8::DecodePublicKey, RsaPublicKey};
10+
use openssl::hash::MessageDigest;
11+
use openssl::pkey::PKey;
12+
use openssl::pkey::Public;
13+
use openssl::sign::Verifier;
1214
use serde::Deserialize;
1315
use std::collections::HashMap;
1416

@@ -17,7 +19,7 @@ use std::collections::HashMap;
1719
///
1820
/// Refer: https://datatracker.ietf.org/doc/html/rfc7519
1921
pub struct JWTAuthorizer {
20-
jwt_issuer_key: RsaPublicKey,
22+
jwt_issuer_key: PKey<Public>,
2123
}
2224

2325
/// A set of Claims claimed by 'JsonWebToken'
@@ -34,7 +36,7 @@ pub(crate) struct Claims {
3436

3537
const BEARER_PREFIX: &str = "Bearer ";
3638

37-
fn parse_public_key_pem(pem: &str) -> Result<RsaPublicKey, String> {
39+
fn parse_public_key_pem(pem: &str) -> Result<PKey<Public>, String> {
3840
let body = pem
3941
.trim()
4042
.strip_prefix("-----BEGIN PUBLIC KEY-----")
@@ -43,7 +45,7 @@ fn parse_public_key_pem(pem: &str) -> Result<RsaPublicKey, String> {
4345
.ok_or(String::from("Suffix not found"))?;
4446
let body: String = body.lines().map(|line| line.trim()).collect();
4547
let body = STANDARD.decode(body).map_err(|_| String::from("Base64 decode failed"))?;
46-
RsaPublicKey::from_public_key_der(&body).map_err(|_| String::from("DER decode failed"))
48+
PKey::public_key_from_der(&body).map_err(|_| String::from("DER decode failed"))
4749
}
4850

4951
impl JWTAuthorizer {
@@ -93,10 +95,14 @@ impl Authorizer for JWTAuthorizer {
9395
let signature = URL_SAFE_NO_PAD
9496
.decode(signature_base64)
9597
.map_err(|_| VssError::AuthError(String::from("Signature base64 decode failed")))?;
96-
let digest = Sha256::digest(message.as_bytes());
97-
self.jwt_issuer_key
98-
.verify(rsa::pkcs1v15::Pkcs1v15Sign::new::<Sha256>(), &digest, &signature)
99-
.map_err(|_| VssError::AuthError(String::from("RSA verification failed")))?;
98+
let mut verifier = Verifier::new(MessageDigest::sha256(), &self.jwt_issuer_key)
99+
.map_err(|_| VssError::AuthError(String::from("RSA initialization failed")))?;
100+
if !verifier
101+
.verify_oneshot(&signature, message.as_bytes())
102+
.map_err(|_| VssError::AuthError(String::from("RSA verification failed")))?
103+
{
104+
return Err(VssError::AuthError(String::from("RSA verification failed")));
105+
}
100106

101107
let claims_json = URL_SAFE_NO_PAD
102108
.decode(claims_base64)

0 commit comments

Comments
 (0)