Refactors

njaremko · njaremko · commit a6ac4ca716a9 · 2024-06-23T17:37:51.000-04:00
diff --git a/src/crypto.rs b/src/crypto.rs
@@ -5,6 +5,7 @@ use std::ffi::CString;
 use std::str::FromStr;
 use thiserror::Error;
 
+use crate::signature::SignatureAlgorithm;
 #[cfg(feature = "xmlsec")]
 use crate::xmlsec::{self, XmlSecKey, XmlSecKeyFormat, XmlSecSignatureContext};
 #[cfg(feature = "xmlsec")]
@@ -486,24 +487,6 @@ pub fn gen_saml_assertion_id() -> String {
     format!("_{}", uuid::Uuid::new_v4())
 }
 
-#[derive(Debug, PartialEq)]
-enum SigAlg {
-    Unimplemented,
-    RsaSha256,
-    EcdsaSha256,
-}
-
-impl FromStr for SigAlg {
-    type Err = Box<dyn std::error::Error>;
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        match s {
-            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" => Ok(SigAlg::RsaSha256),
-            "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256" => Ok(SigAlg::EcdsaSha256),
-            _ => Ok(SigAlg::Unimplemented),
-        }
-    }
-}
-
 #[derive(Debug, Error, Clone)]
 pub enum UrlVerifierError {
     #[error("Unimplemented SigAlg: {:?}", sigalg)]
@@ -621,11 +604,9 @@ impl UrlVerifier {
             .collect::<HashMap<String, String>>();
 
         // Match against implemented SigAlg
-        let sig_alg: SigAlg = SigAlg::from_str(&query_params["SigAlg"])?;
-        if sig_alg == SigAlg::Unimplemented {
-            return Err(Box::new(UrlVerifierError::SigAlgUnimplemented {
-                sigalg: query_params["SigAlg"].clone(),
-            }));
+        let sig_alg = SignatureAlgorithm::from_str(&query_params["SigAlg"])?;
+        if let SignatureAlgorithm::Unsupported(sigalg) = sig_alg {
+            return Err(Box::new(UrlVerifierError::SigAlgUnimplemented { sigalg }));
         }
 
         // Construct a Url so that percent encoded query can be easily
@@ -668,13 +649,13 @@ impl UrlVerifier {
     fn verify_signature(
         &self,
         data: &[u8],
-        sig_alg: SigAlg,
+        sig_alg: SignatureAlgorithm,
         signature: &[u8],
     ) -> Result<bool, Box<dyn std::error::Error>> {
         let mut verifier = openssl::sign::Verifier::new(
             match sig_alg {
-                SigAlg::RsaSha256 => openssl::hash::MessageDigest::sha256(),
-                SigAlg::EcdsaSha256 => openssl::hash::MessageDigest::sha256(),
+                SignatureAlgorithm::RsaSha256 => openssl::hash::MessageDigest::sha256(),
+                SignatureAlgorithm::EcdsaSha256 => openssl::hash::MessageDigest::sha256(),
                 _ => panic!("sig_alg is bad!"),
             },
             &self.public_key,
diff --git a/src/idp/mod.rs b/src/idp/mod.rs
@@ -9,9 +9,10 @@ pub mod verified_request;
 mod tests;
 
 use openssl::bn::{BigNum, MsbOption};
+use openssl::ec::{EcGroup, EcKey};
 use openssl::nid::Nid;
 use openssl::pkey::Private;
-use openssl::{asn1::Asn1Time, pkey, rsa::Rsa, x509};
+use openssl::{asn1::Asn1Time, pkey, x509};
 use std::str::FromStr;
 
 use crate::crypto::{self};
@@ -24,22 +25,31 @@ pub struct IdentityProvider {
     private_key: pkey::PKey<Private>,
 }
 
-pub enum KeyType {
+pub enum Rsa {
     Rsa2048,
     Rsa3072,
     Rsa4096,
 }
 
-impl KeyType {
+impl Rsa {
     fn bit_length(&self) -> u32 {
         match &self {
-            KeyType::Rsa2048 => 2048,
-            KeyType::Rsa3072 => 3072,
-            KeyType::Rsa4096 => 4096,
+            Rsa::Rsa2048 => 2048,
+            Rsa::Rsa3072 => 3072,
+            Rsa::Rsa4096 => 4096,
         }
     }
 }
 
+pub enum Eliptic {
+    NISTP256,
+}
+
+pub enum KeyType {
+    Rsa(Rsa),
+    Eliptic(Eliptic),
+}
+
 pub struct CertificateParams<'a> {
     pub common_name: &'a str,
     pub issuer_name: &'a str,
@@ -48,22 +58,40 @@ pub struct CertificateParams<'a> {
 
 impl IdentityProvider {
     pub fn generate_new(key_type: KeyType) -> Result<Self, Error> {
-        let rsa = Rsa::generate(key_type.bit_length())?;
-        let private_key = pkey::PKey::from_rsa(rsa)?;
+        let private_key = match key_type {
+            KeyType::Rsa(rsa) => {
+                let bit_length = rsa.bit_length();
+                let rsa = openssl::rsa::Rsa::generate(bit_length)?;
+                pkey::PKey::from_rsa(rsa)?
+            }
+            KeyType::Eliptic(ecc) => {
+                let nid = match ecc {
+                    Eliptic::NISTP256 => Nid::X9_62_PRIME256V1,
+                };
+                let group = EcGroup::from_curve_name(nid)?;
+                let private_key: EcKey<Private> = EcKey::generate(&group)?;
+                pkey::PKey::from_ec_key(private_key)?
+            }
+        };
 
         Ok(IdentityProvider { private_key })
     }
 
-    pub fn from_private_key_der(der_bytes: &[u8]) -> Result<Self, Error> {
-        let rsa = Rsa::private_key_from_der(der_bytes)?;
+    pub fn from_rsa_private_key_der(der_bytes: &[u8]) -> Result<Self, Error> {
+        let rsa = openssl::rsa::Rsa::private_key_from_der(der_bytes)?;
         let private_key = pkey::PKey::from_rsa(rsa)?;
 
         Ok(IdentityProvider { private_key })
     }
 
     pub fn export_private_key_der(&self) -> Result<Vec<u8>, Error> {
-        let rsa: Rsa<Private> = self.private_key.rsa()?;
-        Ok(rsa.private_key_to_der()?)
+        if let Ok(ec_key) = self.private_key.ec_key() {
+            Ok(ec_key.private_key_to_der()?)
+        } else if let Ok(rsa) = self.private_key.rsa() {
+            Ok(rsa.private_key_to_der()?)
+        } else {
+            Err(Error::UnexpectedError)?
+        }
     }
 
     pub fn create_certificate(&self, params: &CertificateParams) -> Result<Vec<u8>, Error> {
diff --git a/src/idp/tests.rs b/src/idp/tests.rs
@@ -37,7 +37,7 @@ fn test_extract_sp() {
 #[test]
 fn test_signed_response() {
     // init our IdP
-    let idp = IdentityProvider::from_private_key_der(include_bytes!(
+    let idp = IdentityProvider::from_rsa_private_key_der(include_bytes!(
         "../../test_vectors/idp_private_key.der"
     ))
     .expect("failed to create idp");
@@ -135,7 +135,7 @@ fn test_signed_response_threads() {
 
 #[test]
 fn test_signed_response_fingerprint() {
-    let idp = IdentityProvider::from_private_key_der(include_bytes!(
+    let idp = IdentityProvider::from_rsa_private_key_der(include_bytes!(
         "../../test_vectors/idp_private_key.der"
     ))
     .expect("failed to create idp");
diff --git a/src/signature.rs b/src/signature.rs
@@ -4,6 +4,7 @@ use quick_xml::events::{BytesEnd, BytesStart, BytesText, Event};
 use quick_xml::Writer;
 use serde::Deserialize;
 use std::io::Cursor;
+use std::str::FromStr;
 
 const NAME: &str = "ds:Signature";
 const SCHEMA: (&str, &str) = ("xmlns:ds", "http://www.w3.org/2000/09/xmldsig#");
@@ -33,32 +34,30 @@ impl Signature {
                     algorithm: SignatureAlgorithm::RsaSha256,
                     hmac_output_length: None,
                 },
-                reference: vec![
-                    Reference {
-                        transforms: Some(Transforms {
-                            transforms: vec![
-                                Transform {
-                                    algorithm: "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
-                                        .to_string(),
-                                    xpath: None,
-                                },
-                                Transform {
-                                    algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#".to_string(),
-                                    xpath: None,
-                                },
-                            ],
-                        }),
-                        digest_method: DigestMethod {
-                            algorithm: DigestAlgorithm::Sha1,
-                        },
-                        digest_value: Some(DigestValue {
-                            base64_content: Some("".to_string()),
-                        }),
-                        uri: Some(format!("#{}", ref_id)),
-                        reference_type: None,
-                        id: None,
-                    }
-                ],
+                reference: vec![Reference {
+                    transforms: Some(Transforms {
+                        transforms: vec![
+                            Transform {
+                                algorithm: "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
+                                    .to_string(),
+                                xpath: None,
+                            },
+                            Transform {
+                                algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#".to_string(),
+                                xpath: None,
+                            },
+                        ],
+                    }),
+                    digest_method: DigestMethod {
+                        algorithm: DigestAlgorithm::Sha1,
+                    },
+                    digest_value: Some(DigestValue {
+                        base64_content: Some("".to_string()),
+                    }),
+                    uri: Some(format!("#{}", ref_id)),
+                    reference_type: None,
+                    id: None,
+                }],
             },
             signature_value: SignatureValue {
                 id: None,
@@ -294,22 +293,43 @@ impl TryFrom<&SignatureMethod> for Event<'_> {
 
 #[derive(Clone, Debug, Deserialize, Hash, Eq, PartialEq, Ord, PartialOrd)]
 pub enum SignatureAlgorithm {
-    #[serde(rename="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")]
+    #[serde(rename = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")]
     RsaSha256,
-    #[serde(rename="http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1")]
+    #[serde(rename = "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1")]
     Sha256RsaMGF1,
+    #[serde(rename = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256")]
+    EcdsaSha256,
     #[serde(untagged)]
     Unsupported(String),
 }
 
+impl FromStr for SignatureAlgorithm {
+    type Err = Box<dyn std::error::Error>;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        Ok(match s {
+            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" => SignatureAlgorithm::RsaSha256,
+            "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1" => {
+                SignatureAlgorithm::Sha256RsaMGF1
+            }
+            "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256" => {
+                SignatureAlgorithm::EcdsaSha256
+            }
+            i => SignatureAlgorithm::Unsupported(i.to_string()),
+        })
+    }
+}
+
 impl SignatureAlgorithm {
     const RSA_SHA256: &'static str = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
     const SHA256_RSA_MGF1: &'static str = "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1";
+    const SHA256_ECDSA: &'static str = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";
 
     pub fn value(&self) -> &str {
         match self {
             SignatureAlgorithm::RsaSha256 => Self::RSA_SHA256,
             SignatureAlgorithm::Sha256RsaMGF1 => Self::SHA256_RSA_MGF1,
+            SignatureAlgorithm::EcdsaSha256 => Self::SHA256_ECDSA,
             SignatureAlgorithm::Unsupported(algo) => algo,
         }
     }
@@ -430,9 +450,9 @@ impl TryFrom<&DigestMethod> for Event<'_> {
 
 #[derive(Clone, Debug, Deserialize, Hash, Eq, PartialEq, Ord, PartialOrd)]
 pub enum DigestAlgorithm {
-    #[serde(rename="http://www.w3.org/2000/09/xmldsig#sha1")]
+    #[serde(rename = "http://www.w3.org/2000/09/xmldsig#sha1")]
     Sha1,
-    #[serde(rename="http://www.w3.org/2001/04/xmlenc#sha256")]
+    #[serde(rename = "http://www.w3.org/2001/04/xmlenc#sha256")]
     Sha256,
     #[serde(untagged)]
     Unsupported(String),
@@ -588,8 +608,10 @@ mod test {
 
     #[test]
     pub fn test_canonicalizationmethod_deserialization() -> Result<(), Box<dyn std::error::Error>> {
-        let canonicalization_method = r#"<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>"#;
-        let deserialized: CanonicalizationMethod = quick_xml::de::from_str(canonicalization_method)?;
+        let canonicalization_method =
+            r#"<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>"#;
+        let deserialized: CanonicalizationMethod =
+            quick_xml::de::from_str(canonicalization_method)?;
         let serialized = deserialized.to_xml()?;
         let re_deserialized: CanonicalizationMethod = quick_xml::de::from_str(&serialized)?;
         assert_eq!(deserialized, re_deserialized);
@@ -627,7 +649,8 @@ mod test {
 
     #[test]
     pub fn test_digestmethod_deserialization() -> Result<(), Box<dyn std::error::Error>> {
-        let digest_method = r#"<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />"#;
+        let digest_method =
+            r#"<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />"#;
         let deserialized: DigestMethod = quick_xml::de::from_str(digest_method)?;
         let serialized = deserialized.to_xml()?;
         let re_deserialized: DigestMethod = quick_xml::de::from_str(&serialized)?;
