mirror of
https://github.com/actix/actix-web.git
synced 2025-04-24 10:44:08 +00:00
Follow up ring changes
This commit is contained in:
Yuki Okushi
parent
6101c5928e
commit
cf71cafce9
3 changed files with 33 additions and 28 deletions
|
|
@ -1,13 +1,11 @@
|
||||||
use ring::digest::{Algorithm, SHA256};
|
use ring::hkdf::{HKDF_SHA256, Algorithm, Prk, KeyType};
|
||||||
use ring::hkdf::expand;
|
|
||||||
use ring::hmac::SigningKey;
|
|
||||||
use ring::rand::{SecureRandom, SystemRandom};
|
use ring::rand::{SecureRandom, SystemRandom};
|
||||||
|
|
||||||
use super::private::KEY_LEN as PRIVATE_KEY_LEN;
|
use super::private::KEY_LEN as PRIVATE_KEY_LEN;
|
||||||
use super::signed::KEY_LEN as SIGNED_KEY_LEN;
|
use super::signed::KEY_LEN as SIGNED_KEY_LEN;
|
||||||
|
|
||||||
static HKDF_DIGEST: &Algorithm = &SHA256;
|
static HKDF_DIGEST: Algorithm = HKDF_SHA256;
|
||||||
const KEYS_INFO: &str = "COOKIE;SIGNED:HMAC-SHA256;PRIVATE:AEAD-AES-256-GCM";
|
const KEYS_INFO: &[&[u8]] = &[b"COOKIE;SIGNED:HMAC-SHA256;PRIVATE:AEAD-AES-256-GCM"];
|
||||||
|
|
||||||
/// A cryptographic master key for use with `Signed` and/or `Private` jars.
|
/// A cryptographic master key for use with `Signed` and/or `Private` jars.
|
||||||
///
|
///
|
||||||
|
|
@ -25,6 +23,13 @@ pub struct Key {
|
||||||
encryption_key: [u8; PRIVATE_KEY_LEN],
|
encryption_key: [u8; PRIVATE_KEY_LEN],
|
||||||
}
|
}
|
||||||
|
|
||||||
|
impl KeyType for &Key {
|
||||||
|
#[inline(always)]
|
||||||
|
fn len(&self) -> usize {
|
||||||
|
SIGNED_KEY_LEN + PRIVATE_KEY_LEN
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
impl Key {
|
impl Key {
|
||||||
/// Derives new signing/encryption keys from a master key.
|
/// Derives new signing/encryption keys from a master key.
|
||||||
///
|
///
|
||||||
|
|
@ -48,29 +53,27 @@ impl Key {
|
||||||
///
|
///
|
||||||
/// let key = Key::from_master(master_key);
|
/// let key = Key::from_master(master_key);
|
||||||
/// ```
|
/// ```
|
||||||
pub fn from_master(key: &[u8]) -> Key {
|
pub fn from_master(master_key: &[u8]) -> Key {
|
||||||
if key.len() < 32 {
|
if master_key.len() < 32 {
|
||||||
panic!(
|
panic!("bad master key length: expected >= 32 bytes, found {}", master_key.len());
|
||||||
"bad master key length: expected at least 32 bytes, found {}",
|
|
||||||
key.len()
|
|
||||||
);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Expand the user's key into two.
|
// An empty `Key` structure; will be filled in with HKDF derived keys.
|
||||||
let prk = SigningKey::new(HKDF_DIGEST, key);
|
let mut output_key = Key {
|
||||||
|
signing_key: [0; SIGNED_KEY_LEN],
|
||||||
|
encryption_key: [0; PRIVATE_KEY_LEN]
|
||||||
|
};
|
||||||
|
|
||||||
|
// Expand the master key into two HKDF generated keys.
|
||||||
let mut both_keys = [0; SIGNED_KEY_LEN + PRIVATE_KEY_LEN];
|
let mut both_keys = [0; SIGNED_KEY_LEN + PRIVATE_KEY_LEN];
|
||||||
expand(&prk, KEYS_INFO.as_bytes(), &mut both_keys);
|
let prk = Prk::new_less_safe(HKDF_DIGEST, master_key);
|
||||||
|
let okm = prk.expand(KEYS_INFO, &output_key).expect("okm expand");
|
||||||
|
okm.fill(&mut both_keys).expect("fill keys");
|
||||||
|
|
||||||
// Copy the keys into their respective arrays.
|
// Copy the key parts into their respective fields.
|
||||||
let mut signing_key = [0; SIGNED_KEY_LEN];
|
output_key.signing_key.copy_from_slice(&both_keys[..SIGNED_KEY_LEN]);
|
||||||
let mut encryption_key = [0; PRIVATE_KEY_LEN];
|
output_key.encryption_key.copy_from_slice(&both_keys[SIGNED_KEY_LEN..]);
|
||||||
signing_key.copy_from_slice(&both_keys[..SIGNED_KEY_LEN]);
|
output_key
|
||||||
encryption_key.copy_from_slice(&both_keys[SIGNED_KEY_LEN..]);
|
|
||||||
|
|
||||||
Key {
|
|
||||||
signing_key,
|
|
||||||
encryption_key,
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Generates signing/encryption keys from a secure, random source. Keys are
|
/// Generates signing/encryption keys from a secure, random source. Keys are
|
||||||
|
|
|
||||||
|
|
@ -1,8 +1,10 @@
|
||||||
use std::str;
|
use std::str;
|
||||||
|
|
||||||
use log::warn;
|
use log::warn;
|
||||||
use ring::aead::{open_in_place, seal_in_place, Aad, Algorithm, Nonce, AES_256_GCM};
|
use ring::aead::{Aad, Algorithm, Nonce, AES_256_GCM};
|
||||||
use ring::aead::{OpeningKey, SealingKey};
|
use ring::aead::{OpeningKey, SealingKey};
|
||||||
|
use ring::OpeningKey::open_in_place;
|
||||||
|
use ring::SealingKey::seal_in_place;
|
||||||
use ring::rand::{SecureRandom, SystemRandom};
|
use ring::rand::{SecureRandom, SystemRandom};
|
||||||
|
|
||||||
use super::Key;
|
use super::Key;
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,5 @@
|
||||||
use ring::digest::{Algorithm, SHA256};
|
use ring::digest::{Algorithm, SHA256};
|
||||||
use ring::hmac::{sign, verify_with_own_key as verify, SigningKey};
|
use ring::hmac::{sign, verify, Key};
|
||||||
|
|
||||||
use super::Key;
|
use super::Key;
|
||||||
use crate::cookie::{Cookie, CookieJar};
|
use crate::cookie::{Cookie, CookieJar};
|
||||||
|
|
@ -21,7 +21,7 @@ pub const KEY_LEN: usize = 32;
|
||||||
/// This type is only available when the `secure` feature is enabled.
|
/// This type is only available when the `secure` feature is enabled.
|
||||||
pub struct SignedJar<'a> {
|
pub struct SignedJar<'a> {
|
||||||
parent: &'a mut CookieJar,
|
parent: &'a mut CookieJar,
|
||||||
key: SigningKey,
|
key: Key,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl<'a> SignedJar<'a> {
|
impl<'a> SignedJar<'a> {
|
||||||
|
|
@ -32,7 +32,7 @@ impl<'a> SignedJar<'a> {
|
||||||
pub fn new(parent: &'a mut CookieJar, key: &Key) -> SignedJar<'a> {
|
pub fn new(parent: &'a mut CookieJar, key: &Key) -> SignedJar<'a> {
|
||||||
SignedJar {
|
SignedJar {
|
||||||
parent,
|
parent,
|
||||||
key: SigningKey::new(HMAC_DIGEST, key.signing()),
|
key: Key::new(HMAC_DIGEST, key.signing()),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue