Move base64 encoding/decoding out of RSA signing functions

src/http_signatures/create.rs

@@ -2,7 +2,10 @@ use actix_web::http::Method;
 use chrono::Utc;
 use rsa::RsaPrivateKey;
 
-use crate::utils::crypto_rsa::{get_message_digest, sign_message};
+use crate::utils::crypto_rsa::{
+    create_rsa_signature,
+    get_message_digest,
+};
 
 const HTTP_SIGNATURE_ALGORITHM: &str = "rsa-sha256";
 const HTTP_SIGNATURE_DATE_FORMAT: &str = "%a, %d %b %Y %T GMT";
@@ -69,7 +72,8 @@ pub fn create_http_signature(
         .map(|(name, _)| name.to_string())
         .collect::<Vec<String>>()
         .join(" ");
-    let signature_parameter = sign_message(signer_key, &message)?;
+    let signature = create_rsa_signature(signer_key, &message)?;
+    let signature_parameter = base64::encode(signature);
     let signature_header = format!(
         r#"keyId="{}",algorithm="{}",headers="{}",signature="{}""#,
         signer_key_id,

src/http_signatures/verify.rs

@@ -120,11 +120,12 @@ pub fn verify_http_signature(
     if expires_at < Utc::now() {
         log::warn!("signature has expired");
     };
+    let signature = base64::decode(&signature_data.signature)?;
     let is_valid_signature = verify_rsa_signature(
         signer_key,
         &signature_data.message,
-        &signature_data.signature,
-    )?;
+        &signature,
+    );
     if !is_valid_signature {
         return Err(VerificationError::InvalidSignature);
     };

src/json_signatures/create.rs

@@ -16,7 +16,7 @@ use crate::utils::canonicalization::{
     canonicalize_object,
     CanonicalizationError,
 };
-use crate::utils::crypto_rsa::sign_message;
+use crate::utils::crypto_rsa::create_rsa_signature;
 
 pub(super) const PROOF_KEY: &str = "proof";
 pub(super) const PROOF_PURPOSE: &str = "assertionMethod";
@@ -37,14 +37,14 @@ pub struct IntegrityProof {
 impl IntegrityProof {
     fn jcs_rsa(
         signer_key_id: &str,
-        signature: &str,
+        signature: &[u8],
     ) -> Self {
         Self {
             proof_type: PROOF_TYPE_JCS_RSA.to_string(),
             proof_purpose: PROOF_PURPOSE.to_string(),
             verification_method: signer_key_id.to_string(),
             created: Utc::now(),
-            proof_value: signature.to_string(),
+            proof_value: base64::encode(signature),
         }
     }
 
@@ -115,9 +115,9 @@ pub fn sign_object(
     // Canonicalize
     let message = canonicalize_object(object)?;
     // Sign
-    let signature_b64 = sign_message(signer_key, &message)?;
+    let signature = create_rsa_signature(signer_key, &message)?;
     // Insert proof
-    let proof = IntegrityProof::jcs_rsa(signer_key_id, &signature_b64);
+    let proof = IntegrityProof::jcs_rsa(signer_key_id, &signature);
     let mut object_value = serde_json::to_value(object)?;
     add_integrity_proof(&mut object_value, proof)?;
     Ok(object_value)

src/json_signatures/verify.rs

@@ -103,11 +103,12 @@ pub fn verify_rsa_json_signature(
     signature_data: &SignatureData,
     signer_key: &RsaPublicKey,
 ) -> Result<(), VerificationError> {
+    let signature = base64::decode(&signature_data.signature)?;
     let is_valid_signature = verify_rsa_signature(
         signer_key,
         &signature_data.message,
-        &signature_data.signature,
-    )?;
+        &signature,
+    );
     if !is_valid_signature {
         return Err(VerificationError::InvalidSignature);
     };

src/utils/crypto_rsa.rs

@@ -47,15 +47,14 @@ pub fn deserialize_public_key(
 }
 
 /// RSASSA-PKCS1-v1_5 signature
-pub fn sign_message(
+pub fn create_rsa_signature(
     private_key: &RsaPrivateKey,
     message: &str,
-) -> Result<String, rsa::errors::Error> {
+) -> Result<Vec<u8>, rsa::errors::Error> {
     let digest = Sha256::digest(message.as_bytes());
     let padding = PaddingScheme::new_pkcs1v15_sign(Some(Hash::SHA2_256));
     let signature = private_key.sign(padding, &digest)?;
-    let signature_b64 = base64::encode(&signature);
-    Ok(signature_b64)
+    Ok(signature)
 }
 
 pub fn get_message_digest(message: &str) -> String {
@@ -67,17 +66,16 @@ pub fn get_message_digest(message: &str) -> String {
 pub fn verify_rsa_signature(
     public_key: &RsaPublicKey,
     message: &str,
-    signature_b64: &str,
-) -> Result<bool, base64::DecodeError> {
+    signature: &[u8],
+) -> bool {
     let digest = Sha256::digest(message.as_bytes());
     let padding = PaddingScheme::new_pkcs1v15_sign(Some(Hash::SHA2_256));
-    let signature = base64::decode(signature_b64)?;
     let is_valid = public_key.verify(
         padding,
         &digest,
-        &signature,
+        signature,
     ).is_ok();
-    Ok(is_valid)
+    is_valid
 }
 
 #[cfg(test)]
@@ -104,14 +102,17 @@ YsFtrgWDQ/s8k86sNBU+Ce2GOL7seh46kyAWgJeohh4Rcrr23rftHbvxOcRM8VzYuCeb1DgVhPGtA0xU
     fn test_verify_rsa_signature() {
         let private_key = generate_weak_rsa_key().unwrap();
         let message = "test".to_string();
-        let signature = sign_message(&private_key, &message).unwrap();
+        let signature = create_rsa_signature(
+            &private_key,
+            &message,
+        ).unwrap();
         let public_key = RsaPublicKey::from(&private_key);
 
         let is_valid = verify_rsa_signature(
             &public_key,
             &message,
             &signature,
-        ).unwrap();
+        );
         assert_eq!(is_valid, true);
     }
 }