1use super::object::{KeyObject, KeyObjectT};
2use super::KeyId;
3use crate::prelude::*;
4use crate::value::{KeyStatus, KeyUsage};
5use crate::valueset::{KeyInternalData, ValueSetKeyInternal};
6use compact_jwt::compact::{JweAlg, JweCompact, JweEnc};
7use compact_jwt::crypto::{
8 JweA128GCMEncipher, JweA128KWEncipher, JwsRs256Signer, JwsRs256Verifier,
9};
10use compact_jwt::jwe::Jwe;
11use compact_jwt::traits::*;
12use compact_jwt::{
13 JwaAlg, Jwk, JwkKeySet, Jws, JwsCompact, JwsEs256Signer, JwsEs256Verifier, JwsSigner,
14 JwsSignerToVerifier,
15};
16use smolset::SmolSet;
17use std::cmp::Reverse;
18use std::collections::{BTreeMap, BTreeSet};
19use std::ops::Bound::{Included, Unbounded};
20use std::sync::Arc;
21
22pub struct KeyProviderInternal {
23 uuid: Uuid,
24 name: String,
25}
26
27impl KeyProviderInternal {
28 pub(super) fn try_from(
29 value: &Entry<EntrySealed, EntryCommitted>,
30 ) -> Result<Self, OperationError> {
31 let name = value
33 .get_ava_single_iname(Attribute::Name)
34 .ok_or_else(|| {
35 error!("Missing {}", Attribute::Name);
36 OperationError::KP0004KeyProviderMissingAttributeName
37 })?
38 .to_string();
39
40 let uuid = value.get_uuid();
41
42 Ok(KeyProviderInternal { uuid, name })
43 }
44
45 pub(crate) fn uuid(&self) -> Uuid {
46 self.uuid
47 }
48
49 pub(crate) fn name(&self) -> &str {
50 &self.name
51 }
52
53 pub(crate) fn create_new_key_object(
54 &self,
55 uuid: Uuid,
56 provider: Arc<Self>,
57 ) -> Result<KeyObject, OperationError> {
58 Ok(Box::new(KeyObjectInternal {
59 provider,
60 uuid,
61 jws_es256: None,
62 jwe_a128gcm: None,
63 jws_rs256: None,
64 }))
65 }
66
67 pub(super) fn load_key_object(
68 &self,
69 entry: &EntrySealedCommitted,
70 provider: Arc<Self>,
71 ) -> Result<Arc<KeyObject>, OperationError> {
72 let uuid = entry.get_uuid();
73 debug!(?uuid, "Loading key object ...");
74
75 let mut jws_es256: Option<KeyObjectInternalJwtEs256> = None;
76 let mut jws_rs256: Option<KeyObjectInternalJwtRs256> = None;
77 let mut jwe_a128gcm: Option<KeyObjectInternalJweA128GCM> = None;
78
79 if let Some(key_internal_map) = entry
80 .get_ava_set(Attribute::KeyInternalData)
81 .and_then(|vs| vs.as_key_internal_map())
82 {
83 for (
84 key_id,
85 KeyInternalData {
86 usage,
87 status,
88 status_cid,
89 der,
90 valid_from,
91 },
92 ) in key_internal_map.iter()
93 {
94 trace!(?uuid, ?usage, ?status, ?key_id);
95 match usage {
96 KeyUsage::JwsEs256 => {
97 let jws_es256_ref =
98 jws_es256.get_or_insert_with(KeyObjectInternalJwtEs256::default);
99
100 jws_es256_ref.load(
101 key_id,
102 *status,
103 status_cid.clone(),
104 der,
105 *valid_from,
106 )?;
107 }
108 KeyUsage::JwsRs256 => {
109 let jws_rs256_ref =
110 jws_rs256.get_or_insert_with(KeyObjectInternalJwtRs256::default);
111
112 jws_rs256_ref.load(
113 key_id,
114 *status,
115 status_cid.clone(),
116 der,
117 *valid_from,
118 )?;
119 }
120 KeyUsage::JweA128GCM => {
121 let jwe_a128gcm_ref =
122 jwe_a128gcm.get_or_insert_with(KeyObjectInternalJweA128GCM::default);
123
124 jwe_a128gcm_ref.load(
125 key_id,
126 *status,
127 status_cid.clone(),
128 der,
129 *valid_from,
130 )?;
131 }
132 }
133 }
134 }
135
136 Ok(Arc::new(Box::new(KeyObjectInternal {
137 provider,
138 uuid,
139 jws_es256,
140 jwe_a128gcm,
141 jws_rs256,
142 })))
143 }
144
145 pub(crate) fn test(&self) -> Result<(), OperationError> {
146 Ok(())
149 }
150}
151
152#[cfg(test)]
153impl KeyProviderInternal {
154 fn create_test_provider() -> Self {
155 KeyProviderInternal {
156 uuid: UUID_KEY_PROVIDER_INTERNAL,
157 name: "key_provider_internal".to_string(),
158 }
159 }
160}
161
162#[derive(Clone)]
163enum InternalJweA128GCMStatus {
164 Valid {
165 cipher: JweA128KWEncipher,
166 key: Vec<u8>,
167 },
168 Retained {
169 cipher: JweA128KWEncipher,
170 key: Vec<u8>,
171 },
172 Revoked,
173}
174
175#[derive(Clone)]
176struct InternalJweA128GCM {
177 valid_from: u64,
178 status: InternalJweA128GCMStatus,
179 status_cid: Cid,
180}
181
182#[derive(Default, Clone)]
183struct KeyObjectInternalJweA128GCM {
184 active: BTreeMap<u64, JweA128KWEncipher>,
190
191 all: BTreeMap<KeyId, InternalJweA128GCM>,
194}
195
196impl KeyObjectInternalJweA128GCM {
197 fn get_valid_cipher(&self, time: Duration) -> Option<&JweA128KWEncipher> {
198 let ct_secs = time.as_secs();
199
200 self.active
201 .range((Unbounded, Included(ct_secs)))
202 .next_back()
203 .map(|(_time, cipher)| cipher)
204 }
205
206 fn assert_active(&mut self, valid_from: Duration, cid: &Cid) -> Result<(), OperationError> {
207 if self.get_valid_cipher(valid_from).is_none() {
208 debug!("no active jwe a128gcm found, creating a new one ...");
210 self.new_active(valid_from, cid)
211 } else {
212 Ok(())
213 }
214 }
215
216 #[instrument(level = "debug", name = "keyobject::jwe_a128_gcm::new", skip_all)]
217 fn new_active(&mut self, valid_from: Duration, cid: &Cid) -> Result<(), OperationError> {
218 let valid_from = valid_from.as_secs();
219
220 let cipher = JweA128KWEncipher::new().map_err(|jwt_error| {
221 error!(?jwt_error, "Unable to generate new jwe a128 encryption key");
222 OperationError::KP0035KeyObjectJweA128GCMGeneration
223 })?;
224
225 let key = cipher.key_bytes().map_err(|jwt_error| {
226 error!(?jwt_error, "Unable to access new jwe a128 encryption key");
227 OperationError::KP0036KeyObjectPrivateToBytes
228 })?;
229
230 let key = Vec::from(key);
231
232 let kid = cipher.kid().to_string();
233
234 self.active.insert(valid_from, cipher.clone());
235
236 self.all.insert(
237 kid,
238 InternalJweA128GCM {
239 valid_from,
240 status: InternalJweA128GCMStatus::Valid { cipher, key },
241 status_cid: cid.clone(),
242 },
243 );
244
245 Ok(())
246 }
247
248 fn to_key_iter(&self) -> impl Iterator<Item = (KeyId, KeyInternalData)> + '_ {
249 self.all.iter().map(|(key_id, internal_jwe)| {
250 let usage = KeyUsage::JweA128GCM;
251
252 let valid_from = internal_jwe.valid_from;
253 let status_cid = internal_jwe.status_cid.clone();
254
255 let (status, der) = match &internal_jwe.status {
256 InternalJweA128GCMStatus::Valid { cipher: _, key } => {
257 (KeyStatus::Valid, key.clone())
258 }
259 InternalJweA128GCMStatus::Retained { cipher: _, key } => {
260 (KeyStatus::Retained, key.clone())
261 }
262 InternalJweA128GCMStatus::Revoked => (KeyStatus::Revoked, Vec::with_capacity(0)),
263 };
264
265 (
266 key_id.clone(),
267 KeyInternalData {
268 usage,
269 valid_from,
270 der,
271 status,
272 status_cid,
273 },
274 )
275 })
276 }
277
278 fn revoke(&mut self, revoke_key_id: &KeyId, cid: &Cid) -> Result<bool, OperationError> {
279 if let Some(key_to_revoke) = self.all.get_mut(revoke_key_id) {
280 key_to_revoke.status = InternalJweA128GCMStatus::Revoked;
281 key_to_revoke.status_cid = cid.clone();
282
283 let valid_from = key_to_revoke.valid_from;
284
285 self.active.remove(&valid_from);
287
288 Ok(true)
289 } else {
290 Ok(false)
292 }
293 }
294
295 fn load(
296 &mut self,
297 id: &str,
298 status: KeyStatus,
299 status_cid: Cid,
300 der: &[u8],
301 valid_from: u64,
302 ) -> Result<(), OperationError> {
303 let id: KeyId = id.to_string();
304
305 let status = match status {
306 KeyStatus::Valid => {
307 let cipher = JweA128KWEncipher::try_from(der).map_err(|err| {
308 error!(?err, ?id, "Unable to load A128GCM retained cipher");
309 OperationError::KP0037KeyObjectImportJweA128GCMInvalid
310 })?;
311
312 self.active.insert(valid_from, cipher.clone());
313
314 InternalJweA128GCMStatus::Valid {
315 cipher,
316 key: der.to_vec(),
317 }
318 }
319 KeyStatus::Retained => {
320 let cipher = JweA128KWEncipher::try_from(der).map_err(|err| {
321 error!(?err, ?id, "Unable to load A128GCM retained cipher");
322 OperationError::KP0038KeyObjectImportJweA128GCMInvalid
323 })?;
324
325 InternalJweA128GCMStatus::Retained {
326 cipher,
327 key: der.to_vec(),
328 }
329 }
330 KeyStatus::Revoked => InternalJweA128GCMStatus::Revoked,
331 };
332
333 let internal_jwe = InternalJweA128GCM {
334 valid_from,
335 status,
336 status_cid,
337 };
338
339 self.all.insert(id, internal_jwe);
340
341 Ok(())
342 }
343
344 fn decipher(&self, jwec: &JweCompact) -> Result<Jwe, OperationError> {
345 let internal_jwe = jwec
346 .kid()
347 .and_then(|kid| {
348 debug!(?kid);
349 self.all.get(kid)
350 })
351 .ok_or_else(|| {
352 error!("JWE is encrypted by a key that is not present in this KeyObject");
353 for pres_kid in self.all.keys() {
354 debug!(?pres_kid);
355 }
356 OperationError::KP0039KeyObjectJweNotAssociated
357 })?;
358
359 match &internal_jwe.status {
360 InternalJweA128GCMStatus::Valid { cipher, .. }
361 | InternalJweA128GCMStatus::Retained { cipher, .. } => {
362 cipher.decipher(jwec).map_err(|jwt_err| {
363 error!(?jwt_err, "Failed to decrypt jwe");
364 OperationError::KP0040KeyObjectJweInvalid
365 })
366 }
367 InternalJweA128GCMStatus::Revoked => {
368 error!("The key used to encrypt this JWE has been revoked.");
369 Err(OperationError::KP0041KeyObjectJweRevoked)
370 }
371 }
372 }
373
374 fn encipher(&self, jwe: &Jwe, current_time: Duration) -> Result<JweCompact, OperationError> {
375 let Some(cipher) = self.get_valid_cipher(current_time) else {
376 error!("No encryption keys available. This may indicate that no keys are valid yet!");
377 return Err(OperationError::KP0042KeyObjectNoActiveEncryptionKeys);
378 };
379
380 cipher.encipher::<JweA128GCMEncipher>(jwe).map_err(|err| {
381 error!(?err, "Unable to sign jwe");
382 OperationError::KP0043KeyObjectJweA128GCMEncryption
383 })
384 }
385}
386
387#[derive(Clone)]
388enum InternalJwtEs256Status {
389 Valid {
390 verifier: JwsEs256Verifier,
392 private_der: Vec<u8>,
393 },
394 Retained {
395 verifier: JwsEs256Verifier,
396 public_der: Vec<u8>,
397 },
398 Revoked {
399 untrusted_verifier: JwsEs256Verifier,
400 public_der: Vec<u8>,
401 },
402}
403
404#[derive(Clone)]
405struct InternalJwtEs256 {
406 valid_from: u64,
407 status: InternalJwtEs256Status,
408 status_cid: Cid,
409}
410
411#[derive(Default, Clone)]
412struct KeyObjectInternalJwtEs256 {
413 active: BTreeMap<u64, JwsEs256Signer>,
419
420 all: BTreeMap<KeyId, InternalJwtEs256>,
423}
424
425impl KeyObjectInternalJwtEs256 {
426 fn get_valid_signer(&self, time: Duration) -> Option<&JwsEs256Signer> {
427 let ct_secs = time.as_secs();
428
429 self.active
430 .range((Unbounded, Included(ct_secs)))
431 .next_back()
432 .map(|(_time, signer)| signer)
433 }
434
435 fn assert_active(&mut self, valid_from: Duration, cid: &Cid) -> Result<(), OperationError> {
436 if self.get_valid_signer(valid_from).is_none() {
437 debug!("no active jwt es256 found, creating a new one ...");
439 self.new_active(valid_from, cid)
440 } else {
441 Ok(())
442 }
443 }
444
445 fn import(
446 &mut self,
447 import_keys: &SmolSet<[Vec<u8>; 1]>,
448 valid_from: Duration,
449 cid: &Cid,
450 ) -> Result<(), OperationError> {
451 let valid_from = valid_from.as_secs();
452
453 for private_der in import_keys {
454 let mut signer = JwsEs256Signer::from_es256_der(private_der).map_err(|err| {
455 error!(?err, "Unable to load imported es256 DER signer");
456 OperationError::KP0028KeyObjectImportJwsEs256DerInvalid
457 })?;
458
459 let verifier = signer.get_verifier().map_err(|jwt_error| {
460 error!(
461 ?jwt_error,
462 "Unable to produce jwt es256 verifier from signer"
463 );
464 OperationError::KP0029KeyObjectSignerToVerifier
465 })?;
466
467 let kid = signer.get_legacy_kid().to_string();
469 debug!(?kid, "imported key");
470
471 signer.set_kid(kid.as_str());
473
474 self.active.insert(valid_from, signer.clone());
475
476 self.all.insert(
477 kid,
478 InternalJwtEs256 {
479 valid_from,
480 status: InternalJwtEs256Status::Valid {
481 verifier,
482 private_der: private_der.clone(),
483 },
484 status_cid: cid.clone(),
485 },
486 );
487 }
488
489 Ok(())
490 }
491
492 #[instrument(level = "debug", name = "keyobject::jws_es256::new", skip_all)]
493 fn new_active(&mut self, valid_from: Duration, cid: &Cid) -> Result<(), OperationError> {
494 let valid_from = valid_from.as_secs();
495
496 let signer = JwsEs256Signer::generate_es256().map_err(|jwt_error| {
497 error!(?jwt_error, "Unable to generate new jwt es256 signing key");
498 OperationError::KP0006KeyObjectJwtEs256Generation
499 })?;
500
501 let verifier = signer.get_verifier().map_err(|jwt_error| {
502 error!(
503 ?jwt_error,
504 "Unable to produce jwt es256 verifier from signer"
505 );
506 OperationError::KP0010KeyObjectSignerToVerifier
507 })?;
508
509 let private_der = signer.private_key_to_der().map_err(|jwt_error| {
510 error!(?jwt_error, "Unable to convert signing key to DER");
511 OperationError::KP0009KeyObjectPrivateToDer
512 })?;
513
514 self.active.insert(valid_from, signer.clone());
515
516 let kid = signer.get_kid().to_string();
517
518 self.all.insert(
519 kid,
520 InternalJwtEs256 {
521 valid_from,
522 status: InternalJwtEs256Status::Valid {
523 verifier,
525 private_der,
526 },
527 status_cid: cid.clone(),
528 },
529 );
530
531 Ok(())
532 }
533
534 fn revoke(&mut self, revoke_key_id: &KeyId, cid: &Cid) -> Result<bool, OperationError> {
535 if let Some(key_to_revoke) = self.all.get_mut(revoke_key_id) {
536 let untrusted_verifier = match &key_to_revoke.status {
537 InternalJwtEs256Status::Valid { verifier, .. }
538 | InternalJwtEs256Status::Retained { verifier, .. } => verifier,
539 InternalJwtEs256Status::Revoked {
540 untrusted_verifier, ..
541 } => untrusted_verifier,
542 }
543 .clone();
544
545 let public_der = untrusted_verifier
546 .public_key_to_der()
547 .map_err(|jwt_error| {
548 error!(?jwt_error, "Unable to convert public key to DER");
549 OperationError::KP0027KeyObjectPublicToDer
550 })?;
551
552 key_to_revoke.status = InternalJwtEs256Status::Revoked {
553 untrusted_verifier,
554 public_der,
555 };
556 key_to_revoke.status_cid = cid.clone();
557
558 let valid_from = key_to_revoke.valid_from;
559
560 self.active.remove(&valid_from);
562
563 Ok(true)
564 } else {
565 Ok(false)
567 }
568 }
569
570 fn load(
571 &mut self,
572 id: &str,
573 status: KeyStatus,
574 status_cid: Cid,
575 der: &[u8],
576 valid_from: u64,
577 ) -> Result<(), OperationError> {
578 let id: KeyId = id.to_string();
579
580 let status = match status {
581 KeyStatus::Valid => {
582 let mut signer = JwsEs256Signer::from_es256_der(der).map_err(|err| {
583 error!(?err, ?id, "Unable to load es256 DER signer");
584 OperationError::KP0013KeyObjectJwsEs256DerInvalid
585 })?;
586
587 signer.set_kid(id.as_str());
589
590 let verifier = signer.get_verifier().map_err(|err| {
591 error!(?err, "Unable to retrieve verifier from signer");
592 OperationError::KP0014KeyObjectSignerToVerifier
593 })?;
594
595 self.active.insert(valid_from, signer);
596
597 InternalJwtEs256Status::Valid {
598 verifier,
600 private_der: der.to_vec(),
601 }
602 }
603 KeyStatus::Retained => {
604 let verifier = JwsEs256Verifier::from_es256_der(der).map_err(|err| {
605 error!(?err, ?id, "Unable to load es256 DER verifier");
606 OperationError::KP0015KeyObjectJwsEs256DerInvalid
607 })?;
608
609 InternalJwtEs256Status::Retained {
610 verifier,
611 public_der: der.to_vec(),
612 }
613 }
614 KeyStatus::Revoked => {
615 let untrusted_verifier = JwsEs256Verifier::from_es256_der(der).map_err(|err| {
616 error!(?err, ?id, "Unable to load es256 DER revoked verifier");
617 OperationError::KP0016KeyObjectJwsEs256DerInvalid
618 })?;
619
620 InternalJwtEs256Status::Revoked {
621 untrusted_verifier,
622 public_der: der.to_vec(),
623 }
624 }
625 };
626
627 let internal_jwt = InternalJwtEs256 {
628 valid_from,
629 status,
630 status_cid,
631 };
632
633 self.all.insert(id, internal_jwt);
634
635 Ok(())
636 }
637
638 fn to_key_iter(&self) -> impl Iterator<Item = (KeyId, KeyInternalData)> + '_ {
639 self.all.iter().map(|(key_id, internal_jwt)| {
640 let usage = KeyUsage::JwsEs256;
641
642 let valid_from = internal_jwt.valid_from;
643 let status_cid = internal_jwt.status_cid.clone();
644
645 let (status, der) = match &internal_jwt.status {
646 InternalJwtEs256Status::Valid { private_der, .. } => {
647 (KeyStatus::Valid, private_der.clone())
648 }
649 InternalJwtEs256Status::Retained { public_der, .. } => {
650 (KeyStatus::Retained, public_der.clone())
651 }
652 InternalJwtEs256Status::Revoked { public_der, .. } => {
653 (KeyStatus::Revoked, public_der.clone())
654 }
655 };
656
657 (
658 key_id.clone(),
659 KeyInternalData {
660 usage,
661 valid_from,
662 der,
663 status,
664 status_cid,
665 },
666 )
667 })
668 }
669
670 fn sign<V: JwsSignable>(
671 &self,
672 jws: &V,
673 current_time: Duration,
674 ) -> Result<V::Signed, OperationError> {
675 let Some(signing_key) = self.get_valid_signer(current_time) else {
676 error!("No signing keys available. This may indicate that no keys are valid yet!");
677 return Err(OperationError::KP0020KeyObjectNoActiveSigningKeys);
678 };
679
680 signing_key.sign(jws).map_err(|jwt_err| {
681 error!(?jwt_err, "Unable to sign jws");
682 OperationError::KP0021KeyObjectJwsEs256Signature
683 })
684 }
685
686 fn verify<V: JwsVerifiable>(&self, jwsc: &V) -> Result<V::Verified, OperationError> {
687 let internal_jws = jwsc
688 .kid()
689 .and_then(|kid| {
690 debug!(?kid);
691 self.all.get(kid)
692 })
693 .ok_or_else(|| {
694 error!("JWS is signed by a key that is not present in this KeyObject");
695 for pres_kid in self.all.keys() {
696 debug!(?pres_kid);
697 }
698 OperationError::KP0022KeyObjectJwsNotAssociated
699 })?;
700
701 match &internal_jws.status {
702 InternalJwtEs256Status::Valid { verifier, .. }
703 | InternalJwtEs256Status::Retained { verifier, .. } => {
704 verifier.verify(jwsc).map_err(|jwt_err| {
705 error!(?jwt_err, "Failed to verify jws");
706 OperationError::KP0024KeyObjectJwsInvalid
707 })
708 }
709 InternalJwtEs256Status::Revoked { .. } => {
710 error!("The key used to sign this JWS has been revoked.");
711 Err(OperationError::KP0023KeyObjectJwsKeyRevoked)
712 }
713 }
714 }
715
716 fn public_jwks(&self) -> JwkKeySet {
717 let mut signing_keys: Vec<_> = self.all.iter().collect();
720
721 signing_keys.sort_unstable_by_key(|(_, k)| Reverse(k.valid_from));
723
724 let keys = signing_keys
725 .into_iter()
726 .filter_map(|(_, es256)| match &es256.status {
727 InternalJwtEs256Status::Valid { verifier, .. }
728 | InternalJwtEs256Status::Retained { verifier, .. } => verifier
729 .public_key_as_jwk()
730 .map_err(|err| {
731 error!(?err);
732 })
733 .ok(),
734 InternalJwtEs256Status::Revoked { .. } => None,
735 })
736 .collect::<Vec<_>>();
737
738 JwkKeySet { keys }
739 }
740
741 fn public_jwk(&self, key_id: &str) -> Result<Option<Jwk>, OperationError> {
742 if let Some(key_to_check) = self.all.get(key_id) {
743 match &key_to_check.status {
744 InternalJwtEs256Status::Valid { verifier, .. }
745 | InternalJwtEs256Status::Retained { verifier, .. } => {
746 verifier.public_key_as_jwk().map(Some).map_err(|err| {
747 error!(?err, "Unable to construct public JWK.");
748 OperationError::KP0044KeyObjectJwsPublicJwk
749 })
750 }
751 InternalJwtEs256Status::Revoked { .. } => Ok(None),
752 }
753 } else {
754 Ok(None)
755 }
756 }
757
758 #[cfg(test)]
759 fn kid_status(&self, key_id: &KeyId) -> Result<Option<KeyStatus>, OperationError> {
760 if let Some(key_to_check) = self.all.get(key_id) {
761 let status = match &key_to_check.status {
762 InternalJwtEs256Status::Valid { .. } => KeyStatus::Valid,
763 InternalJwtEs256Status::Retained { .. } => KeyStatus::Retained,
764 InternalJwtEs256Status::Revoked { .. } => KeyStatus::Revoked,
765 };
766 Ok(Some(status))
767 } else {
768 Ok(None)
769 }
770 }
771}
772
773#[derive(Clone)]
774enum InternalJwtRs256Status {
775 Valid {
776 verifier: JwsRs256Verifier,
777 private_der: Vec<u8>,
778 },
779 Retained {
780 verifier: JwsRs256Verifier,
781 public_der: Vec<u8>,
782 },
783 Revoked {
784 untrusted_verifier: JwsRs256Verifier,
785 public_der: Vec<u8>,
786 },
787}
788
789#[derive(Clone)]
790struct InternalJwtRs256 {
791 valid_from: u64,
792 status: InternalJwtRs256Status,
793 status_cid: Cid,
794}
795
796#[derive(Default, Clone)]
797struct KeyObjectInternalJwtRs256 {
798 active: BTreeMap<u64, JwsRs256Signer>,
804
805 all: BTreeMap<KeyId, InternalJwtRs256>,
808}
809
810impl KeyObjectInternalJwtRs256 {
811 fn get_valid_signer(&self, time: Duration) -> Option<&JwsRs256Signer> {
812 let ct_secs = time.as_secs();
813
814 self.active
815 .range((Unbounded, Included(ct_secs)))
816 .next_back()
817 .map(|(_time, signer)| signer)
818 }
819
820 fn assert_active(&mut self, valid_from: Duration, cid: &Cid) -> Result<(), OperationError> {
821 if self.get_valid_signer(valid_from).is_none() {
822 debug!("no active jwt rs256 found, creating a new one ...");
824 self.new_active(valid_from, cid)
825 } else {
826 Ok(())
827 }
828 }
829
830 fn import(
831 &mut self,
832 import_keys: &SmolSet<[Vec<u8>; 1]>,
833 valid_from: Duration,
834 cid: &Cid,
835 ) -> Result<(), OperationError> {
836 let valid_from = valid_from.as_secs();
837
838 for private_der in import_keys {
839 let mut signer = JwsRs256Signer::from_rs256_der(private_der).map_err(|err| {
840 error!(?err, "Unable to load imported rs256 DER signer");
841 OperationError::KP0045KeyObjectImportJwsRs256DerInvalid
842 })?;
843
844 let verifier = signer.get_verifier().map_err(|jwt_error| {
845 error!(
846 ?jwt_error,
847 "Unable to produce jwt rs256 verifier from signer"
848 );
849 OperationError::KP0046KeyObjectSignerToVerifier
850 })?;
851
852 let kid = signer.get_legacy_kid().to_string();
854 debug!(?kid, "imported key");
855
856 signer.set_kid(kid.as_str());
858
859 self.active.insert(valid_from, signer.clone());
860
861 self.all.insert(
862 kid,
863 InternalJwtRs256 {
864 valid_from,
865 status: InternalJwtRs256Status::Valid {
866 verifier,
867 private_der: private_der.clone(),
868 },
869 status_cid: cid.clone(),
870 },
871 );
872 }
873
874 Ok(())
875 }
876
877 #[instrument(level = "debug", name = "keyobject::jws_rs256::new", skip_all)]
878 fn new_active(&mut self, valid_from: Duration, cid: &Cid) -> Result<(), OperationError> {
879 let valid_from = valid_from.as_secs();
880
881 let signer = JwsRs256Signer::generate_legacy_rs256().map_err(|jwt_error| {
882 error!(?jwt_error, "Unable to generate new jwt rs256 signing key");
883 OperationError::KP0048KeyObjectJwtRs256Generation
884 })?;
885
886 let verifier = signer.get_verifier().map_err(|jwt_error| {
887 error!(
888 ?jwt_error,
889 "Unable to produce jwt rs256 verifier from signer"
890 );
891 OperationError::KP0049KeyObjectSignerToVerifier
892 })?;
893
894 let private_der = signer.private_key_to_der().map_err(|jwt_error| {
895 error!(?jwt_error, "Unable to convert signing key to DER");
896 OperationError::KP0050KeyObjectPrivateToDer
897 })?;
898
899 self.active.insert(valid_from, signer.clone());
900
901 let kid = signer.get_kid().to_string();
902
903 self.all.insert(
904 kid,
905 InternalJwtRs256 {
906 valid_from,
907 status: InternalJwtRs256Status::Valid {
908 verifier,
910 private_der,
911 },
912 status_cid: cid.clone(),
913 },
914 );
915
916 Ok(())
917 }
918
919 fn revoke(&mut self, revoke_key_id: &KeyId, cid: &Cid) -> Result<bool, OperationError> {
920 if let Some(key_to_revoke) = self.all.get_mut(revoke_key_id) {
921 let untrusted_verifier = match &key_to_revoke.status {
922 InternalJwtRs256Status::Valid { verifier, .. }
923 | InternalJwtRs256Status::Retained { verifier, .. } => verifier,
924 InternalJwtRs256Status::Revoked {
925 untrusted_verifier, ..
926 } => untrusted_verifier,
927 }
928 .clone();
929
930 let public_der = untrusted_verifier
931 .public_key_to_der()
932 .map_err(|jwt_error| {
933 error!(?jwt_error, "Unable to convert public key to DER");
934 OperationError::KP0051KeyObjectPublicToDer
935 })?;
936
937 key_to_revoke.status = InternalJwtRs256Status::Revoked {
938 untrusted_verifier,
939 public_der,
940 };
941 key_to_revoke.status_cid = cid.clone();
942
943 let valid_from = key_to_revoke.valid_from;
944
945 self.active.remove(&valid_from);
947
948 Ok(true)
949 } else {
950 Ok(false)
952 }
953 }
954
955 fn load(
956 &mut self,
957 id: &str,
958 status: KeyStatus,
959 status_cid: Cid,
960 der: &[u8],
961 valid_from: u64,
962 ) -> Result<(), OperationError> {
963 let id: KeyId = id.to_string();
964
965 let status = match status {
966 KeyStatus::Valid => {
967 let mut signer = JwsRs256Signer::from_rs256_der(der).map_err(|err| {
968 error!(?err, ?id, "Unable to load rs256 DER signer");
969 OperationError::KP0052KeyObjectJwsRs256DerInvalid
970 })?;
971
972 signer.set_kid(id.as_str());
974
975 let verifier = signer.get_verifier().map_err(|err| {
976 error!(?err, "Unable to retrieve verifier from signer");
977 OperationError::KP0053KeyObjectSignerToVerifier
978 })?;
979
980 self.active.insert(valid_from, signer);
981
982 InternalJwtRs256Status::Valid {
983 verifier,
985 private_der: der.to_vec(),
986 }
987 }
988 KeyStatus::Retained => {
989 let verifier = JwsRs256Verifier::from_rs256_der(der).map_err(|err| {
990 error!(?err, ?id, "Unable to load rs256 DER verifier");
991 OperationError::KP0054KeyObjectJwsRs256DerInvalid
992 })?;
993
994 InternalJwtRs256Status::Retained {
995 verifier,
996 public_der: der.to_vec(),
997 }
998 }
999 KeyStatus::Revoked => {
1000 let untrusted_verifier = JwsRs256Verifier::from_rs256_der(der).map_err(|err| {
1001 error!(?err, ?id, "Unable to load rs256 DER revoked verifier");
1002 OperationError::KP0055KeyObjectJwsRs256DerInvalid
1003 })?;
1004
1005 InternalJwtRs256Status::Revoked {
1006 untrusted_verifier,
1007 public_der: der.to_vec(),
1008 }
1009 }
1010 };
1011
1012 let internal_jwt = InternalJwtRs256 {
1013 valid_from,
1014 status,
1015 status_cid,
1016 };
1017
1018 self.all.insert(id, internal_jwt);
1019
1020 Ok(())
1021 }
1022
1023 fn to_key_iter(&self) -> impl Iterator<Item = (KeyId, KeyInternalData)> + '_ {
1024 self.all.iter().map(|(key_id, internal_jwt)| {
1025 let usage = KeyUsage::JwsRs256;
1026
1027 let valid_from = internal_jwt.valid_from;
1028 let status_cid = internal_jwt.status_cid.clone();
1029
1030 let (status, der) = match &internal_jwt.status {
1031 InternalJwtRs256Status::Valid { private_der, .. } => {
1032 (KeyStatus::Valid, private_der.clone())
1033 }
1034 InternalJwtRs256Status::Retained { public_der, .. } => {
1035 (KeyStatus::Retained, public_der.clone())
1036 }
1037 InternalJwtRs256Status::Revoked { public_der, .. } => {
1038 (KeyStatus::Revoked, public_der.clone())
1039 }
1040 };
1041
1042 (
1043 key_id.clone(),
1044 KeyInternalData {
1045 usage,
1046 valid_from,
1047 der,
1048 status,
1049 status_cid,
1050 },
1051 )
1052 })
1053 }
1054
1055 fn sign<V: JwsSignable>(
1056 &self,
1057 jws: &V,
1058 current_time: Duration,
1059 ) -> Result<V::Signed, OperationError> {
1060 let Some(signing_key) = self.get_valid_signer(current_time) else {
1061 error!("No signing keys available. This may indicate that no keys are valid yet!");
1062 return Err(OperationError::KP0061KeyObjectNoActiveSigningKeys);
1063 };
1064
1065 signing_key.sign(jws).map_err(|jwt_err| {
1066 error!(?jwt_err, "Unable to sign jws");
1067 OperationError::KP0056KeyObjectJwsRs256Signature
1068 })
1069 }
1070
1071 fn verify<V: JwsVerifiable>(&self, jwsc: &V) -> Result<V::Verified, OperationError> {
1072 let internal_jws = jwsc
1073 .kid()
1074 .and_then(|kid| {
1075 debug!(?kid);
1076 self.all.get(kid)
1077 })
1078 .ok_or_else(|| {
1079 error!("JWS is signed by a key that is not present in this KeyObject");
1080 for pres_kid in self.all.keys() {
1081 debug!(?pres_kid);
1082 }
1083 OperationError::KP0057KeyObjectJwsNotAssociated
1084 })?;
1085
1086 match &internal_jws.status {
1087 InternalJwtRs256Status::Valid { verifier, .. }
1088 | InternalJwtRs256Status::Retained { verifier, .. } => {
1089 verifier.verify(jwsc).map_err(|jwt_err| {
1090 error!(?jwt_err, "Failed to verify jws");
1091 OperationError::KP0058KeyObjectJwsInvalid
1092 })
1093 }
1094 InternalJwtRs256Status::Revoked { .. } => {
1095 error!("The key used to sign this JWS has been revoked.");
1096 Err(OperationError::KP0059KeyObjectJwsKeyRevoked)
1097 }
1098 }
1099 }
1100
1101 fn public_jwks(&self) -> JwkKeySet {
1102 let mut signing_keys: Vec<_> = self.all.iter().collect();
1105
1106 signing_keys.sort_unstable_by_key(|(_, k)| Reverse(k.valid_from));
1108
1109 let keys = signing_keys
1110 .iter()
1111 .filter_map(|(key_id, rs256)| {
1112 error!(?key_id);
1113 match &rs256.status {
1114 InternalJwtRs256Status::Valid { verifier, .. }
1115 | InternalJwtRs256Status::Retained { verifier, .. } => verifier
1116 .public_key_as_jwk()
1117 .map_err(|err| {
1118 error!(?err);
1119 })
1120 .ok(),
1121 InternalJwtRs256Status::Revoked { .. } => None,
1122 }
1123 })
1124 .collect::<Vec<_>>();
1125
1126 JwkKeySet { keys }
1127 }
1128
1129 fn public_jwk(&self, key_id: &str) -> Result<Option<Jwk>, OperationError> {
1130 if let Some(key_to_check) = self.all.get(key_id) {
1131 match &key_to_check.status {
1132 InternalJwtRs256Status::Valid { verifier, .. }
1133 | InternalJwtRs256Status::Retained { verifier, .. } => {
1134 verifier.public_key_as_jwk().map(Some).map_err(|err| {
1135 error!(?err, "Unable to construct public JWK.");
1136 OperationError::KP0060KeyObjectJwsPublicJwk
1137 })
1138 }
1139 InternalJwtRs256Status::Revoked { .. } => Ok(None),
1140 }
1141 } else {
1142 Ok(None)
1143 }
1144 }
1145
1146 #[cfg(test)]
1147 fn kid_status(&self, key_id: &KeyId) -> Result<Option<KeyStatus>, OperationError> {
1148 if let Some(key_to_check) = self.all.get(key_id) {
1149 let status = match &key_to_check.status {
1150 InternalJwtRs256Status::Valid { .. } => KeyStatus::Valid,
1151 InternalJwtRs256Status::Retained { .. } => KeyStatus::Retained,
1152 InternalJwtRs256Status::Revoked { .. } => KeyStatus::Revoked,
1153 };
1154 Ok(Some(status))
1155 } else {
1156 Ok(None)
1157 }
1158 }
1159}
1160
1161#[derive(Clone)]
1162pub struct KeyObjectInternal {
1163 provider: Arc<KeyProviderInternal>,
1164 uuid: Uuid,
1165 jws_es256: Option<KeyObjectInternalJwtEs256>,
1166 jws_rs256: Option<KeyObjectInternalJwtRs256>,
1167 jwe_a128gcm: Option<KeyObjectInternalJweA128GCM>,
1168 }
1171
1172#[cfg(test)]
1173impl KeyObjectInternal {
1174 pub fn new_test() -> Arc<KeyObject> {
1175 let provider = Arc::new(KeyProviderInternal::create_test_provider());
1176
1177 let mut key_object = provider
1178 .create_new_key_object(Uuid::new_v4(), provider.clone())
1179 .expect("Unable to build new key object");
1180
1181 key_object
1182 .jws_es256_assert(Duration::from_secs(0), &Cid::new_zero())
1183 .expect("Unable to add jws_es256 to key object");
1184
1185 Arc::new(key_object)
1186 }
1187}
1188
1189impl KeyObjectT for KeyObjectInternal {
1190 fn uuid(&self) -> Uuid {
1191 self.uuid
1192 }
1193
1194 fn duplicate(&self) -> KeyObject {
1195 Box::new(self.clone())
1196 }
1197
1198 fn rotate_keys(&mut self, rotation_time: Duration, cid: &Cid) -> Result<(), OperationError> {
1199 if let Some(jws_es256_object) = &mut self.jws_es256 {
1200 jws_es256_object.new_active(rotation_time, cid)?;
1201 }
1202
1203 if let Some(jws_rs256_object) = &mut self.jws_rs256 {
1204 jws_rs256_object.new_active(rotation_time, cid)?;
1205 }
1206
1207 if let Some(jwe_a128_gcm) = &mut self.jwe_a128gcm {
1208 jwe_a128_gcm.new_active(rotation_time, cid)?;
1209 }
1210
1211 Ok(())
1212 }
1213
1214 fn revoke_keys(
1215 &mut self,
1216 revoke_set: &BTreeSet<String>,
1217 cid: &Cid,
1218 ) -> Result<(), OperationError> {
1219 for revoke_key_id in revoke_set.iter() {
1220 let mut has_revoked = false;
1221
1222 if let Some(jws_es256_object) = &mut self.jws_es256 {
1223 if jws_es256_object.revoke(revoke_key_id, cid)? {
1224 has_revoked = true;
1225 }
1226 };
1227
1228 if let Some(jws_rs256_object) = &mut self.jws_rs256 {
1229 if jws_rs256_object.revoke(revoke_key_id, cid)? {
1230 has_revoked = true;
1231 }
1232 };
1233
1234 if let Some(jwe_a128_gcm) = &mut self.jwe_a128gcm {
1235 if jwe_a128_gcm.revoke(revoke_key_id, cid)? {
1236 has_revoked = true;
1237 }
1238 };
1239
1240 if !has_revoked {
1241 error!(?revoke_key_id, "Unable to revoked key, id not found");
1242 return Err(OperationError::KP0026KeyObjectNoSuchKey);
1243 }
1244 }
1245
1246 Ok(())
1247 }
1248
1249 fn jws_es256_sign(
1250 &self,
1251 jws: &Jws,
1252 current_time: Duration,
1253 ) -> Result<JwsCompact, OperationError> {
1254 if let Some(jws_es256_object) = &self.jws_es256 {
1255 jws_es256_object.sign(jws, current_time)
1256 } else {
1257 error!(provider_uuid = ?self.uuid, "jwt es256 not available on this provider");
1258 Err(OperationError::KP0017KeyProviderNoSuchKey)
1259 }
1260 }
1261
1262 fn jws_verify(&self, jwsc: &JwsCompact) -> Result<Jws, OperationError> {
1263 let alg = jwsc.alg();
1265
1266 match alg {
1267 JwaAlg::ES256 => {
1268 if let Some(jws_es256_object) = &self.jws_es256 {
1269 jws_es256_object.verify(jwsc)
1270 } else {
1271 error!(provider_uuid = ?self.uuid, "jwt es256 not available on this provider");
1272 Err(OperationError::KP0018KeyProviderNoSuchKey)
1273 }
1274 }
1275 JwaAlg::RS256 => {
1276 if let Some(jws_rs256_object) = &self.jws_rs256 {
1277 jws_rs256_object.verify(jwsc)
1278 } else {
1279 error!(provider_uuid = ?self.uuid, "jwt rs256 not available on this provider");
1280 Err(OperationError::KP0018KeyProviderNoSuchKey)
1281 }
1282 }
1283 unsupported_alg => {
1284 error!(provider_uuid = ?self.uuid, ?unsupported_alg, "algorithm not available on this provider");
1286 Err(OperationError::KP0019KeyProviderUnsupportedAlgorithm)
1287 }
1288 }
1289 }
1290
1291 fn jws_es256_jwks(&self) -> Option<JwkKeySet> {
1292 self.jws_es256
1293 .as_ref()
1294 .map(|jws_es256_object| jws_es256_object.public_jwks())
1295 }
1296
1297 fn jws_public_jwk(&self, key_id: &str) -> Result<Option<Jwk>, OperationError> {
1298 if let Some(jws_es256_object) = &self.jws_es256 {
1299 if let Some(status) = jws_es256_object.public_jwk(key_id)? {
1300 return Ok(Some(status));
1301 }
1302 }
1303
1304 if let Some(jws_rs256_object) = &self.jws_rs256 {
1305 if let Some(status) = jws_rs256_object.public_jwk(key_id)? {
1306 return Ok(Some(status));
1307 }
1308 }
1309
1310 Ok(None)
1311 }
1312
1313 #[instrument(level = "debug", name = "keyobject::jws_es256_import", skip_all)]
1314 fn jws_es256_import(
1315 &mut self,
1316 import_keys: &SmolSet<[Vec<u8>; 1]>,
1317 valid_from: Duration,
1318 cid: &Cid,
1319 ) -> Result<(), OperationError> {
1320 let koi = self
1321 .jws_es256
1322 .get_or_insert_with(KeyObjectInternalJwtEs256::default);
1323
1324 koi.import(import_keys, valid_from, cid)
1325 }
1326
1327 fn jws_es256_assert(&mut self, valid_from: Duration, cid: &Cid) -> Result<(), OperationError> {
1328 let koi = self
1329 .jws_es256
1330 .get_or_insert_with(KeyObjectInternalJwtEs256::default);
1331
1332 koi.assert_active(valid_from, cid)
1333 }
1334
1335 fn jwe_decrypt(&self, jwec: &JweCompact) -> Result<Jwe, OperationError> {
1336 let (alg, enc) = jwec.get_alg_enc();
1337
1338 match (alg, enc) {
1339 (JweAlg::A128KW, JweEnc::A128GCM) => {
1340 if let Some(jwe_a128_gcm) = &self.jwe_a128gcm {
1341 jwe_a128_gcm.decipher(jwec)
1342 } else {
1343 error!(provider_uuid = ?self.uuid, "jwe a128gcm not available on this provider");
1344 Err(OperationError::KP0033KeyProviderNoSuchKey)
1345 }
1346 }
1347 (unsupported_alg, unsupported_enc) => {
1348 error!(provider_uuid = ?self.uuid, ?unsupported_alg, ?unsupported_enc, "algorithm+encryption not available on this provider");
1350 Err(OperationError::KP0019KeyProviderUnsupportedAlgorithm)
1351 }
1352 }
1353 }
1354
1355 fn jwe_a128gcm_assert(
1356 &mut self,
1357 valid_from: Duration,
1358 cid: &Cid,
1359 ) -> Result<(), OperationError> {
1360 let koi = self
1361 .jwe_a128gcm
1362 .get_or_insert_with(KeyObjectInternalJweA128GCM::default);
1363
1364 koi.assert_active(valid_from, cid)
1365 }
1366
1367 fn jwe_a128gcm_encrypt(
1368 &self,
1369 jwe: &Jwe,
1370 current_time: Duration,
1371 ) -> Result<JweCompact, OperationError> {
1372 if let Some(jwe_a128_gcm) = &self.jwe_a128gcm {
1373 jwe_a128_gcm.encipher(jwe, current_time)
1374 } else {
1375 error!(provider_uuid = ?self.uuid, "jwe a128gcm not available on this provider");
1376 Err(OperationError::KP0032KeyProviderNoSuchKey)
1377 }
1378 }
1379
1380 #[cfg(test)]
1381 fn kid_status(&self, key_id: &KeyId) -> Result<Option<KeyStatus>, OperationError> {
1382 if let Some(jws_es256_object) = &self.jws_es256 {
1383 if let Some(status) = jws_es256_object.kid_status(key_id)? {
1384 return Ok(Some(status));
1385 }
1386 }
1387
1388 if let Some(jws_rs256_object) = &self.jws_rs256 {
1389 if let Some(status) = jws_rs256_object.kid_status(key_id)? {
1390 return Ok(Some(status));
1391 }
1392 }
1393
1394 Ok(None)
1395 }
1396
1397 fn as_valuesets(&self) -> Result<Vec<(Attribute, ValueSet)>, OperationError> {
1398 let key_iter = self
1399 .jws_es256
1400 .iter()
1401 .flat_map(|jws_es256| jws_es256.to_key_iter())
1402 .chain(
1403 self.jwe_a128gcm
1404 .iter()
1405 .flat_map(|jwe_a128gcm| jwe_a128gcm.to_key_iter()),
1406 )
1407 .chain(
1408 self.jws_rs256
1409 .iter()
1410 .flat_map(|jws_rs256| jws_rs256.to_key_iter()),
1411 );
1412 let key_vs = ValueSetKeyInternal::from_key_iter(key_iter)? as ValueSet;
1413
1414 Ok(vec![
1415 (
1416 Attribute::Class,
1417 ValueSetIutf8::new(EntryClass::KeyObjectInternal.into()) as ValueSet,
1418 ),
1419 (
1420 Attribute::KeyProvider,
1421 ValueSetRefer::new(self.provider.uuid()) as ValueSet,
1422 ),
1423 (Attribute::KeyInternalData, key_vs),
1424 ])
1425 }
1426
1427 #[instrument(level = "debug", name = "keyobject::jws_rs256_import", skip_all)]
1428 fn jws_rs256_import(
1429 &mut self,
1430 import_keys: &SmolSet<[Vec<u8>; 1]>,
1431 valid_from: Duration,
1432 cid: &Cid,
1433 ) -> Result<(), OperationError> {
1434 let koi = self
1435 .jws_rs256
1436 .get_or_insert_with(KeyObjectInternalJwtRs256::default);
1437
1438 koi.import(import_keys, valid_from, cid)
1439 }
1440
1441 fn jws_rs256_assert(&mut self, valid_from: Duration, cid: &Cid) -> Result<(), OperationError> {
1442 let koi = self
1443 .jws_rs256
1444 .get_or_insert_with(KeyObjectInternalJwtRs256::default);
1445
1446 koi.assert_active(valid_from, cid)
1447 }
1448
1449 fn jws_rs256_sign(
1450 &self,
1451 jws: &Jws,
1452 current_time: Duration,
1453 ) -> Result<JwsCompact, OperationError> {
1454 if let Some(jws_rs256_object) = &self.jws_rs256 {
1455 jws_rs256_object.sign(jws, current_time)
1456 } else {
1457 error!(provider_uuid = ?self.uuid, "jwt rs256 not available on this provider");
1458 Err(OperationError::KP0062KeyProviderNoSuchKey)
1459 }
1460 }
1461
1462 fn jws_rs256_jwks(&self) -> Option<JwkKeySet> {
1463 self.jws_rs256
1464 .as_ref()
1465 .map(|jws_rs256_object| jws_rs256_object.public_jwks())
1466 }
1467}
1468
1469#[cfg(test)]
1470mod tests {
1471 use super::*;
1472 use crate::server::keys::*;
1473 use compact_jwt::jws::JwsBuilder;
1474
1475 #[tokio::test]
1476 async fn test_key_object_internal_basic() {
1477 let ct = duration_from_epoch_now();
1478 let test_provider = Arc::new(KeyProviderInternal::create_test_provider());
1479
1480 test_provider.test().expect("Provider failed testing");
1481
1482 let mut key_object = test_provider
1483 .create_new_key_object(Uuid::new_v4(), test_provider.clone())
1484 .expect("Unable to create new key object");
1485
1486 key_object
1487 .jws_es256_assert(ct, &Cid::new_count(ct.as_secs()))
1488 .expect("Unable to create signing key");
1489
1490 let jws = JwsBuilder::from(vec![0, 1, 2, 3, 4]).build();
1491
1492 let sig = key_object
1493 .jws_es256_sign(&jws, ct)
1494 .expect("Unable to sign jws");
1495
1496 let released = key_object.jws_verify(&sig).expect("Unable to validate jws");
1497
1498 assert_eq!(released.payload(), &[0, 1, 2, 3, 4]);
1499 }
1500
1501 #[qs_test]
1502 async fn test_key_object_internal_es256(server: &QueryServer) {
1503 let ct = duration_from_epoch_now();
1504 let mut write_txn = server.write(ct).await.unwrap();
1505
1506 let default_key_provider = write_txn
1508 .get_key_providers()
1509 .get_default()
1510 .expect("Unable to access default key provider object.");
1511
1512 assert_eq!(default_key_provider.uuid(), UUID_KEY_PROVIDER_INTERNAL);
1513
1514 let key_object_uuid = Uuid::new_v4();
1516
1517 write_txn
1518 .internal_create(vec![entry_init!(
1519 (Attribute::Class, EntryClass::Object.to_value()),
1520 (Attribute::Class, EntryClass::KeyObject.to_value()),
1521 (Attribute::Class, EntryClass::KeyObjectJwtEs256.to_value()),
1523 (Attribute::Uuid, Value::Uuid(key_object_uuid))
1524 )])
1525 .expect("Unable to create new key object");
1526
1527 write_txn.reload().expect("Unable to reload transaction");
1529
1530 let key_object_entry = write_txn
1532 .internal_search_uuid(key_object_uuid)
1533 .expect("Unable to retrieve key object by uuid");
1534
1535 assert!(key_object_entry.attribute_pres(Attribute::KeyInternalData));
1537
1538 let jws = JwsBuilder::from(vec![0, 1, 2, 3, 4]).build();
1541
1542 let jwsc_sig_1 = {
1543 let key_object_loaded = write_txn
1544 .get_key_providers()
1545 .get_key_object(key_object_uuid)
1546 .expect("Unable to retrieve key object by uuid");
1547
1548 let jwsc_sig_1 = key_object_loaded
1550 .jws_es256_sign(&jws, ct)
1551 .expect("Unable to sign jws");
1552
1553 assert!(jwsc_sig_1.get_jwk_pubkey_url().is_none());
1554
1555 let released = key_object_loaded
1556 .jws_verify(&jwsc_sig_1)
1557 .expect("Unable to validate jws");
1558
1559 assert_eq!(released.payload(), &[0, 1, 2, 3, 4]);
1560
1561 jwsc_sig_1
1562 };
1563
1564 let ct_future = ct + Duration::from_secs(300);
1568
1569 write_txn
1570 .internal_modify_uuid(
1571 key_object_uuid,
1572 &ModifyList::new_append(
1573 Attribute::KeyActionRotate,
1574 Value::new_datetime_epoch(ct_future),
1575 ),
1576 )
1577 .expect("Unable to rotate key.");
1578
1579 write_txn.reload().expect("Unable to reload transaction");
1582
1583 let (jwsc_sig_2, jwsc_sig_3) = {
1584 let key_object_loaded = write_txn
1585 .get_key_providers()
1586 .get_key_object(key_object_uuid)
1587 .expect("Unable to retrieve key object by uuid");
1588
1589 let jwsc_sig_2 = key_object_loaded
1591 .jws_es256_sign(&jws, ct)
1592 .expect("Unable to sign jws");
1593
1594 let jwsc_sig_3 = key_object_loaded
1596 .jws_es256_sign(&jws, ct_future)
1597 .expect("Unable to sign jws");
1598
1599 (jwsc_sig_2, jwsc_sig_3)
1600 };
1601
1602 assert_eq!(jwsc_sig_1.kid(), jwsc_sig_2.kid());
1603 assert_ne!(jwsc_sig_2.kid(), jwsc_sig_3.kid());
1604
1605 let remain_key = jwsc_sig_3.kid().unwrap().to_string();
1608 let revoke_kid = jwsc_sig_2.kid().unwrap().to_string();
1610
1611 {
1613 let key_object = write_txn
1614 .internal_search_uuid(key_object_uuid)
1615 .expect("unable to access key object");
1616
1617 let key_internal_map = key_object
1618 .get_ava_set(Attribute::KeyInternalData)
1619 .and_then(|vs| vs.as_key_internal_map())
1620 .expect("Unable to access key internal map.");
1621
1622 let revoke_key_status = key_internal_map
1623 .get(&revoke_kid)
1624 .map(|kdata| kdata.status)
1625 .expect("Key ID not found");
1626
1627 assert_eq!(revoke_key_status, KeyStatus::Valid);
1628
1629 let remain_key_status = key_internal_map
1630 .get(&remain_key)
1631 .map(|kdata| kdata.status)
1632 .expect("Key ID not found");
1633
1634 assert_eq!(remain_key_status, KeyStatus::Valid);
1635 }
1637
1638 write_txn
1640 .internal_modify_uuid(
1641 key_object_uuid,
1642 &ModifyList::new_append(
1643 Attribute::KeyActionRevoke,
1644 Value::HexString(revoke_kid.clone()),
1645 ),
1646 )
1647 .expect("Unable to revoke key.");
1648
1649 write_txn.reload().expect("Unable to reload transaction");
1652
1653 {
1654 let key_object = write_txn
1655 .internal_search_uuid(key_object_uuid)
1656 .expect("unable to access key object");
1657
1658 let key_internal_map = key_object
1659 .get_ava_set(Attribute::KeyInternalData)
1660 .and_then(|vs| vs.as_key_internal_map())
1661 .expect("Unable to access key internal map.");
1662
1663 let revoke_key_status = key_internal_map
1664 .get(&revoke_kid)
1665 .map(|kdata| kdata.status)
1666 .expect("Key ID not found");
1667
1668 trace!(?revoke_kid);
1669
1670 assert_eq!(revoke_key_status, KeyStatus::Revoked);
1671
1672 let remain_key_status = key_internal_map
1673 .get(&remain_key)
1674 .map(|kdata| kdata.status)
1675 .expect("Key ID not found");
1676
1677 trace!(?remain_key);
1678 trace!(?remain_key_status);
1679
1680 assert_eq!(remain_key_status, KeyStatus::Valid);
1681 }
1683
1684 {
1687 let key_object_loaded = write_txn
1688 .get_key_providers()
1689 .get_key_object(key_object_uuid)
1690 .expect("Unable to retrieve key object by uuid");
1691
1692 let _ = key_object_loaded
1693 .jws_es256_sign(&jws, ct)
1694 .expect("Unable to sign jws");
1695
1696 let _jwsc_sig_4 = key_object_loaded
1698 .jws_es256_sign(&jws, ct_future)
1699 .expect("Unable to sign jws");
1700 }
1701
1702 write_txn.commit().expect("Failed to commit");
1703 }
1704}