Coverage Report

Created: 2025-11-28 06:44

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/rust/registry/src/index.crates.io-1949cf8c6b5b557f/jsonwebtoken-9.3.1/src/encoding.rs
Line
Count
Source
1
use base64::{engine::general_purpose::STANDARD, Engine};
2
use serde::ser::Serialize;
3
4
use crate::algorithms::AlgorithmFamily;
5
use crate::crypto;
6
use crate::errors::{new_error, ErrorKind, Result};
7
use crate::header::Header;
8
#[cfg(feature = "use_pem")]
9
use crate::pem::decoder::PemEncodedKey;
10
use crate::serialization::b64_encode_part;
11
12
/// A key to encode a JWT with. Can be a secret, a PEM-encoded key or a DER-encoded key.
13
/// This key can be re-used so make sure you only initialize it once if you can for better performance.
14
#[derive(Clone)]
15
pub struct EncodingKey {
16
    pub(crate) family: AlgorithmFamily,
17
    content: Vec<u8>,
18
}
19
20
impl EncodingKey {
21
    /// If you're using a HMAC secret that is not base64, use that.
22
0
    pub fn from_secret(secret: &[u8]) -> Self {
23
0
        EncodingKey { family: AlgorithmFamily::Hmac, content: secret.to_vec() }
24
0
    }
25
26
    /// If you have a base64 HMAC secret, use that.
27
0
    pub fn from_base64_secret(secret: &str) -> Result<Self> {
28
0
        let out = STANDARD.decode(secret)?;
29
0
        Ok(EncodingKey { family: AlgorithmFamily::Hmac, content: out })
30
0
    }
31
32
    /// If you are loading a RSA key from a .pem file.
33
    /// This errors if the key is not a valid RSA key.
34
    /// Only exists if the feature `use_pem` is enabled.
35
    ///
36
    /// # NOTE
37
    ///
38
    /// According to the [ring doc](https://docs.rs/ring/latest/ring/signature/struct.RsaKeyPair.html#method.from_pkcs8),
39
    /// the key should be at least 2047 bits.
40
    ///
41
    #[cfg(feature = "use_pem")]
42
0
    pub fn from_rsa_pem(key: &[u8]) -> Result<Self> {
43
0
        let pem_key = PemEncodedKey::new(key)?;
44
0
        let content = pem_key.as_rsa_key()?;
45
0
        Ok(EncodingKey { family: AlgorithmFamily::Rsa, content: content.to_vec() })
46
0
    }
47
48
    /// If you are loading a ECDSA key from a .pem file
49
    /// This errors if the key is not a valid private EC key
50
    /// Only exists if the feature `use_pem` is enabled.
51
    ///
52
    /// # NOTE
53
    ///
54
    /// The key should be in PKCS#8 form.
55
    ///
56
    /// You can generate a key with the following:
57
    ///
58
    /// ```sh
59
    /// openssl ecparam -genkey -noout -name prime256v1 \
60
    ///     | openssl pkcs8 -topk8 -nocrypt -out ec-private.pem
61
    /// ```
62
    #[cfg(feature = "use_pem")]
63
0
    pub fn from_ec_pem(key: &[u8]) -> Result<Self> {
64
0
        let pem_key = PemEncodedKey::new(key)?;
65
0
        let content = pem_key.as_ec_private_key()?;
66
0
        Ok(EncodingKey { family: AlgorithmFamily::Ec, content: content.to_vec() })
67
0
    }
68
69
    /// If you are loading a EdDSA key from a .pem file
70
    /// This errors if the key is not a valid private Ed key
71
    /// Only exists if the feature `use_pem` is enabled.
72
    #[cfg(feature = "use_pem")]
73
0
    pub fn from_ed_pem(key: &[u8]) -> Result<Self> {
74
0
        let pem_key = PemEncodedKey::new(key)?;
75
0
        let content = pem_key.as_ed_private_key()?;
76
0
        Ok(EncodingKey { family: AlgorithmFamily::Ed, content: content.to_vec() })
77
0
    }
78
79
    /// If you know what you're doing and have the DER-encoded key, for RSA only
80
0
    pub fn from_rsa_der(der: &[u8]) -> Self {
81
0
        EncodingKey { family: AlgorithmFamily::Rsa, content: der.to_vec() }
82
0
    }
83
84
    /// If you know what you're doing and have the DER-encoded key, for ECDSA
85
0
    pub fn from_ec_der(der: &[u8]) -> Self {
86
0
        EncodingKey { family: AlgorithmFamily::Ec, content: der.to_vec() }
87
0
    }
88
89
    /// If you know what you're doing and have the DER-encoded key, for EdDSA
90
0
    pub fn from_ed_der(der: &[u8]) -> Self {
91
0
        EncodingKey { family: AlgorithmFamily::Ed, content: der.to_vec() }
92
0
    }
93
94
0
    pub(crate) fn inner(&self) -> &[u8] {
95
0
        &self.content
96
0
    }
97
}
98
99
/// Encode the header and claims given and sign the payload using the algorithm from the header and the key.
100
/// If the algorithm given is RSA or EC, the key needs to be in the PEM format.
101
///
102
/// ```rust
103
/// use serde::{Deserialize, Serialize};
104
/// use jsonwebtoken::{encode, Algorithm, Header, EncodingKey};
105
///
106
/// #[derive(Debug, Serialize, Deserialize)]
107
/// struct Claims {
108
///    sub: String,
109
///    company: String
110
/// }
111
///
112
/// let my_claims = Claims {
113
///     sub: "b@b.com".to_owned(),
114
///     company: "ACME".to_owned()
115
/// };
116
///
117
/// // my_claims is a struct that implements Serialize
118
/// // This will create a JWT using HS256 as algorithm
119
/// let token = encode(&Header::default(), &my_claims, &EncodingKey::from_secret("secret".as_ref())).unwrap();
120
/// ```
121
0
pub fn encode<T: Serialize>(header: &Header, claims: &T, key: &EncodingKey) -> Result<String> {
122
0
    if key.family != header.alg.family() {
123
0
        return Err(new_error(ErrorKind::InvalidAlgorithm));
124
0
    }
125
0
    let encoded_header = b64_encode_part(header)?;
126
0
    let encoded_claims = b64_encode_part(claims)?;
127
0
    let message = [encoded_header, encoded_claims].join(".");
128
0
    let signature = crypto::sign(message.as_bytes(), key, header.alg)?;
129
130
0
    Ok([message, signature].join("."))
131
0
}
Unexecuted instantiation: jsonwebtoken::encoding::encode::<surrealdb_core::iam::token::Claims>
Unexecuted instantiation: jsonwebtoken::encoding::encode::<_>