azure_core/
hmac.rs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
use crate::auth::Secret;
#[cfg(any(feature = "hmac_rust", feature = "hmac_openssl"))]
use crate::{
    base64,
    error::{ErrorKind, ResultExt},
};

/// Tries to create an HMAC SHA256 signature from the given `data` and `key`.
/// The `key` is expected to be a base64 encoded string and will be decoded
/// before using it for signing. The returned signature is also base64 encoded.
///
/// If both `hmac_rust` and `hmac_openssl` are enabled, use `hmac_openssl`.
///
/// # Errors
/// - If the `key` is not a valid base64 encoded string.
/// - If it fails to create the HMAC from the `key`.
#[cfg(all(feature = "hmac_rust", not(feature = "hmac_openssl")))]
pub fn hmac_sha256(data: &str, key: &Secret) -> crate::Result<String> {
    use hmac::{Hmac, Mac};
    use sha2::Sha256;
    let key = base64::decode(key.secret())?;
    let mut hmac = Hmac::<Sha256>::new_from_slice(&key)
        .with_context(ErrorKind::DataConversion, || {
            "failed to create hmac from key"
        })?;
    hmac.update(data.as_bytes());
    let signature = hmac.finalize().into_bytes();
    Ok(base64::encode(signature))
}

#[cfg(feature = "hmac_openssl")]
pub fn hmac_sha256(data: &str, key: &Secret) -> crate::Result<String> {
    use openssl::{error::ErrorStack, hash::MessageDigest, pkey::PKey, sign::Signer};

    let dkey = base64::decode(key.secret())?;
    let signature = || -> Result<Vec<u8>, ErrorStack> {
        let pkey = PKey::hmac(&dkey)?;
        let mut signer = Signer::new(MessageDigest::sha256(), &pkey)?;
        signer.update(data.as_bytes())?;
        signer.sign_to_vec()
    }()
    .with_context(ErrorKind::DataConversion, || {
        "failed to create hmac from key"
    })?;
    Ok(base64::encode(signature))
}

#[cfg(not(any(feature = "hmac_rust", feature = "hmac_openssl")))]
pub fn hmac_sha256(_data: &str, _key: &Secret) -> crate::Result<String> {
    unimplemented!("An HMAC signing request was called without an hmac implementation.  Make sure to enable either the `hmac_rust` or `hmac_openssl` feature");
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_hmac_sign() {
        let data = "create hmac signature for data";
        let key = Secret::new("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF");

        let sig = hmac_sha256(data, &key).unwrap();

        let expected_sig = "D/y9XyIEdUzEbdV570h8dou/mfkbMA1lKCOPqPDPAd0=";
        assert_eq!(sig, expected_sig);
    }
}