From fa58c198a870279ba4d742a2a0a2055c4330409f Mon Sep 17 00:00:00 2001
From: Justus K <justus.k@protonmail.com>
Date: Sat, 3 May 2025 12:34:56 +0200
Subject: [PATCH 1/5] feat(tests): start working on new integration tests by
 refactoring jwk tests

---
 .config/nextest.toml                          |   3 +
 Cargo.lock                                    |  23 +
 Cargo.toml                                    |   8 +-
 devenv.nix                                    |  46 ++
 src/jwk/serde_impl.rs                         |   6 +-
 tests/common/mod.rs                           |  16 +
 tests/jwk.rs                                  | 675 +++++++++++-------
 tests/jws.rs                                  | 467 ------------
 tests/keys/hs256.json                         |   6 -
 .../keys/key_ops_duplicates_rsa_enc.pub.json  |  14 -
 tests/vectors/jwk/3_1.ec_public_key.json      |   8 +
 tests/vectors/jwk/3_2.ec_private_key.json     |   9 +
 tests/vectors/jwk/3_3.rsa_public_key.json     |   7 +
 tests/vectors/jwk/3_4.rsa_private_key.json    |  13 +
 .../3_5.symmetric_key_mac_computation.json}   |   0
 .../jwk/3_6.symmetric_key_encryption.json     |   7 +
 tests/{keys => vectors/jwk}/ed25519.json      |   2 +-
 tests/{keys => vectors/jwk}/ed25519.pub.json  |   0
 .../jwk_optional_parameters_rsa_enc.pub.json  |   0
 .../jwk_optional_parameters_rsa_sig.pub.json  |   0
 .../jwk}/key_ops_rsa_enc.pub.json             |   0
 tests/{keys => vectors/jwk}/p256.json         |   0
 tests/{keys => vectors/jwk}/p256.pub.json     |   0
 tests/{keys => vectors/jwk}/p384.json         |   0
 tests/{keys => vectors/jwk}/p384.pub.json     |   0
 tests/{keys => vectors/jwk}/rsa.json          |   0
 tests/{keys => vectors/jwk}/rsa.pub.json      |   0
 27 files changed, 547 insertions(+), 763 deletions(-)
 create mode 100644 .config/nextest.toml
 create mode 100644 tests/common/mod.rs
 delete mode 100644 tests/keys/hs256.json
 delete mode 100644 tests/keys/key_ops_duplicates_rsa_enc.pub.json
 create mode 100644 tests/vectors/jwk/3_1.ec_public_key.json
 create mode 100644 tests/vectors/jwk/3_2.ec_private_key.json
 create mode 100644 tests/vectors/jwk/3_3.rsa_public_key.json
 create mode 100644 tests/vectors/jwk/3_4.rsa_private_key.json
 rename tests/{keys/cookbook_hs256.json => vectors/jwk/3_5.symmetric_key_mac_computation.json} (100%)
 create mode 100644 tests/vectors/jwk/3_6.symmetric_key_encryption.json
 rename tests/{keys => vectors/jwk}/ed25519.json (99%)
 rename tests/{keys => vectors/jwk}/ed25519.pub.json (100%)
 rename tests/{keys => vectors/jwk}/jwk_optional_parameters_rsa_enc.pub.json (100%)
 rename tests/{keys => vectors/jwk}/jwk_optional_parameters_rsa_sig.pub.json (100%)
 rename tests/{keys => vectors/jwk}/key_ops_rsa_enc.pub.json (100%)
 rename tests/{keys => vectors/jwk}/p256.json (100%)
 rename tests/{keys => vectors/jwk}/p256.pub.json (100%)
 rename tests/{keys => vectors/jwk}/p384.json (100%)
 rename tests/{keys => vectors/jwk}/p384.pub.json (100%)
 rename tests/{keys => vectors/jwk}/rsa.json (100%)
 rename tests/{keys => vectors/jwk}/rsa.pub.json (100%)

diff --git a/.config/nextest.toml b/.config/nextest.toml
new file mode 100644
index 0000000..5aa8a7d
--- /dev/null
+++ b/.config/nextest.toml
@@ -0,0 +1,3 @@
+# Profile to only run `tests/jwk.rs` tests.
+[profile.jwk]
+default-filter = "binary_id(jose::jwk)"
diff --git a/Cargo.lock b/Cargo.lock
index 3da5ad3..faf8862 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -330,6 +330,12 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "diff"
+version = "0.1.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "56254986775e3233ffa9c4d7d3faaf6d36a2c09d30b20687e9f88bc8bafc16c8"
+
 [[package]]
 name = "digest"
 version = "0.10.7"
@@ -664,6 +670,7 @@ dependencies = [
  "openssl-sys",
  "p256",
  "p384",
+ "pretty_assertions",
  "rand_core",
  "ring",
  "rsa",
@@ -956,6 +963,16 @@ dependencies = [
  "zerocopy",
 ]
 
+[[package]]
+name = "pretty_assertions"
+version = "1.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3ae130e2f271fbc2ac3a40fb1d07180839cdbbe443c7a27e1e3c13c5cac0116d"
+dependencies = [
+ "diff",
+ "yansi",
+]
+
 [[package]]
 name = "prettyplease"
 version = "0.2.32"
@@ -1595,6 +1612,12 @@ dependencies = [
  "bitflags",
 ]
 
+[[package]]
+name = "yansi"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cfe53a6657fd280eaa890a3bc59152892ffa3e30101319d168b781ed6529b049"
+
 [[package]]
 name = "zerocopy"
 version = "0.8.24"
diff --git a/Cargo.toml b/Cargo.toml
index 68c59d9..a6aa09b 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -22,7 +22,7 @@ categories = [
 ]
 
 [features]
-default = []
+default = ["crypto-openssl"]
 std = [
   "thiserror/std",
   "fluent-uri/std",
@@ -130,6 +130,9 @@ eyre = "0.6.12"
 clap = { version = "4.5.27", features = ["derive"] }
 clio = { version = "0.3.5", features = ["clap-parse"] }
 
+# For integration tests
+pretty_assertions = "1.4.1"
+
 # For X.509 certificates of Json Web Keys
 # x509-cert = { git = "https://github.com/RustCrypto/formats.git" }
 
@@ -140,3 +143,6 @@ required-features = ["std"]
 [package.metadata.docs.rs]
 features = ["crypto-rustcrypto", "std", "deterministic-ecdsa"]
 rustdoc-args = ["--cfg", "docsrs"]
+
+[profile.dev.package.num-bigint-dig]
+opt-level = 3
diff --git a/devenv.nix b/devenv.nix
index 25a6d61..55a5067 100644
--- a/devenv.nix
+++ b/devenv.nix
@@ -7,6 +7,9 @@
     cargo-udeps
     cargo-hack
     cargo-nextest
+    cargo-tarpaulin
+
+    jose
 
     openssl
     pkg-config
@@ -30,4 +33,47 @@
       "rust-src"
     ];
   };
+
+  scripts = {
+    each-crypto.exec = ''
+      CRYPTO_FEATURES="$(cat Cargo.toml | grep -o 'crypto-[^ ]* =' | tr -d ' =' | paste -sd ',')"
+
+      cargo hack \
+        --each-feature \
+        --include-features $CRYPTO_FEATURES \
+        "$@"
+    '';
+
+    jwk-thumbprints.exec = ''
+      # write a script, that takes a list of files as arguments
+      # and calculates sha256, sha384 and sha512 thumbprints
+      # for each file, and prints the result in a table
+      # the script should be called jwk-thumbprints
+
+      files="$@"
+
+      if [ -z "$files" ]; then
+        echo "No files provided"
+        exit 1
+      fi
+
+      for file in $files; do
+        if [ ! -f "$file" ]; then
+          echo "$file is not a file"
+          continue
+        fi
+        
+        echo "$file"
+
+        sha256=$(jose jwk thp -a S256 -i "$file")
+        sha384=$(jose jwk thp -a S384 -i "$file")
+        sha512=$(jose jwk thp -a S512 -i "$file")
+
+        echo -e "\tSHA256: $sha256"
+        echo -e "\tSHA384: $sha384"
+        echo -e "\tSHA512: $sha512"
+        echo -e "\n"
+      done
+    '';
+  };
 }
diff --git a/src/jwk/serde_impl.rs b/src/jwk/serde_impl.rs
index c29bb6c..4993ed6 100644
--- a/src/jwk/serde_impl.rs
+++ b/src/jwk/serde_impl.rs
@@ -1,4 +1,4 @@
-use alloc::vec::Vec;
+use alloc::{borrow::Cow, vec::Vec};
 use core::ops::Deref;
 
 use base64ct::{Base64, Base64UrlUnpadded, Encoding};
@@ -53,10 +53,10 @@ pub fn deserialize_ga<'de, D, const N: usize>(deserializer: D) -> Result<Option<
 where
     D: Deserializer<'de>,
 {
-    Ok(match Option::<&str>::deserialize(deserializer)? {
+    Ok(match Option::<Cow<'_, str>>::deserialize(deserializer)? {
         Some(val) => {
             let mut buf = [0u8; N];
-            Base64UrlUnpadded::decode(val, &mut buf).map_err(<D::Error as Error>::custom)?;
+            Base64UrlUnpadded::decode(&*val, &mut buf).map_err(<D::Error as Error>::custom)?;
             Some(buf)
         }
         None => None,
diff --git a/tests/common/mod.rs b/tests/common/mod.rs
new file mode 100644
index 0000000..47143ba
--- /dev/null
+++ b/tests/common/mod.rs
@@ -0,0 +1,16 @@
+//! Common test helpers.
+
+use serde_json::Value;
+
+pub type TestResult<T = ()> = Result<T, Box<dyn std::error::Error>>;
+
+/// Reads a key file from the `tests/vectors/jwk` directory.
+pub fn read_jwk(name: &str) -> TestResult<Value> {
+    let json = std::fs::read_to_string(format!(
+        "{}/tests/vectors/jwk/{name}.json",
+        env!("CARGO_MANIFEST_DIR"),
+    ))?;
+    let key: Value = serde_json::from_str(&json)?;
+
+    Ok(key)
+}
diff --git a/tests/jwk.rs b/tests/jwk.rs
index f2906f3..f3a2a39 100644
--- a/tests/jwk.rs
+++ b/tests/jwk.rs
@@ -1,351 +1,484 @@
 use jose::{
     crypto::hmac,
-    jwa::{EcDSA, Hmac, JsonWebAlgorithm, JsonWebSigningAlgorithm},
-    jwk::{
-        policy::{Checkable, Checked, StandardPolicy},
-        symmetric::{FromOctetSequenceError, OctetSequence},
-        AsymmetricJsonWebKey, EcPrivate, EcPublic, FromKey as _, JsonWebKey, JsonWebKeyType,
-        JwkSigner, OkpPrivate, Private, Public, Thumbprint,
-    },
-    jws::Signer,
-    Base64UrlString,
+    jwa,
+    jwk::{self, FromKey as _, Thumbprint as _},
+    Base64UrlString, JsonWebKey,
 };
-use serde_json::json;
-
-fn read_key_file(name: &str) -> String {
-    std::fs::read_to_string(format!(
-        "{}/tests/keys/{}.json",
-        env!("CARGO_MANIFEST_DIR"),
-        name,
-    ))
-    .unwrap()
-}
+use pretty_assertions::assert_eq;
+
+use crate::common::{read_jwk, TestResult};
 
-macro_rules! key_roundtrip_test {
-    ($priv:ty, $pub:ty, $file:literal, [$($priv_field:literal),*$(,)?], [$($pub_field:literal),*$(,)?]$(,)?) => {
-        #[test]
-        fn private_key_serialisation_roundtrip() {
-            let json_str = crate::read_key_file($file);
-            let json = serde_json::from_str::<serde_json::Value>(&json_str).unwrap();
+mod common;
 
-            let key: $priv = serde_json::from_str(&json_str).unwrap();
+fn roundtrip(file: &str, unsupported: bool, check: fn(&JsonWebKey)) -> TestResult {
+    let mut json_key = read_jwk(file)?;
+    let json_key_str = serde_json::to_string(&json_key)?;
 
-            let json2 = serde_json::to_value(&key).unwrap();
+    let jwk = match serde_json::from_value::<JsonWebKey>(json_key.clone()) {
+        Ok(..) if unsupported => panic!("Unsupported key type was successful"),
+        Ok(jwk) => jwk,
+        Err(..) if unsupported => return Ok(()),
+        Err(e) => return Err(e.into()),
+    };
+    check(&jwk);
 
-            let key2: $priv = serde_json::from_value(json2.clone()).unwrap();
-            assert_eq!(key, key2);
+    // we want to deserialize the JWK from an owned value, and a borrowed value
+    let jwk_from_str = serde_json::from_str::<JsonWebKey>(&json_key_str)?;
+    assert_eq!(jwk.key_type(), jwk_from_str.key_type());
 
-            assert_eq!(json["kty"], json2["kty"]);
+    let mut serialized = serde_json::to_value(&jwk)?;
+    let mut serialized_from_str = serde_json::to_value(&jwk_from_str)?;
 
-            $(assert_eq!(json[$priv_field], json2[$priv_field]);)*
+    // removes the field `name` from the given json value, mostly because some
+    // fields are serialized non-deterministic (key_ops), because the order is
+    // random
+    let remove_field = |value: &mut serde_json::Value, name: &str| {
+        if let Some(obj) = value.as_object_mut() {
+            obj.remove(name);
         }
+    };
+
+    let mut remove_field_from_all = |name: &str| {
+        remove_field(&mut json_key, name);
+        remove_field(&mut serialized, name);
+        remove_field(&mut serialized_from_str, name);
+    };
 
-        #[test]
-        fn public_key_serialisation_roundtrip() {
-            let json_str = crate::read_key_file(&format!("{}.pub", $file));
-            let json = serde_json::from_str::<serde_json::Value>(&json_str).unwrap();
+    remove_field_from_all("key_ops");
 
-            let key: $pub = serde_json::from_str(&json_str).unwrap();
+    assert_eq!(json_key, serialized);
+    assert_eq!(json_key, serialized_from_str);
 
-            let json2 = serde_json::to_value(&key).unwrap();
+    Ok(())
+}
 
-            let key2: $pub = serde_json::from_value(json2.clone()).unwrap();
-            assert_eq!(key, key2);
+fn roundtrip_pair(private: &str, public: &str, check: fn(&JsonWebKey)) -> TestResult {
+    roundtrip(private, false, check)?;
+    roundtrip(public, false, check)?;
 
-            assert_eq!(json["kty"], json2["kty"]);
-            $(assert_eq!(json[$pub_field], json2[$pub_field]);)*
-        }
-    };
+    Ok(())
 }
 
-pub mod rsa {
-    use jose::crypto::rsa;
+fn assert_thumbprint(jwk: &JsonWebKey, sha256: &str, sha384: &str, sha512: &str) {
+    let print_sha256 = Base64UrlString::encode(jwk.thumbprint_sha256());
+    assert_eq!(&*print_sha256, sha256);
 
-    key_roundtrip_test! {
-        rsa::PrivateKey,
-        rsa::PublicKey,
-        "rsa",
-        ["n", "e", "d", "p", "q", "dp", "dq", "di"],
-        ["n", "e"],
-    }
+    let print_sha384 = Base64UrlString::encode(jwk.thumbprint_sha384());
+    assert_eq!(&*print_sha384, sha384);
+
+    let print_sha512 = Base64UrlString::encode(jwk.thumbprint_sha512());
+    assert_eq!(&*print_sha512, sha512);
+}
+
+pub mod roundtrip {
+    use jose::{
+        jwa,
+        jwk::{self, AsymmetricJsonWebKey, JsonWebKeyType},
+    };
+    use pretty_assertions::assert_eq;
+
+    use crate::{assert_thumbprint, common::TestResult, roundtrip, roundtrip_pair};
 
     #[test]
-    fn deny_key_with_other_primes() {
-        let json = r#"{
-            "use":"sig",
-            "kty":"RSA",
-            "kid":"nYPs6qc5zj3VOVKr4yY-EzirO-AcdUl0JC5bcXKGE6Y",
-            "alg":"RS256",
-            "n":"vxmzEVX_Fus8i8BWT_sC_m389t615iPxKSMavPFv0xEhES42RWkO6yNpb_cwWhlJtoy_UdiRW8-0DHYJIbpiwkw4oRRnfMYX4FU77yjovSQLEhKPfIuYDBuP-9LQgF8_NgB9z1WokSUcH-tAf_35MpiXptGxoFuIe1EE7u1TWpTnMwGBnqO1EvJltyWej9R6rt47oqizn1VN8P2No3tys181B_TE9c6N2tXzWpnm5QY7UZO2zPLtYFGbj7hJCNhc5SL3vt-81KkaNjPcW1rgCIoRKvHVI79n_H81LQdiJDJyIobtvPH3XFQa_tM4CP2ul121E_Zi0tcjuD1zyLCq7Q",
-            "e":"AQAB",
-            "d":"n0FzkYbxRtBTbMOlKpItNIvEvJdtT5W0bGvs5HjwkB0-SWsRn1amMB8ax0xg5zUb0R4KctLgkHrPuXLEuW7yzqlmqBaxB7KuQy3E_NJC4x0efLkrCsfqtmxh2aMeT10Q-JgAQMFJ8WvTvGX5IrEs85VnDIbEWLbvTpV-Xv8478qjjt4v91wyhlzZW8A5-fsluy9faZDgKm3a3RaAKzP15ouffYf3ui5CTckXB-50fcrDasNEYlXzUzS1rHgQjF16ApjN7WupFP-FnlDkxudt6VfWmErakQV3iQVinpbqXU4IhtxgthgUOPQPP7cMvV1IVTWT8pHEdv7XZySFUHOwoQ",
-            "p":"wI-kPWTpm34wn0O1KzvCweAUBGJm-6s4R_sdkhE62Aht9NuGE86Z6zFfb6HI-dI6bvwPBNEROKNumrlsABgR13m9AVGFwq4OP-ipI4BVXpxMWi6tnKYFPegP21lDHk9p1cu_LIBWSq-GmqUtZo5Qz3suKeKOKmUNeo3VvM963Vc",
-            "q":"_g7dBzo7f002nuzQO0Ie_2Mb1lBXkmcEXLeouSdwLyYUSH4kuJFVuaq404NknFHotB8wjajP8V3w8s6oscO_2qcLcIeOJOVHvpoVJp0XodFPJteC8ROR2epzkjSxNh_j_plHcCd0ly8IVcWmgoZdf6pjeSfbFPO3OB48wimAy1s",
-            "dp":"e3jfoHpfjNP6i3UX6zPzqutrCnCqhj-A5C7yBCJGMBYfo31L2NGGQpgzENqVixMxYs7_NmB0gXPSTSYOSXUlo5wtBHZopa-D9ZjTM69rjjH8h2sc6bBO9iYiXM08y2eyfmOaHwffzR4F2o2FshgZWyEqNbNO44JOhUIDRoFn0Bs",
-            "dq":"Hd9tid4FBPD1TTaXPYCG2Iy0xzxnL6XBU42c3ziN7l1R4TxD4RfltpEmbmhyuha_f_5y3RVObhkXrdUy7MQRmQovRCoMQrZa-0Ru3D14e-R6pByPHv2oFrGEqVpcw_p3-oXXao6ZHPXAyyUUcSCPeeV1ENfo4MvPbV_Q0RvEMyU",
-            "qi":"srk3oe6CxebsQo1QTTygg-dWBlXongHf2m4Asj7GBeswoa49NcqzUvv5wlWuTgKJeihjjp-L5lkC5JWiFfUpRkBqr7tUE9faUmDa6fPLlvqWcB9A04rrZ3aJYqHgJJZ9e6OrEKwhgliIYSsTxlD-bLGZVLj-dp0R7xSVOFqiRX0",
-            "oth": []
-        }"#;
-
-        let err = serde_json::from_str::<rsa::PrivateKey>(json).unwrap_err();
-        assert_eq!(
-            err.to_string(),
-            "RSA private keys with `oth` field set are not supported"
-        );
+    fn _3_1_ec_public_key() -> TestResult {
+        roundtrip(
+            "3_1.ec_public_key",
+            // RustCrypto and ring do not support P-521 curve
+            cfg!(feature = "crypto-rustcrypto") || cfg!(feature = "crypto-ring"),
+            |jwk| {
+                let JsonWebKeyType::Asymmetric(key) = jwk.key_type() else {
+                    panic!("Expected asymmetric key type");
+                };
+
+                assert!(matches!(
+                    **key,
+                    AsymmetricJsonWebKey::Public(jwk::Public::Ec(jwk::EcPublic::P521(..)))
+                ));
+                assert_eq!(jwk.key_usage(), Some(&jwk::KeyUsage::Signing));
+                assert_thumbprint(
+                    jwk,
+                    "dHri3SADZkrush5HU_50AoRhcKFryN-PI6jPBtPL55M",
+                    "HncTFMje-quVjjwt2ufqfFb75ZwHLDh9M-VY4wJ9awQkfbu194TmVpeGbG6Ykb9b",
+                    "i8RIsIb6HVP2AO9o38HtraybJAP5veAfBIgynNUqpxlhuvq2UDgSA3JFgGgle1YvmCQDHllAn7MG52Idb8B4fA"
+                );
+            },
+        )
     }
 
     #[test]
-    fn deny_key_with_missing_prime() {
-        let json = r#"{
-            "use":"sig",
-            "kty":"RSA",
-            "kid":"nYPs6qc5zj3VOVKr4yY-EzirO-AcdUl0JC5bcXKGE6Y",
-            "alg":"RS256",
-            "n":"vxmzEVX_Fus8i8BWT_sC_m389t615iPxKSMavPFv0xEhES42RWkO6yNpb_cwWhlJtoy_UdiRW8-0DHYJIbpiwkw4oRRnfMYX4FU77yjovSQLEhKPfIuYDBuP-9LQgF8_NgB9z1WokSUcH-tAf_35MpiXptGxoFuIe1EE7u1TWpTnMwGBnqO1EvJltyWej9R6rt47oqizn1VN8P2No3tys181B_TE9c6N2tXzWpnm5QY7UZO2zPLtYFGbj7hJCNhc5SL3vt-81KkaNjPcW1rgCIoRKvHVI79n_H81LQdiJDJyIobtvPH3XFQa_tM4CP2ul121E_Zi0tcjuD1zyLCq7Q",
-            "e":"AQAB",
-            "d":"n0FzkYbxRtBTbMOlKpItNIvEvJdtT5W0bGvs5HjwkB0-SWsRn1amMB8ax0xg5zUb0R4KctLgkHrPuXLEuW7yzqlmqBaxB7KuQy3E_NJC4x0efLkrCsfqtmxh2aMeT10Q-JgAQMFJ8WvTvGX5IrEs85VnDIbEWLbvTpV-Xv8478qjjt4v91wyhlzZW8A5-fsluy9faZDgKm3a3RaAKzP15ouffYf3ui5CTckXB-50fcrDasNEYlXzUzS1rHgQjF16ApjN7WupFP-FnlDkxudt6VfWmErakQV3iQVinpbqXU4IhtxgthgUOPQPP7cMvV1IVTWT8pHEdv7XZySFUHOwoQ",
-            "p":"wI-kPWTpm34wn0O1KzvCweAUBGJm-6s4R_sdkhE62Aht9NuGE86Z6zFfb6HI-dI6bvwPBNEROKNumrlsABgR13m9AVGFwq4OP-ipI4BVXpxMWi6tnKYFPegP21lDHk9p1cu_LIBWSq-GmqUtZo5Qz3suKeKOKmUNeo3VvM963Vc",
-            "q":"_g7dBzo7f002nuzQO0Ie_2Mb1lBXkmcEXLeouSdwLyYUSH4kuJFVuaq404NknFHotB8wjajP8V3w8s6oscO_2qcLcIeOJOVHvpoVJp0XodFPJteC8ROR2epzkjSxNh_j_plHcCd0ly8IVcWmgoZdf6pjeSfbFPO3OB48wimAy1s",
-            "dq":"Hd9tid4FBPD1TTaXPYCG2Iy0xzxnL6XBU42c3ziN7l1R4TxD4RfltpEmbmhyuha_f_5y3RVObhkXrdUy7MQRmQovRCoMQrZa-0Ru3D14e-R6pByPHv2oFrGEqVpcw_p3-oXXao6ZHPXAyyUUcSCPeeV1ENfo4MvPbV_Q0RvEMyU",
-            "qi":"srk3oe6CxebsQo1QTTygg-dWBlXongHf2m4Asj7GBeswoa49NcqzUvv5wlWuTgKJeihjjp-L5lkC5JWiFfUpRkBqr7tUE9faUmDa6fPLlvqWcB9A04rrZ3aJYqHgJJZ9e6OrEKwhgliIYSsTxlD-bLGZVLj-dp0R7xSVOFqiRX0"
-        }"#;
-
-        let err = serde_json::from_str::<rsa::PrivateKey>(json).unwrap_err();
-        assert_eq!(
-            err.to_string(),
-            "expected `dp` to be present because all prime fields must be set if one of them is \
-             set"
-        );
+    fn _3_2_ec_private_key() -> TestResult {
+        roundtrip(
+            "3_2.ec_private_key",
+            // RustCrypto and ring do not support P-521 curve
+            cfg!(feature = "crypto-rustcrypto") || cfg!(feature = "crypto-ring"),
+            |jwk| {
+                let JsonWebKeyType::Asymmetric(key) = jwk.key_type() else {
+                    panic!("Expected asymmetric key type");
+                };
+
+                assert!(matches!(
+                    **key,
+                    AsymmetricJsonWebKey::Private(jwk::Private::Ec(jwk::EcPrivate::P521(..)))
+                ));
+                assert_eq!(jwk.key_usage(), Some(&jwk::KeyUsage::Signing));
+
+                assert_thumbprint(
+                    jwk,
+                    "dHri3SADZkrush5HU_50AoRhcKFryN-PI6jPBtPL55M",
+                    "HncTFMje-quVjjwt2ufqfFb75ZwHLDh9M-VY4wJ9awQkfbu194TmVpeGbG6Ykb9b",
+                    "i8RIsIb6HVP2AO9o38HtraybJAP5veAfBIgynNUqpxlhuvq2UDgSA3JFgGgle1YvmCQDHllAn7MG52Idb8B4fA"
+                );
+            },
+        )
     }
-}
 
-pub mod ec_p256 {
-    key_roundtrip_test! {
-        jose::crypto::ec::P256PrivateKey,
-        jose::crypto::ec::P256PublicKey,
-        "p256",
-        ["crv", "e", "x", "y", "d"],
-        ["crv", "x", "y"],
+    #[test]
+    fn _3_3_rsa_public_key() -> TestResult {
+        roundtrip("3_3.rsa_public_key", false, |jwk| {
+            assert_thumbprint(
+                jwk,
+                "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI",
+                "iRBthSmwxk6o9pTGF6a9yLHohmMXSFRvKoN9rgcbOWFgLldwqED1DrOgDtLq5Q4R",
+                "FerGBUpYnzT0ptNAC7Y3qNpGINqILXdZ_9-Na3UkPUtDznnAChw7NWluNRjx-lmKDnuO1CpmIZL7e2bzRkQBew",
+            );
+        })
     }
-}
 
-pub mod ec_p384 {
-    key_roundtrip_test! {
-        jose::crypto::ec::P384PrivateKey,
-        jose::crypto::ec::P384PublicKey,
-        "p384",
-        ["crv", "e", "x", "y", "d"],
-        ["crv", "x", "y"],
+    #[test]
+    fn _3_4_rsa_private_key() -> TestResult {
+        roundtrip("3_4.rsa_private_key", false, |jwk| {
+            assert_thumbprint(
+                jwk,
+                "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI",
+                "iRBthSmwxk6o9pTGF6a9yLHohmMXSFRvKoN9rgcbOWFgLldwqED1DrOgDtLq5Q4R",
+                "FerGBUpYnzT0ptNAC7Y3qNpGINqILXdZ_9-Na3UkPUtDznnAChw7NWluNRjx-lmKDnuO1CpmIZL7e2bzRkQBew",
+            );
+        })
     }
-}
-
-pub mod ec {
-    use jose::jwk;
-
-    use super::*;
 
     #[test]
-    fn parse_generic_public_key() {
-        let json = read_key_file("p256.pub");
-        let key: jwk::EcPublic = serde_json::from_str(&json).unwrap();
-        assert!(matches!(key, jwk::EcPublic::P256(..)));
+    fn _3_5_symmetric_key_mac() -> TestResult {
+        roundtrip("3_5.symmetric_key_mac_computation", false, |jwk| {
+            assert_eq!(
+                jwk.algorithm(),
+                Some(&jwa::JsonWebAlgorithm::from(jwa::Hmac::Hs256))
+            );
+
+            assert_thumbprint(
+                jwk,
+                "RtoRur_1Dir5M4wuOfqNkDYOf9O_4RJ-aHkTA75RLA8",
+                "KG7sBEFjGfsIG21uR9cggZfOEIdKSvylcD7ndWgQsnG2k_5Wpw700r__c63SBBwf",
+                "EI4XUPoajddrVSS3fgSS6AcPt1uuacMmuYIi9i4A2CgjnWHuUV1qyNks84w03blKdF75HPSTJTJWgqRNEU_ZIg"
+            );
+        })
     }
 
     #[test]
-    fn parse_generic_private_key() {
-        let json = read_key_file("p256");
-        let key: jwk::EcPrivate = serde_json::from_str(&json).unwrap();
-        assert!(matches!(key, jwk::EcPrivate::P256(..)));
+    fn _3_6_symmetric_key_encryption() -> TestResult {
+        roundtrip("3_6.symmetric_key_encryption", false, |jwk| {
+            // NOTE: We do not support A256GCM as a JWK, because it's a one-time use
+            // session key, and must not be stored or reused
+            assert_eq!(
+                jwk.algorithm(),
+                Some(&jwa::JsonWebAlgorithm::Other("A256GCM".to_string()))
+            );
+            assert_eq!(jwk.key_usage(), Some(&jwk::KeyUsage::Encryption));
+
+            assert_thumbprint(
+                jwk,
+                "VDMp1ZgGGv1OKgOeDc1EUKHXNQzMdLkCnxPETHdA4v0",
+                "4YmDfp3zlozmoDxrRxpMBiU6XHA9X82IKNW3bWiitdnudrwmAiKOi4yWWj4fyeYm",
+                "FmHGxbagOqt0LS__rv4hIpgnQ9pAB7nDneYNPN9i1gHIbvJJILw-VyyYIP_RTgsOU7K683SdE5aeplCUqz4ZaA"
+            );
+        })
     }
-}
 
-pub mod okp_ed25519 {
-    key_roundtrip_test! {
-        jose::jwk::OkpPrivate,
-        jose::jwk::OkpPublic,
-        "ed25519",
-        ["crv", "x", "d"],
-        ["crv", "x"],
+    #[test]
+    fn ed25519() -> TestResult {
+        roundtrip_pair("ed25519", "ed25519.pub", |jwk| {
+            assert_eq!(
+                jwk.algorithm(),
+                Some(&jwa::JsonWebAlgorithm::from(
+                    jwa::JsonWebSigningAlgorithm::EdDSA
+                ))
+            );
+
+            assert_thumbprint(
+                jwk,
+                "IpNACexNZWO9hVeADtTT0Nvturu6OtMV3B4u1OVr1fU",
+                "NibgvGWph4nhazrZ1PcyRXYy55bdTotSDi1L4iE8gB0VtxDhh_a-du0fSnGExFwa",
+                "uS4j-x1iQUeF2a4a7M3iHZhPQGwyKgXU2Fh_GeNn9_uw_KAj1VTmNVenxTiFdDqcDHoWBemcLjioFY4slFbIZA",
+            );
+        })
     }
-}
-#[test]
-fn generic_public_key_roundtrip() {
-    let json = read_key_file("p256.pub");
-
-    let key: JsonWebKeyType = serde_json::from_str(&json).unwrap();
-
-    let inner = match key {
-        JsonWebKeyType::Asymmetric(ref inner) => &**inner,
-        _ => unreachable!(),
-    };
-
-    assert!(matches!(
-        inner,
-        AsymmetricJsonWebKey::Public(Public::Ec(EcPublic::P256(..)))
-    ));
-
-    let json2 = serde_json::to_string(&key).unwrap();
-    let key2: JsonWebKeyType = serde_json::from_str(&json2).unwrap();
-
-    assert_eq!(key, key2);
-}
 
-#[test]
-fn generic_private_key_roundtrip() {
-    let json = read_key_file("p256");
-
-    let key: JsonWebKeyType = serde_json::from_str(&json).unwrap();
-
-    let inner = match key {
-        JsonWebKeyType::Asymmetric(ref inner) => &**inner,
-        _ => unreachable!(),
-    };
-
-    assert!(matches!(
-        inner,
-        AsymmetricJsonWebKey::Private(Private::Ec(EcPrivate::P256(..)))
-    ));
+    #[test]
+    fn rsa_enc_optional_parameters() -> TestResult {
+        roundtrip("jwk_optional_parameters_rsa_enc.pub", false, |jwk| {
+            assert_eq!(
+                jwk.algorithm(),
+                Some(&jwa::JsonWebAlgorithm::from(jwa::RsaesOaep::RsaesOaep))
+            );
+
+            assert_eq!(jwk.key_usage(), Some(&jwk::KeyUsage::Encryption));
+            assert!(jwk.x509_certificate_sha1_thumbprint().is_some());
+            assert!(jwk.x509_certificate_sha256_thumbprint().is_some());
+
+            assert_thumbprint(
+                jwk,
+                "ZwmJSHbFy5nl7WenHepIG5N9Rz16NH8SPGeqoZPTTuc",
+                "06f-mujFCZ0cUPKCgm0m7EuE0TW2mUmoQ0I519rD73v5JDAWti5QsuOX2PqTYuhV",
+                "EaW6WfYvQ5rauUmOYPZi82-ADGjmOb3Jz76jNVHUIQ_vA42s7CFve47jVTyb1n3UQbqLw3DDguD4u0wlFL4sbg"
+            );
+        })
+    }
 
-    let json2 = serde_json::to_string(&key).unwrap();
-    let key2: JsonWebKeyType = serde_json::from_str(&json2).unwrap();
+    #[test]
+    fn rsa_sign_optional_parameters() -> TestResult {
+        roundtrip("jwk_optional_parameters_rsa_sig.pub", false, |jwk| {
+            assert_eq!(
+                jwk.algorithm(),
+                Some(&jwa::JsonWebAlgorithm::from(jwa::RsassaPkcs1V1_5::Rs256))
+            );
+
+            assert_eq!(jwk.key_usage(), Some(&jwk::KeyUsage::Signing));
+            assert!(jwk.x509_certificate_sha1_thumbprint().is_some());
+            assert!(jwk.x509_certificate_sha256_thumbprint().is_some());
+
+            assert_thumbprint(
+                jwk,
+                "bVeakRIe7OjtcR6E5FfkZvFAhEXfhIboYrcZ7OhZ1UY",
+                "_jnSoeQaW04m5PzXFnP7w2Zl_WFEop1UEKZ2vGHtQCdfsSqOkLhTbn2vyaDcMbHQ",
+                "cHiM1PMNsVve19_e5cfCiJqIMnQhYx0CkcvmiNCdwulCJ5B5ftaAvFYwr7_NQCMTQeXMcTKdbsP2a4mEKojPaQ"
+            );
+        })
+    }
 
-    assert_eq!(key, key2);
-}
+    #[test]
+    fn rsa_with_key_ops_for_enc() -> TestResult {
+        roundtrip("key_ops_rsa_enc.pub", false, |jwk| {
+            assert_eq!(
+                jwk.algorithm(),
+                Some(&jwa::JsonWebAlgorithm::from(jwa::RsaesOaep::RsaesOaep))
+            );
+
+            let ops = jwk.key_operations().unwrap();
+
+            assert_eq!(ops.len(), 2);
+            assert!(ops.contains(&jwk::KeyOperation::Encrypt));
+            assert!(ops.contains(&jwk::KeyOperation::Decrypt));
+
+            assert_eq!(jwk.key_usage(), Some(&jwk::KeyUsage::Encryption));
+
+            assert_thumbprint(
+                jwk,
+                "ZwmJSHbFy5nl7WenHepIG5N9Rz16NH8SPGeqoZPTTuc",
+                "06f-mujFCZ0cUPKCgm0m7EuE0TW2mUmoQ0I519rD73v5JDAWti5QsuOX2PqTYuhV",
+                "EaW6WfYvQ5rauUmOYPZi82-ADGjmOb3Jz76jNVHUIQ_vA42s7CFve47jVTyb1n3UQbqLw3DDguD4u0wlFL4sbg"
+            );
+        })
+    }
 
-#[test]
-fn serde_jwk() {
-    let enc_json = read_key_file("jwk_optional_parameters_rsa_enc.pub");
-    let enc: JsonWebKey = serde_json::from_str(&enc_json).unwrap();
-    match enc.algorithm().unwrap() {
-        JsonWebAlgorithm::Encryption(_) => (),
-        _ => panic!(),
+    #[test]
+    fn p256() -> TestResult {
+        roundtrip_pair("p256", "p256.pub", |jwk| {
+            assert_eq!(
+                jwk.algorithm(),
+                Some(&jwa::JsonWebAlgorithm::from(jwa::EcDSA::Es256))
+            );
+
+            assert_thumbprint(
+                jwk,
+                "6j1ImYAlN6DnVupozzN13UKnLR7BfEvngNmVl5bLlI0",
+                "u5W5WvG_wZc2u18HY0hqP48hVOOwytBz3BZzBimJl43SA3A4l-INFnhMNLEWL8a3",
+                "8fmi-z_V-FykWlKQAscDYj3I_uonEd2-0ChLqb7BwRJqnQiitQ9widx6Pk9ewMkhFk8NnBr1hCFa51kyrg7Pyw"
+            );
+        })
     }
 
-    let sig_json = read_key_file("jwk_optional_parameters_rsa_sig.pub");
-    let sig: JsonWebKey = serde_json::from_str(&sig_json).unwrap();
-    match sig.algorithm().unwrap() {
-        JsonWebAlgorithm::Signing(_) => (),
-        _ => panic!(),
+    #[test]
+    fn p384() -> TestResult {
+        roundtrip_pair("p384", "p384.pub", |jwk| {
+            assert_eq!(
+                jwk.algorithm(),
+                Some(&jwa::JsonWebAlgorithm::from(jwa::EcDSA::Es384))
+            );
+
+            assert_thumbprint(
+                jwk,
+                "B_9VooM6jEuy9OvK_plFUDVADfKKnjCUPrqfc5Wtgq4",
+                "TXXx3K1KOHjCKWt_bY9cFZfsI9E8NUw8sK1xSOfd0jVgaBMiCP1hFvsxaamAQfK5",
+                "AtsWpt8bdnsqT49ovBfv67rhq_PB2eqnhvJ4F-uH-STeCZTVO97hWeEc0zGoOT18XtmHf_2o6ENmwIv9gcXyRQ"
+            );
+        })
     }
 
-    // It is not required for json keys to maintain order. Therefore, the input
-    // and output json string might differ in the sense that keys appear in a
-    // different order but by the definition of the json spec, they are the same
-    // assert_eq!(sig_json, serde_json::to_string(&sig).unwrap());
+    #[test]
+    fn rsa() -> TestResult {
+        roundtrip_pair("rsa", "rsa.pub", |jwk| {
+            assert_thumbprint(
+                jwk,
+                "nYPs6qc5zj3VOVKr4yY-EzirO-AcdUl0JC5bcXKGE6Y",
+                "JhX_riWIrTLs3p7SnueDgpcO27pDgXh1xQOivPzOKsU3CaQgHoLgiKIinmb2CMoE",
+                "DQd_FsR8hTwlVrv3WGQP2E1KQejcBbJCFtqWy489xmmPm8LdNT91zYFX-yTghCtq2zutBGYY2mkwIWN-VQWYyQ"
+            );
+        })
+    }
 }
 
+// TODO: test to ensure correct length of x, y, d
+
 #[test]
 fn deny_duplicates_key_operations() {
-    let _ok: JsonWebKey = serde_json::from_str(&read_key_file("key_ops_rsa_enc.pub")).unwrap();
-    let _err = serde_json::from_str::<JsonWebKey>(&read_key_file("key_ops_duplicates_rsa_enc.pub"))
-        .unwrap_err();
+    let key = r#"
+{
+    "key_ops": ["encrypt", "decrypt", "encrypt"],
+    "kty": "oct",
+    "alg": "HS256",
+    "k": "hJtXIZ2uSN5kbQfbtTNWbpdmhkV8FJG-Onbc6mxCcYg"
 }
+"#;
 
-#[test]
-fn jwk_signer() {
-    let hs256: Checked<JsonWebKey, _> = serde_json::from_str::<JsonWebKey>(&read_key_file("hs256"))
-        .unwrap()
-        .check(StandardPolicy::default())
-        .unwrap();
-    let hs256_signer: JwkSigner = hs256.try_into().unwrap();
-    assert_eq!(
-        hs256_signer.algorithm(),
-        JsonWebSigningAlgorithm::Hmac(Hmac::Hs256)
-    );
-
-    let p256: Checked<_, _> = serde_json::from_str::<JsonWebKey>(&read_key_file("p256"))
-        .unwrap()
-        .check(StandardPolicy::default())
-        .unwrap();
-    let p256_signer: JwkSigner = p256.try_into().unwrap();
-
-    assert_eq!(
-        p256_signer.algorithm(),
-        JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256)
-    );
+    serde_json::from_str::<JsonWebKey>(key).unwrap_err();
 }
 
 #[test]
-fn deny_hmac_key_with_short_key() {
+fn deny_hmac_key_with_short_key() -> TestResult {
     let raw_key = r#"{"kty": "oct", "k": "QUFBQQ"}"#;
-    let key = serde_json::from_str::<OctetSequence>(raw_key).unwrap();
+    let key = serde_json::from_str::<jwk::symmetric::OctetSequence>(raw_key)?;
 
-    let hmac = hmac::Key::<hmac::Hs256>::from_key(
-        &key,
-        JsonWebAlgorithm::Signing(JsonWebSigningAlgorithm::Hmac(Hmac::Hs256)),
-    );
+    let hmac = hmac::Key::<hmac::Hs256>::from_key(&key, jwa::Hmac::Hs256.into());
 
     assert!(matches!(
         hmac.unwrap_err(),
-        FromOctetSequenceError::InvalidLength
+        jwk::symmetric::FromOctetSequenceError::InvalidLength
     ));
+
+    Ok(())
 }
 
-#[test]
-fn ed25519_json_web_key() {
-    let jwk: JsonWebKey = serde_json::from_str(&read_key_file("ed25519")).unwrap();
-    match jwk.key_type() {
-        JsonWebKeyType::Asymmetric(key) => match **key {
-            AsymmetricJsonWebKey::Private(Private::Okp(OkpPrivate::Ed25519(..))) => (),
-            _ => panic!(),
+pub mod generate {
+    use jose::{
+        crypto::{
+            ec::{P256PrivateKey, P384PrivateKey, P521PrivateKey},
+            hmac, okp, rsa,
         },
-        _ => panic!(),
+        jwk::Thumbprint as _,
+    };
+
+    use crate::common::TestResult;
+
+    #[test]
+    #[cfg_attr(
+        feature = "crypto-ring",
+        ignore = "crypto backend does not support ECC key generation"
+    )]
+    fn ec_p256() -> TestResult {
+        let p256 = P256PrivateKey::generate()?;
+        let p256_pub = p256.to_public_key();
+        assert_eq!(p256.thumbprint_sha256(), p256_pub.thumbprint_sha256());
+
+        Ok(())
     }
-}
 
-#[test]
-fn convert_to_public_key() {
-    let private_json = read_key_file("p256");
-    let public_json = read_key_file("p256.pub");
+    #[test]
+    #[cfg_attr(
+        feature = "crypto-ring",
+        ignore = "crypto backend does not support ECC key generation"
+    )]
+    fn ec_p384() -> TestResult {
+        let p384 = P384PrivateKey::generate()?;
+        let p384_pub = p384.to_public_key();
+        assert_eq!(p384.thumbprint_sha256(), p384_pub.thumbprint_sha256());
+
+        Ok(())
+    }
 
-    let private: JsonWebKey = serde_json::from_str(&private_json).unwrap();
-    let public: JsonWebKey = serde_json::from_str(&public_json).unwrap();
+    #[test]
+    #[cfg_attr(
+        any(feature = "crypto-rustcrypto", feature = "crypto-ring"),
+        ignore = "crypto backend does not support P-521 curve"
+    )]
+    fn ec_p521() -> TestResult {
+        let p521 = P521PrivateKey::generate()?;
+        let p521_pub = p521.to_public_key();
+        assert_eq!(p521.thumbprint_sha256(), p521_pub.thumbprint_sha256());
+
+        Ok(())
+    }
 
-    let public_converted = private.clone().into_verifying_key();
-    assert_eq!(public.key_type(), public_converted.key_type());
+    #[test]
+    #[cfg_attr(
+        feature = "crypto-ring",
+        ignore = "crypto backend does not support RSA key generation"
+    )]
+    fn rsa() -> TestResult {
+        let rsa = rsa::PrivateKey::generate(4096)?;
+        let rsa_pub = rsa.to_public_key();
+        assert_eq!(rsa.thumbprint_sha256(), rsa_pub.thumbprint_sha256());
+
+        Ok(())
+    }
 
-    let public_converted = private.strip_secret_material().unwrap();
-    assert_eq!(public.key_type(), public_converted.key_type());
-}
+    #[test]
+    fn hmac() -> TestResult {
+        let _hmac = hmac::Key::<hmac::Hs256>::generate()?;
+        Ok(())
+    }
 
-#[test]
-fn symmetric_key_can_not_strip_secret() {
-    let key = read_key_file("hs256");
-    let key: JsonWebKey = serde_json::from_str(&key).unwrap();
+    #[test]
+    #[cfg_attr(
+        feature = "crypto-ring",
+        ignore = "crypto backend does not support Ed448 curve"
+    )]
+    fn ed25519() -> TestResult {
+        let ed25519 = okp::PrivateKey::<okp::Ed25519>::generate()?;
+        let ed25519_pub = ed25519.to_public_key();
+        assert_eq!(ed25519.thumbprint_sha256(), ed25519_pub.thumbprint_sha256());
+
+        Ok(())
+    }
 
-    assert!(key.strip_secret_material().is_none());
+    #[test]
+    #[cfg_attr(
+        any(
+            feature = "crypto-rustcrypto",
+            feature = "crypto-ring",
+            feature = "crypto-aws-lc"
+        ),
+        ignore = "crypto backend does not support Ed448 curve"
+    )]
+    fn ed448() -> TestResult {
+        let ed448 = okp::PrivateKey::<okp::Ed448>::generate()?;
+        let ed448_pub = ed448.to_public_key();
+        assert_eq!(ed448.thumbprint_sha256(), ed448_pub.thumbprint_sha256());
+
+        Ok(())
+    }
 }
 
 #[test]
-fn ec_p256_thumbprint() {
-    let jwk = read_key_file("p256");
-    let jwk: JsonWebKey = serde_json::from_str(&jwk).unwrap();
+fn convert_to_public_key() -> TestResult {
+    let private_json = read_jwk("p256")?;
+    let public_json = read_jwk("p256.pub")?;
 
-    let p = jwk.thumbprint_sha256();
-    let p = Base64UrlString::encode(p);
-    assert_eq!(&*p, "6j1ImYAlN6DnVupozzN13UKnLR7BfEvngNmVl5bLlI0");
-}
+    let private: JsonWebKey = serde_json::from_value(private_json)?;
+    let public: JsonWebKey = serde_json::from_value(public_json)?;
 
-#[test]
-fn rsa_thumbprint() {
-    let jwk = read_key_file("rsa");
-    let jwk: JsonWebKey = serde_json::from_str(&jwk).unwrap();
+    let public_converted = private.clone().into_verifying_key();
+    assert_eq!(public.key_type(), public_converted.key_type());
 
-    let p = jwk.thumbprint_sha256();
-    let p = Base64UrlString::encode(p);
-    assert_eq!(&*p, "nYPs6qc5zj3VOVKr4yY-EzirO-AcdUl0JC5bcXKGE6Y");
+    let public_converted = private.strip_secret_material().unwrap();
+    assert_eq!(public.key_type(), public_converted.key_type());
+
+    Ok(())
 }
 
 #[test]
-fn symmetric_thumbprint() {
-    let jwk = json!({
-        "k": "FyCq1CKBflh3I5gikEjpYrdOXllzxB_yc02za8ERknI",
-        "kty": "oct",
-    });
-
-    let jwk: JsonWebKey = serde_json::from_value(jwk).unwrap();
+fn symmetric_key_can_not_strip_secret() -> TestResult {
+    let key = read_jwk("3_5.symmetric_key_mac_computation")?;
+    let key: JsonWebKey = serde_json::from_value(key)?;
+    assert!(key.strip_secret_material().is_none());
 
-    let p = jwk.thumbprint_sha256();
-    let p = Base64UrlString::encode(p);
-    assert_eq!(&*p, "prDKy90VJzrDTpm8-W2Q_pv_kzrX_zyZ7ANjRAasDxc");
+    Ok(())
 }
diff --git a/tests/jws.rs b/tests/jws.rs
index e036b57..e69de29 100644
--- a/tests/jws.rs
+++ b/tests/jws.rs
@@ -1,467 +0,0 @@
-// tests for header parsing:
-// - duplicate paremeter name
-// - additional (private, public) headers
-// - for supporting all MUST BE UNDERSTOOD params
-
-use std::{convert::Infallible, str::FromStr};
-
-use jose::{
-    crypto::{
-        self,
-        okp::{Ed25519PrivateKey, Ed25519PublicKey, Ed25519Signer, Ed25519Verifier},
-    },
-    format::{Compact, JsonFlattened, JsonGeneral},
-    header::HeaderValue,
-    jwa::JsonWebSigningAlgorithm,
-    jwk::{
-        policy::{Checkable, StandardPolicy},
-        JwkSigner, JwkVerifier,
-    },
-    jws::{
-        FromRawPayload, IntoPayload, IntoSigner, IntoVerifier, ManyUnverified, PayloadData,
-        PayloadKind, Signer, Unverified, Verifier, VerifyError,
-    },
-    Base64UrlString, JsonWebKey, Jws,
-};
-
-fn read_key_file(name: &str) -> String {
-    std::fs::read_to_string(format!(
-        "{}/tests/keys/{}.json",
-        env!("CARGO_MANIFEST_DIR"),
-        name,
-    ))
-    .unwrap()
-}
-
-#[derive(Debug, PartialEq, Eq)]
-struct StringPayload(String);
-
-impl From<&str> for StringPayload {
-    fn from(value: &str) -> Self {
-        StringPayload(value.to_string())
-    }
-}
-
-impl FromRawPayload for StringPayload {
-    type Context = ();
-    type Error = String;
-
-    fn from_attached(_: &(), payload: PayloadData) -> Result<Self, Self::Error> {
-        match payload {
-            PayloadData::Standard(s) => String::from_utf8(s.decode())
-                .map(StringPayload)
-                .map_err(|e| e.to_string()),
-        }
-    }
-
-    fn from_detached<F, T>(
-        _: &(),
-        _: &jose::JoseHeader<F, T>,
-    ) -> Result<(Self, PayloadData), Self::Error> {
-        Err(String::from("detached payload not supported"))
-    }
-
-    fn from_detached_many<F, T>(
-        _: &(),
-        _: &[jose::JoseHeader<F, T>],
-    ) -> Result<(Self, PayloadData), Self::Error> {
-        Err(String::from("detached payload not supported"))
-    }
-}
-
-impl IntoPayload for StringPayload {
-    type Error = Infallible;
-
-    fn into_payload(self) -> Result<PayloadKind, Self::Error> {
-        let s = Base64UrlString::encode(self.0);
-        Ok(PayloadKind::Attached(PayloadData::Standard(s)))
-    }
-}
-
-struct NoneKey;
-impl Signer<[u8; 0]> for NoneKey {
-    fn sign(&mut self, _msg: &[u8]) -> Result<[u8; 0], crypto::Error> {
-        Ok([])
-    }
-
-    fn algorithm(&self) -> JsonWebSigningAlgorithm {
-        JsonWebSigningAlgorithm::None
-    }
-
-    fn key_id(&self) -> Option<&str> {
-        Some("none")
-    }
-}
-
-struct NoneVerifier;
-impl Verifier for NoneVerifier {
-    fn verify(&mut self, _: &[u8], _: &[u8]) -> Result<(), VerifyError> {
-        Ok(())
-    }
-}
-
-#[test]
-fn signer_without_key_id() {
-    let signer = NoneKey;
-
-    assert_eq!(signer.key_id(), Some("none"));
-
-    let without_key_id = signer.without_key_id();
-
-    assert_eq!(without_key_id.key_id(), None);
-}
-
-#[test]
-fn none_verifier_roundtrip() {
-    let jws = Jws::<Compact, _>::builder()
-        .build(StringPayload::from("abc"))
-        .unwrap();
-    let jws_compact = jws.sign(&mut NoneKey.without_key_id()).unwrap().encode();
-
-    assert_eq!(
-        jws_compact.to_string(),
-        String::from("eyJhbGciOiJub25lIn0.YWJj.")
-    );
-
-    let parsed_jws = Unverified::<Jws<Compact, StringPayload>>::decode(jws_compact)
-        .unwrap()
-        .verify(&mut NoneVerifier)
-        .unwrap();
-
-    assert_eq!(parsed_jws.payload(), &StringPayload::from("abc"));
-}
-
-#[test]
-fn detached_payload_with_context() {
-    use jose::{
-        crypto::ec::{P256PrivateKey, P256Signer, P256Verifier},
-        jwa::EcDSA,
-    };
-
-    #[derive(Debug)]
-    struct MyPayload(String);
-
-    impl IntoPayload for MyPayload {
-        type Error = ();
-
-        fn into_payload(self) -> Result<PayloadKind, Self::Error> {
-            let s = Base64UrlString::encode(self.0);
-            Ok(PayloadKind::Detached(PayloadData::Standard(s)))
-        }
-    }
-
-    impl FromRawPayload for MyPayload {
-        type Context = String;
-        type Error = ();
-
-        fn from_attached(
-            context: &Self::Context,
-            _payload: PayloadData,
-        ) -> Result<Self, Self::Error> {
-            Ok(Self(context.clone()))
-        }
-
-        fn from_detached<F, T>(
-            context: &Self::Context,
-            _header: &jose::JoseHeader<F, T>,
-        ) -> Result<(Self, PayloadData), Self::Error> {
-            let data = PayloadData::Standard(Base64UrlString::encode(context));
-            Ok((Self(context.clone()), data))
-        }
-
-        fn from_detached_many<F, T>(
-            _context: &Self::Context,
-            _headers: &[jose::JoseHeader<F, T>],
-        ) -> Result<(Self, PayloadData), Self::Error> {
-            todo!()
-        }
-    }
-
-    let key = std::fs::read_to_string(format!(
-        "{}/tests/keys/p256.json",
-        env!("CARGO_MANIFEST_DIR"),
-    ))
-    .unwrap();
-    let key: P256PrivateKey = serde_json::from_str(&key).unwrap();
-
-    let mut signer: P256Signer = key
-        .clone()
-        .into_signer(JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256))
-        .unwrap();
-
-    let mut verifier: P256Verifier = key
-        .into_verifier(JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256))
-        .unwrap();
-
-    let context = "hello".to_string();
-
-    let jws = Jws::<Compact, _>::builder()
-        .build(MyPayload(context.clone()))
-        .unwrap()
-        .sign(&mut signer)
-        .unwrap()
-        .encode();
-
-    // After a recent change in jose, ecdas is not deterministic anymore
-    // assert_eq!(
-    //     jws.to_string(),
-    //     "eyJhbGciOiJFUzI1NiJ9..\
-    //      66Pd7hVwuNAOP4qFlQW5zSOmLNehj69TbZifg7pD5QjRWMqbxEdalWzMJFmRtQisYunNK2Vhm7H54xOnL6_Q4w"
-    // );
-
-    let parsed_jws =
-        Unverified::<Jws<Compact, MyPayload>>::decode_with_context(jws.clone(), &context)
-            .unwrap()
-            .verify(&mut verifier)
-            .unwrap();
-
-    assert_eq!(parsed_jws.payload().0, context);
-
-    // decoding with another context, should fail signature validation
-    let context2 = "world".to_string();
-    Unverified::<Jws<Compact, MyPayload>>::decode_with_context(jws, &context2)
-        .unwrap()
-        .verify(&mut verifier)
-        .unwrap_err();
-}
-
-#[test]
-fn sign_jws_using_p256() {
-    use jose::{
-        crypto::ec::{P256PrivateKey, P256Signer, P256Verifier},
-        jwa::EcDSA,
-    };
-
-    let key = std::fs::read_to_string(format!(
-        "{}/tests/keys/p256.json",
-        env!("CARGO_MANIFEST_DIR"),
-    ))
-    .unwrap();
-
-    let key: P256PrivateKey = serde_json::from_str(&key).unwrap();
-
-    let mut signer: P256Signer = key
-        .clone()
-        .into_signer(JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256))
-        .unwrap();
-
-    let mut verifier: P256Verifier = key
-        .into_verifier(JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256))
-        .unwrap();
-
-    let jws = Jws::<Compact, _>::builder()
-        .build(StringPayload::from("hello world!"))
-        .unwrap()
-        .sign(&mut signer)
-        .unwrap()
-        .encode();
-
-    // ecdsas is not deterministic anymore
-    // assert_eq!(
-    //     jws.to_string().as_str(),
-    //     "eyJhbGciOiJFUzI1NiJ9.aGVsbG8gd29ybGQh.\
-    //      lVKmpTNK_Im3-JEpF1JzuXM-vP9tNSkR8785hqnYzOHd1__VVOeMzGW7nywUe7Xkp6Wlu3KgWXlvsxhQdU1PlQ"
-    // );
-
-    let parsed_jws = Unverified::<Jws<Compact, StringPayload>>::decode(jws.clone())
-        .unwrap()
-        .verify(&mut verifier)
-        .unwrap();
-
-    assert_eq!(parsed_jws.payload().0, "hello world!");
-}
-
-#[test]
-fn deny_compact_jws_with_empty_protected_header() {
-    let jws: Jws<Compact, StringPayload> = Jws::builder()
-        .header(|b| b.algorithm(HeaderValue::Unprotected(JsonWebSigningAlgorithm::None)))
-        .build(StringPayload::from("abc"))
-        .unwrap();
-
-    jws.sign(&mut NoneKey).unwrap_err();
-}
-
-#[test]
-fn json_flattened_jws_with_no_protected_header() {
-    let key = std::fs::read_to_string(format!(
-        "{}/tests/keys/cookbook_hs256.json",
-        env!("CARGO_MANIFEST_DIR"),
-    ))
-    .unwrap();
-
-    let key: JsonWebKey = serde_json::from_str(&key).unwrap();
-    let key = key.check(StandardPolicy::new()).unwrap();
-
-    let mut signer = JwkSigner::try_from(key).unwrap();
-
-    let payload = "It's a dangerous business, Frodo, going out your door. You step onto the road, \
-                   and if you don't keep your feet, there's no knowing where you";
-
-    let jws: Jws<JsonFlattened, StringPayload> = Jws::builder()
-        .header(|b| b.algorithm(HeaderValue::Unprotected(JsonWebSigningAlgorithm::None)))
-        .build(StringPayload::from(payload))
-        .unwrap();
-
-    let jws = jws.sign(&mut signer).unwrap();
-
-    println!("{jws:#}");
-}
-
-#[test]
-fn smoke() {
-    let key = std::fs::read_to_string(format!(
-        "{}/tests/keys/p256.json",
-        env!("CARGO_MANIFEST_DIR"),
-    ))
-    .unwrap();
-
-    let key2 = std::fs::read_to_string(format!(
-        "{}/tests/keys/hs256.json",
-        env!("CARGO_MANIFEST_DIR"),
-    ))
-    .unwrap();
-
-    let key: JsonWebKey = serde_json::from_str(&key).unwrap();
-    let key = key.check(StandardPolicy::new()).unwrap();
-
-    let key2: JsonWebKey = serde_json::from_str(&key2).unwrap();
-    let key2 = key2.check(StandardPolicy::new()).unwrap();
-
-    let mut signer = JwkSigner::try_from(key.clone()).unwrap();
-    let mut signer2 = JwkSigner::try_from(key2.clone()).unwrap();
-
-    let mut verifier = JwkVerifier::try_from(key).unwrap();
-    let mut verifier2 = JwkVerifier::try_from(key2).unwrap();
-
-    let payload = r#"{"iss":"joe","exp":1300819380,"http://example.com/is_root":true}"#;
-    let payload = StringPayload::from(payload);
-
-    let signers: [&mut dyn Signer<Vec<u8>>; 2] = [&mut signer, &mut signer2];
-
-    let jws = Jws::<JsonGeneral, _>::builder()
-        .header(|b| b)
-        .header(|b| b)
-        .build(payload)
-        .unwrap()
-        .sign_many(signers)
-        .unwrap()
-        .encode();
-    println!("{jws}");
-
-    let verifiers: [&mut dyn Verifier; 2] = [&mut verifier, &mut verifier2];
-    let parsed_jws = ManyUnverified::<Jws<JsonGeneral, StringPayload>>::decode(jws)
-        .unwrap()
-        .verify_many(verifiers)
-        .unwrap();
-
-    println!("{parsed_jws:#?}");
-}
-
-#[test]
-fn additional_jwk_parameters_in_header() {
-    let key = std::fs::read_to_string(format!(
-        "{}/tests/keys/p256.json",
-        env!("CARGO_MANIFEST_DIR"),
-    ))
-    .unwrap();
-
-    #[derive(serde::Serialize, serde::Deserialize)]
-    struct Additional {
-        #[serde(rename = "example.com/custom-key")]
-        foo: usize,
-    }
-
-    let additional = Additional { foo: 1337 };
-
-    let key: JsonWebKey = serde_json::from_str(&key).unwrap();
-    let key = key.check(StandardPolicy::new()).unwrap();
-    let mut signer = JwkSigner::try_from(key.clone()).unwrap();
-    let mut verifier = JwkVerifier::try_from(key.clone()).unwrap();
-
-    let key = key
-        .into_inner()
-        .0
-        .into_builder()
-        .additional(additional)
-        .build()
-        .unwrap();
-    let key = key.into_untyped_additional().unwrap();
-
-    let jws: Jws<Compact, StringPayload> = Jws::builder()
-        .header(|b| b.json_web_key(Some(HeaderValue::Protected(key))))
-        .build(StringPayload::from("abc"))
-        .unwrap();
-
-    let jws = jws.sign(&mut signer).unwrap().encode();
-
-    let parsed_jws = Unverified::<Jws<Compact, StringPayload>>::decode(jws)
-        .unwrap()
-        .verify(&mut verifier)
-        .unwrap();
-
-    let jwk = parsed_jws
-        .header()
-        .json_web_key()
-        .unwrap()
-        .into_inner()
-        .clone();
-    let jwk: JsonWebKey<Additional> = jwk.deserialize_additional().unwrap();
-
-    assert_eq!(jwk.additional().foo, 1337);
-}
-
-#[test]
-fn ed25519() {
-    let private: Ed25519PrivateKey =
-        serde_json::from_str(&read_key_file("ed25519")).expect("valid ed25519 private key");
-    let _wrong_private = serde_json::from_str::<Ed25519PrivateKey>(&read_key_file("ed25519.pub"))
-        .expect_err("is a public key");
-
-    let public: Ed25519PublicKey =
-        serde_json::from_str(&read_key_file("ed25519.pub")).expect("is a valid public key");
-    let _wrong_public = serde_json::from_str::<Ed25519PublicKey>(&read_key_file("ed25519"))
-        .expect("public key can be parsed from private key");
-
-    let msg = "I was cured all right.";
-
-    let mut signer: Ed25519Signer = private
-        .into_signer(jose::jwa::JsonWebSigningAlgorithm::EdDSA)
-        .unwrap();
-
-    let jws = Jws::<Compact, _>::builder()
-        .build(StringPayload(msg.to_string()))
-        .unwrap();
-
-    let jws = jws.sign(&mut signer).unwrap();
-
-    println!("{jws:#?}");
-
-    let mut verifier: Ed25519Verifier = public
-        .into_verifier(JsonWebSigningAlgorithm::EdDSA)
-        .unwrap();
-
-    let encoded = jws.encode().to_string();
-    assert_eq!(
-        encoded,
-        "eyJhbGciOiJFZERTQSJ9.SSB3YXMgY3VyZWQgYWxsIHJpZ2h0Lg.\
-         JtDl6Eq4ORiI_fYmeik8QLMUPur0s37AgaK-o8W2ywEXnomeSPpf3Je0EvCI8K55k0uu0zkdHmGs2vu-DiuLDw"
-    );
-
-    let unverified_jws =
-        Unverified::<Jws<Compact, StringPayload>>::decode(Compact::from_str(&encoded).unwrap())
-            .unwrap();
-    unverified_jws
-        .verify(&mut verifier)
-        .expect("valid signature");
-
-    let signature_by_different_key =
-        "eyJhbGciOiJFZERTQSJ9.SSB3YXMgY3VyZWQgYWxsIHJpZ2h0Lg.\
-         xuBNTX8MSX1Du5sAdSGBUKijn8yqHG8v-3CYrZpoHizzwU9T6aT-XqbS5FBuMR9_pGagmpO6EiPHqZiTUpxXDQ";
-
-    let wrong_jws: Unverified<Jws<Compact, StringPayload>> =
-        Unverified::decode(Compact::from_str(signature_by_different_key).unwrap()).unwrap();
-
-    wrong_jws
-        .verify(&mut verifier)
-        .expect_err("signature made by different private key");
-}
diff --git a/tests/keys/hs256.json b/tests/keys/hs256.json
deleted file mode 100644
index 6d294e6..0000000
--- a/tests/keys/hs256.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
-    "use": "sig",
-    "kty": "oct",
-    "alg": "HS256",
-    "k": "QXk0V2FZSWYyMFR3RVNMZmt4SFVwU3Z4MkRtNlpINE4"
-}
diff --git a/tests/keys/key_ops_duplicates_rsa_enc.pub.json b/tests/keys/key_ops_duplicates_rsa_enc.pub.json
deleted file mode 100644
index 8ddd2be..0000000
--- a/tests/keys/key_ops_duplicates_rsa_enc.pub.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
-    "key_ops": ["encrypt", "decrypt", "decrypt"],
-    "kid": "XEK_bZ60VtJpXsnOGMWokkDgdTS3RC-_-5kwlgukIgw",
-    "kty": "RSA",
-    "alg": "RSA-OAEP",
-    "use": "enc",
-    "n": "kzMp0r1czDSZAH4iye4yMlBcHMCHo5G9uxC6UjzDEh_Zwj3sDGeMsUbX-X-UoLnkYySw2bxsdwHrPhuidkJrCC-CzFaujeARRrb3qDgQzOPj8zc8nlJvybC68KBPmj45wxFheHzp_VpfQ90LmUKbs3T8BJssDAKnWhuJSer1GR7vRhU4uKTX2ulxChuHdUJgApzj_Detohm66W8mnnPeSXbF4x8kl6JP1Txiq5GPYZWPDvLX0IjLzUuEIaOyQALObomv3DrWA1dfT2VevAr9ZWmqZNqFvalRrTuINxppF9cYH02Al6TucQOBnacwAj0JeHW-bvypiCuvhwpnRUqWgw",
-    "e": "AQAB",
-    "x5c": [
-        "MIICmzCCAYMCBgGB2iU8RDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjIwNzA3MTkyOTQyWhcNMzIwNzA3MTkzMTIyWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCTMynSvVzMNJkAfiLJ7jIyUFwcwIejkb27ELpSPMMSH9nCPewMZ4yxRtf5f5SgueRjJLDZvGx3Aes+G6J2QmsIL4LMVq6N4BFGtveoOBDM4+PzNzyeUm/JsLrwoE+aPjnDEWF4fOn9Wl9D3QuZQpuzdPwEmywMAqdaG4lJ6vUZHu9GFTi4pNfa6XEKG4d1QmACnOP8N62iGbrpbyaec95JdsXjHySXok/VPGKrkY9hlY8O8tfQiMvNS4Qho7JAAs5uia/cOtYDV19PZV68Cv1laapk2oW9qVGtO4g3GmkX1xgfTYCXpO5xA4GdpzACPQl4db5u/KmIK6+HCmdFSpaDAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAEcHfQlE2z+0+wpeUXb5JAzL1Mclki8kUzbE53MkCQsDpPrmuuX9gKz4ReEvyTpYJmxzx0TtZ3E8+o5h3i1WSY/V6dVMsXSlwUCzDsVpZ1JwAyC/c1HVhJGT/AqsNsK5XNsYmACGKlV5Z1utn+9aNBBGJWlu1BNqxSy9+jWo73/0K19yBFuKB+dCHpr653NPf1YlD8H5SZ5I0mwdr3Hhm/bXM464KFBNMjDzNtHNF3ucM0OI6CgtMoS44kJOhElAretzYFCtiZA1Nrx0B0kf19GdIyGPXaukn6lbgWutepp6r4hAzVNiOSxXKRpPNZxM1bwNmo3QP+YSqfoh7OYWmR8="
-    ],
-    "x5t": "blHgLn0uMGRznf8iQCCVGtPIpGY",
-    "x5t#S256": "VUTpD68AR1hdCkR02VSODfYJuQtvF0Dqtlv5c_kz3w0"
-}
diff --git a/tests/vectors/jwk/3_1.ec_public_key.json b/tests/vectors/jwk/3_1.ec_public_key.json
new file mode 100644
index 0000000..1d0eb45
--- /dev/null
+++ b/tests/vectors/jwk/3_1.ec_public_key.json
@@ -0,0 +1,8 @@
+{
+  "kty": "EC",
+  "kid": "bilbo.baggins@hobbiton.example",
+  "use": "sig",
+  "crv": "P-521",
+  "x": "AHKZLLOsCOzz5cY97ewNUajB957y-C-U88c3v13nmGZx6sYl_oJXu9A5RkTKqjqvjyekWF-7ytDyRXYgCF5cj0Kt",
+  "y": "AdymlHvOiLxXkEhayXQnNCvDX4h9htZaCJN34kfmC6pV5OhQHiraVySsUdaQkAgDPrwQrJmbnX9cwlGfP-HqHZR1"
+}
diff --git a/tests/vectors/jwk/3_2.ec_private_key.json b/tests/vectors/jwk/3_2.ec_private_key.json
new file mode 100644
index 0000000..2083943
--- /dev/null
+++ b/tests/vectors/jwk/3_2.ec_private_key.json
@@ -0,0 +1,9 @@
+{
+  "kty": "EC",
+  "kid": "bilbo.baggins@hobbiton.example",
+  "use": "sig",
+  "crv": "P-521",
+  "x": "AHKZLLOsCOzz5cY97ewNUajB957y-C-U88c3v13nmGZx6sYl_oJXu9A5RkTKqjqvjyekWF-7ytDyRXYgCF5cj0Kt",
+  "y": "AdymlHvOiLxXkEhayXQnNCvDX4h9htZaCJN34kfmC6pV5OhQHiraVySsUdaQkAgDPrwQrJmbnX9cwlGfP-HqHZR1",
+  "d": "AAhRON2r9cqXX1hg-RoI6R1tX5p2rUAYdmpHZoC1XNM56KtscrX6zbKipQrCW9CGZH3T4ubpnoTKLDYJ_fF3_rJt"
+}
diff --git a/tests/vectors/jwk/3_3.rsa_public_key.json b/tests/vectors/jwk/3_3.rsa_public_key.json
new file mode 100644
index 0000000..4529cfc
--- /dev/null
+++ b/tests/vectors/jwk/3_3.rsa_public_key.json
@@ -0,0 +1,7 @@
+{
+  "kty": "RSA",
+  "kid": "bilbo.baggins@hobbiton.example",
+  "use": "sig",
+  "n": "n4EPtAOCc9AlkeQHPzHStgAbgs7bTZLwUBZdR8_KuKPEHLd4rHVTeT-O-XV2jRojdNhxJWTDvNd7nqQ0VEiZQHz_AJmSCpMaJMRBSFKrKb2wqVwGU_NsYOYL-QtiWN2lbzcEe6XC0dApr5ydQLrHqkHHig3RBordaZ6Aj-oBHqFEHYpPe7Tpe-OfVfHd1E6cS6M1FZcD1NNLYD5lFHpPI9bTwJlsde3uhGqC0ZCuEHg8lhzwOHrtIQbS0FVbb9k3-tVTU4fg_3L_vniUFAKwuCLqKnS2BYwdq_mzSnbLY7h_qixoR7jig3__kRhuaxwUkRz5iaiQkqgc5gHdrNP5zw",
+  "e": "AQAB"
+}
diff --git a/tests/vectors/jwk/3_4.rsa_private_key.json b/tests/vectors/jwk/3_4.rsa_private_key.json
new file mode 100644
index 0000000..04843d8
--- /dev/null
+++ b/tests/vectors/jwk/3_4.rsa_private_key.json
@@ -0,0 +1,13 @@
+{
+  "kty": "RSA",
+  "kid": "bilbo.baggins@hobbiton.example",
+  "use": "sig",
+  "n": "n4EPtAOCc9AlkeQHPzHStgAbgs7bTZLwUBZdR8_KuKPEHLd4rHVTeT-O-XV2jRojdNhxJWTDvNd7nqQ0VEiZQHz_AJmSCpMaJMRBSFKrKb2wqVwGU_NsYOYL-QtiWN2lbzcEe6XC0dApr5ydQLrHqkHHig3RBordaZ6Aj-oBHqFEHYpPe7Tpe-OfVfHd1E6cS6M1FZcD1NNLYD5lFHpPI9bTwJlsde3uhGqC0ZCuEHg8lhzwOHrtIQbS0FVbb9k3-tVTU4fg_3L_vniUFAKwuCLqKnS2BYwdq_mzSnbLY7h_qixoR7jig3__kRhuaxwUkRz5iaiQkqgc5gHdrNP5zw",
+  "e": "AQAB",
+  "d": "bWUC9B-EFRIo8kpGfh0ZuyGPvMNKvYWNtB_ikiH9k20eT-O1q_I78eiZkpXxXQ0UTEs2LsNRS-8uJbvQ-A1irkwMSMkK1J3XTGgdrhCku9gRldY7sNA_AKZGh-Q661_42rINLRCe8W-nZ34ui_qOfkLnK9QWDDqpaIsA-bMwWWSDFu2MUBYwkHTMEzLYGqOe04noqeq1hExBTHBOBdkMXiuFhUq1BU6l-DqEiWxqg82sXt2h-LMnT3046AOYJoRioz75tSUQfGCshWTBnP5uDjd18kKhyv07lhfSJdrPdM5Plyl21hsFf4L_mHCuoFau7gdsPfHPxxjVOcOpBrQzwQ",
+  "p": "3Slxg_DwTXJcb6095RoXygQCAZ5RnAvZlno1yhHtnUex_fp7AZ_9nRaO7HX_-SFfGQeutao2TDjDAWU4Vupk8rw9JR0AzZ0N2fvuIAmr_WCsmGpeNqQnev1T7IyEsnh8UMt-n5CafhkikzhEsrmndH6LxOrvRJlsPp6Zv8bUq0k",
+  "q": "uKE2dh-cTf6ERF4k4e_jy78GfPYUIaUyoSSJuBzp3Cubk3OCqs6grT8bR_cu0Dm1MZwWmtdqDyI95HrUeq3MP15vMMON8lHTeZu2lmKvwqW7anV5UzhM1iZ7z4yMkuUwFWoBvyY898EXvRD-hdqRxHlSqAZ192zB3pVFJ0s7pFc",
+  "dp": "B8PVvXkvJrj2L-GYQ7v3y9r6Kw5g9SahXBwsWUzp19TVlgI-YV85q1NIb1rxQtD-IsXXR3-TanevuRPRt5OBOdiMGQp8pbt26gljYfKU_E9xn-RULHz0-ed9E9gXLKD4VGngpz-PfQ_q29pk5xWHoJp009Qf1HvChixRX59ehik",
+  "dq": "CLDmDGduhylc9o7r84rEUVn7pzQ6PF83Y-iBZx5NT-TpnOZKF1pErAMVeKzFEl41DlHHqqBLSM0W1sOFbwTxYWZDm6sI6og5iTbwQGIC3gnJKbi_7k_vJgGHwHxgPaX2PnvP-zyEkDERuf-ry4c_Z11Cq9AqC2yeL6kdKT1cYF8",
+  "qi": "3PiqvXQN0zwMeE-sBvZgi289XP9XCQF3VWqPzMKnIgQp7_Tugo6-NZBKCQsMf3HaEGBjTVJs_jcK8-TRXvaKe-7ZMaQj8VfBdYkssbu0NKDDhjJ-GtiseaDVWt7dcH0cfwxgFUHpQh7FoCrjFJ6h6ZEpMF6xmujs4qMpPz8aaI4"
+}
diff --git a/tests/keys/cookbook_hs256.json b/tests/vectors/jwk/3_5.symmetric_key_mac_computation.json
similarity index 100%
rename from tests/keys/cookbook_hs256.json
rename to tests/vectors/jwk/3_5.symmetric_key_mac_computation.json
diff --git a/tests/vectors/jwk/3_6.symmetric_key_encryption.json b/tests/vectors/jwk/3_6.symmetric_key_encryption.json
new file mode 100644
index 0000000..e70ad94
--- /dev/null
+++ b/tests/vectors/jwk/3_6.symmetric_key_encryption.json
@@ -0,0 +1,7 @@
+{
+  "kty": "oct",
+  "kid": "1e571774-2e08-40da-8308-e8d68773842d",
+  "use": "enc",
+  "alg": "A256GCM",
+  "k": "AAPapAv4LbFbiVawEjagUBluYqN5rhna-8nuldDvOx8"
+}
diff --git a/tests/keys/ed25519.json b/tests/vectors/jwk/ed25519.json
similarity index 99%
rename from tests/keys/ed25519.json
rename to tests/vectors/jwk/ed25519.json
index 3d1cd8e..f2112c7 100644
--- a/tests/keys/ed25519.json
+++ b/tests/vectors/jwk/ed25519.json
@@ -6,4 +6,4 @@
   "alg": "EdDSA",
   "x": "etkJX1EBhliHzBaimUQb0h2JhJKQ3G0beRVR3ssiedY",
   "d": "629kbTnU3Pgfkoq7zG9qe5LPuMi1PdaLcNo87nUya1I"
-}
\ No newline at end of file
+}
diff --git a/tests/keys/ed25519.pub.json b/tests/vectors/jwk/ed25519.pub.json
similarity index 100%
rename from tests/keys/ed25519.pub.json
rename to tests/vectors/jwk/ed25519.pub.json
diff --git a/tests/keys/jwk_optional_parameters_rsa_enc.pub.json b/tests/vectors/jwk/jwk_optional_parameters_rsa_enc.pub.json
similarity index 100%
rename from tests/keys/jwk_optional_parameters_rsa_enc.pub.json
rename to tests/vectors/jwk/jwk_optional_parameters_rsa_enc.pub.json
diff --git a/tests/keys/jwk_optional_parameters_rsa_sig.pub.json b/tests/vectors/jwk/jwk_optional_parameters_rsa_sig.pub.json
similarity index 100%
rename from tests/keys/jwk_optional_parameters_rsa_sig.pub.json
rename to tests/vectors/jwk/jwk_optional_parameters_rsa_sig.pub.json
diff --git a/tests/keys/key_ops_rsa_enc.pub.json b/tests/vectors/jwk/key_ops_rsa_enc.pub.json
similarity index 100%
rename from tests/keys/key_ops_rsa_enc.pub.json
rename to tests/vectors/jwk/key_ops_rsa_enc.pub.json
diff --git a/tests/keys/p256.json b/tests/vectors/jwk/p256.json
similarity index 100%
rename from tests/keys/p256.json
rename to tests/vectors/jwk/p256.json
diff --git a/tests/keys/p256.pub.json b/tests/vectors/jwk/p256.pub.json
similarity index 100%
rename from tests/keys/p256.pub.json
rename to tests/vectors/jwk/p256.pub.json
diff --git a/tests/keys/p384.json b/tests/vectors/jwk/p384.json
similarity index 100%
rename from tests/keys/p384.json
rename to tests/vectors/jwk/p384.json
diff --git a/tests/keys/p384.pub.json b/tests/vectors/jwk/p384.pub.json
similarity index 100%
rename from tests/keys/p384.pub.json
rename to tests/vectors/jwk/p384.pub.json
diff --git a/tests/keys/rsa.json b/tests/vectors/jwk/rsa.json
similarity index 100%
rename from tests/keys/rsa.json
rename to tests/vectors/jwk/rsa.json
diff --git a/tests/keys/rsa.pub.json b/tests/vectors/jwk/rsa.pub.json
similarity index 100%
rename from tests/keys/rsa.pub.json
rename to tests/vectors/jwk/rsa.pub.json

From f44af9a14099a25d2a71b721a4f549f6883cbaeb Mon Sep 17 00:00:00 2001
From: Justus K <justus.k@protonmail.com>
Date: Sat, 3 May 2025 13:24:05 +0200
Subject: [PATCH 2/5] feat(tests): add more JWK related tests

---
 Cargo.lock                                    | 146 ++++
 Cargo.toml                                    |   1 +
 tarpaulin-report.html                         | 671 ++++++++++++++++++
 tests/jwk.rs                                  | 243 ++++---
 tests/jws.rs                                  |   1 +
 tests/vectors/jwk/ed448.json                  |   6 +
 tests/vectors/jwk/ed448.pub.json              |   5 +
 tests/vectors/jwk/k256.json                   |   9 +
 tests/vectors/jwk/k256.pub.json               |   8 +
 .../jwk/rsa_with_additional_props.pub.json    |  10 +
 10 files changed, 1015 insertions(+), 85 deletions(-)
 create mode 100644 tarpaulin-report.html
 create mode 100644 tests/vectors/jwk/ed448.json
 create mode 100644 tests/vectors/jwk/ed448.pub.json
 create mode 100644 tests/vectors/jwk/k256.json
 create mode 100644 tests/vectors/jwk/k256.pub.json
 create mode 100644 tests/vectors/jwk/rsa_with_additional_props.pub.json

diff --git a/Cargo.lock b/Cargo.lock
index faf8862..2081b08 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -505,6 +505,49 @@ version = "1.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c"
 
+[[package]]
+name = "futures-core"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e"
+
+[[package]]
+name = "futures-macro"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "futures-task"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988"
+
+[[package]]
+name = "futures-timer"
+version = "3.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f288b0a4f20f9a56b5d1da57e2227c661b7b16168e2f72365f57b63326e29b24"
+
+[[package]]
+name = "futures-util"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81"
+dependencies = [
+ "futures-core",
+ "futures-macro",
+ "futures-task",
+ "pin-project-lite",
+ "pin-utils",
+ "slab",
+]
+
 [[package]]
 name = "generic-array"
 version = "0.14.7"
@@ -605,6 +648,16 @@ version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ce23b50ad8242c51a442f3ff322d56b02f08852c77e4c0b4d3fd684abc89c683"
 
+[[package]]
+name = "indexmap"
+version = "2.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cea70ddb795996207ad57735b50c5982d8844f38ba9ee5f1aedcfb708a2aa11e"
+dependencies = [
+ "equivalent",
+ "hashbrown",
+]
+
 [[package]]
 name = "is-terminal"
 version = "0.4.16"
@@ -674,6 +727,7 @@ dependencies = [
  "rand_core",
  "ring",
  "rsa",
+ "rstest",
  "secrecy",
  "serde",
  "serde-value",
@@ -927,6 +981,18 @@ dependencies = [
  "base64ct",
 ]
 
+[[package]]
+name = "pin-project-lite"
+version = "0.2.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b"
+
+[[package]]
+name = "pin-utils"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
+
 [[package]]
 name = "pkcs1"
 version = "0.7.5"
@@ -992,6 +1058,15 @@ dependencies = [
  "elliptic-curve",
 ]
 
+[[package]]
+name = "proc-macro-crate"
+version = "3.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "edce586971a4dfaa28950c6f18ed55e0406c1ab88bbce2c6f6293a7aaba73d35"
+dependencies = [
+ "toml_edit",
+]
+
 [[package]]
 name = "proc-macro2"
 version = "1.0.95"
@@ -1094,6 +1169,12 @@ version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"
 
+[[package]]
+name = "relative-path"
+version = "1.9.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba39f3699c378cd8970968dcbff9c43159ea4cfbd88d43c00b22f2ef10a435d2"
+
 [[package]]
 name = "rfc6979"
 version = "0.4.0"
@@ -1138,6 +1219,36 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "rstest"
+version = "0.25.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6fc39292f8613e913f7df8fa892b8944ceb47c247b78e1b1ae2f09e019be789d"
+dependencies = [
+ "futures-timer",
+ "futures-util",
+ "rstest_macros",
+ "rustc_version",
+]
+
+[[package]]
+name = "rstest_macros"
+version = "0.25.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1f168d99749d307be9de54d23fd226628d99768225ef08f6ffb52e0182a27746"
+dependencies = [
+ "cfg-if",
+ "glob",
+ "proc-macro-crate",
+ "proc-macro2",
+ "quote",
+ "regex",
+ "relative-path",
+ "rustc_version",
+ "syn",
+ "unicode-ident",
+]
+
 [[package]]
 name = "rustc-hash"
 version = "1.1.0"
@@ -1304,6 +1415,15 @@ dependencies = [
  "rand_core",
 ]
 
+[[package]]
+name = "slab"
+version = "0.4.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f92a496fb766b417c996b9c5e57daf2f7ad3b0bebe1ccfca4856390e3d3bb67"
+dependencies = [
+ "autocfg",
+]
+
 [[package]]
 name = "smallvec"
 version = "1.15.0"
@@ -1382,6 +1502,23 @@ dependencies = [
  "syn",
 ]
 
+[[package]]
+name = "toml_datetime"
+version = "0.6.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3da5db5a963e24bc68be8b17b6fa82814bb22ee8660f192bb182771d498f09a3"
+
+[[package]]
+name = "toml_edit"
+version = "0.22.26"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "310068873db2c5b3e7659d2cc35d21855dbafa50d1ce336397c666e3cb08137e"
+dependencies = [
+ "indexmap",
+ "toml_datetime",
+ "winnow",
+]
+
 [[package]]
 name = "typenum"
 version = "1.18.0"
@@ -1603,6 +1740,15 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
 
+[[package]]
+name = "winnow"
+version = "0.7.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9fb597c990f03753e08d3c29efbfcf2019a003b4bf4ba19225c158e1549f0f3"
+dependencies = [
+ "memchr",
+]
+
 [[package]]
 name = "wit-bindgen-rt"
 version = "0.39.0"
diff --git a/Cargo.toml b/Cargo.toml
index a6aa09b..b6b3d65 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -132,6 +132,7 @@ clio = { version = "0.3.5", features = ["clap-parse"] }
 
 # For integration tests
 pretty_assertions = "1.4.1"
+rstest = "0.25.0"
 
 # For X.509 certificates of Json Web Keys
 # x509-cert = { git = "https://github.com/RustCrypto/formats.git" }
diff --git a/tarpaulin-report.html b/tarpaulin-report.html
new file mode 100644
index 0000000..c0cdb23
--- /dev/null
+++ b/tarpaulin-report.html
@@ -0,0 +1,671 @@
+<!doctype html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <style>html, body {
+  margin: 0;
+  padding: 0;
+}
+
+.app {
+  margin: 10px;
+  padding: 0;
+}
+
+.files-list {
+  margin: 10px 0 0;
+  width: 100%;
+  border-collapse: collapse;
+}
+.files-list__head {
+  border: 1px solid #999;
+}
+.files-list__head > tr > th {
+  padding: 10px;
+  border: 1px solid #999;
+  text-align: left;
+  font-weight: normal;
+  background: #ddd;
+}
+.files-list__body {
+}
+.files-list__file {
+  cursor: pointer;
+}
+.files-list__file:hover {
+  background: #ccf;
+}
+.files-list__file > td {
+  padding: 10px;
+  border: 1px solid #999;
+}
+.files-list__file > td:first-child::before {
+  content: '\01F4C4';
+  margin-right: 1em;
+}
+.files-list__file_low {
+  background: #fcc;
+}
+.files-list__file_medium {
+  background: #ffc;
+}
+.files-list__file_high {
+  background: #cfc;
+}
+.files-list__file_folder > td:first-child::before {
+  content: '\01F4C1';
+  margin-right: 1em;
+}
+
+.file-header {
+  border: 1px solid #999;
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+  position: sticky;
+  top: 0;
+  background: white;
+}
+
+.file-header__back {
+  margin: 10px;
+  cursor: pointer;
+  flex-shrink: 0;
+  flex-grow: 0;
+  text-decoration: underline;
+  color: #338;
+}
+
+.file-header__name {
+  margin: 10px;
+  flex-shrink: 2;
+  flex-grow: 2;
+}
+
+.file-header__stat {
+  margin: 10px;
+  flex-shrink: 0;
+  flex-grow: 0;
+}
+
+.file-content {
+  margin: 10px 0 0;
+  border: 1px solid #999;
+  padding: 10px;
+  counter-reset: line;
+  display: flex;
+  flex-direction: column;
+}
+
+.code-line::before {
+    content: counter(line);
+    margin-right: 10px;
+}
+.code-line {
+  margin: 0;
+  padding: 0.3em;
+  height: 1em;
+  counter-increment: line;
+}
+.code-line_covered {
+  background: #cfc;
+}
+.code-line_uncovered {
+  background: #fcc;
+}
+</style>
+</head>
+<body>
+    <div id="root"></div>
+    <script>
+        var data = {"files":[{"path":["/","home","stu","dev","rust","jose","build.rs"],"content":"use std::{env, process::exit};\n\nstruct CryptoBackend {\n    name: \u0026'static str,\n    feature: \u0026'static str,\n}\n\nconst ALL_BACKENDS: \u0026[CryptoBackend] = \u0026[\n    CryptoBackend {\n        name: \"RustCrypto\",\n        feature: \"crypto-rustcrypto\",\n    },\n    CryptoBackend {\n        name: \"OpenSSL\",\n        feature: \"crypto-openssl\",\n    },\n    CryptoBackend {\n        name: \"AWS-LC\",\n        feature: \"crypto-aws-lc\",\n    },\n    CryptoBackend {\n        name: \"ring\",\n        feature: \"crypto-ring\",\n    },\n];\n\nfn main() {\n    crypto_backends_check();\n\n    println!(\"cargo::rustc-check-cfg=cfg(openssl320)\");\n\n    // the nonce api for deterministic EcDSA signing is only possible on specific\n    // version\n    #[expect(clippy::unusual_byte_groupings)]\n    if let Ok(v) = env::var(\"DEP_OPENSSL_VERSION_NUMBER\") {\n        let version = u64::from_str_radix(\u0026v, 16).unwrap();\n\n        if version \u003e= 0x3_02_00_00_0 {\n            println!(\"cargo:rustc-cfg=openssl320\");\n        }\n    }\n}\n\nfn crypto_backends_check() {\n    let enabled = ALL_BACKENDS\n        .iter()\n        .filter(|backend| {\n            std::env::var(format!(\n                \"CARGO_FEATURE_{}\",\n                backend.feature.to_uppercase().replace(\"-\", \"_\")\n            ))\n            .is_ok()\n        })\n        .collect::\u003cVec\u003c_\u003e\u003e();\n\n    if enabled.is_empty() {\n        eprintln!(\n            \"No cryptographic backend selected.\n\n`jose` requires a cryptographic backend.  This backend \\\n             is selected at compile time using feature flags.\n\nSee https://github.com/minkan-chat/jose#crypto-backends\\\n             \"\n        );\n\n        exit(1);\n    } else if enabled.len() \u003e 1 {\n        eprintln!(\n            \"Multiple cryptographic backends selected.\n\n`jose` requires exactly one cryptographic backend. \\\n             Unfortunately, you have selected multiple backends:\n\n    {}\n\nSee https://github.com/minkan-chat/jose#crypto-backends\\\n             \",\n            enabled\n                .iter()\n                .map(|b| b.name)\n                .collect::\u003cVec\u003c_\u003e\u003e()\n                .join(\", \")\n        );\n\n        exit(1);\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","examples","basic-jwt","main.rs"],"content":"//! Simple program to generate, sign and verify a JsonWebToken (JWT)\n\nuse clap::Parser;\nuse clio::Input;\nuse eyre::eyre;\nuse jose::{\n    crypto::{\n        ec::P256PrivateKey,\n        hmac::{Hs256, Key as HmacKey},\n    },\n    format::{Compact, DecodeFormat},\n    jwk::{\n        policy::{Checkable, StandardPolicy},\n        IntoJsonWebKey, JwkSigner, JwkVerifier, KeyOperation,\n    },\n    jwt::Claims,\n    JsonWebKey, Jwt, UntypedAdditionalProperties,\n};\n\n#[derive(Parser)]\nenum Commands {\n    /// Generates a JsonWebKey\n    Generate {\n        /// Wheter or not it should be a symmetric secret or not\n        #[arg(short, long)]\n        symmetric: bool,\n    },\n    /// Signs a payload with a JsonWebKey\n    Sign {\n        /// Key used to sign the JsonWebToken\n        key: Input,\n        /// The claims that this JWT should contain\n        payload: Input,\n    },\n    /// Verifies a JsonWebToken with a JsonWebKey\n    Verify { jwt: String, key: Input },\n}\n\nfn main() -\u003e eyre::Result\u003c()\u003e {\n    let cmds = Commands::parse();\n\n    match cmds {\n        Commands::Generate { symmetric } =\u003e {\n            let key = match symmetric {\n                true =\u003e HmacKey::\u003cHs256\u003e::generate()?.into_jwk(Some(()))?,\n                false =\u003e P256PrivateKey::generate()?.into_jwk(Some(()))?,\n            };\n            // Key containing private/secret key\n            let private_key = key\n                .into_builder()\n                .key_operations(Some([KeyOperation::Sign, KeyOperation::Verify]))\n                .build()?;\n            println!(\"Private:\\n{}\", serde_json::to_string(\u0026private_key)?);\n\n            // If the key can be made public, do so and print it as well\n            if let Some(public) = private_key.strip_secret_material() {\n                println!(\"Public:\\n{}\", serde_json::to_string(\u0026public)?)\n            };\n        }\n        Commands::Sign { key, payload } =\u003e {\n            let key: JsonWebKey = serde_json::from_reader(key)?;\n            let payload: Claims\u003cUntypedAdditionalProperties\u003e = serde_json::from_reader(payload)?;\n            if !key.is_signing_key() {\n                return Err(eyre!(\"Key is not capable of signing\"));\n            }\n\n            let key = key\n                .check(StandardPolicy::default())\n                .map_err(|(_key, e)| e)?;\n            let mut signer: JwkSigner = key.try_into()?;\n\n            let jwt = Jwt::builder_jwt().build(payload)?;\n            let signed = jwt.sign(\u0026mut signer)?;\n            let encoded = signed.encode();\n            println!(\"JWT: {encoded}\");\n        }\n        Commands::Verify { jwt, key } =\u003e {\n            let key: JsonWebKey = serde_json::from_reader(key)?;\n            let key = key.check(StandardPolicy::default()).map_err(|(_, e)| e)?;\n            let mut verifier: JwkVerifier = key.try_into()?;\n            let encoded: Compact = jwt.parse()?;\n            let unverified_jwt = Jwt::\u003cUntypedAdditionalProperties\u003e::decode(encoded)?;\n            let jwt = unverified_jwt.verify(\u0026mut verifier)?;\n            let payload = jwt.payload();\n            println!(\n                \"JWT: Sub {:?}, {:?}:\",\n                payload.subject,\n                payload.additional.get(\"name\")\n            )\n        }\n    }\n    Ok(())\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","base64_url.rs"],"content":"//! Helpers for base64 urlsafe encoded stuff\n\nuse alloc::{borrow::ToOwned, string::String, vec::Vec};\nuse core::{fmt, ops::Deref, str::FromStr};\n\nuse base64ct::{Base64UrlUnpadded, Encoding};\nuse secrecy::{ExposeSecret as _, SecretSlice};\nuse serde::{de::Error, Deserialize, Deserializer, Serialize};\nuse thiserror::Error;\nuse zeroize::{Zeroize, Zeroizing};\n\n/// Error type indicating that one part of the compact\n/// representation was an invalid Base64Url string.\n#[derive(Debug, Clone, Copy, Error)]\n#[error(\"the string is not a valid Base64Url representation\")]\npub struct NoBase64UrlString;\n\n/// A wrapper around a [`String`] that guarantees that the inner string is a\n/// valid Base64Url string.\n#[derive(Debug, Clone, Hash, PartialEq, Eq, Serialize, Default)]\n#[repr(transparent)]\n#[serde(transparent)]\npub struct Base64UrlString(String);\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for Base64UrlString {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        let inner = String::deserialize(deserializer)?;\n        Base64UrlString::from_str(\u0026inner).map_err(D::Error::custom)\n    }\n}\n\nimpl fmt::Display for Base64UrlString {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Display::fmt(\u0026self.0, f)\n    }\n}\n\nimpl FromStr for Base64UrlString {\n    type Err = NoBase64UrlString;\n\n    fn from_str(s: \u0026str) -\u003e Result\u003cSelf, Self::Err\u003e {\n        // it is an expensive check.. yes\n        base64ct::Base64UrlUnpadded::decode_vec(s)\n            .map(|_| Self(s.to_owned()))\n            .map_err(|_| NoBase64UrlString)\n    }\n}\n\nimpl Base64UrlString {\n    /// Creates a new, empty Base64Url string.\n    #[inline]\n    pub const fn new() -\u003e Self {\n        Self(String::new())\n    }\n\n    /// Encode the given bytes using Base64Url format.\n    #[inline]\n    pub fn encode(x: impl AsRef\u003c[u8]\u003e) -\u003e Self {\n        Base64UrlString(Base64UrlUnpadded::encode_string(x.as_ref()))\n    }\n\n    /// Decodes this Base64Url string into it's raw byte representation.\n    #[inline]\n    pub fn decode(\u0026self) -\u003e Vec\u003cu8\u003e {\n        Base64UrlUnpadded::decode_vec(\u0026self.0)\n            .expect(\"Base64UrlString is guaranteed to be a valid base64 string\")\n    }\n\n    /// Return the inner string.\n    pub fn into_inner(self) -\u003e String {\n        self.0\n    }\n}\n\nimpl Deref for Base64UrlString {\n    type Target = str;\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        \u0026self.0\n    }\n}\n\n#[derive(Debug, PartialEq, Eq, Clone, Hash, Zeroize)]\npub(crate) struct Base64UrlBytes(pub(crate) Vec\u003cu8\u003e);\n\nimpl Serialize for Base64UrlBytes {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        let encoded = Base64UrlUnpadded::encode_string(\u0026self.0);\n        encoded.serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for Base64UrlBytes {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        let encoded = String::deserialize(deserializer)?;\n\n        let decoded = Base64UrlUnpadded::decode_vec(\u0026encoded)\n            .map_err(|_| D::Error::custom(\"encountered invalid Base64Url string\"))?;\n\n        Ok(Self(decoded))\n    }\n}\n\n#[derive(Debug, Clone, Zeroize)]\npub(crate) struct SecretBase64UrlBytes(pub(crate) SecretSlice\u003cu8\u003e);\n\nimpl Serialize for SecretBase64UrlBytes {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        let data = self.0.expose_secret();\n        let encoded = Zeroizing::new(Base64UrlUnpadded::encode_string(data));\n\n        encoded.serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for SecretBase64UrlBytes {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        let encoded = Zeroizing::new(String::deserialize(deserializer)?);\n\n        let decoded = Base64UrlUnpadded::decode_vec(\u0026encoded)\n            .map_err(|_| D::Error::custom(\"encountered invalid Base64Url string\"))?;\n\n        Ok(Self(SecretSlice::from(decoded)))\n    }\n}\n\n// TODO: test for correct length check and base64url parsing\n#[cfg(test)]\nmod tests {}\n","traces":[{"line":26,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":0}},{"line":31,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":37,"address":[],"length":0,"stats":{"Line":0}},{"line":44,"address":[],"length":0,"stats":{"Line":0}},{"line":46,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":63}},{"line":62,"address":[],"length":0,"stats":{"Line":63}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":81,"address":[],"length":0,"stats":{"Line":63}},{"line":82,"address":[],"length":0,"stats":{"Line":63}},{"line":90,"address":[],"length":0,"stats":{"Line":206}},{"line":94,"address":[],"length":0,"stats":{"Line":206}},{"line":95,"address":[],"length":0,"stats":{"Line":206}},{"line":100,"address":[],"length":0,"stats":{"Line":257}},{"line":104,"address":[],"length":0,"stats":{"Line":514}},{"line":106,"address":[],"length":0,"stats":{"Line":138}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":36}},{"line":121,"address":[],"length":0,"stats":{"Line":36}},{"line":122,"address":[],"length":0,"stats":{"Line":36}},{"line":124,"address":[],"length":0,"stats":{"Line":36}},{"line":129,"address":[],"length":0,"stats":{"Line":109}},{"line":133,"address":[],"length":0,"stats":{"Line":218}},{"line":135,"address":[],"length":0,"stats":{"Line":76}},{"line":136,"address":[],"length":0,"stats":{"Line":0}},{"line":138,"address":[],"length":0,"stats":{"Line":0}}],"covered":17,"coverable":36},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","dummy.rs"],"content":"//! This backend is a dummy backend, that will return an error for all\n//! methods.\n//!\n//! This is only used for testing purposes, to make the code compile.\n\nuse alloc::vec::Vec;\n\nuse secrecy::SecretSlice;\n\nuse super::interface;\nuse crate::crypto::Result;\n\n#[derive(Debug, thiserror::Error)]\n#[error(\"the dummy crypto backend does not support any operations\")]\npub(crate) struct Error;\n\n/// The dummy backend.\n#[derive(Debug)]\npub(crate) enum Backend {}\n\nimpl interface::Backend for Backend {\n    type EcPrivateKey = DummyKey;\n    type EcPublicKey = DummyKey;\n    type EdPrivateKey = DummyKey;\n    type EdPublicKey = DummyKey;\n    type Error = Error;\n    type HmacKey = DummyKey;\n    type RsaPrivateKey = DummyKey;\n    type RsaPublicKey = DummyKey;\n\n    fn fill_random(_buf: \u0026mut [u8]) -\u003e Result\u003c(), Self::Error\u003e {\n        Err(Error)\n    }\n\n    fn sha256(_: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n        panic!(\"The dummy backend does not support any operations\");\n    }\n\n    fn sha384(_: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n        panic!(\"The dummy backend does not support any operations\");\n    }\n\n    fn sha512(_: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n        panic!(\"The dummy backend does not support any operations\");\n    }\n}\n\n#[derive(Debug, Clone, PartialEq, Eq)]\npub(crate) struct DummyKey {\n    _private: (),\n}\n\nimpl interface::ec::PrivateKey for DummyKey {\n    type PublicKey = DummyKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn new(_alg: crate::jwa::EcDSA, _x: Vec\u003cu8\u003e, _y: Vec\u003cu8\u003e, _d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn generate(_: crate::jwa::EcDSA) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn private_material(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        unreachable!()\n    }\n\n    fn public_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        unreachable!()\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        unreachable!()\n    }\n\n    fn sign(\u0026mut self, _: \u0026[u8], _: bool) -\u003e Result\u003cSelf::Signature\u003e {\n        unreachable!()\n    }\n}\n\nimpl interface::ec::PublicKey for DummyKey {\n    fn new(_: crate::jwa::EcDSA, _: Vec\u003cu8\u003e, _: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn to_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        unreachable!()\n    }\n\n    fn verify(\u0026mut self, _: \u0026[u8], _: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        unreachable!()\n    }\n}\n\nimpl interface::okp::PrivateKey for DummyKey {\n    type PublicKey = DummyKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(_: interface::okp::CurveAlgorithm) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn new(_: interface::okp::CurveAlgorithm, _: Vec\u003cu8\u003e, _: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        unreachable!()\n    }\n\n    fn to_bytes(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        unreachable!()\n    }\n\n    fn sign(\u0026mut self, _: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        unreachable!()\n    }\n}\n\nimpl interface::okp::PublicKey for DummyKey {\n    fn new(_: interface::okp::CurveAlgorithm, _: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn to_bytes(\u0026self) -\u003e Vec\u003cu8\u003e {\n        unreachable!()\n    }\n\n    fn verify(\u0026mut self, _: \u0026[u8], _: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        unreachable!()\n    }\n}\n\nimpl interface::hmac::Key for DummyKey {\n    type Signature = Vec\u003cu8\u003e;\n\n    fn new(_: crate::jwa::Hmac, _: \u0026[u8]) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn sign(\u0026mut self, _: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        unreachable!()\n    }\n}\n\nimpl interface::rsa::PrivateKey for DummyKey {\n    type PublicKey = DummyKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(_: usize) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn from_components(\n        _: interface::rsa::PrivateKeyComponents,\n        _: interface::rsa::PublicKeyComponents,\n    ) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        unreachable!()\n    }\n\n    fn sign(\u0026mut self, _: crate::jwa::RsaSigning, _: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        unreachable!()\n    }\n\n    fn private_components(\u0026self) -\u003e Result\u003cinterface::rsa::PrivateKeyComponents\u003e {\n        unreachable!()\n    }\n\n    fn public_components(\u0026self) -\u003e interface::rsa::PublicKeyComponents {\n        unreachable!()\n    }\n}\n\nimpl interface::rsa::PublicKey for DummyKey {\n    fn from_components(_: interface::rsa::PublicKeyComponents) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn verify(\n        \u0026mut self,\n        _alg: crate::jwa::RsaSigning,\n        _msg: \u0026[u8],\n        _signature: \u0026[u8],\n    ) -\u003e Result\u003cbool\u003e {\n        unreachable!()\n    }\n\n    fn components(\u0026self) -\u003e interface::rsa::PublicKeyComponents {\n        unreachable!()\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","interface","ec.rs"],"content":"//! The interfaces for EC keys.\n\nuse alloc::vec::Vec;\n\nuse secrecy::SecretSlice;\n\nuse crate::{crypto::Result, jwa};\n\n/// The common operations for a curve-generic EC public key.\npub(crate) trait PublicKey: Sized + Clone {\n    /// Creates a new public key from the given data.\n    fn new(alg: jwa::EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e;\n\n    /// Returns the (x, y) coordinates of the public key.\n    fn to_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e);\n\n    /// Verifies if the message is valid for the given signature and algorithm.\n    ///\n    /// Returns `true` if the signature is valid, `false` otherwise.\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e;\n}\n\n/// The common operations for a curve-generic EC private key.\npub(crate) trait PrivateKey: Sized + Clone {\n    /// The signature type that is produced by this key.\n    type Signature: Into\u003cVec\u003cu8\u003e\u003e + AsRef\u003c[u8]\u003e;\n\n    /// The public key type.\n    type PublicKey: PublicKey;\n\n    /// Creates a new private key from the given data.\n    fn new(alg: jwa::EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e;\n\n    /// Generates a new secure random private key.\n    fn generate(alg: jwa::EcDSA) -\u003e Result\u003cSelf\u003e;\n\n    /// Returns the private key material of this key.\n    fn private_material(\u0026self) -\u003e SecretSlice\u003cu8\u003e;\n\n    /// Returns the public part of this key, a (x, y) coordinates.\n    fn public_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e);\n\n    /// Returns the public key of this private key.\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey;\n\n    /// Signs the given data using this key.\n    ///\n    /// This operation **must** be re-usable, meaning this method can be\n    /// called multiple times with different data to sign.\n    ///\n    /// The `deterministic` flag indicates if the signature should be\n    /// deterministic, as according to [RFC 6979](https://www.rfc-editor.org/rfc/rfc6979).\n    fn sign(\u0026mut self, data: \u0026[u8], deterministic: bool) -\u003e Result\u003cSelf::Signature\u003e;\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","interface","hmac.rs"],"content":"//! The interfaces for HMAC.\n\nuse crate::{crypto::Result, jwa};\n\n/// The common operations for an HMAC key.\npub(crate) trait Key: Sized {\n    /// The signature type that is produced by this key.\n    type Signature: AsRef\u003c[u8]\u003e;\n\n    /// Creates a new key from the given data.\n    fn new(variant: jwa::Hmac, key: \u0026[u8]) -\u003e Result\u003cSelf\u003e;\n\n    /// Signs the given data using this key.\n    ///\n    /// This operation **must** be re-usable, meaning this method can be\n    /// called multiple times with different data to sign.\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e;\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","interface","okp.rs"],"content":"//! The interfaces for OKP/ED keys.\n\nuse alloc::vec::Vec;\n\nuse secrecy::SecretSlice;\n\nuse crate::crypto::Result;\n\n/// The common operations for a ED public key.\npub(crate) trait PublicKey: Sized + Clone {\n    /// Creates a new public key from the given data.\n    fn new(alg: CurveAlgorithm, x: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e;\n\n    /// Returns the encoded bytes for this public key.\n    fn to_bytes(\u0026self) -\u003e Vec\u003cu8\u003e;\n\n    /// Verifies if the message is valid for the given signature and algorithm.\n    ///\n    /// Returns `true` if the signature is valid, `false` otherwise.\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e;\n}\n\n/// The common operations for a ED private key.\npub(crate) trait PrivateKey: Sized + Clone {\n    /// The signature type that is produced by this key.\n    type Signature: Into\u003cVec\u003cu8\u003e\u003e + AsRef\u003c[u8]\u003e;\n\n    /// The public key type.\n    type PublicKey: PublicKey;\n\n    /// Generates a new secure random private key.\n    fn generate(alg: CurveAlgorithm) -\u003e Result\u003cSelf\u003e;\n\n    /// Creates a new private key from the given data.\n    fn new(alg: CurveAlgorithm, x: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e;\n\n    /// Returns the public key that belongs to this private key.\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey;\n\n    /// Returns the encoded bytes for this private key.\n    fn to_bytes(\u0026self) -\u003e SecretSlice\u003cu8\u003e;\n\n    /// Signs the given data using this key.\n    ///\n    /// This operation **must** be re-usable, meaning this method can be\n    /// called multiple times with different data to sign.\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e;\n}\n\n/// The different curve algorithm combinations that can be supported\n/// by a crypto backend.\n#[derive(Debug, Clone, Copy, PartialEq, Eq)]\npub(crate) enum CurveAlgorithm {\n    /// The Ed25519 curve.\n    Ed25519,\n    /// The Ed448 curve.\n    Ed448,\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","interface","rsa.rs"],"content":"//! The interfaces for RSA.\n\nuse alloc::vec::Vec;\n\nuse secrecy::SecretSlice;\n\nuse crate::{crypto::Result, jwa};\n\n/// Part of the [`PrivateKeyComponents`], which includes additional information\n/// about the prime numbers.\n#[derive(Clone)]\npub(crate) struct PrivateKeyPrimeComponents {\n    pub p: SecretSlice\u003cu8\u003e,\n    pub q: SecretSlice\u003cu8\u003e,\n    pub dp: SecretSlice\u003cu8\u003e,\n    pub dq: SecretSlice\u003cu8\u003e,\n    pub qi: SecretSlice\u003cu8\u003e,\n}\n\n/// The components of a private key.\n///\n/// All fields in this struct are of type `Vec\u003cu8\u003e` and are\n/// big integers represented in big endian bytes.\n#[derive(Clone)]\npub(crate) struct PrivateKeyComponents {\n    pub d: SecretSlice\u003cu8\u003e,\n    pub prime: PrivateKeyPrimeComponents,\n}\n\n/// The components of a public key.\n///\n/// All fields in this struct are of type `Vec\u003cu8\u003e` and are\n/// big integers represented in big endian bytes.\n#[derive(Clone, PartialEq, Eq)]\npub(crate) struct PublicKeyComponents {\n    pub n: Vec\u003cu8\u003e,\n    pub e: Vec\u003cu8\u003e,\n}\n\n/// The common operations for an RSA private key.\npub(crate) trait PrivateKey: Sized {\n    /// The signature type that is produced by this key.\n    type Signature: Into\u003cVec\u003cu8\u003e\u003e + AsRef\u003c[u8]\u003e;\n\n    /// The public key type.\n    type PublicKey: PublicKey;\n\n    /// Generates a new rsa private key with the given number of bits.\n    fn generate(bits: usize) -\u003e Result\u003cSelf\u003e;\n\n    /// Creates a new RSA private key from the given private \u0026 public key\n    /// components.\n    fn from_components(private: PrivateKeyComponents, public: PublicKeyComponents) -\u003e Result\u003cSelf\u003e;\n\n    /// Creates a new public key from this private key.\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey;\n\n    /// Returns the private key components.\n    fn private_components(\u0026self) -\u003e Result\u003cPrivateKeyComponents\u003e;\n\n    /// Returns the public key components.\n    fn public_components(\u0026self) -\u003e PublicKeyComponents;\n\n    /// Signs the given data using this key.\n    ///\n    /// This operation **must** be re-usable, meaning this method can be\n    /// called multiple times with different data to sign.\n    fn sign(\u0026mut self, alg: jwa::RsaSigning, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e;\n}\n\n/// The common operations for an RSA public key.\npub(crate) trait PublicKey: Sized {\n    /// Creates a new RSA public key from the given public key components.\n    fn from_components(components: PublicKeyComponents) -\u003e Result\u003cSelf\u003e;\n\n    /// Returns the public key components.\n    fn components(\u0026self) -\u003e PublicKeyComponents;\n\n    /// Verifies if the message is valid for the given signature and algorithm.\n    ///\n    /// Returns `true` if the signature is valid, `false` otherwise.\n    fn verify(\u0026mut self, alg: jwa::RsaSigning, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e;\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","interface.rs"],"content":"//! Common traits that define the API each backend must implement.\n\nuse core::{error, fmt};\n\npub(crate) mod ec;\npub(crate) mod hmac;\npub(crate) mod okp;\npub(crate) mod rsa;\n\n/// The backend trait that all backends must implement.\n///\n/// This trait is used to define some commonly used operations, like generating\n/// random data.\npub(crate) trait Backend {\n    /// The error type that is used by this backend.\n    type Error: fmt::Debug + fmt::Display + error::Error;\n\n    /// The HMAC key type.\n    type HmacKey: hmac::Key;\n\n    /// The RSA private key type.\n    type RsaPrivateKey: rsa::PrivateKey;\n\n    /// The RSA public key type.\n    type RsaPublicKey: rsa::PublicKey;\n\n    /// The EC public key type.\n    type EcPublicKey: ec::PublicKey;\n\n    /// The EC private key type.\n    type EcPrivateKey: ec::PrivateKey;\n\n    /// The ED public key type.\n    type EdPublicKey: okp::PublicKey;\n\n    /// The ED private key type.\n    type EdPrivateKey: okp::PrivateKey;\n\n    /// Fills the given buffer with random data.\n    fn fill_random(buf: \u0026mut [u8]) -\u003e Result\u003c(), Self::Error\u003e;\n\n    /// Performs a quick Sha256 of the given data.\n    fn sha256(data: \u0026[u8]) -\u003e [u8; 32];\n\n    /// Performs a quick Sha384 of the given data.\n    fn sha384(data: \u0026[u8]) -\u003e [u8; 48];\n\n    /// Performs a quick Sha512 of the given data.\n    fn sha512(data: \u0026[u8]) -\u003e [u8; 64];\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","openssl","ec.rs"],"content":"use alloc::vec::Vec;\n\nuse openssl::{\n    bn::{BigNum, BigNumContext},\n    ec::{EcGroup, EcKey},\n    ecdsa::EcdsaSig,\n    hash::MessageDigest,\n    md::Md,\n    md_ctx::MdCtx,\n    pkey::{PKey, Private, Public},\n    sign::Verifier,\n};\nuse secrecy::{ExposeSecret, SecretSlice};\n\nuse crate::{\n    crypto::{\n        backend::interface::ec,\n        ec::{coordinate_size, scalar_size},\n        Result,\n    },\n    jwa::{self, EcDSA},\n};\n\nfn ec_group(alg: jwa::EcDSA) -\u003e Result\u003cEcGroup\u003e {\n    let group = match alg {\n        EcDSA::Es256 =\u003e EcGroup::from_curve_name(openssl::nid::Nid::X9_62_PRIME256V1)?,\n        EcDSA::Es384 =\u003e EcGroup::from_curve_name(openssl::nid::Nid::SECP384R1)?,\n        EcDSA::Es512 =\u003e EcGroup::from_curve_name(openssl::nid::Nid::SECP521R1)?,\n        EcDSA::Es256K =\u003e EcGroup::from_curve_name(openssl::nid::Nid::SECP256K1)?,\n    };\n\n    Ok(group)\n}\n\nfn digest(alg: jwa::EcDSA) -\u003e MessageDigest {\n    match alg {\n        EcDSA::Es256 =\u003e MessageDigest::sha256(),\n        EcDSA::Es384 =\u003e MessageDigest::sha384(),\n        EcDSA::Es512 =\u003e MessageDigest::sha512(),\n        EcDSA::Es256K =\u003e MessageDigest::sha256(),\n    }\n}\n\n/// A low level private EC key.\n#[derive(Clone)]\npub(crate) struct PrivateKey {\n    alg: jwa::EcDSA,\n\n    key: PKey\u003cPrivate\u003e,\n    public_key: PKey\u003cPublic\u003e,\n\n    d: SecretSlice\u003cu8\u003e,\n    x: Vec\u003cu8\u003e,\n    y: Vec\u003cu8\u003e,\n}\n\nimpl ec::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(alg: jwa::EcDSA) -\u003e Result\u003cSelf\u003e {\n        let group = ec_group(alg)?;\n\n        let ec_key = EcKey::generate(\u0026group)?;\n        ec_key.check_key()?;\n\n        let public_point = ec_key.public_key();\n        let public_key = EcKey::from_public_key(\u0026group, public_point)?;\n\n        let mut x = BigNum::new()?;\n        let mut y = BigNum::new()?;\n        let mut ctx = BigNumContext::new()?;\n        public_point.affine_coordinates(\u0026group, \u0026mut x, \u0026mut y, \u0026mut ctx)?;\n\n        let coordinate_size = coordinate_size(alg) as i32;\n        Ok(Self {\n            alg,\n            public_key: PKey::from_ec_key(public_key)?,\n            d: SecretSlice::from(\n                ec_key\n                    .private_key()\n                    .to_vec_padded(scalar_size(alg) as i32)?,\n            ),\n            key: PKey::from_ec_key(ec_key)?,\n            x: x.to_vec_padded(coordinate_size)?,\n            y: y.to_vec_padded(coordinate_size)?,\n        })\n    }\n\n    fn new(alg: EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let group = ec_group(alg)?;\n\n        let d = BigNum::from_slice(d.expose_secret())?;\n        let x = BigNum::from_slice(\u0026x)?;\n        let y = BigNum::from_slice(\u0026y)?;\n\n        let public_key = EcKey::from_public_key_affine_coordinates(\u0026group, \u0026x, \u0026y)?;\n        public_key.check_key()?;\n\n        let key = EcKey::from_private_components(\u0026group, \u0026d, public_key.public_key())?;\n        key.check_key()?;\n\n        let coordinate_size = coordinate_size(alg) as i32;\n        Ok(Self {\n            alg,\n            key: PKey::from_ec_key(key.clone())?,\n            d: SecretSlice::from(key.private_key().to_vec_padded(scalar_size(alg) as i32)?),\n            public_key: PKey::from_ec_key(public_key)?,\n            x: x.to_vec_padded(coordinate_size)?,\n            y: y.to_vec_padded(coordinate_size)?,\n        })\n    }\n\n    fn private_material(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        self.d.clone()\n    }\n\n    #[inline]\n    fn public_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        (self.x.clone(), self.y.clone())\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            digest: digest(self.alg),\n            key: self.public_key.clone(),\n            x: self.x.clone(),\n            y: self.y.clone(),\n        }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8], deterministic: bool) -\u003e Result\u003cSelf::Signature\u003e {\n        let mut md_ctx = MdCtx::new()?;\n\n        let md = match self.alg {\n            EcDSA::Es256 =\u003e Md::sha256(),\n            EcDSA::Es384 =\u003e Md::sha384(),\n            EcDSA::Es512 =\u003e Md::sha512(),\n            EcDSA::Es256K =\u003e Md::sha256(),\n        };\n\n        #[allow(unused_variables)]\n        let pkey_ctx = md_ctx.digest_sign_init(Some(md), \u0026self.key)?;\n\n        if deterministic {\n            #[cfg(all(not(feature = \"crypto-aws-lc\"), openssl320))]\n            pkey_ctx.set_nonce_type(openssl::pkey_ctx::NonceType::DETERMINISTIC_K)?;\n\n            #[cfg(any(feature = \"crypto-aws-lc\", not(openssl320)))]\n            return Err(super::BackendError::Unsupported(\n                \"deterministic signing for EcDSA\".to_string(),\n            )\n            .into());\n        }\n\n        md_ctx.digest_update(data)?;\n\n        let mut der_sig = vec![];\n        md_ctx.digest_sign_final_to_vec(\u0026mut der_sig)?;\n\n        // the returned signature is in DER format, we need to convert it according\n        // to Section 3.4 of RFC 7518\n        let signature = EcdsaSig::from_der(\u0026der_sig)?;\n        let r = signature.r().to_vec_padded(32)?;\n        let s = signature.s().to_vec_padded(32)?;\n\n        let mut sig = Vec::with_capacity(r.len() + s.len());\n        sig.extend_from_slice(\u0026r);\n        sig.extend_from_slice(\u0026s);\n\n        Ok(sig)\n    }\n}\n\n/// A low level public EC key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    digest: MessageDigest,\n    key: PKey\u003cPublic\u003e,\n    x: Vec\u003cu8\u003e,\n    y: Vec\u003cu8\u003e,\n}\n\nimpl ec::PublicKey for PublicKey {\n    fn new(alg: EcDSA, raw_x: Vec\u003cu8\u003e, raw_y: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let group = ec_group(alg)?;\n\n        let x = BigNum::from_slice(\u0026raw_x)?;\n        let y = BigNum::from_slice(\u0026raw_y)?;\n\n        let public_key = EcKey::from_public_key_affine_coordinates(\u0026group, \u0026x, \u0026y)?;\n        public_key.check_key()?;\n        let key = PKey::from_ec_key(public_key)?;\n\n        let coordinate_size = coordinate_size(alg) as i32;\n        Ok(Self {\n            digest: digest(alg),\n            key,\n            x: x.to_vec_padded(coordinate_size)?,\n            y: y.to_vec_padded(coordinate_size)?,\n        })\n    }\n\n    fn to_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        (self.x.clone(), self.y.clone())\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        // the signature is r and s concatenated, but we need it in DER format for\n        // OpenSSL\n\n        let (r, s) = signature.split_at(signature.len() / 2);\n        let r = BigNum::from_slice(r)?;\n        let s = BigNum::from_slice(s)?;\n\n        let signature = EcdsaSig::from_private_components(r, s)?.to_der()?;\n\n        let mut verifier = Verifier::new(self.digest, \u0026self.key)?;\n        verifier.update(msg)?;\n        let valid = verifier.verify(\u0026signature)?;\n\n        Ok(valid)\n    }\n}\n","traces":[{"line":24,"address":[],"length":0,"stats":{"Line":31}},{"line":25,"address":[],"length":0,"stats":{"Line":62}},{"line":26,"address":[],"length":0,"stats":{"Line":11}},{"line":27,"address":[],"length":0,"stats":{"Line":7}},{"line":28,"address":[],"length":0,"stats":{"Line":7}},{"line":29,"address":[],"length":0,"stats":{"Line":6}},{"line":35,"address":[],"length":0,"stats":{"Line":52}},{"line":36,"address":[],"length":0,"stats":{"Line":52}},{"line":37,"address":[],"length":0,"stats":{"Line":18}},{"line":38,"address":[],"length":0,"stats":{"Line":12}},{"line":39,"address":[],"length":0,"stats":{"Line":12}},{"line":40,"address":[],"length":0,"stats":{"Line":10}},{"line":61,"address":[],"length":0,"stats":{"Line":3}},{"line":62,"address":[],"length":0,"stats":{"Line":6}},{"line":64,"address":[],"length":0,"stats":{"Line":3}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":3}},{"line":68,"address":[],"length":0,"stats":{"Line":3}},{"line":70,"address":[],"length":0,"stats":{"Line":3}},{"line":71,"address":[],"length":0,"stats":{"Line":3}},{"line":72,"address":[],"length":0,"stats":{"Line":3}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":3}},{"line":76,"address":[],"length":0,"stats":{"Line":3}},{"line":77,"address":[],"length":0,"stats":{"Line":3}},{"line":78,"address":[],"length":0,"stats":{"Line":3}},{"line":79,"address":[],"length":0,"stats":{"Line":3}},{"line":80,"address":[],"length":0,"stats":{"Line":3}},{"line":81,"address":[],"length":0,"stats":{"Line":3}},{"line":82,"address":[],"length":0,"stats":{"Line":3}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":3}},{"line":86,"address":[],"length":0,"stats":{"Line":3}},{"line":90,"address":[],"length":0,"stats":{"Line":14}},{"line":91,"address":[],"length":0,"stats":{"Line":28}},{"line":93,"address":[],"length":0,"stats":{"Line":14}},{"line":94,"address":[],"length":0,"stats":{"Line":14}},{"line":95,"address":[],"length":0,"stats":{"Line":14}},{"line":97,"address":[],"length":0,"stats":{"Line":14}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":100,"address":[],"length":0,"stats":{"Line":28}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":14}},{"line":104,"address":[],"length":0,"stats":{"Line":14}},{"line":105,"address":[],"length":0,"stats":{"Line":14}},{"line":106,"address":[],"length":0,"stats":{"Line":14}},{"line":107,"address":[],"length":0,"stats":{"Line":28}},{"line":108,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":14}},{"line":110,"address":[],"length":0,"stats":{"Line":14}},{"line":114,"address":[],"length":0,"stats":{"Line":8}},{"line":115,"address":[],"length":0,"stats":{"Line":8}},{"line":119,"address":[],"length":0,"stats":{"Line":8}},{"line":120,"address":[],"length":0,"stats":{"Line":8}},{"line":123,"address":[],"length":0,"stats":{"Line":38}},{"line":125,"address":[],"length":0,"stats":{"Line":38}},{"line":126,"address":[],"length":0,"stats":{"Line":38}},{"line":127,"address":[],"length":0,"stats":{"Line":38}},{"line":128,"address":[],"length":0,"stats":{"Line":38}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":133,"address":[],"length":0,"stats":{"Line":0}},{"line":136,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":138,"address":[],"length":0,"stats":{"Line":0}},{"line":139,"address":[],"length":0,"stats":{"Line":0}},{"line":143,"address":[],"length":0,"stats":{"Line":0}},{"line":147,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":158,"address":[],"length":0,"stats":{"Line":0}},{"line":159,"address":[],"length":0,"stats":{"Line":0}},{"line":163,"address":[],"length":0,"stats":{"Line":0}},{"line":164,"address":[],"length":0,"stats":{"Line":0}},{"line":165,"address":[],"length":0,"stats":{"Line":0}},{"line":185,"address":[],"length":0,"stats":{"Line":14}},{"line":186,"address":[],"length":0,"stats":{"Line":28}},{"line":188,"address":[],"length":0,"stats":{"Line":14}},{"line":189,"address":[],"length":0,"stats":{"Line":14}},{"line":191,"address":[],"length":0,"stats":{"Line":14}},{"line":192,"address":[],"length":0,"stats":{"Line":0}},{"line":193,"address":[],"length":0,"stats":{"Line":28}},{"line":199,"address":[],"length":0,"stats":{"Line":0}},{"line":200,"address":[],"length":0,"stats":{"Line":14}},{"line":204,"address":[],"length":0,"stats":{"Line":93}},{"line":205,"address":[],"length":0,"stats":{"Line":93}},{"line":208,"address":[],"length":0,"stats":{"Line":0}},{"line":212,"address":[],"length":0,"stats":{"Line":0}},{"line":213,"address":[],"length":0,"stats":{"Line":0}},{"line":214,"address":[],"length":0,"stats":{"Line":0}},{"line":216,"address":[],"length":0,"stats":{"Line":0}},{"line":218,"address":[],"length":0,"stats":{"Line":0}},{"line":219,"address":[],"length":0,"stats":{"Line":0}},{"line":220,"address":[],"length":0,"stats":{"Line":0}}],"covered":62,"coverable":92},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","openssl","hmac.rs"],"content":"use openssl::{\n    hash::MessageDigest,\n    pkey::{PKey, Private},\n    sign::Signer,\n};\n\nuse crate::{\n    crypto::{backend::interface::hmac, Result},\n    jwa,\n};\n\n/// A low level HMAC key.\npub(crate) struct Key {\n    inner: PKey\u003cPrivate\u003e,\n    digest: MessageDigest,\n}\n\nimpl hmac::Key for Key {\n    type Signature = Vec\u003cu8\u003e;\n\n    fn new(variant: jwa::Hmac, data: \u0026[u8]) -\u003e Result\u003cSelf\u003e {\n        Ok(Self {\n            digest: match variant {\n                jwa::Hmac::Hs256 =\u003e MessageDigest::sha256(),\n                jwa::Hmac::Hs384 =\u003e MessageDigest::sha384(),\n                jwa::Hmac::Hs512 =\u003e MessageDigest::sha512(),\n            },\n            inner: PKey::hmac(data)?,\n        })\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let mut signer = Signer::new(self.digest, \u0026self.inner)?;\n        signer.update(data)?;\n        let sig = signer.sign_to_vec()?;\n        Ok(sig)\n    }\n}\n","traces":[{"line":21,"address":[],"length":0,"stats":{"Line":1}},{"line":22,"address":[],"length":0,"stats":{"Line":1}},{"line":23,"address":[],"length":0,"stats":{"Line":1}},{"line":24,"address":[],"length":0,"stats":{"Line":1}},{"line":25,"address":[],"length":0,"stats":{"Line":0}},{"line":26,"address":[],"length":0,"stats":{"Line":0}},{"line":28,"address":[],"length":0,"stats":{"Line":1}},{"line":32,"address":[],"length":0,"stats":{"Line":0}},{"line":33,"address":[],"length":0,"stats":{"Line":0}},{"line":34,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}}],"covered":5,"coverable":11},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","openssl","okp.rs"],"content":"use openssl::{\n    pkey::{Id, PKey, Private, Public},\n    sign::{Signer, Verifier},\n};\nuse secrecy::{ExposeSecret, SecretSlice};\n\nuse crate::crypto::{backend::interface::okp, Result};\n\nfn id_from_alg(alg: okp::CurveAlgorithm) -\u003e Result\u003cId\u003e {\n    Ok(match alg {\n        okp::CurveAlgorithm::Ed25519 =\u003e Id::ED25519,\n        #[cfg(not(feature = \"crypto-aws-lc\"))]\n        okp::CurveAlgorithm::Ed448 =\u003e Id::ED448,\n        #[cfg(feature = \"crypto-aws-lc\")]\n        okp::CurveAlgorithm::Ed448 =\u003e {\n            return Err(super::BackendError::Unsupported(\"Ed448\".to_string()).into())\n        }\n    })\n}\n\n/// A low level private ED key.\n#[derive(Clone)]\npub(crate) struct PrivateKey {\n    key: PKey\u003cPrivate\u003e,\n    public_key: PKey\u003cPublic\u003e,\n\n    raw: SecretSlice\u003cu8\u003e,\n    raw_public_key: Vec\u003cu8\u003e,\n}\n\nimpl okp::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(alg: okp::CurveAlgorithm) -\u003e Result\u003cSelf\u003e {\n        let key = match alg {\n            okp::CurveAlgorithm::Ed25519 =\u003e PKey::generate_ed25519()?,\n            #[cfg(not(feature = \"crypto-aws-lc\"))]\n            okp::CurveAlgorithm::Ed448 =\u003e PKey::generate_ed448()?,\n            #[cfg(feature = \"crypto-aws-lc\")]\n            okp::CurveAlgorithm::Ed448 =\u003e {\n                return Err(super::BackendError::Unsupported(\"Ed448\".to_string()).into())\n            }\n        };\n\n        let raw_public_key = key.raw_public_key()?;\n        let public_key = PKey::public_key_from_raw_bytes(\u0026raw_public_key, id_from_alg(alg)?)?;\n\n        Ok(Self {\n            raw: SecretSlice::from(key.raw_private_key()?),\n            public_key,\n            key,\n            raw_public_key,\n        })\n    }\n\n    fn new(alg: okp::CurveAlgorithm, x: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let key_type = id_from_alg(alg)?;\n\n        let key = PKey::private_key_from_raw_bytes(d.expose_secret(), key_type)?;\n        let public_key = PKey::public_key_from_raw_bytes(\u0026x, key_type)?;\n\n        Ok(Self {\n            raw: SecretSlice::from(key.raw_private_key()?),\n            raw_public_key: public_key.raw_public_key()?,\n            public_key,\n            key,\n        })\n    }\n\n    #[inline]\n    fn to_bytes(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        self.raw.clone()\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        Self::PublicKey {\n            key: self.public_key.clone(),\n            raw: self.raw_public_key.clone(),\n        }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let mut signer = Signer::new_without_digest(\u0026self.key)?;\n        let sig = signer.sign_oneshot_to_vec(data)?;\n\n        Ok(sig)\n    }\n}\n\n/// A low level public ED key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    key: PKey\u003cPublic\u003e,\n    raw: Vec\u003cu8\u003e,\n}\n\nimpl okp::PublicKey for PublicKey {\n    fn new(alg: okp::CurveAlgorithm, x: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let key_type = id_from_alg(alg)?;\n        let key = PKey::public_key_from_raw_bytes(\u0026x, key_type)?;\n\n        Ok(Self {\n            raw: key.raw_public_key()?,\n            key,\n        })\n    }\n\n    fn to_bytes(\u0026self) -\u003e Vec\u003cu8\u003e {\n        self.raw.clone()\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        let mut verifier = Verifier::new_without_digest(\u0026self.key)?;\n        let valid = verifier.verify_oneshot(signature, msg)?;\n\n        Ok(valid)\n    }\n}\n","traces":[{"line":9,"address":[],"length":0,"stats":{"Line":14}},{"line":10,"address":[],"length":0,"stats":{"Line":14}},{"line":11,"address":[],"length":0,"stats":{"Line":7}},{"line":13,"address":[],"length":0,"stats":{"Line":7}},{"line":35,"address":[],"length":0,"stats":{"Line":2}},{"line":36,"address":[],"length":0,"stats":{"Line":4}},{"line":37,"address":[],"length":0,"stats":{"Line":1}},{"line":39,"address":[],"length":0,"stats":{"Line":1}},{"line":46,"address":[],"length":0,"stats":{"Line":2}},{"line":47,"address":[],"length":0,"stats":{"Line":4}},{"line":50,"address":[],"length":0,"stats":{"Line":2}},{"line":57,"address":[],"length":0,"stats":{"Line":6}},{"line":58,"address":[],"length":0,"stats":{"Line":12}},{"line":60,"address":[],"length":0,"stats":{"Line":6}},{"line":61,"address":[],"length":0,"stats":{"Line":6}},{"line":64,"address":[],"length":0,"stats":{"Line":6}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":6}},{"line":67,"address":[],"length":0,"stats":{"Line":6}},{"line":72,"address":[],"length":0,"stats":{"Line":4}},{"line":73,"address":[],"length":0,"stats":{"Line":4}},{"line":76,"address":[],"length":0,"stats":{"Line":22}},{"line":78,"address":[],"length":0,"stats":{"Line":22}},{"line":79,"address":[],"length":0,"stats":{"Line":22}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":6}},{"line":100,"address":[],"length":0,"stats":{"Line":12}},{"line":101,"address":[],"length":0,"stats":{"Line":6}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":6}},{"line":109,"address":[],"length":0,"stats":{"Line":48}},{"line":110,"address":[],"length":0,"stats":{"Line":48}},{"line":113,"address":[],"length":0,"stats":{"Line":0}},{"line":114,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}}],"covered":29,"coverable":37},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","openssl","rsa.rs"],"content":"use alloc::vec::Vec;\n\nuse openssl::{\n    bn::{BigNum, BigNumRef},\n    hash::MessageDigest,\n    pkey::{PKey, Private, Public},\n    rsa::{Padding, Rsa},\n    sign::{Signer, Verifier},\n};\nuse secrecy::{ExposeSecret, SecretSlice};\n\nuse crate::{\n    crypto::{backend::interface::rsa, Result},\n    jwa,\n};\n\nfn digest(alg: jwa::RsaSigning) -\u003e MessageDigest {\n    match alg {\n        jwa::RsaSigning::Pss(pss) =\u003e match pss {\n            jwa::RsassaPss::Ps256 =\u003e MessageDigest::sha256(),\n            jwa::RsassaPss::Ps384 =\u003e MessageDigest::sha384(),\n            jwa::RsassaPss::Ps512 =\u003e MessageDigest::sha512(),\n        },\n        jwa::RsaSigning::RsPkcs1V1_5(pkcs) =\u003e match pkcs {\n            jwa::RsassaPkcs1V1_5::Rs256 =\u003e MessageDigest::sha256(),\n            jwa::RsassaPkcs1V1_5::Rs384 =\u003e MessageDigest::sha384(),\n            jwa::RsassaPkcs1V1_5::Rs512 =\u003e MessageDigest::sha512(),\n        },\n    }\n}\n\n/// A low level private RSA key.\n#[derive(Clone)]\npub(crate) struct PrivateKey {\n    private_key: PKey\u003cPrivate\u003e,\n    public_key: PKey\u003cPublic\u003e,\n\n    private_data: Rsa\u003cPrivate\u003e,\n    public_data: Rsa\u003cPublic\u003e,\n}\n\nimpl rsa::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(bits: usize) -\u003e Result\u003cSelf\u003e {\n        let private_data = Rsa::generate(bits as u32)?;\n        let public_data = Rsa::from_public_components(\n            private_data.n().to_owned()?,\n            private_data.e().to_owned()?,\n        )?;\n\n        Ok(Self {\n            private_key: PKey::from_rsa(private_data.clone())?,\n            public_key: PKey::from_rsa(public_data.clone())?,\n            private_data,\n            public_data,\n        })\n    }\n\n    fn from_components(\n        pri: rsa::PrivateKeyComponents,\n        pu: rsa::PublicKeyComponents,\n    ) -\u003e Result\u003cSelf\u003e {\n        let n = BigNum::from_slice(\u0026pu.n)?;\n        let e = BigNum::from_slice(\u0026pu.e)?;\n\n        let d = BigNum::from_slice(pri.d.expose_secret())?;\n        let p = BigNum::from_slice(pri.prime.p.expose_secret())?;\n        let q = BigNum::from_slice(pri.prime.q.expose_secret())?;\n        let dp = BigNum::from_slice(pri.prime.dp.expose_secret())?;\n        let dq = BigNum::from_slice(pri.prime.dq.expose_secret())?;\n        let qi = BigNum::from_slice(pri.prime.qi.expose_secret())?;\n\n        let private_data = Rsa::from_private_components(n, e, d, p, q, dp, dq, qi)?;\n        private_data.check_key()?;\n\n        let n = BigNum::from_slice(\u0026pu.n)?;\n        let e = BigNum::from_slice(\u0026pu.e)?;\n        let public_data = Rsa::from_public_components(n, e)?;\n\n        Ok(Self {\n            private_key: PKey::from_rsa(private_data.clone())?,\n            public_key: PKey::from_rsa(public_data.clone())?,\n            private_data,\n            public_data,\n        })\n    }\n\n    fn sign(\u0026mut self, alg: jwa::RsaSigning, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let digest = digest(alg);\n        let mut signer = Signer::new(digest, \u0026self.private_key)?;\n\n        // FIXME: verify correct setting of parameters\n        match alg {\n            jwa::RsaSigning::Pss(..) =\u003e {\n                signer.set_rsa_mgf1_md(digest)?;\n                signer.set_rsa_padding(Padding::PKCS1_PSS)?;\n            }\n            jwa::RsaSigning::RsPkcs1V1_5(..) =\u003e {\n                signer.set_rsa_padding(Padding::PKCS1)?;\n            }\n        }\n\n        signer.update(data)?;\n        let sig = signer.sign_to_vec()?;\n        Ok(sig)\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            key: self.public_key.clone(),\n            data: self.public_data.clone(),\n        }\n    }\n\n    fn private_components(\u0026self) -\u003e Result\u003crsa::PrivateKeyComponents\u003e {\n        let err = || super::BackendError::NoPrimeData;\n        let map = |x: Option\u003c\u0026BigNumRef\u003e| x.map(|x| SecretSlice::from(x.to_vec())).ok_or_else(err);\n\n        let d = SecretSlice::from(self.private_data.d().to_vec());\n\n        let p = map(self.private_data.p())?;\n        let q = map(self.private_data.q())?;\n        let dp = map(self.private_data.dmp1())?;\n        let dq = map(self.private_data.dmq1())?;\n        let qi = map(self.private_data.iqmp())?;\n\n        Ok(rsa::PrivateKeyComponents {\n            d,\n            prime: rsa::PrivateKeyPrimeComponents { p, q, dp, dq, qi },\n        })\n    }\n\n    fn public_components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        let n = self.private_data.n().to_vec();\n        let e = self.private_data.e().to_vec();\n        rsa::PublicKeyComponents { n, e }\n    }\n}\n\n/// A low level public RSA key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    key: PKey\u003cPublic\u003e,\n    data: Rsa\u003cPublic\u003e,\n}\n\nimpl rsa::PublicKey for PublicKey {\n    fn from_components(c: rsa::PublicKeyComponents) -\u003e Result\u003cSelf\u003e {\n        let n = BigNum::from_slice(\u0026c.n)?;\n        let e = BigNum::from_slice(\u0026c.e)?;\n        let data = Rsa::from_public_components(n, e)?;\n\n        Ok(Self {\n            key: PKey::from_rsa(data.clone())?,\n            data,\n        })\n    }\n\n    fn verify(\u0026mut self, alg: jwa::RsaSigning, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        let digest = digest(alg);\n        let mut verifier = Verifier::new(digest, \u0026self.key)?;\n\n        // FIXME: verify correct setting of parameters\n        match alg {\n            jwa::RsaSigning::Pss(..) =\u003e {\n                verifier.set_rsa_mgf1_md(digest)?;\n                verifier.set_rsa_padding(Padding::PKCS1_PSS)?;\n            }\n            jwa::RsaSigning::RsPkcs1V1_5(..) =\u003e {\n                verifier.set_rsa_padding(Padding::PKCS1)?;\n            }\n        }\n\n        verifier.update(msg)?;\n        let valid = verifier.verify(signature)?;\n        Ok(valid)\n    }\n\n    fn components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        rsa::PublicKeyComponents {\n            n: self.data.n().to_vec(),\n            e: self.data.e().to_vec(),\n        }\n    }\n}\n","traces":[{"line":17,"address":[],"length":0,"stats":{"Line":0}},{"line":18,"address":[],"length":0,"stats":{"Line":0}},{"line":19,"address":[],"length":0,"stats":{"Line":0}},{"line":20,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}},{"line":24,"address":[],"length":0,"stats":{"Line":0}},{"line":25,"address":[],"length":0,"stats":{"Line":0}},{"line":26,"address":[],"length":0,"stats":{"Line":0}},{"line":27,"address":[],"length":0,"stats":{"Line":0}},{"line":46,"address":[],"length":0,"stats":{"Line":1}},{"line":47,"address":[],"length":0,"stats":{"Line":2}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":50,"address":[],"length":0,"stats":{"Line":1}},{"line":54,"address":[],"length":0,"stats":{"Line":0}},{"line":55,"address":[],"length":0,"stats":{"Line":1}},{"line":56,"address":[],"length":0,"stats":{"Line":1}},{"line":57,"address":[],"length":0,"stats":{"Line":1}},{"line":61,"address":[],"length":0,"stats":{"Line":6}},{"line":65,"address":[],"length":0,"stats":{"Line":12}},{"line":66,"address":[],"length":0,"stats":{"Line":6}},{"line":68,"address":[],"length":0,"stats":{"Line":6}},{"line":69,"address":[],"length":0,"stats":{"Line":6}},{"line":70,"address":[],"length":0,"stats":{"Line":6}},{"line":71,"address":[],"length":0,"stats":{"Line":6}},{"line":72,"address":[],"length":0,"stats":{"Line":6}},{"line":73,"address":[],"length":0,"stats":{"Line":6}},{"line":75,"address":[],"length":0,"stats":{"Line":6}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":12}},{"line":79,"address":[],"length":0,"stats":{"Line":6}},{"line":80,"address":[],"length":0,"stats":{"Line":6}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":6}},{"line":85,"address":[],"length":0,"stats":{"Line":6}},{"line":86,"address":[],"length":0,"stats":{"Line":6}},{"line":90,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":16}},{"line":112,"address":[],"length":0,"stats":{"Line":16}},{"line":113,"address":[],"length":0,"stats":{"Line":16}},{"line":117,"address":[],"length":0,"stats":{"Line":4}},{"line":118,"address":[],"length":0,"stats":{"Line":4}},{"line":119,"address":[],"length":0,"stats":{"Line":64}},{"line":121,"address":[],"length":0,"stats":{"Line":4}},{"line":123,"address":[],"length":0,"stats":{"Line":8}},{"line":124,"address":[],"length":0,"stats":{"Line":4}},{"line":125,"address":[],"length":0,"stats":{"Line":4}},{"line":126,"address":[],"length":0,"stats":{"Line":4}},{"line":127,"address":[],"length":0,"stats":{"Line":4}},{"line":135,"address":[],"length":0,"stats":{"Line":4}},{"line":136,"address":[],"length":0,"stats":{"Line":4}},{"line":137,"address":[],"length":0,"stats":{"Line":4}},{"line":150,"address":[],"length":0,"stats":{"Line":13}},{"line":151,"address":[],"length":0,"stats":{"Line":26}},{"line":152,"address":[],"length":0,"stats":{"Line":13}},{"line":153,"address":[],"length":0,"stats":{"Line":13}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":157,"address":[],"length":0,"stats":{"Line":13}},{"line":161,"address":[],"length":0,"stats":{"Line":0}},{"line":162,"address":[],"length":0,"stats":{"Line":0}},{"line":163,"address":[],"length":0,"stats":{"Line":0}},{"line":168,"address":[],"length":0,"stats":{"Line":0}},{"line":169,"address":[],"length":0,"stats":{"Line":0}},{"line":172,"address":[],"length":0,"stats":{"Line":0}},{"line":176,"address":[],"length":0,"stats":{"Line":0}},{"line":177,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":63}},{"line":183,"address":[],"length":0,"stats":{"Line":63}},{"line":184,"address":[],"length":0,"stats":{"Line":63}}],"covered":45,"coverable":76},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","openssl.rs"],"content":"//! This backend implements the primitives using the [OpenSSL](openssl) library.\n\nuse thiserror::Error;\n\nuse super::interface;\n\npub(crate) mod ec;\npub(crate) mod hmac;\npub(crate) mod okp;\npub(crate) mod rsa;\n\n#[allow(dead_code)] // may occurr when selecting different OpenSSL variant\n#[derive(Debug, Error)]\npub(crate) enum BackendError {\n    /// An error from the OpenSSL library.\n    #[error(transparent)]\n    OpenSsl(#[from] openssl::error::ErrorStack),\n\n    /// No prime data was found in private key\n    #[error(\"No prime data was found in private key\")]\n    NoPrimeData,\n\n    /// A specific feature is not supported\n    #[error(\"openssl variant does not support feature: {0}\")]\n    Unsupported(String),\n}\n\n/// The [RustCrypto] based backend.\n///\n/// [RustCrypto]: https://github.com/RustCrypto\n#[derive(Debug)]\npub(crate) enum Backend {}\n\nimpl interface::Backend for Backend {\n    type EcPrivateKey = ec::PrivateKey;\n    type EcPublicKey = ec::PublicKey;\n    type EdPrivateKey = okp::PrivateKey;\n    type EdPublicKey = okp::PublicKey;\n    type Error = BackendError;\n    type HmacKey = hmac::Key;\n    type RsaPrivateKey = rsa::PrivateKey;\n    type RsaPublicKey = rsa::PublicKey;\n\n    fn fill_random(buf: \u0026mut [u8]) -\u003e Result\u003c(), Self::Error\u003e {\n        openssl::rand::rand_bytes(buf)?;\n        Ok(())\n    }\n\n    fn sha256(data: \u0026[u8]) -\u003e [u8; 32] {\n        openssl::sha::sha256(data)\n    }\n\n    fn sha384(data: \u0026[u8]) -\u003e [u8; 48] {\n        openssl::sha::sha384(data)\n    }\n\n    fn sha512(data: \u0026[u8]) -\u003e [u8; 64] {\n        openssl::sha::sha512(data)\n    }\n}\n","traces":[{"line":44,"address":[],"length":0,"stats":{"Line":1}},{"line":45,"address":[],"length":0,"stats":{"Line":1}},{"line":46,"address":[],"length":0,"stats":{"Line":1}},{"line":49,"address":[],"length":0,"stats":{"Line":33}},{"line":50,"address":[],"length":0,"stats":{"Line":33}},{"line":53,"address":[],"length":0,"stats":{"Line":21}},{"line":54,"address":[],"length":0,"stats":{"Line":21}},{"line":57,"address":[],"length":0,"stats":{"Line":21}},{"line":58,"address":[],"length":0,"stats":{"Line":21}}],"covered":9,"coverable":9},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","ring","ec.rs"],"content":"use alloc::{boxed::Box, vec::Vec};\n\nuse ring::{\n    rand::SystemRandom,\n    signature::{self, EcdsaKeyPair, UnparsedPublicKey},\n};\nuse secrecy::{ExposeSecret as _, SecretSlice};\n\nuse crate::{\n    crypto::{backend::interface::ec, Result},\n    jwa::{self, EcDSA},\n};\n\n/// Converts x and y coordinates to a sequence that is compatible\n/// with the \"Octet-String-to-Elliptic-Curve-Point Conversion\" algorithm\n/// defined in Section 2.3.4 of https://www.secg.org/sec1-v2.pdf\nfn make_public_key(x: \u0026[u8], y: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n    let mut pubkey = Vec::with_capacity(x.len() + y.len() + 1);\n    pubkey.push(0x04); // uncompressed point\n    pubkey.extend_from_slice(x);\n    pubkey.extend_from_slice(y);\n    pubkey\n}\n\npub(crate) struct PrivateKeyData {\n    key: EcdsaKeyPair,\n    private_material: SecretSlice\u003cu8\u003e,\n\n    pub_key: UnparsedPublicKey\u003cVec\u003cu8\u003e\u003e,\n    x: Vec\u003cu8\u003e,\n    y: Vec\u003cu8\u003e,\n}\n\n/// A low level private EC key.\npub(crate) struct PrivateKey {\n    alg: \u0026'static signature::EcdsaSigningAlgorithm,\n    data: Box\u003cPrivateKeyData\u003e,\n}\n\nimpl Clone for PrivateKey {\n    fn clone(\u0026self) -\u003e Self {\n        Self {\n            alg: self.alg,\n            data: Box::new(PrivateKeyData {\n                key: EcdsaKeyPair::from_private_key_and_public_key(\n                    self.alg,\n                    self.data.private_material.expose_secret(),\n                    self.data.pub_key.as_ref(),\n                    \u0026SystemRandom::new(),\n                )\n                .expect(\"this method was already successful with the exact same data\"),\n                private_material: self.data.private_material.clone(),\n                pub_key: self.data.pub_key.clone(),\n                x: self.data.x.clone(),\n                y: self.data.y.clone(),\n            }),\n        }\n    }\n}\n\nimpl ec::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(_alg: jwa::EcDSA) -\u003e Result\u003cSelf\u003e {\n        Err(super::BackendError::Unsupported(\"EcDSA key generation\").into())\n    }\n\n    fn new(alg: EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let (sign_alg, verify_alg) = match alg {\n            EcDSA::Es256 =\u003e (\n                \u0026signature::ECDSA_P256_SHA256_FIXED_SIGNING,\n                \u0026signature::ECDSA_P256_SHA256_FIXED,\n            ),\n            EcDSA::Es384 =\u003e (\n                \u0026signature::ECDSA_P384_SHA384_FIXED_SIGNING,\n                \u0026signature::ECDSA_P384_SHA384_FIXED,\n            ),\n            EcDSA::Es512 =\u003e return Err(super::BackendError::UnsupportedCurve(\"P-521\").into()),\n            EcDSA::Es256K =\u003e return Err(super::BackendError::UnsupportedCurve(\"secp256k1\").into()),\n        };\n\n        let rng = SystemRandom::new();\n        let pubkey = make_public_key(\u0026x, \u0026y);\n\n        let keypair = EcdsaKeyPair::from_private_key_and_public_key(\n            sign_alg,\n            d.expose_secret(),\n            \u0026pubkey,\n            \u0026rng,\n        )?;\n\n        Ok(Self {\n            alg: sign_alg,\n            data: Box::new(PrivateKeyData {\n                key: keypair,\n                private_material: d,\n                pub_key: UnparsedPublicKey::new(verify_alg, pubkey),\n                x,\n                y,\n            }),\n        })\n    }\n\n    fn private_material(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        self.data.private_material.clone()\n    }\n\n    #[inline]\n    fn public_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        (self.data.x.clone(), self.data.y.clone())\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            inner: self.data.pub_key.clone(),\n            x: self.data.x.clone(),\n            y: self.data.y.clone(),\n        }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8], deterministic: bool) -\u003e Result\u003cSelf::Signature\u003e {\n        if deterministic {\n            return Err(super::BackendError::Unsupported(\"deterministic EcDSA signing\").into());\n        }\n\n        let sig = self.data.key.sign(\u0026SystemRandom::new(), data)?;\n        Ok(sig.as_ref().to_vec())\n    }\n}\n\n/// A low level public EC key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    inner: UnparsedPublicKey\u003cVec\u003cu8\u003e\u003e,\n    x: Vec\u003cu8\u003e,\n    y: Vec\u003cu8\u003e,\n}\n\nimpl ec::PublicKey for PublicKey {\n    fn new(alg: EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let verify_alg = match alg {\n            EcDSA::Es256 =\u003e \u0026signature::ECDSA_P256_SHA256_FIXED,\n            EcDSA::Es384 =\u003e \u0026signature::ECDSA_P384_SHA384_FIXED,\n            EcDSA::Es512 =\u003e return Err(super::BackendError::UnsupportedCurve(\"P-521\").into()),\n            EcDSA::Es256K =\u003e return Err(super::BackendError::UnsupportedCurve(\"secp256k1\").into()),\n        };\n\n        let pubkey = UnparsedPublicKey::new(verify_alg, make_public_key(\u0026x, \u0026y));\n        Ok(Self {\n            inner: pubkey,\n            x,\n            y,\n        })\n    }\n\n    fn to_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        (self.x.clone(), self.y.clone())\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        Ok(self.inner.verify(msg, signature).is_ok())\n    }\n}\n","traces":[{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":2},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","ring","hmac.rs"],"content":"use ring::hmac::Key as RingKey;\n\nuse crate::{\n    crypto::{backend::interface::hmac, Result},\n    jwa,\n};\n\n/// A low level HMAC key.\n#[repr(transparent)]\npub(crate) struct Key {\n    inner: RingKey,\n}\n\nimpl hmac::Key for Key {\n    type Signature = ring::hmac::Tag;\n\n    fn new(variant: jwa::Hmac, data: \u0026[u8]) -\u003e Result\u003cSelf\u003e {\n        let key = match variant {\n            jwa::Hmac::Hs256 =\u003e RingKey::new(ring::hmac::HMAC_SHA256, data),\n            jwa::Hmac::Hs384 =\u003e RingKey::new(ring::hmac::HMAC_SHA384, data),\n            jwa::Hmac::Hs512 =\u003e RingKey::new(ring::hmac::HMAC_SHA512, data),\n        };\n\n        Ok(Self { inner: key })\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        Ok(ring::hmac::sign(\u0026self.inner, data))\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","ring","okp.rs"],"content":"use alloc::vec::Vec;\n\nuse ring::signature::{Ed25519KeyPair, KeyPair as _, UnparsedPublicKey};\nuse secrecy::{ExposeSecret, SecretSlice};\n\nuse crate::crypto::{backend::interface::okp, Result};\n\n/// A low level public ED key.\npub(crate) struct PrivateKey {\n    inner: Ed25519KeyPair,\n    d: SecretSlice\u003cu8\u003e,\n}\n\nimpl Clone for PrivateKey {\n    fn clone(\u0026self) -\u003e Self {\n        Self {\n            inner: Ed25519KeyPair::from_seed_and_public_key(\n                self.d.expose_secret(),\n                self.inner.public_key().as_ref(),\n            )\n            .expect(\"this method was already successful with the exact same data\"),\n            d: self.d.clone(),\n        }\n    }\n}\n\nimpl okp::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(_alg: okp::CurveAlgorithm) -\u003e Result\u003cSelf\u003e {\n        Err(super::BackendError::Unsupported(\"Ed25519 key generation\").into())\n    }\n\n    fn new(alg: okp::CurveAlgorithm, x: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        if alg != okp::CurveAlgorithm::Ed25519 {\n            return Err(super::BackendError::UnsupportedCurve(\"Ed2559\").into());\n        }\n\n        let key = Ed25519KeyPair::from_seed_and_public_key(d.expose_secret(), \u0026x)?;\n\n        Ok(Self { inner: key, d })\n    }\n\n    fn to_bytes(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        self.d.clone()\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            inner: UnparsedPublicKey::new(\n                \u0026ring::signature::ED25519,\n                self.inner.public_key().as_ref().to_vec(),\n            ),\n        }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let sig = self.inner.sign(data);\n        Ok(sig.as_ref().to_vec())\n    }\n}\n\n/// A low level public ED key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    inner: UnparsedPublicKey\u003cVec\u003cu8\u003e\u003e,\n}\n\nimpl okp::PublicKey for PublicKey {\n    fn new(alg: okp::CurveAlgorithm, x: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        if alg != okp::CurveAlgorithm::Ed25519 {\n            return Err(super::BackendError::UnsupportedCurve(\"Ed2559\").into());\n        }\n\n        let key = UnparsedPublicKey::new(\u0026ring::signature::ED25519, x);\n        Ok(Self { inner: key })\n    }\n\n    fn to_bytes(\u0026self) -\u003e Vec\u003cu8\u003e {\n        self.inner.as_ref().to_vec()\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        Ok(self.inner.verify(msg, signature).is_ok())\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","ring","rsa.rs"],"content":"use alloc::{vec, vec::Vec};\n\nuse ring::{\n    rand::SystemRandom,\n    rsa::{KeyPair, KeyPairComponents, PublicKeyComponents, RsaParameters},\n    signature::RsaEncoding,\n};\nuse secrecy::ExposeSecret;\n\nuse crate::{\n    crypto::{backend::interface::rsa, Result},\n    jwa::{self, RsaSigning, RsassaPkcs1V1_5, RsassaPss},\n};\n\n/// A low level private RSA key.\npub(crate) struct PrivateKey {\n    inner: KeyPair,\n\n    // store this data, as ring doesn't provide a way to access it\n    private_components: rsa::PrivateKeyComponents,\n    public_components: rsa::PublicKeyComponents,\n}\n\nimpl Clone for PrivateKey {\n    fn clone(\u0026self) -\u003e Self {\n        let pri = \u0026self.private_components;\n        let pu = \u0026self.public_components;\n        let components = KeyPairComponents {\n            public_key: PublicKeyComponents { n: \u0026pu.n, e: \u0026pu.e },\n            d: pri.d.expose_secret(),\n            p: pri.prime.p.expose_secret(),\n            q: pri.prime.q.expose_secret(),\n            dP: pri.prime.dp.expose_secret(),\n            dQ: pri.prime.dq.expose_secret(),\n            qInv: pri.prime.qi.expose_secret(),\n        };\n\n        Self {\n            inner: KeyPair::from_components(\u0026components)\n                .expect(\"this method was already successful with the exact same data\"),\n            private_components: self.private_components.clone(),\n            public_components: self.public_components.clone(),\n        }\n    }\n}\n\nimpl rsa::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(_bits: usize) -\u003e Result\u003cSelf\u003e {\n        Err(super::BackendError::Unsupported(\"RSA key generation\").into())\n    }\n\n    fn sign(\u0026mut self, alg: jwa::RsaSigning, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let padding_alg: \u0026'static dyn RsaEncoding = match alg {\n            RsaSigning::Pss(pss) =\u003e match pss {\n                RsassaPss::Ps256 =\u003e \u0026ring::signature::RSA_PSS_SHA256,\n                RsassaPss::Ps384 =\u003e \u0026ring::signature::RSA_PSS_SHA384,\n                RsassaPss::Ps512 =\u003e \u0026ring::signature::RSA_PSS_SHA512,\n            },\n            RsaSigning::RsPkcs1V1_5(pkcs) =\u003e match pkcs {\n                RsassaPkcs1V1_5::Rs256 =\u003e \u0026ring::signature::RSA_PKCS1_SHA512,\n                RsassaPkcs1V1_5::Rs384 =\u003e \u0026ring::signature::RSA_PKCS1_SHA384,\n                RsassaPkcs1V1_5::Rs512 =\u003e \u0026ring::signature::RSA_PKCS1_SHA512,\n            },\n        };\n\n        let rng = SystemRandom::new();\n        let mut sig = vec![0; self.inner.public().modulus_len()];\n        self.inner.sign(padding_alg, \u0026rng, data, \u0026mut sig)?;\n        Ok(sig)\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            components: self.public_components.clone(),\n        }\n    }\n\n    fn from_components(\n        pri: rsa::PrivateKeyComponents,\n        pu: rsa::PublicKeyComponents,\n    ) -\u003e Result\u003cSelf\u003e {\n        let components = KeyPairComponents {\n            public_key: PublicKeyComponents { n: \u0026pu.n, e: \u0026pu.e },\n            d: pri.d.expose_secret(),\n            p: pri.prime.p.expose_secret(),\n            q: pri.prime.q.expose_secret(),\n            dP: pri.prime.dp.expose_secret(),\n            dQ: pri.prime.dq.expose_secret(),\n            qInv: pri.prime.qi.expose_secret(),\n        };\n        let key = KeyPair::from_components(\u0026components)?;\n\n        Ok(Self {\n            inner: key,\n            private_components: pri,\n            public_components: pu,\n        })\n    }\n\n    fn private_components(\u0026self) -\u003e Result\u003crsa::PrivateKeyComponents\u003e {\n        Ok(self.private_components.clone())\n    }\n\n    fn public_components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        self.public_components.clone()\n    }\n}\n\n/// A low level public RSA key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    components: rsa::PublicKeyComponents,\n}\n\nimpl rsa::PublicKey for PublicKey {\n    fn from_components(c: rsa::PublicKeyComponents) -\u003e Result\u003cSelf\u003e {\n        Ok(Self { components: c })\n    }\n\n    fn verify(\u0026mut self, alg: jwa::RsaSigning, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        let params: \u0026'static RsaParameters = match alg {\n            RsaSigning::Pss(pss) =\u003e match pss {\n                RsassaPss::Ps256 =\u003e \u0026ring::signature::RSA_PSS_2048_8192_SHA256,\n                RsassaPss::Ps384 =\u003e \u0026ring::signature::RSA_PSS_2048_8192_SHA384,\n                RsassaPss::Ps512 =\u003e \u0026ring::signature::RSA_PSS_2048_8192_SHA512,\n            },\n            RsaSigning::RsPkcs1V1_5(pkcs) =\u003e match pkcs {\n                RsassaPkcs1V1_5::Rs256 =\u003e \u0026ring::signature::RSA_PKCS1_2048_8192_SHA256,\n                RsassaPkcs1V1_5::Rs384 =\u003e \u0026ring::signature::RSA_PKCS1_2048_8192_SHA384,\n                RsassaPkcs1V1_5::Rs512 =\u003e \u0026ring::signature::RSA_PKCS1_2048_8192_SHA512,\n            },\n        };\n\n        let rsa = PublicKeyComponents {\n            n: \u0026self.components.n,\n            e: \u0026self.components.e,\n        };\n\n        Ok(rsa.verify(params, msg, signature).is_ok())\n    }\n\n    fn components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        self.components.clone()\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","ring.rs"],"content":"//! This backend implements the primitives using the [`ring`] crate\n\nuse ring::{\n    digest,\n    rand::{SecureRandom as _, SystemRandom},\n};\nuse thiserror::Error;\n\nuse super::interface;\n\npub(crate) mod ec;\npub(crate) mod hmac;\npub(crate) mod okp;\npub(crate) mod rsa;\n\n// TODO: remove the `cfg_attr` once the RustCrypto crates implement\n// the core::error::Error trait.\n\n/// The errors that can be produced by the rust crypto backend.\n#[derive(Debug, Error)]\npub(crate) enum BackendError {\n    /// The error returned by `ring`.\n    #[error(\"ring returned an unspecified error\")]\n    Unspecified,\n\n    /// Key rejected error.\n    #[error(\"{0}\")]\n    KeyRejected(ring::error::KeyRejected),\n\n    /// Unsupported EC curve\n    #[error(\"unsupported EcDSA curve: {0}\")]\n    UnsupportedCurve(\u0026'static str),\n\n    /// A specific feature is not supported\n    #[error(\"ring does not support feature: {0}\")]\n    Unsupported(\u0026'static str),\n}\n\nimpl From\u003cring::error::Unspecified\u003e for BackendError {\n    fn from(_: ring::error::Unspecified) -\u003e Self {\n        Self::Unspecified\n    }\n}\n\nimpl From\u003cring::error::KeyRejected\u003e for BackendError {\n    fn from(x: ring::error::KeyRejected) -\u003e Self {\n        Self::KeyRejected(x)\n    }\n}\n\n/// The [`ring`] based backend.\n#[derive(Debug)]\npub(crate) enum Backend {}\n\nimpl interface::Backend for Backend {\n    type EcPrivateKey = ec::PrivateKey;\n    type EcPublicKey = ec::PublicKey;\n    type EdPrivateKey = okp::PrivateKey;\n    type EdPublicKey = okp::PublicKey;\n    type Error = BackendError;\n    type HmacKey = hmac::Key;\n    type RsaPrivateKey = rsa::PrivateKey;\n    type RsaPublicKey = rsa::PublicKey;\n\n    fn fill_random(buf: \u0026mut [u8]) -\u003e Result\u003c(), Self::Error\u003e {\n        let rng = SystemRandom::new();\n        rng.fill(buf)?;\n        Ok(())\n    }\n\n    fn sha256(data: \u0026[u8]) -\u003e [u8; 32] {\n        digest::digest(\u0026digest::SHA256, data)\n            .as_ref()\n            .try_into()\n            .expect(\"SHA256 digest length mismatch\")\n    }\n\n    fn sha384(data: \u0026[u8]) -\u003e [u8; 48] {\n        digest::digest(\u0026digest::SHA384, data)\n            .as_ref()\n            .try_into()\n            .expect(\"SHA384 digest length mismatch\")\n    }\n\n    fn sha512(data: \u0026[u8]) -\u003e [u8; 64] {\n        digest::digest(\u0026digest::SHA512, data)\n            .as_ref()\n            .try_into()\n            .expect(\"SHA512 digest length mismatch\")\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","rust","ec.rs"],"content":"use alloc::vec::Vec;\n\nuse ecdsa::EncodedPoint;\nuse elliptic_curve::{\n    sec1::{FromEncodedPoint, ToEncodedPoint, ValidatePublicKey as _},\n    FieldBytes, SecretKey,\n};\nuse generic_array::typenum::Unsigned as _;\nuse k256::Secp256k1;\nuse p256::NistP256;\nuse p384::NistP384;\nuse rand_core::OsRng;\nuse secrecy::{ExposeSecret as _, SecretSlice};\nuse signature::{RandomizedSigner as _, Verifier as _};\nuse zeroize::Zeroizing;\n\nuse crate::{\n    crypto::{backend::interface::ec, Result},\n    jwa::{self, EcDSA},\n};\n\n#[derive(Clone)]\nenum ErasedPrivateKey {\n    P256(SecretKey\u003cNistP256\u003e),\n    P384(SecretKey\u003cNistP384\u003e),\n    Secp256k1(SecretKey\u003cSecp256k1\u003e),\n}\n\n#[derive(Clone)]\nenum ErasedPublicKey {\n    P256(elliptic_curve::PublicKey\u003cNistP256\u003e),\n    P384(elliptic_curve::PublicKey\u003cNistP384\u003e),\n    Secp256k1(elliptic_curve::PublicKey\u003cSecp256k1\u003e),\n}\n\n#[derive(Clone)]\npub(crate) enum ErasedSignature {\n    P256(ecdsa::SignatureBytes\u003cNistP256\u003e),\n    P384(ecdsa::SignatureBytes\u003cNistP384\u003e),\n    Secp256k1(ecdsa::SignatureBytes\u003cSecp256k1\u003e),\n}\n\nimpl From\u003cErasedSignature\u003e for Vec\u003cu8\u003e {\n    fn from(value: ErasedSignature) -\u003e Self {\n        match value {\n            ErasedSignature::P256(sig) =\u003e sig.to_vec(),\n            ErasedSignature::P384(sig) =\u003e sig.to_vec(),\n            ErasedSignature::Secp256k1(sig) =\u003e sig.to_vec(),\n        }\n    }\n}\n\nimpl AsRef\u003c[u8]\u003e for ErasedSignature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        match self {\n            ErasedSignature::P256(sig) =\u003e sig.as_ref(),\n            ErasedSignature::P384(sig) =\u003e sig.as_ref(),\n            ErasedSignature::Secp256k1(sig) =\u003e sig.as_ref(),\n        }\n    }\n}\n\nfn to_field_bytes\u003cC: elliptic_curve::Curve\u003e(\n    bytes: \u0026[u8],\n) -\u003e Result\u003c\u0026FieldBytes\u003cC\u003e, super::BackendError\u003e {\n    if bytes.len() != C::FieldBytesSize::USIZE {\n        return Err(super::BackendError::InvalidEcPoint {\n            expected: C::FieldBytesSize::USIZE,\n            actual: bytes.len(),\n        });\n    }\n\n    Ok(FieldBytes::\u003cC\u003e::from_slice(bytes))\n}\n\n/// A low level private EC key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PrivateKey {\n    inner: ErasedPrivateKey,\n}\n\nimpl ec::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = ErasedSignature;\n\n    fn generate(alg: jwa::EcDSA) -\u003e Result\u003cSelf\u003e {\n        let mut rng = OsRng;\n\n        let key = match alg {\n            EcDSA::Es256 =\u003e ErasedPrivateKey::P256(SecretKey::\u003cNistP256\u003e::random(\u0026mut rng)),\n            EcDSA::Es384 =\u003e ErasedPrivateKey::P384(SecretKey::\u003cNistP384\u003e::random(\u0026mut rng)),\n            EcDSA::Es512 =\u003e return Err(super::BackendError::CurveNotSupported(\"P-521\").into()),\n            EcDSA::Es256K =\u003e ErasedPrivateKey::Secp256k1(SecretKey::\u003cSecp256k1\u003e::random(\u0026mut rng)),\n        };\n        Ok(Self { inner: key })\n    }\n\n    fn new(alg: EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        fn new_typed\u003cC: elliptic_curve::Curve + elliptic_curve::CurveArithmetic\u003e(\n            x: Vec\u003cu8\u003e,\n            y: Vec\u003cu8\u003e,\n            d: SecretSlice\u003cu8\u003e,\n        ) -\u003e Result\u003celliptic_curve::SecretKey\u003cC\u003e\u003e\n        where\n            \u003cC as elliptic_curve::Curve\u003e::FieldBytesSize: elliptic_curve::sec1::ModulusSize,\n            \u003cC as elliptic_curve::CurveArithmetic\u003e::AffinePoint: FromEncodedPoint\u003cC\u003e,\n            \u003cC as elliptic_curve::CurveArithmetic\u003e::AffinePoint: ToEncodedPoint\u003cC\u003e,\n        {\n            let x = to_field_bytes::\u003cC\u003e(\u0026x)?;\n            let y = to_field_bytes::\u003cC\u003e(\u0026y)?;\n\n            let d = d.expose_secret();\n            let d = to_field_bytes::\u003cC\u003e(d)?;\n\n            let point = EncodedPoint::\u003cC\u003e::from_affine_coordinates(x, y, false);\n            let secret = elliptic_curve::SecretKey::\u003cC\u003e::from_bytes(d)\n                .map_err(super::BackendError::EllipticCurve)?;\n\n            C::validate_public_key(\u0026secret, \u0026point).map_err(super::BackendError::EllipticCurve)?;\n\n            Ok(secret)\n        }\n\n        match alg {\n            EcDSA::Es256 =\u003e Ok(Self {\n                inner: ErasedPrivateKey::P256(new_typed::\u003cNistP256\u003e(x, y, d)?),\n            }),\n            EcDSA::Es384 =\u003e Ok(Self {\n                inner: ErasedPrivateKey::P384(new_typed::\u003cNistP384\u003e(x, y, d)?),\n            }),\n            EcDSA::Es512 =\u003e Err(super::BackendError::CurveNotSupported(\"P-521\").into()),\n            EcDSA::Es256K =\u003e Ok(Self {\n                inner: ErasedPrivateKey::Secp256k1(new_typed::\u003cSecp256k1\u003e(x, y, d)?),\n            }),\n        }\n    }\n\n    fn private_material(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        match self.inner {\n            ErasedPrivateKey::P256(ref key) =\u003e {\n                let material = Zeroizing::new(key.to_bytes());\n                let material = material.to_vec();\n                SecretSlice::from(material)\n            }\n            ErasedPrivateKey::P384(ref key) =\u003e {\n                let material = Zeroizing::new(key.to_bytes());\n                let material = material.to_vec();\n                SecretSlice::from(material)\n            }\n            ErasedPrivateKey::Secp256k1(ref key) =\u003e {\n                let material = Zeroizing::new(key.to_bytes());\n                let material = material.to_vec();\n                SecretSlice::from(material)\n            }\n        }\n    }\n\n    #[inline]\n    fn public_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        ec::PublicKey::to_point(\u0026self.to_public_key())\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        match self.inner {\n            ErasedPrivateKey::P256(ref key) =\u003e PublicKey {\n                inner: ErasedPublicKey::P256(key.public_key()),\n            },\n            ErasedPrivateKey::P384(ref key) =\u003e PublicKey {\n                inner: ErasedPublicKey::P384(key.public_key()),\n            },\n            ErasedPrivateKey::Secp256k1(ref key) =\u003e PublicKey {\n                inner: ErasedPublicKey::Secp256k1(key.public_key()),\n            },\n        }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8], deterministic: bool) -\u003e Result\u003cSelf::Signature\u003e {\n        let sig = match self.inner {\n            ErasedPrivateKey::P256(ref key) =\u003e {\n                let key = ecdsa::SigningKey::\u003cNistP256\u003e::from(key);\n\n                let sig = if deterministic {\n                    key.sign_recoverable(data)\n                        .map_err(super::BackendError::Ecdsa)?\n                        .0\n                } else {\n                    key.try_sign_with_rng(\u0026mut OsRng, data)\n                        .map_err(super::BackendError::Ecdsa)?\n                };\n\n                ErasedSignature::P256(sig.to_bytes())\n            }\n            ErasedPrivateKey::P384(ref key) =\u003e {\n                let key = ecdsa::SigningKey::\u003cNistP384\u003e::from(key);\n\n                let sig = if deterministic {\n                    key.sign_recoverable(data)\n                        .map_err(super::BackendError::Ecdsa)?\n                        .0\n                } else {\n                    key.try_sign_with_rng(\u0026mut OsRng, data)\n                        .map_err(super::BackendError::Ecdsa)?\n                };\n\n                ErasedSignature::P384(sig.to_bytes())\n            }\n            ErasedPrivateKey::Secp256k1(ref key) =\u003e {\n                let key = ecdsa::SigningKey::\u003cSecp256k1\u003e::from(key);\n\n                let sig = if deterministic {\n                    key.sign_recoverable(data)\n                        .map_err(super::BackendError::Ecdsa)?\n                        .0\n                } else {\n                    key.try_sign_with_rng(\u0026mut OsRng, data)\n                        .map_err(super::BackendError::Ecdsa)?\n                };\n\n                ErasedSignature::Secp256k1(sig.to_bytes())\n            }\n        };\n\n        Ok(sig)\n    }\n}\n\n/// A low level public EC key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PublicKey {\n    inner: ErasedPublicKey,\n}\n\nimpl ec::PublicKey for PublicKey {\n    fn new(alg: EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        fn new_typed\u003cC: elliptic_curve::Curve + elliptic_curve::CurveArithmetic\u003e(\n            x: Vec\u003cu8\u003e,\n            y: Vec\u003cu8\u003e,\n        ) -\u003e Result\u003celliptic_curve::PublicKey\u003cC\u003e\u003e\n        where\n            \u003cC as elliptic_curve::Curve\u003e::FieldBytesSize: elliptic_curve::sec1::ModulusSize,\n            \u003cC as elliptic_curve::CurveArithmetic\u003e::AffinePoint: FromEncodedPoint\u003cC\u003e,\n            \u003cC as elliptic_curve::CurveArithmetic\u003e::AffinePoint: ToEncodedPoint\u003cC\u003e,\n        {\n            let x = to_field_bytes::\u003cC\u003e(\u0026x)?;\n            let y = to_field_bytes::\u003cC\u003e(\u0026y)?;\n\n            let point = EncodedPoint::\u003cC\u003e::from_affine_coordinates(x, y, false);\n            let key: Option\u003c_\u003e = elliptic_curve::PublicKey::\u003cC\u003e::from_encoded_point(\u0026point).into();\n            let key = key.ok_or(super::BackendError::InvalidEcKey)?;\n            Ok(key)\n        }\n\n        match alg {\n            EcDSA::Es256 =\u003e Ok(Self {\n                inner: ErasedPublicKey::P256(new_typed::\u003cNistP256\u003e(x, y)?),\n            }),\n            EcDSA::Es384 =\u003e Ok(Self {\n                inner: ErasedPublicKey::P384(new_typed::\u003cNistP384\u003e(x, y)?),\n            }),\n            EcDSA::Es512 =\u003e Err(super::BackendError::CurveNotSupported(\"P-521\").into()),\n            EcDSA::Es256K =\u003e Ok(Self {\n                inner: ErasedPublicKey::Secp256k1(new_typed::\u003cSecp256k1\u003e(x, y)?),\n            }),\n        }\n    }\n\n    fn to_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        let identity_point = || alloc::vec![0u8];\n        match self.inner {\n            ErasedPublicKey::P256(ref key) =\u003e {\n                let point = key.to_encoded_point(false);\n                (\n                    point.x().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                    point.y().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                )\n            }\n            ErasedPublicKey::P384(ref key) =\u003e {\n                let point = key.to_encoded_point(false);\n                (\n                    point.x().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                    point.y().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                )\n            }\n            ErasedPublicKey::Secp256k1(ref key) =\u003e {\n                let point = key.to_encoded_point(false);\n                (\n                    point.x().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                    point.y().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                )\n            }\n        }\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        Ok(match self.inner {\n            ErasedPublicKey::P256(ref key) =\u003e {\n                let Ok(sig) = ecdsa::Signature::\u003cNistP256\u003e::try_from(signature) else {\n                    return Ok(false);\n                };\n                let key = ecdsa::VerifyingKey::\u003cNistP256\u003e::from(key);\n                key.verify(msg, \u0026sig).is_ok()\n            }\n            ErasedPublicKey::P384(ref key) =\u003e {\n                let Ok(sig) = ecdsa::Signature::\u003cNistP384\u003e::try_from(signature) else {\n                    return Ok(false);\n                };\n                let key = ecdsa::VerifyingKey::\u003cNistP384\u003e::from(key);\n                key.verify(msg, \u0026sig).is_ok()\n            }\n            ErasedPublicKey::Secp256k1(ref key) =\u003e {\n                let Ok(sig) = ecdsa::Signature::\u003cSecp256k1\u003e::try_from(signature) else {\n                    return Ok(false);\n                };\n                let key = ecdsa::VerifyingKey::\u003cSecp256k1\u003e::from(key);\n                key.verify(msg, \u0026sig).is_ok()\n            }\n        })\n    }\n}\n","traces":[{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":113,"address":[],"length":0,"stats":{"Line":0}},{"line":114,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":0}},{"line":120,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":0}},{"line":161,"address":[],"length":0,"stats":{"Line":0}},{"line":246,"address":[],"length":0,"stats":{"Line":0}},{"line":247,"address":[],"length":0,"stats":{"Line":0}},{"line":249,"address":[],"length":0,"stats":{"Line":0}},{"line":250,"address":[],"length":0,"stats":{"Line":0}},{"line":251,"address":[],"length":0,"stats":{"Line":0}},{"line":252,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":22},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","rust","hmac.rs"],"content":"use ::hmac::Hmac;\nuse digest::{Mac as _, Output};\n\nuse crate::{\n    crypto::{backend::interface::hmac, Result},\n    jwa,\n};\n\n/// Rust crypto uses generic arguments to represent the variant.\n///\n/// We don't to that at this level, so we have to erase the type.\nenum ErasedKey {\n    Hs256(Hmac\u003csha2::Sha256\u003e),\n    Hs384(Hmac\u003csha2::Sha384\u003e),\n    Hs512(Hmac\u003csha2::Sha512\u003e),\n}\n\npub(crate) enum ErasedSignature {\n    Hs256(Output\u003cHmac\u003csha2::Sha256\u003e\u003e),\n    Hs384(Output\u003cHmac\u003csha2::Sha384\u003e\u003e),\n    Hs512(Output\u003cHmac\u003csha2::Sha512\u003e\u003e),\n}\n\nimpl AsRef\u003c[u8]\u003e for ErasedSignature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        match self {\n            ErasedSignature::Hs256(sig) =\u003e sig.as_ref(),\n            ErasedSignature::Hs384(sig) =\u003e sig.as_ref(),\n            ErasedSignature::Hs512(sig) =\u003e sig.as_ref(),\n        }\n    }\n}\n\n/// A low level HMAC key.\n#[repr(transparent)]\npub(crate) struct Key {\n    inner: ErasedKey,\n}\n\nimpl hmac::Key for Key {\n    type Signature = ErasedSignature;\n\n    fn new(variant: jwa::Hmac, data: \u0026[u8]) -\u003e Result\u003cSelf\u003e {\n        let key = match variant {\n            jwa::Hmac::Hs256 =\u003e ErasedKey::Hs256(Hmac::\u003csha2::Sha256\u003e::new_from_slice(data)?),\n            jwa::Hmac::Hs384 =\u003e ErasedKey::Hs384(Hmac::\u003csha2::Sha384\u003e::new_from_slice(data)?),\n            jwa::Hmac::Hs512 =\u003e ErasedKey::Hs512(Hmac::\u003csha2::Sha512\u003e::new_from_slice(data)?),\n        };\n\n        Ok(Self { inner: key })\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let signature = match \u0026mut self.inner {\n            ErasedKey::Hs256(hmac) =\u003e {\n                hmac.update(data);\n                ErasedSignature::Hs256(hmac.finalize_reset().into_bytes())\n            }\n            ErasedKey::Hs384(hmac) =\u003e {\n                hmac.update(data);\n                ErasedSignature::Hs384(hmac.finalize_reset().into_bytes())\n            }\n            ErasedKey::Hs512(hmac) =\u003e {\n                hmac.update(data);\n                ErasedSignature::Hs512(hmac.finalize_reset().into_bytes())\n            }\n        };\n\n        Ok(signature)\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","rust","okp.rs"],"content":"use alloc::vec::Vec;\n\nuse ed25519_dalek::{PUBLIC_KEY_LENGTH, SECRET_KEY_LENGTH};\nuse rand_core::OsRng;\nuse secrecy::{ExposeSecret, SecretSlice};\nuse signature::Signer as _;\nuse zeroize::Zeroizing;\n\nuse crate::crypto::{backend::interface::okp, Result};\n\n#[derive(Clone)]\nenum ErasedPrivateKey {\n    Ed25519(ed25519_dalek::SigningKey),\n}\n\n#[derive(Clone)]\nenum ErasedPublicKey {\n    Ed25519(ed25519_dalek::VerifyingKey),\n}\n\n#[derive(Clone)]\npub(crate) enum ErasedSignature {\n    Ed25519([u8; ed25519_dalek::Signature::BYTE_SIZE]),\n}\n\nimpl From\u003cErasedSignature\u003e for Vec\u003cu8\u003e {\n    fn from(value: ErasedSignature) -\u003e Self {\n        match value {\n            ErasedSignature::Ed25519(sig) =\u003e sig.to_vec(),\n        }\n    }\n}\n\nimpl AsRef\u003c[u8]\u003e for ErasedSignature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        match self {\n            ErasedSignature::Ed25519(ref sig) =\u003e sig,\n        }\n    }\n}\n\n/// A low level public ED key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PublicKey {\n    inner: ErasedPublicKey,\n}\n\nimpl okp::PublicKey for PublicKey {\n    fn new(alg: okp::CurveAlgorithm, x: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let key = match alg {\n            okp::CurveAlgorithm::Ed25519 =\u003e {\n                let len = x.len();\n                let x: [u8; PUBLIC_KEY_LENGTH] =\n                    x.try_into()\n                        .map_err(|_| super::BackendError::InvalidEcPoint {\n                            expected: PUBLIC_KEY_LENGTH,\n                            actual: len,\n                        })?;\n                ErasedPublicKey::Ed25519(\n                    ed25519_dalek::VerifyingKey::from_bytes(\u0026x)\n                        .map_err(super::BackendError::Ed25519)?,\n                )\n            }\n            okp::CurveAlgorithm::Ed448 =\u003e {\n                return Err(super::BackendError::CurveNotSupported(\"Ed448\").into())\n            }\n        };\n\n        Ok(Self { inner: key })\n    }\n\n    fn to_bytes(\u0026self) -\u003e Vec\u003cu8\u003e {\n        match self.inner {\n            ErasedPublicKey::Ed25519(ref key) =\u003e key.to_bytes().to_vec(),\n        }\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        match self.inner {\n            ErasedPublicKey::Ed25519(ref key) =\u003e {\n                // FIXME: this needs interop testing in case this is handled differently by\n                // other implementations\n                // See \u003chttps://docs.rs/ed25519-dalek/latest/ed25519_dalek/struct.VerifyingKey.html#on-the-multiple-sources-of-malleability-in-ed25519-signatures\u003e\n\n                let Ok(sig) = ed25519_dalek::Signature::from_slice(signature) else {\n                    return Ok(false);\n                };\n\n                Ok(key.verify_strict(msg, \u0026sig).is_ok())\n            }\n        }\n    }\n}\n\n/// A low level public ED key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PrivateKey {\n    inner: ErasedPrivateKey,\n}\n\nimpl okp::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = ErasedSignature;\n\n    fn generate(alg: okp::CurveAlgorithm) -\u003e Result\u003cSelf\u003e {\n        let key = match alg {\n            okp::CurveAlgorithm::Ed25519 =\u003e {\n                let mut rng = OsRng;\n                ErasedPrivateKey::Ed25519(ed25519_dalek::SigningKey::generate(\u0026mut rng))\n            }\n            okp::CurveAlgorithm::Ed448 =\u003e {\n                return Err(super::BackendError::CurveNotSupported(\"Ed448\").into())\n            }\n        };\n\n        Ok(Self { inner: key })\n    }\n\n    fn new(alg: okp::CurveAlgorithm, _x: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let key = match alg {\n            okp::CurveAlgorithm::Ed25519 =\u003e {\n                let d = d.expose_secret();\n\n                let len = d.len();\n                let d: [u8; SECRET_KEY_LENGTH] =\n                    d.try_into()\n                        .map_err(|_| super::BackendError::InvalidEcPoint {\n                            expected: SECRET_KEY_LENGTH,\n                            actual: len,\n                        })?;\n\n                ErasedPrivateKey::Ed25519(ed25519_dalek::SigningKey::from_bytes(\u0026d))\n            }\n            okp::CurveAlgorithm::Ed448 =\u003e {\n                return Err(super::BackendError::CurveNotSupported(\"Ed448\").into())\n            }\n        };\n\n        Ok(Self { inner: key })\n    }\n\n    fn to_bytes(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        match self.inner {\n            ErasedPrivateKey::Ed25519(ref key) =\u003e {\n                let material = Zeroizing::new(key.to_bytes());\n                SecretSlice::from(material.to_vec())\n            }\n        }\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        let key = match self.inner {\n            ErasedPrivateKey::Ed25519(ref key) =\u003e {\n                let pubkey = key.verifying_key();\n                ErasedPublicKey::Ed25519(pubkey)\n            }\n        };\n\n        PublicKey { inner: key }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        Ok(match self.inner {\n            ErasedPrivateKey::Ed25519(ref key) =\u003e {\n                let sig = key.try_sign(data).map_err(super::BackendError::Ed25519)?;\n                ErasedSignature::Ed25519(sig.to_bytes())\n            }\n        })\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","rust","rsa.rs"],"content":"use alloc::vec::Vec;\n\nuse ::rsa::{\n    traits::{PrivateKeyParts, PublicKeyParts as _},\n    BigUint, Pkcs1v15Sign, Pss, RsaPrivateKey, RsaPublicKey,\n};\nuse secrecy::{ExposeSecret, SecretSlice};\nuse sha2::Digest as _;\nuse zeroize::Zeroizing;\n\nuse crate::{\n    crypto::{backend::interface::rsa, Result},\n    jwa::{self, RsaSigning, RsassaPkcs1V1_5, RsassaPss},\n};\n\n/// A low level private RSA key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PrivateKey {\n    // WARN: It is important that the `inner` key always contains it's precomupted values.\n    // It must be ensured that on each construction of this type, `precomputed` method is called\n    inner: RsaPrivateKey,\n}\n\nimpl rsa::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(bits: usize) -\u003e Result\u003cSelf\u003e {\n        Ok(Self {\n            inner: RsaPrivateKey::new(\u0026mut rand_core::OsRng, bits)?,\n        })\n    }\n\n    fn sign(\u0026mut self, alg: jwa::RsaSigning, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let hashed = match alg {\n            RsaSigning::Pss(RsassaPss::Ps256) | RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs256) =\u003e {\n                sha2::Sha256::digest(data).to_vec()\n            }\n            RsaSigning::Pss(RsassaPss::Ps384) | RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs384) =\u003e {\n                sha2::Sha384::digest(data).to_vec()\n            }\n            RsaSigning::Pss(RsassaPss::Ps512) | RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs512) =\u003e {\n                sha2::Sha512::digest(data).to_vec()\n            }\n        };\n\n        let mut rng = rand_core::OsRng;\n\n        let res = match alg {\n            RsaSigning::Pss(pss) =\u003e match pss {\n                RsassaPss::Ps256 =\u003e {\n                    let pad = Pss::new::\u003csha2::Sha256\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n                RsassaPss::Ps384 =\u003e {\n                    let pad = Pss::new::\u003csha2::Sha384\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n                RsassaPss::Ps512 =\u003e {\n                    let pad = Pss::new::\u003csha2::Sha512\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n            },\n            RsaSigning::RsPkcs1V1_5(pkcs) =\u003e match pkcs {\n                RsassaPkcs1V1_5::Rs256 =\u003e {\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha256\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n                RsassaPkcs1V1_5::Rs384 =\u003e {\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha384\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n                RsassaPkcs1V1_5::Rs512 =\u003e {\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha512\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n            },\n        };\n\n        Ok(res?)\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            inner: self.inner.to_public_key(),\n        }\n    }\n\n    fn from_components(\n        pri: rsa::PrivateKeyComponents,\n        pu: rsa::PublicKeyComponents,\n    ) -\u003e Result\u003cSelf\u003e {\n        let n = BigUint::from_bytes_be(\u0026pu.n);\n        let e = BigUint::from_bytes_be(\u0026pu.e);\n\n        let d = pri.d.expose_secret();\n        let d = BigUint::from_bytes_be(d);\n\n        let p = BigUint::from_bytes_be(pri.prime.p.expose_secret());\n        let q = BigUint::from_bytes_be(pri.prime.q.expose_secret());\n\n        let mut key = RsaPrivateKey::from_components(n, e, d, alloc::vec![p, q])?;\n        key.precompute()?;\n        Ok(Self { inner: key })\n    }\n\n    fn private_components(\u0026self) -\u003e Result\u003crsa::PrivateKeyComponents\u003e {\n        let mut primes = self.inner.primes().iter().map(|b| b.to_bytes_be());\n\n        let p = primes\n            .next()\n            .map(SecretSlice::from)\n            .ok_or(super::BackendError::RsaTwoPrimes)?;\n        let q = primes\n            .next()\n            .map(SecretSlice::from)\n            .ok_or(super::BackendError::RsaTwoPrimes)?;\n\n        if primes.next().is_some() {\n            return Err(super::BackendError::RsaTwoPrimes.into());\n        }\n\n        let opt_uint = |x: Option\u003c\u0026BigUint\u003e| {\n            x.map(|x| SecretSlice::from(x.to_bytes_be()))\n                .expect(\"key must be precomputed\")\n        };\n\n        Ok(rsa::PrivateKeyComponents {\n            d: SecretSlice::from(self.inner.d().to_bytes_be()),\n            prime: rsa::PrivateKeyPrimeComponents {\n                p,\n                q,\n                dp: opt_uint(self.inner.dp()),\n                dq: opt_uint(self.inner.dq()),\n                qi: {\n                    let qi = Zeroizing::new(self.inner.crt_coefficient());\n                    opt_uint(qi.as_ref())\n                },\n            },\n        })\n    }\n\n    fn public_components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        rsa::PublicKeyComponents {\n            n: self.inner.n().to_bytes_be(),\n            e: self.inner.e().to_bytes_be(),\n        }\n    }\n}\n\n/// A low level public RSA key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PublicKey {\n    inner: RsaPublicKey,\n}\n\nimpl rsa::PublicKey for PublicKey {\n    fn from_components(c: rsa::PublicKeyComponents) -\u003e Result\u003cSelf\u003e {\n        let n = ::rsa::BigUint::from_bytes_be(\u0026c.n);\n        let e = ::rsa::BigUint::from_bytes_be(\u0026c.e);\n        let key = ::rsa::RsaPublicKey::new(n, e)?;\n\n        Ok(Self { inner: key })\n    }\n\n    fn verify(\u0026mut self, alg: jwa::RsaSigning, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        let res = match alg {\n            RsaSigning::Pss(pss) =\u003e match pss {\n                RsassaPss::Ps256 =\u003e {\n                    let hashed = sha2::Sha256::digest(msg);\n                    let pad = Pss::new::\u003csha2::Sha256\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n                RsassaPss::Ps384 =\u003e {\n                    let hashed = sha2::Sha384::digest(msg);\n                    let pad = Pss::new::\u003csha2::Sha384\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n                RsassaPss::Ps512 =\u003e {\n                    let hashed = sha2::Sha512::digest(msg);\n                    let pad = Pss::new::\u003csha2::Sha512\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n            },\n            RsaSigning::RsPkcs1V1_5(pkcs) =\u003e match pkcs {\n                RsassaPkcs1V1_5::Rs256 =\u003e {\n                    let hashed = sha2::Sha256::digest(msg);\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha256\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n                RsassaPkcs1V1_5::Rs384 =\u003e {\n                    let hashed = sha2::Sha384::digest(msg);\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha384\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n                RsassaPkcs1V1_5::Rs512 =\u003e {\n                    let hashed = sha2::Sha512::digest(msg);\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha512\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n            },\n        };\n\n        Ok(res.is_ok())\n    }\n\n    fn components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        rsa::PublicKeyComponents {\n            n: self.inner.n().to_bytes_be(),\n            e: self.inner.e().to_bytes_be(),\n        }\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","rust.rs"],"content":"//! This backend implements the primitives using the [RustCrypto] ecosystem.\n//!\n//! [RustCrypto]: https://github.com/RustCrypto\n\nuse digest::Digest as _;\nuse rand_core::RngCore as _;\nuse thiserror::Error;\n\nuse super::interface;\n\npub(crate) mod ec;\npub(crate) mod hmac;\npub(crate) mod okp;\npub(crate) mod rsa;\n\n// TODO: remove the `cfg_attr` once the RustCrypto crates implement\n// the core::error::Error trait.\n\n/// The errors that can be produced by the rust crypto backend.\n#[derive(Debug, Error)]\npub(crate) enum BackendError {\n    /// The error returned if the key is invalid.\n    #[error(\"invalid key length\")]\n    InvalidLength,\n\n    /// RSA operation failed.\n    #[cfg_attr(feature = \"std\", error(\"an RSA operation failed\"))]\n    #[cfg_attr(not(feature = \"std\"), error(\"an RSA operation failed: {0}\"))]\n    Rsa(#[cfg_attr(feature = \"std\", source)] ::rsa::errors::Error),\n\n    /// Error of the `elliptic_curve` crate.\n    #[cfg_attr(feature = \"std\", error(\"an elliptic curve operation failed\"))]\n    #[cfg_attr(not(feature = \"std\"), error(\"an elliptic curve operation failed: {0}\"))]\n    EllipticCurve(#[cfg_attr(feature = \"std\", source)] ::elliptic_curve::Error),\n\n    /// Error of the `ecdsa` crate.\n    #[cfg_attr(feature = \"std\", error(\"an ECDSA operation failed\"))]\n    #[cfg_attr(not(feature = \"std\"), error(\"an ECDSA operation failed: {0}\"))]\n    Ecdsa(#[cfg_attr(feature = \"std\", source)] ::ecdsa::Error),\n\n    /// Error of the `ed25519-dalek` crate.\n    #[cfg_attr(feature = \"std\", error(\"an ED25519 operation failed\"))]\n    #[cfg_attr(not(feature = \"std\"), error(\"an ED25519 operation failed: {0}\"))]\n    Ed25519(#[cfg_attr(feature = \"std\", source)] ed25519_dalek::SignatureError),\n\n    /// The amount of bytes for an EC point is invalid.\n    #[error(\"invalid EC point length, expected {expected}, got {actual}\")]\n    InvalidEcPoint { expected: usize, actual: usize },\n\n    /// The coordinates did not form a valid key.\n    #[error(\"invalid EC key\")]\n    InvalidEcKey,\n\n    /// The curve type is not supported by this backend.\n    #[error(\"curve '{0}' not supported by this backend\")]\n    CurveNotSupported(\u0026'static str),\n\n    #[error(\"RSA key expected to have exactly 2 prime numbers\")]\n    RsaTwoPrimes,\n\n    /// `rand_core` error.\n    #[cfg_attr(feature = \"std\", error(\"failed to generate random data\"))]\n    #[cfg_attr(not(feature = \"std\"), error(\"failed to generate random data: {0}\"))]\n    Rand(#[cfg_attr(feature = \"std\", source)] rand_core::Error),\n}\n\nimpl From\u003cdigest::InvalidLength\u003e for BackendError {\n    fn from(_: digest::InvalidLength) -\u003e Self {\n        Self::InvalidLength\n    }\n}\n\nimpl From\u003c::rsa::errors::Error\u003e for BackendError {\n    fn from(x: ::rsa::errors::Error) -\u003e Self {\n        Self::Rsa(x)\n    }\n}\n\n/// The [RustCrypto] based backend.\n///\n/// [RustCrypto]: https://github.com/RustCrypto\n#[derive(Debug)]\npub(crate) enum Backend {}\n\nimpl interface::Backend for Backend {\n    type EcPrivateKey = ec::PrivateKey;\n    type EcPublicKey = ec::PublicKey;\n    type EdPrivateKey = okp::PrivateKey;\n    type EdPublicKey = okp::PublicKey;\n    type Error = BackendError;\n    type HmacKey = hmac::Key;\n    type RsaPrivateKey = rsa::PrivateKey;\n    type RsaPublicKey = rsa::PublicKey;\n\n    fn fill_random(buf: \u0026mut [u8]) -\u003e Result\u003c(), Self::Error\u003e {\n        use rand_core::OsRng;\n\n        OsRng.try_fill_bytes(buf).map_err(BackendError::Rand)?;\n        Ok(())\n    }\n\n    fn sha256(data: \u0026[u8]) -\u003e [u8; 32] {\n        sha2::Sha256::digest(data).into()\n    }\n\n    fn sha384(data: \u0026[u8]) -\u003e [u8; 48] {\n        sha2::Sha384::digest(data).into()\n    }\n\n    fn sha512(data: \u0026[u8]) -\u003e [u8; 64] {\n        sha2::Sha512::digest(data).into()\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend.rs"],"content":"//! The actual implementations for the cryptographic backends.\n\npub(super) mod interface;\n\ncfg_if::cfg_if! {\n    if #[cfg(feature = \"crypto-rustcrypto\")] {\n        mod rust;\n        pub(crate) use rust::*;\n    } else if #[cfg(feature = \"crypto-openssl\")] {\n        mod openssl;\n        pub(crate) use openssl::*;\n    } else if #[cfg(feature = \"crypto-aws-lc\")] {\n        mod openssl;\n        pub(crate) use openssl::*;\n    } else if #[cfg(feature = \"crypto-ring\")] {\n        mod ring;\n        pub(crate) use ring::*;\n    } else {\n        compile_error!(\"No crypto backend selected. Please enable any of the `crypto-*` features.\");\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","ec.rs"],"content":"//! The primitives for working with [EC (elliptic curve)](https://en.wikipedia.org/wiki/Elliptic-curve_cryptography)\n//! algorithms (`kty` parameter = `EC`).\n//!\n//! If you are looking for the other curve types, see the\n//! [`okp`](crate::crypto::okp) module, which contains all curves that require a\n//! octet key pair.\n\nuse alloc::{boxed::Box, format, string::String, vec::Vec};\nuse core::{fmt, marker::PhantomData};\n\nuse secrecy::ExposeSecret;\nuse serde::{de::Error as _, Deserialize, Serialize};\n\nuse super::backend::{interface, Backend};\nuse crate::{\n    base64_url::{Base64UrlBytes, SecretBase64UrlBytes},\n    crypto::{\n        backend::interface::ec::{PrivateKey as _, PublicKey as _},\n        Result,\n    },\n    jwa, jwk, jws, Base64UrlString,\n};\n\ntype BackendPublicKey = \u003cBackend as interface::Backend\u003e::EcPublicKey;\ntype BackendPrivateKey = \u003cBackend as interface::Backend\u003e::EcPrivateKey;\n\n/// The public key type using the P-256 curve.\npub type P256PublicKey = PublicKey\u003cP256\u003e;\n\n/// The private key type using the P-256 curve.\npub type P256PrivateKey = PrivateKey\u003cP256\u003e;\n\n/// The signer type using the P-256 curve.\npub type P256Signer = Signer\u003cP256\u003e;\n\n/// The verifier type using the P-256 curve.\npub type P256Verifier = Verifier\u003cP256\u003e;\n\n/// The public key type using the P-384 curve.\npub type P384PublicKey = PublicKey\u003cP384\u003e;\n\n/// The private key type using the P-384 curve.\npub type P384PrivateKey = PrivateKey\u003cP384\u003e;\n\n/// The signer type using the P-384 curve.\npub type P384Signer = Signer\u003cP384\u003e;\n\n/// The verifier type using the P-384 curve.\npub type P384Verifier = Verifier\u003cP384\u003e;\n\n/// The public key type using the P-521 curve.\npub type P521PublicKey = PublicKey\u003cP521\u003e;\n\n/// The private key type using the P-521 curve.\npub type P521PrivateKey = PrivateKey\u003cP521\u003e;\n\n/// The signer type using the P-521 curve.\npub type P521Signer = Signer\u003cP521\u003e;\n\n/// The verifier type using the P-521 curve.\npub type P521Verifier = Verifier\u003cP521\u003e;\n\n/// The public key type using the secp256k1 curve.\npub type Secp256k1PublicKey = PublicKey\u003cSecp256k1\u003e;\n\n/// The private key type using the secp256k1 curve.\npub type Secp256k1PrivateKey = PrivateKey\u003cSecp256k1\u003e;\n\n/// The signer type using the secp256k1 curve.\npub type Secp256k1Signer = Signer\u003cSecp256k1\u003e;\n\n/// The verifier type using the secp256k1 curve.\npub type Secp256k1Verifier = Verifier\u003cSecp256k1\u003e;\n\n/// The curve trait marks all possible curves for key type `EC`.\npub trait Curve: sealed::Sealed {\n    /// The name of the curve, that is also used in the `crv` parameter of a\n    /// JWK.\n    const NAME: \u0026'static str;\n\n    /// The algorithm used for this curve.\n    const ALGORITHM: jwa::EcDSA;\n}\n\n/// Returns the number of bytes a single coordinate of the given curve holds.\npub(crate) fn coordinate_size(alg: jwa::EcDSA) -\u003e usize {\n    match alg {\n        jwa::EcDSA::Es256 =\u003e 32,\n        jwa::EcDSA::Es384 =\u003e 48,\n        jwa::EcDSA::Es512 =\u003e 66,\n        jwa::EcDSA::Es256K =\u003e 32,\n    }\n}\n\n/// The number of bytes for a scalar value for the given curve.\n///\n/// This is mostly used to ensure the private key has the correct length.\npub(crate) fn scalar_size(alg: jwa::EcDSA) -\u003e usize {\n    // The length of this octet string MUST be ceiling(log-base-2(n)/8) octets\n    // (where n is the order of the curve).\n    match alg {\n        jwa::EcDSA::Es256 =\u003e 32,\n        jwa::EcDSA::Es384 =\u003e 48,\n        jwa::EcDSA::Es512 =\u003e 66,\n        jwa::EcDSA::Es256K =\u003e 32,\n    }\n}\n\n/// The returned signature from a sign operation.\n#[repr(transparent)]\npub struct Signature {\n    inner: \u003cBackendPrivateKey as interface::ec::PrivateKey\u003e::Signature,\n}\n\nimpl From\u003cSignature\u003e for Vec\u003cu8\u003e {\n    fn from(value: Signature) -\u003e Self {\n        value.as_ref().to_vec()\n    }\n}\n\nimpl AsRef\u003c[u8]\u003e for Signature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        self.inner.as_ref()\n    }\n}\n\nimpl fmt::Debug for Signature {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Debug::fmt(AsRef::\u003c[u8]\u003e::as_ref(\u0026self.inner), f)\n    }\n}\n\n/// The serializable public key for all curve types.\n#[derive(Clone)]\npub struct PublicKey\u003cC\u003e {\n    inner: BackendPublicKey,\n    _curve: PhantomData\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e Eq for PublicKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e PartialEq for PublicKey\u003cC\u003e {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        let (x, y) = self.inner.to_point();\n        let (o_x, o_y) = other.inner.to_point();\n\n        x == o_x \u0026\u0026 y == o_y\n    }\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for PublicKey\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let (x, y) = self.inner.to_point();\n        let x = Base64UrlString::encode(x);\n        let y = Base64UrlString::encode(y);\n\n        f.debug_struct(\"PublicKey\")\n            .field(\"x\", \u0026x)\n            .field(\"y\", \u0026y)\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e From\u003cPublicKey\u003cC\u003e\u003e for jwk::JsonWebKeyType {\n    fn from(value: PublicKey\u003cC\u003e) -\u003e Self {\n        C::public_to_jwk_type(value)\n    }\n}\n\nimpl\u003cC: Curve\u003e crate::sealed::Sealed for PublicKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e jwk::IntoJsonWebKey for PublicKey\u003cC\u003e {\n    type Algorithm = ();\n    type Error = crate::crypto::Error;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003cjwk::JsonWebKey, Self::Error\u003e {\n        let key = C::public_to_jwk_type(self);\n        let key = jwk::JsonWebKey::new_with_algorithm(key, alg.map(|_| C::ALGORITHM.into()));\n        Ok(key)\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::Thumbprint for PublicKey\u003cC\u003e {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        jwk::thumbprint::serialize_key_thumbprint(self)\n    }\n}\n\n#[derive(Deserialize)]\nstruct PublicKeyRepr {\n    crv: String,\n    kty: String,\n    x: Base64UrlBytes,\n    y: Base64UrlBytes,\n}\n\nimpl\u003c'de, C: Curve\u003e Deserialize\u003c'de\u003e for PublicKey\u003cC\u003e {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let key = PublicKeyRepr::deserialize(deserializer)?;\n\n        if key.kty != \"EC\" {\n            return Err(D::Error::custom(alloc::format!(\n                \"Invalid key type `{}`. Expected: `EC`\",\n                key.kty,\n            )));\n        }\n\n        if key.crv != C::NAME {\n            return Err(D::Error::custom(alloc::format!(\n                \"Invalid curve type `{}`. Expected: `{}`\",\n                key.crv,\n                C::NAME,\n            )));\n        }\n\n        let check_coordinate = |c: \u0026[u8], name: \u0026str| {\n            if c.len() != coordinate_size(C::ALGORITHM) {\n                return Err(D::Error::custom(alloc::format!(\n                    \"ECC coordinate {name} has invalid length of {}, expected {}\",\n                    c.len(),\n                    coordinate_size(C::ALGORITHM),\n                )));\n            }\n\n            Ok(())\n        };\n\n        // https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.2\n        //\n        // Verifies that both coordinates are the same length as the curve size.\n        check_coordinate(\u0026key.x.0, \"x\")?;\n        check_coordinate(\u0026key.y.0, \"y\")?;\n\n        Ok(Self {\n            inner: \u003cBackendPublicKey as interface::ec::PublicKey\u003e::new(\n                C::ALGORITHM,\n                key.x.0,\n                key.y.0,\n            )\n            .map_err(|e| D::Error::custom(format!(\"failed to construct public EC key: {e}\")))?,\n            _curve: PhantomData,\n        })\n    }\n}\n\nimpl\u003cC: Curve\u003e Serialize for PublicKey\u003cC\u003e {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        #[derive(serde::Serialize)]\n        struct Repr\u003c'a\u003e {\n            crv: \u0026'a str,\n            kty: \u0026'a str,\n            x: Base64UrlBytes,\n            y: Base64UrlBytes,\n        }\n\n        let (x, y) = self.inner.to_point();\n\n        #[expect(clippy::useless_conversion)]\n        let repr = Repr {\n            crv: C::NAME,\n            kty: \"EC\",\n            x: Base64UrlBytes(Vec::\u003cu8\u003e::from(x)),\n            y: Base64UrlBytes(Vec::\u003cu8\u003e::from(y)),\n        };\n\n        repr.serialize(serializer)\n    }\n}\n\n/// The serializable private key for all curve types.\n#[derive(Clone)]\npub struct PrivateKey\u003cC\u003e {\n    inner: BackendPrivateKey,\n    _curve: PhantomData\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e PrivateKey\u003cC\u003e {\n    /// Generate a new RSA key pair of the given bit size.\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if the key generation fails.\n    pub fn generate() -\u003e Result\u003cSelf\u003e {\n        Ok(Self {\n            inner: BackendPrivateKey::generate(C::ALGORITHM)?,\n            _curve: PhantomData,\n        })\n    }\n\n    /// Returns the public key of this private key.\n    pub fn to_public_key(\u0026self) -\u003e PublicKey\u003cC\u003e {\n        PublicKey {\n            inner: self.inner.to_public_key(),\n            _curve: PhantomData,\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e Eq for PrivateKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e PartialEq for PrivateKey\u003cC\u003e {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        self.to_public_key() == other.to_public_key()\n    }\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for PrivateKey\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let (x, y) = self.inner.public_point();\n        let x = Base64UrlString::encode(x);\n        let y = Base64UrlString::encode(y);\n\n        f.debug_struct(\"PublicKey\")\n            .field(\"x\", \u0026x)\n            .field(\"y\", \u0026y)\n            .field(\"d\", \u0026\"[REDACTED]\")\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e From\u003cPrivateKey\u003cC\u003e\u003e for jwk::JsonWebKeyType {\n    fn from(value: PrivateKey\u003cC\u003e) -\u003e Self {\n        C::private_to_jwk_type(value)\n    }\n}\n\nimpl\u003cC: Curve\u003e crate::sealed::Sealed for PrivateKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e jwk::IntoJsonWebKey for PrivateKey\u003cC\u003e {\n    type Algorithm = ();\n    type Error = crate::crypto::Error;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003cjwk::JsonWebKey, Self::Error\u003e {\n        let key = C::private_to_jwk_type(self);\n        let key = jwk::JsonWebKey::new_with_algorithm(key, alg.map(|_| C::ALGORITHM.into()));\n        Ok(key)\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::Thumbprint for PrivateKey\u003cC\u003e {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        self.to_public_key().thumbprint_prehashed()\n    }\n}\n\nimpl\u003c'de, C: Curve\u003e Deserialize\u003c'de\u003e for PrivateKey\u003cC\u003e {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        #[derive(Deserialize)]\n        struct Repr {\n            #[serde(flatten)]\n            public: PublicKeyRepr,\n            d: SecretBase64UrlBytes,\n        }\n        let key = Repr::deserialize(deserializer)?;\n\n        let len = key.d.0.expose_secret().len();\n        if len != scalar_size(C::ALGORITHM) {\n            return Err(D::Error::custom(alloc::format!(\n                \"ECC scalar has invalid length of {len}, expected {}\",\n                scalar_size(C::ALGORITHM),\n            )));\n        }\n\n        Ok(Self {\n            inner: \u003cBackendPrivateKey as interface::ec::PrivateKey\u003e::new(\n                C::ALGORITHM,\n                key.public.x.0,\n                key.public.y.0,\n                key.d.0,\n            )\n            .map_err(|e| D::Error::custom(format!(\"failed to construct private EC key: {e}\")))?,\n            _curve: PhantomData,\n        })\n    }\n}\n\nimpl\u003cC: Curve\u003e Serialize for PrivateKey\u003cC\u003e {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        #[derive(serde::Serialize)]\n        struct Repr\u003c'a\u003e {\n            crv: \u0026'a str,\n            kty: \u0026'a str,\n            x: Base64UrlBytes,\n            y: Base64UrlBytes,\n            d: SecretBase64UrlBytes,\n        }\n\n        let (x, y) = self.inner.public_point();\n        let d = self.inner.private_material();\n\n        #[expect(clippy::useless_conversion)]\n        let repr = Repr {\n            crv: C::NAME,\n            kty: \"EC\",\n            x: Base64UrlBytes(Vec::\u003cu8\u003e::from(x)),\n            y: Base64UrlBytes(Vec::\u003cu8\u003e::from(y)),\n            d: SecretBase64UrlBytes(d),\n        };\n\n        repr.serialize(serializer)\n    }\n}\n\n/// The [`Signer`](jws::Signer) for EC keys.\npub struct Signer\u003cC\u003e {\n    inner: PrivateKey\u003cC\u003e,\n    deterministic: bool,\n}\n\nimpl\u003cC: Curve\u003e Signer\u003cC\u003e {\n    /// Makes the sign operation of this EcDSA signer deterministic.\n    ///\n    /// This enables deterministic signature values, according to [RFC 6979](https://www.rfc-editor.org/rfc/rfc6979).\n    #[cfg(feature = \"deterministic-ecdsa\")]\n    pub fn deterministic(mut self, deterministic: bool) -\u003e Self {\n        self.deterministic = deterministic;\n        self\n    }\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for Signer\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        f.debug_struct(\"Signer\").field(\"key\", \u0026self.inner).finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e jws::Signer\u003cSignature\u003e for Signer\u003cC\u003e {\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cSignature\u003e {\n        let sig = self.inner.inner.sign(msg, self.deterministic)?;\n        Ok(Signature { inner: sig })\n    }\n\n    fn algorithm(\u0026self) -\u003e jwa::JsonWebSigningAlgorithm {\n        jwa::JsonWebSigningAlgorithm::EcDSA(C::ALGORITHM)\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPrivateKey\u003cC\u003e\u003e for Signer\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    fn from_key(value: PrivateKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::EcDSA(alg))\n                if alg == C::ALGORITHM =\u003e\n            {\n                Ok(Self {\n                    inner: value,\n                    deterministic: false,\n                })\n            }\n            _ =\u003e Err(jws::InvalidSigningAlgorithmError),\n        }\n    }\n}\n\n/// The [`Verifier`](jws::Verifier) for EC keys.\npub struct Verifier\u003cC\u003e {\n    inner: PublicKey\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for Verifier\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        f.debug_struct(\"Verifier\")\n            .field(\"key\", \u0026self.inner)\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e jws::Verifier for Verifier\u003cC\u003e {\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), jws::VerifyError\u003e {\n        match self.inner.inner.verify(msg, signature) {\n            Ok(true) =\u003e Ok(()),\n            Ok(false) =\u003e Err(jws::VerifyError::InvalidSignature),\n            Err(e) =\u003e Err(jws::VerifyError::CryptoBackend(e)),\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPublicKey\u003cC\u003e\u003e for Verifier\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    fn from_key(value: PublicKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::EcDSA(alg))\n                if alg == C::ALGORITHM =\u003e\n            {\n                Ok(Self { inner: value })\n            }\n            _ =\u003e Err(jws::InvalidSigningAlgorithmError),\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPrivateKey\u003cC\u003e\u003e for Verifier\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    #[inline]\n    fn from_key(value: PrivateKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        Self::from_key(value.to_public_key(), alg)\n    }\n}\n\nmacro_rules! impl_curve {\n    ($(\n        $(#[$doc:meta])*\n        $curve:ident {\n            name: $curve_name:literal,\n            algorithm: $algorithm:ident,\n        }\n    ),*$(,)?) =\u003e { $(\n        $(#[$doc])*\n        #[derive(Debug, Clone, Copy)]\n        pub enum $curve {}\n\n        impl Curve for $curve {\n            const NAME: \u0026'static str = $curve_name;\n            const ALGORITHM: jwa::EcDSA = jwa::EcDSA::$algorithm;\n        }\n        impl sealed::Sealed for $curve {\n            fn public_to_jwk_type(key: PublicKey\u003cSelf\u003e) -\u003e jwk::JsonWebKeyType {\n                jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Public(\n                    jwk::Public::Ec(jwk::EcPublic::$curve(key)),\n                )))\n            }\n\n            fn private_to_jwk_type(key: PrivateKey\u003cSelf\u003e) -\u003e jwk::JsonWebKeyType {\n                jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Private(\n                    jwk::Private::Ec(jwk::EcPrivate::$curve(key)),\n                )))\n            }\n        }\n    )* };\n}\n\nimpl_curve!(\n    /// The P-256 curve.\n    P256 {\n        name: \"P-256\",\n        algorithm: Es256,\n    },\n\n    /// The P-384 curve.\n    P384 {\n        name: \"P-384\",\n        algorithm: Es384,\n    },\n\n    /// The P-521 curve.\n    P521 {\n        name: \"P-521\",\n        algorithm: Es512,\n    },\n\n    /// The secp256k1 curve.\n    Secp256k1 {\n        name: \"secp256k1\",\n        algorithm: Es256K,\n    },\n);\n\nmod sealed {\n    use crate::jwk::JsonWebKeyType;\n\n    pub trait Sealed: Sized {\n        fn public_to_jwk_type(key: super::PublicKey\u003cSelf\u003e) -\u003e JsonWebKeyType;\n\n        fn private_to_jwk_type(key: super::PrivateKey\u003cSelf\u003e) -\u003e JsonWebKeyType;\n    }\n}\n","traces":[{"line":86,"address":[],"length":0,"stats":{"Line":59}},{"line":87,"address":[],"length":0,"stats":{"Line":59}},{"line":88,"address":[],"length":0,"stats":{"Line":21}},{"line":89,"address":[],"length":0,"stats":{"Line":13}},{"line":90,"address":[],"length":0,"stats":{"Line":13}},{"line":91,"address":[],"length":0,"stats":{"Line":12}},{"line":98,"address":[],"length":0,"stats":{"Line":31}},{"line":101,"address":[],"length":0,"stats":{"Line":31}},{"line":102,"address":[],"length":0,"stats":{"Line":11}},{"line":103,"address":[],"length":0,"stats":{"Line":7}},{"line":104,"address":[],"length":0,"stats":{"Line":7}},{"line":105,"address":[],"length":0,"stats":{"Line":6}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":142,"address":[],"length":0,"stats":{"Line":26}},{"line":143,"address":[],"length":0,"stats":{"Line":26}},{"line":144,"address":[],"length":0,"stats":{"Line":26}},{"line":146,"address":[],"length":0,"stats":{"Line":52}},{"line":151,"address":[],"length":0,"stats":{"Line":0}},{"line":152,"address":[],"length":0,"stats":{"Line":0}},{"line":153,"address":[],"length":0,"stats":{"Line":0}},{"line":154,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":157,"address":[],"length":0,"stats":{"Line":0}},{"line":158,"address":[],"length":0,"stats":{"Line":0}},{"line":164,"address":[],"length":0,"stats":{"Line":0}},{"line":165,"address":[],"length":0,"stats":{"Line":0}},{"line":174,"address":[],"length":0,"stats":{"Line":0}},{"line":178,"address":[],"length":0,"stats":{"Line":0}},{"line":179,"address":[],"length":0,"stats":{"Line":0}},{"line":180,"address":[],"length":0,"stats":{"Line":0}},{"line":185,"address":[],"length":0,"stats":{"Line":33}},{"line":186,"address":[],"length":0,"stats":{"Line":33}},{"line":199,"address":[],"length":0,"stats":{"Line":14}},{"line":203,"address":[],"length":0,"stats":{"Line":28}},{"line":205,"address":[],"length":0,"stats":{"Line":0}},{"line":206,"address":[],"length":0,"stats":{"Line":0}},{"line":207,"address":[],"length":0,"stats":{"Line":0}},{"line":208,"address":[],"length":0,"stats":{"Line":0}},{"line":212,"address":[],"length":0,"stats":{"Line":14}},{"line":213,"address":[],"length":0,"stats":{"Line":0}},{"line":214,"address":[],"length":0,"stats":{"Line":0}},{"line":215,"address":[],"length":0,"stats":{"Line":0}},{"line":216,"address":[],"length":0,"stats":{"Line":0}},{"line":220,"address":[],"length":0,"stats":{"Line":42}},{"line":221,"address":[],"length":0,"stats":{"Line":28}},{"line":222,"address":[],"length":0,"stats":{"Line":0}},{"line":223,"address":[],"length":0,"stats":{"Line":0}},{"line":224,"address":[],"length":0,"stats":{"Line":0}},{"line":225,"address":[],"length":0,"stats":{"Line":0}},{"line":229,"address":[],"length":0,"stats":{"Line":28}},{"line":235,"address":[],"length":0,"stats":{"Line":0}},{"line":236,"address":[],"length":0,"stats":{"Line":14}},{"line":238,"address":[],"length":0,"stats":{"Line":0}},{"line":239,"address":[],"length":0,"stats":{"Line":14}},{"line":240,"address":[],"length":0,"stats":{"Line":14}},{"line":241,"address":[],"length":0,"stats":{"Line":14}},{"line":242,"address":[],"length":0,"stats":{"Line":14}},{"line":244,"address":[],"length":0,"stats":{"Line":14}},{"line":245,"address":[],"length":0,"stats":{"Line":14}},{"line":251,"address":[],"length":0,"stats":{"Line":41}},{"line":263,"address":[],"length":0,"stats":{"Line":41}},{"line":269,"address":[],"length":0,"stats":{"Line":41}},{"line":270,"address":[],"length":0,"stats":{"Line":41}},{"line":273,"address":[],"length":0,"stats":{"Line":41}},{"line":290,"address":[],"length":0,"stats":{"Line":3}},{"line":291,"address":[],"length":0,"stats":{"Line":3}},{"line":292,"address":[],"length":0,"stats":{"Line":3}},{"line":293,"address":[],"length":0,"stats":{"Line":3}},{"line":298,"address":[],"length":0,"stats":{"Line":38}},{"line":300,"address":[],"length":0,"stats":{"Line":38}},{"line":308,"address":[],"length":0,"stats":{"Line":4}},{"line":309,"address":[],"length":0,"stats":{"Line":4}},{"line":314,"address":[],"length":0,"stats":{"Line":0}},{"line":315,"address":[],"length":0,"stats":{"Line":0}},{"line":316,"address":[],"length":0,"stats":{"Line":0}},{"line":317,"address":[],"length":0,"stats":{"Line":0}},{"line":319,"address":[],"length":0,"stats":{"Line":0}},{"line":320,"address":[],"length":0,"stats":{"Line":0}},{"line":321,"address":[],"length":0,"stats":{"Line":0}},{"line":322,"address":[],"length":0,"stats":{"Line":0}},{"line":328,"address":[],"length":0,"stats":{"Line":0}},{"line":329,"address":[],"length":0,"stats":{"Line":0}},{"line":338,"address":[],"length":0,"stats":{"Line":0}},{"line":342,"address":[],"length":0,"stats":{"Line":0}},{"line":343,"address":[],"length":0,"stats":{"Line":0}},{"line":344,"address":[],"length":0,"stats":{"Line":0}},{"line":349,"address":[],"length":0,"stats":{"Line":17}},{"line":350,"address":[],"length":0,"stats":{"Line":17}},{"line":355,"address":[],"length":0,"stats":{"Line":28}},{"line":365,"address":[],"length":0,"stats":{"Line":56}},{"line":367,"address":[],"length":0,"stats":{"Line":0}},{"line":368,"address":[],"length":0,"stats":{"Line":0}},{"line":369,"address":[],"length":0,"stats":{"Line":0}},{"line":370,"address":[],"length":0,"stats":{"Line":0}},{"line":371,"address":[],"length":0,"stats":{"Line":0}},{"line":375,"address":[],"length":0,"stats":{"Line":14}},{"line":376,"address":[],"length":0,"stats":{"Line":14}},{"line":377,"address":[],"length":0,"stats":{"Line":14}},{"line":378,"address":[],"length":0,"stats":{"Line":14}},{"line":379,"address":[],"length":0,"stats":{"Line":14}},{"line":380,"address":[],"length":0,"stats":{"Line":14}},{"line":382,"address":[],"length":0,"stats":{"Line":14}},{"line":383,"address":[],"length":0,"stats":{"Line":14}},{"line":389,"address":[],"length":0,"stats":{"Line":8}},{"line":402,"address":[],"length":0,"stats":{"Line":8}},{"line":403,"address":[],"length":0,"stats":{"Line":8}},{"line":409,"address":[],"length":0,"stats":{"Line":8}},{"line":410,"address":[],"length":0,"stats":{"Line":8}},{"line":411,"address":[],"length":0,"stats":{"Line":8}},{"line":414,"address":[],"length":0,"stats":{"Line":8}},{"line":429,"address":[],"length":0,"stats":{"Line":0}},{"line":430,"address":[],"length":0,"stats":{"Line":0}},{"line":431,"address":[],"length":0,"stats":{"Line":0}},{"line":436,"address":[],"length":0,"stats":{"Line":0}},{"line":437,"address":[],"length":0,"stats":{"Line":0}},{"line":442,"address":[],"length":0,"stats":{"Line":0}},{"line":443,"address":[],"length":0,"stats":{"Line":0}},{"line":444,"address":[],"length":0,"stats":{"Line":0}},{"line":447,"address":[],"length":0,"stats":{"Line":0}},{"line":448,"address":[],"length":0,"stats":{"Line":0}},{"line":455,"address":[],"length":0,"stats":{"Line":0}},{"line":456,"address":[],"length":0,"stats":{"Line":0}},{"line":457,"address":[],"length":0,"stats":{"Line":0}},{"line":458,"address":[],"length":0,"stats":{"Line":0}},{"line":460,"address":[],"length":0,"stats":{"Line":0}},{"line":461,"address":[],"length":0,"stats":{"Line":0}},{"line":462,"address":[],"length":0,"stats":{"Line":0}},{"line":465,"address":[],"length":0,"stats":{"Line":0}},{"line":476,"address":[],"length":0,"stats":{"Line":0}},{"line":477,"address":[],"length":0,"stats":{"Line":0}},{"line":478,"address":[],"length":0,"stats":{"Line":0}},{"line":484,"address":[],"length":0,"stats":{"Line":0}},{"line":485,"address":[],"length":0,"stats":{"Line":0}},{"line":486,"address":[],"length":0,"stats":{"Line":0}},{"line":487,"address":[],"length":0,"stats":{"Line":0}},{"line":488,"address":[],"length":0,"stats":{"Line":0}},{"line":496,"address":[],"length":0,"stats":{"Line":0}},{"line":497,"address":[],"length":0,"stats":{"Line":0}},{"line":498,"address":[],"length":0,"stats":{"Line":0}},{"line":499,"address":[],"length":0,"stats":{"Line":0}},{"line":501,"address":[],"length":0,"stats":{"Line":0}},{"line":503,"address":[],"length":0,"stats":{"Line":0}},{"line":512,"address":[],"length":0,"stats":{"Line":0}},{"line":513,"address":[],"length":0,"stats":{"Line":0}},{"line":534,"address":[],"length":0,"stats":{"Line":0}},{"line":535,"address":[],"length":0,"stats":{"Line":0}},{"line":536,"address":[],"length":0,"stats":{"Line":0}},{"line":540,"address":[],"length":0,"stats":{"Line":0}},{"line":541,"address":[],"length":0,"stats":{"Line":0}},{"line":542,"address":[],"length":0,"stats":{"Line":0}}],"covered":63,"coverable":155},{"path":["/","home","stu","dev","rust","jose","src","crypto","hmac.rs"],"content":"//! The primitives for working with [HMAC] algorithms.\n//!\n//! [HMAC]: https://en.wikipedia.org/wiki/HMAC\n\nuse core::fmt;\n\nuse secrecy::{ExposeSecret, SecretSlice};\nuse subtle::ConstantTimeEq as _;\n\nuse super::{\n    backend::{\n        interface::{self, hmac::Key as _},\n        Backend,\n    },\n    Error, Result,\n};\nuse crate::{\n    crypto::backend::interface::Backend as _,\n    jwa,\n    jwk::{\n        self,\n        symmetric::{FromOctetSequenceError, OctetSequence},\n        IntoJsonWebKey,\n    },\n    jws::{self, Signer},\n};\n\ntype BackendHmacKey = \u003cBackend as interface::Backend\u003e::HmacKey;\n\n/// Marker trait is implemented for all supported HMAC variants.\npub trait Variant: crate::sealed::Sealed {\n    /// The JWA algorithm for this variant.\n    const ALGORITHM: jwa::Hmac;\n\n    /// The number of bytes in the output of the hash operation operation.\n    const OUTPUT_SIZE_BYTES: usize;\n}\n\n/// The returned signature from a sign operation.\n#[repr(transparent)]\npub struct Signature {\n    inner: \u003cBackendHmacKey as interface::hmac::Key\u003e::Signature,\n}\n\nimpl AsRef\u003c[u8]\u003e for Signature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        self.inner.as_ref()\n    }\n}\n\nimpl fmt::Debug for Signature {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Debug::fmt(AsRef::\u003c[u8]\u003e::as_ref(\u0026self.inner), f)\n    }\n}\n\n/// A key that can be used for signing and verifying HMAC signatures.\npub struct Key\u003cH: Variant\u003e {\n    inner: BackendHmacKey,\n    // We also need to store the raw key, to be able to convert it to a JWK.\n    raw_key: SecretSlice\u003cu8\u003e,\n    _variant: core::marker::PhantomData\u003cH\u003e,\n}\n\nimpl\u003cH: Variant\u003e Key\u003cH\u003e {\n    /// Generate a new random HMAC key, using the crypto backends default RNG.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the crypto backend failed to generate random data.\n    pub fn generate() -\u003e Result\u003cSelf\u003e {\n        let mut key = alloc::vec![0u8; H::OUTPUT_SIZE_BYTES].into_boxed_slice();\n        Backend::fill_random(\u0026mut key)?;\n        let key = SecretSlice::from(key);\n\n        Self::new_from_key(key)\n    }\n\n    fn new_from_key(key: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let inner = BackendHmacKey::new(H::ALGORITHM, key.expose_secret())?;\n        Ok(Self {\n            inner,\n            raw_key: key,\n            _variant: core::marker::PhantomData,\n        })\n    }\n}\n\nimpl\u003cH: Variant\u003e fmt::Debug for Key\u003cH\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        f.debug_struct(\"Key\")\n            .field(\"key\", \u0026self.raw_key)\n            .field(\"algorithm\", \u0026H::ALGORITHM)\n            .finish()\n    }\n}\n\nimpl\u003cH: Variant\u003e From\u003cKey\u003cH\u003e\u003e for jwk::JsonWebKeyType {\n    fn from(key: Key\u003cH\u003e) -\u003e Self {\n        jwk::JsonWebKeyType::Symmetric(jwk::SymmetricJsonWebKey::OctetSequence(OctetSequence::new(\n            key.raw_key,\n        )))\n    }\n}\n\nimpl\u003cH: Variant\u003e crate::sealed::Sealed for Key\u003cH\u003e {}\nimpl\u003cH: Variant\u003e IntoJsonWebKey for Key\u003cH\u003e {\n    type Algorithm = ();\n    type Error = core::convert::Infallible;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003ccrate::JsonWebKey, Self::Error\u003e {\n        let key_ty = jwk::JsonWebKeyType::from(self);\n        let alg = alg.map(|_| {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Hmac(H::ALGORITHM))\n        });\n        Ok(jwk::JsonWebKey::new_with_algorithm(key_ty, alg))\n    }\n}\n\nimpl\u003cH: Variant\u003e jws::Verifier for Key\u003cH\u003e {\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), jws::VerifyError\u003e {\n        let signed = self.inner.sign(msg)?;\n\n        let valid = bool::from(signature.ct_eq(signed.as_ref()));\n        if valid {\n            Ok(())\n        } else {\n            Err(jws::VerifyError::InvalidSignature)\n        }\n    }\n}\n\nimpl\u003cH: Variant\u003e Signer\u003cSignature\u003e for Key\u003cH\u003e {\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cSignature, Error\u003e {\n        let signature = self.inner.sign(msg)?;\n        Ok(Signature { inner: signature })\n    }\n\n    fn algorithm(\u0026self) -\u003e jwa::JsonWebSigningAlgorithm {\n        jwa::JsonWebSigningAlgorithm::Hmac(H::ALGORITHM)\n    }\n}\n\nimpl\u003cH: Variant\u003e jwk::FromKey\u003cOctetSequence\u003e for Key\u003cH\u003e {\n    type Error = FromOctetSequenceError;\n\n    fn from_key(\n        key: OctetSequence,\n        alg: jwa::JsonWebAlgorithm,\n    ) -\u003e core::result::Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Hmac(alg)) =\u003e {\n                if alg != H::ALGORITHM {\n                    return Err(FromOctetSequenceError::InvalidSigningAlgorithm(\n                        jws::InvalidSigningAlgorithmError,\n                    ));\n                }\n\n                // This check is not required for normal Hmac implementations based on RFC 2104\n                // but RFC 7518 section 3.2 requires this check and\n                // forbids keys with a length \u003c output\n                if key.len() \u003c H::OUTPUT_SIZE_BYTES {\n                    return Err(FromOctetSequenceError::InvalidLength);\n                }\n\n                Ok(Self::new_from_key(key.into_bytes())?)\n            }\n            _ =\u003e Err(FromOctetSequenceError::InvalidSigningAlgorithm(\n                jws::InvalidSigningAlgorithmError,\n            )),\n        }\n    }\n}\n\nimpl\u003cH: Variant\u003e jwk::FromKey\u003c\u0026OctetSequence\u003e for Key\u003cH\u003e {\n    type Error = FromOctetSequenceError;\n\n    fn from_key(key: \u0026OctetSequence, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Hmac(alg)) =\u003e {\n                if alg != H::ALGORITHM {\n                    return Err(FromOctetSequenceError::InvalidSigningAlgorithm(\n                        jws::InvalidSigningAlgorithmError,\n                    ));\n                }\n\n                // This check is not required for normal Hmac implementations based on RFC 2104\n                // but RFC 7518 section 3.2 requires this check and\n                // forbids keys with a length \u003c output\n                if key.len() \u003c H::OUTPUT_SIZE_BYTES {\n                    return Err(FromOctetSequenceError::InvalidLength);\n                }\n\n                Ok(Self::new_from_key(key.bytes().clone())?)\n            }\n            _ =\u003e Err(FromOctetSequenceError::InvalidSigningAlgorithm(\n                jws::InvalidSigningAlgorithmError,\n            )),\n        }\n    }\n}\nmacro_rules! impl_variant {\n    (#[$doc:meta] $variant:ident = $size:expr) =\u003e {\n        #[$doc]\n        #[derive(Debug)]\n        pub enum $variant {}\n\n        impl Variant for $variant {\n            const ALGORITHM: jwa::Hmac = jwa::Hmac::$variant;\n            const OUTPUT_SIZE_BYTES: usize = $size;\n        }\n        impl crate::sealed::Sealed for $variant {}\n    };\n}\n\nimpl_variant!(\n    /// Marker type that represents Hmac using the Sha256 digest.\n    Hs256 = 256 / 8\n);\nimpl_variant!(\n    /// Marker type that represents Hmac using the Sha384 digest.\n    Hs384 = 384 / 8\n);\nimpl_variant!(\n    /// Marker type that represents Hmac using the Sha512 digest.\n    Hs512 = 512 / 8\n);\n","traces":[{"line":46,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":52,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":1}},{"line":72,"address":[],"length":0,"stats":{"Line":1}},{"line":73,"address":[],"length":0,"stats":{"Line":1}},{"line":74,"address":[],"length":0,"stats":{"Line":1}},{"line":76,"address":[],"length":0,"stats":{"Line":1}},{"line":79,"address":[],"length":0,"stats":{"Line":1}},{"line":80,"address":[],"length":0,"stats":{"Line":2}},{"line":81,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":90,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}},{"line":100,"address":[],"length":0,"stats":{"Line":0}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":119,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":138,"address":[],"length":0,"stats":{"Line":0}},{"line":139,"address":[],"length":0,"stats":{"Line":0}},{"line":142,"address":[],"length":0,"stats":{"Line":0}},{"line":143,"address":[],"length":0,"stats":{"Line":0}},{"line":150,"address":[],"length":0,"stats":{"Line":0}},{"line":154,"address":[],"length":0,"stats":{"Line":0}},{"line":155,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":157,"address":[],"length":0,"stats":{"Line":0}},{"line":158,"address":[],"length":0,"stats":{"Line":0}},{"line":165,"address":[],"length":0,"stats":{"Line":0}},{"line":166,"address":[],"length":0,"stats":{"Line":0}},{"line":169,"address":[],"length":0,"stats":{"Line":0}},{"line":171,"address":[],"length":0,"stats":{"Line":0}},{"line":172,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":1}},{"line":182,"address":[],"length":0,"stats":{"Line":1}},{"line":183,"address":[],"length":0,"stats":{"Line":1}},{"line":184,"address":[],"length":0,"stats":{"Line":1}},{"line":185,"address":[],"length":0,"stats":{"Line":0}},{"line":186,"address":[],"length":0,"stats":{"Line":0}},{"line":193,"address":[],"length":0,"stats":{"Line":1}},{"line":194,"address":[],"length":0,"stats":{"Line":1}},{"line":197,"address":[],"length":0,"stats":{"Line":0}},{"line":199,"address":[],"length":0,"stats":{"Line":0}},{"line":200,"address":[],"length":0,"stats":{"Line":0}}],"covered":13,"coverable":60},{"path":["/","home","stu","dev","rust","jose","src","crypto","okp.rs"],"content":"//! The primitives for working with EdDSA algorithms (`kty`\n//! parameter = `OKP`).\n//!\n//! If you are looking for the other curve types, see the\n//! [`ec`](crate::crypto::ec) module, which contains all curves, that do not\n//! require an octet key pair as a key.\n\nuse alloc::{borrow::Cow, format, string::String, vec::Vec};\nuse core::{fmt, marker::PhantomData};\n\nuse serde::{de::Error as _, Deserialize, Serialize};\n\nuse super::backend::{\n    interface::{\n        self,\n        okp::{PrivateKey as _, PublicKey as _},\n    },\n    Backend,\n};\nuse crate::{\n    base64_url::{Base64UrlBytes, SecretBase64UrlBytes},\n    crypto::Result,\n    jwa, jwk, jws, Base64UrlString,\n};\n\nconst KTY: \u0026str = \"OKP\";\n\ntype BackendPublicKey = \u003cBackend as interface::Backend\u003e::EdPublicKey;\ntype BackendPrivateKey = \u003cBackend as interface::Backend\u003e::EdPrivateKey;\n\n/// The curve trait marks all possible curves for EdDSA keys.\n///\n/// Technically, the implementors of this trait (e.g. [`Ed25519`]) are not\n/// curves, but rather the curve + algorithm combination. However, the JWK\n/// specification uses the term \"curve\" for this combination, so we will\n/// follow that convention here.\npub trait Curve: sealed::Sealed {\n    /// The name of the curve, that is also used in the `crv` parameter of a\n    /// JWK.\n    const NAME: \u0026'static str;\n}\n\n/// The public key using the Ed25519 curve.\npub type Ed25519PublicKey = PublicKey\u003cEd25519\u003e;\n\n/// The private key using the Ed25519 curve.\npub type Ed25519PrivateKey = PrivateKey\u003cEd25519\u003e;\n\n/// The signer type using the Ed25519 curve.\npub type Ed25519Signer = Signer\u003cEd25519\u003e;\n\n/// The verifier type using the Ed25519 curve.\npub type Ed25519Verifier = Verifier\u003cEd25519\u003e;\n\n/// The public key using the Ed448 curve.\npub type Ed448PublicKey = PublicKey\u003cEd448\u003e;\n\n/// The private key using the Ed448 curve.\npub type Ed448PrivateKey = PrivateKey\u003cEd448\u003e;\n\n/// The signer type using the Ed448 curve.\npub type Ed448Signer = Signer\u003cEd448\u003e;\n\n/// The verifier type using the Ed448 curve.\npub type Ed448Verifier = Verifier\u003cEd448\u003e;\n\n/// The returned signature from a sign operation.\n#[repr(transparent)]\npub struct Signature {\n    inner: \u003cBackendPrivateKey as interface::okp::PrivateKey\u003e::Signature,\n}\n\nimpl From\u003cSignature\u003e for Vec\u003cu8\u003e {\n    fn from(value: Signature) -\u003e Self {\n        value.as_ref().to_vec()\n    }\n}\n\nimpl AsRef\u003c[u8]\u003e for Signature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        self.inner.as_ref()\n    }\n}\n\nimpl fmt::Debug for Signature {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Debug::fmt(AsRef::\u003c[u8]\u003e::as_ref(\u0026self.inner), f)\n    }\n}\n\n/// A public key for EdDSA algorithms.\n///\n/// The type of algorithm and curve is determined by the\n/// `C` type parameter.\n#[derive(Clone)]\npub struct PublicKey\u003cC\u003e {\n    inner: BackendPublicKey,\n    _curve: PhantomData\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e Eq for PublicKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e PartialEq for PublicKey\u003cC\u003e {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        interface::okp::PublicKey::to_bytes(\u0026self.inner)\n            == interface::okp::PublicKey::to_bytes(\u0026other.inner)\n    }\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for PublicKey\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let bytes = Base64UrlString::encode(interface::okp::PublicKey::to_bytes(\u0026self.inner));\n        f.debug_struct(\"PublicKey\")\n            .field(\"curve\", \u0026C::NAME)\n            .field(\"x\", \u0026bytes)\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e From\u003cPublicKey\u003cC\u003e\u003e for jwk::JsonWebKeyType {\n    fn from(value: PublicKey\u003cC\u003e) -\u003e Self {\n        C::public_to_jwk_type(value)\n    }\n}\n\nimpl\u003cC: Curve\u003e crate::sealed::Sealed for PublicKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e jwk::IntoJsonWebKey for PublicKey\u003cC\u003e {\n    type Algorithm = ();\n    type Error = crate::crypto::Error;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003cjwk::JsonWebKey, Self::Error\u003e {\n        let key = C::public_to_jwk_type(self);\n        let key = jwk::JsonWebKey::new_with_algorithm(\n            key,\n            alg.map(|_| jwa::JsonWebSigningAlgorithm::EdDSA.into()),\n        );\n        Ok(key)\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::Thumbprint for PublicKey\u003cC\u003e {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        jwk::thumbprint::serialize_key_thumbprint(self)\n    }\n}\n\n#[derive(Serialize, Deserialize)]\nstruct PublicRepr\u003c'a\u003e {\n    crv: Cow\u003c'a, str\u003e,\n    kty: Cow\u003c'a, str\u003e,\n    x: Base64UrlBytes,\n}\n\nimpl\u003c'de, C: Curve\u003e Deserialize\u003c'de\u003e for PublicKey\u003cC\u003e {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let repr = PublicRepr::deserialize(deserializer)?;\n\n        if repr.crv != C::NAME {\n            return Err(D::Error::custom(format!(\n                \"Invalid curve type `{}`. Expected `{}`\",\n                repr.crv,\n                C::NAME\n            )));\n        }\n\n        if repr.kty != KTY {\n            return Err(D::Error::custom(format!(\n                \"Invalid key type `{}`. Expected `{KTY}`\",\n                repr.kty,\n            )));\n        }\n\n        let key =\n            interface::okp::PublicKey::new(C::ALGORITHM, repr.x.0).map_err(D::Error::custom)?;\n        Ok(Self {\n            inner: key,\n            _curve: PhantomData,\n        })\n    }\n}\n\nimpl\u003cC: Curve\u003e Serialize for PublicKey\u003cC\u003e {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        let repr = PublicRepr {\n            crv: C::NAME.into(),\n            kty: KTY.into(),\n            x: Base64UrlBytes(interface::okp::PublicKey::to_bytes(\u0026self.inner)),\n        };\n\n        repr.serialize(serializer)\n    }\n}\n\n/// A private key for EdDSA algorithms.\n///\n/// The type of algorithm and curve is determined by the\n/// `C` type parameter.\n#[derive(Clone)]\npub struct PrivateKey\u003cC\u003e {\n    inner: BackendPrivateKey,\n    _curve: PhantomData\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e PrivateKey\u003cC\u003e {\n    /// Generate a new random key pair.\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if the key generation fails.\n    pub fn generate() -\u003e Result\u003cSelf\u003e {\n        Ok(Self {\n            inner: BackendPrivateKey::generate(C::ALGORITHM)?,\n            _curve: PhantomData,\n        })\n    }\n\n    /// Returns the public key of this private key.\n    pub fn to_public_key(\u0026self) -\u003e PublicKey\u003cC\u003e {\n        PublicKey {\n            inner: self.inner.to_public_key(),\n            _curve: PhantomData,\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e Eq for PrivateKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e PartialEq for PrivateKey\u003cC\u003e {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        self.to_public_key() == other.to_public_key()\n    }\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for PrivateKey\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let pub_key = interface::okp::PrivateKey::to_public_key(\u0026self.inner);\n        let bytes = Base64UrlString::encode(interface::okp::PublicKey::to_bytes(\u0026pub_key));\n\n        f.debug_struct(\"PrivateKey\")\n            .field(\"curve\", \u0026C::NAME)\n            .field(\"x\", \u0026bytes)\n            .field(\"d\", \u0026\"[REDACTED]\")\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e From\u003cPrivateKey\u003cC\u003e\u003e for jwk::JsonWebKeyType {\n    fn from(value: PrivateKey\u003cC\u003e) -\u003e Self {\n        C::private_to_jwk_type(value)\n    }\n}\n\nimpl\u003cC: Curve\u003e crate::sealed::Sealed for PrivateKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e jwk::IntoJsonWebKey for PrivateKey\u003cC\u003e {\n    type Algorithm = ();\n    type Error = crate::crypto::Error;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003cjwk::JsonWebKey, Self::Error\u003e {\n        let key = C::private_to_jwk_type(self);\n        let key = jwk::JsonWebKey::new_with_algorithm(\n            key,\n            alg.map(|_| jwa::JsonWebSigningAlgorithm::EdDSA.into()),\n        );\n        Ok(key)\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::Thumbprint for PrivateKey\u003cC\u003e {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        self.to_public_key().thumbprint_prehashed()\n    }\n}\n\n#[derive(Serialize, Deserialize)]\nstruct PrivateRepr\u003c'a\u003e {\n    #[serde(flatten)]\n    public: PublicRepr\u003c'a\u003e,\n    d: SecretBase64UrlBytes,\n}\n\nimpl\u003c'de, C: Curve\u003e Deserialize\u003c'de\u003e for PrivateKey\u003cC\u003e {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let repr = PrivateRepr::deserialize(deserializer)?;\n\n        let key = interface::okp::PrivateKey::new(C::ALGORITHM, repr.public.x.0, repr.d.0)\n            .map_err(D::Error::custom)?;\n\n        Ok(Self {\n            inner: key,\n            _curve: PhantomData,\n        })\n    }\n}\n\nimpl\u003cC: Curve\u003e Serialize for PrivateKey\u003cC\u003e {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        let pub_key = self.inner.to_public_key();\n        let repr = PrivateRepr {\n            public: PublicRepr {\n                crv: C::NAME.into(),\n                kty: KTY.into(),\n                x: Base64UrlBytes(interface::okp::PublicKey::to_bytes(\u0026pub_key)),\n            },\n            d: SecretBase64UrlBytes(interface::okp::PrivateKey::to_bytes(\u0026self.inner)),\n        };\n\n        repr.serialize(serializer)\n    }\n}\n\n/// The [`Signer`](jws::Signer) for EC keys.\npub struct Signer\u003cC\u003e {\n    inner: PrivateKey\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for Signer\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        f.debug_struct(\"Signer\").field(\"key\", \u0026self.inner).finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e jws::Signer\u003cSignature\u003e for Signer\u003cC\u003e {\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cSignature\u003e {\n        let sig = self.inner.inner.sign(msg)?;\n        Ok(Signature { inner: sig })\n    }\n\n    fn algorithm(\u0026self) -\u003e jwa::JsonWebSigningAlgorithm {\n        jwa::JsonWebSigningAlgorithm::EdDSA\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPrivateKey\u003cC\u003e\u003e for Signer\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    fn from_key(value: PrivateKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::EdDSA) =\u003e {\n                Ok(Self { inner: value })\n            }\n            _ =\u003e Err(jws::InvalidSigningAlgorithmError),\n        }\n    }\n}\n\n/// The [`Verifier`](jws::Verifier) for EC keys.\npub struct Verifier\u003cC\u003e {\n    inner: PublicKey\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for Verifier\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        f.debug_struct(\"Verifier\")\n            .field(\"key\", \u0026self.inner)\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e jws::Verifier for Verifier\u003cC\u003e {\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), jws::VerifyError\u003e {\n        match self.inner.inner.verify(msg, signature) {\n            Ok(true) =\u003e Ok(()),\n            Ok(false) =\u003e Err(jws::VerifyError::InvalidSignature),\n            Err(e) =\u003e Err(jws::VerifyError::CryptoBackend(e)),\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPublicKey\u003cC\u003e\u003e for Verifier\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    fn from_key(value: PublicKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::EdDSA) =\u003e {\n                Ok(Self { inner: value })\n            }\n            _ =\u003e Err(jws::InvalidSigningAlgorithmError),\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPrivateKey\u003cC\u003e\u003e for Verifier\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    #[inline]\n    fn from_key(value: PrivateKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        Self::from_key(value.to_public_key(), alg)\n    }\n}\n\nmacro_rules! impl_curve {\n    ($(\n        $(#[$doc:meta])*\n        $curve:ident {\n            name: $curve_name:literal,\n        }\n    ),*$(,)?) =\u003e { $(\n        $(#[$doc])*\n        #[derive(Debug, Clone, Copy)]\n        pub enum $curve {}\n\n        impl Curve for $curve {\n            const NAME: \u0026'static str = $curve_name;\n        }\n\n        impl sealed::Sealed for $curve {\n            #[expect(private_interfaces)]\n            const ALGORITHM: interface::okp::CurveAlgorithm = interface::okp::CurveAlgorithm::$curve;\n\n            fn public_to_jwk_type(key: PublicKey\u003cSelf\u003e) -\u003e jwk::JsonWebKeyType {\n                jwk::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(jwk::AsymmetricJsonWebKey::Public(\n                    jwk::Public::Okp(jwk::OkpPublic::$curve(key)),\n                )))\n            }\n\n            fn private_to_jwk_type(key: PrivateKey\u003cSelf\u003e) -\u003e jwk::JsonWebKeyType {\n                jwk::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(jwk::AsymmetricJsonWebKey::Private(\n                    jwk::Private::Okp(jwk::OkpPrivate::$curve(key)),\n                )))\n            }\n        }\n    )* };\n}\n\nimpl_curve!(\n    /// The Ed25519 curve.\n    Ed25519 {\n        name: \"Ed25519\",\n    },\n\n    /// The Ed448 curve.\n    Ed448 {\n        name: \"Ed448\",\n    },\n);\n\nmod sealed {\n    use crate::{crypto::backend::interface, jwk::JsonWebKeyType};\n\n    pub trait Sealed: Sized {\n        #[expect(private_interfaces)]\n        const ALGORITHM: interface::okp::CurveAlgorithm;\n\n        fn public_to_jwk_type(key: super::PublicKey\u003cSelf\u003e) -\u003e JsonWebKeyType;\n\n        fn private_to_jwk_type(key: super::PrivateKey\u003cSelf\u003e) -\u003e JsonWebKeyType;\n    }\n}\n","traces":[{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":81,"address":[],"length":0,"stats":{"Line":0}},{"line":86,"address":[],"length":0,"stats":{"Line":0}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":12}},{"line":104,"address":[],"length":0,"stats":{"Line":12}},{"line":105,"address":[],"length":0,"stats":{"Line":12}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":113,"address":[],"length":0,"stats":{"Line":0}},{"line":114,"address":[],"length":0,"stats":{"Line":0}},{"line":120,"address":[],"length":0,"stats":{"Line":0}},{"line":121,"address":[],"length":0,"stats":{"Line":0}},{"line":130,"address":[],"length":0,"stats":{"Line":0}},{"line":134,"address":[],"length":0,"stats":{"Line":0}},{"line":136,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":139,"address":[],"length":0,"stats":{"Line":0}},{"line":144,"address":[],"length":0,"stats":{"Line":16}},{"line":145,"address":[],"length":0,"stats":{"Line":16}},{"line":157,"address":[],"length":0,"stats":{"Line":6}},{"line":161,"address":[],"length":0,"stats":{"Line":12}},{"line":163,"address":[],"length":0,"stats":{"Line":0}},{"line":164,"address":[],"length":0,"stats":{"Line":0}},{"line":165,"address":[],"length":0,"stats":{"Line":0}},{"line":166,"address":[],"length":0,"stats":{"Line":0}},{"line":167,"address":[],"length":0,"stats":{"Line":0}},{"line":171,"address":[],"length":0,"stats":{"Line":6}},{"line":172,"address":[],"length":0,"stats":{"Line":0}},{"line":173,"address":[],"length":0,"stats":{"Line":0}},{"line":174,"address":[],"length":0,"stats":{"Line":0}},{"line":178,"address":[],"length":0,"stats":{"Line":6}},{"line":179,"address":[],"length":0,"stats":{"Line":0}},{"line":180,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":0}},{"line":182,"address":[],"length":0,"stats":{"Line":0}},{"line":188,"address":[],"length":0,"stats":{"Line":20}},{"line":193,"address":[],"length":0,"stats":{"Line":20}},{"line":194,"address":[],"length":0,"stats":{"Line":20}},{"line":195,"address":[],"length":0,"stats":{"Line":20}},{"line":198,"address":[],"length":0,"stats":{"Line":20}},{"line":218,"address":[],"length":0,"stats":{"Line":2}},{"line":219,"address":[],"length":0,"stats":{"Line":2}},{"line":220,"address":[],"length":0,"stats":{"Line":2}},{"line":221,"address":[],"length":0,"stats":{"Line":2}},{"line":226,"address":[],"length":0,"stats":{"Line":18}},{"line":228,"address":[],"length":0,"stats":{"Line":18}},{"line":236,"address":[],"length":0,"stats":{"Line":2}},{"line":237,"address":[],"length":0,"stats":{"Line":2}},{"line":242,"address":[],"length":0,"stats":{"Line":0}},{"line":243,"address":[],"length":0,"stats":{"Line":0}},{"line":244,"address":[],"length":0,"stats":{"Line":0}},{"line":246,"address":[],"length":0,"stats":{"Line":0}},{"line":247,"address":[],"length":0,"stats":{"Line":0}},{"line":248,"address":[],"length":0,"stats":{"Line":0}},{"line":249,"address":[],"length":0,"stats":{"Line":0}},{"line":255,"address":[],"length":0,"stats":{"Line":0}},{"line":256,"address":[],"length":0,"stats":{"Line":0}},{"line":265,"address":[],"length":0,"stats":{"Line":0}},{"line":269,"address":[],"length":0,"stats":{"Line":0}},{"line":271,"address":[],"length":0,"stats":{"Line":0}},{"line":272,"address":[],"length":0,"stats":{"Line":0}},{"line":274,"address":[],"length":0,"stats":{"Line":0}},{"line":279,"address":[],"length":0,"stats":{"Line":8}},{"line":280,"address":[],"length":0,"stats":{"Line":8}},{"line":292,"address":[],"length":0,"stats":{"Line":12}},{"line":296,"address":[],"length":0,"stats":{"Line":24}},{"line":298,"address":[],"length":0,"stats":{"Line":6}},{"line":299,"address":[],"length":0,"stats":{"Line":0}},{"line":301,"address":[],"length":0,"stats":{"Line":0}},{"line":302,"address":[],"length":0,"stats":{"Line":0}},{"line":303,"address":[],"length":0,"stats":{"Line":0}},{"line":309,"address":[],"length":0,"stats":{"Line":4}},{"line":313,"address":[],"length":0,"stats":{"Line":4}},{"line":315,"address":[],"length":0,"stats":{"Line":4}},{"line":320,"address":[],"length":0,"stats":{"Line":4}},{"line":323,"address":[],"length":0,"stats":{"Line":4}},{"line":333,"address":[],"length":0,"stats":{"Line":0}},{"line":334,"address":[],"length":0,"stats":{"Line":0}},{"line":339,"address":[],"length":0,"stats":{"Line":0}},{"line":340,"address":[],"length":0,"stats":{"Line":0}},{"line":341,"address":[],"length":0,"stats":{"Line":0}},{"line":344,"address":[],"length":0,"stats":{"Line":0}},{"line":345,"address":[],"length":0,"stats":{"Line":0}},{"line":352,"address":[],"length":0,"stats":{"Line":0}},{"line":353,"address":[],"length":0,"stats":{"Line":0}},{"line":354,"address":[],"length":0,"stats":{"Line":0}},{"line":355,"address":[],"length":0,"stats":{"Line":0}},{"line":357,"address":[],"length":0,"stats":{"Line":0}},{"line":368,"address":[],"length":0,"stats":{"Line":0}},{"line":369,"address":[],"length":0,"stats":{"Line":0}},{"line":370,"address":[],"length":0,"stats":{"Line":0}},{"line":376,"address":[],"length":0,"stats":{"Line":0}},{"line":377,"address":[],"length":0,"stats":{"Line":0}},{"line":378,"address":[],"length":0,"stats":{"Line":0}},{"line":379,"address":[],"length":0,"stats":{"Line":0}},{"line":380,"address":[],"length":0,"stats":{"Line":0}},{"line":388,"address":[],"length":0,"stats":{"Line":0}},{"line":389,"address":[],"length":0,"stats":{"Line":0}},{"line":390,"address":[],"length":0,"stats":{"Line":0}},{"line":391,"address":[],"length":0,"stats":{"Line":0}},{"line":393,"address":[],"length":0,"stats":{"Line":0}},{"line":402,"address":[],"length":0,"stats":{"Line":0}},{"line":403,"address":[],"length":0,"stats":{"Line":0}},{"line":426,"address":[],"length":0,"stats":{"Line":0}},{"line":427,"address":[],"length":0,"stats":{"Line":0}},{"line":428,"address":[],"length":0,"stats":{"Line":0}},{"line":432,"address":[],"length":0,"stats":{"Line":0}},{"line":433,"address":[],"length":0,"stats":{"Line":0}},{"line":434,"address":[],"length":0,"stats":{"Line":0}}],"covered":32,"coverable":113},{"path":["/","home","stu","dev","rust","jose","src","crypto","rsa.rs"],"content":"//! The primitives for working with [RSA] encryption.\n//!\n//! [RSA]: https://en.wikipedia.org/wiki/RSA_cryptosystem\n\nuse alloc::{boxed::Box, format, string::String, vec::Vec};\nuse core::{convert::Infallible, fmt};\n\nuse serde::{de::Error as _, ser::Error as _, Deserialize, Serialize};\n\nuse super::backend::{\n    interface::{\n        self,\n        rsa::{self, PrivateKey as _, PublicKey as _},\n    },\n    Backend,\n};\nuse crate::{\n    base64_url::{Base64UrlBytes, SecretBase64UrlBytes},\n    crypto::Result,\n    jwa::{self, RsaSigning},\n    jwk::{self, FromKey, IntoJsonWebKey},\n    jws::{self, InvalidSigningAlgorithmError},\n    Base64UrlString,\n};\n\ntype BackendPublicKey = \u003cBackend as interface::Backend\u003e::RsaPublicKey;\ntype BackendPrivateKey = \u003cBackend as interface::Backend\u003e::RsaPrivateKey;\n\n/// The returned signature from a sign operation.\n#[repr(transparent)]\npub struct Signature {\n    inner: \u003cBackendPrivateKey as rsa::PrivateKey\u003e::Signature,\n}\n\nimpl From\u003cSignature\u003e for Vec\u003cu8\u003e {\n    fn from(value: Signature) -\u003e Self {\n        value.as_ref().to_vec()\n    }\n}\n\nimpl AsRef\u003c[u8]\u003e for Signature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        self.inner.as_ref()\n    }\n}\n\nimpl fmt::Debug for Signature {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Debug::fmt(self.as_ref(), f)\n    }\n}\n\n/// The RSA public key type.\n#[derive(Clone)]\npub struct PublicKey {\n    inner: BackendPublicKey,\n}\n\nimpl Eq for PublicKey {}\nimpl PartialEq for PublicKey {\n    fn eq(\u0026self, o: \u0026Self) -\u003e bool {\n        let this_pub = rsa::PublicKey::components(\u0026self.inner);\n        let o_pub = rsa::PublicKey::components(\u0026o.inner);\n\n        this_pub == o_pub\n    }\n}\n\nimpl fmt::Debug for PublicKey {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let key = rsa::PublicKey::components(\u0026self.inner);\n        let n = Base64UrlString::encode(key.n);\n        let e = Base64UrlString::encode(key.e);\n\n        f.debug_struct(\"PublicKey\")\n            .field(\"n\", \u0026n)\n            .field(\"e\", \u0026e)\n            .finish()\n    }\n}\n\nimpl From\u003cPublicKey\u003e for jwk::JsonWebKeyType {\n    fn from(x: PublicKey) -\u003e Self {\n        jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Public(\n            jwk::Public::Rsa(x),\n        )))\n    }\n}\n\nimpl crate::sealed::Sealed for PublicKey {}\nimpl IntoJsonWebKey for PublicKey {\n    type Algorithm = RsaSigning;\n    type Error = Infallible;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003ccrate::JsonWebKey, Self::Error\u003e {\n        let alg = alg.map(|rsa| {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Rsa(rsa.into()))\n        });\n\n        let key = jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Public(\n            jwk::Public::Rsa(self),\n        )));\n\n        Ok(jwk::JsonWebKey::new_with_algorithm(key, alg))\n    }\n}\n\nimpl jwk::Thumbprint for PublicKey {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        crate::jwk::thumbprint::serialize_key_thumbprint(self)\n    }\n}\n\nimpl Serialize for PublicKey {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        #[derive(Serialize)]\n        struct Repr {\n            kty: \u0026'static str,\n\n            n: Base64UrlBytes,\n            e: Base64UrlBytes,\n        }\n\n        let key = rsa::PublicKey::components(\u0026self.inner);\n        Repr {\n            kty: \"RSA\",\n            n: Base64UrlBytes(key.n),\n            e: Base64UrlBytes(key.e),\n        }\n        .serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for PublicKey {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        #[derive(Deserialize)]\n        struct Repr {\n            kty: String,\n\n            n: Base64UrlBytes,\n            e: Base64UrlBytes,\n        }\n\n        let repr = Repr::deserialize(deserializer)?;\n\n        if \u0026*repr.kty != \"RSA\" {\n            return Err(D::Error::custom(\"`kty` field is required to be `RSA`\"));\n        }\n\n        let components = rsa::PublicKeyComponents {\n            n: repr.n.0,\n            e: repr.e.0,\n        };\n        let key = rsa::PublicKey::from_components(components)\n            .map_err(|e| D::Error::custom(format!(\"failed to construct RSA public key: {e}\")))?;\n        Ok(Self { inner: key })\n    }\n}\n\n/// The RSA private key type.\n#[derive(Clone)]\npub struct PrivateKey {\n    inner: BackendPrivateKey,\n}\n\nimpl PrivateKey {\n    /// Generate a new RSA key pair of the given bit size.\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if the key generation fails.\n    pub fn generate(bits: usize) -\u003e Result\u003cSelf\u003e {\n        let key = BackendPrivateKey::generate(bits)?;\n        Ok(Self { inner: key })\n    }\n\n    /// Get the public key corresponding to this private key.\n    pub fn to_public_key(\u0026self) -\u003e PublicKey {\n        PublicKey {\n            inner: self.inner.to_public_key(),\n        }\n    }\n}\n\nimpl Eq for PrivateKey {}\nimpl PartialEq for PrivateKey {\n    fn eq(\u0026self, o: \u0026Self) -\u003e bool {\n        self.to_public_key() == o.to_public_key()\n    }\n}\n\nimpl From\u003cPrivateKey\u003e for jwk::JsonWebKeyType {\n    fn from(x: PrivateKey) -\u003e Self {\n        jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Private(\n            jwk::Private::Rsa(Box::new(x)),\n        )))\n    }\n}\n\nimpl fmt::Debug for PrivateKey {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let key = rsa::PrivateKey::public_components(\u0026self.inner);\n        let n = Base64UrlString::encode(key.n);\n        let e = Base64UrlString::encode(key.e);\n\n        f.debug_struct(\"PrivateKey\")\n            .field(\"n\", \u0026n)\n            .field(\"e\", \u0026e)\n            .field(\"primes\", \u0026\"[REDACTED]\")\n            .finish()\n    }\n}\n\nimpl crate::sealed::Sealed for PrivateKey {}\nimpl IntoJsonWebKey for PrivateKey {\n    type Algorithm = RsaSigning;\n    type Error = Infallible;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003ccrate::JsonWebKey, Self::Error\u003e {\n        let alg = alg.map(|rsa| {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Rsa(rsa.into()))\n        });\n\n        let key = jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Private(\n            jwk::Private::Rsa(Box::new(self)),\n        )));\n\n        Ok(crate::JsonWebKey::new_with_algorithm(key, alg))\n    }\n}\n\nimpl jwk::Thumbprint for PrivateKey {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        self.to_public_key().thumbprint_prehashed()\n    }\n}\n\nimpl Serialize for PrivateKey {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        #[derive(Serialize)]\n        struct Repr {\n            kty: \u0026'static str,\n\n            n: Base64UrlBytes,\n            e: Base64UrlBytes,\n\n            d: SecretBase64UrlBytes,\n            p: SecretBase64UrlBytes,\n            q: SecretBase64UrlBytes,\n            dp: SecretBase64UrlBytes,\n            dq: SecretBase64UrlBytes,\n            qi: SecretBase64UrlBytes,\n        }\n\n        let pub_key = rsa::PrivateKey::public_components(\u0026self.inner);\n        let key = rsa::PrivateKey::private_components(\u0026self.inner).map_err(S::Error::custom)?;\n\n        let repr = Repr {\n            kty: \"RSA\",\n            n: Base64UrlBytes(pub_key.n),\n            e: Base64UrlBytes(pub_key.e),\n            d: SecretBase64UrlBytes(key.d),\n            p: SecretBase64UrlBytes(key.prime.p),\n            q: SecretBase64UrlBytes(key.prime.q),\n            dp: SecretBase64UrlBytes(key.prime.dp),\n            dq: SecretBase64UrlBytes(key.prime.dq),\n            qi: SecretBase64UrlBytes(key.prime.qi),\n        };\n\n        repr.serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for PrivateKey {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        #[derive(Deserialize)]\n        struct Repr {\n            kty: String,\n\n            n: Base64UrlBytes,\n            e: Base64UrlBytes,\n            d: SecretBase64UrlBytes,\n\n            p: Option\u003cSecretBase64UrlBytes\u003e,\n            q: Option\u003cSecretBase64UrlBytes\u003e,\n            dp: Option\u003cSecretBase64UrlBytes\u003e,\n            dq: Option\u003cSecretBase64UrlBytes\u003e,\n            qi: Option\u003cSecretBase64UrlBytes\u003e,\n\n            oth: Option\u003cserde_json::Value\u003e,\n        }\n\n        let repr = Repr::deserialize(deserializer)?;\n\n        if \u0026*repr.kty != \"RSA\" {\n            return Err(D::Error::custom(\"`kty` field is required to be `RSA`\"));\n        }\n\n        // RFC:\n        //\n        // The parameter \"d\" is REQUIRED for RSA private keys.  The others enable\n        // optimizations and SHOULD be included by producers of JWKs\n        // representing RSA private keys.  If the producer includes any of the\n        // other private key parameters, then all of the others MUST be present,\n        // with the exception of \"oth\", which MUST only be present when more than two\n        // prime factors were used.\n\n        let any_prime_present = repr.p.is_some()\n            | repr.q.is_some()\n            | repr.dp.is_some()\n            | repr.dq.is_some()\n            | repr.qi.is_some();\n\n        let prime_info = if any_prime_present {\n            let err = |field: \u0026str| {\n                D::Error::custom(format!(\n                    \"expected `{field}` to be present because all prime fields must be set if one \\\n                     of them is set\"\n                ))\n            };\n\n            rsa::PrivateKeyPrimeComponents {\n                p: repr.p.ok_or_else(|| err(\"p\"))?.0,\n                q: repr.q.ok_or_else(|| err(\"q\"))?.0,\n                dp: repr.dp.ok_or_else(|| err(\"dp\"))?.0,\n                dq: repr.dq.ok_or_else(|| err(\"dq\"))?.0,\n                qi: repr.qi.ok_or_else(|| err(\"qi\"))?.0,\n            }\n        } else {\n            // FIXME: can we support RSA keys without any primes?\n            return Err(D::Error::custom(\n                \"RSA private keys without any primes are not supported\",\n            ));\n        };\n\n        if repr.oth.is_some() {\n            // FIXME: Support additional primes\n            return Err(D::Error::custom(\n                \"RSA private keys with `oth` field set are not supported\",\n            ));\n        }\n\n        let pub_components = rsa::PublicKeyComponents {\n            n: repr.n.0,\n            e: repr.e.0,\n        };\n\n        let priv_components = rsa::PrivateKeyComponents {\n            d: repr.d.0,\n            prime: prime_info,\n        };\n\n        let key = rsa::PrivateKey::from_components(priv_components, pub_components)\n            .map_err(|e| D::Error::custom(format!(\"failed to construct RSA private key: {e}\")))?;\n        Ok(Self { inner: key })\n    }\n}\n\n/// A [`Signer`](jws::Signer) using an [`PrivateKey`] and an RSA algorithm.\n#[derive(Debug)]\npub struct Signer {\n    key: PrivateKey,\n    alg: RsaSigning,\n}\n\nimpl FromKey\u003cPrivateKey\u003e for Signer {\n    type Error = InvalidSigningAlgorithmError;\n\n    fn from_key(value: PrivateKey, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Rsa(alg)) =\u003e {\n                Ok(Self { key: value, alg })\n            }\n            _ =\u003e Err(InvalidSigningAlgorithmError),\n        }\n    }\n}\n\nimpl jws::Signer\u003cSignature\u003e for Signer {\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cSignature\u003e {\n        let sig = self.key.inner.sign(self.alg, msg)?;\n        Ok(Signature { inner: sig })\n    }\n\n    fn algorithm(\u0026self) -\u003e jwa::JsonWebSigningAlgorithm {\n        jwa::JsonWebSigningAlgorithm::Rsa(self.alg)\n    }\n}\n\n/// A [`Verifier`](jws::Verifier) using an [`PublicKey`] and an RSA algorithm.\n#[derive(Debug)]\npub struct Verifier {\n    key: PublicKey,\n    alg: RsaSigning,\n}\n\nimpl FromKey\u003cPublicKey\u003e for Verifier {\n    type Error = InvalidSigningAlgorithmError;\n\n    fn from_key(value: PublicKey, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Rsa(alg)) =\u003e {\n                Ok(Self { key: value, alg })\n            }\n            _ =\u003e Err(InvalidSigningAlgorithmError),\n        }\n    }\n}\n\nimpl FromKey\u003cPrivateKey\u003e for Verifier {\n    type Error = InvalidSigningAlgorithmError;\n\n    /// Create a [`Verifier`] from the private key by\n    /// turning it into the public key and dropping the private parts afterwards\n    fn from_key(value: PrivateKey, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        Self::from_key(value.to_public_key(), alg)\n    }\n}\n\nimpl jws::Verifier for Verifier {\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), jws::VerifyError\u003e {\n        match self.key.inner.verify(self.alg, msg, signature) {\n            Ok(true) =\u003e Ok(()),\n            Ok(false) =\u003e Err(jws::VerifyError::InvalidSignature),\n            Err(err) =\u003e Err(jws::VerifyError::CryptoBackend(err)),\n        }\n    }\n}\n","traces":[{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":37,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":43,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":15}},{"line":62,"address":[],"length":0,"stats":{"Line":15}},{"line":63,"address":[],"length":0,"stats":{"Line":15}},{"line":65,"address":[],"length":0,"stats":{"Line":15}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}},{"line":100,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":23}},{"line":113,"address":[],"length":0,"stats":{"Line":23}},{"line":118,"address":[],"length":0,"stats":{"Line":33}},{"line":130,"address":[],"length":0,"stats":{"Line":33}},{"line":133,"address":[],"length":0,"stats":{"Line":33}},{"line":134,"address":[],"length":0,"stats":{"Line":33}},{"line":136,"address":[],"length":0,"stats":{"Line":33}},{"line":141,"address":[],"length":0,"stats":{"Line":33}},{"line":153,"address":[],"length":0,"stats":{"Line":66}},{"line":155,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":13}},{"line":161,"address":[],"length":0,"stats":{"Line":13}},{"line":163,"address":[],"length":0,"stats":{"Line":13}},{"line":164,"address":[],"length":0,"stats":{"Line":0}},{"line":165,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":1}},{"line":182,"address":[],"length":0,"stats":{"Line":2}},{"line":187,"address":[],"length":0,"stats":{"Line":16}},{"line":189,"address":[],"length":0,"stats":{"Line":16}},{"line":196,"address":[],"length":0,"stats":{"Line":2}},{"line":197,"address":[],"length":0,"stats":{"Line":2}},{"line":202,"address":[],"length":0,"stats":{"Line":0}},{"line":203,"address":[],"length":0,"stats":{"Line":0}},{"line":204,"address":[],"length":0,"stats":{"Line":0}},{"line":210,"address":[],"length":0,"stats":{"Line":0}},{"line":211,"address":[],"length":0,"stats":{"Line":0}},{"line":212,"address":[],"length":0,"stats":{"Line":0}},{"line":213,"address":[],"length":0,"stats":{"Line":0}},{"line":215,"address":[],"length":0,"stats":{"Line":0}},{"line":216,"address":[],"length":0,"stats":{"Line":0}},{"line":217,"address":[],"length":0,"stats":{"Line":0}},{"line":218,"address":[],"length":0,"stats":{"Line":0}},{"line":228,"address":[],"length":0,"stats":{"Line":0}},{"line":232,"address":[],"length":0,"stats":{"Line":0}},{"line":233,"address":[],"length":0,"stats":{"Line":0}},{"line":236,"address":[],"length":0,"stats":{"Line":0}},{"line":237,"address":[],"length":0,"stats":{"Line":0}},{"line":240,"address":[],"length":0,"stats":{"Line":0}},{"line":245,"address":[],"length":0,"stats":{"Line":7}},{"line":246,"address":[],"length":0,"stats":{"Line":7}},{"line":251,"address":[],"length":0,"stats":{"Line":4}},{"line":270,"address":[],"length":0,"stats":{"Line":4}},{"line":271,"address":[],"length":0,"stats":{"Line":8}},{"line":275,"address":[],"length":0,"stats":{"Line":0}},{"line":276,"address":[],"length":0,"stats":{"Line":0}},{"line":277,"address":[],"length":0,"stats":{"Line":0}},{"line":278,"address":[],"length":0,"stats":{"Line":0}},{"line":279,"address":[],"length":0,"stats":{"Line":0}},{"line":280,"address":[],"length":0,"stats":{"Line":0}},{"line":281,"address":[],"length":0,"stats":{"Line":0}},{"line":282,"address":[],"length":0,"stats":{"Line":0}},{"line":285,"address":[],"length":0,"stats":{"Line":0}},{"line":290,"address":[],"length":0,"stats":{"Line":59}},{"line":311,"address":[],"length":0,"stats":{"Line":118}},{"line":313,"address":[],"length":0,"stats":{"Line":0}},{"line":314,"address":[],"length":0,"stats":{"Line":0}},{"line":326,"address":[],"length":0,"stats":{"Line":6}},{"line":327,"address":[],"length":0,"stats":{"Line":6}},{"line":328,"address":[],"length":0,"stats":{"Line":6}},{"line":329,"address":[],"length":0,"stats":{"Line":6}},{"line":330,"address":[],"length":0,"stats":{"Line":6}},{"line":332,"address":[],"length":0,"stats":{"Line":6}},{"line":333,"address":[],"length":0,"stats":{"Line":6}},{"line":334,"address":[],"length":0,"stats":{"Line":0}},{"line":335,"address":[],"length":0,"stats":{"Line":0}},{"line":336,"address":[],"length":0,"stats":{"Line":0}},{"line":341,"address":[],"length":0,"stats":{"Line":6}},{"line":342,"address":[],"length":0,"stats":{"Line":6}},{"line":343,"address":[],"length":0,"stats":{"Line":6}},{"line":344,"address":[],"length":0,"stats":{"Line":6}},{"line":345,"address":[],"length":0,"stats":{"Line":6}},{"line":349,"address":[],"length":0,"stats":{"Line":0}},{"line":350,"address":[],"length":0,"stats":{"Line":0}},{"line":354,"address":[],"length":0,"stats":{"Line":0}},{"line":356,"address":[],"length":0,"stats":{"Line":0}},{"line":357,"address":[],"length":0,"stats":{"Line":0}},{"line":362,"address":[],"length":0,"stats":{"Line":6}},{"line":363,"address":[],"length":0,"stats":{"Line":6}},{"line":367,"address":[],"length":0,"stats":{"Line":6}},{"line":371,"address":[],"length":0,"stats":{"Line":6}},{"line":372,"address":[],"length":0,"stats":{"Line":0}},{"line":373,"address":[],"length":0,"stats":{"Line":0}},{"line":387,"address":[],"length":0,"stats":{"Line":0}},{"line":388,"address":[],"length":0,"stats":{"Line":0}},{"line":389,"address":[],"length":0,"stats":{"Line":0}},{"line":390,"address":[],"length":0,"stats":{"Line":0}},{"line":392,"address":[],"length":0,"stats":{"Line":0}},{"line":398,"address":[],"length":0,"stats":{"Line":0}},{"line":399,"address":[],"length":0,"stats":{"Line":0}},{"line":403,"address":[],"length":0,"stats":{"Line":0}},{"line":404,"address":[],"length":0,"stats":{"Line":0}},{"line":418,"address":[],"length":0,"stats":{"Line":0}},{"line":419,"address":[],"length":0,"stats":{"Line":0}},{"line":420,"address":[],"length":0,"stats":{"Line":0}},{"line":421,"address":[],"length":0,"stats":{"Line":0}},{"line":423,"address":[],"length":0,"stats":{"Line":0}},{"line":433,"address":[],"length":0,"stats":{"Line":0}},{"line":434,"address":[],"length":0,"stats":{"Line":0}},{"line":439,"address":[],"length":0,"stats":{"Line":0}},{"line":440,"address":[],"length":0,"stats":{"Line":0}},{"line":441,"address":[],"length":0,"stats":{"Line":0}},{"line":442,"address":[],"length":0,"stats":{"Line":0}},{"line":443,"address":[],"length":0,"stats":{"Line":0}}],"covered":45,"coverable":130},{"path":["/","home","stu","dev","rust","jose","src","crypto.rs"],"content":"//! Cryptographic primitives.\n//!\n//! This module contains all primitives required for the JOSE RFCs. It abstracts\n//! away the different cryptographic libraries and provides a common interface\n//! for them. The goal is to make it easy to switch between different libraries\n//! and implementations without changing the code that uses them.\n//!\n//! ## Random Number Generation\n//!\n//! Many of the private key types provide `generate` functions. These functions\n//! require access to secure, random data. Each backend provides it own way of\n//! getting secure random data from the underlying system. The\n//! `crypto-rustcrypto` and `crypto-ring` use the [`getrandom`] crate to get\n//! random data. In order to use the `jose` crate on `no_std` systems, the user\n//! must supply a custom random number generator by using the\n//! [`register_custom_getrandom`] macro.\n//!\n//! **Note:** The current version `ring` and Rust Crypto crates use the `0.2`\n//! version of the `getrandom` crate.\n//!\n//! [`register_custom_getrandom`]: (https://docs.rs/getrandom/0.2.10/getrandom/macro.register_custom_getrandom.html)\n//! [`getrandom`]: (https://docs.rs/getrandom/0.2.10/getrandom/index.html)\n\npub(crate) mod backend;\npub mod ec;\npub mod hmac;\npub mod okp;\npub mod rsa;\n\nuse core::{error, fmt};\n\nuse backend::interface;\n\nuse self::backend::Backend;\n\n/// The result type used for cryptographic operations.\npub type Result\u003cT, E = Error\u003e = core::result::Result\u003cT, E\u003e;\n\n/// The erased error type that is used to generalize all errors that all the\n/// cryptographic libraries can return.\npub struct Error {\n    inner: \u003cBackend as interface::Backend\u003e::Error,\n}\n\nimpl fmt::Display for Error {\n    fn fmt(\u0026self, _f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Display::fmt(\u0026self.inner, _f)\n    }\n}\n\nimpl fmt::Debug for Error {\n    fn fmt(\u0026self, _f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Debug::fmt(\u0026self.inner, _f)\n    }\n}\n\nimpl error::Error for Error {\n    fn source(\u0026self) -\u003e Option\u003c\u0026(dyn error::Error + 'static)\u003e {\n        error::Error::source(\u0026self.inner)\n    }\n}\n\nimpl\u003cE\u003e From\u003cE\u003e for Error\nwhere\n    \u003cBackend as interface::Backend\u003e::Error: From\u003cE\u003e,\n{\n    fn from(err: E) -\u003e Self {\n        Self {\n            inner: \u003cBackend as interface::Backend\u003e::Error::from(err),\n        }\n    }\n}\n\n/// Fills the given buffer with random data.\n#[inline]\n#[expect(unused)] // may be used in the future\npub(crate) fn fill_random(buf: \u0026mut [u8]) -\u003e Result\u003c()\u003e {\n    \u003cBackend as interface::Backend\u003e::fill_random(buf).map_err(|e| Error { inner: e })\n}\n\n/// Performs a quick Sha256 of the given data.\n#[inline]\npub(crate) fn sha256(data: \u0026[u8]) -\u003e [u8; 32] {\n    \u003cBackend as interface::Backend\u003e::sha256(data)\n}\n\n/// Performs a quick Sha384 of the given data.\n#[inline]\npub(crate) fn sha384(data: \u0026[u8]) -\u003e [u8; 48] {\n    \u003cBackend as interface::Backend\u003e::sha384(data)\n}\n\n/// Performs a quick Sha512 of the given data.\n#[inline]\npub(crate) fn sha512(data: \u0026[u8]) -\u003e [u8; 64] {\n    \u003cBackend as interface::Backend\u003e::sha512(data)\n}\n","traces":[{"line":46,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":52,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":33}},{"line":84,"address":[],"length":0,"stats":{"Line":33}},{"line":89,"address":[],"length":0,"stats":{"Line":21}},{"line":90,"address":[],"length":0,"stats":{"Line":21}},{"line":95,"address":[],"length":0,"stats":{"Line":21}},{"line":96,"address":[],"length":0,"stats":{"Line":21}}],"covered":6,"coverable":16},{"path":["/","home","stu","dev","rust","jose","src","format","compact.rs"],"content":"use alloc::vec::Vec;\nuse core::{fmt, str::FromStr};\n\nuse super::{sealed, Format};\nuse crate::{\n    base64_url::NoBase64UrlString,\n    header,\n    jws::{PayloadData, SignError, Signer},\n    Base64UrlString, JoseHeader,\n};\n\n/// The compact representation is essentially a list of Base64Url\n/// strings that are separated by `.`.\n#[derive(Default, Debug, Clone, PartialEq, Eq, Hash)]\npub struct Compact {\n    parts: Vec\u003cBase64UrlString\u003e,\n}\n\nimpl Format for Compact {}\nimpl sealed::SealedFormat\u003cCompact\u003e for Compact {\n    type JwsHeader = JoseHeader\u003cCompact, header::Jws\u003e;\n    type SerializedJwsHeader = Base64UrlString;\n\n    fn update_header\u003cS: AsRef\u003c[u8]\u003e\u003e(header: \u0026mut Self::JwsHeader, signer: \u0026dyn Signer\u003cS\u003e) {\n        header.overwrite_alg_and_key_id(signer.algorithm(), signer.key_id());\n    }\n\n    fn serialize_header(\n        header: Self::JwsHeader,\n    ) -\u003e Result\u003cSelf::SerializedJwsHeader, SignError\u003ccore::convert::Infallible\u003e\u003e {\n        let (protected_header, _) = header.into_values().map_err(SignError::InvalidHeader)?;\n\n        if protected_header\n            .as_ref()\n            .map(|x| x.is_empty())\n            .unwrap_or(true)\n        {\n            return Err(SignError::EmptyProtectedHeader);\n        }\n\n        let header =\n            serde_json::to_string(\u0026protected_header).map_err(SignError::SerializeHeader)?;\n\n        let header = Base64UrlString::encode(header.as_bytes());\n\n        Ok(header)\n    }\n\n    fn message_from_header(hdr: \u0026Self::SerializedJwsHeader) -\u003e Option\u003c\u0026[u8]\u003e {\n        Some(hdr.as_bytes())\n    }\n\n    fn finalize(\n        header: Self::SerializedJwsHeader,\n        payload: Option\u003cPayloadData\u003e,\n        signature: \u0026[u8],\n    ) -\u003e Result\u003cSelf, serde_json::Error\u003e {\n        let mut compact = Compact::with_capacity(3);\n\n        compact.push_base64url(header);\n\n        let payload = match payload {\n            Some(PayloadData::Standard(b64)) =\u003e b64,\n            None =\u003e Base64UrlString::new(),\n        };\n\n        compact.parts.push(payload);\n        compact.push(signature);\n\n        Ok(compact)\n    }\n\n    fn finalize_jws_header_builder(\n        value_ref: \u0026mut Result\u003cSelf::JwsHeader, header::JoseHeaderBuilderError\u003e,\n        new_builder: header::JoseHeaderBuilder\u003cCompact, header::Jws\u003e,\n    ) {\n        *value_ref = new_builder.build();\n    }\n}\n\nimpl Compact {\n    pub(crate) fn with_capacity(cap: usize) -\u003e Self {\n        Compact {\n            parts: Vec::with_capacity(cap),\n        }\n    }\n\n    pub(crate) fn push_base64url(\u0026mut self, part: Base64UrlString) {\n        self.parts.push(part);\n    }\n\n    pub(crate) fn push(\u0026mut self, part: impl AsRef\u003c[u8]\u003e) {\n        self.parts.push(Base64UrlString::encode(part));\n    }\n\n    pub(crate) fn part(\u0026self, idx: usize) -\u003e Option\u003c\u0026Base64UrlString\u003e {\n        self.parts.get(idx)\n    }\n\n    pub(crate) fn len(\u0026self) -\u003e usize {\n        self.parts.len()\n    }\n}\n\nimpl FromStr for Compact {\n    type Err = NoBase64UrlString;\n\n    /// Verifies if every part of the string is valid base64url format\n    fn from_str(s: \u0026str) -\u003e Result\u003cSelf, Self::Err\u003e {\n        let parts = s\n            .split('.')\n            .map(Base64UrlString::from_str)\n            .collect::\u003cResult\u003cVec\u003c_\u003e, _\u003e\u003e()?;\n        Ok(Self { parts })\n    }\n}\n\nimpl fmt::Display for Compact {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let len = self.parts.len();\n\n        for (idx, part) in self.parts.iter().enumerate() {\n            fmt::Display::fmt(\u0026part, f)?;\n\n            if idx != len - 1 {\n                f.write_str(\".\")?;\n            }\n        }\n\n        Ok(())\n    }\n}\n","traces":[{"line":24,"address":[],"length":0,"stats":{"Line":0}},{"line":25,"address":[],"length":0,"stats":{"Line":0}},{"line":28,"address":[],"length":0,"stats":{"Line":0}},{"line":31,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":38,"address":[],"length":0,"stats":{"Line":0}},{"line":41,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":50,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":62,"address":[],"length":0,"stats":{"Line":0}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":100,"address":[],"length":0,"stats":{"Line":0}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":119,"address":[],"length":0,"stats":{"Line":0}},{"line":120,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":126,"address":[],"length":0,"stats":{"Line":0}},{"line":130,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":41},{"path":["/","home","stu","dev","rust","jose","src","format","json_flattened.rs"],"content":"use alloc::string::String;\nuse core::fmt;\n\nuse serde::{Deserialize, Serialize};\nuse serde_json::Value;\n\nuse super::{sealed, Format};\nuse crate::{\n    header,\n    jws::{PayloadData, SignError},\n    Base64UrlString, JoseHeader,\n};\n\n/// The flattened json serialization format.\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]\npub struct JsonFlattened {\n    pub(crate) payload: Option\u003cBase64UrlString\u003e,\n    #[serde(skip_serializing_if = \"Option::is_none\")]\n    pub(crate) protected: Option\u003cBase64UrlString\u003e,\n    #[serde(skip_serializing_if = \"Option::is_none\")]\n    pub(crate) header: Option\u003cserde_json::Map\u003cString, Value\u003e\u003e,\n    pub(crate) signature: Base64UrlString,\n}\n\nimpl Format for JsonFlattened {}\n\nimpl fmt::Display for JsonFlattened {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let repr = if f.alternate() {\n            serde_json::to_string_pretty(\u0026self).map_err(|_| fmt::Error)?\n        } else {\n            serde_json::to_string(\u0026self).map_err(|_| fmt::Error)?\n        };\n\n        f.write_str(\u0026repr)\n    }\n}\n\nimpl sealed::SealedFormat\u003cJsonFlattened\u003e for JsonFlattened {\n    type JwsHeader = JoseHeader\u003cJsonFlattened, header::Jws\u003e;\n    type SerializedJwsHeader = (\n        Option\u003cBase64UrlString\u003e,\n        Option\u003cserde_json::Map\u003cString, Value\u003e\u003e,\n    );\n\n    fn update_header\u003cS: AsRef\u003c[u8]\u003e\u003e(\n        header: \u0026mut Self::JwsHeader,\n        signer: \u0026dyn crate::jws::Signer\u003cS\u003e,\n    ) {\n        header.overwrite_alg_and_key_id(signer.algorithm(), signer.key_id());\n    }\n\n    fn serialize_header(\n        header: Self::JwsHeader,\n    ) -\u003e Result\u003cSelf::SerializedJwsHeader, SignError\u003ccore::convert::Infallible\u003e\u003e {\n        let (protected, unprotected) = header.into_values().map_err(SignError::InvalidHeader)?;\n\n        let protected = match protected {\n            Some(hdr) =\u003e {\n                let json = serde_json::to_string(\u0026hdr).map_err(SignError::SerializeHeader)?;\n\n                let encoded = Base64UrlString::encode(json);\n                Some(encoded)\n            }\n            None =\u003e None,\n        };\n\n        Ok((protected, unprotected))\n    }\n\n    fn message_from_header(hdr: \u0026Self::SerializedJwsHeader) -\u003e Option\u003c\u0026[u8]\u003e {\n        hdr.0.as_ref().map(|x| x.as_bytes())\n    }\n\n    fn finalize(\n        (protected, unprotected): Self::SerializedJwsHeader,\n        payload: Option\u003cPayloadData\u003e,\n        signature: \u0026[u8],\n    ) -\u003e Result\u003cSelf, serde_json::Error\u003e {\n        let payload = payload.map(|PayloadData::Standard(b64)| b64);\n\n        let signature = Base64UrlString::encode(signature);\n\n        Ok(JsonFlattened {\n            payload,\n            protected,\n            header: unprotected,\n            signature,\n        })\n    }\n\n    fn finalize_jws_header_builder(\n        value_ref: \u0026mut Result\u003cSelf::JwsHeader, header::JoseHeaderBuilderError\u003e,\n        new_builder: header::JoseHeaderBuilder\u003cJsonFlattened, header::Jws\u003e,\n    ) {\n        *value_ref = new_builder.build();\n    }\n}\n","traces":[{"line":28,"address":[],"length":0,"stats":{"Line":0}},{"line":29,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":0}},{"line":32,"address":[],"length":0,"stats":{"Line":0}},{"line":46,"address":[],"length":0,"stats":{"Line":0}},{"line":50,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":0}},{"line":86,"address":[],"length":0,"stats":{"Line":0}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":24},{"path":["/","home","stu","dev","rust","jose","src","format","json_general.rs"],"content":"use alloc::{string::String, vec, vec::Vec};\nuse core::{convert::Infallible, fmt};\n\nuse serde::{Deserialize, Serialize};\nuse serde_json::Value;\n\nuse super::{sealed, Format};\nuse crate::{\n    header::{self, JoseHeaderBuilder, JoseHeaderBuilderError},\n    jws::{PayloadData, SignError, Signer},\n    Base64UrlString, JoseHeader,\n};\n\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]\npub(crate) struct Signature {\n    #[serde(skip_serializing_if = \"Option::is_none\")]\n    pub(crate) protected: Option\u003cBase64UrlString\u003e,\n    #[serde(skip_serializing_if = \"Option::is_none\")]\n    pub(crate) header: Option\u003cserde_json::Map\u003cString, Value\u003e\u003e,\n    pub(crate) signature: Base64UrlString,\n}\n\n/// The JSON General Serialization format as specified in [Section 7.2.1] in the\n/// JWS RFC.\n///\n/// [Section 7.2.1]: https://datatracker.ietf.org/doc/html/rfc7515#section-7.2.1\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]\npub struct JsonGeneral {\n    pub(crate) payload: Option\u003cBase64UrlString\u003e,\n    pub(crate) signatures: Vec\u003cSignature\u003e,\n}\n\nimpl fmt::Display for JsonGeneral {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let repr = if f.alternate() {\n            serde_json::to_string_pretty(\u0026self).map_err(|_| fmt::Error)?\n        } else {\n            serde_json::to_string(\u0026self).map_err(|_| fmt::Error)?\n        };\n\n        f.write_str(\u0026repr)\n    }\n}\n\nimpl Format for JsonGeneral {}\n\nimpl sealed::SealedFormat\u003cJsonGeneral\u003e for JsonGeneral {\n    type JwsHeader = Vec\u003cJoseHeader\u003cJsonGeneral, header::Jws\u003e\u003e;\n    // this only a single header, even though JsonGeneral supports multiple headers,\n    // because this trait implementation is only be used for a single signer.\n    type SerializedJwsHeader = (\n        Option\u003cBase64UrlString\u003e,\n        Option\u003cserde_json::Map\u003cString, Value\u003e\u003e,\n    );\n\n    fn update_header\u003cS: AsRef\u003c[u8]\u003e\u003e(header: \u0026mut Self::JwsHeader, signer: \u0026dyn Signer\u003cS\u003e) {\n        let Some(first) = header.first_mut() else {\n            return;\n        };\n\n        first.overwrite_alg_and_key_id(signer.algorithm(), signer.key_id());\n    }\n\n    fn serialize_header(\n        mut header: Self::JwsHeader,\n    ) -\u003e Result\u003cSelf::SerializedJwsHeader, SignError\u003cInfallible\u003e\u003e {\n        let len = header.len();\n\n        let Some(header) = header.pop().filter(|_| len == 1) else {\n            return Err(SignError::HeaderCountMismatch);\n        };\n\n        let (protected, unprotected) = header.into_values().map_err(SignError::InvalidHeader)?;\n\n        let protected = match protected {\n            Some(hdr) =\u003e {\n                let json = serde_json::to_string(\u0026hdr).map_err(SignError::SerializeHeader)?;\n\n                let encoded = Base64UrlString::encode(json);\n                Some(encoded)\n            }\n            None =\u003e None,\n        };\n\n        Ok((protected, unprotected))\n    }\n\n    fn message_from_header(hdr: \u0026Self::SerializedJwsHeader) -\u003e Option\u003c\u0026[u8]\u003e {\n        hdr.0.as_ref().map(|x| x.as_bytes())\n    }\n\n    fn finalize(\n        header: Self::SerializedJwsHeader,\n        payload: Option\u003cPayloadData\u003e,\n        signature: \u0026[u8],\n    ) -\u003e Result\u003cSelf, serde_json::Error\u003e {\n        let payload = payload.map(|PayloadData::Standard(b64)| b64);\n\n        let signature = Base64UrlString::encode(signature);\n\n        Ok(JsonGeneral {\n            payload,\n            signatures: vec![Signature {\n                protected: header.0,\n                header: header.1,\n                signature,\n            }],\n        })\n    }\n\n    fn finalize_jws_header_builder(\n        value_ref: \u0026mut Result\u003cSelf::JwsHeader, JoseHeaderBuilderError\u003e,\n        new_builder: JoseHeaderBuilder\u003cJsonGeneral, header::Jws\u003e,\n    ) {\n        let header = match new_builder.build() {\n            Ok(header) =\u003e header,\n            Err(err) =\u003e {\n                *value_ref = Err(err);\n                return;\n            }\n        };\n\n        match value_ref {\n            Ok(headers) =\u003e headers.push(header),\n            Err(_) =\u003e *value_ref = Ok(vec![header]),\n        }\n    }\n}\n","traces":[{"line":34,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":38,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":102,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":0}},{"line":119,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":35},{"path":["/","home","stu","dev","rust","jose","src","format.rs"],"content":"//! Contains abstractions for different kinds of\n//! serialization formats.\n//!\n//! Currently, the only two formats are [`Compact`] and [`JsonFlattened`].\n\nmod compact;\nmod json_flattened;\nmod json_general;\n\nuse core::fmt;\n\npub use compact::Compact;\npub use json_flattened::JsonFlattened;\npub use json_general::JsonGeneral;\npub(crate) use json_general::Signature as JsonGeneralSignature;\n\nuse crate::sealed::Sealed;\n\npub(crate) mod sealed {\n    use alloc::fmt;\n    use core::convert::Infallible;\n\n    use crate::{\n        header::{self, JoseHeaderBuilder, JoseHeaderBuilderError},\n        jws::{PayloadData, SignError, Signer},\n    };\n\n    // We put all methods, types, etc into a sealed trait, so\n    // the user is not able to access these thing as they should\n    // only be used internally by this crate\n    pub trait SealedFormat\u003cF\u003e: Sized {\n        type JwsHeader: fmt::Debug;\n        type SerializedJwsHeader: fmt::Debug;\n\n        fn update_header\u003cS: AsRef\u003c[u8]\u003e\u003e(header: \u0026mut Self::JwsHeader, signer: \u0026dyn Signer\u003cS\u003e);\n\n        /// Serializes the header for this format.\n        ///\n        /// The returned values must be the serializd header and the\n        /// bytes that must be appended to the message for the signature.\n        fn serialize_header(\n            header: Self::JwsHeader,\n        ) -\u003e Result\u003cSelf::SerializedJwsHeader, SignError\u003cInfallible\u003e\u003e;\n\n        /// This method converts a serialized header into the message bytes\n        /// that are used for the signature.\n        fn message_from_header(hdr: \u0026Self::SerializedJwsHeader) -\u003e Option\u003c\u0026[u8]\u003e;\n\n        fn finalize(\n            header: Self::SerializedJwsHeader,\n            payload: Option\u003cPayloadData\u003e,\n            signature: \u0026[u8],\n        ) -\u003e Result\u003cSelf, serde_json::Error\u003e;\n\n        fn finalize_jws_header_builder(\n            value_ref: \u0026mut Result\u003cSelf::JwsHeader, JoseHeaderBuilderError\u003e,\n            new_builder: JoseHeaderBuilder\u003cF, header::Jws\u003e,\n        );\n    }\n}\n\n/// This trait represents any possible format in which a JWS or JWE can be\n/// represented.\npub trait Format: fmt::Display + sealed::SealedFormat\u003cSelf\u003e + Sized {}\n\n/// Used to parse a [`Compact`] or another format representation\n/// into a concrete type.\npub trait DecodeFormat\u003cF\u003e: Sealed + Sized {\n    /// The error that can occurr while parsing `Self` from the input.\n    type Error;\n\n    /// The decoded type to return.\n    type Decoded\u003cT\u003e;\n\n    /// Parse the input into a new [`Decoded`](Self::Decoded) instance of\n    /// `Self`.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the input format has an invalid representation for\n    /// this type.\n    fn decode(input: F) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e;\n}\n\n/// Used to parse a [`Compact`] or another format representation\n/// into a concrete type.\npub trait DecodeFormatWithContext\u003cF, C\u003e: Sealed + Sized {\n    /// The error that can occurr while parsing `Self` from the input.\n    type Error;\n\n    /// The decoded type to return.\n    type Decoded\u003cT\u003e;\n\n    /// Parse the input into a new [`Decoded`](Self::Decoded) instance of\n    /// `Self`.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the input format has an invalid representation for\n    /// this type.\n    fn decode_with_context(input: F, context: \u0026C) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e;\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","header","builder.rs"],"content":"use alloc::{\n    collections::{BTreeMap, BTreeSet},\n    string::String,\n    vec::Vec,\n};\nuse core::marker::PhantomData;\n\nuse mediatype::MediaTypeBuf;\nuse serde_json::Value;\n\nuse super::{\n    parameters::MediaTypeWithMaybeStrippedApplicationTopLevel, HeaderValue, Jwe, Jws, Type,\n};\nuse crate::{\n    format::Format,\n    header::parameters::Parameters,\n    jwa::{JsonWebContentEncryptionAlgorithm, JsonWebEncryptionAlgorithm, JsonWebSigningAlgorithm},\n    jwk::serde_impl::Base64DerCertificate,\n    JoseHeader, JsonWebKey, UntypedAdditionalProperties, Uri,\n};\n\n/// A builder for a [`JoseHeader`].\n#[derive(Debug)]\n#[non_exhaustive]\npub struct JoseHeaderBuilder\u003cF, T\u003e {\n    // data\n    critical_headers: Option\u003cBTreeSet\u003cString\u003e\u003e,\n    jwk_set_url: Option\u003cHeaderValue\u003cUri\u003e\u003e,\n    json_web_key: Option\u003cHeaderValue\u003cJsonWebKey\u003cUntypedAdditionalProperties\u003e\u003e\u003e,\n    key_identifier: Option\u003cHeaderValue\u003cString\u003e\u003e,\n    x509_url: Option\u003cHeaderValue\u003cUri\u003e\u003e,\n    x509_certificate_chain: Option\u003cHeaderValue\u003cVec\u003cVec\u003cu8\u003e\u003e\u003e\u003e,\n    x509_certificate_sha1_thumbprint: Option\u003cHeaderValue\u003c[u8; 20]\u003e\u003e,\n    x509_certificate_sha256_thumbprint: Option\u003cHeaderValue\u003c[u8; 32]\u003e\u003e,\n    typ: Option\u003cHeaderValue\u003cMediaTypeBuf\u003e\u003e,\n    content_type: Option\u003cHeaderValue\u003cMediaTypeBuf\u003e\u003e,\n    additional: BTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e,\n    specific: Specific,\n    _phantom: PhantomData\u003c(F, T)\u003e,\n}\n\nimpl\u003cF, T\u003e JoseHeaderBuilder\u003cF, T\u003e\nwhere\n    F: Format,\n    T: Type,\n{\n    /// Set the [`critical_headers`](crate::JoseHeader::critical_headers)\n    /// parameter.\n    pub fn critical_headers(self, critical_headers: Option\u003cBTreeSet\u003cString\u003e\u003e) -\u003e Self {\n        // since `crit` header is not allowed to be an empty array, an empty set is\n        // discarded setting `None` will remove any existing critical headers\n        // that may already be present\n        Self {\n            critical_headers,\n            ..self\n        }\n    }\n\n    /// Set [additional](crate::JoseHeader::additional) parameters.\n    ///\n    /// Note: Do not push parameter names that are understood by this\n    /// implementation. Instead, use the appropriate method to set the parameter\n    /// directly.\n    pub fn additional(self, additional: BTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e) -\u003e Self {\n        Self { additional, ..self }\n    }\n\n    /// Create a new [`JoseHeaderBuilder`] in order to build a [`JoseHeader`].\n    pub fn new() -\u003e Self {\n        Self {\n            critical_headers: None,\n            jwk_set_url: None,\n            json_web_key: None,\n            key_identifier: None,\n            x509_url: None,\n            x509_certificate_chain: None,\n            x509_certificate_sha1_thumbprint: None,\n            x509_certificate_sha256_thumbprint: None,\n            typ: None,\n            content_type: None,\n            additional: BTreeMap::new(),\n            specific: T::specific_default(),\n            _phantom: PhantomData,\n        }\n    }\n\n    fn build_parameters(self) -\u003e Result\u003c(Parameters\u003c()\u003e, Specific), JoseHeaderBuilderError\u003e {\n        // oh dear god\n        let x509_certificate_chain = self\n            .x509_certificate_chain\n            .map(|v| v.map(|v| v.into_iter().map(Base64DerCertificate).collect::\u003cVec\u003c_\u003e\u003e()));\n\n        // FIXME: check if additional parameters contain parameters that are understood\n        // by our implementation and that should be set via their methods instead.\n\n        let parameters = Parameters {\n            critical_headers: self.critical_headers,\n            jwk_set_url: self.jwk_set_url,\n            json_web_key: self.json_web_key,\n            key_id: self.key_identifier,\n            x509_url: self.x509_url,\n            x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: self.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: self.x509_certificate_sha256_thumbprint,\n            typ: self\n                .typ\n                .map(|v| v.map(MediaTypeWithMaybeStrippedApplicationTopLevel)),\n            content_type: self\n                .content_type\n                .map(|v| v.map(MediaTypeWithMaybeStrippedApplicationTopLevel)),\n            specific: (),\n            additional: self.additional,\n        };\n        Ok((parameters, self.specific))\n    }\n\n    /// Create a [`JoseHeaderBuilder`] from a [`JoseHeader`] preserving the\n    /// parameters.\n    pub fn from_header(header: JoseHeader\u003cF, T\u003e) -\u003e Self {\n        let parameters = header.parameters;\n        let specific = parameters.specific.into_specific();\n\n        let x509_certificate_chain = parameters\n            .x509_certificate_chain\n            .map(|v| v.map(|v| v.into_iter().map(|v| v.0).collect::\u003cVec\u003c_\u003e\u003e()));\n        Self {\n            critical_headers: parameters.critical_headers,\n            jwk_set_url: parameters.jwk_set_url,\n            json_web_key: parameters.json_web_key,\n            key_identifier: parameters.key_id,\n            x509_url: parameters.x509_url,\n            x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: parameters.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: parameters.x509_certificate_sha256_thumbprint,\n            typ: parameters.typ.map(|v| v.map(|v| v.0)),\n            content_type: parameters.content_type.map(|v| v.map(|v| v.0)),\n            additional: parameters.additional,\n            specific,\n            _phantom: PhantomData,\n        }\n    }\n}\n\nimpl\u003cF, T\u003e Default for JoseHeaderBuilder\u003cF, T\u003e\nwhere\n    F: Format,\n    T: Type,\n{\n    fn default() -\u003e Self {\n        Self::new()\n    }\n}\n\n/// Specific parameters for Jws and Jwe. See [`Jws`] and [`Jwe`]\n#[derive(Debug)]\n#[non_exhaustive]\npub enum Specific {\n    Jws {\n        algorithm: Option\u003cHeaderValue\u003cJsonWebSigningAlgorithm\u003e\u003e,\n        // default: true\n        payload_base64_url_encoded: Option\u003cbool\u003e,\n    },\n    Jwe {\n        algorithm: Option\u003cHeaderValue\u003cJsonWebEncryptionAlgorithm\u003e\u003e,\n        content_encryption_algorithm: Option\u003cHeaderValue\u003cJsonWebContentEncryptionAlgorithm\u003e\u003e,\n    },\n}\n\n/// Errors that may occur while building a [`JoseHeader`] via\n/// [`JoseHeaderBuilder::build`].\n#[derive(Debug, thiserror::Error)]\n#[non_exhaustive]\npub enum JoseHeaderBuilderError {\n    /// There is no algorithm specified. Specify an algorithm via\n    /// [`JoseHeaderBuilder::algorithm`].\n    #[error(\"no algorithm set\")]\n    MissingAlgorithm,\n    /// There is no content encryption algorithm specified. Specify an content\n    /// encryption algorithm via\n    /// [`JoseHeaderBuilder::content_encryption_algorithm`].\n    ///\n    /// Note: This error may only occur while building a [`JoseHeader`] for\n    /// [`Jwe`].\n    #[error(\"no content encryption algorithm set\")]\n    MissingContentEncryptionAlgorithm,\n    /// One or more certificates in the X.509 certificate chain (set via\n    /// [`JoseHeaderBuilder::x509_certificate_chain`]) are invalid. E.g. not\n    /// valid DER-encoded.\n    #[error(\"the certificates in the certificate chain are invalid\")]\n    InvalidX509CertificateChain,\n}\n\nimpl\u003cF\u003e JoseHeaderBuilder\u003cF, Jws\u003e\nwhere\n    F: Format,\n{\n    /// Set the [`algorithm`](crate::JoseHeader::algorithm) parameter for\n    /// [`Jws`].\n    pub fn algorithm(self, algorithm: HeaderValue\u003cJsonWebSigningAlgorithm\u003e) -\u003e Self {\n        let specific = Specific::Jws {\n            algorithm: Some(algorithm),\n            payload_base64_url_encoded: match self.specific {\n                Specific::Jws {\n                    algorithm: _,\n                    payload_base64_url_encoded,\n                } =\u003e payload_base64_url_encoded,\n                // implementation must ensure a JoseHeaderBuilder\u003cF, Jws\u003e cannot be turned into an\n                // JoseHeaderBuilder\u003cF, Jwe\u003e\n                _ =\u003e unreachable!(),\n            },\n        };\n        Self { specific, ..self }\n    }\n\n    /// Set the [`payload_base64_url_encoded`](crate::JoseHeader::payload_base64_url_encoded) parameter for [`Jws`].\n    pub fn payload_base64_url_encoded(self, payload_base64_url_encoded: bool) -\u003e Self {\n        let specific = Specific::Jws {\n            algorithm: match self.specific {\n                Specific::Jws {\n                    algorithm,\n                    payload_base64_url_encoded: _,\n                } =\u003e algorithm,\n                _ =\u003e unreachable!(),\n            },\n            payload_base64_url_encoded: Some(payload_base64_url_encoded),\n        };\n        Self { specific, ..self }\n    }\n\n    /// Try to build a [`JoseHeader`].\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if any of the values provided by the builder are\n    /// invalid. See [`JoseHeaderBuilderError`] for details.\n    pub fn build(self) -\u003e Result\u003cJoseHeader\u003cF, Jws\u003e, JoseHeaderBuilderError\u003e {\n        let (parameters, specific) = self.build_parameters()?;\n\n        let (algorithm, payload_base64_url_encoded) = match specific {\n            Specific::Jws {\n                algorithm,\n                payload_base64_url_encoded,\n            } =\u003e (\n                algorithm.ok_or(JoseHeaderBuilderError::MissingAlgorithm)?,\n                payload_base64_url_encoded,\n            ),\n            _ =\u003e unreachable!(),\n        };\n        let specific = Jws {\n            algorithm,\n            payload_base64_url_encoded,\n        };\n        Ok(JoseHeader {\n            _format: PhantomData,\n            parameters: Parameters {\n                specific,\n                critical_headers: parameters.critical_headers,\n                jwk_set_url: parameters.jwk_set_url,\n                json_web_key: parameters.json_web_key,\n                key_id: parameters.key_id,\n                x509_url: parameters.x509_url,\n                x509_certificate_chain: parameters.x509_certificate_chain,\n                x509_certificate_sha1_thumbprint: parameters.x509_certificate_sha1_thumbprint,\n                x509_certificate_sha256_thumbprint: parameters.x509_certificate_sha256_thumbprint,\n                typ: parameters.typ,\n                content_type: parameters.content_type,\n                additional: parameters.additional,\n            },\n        })\n    }\n}\n\nimpl\u003cF\u003e JoseHeaderBuilder\u003cF, Jwe\u003e\nwhere\n    F: Format,\n{\n    /// Set the [`algorithm`](crate::JoseHeader::algorithm) parameter for\n    /// [`Jwe`].\n    pub fn algorithm(self, algorithm: HeaderValue\u003cJsonWebEncryptionAlgorithm\u003e) -\u003e Self {\n        let specific = Specific::Jwe {\n            algorithm: Some(algorithm),\n            content_encryption_algorithm: match self.specific {\n                Specific::Jwe {\n                    algorithm: _,\n                    content_encryption_algorithm,\n                } =\u003e content_encryption_algorithm,\n                _ =\u003e unreachable!(),\n            },\n        };\n        Self { specific, ..self }\n    }\n\n    /// Set the [`content_encryption_algorithm`](crate::JoseHeader::content_encryption_algorithm) parameter for [`Jwe`].\n    pub fn content_encryption_algorithm(\n        self,\n        content_encryption_algorithm: HeaderValue\u003cJsonWebContentEncryptionAlgorithm\u003e,\n    ) -\u003e Self {\n        let specific = Specific::Jwe {\n            algorithm: match self.specific {\n                Specific::Jwe {\n                    algorithm,\n                    content_encryption_algorithm: _,\n                } =\u003e algorithm,\n                _ =\u003e unreachable!(),\n            },\n            content_encryption_algorithm: Some(content_encryption_algorithm),\n        };\n        Self { specific, ..self }\n    }\n\n    /// Try to build a [`JoseHeader`].\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if any of the values provided by the builder are\n    /// invalid. See [`JoseHeaderBuilderError`] for details.\n    pub fn build(self) -\u003e Result\u003cJoseHeader\u003cF, Jwe\u003e, JoseHeaderBuilderError\u003e {\n        let (parameters, specific) = self.build_parameters()?;\n        let (algorithm, content_encryption_algorithm) = match specific {\n            Specific::Jwe {\n                algorithm,\n                content_encryption_algorithm,\n            } =\u003e (\n                algorithm.ok_or(JoseHeaderBuilderError::MissingAlgorithm)?,\n                content_encryption_algorithm.ok_or(JoseHeaderBuilderError::MissingAlgorithm)?,\n            ),\n            _ =\u003e unreachable!(),\n        };\n        let specific = Jwe {\n            algorithm,\n            content_encryption_algorithm,\n        };\n\n        Ok(JoseHeader {\n            _format: PhantomData,\n            parameters: Parameters {\n                specific,\n                critical_headers: parameters.critical_headers,\n                jwk_set_url: parameters.jwk_set_url,\n                json_web_key: parameters.json_web_key,\n                key_id: parameters.key_id,\n                x509_url: parameters.x509_url,\n                x509_certificate_chain: parameters.x509_certificate_chain,\n                x509_certificate_sha1_thumbprint: parameters.x509_certificate_sha1_thumbprint,\n                x509_certificate_sha256_thumbprint: parameters.x509_certificate_sha256_thumbprint,\n                typ: parameters.typ,\n                content_type: parameters.content_type,\n                additional: parameters.additional,\n            },\n        })\n    }\n}\n\nmacro_rules! setter {\n    ($($parameter:ident: $parameter_typ:ty),+,) =\u003e {\n        impl\u003cF, T\u003e JoseHeaderBuilder\u003cF, T\u003e\n        where\n            F: Format,\n            T: Type,\n        {\n            $(\n            #[doc = concat!(\"Set the [`\", stringify!($parameter), \"`](crate::JoseHeader::\", stringify!($parameter), \") parameter.\")]\n            pub fn $parameter(self, $parameter: Option\u003cHeaderValue\u003c$parameter_typ\u003e\u003e) -\u003e Self {\n                Self {\n                    $parameter,\n                    ..self\n                }\n            }\n            )+\n        }\n    };\n}\n\nsetter! {\n    x509_certificate_chain: Vec\u003cVec\u003cu8\u003e\u003e,\n    jwk_set_url: Uri,\n    json_web_key: JsonWebKey\u003cUntypedAdditionalProperties\u003e,\n    key_identifier: String,\n    x509_url: Uri,\n    x509_certificate_sha1_thumbprint: [u8; 20],\n    x509_certificate_sha256_thumbprint: [u8; 32],\n    typ: MediaTypeBuf,\n    content_type: MediaTypeBuf,\n}\n","traces":[{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":1}},{"line":81,"address":[],"length":0,"stats":{"Line":1}},{"line":82,"address":[],"length":0,"stats":{"Line":1}},{"line":87,"address":[],"length":0,"stats":{"Line":1}},{"line":89,"address":[],"length":0,"stats":{"Line":1}},{"line":90,"address":[],"length":0,"stats":{"Line":1}},{"line":91,"address":[],"length":0,"stats":{"Line":1}},{"line":97,"address":[],"length":0,"stats":{"Line":1}},{"line":98,"address":[],"length":0,"stats":{"Line":1}},{"line":99,"address":[],"length":0,"stats":{"Line":1}},{"line":100,"address":[],"length":0,"stats":{"Line":1}},{"line":101,"address":[],"length":0,"stats":{"Line":1}},{"line":103,"address":[],"length":0,"stats":{"Line":1}},{"line":104,"address":[],"length":0,"stats":{"Line":1}},{"line":105,"address":[],"length":0,"stats":{"Line":1}},{"line":108,"address":[],"length":0,"stats":{"Line":1}},{"line":111,"address":[],"length":0,"stats":{"Line":1}},{"line":112,"address":[],"length":0,"stats":{"Line":1}},{"line":114,"address":[],"length":0,"stats":{"Line":1}},{"line":119,"address":[],"length":0,"stats":{"Line":0}},{"line":120,"address":[],"length":0,"stats":{"Line":0}},{"line":121,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":130,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":133,"address":[],"length":0,"stats":{"Line":0}},{"line":134,"address":[],"length":0,"stats":{"Line":0}},{"line":135,"address":[],"length":0,"stats":{"Line":0}},{"line":136,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":149,"address":[],"length":0,"stats":{"Line":1}},{"line":150,"address":[],"length":0,"stats":{"Line":1}},{"line":199,"address":[],"length":0,"stats":{"Line":1}},{"line":201,"address":[],"length":0,"stats":{"Line":1}},{"line":202,"address":[],"length":0,"stats":{"Line":1}},{"line":216,"address":[],"length":0,"stats":{"Line":0}},{"line":218,"address":[],"length":0,"stats":{"Line":0}},{"line":225,"address":[],"length":0,"stats":{"Line":0}},{"line":236,"address":[],"length":0,"stats":{"Line":1}},{"line":237,"address":[],"length":0,"stats":{"Line":2}},{"line":239,"address":[],"length":0,"stats":{"Line":1}},{"line":240,"address":[],"length":0,"stats":{"Line":0}},{"line":241,"address":[],"length":0,"stats":{"Line":1}},{"line":242,"address":[],"length":0,"stats":{"Line":1}},{"line":243,"address":[],"length":0,"stats":{"Line":1}},{"line":244,"address":[],"length":0,"stats":{"Line":1}},{"line":245,"address":[],"length":0,"stats":{"Line":0}},{"line":253,"address":[],"length":0,"stats":{"Line":0}},{"line":254,"address":[],"length":0,"stats":{"Line":0}},{"line":255,"address":[],"length":0,"stats":{"Line":0}},{"line":256,"address":[],"length":0,"stats":{"Line":0}},{"line":257,"address":[],"length":0,"stats":{"Line":0}},{"line":258,"address":[],"length":0,"stats":{"Line":0}},{"line":259,"address":[],"length":0,"stats":{"Line":0}},{"line":260,"address":[],"length":0,"stats":{"Line":0}},{"line":261,"address":[],"length":0,"stats":{"Line":0}},{"line":262,"address":[],"length":0,"stats":{"Line":0}},{"line":263,"address":[],"length":0,"stats":{"Line":0}},{"line":264,"address":[],"length":0,"stats":{"Line":0}},{"line":265,"address":[],"length":0,"stats":{"Line":0}},{"line":266,"address":[],"length":0,"stats":{"Line":0}},{"line":267,"address":[],"length":0,"stats":{"Line":0}},{"line":279,"address":[],"length":0,"stats":{"Line":0}},{"line":281,"address":[],"length":0,"stats":{"Line":0}},{"line":282,"address":[],"length":0,"stats":{"Line":0}},{"line":294,"address":[],"length":0,"stats":{"Line":0}},{"line":299,"address":[],"length":0,"stats":{"Line":0}},{"line":306,"address":[],"length":0,"stats":{"Line":0}},{"line":317,"address":[],"length":0,"stats":{"Line":0}},{"line":318,"address":[],"length":0,"stats":{"Line":0}},{"line":319,"address":[],"length":0,"stats":{"Line":0}},{"line":320,"address":[],"length":0,"stats":{"Line":0}},{"line":321,"address":[],"length":0,"stats":{"Line":0}},{"line":322,"address":[],"length":0,"stats":{"Line":0}},{"line":323,"address":[],"length":0,"stats":{"Line":0}},{"line":324,"address":[],"length":0,"stats":{"Line":0}},{"line":325,"address":[],"length":0,"stats":{"Line":0}},{"line":334,"address":[],"length":0,"stats":{"Line":0}},{"line":335,"address":[],"length":0,"stats":{"Line":0}},{"line":336,"address":[],"length":0,"stats":{"Line":0}},{"line":337,"address":[],"length":0,"stats":{"Line":0}},{"line":338,"address":[],"length":0,"stats":{"Line":0}},{"line":339,"address":[],"length":0,"stats":{"Line":0}},{"line":340,"address":[],"length":0,"stats":{"Line":0}},{"line":341,"address":[],"length":0,"stats":{"Line":0}},{"line":342,"address":[],"length":0,"stats":{"Line":0}},{"line":343,"address":[],"length":0,"stats":{"Line":0}},{"line":344,"address":[],"length":0,"stats":{"Line":0}},{"line":345,"address":[],"length":0,"stats":{"Line":0}},{"line":346,"address":[],"length":0,"stats":{"Line":0}},{"line":347,"address":[],"length":0,"stats":{"Line":0}},{"line":348,"address":[],"length":0,"stats":{"Line":0}},{"line":363,"address":[],"length":0,"stats":{"Line":0}},{"line":364,"address":[],"length":0,"stats":{"Line":0}},{"line":365,"address":[],"length":0,"stats":{"Line":0}},{"line":366,"address":[],"length":0,"stats":{"Line":0}}],"covered":31,"coverable":103},{"path":["/","home","stu","dev","rust","jose","src","header","error.rs"],"content":"use alloc::string::String;\n\n/// Errors that may occur while working [`JoseHeader`](super::JoseHeader)\n#[derive(Debug, thiserror::Error)]\n#[non_exhaustive]\npub enum Error {\n    /// Found a header parameter that must be protected in the unprotected\n    /// `header` parameter\n    #[error(\"found an unprotected header parameter, that must be proctected\")]\n    ExpectedProtected,\n    /// The `protected` and (unprotected) `header` parameter share members with\n    /// the same name\n    #[error(\"the protected and unprotected header parameters share members with the same name\")]\n    NotDisjoint,\n    /// Both the `protected` and (unprotected) `header` members in a JWS or JWE\n    /// are empty.\n    #[error(\"both the protected and unprotected header parameters are empty\")]\n    NoHeader,\n    /// The `protected` or the (unprotected) `header` member is present but\n    /// contains no members (it is an empty object `{}`)\n    #[error(\"the protected or the unprotected header parameter is empty\")]\n    EmptyHeader,\n    /// Found a header parameter name that is forbidden as per [section 4.1.11\n    /// of RFC 7515]\n    ///\n    /// [section 4.1.11 of RFC 7515]: \u003chttps://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11\u003e\n    #[error(\"found a forbidden header parameter: {0}\")]\n    ForbiddenHeader(String),\n    /// A REQUIRED header is missing (e.g. the `alg` header)\n    #[error(\"a required header is missing: {0}\")]\n    MissingHeader(String),\n    /// The `crit` header is present but an empty list (`[]`)\n    #[error(\"the crit header is empty\")]\n    EmptyCriticalHeaders,\n    /// A JSON deserialization error, see [`serde_json::Error`] for details.\n    #[error(transparent)]\n    JsonError(#[from] serde_json::Error),\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","header","parameters.rs"],"content":"use alloc::{\n    borrow::Cow,\n    collections::{BTreeMap, BTreeSet},\n    string::{String, ToString},\n    vec::Vec,\n};\n\nuse mediatype::MediaTypeBuf;\nuse serde::{de::Error, Deserialize, Serialize};\nuse serde_json::Value;\n\nuse super::HeaderValue;\nuse crate::{jwk::serde_impl::Base64DerCertificate, JsonWebKey, UntypedAdditionalProperties, Uri};\n\n#[derive(Debug)]\n#[non_exhaustive]\npub(crate) struct Parameters\u003cT\u003e {\n    /// `crit` header MUST always be protected\n    pub(crate) critical_headers: Option\u003cBTreeSet\u003cString\u003e\u003e,\n    /// `jku` parameter defined in section 4.1.2 of JWS and section 4.1.4 of JWE\n    pub(crate) jwk_set_url: Option\u003cHeaderValue\u003cUri\u003e\u003e,\n    /// `jwk` parameter defined in section 4.1.3 of JWS and section 4.1.5 of JWE\n    pub(crate) json_web_key: Option\u003cHeaderValue\u003cJsonWebKey\u003cUntypedAdditionalProperties\u003e\u003e\u003e,\n    // `kid` parameter defined in section 4.1.4 of JWS and section 4.1.6 of JWE\n    pub(crate) key_id: Option\u003cHeaderValue\u003cString\u003e\u003e,\n    /// `x5u` parameter defined in section 4.1.5 of JWS and section 4.1.7 of JWE\n    // FIXME: use url type instead\n    pub(crate) x509_url: Option\u003cHeaderValue\u003cUri\u003e\u003e,\n    /// `x5c` parameter defined in section 4.1.6 of JWS and section 4.1.8 of JWE\n    pub(crate) x509_certificate_chain: Option\u003cHeaderValue\u003cVec\u003cBase64DerCertificate\u003e\u003e\u003e,\n    /// `x5t` parameter defined in section 4.1.7 of JWS and section 4.1.9 of JWE\n    pub(crate) x509_certificate_sha1_thumbprint: Option\u003cHeaderValue\u003c[u8; 20]\u003e\u003e,\n    /// `x5t#S256` parameter defined in section 4.1.8 of JWS and section 4.1.10\n    /// of JWE\n    pub(crate) x509_certificate_sha256_thumbprint: Option\u003cHeaderValue\u003c[u8; 32]\u003e\u003e,\n    /// `typ` parameter defined in section 4.1.9 of JWS and section 4.1.11 of\n    /// JWE\n    pub(crate) typ: Option\u003cHeaderValue\u003cMediaTypeWithMaybeStrippedApplicationTopLevel\u003e\u003e,\n    /// `cty` parameter defined in section 4.1.10 of JWS and section 4.1.12 of\n    /// JWE\n    pub(crate) content_type: Option\u003cHeaderValue\u003cMediaTypeWithMaybeStrippedApplicationTopLevel\u003e\u003e,\n    // additional parameters specific to JWS or JWE (e.g. `enc` in JWE)\n    pub(crate) specific: T,\n    // an untyped list of other values that are not understood by this implementation\n    pub(crate) additional: BTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e,\n}\n\n/// A wrapper type that incorporates the special handling of `application/X`\n/// media types in `typ` and `cty` header parameters as defined in [Section\n/// 4.1.9 of RFC 7515][1].\n///\n/// See [#128].\n///\n/// If the mediatype starts with `application/` and no other `/` is present,\n/// implementations should strip the `application/` to save space.\n///\n/// Since this is a serialization detail, we abstract it away, because the\n/// meaning remains the same and this way users can easily use the mediatype\n/// crate.\n///\n/// [#128]: \u003chttps://github.com/minkan-chat/jose/issues/128\u003e\n/// [1]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.9\u003e\n#[derive(Debug)]\npub(crate) struct MediaTypeWithMaybeStrippedApplicationTopLevel(pub(crate) MediaTypeBuf);\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for MediaTypeWithMaybeStrippedApplicationTopLevel {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let raw: Cow\u003c'_, str\u003e = Cow::deserialize(deserializer)?;\n        // if there is no `/` in the media type the RFC dictates to prepend\n        // `application/`\n        let corrected = if !raw.contains('/') {\n            alloc::format!(\"application/{raw}\")\n        } else {\n            raw.to_string()\n        };\n        let inner = MediaTypeBuf::from_string(corrected).map_err(D::Error::custom)?;\n        Ok(Self(inner))\n    }\n}\n\nimpl Serialize for MediaTypeWithMaybeStrippedApplicationTopLevel {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        let correct = self.0.to_string();\n        if self.0.ty() == mediatype::names::APPLICATION\n            // ensure media type contains exactly one slash (parameters included)\n            \u0026\u0026 correct.chars().filter(|c| *c == '/').count() == 1\n        {\n            let raw = correct.split_once('/').expect(\"contains one slash\").1;\n            // these should be UPPERCASE for interop with legacy implementation according to\n            // the JOSE RFCs..\n            const SHOULD_BE_UPPERCASE: [\u0026str; 2] = [\"jwt\", \"jose\"];\n            Ok(\n                if SHOULD_BE_UPPERCASE.contains(\u0026raw.to_lowercase().as_str()) {\n                    raw.to_uppercase().serialize(serializer)?\n                } else {\n                    raw.serialize(serializer)?\n                },\n            )\n        } else {\n            correct.serialize(serializer)\n        }\n    }\n}\n\n#[cfg(test)]\nmod tests {\n    use alloc::string::String;\n\n    use mediatype::{\n        names::{APPLICATION, JWT},\n        MediaType,\n    };\n    use serde::{Deserialize, Serialize};\n\n    use super::MediaTypeWithMaybeStrippedApplicationTopLevel;\n\n    #[derive(Deserialize, Serialize)]\n    struct Dummy {\n        typ: MediaTypeWithMaybeStrippedApplicationTopLevel,\n    }\n    #[test]\n    fn jwt_without_application_roundtrip() {\n        let payload = r#\"{\"typ\":\"JWT\"}\"#;\n        let a: Dummy = serde_json::from_str(payload).expect(\"valid\");\n        assert_eq!(a.typ.0, MediaType::new(APPLICATION, JWT));\n        let json: String = serde_json::to_string(\u0026a).expect(\"valid\");\n        assert_eq!(json, payload);\n    }\n}\n","traces":[{"line":67,"address":[],"length":0,"stats":{"Line":1}},{"line":71,"address":[],"length":0,"stats":{"Line":2}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":1}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":79,"address":[],"length":0,"stats":{"Line":1}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":1}},{"line":89,"address":[],"length":0,"stats":{"Line":1}},{"line":90,"address":[],"length":0,"stats":{"Line":1}},{"line":92,"address":[],"length":0,"stats":{"Line":17}},{"line":94,"address":[],"length":0,"stats":{"Line":1}},{"line":99,"address":[],"length":0,"stats":{"Line":1}},{"line":100,"address":[],"length":0,"stats":{"Line":1}},{"line":102,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}}],"covered":11,"coverable":16},{"path":["/","home","stu","dev","rust","jose","src","header","types","jwe.rs"],"content":"use crate::{\n    header::HeaderValue,\n    jwa::{JsonWebContentEncryptionAlgorithm, JsonWebEncryptionAlgorithm},\n    sealed::Sealed,\n};\n\n/// Parameters specific to Json Web Encryption\n#[derive(Debug)]\n#[non_exhaustive]\npub struct Jwe {\n    /// `alg` parameter\n    pub(crate) algorithm: HeaderValue\u003cJsonWebEncryptionAlgorithm\u003e,\n    /// `enc` parameter\n    pub(crate) content_encryption_algorithm: HeaderValue\u003cJsonWebContentEncryptionAlgorithm\u003e,\n    // FIXME: other JWE parameters (zip, epk, ...)\n}\n\nimpl Sealed for Jwe {}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","header","types","jws.rs"],"content":"use crate::{header::HeaderValue, jwa::JsonWebSigningAlgorithm, sealed::Sealed};\n\n/// Parameters specific to Json Web Signatures\n#[derive(Debug)]\n#[non_exhaustive]\npub struct Jws {\n    // `alg` parameter\n    pub(crate) algorithm: HeaderValue\u003cJsonWebSigningAlgorithm\u003e,\n    /// `b64` parameter as defined by RFC 7797. This parameter is optional and\n    /// it's default value is `true`.\n    ///\n    /// If this value is `false`, the payload of the JWS is not base64 urlsafe\n    /// encoded. This can work for simple stuff like a hex string, but will\n    /// often cause parsing errors. Use of this option makes sense if the\n    /// payload of a JWS is detached.\n    ///\n    /// Note: In a JsonWebToken, this value MUST always be true. Therefore, the\n    /// payload MUST NOT use the unencoded payload option.\n    ///\n    /// Note: This header MUST be integrity protected.\n    pub(crate) payload_base64_url_encoded: Option\u003cbool\u003e,\n}\n\nimpl Sealed for Jws {}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","header","types.rs"],"content":"mod jwe;\nmod jws;\n\nuse alloc::{\n    collections::BTreeMap,\n    string::{String, ToString},\n};\n\nuse serde_json::Value;\n\n#[doc(inline)]\npub use self::{jwe::*, jws::*};\nuse super::{builder::Specific, Error, HeaderDeserializer, HeaderValue};\nuse crate::sealed::Sealed;\n\n/// Trait used to specify where a [`JoseHeader`](super::JoseHeader) is being\n/// used. Implemented by [`Jws`] and [`Jwe`].\n///\n/// This trait is an implementation detailed and sealed. It is not relevant for\n/// developers using this crate.\npub trait Type: Sealed {\n    /// A list of parameters that are not allowed in the `crit` header.\n    ///\n    /// This list might grow or shrink. This is not considered a breaking\n    /// change.\n    fn forbidden_critical_headers() -\u003e \u0026'static [\u0026'static str];\n    /// Build the implementing type while preseving the [`HeaderDeserializer`]\n    ///\n    /// # Errors\n    ///\n    /// Should return an [`Error`] if deserialization fails or an invalid value\n    /// is detected.\n    fn from_deserializer(\n        de: HeaderDeserializer,\n    ) -\u003e Result\u003c(Self, HeaderDeserializer), (Error, HeaderDeserializer)\u003e\n    where\n        Self: Sized;\n\n    /// Implementation detail of\n    /// [`JoseHeaderBuilder`](super::JoseHeaderBuilder).\n    fn specific_default() -\u003e Specific;\n\n    /// Implementation detail of\n    /// [`JoseHeaderBuilder`](super::JoseHeaderBuilder).\n    fn into_specific(self) -\u003e Specific;\n\n    /// Convert fields into a Map that can be used for serialization\n    ///\n    /// # Errors\n    ///\n    /// May return an error if the conversion to [`Value`] fails.\n    fn into_map(self) -\u003e Result\u003cBTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e, Error\u003e;\n}\n\nimpl Type for Jws {\n    #[inline]\n    fn forbidden_critical_headers() -\u003e \u0026'static [\u0026'static str] {\n        // \u003chttps://www.rfc-editor.org/rfc/rfc7515.html#section-9.1.2\u003e\n        // FIXME: add parameters from JWA\n        \u0026[\n            \"alg\", \"jku\", \"jwk\", \"kid\", \"x5u\", \"x5c\", \"x5t\", \"x5t#S256\", \"typ\", \"cty\", \"crit\",\n        ]\n    }\n\n    fn from_deserializer(\n        mut de: HeaderDeserializer,\n    ) -\u003e Result\u003c(Self, HeaderDeserializer), (Error, HeaderDeserializer)\u003e\n    where\n        Self: Sized,\n    {\n        // \"try\" blocks hack\n        let mut t = || {\n            Ok(Self {\n                algorithm: de\n                    .deserialize_field(\"alg\")\n                    .transpose()?\n                    .ok_or(Error::MissingHeader(\"alg\".to_string()))?,\n                payload_base64_url_encoded: de\n                    .deserialize_field(\"b64\")\n                    .transpose()?\n                    // `b64` must be protected\n                    .map(|v| v.protected().ok_or(Error::ExpectedProtected))\n                    .transpose()?,\n            })\n        };\n        let s: Result\u003cJws, Error\u003e = t();\n        match s {\n            Ok(v) =\u003e Ok((v, de)),\n            Err(e) =\u003e Err((e, de)),\n        }\n    }\n\n    fn specific_default() -\u003e Specific {\n        Specific::Jws {\n            algorithm: None,\n            payload_base64_url_encoded: None,\n        }\n    }\n\n    fn into_specific(self) -\u003e Specific {\n        Specific::Jws {\n            algorithm: Some(self.algorithm),\n            payload_base64_url_encoded: self.payload_base64_url_encoded,\n        }\n    }\n\n    fn into_map(self) -\u003e Result\u003cBTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e, Error\u003e {\n        let mut map = BTreeMap::new();\n        map.insert(\n            \"alg\".to_string(),\n            self.algorithm.map(serde_json::to_value).transpose()?,\n        );\n\n        // if explictly set to true, set it even tho true is the default\n        if let Some(b64) = self.payload_base64_url_encoded {\n            map.insert(\n                \"b64\".to_string(),\n                HeaderValue::Protected(serde_json::to_value(b64)?),\n            );\n        }\n\n        Ok(map)\n    }\n}\n\nimpl Type for Jwe {\n    #[inline]\n    fn forbidden_critical_headers() -\u003e \u0026'static [\u0026'static str] {\n        // \u003chttps://www.rfc-editor.org/rfc/rfc7516.html#section-10.1.1\u003e\n        // FIXME: add parameters from JWA\n        \u0026[\n            \"alg\", \"enc\", \"zip\", \"jku\", \"jwk\", \"kid\", \"x5u\", \"x5c\", \"x5t\", \"x5t#S256\", \"typ\",\n            \"cty\", \"crit\",\n        ]\n    }\n\n    fn from_deserializer(\n        mut de: HeaderDeserializer,\n    ) -\u003e Result\u003c(Self, HeaderDeserializer), (Error, HeaderDeserializer)\u003e\n    where\n        Self: Sized,\n    {\n        // \"try\" blocks hack\n        let mut t = || {\n            Ok(Self {\n                algorithm: de\n                    .deserialize_field(\"alg\")\n                    .transpose()?\n                    .ok_or(Error::MissingHeader(\"alg\".to_string()))?,\n                content_encryption_algorithm: de\n                    .deserialize_field(\"enc\")\n                    .transpose()?\n                    .ok_or(Error::MissingHeader(\"enc\".to_string()))?,\n            })\n        };\n        let s: Result\u003cJwe, Error\u003e = t();\n        match s {\n            Ok(v) =\u003e Ok((v, de)),\n            Err(e) =\u003e Err((e, de)),\n        }\n    }\n\n    fn specific_default() -\u003e Specific {\n        Specific::Jwe {\n            algorithm: None,\n            content_encryption_algorithm: None,\n        }\n    }\n\n    fn into_specific(self) -\u003e Specific {\n        Specific::Jwe {\n            algorithm: Some(self.algorithm),\n            content_encryption_algorithm: Some(self.content_encryption_algorithm),\n        }\n    }\n\n    fn into_map(self) -\u003e Result\u003cBTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e, Error\u003e {\n        Ok([\n            (\n                \"alg\".to_string(),\n                self.algorithm.map(serde_json::to_value).transpose()?,\n            ),\n            (\n                \"enc\".to_string(),\n                self.content_encryption_algorithm\n                    .map(serde_json::to_value)\n                    .transpose()?,\n            ),\n        ]\n        .into_iter()\n        .collect())\n    }\n}\n","traces":[{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":0}},{"line":79,"address":[],"length":0,"stats":{"Line":0}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":86,"address":[],"length":0,"stats":{"Line":0}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":1}},{"line":100,"address":[],"length":0,"stats":{"Line":0}},{"line":102,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":108,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":133,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":144,"address":[],"length":0,"stats":{"Line":0}},{"line":145,"address":[],"length":0,"stats":{"Line":0}},{"line":146,"address":[],"length":0,"stats":{"Line":0}},{"line":147,"address":[],"length":0,"stats":{"Line":0}},{"line":148,"address":[],"length":0,"stats":{"Line":0}},{"line":149,"address":[],"length":0,"stats":{"Line":0}},{"line":150,"address":[],"length":0,"stats":{"Line":0}},{"line":151,"address":[],"length":0,"stats":{"Line":0}},{"line":152,"address":[],"length":0,"stats":{"Line":0}},{"line":153,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":157,"address":[],"length":0,"stats":{"Line":0}},{"line":158,"address":[],"length":0,"stats":{"Line":0}},{"line":159,"address":[],"length":0,"stats":{"Line":0}},{"line":163,"address":[],"length":0,"stats":{"Line":0}},{"line":170,"address":[],"length":0,"stats":{"Line":0}},{"line":172,"address":[],"length":0,"stats":{"Line":0}},{"line":173,"address":[],"length":0,"stats":{"Line":0}},{"line":177,"address":[],"length":0,"stats":{"Line":0}},{"line":178,"address":[],"length":0,"stats":{"Line":0}},{"line":180,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":0}},{"line":184,"address":[],"length":0,"stats":{"Line":0}},{"line":185,"address":[],"length":0,"stats":{"Line":0}},{"line":186,"address":[],"length":0,"stats":{"Line":0}},{"line":187,"address":[],"length":0,"stats":{"Line":0}},{"line":190,"address":[],"length":0,"stats":{"Line":0}},{"line":191,"address":[],"length":0,"stats":{"Line":0}}],"covered":1,"coverable":65},{"path":["/","home","stu","dev","rust","jose","src","header","value.rs"],"content":"use core::ops::Deref;\n\nuse crate::sealed::Sealed;\n\n/// Some value `T` in either the protected or unprotected header.\n#[derive(Debug, PartialEq, Eq, PartialOrd, Ord)]\npub enum HeaderValue\u003cT\u003e {\n    /// `T` is in the `protected` header parameter and integrity protected.\n    Protected(T),\n    /// `T` is in the unprotected `header` parameter and NOT integrity\n    /// protected.\n    Unprotected(T),\n}\n\nimpl\u003cT\u003e Sealed for HeaderValue\u003cT\u003e {}\n\nimpl\u003cT\u003e HeaderValue\u003cT\u003e {\n    /// Convert from `\u0026HeaderValue\u003cT\u003e` to `HeaderValue\u003c\u0026T\u003e`.\n    ///\n    /// Works like [`Option::as_ref`]\n    pub fn as_ref(\u0026self) -\u003e HeaderValue\u003c\u0026'_ T\u003e {\n        match self {\n            HeaderValue::Protected(v) =\u003e HeaderValue::Protected(v),\n            HeaderValue::Unprotected(v) =\u003e HeaderValue::Unprotected(v),\n        }\n    }\n\n    /// Converts from `\u0026HeaderValue\u003cT\u003e` to `HeaderValue\u003c\u0026T::Target\u003e`.\n    ///\n    /// Works like [`Option::as_deref`]\n    pub fn as_deref(\u0026self) -\u003e HeaderValue\u003c\u0026T::Target\u003e\n    where\n        T: Deref,\n    {\n        match self.as_ref() {\n            HeaderValue::Protected(t) =\u003e HeaderValue::Protected(t.deref()),\n            HeaderValue::Unprotected(t) =\u003e HeaderValue::Unprotected(t.deref()),\n        }\n    }\n\n    /// Maps an `HeaderValue\u003cT\u003e` to `HeaderValue\u003cU\u003e` by applying a function to a\n    /// contained value.\n    pub fn map\u003cU, F\u003e(self, f: F) -\u003e HeaderValue\u003cU\u003e\n    where\n        F: FnOnce(T) -\u003e U,\n    {\n        match self {\n            HeaderValue::Protected(t) =\u003e HeaderValue::Protected(f(t)),\n            HeaderValue::Unprotected(t) =\u003e HeaderValue::Unprotected(f(t)),\n        }\n    }\n\n    /// Returns [`Some`] if `T` is in the `protected` parameter.\n    pub fn protected(self) -\u003e Option\u003cT\u003e {\n        match self {\n            Self::Protected(p) =\u003e Some(p),\n            _ =\u003e None,\n        }\n    }\n\n    /// Returns [`Some`] if `T` is in the unprotected `header` parameter.\n    pub fn unprotected(self) -\u003e Option\u003cT\u003e {\n        match self {\n            Self::Unprotected(u) =\u003e Some(u),\n            _ =\u003e None,\n        }\n    }\n\n    /// Returns the inner type `T` discarding the information about where `T` is\n    /// stored.\n    pub fn into_inner(self) -\u003e T {\n        match self {\n            Self::Protected(t) =\u003e t,\n            Self::Unprotected(t) =\u003e t,\n        }\n    }\n}\n\nimpl\u003cT\u003e HeaderValue\u003cOption\u003cT\u003e\u003e {\n    /// Transpose a [`HeaderValue\u003cOption\u003cT\u003e\u003e`] into [`Option\u003cHeaderValue\u003cT\u003e\u003e`]\n    pub fn transpose(self) -\u003e Option\u003cHeaderValue\u003cT\u003e\u003e {\n        Some(match self {\n            HeaderValue::Protected(p) =\u003e HeaderValue::Protected(p?),\n            HeaderValue::Unprotected(u) =\u003e HeaderValue::Unprotected(u?),\n        })\n    }\n}\n\nimpl\u003cT, E\u003e HeaderValue\u003cResult\u003cT, E\u003e\u003e {\n    /// Transpose a [`HeaderValue\u003cResult\u003cT, E\u003e\u003e`] into\n    /// [`Result\u003cHeaderValue\u003c`T`\u003e, E\u003e`]\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the inner [`Result`] contains an error.\n    pub fn transpose(self) -\u003e Result\u003cHeaderValue\u003cT\u003e, E\u003e {\n        Ok(match self {\n            Self::Protected(p) =\u003e HeaderValue::Protected(p?),\n            Self::Unprotected(u) =\u003e HeaderValue::Unprotected(u?),\n        })\n    }\n}\n","traces":[{"line":21,"address":[],"length":0,"stats":{"Line":1}},{"line":22,"address":[],"length":0,"stats":{"Line":1}},{"line":23,"address":[],"length":0,"stats":{"Line":1}},{"line":24,"address":[],"length":0,"stats":{"Line":0}},{"line":31,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":37,"address":[],"length":0,"stats":{"Line":0}},{"line":43,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":54,"address":[],"length":0,"stats":{"Line":0}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":62,"address":[],"length":0,"stats":{"Line":0}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":81,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}}],"covered":3,"coverable":32},{"path":["/","home","stu","dev","rust","jose","src","header.rs"],"content":"//! [`JoseHeader`] and associated abstractions as defined in [section 4 of RFC\n//! 7515].\n//!\n//! [section 4 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4\u003e\nuse alloc::{\n    collections::{BTreeMap, BTreeSet},\n    string::{String, ToString},\n};\nuse core::{marker::PhantomData, ops::Deref};\n\nuse mediatype::MediaType;\nuse serde::Deserialize;\nuse serde_json::{Map, Value};\n\nmod builder;\nmod error;\nmod parameters;\nmod types;\nmod value;\n\nuse self::parameters::Parameters;\n#[doc(inline)]\npub use self::{\n    builder::{JoseHeaderBuilder, JoseHeaderBuilderError},\n    error::Error,\n    types::*,\n    value::*,\n};\nuse crate::{\n    format::Format,\n    jwa::{JsonWebContentEncryptionAlgorithm, JsonWebEncryptionAlgorithm, JsonWebSigningAlgorithm},\n    uri::BorrowedUri,\n    JsonWebKey, UntypedAdditionalProperties,\n};\n\n/// A [`JoseHeader`] is primarily used to specify how a JSON Web Signature or\n/// JSON Web Encryption should be processed.\n///\n/// Besides the [`algorithm`](JoseHeader::algorithm) used for the cryptographic\n/// primitives, it can also store additional metadata that should not be part of\n/// the payload.\n/// For example, the [`typ`](JoseHeader::typ) parameter may be used to specify a\n/// content type for the payload.\n///\n/// # Structure\n///\n/// A [`JoseHeader`] may be a bit different, depending where it is being used.\n/// Therefore, [`JoseHeader\u003cF, T\u003e`] has two generic types that define where and\n/// how exactly it is being used. `F` defines the [`Format`] that this\n/// [`JoseHeader`] is being used in. `T` defines whether the [`JoseHeader`] is\n/// part of a [JSON Web Signature][Jws] or [JSON Web Encryption][Jwe].\n///\n/// A [`JoseHeader`] can store parameters in two ways:\n///\n/// * [protected](HeaderValue::Protected): Parameters stored in the protected\n///   part of a [`JoseHeader`] **cannot** be modified without knowledge of the\n///   cryptographic key that was used to protect the payload.\n///\n/// * [unprotected](HeaderValue::Unprotected): Parameters stored in the\n///   unprotected part of a [`JoseHeader`] **can** be modified by anybody and\n///   *changes cannot be detected*. You therefore *MUST NOT* trust them.\n///\n/// Since most parameters are allowed in both of the two header parts, each\n/// parameter is wrapped in a [`HeaderValue\u003cT\u003e`] that specifies the part in\n/// which the paramter is stored.\n///\n/// # Parameter classes\n///\n/// [Section 4 of RFC 7515] defines three classes of header parameters:\n///\n/// * [Registered header parameters]: these parameters are registerd in the\n///   [IANA `JSON Web Signature and Encryption Header Parameters` registry].\n///   Most of them are implemented by this library and can be directly accessed\n///   via the methods on [`JoseHeader`]. If you find a registered parameter you\n///   need missing, you are welcome to open an issue or even better a pull\n///   request to support it.\n///\n/// * [Public header parameters]: these parameters are not registered but use a\n///   \"Collision-Resistant Name\" (e.g. they are prefixed by a domain you\n///   control) as defined in [section 2 of RFC 7515]. You may access them using\n///   [`JoseHeader::additional`].\n///\n/// * [Private header parameters]: these parameters are not registered either\n///   but do not use a \"Collisin-Resistant Name\" and are therefore subject to\n///   collision. You can also use them via [`JoseHeader::additional`] but their\n///   use is not recommended and if new paramters are registered that collide\n///   with a private parameter, your implementation may break.\n///\n/// # Examples\n///\n///\n/// ```\n/// use jose::{\n///     format::Compact,\n///     header::{HeaderValue, JoseHeader, Jws},\n///     jwa::Hmac,\n/// };\n///\n/// // we are going to build a `JoseHeader` for a `Compact` `Jws`\n/// let header = JoseHeader::\u003cCompact, Jws\u003e::builder()\n///     // we set the `alg` header parameter as an unprotected parameter\n///     .algorithm(HeaderValue::Unprotected(Hmac::Hs256.into()))\n///     // we set the `kid` header parameter as an protected parameter\n///     .key_identifier(Some(HeaderValue::Protected(\"key-1\".to_string())))\n///     .build()\n///     .unwrap();\n///\n/// assert_eq!(\n///     header.algorithm(),\n///     HeaderValue::Unprotected(\u0026Hmac::Hs256.into())\n/// );\n/// assert_eq!(\n///     header.key_identifier(),\n///     Some(HeaderValue::Protected(\"key-1\"))\n/// );\n/// ```\n///\n/// [section 2 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-2\u003e\n/// [Section 4 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4\u003e\n/// [IANA `JSON Web Signature and Encryption Header Parameters` registry]: \u003chttps://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-header-parameters\u003e\n/// [Registered header parameters]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1\u003e\n/// [Public header parameters]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.2\u003e\n/// [Private header parameters]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.3\u003e\n#[derive(Debug)]\npub struct JoseHeader\u003cF, T\u003e {\n    parameters: Parameters\u003cT\u003e,\n    // marker for the format (compact, json general, json flattened)\n    _format: PhantomData\u003cF\u003e,\n}\n\nimpl\u003cF\u003e JoseHeader\u003cF, Jws\u003e\nwhere\n    F: Format,\n{\n    /// Method to override the alg and kid fields.\n    /// Only intended for internal usage.\n    pub(crate) fn overwrite_alg_and_key_id(\n        \u0026mut self,\n        alg: JsonWebSigningAlgorithm,\n        kid: Option\u003c\u0026str\u003e,\n    ) {\n        let is_protected = matches!(self.algorithm(), HeaderValue::Protected(_));\n\n        let alg = if is_protected {\n            HeaderValue::Protected(alg)\n        } else {\n            HeaderValue::Unprotected(alg)\n        };\n\n        let kid = kid.map(|s| {\n            let kid = s.to_string();\n            if is_protected {\n                HeaderValue::Protected(kid)\n            } else {\n                HeaderValue::Unprotected(kid)\n            }\n        });\n\n        self.parameters.key_id = kid;\n        self.parameters.specific.algorithm = alg;\n    }\n}\n\nimpl\u003cF, T\u003e JoseHeader\u003cF, T\u003e\nwhere\n    F: Format,\n    T: Type,\n{\n    /// Build a new [`JoseHeader`].\n    pub fn builder() -\u003e JoseHeaderBuilder\u003cF, T\u003e {\n        JoseHeaderBuilder::default()\n    }\n\n    /// Modify this [`JoseHeader`] by turning it back into a\n    /// [`JoseHeaderBuilder`].\n    pub fn into_builder(self) -\u003e JoseHeaderBuilder\u003cF, T\u003e {\n        JoseHeaderBuilder::from_header(self)\n    }\n\n    /// Returns a url containing a link to a JSON Web Key Set as defined in\n    /// [section 5 of RFC 7517].\n    ///\n    /// This parameter is serialized as `jku` and defined in [section 4.1.2 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.2 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.2\u003e\n    /// [section 5 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-5\u003e\n    // FIXME: use url type instead\n    pub fn jwk_set_url(\u0026self) -\u003e Option\u003cHeaderValue\u003cBorrowedUri\u003c'_\u003e\u003e\u003e {\n        self.parameters\n            .jwk_set_url\n            .as_ref()\n            .map(|x| x.as_ref().map(|x| x.borrow()))\n    }\n\n    /// Depending where this [`JoseHeader`] is being used, in JWE it contains\n    /// the recipient's public key and in JWS it contains the signer's public\n    /// key.\n    ///\n    /// This parameter is serialized as `jwk` and defined in [section 4.1.3 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.3 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.3\u003e\n    pub fn json_web_key(\u0026self) -\u003e Option\u003cHeaderValue\u003c\u0026JsonWebKey\u003cUntypedAdditionalProperties\u003e\u003e\u003e {\n        self.parameters\n            .json_web_key\n            .as_ref()\n            .map(HeaderValue::as_ref)\n    }\n\n    /// The identifier of the key used in this JWE or JWS used to give a hint to\n    /// recipient.\n    ///\n    /// It is a case-sensitive string. When used together with a [`JsonWebKey`]\n    /// via the [`jwk`](Self::json_web_key) parameter, it is used to match the\n    /// [Key ID](JsonWebKey::key_id) of the [`JsonWebKey`].\n    ///\n    /// This parameter is serialized as `jwk` and defined in [section 4.1.4 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.4 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4\u003e\n    pub fn key_identifier(\u0026self) -\u003e Option\u003cHeaderValue\u003c\u0026str\u003e\u003e {\n        self.parameters.key_id.as_ref().map(HeaderValue::as_deref)\n    }\n\n    /// The X.509 URL parameter is an URI (as defined in [RFC 3986]) that refers\n    /// to a resource for the X.509 public key certificate or certificate chain\n    /// (as defined in [RFC 5280]) of the public key used in this JWE or JWS.\n    ///\n    /// This parameter is serialized as `x5u` and defined in [section 4.1.5 of\n    /// RFC 7515].\n    ///\n    /// [RFC 3986]: \u003chttps://datatracker.ietf.org/doc/html/rfc3986\u003e\n    /// [RFC 5280]: \u003chttps://datatracker.ietf.org/doc/html/rfc5280\u003e\n    /// [section 4.1.5 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.5\u003e\n    pub fn x509_url(\u0026self) -\u003e Option\u003cHeaderValue\u003cBorrowedUri\u003c'_\u003e\u003e\u003e {\n        self.parameters\n            .x509_url\n            .as_ref()\n            .map(|x| x.as_ref().map(|x| x.borrow()))\n    }\n\n    /// An [`Iterator`] over a X.509 certificate chain that certify the public\n    /// key used in this JWE or JWS.\n    ///\n    /// The first certificate in the [`Iterator`] returned by this method is the\n    /// PKIX certificate containing the key value as required by the RFC.\n    ///\n    /// Each [`Item`](Iterator::Item) will be the byte representation of a\n    /// DER-encoded X.509 certificate. This parameter works the same as\n    /// [`JsonWebKey::x509_certificate_chain`].\n    ///\n    /// This parameter is serialized as `x5u` and defined in [section 4.1.6 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.6 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.6\u003e\n    pub fn x509_certificate_chain(\u0026self) -\u003e Option\u003cHeaderValue\u003cimpl Iterator\u003cItem = \u0026[u8]\u003e\u003e\u003e {\n        self.parameters\n            .x509_certificate_chain\n            .as_ref()\n            .map(HeaderValue::as_deref)\n            .map(|value| value.map(|certs| certs.iter().map(Deref::deref)))\n    }\n\n    /// This parameter is the SHA-1 hash of the DER-encoded X.509 certificate\n    /// (X.509 Certificate SHA-1 Thumbprint).\n    ///\n    /// # Warning: Cryptographically broken!\n    ///\n    /// TL;DR: check if you can use the [SHA-256\n    /// thumbprint](Self::x509_certificate_sha256_thumbprint) instead.\n    ///\n    /// The following text is taken from the `sha1` crate: \\\n    /// The SHA-1 hash function should be considered cryptographically broken\n    /// and unsuitable for further use in any security critical capacity, as it\n    /// is [practically vulnerable to chosen-prefix collisions](https://sha-mbles.github.io/).\n    ///\n    /// This parameter is serialized as `x5t` and defined in [section 4.1.7 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.7 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.7\u003e\n    // replace the hardcoded output size with the Sha1::OutputsizeUser value then\n    // they use const generics\n    pub fn x509_certificate_sha1_thumbprint(\u0026self) -\u003e Option\u003cHeaderValue\u003c\u0026[u8; 20]\u003e\u003e {\n        self.parameters\n            .x509_certificate_sha1_thumbprint\n            .as_ref()\n            .map(HeaderValue::as_ref)\n    }\n\n    /// This parameter is the SHA-256 hash of the DER-encoded X.509 certificate\n    /// (X.509 Certificate SHA-256 Thumbprint).\n    ///\n    /// This parameter is serialized as `x5t#S256` and defined in [section 4.1.8\n    /// of RFC 7515].\n    ///\n    /// [section 4.1.8 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.8\u003e\n    pub fn x509_certificate_sha256_thumbprint(\u0026self) -\u003e Option\u003cHeaderValue\u003c\u0026[u8; 32]\u003e\u003e {\n        self.parameters\n            .x509_certificate_sha256_thumbprint\n            .as_ref()\n            .map(HeaderValue::as_ref)\n    }\n\n    /// The Type parameter is used to declare the [media type] of this\n    /// complete JWE or JWS.\n    ///\n    /// This parameter is serialized as `typ` and defined in [section 4.1.9 of\n    /// RFC 7515].\n    ///\n    /// # Note\n    ///\n    /// Media types that start with [`application`]`/` (top-level type) and\n    /// do not contain any other `/` are shortend to just the subtype according\n    /// to [section 4.1.9 of RFC 7515]. Therefore, for example,\n    /// `application/jwt` would become just `jwt`. However, since the RFC\n    /// recommends that the mediatype `jwt` and `jose` should be uppercase for\n    /// interop with legacy implementations, it would actually become `JWT`.\n    ///\n    ///\n    /// # Example\n    ///\n    /// When a [`JoseHeader`] is being used with a JSON Web Token and this\n    /// parameter is set, it is recommended that this type will be\n    /// [`application`]`/`[`jwt`] as defined in [section 5.1 of RFC 7519].\n    /// In the serialized form, `typ` will be `JWT`.\n    ///\n    /// [media type]: \u003chttps://www.iana.org/assignments/media-types\u003e\n    /// [section 4.1.9 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.9\u003e\n    /// [`application`]: \u003cmediatype::names::APPLICATION\u003e\n    /// [`jwt`]: \u003cmediatype::names::JWT\u003e\n    /// [section 5.1 of RFC 7519]: \u003chttps://datatracker.ietf.org/doc/html/rfc7519#section-5.1\u003e\n    pub fn typ(\u0026self) -\u003e Option\u003cHeaderValue\u003cMediaType\u003c'_\u003e\u003e\u003e {\n        self.parameters\n            .typ\n            .as_ref()\n            .map(|value| value.as_ref().map(|v| v.0.to_ref()))\n    }\n\n    /// The Content Type parameter is used to declare the [media type] of the\n    /// payload of a JWE or JWS.\n    ///\n    /// This parameter is serialized as `cty` and defined in [section 4.1.10 of\n    /// RFC 7515].\n    ///\n    /// # Example\n    ///\n    /// When a [`JoseHeader`] is being used with a JSON Web Token and nested\n    /// encryption or signing is employed, this parameter must be present and be\n    /// set to [`application`]`/`[`jwt`] as defined by [section 5.2 of RFC\n    /// 7519].\n    ///\n    /// [media type]: \u003chttps://www.iana.org/assignments/media-types\u003e\n    /// [section 4.1.10 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.10\u003e\n    /// [`application`]: \u003cmediatype::names::APPLICATION\u003e\n    /// [`jwt`]: \u003cmediatype::names::JWT\u003e\n    /// [section 5.2 of RFC 7519]: \u003chttps://datatracker.ietf.org/doc/html/rfc7519#section-5.2\u003e\n    pub fn content_type(\u0026self) -\u003e Option\u003cHeaderValue\u003cMediaType\u003c'_\u003e\u003e\u003e {\n        self.parameters\n            .content_type\n            .as_ref()\n            .map(|value| value.as_ref().map(|v| v.0.to_ref()))\n    }\n\n    /// Get additional parameters by their serialized parameter name.\n    ///\n    /// Note: Parameters that are understood by this implementation (receivable\n    /// via the method on [`JoseHeader`]) will return [`None`]. Use the\n    /// appropriate method instead.\n    pub fn additional(\u0026self, parameter_name: impl AsRef\u003cstr\u003e) -\u003e Option\u003cHeaderValue\u003c\u0026Value\u003e\u003e {\n        self.parameters\n            .additional\n            .get(parameter_name.as_ref())\n            .map(|v| v.as_ref())\n    }\n\n    /// The Critical Header parameter is used to declare headers that must be\n    /// understood by an implementation.\n    ///\n    /// It is an [`Iterator`] over the parameter names of critical headers in\n    /// this [`JoseHeader`]. If there are no headers marked as critical, this\n    /// [`Iterator`] will be empty.\n    ///\n    /// This parameter is serialized as `crit` and defined in [section 4.1.11 of\n    /// RFC 7515].\n    ///\n    /// Note: Header names listed in this parameter have to be present and the\n    /// [`JoseHeader`] is considered invalid otherwise.\n    ///\n    /// Note: This header parameter is always integrity protected.\n    ///\n    /// [section 4.1.11 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.11\u003e\n    pub fn critical_headers(\u0026self) -\u003e impl Iterator\u003cItem = \u0026'_ str\u003e {\n        self.parameters\n            .critical_headers\n            .iter()\n            .flatten()\n            .map(Deref::deref)\n    }\n}\n\nimpl\u003cF\u003e JoseHeader\u003cF, Jws\u003e\nwhere\n    F: Format,\n{\n    /// The [signing algorithm](JsonWebSigningAlgorithm) used to create the\n    /// signature for the JWS this [`JoseHeader`] is contained in.\n    ///\n    /// This parameter is serialized as `alg` and defined in [section 4.1.1 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.1 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.1\u003e\n    pub fn algorithm(\u0026self) -\u003e HeaderValue\u003c\u0026JsonWebSigningAlgorithm\u003e {\n        self.parameters.specific.algorithm.as_ref()\n    }\n\n    /// Whether the payload is being base64url encoded or not.\n    ///\n    /// This parameter is serialized as `b64` and defined in [section 3 of RFC\n    /// 7797].\n    ///\n    /// Note: This header parameter is always integrity protected.\n    ///\n    /// Note: This header parameter is OPTIONAL and has a default value of\n    /// `true`.\n    ///\n    /// [section 3 of RFC 7797]: \u003chttps://datatracker.ietf.org/doc/html/rfc7797#section-3\u003e\n    pub fn payload_base64_url_encoded(\u0026self) -\u003e bool {\n        self.parameters\n            .specific\n            .payload_base64_url_encoded\n            .unwrap_or(true)\n    }\n}\n\nimpl\u003cF\u003e JoseHeader\u003cF, Jwe\u003e\nwhere\n    F: Format,\n{\n    /// The [encryption algorithm][JsonWebEncryptionAlgorithm] used to\n    /// encryption the content encryption key (CEK).\n    ///\n    /// This parameter is serialized as `alg` and defined in [section 4.1.1 of\n    /// RFC 7516].\n    ///\n    /// [section 4.1.1 of RFC 7516]: \u003chttps://datatracker.ietf.org/doc/html/rfc7516/#section-4.1.1\u003e\n    pub fn algorithm(\u0026self) -\u003e HeaderValue\u003c\u0026JsonWebEncryptionAlgorithm\u003e {\n        self.parameters.specific.algorithm.as_ref()\n    }\n\n    /// The [encryption algorithm](JsonWebContentEncryptionAlgorithm) used to\n    /// encryption the payload of a JWE.\n    ///\n    /// This parameter is serialized as `enc` and defined in [section 4.1.2 of\n    /// RFC 7516].\n    ///\n    /// [section 4.1.2 of RFC 7516]: \u003chttps://datatracker.ietf.org/doc/html/rfc7516/#section-4.1.2\u003e\n    pub fn content_encryption_algorithm(\u0026self) -\u003e HeaderValue\u003c\u0026JsonWebContentEncryptionAlgorithm\u003e {\n        self.parameters\n            .specific\n            .content_encryption_algorithm\n            .as_ref()\n    }\n}\n\nimpl\u003cF, T\u003e JoseHeader\u003cF, T\u003e\nwhere\n    F: Format,\n    T: Type,\n{\n    /// Build a JoseHeader from its `header` and `protected` part.\n    ///\n    /// Note: The `protected` part must already be base64 decoded.\n    pub(crate) fn from_values(\n        protected: Option\u003cMap\u003cString, Value\u003e\u003e,\n        unprotected: Option\u003cMap\u003cString, Value\u003e\u003e,\n    ) -\u003e Result\u003cSelf, Error\u003e {\n        let de = HeaderDeserializer::from_values(protected, unprotected)?;\n        let (specific, mut de) = T::from_deserializer(de).map_err(|(e, _)| e)?;\n        Ok(Self {\n            parameters: Parameters {\n                critical_headers: de\n                    .deserialize_field(\"crit\")\n                    .transpose()?\n                    .map(|v| v.protected().ok_or(Error::ExpectedProtected))\n                    .transpose()?\n                    .map(|v: BTreeSet\u003c_\u003e| {\n                        // RFC 7515\n                        // `crit` must not be an empty list,\n                        // must not contain header names specified by the specification\n                        // FIXME: consider forbidden headers that are `Format` specific.\n                        if v.is_empty() {\n                            return Err(Error::EmptyCriticalHeaders);\n                        }\n                        for forbidden in T::forbidden_critical_headers() {\n                            if v.contains(*forbidden) {\n                                return Err(Error::ForbiddenHeader(forbidden.to_string()));\n                            }\n                        }\n                        Ok(v)\n                    })\n                    .transpose()?,\n                jwk_set_url: de.deserialize_field(\"jku\").transpose()?,\n                json_web_key: de.deserialize_field(\"jwk\").transpose()?,\n                key_id: de.deserialize_field(\"kid\").transpose()?,\n                x509_url: de.deserialize_field(\"x5u\").transpose()?,\n                x509_certificate_chain: de.deserialize_field(\"x5c\").transpose()?,\n                x509_certificate_sha1_thumbprint: de.deserialize_field(\"x5t\").transpose()?,\n                x509_certificate_sha256_thumbprint: de.deserialize_field(\"x5t#S256\").transpose()?,\n                typ: de.deserialize_field(\"typ\").transpose()?,\n                content_type: de.deserialize_field(\"cty\").transpose()?,\n                specific,\n                additional: de.additional(),\n            },\n            _format: PhantomData,\n        })\n    }\n\n    /// Returns `Result\u003c(Option\u003cProtected\u003e, Option\u003cUnprotected\u003e), Error\u003e`\n    #[allow(clippy::type_complexity)]\n    pub(crate) fn into_values(\n        self,\n    ) -\u003e Result\u003c(Option\u003cMap\u003cString, Value\u003e\u003e, Option\u003cMap\u003cString, Value\u003e\u003e), Error\u003e {\n        let parameters = self.parameters;\n\n        // use the existing Map with additional parameters. Parameters that collide with\n        // names understood by this library are replaced.\n        let mut collected_parameters = parameters.additional;\n\n        // insert crit header only if it is some and non empty as per RFC\n        if let Some(crit) = parameters.critical_headers {\n            if !crit.is_empty() {\n                collected_parameters.insert(\n                    \"crit\".to_string(),\n                    HeaderValue::Protected(serde_json::to_value(crit)?),\n                );\n            }\n        } else {\n            collected_parameters.remove(\"crit\");\n        }\n\n        // FIXME: optimize this code in a way that there are not this many inserts\n        macro_rules! insert {\n            ($($name:literal: $value:expr),+,) =\u003e {\n                $(if let Some(value) = $value {\n                    collected_parameters.insert(\n                        $name.to_string(),\n                        value.map(serde_json::to_value).transpose()?,\n                    );\n                } else {\n                    collected_parameters.remove($name);\n                })+\n            };\n        }\n        insert! {\n            \"jku\": parameters.jwk_set_url,\n            \"jwk\": parameters.json_web_key,\n            \"kid\": parameters.key_id,\n            \"x5u\": parameters.x509_url,\n            \"x5c\": parameters.x509_certificate_chain,\n            \"x5t\": parameters.x509_certificate_sha1_thumbprint,\n            \"x5t#S256\": parameters.x509_certificate_sha256_thumbprint,\n            \"typ\": parameters.typ,\n            \"cty\": parameters.content_type,\n        }\n\n        let mut protected = Map::new();\n        let mut unprotected = Map::new();\n        for (key, value) in collected_parameters\n            .into_iter()\n            .chain(parameters.specific.into_map()?)\n        {\n            match value {\n                HeaderValue::Protected(value) =\u003e protected.insert(key, value),\n                HeaderValue::Unprotected(value) =\u003e unprotected.insert(key, value),\n            };\n        }\n\n        let protected = match protected.is_empty() {\n            true =\u003e None,\n            false =\u003e Some(protected),\n        };\n\n        let unprotected = match unprotected.is_empty() {\n            true =\u003e None,\n            false =\u003e Some(unprotected),\n        };\n\n        Ok((protected, unprotected))\n    }\n}\n\n/// An implementation detail for [`JoseHeader`]\n#[derive(Debug)]\npub struct HeaderDeserializer {\n    protected: Map\u003cString, Value\u003e,\n    unprotected: Map\u003cString, Value\u003e,\n}\n\nimpl HeaderDeserializer {\n    /// Prepare the deserialize for deserialization and run a few checks\n    fn from_values(\n        protected: Option\u003cMap\u003cString, Value\u003e\u003e,\n        unprotected: Option\u003cMap\u003cString, Value\u003e\u003e,\n    ) -\u003e Result\u003cSelf, Error\u003e {\n        // ensure that if the header is present, it actually contains some members as\n        // per section 7.2.1 of RFC 7515\n        if let Some(ref p) = protected {\n            if p.is_empty() {\n                return Err(Error::EmptyHeader);\n            }\n        }\n        if let Some(ref u) = unprotected {\n            if u.is_empty() {\n                return Err(Error::EmptyHeader);\n            }\n        }\n\n        let (protected, unprotected) = match (protected, unprotected) {\n            (Some(protected), Some(unprotected)) =\u003e (protected, unprotected),\n            (Some(protected), None) =\u003e (protected, Map::new()),\n            (None, Some(unprotected)) =\u003e (Map::new(), unprotected),\n            (None, None) =\u003e return Err(Error::NoHeader),\n        };\n\n        let protected_keys: BTreeSet\u003c\u0026str\u003e = protected.keys().map(Deref::deref).collect();\n        let unprotected_keys: BTreeSet\u003c\u0026str\u003e = unprotected.keys().map(Deref::deref).collect();\n\n        // the members of `protected` and `header` must be disjoint, because otherwise\n        // an implementation must decide which header type takes priority\n        if !protected_keys.is_disjoint(\u0026unprotected_keys) {\n            return Err(Error::NotDisjoint);\n        }\n\n        Ok(Self {\n            protected,\n            unprotected,\n        })\n    }\n\n    fn deserialize_field\u003c'a, 'de, V\u003e(\n        \u0026'a mut self,\n        field: \u0026'a str,\n    ) -\u003e Option\u003cResult\u003cHeaderValue\u003cV\u003e, serde_json::Error\u003e\u003e\n    where\n        V: Deserialize\u003c'de\u003e,\n        'a: 'de,\n    {\n        // Security\n        //\n        // This method first looks at the `protected` header and if the requested field\n        // isn't in there, it looks in the `header` parameter (which is not integrity\n        // protected). A `HeaderDeserializer` should always ensure that the inner JSON\n        // Objects don't share the same parameters but even if they do, an attacker\n        // cannot overwrite protected headers via the unprotected header, because the\n        // protected header is searched first.\n\n        if let Some(p) = self.protected.remove(field) {\n            debug_assert_eq!(self.unprotected.remove(field), None);\n            return Some(V::deserialize(p).map(|v| HeaderValue::Protected(v)));\n        }\n\n        if let Some(u) = self.unprotected.remove(field) {\n            debug_assert_eq!(self.protected.remove(field), None);\n            return Some(V::deserialize(u).map(|v| HeaderValue::Unprotected(v)));\n        }\n\n        None\n    }\n\n    fn additional(self) -\u003e BTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e {\n        self.protected\n            .into_iter()\n            .map(|(field, value)| (field, HeaderValue::Protected(value)))\n            .chain(\n                self.unprotected\n                    .into_iter()\n                    .map(|(field, value)| (field, HeaderValue::Unprotected(value))),\n            )\n            .collect()\n    }\n}\n","traces":[{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":142,"address":[],"length":0,"stats":{"Line":0}},{"line":144,"address":[],"length":0,"stats":{"Line":0}},{"line":145,"address":[],"length":0,"stats":{"Line":0}},{"line":147,"address":[],"length":0,"stats":{"Line":0}},{"line":150,"address":[],"length":0,"stats":{"Line":0}},{"line":151,"address":[],"length":0,"stats":{"Line":0}},{"line":152,"address":[],"length":0,"stats":{"Line":0}},{"line":153,"address":[],"length":0,"stats":{"Line":0}},{"line":155,"address":[],"length":0,"stats":{"Line":0}},{"line":159,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":0}},{"line":170,"address":[],"length":0,"stats":{"Line":1}},{"line":171,"address":[],"length":0,"stats":{"Line":1}},{"line":176,"address":[],"length":0,"stats":{"Line":0}},{"line":177,"address":[],"length":0,"stats":{"Line":0}},{"line":189,"address":[],"length":0,"stats":{"Line":0}},{"line":190,"address":[],"length":0,"stats":{"Line":0}},{"line":191,"address":[],"length":0,"stats":{"Line":0}},{"line":193,"address":[],"length":0,"stats":{"Line":0}},{"line":204,"address":[],"length":0,"stats":{"Line":0}},{"line":205,"address":[],"length":0,"stats":{"Line":0}},{"line":206,"address":[],"length":0,"stats":{"Line":0}},{"line":208,"address":[],"length":0,"stats":{"Line":0}},{"line":222,"address":[],"length":0,"stats":{"Line":0}},{"line":223,"address":[],"length":0,"stats":{"Line":0}},{"line":236,"address":[],"length":0,"stats":{"Line":0}},{"line":237,"address":[],"length":0,"stats":{"Line":0}},{"line":238,"address":[],"length":0,"stats":{"Line":0}},{"line":240,"address":[],"length":0,"stats":{"Line":0}},{"line":257,"address":[],"length":0,"stats":{"Line":0}},{"line":258,"address":[],"length":0,"stats":{"Line":0}},{"line":259,"address":[],"length":0,"stats":{"Line":0}},{"line":261,"address":[],"length":0,"stats":{"Line":0}},{"line":262,"address":[],"length":0,"stats":{"Line":0}},{"line":284,"address":[],"length":0,"stats":{"Line":0}},{"line":285,"address":[],"length":0,"stats":{"Line":0}},{"line":286,"address":[],"length":0,"stats":{"Line":0}},{"line":288,"address":[],"length":0,"stats":{"Line":0}},{"line":298,"address":[],"length":0,"stats":{"Line":0}},{"line":299,"address":[],"length":0,"stats":{"Line":0}},{"line":300,"address":[],"length":0,"stats":{"Line":0}},{"line":302,"address":[],"length":0,"stats":{"Line":0}},{"line":333,"address":[],"length":0,"stats":{"Line":0}},{"line":334,"address":[],"length":0,"stats":{"Line":0}},{"line":335,"address":[],"length":0,"stats":{"Line":0}},{"line":337,"address":[],"length":0,"stats":{"Line":0}},{"line":358,"address":[],"length":0,"stats":{"Line":0}},{"line":359,"address":[],"length":0,"stats":{"Line":0}},{"line":360,"address":[],"length":0,"stats":{"Line":0}},{"line":362,"address":[],"length":0,"stats":{"Line":0}},{"line":370,"address":[],"length":0,"stats":{"Line":0}},{"line":371,"address":[],"length":0,"stats":{"Line":0}},{"line":372,"address":[],"length":0,"stats":{"Line":0}},{"line":373,"address":[],"length":0,"stats":{"Line":0}},{"line":374,"address":[],"length":0,"stats":{"Line":0}},{"line":393,"address":[],"length":0,"stats":{"Line":0}},{"line":394,"address":[],"length":0,"stats":{"Line":0}},{"line":395,"address":[],"length":0,"stats":{"Line":0}},{"line":398,"address":[],"length":0,"stats":{"Line":0}},{"line":413,"address":[],"length":0,"stats":{"Line":1}},{"line":414,"address":[],"length":0,"stats":{"Line":1}},{"line":428,"address":[],"length":0,"stats":{"Line":0}},{"line":429,"address":[],"length":0,"stats":{"Line":0}},{"line":430,"address":[],"length":0,"stats":{"Line":0}},{"line":431,"address":[],"length":0,"stats":{"Line":0}},{"line":447,"address":[],"length":0,"stats":{"Line":0}},{"line":448,"address":[],"length":0,"stats":{"Line":0}},{"line":458,"address":[],"length":0,"stats":{"Line":0}},{"line":459,"address":[],"length":0,"stats":{"Line":0}},{"line":460,"address":[],"length":0,"stats":{"Line":0}},{"line":461,"address":[],"length":0,"stats":{"Line":0}},{"line":474,"address":[],"length":0,"stats":{"Line":0}},{"line":478,"address":[],"length":0,"stats":{"Line":0}},{"line":479,"address":[],"length":0,"stats":{"Line":0}},{"line":480,"address":[],"length":0,"stats":{"Line":0}},{"line":481,"address":[],"length":0,"stats":{"Line":0}},{"line":482,"address":[],"length":0,"stats":{"Line":0}},{"line":483,"address":[],"length":0,"stats":{"Line":0}},{"line":484,"address":[],"length":0,"stats":{"Line":0}},{"line":485,"address":[],"length":0,"stats":{"Line":0}},{"line":486,"address":[],"length":0,"stats":{"Line":0}},{"line":487,"address":[],"length":0,"stats":{"Line":0}},{"line":492,"address":[],"length":0,"stats":{"Line":0}},{"line":493,"address":[],"length":0,"stats":{"Line":0}},{"line":495,"address":[],"length":0,"stats":{"Line":0}},{"line":496,"address":[],"length":0,"stats":{"Line":0}},{"line":497,"address":[],"length":0,"stats":{"Line":0}},{"line":500,"address":[],"length":0,"stats":{"Line":0}},{"line":502,"address":[],"length":0,"stats":{"Line":0}},{"line":503,"address":[],"length":0,"stats":{"Line":0}},{"line":504,"address":[],"length":0,"stats":{"Line":0}},{"line":505,"address":[],"length":0,"stats":{"Line":0}},{"line":506,"address":[],"length":0,"stats":{"Line":0}},{"line":507,"address":[],"length":0,"stats":{"Line":0}},{"line":508,"address":[],"length":0,"stats":{"Line":0}},{"line":509,"address":[],"length":0,"stats":{"Line":0}},{"line":510,"address":[],"length":0,"stats":{"Line":0}},{"line":511,"address":[],"length":0,"stats":{"Line":0}},{"line":512,"address":[],"length":0,"stats":{"Line":0}},{"line":513,"address":[],"length":0,"stats":{"Line":0}},{"line":515,"address":[],"length":0,"stats":{"Line":0}},{"line":521,"address":[],"length":0,"stats":{"Line":0}},{"line":524,"address":[],"length":0,"stats":{"Line":0}},{"line":528,"address":[],"length":0,"stats":{"Line":0}},{"line":531,"address":[],"length":0,"stats":{"Line":0}},{"line":532,"address":[],"length":0,"stats":{"Line":0}},{"line":533,"address":[],"length":0,"stats":{"Line":0}},{"line":534,"address":[],"length":0,"stats":{"Line":0}},{"line":535,"address":[],"length":0,"stats":{"Line":0}},{"line":539,"address":[],"length":0,"stats":{"Line":0}},{"line":543,"address":[],"length":0,"stats":{"Line":0}},{"line":544,"address":[],"length":0,"stats":{"Line":0}},{"line":545,"address":[],"length":0,"stats":{"Line":0}},{"line":546,"address":[],"length":0,"stats":{"Line":0}},{"line":547,"address":[],"length":0,"stats":{"Line":0}},{"line":548,"address":[],"length":0,"stats":{"Line":0}},{"line":551,"address":[],"length":0,"stats":{"Line":0}},{"line":552,"address":[],"length":0,"stats":{"Line":0}},{"line":555,"address":[],"length":0,"stats":{"Line":0}},{"line":556,"address":[],"length":0,"stats":{"Line":0}},{"line":557,"address":[],"length":0,"stats":{"Line":0}},{"line":558,"address":[],"length":0,"stats":{"Line":0}},{"line":559,"address":[],"length":0,"stats":{"Line":0}},{"line":560,"address":[],"length":0,"stats":{"Line":0}},{"line":561,"address":[],"length":0,"stats":{"Line":0}},{"line":562,"address":[],"length":0,"stats":{"Line":0}},{"line":563,"address":[],"length":0,"stats":{"Line":0}},{"line":564,"address":[],"length":0,"stats":{"Line":0}},{"line":567,"address":[],"length":0,"stats":{"Line":0}},{"line":568,"address":[],"length":0,"stats":{"Line":0}},{"line":569,"address":[],"length":0,"stats":{"Line":0}},{"line":570,"address":[],"length":0,"stats":{"Line":0}},{"line":571,"address":[],"length":0,"stats":{"Line":0}},{"line":573,"address":[],"length":0,"stats":{"Line":0}},{"line":574,"address":[],"length":0,"stats":{"Line":0}},{"line":575,"address":[],"length":0,"stats":{"Line":0}},{"line":579,"address":[],"length":0,"stats":{"Line":0}},{"line":580,"address":[],"length":0,"stats":{"Line":0}},{"line":581,"address":[],"length":0,"stats":{"Line":0}},{"line":584,"address":[],"length":0,"stats":{"Line":0}},{"line":585,"address":[],"length":0,"stats":{"Line":0}},{"line":586,"address":[],"length":0,"stats":{"Line":0}},{"line":589,"address":[],"length":0,"stats":{"Line":0}},{"line":602,"address":[],"length":0,"stats":{"Line":0}},{"line":608,"address":[],"length":0,"stats":{"Line":0}},{"line":610,"address":[],"length":0,"stats":{"Line":0}},{"line":613,"address":[],"length":0,"stats":{"Line":0}},{"line":615,"address":[],"length":0,"stats":{"Line":0}},{"line":619,"address":[],"length":0,"stats":{"Line":0}},{"line":620,"address":[],"length":0,"stats":{"Line":0}},{"line":621,"address":[],"length":0,"stats":{"Line":0}},{"line":622,"address":[],"length":0,"stats":{"Line":0}},{"line":623,"address":[],"length":0,"stats":{"Line":0}},{"line":632,"address":[],"length":0,"stats":{"Line":0}},{"line":635,"address":[],"length":0,"stats":{"Line":0}},{"line":636,"address":[],"length":0,"stats":{"Line":0}},{"line":637,"address":[],"length":0,"stats":{"Line":0}},{"line":641,"address":[],"length":0,"stats":{"Line":0}},{"line":658,"address":[],"length":0,"stats":{"Line":0}},{"line":659,"address":[],"length":0,"stats":{"Line":0}},{"line":660,"address":[],"length":0,"stats":{"Line":0}},{"line":663,"address":[],"length":0,"stats":{"Line":0}},{"line":664,"address":[],"length":0,"stats":{"Line":0}},{"line":665,"address":[],"length":0,"stats":{"Line":0}},{"line":668,"address":[],"length":0,"stats":{"Line":0}},{"line":671,"address":[],"length":0,"stats":{"Line":0}},{"line":672,"address":[],"length":0,"stats":{"Line":0}},{"line":674,"address":[],"length":0,"stats":{"Line":0}},{"line":676,"address":[],"length":0,"stats":{"Line":0}},{"line":677,"address":[],"length":0,"stats":{"Line":0}},{"line":678,"address":[],"length":0,"stats":{"Line":0}}],"covered":4,"coverable":172},{"path":["/","home","stu","dev","rust","jose","src","jwa","aes_cbc_hs.rs"],"content":"/// Authenticated encryption algorithms built using a composition of AES in\n/// Cipher Block Chaining (CBC) mode and HMAC as defined in [section 5.2 of RFC\n/// 7518]\n///\n/// [section 5.2 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5.2\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Hash)]\npub enum AesCbcHs {\n    /// AES_128_CBC_HMAC_SHA_256 authenticated encryption as defined in [section\n    /// 5.2.3]\n    ///\n    /// [section 5.2.3]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5.2.3\u003e\n    Aes128CbcHs256,\n    /// AES_192_CBC_HMAC_SHA_384 authenticated encryption algorithm as defined\n    /// in [section 5.2.4]\n    ///\n    /// [section 5.2.4]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5.2.4\u003e\n    Aes192CbcHs384,\n\n    /// AES_256_CBC_HMAC_SHA_512 authenticated encryption algorithm as defined\n    /// in [section 5.2.5]\n    ///\n    /// [section 5.2.5]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5.2.5\u003e\n    Aes256CbcHs512,\n}\n\nimpl From\u003cAesCbcHs\u003e for super::JsonWebContentEncryptionAlgorithm {\n    fn from(x: AesCbcHs) -\u003e Self {\n        super::JsonWebContentEncryptionAlgorithm::AesCbcHs(x)\n    }\n}\n","traces":[{"line":27,"address":[],"length":0,"stats":{"Line":0}},{"line":28,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":2},{"path":["/","home","stu","dev","rust","jose","src","jwa","aes_gcm.rs"],"content":"/// Different variants of AES GCM as in the table in [section 4.7 of RFC 7518]\n///\n/// [section 4.7 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.7\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum AesGcm {\n    /// Key wrapping with AES GCM using 128-bit key\n    Aes128,\n    /// Key wrapping with AES GCM using 192-bit key\n    Aes192,\n    /// Key wrapping with AES GCM using 256-bit key\n    Aes256,\n}\n\nimpl From\u003cAesGcm\u003e for super::JsonWebEncryptionAlgorithm {\n    fn from(x: AesGcm) -\u003e Self {\n        Self::AesGcmKw(x)\n    }\n}\n\nimpl From\u003cAesGcm\u003e for super::JsonWebAlgorithm {\n    fn from(x: AesGcm) -\u003e Self {\n        Self::Encryption(super::JsonWebEncryptionAlgorithm::AesGcmKw(x))\n    }\n}\n\nimpl From\u003cAesGcm\u003e for super::JsonWebContentEncryptionAlgorithm {\n    fn from(x: AesGcm) -\u003e Self {\n        super::JsonWebContentEncryptionAlgorithm::AesGcm(x)\n    }\n}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}},{"line":27,"address":[],"length":0,"stats":{"Line":0}},{"line":28,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":6},{"path":["/","home","stu","dev","rust","jose","src","jwa","aes_kw.rs"],"content":"/// Key Wrapping with AES Key Wrap as defined in [section 4.4 of RFC 7518]\n///\n/// [section 4.4 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.4\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Copy, Hash)]\npub enum AesKw {\n    /// AES Key Wrap with default initial value using 128-bit key\n    Aes128,\n    /// AES Key Wrap with default initial value using 192-bit key\n    Aes192,\n    /// AES Key Wrap with default initial value using 256-bit key\n    Aes256,\n}\n\nimpl From\u003cAesKw\u003e for super::JsonWebEncryptionAlgorithm {\n    fn from(x: AesKw) -\u003e Self {\n        Self::AesKw(x)\n    }\n}\n\nimpl From\u003cAesKw\u003e for super::JsonWebAlgorithm {\n    fn from(x: AesKw) -\u003e Self {\n        Self::Encryption(super::JsonWebEncryptionAlgorithm::AesKw(x))\n    }\n}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","ecdh_es.rs"],"content":"use super::AesKw;\n\n/// Different modes ECDH-ES can be used as defined in [section 4.6 of RFC 7518]\n///\n/// [section 4.6 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.6\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum EcDhES {\n    /// Using ECDH-ES directly without any wrapping\n    Direct,\n    /// ECDH-ES using Concat KDF and CEK wrapped with one variant of [AesKw]\n    AesKw(AesKw),\n}\n\nimpl From\u003cEcDhES\u003e for super::JsonWebEncryptionAlgorithm {\n    fn from(x: EcDhES) -\u003e Self {\n        Self::EcDhES(x)\n    }\n}\n\nimpl From\u003cEcDhES\u003e for super::JsonWebAlgorithm {\n    fn from(x: EcDhES) -\u003e Self {\n        Self::Encryption(super::JsonWebEncryptionAlgorithm::EcDhES(x))\n    }\n}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","ecdsa.rs"],"content":"/// Digital Signature with ECDSA as defined in [section 3.4 of RFC 7518]\n///\n/// [section 3.4 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.4\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum EcDSA {\n    /// ECDSA using P-256 and SHA-256\n    Es256,\n    /// ECDSA using P-384 and SHA-384\n    Es384,\n    /// ECDSA using P-521 and SHA-512\n    Es512,\n    /// ECDSA using secp256k1 curve and SHA-256\n    ///\n    /// ECDSA with secp256k1 is defined in [RFC 8812 section 3]\n    ///\n    /// [RFC 8812 section 3]: \u003chttps://datatracker.ietf.org/doc/html/rfc8812#section-3\u003e\n    Es256K,\n}\n\nimpl From\u003cEcDSA\u003e for super::JsonWebSigningAlgorithm {\n    fn from(x: EcDSA) -\u003e Self {\n        Self::EcDSA(x)\n    }\n}\n\nimpl From\u003cEcDSA\u003e for super::JsonWebAlgorithm {\n    fn from(x: EcDSA) -\u003e Self {\n        Self::Signing(super::JsonWebSigningAlgorithm::EcDSA(x))\n    }\n}\n","traces":[{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}},{"line":27,"address":[],"length":0,"stats":{"Line":6}},{"line":28,"address":[],"length":0,"stats":{"Line":6}}],"covered":2,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","hmac.rs"],"content":"/// HMAC with SHA-2 Functions as defined in [section 3.2 of RFC 7518]\n///\n/// [section 3.2 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.2\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum Hmac {\n    /// HMAC using SHA-256\n    Hs256,\n    /// HMAC using SHA-384\n    Hs384,\n    /// HMAC using SHA-512\n    Hs512,\n}\n\nimpl From\u003cHmac\u003e for super::JsonWebSigningAlgorithm {\n    fn from(x: Hmac) -\u003e Self {\n        Self::Hmac(x)\n    }\n}\n\nimpl From\u003cHmac\u003e for super::JsonWebAlgorithm {\n    fn from(x: Hmac) -\u003e Self {\n        Self::Signing(super::JsonWebSigningAlgorithm::Hmac(x))\n    }\n}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":2}},{"line":22,"address":[],"length":0,"stats":{"Line":2}}],"covered":2,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","pbes2.rs"],"content":"/// A variant of Key Encryption with PBES2 as defined in the table of [section\n/// 4.8 of RFC 7518]\n///\n/// [section 4.8 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.8\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum Pbes2 {\n    /// PBES2 with HMAC SHA-256 and \"A128KW\" wrapping\n    Hs256Aes128,\n    /// PBES2 with HMAC SHA-384 and \"A192KW\" wrapping\n    Hs384Aes192,\n    /// PBES2 with HMAC SHA-512 and \"A256KW\" wrapping\n    Hs512Aes256,\n}\n\nimpl From\u003cPbes2\u003e for super::JsonWebEncryptionAlgorithm {\n    fn from(x: Pbes2) -\u003e Self {\n        Self::Pbes2(x)\n    }\n}\n\nimpl From\u003cPbes2\u003e for super::JsonWebAlgorithm {\n    fn from(x: Pbes2) -\u003e Self {\n        Self::Encryption(super::JsonWebEncryptionAlgorithm::Pbes2(x))\n    }\n}\n","traces":[{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":17,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}},{"line":23,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","rsa","rsaes_oaep.rs"],"content":"/// Key Encryption with RSAES OAEP as defined in [section 4.3 of RFC 7518]\n///\n/// [section 4.3 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.3\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum RsaesOaep {\n    /// RSAES OAEP using default parameters\n    RsaesOaep,\n    /// RSAES OAEP using SHA-256 and MGF1 with SHA-256\n    RsaesOaep256,\n}\n\nimpl From\u003cRsaesOaep\u003e for crate::jwa::JsonWebEncryptionAlgorithm {\n    fn from(x: RsaesOaep) -\u003e Self {\n        Self::RsaesOaep(x)\n    }\n}\n\nimpl From\u003cRsaesOaep\u003e for crate::jwa::JsonWebAlgorithm {\n    fn from(x: RsaesOaep) -\u003e Self {\n        Self::Encryption(crate::jwa::JsonWebEncryptionAlgorithm::RsaesOaep(x))\n    }\n}\n","traces":[{"line":13,"address":[],"length":0,"stats":{"Line":0}},{"line":14,"address":[],"length":0,"stats":{"Line":0}},{"line":19,"address":[],"length":0,"stats":{"Line":2}},{"line":20,"address":[],"length":0,"stats":{"Line":2}}],"covered":2,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","rsa","rsassa_pkcs1_v1_5.rs"],"content":"/// Digital Signature with RSASSA-PKCS1-v1_5 as defined in [section 3.3 of RFC\n/// 7518]\n///\n/// [section 3.3 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.3\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum RsassaPkcs1V1_5 {\n    /// RSASSA-PKCS1-v1_5 using SHA-256\n    Rs256,\n    /// RSASSA-PKCS1-v1_5 using SHA-384\n    Rs384,\n    /// RSASSA-PKCS1-v1_5 using SHA-512\n    Rs512,\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","jwa","rsa","rsassa_pss.rs"],"content":"/// Digital Signature with RSASSA-PSS as defined in [section 3.5 of RFC 7518]\n///\n/// [section 3.5 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.5\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum RsassaPss {\n    /// RSASSA-PSS using SHA-256 and MGF1 with SHA-256\n    Ps256,\n    /// RSASSA-PSS using SHA-384 and MGF1 with SHA-384\n    Ps384,\n    /// RSASSA-PSS using SHA-512 and MGF1 with SHA-512\n    Ps512,\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","jwa","rsa.rs"],"content":"mod rsaes_oaep;\nmod rsassa_pkcs1_v1_5;\nmod rsassa_pss;\n\npub use self::{rsaes_oaep::RsaesOaep, rsassa_pkcs1_v1_5::RsassaPkcs1V1_5, rsassa_pss::RsassaPss};\n\n/// Some signing algorithm using a RSA key under the hood\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum RsaSigning {\n    /// Digital Signature with RSASSA-PSS\n    Pss(RsassaPss),\n    /// Digital Signature with RSASSA-PKCS1-v1_5\n    RsPkcs1V1_5(RsassaPkcs1V1_5),\n}\n\nimpl From\u003cRsaSigning\u003e for super::JsonWebAlgorithm {\n    fn from(x: RsaSigning) -\u003e Self {\n        Self::Signing(super::JsonWebSigningAlgorithm::Rsa(x))\n    }\n}\n\nimpl From\u003cRsaSigning\u003e for super::JsonWebSigningAlgorithm {\n    fn from(x: RsaSigning) -\u003e Self {\n        Self::Rsa(x)\n    }\n}\n\nimpl From\u003cRsassaPss\u003e for RsaSigning {\n    fn from(x: RsassaPss) -\u003e Self {\n        RsaSigning::Pss(x)\n    }\n}\n\nimpl From\u003cRsassaPss\u003e for super::JsonWebSigningAlgorithm {\n    fn from(x: RsassaPss) -\u003e Self {\n        Self::Rsa(RsaSigning::Pss(x))\n    }\n}\n\nimpl From\u003cRsassaPss\u003e for super::JsonWebAlgorithm {\n    fn from(x: RsassaPss) -\u003e Self {\n        Self::Signing(super::JsonWebSigningAlgorithm::Rsa(RsaSigning::Pss(x)))\n    }\n}\n\nimpl From\u003cRsassaPkcs1V1_5\u003e for RsaSigning {\n    fn from(x: RsassaPkcs1V1_5) -\u003e Self {\n        RsaSigning::RsPkcs1V1_5(x)\n    }\n}\n\nimpl From\u003cRsassaPkcs1V1_5\u003e for super::JsonWebSigningAlgorithm {\n    fn from(x: RsassaPkcs1V1_5) -\u003e Self {\n        Self::Rsa(RsaSigning::RsPkcs1V1_5(x))\n    }\n}\n\nimpl From\u003cRsassaPkcs1V1_5\u003e for super::JsonWebAlgorithm {\n    fn from(x: RsassaPkcs1V1_5) -\u003e Self {\n        Self::Signing(super::JsonWebSigningAlgorithm::Rsa(\n            RsaSigning::RsPkcs1V1_5(x),\n        ))\n    }\n}\n","traces":[{"line":17,"address":[],"length":0,"stats":{"Line":0}},{"line":18,"address":[],"length":0,"stats":{"Line":0}},{"line":23,"address":[],"length":0,"stats":{"Line":0}},{"line":24,"address":[],"length":0,"stats":{"Line":0}},{"line":29,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":41,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":54,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":1}},{"line":60,"address":[],"length":0,"stats":{"Line":1}},{"line":61,"address":[],"length":0,"stats":{"Line":1}}],"covered":3,"coverable":17},{"path":["/","home","stu","dev","rust","jose","src","jwa.rs"],"content":"//! Implementation of JSON Web Algorithms (JWA) as defined in [RFC 7518]\n//!\n//! [RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518\u003e\n\nmod aes_cbc_hs;\nmod aes_gcm;\nmod aes_kw;\nmod ecdh_es;\nmod ecdsa;\nmod hmac;\nmod pbes2;\nmod rsa;\n\nuse alloc::{borrow::Cow, string::String};\n\nuse serde::{Deserialize, Serialize};\n\n#[doc(inline)]\npub use self::{\n    aes_cbc_hs::AesCbcHs,\n    aes_gcm::AesGcm,\n    aes_kw::AesKw,\n    ecdh_es::EcDhES,\n    ecdsa::EcDSA,\n    hmac::Hmac,\n    pbes2::Pbes2,\n    rsa::{RsaSigning, RsaesOaep, RsassaPkcs1V1_5, RsassaPss},\n};\n\n/// Either a JSON Web Algorithm for signing operations, or an algorithm for\n/// encryption operations. Possible values should be registered in the [IANA\n/// `JSON Web Signature and Encryption Algorithms` registry][1].\n///\n/// [1]: \u003chttps://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize)]\n#[serde(untagged)]\npub enum JsonWebAlgorithm {\n    /// Signing algorithm.\n    Signing(JsonWebSigningAlgorithm),\n\n    /// Encryption algorithm.\n    Encryption(JsonWebEncryptionAlgorithm),\n\n    /// Unknown algorithm.\n    Other(String),\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for JsonWebAlgorithm {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let name = Cow::\u003c'_, str\u003e::deserialize(deserializer)?;\n\n        let sign =\n            JsonWebSigningAlgorithm::from_str_without_other(name.as_ref()).map(Self::Signing);\n        let enc =\n            JsonWebEncryptionAlgorithm::from_str_without_other(name.as_ref()).map(Self::Encryption);\n\n        let alg = sign\n            .or(enc)\n            .unwrap_or_else(|| Self::Other(name.into_owned()));\n        Ok(alg)\n    }\n}\n\n/// A JSON Web Algorithm (JWA) for singing operations (JWS) as defined in [RFC\n/// 7518 section 3]\n///\n/// This enum covers the `alg` Header Parameter Values for JWS. It represents\n/// the table from [section 3.1].\n///\n/// [RFC 7518 section 3]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3\u003e\n/// [section 3.1]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.1\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Hash)]\n#[non_exhaustive]\npub enum JsonWebSigningAlgorithm {\n    /// HMAC with SHA-2 Functions\n    Hmac(Hmac),\n    /// RSASSA-PKCS1-v1_5 using SHA-2 Functions\n    /// Digital Signature with RSASSA-PSS\n    Rsa(RsaSigning),\n    /// Digital Signature with ECDSA\n    EcDSA(EcDSA),\n    /// Digital Signature with Edwards-curve Digital Signature Algorithm (EdDSA)\n    /// as defined in [section 3.1 of RFC 8037]\n    ///\n    /// Note: `EdDSA` should not be confused with\n    /// [`EcDSA`](JsonWebSigningAlgorithm::EcDSA).\n    /// Also note that an EdDSA signature can either be made using `Ed25519` or\n    /// `Ed448` but this information is not included.\n    ///\n    /// [section 3.1 of RFC 8037]: \u003chttps://datatracker.ietf.org/doc/html/rfc8037#section-3.1\u003e\n    EdDSA,\n    /// The \"none\" algorithm as defined in [section 3.6 of RFC 7518].\n    ///\n    /// Using this algorithm essentially means that there is\n    /// no integrity protection for the JWS.\n    ///\n    /// [section 3.6 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.6\u003e\n    None,\n    /// JSON Web Algorithms that are not recognised by this implementation.\n    ///\n    /// If you want to implement custom algorithms via a custom\n    /// [`Signer`](crate::jws::Signer) and [`Verifier`](crate::jws::Verifier)\n    /// type, you should use this type to define an identifier for your\n    /// algorithm.\n    ///\n    /// Note: When you deserialize the `alg` header parameter via the\n    /// [`JsonWebAlgorithm`] enum, this variant will never be\n    /// constructed.\n    Other(String),\n}\n\nimpl From\u003cJsonWebSigningAlgorithm\u003e for JsonWebAlgorithm {\n    fn from(x: JsonWebSigningAlgorithm) -\u003e Self {\n        Self::Signing(x)\n    }\n}\n\n// don't judge this macro please.\n// its ugly but it works\nimpl_serde_jwa!(\n    JsonWebSigningAlgorithm,\n    [\n        \"HS256\" =\u003e Self::Hmac(Hmac::Hs256); Self::Hmac(Hmac::Hs256),\n        \"HS384\" =\u003e Self::Hmac(Hmac::Hs384); Self::Hmac(Hmac::Hs384),\n        \"HS512\" =\u003e Self::Hmac(Hmac::Hs512); Self::Hmac(Hmac::Hs512),\n\n        \"RS256\" =\u003e Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs256)); Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs256)),\n        \"RS384\" =\u003e Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs384)); Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs384)),\n        \"RS512\" =\u003e Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs512)); Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs512)),\n\n        \"ES256\" =\u003e Self::EcDSA(EcDSA::Es256); Self::EcDSA(EcDSA::Es256),\n        \"ES384\" =\u003e Self::EcDSA(EcDSA::Es384); Self::EcDSA(EcDSA::Es384),\n        \"ES512\" =\u003e Self::EcDSA(EcDSA::Es512); Self::EcDSA(EcDSA::Es512),\n        \"ES256K\" =\u003e Self::EcDSA(EcDSA::Es256K); Self::EcDSA(EcDSA::Es256K),\n\n        \"EdDSA\" =\u003e Self::EdDSA; Self::EdDSA,\n\n        \"PS256\" =\u003e Self::Rsa(RsaSigning::Pss(RsassaPss::Ps256)); Self::Rsa(RsaSigning::Pss(RsassaPss::Ps256)),\n        \"PS384\" =\u003e Self::Rsa(RsaSigning::Pss(RsassaPss::Ps384)); Self::Rsa(RsaSigning::Pss(RsassaPss::Ps384)),\n        \"PS512\" =\u003e Self::Rsa(RsaSigning::Pss(RsassaPss::Ps512)); Self::Rsa(RsaSigning::Pss(RsassaPss::Ps512)),\n\n\n        \"none\" =\u003e Self::None; Self::None,\n    ]\n);\n\n/// A JSON Web Algorithm (JWA) for encryption and decryption of Content\n/// Encryption Key (CEK) as defined in [RFC 7518 section 4]\n///\n/// This enum covers the `alg` Header Parameter Values for JWE. It represents\n/// the table from [section 4.1].\n///\n/// [RFC 7518 section 4]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4\u003e\n/// [section 4.1]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.1\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Hash)]\n#[non_exhaustive]\npub enum JsonWebEncryptionAlgorithm {\n    /// Key Encryption with RSAES-PKCS1-v1_5 as defined in [section 4.2]\n    ///\n    /// [section 4.2]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.2\u003e\n    Rsa1_5,\n    /// Key Encryption with RSAES OAEP\n    RsaesOaep(RsaesOaep),\n    /// AES Key Wrap\n    AesKw(AesKw),\n    /// Direct use of a shared symmetric key as the CEK as defined in [section\n    /// 4.5]\n    ///\n    /// [section 4.5]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.5\u003e\n    Direct,\n    /// Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES)\n    EcDhES(EcDhES),\n    /// Key wrapping with AES GCM\n    AesGcmKw(AesGcm),\n    /// PBES2 Key Encryption\n    Pbes2(Pbes2),\n    /// JSON Web Algorithms that are not recognised by this implementation.\n    ///\n    /// If you want to implement custom algorithms for use in JSON Web\n    /// encryption, you should use this variant to identify your algorithm.\n    ///\n    /// Note: When you deserialize the `alg` header parameter via the\n    /// [`JsonWebAlgorithm`] enum, this variant will never be\n    /// constructed.\n    Other(String),\n}\n\nimpl From\u003cJsonWebEncryptionAlgorithm\u003e for JsonWebAlgorithm {\n    fn from(x: JsonWebEncryptionAlgorithm) -\u003e Self {\n        Self::Encryption(x)\n    }\n}\n\nimpl_serde_jwa!(\n    JsonWebEncryptionAlgorithm,\n    [\n        \"RSA1_5\" =\u003e Self::Rsa1_5; Self::Rsa1_5,\n        \"RSA-OAEP\" =\u003e Self::RsaesOaep(RsaesOaep::RsaesOaep); Self::RsaesOaep(RsaesOaep::RsaesOaep),\n        \"RSA-OAEP-256\" =\u003e Self::RsaesOaep(RsaesOaep::RsaesOaep256); Self::RsaesOaep(RsaesOaep::RsaesOaep256),\n        \"A128KW\" =\u003e Self::AesKw(AesKw::Aes128); Self::AesKw(AesKw::Aes128),\n        \"A192KW\" =\u003e Self::AesKw(AesKw::Aes192); Self::AesKw(AesKw::Aes192),\n        \"A256KW\" =\u003e Self::AesKw(AesKw::Aes256); Self::AesKw(AesKw::Aes256),\n        \"dir\" =\u003e Self::Direct; Self::Direct,\n        \"ECDH-ES\" =\u003e Self::EcDhES(EcDhES::Direct); Self::EcDhES(EcDhES::Direct),\n        \"ECDH-ES+A128KW\" =\u003e Self::EcDhES(EcDhES::AesKw(AesKw::Aes128)); Self::EcDhES(EcDhES::AesKw(AesKw::Aes128)),\n        \"ECDH-ES+A192KW\" =\u003e Self::EcDhES(EcDhES::AesKw(AesKw::Aes192)); Self::EcDhES(EcDhES::AesKw(AesKw::Aes192)),\n        \"ECDH-ES+A256KW\" =\u003e Self::EcDhES(EcDhES::AesKw(AesKw::Aes256)); Self::EcDhES(EcDhES::AesKw(AesKw::Aes256)),\n        \"A128GCMKW\" =\u003e Self::AesGcmKw(AesGcm::Aes128); Self::AesGcmKw(AesGcm::Aes128),\n        \"A192GCMKW\" =\u003e Self::AesGcmKw(AesGcm::Aes192); Self::AesGcmKw(AesGcm::Aes192),\n        \"A256GCMKW\" =\u003e Self::AesGcmKw(AesGcm::Aes256); Self::AesGcmKw(AesGcm::Aes256),\n        \"PBES2-HS256+A128KW\" =\u003e Self::Pbes2(Pbes2::Hs256Aes128); Self::Pbes2(Pbes2::Hs256Aes128),\n        \"PBES2-HS384+A192KW\" =\u003e Self::Pbes2(Pbes2::Hs384Aes192); Self::Pbes2(Pbes2::Hs384Aes192),\n        \"PBES2-HS512+A256KW\" =\u003e Self::Pbes2(Pbes2::Hs512Aes256); Self::Pbes2(Pbes2::Hs512Aes256),\n    ]\n);\n\n/// A JSON Web Algorithm (JWA) for content encryption and decryption of a JWE as\n/// defined in [RFC 7518 section 5]\n///\n/// This enum covers the `enc` Header Parameter Values for JWE. It represents\n/// the table from [section 5.1].\n///\n/// [RFC 7518 section 5]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5\u003e\n/// [section 5.1]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5.1\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Hash)]\n#[non_exhaustive]\npub enum JsonWebContentEncryptionAlgorithm {\n    /// Content Encryption using AES in CBC mode with HMAC\n    AesCbcHs(AesCbcHs),\n    /// Content Encryption using AES GCM\n    AesGcm(AesGcm),\n    /// JSON Web Algorithms that are not recognised by this implementation.\n    ///\n    /// Use this variant if you want to implement a custom content encryption\n    /// algorithm.\n    Other(String),\n}\n\nimpl_serde_jwa!(\n    JsonWebContentEncryptionAlgorithm,\n    [\n        \"A128CBC-HS256\" =\u003e Self::AesCbcHs(AesCbcHs::Aes128CbcHs256); Self::AesCbcHs(AesCbcHs::Aes128CbcHs256),\n        \"A192CBC-HS384\" =\u003e Self::AesCbcHs(AesCbcHs::Aes192CbcHs384); Self::AesCbcHs(AesCbcHs::Aes192CbcHs384),\n        \"A256CBC-HS512\" =\u003e Self::AesCbcHs(AesCbcHs::Aes256CbcHs512); Self::AesCbcHs(AesCbcHs::Aes256CbcHs512),\n\n        \"A128GCM\" =\u003e Self::AesGcm(AesGcm::Aes128); Self::AesGcm(AesGcm::Aes128),\n        \"A192GCM\" =\u003e Self::AesGcm(AesGcm::Aes192); Self::AesGcm(AesGcm::Aes192),\n        \"A256GCM\" =\u003e Self::AesGcm(AesGcm::Aes256); Self::AesGcm(AesGcm::Aes256),\n    ]\n);\n\n#[test]\nfn test_others_not_stealing() {\n    use alloc::string::ToString;\n    let jwe = \"dir\";\n    let jwa: JsonWebAlgorithm =\n        serde_json::from_value(serde_json::Value::String(jwe.to_string())).unwrap();\n    assert_eq!(\n        jwa,\n        JsonWebAlgorithm::Encryption(JsonWebEncryptionAlgorithm::Direct)\n    );\n}\n","traces":[{"line":49,"address":[],"length":0,"stats":{"Line":47}},{"line":53,"address":[],"length":0,"stats":{"Line":94}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":0}},{"line":62,"address":[],"length":0,"stats":{"Line":2}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":2}},{"line":117,"address":[],"length":0,"stats":{"Line":2}},{"line":192,"address":[],"length":0,"stats":{"Line":0}},{"line":193,"address":[],"length":0,"stats":{"Line":0}}],"covered":5,"coverable":14},{"path":["/","home","stu","dev","rust","jose","src","jwe.rs"],"content":"//! Implementation of JSON Web Encryption (JWE) as defined in [RFC 7516]\n//!\n//! [RFC 7516]: \u003chttps://www.rfc-editor.org/rfc/rfc7516.html\u003e\n\n/// TODO\n#[derive(Debug)]\npub struct JsonWebEncryption {}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","jwk","asymmetric.rs"],"content":"use alloc::string::String;\n\nuse serde::{Deserialize, Serialize};\n\nuse super::{Private, Public, Thumbprint};\n\n/// Some kind of asymmetric cryptographic key which can be either [`Private`] or\n/// [`Public`]\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Hash)]\n#[serde(untagged)]\npub enum AsymmetricJsonWebKey {\n    /// The private part of an asymmetric key\n    Private(Private),\n    /// The public part of an asymmetric key\n    Public(Public),\n}\n\nimpl crate::sealed::Sealed for AsymmetricJsonWebKey {}\nimpl Thumbprint for AsymmetricJsonWebKey {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            AsymmetricJsonWebKey::Private(key) =\u003e key.thumbprint_prehashed(),\n            AsymmetricJsonWebKey::Public(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl From\u003cAsymmetricJsonWebKey\u003e for super::JsonWebKeyType {\n    fn from(x: AsymmetricJsonWebKey) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(x))\n    }\n}\n","traces":[{"line":20,"address":[],"length":0,"stats":{"Line":58}},{"line":21,"address":[],"length":0,"stats":{"Line":58}},{"line":22,"address":[],"length":0,"stats":{"Line":25}},{"line":23,"address":[],"length":0,"stats":{"Line":33}},{"line":29,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":0}}],"covered":4,"coverable":6},{"path":["/","home","stu","dev","rust","jose","src","jwk","builder.rs"],"content":"use alloc::{string::String, vec::Vec};\nuse core::convert::Infallible;\n\nuse hashbrown::HashSet;\n\nuse super::{serde_impl::Base64DerCertificate, JsonWebKey, JsonWebKeyType, KeyOperation, KeyUsage};\nuse crate::{\n    jwa::JsonWebAlgorithm,\n    jwk::policy::{Checkable, Checked, Policy},\n    Uri,\n};\n\n/// Reasons the construction of a `JsonWebKey` via the\n/// [`JsonWebKeyBuilder::build`] method can fail.\n#[derive(Debug, thiserror::Error)]\n#[non_exhaustive]\npub enum JsonWebKeyBuildError\u003cP\u003e {\n    /// The [`JsonWebKeyType`] and [`JsonWebAlgorithm`] are not compatible.\n    ///\n    /// An example is usage of an RSA key with an Hmac Json web algorithm.\n    #[error(\"the `key_type` and `algorithm` are not compatible\")]\n    IncompatibleKeyType,\n    /// This error can only happen when using the\n    /// [`build_and_check`](JsonWebKeyBuilder::build_and_check) is used and the\n    /// policy check failed.\n    #[error(transparent)]\n    PolicyCheckFailed(P),\n}\n\n/// The builder for modifying a [`JsonWebKey`].\n#[derive(Debug, Clone)]\npub struct JsonWebKeyBuilder\u003cA\u003e {\n    pub(super) key_type: JsonWebKeyType,\n    pub(super) key_use: Option\u003cKeyUsage\u003e,\n    pub(super) key_operations: Option\u003cHashSet\u003cKeyOperation\u003e\u003e,\n    pub(super) algorithm: Option\u003cJsonWebAlgorithm\u003e,\n    pub(super) kid: Option\u003cString\u003e,\n    pub(super) x509_url: Option\u003cUri\u003e,\n    pub(super) x509_certificate_chain: Vec\u003cBase64DerCertificate\u003e,\n    pub(super) x509_certificate_sha1_thumbprint: Option\u003c[u8; 20]\u003e,\n    pub(super) x509_certificate_sha256_thumbprint: Option\u003c[u8; 32]\u003e,\n    pub(super) additional: A,\n}\n\nmacro_rules! gen_builder_methods {\n    ($($field:ident: $T:ty,)*) =\u003e {\n        $(#[doc = concat!(\"Override the `\", stringify!($field), \"` for this JWK.\")]\n        #[inline]\n        pub fn $field(mut self, $field: Option\u003cimpl Into\u003c$T\u003e\u003e) -\u003e Self {\n            self.$field = $field.map(Into::into);\n            self\n        })*\n    };\n}\n\nimpl JsonWebKeyBuilder\u003c()\u003e {\n    /// Create a new [`JsonWebKeyBuilder`] with the given key.\n    pub fn new(key_type: impl Into\u003cJsonWebKeyType\u003e) -\u003e Self {\n        Self {\n            key_type: key_type.into(),\n            key_use: None,\n            key_operations: None,\n            algorithm: None,\n            kid: None,\n            x509_url: None,\n            x509_certificate_chain: alloc::vec![],\n            x509_certificate_sha1_thumbprint: None,\n            x509_certificate_sha256_thumbprint: None,\n            additional: (),\n        }\n    }\n}\n\nimpl\u003cA\u003e JsonWebKeyBuilder\u003cA\u003e {\n    /// Try to construct the final [`JsonWebKey`].\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if any parameter is considered invalid. For example,\n    /// if a [`JsonWebKeyType`] is not compatible with the [`JsonWebAlgorithm`]\n    /// set.\n    pub fn build(self) -\u003e Result\u003cJsonWebKey\u003cA\u003e, JsonWebKeyBuildError\u003cInfallible\u003e\u003e {\n        let Self {\n            key_type,\n            key_use,\n            key_operations,\n            algorithm,\n            kid,\n            x509_url,\n            x509_certificate_chain,\n            x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint,\n            additional,\n        } = self;\n\n        if let Some(ref algorithm) = algorithm {\n            if !key_type.compatible_with(algorithm) {\n                return Err(JsonWebKeyBuildError::IncompatibleKeyType);\n            }\n        }\n\n        Ok(JsonWebKey {\n            key_type,\n            key_use,\n            key_operations,\n            algorithm,\n            kid,\n            x509_url,\n            x509_certificate_chain,\n            x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint,\n            additional,\n        })\n    }\n\n    /// Try to construct the final [`JsonWebKey`], and then validates the\n    /// resulting JWK using the given [`Policy`].\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if any parameter is considered invalid, or the policy\n    /// check failed. For example, if a [`JsonWebKeyType`] is not compatible\n    /// with the [`JsonWebAlgorithm`] set.\n    // We think that this degree of complexity is acceptable and a type alias would make things even\n    // more complex\n    #[allow(clippy::type_complexity, clippy::result_large_err)]\n    pub fn build_and_check\u003cP: Policy\u003e(\n        self,\n        policy: P,\n    ) -\u003e Result\u003cChecked\u003cJsonWebKey\u003cA\u003e, P\u003e, JsonWebKeyBuildError\u003cP::Error\u003e\u003e\n    where\n        A: Checkable,\n    {\n        self.build()\n            .map_err(|e| match e {\n                JsonWebKeyBuildError::IncompatibleKeyType =\u003e {\n                    JsonWebKeyBuildError::IncompatibleKeyType\n                }\n                JsonWebKeyBuildError::PolicyCheckFailed(x) =\u003e match x {},\n            })?\n            .check(policy)\n            .map_err(|(_, e)| JsonWebKeyBuildError::PolicyCheckFailed(e))\n    }\n}\n\nimpl\u003cA\u003e JsonWebKeyBuilder\u003cA\u003e {\n    gen_builder_methods! {\n        key_use: KeyUsage,\n        key_operations: HashSet\u003cKeyOperation\u003e,\n        algorithm: JsonWebAlgorithm,\n        kid: String,\n        x509_url: Uri,\n        x509_certificate_sha1_thumbprint: [u8; 20],\n        x509_certificate_sha256_thumbprint: [u8; 32],\n    }\n\n    /// Override the `key_type` for this JWK.\n    #[inline]\n    pub fn key_type(mut self, key_type: JsonWebKeyType) -\u003e Self {\n        self.key_type = key_type;\n        self\n    }\n\n    /// Override the `x509_certificate_chain` for this JWK.\n    #[inline]\n    pub fn x509_certificate_chain(mut self, x509_certificate_chain: Vec\u003cVec\u003cu8\u003e\u003e) -\u003e Self {\n        self.x509_certificate_chain = x509_certificate_chain\n            .into_iter()\n            .map(Base64DerCertificate)\n            .collect();\n        self\n    }\n\n    /// Override the additional parameters for this JWK.\n    #[inline]\n    pub fn additional\u003cN\u003e(self, additional: N) -\u003e JsonWebKeyBuilder\u003cN\u003e {\n        JsonWebKeyBuilder {\n            key_type: self.key_type,\n            key_use: self.key_use,\n            key_operations: self.key_operations,\n            algorithm: self.algorithm,\n            kid: self.kid,\n            x509_url: self.x509_url,\n            x509_certificate_chain: self.x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: self.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: self.x509_certificate_sha256_thumbprint,\n            additional,\n        }\n    }\n}\n","traces":[{"line":49,"address":[],"length":0,"stats":{"Line":42}},{"line":50,"address":[],"length":0,"stats":{"Line":42}},{"line":51,"address":[],"length":0,"stats":{"Line":42}},{"line":52,"address":[],"length":0,"stats":{"Line":42}},{"line":58,"address":[],"length":0,"stats":{"Line":21}},{"line":60,"address":[],"length":0,"stats":{"Line":21}},{"line":66,"address":[],"length":0,"stats":{"Line":21}},{"line":69,"address":[],"length":0,"stats":{"Line":21}},{"line":82,"address":[],"length":0,"stats":{"Line":42}},{"line":83,"address":[],"length":0,"stats":{"Line":42}},{"line":84,"address":[],"length":0,"stats":{"Line":42}},{"line":85,"address":[],"length":0,"stats":{"Line":42}},{"line":86,"address":[],"length":0,"stats":{"Line":42}},{"line":87,"address":[],"length":0,"stats":{"Line":42}},{"line":88,"address":[],"length":0,"stats":{"Line":42}},{"line":89,"address":[],"length":0,"stats":{"Line":42}},{"line":90,"address":[],"length":0,"stats":{"Line":42}},{"line":91,"address":[],"length":0,"stats":{"Line":42}},{"line":92,"address":[],"length":0,"stats":{"Line":42}},{"line":93,"address":[],"length":0,"stats":{"Line":42}},{"line":94,"address":[],"length":0,"stats":{"Line":42}},{"line":96,"address":[],"length":0,"stats":{"Line":84}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":42}},{"line":102,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":108,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":134,"address":[],"length":0,"stats":{"Line":0}},{"line":135,"address":[],"length":0,"stats":{"Line":0}},{"line":136,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":139,"address":[],"length":0,"stats":{"Line":0}},{"line":141,"address":[],"length":0,"stats":{"Line":0}},{"line":142,"address":[],"length":0,"stats":{"Line":0}},{"line":159,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":0}},{"line":161,"address":[],"length":0,"stats":{"Line":0}},{"line":166,"address":[],"length":0,"stats":{"Line":0}},{"line":167,"address":[],"length":0,"stats":{"Line":0}},{"line":168,"address":[],"length":0,"stats":{"Line":0}},{"line":169,"address":[],"length":0,"stats":{"Line":0}},{"line":170,"address":[],"length":0,"stats":{"Line":0}},{"line":171,"address":[],"length":0,"stats":{"Line":0}},{"line":176,"address":[],"length":0,"stats":{"Line":0}},{"line":178,"address":[],"length":0,"stats":{"Line":0}},{"line":179,"address":[],"length":0,"stats":{"Line":0}},{"line":180,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":0}},{"line":182,"address":[],"length":0,"stats":{"Line":0}},{"line":183,"address":[],"length":0,"stats":{"Line":0}},{"line":184,"address":[],"length":0,"stats":{"Line":0}},{"line":185,"address":[],"length":0,"stats":{"Line":0}},{"line":186,"address":[],"length":0,"stats":{"Line":0}}],"covered":23,"coverable":62},{"path":["/","home","stu","dev","rust","jose","src","jwk","key_ops.rs"],"content":"use alloc::string::String;\n\nuse serde::{Deserialize, Serialize};\n\n/// This enum represents the key operations (`key_ops`) parameter as defined in\n/// [Section 4.3 of RFC 7517]. All possible values are registered in the [IANA\n/// `JSON Web Key Operations` registry].\n///\n/// This enum SHOULD NOT be used together with the [`KeyUsage`](super::KeyUsage)\n/// enum. If they are both present, their information MUST be consistent.\n///\n/// [Section 4.3 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.3\u003e\n/// [IANA `JSON Web Key Operations` registry]: \u003chttps://www.iana.org/assignments/jose/jose.xhtml#web-key-operations\u003e\n#[non_exhaustive]\n#[derive(Debug, Clone, Hash, PartialEq, Eq)]\npub enum KeyOperation {\n    /// This key may compute digital signatures or MACs\n    Sign,\n    /// This key may verify digital signatures or MACs\n    Verify,\n    /// This key may encrypt content\n    Encrypt,\n    /// This key may decrypt content and validate decryption, if applicable\n    Decrypt,\n    /// This key may encrypt a key\n    WrapKey,\n    /// This key may decrypt a key and validate the decryption, if applicable\n    UnwrapKey,\n    /// This key may derive a key\n    DeriveKey,\n    /// This key may derive bits not to be used as a key\n    DeriveBits,\n    /// Some other case-sensitive [`String`] that did not match any of the\n    /// publicly known key operations\n    Other(String),\n}\n\nimpl Serialize for KeyOperation {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        match self {\n            Self::Sign =\u003e \"sign\",\n            Self::Verify =\u003e \"verify\",\n            Self::Encrypt =\u003e \"encrypt\",\n            Self::Decrypt =\u003e \"decrypt\",\n            Self::WrapKey =\u003e \"wrapKey\",\n            Self::UnwrapKey =\u003e \"unwrapKey\",\n            Self::DeriveKey =\u003e \"deriveKey\",\n            Self::DeriveBits =\u003e \"deriveBits\",\n            Self::Other(s) =\u003e s,\n        }\n        .serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for KeyOperation {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let val = \u003calloc::borrow::Cow\u003c'_, str\u003e\u003e::deserialize(deserializer)?;\n        Ok(match \u0026*val {\n            \"sign\" =\u003e Self::Sign,\n            \"verify\" =\u003e Self::Verify,\n            \"encrypt\" =\u003e Self::Encrypt,\n            \"decrypt\" =\u003e Self::Decrypt,\n            \"wrapKey\" =\u003e Self::WrapKey,\n            \"unwrapKey\" =\u003e Self::UnwrapKey,\n            \"deriveKey\" =\u003e Self::DeriveKey,\n            \"deriveBits\" =\u003e Self::DeriveBits,\n            _ =\u003e Self::Other(val.into_owned()),\n        })\n    }\n}\n","traces":[{"line":39,"address":[],"length":0,"stats":{"Line":10}},{"line":43,"address":[],"length":0,"stats":{"Line":10}},{"line":44,"address":[],"length":0,"stats":{"Line":2}},{"line":45,"address":[],"length":0,"stats":{"Line":4}},{"line":46,"address":[],"length":0,"stats":{"Line":2}},{"line":47,"address":[],"length":0,"stats":{"Line":2}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":50,"address":[],"length":0,"stats":{"Line":0}},{"line":51,"address":[],"length":0,"stats":{"Line":0}},{"line":52,"address":[],"length":0,"stats":{"Line":0}},{"line":54,"address":[],"length":0,"stats":{"Line":10}},{"line":59,"address":[],"length":0,"stats":{"Line":16}},{"line":63,"address":[],"length":0,"stats":{"Line":32}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":3}},{"line":66,"address":[],"length":0,"stats":{"Line":19}},{"line":67,"address":[],"length":0,"stats":{"Line":11}},{"line":68,"address":[],"length":0,"stats":{"Line":6}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}}],"covered":13,"coverable":24},{"path":["/","home","stu","dev","rust","jose","src","jwk","key_use.rs"],"content":"use alloc::string::String;\n\nuse serde::{Deserialize, Serialize};\n\n/// This enum represents possible key usage (`use`) parameter as\n/// defined in [Section 4.2 of RFC 7517]. All possible values are registered in\n/// the [IANA `JSON Web Key Use` registry].\n///\n/// [Section 4.2 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.2\u003e\n/// [IANA `JSON Web Key Use` registry]: \u003chttps://www.iana.org/assignments/jose/jose.xhtml#web-key-use\u003e\n#[non_exhaustive]\n#[derive(Debug, Clone, Hash, PartialEq, Eq)]\npub enum KeyUsage {\n    /// The `sig` (signature) value\n    Signing,\n    /// The `enc` (encryption) value\n    Encryption,\n    /// Some other case-sensitive [`String`] that did not match any of the\n    /// publicly known variants\n    Other(String),\n}\n\nimpl Serialize for KeyUsage {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        match self {\n            Self::Signing =\u003e \"sig\",\n            Self::Encryption =\u003e \"enc\",\n            Self::Other(s) =\u003e s,\n        }\n        .serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for KeyUsage {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let val = \u003calloc::borrow::Cow\u003c'_, str\u003e\u003e::deserialize(deserializer)?;\n        Ok(match \u0026*val {\n            \"sig\" =\u003e Self::Signing,\n            \"enc\" =\u003e Self::Encryption,\n            _ =\u003e Self::Other(val.into_owned()),\n        })\n    }\n}\n","traces":[{"line":24,"address":[],"length":0,"stats":{"Line":34}},{"line":28,"address":[],"length":0,"stats":{"Line":34}},{"line":29,"address":[],"length":0,"stats":{"Line":28}},{"line":30,"address":[],"length":0,"stats":{"Line":6}},{"line":31,"address":[],"length":0,"stats":{"Line":0}},{"line":33,"address":[],"length":0,"stats":{"Line":34}},{"line":38,"address":[],"length":0,"stats":{"Line":50}},{"line":42,"address":[],"length":0,"stats":{"Line":100}},{"line":43,"address":[],"length":0,"stats":{"Line":0}},{"line":44,"address":[],"length":0,"stats":{"Line":44}},{"line":45,"address":[],"length":0,"stats":{"Line":12}},{"line":46,"address":[],"length":0,"stats":{"Line":0}}],"covered":9,"coverable":12},{"path":["/","home","stu","dev","rust","jose","src","jwk","policy","standard.rs"],"content":"use alloc::string::{String, ToString};\nuse core::fmt::Display;\n\nuse hashbrown::HashSet;\nuse thiserror::Error;\n\nuse super::{CryptographicOperation, Policy, PolicyError};\nuse crate::{\n    jwa::{JsonWebAlgorithm, JsonWebEncryptionAlgorithm, JsonWebSigningAlgorithm},\n    jwk::{KeyOperation, KeyUsage},\n};\n\n/// Reasons a [`StandardPolicy`] can deny a JWK.\n#[derive(Debug, Error)]\npub enum StandardPolicyFail {\n    /// A [`JsonWebKey`](crate::jwk::JsonWebKey) may not perform a\n    /// [`CryptographicOperation`]\n    #[error(\"this key may not perform this cryptographic operation\")]\n    OperationNotAllowed,\n    /// The [`JsonWebSigningAlgorithm::None`] algorithm is not allowed as this\n    /// indicates an unverified/unencrypted JWS/JWE.\n    #[error(\"`none` algorithm is not allowed\")]\n    NoneAlgorithm,\n    /// [`KeyUsage::Other`] can not be verified by the standard policy, thus\n    /// it's simply declined and the user needs to use a custom policy to\n    /// check it.\n    #[error(\"`use` contained custom usage which can't be checked\")]\n    OtherKeyUsage,\n    /// [`KeyOperation::Other`] can not be verified by the standard policy, thus\n    /// it's simply declined and the user needs to use a custom policy to\n    /// check it.\n    #[error(\"`key_ops` contained custom operation which can't be checked\")]\n    OtherKeyOperation,\n    /// If any of [`JsonWebSigningAlgorithm`] or [`JsonWebEncryptionAlgorithm`]\n    /// contains the `Other` variant, this error will be raised by the\n    /// [`StandardPolicy`] because it is not understood by the implementations\n    /// provided by this library.\n    ///\n    /// If you use custom implementations (for example, via your own\n    /// [`Signer`](crate::jws::Signer) type) and use custom values for your\n    /// algorithm identification, you should provide our own [`Policy`] that\n    /// compares the `Other` variants against values understood by your\n    /// implementation.\n    #[error(\"`alg` header contains an unknown value\")]\n    OtherAlgorithm,\n    /// Used for the [`PolicyError`] implementation\n    #[error(\"{0}\")]\n    Custom(String),\n}\n\nimpl PolicyError for StandardPolicyFail {\n    fn custom\u003cT\u003e(msg: T) -\u003e Self\n    where\n        T: Display,\n    {\n        Self::Custom(msg.to_string())\n    }\n}\n\n/// A [`Policy`] with reasonable rules. Use this struct if you want to have some\n/// secure defaults.\n///\n/// # Included checks\n///\n/// - [`JsonWebSigningAlgorithm::None`] is not allowed\n/// - `use` field must not contain [`KeyUsage::Other`] because it can't be\n///   verified\n/// - `key_ops` field must not contain [`KeyOperation::Other`] because it can't\n///   be verified\n#[non_exhaustive]\n#[derive(Debug, Default, Clone)]\npub struct StandardPolicy;\n\nimpl StandardPolicy {\n    /// Create a [`StandardPolicy`]\n    pub const fn new() -\u003e Self {\n        Self\n    }\n}\n\n// TODO: StandardPolicy should check that the JsonWebKeyType and the provided\n// Algorithm make sense\nimpl Policy for StandardPolicy {\n    type Error = StandardPolicyFail;\n\n    fn algorithm(\u0026self, alg: \u0026JsonWebAlgorithm) -\u003e Result\u003c(), Self::Error\u003e {\n        match alg {\n            JsonWebAlgorithm::Encryption(JsonWebEncryptionAlgorithm::Other(_))\n            | JsonWebAlgorithm::Signing(JsonWebSigningAlgorithm::Other(_)) =\u003e {\n                Err(StandardPolicyFail::OtherAlgorithm)\n            }\n\n            JsonWebAlgorithm::Signing(JsonWebSigningAlgorithm::None) =\u003e {\n                Err(StandardPolicyFail::NoneAlgorithm)\n            }\n            JsonWebAlgorithm::Other(..) =\u003e Err(StandardPolicyFail::OtherAlgorithm),\n            _ =\u003e Ok(()),\n        }\n    }\n\n    fn compare_key_ops_and_use(\n        \u0026self,\n        key_use: \u0026KeyUsage,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        if matches!(key_use, KeyUsage::Other(..)) {\n            return Err(StandardPolicyFail::OtherKeyUsage);\n        }\n\n        if key_ops.iter().any(|o| matches!(o, KeyOperation::Other(..))) {\n            return Err(StandardPolicyFail::OtherKeyOperation);\n        }\n\n        // TODO: check that the typed variants of KeyUsage and KeyOperation\n        Ok(())\n    }\n\n    fn may_perform_operation_key_ops(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        use CryptographicOperation::*;\n        match operation {\n            Encrypt if key_ops.contains(\u0026KeyOperation::Encrypt) =\u003e Ok(()),\n            Decrypt if key_ops.contains(\u0026KeyOperation::Encrypt) =\u003e Ok(()),\n            Sign if key_ops.contains(\u0026KeyOperation::Sign) =\u003e Ok(()),\n            Verify if key_ops.contains(\u0026KeyOperation::Verify) =\u003e Ok(()),\n            _ =\u003e Err(StandardPolicyFail::OperationNotAllowed),\n        }\n    }\n\n    fn may_perform_operation_key_use(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_use: \u0026KeyUsage,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        use CryptographicOperation::*;\n        match operation {\n            Decrypt | Encrypt if key_use == \u0026KeyUsage::Encryption =\u003e Ok(()),\n            Sign | Verify if key_use == \u0026KeyUsage::Signing =\u003e Ok(()),\n            _ =\u003e Err(StandardPolicyFail::OperationNotAllowed),\n        }\n    }\n}\n","traces":[{"line":52,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":1}},{"line":77,"address":[],"length":0,"stats":{"Line":1}},{"line":86,"address":[],"length":0,"stats":{"Line":1}},{"line":87,"address":[],"length":0,"stats":{"Line":1}},{"line":90,"address":[],"length":0,"stats":{"Line":0}},{"line":94,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":1}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":126,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":133,"address":[],"length":0,"stats":{"Line":1}},{"line":139,"address":[],"length":0,"stats":{"Line":1}},{"line":140,"address":[],"length":0,"stats":{"Line":0}},{"line":141,"address":[],"length":0,"stats":{"Line":3}},{"line":142,"address":[],"length":0,"stats":{"Line":0}}],"covered":8,"coverable":28},{"path":["/","home","stu","dev","rust","jose","src","jwk","policy.rs"],"content":"//! Validate jose data against some [`Policy`]\n\nmod standard;\nuse core::{\n    fmt::{Debug, Display},\n    ops::{Deref, DerefMut},\n};\n\nuse hashbrown::HashSet;\npub use standard::{StandardPolicy, StandardPolicyFail};\n\nuse crate::{\n    jwa::JsonWebAlgorithm,\n    jwk::{KeyOperation, KeyUsage},\n};\n\n/// A type `T` that was checked against a [`Policy`] `P`\n#[derive(Debug, Clone, Hash, PartialEq, Eq)]\npub struct Checked\u003cT, P\u003e {\n    /// The [`Policy`] this `T` was checked against\n    policy: P,\n    /// The data that were checked\n    data: T,\n}\n\nimpl\u003cT, P\u003e Deref for Checked\u003cT, P\u003e\nwhere\n    P: Policy,\n{\n    type Target = T;\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        \u0026self.data\n    }\n}\n\nimpl\u003cT, P\u003e DerefMut for Checked\u003cT, P\u003e\nwhere\n    P: Policy,\n{\n    fn deref_mut(\u0026mut self) -\u003e \u0026mut Self::Target {\n        \u0026mut self.data\n    }\n}\n\nimpl\u003cT, P\u003e Checked\u003cT, P\u003e {\n    /// Create a new [`Checked\u003cT, P\u003e`]\n    ///\n    /// **Warning**: This function can't perform any validation/checks and\n    /// therefore MUST only be used after sufficient validation is already done.\n    pub fn new(data: T, policy: P) -\u003e Self\n    where\n        P: Policy,\n    {\n        Self { policy, data }\n    }\n\n    /// Turns this `Checked` into it's underlying values. `T` is the type that\n    /// was checked and `P` the [`Policy`] used to check `T`\n    pub fn into_inner(self) -\u003e (T, P) {\n        (self.data, self.policy)\n    }\n\n    /// Turns this `Checked` into it's underlying checked type `T`\n    pub fn into_type(self) -\u003e T {\n        self.into_inner().0\n    }\n\n    /// Turns this `Checked` into it's underlying [`Policy`] `P` that was used\n    /// to check `T`\n    pub fn into_policy(self) -\u003e P {\n        self.into_inner().1\n    }\n\n    /// Returns the [`Policy`] that was used to validate `T`\n    pub fn policy(\u0026self) -\u003e \u0026P\n    where\n        P: Policy,\n    {\n        \u0026self.policy\n    }\n}\n\n/// A trait to enforce some rules in jose\npub trait Policy {\n    /// The error type returned when any check of this policy fails.\n    type Error: PolicyError;\n\n    /// Checks the `alg` header\n    ///\n    /// # Errors\n    ///\n    /// This should return an [`Err`] if the algorithm is not accepted (e.g.\n    /// because it is considered insecure)\n    fn algorithm(\u0026self, alg: \u0026JsonWebAlgorithm) -\u003e Result\u003c(), Self::Error\u003e;\n\n    /// Compares the `use` and `key_ops` parameters\n    ///\n    /// # Errors\n    ///\n    /// This should return an [`Err`] if key_use and key_ops are inconsistent\n    /// with each other\n    fn compare_key_ops_and_use(\n        \u0026self,\n        key_use: \u0026KeyUsage,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e;\n\n    /// Checks if a [`JsonWebKey`](crate::jwk::JsonWebKey) with the given\n    /// [`KeyOperation`]s is allowed to perform a certain\n    /// [`CryptographicOperation`]\n    ///\n    /// # Errors\n    ///\n    /// This should return an [`Err`] if the given\n    /// [`JsonWebKey`](crate::jwk::JsonWebKey) with this specific set of\n    /// [`KeyOperation`]s is not allowed to perform the\n    /// [`CryptographicOperation`] For example, this might be the case if\n    /// key_ops only contain [`KeyOperation::Encrypt`] but the\n    /// [`CryptographicOperation`] is [`Sign`](CryptographicOperation::Sign).\n    fn may_perform_operation_key_ops(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e;\n\n    /// Checks if a [`JsonWebKey`](crate::jwk::JsonWebKey) with the given\n    /// [`KeyUsage`] parameter is allowed to perform a certain\n    /// [`CryptographicOperation`]\n    ///\n    /// # Errors\n    ///\n    /// This should return an [`Err`] if the given\n    /// [`JsonWebKey`](crate::jwk::JsonWebKey) with this specific [`KeyUsage`]\n    /// is not allowed to perform the [`CryptographicOperation`]\n    fn may_perform_operation_key_use(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_use: \u0026KeyUsage,\n    ) -\u003e Result\u003c(), Self::Error\u003e;\n\n    /// Checks both [`KeyUsage`] and [`KeyOperation`] for the given\n    /// [`CryptographicOperation`]\n    ///\n    /// The default implementation just calls\n    /// [`may_perform_operation_key_ops`](Self::may_perform_operation_key_ops)\n    /// and [`may_perform_operation_key_use`](Self::may_perform_operation_key_use).\n    ///\n    /// # Errors\n    ///\n    /// This should return an [`Err`] if the [`KeyUsage`] and [`KeyOperation`]\n    /// do not allow for the [`CryptographicOperation`]\n    fn may_perform_operation(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_use: \u0026KeyUsage,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        self.may_perform_operation_key_ops(operation, key_ops)?;\n        self.may_perform_operation_key_use(operation, key_use)\n    }\n}\n\n/// An enum used to specify a cryptographic operation\n#[non_exhaustive]\n#[derive(Debug, PartialEq, Eq, Hash, Clone, Copy)]\npub enum CryptographicOperation {\n    /// Create a signature (used in JWS)\n    Sign,\n    /// Verify a signature (used in JWS)\n    Verify,\n    /// Encrypt something (used in JWE)\n    Encrypt,\n    /// Decrypt some ciphertext (used in JWE)\n    Decrypt,\n    // TODO: possibly add derive key and derive bits in case they are ever needed (maybe in JWE?)\n}\n\nimpl\u003cP: Policy\u003e Policy for \u0026P {\n    type Error = P::Error;\n\n    fn algorithm(\u0026self, alg: \u0026JsonWebAlgorithm) -\u003e Result\u003c(), Self::Error\u003e {\n        P::algorithm(self, alg)\n    }\n\n    fn compare_key_ops_and_use(\n        \u0026self,\n        key_use: \u0026KeyUsage,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        P::compare_key_ops_and_use(self, key_use, key_ops)\n    }\n\n    fn may_perform_operation_key_ops(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        P::may_perform_operation_key_ops(self, operation, key_ops)\n    }\n\n    fn may_perform_operation_key_use(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_use: \u0026KeyUsage,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        P::may_perform_operation_key_use(self, operation, key_use)\n    }\n}\n\n/// An error returned by the [`Policy`] trait\npub trait PolicyError {\n    /// A custom error message\n    fn custom\u003cT\u003e(msg: T) -\u003e Self\n    where\n        T: Display;\n}\n\n/// A type that can be checked against some [`Policy`]\npub trait Checkable: Sized {\n    /// Check [`self`] against a [`Policy`]\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if any check against the [`Policy`] failed\n    fn check\u003cP: Policy\u003e(self, policy: P) -\u003e Result\u003cChecked\u003cSelf, P\u003e, (Self, P::Error)\u003e;\n}\n\n/// This implementation allows the default JsonWebKey (and others types with\n/// additional members) to implement Checkable where there are no additional\n/// members (`T = ()`)\nimpl Checkable for () {\n    fn check\u003cP: Policy\u003e(self, policy: P) -\u003e Result\u003cChecked\u003cSelf, P\u003e, (Self, P::Error)\u003e {\n        Ok(Checked::new(self, policy))\n    }\n}\n","traces":[{"line":32,"address":[],"length":0,"stats":{"Line":0}},{"line":33,"address":[],"length":0,"stats":{"Line":0}},{"line":41,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":51,"address":[],"length":0,"stats":{"Line":2}},{"line":60,"address":[],"length":0,"stats":{"Line":1}},{"line":61,"address":[],"length":0,"stats":{"Line":1}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":153,"address":[],"length":0,"stats":{"Line":0}},{"line":159,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":0}},{"line":182,"address":[],"length":0,"stats":{"Line":0}},{"line":183,"address":[],"length":0,"stats":{"Line":0}},{"line":186,"address":[],"length":0,"stats":{"Line":0}},{"line":191,"address":[],"length":0,"stats":{"Line":0}},{"line":194,"address":[],"length":0,"stats":{"Line":0}},{"line":199,"address":[],"length":0,"stats":{"Line":0}},{"line":202,"address":[],"length":0,"stats":{"Line":0}},{"line":207,"address":[],"length":0,"stats":{"Line":0}},{"line":233,"address":[],"length":0,"stats":{"Line":0}},{"line":234,"address":[],"length":0,"stats":{"Line":0}}],"covered":3,"coverable":26},{"path":["/","home","stu","dev","rust","jose","src","jwk","private.rs"],"content":"use alloc::{boxed::Box, string::String};\n\nuse serde::{Deserialize, Serialize};\n\nuse super::Thumbprint;\nuse crate::crypto::{ec, okp, rsa};\n\n/// The `private` part of some asymmetric cryptographic key\n#[non_exhaustive]\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Hash)]\n#[serde(untagged)]\npub enum Private {\n    /// The private part of a Rsa key\n    Rsa(Box\u003crsa::PrivateKey\u003e),\n    /// The private part of an elliptic curve\n    Ec(EcPrivate),\n    /// The private part of an `OKP` key type, probably the private part of a\n    /// curve25519 or curve448 key\n    Okp(OkpPrivate),\n}\n\nimpl From\u003cPrivate\u003e for super::JsonWebKeyType {\n    fn from(x: Private) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(Box::new(super::AsymmetricJsonWebKey::Private(x)))\n    }\n}\n\nimpl crate::sealed::Sealed for Private {}\nimpl Thumbprint for Private {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            Private::Rsa(key) =\u003e key.thumbprint_prehashed(),\n            Private::Ec(key) =\u003e key.thumbprint_prehashed(),\n            Private::Okp(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\n/// The private part of some elliptic curve\n///\n/// Note: This does not include Curve25519 and Curve448. For these, see the\n/// `Okp` variant of the [`Private`](super::Private)\n/// enum.\n#[non_exhaustive]\n#[derive(Debug, Clone, Serialize, PartialEq, Eq, Hash)]\n#[serde(untagged)]\npub enum EcPrivate {\n    /// Private part of the P-256 curve\n    P256(ec::P256PrivateKey),\n    /// Private part of the P-384 curve\n    P384(ec::P384PrivateKey),\n    /// Private part of the P-521 curve\n    P521(ec::P521PrivateKey),\n    /// Private part of the secp256k1 curve\n    Secp256k1(ec::Secp256k1PrivateKey),\n}\n\nimpl crate::sealed::Sealed for EcPrivate {}\nimpl Thumbprint for EcPrivate {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            EcPrivate::P256(key) =\u003e key.thumbprint_prehashed(),\n            EcPrivate::P384(key) =\u003e key.thumbprint_prehashed(),\n            EcPrivate::P521(key) =\u003e key.thumbprint_prehashed(),\n            EcPrivate::Secp256k1(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl From\u003cEcPrivate\u003e for super::JsonWebKeyType {\n    fn from(x: EcPrivate) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(\n            super::AsymmetricJsonWebKey::Private(super::Private::Ec(x)),\n        ))\n    }\n}\n\nimpl_internally_tagged_deserialize!(EcPrivate, \"crv\", \"EcCurve\", [\n    \"P-256\" =\u003e P256,\n    \"P-384\" =\u003e P384,\n    \"P-521\" =\u003e P521,\n    \"secp256k1\" =\u003e Secp256k1,\n]);\n\n/// The private part of ED keys, whose type is `OKP`.\n#[non_exhaustive]\n#[derive(Debug, Clone, Serialize, PartialEq, Eq, Hash)]\n#[serde(untagged)]\npub enum OkpPrivate {\n    /// Private part of the Ed25519 curve\n    Ed25519(okp::Ed25519PrivateKey),\n\n    /// Private part of the Ed448 curve\n    Ed448(okp::Ed448PrivateKey),\n}\n\nimpl crate::sealed::Sealed for OkpPrivate {}\nimpl Thumbprint for OkpPrivate {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            OkpPrivate::Ed25519(key) =\u003e key.thumbprint_prehashed(),\n            OkpPrivate::Ed448(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl From\u003cOkpPrivate\u003e for super::JsonWebKeyType {\n    fn from(x: OkpPrivate) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(\n            super::AsymmetricJsonWebKey::Private(super::Private::Okp(x)),\n        ))\n    }\n}\n\nimpl_internally_tagged_deserialize!(OkpPrivate, \"crv\", \"OkpCurve\", [\n    \"Ed25519\" =\u003e Ed25519,\n    \"Ed448\" =\u003e Ed448,\n]);\n","traces":[{"line":23,"address":[],"length":0,"stats":{"Line":0}},{"line":24,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":25}},{"line":31,"address":[],"length":0,"stats":{"Line":25}},{"line":32,"address":[],"length":0,"stats":{"Line":6}},{"line":33,"address":[],"length":0,"stats":{"Line":13}},{"line":34,"address":[],"length":0,"stats":{"Line":6}},{"line":60,"address":[],"length":0,"stats":{"Line":13}},{"line":61,"address":[],"length":0,"stats":{"Line":13}},{"line":62,"address":[],"length":0,"stats":{"Line":4}},{"line":63,"address":[],"length":0,"stats":{"Line":3}},{"line":64,"address":[],"length":0,"stats":{"Line":3}},{"line":65,"address":[],"length":0,"stats":{"Line":3}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":6}},{"line":100,"address":[],"length":0,"stats":{"Line":6}},{"line":101,"address":[],"length":0,"stats":{"Line":3}},{"line":102,"address":[],"length":0,"stats":{"Line":3}},{"line":108,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}}],"covered":15,"coverable":23},{"path":["/","home","stu","dev","rust","jose","src","jwk","public.rs"],"content":"use alloc::string::String;\n\nuse serde::{Deserialize, Serialize};\n\nuse super::Thumbprint;\nuse crate::crypto::{ec, okp, rsa};\n\n/// The `public` part of some asymmetric cryptographic key\n#[non_exhaustive]\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Hash)]\n#[serde(untagged)]\npub enum Public {\n    /// The public part of a Rsa key\n    Rsa(rsa::PublicKey),\n    /// The public part of an elliptic curve\n    Ec(EcPublic),\n    /// The public part of an `OKP` key type, probably the public part of a\n    /// curve25519 or curve448 key\n    Okp(OkpPublic),\n}\n\nimpl crate::sealed::Sealed for Public {}\nimpl Thumbprint for Public {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            Public::Rsa(key) =\u003e key.thumbprint_prehashed(),\n            Public::Ec(key) =\u003e key.thumbprint_prehashed(),\n            Public::Okp(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\n/// The public part of some elliptic curve\n///\n/// Note: This does not include Curve25519 and Curve448. For these, see the\n/// `Okp` variant of the [`Public`](super::Public) enum.\n#[non_exhaustive]\n#[derive(Debug, Clone, Serialize, PartialEq, Eq, Hash)]\n#[serde(untagged)]\npub enum EcPublic {\n    /// Public part of the P-256 curve\n    P256(ec::P256PublicKey),\n\n    /// Public part of the P-384 curve\n    P384(ec::P384PublicKey),\n\n    /// Public part of the P-521 curve\n    P521(ec::P521PublicKey),\n\n    /// Public part of the secp256k1 curve\n    Secp256k1(ec::Secp256k1PublicKey),\n}\n\nimpl crate::sealed::Sealed for EcPublic {}\nimpl Thumbprint for EcPublic {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            EcPublic::P256(key) =\u003e key.thumbprint_prehashed(),\n            EcPublic::P384(key) =\u003e key.thumbprint_prehashed(),\n            EcPublic::P521(key) =\u003e key.thumbprint_prehashed(),\n            EcPublic::Secp256k1(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl From\u003cEcPublic\u003e for super::JsonWebKeyType {\n    fn from(x: EcPublic) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(\n            super::AsymmetricJsonWebKey::Public(super::Public::Ec(x)),\n        ))\n    }\n}\n\nimpl_internally_tagged_deserialize!(EcPublic, \"crv\", \"EcCurve\", [\n    \"P-256\" =\u003e P256,\n    \"P-384\" =\u003e P384,\n    \"P-521\" =\u003e P521,\n    \"secp256k1\" =\u003e Secp256k1,\n]);\n\n/// The public part of ED keys, whose type is `OKP`.\n#[non_exhaustive]\n#[derive(Debug, Clone, Serialize, PartialEq, Eq, Hash)]\n#[serde(untagged)]\npub enum OkpPublic {\n    /// Public part of the Ed25519 curve\n    Ed25519(okp::Ed25519PublicKey),\n\n    /// Public part of the Ed448 curve\n    Ed448(okp::Ed448PublicKey),\n}\n\nimpl crate::sealed::Sealed for OkpPublic {}\nimpl Thumbprint for OkpPublic {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            OkpPublic::Ed25519(key) =\u003e key.thumbprint_prehashed(),\n            OkpPublic::Ed448(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl From\u003cOkpPublic\u003e for super::JsonWebKeyType {\n    fn from(x: OkpPublic) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(\n            super::AsymmetricJsonWebKey::Public(super::Public::Okp(x)),\n        ))\n    }\n}\n\nimpl_internally_tagged_deserialize!(OkpPublic, \"crv\", \"OkpCurve\", [\n    \"Ed25519\" =\u003e Ed25519,\n    \"Ed448\" =\u003e Ed448,\n]);\n","traces":[{"line":24,"address":[],"length":0,"stats":{"Line":33}},{"line":25,"address":[],"length":0,"stats":{"Line":33}},{"line":26,"address":[],"length":0,"stats":{"Line":15}},{"line":27,"address":[],"length":0,"stats":{"Line":12}},{"line":28,"address":[],"length":0,"stats":{"Line":6}},{"line":56,"address":[],"length":0,"stats":{"Line":12}},{"line":57,"address":[],"length":0,"stats":{"Line":12}},{"line":58,"address":[],"length":0,"stats":{"Line":3}},{"line":59,"address":[],"length":0,"stats":{"Line":3}},{"line":60,"address":[],"length":0,"stats":{"Line":3}},{"line":61,"address":[],"length":0,"stats":{"Line":3}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":6}},{"line":96,"address":[],"length":0,"stats":{"Line":6}},{"line":97,"address":[],"length":0,"stats":{"Line":3}},{"line":98,"address":[],"length":0,"stats":{"Line":3}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}}],"covered":15,"coverable":21},{"path":["/","home","stu","dev","rust","jose","src","jwk","serde_impl.rs"],"content":"use alloc::{borrow::Cow, vec::Vec};\nuse core::ops::Deref;\n\nuse base64ct::{Base64, Base64UrlUnpadded, Encoding};\nuse hashbrown::HashSet;\nuse serde::{de::Error, Deserialize, Deserializer, Serialize, Serializer};\n\nuse super::KeyOperation;\n\n/// Helper function to ensure that a [`HashSet`] is created from a [`Vec`]\n/// without duplicates\npub fn deserialize_ensure_set\u003c'de, D\u003e(\n    deserializer: D,\n) -\u003e Result\u003cOption\u003cHashSet\u003cKeyOperation\u003e\u003e, D::Error\u003e\nwhere\n    D: Deserializer\u003c'de\u003e,\n{\n    match \u003cOption\u003cVec\u003cKeyOperation\u003e\u003e as Deserialize\u003e::deserialize(deserializer)? {\n        Some(val) =\u003e {\n            let mut set = HashSet::new();\n            for o in val {\n                // detect duplicates in `key_ops` parameter. according to the rfc,\n                // \u003e Duplicate key operation values MUST NOT be present in the array.\n                // means: this is a set\n                if !set.insert(o) {\n                    return Err(\u003cD::Error as Error\u003e::custom(\n                        \"found duplicate in `key_ops` parameter\",\n                    ));\n                }\n            }\n            Ok(Some(set))\n        }\n        None =\u003e Ok(None),\n    }\n}\n\n/// serialize a generic array to base64 urlsafe nopad\npub fn serialize_ga\u003cconst N: usize, S\u003e(\n    // \u0026Option needed because serde passes an \u0026Option\u003cT\u003e instead of Option\u003c\u0026T\u003e\n    v: \u0026Option\u003c[u8; N]\u003e,\n    serializer: S,\n) -\u003e Result\u003cS::Ok, S::Error\u003e\nwhere\n    S: Serializer,\n{\n    let v = v.as_ref();\n    v.map(|v| Base64UrlUnpadded::encode_string(v))\n        .serialize(serializer)\n}\n\n/// deserialize a generic array from base64 urlsafe nopad\npub fn deserialize_ga\u003c'de, D, const N: usize\u003e(deserializer: D) -\u003e Result\u003cOption\u003c[u8; N]\u003e, D::Error\u003e\nwhere\n    D: Deserializer\u003c'de\u003e,\n{\n    Ok(match Option::\u003cCow\u003c'_, str\u003e\u003e::deserialize(deserializer)? {\n        Some(val) =\u003e {\n            let mut buf = [0u8; N];\n            Base64UrlUnpadded::decode(\u0026*val, \u0026mut buf).map_err(\u003cD::Error as Error\u003e::custom)?;\n            Some(buf)\n        }\n        None =\u003e None,\n    })\n}\n\npub fn serialize_ga_sha1\u003cS\u003e(v: \u0026Option\u003c[u8; 20]\u003e, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\nwhere\n    S: Serializer,\n{\n    serialize_ga::\u003c20, _\u003e(v, serializer)\n}\n\npub fn serialize_ga_sha256\u003cS\u003e(v: \u0026Option\u003c[u8; 32]\u003e, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\nwhere\n    S: Serializer,\n{\n    serialize_ga::\u003c32, _\u003e(v, serializer)\n}\n\npub fn deserialize_ga_sha1\u003c'de, D\u003e(deserializer: D) -\u003e Result\u003cOption\u003c[u8; 20]\u003e, D::Error\u003e\nwhere\n    D: Deserializer\u003c'de\u003e,\n{\n    deserialize_ga::\u003c_, 20\u003e(deserializer)\n}\n\npub fn deserialize_ga_sha256\u003c'de, D\u003e(deserializer: D) -\u003e Result\u003cOption\u003c[u8; 32]\u003e, D::Error\u003e\nwhere\n    D: Deserializer\u003c'de\u003e,\n{\n    deserialize_ga::\u003c_, 32\u003e(deserializer)\n}\n\n#[derive(Debug, Hash, PartialEq, Eq, Clone)]\npub(crate) struct Base64DerCertificate(pub Vec\u003cu8\u003e);\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for Base64DerCertificate {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        let val = \u003calloc::borrow::Cow\u003c'_, str\u003e\u003e::deserialize(deserializer)?;\n        Ok(Self(\n            Base64::decode_vec(\u0026val).map_err(\u003cD::Error as Error\u003e::custom)?,\n        ))\n    }\n}\n\nimpl Deref for Base64DerCertificate {\n    type Target = [u8];\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        self.0.deref()\n    }\n}\n\nimpl Serialize for Base64DerCertificate {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: Serializer,\n    {\n        Base64::encode_string(\u0026self.0).serialize(serializer)\n    }\n}\n","traces":[{"line":12,"address":[],"length":0,"stats":{"Line":9}},{"line":18,"address":[],"length":0,"stats":{"Line":9}},{"line":19,"address":[],"length":0,"stats":{"Line":9}},{"line":20,"address":[],"length":0,"stats":{"Line":9}},{"line":21,"address":[],"length":0,"stats":{"Line":40}},{"line":25,"address":[],"length":0,"stats":{"Line":16}},{"line":26,"address":[],"length":0,"stats":{"Line":1}},{"line":27,"address":[],"length":0,"stats":{"Line":1}},{"line":31,"address":[],"length":0,"stats":{"Line":8}},{"line":33,"address":[],"length":0,"stats":{"Line":0}},{"line":38,"address":[],"length":0,"stats":{"Line":12}},{"line":46,"address":[],"length":0,"stats":{"Line":12}},{"line":47,"address":[],"length":0,"stats":{"Line":24}},{"line":48,"address":[],"length":0,"stats":{"Line":12}},{"line":52,"address":[],"length":0,"stats":{"Line":12}},{"line":56,"address":[],"length":0,"stats":{"Line":12}},{"line":57,"address":[],"length":0,"stats":{"Line":12}},{"line":58,"address":[],"length":0,"stats":{"Line":12}},{"line":59,"address":[],"length":0,"stats":{"Line":12}},{"line":60,"address":[],"length":0,"stats":{"Line":12}},{"line":62,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":6}},{"line":70,"address":[],"length":0,"stats":{"Line":6}},{"line":73,"address":[],"length":0,"stats":{"Line":6}},{"line":77,"address":[],"length":0,"stats":{"Line":6}},{"line":80,"address":[],"length":0,"stats":{"Line":6}},{"line":84,"address":[],"length":0,"stats":{"Line":6}},{"line":87,"address":[],"length":0,"stats":{"Line":6}},{"line":91,"address":[],"length":0,"stats":{"Line":6}},{"line":98,"address":[],"length":0,"stats":{"Line":6}},{"line":102,"address":[],"length":0,"stats":{"Line":12}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":113,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":6}},{"line":122,"address":[],"length":0,"stats":{"Line":6}}],"covered":31,"coverable":37},{"path":["/","home","stu","dev","rust","jose","src","jwk","signer.rs"],"content":"use alloc::{borrow::ToOwned, string::String, vec::Vec};\n\nuse super::{\n    private::EcPrivate, symmetric::FromOctetSequenceError, AsymmetricJsonWebKey, FromKey,\n    JsonWebKeyType, OkpPrivate, Private, SymmetricJsonWebKey,\n};\nuse crate::{\n    crypto::{ec, hmac, okp, rsa},\n    jwa::{EcDSA, Hmac, JsonWebAlgorithm, JsonWebSigningAlgorithm},\n    jwk::policy::{Checked, CryptographicOperation, Policy},\n    jws::{IntoSigner, InvalidSigningAlgorithmError, Signer},\n    JsonWebKey,\n};\n\n/// An abstract [`Signer`] over all possible [key types](JsonWebKeyType)\n// FIXME: make PR to dependencies to we can derive C-COMMON-TRAITS\n#[derive(Debug)]\npub struct JwkSigner {\n    inner: InnerSigner,\n    key_id: Option\u003cString\u003e,\n}\n\nimpl JwkSigner {\n    /// Create a [`JwkSigner`] from a [`JsonWebKeyType`] used with the provided\n    /// [`JsonWebAlgorithm`]\n    ///\n    /// # Errors\n    ///\n    /// This function returns an error if the provided [`JsonWebAlgorithm`] and\n    /// the actual [`JsonWebKeyType`] don't match. For example, you'll get an\n    /// error if you try to to use this function with a [symmetric\n    /// key](JsonWebKeyType::Symmetric) and an asymmetric key algorithm.\n    ///\n    /// E.g., this won't work:\n    ///     \n    /// ```\n    /// use jose::{\n    ///     jwa::{Hmac, JsonWebSigningAlgorithm},\n    ///     jwk::{FromJwkError, JsonWebKeyType, JwkSigner},\n    /// };\n    /// # fn main() -\u003e Result\u003c(), Box\u003cdyn std::error::Error\u003e\u003e {\n    /// let key: JsonWebKeyType = serde_json::from_str(\n    ///     r#\"\n    /// {\n    ///   \"kty\": \"EC\",\n    ///   \"kid\": \"6j1ImYAlN6DnVupozzN13UKnLR7BfEvngNmVl5bLlI0\",\n    ///   \"crv\": \"P-256\",\n    ///   \"x\": \"-HGJKqKLCoB6z4zlNKef927CODDulLcHdxNi2iUTi5g\",\n    ///   \"y\": \"GaVhYaBvIgSAaNLjXjVqOvtCGH56x5s4DnWMy9TXbTU\",\n    ///   \"d\": \"C6AV5ZvCGQevYYMJT15frXWuKaqEDthnSMtuJKEKykI\"\n    /// }\"#,\n    /// )?;\n    ///\n    /// // returns an error since a P-256 key cannot be used with Hmac\n    /// assert!(matches!(\n    ///     JwkSigner::new(key, JsonWebSigningAlgorithm::Hmac(Hmac::Hs256)),\n    ///     Err(FromJwkError::InvalidAlgorithm)\n    /// ));\n    /// # Ok(())\n    /// # }\n    /// ```\n    pub fn new(key: JsonWebKeyType, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cSelf, FromJwkError\u003e {\n        Ok(Self {\n            key_id: None,\n            inner: match key {\n                JsonWebKeyType::Asymmetric(key) =\u003e match *key {\n                    AsymmetricJsonWebKey::Public(_) =\u003e Err(FromJwkError::NoPrivateKey)?,\n                    AsymmetricJsonWebKey::Private(key) =\u003e match key {\n                        Private::Ec(key) =\u003e match key {\n                            EcPrivate::P256(key) =\u003e InnerSigner::Es256(key.into_signer(alg)?),\n                            EcPrivate::P384(key) =\u003e InnerSigner::Es384(key.into_signer(alg)?),\n                            EcPrivate::P521(key) =\u003e InnerSigner::Es512(key.into_signer(alg)?),\n                            EcPrivate::Secp256k1(key) =\u003e {\n                                InnerSigner::Secp256k1(key.into_signer(alg)?)\n                            }\n                        },\n                        Private::Rsa(key) =\u003e InnerSigner::Rsa((*key).into_signer(alg)?),\n                        Private::Okp(key) =\u003e match key {\n                            OkpPrivate::Ed25519(key) =\u003e InnerSigner::Ed25519(key.into_signer(alg)?),\n                            OkpPrivate::Ed448(key) =\u003e InnerSigner::Ed448(key.into_signer(alg)?),\n                        },\n                    },\n                },\n                JsonWebKeyType::Symmetric(key) =\u003e match key {\n                    SymmetricJsonWebKey::OctetSequence(ref key) =\u003e match alg {\n                        JsonWebSigningAlgorithm::Hmac(hs) =\u003e match hs {\n                            Hmac::Hs256 =\u003e InnerSigner::Hs256(key.into_signer(alg)?),\n                            Hmac::Hs384 =\u003e InnerSigner::Hs384(key.into_signer(alg)?),\n                            Hmac::Hs512 =\u003e InnerSigner::Hs512(key.into_signer(alg)?),\n                        },\n                        _ =\u003e Err(InvalidSigningAlgorithmError)?,\n                    },\n                },\n            },\n        })\n    }\n\n    /// Sets the key id for this [`Signer`].\n    ///\n    /// If this method is used, the [`kid`] header of the signed JWS will be set\n    /// to the given key id.\n    ///\n    /// [`kid`]: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4\n    pub fn with_key_id(mut self, key_id: String) -\u003e Self {\n        self.key_id = Some(key_id);\n        self\n    }\n\n    /// Sets the key id of this signer to `None`.\n    ///\n    /// Calling this method will result to omitting the [`kid`] header in the\n    /// signed JWS header.\n    ///\n    /// [`kid`]: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4\n    pub fn without_key_id(mut self) -\u003e Self {\n        self.key_id = None;\n        self\n    }\n}\n\nimpl Signer\u003cVec\u003cu8\u003e\u003e for JwkSigner {\n    fn sign(\u0026mut self, x: \u0026[u8]) -\u003e Result\u003cVec\u003cu8\u003e, crate::crypto::Error\u003e {\n        match \u0026mut self.inner {\n            InnerSigner::Rsa(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Hs256(s) =\u003e s.sign(x).map(|x| x.as_ref().to_vec()),\n            InnerSigner::Hs384(s) =\u003e s.sign(x).map(|x| x.as_ref().to_vec()),\n            InnerSigner::Hs512(s) =\u003e s.sign(x).map(|x| x.as_ref().to_vec()),\n            InnerSigner::Es256(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Es384(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Es512(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Secp256k1(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Ed448(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Ed25519(s) =\u003e s.sign(x).map(|x| x.into()),\n        }\n    }\n\n    fn algorithm(\u0026self) -\u003e JsonWebSigningAlgorithm {\n        match self.inner {\n            InnerSigner::Hs256(_) =\u003e JsonWebSigningAlgorithm::Hmac(Hmac::Hs256),\n            InnerSigner::Hs384(_) =\u003e JsonWebSigningAlgorithm::Hmac(Hmac::Hs384),\n            InnerSigner::Hs512(_) =\u003e JsonWebSigningAlgorithm::Hmac(Hmac::Hs512),\n            InnerSigner::Es256(_) =\u003e JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256),\n            InnerSigner::Es384(_) =\u003e JsonWebSigningAlgorithm::EcDSA(EcDSA::Es384),\n            InnerSigner::Es512(_) =\u003e JsonWebSigningAlgorithm::EcDSA(EcDSA::Es512),\n            InnerSigner::Secp256k1(_) =\u003e JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256K),\n            InnerSigner::Rsa(ref rsa) =\u003e rsa.algorithm(),\n            InnerSigner::Ed25519(_) | InnerSigner::Ed448(_) =\u003e JsonWebSigningAlgorithm::EdDSA,\n        }\n    }\n\n    fn key_id(\u0026self) -\u003e Option\u003c\u0026str\u003e {\n        self.key_id.as_deref()\n    }\n}\n\nimpl\u003cT, P\u003e TryFrom\u003cChecked\u003cJsonWebKey\u003cT\u003e, P\u003e\u003e for JwkSigner\nwhere\n    P: Policy,\n{\n    type Error = FromJwkError;\n\n    /// Create a [`JwkSigner`] from a [`JsonWebKey`]\n    ///\n    /// # Errors\n    ///\n    /// This conversion fails if [`JsonWebKey::algorithm`] is [`None`]\n    fn try_from(jwk: Checked\u003cJsonWebKey\u003cT\u003e, P\u003e) -\u003e Result\u003cSelf, Self::Error\u003e {\n        let alg = jwk\n            .algorithm()\n            .ok_or(FromJwkError::InvalidAlgorithm)?\n            .to_owned();\n        let kid = jwk.kid.clone();\n        let mut signer = JwkSigner::from_key(jwk, alg)?;\n        signer.key_id = kid;\n        Ok(signer)\n    }\n}\n\nimpl\u003cT, P\u003e FromKey\u003cChecked\u003cJsonWebKey\u003cT\u003e, P\u003e\u003e for JwkSigner\nwhere\n    P: Policy,\n{\n    type Error = FromJwkError;\n\n    /// Create a [`JwkSigner`] from a [`JsonWebKey`] overwriting\n    /// [`JsonWebKey::algorithm`] with `alg`.\n    fn from_key(\n        jwk: Checked\u003cJsonWebKey\u003cT\u003e, P\u003e,\n        alg: JsonWebAlgorithm,\n    ) -\u003e Result\u003cSelf, Self::Error\u003e {\n        if let Some(usage) = jwk.key_usage() {\n            jwk.policy()\n                .may_perform_operation_key_use(CryptographicOperation::Sign, usage)\n                .map_err(|_| FromJwkError::OperationNotAllowed)?\n        }\n\n        if let Some(ops) = jwk.key_operations() {\n            jwk.policy()\n                .may_perform_operation_key_ops(CryptographicOperation::Sign, ops)\n                .map_err(|_| FromJwkError::OperationNotAllowed)?\n        }\n\n        match alg {\n            JsonWebAlgorithm::Encryption(..) | JsonWebAlgorithm::Other(..) =\u003e {\n                Err(InvalidSigningAlgorithmError.into())\n            }\n            JsonWebAlgorithm::Signing(alg) =\u003e Self::new(jwk.into_type().key_type, alg),\n        }\n    }\n}\n\n/// An error returned when creating a [`JwkSigner`] from a [`JsonWebKeyType`]\n/// (or indirectly via [`JsonWebKey`])\n#[derive(Debug, thiserror::Error)]\n#[non_exhaustive]\npub enum FromJwkError {\n    /// A [`JsonWebKey`] has either the `use` or `key_ops` parameter set and one\n    /// of these parameters indicates that this key MAY NOT be used for signing\n    /// or verifying\n    #[error(\"key not allowed for signing\")]\n    OperationNotAllowed,\n    /// The algorithm can't be used with the provided [`JsonWebKeyType`]\n    #[error(\"this algorithm can't be used together with this JsonWebKey\")]\n    InvalidAlgorithm,\n    /// The provided [`JsonWebKeyType`] did not contain a [private\n    /// key](super::Private) which is needed by [`JwkSigner`] to create\n    /// signatures.\n    #[error(\"found variant which has no private key\")]\n    NoPrivateKey,\n    /// See the documentation of [`FromOctetSequenceError`] for details.\n    ///\n    /// Usually, [`FromOctetSequenceError::InvalidLength`] shouldn't be returend\n    /// since the key already exists at this point.\n    #[error(transparent)]\n    OctetSequence(#[from] FromOctetSequenceError),\n}\n\nimpl From\u003cInvalidSigningAlgorithmError\u003e for FromJwkError {\n    fn from(_: InvalidSigningAlgorithmError) -\u003e Self {\n        Self::InvalidAlgorithm\n    }\n}\n\n/// Abstract type with a variant for each [`Signer`]\n#[derive(Debug)]\nenum InnerSigner {\n    // symmetric algorithms\n    Hs256(hmac::Key\u003chmac::Hs256\u003e),\n    Hs384(hmac::Key\u003chmac::Hs384\u003e),\n    Hs512(hmac::Key\u003chmac::Hs512\u003e),\n    // asymmetric algorithms\n    Rsa(rsa::Signer),\n\n    Es256(ec::P256Signer),\n    Es384(ec::P384Signer),\n    Es512(ec::P521Signer),\n    Secp256k1(ec::Secp256k1Signer),\n\n    Ed25519(okp::Ed25519Signer),\n    Ed448(okp::Ed448Signer),\n}\n","traces":[{"line":62,"address":[],"length":0,"stats":{"Line":0}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":0}},{"line":79,"address":[],"length":0,"stats":{"Line":0}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":0}},{"line":86,"address":[],"length":0,"stats":{"Line":0}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":126,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":130,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":133,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":138,"address":[],"length":0,"stats":{"Line":0}},{"line":139,"address":[],"length":0,"stats":{"Line":0}},{"line":140,"address":[],"length":0,"stats":{"Line":0}},{"line":141,"address":[],"length":0,"stats":{"Line":0}},{"line":142,"address":[],"length":0,"stats":{"Line":0}},{"line":143,"address":[],"length":0,"stats":{"Line":0}},{"line":144,"address":[],"length":0,"stats":{"Line":0}},{"line":145,"address":[],"length":0,"stats":{"Line":0}},{"line":146,"address":[],"length":0,"stats":{"Line":0}},{"line":147,"address":[],"length":0,"stats":{"Line":0}},{"line":151,"address":[],"length":0,"stats":{"Line":0}},{"line":152,"address":[],"length":0,"stats":{"Line":0}},{"line":167,"address":[],"length":0,"stats":{"Line":0}},{"line":168,"address":[],"length":0,"stats":{"Line":0}},{"line":170,"address":[],"length":0,"stats":{"Line":0}},{"line":172,"address":[],"length":0,"stats":{"Line":0}},{"line":173,"address":[],"length":0,"stats":{"Line":0}},{"line":174,"address":[],"length":0,"stats":{"Line":0}},{"line":175,"address":[],"length":0,"stats":{"Line":0}},{"line":187,"address":[],"length":0,"stats":{"Line":0}},{"line":191,"address":[],"length":0,"stats":{"Line":0}},{"line":192,"address":[],"length":0,"stats":{"Line":0}},{"line":193,"address":[],"length":0,"stats":{"Line":0}},{"line":194,"address":[],"length":0,"stats":{"Line":0}},{"line":197,"address":[],"length":0,"stats":{"Line":0}},{"line":198,"address":[],"length":0,"stats":{"Line":0}},{"line":199,"address":[],"length":0,"stats":{"Line":0}},{"line":200,"address":[],"length":0,"stats":{"Line":0}},{"line":203,"address":[],"length":0,"stats":{"Line":0}},{"line":204,"address":[],"length":0,"stats":{"Line":0}},{"line":205,"address":[],"length":0,"stats":{"Line":0}},{"line":207,"address":[],"length":0,"stats":{"Line":0}},{"line":239,"address":[],"length":0,"stats":{"Line":0}},{"line":240,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":77},{"path":["/","home","stu","dev","rust","jose","src","jwk","symmetric.rs"],"content":"//! Symmetric cryptography for JWS and JWE\n\nuse alloc::string::String;\n\nuse secrecy::{ExposeSecret, SecretBox};\nuse serde::{de::Error, Deserialize, Deserializer, Serialize};\nuse subtle::ConstantTimeEq;\nuse zeroize::Zeroize;\n\nuse super::thumbprint::{self, Thumbprint};\nuse crate::{base64_url::Base64UrlBytes, jws::InvalidSigningAlgorithmError};\n\n/// Symmetric Keys\n///\n/// Symmetric keys only have a secret value, therefore, they MUST only be used\n/// in a protected environment.\n/// For example, with a symmetric key, checking the validity of a\n/// [`JsonWebSignature`](crate::JsonWebSignature) cannot be done on the client\n/// side, because it leaks the key and the client can then create own\n/// signatures.\n///\n/// See \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-6.4\u003e\n#[non_exhaustive]\n#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize, Hash)]\n#[serde(untagged)]\npub enum SymmetricJsonWebKey {\n    /// `oct` \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-6.4\u003e\n    OctetSequence(OctetSequence),\n}\n\nimpl crate::sealed::Sealed for SymmetricJsonWebKey {}\nimpl Thumbprint for SymmetricJsonWebKey {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            SymmetricJsonWebKey::OctetSequence(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\n/// [`OctetSequence`] is the simplest and only available\n/// [`SymmetricJsonWebKey`].\n///\n/// However, because its length is not defined, it cannot be generated directly.\n/// Instead, you should use [`HmacKey\u003cH\u003e`](crate::crypto::hmac::Key)\n/// with the appropriate key size, for example\n/// [`Hs512`](crate::crypto::hmac::Hs512) and then, if needed, convert\n/// it to a [`JsonWebKey`](crate::JsonWebKey) using\n/// [`IntoJsonWebKey`](crate::jwk::IntoJsonWebKey).\n///\n/// \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-6.4.1\u003e\n#[derive(Debug, Clone, Zeroize)]\npub struct OctetSequence(SecretBox\u003c[u8]\u003e);\n\nimpl OctetSequence {\n    pub(crate) fn new(x: SecretBox\u003c[u8]\u003e) -\u003e Self {\n        Self(x)\n    }\n\n    /// Returns the bytes of this octet sequence.\n    pub(crate) fn bytes(\u0026self) -\u003e \u0026SecretBox\u003c[u8]\u003e {\n        \u0026self.0\n    }\n\n    /// Returns the bytes of this octet sequence.\n    pub(crate) fn into_bytes(self) -\u003e SecretBox\u003c[u8]\u003e {\n        self.0\n    }\n\n    /// Returns the number of bytes that are in this octet sequence.\n    #[inline]\n    pub fn len(\u0026self) -\u003e usize {\n        self.0.expose_secret().len()\n    }\n\n    /// Returns `true` if this octet sequence has a length of zero.\n    #[inline]\n    pub fn is_empty(\u0026self) -\u003e bool {\n        self.len() == 0\n    }\n}\n\nimpl PartialEq for OctetSequence {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        bool::from(self.0.expose_secret().ct_eq(other.0.expose_secret()))\n    }\n}\nimpl Eq for OctetSequence {}\n\nimpl crate::sealed::Sealed for OctetSequence {}\nimpl Thumbprint for OctetSequence {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        thumbprint::serialize_key_thumbprint(self)\n    }\n}\n\nimpl From\u003cSymmetricJsonWebKey\u003e for super::JsonWebKeyType {\n    fn from(x: SymmetricJsonWebKey) -\u003e Self {\n        super::JsonWebKeyType::Symmetric(x)\n    }\n}\n\nimpl From\u003cOctetSequence\u003e for super::JsonWebKeyType {\n    fn from(x: OctetSequence) -\u003e Self {\n        super::JsonWebKeyType::Symmetric(SymmetricJsonWebKey::OctetSequence(x))\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for OctetSequence {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        #[derive(Deserialize)]\n        struct Repr {\n            kty: String,\n            k: Base64UrlBytes,\n        }\n\n        let repr = Repr::deserialize(deserializer)?;\n        if repr.kty != \"oct\" {\n            return Err(D::Error::custom(\"`kty` field is required to be `oct`\"));\n        }\n        Ok(Self(SecretBox::new(repr.k.0.into_boxed_slice())))\n    }\n}\n\nimpl Serialize for OctetSequence {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        #[derive(Serialize)]\n        struct Repr\u003c'a\u003e {\n            kty: \u0026'static str,\n            k: \u0026'a Base64UrlBytes,\n        }\n        Repr {\n            kty: \"oct\",\n            k: \u0026Base64UrlBytes(self.0.expose_secret().to_vec()),\n        }\n        .serialize(serializer)\n    }\n}\n\n/// An error that can occur when creating an\n/// [`HmacKey`](crate::crypto::hmac::Key) from an [`OctetSequence`].\n#[derive(Debug, thiserror::Error)]\npub enum FromOctetSequenceError {\n    /// An invalid signing algorithm was used\n    #[error(transparent)]\n    InvalidSigningAlgorithm(#[from] InvalidSigningAlgorithmError),\n\n    /// A key from which a signer should've been created had an invalid length\n    #[error(\"the length of the is invalid\")]\n    InvalidLength,\n\n    /// Crypto backend threw an unknown error.\n    #[error(\"the crypto backend failed\")]\n    Crypto(\n        #[from]\n        #[source]\n        crate::crypto::Error,\n    ),\n}\n","traces":[{"line":33,"address":[],"length":0,"stats":{"Line":6}},{"line":34,"address":[],"length":0,"stats":{"Line":6}},{"line":35,"address":[],"length":0,"stats":{"Line":6}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":1}},{"line":72,"address":[],"length":0,"stats":{"Line":1}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":3}},{"line":84,"address":[],"length":0,"stats":{"Line":3}},{"line":91,"address":[],"length":0,"stats":{"Line":6}},{"line":92,"address":[],"length":0,"stats":{"Line":6}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":65}},{"line":119,"address":[],"length":0,"stats":{"Line":130}},{"line":120,"address":[],"length":0,"stats":{"Line":0}},{"line":121,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":6}},{"line":128,"address":[],"length":0,"stats":{"Line":10}},{"line":139,"address":[],"length":0,"stats":{"Line":10}},{"line":141,"address":[],"length":0,"stats":{"Line":10}}],"covered":15,"coverable":29},{"path":["/","home","stu","dev","rust","jose","src","jwk","thumbprint.rs"],"content":"use alloc::{collections::BTreeMap, string::String};\n\nuse serde::Serialize;\n\nuse crate::sealed::Sealed;\n\n/// This trait is implemented by all key types, and can be used\n/// to compute the thumbprint of any private, public or symmetric key.\n///\n/// If you want to use custom hashing functions, call the\n/// [`Self::thumbprint_prehashed`] method and hash the result yourself.\npub trait Thumbprint: Sealed {\n    /// Compute the thumbprint JSON string of this key.\n    ///\n    /// This method does not perform any hashing, it only returns\n    /// the constructed JSON string, so that it can be hashed\n    /// with some custom hashing algorithm that is not supported\n    /// natively by this crate.\n    ///\n    /// For common hashing methods have a look at these methods:\n    ///\n    /// - SHA256 - [`thumbprint_sha256`](Self::thumbprint_sha256)\n    /// - SHA384 - [`thumbprint_sha384`](Self::thumbprint_sha384)\n    /// - SHA512 - [`thumbprint_sha512`](Self::thumbprint_sha512)\n    ///\n    /// # Errors\n    ///\n    /// This method can fail if the underlying key fails to be serialized.\n    fn thumbprint_prehashed(\u0026self) -\u003e String;\n\n    /// Computes the SHA256-hashed thumbprint of this key.\n    ///\n    /// # Errors\n    ///\n    /// This method can fail if the underlying key fails to be serialized.\n    fn thumbprint_sha256(\u0026self) -\u003e [u8; 32] {\n        let msg = self.thumbprint_prehashed();\n        crate::crypto::sha256(msg.as_bytes())\n    }\n\n    /// Computes the SHA384-hashed thumbprint of this key.\n    ///\n    /// # Errors\n    ///\n    /// This method can fail if the underlying key fails to be serialized.\n    fn thumbprint_sha384(\u0026self) -\u003e [u8; 48] {\n        let msg = self.thumbprint_prehashed();\n        crate::crypto::sha384(msg.as_bytes())\n    }\n\n    /// Computes the SHA512-hashed thumbprint of this key.\n    ///\n    /// # Errors\n    ///\n    /// This method can fail if the underlying key fails to be serialized.\n    fn thumbprint_sha512(\u0026self) -\u003e [u8; 64] {\n        let msg = self.thumbprint_prehashed();\n        crate::crypto::sha512(msg.as_bytes())\n    }\n}\n\npub(crate) fn serialize_key_thumbprint\u003cT: Serialize\u003e(key: \u0026T) -\u003e String {\n    let obj = serde_json::to_value(key).expect(\"serialization of OctetSequence can not fail\");\n\n    let map = match obj {\n        serde_json::Value::Object(map) =\u003e BTreeMap::from_iter(map),\n        _ =\u003e unreachable!(\"all keytypes must serialize to structs\"),\n    };\n\n    serde_json::to_string(\u0026map).expect(\"BTreeMap serialization can not fail\")\n}\n","traces":[{"line":36,"address":[],"length":0,"stats":{"Line":33}},{"line":37,"address":[],"length":0,"stats":{"Line":33}},{"line":38,"address":[],"length":0,"stats":{"Line":33}},{"line":46,"address":[],"length":0,"stats":{"Line":21}},{"line":47,"address":[],"length":0,"stats":{"Line":21}},{"line":48,"address":[],"length":0,"stats":{"Line":21}},{"line":56,"address":[],"length":0,"stats":{"Line":21}},{"line":57,"address":[],"length":0,"stats":{"Line":21}},{"line":58,"address":[],"length":0,"stats":{"Line":21}},{"line":62,"address":[],"length":0,"stats":{"Line":78}},{"line":63,"address":[],"length":0,"stats":{"Line":78}},{"line":65,"address":[],"length":0,"stats":{"Line":156}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":70,"address":[],"length":0,"stats":{"Line":0}}],"covered":12,"coverable":14},{"path":["/","home","stu","dev","rust","jose","src","jwk","verifier.rs"],"content":"use alloc::borrow::ToOwned;\n\nuse super::{\n    private::EcPrivate, public::EcPublic, AsymmetricJsonWebKey, FromJwkError, FromKey, OkpPrivate,\n    OkpPublic, Private, Public, SymmetricJsonWebKey,\n};\nuse crate::{\n    crypto::{ec, hmac, okp, rsa},\n    jwa::{Hmac, JsonWebAlgorithm, JsonWebSigningAlgorithm},\n    jwk::{\n        policy::{Checked, CryptographicOperation, Policy},\n        JsonWebKeyType,\n    },\n    jws::{IntoVerifier, InvalidSigningAlgorithmError, Verifier, VerifyError},\n    JsonWebKey,\n};\n#[derive(Debug)]\n/// An abstract [`Verifier`] over all possible [key types](JsonWebKeyType)\npub struct JwkVerifier {\n    inner: InnerVerifier,\n}\n\nimpl JwkVerifier {\n    /// Create a [`JwkVerifier`] from a [`JsonWebKeyType`] used with the\n    /// provided [`JsonWebAlgorithm`].\n    ///\n    /// # Errors\n    ///\n    /// This function returns an error if the provided [`JsonWebAlgorithm`] and\n    /// the actual [`JsonWebKeyType`] don't match. Since this type is the\n    /// counterpart to [`JwkSigner`](super::JwkSigner) it behaves almost\n    /// identical. See it's error documentation for details.\n    pub fn new(key: JsonWebKeyType, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cSelf, FromJwkError\u003e {\n        Ok(Self {\n            inner: match key {\n                JsonWebKeyType::Asymmetric(key) =\u003e match *key {\n                    AsymmetricJsonWebKey::Public(key) =\u003e match key {\n                        Public::Ec(key) =\u003e match key {\n                            EcPublic::P256(key) =\u003e InnerVerifier::Es256(key.into_verifier(alg)?),\n                            EcPublic::P384(key) =\u003e InnerVerifier::Es384(key.into_verifier(alg)?),\n                            EcPublic::P521(key) =\u003e InnerVerifier::Es512(key.into_verifier(alg)?),\n                            EcPublic::Secp256k1(key) =\u003e {\n                                InnerVerifier::Secp256k1(key.into_verifier(alg)?)\n                            }\n                        },\n                        Public::Rsa(key) =\u003e InnerVerifier::Rsa(key.into_verifier(alg)?),\n                        Public::Okp(key) =\u003e match key {\n                            OkpPublic::Ed25519(key) =\u003e {\n                                InnerVerifier::Ed25519(key.into_verifier(alg)?)\n                            }\n                            OkpPublic::Ed448(key) =\u003e InnerVerifier::Ed448(key.into_verifier(alg)?),\n                        },\n                    },\n                    AsymmetricJsonWebKey::Private(key) =\u003e match key {\n                        Private::Ec(key) =\u003e match key {\n                            EcPrivate::P256(key) =\u003e InnerVerifier::Es256(key.into_verifier(alg)?),\n                            EcPrivate::P384(key) =\u003e InnerVerifier::Es384(key.into_verifier(alg)?),\n                            EcPrivate::P521(key) =\u003e InnerVerifier::Es512(key.into_verifier(alg)?),\n                            EcPrivate::Secp256k1(key) =\u003e {\n                                InnerVerifier::Secp256k1(key.into_verifier(alg)?)\n                            }\n                        },\n                        Private::Rsa(key) =\u003e InnerVerifier::Rsa((*key).into_verifier(alg)?),\n                        Private::Okp(key) =\u003e match key {\n                            OkpPrivate::Ed25519(key) =\u003e {\n                                InnerVerifier::Ed25519(key.into_verifier(alg)?)\n                            }\n                            OkpPrivate::Ed448(key) =\u003e InnerVerifier::Ed448(key.into_verifier(alg)?),\n                        },\n                    },\n                },\n                JsonWebKeyType::Symmetric(key) =\u003e match key {\n                    SymmetricJsonWebKey::OctetSequence(ref key) =\u003e match alg {\n                        JsonWebSigningAlgorithm::Hmac(hs) =\u003e match hs {\n                            Hmac::Hs256 =\u003e InnerVerifier::Hs256(key.into_verifier(alg)?),\n                            Hmac::Hs384 =\u003e InnerVerifier::Hs384(key.into_verifier(alg)?),\n                            Hmac::Hs512 =\u003e InnerVerifier::Hs512(key.into_verifier(alg)?),\n                        },\n                        _ =\u003e Err(InvalidSigningAlgorithmError)?,\n                    },\n                },\n            },\n        })\n    }\n}\n\nimpl Verifier for JwkVerifier {\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), VerifyError\u003e {\n        match \u0026mut self.inner {\n            InnerVerifier::Hs256(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Hs384(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Hs512(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Rsa(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Es256(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Es384(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Es512(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Secp256k1(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Ed448(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Ed25519(verifier) =\u003e verifier.verify(msg, signature),\n        }\n    }\n}\n\nimpl\u003cT, P\u003e FromKey\u003cChecked\u003cJsonWebKey\u003cT\u003e, P\u003e\u003e for JwkVerifier\nwhere\n    P: Policy,\n{\n    type Error = FromJwkError;\n\n    /// Create a [`JwkVerifier`] form a [`JsonWebKey`] overwriting\n    /// [`JsonWebKey::algorithm`] with `alg`.\n    fn from_key(\n        jwk: Checked\u003cJsonWebKey\u003cT\u003e, P\u003e,\n        alg: JsonWebAlgorithm,\n    ) -\u003e Result\u003cSelf, Self::Error\u003e {\n        if let Some(usage) = jwk.key_usage() {\n            jwk.policy()\n                .may_perform_operation_key_use(CryptographicOperation::Verify, usage)\n                .map_err(|_| FromJwkError::OperationNotAllowed)?\n        }\n\n        if let Some(ops) = jwk.key_operations() {\n            jwk.policy()\n                .may_perform_operation_key_ops(CryptographicOperation::Verify, ops)\n                .map_err(|_| FromJwkError::OperationNotAllowed)?\n        }\n\n        match alg {\n            JsonWebAlgorithm::Encryption(..) | JsonWebAlgorithm::Other(..) =\u003e {\n                Err(FromJwkError::InvalidAlgorithm)\n            }\n            JsonWebAlgorithm::Signing(alg) =\u003e Self::new(jwk.into_type().key_type, alg),\n        }\n    }\n}\n\nimpl\u003cT, P\u003e TryFrom\u003cChecked\u003cJsonWebKey\u003cT\u003e, P\u003e\u003e for JwkVerifier\nwhere\n    P: Policy,\n{\n    type Error = FromJwkError;\n\n    /// Create a [`JwkVerifier`] from a [`JsonWebKey`]\n    ///\n    /// # Errors\n    ///\n    /// This conversion fails if [`JsonWebKey::algorithm`] is [`None`]\n    fn try_from(jwk: Checked\u003cJsonWebKey\u003cT\u003e, P\u003e) -\u003e Result\u003cSelf, Self::Error\u003e {\n        let alg = jwk\n            .algorithm()\n            .ok_or(FromJwkError::InvalidAlgorithm)?\n            .to_owned();\n        JwkVerifier::from_key(jwk, alg)\n    }\n}\n/// Abstract type with a variant for each [`Verifier`]\n#[derive(Debug)]\nenum InnerVerifier {\n    // symmetric algorithms\n    Hs256(hmac::Key\u003chmac::Hs256\u003e),\n    Hs384(hmac::Key\u003chmac::Hs384\u003e),\n    Hs512(hmac::Key\u003chmac::Hs512\u003e),\n    // asymmetric algorithms\n    Rsa(rsa::Verifier),\n\n    Es256(ec::P256Verifier),\n    Es384(ec::P384Verifier),\n    Es512(ec::P521Verifier),\n    Secp256k1(ec::Secp256k1Verifier),\n\n    Ed25519(okp::Ed25519Verifier),\n    Ed448(okp::Ed448Verifier),\n}\n","traces":[{"line":33,"address":[],"length":0,"stats":{"Line":0}},{"line":34,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":37,"address":[],"length":0,"stats":{"Line":0}},{"line":38,"address":[],"length":0,"stats":{"Line":0}},{"line":39,"address":[],"length":0,"stats":{"Line":0}},{"line":40,"address":[],"length":0,"stats":{"Line":0}},{"line":41,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":43,"address":[],"length":0,"stats":{"Line":0}},{"line":46,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":51,"address":[],"length":0,"stats":{"Line":0}},{"line":54,"address":[],"length":0,"stats":{"Line":0}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":79,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":90,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":94,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":0}},{"line":119,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":130,"address":[],"length":0,"stats":{"Line":0}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":148,"address":[],"length":0,"stats":{"Line":0}},{"line":149,"address":[],"length":0,"stats":{"Line":0}},{"line":151,"address":[],"length":0,"stats":{"Line":0}},{"line":153,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":64},{"path":["/","home","stu","dev","rust","jose","src","jwk.rs"],"content":"//! [`JsonWebKey`] and connected things\n\nuse alloc::{boxed::Box, string::String, vec, vec::Vec};\nuse core::{\n    fmt::Debug,\n    ops::{ControlFlow, Deref},\n};\n\nuse hashbrown::HashSet;\nuse serde::{de::DeserializeOwned, Deserialize, Serialize};\n\nuse crate::{\n    crypto::hmac::{self, Variant as _},\n    jwa::{\n        AesGcm, AesKw, EcDSA, Hmac, JsonWebAlgorithm, JsonWebEncryptionAlgorithm,\n        JsonWebSigningAlgorithm, Pbes2,\n    },\n    sealed::Sealed,\n    uri::BorrowedUri,\n    UntypedAdditionalProperties, Uri,\n};\n\npub mod symmetric;\n\nmod asymmetric;\nmod builder;\nmod key_ops;\nmod key_use;\npub mod policy;\nmod private;\nmod public;\npub(crate) mod serde_impl;\nmod signer;\npub(crate) mod thumbprint;\nmod verifier;\n\n#[doc(inline)]\npub use self::{\n    asymmetric::AsymmetricJsonWebKey,\n    builder::{JsonWebKeyBuildError, JsonWebKeyBuilder},\n    key_ops::KeyOperation,\n    key_use::KeyUsage,\n    private::{EcPrivate, OkpPrivate, Private},\n    public::{EcPublic, OkpPublic, Public},\n    signer::{FromJwkError, JwkSigner},\n    symmetric::SymmetricJsonWebKey,\n    thumbprint::Thumbprint,\n    verifier::JwkVerifier,\n};\nuse self::{\n    policy::{Checkable, Checked, CryptographicOperation, Policy, PolicyError as _},\n    serde_impl::Base64DerCertificate,\n};\n\n/// A [`JsonWebKey`] is a [JSON Object](serde_json::Value::Object) representing\n/// the components of a cryptographic keys that can be used for\n/// [JWE](crate::jwe::JsonWebEncryption) and\n/// [JWS](crate::jws::JsonWebSignature).\n///\n/// The format of Json Web Keys is defined in [RFC 7517] with key specific\n/// parameters defined in [section 6 of RFC 7518]. The [`JsonWebKey`] struct is\n/// an abstract representation of all possible key types. The [`JsonWebKeyType`]\n/// enum is used to specialize on concrete key type.\n///\n/// # Comparison and equality\n///\n/// It is not defined how to determine if a [`JsonWebKey`] is [equal](PartialEq)\n/// to another. Therefore, [`JsonWebKey`] *does not* implement [`PartialEq`].\n/// If you want to compare a [`JsonWebKey`], you should either use something\n/// like the [`kid`](JsonWebKey::key_id) parameter or a [`Thumbprint`] of\n/// the key (or ideally, a [`Thumbprint`] as [`kid`](JsonWebKey::key_id)).\n///\n/// You should *avoid* comparing the serialized form of a [`JsonWebKey`] as it\n/// may contain optional parameters, which may not always be present and would\n/// lead to unexpected results.\n///\n/// # Examples\n///\n/// Parse a JsonWebKey from its json representation:\n///\n/// ```\n/// # // std is available in tests\n/// # fn main() -\u003e Result\u003c(), Box\u003cdyn std::error::Error\u003e\u003e {\n/// use jose::{jwk::KeyUsage, JsonWebKey};\n///\n/// // The following json object represents a RSA key used for signing\n/// let json = r#\"\n/// {\n///  \"kty\": \"RSA\",\n///  \"kid\": \"bilbo.baggins@hobbiton.example\",\n///  \"use\": \"sig\",\n///  \"n\": \"n4EPtAOCc9AlkeQHPzHStgAbgs7bTZLwUBZdR8_KuKPEHLd4rHVTeT-O-XV2jRojdNhxJWTDvNd7nqQ0VEiZQHz_AJmSCpMaJMRBSFKrKb2wqVwGU_NsYOYL-QtiWN2lbzcEe6XC0dApr5ydQLrHqkHHig3RBordaZ6Aj-oBHqFEHYpPe7Tpe-OfVfHd1E6cS6M1FZcD1NNLYD5lFHpPI9bTwJlsde3uhGqC0ZCuEHg8lhzwOHrtIQbS0FVbb9k3-tVTU4fg_3L_vniUFAKwuCLqKnS2BYwdq_mzSnbLY7h_qixoR7jig3__kRhuaxwUkRz5iaiQkqgc5gHdrNP5zw\",\n///  \"e\": \"AQAB\"\n/// }\"#;\n///\n/// // deserialize the key from it's json representation using serde_json\n/// let jwk: JsonWebKey = serde_json::from_str(json)?;\n///\n/// // You can use the JsonWebKey to access parameters defined by the spec.\n/// // For example, we might want to ensure that this key is for signing by\n/// // checking the `use` parameter\n/// assert_eq!(jwk.key_usage(), Some(\u0026KeyUsage::Signing));\n/// # Ok(())\n/// # }\n/// ```\n///\n/// ## Additional parameters\n///\n/// The spec allows custom/additional parameters that are not registered in the\n/// [IANA `JSON Web Key Parameters` registry]. The `A` generic parameter of\n/// [`JsonWebKey\u003cA\u003e`] allows you to bring your own type to do just that.\n///\n/// To do so, create a container type that holds all your parameters (and maybe\n/// even another container).\n/// Imagine we have a custom parameter `intended_party` which holds a [`String`]\n/// identifying the application which should use the [`JsonWebKey`]:\n///\n/// ```\n/// # fn main() -\u003e Result\u003c(), Box\u003cdyn std::error::Error\u003e\u003e {\n/// use jose::JsonWebKey;\n/// use serde::{Deserialize, Serialize};\n///\n/// // don't forget to derive or implement the serde traits since they are used for (de)serialization\n/// #[derive(Deserialize, Serialize)]\n/// struct MyCustomParameters {\n///     intended_party: String,\n/// }\n///\n/// /// A type alias so we dont have to type so much\n/// type MyJsonWebKey = JsonWebKey\u003cMyCustomParameters\u003e;\n///\n/// // consider the same key as before but this time it needs our custom parameter `intended_party`\n/// let json = r#\"\n/// {\n///  \"intended_party\": \"my_application\",\n///  \"kty\": \"RSA\",\n///  \"kid\": \"bilbo.baggins@hobbiton.example\",\n///  \"use\": \"sig\",\n///  \"n\": \"n4EPtAOCc9AlkeQHPzHStgAbgs7bTZLwUBZdR8_KuKPEHLd4rHVTeT-O-XV2jRojdNhxJWTDvNd7nqQ0VEiZQHz_AJmSCpMaJMRBSFKrKb2wqVwGU_NsYOYL-QtiWN2lbzcEe6XC0dApr5ydQLrHqkHHig3RBordaZ6Aj-oBHqFEHYpPe7Tpe-OfVfHd1E6cS6M1FZcD1NNLYD5lFHpPI9bTwJlsde3uhGqC0ZCuEHg8lhzwOHrtIQbS0FVbb9k3-tVTU4fg_3L_vniUFAKwuCLqKnS2BYwdq_mzSnbLY7h_qixoR7jig3__kRhuaxwUkRz5iaiQkqgc5gHdrNP5zw\",\n///  \"e\": \"AQAB\"\n/// }\"#;\n///\n/// let jwk: MyJsonWebKey = serde_json::from_str(json)?;\n///\n/// // access the custom parameter\n/// assert_eq!(\"my_application\", jwk.additional().intended_party.as_str());\n/// # Ok(())\n/// # }\n/// ```\n///\n/// ### Implementing [`Checkable`] for your additional type\n///\n/// The [`Checkable`] trait should be implemented by types that can utilize some\n/// (potentially expensive) checks to ensure their validity optionally using a\n/// [`Policy`]. For example, [`JsonWebKey`] implements the [`Checkable`] trait\n/// to validate some parameters which can't be validated during deserialization.\n///\n/// For [`JsonWebKey`] to implement [`Checkable`], your additional type also\n/// needs to implement [`Checkable`]. If we recall the example from before, we\n/// might want to ensure that our `intended_party` parameter containts only\n/// ascii characters. An implementation for that purpose might look like this:\n/// ```\n/// # fn main() -\u003e Result\u003c(), Box\u003cdyn std::error::Error\u003e\u003e {\n/// use jose::jwk::policy::{Checkable, Checked, Policy, PolicyError};\n/// use serde::{Deserialize, Serialize};\n/// // our type from before\n/// #[derive(Deserialize, Serialize)]\n/// struct MyCustomParameters {\n///     intended_party: String,\n/// }\n///\n/// impl Checkable for MyCustomParameters {\n///     fn check\u003cP: Policy\u003e(self, policy: P) -\u003e Result\u003cChecked\u003cSelf, P\u003e, (Self, P::Error)\u003e {\n///         if self.intended_party.is_ascii() {\n///             Ok(Checked::new(self, policy))\n///         } else {\n///             Err((\n///                 self,\n///                 \u003cP::Error as PolicyError\u003e::custom(\n///                     \"`intended_party` parameter must contain ascii characters only\",\n///                 ),\n///             ))\n///         }\n///     }\n/// }\n/// # Ok(())\n/// # }\n/// ```\n///\n/// [RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517\u003e\n/// [section 6 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-6\u003e\n/// [IANA `Json Web Key Parameters` registry]: \u003chttps://www.iana.org/assignments/jose/jose.xhtml#web-key-parameters\u003e\n#[derive(Debug, Deserialize, Serialize, Clone)]\npub struct JsonWebKey\u003cA = ()\u003e {\n    /// Additional members in the JWK as permitted by the fourth paragraph of\n    /// [section 4]\n    ///\n    /// [section 4]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4\u003e\n    // Note: `A` is first because otherwise it is possible to overwrite parameters set by us\n    #[serde(flatten)]\n    additional: A,\n    /// `kty` parameter section 4.1\n    /// Note that the [`JsonWebKeyType`] enum does way more than just\n    /// checking/storing the `kty` parameter\n    #[serde(flatten)]\n    key_type: JsonWebKeyType,\n    /// `use` parameter section 4.2\n    #[serde(rename = \"use\", skip_serializing_if = \"Option::is_none\")]\n    key_use: Option\u003cKeyUsage\u003e,\n    /// `key_ops` parameter section 4.3\n    #[serde(\n        deserialize_with = \"serde_impl::deserialize_ensure_set\",\n        rename = \"key_ops\",\n        skip_serializing_if = \"Option::is_none\",\n        // default needed because else serde will error if the `key_ops` parameter is not present\n        default\n    )]\n    key_operations: Option\u003cHashSet\u003cKeyOperation\u003e\u003e,\n    /// `alg` parameter section 4.4\n    #[serde(rename = \"alg\", skip_serializing_if = \"Option::is_none\")]\n    algorithm: Option\u003cJsonWebAlgorithm\u003e,\n    /// `kid` parameter section 4.4\n    // FIXME: Consider an enum if this value is a valid JWK Thumbprint,\n    // see \u003chttps://www.rfc-editor.org/rfc/rfc7638\u003e\n    #[serde(skip_serializing_if = \"Option::is_none\")]\n    kid: Option\u003cString\u003e,\n    /// `x5u` parameter section 4.6\n    // FIXME: considerung to ensure the protocol\n    // uses TLS or some other form of integrity protection.\n    // There are other things to consider, see the relevant section in the RFC.\n    #[serde(rename = \"x5u\", skip_serializing_if = \"Option::is_none\")]\n    x509_url: Option\u003cUri\u003e,\n    /// `x5c` parameter section 4.7\n    // If the `x5c` parameter is not present, this will be an empty Vec\n    // FIXME: find a good way and crate to parse the DER-encoded X.509 certificate(s)\n    #[serde(rename = \"x5c\", skip_serializing_if = \"Vec::is_empty\", default)]\n    x509_certificate_chain: Vec\u003cBase64DerCertificate\u003e,\n    /// `x5t` parameter section 4.8\n    #[serde(\n        serialize_with = \"serde_impl::serialize_ga_sha1\",\n        deserialize_with = \"serde_impl::deserialize_ga_sha1\",\n        rename = \"x5t\",\n        default,\n        skip_serializing_if = \"Option::is_none\"\n    )]\n    x509_certificate_sha1_thumbprint: Option\u003c[u8; 20]\u003e,\n    /// `x5t#S256` parameter section 4.9\n    #[serde(\n        serialize_with = \"serde_impl::serialize_ga_sha256\",\n        deserialize_with = \"serde_impl::deserialize_ga_sha256\",\n        rename = \"x5t#S256\",\n        default,\n        skip_serializing_if = \"Option::is_none\"\n    )]\n    x509_certificate_sha256_thumbprint: Option\u003c[u8; 32]\u003e,\n}\n\nimpl JsonWebKey\u003c()\u003e {\n    pub(crate) fn new_with_algorithm(\n        key_type: JsonWebKeyType,\n        alg: Option\u003cJsonWebAlgorithm\u003e,\n    ) -\u003e Self {\n        Self {\n            key_type,\n            key_use: None,\n            key_operations: None,\n            algorithm: alg,\n            kid: None,\n            x509_url: None,\n            x509_certificate_chain: vec![],\n            x509_certificate_sha1_thumbprint: None,\n            x509_certificate_sha256_thumbprint: None,\n            additional: (),\n        }\n    }\n}\n\nimpl JsonWebKey\u003c()\u003e {\n    /// Create a [`JsonWebKeyBuilder`] to construct a new JWK.\n    pub fn builder(key_type: impl Into\u003cJsonWebKeyType\u003e) -\u003e JsonWebKeyBuilder\u003c()\u003e {\n        JsonWebKeyBuilder::new(key_type)\n    }\n}\n\nimpl\u003cT\u003e JsonWebKey\u003cT\u003e {\n    /// Turn this Json Web Key into a builder to modify it's contents.\n    pub fn into_builder(self) -\u003e JsonWebKeyBuilder\u003cT\u003e {\n        JsonWebKeyBuilder {\n            key_type: self.key_type,\n            key_use: self.key_use,\n            key_operations: self.key_operations,\n            algorithm: self.algorithm,\n            kid: self.kid,\n            x509_url: self.x509_url,\n            x509_certificate_chain: self.x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: self.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: self.x509_certificate_sha256_thumbprint,\n            additional: self.additional,\n        }\n    }\n\n    /// [Section 4.1 of RFC 7517] defines the `kty` (Key Type) Parameter.\n    ///\n    /// Since the `kty` parameter is used to distinguish different key types, we\n    /// use the [`JsonWebKeyType`] to also store key specific data. You can\n    /// match the [`JsonWebKeyType`] to determine the exact key type used.\n    ///\n    /// [Section 4.1 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.1\u003e\n    pub fn key_type(\u0026self) -\u003e \u0026JsonWebKeyType {\n        \u0026self.key_type\n    }\n\n    /// [Section 4.2 of RFC 7517] defines the `use` (Public Key Use) Parameter.\n    ///\n    /// See the documentation of [`KeyUsage`] for details.\n    ///\n    /// [Section 4.2 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.2\u003e\n    pub fn key_usage(\u0026self) -\u003e Option\u003c\u0026KeyUsage\u003e {\n        self.key_use.as_ref()\n    }\n\n    /// [Section 4.3 of RFC 7517] defines the `key_ops` (Key Operations)\n    /// Parameter.\n    ///\n    /// It is a set of different operations a key may perform.\n    /// See the documentation of [`KeyOperation`] for details.\n    ///\n    /// [Section 4.3 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.3\u003e\n    pub fn key_operations(\u0026self) -\u003e Option\u003c\u0026HashSet\u003cKeyOperation\u003e\u003e {\n        self.key_operations.as_ref()\n    }\n\n    /// [Section 4.4 of RFC 7517] defines the `alg` (Algorithm) Parameter.\n    ///\n    /// See the documentation of [`JsonWebAlgorithm`] for details.\n    ///\n    /// [Section 4.4 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.4\u003e\n    pub fn algorithm(\u0026self) -\u003e Option\u003c\u0026JsonWebAlgorithm\u003e {\n        self.algorithm.as_ref()\n    }\n\n    /// [Section 4.5 of RFC 7517] defines the `kid` (Key ID) Parameter.\n    ///\n    /// [Section 4.5 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.5\u003e\n    pub fn key_id(\u0026self) -\u003e Option\u003c\u0026str\u003e {\n        self.kid.as_deref()\n    }\n\n    /// [Section 4.6 of RFC 7517] defines the `x5u` (X.509 URL) Parameter.\n    ///\n    /// [Section 4.6 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.6\u003e\n    pub fn x509_url(\u0026self) -\u003e Option\u003cBorrowedUri\u003c'_\u003e\u003e {\n        self.x509_url.as_ref().map(|x| x.borrow())\n    }\n\n    /// [Section 4.7 of RFC 7517] defines the `x5c` (X.509 Certificate Chain)\n    /// Parameter.\n    ///\n    /// This parameter is a list of X.509 certificates. The first certificate in\n    /// the [`ExactSizeIterator`] returned by this method is the PKIX\n    /// certificate containing the key value as required by the RFC. Note\n    /// that this parameter is OPTIONAL and if not present, this\n    /// [`ExactSizeIterator`] will be empty ([`next`](Iterator::next) will be\n    /// [`None`] and [`len`](ExactSizeIterator::len) will be `0`).\n    ///\n    /// Each [`Item`](Iterator::Item) will be the byte representation of a\n    /// DER-encoded X.509 certificate.\n    ///\n    /// [Section 4.7 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.7\u003e\n    pub fn x509_certificate_chain(\u0026self) -\u003e impl ExactSizeIterator\u003cItem = \u0026[u8]\u003e {\n        self.x509_certificate_chain.iter().map(Deref::deref)\n    }\n\n    /// [Section 4.8 of RFC 7517] defines the `x5t` (X.509 Certificate SHA-1\n    /// Thumbprint) Parameter.\n    ///\n    /// It is the SHA-1 hash of the DER-encoded X.509 certificate.\n    ///\n    /// # Warning: Cryptographically broken!\n    ///\n    /// TL;DR: check if you can use the [SHA-256\n    /// thumbprint](JsonWebKey::x509_certificate_sha256_thumbprint) instead.\n    ///\n    /// The following text is taken from the `sha1` crate: \\\n    /// The SHA-1 hash function should be considered cryptographically broken\n    /// and unsuitable for further use in any security critical capacity, as it\n    /// is [practically vulnerable to chosen-prefix collisions](https://sha-mbles.github.io/).\n    ///\n    /// [Section 4.8 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.8\u003e\n    // replace the hardcoded output size with the Sha1::OutputsizeUser value then\n    // they use const generics\n    pub fn x509_certificate_sha1_thumbprint(\u0026self) -\u003e Option\u003c\u0026[u8; 20]\u003e {\n        self.x509_certificate_sha1_thumbprint.as_ref()\n    }\n\n    /// [Section 4.9 of RFC 7517] defines the `x5t#S256` (X.509 Certificate\n    /// SHA-256 Thumbprint) Parameter.\n    ///\n    /// It is the SHA-256 hash of the DER-encoded X.509 certificate.\n    ///\n    /// [Section 4.9 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.9\u003e\n    pub fn x509_certificate_sha256_thumbprint(\u0026self) -\u003e Option\u003c\u0026[u8; 32]\u003e {\n        self.x509_certificate_sha256_thumbprint.as_ref()\n    }\n\n    /// Additional members in the [`JsonWebKey`] as permitted by the fourth\n    /// paragraph of [section 4 in RFC 7517]\n    ///\n    /// [section 4 in RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4\u003e\n    pub fn additional(\u0026self) -\u003e \u0026T {\n        \u0026self.additional\n    }\n\n    /// Checks if this [`JsonWebKey`] is a symmetric key.\n    #[inline]\n    pub fn is_symmetric(\u0026self) -\u003e bool {\n        matches!(self.key_type, JsonWebKeyType::Symmetric(_))\n    }\n\n    /// Checks if this [`JsonWebKey`] is an asymmetric key.\n    #[inline]\n    pub fn is_asymmetric(\u0026self) -\u003e bool {\n        matches!(self.key_type, JsonWebKeyType::Asymmetric(_))\n    }\n\n    /// Checks if this [`JsonWebKey`] can be used for signing.\n    ///\n    /// For asymmetric keys, this method is equivalent to checking\n    /// if this key is a private key.\n    /// For symmetric keys, this always returns `true`.\n    #[inline]\n    pub fn is_signing_key(\u0026self) -\u003e bool {\n        match self.key_type() {\n            JsonWebKeyType::Symmetric(_) =\u003e true,\n            JsonWebKeyType::Asymmetric(ref key) =\u003e match \u0026**key {\n                AsymmetricJsonWebKey::Private(_) =\u003e true,\n                AsymmetricJsonWebKey::Public(_) =\u003e false,\n            },\n        }\n    }\n\n    /// Strips the secret material from this [`JsonWebKey`].\n    ///\n    /// After calling this method, the key can safely be shared as it\n    /// only contains the public parts.\n    ///\n    /// For symmetric keys, this method returns [`None`], as symmetric\n    /// keys will always hold the secret material.\n    #[doc(alias = \"strip_private_material\")]\n    pub fn strip_secret_material(mut self) -\u003e Option\u003cSelf\u003e {\n        let key = match self.key_type {\n            JsonWebKeyType::Symmetric(_) =\u003e return None,\n            JsonWebKeyType::Asymmetric(ref key) =\u003e key,\n        };\n\n        match \u0026**key {\n            // public keys are no-ops\n            AsymmetricJsonWebKey::Public(_) =\u003e Some(self),\n            AsymmetricJsonWebKey::Private(Private::Okp(okp)) =\u003e {\n                let key = match okp {\n                    OkpPrivate::Ed25519(key) =\u003e OkpPublic::Ed25519(key.to_public_key()),\n                    OkpPrivate::Ed448(key) =\u003e OkpPublic::Ed448(key.to_public_key()),\n                };\n\n                self.key_type = JsonWebKeyType::Asymmetric(Box::new(AsymmetricJsonWebKey::Public(\n                    Public::Okp(key),\n                )));\n\n                Some(self)\n            }\n            AsymmetricJsonWebKey::Private(Private::Ec(ec)) =\u003e {\n                let pub_key = match ec {\n                    EcPrivate::P256(key) =\u003e EcPublic::P256(key.to_public_key()),\n                    EcPrivate::P384(key) =\u003e EcPublic::P384(key.to_public_key()),\n                    EcPrivate::P521(key) =\u003e EcPublic::P521(key.to_public_key()),\n                    EcPrivate::Secp256k1(key) =\u003e EcPublic::Secp256k1(key.to_public_key()),\n                };\n\n                self.key_type = JsonWebKeyType::Asymmetric(Box::new(AsymmetricJsonWebKey::Public(\n                    Public::Ec(pub_key),\n                )));\n\n                Some(self)\n            }\n            AsymmetricJsonWebKey::Private(Private::Rsa(rsa)) =\u003e {\n                let pub_key = Public::Rsa(rsa.to_public_key());\n\n                self.key_type =\n                    JsonWebKeyType::Asymmetric(Box::new(AsymmetricJsonWebKey::Public(pub_key)));\n\n                Some(self)\n            }\n        }\n    }\n\n    /// Converts this [`JsonWebKey`] into a [`JsonWebKey`] that is only meant to\n    /// be uesd for verifying signatures.\n    ///\n    /// For asymmetric keys, this operation is equivalent to converting a\n    /// private key into it's public key.\n    ///\n    /// For symmetric keys, this operation is a no-op, as the secret material\n    /// can not be removed from the key.\n    #[doc(alias = \"into_public_key\")]\n    pub fn into_verifying_key(mut self) -\u003e Self {\n        match self.key_type {\n            // symmetric keys are no-op\n            JsonWebKeyType::Symmetric(_) =\u003e self,\n            JsonWebKeyType::Asymmetric(ref key) =\u003e match \u0026**key {\n                // public keys are no-ops too\n                AsymmetricJsonWebKey::Public(_) =\u003e self,\n                AsymmetricJsonWebKey::Private(Private::Okp(okp)) =\u003e {\n                    let key = match okp {\n                        OkpPrivate::Ed25519(key) =\u003e OkpPublic::Ed25519(key.to_public_key()),\n                        OkpPrivate::Ed448(key) =\u003e OkpPublic::Ed448(key.to_public_key()),\n                    };\n\n                    self.key_type = JsonWebKeyType::Asymmetric(Box::new(\n                        AsymmetricJsonWebKey::Public(Public::Okp(key)),\n                    ));\n\n                    self\n                }\n                AsymmetricJsonWebKey::Private(Private::Ec(ec)) =\u003e {\n                    let pub_key = match ec {\n                        EcPrivate::P256(key) =\u003e EcPublic::P256(key.to_public_key()),\n                        EcPrivate::P384(key) =\u003e EcPublic::P384(key.to_public_key()),\n                        EcPrivate::P521(key) =\u003e EcPublic::P521(key.to_public_key()),\n                        EcPrivate::Secp256k1(key) =\u003e EcPublic::Secp256k1(key.to_public_key()),\n                    };\n\n                    self.key_type = JsonWebKeyType::Asymmetric(Box::new(\n                        AsymmetricJsonWebKey::Public(Public::Ec(pub_key)),\n                    ));\n\n                    self\n                }\n                AsymmetricJsonWebKey::Private(Private::Rsa(rsa)) =\u003e {\n                    let pub_key = Public::Rsa(rsa.to_public_key());\n\n                    self.key_type =\n                        JsonWebKeyType::Asymmetric(Box::new(AsymmetricJsonWebKey::Public(pub_key)));\n\n                    self\n                }\n            },\n        }\n    }\n}\n\nimpl\u003cT: Serialize\u003e JsonWebKey\u003cT\u003e {\n    /// Converts this [`JsonWebKey`] with custom additional parameters,\n    /// into a [`JsonWebKey`] with untyped additional parameters.\n    ///\n    /// # Errors\n    ///\n    /// This function fails if the serialization of the additional parameters\n    /// failed, or the serialization does not result in a JSON object.\n    pub fn into_untyped_additional(\n        self,\n    ) -\u003e Result\u003cJsonWebKey\u003cUntypedAdditionalProperties\u003e, serde_json::Error\u003e {\n        let value = serde_json::to_value(\u0026self.additional)?;\n        let additional: UntypedAdditionalProperties = serde_json::from_value(value)?;\n\n        Ok(JsonWebKey {\n            additional,\n            key_type: self.key_type,\n            key_use: self.key_use,\n            key_operations: self.key_operations,\n            algorithm: self.algorithm,\n            kid: self.kid,\n            x509_url: self.x509_url,\n            x509_certificate_chain: self.x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: self.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: self.x509_certificate_sha256_thumbprint,\n        })\n    }\n}\n\nimpl JsonWebKey\u003cUntypedAdditionalProperties\u003e {\n    /// Deserializes the additional members of this [`JsonWebKey`]\n    /// to the given type.\n    ///\n    /// # Errors\n    ///\n    /// The given type failed to be deserialized from the additional members.\n    pub fn deserialize_additional\u003cT: DeserializeOwned\u003e(\n        self,\n    ) -\u003e Result\u003cJsonWebKey\u003cT\u003e, serde_json::Error\u003e {\n        let additional = serde_json::from_value(self.additional.into())?;\n\n        Ok(JsonWebKey {\n            additional,\n            key_type: self.key_type,\n            key_use: self.key_use,\n            key_operations: self.key_operations,\n            algorithm: self.algorithm,\n            kid: self.kid,\n            x509_url: self.x509_url,\n            x509_certificate_chain: self.x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: self.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: self.x509_certificate_sha256_thumbprint,\n        })\n    }\n}\n\nimpl\u003cT\u003e Checkable for JsonWebKey\u003cT\u003e\nwhere\n    T: Checkable,\n{\n    fn check\u003cP: Policy\u003e(self, policy: P) -\u003e Result\u003cChecked\u003cSelf, P\u003e, (Self, P::Error)\u003e {\n        if let Some(alg) = self.algorithm() {\n            if let Err(e) = policy.algorithm(alg) {\n                return Err((self, e));\n            }\n\n            let operations = match alg {\n                JsonWebAlgorithm::Encryption(..) =\u003e [\n                    CryptographicOperation::Encrypt,\n                    CryptographicOperation::Decrypt,\n                ],\n                JsonWebAlgorithm::Signing(..) =\u003e {\n                    [CryptographicOperation::Sign, CryptographicOperation::Verify]\n                }\n                JsonWebAlgorithm::Other(..) =\u003e {\n                    return Err((self, P::Error::custom(\"specified key algorithm is unknown\")))\n                }\n            };\n            debug_assert!(!operations.is_empty());\n\n            if let Some(key_use) = self.key_usage() {\n                // The following ensures that at least one `operation` is allowed with the\n                // current key usage (returns Ok(())). If Ok(()) is returned, it\n                // short-circuits\n                match operations.iter().try_fold(None, |_, operation| {\n                    match policy.may_perform_operation_key_use(*operation, key_use) {\n                        Ok(_) =\u003e ControlFlow::Break(()),\n                        Err(err) =\u003e ControlFlow::Continue(Some(err)),\n                    }\n                }) {\n                    ControlFlow::Break(_) =\u003e (),\n                    ControlFlow::Continue(err) =\u003e {\n                        return Err((\n                            self,\n                            // Safety\n                            //\n                            // First of, this could use unwrap_unchecked but doesn't since we\n                            // forbid unsafe code in this crate. However, it would be safe,\n                            // because: the call to the Policy returns\n                            // Result\u003c(), err\u003e and if it's Ok, it\n                            // will break and this branch will never get called. If the call\n                            // failed, the inital state of `None` will be set to\n                            // Continue(Some(err)), which will be the value in this branch\n                            err.expect(\"at least one call has been made to the Policy\"),\n                        ));\n                    }\n                }\n            }\n\n            if let Some(key_ops) = self.key_operations() {\n                // The following ensures tthat at loeast one `operation` is allowed with the\n                // current key operations. If Ok(()) is returned, it short-circuits.\n                // For example, a key might have a signing algorithm, but only\n                // `KeyOperation::Verify` is set since it is a public key and can't perform\n                // signing operations. In this case, it has the same signing algorithm.\n                match operations.iter().try_fold(None, |_, operation| {\n                    match policy.may_perform_operation_key_ops(*operation, key_ops) {\n                        Ok(_) =\u003e ControlFlow::Break(()),\n                        Err(err) =\u003e ControlFlow::Continue(Some(err)),\n                    }\n                }) {\n                    ControlFlow::Break(_) =\u003e (),\n                    ControlFlow::Continue(err) =\u003e {\n                        return Err((\n                            self,\n                            // Same rules as for the code with `key_usage` from above apply.\n                            err.expect(\"at leat one call has been made to the Policy\"),\n                        ));\n                    }\n                }\n            }\n        }\n\n        if let (Some(key_use), Some(key_ops)) = (self.key_usage(), self.key_operations()) {\n            if let Err(e) = policy.compare_key_ops_and_use(key_use, key_ops) {\n                return Err((self, e));\n            }\n        }\n\n        match self.additional.check(policy) {\n            Err(e) =\u003e Err((\n                Self {\n                    additional: e.0,\n                    ..self\n                },\n                e.1,\n            )),\n            Ok(o) =\u003e {\n                let (additional, p) = o.into_inner();\n                Ok(Checked::new(Self { additional, ..self }, p))\n            }\n        }\n    }\n}\n\nimpl Sealed for JsonWebKey {}\nimpl Thumbprint for JsonWebKey {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        self.key_type().thumbprint_prehashed()\n    }\n}\n\n/// A [`JsonWebKey`] represents a cryptographic key. It can either be symmetric\n/// or asymmetric. In the latter case, it can store public or private\n/// information about the key. This enum represents the key types as defined in\n/// [RFC 7518 section 6].\n///\n/// [RFC 7518 section 6]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-6\u003e\n#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize, Hash)]\n#[serde(untagged)]\npub enum JsonWebKeyType {\n    /// A symmetric cryptographic key\n    Symmetric(SymmetricJsonWebKey),\n    /// An asymmetric cryptographic key\n    Asymmetric(Box\u003cAsymmetricJsonWebKey\u003e),\n}\n\nimpl Sealed for JsonWebKeyType {}\nimpl Thumbprint for JsonWebKeyType {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            JsonWebKeyType::Symmetric(key) =\u003e key.thumbprint_prehashed(),\n            JsonWebKeyType::Asymmetric(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl JsonWebKeyType {\n    pub(self) fn compatible_with(\u0026self, alg: \u0026JsonWebAlgorithm) -\u003e bool {\n        use JsonWebAlgorithm::*;\n        use JsonWebKeyType::*;\n\n        // it is unreadable with the matches! macro and there's no benefit\n        #[allow(clippy::match_like_matches_macro)]\n        match (self, alg) {\n            (\n                Symmetric(SymmetricJsonWebKey::OctetSequence(key)),\n                Signing(JsonWebSigningAlgorithm::Hmac(hmac)),\n            ) =\u003e match (hmac, key.len()) {\n                (Hmac::Hs256, hmac::Hs256::OUTPUT_SIZE_BYTES..)\n                | (Hmac::Hs384, hmac::Hs384::OUTPUT_SIZE_BYTES..)\n                | (Hmac::Hs512, hmac::Hs512::OUTPUT_SIZE_BYTES..) =\u003e true,\n                _ =\u003e false,\n            },\n            (\n                Symmetric(SymmetricJsonWebKey::OctetSequence(key)),\n                Encryption(JsonWebEncryptionAlgorithm::AesKw(aes)),\n            ) =\u003e matches!(\n                (aes, key.len()),\n                (AesKw::Aes128, 16) | (AesKw::Aes192, 24) | (AesKw::Aes256, 32)\n            ),\n            (\n                Symmetric(SymmetricJsonWebKey::OctetSequence(key)),\n                Encryption(JsonWebEncryptionAlgorithm::AesGcmKw(aes)),\n            ) =\u003e matches!(\n                (aes, key.len()),\n                (AesGcm::Aes128, 16) | (AesGcm::Aes192, 24) | (AesGcm::Aes256, 32)\n            ),\n            (\n                Symmetric(SymmetricJsonWebKey::OctetSequence(key)),\n                Encryption(JsonWebEncryptionAlgorithm::Pbes2(pbes2)),\n            ) =\u003e matches!(\n                (pbes2, key.len()),\n                (Pbes2::Hs256Aes128, 16) | (Pbes2::Hs384Aes192, 24) | (Pbes2::Hs512Aes256, 32)\n            ),\n            (\n                Symmetric(SymmetricJsonWebKey::OctetSequence(..)),\n                Encryption(JsonWebEncryptionAlgorithm::Direct),\n            ) =\u003e true,\n            (Asymmetric(key), alg) =\u003e match (\u0026**key, alg) {\n                (\n                    AsymmetricJsonWebKey::Public(Public::Ec(..))\n                    | AsymmetricJsonWebKey::Private(Private::Ec(..)),\n                    Encryption(JsonWebEncryptionAlgorithm::EcDhES(..)),\n                )\n                | (\n                    AsymmetricJsonWebKey::Public(Public::Ec(EcPublic::P256(..)))\n                    | AsymmetricJsonWebKey::Private(Private::Ec(EcPrivate::P256(..))),\n                    Signing(JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256)),\n                )\n                | (\n                    AsymmetricJsonWebKey::Public(Public::Ec(EcPublic::P384(..)))\n                    | AsymmetricJsonWebKey::Private(Private::Ec(EcPrivate::P384(..))),\n                    Signing(JsonWebSigningAlgorithm::EcDSA(EcDSA::Es384)),\n                )\n                | (\n                    AsymmetricJsonWebKey::Public(Public::Ec(EcPublic::Secp256k1(..)))\n                    | AsymmetricJsonWebKey::Private(Private::Ec(EcPrivate::Secp256k1(..))),\n                    Signing(JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256K)),\n                )\n                | (\n                    AsymmetricJsonWebKey::Public(Public::Okp(\n                        OkpPublic::Ed25519(..) | OkpPublic::Ed448(..),\n                    ))\n                    | AsymmetricJsonWebKey::Private(Private::Okp(\n                        OkpPrivate::Ed25519(..) | OkpPrivate::Ed448(..),\n                    )),\n                    Signing(JsonWebSigningAlgorithm::EdDSA),\n                    // FIXME: look how encryption is handled and which algorithm is used\n                    //| Encryption(JsonWebEncryptionAlgorithm::EcDhES(..)),\n                )\n                | (\n                    AsymmetricJsonWebKey::Public(Public::Rsa(..))\n                    | AsymmetricJsonWebKey::Private(Private::Rsa(..)),\n                    Signing(JsonWebSigningAlgorithm::Rsa(..))\n                    | Encryption(JsonWebEncryptionAlgorithm::Rsa1_5)\n                    | Encryption(JsonWebEncryptionAlgorithm::RsaesOaep(..)),\n                ) =\u003e true,\n                _ =\u003e false,\n            },\n            _ =\u003e false,\n        }\n    }\n}\n\n/// A trait for a [`Signer`](crate::jws::Signer) or\n/// [`Verifier`](crate::jws::Verifier) to implement if it can be created from\n/// key material as long as the algorithm is known\npub trait FromKey\u003cK\u003e: Sized {\n    /// The error returned if the conversion failed\n    type Error;\n\n    /// Turn `K` into this [`Signer`](crate::jws::Signer) or\n    /// [`Verifier`](crate::jws::Verifier).\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the conversion failed\n    fn from_key(value: K, alg: JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e;\n}\n\n/// A trait for different key types to implement if they can be converted into a\n/// [`JsonWebKey`].\n///\n/// This trait, and deserialization, is the only public way of creating a\n/// [`JsonWebKey`].\npub trait IntoJsonWebKey: Sealed {\n    /// One key type may be used for multiple [`JsonWebAlgorithm`]s.\n    ///\n    /// This algorithm can be specified using this type.\n    type Algorithm;\n\n    /// The error that can occurr when converting this key into a JWK.\n    type Error;\n\n    /// Turns this key mateiral into a [`JsonWebKey`] for the given algorithm.\n    ///\n    /// If the given argument is `None`, the `alg` header field of the resulting\n    /// JWK will be None.\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if the conversion fails.\n    fn into_jwk(self, alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e) -\u003e Result\u003cJsonWebKey, Self::Error\u003e;\n}\n\n/// Hash implementation for all types that implement `Thumbprint` trait\nmod hash_impl {\n    use core::hash::{Hash, Hasher};\n\n    use super::{symmetric::OctetSequence, JsonWebKey};\n    use crate::crypto::{ec, okp, rsa};\n\n    impl_thumbprint_hash_trait!(ec::P256PublicKey, ec::P256PrivateKey);\n    impl_thumbprint_hash_trait!(ec::P384PublicKey, ec::P384PrivateKey);\n    impl_thumbprint_hash_trait!(ec::P521PublicKey, ec::P521PrivateKey);\n    impl_thumbprint_hash_trait!(ec::Secp256k1PublicKey, ec::Secp256k1PrivateKey);\n    impl_thumbprint_hash_trait!(okp::Ed25519PublicKey, okp::Ed25519PrivateKey);\n    impl_thumbprint_hash_trait!(okp::Ed448PublicKey, okp::Ed448PrivateKey);\n    impl_thumbprint_hash_trait!(rsa::PublicKey, rsa::PrivateKey);\n    impl_thumbprint_hash_trait!(OctetSequence);\n\n    /// The [`Hash`] implementation of [`JsonWebKey`] uses the [`Hash`]\n    /// implementation of the underlying\n    /// [`JsonWebKeyType`](super::JsonWebKeyType).\n    ///\n    /// **Note**: [`Hash`] and [`Thumbprint`](super::Thumbprint) are used\n    /// differently. A [`Thumbprint`](super::Thumbprint) does does distinguish\n    /// between a private and a public key. But the [`Hash`] implementation of\n    /// all [`JsonWebKey`]s does, because otherwise two different versions of\n    /// [`JsonWebKey`] with different capabilities would have the same hash.\n    impl Hash for JsonWebKey {\n        fn hash\u003cH: Hasher\u003e(\u0026self, state: \u0026mut H) {\n            self.key_type.hash(state);\n        }\n    }\n\n    #[test]\n    fn smoke() {\n        use crate::{jwk::Thumbprint, JsonWebKey};\n\n        #[allow(unused_extern_crates)]\n        extern crate std;\n\n        // This is a serialized asymmetric key. The private key part is stored in\n        // the `d` parameter\n        let serialized_private_key = r#\"\n{\n    \"crv\": \"P-256\",\n    \"kty\": \"EC\",\n     \"x\": \"1uiXGPoQ3eLR3VOsCfnx1YzIJZGUQLbVfbl1CpCHcs0\",\n     \"y\": \"danaoyQqKi48vlB2jnCoFmq3PdIbYwIRJyNKWiindZM\",\n     \"d\": \"eLGzm5zd242okyN9SQBvmaC_4EPvASCgMhFgwtBvf3k\",\n     \"alg\": \"ES256\"\n}\n\"#;\n        let private_key: JsonWebKey =\n            serde_json::from_str(serialized_private_key).expect(\"valid key\");\n\n        let expected_prehash = r#\"{\"crv\":\"P-256\",\"kty\":\"EC\",\"x\":\"1uiXGPoQ3eLR3VOsCfnx1YzIJZGUQLbVfbl1CpCHcs0\",\"y\":\"danaoyQqKi48vlB2jnCoFmq3PdIbYwIRJyNKWiindZM\"}\"#;\n        assert_eq!(private_key.thumbprint_prehashed(), expected_prehash);\n\n        let mut hasher = std::hash::DefaultHasher::default();\n        private_key.hash(\u0026mut hasher);\n        let hash_private = hasher.finish();\n\n        let serialized_public_key = r#\"\n{\n    \"crv\": \"P-256\",\n    \"kty\": \"EC\",\n     \"x\": \"1uiXGPoQ3eLR3VOsCfnx1YzIJZGUQLbVfbl1CpCHcs0\",\n     \"y\": \"danaoyQqKi48vlB2jnCoFmq3PdIbYwIRJyNKWiindZM\",\n     \"alg\": \"ES256\"\n}\n\"#;\n\n        let public_key: JsonWebKey = serde_json::from_str(serialized_public_key).unwrap();\n        let mut hasher = std::hash::DefaultHasher::default();\n        public_key.hash(\u0026mut hasher);\n        let hash_public = hasher.finish();\n        assert_ne!(hash_private, hash_public);\n    }\n}\n","traces":[{"line":259,"address":[],"length":0,"stats":{"Line":0}},{"line":270,"address":[],"length":0,"stats":{"Line":0}},{"line":273,"address":[],"length":0,"stats":{"Line":0}},{"line":280,"address":[],"length":0,"stats":{"Line":21}},{"line":281,"address":[],"length":0,"stats":{"Line":21}},{"line":287,"address":[],"length":0,"stats":{"Line":21}},{"line":289,"address":[],"length":0,"stats":{"Line":21}},{"line":290,"address":[],"length":0,"stats":{"Line":21}},{"line":291,"address":[],"length":0,"stats":{"Line":21}},{"line":292,"address":[],"length":0,"stats":{"Line":21}},{"line":293,"address":[],"length":0,"stats":{"Line":21}},{"line":294,"address":[],"length":0,"stats":{"Line":21}},{"line":295,"address":[],"length":0,"stats":{"Line":21}},{"line":296,"address":[],"length":0,"stats":{"Line":21}},{"line":297,"address":[],"length":0,"stats":{"Line":21}},{"line":298,"address":[],"length":0,"stats":{"Line":21}},{"line":309,"address":[],"length":0,"stats":{"Line":214}},{"line":310,"address":[],"length":0,"stats":{"Line":214}},{"line":318,"address":[],"length":0,"stats":{"Line":8}},{"line":319,"address":[],"length":0,"stats":{"Line":8}},{"line":329,"address":[],"length":0,"stats":{"Line":3}},{"line":330,"address":[],"length":0,"stats":{"Line":3}},{"line":338,"address":[],"length":0,"stats":{"Line":14}},{"line":339,"address":[],"length":0,"stats":{"Line":14}},{"line":345,"address":[],"length":0,"stats":{"Line":0}},{"line":346,"address":[],"length":0,"stats":{"Line":0}},{"line":352,"address":[],"length":0,"stats":{"Line":0}},{"line":353,"address":[],"length":0,"stats":{"Line":0}},{"line":370,"address":[],"length":0,"stats":{"Line":0}},{"line":371,"address":[],"length":0,"stats":{"Line":0}},{"line":392,"address":[],"length":0,"stats":{"Line":2}},{"line":393,"address":[],"length":0,"stats":{"Line":2}},{"line":402,"address":[],"length":0,"stats":{"Line":2}},{"line":403,"address":[],"length":0,"stats":{"Line":2}},{"line":410,"address":[],"length":0,"stats":{"Line":5}},{"line":411,"address":[],"length":0,"stats":{"Line":5}},{"line":416,"address":[],"length":0,"stats":{"Line":17}},{"line":417,"address":[],"length":0,"stats":{"Line":33}},{"line":422,"address":[],"length":0,"stats":{"Line":16}},{"line":423,"address":[],"length":0,"stats":{"Line":16}},{"line":432,"address":[],"length":0,"stats":{"Line":17}},{"line":433,"address":[],"length":0,"stats":{"Line":17}},{"line":434,"address":[],"length":0,"stats":{"Line":1}},{"line":435,"address":[],"length":0,"stats":{"Line":16}},{"line":436,"address":[],"length":0,"stats":{"Line":8}},{"line":437,"address":[],"length":0,"stats":{"Line":8}},{"line":450,"address":[],"length":0,"stats":{"Line":18}},{"line":451,"address":[],"length":0,"stats":{"Line":35}},{"line":452,"address":[],"length":0,"stats":{"Line":1}},{"line":453,"address":[],"length":0,"stats":{"Line":17}},{"line":456,"address":[],"length":0,"stats":{"Line":9}},{"line":458,"address":[],"length":0,"stats":{"Line":8}},{"line":459,"address":[],"length":0,"stats":{"Line":2}},{"line":460,"address":[],"length":0,"stats":{"Line":4}},{"line":461,"address":[],"length":0,"stats":{"Line":1}},{"line":462,"address":[],"length":0,"stats":{"Line":1}},{"line":465,"address":[],"length":0,"stats":{"Line":2}},{"line":466,"address":[],"length":0,"stats":{"Line":2}},{"line":469,"address":[],"length":0,"stats":{"Line":2}},{"line":471,"address":[],"length":0,"stats":{"Line":5}},{"line":472,"address":[],"length":0,"stats":{"Line":10}},{"line":473,"address":[],"length":0,"stats":{"Line":2}},{"line":474,"address":[],"length":0,"stats":{"Line":1}},{"line":475,"address":[],"length":0,"stats":{"Line":1}},{"line":476,"address":[],"length":0,"stats":{"Line":1}},{"line":479,"address":[],"length":0,"stats":{"Line":5}},{"line":480,"address":[],"length":0,"stats":{"Line":5}},{"line":483,"address":[],"length":0,"stats":{"Line":5}},{"line":485,"address":[],"length":0,"stats":{"Line":2}},{"line":486,"address":[],"length":0,"stats":{"Line":2}},{"line":488,"address":[],"length":0,"stats":{"Line":2}},{"line":489,"address":[],"length":0,"stats":{"Line":2}},{"line":491,"address":[],"length":0,"stats":{"Line":2}},{"line":505,"address":[],"length":0,"stats":{"Line":18}},{"line":506,"address":[],"length":0,"stats":{"Line":18}},{"line":508,"address":[],"length":0,"stats":{"Line":1}},{"line":509,"address":[],"length":0,"stats":{"Line":26}},{"line":511,"address":[],"length":0,"stats":{"Line":8}},{"line":512,"address":[],"length":0,"stats":{"Line":2}},{"line":513,"address":[],"length":0,"stats":{"Line":4}},{"line":514,"address":[],"length":0,"stats":{"Line":1}},{"line":515,"address":[],"length":0,"stats":{"Line":1}},{"line":518,"address":[],"length":0,"stats":{"Line":2}},{"line":519,"address":[],"length":0,"stats":{"Line":2}},{"line":522,"address":[],"length":0,"stats":{"Line":2}},{"line":524,"address":[],"length":0,"stats":{"Line":5}},{"line":525,"address":[],"length":0,"stats":{"Line":10}},{"line":526,"address":[],"length":0,"stats":{"Line":2}},{"line":527,"address":[],"length":0,"stats":{"Line":1}},{"line":528,"address":[],"length":0,"stats":{"Line":1}},{"line":529,"address":[],"length":0,"stats":{"Line":1}},{"line":532,"address":[],"length":0,"stats":{"Line":5}},{"line":533,"address":[],"length":0,"stats":{"Line":5}},{"line":536,"address":[],"length":0,"stats":{"Line":5}},{"line":538,"address":[],"length":0,"stats":{"Line":2}},{"line":539,"address":[],"length":0,"stats":{"Line":2}},{"line":541,"address":[],"length":0,"stats":{"Line":2}},{"line":542,"address":[],"length":0,"stats":{"Line":2}},{"line":544,"address":[],"length":0,"stats":{"Line":2}},{"line":559,"address":[],"length":0,"stats":{"Line":1}},{"line":562,"address":[],"length":0,"stats":{"Line":2}},{"line":563,"address":[],"length":0,"stats":{"Line":1}},{"line":565,"address":[],"length":0,"stats":{"Line":0}},{"line":566,"address":[],"length":0,"stats":{"Line":0}},{"line":567,"address":[],"length":0,"stats":{"Line":0}},{"line":568,"address":[],"length":0,"stats":{"Line":0}},{"line":569,"address":[],"length":0,"stats":{"Line":0}},{"line":570,"address":[],"length":0,"stats":{"Line":0}},{"line":571,"address":[],"length":0,"stats":{"Line":0}},{"line":572,"address":[],"length":0,"stats":{"Line":0}},{"line":573,"address":[],"length":0,"stats":{"Line":0}},{"line":574,"address":[],"length":0,"stats":{"Line":0}},{"line":575,"address":[],"length":0,"stats":{"Line":0}},{"line":587,"address":[],"length":0,"stats":{"Line":1}},{"line":590,"address":[],"length":0,"stats":{"Line":2}},{"line":592,"address":[],"length":0,"stats":{"Line":0}},{"line":593,"address":[],"length":0,"stats":{"Line":0}},{"line":594,"address":[],"length":0,"stats":{"Line":0}},{"line":595,"address":[],"length":0,"stats":{"Line":0}},{"line":596,"address":[],"length":0,"stats":{"Line":0}},{"line":597,"address":[],"length":0,"stats":{"Line":0}},{"line":598,"address":[],"length":0,"stats":{"Line":0}},{"line":599,"address":[],"length":0,"stats":{"Line":0}},{"line":600,"address":[],"length":0,"stats":{"Line":0}},{"line":601,"address":[],"length":0,"stats":{"Line":0}},{"line":602,"address":[],"length":0,"stats":{"Line":0}},{"line":611,"address":[],"length":0,"stats":{"Line":1}},{"line":612,"address":[],"length":0,"stats":{"Line":2}},{"line":613,"address":[],"length":0,"stats":{"Line":0}},{"line":614,"address":[],"length":0,"stats":{"Line":0}},{"line":617,"address":[],"length":0,"stats":{"Line":2}},{"line":618,"address":[],"length":0,"stats":{"Line":0}},{"line":619,"address":[],"length":0,"stats":{"Line":0}},{"line":620,"address":[],"length":0,"stats":{"Line":0}},{"line":622,"address":[],"length":0,"stats":{"Line":0}},{"line":623,"address":[],"length":0,"stats":{"Line":1}},{"line":625,"address":[],"length":0,"stats":{"Line":0}},{"line":626,"address":[],"length":0,"stats":{"Line":0}},{"line":629,"address":[],"length":0,"stats":{"Line":0}},{"line":631,"address":[],"length":0,"stats":{"Line":2}},{"line":635,"address":[],"length":0,"stats":{"Line":1}},{"line":636,"address":[],"length":0,"stats":{"Line":1}},{"line":637,"address":[],"length":0,"stats":{"Line":1}},{"line":638,"address":[],"length":0,"stats":{"Line":0}},{"line":641,"address":[],"length":0,"stats":{"Line":1}},{"line":642,"address":[],"length":0,"stats":{"Line":0}},{"line":643,"address":[],"length":0,"stats":{"Line":0}},{"line":644,"address":[],"length":0,"stats":{"Line":0}},{"line":654,"address":[],"length":0,"stats":{"Line":0}},{"line":660,"address":[],"length":0,"stats":{"Line":1}},{"line":666,"address":[],"length":0,"stats":{"Line":0}},{"line":667,"address":[],"length":0,"stats":{"Line":0}},{"line":668,"address":[],"length":0,"stats":{"Line":0}},{"line":669,"address":[],"length":0,"stats":{"Line":0}},{"line":672,"address":[],"length":0,"stats":{"Line":0}},{"line":673,"address":[],"length":0,"stats":{"Line":0}},{"line":674,"address":[],"length":0,"stats":{"Line":0}},{"line":675,"address":[],"length":0,"stats":{"Line":0}},{"line":677,"address":[],"length":0,"stats":{"Line":0}},{"line":684,"address":[],"length":0,"stats":{"Line":1}},{"line":685,"address":[],"length":0,"stats":{"Line":0}},{"line":686,"address":[],"length":0,"stats":{"Line":0}},{"line":690,"address":[],"length":0,"stats":{"Line":1}},{"line":691,"address":[],"length":0,"stats":{"Line":0}},{"line":692,"address":[],"length":0,"stats":{"Line":0}},{"line":693,"address":[],"length":0,"stats":{"Line":0}},{"line":694,"address":[],"length":0,"stats":{"Line":0}},{"line":696,"address":[],"length":0,"stats":{"Line":0}},{"line":698,"address":[],"length":0,"stats":{"Line":1}},{"line":699,"address":[],"length":0,"stats":{"Line":1}},{"line":700,"address":[],"length":0,"stats":{"Line":1}},{"line":708,"address":[],"length":0,"stats":{"Line":64}},{"line":709,"address":[],"length":0,"stats":{"Line":64}},{"line":730,"address":[],"length":0,"stats":{"Line":64}},{"line":731,"address":[],"length":0,"stats":{"Line":64}},{"line":732,"address":[],"length":0,"stats":{"Line":6}},{"line":733,"address":[],"length":0,"stats":{"Line":58}},{"line":739,"address":[],"length":0,"stats":{"Line":42}},{"line":745,"address":[],"length":0,"stats":{"Line":42}},{"line":747,"address":[],"length":0,"stats":{"Line":0}},{"line":748,"address":[],"length":0,"stats":{"Line":0}},{"line":749,"address":[],"length":0,"stats":{"Line":0}},{"line":750,"address":[],"length":0,"stats":{"Line":0}},{"line":751,"address":[],"length":0,"stats":{"Line":0}},{"line":752,"address":[],"length":0,"stats":{"Line":0}},{"line":753,"address":[],"length":0,"stats":{"Line":0}},{"line":756,"address":[],"length":0,"stats":{"Line":0}},{"line":757,"address":[],"length":0,"stats":{"Line":0}},{"line":758,"address":[],"length":0,"stats":{"Line":0}},{"line":759,"address":[],"length":0,"stats":{"Line":0}},{"line":763,"address":[],"length":0,"stats":{"Line":0}},{"line":764,"address":[],"length":0,"stats":{"Line":0}},{"line":765,"address":[],"length":0,"stats":{"Line":0}},{"line":766,"address":[],"length":0,"stats":{"Line":0}},{"line":770,"address":[],"length":0,"stats":{"Line":0}},{"line":771,"address":[],"length":0,"stats":{"Line":0}},{"line":772,"address":[],"length":0,"stats":{"Line":0}},{"line":773,"address":[],"length":0,"stats":{"Line":0}},{"line":779,"address":[],"length":0,"stats":{"Line":0}},{"line":780,"address":[],"length":0,"stats":{"Line":38}},{"line":818,"address":[],"length":0,"stats":{"Line":0}},{"line":819,"address":[],"length":0,"stats":{"Line":38}},{"line":821,"address":[],"length":0,"stats":{"Line":4}},{"line":893,"address":[],"length":0,"stats":{"Line":2}},{"line":894,"address":[],"length":0,"stats":{"Line":2}}],"covered":123,"coverable":205},{"path":["/","home","stu","dev","rust","jose","src","jws","builder.rs"],"content":"use crate::{\n    format::Format,\n    header::{self, HeaderValue, JoseHeaderBuilder, JoseHeaderBuilderError},\n    jwa::JsonWebSigningAlgorithm,\n    JoseHeader, JsonWebSignature,\n};\n\n/// Builds a [`JsonWebSignature`] with custom header parameters.\n#[derive(Debug)]\npub struct JsonWebSignatureBuilder\u003cF: Format\u003e {\n    header: Option\u003cResult\u003cF::JwsHeader, JoseHeaderBuilderError\u003e\u003e,\n}\n\nimpl\u003cF: Format\u003e JsonWebSignatureBuilder\u003cF\u003e {\n    pub(super) fn new() -\u003e Self {\n        Self { header: None }\n    }\n\n    /// Configures the custom header for this [`JsonWebSignature`].\n    ///\n    /// For [`Compact`](crate::format::Compact) and\n    /// [`JsonFlattened`](crate::format::JsonFlattened) format, this method\n    /// will set the single protected, and unprotected header if JSON flattened,\n    /// header.\n    ///\n    /// ## Support for empty protected headers\n    ///\n    /// The [JWS RFC] allows for the protected header to be empty, and instead\n    /// supply all necessary parameters in the unprotected header. By\n    /// default, the `jose` crate will overwrite the `alg` field (and\n    /// optionally `kid` field) in the protected header, with the signing\n    /// algorithm used in the signing operation.\n    /// To achieve that the `alg` field is set on the unprotected header, one\n    /// must set the `alg`\n    /// field to `HeaderValue::Protected(JsonWebSigningAlgorithm::None)`\n    /// manually.\n    ///\n    /// However, you must note, that this feature is not supported for the\n    /// [`Compact`](crate::format::Compact) format, becuase that format can only\n    /// have a protected header.\n    ///\n    /// ```\n    /// # use jose::{format::*, jws::*, header::HeaderValue, jwa::*};\n    /// # fn main() {\n    /// let jws = JsonWebSignature::\u003cJsonFlattened, _\u003e::builder()\n    ///     .header(|b| b.algorithm(HeaderValue::Unprotected(JsonWebSigningAlgorithm::None)))\n    ///     .build(())\n    ///     .unwrap();\n    /// # }\n    /// ```\n    ///\n    /// [JWS RFC]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515\u003e\n    pub fn header\u003c\n        CB: FnOnce(JoseHeaderBuilder\u003cF, header::Jws\u003e) -\u003e JoseHeaderBuilder\u003cF, header::Jws\u003e,\n    \u003e(\n        mut self,\n        callback: CB,\n    ) -\u003e Self {\n        let mut header = match self.header {\n            Some(Ok(hdr)) =\u003e Ok(hdr),\n\n            // when there was an error setting the previous header,\n            // do not overwrite the header value, because we want\n            // to keep the error and report it in the `build` method\n            Some(Err(_)) =\u003e return self,\n\n            // this `Err` value is just used as a placeholder to be replaced\n            None =\u003e Err(JoseHeaderBuilderError::MissingAlgorithm),\n        };\n\n        let builder = JoseHeader::\u003cF, header::Jws\u003e::builder()\n            .algorithm(HeaderValue::Protected(JsonWebSigningAlgorithm::None));\n        let builder = callback(builder);\n\n        F::finalize_jws_header_builder(\u0026mut header, builder);\n        self.header = Some(header);\n\n        self\n    }\n\n    /// Finalizes this builder and returns the creates [`JsonWebSignature`].\n    ///\n    /// # Errors\n    ///\n    /// Fails if the supplied header parameters were invalid.\n    pub fn build\u003cT\u003e(self, payload: T) -\u003e Result\u003cJsonWebSignature\u003cF, T\u003e, JoseHeaderBuilderError\u003e {\n        let header = match self.header {\n            Some(hdr) =\u003e hdr?,\n            None =\u003e {\n                let default_header = JoseHeader::\u003cF, header::Jws\u003e::builder()\n                    .algorithm(HeaderValue::Protected(JsonWebSigningAlgorithm::None));\n\n                let mut header = Err(JoseHeaderBuilderError::MissingAlgorithm);\n                F::finalize_jws_header_builder(\u0026mut header, default_header);\n                header?\n            }\n        };\n\n        Ok(JsonWebSignature::new(header, payload))\n    }\n}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":0}},{"line":86,"address":[],"length":0,"stats":{"Line":0}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":90,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":94,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":22},{"path":["/","home","stu","dev","rust","jose","src","jws","sign.rs"],"content":"use core::fmt;\n\nuse crate::{\n    crypto,\n    format::Format,\n    jwa::{JsonWebAlgorithm, JsonWebSigningAlgorithm},\n    jwk::FromKey,\n};\n\n/// This type indicates that the inner value is signed using a [signing\n/// algorithm].\n///\n/// # Generic Arguments\n///\n/// - `T` is the inner type that is signed\n/// - `S` is the signature\n///\n/// [signing algorithm]: crate::jwa::JsonWebSigningAlgorithm\n#[derive(Debug, PartialEq, Eq, Hash)]\npub struct Signed\u003cF\u003e {\n    pub(crate) value: F,\n}\n\nimpl\u003cF: Format\u003e fmt::Display for Signed\u003cF\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Display::fmt(\u0026self.value, f)\n    }\n}\n\nimpl\u003cF: Format\u003e Signed\u003cF\u003e {\n    /// Encodes this signed value into the format of the signed JWS.\n    #[inline]\n    pub fn encode(self) -\u003e F {\n        self.value\n    }\n}\n\n/// This trait represents anything that can be used to sign a JWS, JWE, or\n/// whatever.\n///\n/// A message is signed by just passing the raw bytes that should be signed.\n///\n/// To be able to be used as a [`Signer`], one must provide the sign operation\n/// itself, and also needs to [specify the algorithm] used for signing. The\n/// algorithm will be used as the value for the `alg` field inside the\n/// [`JoseHeader`](crate::header::JoseHeader) for the signed type.\n///\n/// [specify the algorithm]: Signer::algorithm\npub trait Signer\u003cS: AsRef\u003c[u8]\u003e\u003e {\n    /// Signs a raw byte message using this signer, returning a signature.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the signing operation fails.\n    /// An error usually only appears when communicating with external signers.\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cS, crypto::Error\u003e;\n\n    /// Return the type of signing algorithm used by this signer.\n    fn algorithm(\u0026self) -\u003e JsonWebSigningAlgorithm;\n\n    /// JsonWebSignatures *can* contain a key id which is specified\n    /// by this method.\n    fn key_id(\u0026self) -\u003e Option\u003c\u0026str\u003e {\n        None\n    }\n\n    /// Returns a new [`Signer`] that wraps `self`, but returns `None` when\n    /// calling the `key_id` method.\n    fn without_key_id(self) -\u003e SignerWithoutKeyId\u003cSelf\u003e\n    where\n        Self: Sized,\n    {\n        SignerWithoutKeyId { inner: self }\n    }\n}\n\n/// Wrapper type around an existing [`Signer`] that will always return `None`\n/// for the key id.\n///\n/// This is useful if you parse a JWK, which has a Key ID, but you do not want\n/// to add this ID to the header in a JWS.\n#[derive(Debug, Clone)]\npub struct SignerWithoutKeyId\u003cS\u003e {\n    inner: S,\n}\n\nimpl\u003cSIG: AsRef\u003c[u8]\u003e, S: Signer\u003cSIG\u003e\u003e Signer\u003cSIG\u003e for SignerWithoutKeyId\u003cS\u003e {\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cSIG, crypto::Error\u003e {\n        S::sign(\u0026mut self.inner, msg)\n    }\n\n    fn algorithm(\u0026self) -\u003e JsonWebSigningAlgorithm {\n        S::algorithm(\u0026self.inner)\n    }\n\n    fn key_id(\u0026self) -\u003e Option\u003c\u0026str\u003e {\n        None\n    }\n}\n\n/// An error returned if something expected a different\n/// [`JsonWebAlgorithm`]\n#[derive(Debug, thiserror::Error, PartialEq, Eq)]\n#[error(\"Invalid algorithm\")]\npub struct InvalidSigningAlgorithmError;\n\n/// A trait to turn something into a [`Signer`].\n///\n/// Some key types like the [`Rsa`](crate::crypto::rsa::PrivateKey) key type\n/// need to know which [algorithm](JsonWebSigningAlgorithm) to use.\npub trait IntoSigner\u003cT, S\u003e\nwhere\n    T: Signer\u003cS\u003e,\n    S: AsRef\u003c[u8]\u003e,\n{\n    /// The error returned if the conversion failed\n    type Error;\n\n    /// Turn `self` into the [`Signer`] `T`\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the conversion failed\n    fn into_signer(self, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cT, Self::Error\u003e;\n}\n\nimpl\u003cK, T, S\u003e IntoSigner\u003cT, S\u003e for K\nwhere\n    T: FromKey\u003cK\u003e + Signer\u003cS\u003e,\n    S: AsRef\u003c[u8]\u003e,\n{\n    type Error = \u003cT as FromKey\u003cK\u003e\u003e::Error;\n\n    fn into_signer(self, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cT, Self::Error\u003e {\n        T::from_key(self, JsonWebAlgorithm::Signing(alg))\n    }\n}\n","traces":[{"line":25,"address":[],"length":0,"stats":{"Line":0}},{"line":26,"address":[],"length":0,"stats":{"Line":0}},{"line":33,"address":[],"length":0,"stats":{"Line":0}},{"line":34,"address":[],"length":0,"stats":{"Line":0}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":134,"address":[],"length":0,"stats":{"Line":0}},{"line":135,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":15},{"path":["/","home","stu","dev","rust","jose","src","jws","verify.rs"],"content":"use alloc::vec::Vec;\nuse core::ops::{Deref, DerefMut};\n\nuse thiserror::Error;\n\nuse super::JsonWebSignature;\nuse crate::{\n    crypto,\n    format::{DecodeFormat, DecodeFormatWithContext, Format, JsonGeneral},\n    jwa::{JsonWebAlgorithm, JsonWebSigningAlgorithm},\n    jwk::FromKey,\n};\n\n/// The error indicating if either the signature is invalid, or if the\n/// cyptographic operation failed.\n#[derive(Debug, Error)]\npub enum VerifyError {\n    /// The signature is invalid.\n    #[error(\"signature is invalid\")]\n    InvalidSignature,\n\n    /// The crypto backend threw an error.\n    #[error(\"crypto backend error\")]\n    CryptoBackend(\n        #[from]\n        #[source]\n        crypto::Error,\n    ),\n}\n\n/// This trait represents anything that can be used to verify a JWS, JWE, or\n/// whatever.\npub trait Verifier {\n    /// The `verify` operation.\n    ///\n    /// If the message is valid, returns `Ok(())`.\n    ///\n    /// # Errors\n    ///\n    /// Returns [`VerifyError`] if anything went wrong during signature\n    /// verification or if the signature is just invalid.\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), VerifyError\u003e;\n}\n\n/// This wrapper type represents a [JWS](crate::JsonWebSignature) that was\n/// parsed from user input, but the data integrity was not verified, thus it\n/// might contain corrupted or malicious data.\n///\n/// An [`Unverified`] struct can be verified using the [`verify`](Self::verify)\n/// method.\n#[derive(Debug)]\npub struct Unverified\u003cT\u003e {\n    pub(crate) value: T,\n    pub(crate) signature: Vec\u003cu8\u003e,\n    pub(crate) msg: Vec\u003cu8\u003e,\n}\n\nimpl\u003cT\u003e Unverified\u003cT\u003e {\n    /// Parse the input format to an unverified representation of `T`.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the input format has an invalid representation for\n    /// the `T` type.\n    pub fn decode\u003cF: Format\u003e(input: F) -\u003e Result\u003cSelf, T::Error\u003e\n    where\n        T: DecodeFormat\u003cF, Decoded\u003cT\u003e = Unverified\u003cT\u003e\u003e,\n    {\n        T::decode(input)\n    }\n\n    /// Parse the input format to an unverified representation of `T`, with the\n    /// given context.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the input format has an invalid representation for\n    /// the `T` type.\n    pub fn decode_with_context\u003cF: Format, C\u003e(input: F, context: \u0026C) -\u003e Result\u003cSelf, T::Error\u003e\n    where\n        T: DecodeFormatWithContext\u003cF, C, Decoded\u003cT\u003e = Unverified\u003cT\u003e\u003e,\n    {\n        T::decode_with_context(input, context)\n    }\n\n    /// Verify this struct using the given verifier, returning a [`Verified`]\n    /// representation of the inner type.\n    ///\n    /// # Errors\n    ///\n    /// Returns [`VerifyError`] if anything went wrong during signature\n    /// verification or if the signature is just invalid.\n    pub fn verify(self, verifier: \u0026mut dyn Verifier) -\u003e Result\u003cVerified\u003cT\u003e, VerifyError\u003e {\n        verifier.verify(\u0026self.msg, \u0026self.signature)?;\n        Ok(Verified(self.value))\n    }\n}\n\nimpl\u003cT, F\u003e Unverified\u003cJsonWebSignature\u003cF, T\u003e\u003e\nwhere\n    F: Format,\n{\n    /// Exposes the **unverified** [`JoseHeader`](crate::JoseHeader) of this\n    /// [`JsonWebSignature`]\n    ///\n    /// You usually **should not use this method**. Instead, verify the\n    /// [`JsonWebSignature`] and potentially protected headers first, to avoid\n    /// creating security vulnerabilities.\n    ///\n    /// # When to use\n    ///\n    /// One use case is to determine which key was used to create this signature\n    /// in the first place. For example, consider you have a list of public\n    /// keys used by the same party. If you were not able to peek inside to\n    /// get a hint of the key used, for example via\n    /// [`JoseHeader::key_identifier`](crate::JoseHeader::key_identifier), you\n    /// would have to try each key until either a signature is valid or\n    /// there are no keys left.\n    ///\n    /// However, note that, since the header is not verified yet, an attacker\n    /// can spoof the key hint. For example, you MUST still make sure that the\n    /// key in the hint is actually established and does not belong to some\n    /// other party which might still be in your list of keys but is unrelated.\n    ///\n    /// # Security\n    ///\n    /// Every security garantee given by this crate is broken for the returned\n    /// [`JoseHeader`](crate::JoseHeader), including\n    /// [`HeaderValue::Protected`](crate::header::HeaderValue). Thus, you should\n    /// use this method only within isolated code regions.\n    pub fn expose_unverified_header(\u0026self) -\u003e \u0026F::JwsHeader {\n        \u0026self.value.header\n    }\n\n    /// Exposes the **unverified** [`payload`](JsonWebSignature::payload) of\n    /// this [`JsonWebSignature`]\n    ///\n    /// You **should never have the need to use this method**. If you have\n    /// information in the payload that you need in order to verify the\n    /// signature, you are using it wrong. Instead, such information should be\n    /// put in the [`JoseHeader`](crate::JoseHeader) and can be accessed via\n    /// [`expose_unverified_header]`](Self::expose_unverified_header).\n    ///\n    /// # Security\n    ///\n    /// Every security garantee given by this crate is broken for the returned\n    /// payload `T`. Thus, you should use this method only within isolated code\n    /// regions.\n    pub fn expose_unverified_payload(\u0026self) -\u003e \u0026T {\n        \u0026self.value.payload\n    }\n\n    /// Exposes the **unverified** raw signature in its byte representation\n    ///\n    /// Note: raw means that it is already base64 decoded.\n    ///\n    /// There is absolutely no reason to use this method. If you want to use\n    /// your own code for verification, you should create your own [`Verifier`]\n    /// instead.\n    pub fn expose_unverified_raw_signature(\u0026self) -\u003e \u0026[u8] {\n        self.signature.as_slice()\n    }\n}\n\n/// This wrapper type represents a [JWS](crate::JsonWebSignature) that was\n/// parsed from user input, but the data integrity was not verified, thus it\n/// might contain corrupted or malicious data.\n///\n/// Compared to [`Unverified`] this type can contain multiple signatures that\n/// need to be verified. An instance of this type can only be obtained by\n/// decoding a JWS using the [`JsonGeneral`] format.\n#[derive(Debug)]\npub struct ManyUnverified\u003cT\u003e {\n    pub(crate) value: T,\n    // Vec\u003c(msg, signature)\u003e\n    pub(crate) signatures: Vec\u003c(Vec\u003cu8\u003e, Vec\u003cu8\u003e)\u003e,\n}\n\nimpl\u003cT\u003e ManyUnverified\u003cT\u003e {\n    /// Parses a JWS in the [`JsonGeneral`] format into an unverified\n    /// representation of `T`.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the input format has an invalid representation for\n    /// the `T` type.\n    pub fn decode(input: JsonGeneral) -\u003e Result\u003cSelf, T::Error\u003e\n    where\n        T: DecodeFormat\u003cJsonGeneral, Decoded\u003cT\u003e = ManyUnverified\u003cT\u003e\u003e,\n    {\n        T::decode(input)\n    }\n\n    /// Returns the number of signatures in this JWS.\n    pub fn signature_count(\u0026self) -\u003e usize {\n        self.signatures.len()\n    }\n\n    /// Verify this struct using the given verifies, returning a [`Verified`]\n    /// representation of the inner type.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the number of verifiers does not match the number of\n    /// signatures, or if anything went wrong during a signature\n    /// verification or if one of the signatures is just invalid.\n    // TODO: consider using a more specific error type to give the usermore\n    // information about the error\n    pub fn verify_many\u003c'a\u003e(\n        self,\n        verifiers: impl IntoIterator\u003cItem = \u0026'a mut dyn Verifier\u003e,\n    ) -\u003e Result\u003cVerified\u003cT\u003e, VerifyError\u003e {\n        let verifiers = verifiers.into_iter().collect::\u003cVec\u003c_\u003e\u003e();\n        if verifiers.len() != self.signatures.len() {\n            return Err(VerifyError::InvalidSignature);\n        }\n\n        for (verifier, (msg, signature)) in verifiers.into_iter().zip(self.signatures) {\n            verifier.verify(\u0026msg, \u0026signature)?;\n        }\n\n        Ok(Verified(self.value))\n    }\n}\n\nimpl\u003cT, F\u003e ManyUnverified\u003cJsonWebSignature\u003cF, T\u003e\u003e\nwhere\n    F: Format,\n{\n    /// Exposes the **unverified** [`JoseHeader`](crate::JoseHeader) of this\n    /// [`JsonWebSignature`]\n    ///\n    /// You usually **should not use this method**. Instead, verify the\n    /// [`JsonWebSignature`] and potentially protected headers first, to avoid\n    /// creating security vulnerabilities.\n    ///\n    /// # When to use\n    ///\n    /// One use case is to determine which key was used to create this signature\n    /// in the first place. For example, consider you have a list of public\n    /// keys used by the same party. If you were not able to peek inside to\n    /// get a hint of the key used, for example via\n    /// [`JoseHeader::key_identifier`](crate::JoseHeader::key_identifier), you\n    /// would have to try each key until either a signature is valid or\n    /// there are no keys left.\n    ///\n    /// However, note that, since the header is not verified yet, an attacker\n    /// can spoof the key hint. For example, you MUST still make sure that the\n    /// key in the hint is actually established and does not belong to some\n    /// other party which might still be in your list of keys but is unrelated.\n    ///\n    /// # Security\n    ///\n    /// Every security garantee given by this crate is broken for the returned\n    /// [`JoseHeader`](crate::JoseHeader), including\n    /// [`HeaderValue::Protected`](crate::header::HeaderValue). Thus, you should\n    /// use this method only within isolated code regions.\n    pub fn expose_unverified_header(\u0026self) -\u003e \u0026F::JwsHeader {\n        \u0026self.value.header\n    }\n\n    /// Exposes the **unverified** [`payload`](JsonWebSignature::payload) of\n    /// this [`JsonWebSignature`]\n    ///\n    /// You **should never have the need to use this method**. If you have\n    /// information in the payload that you need in order to verify the\n    /// signature, you are using it wrong. Instead, such information should be\n    /// put in the [`JoseHeader`](crate::JoseHeader) and can be accessed via\n    /// [`expose_unverified_header]`](Self::expose_unverified_header).\n    ///\n    /// # Security\n    ///\n    /// Every security garantee given by this crate is broken for the returned\n    /// payload `T`. Thus, you should use this method only within isolated code\n    /// regions.\n    pub fn expose_unverified_payload(\u0026self) -\u003e \u0026T {\n        \u0026self.value.payload\n    }\n\n    /// Exposes an [`Iterator`] over the **unverified** signatures and their\n    /// corresponding messages.\n    ///\n    /// It returns an [`Iterator`] over `(message, signature)` for each\n    /// signature. Note: raw means that they are already base64 decoded.\n    ///\n    /// There is absolutely no reason to use this method. If you want to use\n    /// your own code for verification, you should create your own [`Verifier`]\n    /// instead.\n    pub fn expose_unverified_raw_signatures(\u0026self) -\u003e impl Iterator\u003cItem = (\u0026[u8], \u0026[u8])\u003e {\n        self.signatures\n            .iter()\n            .map(|(msg, sig)| (msg.as_slice(), sig.as_slice()))\n    }\n}\n\n/// Wrapper type around a JWS, or JWE that was verified using a [`Verifier`].\n#[derive(Debug)]\npub struct Verified\u003cT\u003e(T);\n\nimpl\u003cT\u003e Verified\u003cT\u003e {\n    /// Turns self into it's inner `T`.\n    pub fn into_inner(self) -\u003e T {\n        self.0\n    }\n}\n\nimpl\u003cT\u003e Deref for Verified\u003cT\u003e {\n    type Target = T;\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        \u0026self.0\n    }\n}\n\nimpl\u003cT\u003e DerefMut for Verified\u003cT\u003e {\n    fn deref_mut(\u0026mut self) -\u003e \u0026mut Self::Target {\n        \u0026mut self.0\n    }\n}\n\n/// A trait to turn something into a [`Verifier`]\n///\n/// Some key types like the [`Rsa`](crate::crypto::rsa::PublicKey) key type need\n/// to know which [algorithm](JsonWebSigningAlgorithm) to use.\npub trait IntoVerifier\u003cV\u003e\nwhere\n    V: Verifier,\n{\n    /// The error returned if the conversion failed\n    type Error;\n\n    /// Turn `self` into the [`Verifier`] `V`\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the conversion failed\n    fn into_verifier(self, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cV, Self::Error\u003e;\n}\n\nimpl\u003cK, V\u003e IntoVerifier\u003cV\u003e for K\nwhere\n    V: FromKey\u003cK\u003e + Verifier,\n{\n    type Error = \u003cV as FromKey\u003cK\u003e\u003e::Error;\n\n    fn into_verifier(self, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cV, Self::Error\u003e {\n        V::from_key(self, JsonWebAlgorithm::Signing(alg))\n    }\n}\n","traces":[{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":79,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":94,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":149,"address":[],"length":0,"stats":{"Line":0}},{"line":150,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":0}},{"line":161,"address":[],"length":0,"stats":{"Line":0}},{"line":187,"address":[],"length":0,"stats":{"Line":0}},{"line":191,"address":[],"length":0,"stats":{"Line":0}},{"line":195,"address":[],"length":0,"stats":{"Line":0}},{"line":196,"address":[],"length":0,"stats":{"Line":0}},{"line":209,"address":[],"length":0,"stats":{"Line":0}},{"line":213,"address":[],"length":0,"stats":{"Line":0}},{"line":214,"address":[],"length":0,"stats":{"Line":0}},{"line":215,"address":[],"length":0,"stats":{"Line":0}},{"line":218,"address":[],"length":0,"stats":{"Line":0}},{"line":219,"address":[],"length":0,"stats":{"Line":0}},{"line":222,"address":[],"length":0,"stats":{"Line":0}},{"line":258,"address":[],"length":0,"stats":{"Line":0}},{"line":259,"address":[],"length":0,"stats":{"Line":0}},{"line":276,"address":[],"length":0,"stats":{"Line":0}},{"line":277,"address":[],"length":0,"stats":{"Line":0}},{"line":289,"address":[],"length":0,"stats":{"Line":0}},{"line":290,"address":[],"length":0,"stats":{"Line":0}},{"line":292,"address":[],"length":0,"stats":{"Line":0}},{"line":302,"address":[],"length":0,"stats":{"Line":0}},{"line":303,"address":[],"length":0,"stats":{"Line":0}},{"line":310,"address":[],"length":0,"stats":{"Line":0}},{"line":311,"address":[],"length":0,"stats":{"Line":0}},{"line":316,"address":[],"length":0,"stats":{"Line":0}},{"line":317,"address":[],"length":0,"stats":{"Line":0}},{"line":346,"address":[],"length":0,"stats":{"Line":0}},{"line":347,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":39},{"path":["/","home","stu","dev","rust","jose","src","jws.rs"],"content":"//! Implementation of JSON Web Signature (JWS) as defined in [RFC 7515]\n//!\n//! [RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515\u003e\n\nuse alloc::{format, string::String, vec, vec::Vec};\n\nuse thiserror::Error;\n\nuse crate::{\n    crypto,\n    format::{\n        Compact, DecodeFormat, DecodeFormatWithContext, Format, JsonFlattened, JsonGeneral,\n        JsonGeneralSignature,\n    },\n    header, Base64UrlString, JoseHeader,\n};\n\nmod builder;\nmod sign;\nmod verify;\n\n#[doc(inline)]\npub use {builder::*, sign::*, verify::*};\n\n// FIXME: check section 5.3. (string comparison) and verify correctness\n// FIXME: protected headers\n// FIXME: unencoded payload (IMPORTANT: check that string is all ascii, except\n// `.` character)\n\n/// The kind of payload used in a JWS.\n///\n/// Kind means that a payload data is either attached, or detached.\n#[derive(Debug, Clone, Hash, PartialEq, Eq)]\npub enum PayloadKind {\n    /// Attached payload.\n    ///\n    /// The payload data will be put into the JWS.\n    /// This is the standard kind.\n    Attached(PayloadData),\n\n    /// Detached payload.\n    ///\n    /// Detached payload is a special payload\n    /// representation of a JWS, specified\n    /// in [Appendix F](https://datatracker.ietf.org/doc/html/rfc7515#appendix-F)\n    /// of the JWS RFC.\n    ///\n    /// Essentially, the payload is not put into the JWS,\n    /// instead it's only used for signing.\n    Detached(PayloadData),\n}\n\n/// The raw payload data that should be stored in the JWS.\n#[derive(Debug, Clone, Hash, PartialEq, Eq)]\npub enum PayloadData {\n    /// The given base64 string will just be used as the payload.\n    Standard(Base64UrlString),\n}\n\n/// Represents anything that can be serialized into a raw payload.\n///\n/// This is required to be implemented when trying to sign a JWS, or encrypt a\n/// JWE.\n///\n/// # Examples\n///\n/// ```\n/// # extern crate alloc;\n/// # use alloc::string::{FromUtf8Error, String};\n/// # use core::convert::Infallible;\n/// # use jose::Base64UrlString;\n/// # use jose::jws::{FromRawPayload, IntoPayload, PayloadKind, PayloadData};\n///\n/// #[derive(Debug, PartialEq, Eq)]\n/// struct StringPayload(String);\n///\n/// impl IntoPayload for StringPayload {\n///     type Error = Infallible;\n///\n///     fn into_payload(self) -\u003e Result\u003cPayloadKind, Self::Error\u003e {\n///         let s = Base64UrlString::encode(self.0);\n///         Ok(PayloadKind::Attached(PayloadData::Standard(s)))\n///     }\n/// }\n/// ```\npub trait IntoPayload {\n    /// The error that can occurr while providing the payload in the\n    /// [`Self::into_payload`] method.\n    type Error;\n\n    /// First, this method must insert the raw bytes representation of this\n    /// payload into the given `digest`, which is later used for creating the\n    /// signature. Then the method must return the [kind of\n    /// payload](PayloadKind) to use in the resulting JWS.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if it failed to provide the payload.\n    fn into_payload(self) -\u003e Result\u003cPayloadKind, Self::Error\u003e;\n}\n\n/// Represents anything that can be parsed from a raw payload.\n///\n/// This is required to be implemented when trying to decoe a JWS, or encrypt a\n/// JWE, from it's format representation.\npub trait FromRawPayload: Sized {\n    /// The error that can occurr in any of the `from_*` methods.\n    type Error;\n\n    /// The additional context that is passed when decoding a payload.\n    type Context;\n\n    /// Converts a standard, attached [`PayloadData`] into this payload type.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the operation failed.\n    fn from_attached(context: \u0026Self::Context, payload: PayloadData) -\u003e Result\u003cSelf, Self::Error\u003e;\n\n    /// Construts this payload type from a detached content.\n    ///\n    /// For context, the header of the JWS will be provided,\n    /// to get / construct the payload.\n    ///\n    /// In addition to `Self`, the raw payload data must be\n    /// returned, in order to verify the signature.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the operation failed.\n    fn from_detached\u003cF, T\u003e(\n        context: \u0026Self::Context,\n        header: \u0026JoseHeader\u003cF, T\u003e,\n    ) -\u003e Result\u003c(Self, PayloadData), Self::Error\u003e;\n\n    /// Construts this payload type from a detached content.\n    ///\n    /// This method is only used when verifying JWS in JSON General format.\n    /// For context, all the header of the JWS will be provided,\n    /// to get / construct the payload.\n    ///\n    /// In addition to `Self`, the raw payload data must be\n    /// returned, in order to verify the signature.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the operation failed.\n    fn from_detached_many\u003cF, T\u003e(\n        context: \u0026Self::Context,\n        headers: \u0026[JoseHeader\u003cF, T\u003e],\n    ) -\u003e Result\u003c(Self, PayloadData), Self::Error\u003e;\n}\n\n/// Different kinds of errors that can occurr while signing a JWS.\n#[derive(Debug, Error)]\npub enum SignError\u003cP\u003e {\n    /// The number of headers in the JWS does not match the number of\n    /// [`Signer`]s.\n    ///\n    /// This error is only possible when using the [`JsonGeneral`] format.\n    #[error(\"the number of headers does not match the number of signers\")]\n    HeaderCountMismatch,\n    /// Failed to serialize the [`JoseHeader`].\n    #[error(\"failed to serialize header: {0}\")]\n    SerializeHeader(#[source] serde_json::Error),\n    /// The `protected` part of the header was empty, which is disallowed in the\n    /// compact format.\n    #[error(\"the protected header was empty on a compact JWS\")]\n    EmptyProtectedHeader,\n    /// The header of the JWS is invalid.\n    #[error(\"invalid JWS header: {0}\")]\n    InvalidHeader(#[source] header::Error),\n    /// The underlying signing operation of the given signer failed.\n    #[error(transparent)]\n    Sign(crypto::Error),\n    /// Failed to convert payload into it's raw byte representation.\n    #[error(transparent)]\n    Payload(P),\n}\n\n/// Represents a JSON Web Signature (JWS) as defined in [RFC 7515].\n///\n/// The JWS is a format for representing digitally signed or MACed (Message\n/// Authentication Code) content using JSON. The JSON representation is used\n/// to convey the payload, the signature, and optionally additional meta-data\n/// about the payload and signature.\n///\n/// The [`JsonWebSignature`] struct has two type parameters:\n///\n/// * `F`: The format of the JWS. This can be either [`Compact`] or\n///   [`JsonFlattened`].\n/// * `T`: The type of the payload. This can be any type that implements the\n///   [`IntoPayload`] trait and also the [`FromRawPayload`] trait.\n///\n/// [RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515\u003e\n#[derive(Debug)]\npub struct JsonWebSignature\u003cF: Format, T = ()\u003e {\n    header: F::JwsHeader,\n    payload: T,\n}\n\nimpl\u003cF: Format\u003e JsonWebSignature\u003cF, ()\u003e {\n    /// Constructs a [`JsonWebSignatureBuilder`].\n    pub fn builder() -\u003e JsonWebSignatureBuilder\u003cF\u003e {\n        JsonWebSignatureBuilder::new()\n    }\n}\n\nimpl\u003cF: Format, T\u003e JsonWebSignature\u003cF, T\u003e {\n    pub(crate) fn new(header: F::JwsHeader, payload: T) -\u003e Self {\n        Self { header, payload }\n    }\n\n    /// Returns a reference to the payload of this JWS.\n    pub fn payload(\u0026self) -\u003e \u0026T {\n        \u0026self.payload\n    }\n}\n\nimpl\u003cT\u003e JsonWebSignature\u003cCompact, T\u003e {\n    /// Returns a reference to the [`JoseHeader`] of\n    /// this JWS.\n    pub fn header(\u0026self) -\u003e \u0026JoseHeader\u003cCompact, header::Jws\u003e {\n        \u0026self.header\n    }\n}\n\nimpl\u003cT\u003e JsonWebSignature\u003cJsonFlattened, T\u003e {\n    /// Returns a reference to the [`JoseHeader`] of\n    /// this JWS.\n    pub fn header(\u0026self) -\u003e \u0026JoseHeader\u003cJsonFlattened, header::Jws\u003e {\n        \u0026self.header\n    }\n}\n\nimpl\u003cT\u003e JsonWebSignature\u003cJsonGeneral, T\u003e {\n    /// Returns a reference to the list of [`JoseHeader`] of this JWS.\n    pub fn header(\u0026self) -\u003e \u0026Vec\u003cJoseHeader\u003cJsonGeneral, header::Jws\u003e\u003e {\n        \u0026self.header\n    }\n}\n\nimpl\u003cF: Format, T: IntoPayload\u003e JsonWebSignature\u003cF, T\u003e {\n    /// Signs this [`JsonWebSignature`] using the given `signer`.\n    ///\n    /// When signing the JWS, some fields of the header of this JWS may be\n    /// updated. For example, the `alg` header parameter will be updated to\n    /// reflect the algorithm used to sign the JWS, and the `kid` header\n    /// parameter may be updated using the value from the given [`Signer`].\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if any step of the signing operation failed.\n    /// This may include:\n    /// - The header is invalid or failed to serialize.\n    /// - The header is invalid after updating it with the given signer.\n    /// - The underlying signing operation of the given signer failed.\n    /// - The payload failed to provide it's raw byte representation.\n    pub fn sign\u003cS: AsRef\u003c[u8]\u003e\u003e(\n        mut self,\n        signer: \u0026mut dyn Signer\u003cS\u003e,\n    ) -\u003e Result\u003cSigned\u003cF\u003e, SignError\u003cT::Error\u003e\u003e {\n        F::update_header(\u0026mut self.header, signer);\n\n        let serialized_header = F::serialize_header(self.header).map_err(|x| match x {\n            SignError::HeaderCountMismatch =\u003e SignError::HeaderCountMismatch,\n            SignError::SerializeHeader(x) =\u003e SignError::SerializeHeader(x),\n            SignError::InvalidHeader(x) =\u003e SignError::InvalidHeader(x),\n            SignError::EmptyProtectedHeader =\u003e SignError::EmptyProtectedHeader,\n            SignError::Sign(x) =\u003e SignError::Sign(x),\n            SignError::Payload(x) =\u003e match x {},\n        })?;\n\n        let mut msg = F::message_from_header(\u0026serialized_header)\n            .map(|x| x.to_vec())\n            .unwrap_or_default();\n        msg.push(b'.');\n\n        let payload = self.payload.into_payload().map_err(SignError::Payload)?;\n        let payload = match payload {\n            PayloadKind::Attached(PayloadData::Standard(b64)) =\u003e {\n                msg.extend(b64.as_bytes());\n                Some(PayloadData::Standard(b64))\n            }\n            PayloadKind::Detached(PayloadData::Standard(b64)) =\u003e {\n                msg.extend(b64.as_bytes());\n                None\n            }\n        };\n\n        let signature = signer.sign(\u0026msg).map_err(SignError::Sign)?;\n\n        Ok(Signed {\n            value: F::finalize(serialized_header, payload, signature.as_ref())\n                .map_err(SignError::SerializeHeader)?,\n        })\n    }\n}\n\nimpl\u003cT: IntoPayload\u003e JsonWebSignature\u003cJsonGeneral, T\u003e {\n    /// Signs this JWS using multiple signers.\n    ///\n    /// This is only supported when the JWS is in the [`JsonGeneral`] format.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the length of the given iterator of signers does\n    /// not match the number of headers in this JWS.\n    /// Otherwise, this method may return the same errors as the normal sign\n    /// operation.\n    pub fn sign_many\u003c's, S: AsRef\u003c[u8]\u003e + 's\u003e(\n        self,\n        signers: impl IntoIterator\u003cItem = \u0026's mut dyn Signer\u003cS\u003e\u003e,\n    ) -\u003e Result\u003cSigned\u003cJsonGeneral\u003e, SignError\u003cT::Error\u003e\u003e {\n        if self.header.is_empty() {\n            // this is unreachable right now, but we don't want to panic, so just return a\n            // kind of matching error\n            return Err(SignError::HeaderCountMismatch);\n        }\n\n        let signers = signers.into_iter().collect::\u003cVec\u003c_\u003e\u003e();\n\n        if signers.len() != self.header.len() {\n            return Err(SignError::HeaderCountMismatch);\n        }\n\n        let payload = self.payload.into_payload().map_err(SignError::Payload)?;\n        let payload_msg = match payload {\n            PayloadKind::Attached(PayloadData::Standard(ref b64)) =\u003e b64.as_bytes(),\n            PayloadKind::Detached(PayloadData::Standard(ref b64)) =\u003e b64.as_bytes(),\n        };\n\n        let mut signatures = vec![];\n\n        for (mut hdr, signer) in self.header.into_iter().zip(signers) {\n            hdr.overwrite_alg_and_key_id(signer.algorithm(), signer.key_id());\n\n            let mut msg = vec![];\n\n            let serialized_hdr = {\n                let (protected, unprotected) =\n                    hdr.into_values().map_err(SignError::InvalidHeader)?;\n\n                let protected = match protected {\n                    Some(hdr) =\u003e {\n                        let json =\n                            serde_json::to_string(\u0026hdr).map_err(SignError::SerializeHeader)?;\n\n                        let encoded = Base64UrlString::encode(json);\n                        msg.extend(encoded.as_bytes());\n                        Some(encoded)\n                    }\n                    None =\u003e None,\n                };\n\n                (protected, unprotected)\n            };\n\n            msg.push(b'.');\n            msg.extend(payload_msg);\n\n            let signature = signer.sign(\u0026msg).map_err(SignError::Sign)?;\n\n            signatures.push(JsonGeneralSignature {\n                protected: serialized_hdr.0,\n                header: serialized_hdr.1,\n                signature: Base64UrlString::encode(signature.as_ref()),\n            });\n        }\n\n        let payload = match payload {\n            PayloadKind::Attached(PayloadData::Standard(s)) =\u003e Some(s),\n            PayloadKind::Detached(_) =\u003e None,\n        };\n\n        Ok(Signed {\n            value: JsonGeneral {\n                payload,\n                signatures,\n            },\n        })\n    }\n}\n\n/// Different kinds of errors that can occurr while parsing a JWS from it's\n/// compact format.\n#[derive(Debug, Error)]\npub enum ParseCompactError\u003cP\u003e {\n    /// `crit` header field contained an unsupported name.\n    #[error(\"encountered unsupported critical headers (crit header field)\")]\n    UnsupportedCriticalHeader,\n    /// One of the parts was invalid UTF8\n    #[error(\"one of the parts was an invalid UTF-8 byte sequence\")]\n    InvalidUtf8Encoding,\n    /// One of the parts was an invalid Json string\n    #[error(\"one of the parts was an invalid json string\")]\n    InvalidJson(#[source] serde_json::Error),\n    /// The header of the JWS is invalid.\n    #[error(\"invalid JWS header: {0}\")]\n    InvalidHeader(#[source] header::Error),\n    /// Got a `Compact` with less or more than three elements.\n    #[error(\"got compact representation that didn't have 3 parts\")]\n    InvalidLength,\n    /// Failed to parse the payload.\n    #[error(transparent)]\n    Payload(P),\n}\n\nimpl\u003cF: Format, T\u003e crate::sealed::Sealed for JsonWebSignature\u003cF, T\u003e {}\n\nimpl\u003cT: FromRawPayload\u003cContext = ()\u003e\u003e DecodeFormat\u003cCompact\u003e for JsonWebSignature\u003cCompact, T\u003e {\n    type Decoded\u003cD\u003e = Unverified\u003cD\u003e;\n    type Error = ParseCompactError\u003cT::Error\u003e;\n\n    fn decode(input: Compact) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e {\n        Self::decode_with_context(input, \u0026())\n    }\n}\n\nimpl\u003cC, T: FromRawPayload\u003cContext = C\u003e\u003e DecodeFormatWithContext\u003cCompact, C\u003e\n    for JsonWebSignature\u003cCompact, T\u003e\n{\n    type Decoded\u003cD\u003e = Unverified\u003cD\u003e;\n    type Error = ParseCompactError\u003cT::Error\u003e;\n\n    fn decode_with_context(input: Compact, context: \u0026C) -\u003e Result\u003cUnverified\u003cSelf\u003e, Self::Error\u003e {\n        if input.len() != 3 {\n            return Err(ParseCompactError::InvalidLength);\n        }\n\n        let (header, raw_header) = {\n            let raw = input.part(0).expect(\"`len()` is checked above to be 3\");\n            let json = String::from_utf8(raw.decode())\n                .map_err(|_| ParseCompactError::InvalidUtf8Encoding)?;\n\n            let header = serde_json::from_str::\u003cserde_json::Map\u003cString, serde_json::Value\u003e\u003e(\u0026json)\n                .map_err(ParseCompactError::InvalidJson)?;\n\n            let header = JoseHeader::from_values(Some(header), None)\n                .map_err(ParseCompactError::InvalidHeader)?;\n\n            (header, raw)\n        };\n\n        let (payload, raw_payload) = {\n            let raw = input.part(1).expect(\"`len()` is checked above to be 3\");\n\n            // if payload is empty, detached payload\n            let (payload, raw) = if raw.is_empty() {\n                T::from_detached(context, \u0026header).map_err(ParseCompactError::Payload)?\n            } else {\n                let data = PayloadData::Standard(raw.clone());\n\n                (\n                    T::from_attached(context, data.clone()).map_err(ParseCompactError::Payload)?,\n                    data,\n                )\n            };\n\n            (payload, raw)\n        };\n        let PayloadData::Standard(raw_payload) = raw_payload;\n\n        let signature = input.part(2).expect(\"`len()` is checked above to be 3\");\n\n        let msg = format!(\"{raw_header}.{raw_payload}\");\n\n        Ok(Unverified {\n            value: JsonWebSignature { header, payload },\n            signature: signature.decode(),\n            msg: msg.into_bytes(),\n        })\n    }\n}\n\nfn parse_json_header\u003cF: Format, E\u003e(\n    protected: Option\u003c\u0026Base64UrlString\u003e,\n    header: Option\u003cserde_json::Map\u003cString, serde_json::Value\u003e\u003e,\n) -\u003e Result\u003cJoseHeader\u003cF, header::Jws\u003e, ParseJsonError\u003cE\u003e\u003e {\n    let protected = match protected {\n        Some(encoded) =\u003e {\n            let json = String::from_utf8(encoded.decode())\n                .map_err(|_| ParseJsonError::InvalidUtf8Encoding)?;\n\n            let values = serde_json::from_str::\u003cserde_json::Map\u003cString, serde_json::Value\u003e\u003e(\u0026json)\n                .map_err(ParseJsonError::InvalidJson)?;\n            Some(values)\n        }\n        None =\u003e None,\n    };\n\n    JoseHeader::from_values(protected, header).map_err(ParseJsonError::InvalidHeader)\n}\n\n/// Different kinds of errors that can occurr while parsing a JWS from it's\n/// JSON, general or flattened, format.\n#[derive(Debug, Error)]\npub enum ParseJsonError\u003cP\u003e {\n    /// The `signatures` array was empty.\n    ///\n    /// This error can only happen when decoding the [`JsonGeneral`] format.\n    #[error(\"the signatures array was empty\")]\n    EmptySignatures,\n    /// The header of the JWS is invalid.\n    #[error(\"invalid JWS header: {0}\")]\n    InvalidHeader(#[source] header::Error),\n    /// The protected header or signature contained invalid UTF-8\n    #[error(\"protected header or signature contained invalid UTF-8\")]\n    InvalidUtf8Encoding,\n    /// The protected header contained invalid JSON\n    #[error(\"protected header contained invalid JSON\")]\n    InvalidJson(#[source] serde_json::Error),\n    /// Failed to parse the payload.\n    #[error(transparent)]\n    Payload(P),\n}\n\nimpl\u003cT: FromRawPayload\u003cContext = ()\u003e\u003e DecodeFormat\u003cJsonFlattened\u003e\n    for JsonWebSignature\u003cJsonFlattened, T\u003e\n{\n    type Decoded\u003cD\u003e = Unverified\u003cD\u003e;\n    type Error = ParseJsonError\u003cT::Error\u003e;\n\n    fn decode(input: JsonFlattened) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e {\n        Self::decode_with_context(input, \u0026())\n    }\n}\n\nimpl\u003cC, T: FromRawPayload\u003cContext = C\u003e\u003e DecodeFormatWithContext\u003cJsonFlattened, C\u003e\n    for JsonWebSignature\u003cJsonFlattened, T\u003e\n{\n    type Decoded\u003cD\u003e = Unverified\u003cD\u003e;\n    type Error = ParseJsonError\u003cT::Error\u003e;\n\n    fn decode_with_context(\n        JsonFlattened {\n            payload,\n            protected,\n            header,\n            signature,\n        }: JsonFlattened,\n        context: \u0026C,\n    ) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e {\n        let protected_str = protected.clone().unwrap_or_default().into_inner();\n        let header = parse_json_header(protected.as_ref(), header)?;\n\n        let (payload, raw_payload) = match payload {\n            Some(b64) =\u003e (\n                T::from_attached(context, PayloadData::Standard(b64.clone()))\n                    .map_err(ParseJsonError::Payload)?,\n                PayloadData::Standard(b64),\n            ),\n            None =\u003e T::from_detached(context, \u0026header).map_err(ParseJsonError::Payload)?,\n        };\n        let PayloadData::Standard(raw_payload) = raw_payload;\n\n        let msg = format!(\"{protected_str}.{raw_payload}\");\n        Ok(Unverified {\n            value: JsonWebSignature { header, payload },\n            signature: signature.decode(),\n            msg: msg.into_bytes(),\n        })\n    }\n}\n\nimpl\u003cT: FromRawPayload\u003cContext = ()\u003e\u003e DecodeFormat\u003cJsonGeneral\u003e\n    for JsonWebSignature\u003cJsonGeneral, T\u003e\n{\n    type Decoded\u003cD\u003e = ManyUnverified\u003cD\u003e;\n    type Error = ParseJsonError\u003cT::Error\u003e;\n\n    fn decode(input: JsonGeneral) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e {\n        Self::decode_with_context(input, \u0026())\n    }\n}\n\nimpl\u003cC, T: FromRawPayload\u003cContext = C\u003e\u003e DecodeFormatWithContext\u003cJsonGeneral, C\u003e\n    for JsonWebSignature\u003cJsonGeneral, T\u003e\n{\n    type Decoded\u003cD\u003e = ManyUnverified\u003cD\u003e;\n    type Error = ParseJsonError\u003cT::Error\u003e;\n\n    fn decode_with_context(\n        JsonGeneral {\n            payload,\n            signatures,\n        }: JsonGeneral,\n        context: \u0026C,\n    ) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e {\n        if signatures.is_empty() {\n            return Err(ParseJsonError::EmptySignatures);\n        }\n\n        let mut headers = Vec::with_capacity(signatures.len());\n        let mut sigs = Vec::with_capacity(signatures.len());\n\n        for sig in signatures {\n            let header = parse_json_header(sig.protected.as_ref(), sig.header)?;\n\n            headers.push(header);\n            sigs.push((sig.protected.unwrap_or_default(), sig.signature.decode()));\n        }\n\n        let (payload, raw_payload) = match payload {\n            Some(b64) =\u003e (\n                T::from_attached(context, PayloadData::Standard(b64.clone()))\n                    .map_err(ParseJsonError::Payload)?,\n                PayloadData::Standard(b64),\n            ),\n            None =\u003e T::from_detached_many(context, \u0026headers).map_err(ParseJsonError::Payload)?,\n        };\n        let PayloadData::Standard(raw_payload) = raw_payload;\n\n        let unverified_signatures = sigs\n            .into_iter()\n            .map(|(protected, signature)| {\n                let msg = format!(\"{protected}.{raw_payload}\");\n\n                (msg.into_bytes(), signature)\n            })\n            .collect();\n\n        Ok(ManyUnverified {\n            value: JsonWebSignature {\n                header: headers,\n                payload,\n            },\n            signatures: unverified_signatures,\n        })\n    }\n}\n","traces":[{"line":204,"address":[],"length":0,"stats":{"Line":0}},{"line":205,"address":[],"length":0,"stats":{"Line":0}},{"line":210,"address":[],"length":0,"stats":{"Line":0}},{"line":215,"address":[],"length":0,"stats":{"Line":0}},{"line":216,"address":[],"length":0,"stats":{"Line":0}},{"line":223,"address":[],"length":0,"stats":{"Line":0}},{"line":224,"address":[],"length":0,"stats":{"Line":0}},{"line":231,"address":[],"length":0,"stats":{"Line":0}},{"line":232,"address":[],"length":0,"stats":{"Line":0}},{"line":238,"address":[],"length":0,"stats":{"Line":0}},{"line":239,"address":[],"length":0,"stats":{"Line":0}},{"line":259,"address":[],"length":0,"stats":{"Line":0}},{"line":263,"address":[],"length":0,"stats":{"Line":0}},{"line":265,"address":[],"length":0,"stats":{"Line":0}},{"line":266,"address":[],"length":0,"stats":{"Line":0}},{"line":267,"address":[],"length":0,"stats":{"Line":0}},{"line":268,"address":[],"length":0,"stats":{"Line":0}},{"line":269,"address":[],"length":0,"stats":{"Line":0}},{"line":270,"address":[],"length":0,"stats":{"Line":0}},{"line":271,"address":[],"length":0,"stats":{"Line":0}},{"line":274,"address":[],"length":0,"stats":{"Line":0}},{"line":275,"address":[],"length":0,"stats":{"Line":0}},{"line":277,"address":[],"length":0,"stats":{"Line":0}},{"line":279,"address":[],"length":0,"stats":{"Line":0}},{"line":280,"address":[],"length":0,"stats":{"Line":0}},{"line":281,"address":[],"length":0,"stats":{"Line":0}},{"line":282,"address":[],"length":0,"stats":{"Line":0}},{"line":283,"address":[],"length":0,"stats":{"Line":0}},{"line":285,"address":[],"length":0,"stats":{"Line":0}},{"line":286,"address":[],"length":0,"stats":{"Line":0}},{"line":287,"address":[],"length":0,"stats":{"Line":0}},{"line":291,"address":[],"length":0,"stats":{"Line":0}},{"line":293,"address":[],"length":0,"stats":{"Line":0}},{"line":294,"address":[],"length":0,"stats":{"Line":0}},{"line":295,"address":[],"length":0,"stats":{"Line":0}},{"line":311,"address":[],"length":0,"stats":{"Line":0}},{"line":315,"address":[],"length":0,"stats":{"Line":0}},{"line":318,"address":[],"length":0,"stats":{"Line":0}},{"line":321,"address":[],"length":0,"stats":{"Line":0}},{"line":323,"address":[],"length":0,"stats":{"Line":0}},{"line":324,"address":[],"length":0,"stats":{"Line":0}},{"line":327,"address":[],"length":0,"stats":{"Line":0}},{"line":328,"address":[],"length":0,"stats":{"Line":0}},{"line":329,"address":[],"length":0,"stats":{"Line":0}},{"line":330,"address":[],"length":0,"stats":{"Line":0}},{"line":333,"address":[],"length":0,"stats":{"Line":0}},{"line":335,"address":[],"length":0,"stats":{"Line":0}},{"line":336,"address":[],"length":0,"stats":{"Line":0}},{"line":338,"address":[],"length":0,"stats":{"Line":0}},{"line":340,"address":[],"length":0,"stats":{"Line":0}},{"line":341,"address":[],"length":0,"stats":{"Line":0}},{"line":342,"address":[],"length":0,"stats":{"Line":0}},{"line":344,"address":[],"length":0,"stats":{"Line":0}},{"line":345,"address":[],"length":0,"stats":{"Line":0}},{"line":346,"address":[],"length":0,"stats":{"Line":0}},{"line":347,"address":[],"length":0,"stats":{"Line":0}},{"line":349,"address":[],"length":0,"stats":{"Line":0}},{"line":350,"address":[],"length":0,"stats":{"Line":0}},{"line":351,"address":[],"length":0,"stats":{"Line":0}},{"line":353,"address":[],"length":0,"stats":{"Line":0}},{"line":356,"address":[],"length":0,"stats":{"Line":0}},{"line":359,"address":[],"length":0,"stats":{"Line":0}},{"line":360,"address":[],"length":0,"stats":{"Line":0}},{"line":362,"address":[],"length":0,"stats":{"Line":0}},{"line":364,"address":[],"length":0,"stats":{"Line":0}},{"line":365,"address":[],"length":0,"stats":{"Line":0}},{"line":366,"address":[],"length":0,"stats":{"Line":0}},{"line":367,"address":[],"length":0,"stats":{"Line":0}},{"line":371,"address":[],"length":0,"stats":{"Line":0}},{"line":372,"address":[],"length":0,"stats":{"Line":0}},{"line":373,"address":[],"length":0,"stats":{"Line":0}},{"line":376,"address":[],"length":0,"stats":{"Line":0}},{"line":377,"address":[],"length":0,"stats":{"Line":0}},{"line":378,"address":[],"length":0,"stats":{"Line":0}},{"line":379,"address":[],"length":0,"stats":{"Line":0}},{"line":415,"address":[],"length":0,"stats":{"Line":0}},{"line":416,"address":[],"length":0,"stats":{"Line":0}},{"line":426,"address":[],"length":0,"stats":{"Line":0}},{"line":427,"address":[],"length":0,"stats":{"Line":0}},{"line":428,"address":[],"length":0,"stats":{"Line":0}},{"line":431,"address":[],"length":0,"stats":{"Line":0}},{"line":432,"address":[],"length":0,"stats":{"Line":0}},{"line":433,"address":[],"length":0,"stats":{"Line":0}},{"line":434,"address":[],"length":0,"stats":{"Line":0}},{"line":436,"address":[],"length":0,"stats":{"Line":0}},{"line":437,"address":[],"length":0,"stats":{"Line":0}},{"line":439,"address":[],"length":0,"stats":{"Line":0}},{"line":440,"address":[],"length":0,"stats":{"Line":0}},{"line":442,"address":[],"length":0,"stats":{"Line":0}},{"line":445,"address":[],"length":0,"stats":{"Line":0}},{"line":446,"address":[],"length":0,"stats":{"Line":0}},{"line":449,"address":[],"length":0,"stats":{"Line":0}},{"line":450,"address":[],"length":0,"stats":{"Line":0}},{"line":452,"address":[],"length":0,"stats":{"Line":0}},{"line":455,"address":[],"length":0,"stats":{"Line":0}},{"line":456,"address":[],"length":0,"stats":{"Line":0}},{"line":460,"address":[],"length":0,"stats":{"Line":0}},{"line":462,"address":[],"length":0,"stats":{"Line":0}},{"line":464,"address":[],"length":0,"stats":{"Line":0}},{"line":466,"address":[],"length":0,"stats":{"Line":0}},{"line":468,"address":[],"length":0,"stats":{"Line":0}},{"line":469,"address":[],"length":0,"stats":{"Line":0}},{"line":470,"address":[],"length":0,"stats":{"Line":0}},{"line":471,"address":[],"length":0,"stats":{"Line":0}},{"line":476,"address":[],"length":0,"stats":{"Line":0}},{"line":480,"address":[],"length":0,"stats":{"Line":0}},{"line":481,"address":[],"length":0,"stats":{"Line":0}},{"line":482,"address":[],"length":0,"stats":{"Line":0}},{"line":483,"address":[],"length":0,"stats":{"Line":0}},{"line":485,"address":[],"length":0,"stats":{"Line":0}},{"line":486,"address":[],"length":0,"stats":{"Line":0}},{"line":487,"address":[],"length":0,"stats":{"Line":0}},{"line":489,"address":[],"length":0,"stats":{"Line":0}},{"line":492,"address":[],"length":0,"stats":{"Line":0}},{"line":524,"address":[],"length":0,"stats":{"Line":0}},{"line":525,"address":[],"length":0,"stats":{"Line":0}},{"line":535,"address":[],"length":0,"stats":{"Line":0}},{"line":544,"address":[],"length":0,"stats":{"Line":0}},{"line":545,"address":[],"length":0,"stats":{"Line":0}},{"line":547,"address":[],"length":0,"stats":{"Line":0}},{"line":548,"address":[],"length":0,"stats":{"Line":0}},{"line":549,"address":[],"length":0,"stats":{"Line":0}},{"line":550,"address":[],"length":0,"stats":{"Line":0}},{"line":551,"address":[],"length":0,"stats":{"Line":0}},{"line":553,"address":[],"length":0,"stats":{"Line":0}},{"line":555,"address":[],"length":0,"stats":{"Line":0}},{"line":557,"address":[],"length":0,"stats":{"Line":0}},{"line":558,"address":[],"length":0,"stats":{"Line":0}},{"line":559,"address":[],"length":0,"stats":{"Line":0}},{"line":560,"address":[],"length":0,"stats":{"Line":0}},{"line":561,"address":[],"length":0,"stats":{"Line":0}},{"line":572,"address":[],"length":0,"stats":{"Line":0}},{"line":573,"address":[],"length":0,"stats":{"Line":0}},{"line":583,"address":[],"length":0,"stats":{"Line":0}},{"line":590,"address":[],"length":0,"stats":{"Line":0}},{"line":591,"address":[],"length":0,"stats":{"Line":0}},{"line":594,"address":[],"length":0,"stats":{"Line":0}},{"line":595,"address":[],"length":0,"stats":{"Line":0}},{"line":597,"address":[],"length":0,"stats":{"Line":0}},{"line":598,"address":[],"length":0,"stats":{"Line":0}},{"line":600,"address":[],"length":0,"stats":{"Line":0}},{"line":601,"address":[],"length":0,"stats":{"Line":0}},{"line":604,"address":[],"length":0,"stats":{"Line":0}},{"line":605,"address":[],"length":0,"stats":{"Line":0}},{"line":606,"address":[],"length":0,"stats":{"Line":0}},{"line":607,"address":[],"length":0,"stats":{"Line":0}},{"line":608,"address":[],"length":0,"stats":{"Line":0}},{"line":610,"address":[],"length":0,"stats":{"Line":0}},{"line":612,"address":[],"length":0,"stats":{"Line":0}},{"line":614,"address":[],"length":0,"stats":{"Line":0}},{"line":616,"address":[],"length":0,"stats":{"Line":0}},{"line":617,"address":[],"length":0,"stats":{"Line":0}},{"line":619,"address":[],"length":0,"stats":{"Line":0}},{"line":623,"address":[],"length":0,"stats":{"Line":0}},{"line":624,"address":[],"length":0,"stats":{"Line":0}},{"line":625,"address":[],"length":0,"stats":{"Line":0}},{"line":626,"address":[],"length":0,"stats":{"Line":0}},{"line":628,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":158},{"path":["/","home","stu","dev","rust","jose","src","jwt.rs"],"content":"//! JsonWebToken (JWT) implementation\n//!\n//! JWTs are the most common use of JOSE.\n\nuse alloc::string::String;\n\nuse serde::{de::DeserializeOwned, Deserialize, Serialize};\n\nuse crate::{\n    format::{self, Compact},\n    jws::{FromRawPayload, IntoPayload, JsonWebSignatureBuilder, PayloadData, PayloadKind},\n    Base64UrlString, JsonWebSignature, Jws,\n};\n\n/// A JSON Web Token (JWT) as defined in [RFC 7519].\n///\n/// Since a JWT is only allowed to be serialized in the compact format, the\n/// `F` type parameter is fixed to [`Compact`] in this type\n/// alias.\n///\n/// [RFC 7519]: \u003chttps://datatracker.ietf.org/doc/html/rfc7519\u003e\npub type JsonWebToken\u003cA\u003e = JsonWebSignature\u003cformat::Compact, Claims\u003cA\u003e\u003e;\n\nimpl JsonWebToken\u003c()\u003e {\n    /// Returns a [`JsonWebSignatureBuilder`] for a [`JsonWebToken`]\n    // this method is needed because of interference problems if it is named\n    // builder directly.\n    pub fn builder_jwt() -\u003e JsonWebSignatureBuilder\u003cCompact\u003e {\n        Jws::builder()\n    }\n}\n\n/// The claims of a JSON Web Token (JWT) as defined in [RFC 7519].\n///\n/// The `A` type parameter is used to specify the type of the additional\n/// parameters of the claims. If no additional parameters are required,\n/// the unit type `()` can be used.\n///\n/// [RFC 7519]: \u003chttps://datatracker.ietf.org/doc/html/rfc7519\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Default)]\npub struct Claims\u003cA = ()\u003e {\n    /// The \"iss\" (issuer) claim identifies the principal that issued the JWT.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1).\n    #[serde(rename = \"iss\", skip_serializing_if = \"Option::is_none\")]\n    pub issuer: Option\u003cString\u003e,\n\n    /// The \"sub\" (subject) claim identifies the principal that is the subject\n    /// of the JWT.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.2](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2).\n    #[serde(rename = \"sub\", skip_serializing_if = \"Option::is_none\")]\n    pub subject: Option\u003cString\u003e,\n\n    /// The \"aud\" (audience) claim identifies the recipients that the JWT is\n    /// intended for.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.3](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3).\n    #[serde(rename = \"aud\", skip_serializing_if = \"Option::is_none\")]\n    pub audience: Option\u003cString\u003e,\n\n    /// The \"exp\" (expiration time) claim identifies the expiration time on or\n    /// after which the JWT MUST NOT be accepted for processing.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.4](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4).\n    #[serde(rename = \"exp\", skip_serializing_if = \"Option::is_none\")]\n    pub expiration: Option\u003cu64\u003e,\n\n    /// The \"nbf\" (not before) claim identifies the time before which the JWT\n    /// MUST NOT be accepted for processing.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.5](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5).\n    #[serde(rename = \"nbf\", skip_serializing_if = \"Option::is_none\")]\n    pub not_before: Option\u003cu64\u003e,\n\n    /// The \"iat\" (issued at) claim identifies the time at which the JWT was\n    /// issued.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.6](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6).\n    #[serde(rename = \"iat\", skip_serializing_if = \"Option::is_none\")]\n    pub issued_at: Option\u003cu64\u003e,\n\n    /// The \"jti\" (JWT ID) claim provides a unique identifier for the JWT.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.7](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.7).\n    #[serde(rename = \"jti\", skip_serializing_if = \"Option::is_none\")]\n    pub jwt_id: Option\u003cString\u003e,\n\n    /// Additional, potentially unregistered JWT claims.\n    #[serde(flatten)]\n    pub additional: A,\n}\n\nimpl\u003cA\u003e IntoPayload for Claims\u003cA\u003e\nwhere\n    A: Serialize,\n{\n    type Error = serde_json::Error;\n\n    fn into_payload(self) -\u003e Result\u003cPayloadKind, Self::Error\u003e {\n        let encoded = serde_json::to_vec(\u0026self)?;\n        Ok(PayloadKind::Attached(PayloadData::Standard(\n            Base64UrlString::encode(encoded),\n        )))\n    }\n}\n\n/// Error returned by [`FromRawPayload`] implementation of [`Claims`]\n#[derive(Debug, thiserror::Error)]\n#[non_exhaustive]\npub enum ClaimsDecodeError {\n    /// [`Claims`] does not support this operation.\n    #[error(\"Operation not supported.\")]\n    OperationUnsupported,\n    /// Error while deserializing underlying Json\n    #[error(transparent)]\n    Json(#[from] serde_json::Error),\n}\n\nimpl\u003cA\u003e FromRawPayload for Claims\u003cA\u003e\nwhere\n    A: DeserializeOwned,\n{\n    type Context = ();\n    type Error = ClaimsDecodeError;\n\n    fn from_attached(_: \u0026Self::Context, payload: PayloadData) -\u003e Result\u003cSelf, Self::Error\u003e {\n        let data = match payload {\n            PayloadData::Standard(data) =\u003e data.decode(),\n        };\n        let claims: Claims\u003cA\u003e = serde_json::from_slice(\u0026data)?;\n        Ok(claims)\n    }\n\n    /// Detached is not supported with [`JsonWebToken`]\n    ///\n    /// # Returns\n    ///\n    /// Always returns [`ClaimsDecodeError::OperationUnsupported`]\n    fn from_detached\u003cF, T\u003e(\n        _: \u0026Self::Context,\n        _: \u0026crate::JoseHeader\u003cF, T\u003e,\n    ) -\u003e Result\u003c(Self, PayloadData), Self::Error\u003e {\n        Err(ClaimsDecodeError::OperationUnsupported)\n    }\n\n    /// Detached is not supported with [`JsonWebToken`]\n    ///\n    /// # Returns\n    ///\n    /// Always returns [`ClaimsDecodeError::OperationUnsupported`]\n    fn from_detached_many\u003cF, T\u003e(\n        _: \u0026Self::Context,\n        _: \u0026[crate::JoseHeader\u003cF, T\u003e],\n    ) -\u003e Result\u003c(Self, PayloadData), Self::Error\u003e {\n        Err(ClaimsDecodeError::OperationUnsupported)\n    }\n}\n","traces":[{"line":28,"address":[],"length":0,"stats":{"Line":0}},{"line":29,"address":[],"length":0,"stats":{"Line":0}},{"line":100,"address":[],"length":0,"stats":{"Line":0}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":102,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":140,"address":[],"length":0,"stats":{"Line":0}},{"line":144,"address":[],"length":0,"stats":{"Line":0}},{"line":152,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":15},{"path":["/","home","stu","dev","rust","jose","src","lib.rs"],"content":"#![doc = include_str!(\"../README.md\")]\n#![allow(clippy::doc_overindented_list_items)]\n#![warn(\n    missing_docs,\n    missing_debug_implementations,\n    trivial_casts,\n    trivial_numeric_casts,\n    unused_extern_crates,\n    unused_import_braces,\n    explicit_outlives_requirements,\n    clippy::missing_errors_doc\n)]\n#![deny(\n    rustdoc::broken_intra_doc_links,\n    rustdoc::bare_urls,\n    macro_use_extern_crate,\n    non_ascii_idents,\n    elided_lifetimes_in_paths\n)]\n#![forbid(unsafe_code)]\n#![cfg_attr(not(feature = \"std\"), no_std)]\n#![cfg_attr(feature = \"std\", allow(unused_qualifications))]\n#![cfg_attr(docsrs, feature(doc_auto_cfg))]\n\nextern crate alloc;\n\n#[macro_use]\nmod macros;\n\npub(crate) mod base64_url;\n#[macro_use]\npub(crate) mod tagged_visitor;\npub(crate) mod sealed;\n\npub mod crypto;\npub mod format;\npub mod header;\npub mod jwa;\npub mod jwe;\npub mod jwk;\npub mod jws;\npub mod jwt;\nmod uri;\n\nuse alloc::string::String;\n\npub use base64_url::Base64UrlString;\npub use uri::Uri;\n\n#[doc(inline)]\npub use self::{header::JoseHeader, jwk::JsonWebKey, jws::JsonWebSignature, jwt::JsonWebToken};\n\n/// Type alias to make [`JsonWebSignature`] easier to access.\npub type Jws\u003cF = format::Compact, T = ()\u003e = JsonWebSignature\u003cF, T\u003e;\n\n/// Type alias to make [`JsonWebToken`] easier to access.\npub type Jwt\u003cA = ()\u003e = JsonWebToken\u003cA\u003e;\n\n/// Type alias to make [`JsonWebKey`] easier to access.\npub type Jwk\u003cA = ()\u003e = JsonWebKey\u003cA\u003e;\n\n/// This type is used when the type of the additional parameters\n/// of a [`JsonWebKey`], or a [`JoseHeader`] can not be\n/// specified, but must not be discarded.\npub type UntypedAdditionalProperties = serde_json::Map\u003cString, serde_json::Value\u003e;\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","macros.rs"],"content":"macro_rules! impl_serde_jwa {\n    ($T:ty, [\n        $($name:literal =\u003e $val:expr; $valp:pat,)*\n    ]) =\u003e {\n\n        impl core::fmt::Display for $T {\n            fn fmt(\u0026self, f: \u0026mut core::fmt::Formatter\u003c'_\u003e) -\u003e core::fmt::Result {\n                match \u0026self {\n                    $($valp =\u003e write!(f, \"{}\", $name),)*\n                    Self::Other(other) =\u003e write!(f, \"{}\", other),\n                }\n            }\n        }\n        #[allow(unused_qualifications)]\n        impl\u003c'de\u003e serde::Deserialize\u003c'de\u003e for $T {\n            fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n            where\n                D: serde::Deserializer\u003c'de\u003e,\n            {\n                let name = \u003calloc::borrow::Cow\u003c'_, str\u003e as serde::Deserialize\u003e::deserialize(deserializer)?;\n\n                Ok(Self::from_str_without_other(\u0026name).unwrap_or_else(|| {\n                    Self::Other(name.into_owned())\n                }))\n            }\n        }\n\n        #[allow(unused_qualifications)]\n        impl serde::Serialize for $T {\n            fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n            where\n                S: serde::Serializer,\n            {\n                let name = match self {\n                    $($valp =\u003e $name,)*\n                    Self::Other(custom) =\u003e custom,\n                };\n                \u003c\u0026str as serde::Serialize\u003e::serialize(\u0026name, serializer)\n            }\n        }\n\n        impl $T {\n            /// Tries to parse the given name into a variant, and returns `None`\n            /// if no variant matched.\n            pub(crate) fn from_str_without_other(name: \u0026str) -\u003e Option\u003cSelf\u003e {\n                match name {\n                    $($name =\u003e Some($val),)*\n                    _ =\u003e None,\n                }\n            }\n        }\n    };\n}\n\nmacro_rules! impl_internally_tagged_deserialize {\n    ($T:ty, $tag:literal, $expecting:literal, [$($name:literal =\u003e $i:ident),* $(,)?]) =\u003e {\n        #[allow(unused_qualifications)]\n        impl\u003c'de\u003e serde::Deserialize\u003c'de\u003e for $T {\n            fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n            where\n                D: serde::Deserializer\u003c'de\u003e,\n            {\n                #[derive(Clone, Copy, Deserialize)]\n                enum Tag {\n                    $(#[serde(rename = $name)]\n                    $i,)*\n                }\n\n                let tagged =\n                    deserializer.deserialize_any(crate::tagged_visitor::TaggedContentVisitor::new($tag, $expecting))?;\n\n                match tagged.tag {\n                    $(Tag::$i =\u003e Deserialize::deserialize(tagged.content).map(\u003c$T\u003e::$i),)*\n                }\n                .map_err(|x| x.into_error())\n            }\n        }\n    };\n}\n\nmacro_rules! impl_thumbprint_hash_trait {\n    ($symmetric:ty) =\u003e {\n        #[allow(rustdoc::redundant_explicit_links)]\n        /// The [`Hash`](core::hash::Hash) implementation uses\n        /// [`Thumbprint::thumbprint_prehashed`](crate::jwk::Thumbprint::thumbprint_prehashed)\n        impl core::hash::Hash for $symmetric {\n            fn hash\u003cH\u003e(\u0026self, state: \u0026mut H)\n            where\n                H: core::hash::Hasher,\n            {\n                alloc::format!(\n                    \"symmetric:{}\",\n                    \u003c$symmetric as crate::jwk::Thumbprint\u003e::thumbprint_prehashed(\u0026self)\n                )\n                .hash(state)\n            }\n        }\n    };\n    ($public:ty, $private:ty) =\u003e {\n        #[allow(rustdoc::redundant_explicit_links)]\n        /// The [`Hash`](core::hash::Hash) implementation uses\n        /// [`Thumbprint::thumbprint_prehashed`](crate::jwk::Thumbprint::thumbprint_prehashed)\n        impl core::hash::Hash for $public {\n            fn hash\u003cH\u003e(\u0026self, state: \u0026mut H)\n            where\n                H: core::hash::Hasher,\n            {\n                alloc::format!(\n                    \"public:{}\",\n                    \u003c$public as crate::jwk::Thumbprint\u003e::thumbprint_prehashed(\u0026self)\n                )\n                .hash(state)\n            }\n        }\n        #[allow(rustdoc::redundant_explicit_links)]\n        /// The [`Hash`](core::hash::Hash) implementation uses\n        /// [`Thumbprint::thumbprint_prehashed`](crate::jwk::Thumbprint::thumbprint_prehashed)\n        impl core::hash::Hash for $private {\n            fn hash\u003cH\u003e(\u0026self, state: \u0026mut H)\n            where\n                H: core::hash::Hasher,\n            {\n                alloc::format!(\n                    \"private:{}\",\n                    \u003c$private as crate::jwk::Thumbprint\u003e::thumbprint_prehashed(\u0026self)\n                )\n                .hash(state)\n            }\n        }\n    };\n}\n","traces":[{"line":7,"address":[],"length":0,"stats":{"Line":0}},{"line":8,"address":[],"length":0,"stats":{"Line":0}},{"line":9,"address":[],"length":0,"stats":{"Line":0}},{"line":10,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":17,"address":[],"length":0,"stats":{"Line":0}},{"line":18,"address":[],"length":0,"stats":{"Line":0}},{"line":20,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}},{"line":23,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":28}},{"line":31,"address":[],"length":0,"stats":{"Line":28}},{"line":32,"address":[],"length":0,"stats":{"Line":28}},{"line":34,"address":[],"length":0,"stats":{"Line":34}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":38,"address":[],"length":0,"stats":{"Line":28}},{"line":45,"address":[],"length":0,"stats":{"Line":94}},{"line":46,"address":[],"length":0,"stats":{"Line":94}},{"line":47,"address":[],"length":0,"stats":{"Line":49}},{"line":48,"address":[],"length":0,"stats":{"Line":49}},{"line":59,"address":[],"length":0,"stats":{"Line":118}},{"line":60,"address":[],"length":0,"stats":{"Line":118}},{"line":61,"address":[],"length":0,"stats":{"Line":118}},{"line":69,"address":[],"length":0,"stats":{"Line":60}},{"line":70,"address":[],"length":0,"stats":{"Line":176}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":24}},{"line":75,"address":[],"length":0,"stats":{"Line":20}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":1}},{"line":105,"address":[],"length":0,"stats":{"Line":1}},{"line":106,"address":[],"length":0,"stats":{"Line":1}},{"line":108,"address":[],"length":0,"stats":{"Line":1}},{"line":109,"address":[],"length":0,"stats":{"Line":1}},{"line":110,"address":[],"length":0,"stats":{"Line":1}},{"line":112,"address":[],"length":0,"stats":{"Line":1}},{"line":119,"address":[],"length":0,"stats":{"Line":1}},{"line":120,"address":[],"length":0,"stats":{"Line":1}},{"line":121,"address":[],"length":0,"stats":{"Line":1}},{"line":123,"address":[],"length":0,"stats":{"Line":1}},{"line":124,"address":[],"length":0,"stats":{"Line":1}},{"line":125,"address":[],"length":0,"stats":{"Line":1}},{"line":127,"address":[],"length":0,"stats":{"Line":1}}],"covered":30,"coverable":49},{"path":["/","home","stu","dev","rust","jose","src","sealed.rs"],"content":"/// A trait to protect traits meant only to be implemented by types from this\n/// crate from types outside this crate ([`C-SEALED`])\n///\n/// [`C-SEALED`]: \u003chttps://rust-lang.github.io/api-guidelines/future-proofing.html\u003e\npub trait Sealed {}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","tagged_visitor.rs"],"content":"use alloc::{collections::BTreeMap, fmt};\nuse core::marker::PhantomData;\n\nuse serde::{\n    de::{self, DeserializeSeed, MapAccess, Visitor},\n    Deserialize, Deserializer,\n};\nuse serde_value::Value;\n\npub(crate) struct TaggedContent\u003cT\u003e {\n    pub tag: T,\n    pub content: Value,\n}\n\npub(crate) struct TaggedContentVisitor\u003c'de, T\u003e {\n    tag_name: \u0026'static str,\n    expecting: \u0026'static str,\n    _tag: PhantomData\u003cT\u003e,\n    _content: PhantomData\u003c\u0026'de [u8]\u003e,\n}\n\nimpl\u003cT\u003e TaggedContentVisitor\u003c'_, T\u003e {\n    pub fn new(tag_name: \u0026'static str, expecting: \u0026'static str) -\u003e Self {\n        Self {\n            tag_name,\n            expecting,\n            _tag: PhantomData,\n            _content: PhantomData,\n        }\n    }\n}\n\nimpl\u003c'de, T\u003e DeserializeSeed\u003c'de\u003e for TaggedContentVisitor\u003c'de, T\u003e\nwhere\n    T: Deserialize\u003c'de\u003e + Clone,\n{\n    type Value = TaggedContent\u003cT\u003e;\n\n    fn deserialize\u003cD\u003e(self, deserializer: D) -\u003e Result\u003cSelf::Value, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        // Internally tagged enums are only supported in self-describing\n        // formats.\n        deserializer.deserialize_any(self)\n    }\n}\n\nimpl\u003c'de, T\u003e Visitor\u003c'de\u003e for TaggedContentVisitor\u003c'de, T\u003e\nwhere\n    T: Deserialize\u003c'de\u003e + Clone,\n{\n    type Value = TaggedContent\u003cT\u003e;\n\n    fn expecting(\u0026self, fmt: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt.write_str(self.expecting)\n    }\n\n    fn visit_map\u003cM\u003e(self, mut map: M) -\u003e Result\u003cSelf::Value, M::Error\u003e\n    where\n        M: MapAccess\u003c'de\u003e,\n    {\n        let mut tag = None;\n        let mut content = BTreeMap::new();\n\n        while let Some(k) = map.next_key::\u003cValue\u003e()? {\n            let val = if matches!(k, Value::String(ref s) if s == self.tag_name) {\n                let val = map.next_value::\u003cValue\u003e()?;\n                tag = Some(val.clone().deserialize_into().map_err(|e| e.into_error())?);\n                val\n            } else {\n                map.next_value()?\n            };\n\n            content.insert(k, val);\n        }\n\n        match tag {\n            None =\u003e Err(de::Error::missing_field(self.tag_name)),\n            Some(tag) =\u003e Ok(TaggedContent {\n                tag,\n                content: Value::Map(content),\n            }),\n        }\n    }\n}\n","traces":[{"line":23,"address":[],"length":0,"stats":{"Line":118}},{"line":39,"address":[],"length":0,"stats":{"Line":0}},{"line":45,"address":[],"length":0,"stats":{"Line":0}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":118}},{"line":63,"address":[],"length":0,"stats":{"Line":118}},{"line":64,"address":[],"length":0,"stats":{"Line":118}},{"line":66,"address":[],"length":0,"stats":{"Line":790}},{"line":67,"address":[],"length":0,"stats":{"Line":856}},{"line":68,"address":[],"length":0,"stats":{"Line":184}},{"line":69,"address":[],"length":0,"stats":{"Line":124}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":260}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":86}},{"line":79,"address":[],"length":0,"stats":{"Line":26}},{"line":80,"address":[],"length":0,"stats":{"Line":60}},{"line":81,"address":[],"length":0,"stats":{"Line":60}},{"line":82,"address":[],"length":0,"stats":{"Line":60}}],"covered":14,"coverable":20},{"path":["/","home","stu","dev","rust","jose","src","uri.rs"],"content":"use alloc::string::String;\nuse core::{fmt, ops::Deref};\n\nuse serde::{Deserialize, Serialize};\n\n/// A serializable URI type implemented using [`serde`] and [`fluent_uri`].\n///\n/// This is a thing wrapper around a [`fluent_uri::Uri\u003cString\u003e`] that implements\n/// [`Serialize`] and [`Deserialize`].\n#[derive(Debug, Clone, Default)]\npub struct Uri(fluent_uri::Uri\u003cString\u003e);\n\nimpl Uri {\n    /// Borrows this URI.\n    pub fn borrow(\u0026self) -\u003e BorrowedUri\u003c'_\u003e {\n        BorrowedUri(self.0.borrow())\n    }\n\n    /// Turns this URI into the underlying [`fluent_uri::Uri\u003cString\u003e`].\n    pub fn into_inner(self) -\u003e fluent_uri::Uri\u003cString\u003e {\n        self.0\n    }\n}\n\nimpl PartialEq for Uri {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        self.0.as_str().eq(other.0.as_str())\n    }\n}\nimpl Eq for Uri {}\n\nimpl Deref for Uri {\n    type Target = fluent_uri::Uri\u003cString\u003e;\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        \u0026self.0\n    }\n}\n\nimpl From\u003cfluent_uri::Uri\u003cString\u003e\u003e for Uri {\n    fn from(uri: fluent_uri::Uri\u003cString\u003e) -\u003e Self {\n        Self(uri)\n    }\n}\n\nimpl fmt::Display for Uri {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        self.0.fmt(f)\n    }\n}\n\nimpl Serialize for Uri {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        self.0.as_str().serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for Uri {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cUri, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let uri = String::deserialize(deserializer)?;\n\n        Ok(Uri(\n            fluent_uri::Uri::parse(uri).map_err(serde::de::Error::custom)?\n        ))\n    }\n}\n\n/// A borrowed version of the [`Uri`].\n///\n/// This is a thing wrapper around a [`fluent_uri::Uri\u003c\u0026str\u003e`] that implements\n/// [`Serialize`].\n#[derive(Debug)]\npub struct BorrowedUri\u003c's\u003e(fluent_uri::Uri\u003c\u0026's str\u003e);\n\nimpl BorrowedUri\u003c'_\u003e {\n    /// Turns this borrowed URI into an owned [`Uri`].\n    pub fn to_owned(\u0026self) -\u003e Uri {\n        Uri(self.0.to_owned())\n    }\n}\n\nimpl\u003c's\u003e Deref for BorrowedUri\u003c's\u003e {\n    type Target = fluent_uri::Uri\u003c\u0026's str\u003e;\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        \u0026self.0\n    }\n}\n\nimpl fmt::Display for BorrowedUri\u003c'_\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        self.0.fmt(f)\n    }\n}\n\nimpl Serialize for BorrowedUri\u003c'_\u003e {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        self.0.as_str().serialize(serializer)\n    }\n}\n\nimpl PartialEq for BorrowedUri\u003c'_\u003e {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        self.0.as_str().eq(other.0.as_str())\n    }\n}\nimpl Eq for BorrowedUri\u003c'_\u003e {}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":20,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":26,"address":[],"length":0,"stats":{"Line":0}},{"line":27,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":41,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":62,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":113,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":28},{"path":["/","home","stu","dev","rust","jose","target","debug","build","eyre-43034007078a440d","out","probe.rs"],"content":"\n    #![allow(dead_code)]\n\n    #[track_caller]\n    fn foo() {\n        let _location = std::panic::Location::caller();\n    }\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","target","debug","build","eyre-75120121d1e0e56e","out","probe.rs"],"content":"\n    #![allow(dead_code)]\n\n    #[track_caller]\n    fn foo() {\n        let _location = std::panic::Location::caller();\n    }\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","tests","common","mod.rs"],"content":"//! Common test helpers.\n\nuse serde_json::Value;\n\npub type TestResult\u003cT = ()\u003e = Result\u003cT, Box\u003cdyn std::error::Error\u003e\u003e;\n\n/// Reads a key file from the `tests/vectors/jwk` directory.\npub fn read_jwk(name: \u0026str) -\u003e TestResult\u003cValue\u003e {\n    let json = std::fs::read_to_string(format!(\n        \"{}/tests/vectors/jwk/{name}.json\",\n        env!(\"CARGO_MANIFEST_DIR\"),\n    ))?;\n    let key: Value = serde_json::from_str(\u0026json)?;\n\n    Ok(key)\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","tests","header.rs"],"content":"use jose::{\n    format::Compact,\n    header::{HeaderValue, Jws},\n    jwa::JsonWebSigningAlgorithm,\n    JoseHeader,\n};\n\n#[test]\nfn build_header() {\n    let builder = JoseHeader::\u003cCompact, Jws\u003e::builder();\n    let header = builder\n        .algorithm(HeaderValue::Protected(JsonWebSigningAlgorithm::None))\n        .build()\n        .unwrap();\n    assert_eq!(\n        header.algorithm(),\n        HeaderValue::Protected(\u0026JsonWebSigningAlgorithm::None)\n    );\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","tests","jwk.rs"],"content":"use jose::{\n    crypto::hmac,\n    jwa::{self, JsonWebAlgorithm},\n    jwk::{self, policy::Checkable, FromKey as _, Thumbprint as _},\n    Base64UrlString, JsonWebKey,\n};\nuse pretty_assertions::assert_eq;\nuse serde::{Deserialize, Serialize};\n\nuse crate::common::{read_jwk, TestResult};\n\nmod common;\n\nfn roundtrip(file: \u0026str, unsupported: bool, check: fn(\u0026JsonWebKey)) -\u003e TestResult {\n    let mut json_key = read_jwk(file)?;\n    let json_key_str = serde_json::to_string(\u0026json_key)?;\n\n    let jwk = match serde_json::from_value::\u003cJsonWebKey\u003e(json_key.clone()) {\n        Ok(..) if unsupported =\u003e panic!(\"Unsupported key type was successful\"),\n        Ok(jwk) =\u003e jwk,\n        Err(..) if unsupported =\u003e return Ok(()),\n        Err(e) =\u003e return Err(e.into()),\n    };\n    check(\u0026jwk);\n\n    // we want to deserialize the JWK from an owned value, and a borrowed value\n    let jwk_from_str = serde_json::from_str::\u003cJsonWebKey\u003e(\u0026json_key_str)?;\n    assert_eq!(jwk.key_type(), jwk_from_str.key_type());\n\n    let mut serialized = serde_json::to_value(\u0026jwk)?;\n    let mut serialized_from_str = serde_json::to_value(\u0026jwk_from_str)?;\n\n    // removes the field `name` from the given json value, mostly because some\n    // fields are serialized non-deterministic (key_ops), because the order is\n    // random\n    let remove_field = |value: \u0026mut serde_json::Value, name: \u0026str| {\n        if let Some(obj) = value.as_object_mut() {\n            obj.remove(name);\n        }\n    };\n\n    let mut remove_field_from_all = |name: \u0026str| {\n        remove_field(\u0026mut json_key, name);\n        remove_field(\u0026mut serialized, name);\n        remove_field(\u0026mut serialized_from_str, name);\n    };\n\n    remove_field_from_all(\"key_ops\");\n\n    assert_eq!(json_key, serialized);\n    assert_eq!(json_key, serialized_from_str);\n\n    // now try constructing a builder using this key, and check invalid\n    // algorithm\n    let err = JsonWebKey::builder(jwk.key_type().clone())\n        .algorithm(Some(JsonWebAlgorithm::Other(\"foo\".to_string())))\n        .build()\n        .unwrap_err();\n    assert!(matches!(\n        err,\n        jwk::JsonWebKeyBuildError::IncompatibleKeyType\n    ));\n\n    let err = jwk\n        .into_builder()\n        .algorithm(Some(JsonWebAlgorithm::Other(\"foo\".to_string())))\n        .build()\n        .unwrap_err();\n    assert!(matches!(\n        err,\n        jwk::JsonWebKeyBuildError::IncompatibleKeyType\n    ));\n\n    Ok(())\n}\n\nfn roundtrip_pair(\n    private: \u0026str,\n    public: \u0026str,\n    unsupported: bool,\n    check: fn(\u0026JsonWebKey),\n) -\u003e TestResult {\n    roundtrip(private, unsupported, check)?;\n    roundtrip(public, unsupported, check)?;\n\n    let private_key: JsonWebKey = serde_json::from_value(read_jwk(private)?)?;\n    let public_key: JsonWebKey = serde_json::from_value(read_jwk(public)?)?;\n\n    assert!(private_key.is_signing_key());\n    assert!(!public_key.is_signing_key());\n\n    assert!(!private_key.is_symmetric());\n    assert!(!public_key.is_symmetric());\n\n    assert!(private_key.is_asymmetric());\n    assert!(public_key.is_asymmetric());\n\n    let stripped = private_key.clone().strip_secret_material().unwrap();\n    assert_eq!(stripped.key_type(), public_key.key_type());\n\n    let stripped_from_public = public_key.clone().strip_secret_material().unwrap();\n    assert_eq!(stripped_from_public.key_type(), public_key.key_type());\n\n    let into_verifying = private_key.into_verifying_key();\n    assert_eq!(into_verifying.key_type(), public_key.key_type());\n\n    let public_into_verifying = public_key.clone().into_verifying_key();\n    assert_eq!(public_into_verifying.key_type(), public_key.key_type());\n\n    Ok(())\n}\n\nfn assert_thumbprint(jwk: \u0026JsonWebKey, sha256: \u0026str, sha384: \u0026str, sha512: \u0026str) {\n    let print_sha256 = Base64UrlString::encode(jwk.thumbprint_sha256());\n    assert_eq!(\u0026*print_sha256, sha256);\n\n    let print_sha384 = Base64UrlString::encode(jwk.thumbprint_sha384());\n    assert_eq!(\u0026*print_sha384, sha384);\n\n    let print_sha512 = Base64UrlString::encode(jwk.thumbprint_sha512());\n    assert_eq!(\u0026*print_sha512, sha512);\n}\n\npub mod roundtrip {\n    use jose::{jwa, jwk};\n    use pretty_assertions::assert_eq;\n\n    use crate::{assert_thumbprint, common::TestResult, roundtrip, roundtrip_pair};\n\n    #[test]\n    fn _3_1_and_2_ec() -\u003e TestResult {\n        roundtrip_pair(\n            \"3_2.ec_private_key\",\n            \"3_1.ec_public_key\",\n            // RustCrypto and ring do not support P-521 curve\n            cfg!(feature = \"crypto-rustcrypto\") || cfg!(feature = \"crypto-ring\"),\n            |jwk| {\n                assert_eq!(jwk.key_usage(), Some(\u0026jwk::KeyUsage::Signing));\n                assert_thumbprint(\n                    jwk,\n                    \"dHri3SADZkrush5HU_50AoRhcKFryN-PI6jPBtPL55M\",\n                    \"HncTFMje-quVjjwt2ufqfFb75ZwHLDh9M-VY4wJ9awQkfbu194TmVpeGbG6Ykb9b\",\n                    \"i8RIsIb6HVP2AO9o38HtraybJAP5veAfBIgynNUqpxlhuvq2UDgSA3JFgGgle1YvmCQDHllAn7MG52Idb8B4fA\"\n                );\n            },\n        )\n    }\n\n    #[test]\n    fn _3_3_and_4_rsa() -\u003e TestResult {\n        roundtrip_pair(\"3_4.rsa_private_key\", \"3_3.rsa_public_key\", false, |jwk| {\n            assert_thumbprint(\n                jwk,\n                \"9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI\",\n                \"iRBthSmwxk6o9pTGF6a9yLHohmMXSFRvKoN9rgcbOWFgLldwqED1DrOgDtLq5Q4R\",\n                \"FerGBUpYnzT0ptNAC7Y3qNpGINqILXdZ_9-Na3UkPUtDznnAChw7NWluNRjx-lmKDnuO1CpmIZL7e2bzRkQBew\",\n            );\n        })\n    }\n\n    #[test]\n    fn _3_5_symmetric_key_mac() -\u003e TestResult {\n        roundtrip(\"3_5.symmetric_key_mac_computation\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::Hmac::Hs256))\n            );\n\n            assert!(jwk.is_symmetric());\n            assert!(jwk.is_signing_key());\n\n            assert_eq!(jwk.key_type(), jwk.clone().into_verifying_key().key_type());\n\n            assert_thumbprint(\n                jwk,\n                \"RtoRur_1Dir5M4wuOfqNkDYOf9O_4RJ-aHkTA75RLA8\",\n                \"KG7sBEFjGfsIG21uR9cggZfOEIdKSvylcD7ndWgQsnG2k_5Wpw700r__c63SBBwf\",\n                \"EI4XUPoajddrVSS3fgSS6AcPt1uuacMmuYIi9i4A2CgjnWHuUV1qyNks84w03blKdF75HPSTJTJWgqRNEU_ZIg\"\n            );\n        })\n    }\n\n    #[test]\n    fn _3_6_symmetric_key_encryption() -\u003e TestResult {\n        roundtrip(\"3_6.symmetric_key_encryption\", false, |jwk| {\n            // NOTE: We do not support A256GCM as a JWK, because it's a one-time use\n            // session key, and must not be stored or reused\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::Other(\"A256GCM\".to_string()))\n            );\n            assert_eq!(jwk.key_usage(), Some(\u0026jwk::KeyUsage::Encryption));\n\n            assert_thumbprint(\n                jwk,\n                \"VDMp1ZgGGv1OKgOeDc1EUKHXNQzMdLkCnxPETHdA4v0\",\n                \"4YmDfp3zlozmoDxrRxpMBiU6XHA9X82IKNW3bWiitdnudrwmAiKOi4yWWj4fyeYm\",\n                \"FmHGxbagOqt0LS__rv4hIpgnQ9pAB7nDneYNPN9i1gHIbvJJILw-VyyYIP_RTgsOU7K683SdE5aeplCUqz4ZaA\"\n            );\n        })\n    }\n\n    #[test]\n    fn ed25519() -\u003e TestResult {\n        roundtrip_pair(\"ed25519\", \"ed25519.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(\n                    jwa::JsonWebSigningAlgorithm::EdDSA\n                ))\n            );\n\n            assert_thumbprint(\n                jwk,\n                \"IpNACexNZWO9hVeADtTT0Nvturu6OtMV3B4u1OVr1fU\",\n                \"NibgvGWph4nhazrZ1PcyRXYy55bdTotSDi1L4iE8gB0VtxDhh_a-du0fSnGExFwa\",\n                \"uS4j-x1iQUeF2a4a7M3iHZhPQGwyKgXU2Fh_GeNn9_uw_KAj1VTmNVenxTiFdDqcDHoWBemcLjioFY4slFbIZA\",\n            );\n        })\n    }\n\n    #[test]\n    fn rsa_enc_optional_parameters() -\u003e TestResult {\n        roundtrip(\"jwk_optional_parameters_rsa_enc.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::RsaesOaep::RsaesOaep))\n            );\n\n            assert_eq!(jwk.key_usage(), Some(\u0026jwk::KeyUsage::Encryption));\n            assert!(jwk.x509_certificate_sha1_thumbprint().is_some());\n            assert!(jwk.x509_certificate_sha256_thumbprint().is_some());\n\n            assert_thumbprint(\n                jwk,\n                \"ZwmJSHbFy5nl7WenHepIG5N9Rz16NH8SPGeqoZPTTuc\",\n                \"06f-mujFCZ0cUPKCgm0m7EuE0TW2mUmoQ0I519rD73v5JDAWti5QsuOX2PqTYuhV\",\n                \"EaW6WfYvQ5rauUmOYPZi82-ADGjmOb3Jz76jNVHUIQ_vA42s7CFve47jVTyb1n3UQbqLw3DDguD4u0wlFL4sbg\"\n            );\n        })\n    }\n\n    #[test]\n    fn rsa_sign_optional_parameters() -\u003e TestResult {\n        roundtrip(\"jwk_optional_parameters_rsa_sig.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::RsassaPkcs1V1_5::Rs256))\n            );\n\n            assert_eq!(jwk.key_usage(), Some(\u0026jwk::KeyUsage::Signing));\n            assert!(jwk.x509_certificate_sha1_thumbprint().is_some());\n            assert!(jwk.x509_certificate_sha256_thumbprint().is_some());\n\n            assert_thumbprint(\n                jwk,\n                \"bVeakRIe7OjtcR6E5FfkZvFAhEXfhIboYrcZ7OhZ1UY\",\n                \"_jnSoeQaW04m5PzXFnP7w2Zl_WFEop1UEKZ2vGHtQCdfsSqOkLhTbn2vyaDcMbHQ\",\n                \"cHiM1PMNsVve19_e5cfCiJqIMnQhYx0CkcvmiNCdwulCJ5B5ftaAvFYwr7_NQCMTQeXMcTKdbsP2a4mEKojPaQ\"\n            );\n        })\n    }\n\n    #[test]\n    fn rsa_with_key_ops_for_enc() -\u003e TestResult {\n        roundtrip(\"key_ops_rsa_enc.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::RsaesOaep::RsaesOaep))\n            );\n\n            let ops = jwk.key_operations().unwrap();\n\n            assert_eq!(ops.len(), 2);\n            assert!(ops.contains(\u0026jwk::KeyOperation::Encrypt));\n            assert!(ops.contains(\u0026jwk::KeyOperation::Decrypt));\n\n            assert_eq!(jwk.key_usage(), Some(\u0026jwk::KeyUsage::Encryption));\n\n            assert_thumbprint(\n                jwk,\n                \"ZwmJSHbFy5nl7WenHepIG5N9Rz16NH8SPGeqoZPTTuc\",\n                \"06f-mujFCZ0cUPKCgm0m7EuE0TW2mUmoQ0I519rD73v5JDAWti5QsuOX2PqTYuhV\",\n                \"EaW6WfYvQ5rauUmOYPZi82-ADGjmOb3Jz76jNVHUIQ_vA42s7CFve47jVTyb1n3UQbqLw3DDguD4u0wlFL4sbg\"\n            );\n        })\n    }\n\n    #[test]\n    fn p256() -\u003e TestResult {\n        roundtrip_pair(\"p256\", \"p256.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::EcDSA::Es256))\n            );\n\n            assert_thumbprint(\n                jwk,\n                \"6j1ImYAlN6DnVupozzN13UKnLR7BfEvngNmVl5bLlI0\",\n                \"u5W5WvG_wZc2u18HY0hqP48hVOOwytBz3BZzBimJl43SA3A4l-INFnhMNLEWL8a3\",\n                \"8fmi-z_V-FykWlKQAscDYj3I_uonEd2-0ChLqb7BwRJqnQiitQ9widx6Pk9ewMkhFk8NnBr1hCFa51kyrg7Pyw\"\n            );\n        })\n    }\n\n    #[test]\n    fn p384() -\u003e TestResult {\n        roundtrip_pair(\"p384\", \"p384.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::EcDSA::Es384))\n            );\n\n            assert_thumbprint(\n                jwk,\n                \"B_9VooM6jEuy9OvK_plFUDVADfKKnjCUPrqfc5Wtgq4\",\n                \"TXXx3K1KOHjCKWt_bY9cFZfsI9E8NUw8sK1xSOfd0jVgaBMiCP1hFvsxaamAQfK5\",\n                \"AtsWpt8bdnsqT49ovBfv67rhq_PB2eqnhvJ4F-uH-STeCZTVO97hWeEc0zGoOT18XtmHf_2o6ENmwIv9gcXyRQ\"\n            );\n        })\n    }\n\n    #[test]\n    #[cfg_attr(feature = \"crypto-ring\", ignore)]\n    fn secp256k1() -\u003e TestResult {\n        roundtrip_pair(\"k256\", \"k256.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::EcDSA::Es256K))\n            );\n\n            assert_thumbprint(\n                jwk,\n                \"i0H0zy_Zyc4g9gUfIU3ZgSk21eC_a9B-J_keq5eRVq4\",\n                \"NWo1frAmwhk6vYKYK0YCTpJWbgvI-EDV5ZvEFvA_7V4y6VRAG0l4Q_uNkFIiisuL\",\n                \"E1oJ78FUrNMsq66wi7AT8jIU4QUMoV_JnYiCqwy2vgDod7yDHMXLkweJ0Vhd1A1TJysPMFNr4Q8yVvQ4Q1fXKg\"\n            );\n        })\n    }\n\n    #[test]\n    fn rsa() -\u003e TestResult {\n        roundtrip_pair(\"rsa\", \"rsa.pub\", false, |jwk| {\n            assert_thumbprint(\n                jwk,\n                \"nYPs6qc5zj3VOVKr4yY-EzirO-AcdUl0JC5bcXKGE6Y\",\n                \"JhX_riWIrTLs3p7SnueDgpcO27pDgXh1xQOivPzOKsU3CaQgHoLgiKIinmb2CMoE\",\n                \"DQd_FsR8hTwlVrv3WGQP2E1KQejcBbJCFtqWy489xmmPm8LdNT91zYFX-yTghCtq2zutBGYY2mkwIWN-VQWYyQ\"\n            );\n        })\n    }\n\n    #[test]\n    #[cfg_attr(\n        any(\n            feature = \"crypto-ring\",\n            feature = \"crypto-aws-lc\",\n            feature = \"crypto-rustcrypto\"\n        ),\n        ignore\n    )]\n    fn ed448() -\u003e TestResult {\n        roundtrip_pair(\"ed448\", \"ed448.pub\", false, |jwk| {\n            assert_thumbprint(\n                jwk,\n                \"-K8d13H2SA_vuRYSxn05sQN4hAkeWXFt5XainSnkfZc\",\n                \"a_AWZk_w5qSm2XziCOKyHRLU1amUzTlbb1df8Q0JCx3bOaQp0YcLqdHS2Sbyw2PQ\",\n                \"qM1ai1zIZ-NRzbkOKxVkOY6DXVXmDWsSXMCQRRy7oIZEwRzQ0gQK5c-cruMkpyYcBs7ftQcofV_YXWfCdKhSWw\",\n            );\n        })\n    }\n}\n\n// TODO: test to ensure correct length of x, y, d\n\n#[test]\nfn deny_duplicates_key_operations() {\n    let key = r#\"\n{\n    \"key_ops\": [\"encrypt\", \"decrypt\", \"encrypt\"],\n    \"kty\": \"oct\",\n    \"alg\": \"HS256\",\n    \"k\": \"hJtXIZ2uSN5kbQfbtTNWbpdmhkV8FJG-Onbc6mxCcYg\"\n}\n\"#;\n\n    serde_json::from_str::\u003cJsonWebKey\u003e(key).unwrap_err();\n}\n\n#[test]\nfn deny_hmac_key_with_short_key() -\u003e TestResult {\n    let raw_key = r#\"{\"kty\": \"oct\", \"k\": \"QUFBQQ\"}\"#;\n    let key = serde_json::from_str::\u003cjwk::symmetric::OctetSequence\u003e(raw_key)?;\n\n    let hmac = hmac::Key::\u003chmac::Hs256\u003e::from_key(\u0026key, jwa::Hmac::Hs256.into());\n\n    assert!(matches!(\n        hmac.unwrap_err(),\n        jwk::symmetric::FromOctetSequenceError::InvalidLength\n    ));\n\n    Ok(())\n}\n\npub mod generate {\n    use jose::{\n        crypto::{\n            ec::{P256PrivateKey, P384PrivateKey, P521PrivateKey},\n            hmac, okp, rsa,\n        },\n        jwk::Thumbprint as _,\n    };\n\n    use crate::common::TestResult;\n\n    #[test]\n    #[cfg_attr(feature = \"crypto-ring\", ignore)]\n    fn ec_p256() -\u003e TestResult {\n        let p256 = P256PrivateKey::generate()?;\n        let p256_pub = p256.to_public_key();\n        assert_eq!(p256.thumbprint_sha256(), p256_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n\n    #[test]\n    #[cfg_attr(feature = \"crypto-ring\", ignore)]\n    fn ec_p384() -\u003e TestResult {\n        let p384 = P384PrivateKey::generate()?;\n        let p384_pub = p384.to_public_key();\n        assert_eq!(p384.thumbprint_sha256(), p384_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n\n    #[test]\n    #[cfg_attr(any(feature = \"crypto-rustcrypto\", feature = \"crypto-ring\"), ignore)]\n    fn ec_p521() -\u003e TestResult {\n        let p521 = P521PrivateKey::generate()?;\n        let p521_pub = p521.to_public_key();\n        assert_eq!(p521.thumbprint_sha256(), p521_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n\n    #[test]\n    #[cfg_attr(feature = \"crypto-ring\", ignore)]\n    fn rsa() -\u003e TestResult {\n        let rsa = rsa::PrivateKey::generate(4096)?;\n        let rsa_pub = rsa.to_public_key();\n        assert_eq!(rsa.thumbprint_sha256(), rsa_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n\n    #[test]\n    fn hmac() -\u003e TestResult {\n        let _hmac = hmac::Key::\u003chmac::Hs256\u003e::generate()?;\n        Ok(())\n    }\n\n    #[test]\n    #[cfg_attr(feature = \"crypto-ring\", ignore)]\n    fn ed25519() -\u003e TestResult {\n        let ed25519 = okp::PrivateKey::\u003cokp::Ed25519\u003e::generate()?;\n        let ed25519_pub = ed25519.to_public_key();\n        assert_eq!(ed25519.thumbprint_sha256(), ed25519_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n\n    #[test]\n    #[cfg_attr(\n        any(\n            feature = \"crypto-rustcrypto\",\n            feature = \"crypto-ring\",\n            feature = \"crypto-aws-lc\"\n        ),\n        ignore\n    )]\n    fn ed448() -\u003e TestResult {\n        let ed448 = okp::PrivateKey::\u003cokp::Ed448\u003e::generate()?;\n        let ed448_pub = ed448.to_public_key();\n        assert_eq!(ed448.thumbprint_sha256(), ed448_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n}\n\n#[test]\nfn convert_to_public_key() -\u003e TestResult {\n    let private_json = read_jwk(\"p256\")?;\n    let public_json = read_jwk(\"p256.pub\")?;\n\n    let private: JsonWebKey = serde_json::from_value(private_json)?;\n    let public: JsonWebKey = serde_json::from_value(public_json)?;\n\n    let public_converted = private.clone().into_verifying_key();\n    assert_eq!(public.key_type(), public_converted.key_type());\n\n    let public_converted = private.strip_secret_material().unwrap();\n    assert_eq!(public.key_type(), public_converted.key_type());\n\n    Ok(())\n}\n\n#[test]\nfn symmetric_key_can_not_strip_secret() -\u003e TestResult {\n    let key = read_jwk(\"3_5.symmetric_key_mac_computation\")?;\n    let key: JsonWebKey = serde_json::from_value(key)?;\n    assert!(key.strip_secret_material().is_none());\n\n    Ok(())\n}\n\n#[test]\nfn additional_properties() -\u003e TestResult {\n    #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]\n    struct Additional {\n        #[serde(rename = \"additional/one\")]\n        one: String,\n        another_additional: i32,\n    }\n\n    impl Checkable for Additional {\n        fn check\u003cP: jwk::policy::Policy\u003e(\n            self,\n            policy: P,\n        ) -\u003e Result\u003cjwk::policy::Checked\u003cSelf, P\u003e, (Self, P::Error)\u003e {\n            Ok(jwk::policy::Checked::new(self, policy))\n        }\n    }\n\n    let key = read_jwk(\"rsa_with_additional_props.pub\")?;\n    let key: JsonWebKey\u003cAdditional\u003e = serde_json::from_value(key)?;\n\n    assert_eq!(key.additional().one.as_str(), \"my rsa key\");\n    assert_eq!(key.additional().another_additional, 1);\n\n    let untyped = key.clone().into_untyped_additional()?;\n    assert_eq!(\n        untyped\n            .clone()\n            .deserialize_additional::\u003cAdditional\u003e()?\n            .additional(),\n        key.additional()\n    );\n\n    let untyped = untyped.additional();\n\n    assert_eq!(untyped[\"additional/one\"], \"my rsa key\");\n    assert_eq!(untyped[\"another_additional\"], 1);\n\n    let _checked = key.check(jwk::policy::StandardPolicy::new()).unwrap();\n\n    Ok(())\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","tests","jws.rs"],"content":"","traces":[],"covered":0,"coverable":0}]};
+        var previousData = {"files":[{"path":["/","home","stu","dev","rust","jose","build.rs"],"content":"use std::{env, process::exit};\n\nstruct CryptoBackend {\n    name: \u0026'static str,\n    feature: \u0026'static str,\n}\n\nconst ALL_BACKENDS: \u0026[CryptoBackend] = \u0026[\n    CryptoBackend {\n        name: \"RustCrypto\",\n        feature: \"crypto-rustcrypto\",\n    },\n    CryptoBackend {\n        name: \"OpenSSL\",\n        feature: \"crypto-openssl\",\n    },\n    CryptoBackend {\n        name: \"AWS-LC\",\n        feature: \"crypto-aws-lc\",\n    },\n    CryptoBackend {\n        name: \"ring\",\n        feature: \"crypto-ring\",\n    },\n];\n\nfn main() {\n    crypto_backends_check();\n\n    println!(\"cargo::rustc-check-cfg=cfg(openssl320)\");\n\n    // the nonce api for deterministic EcDSA signing is only possible on specific\n    // version\n    #[expect(clippy::unusual_byte_groupings)]\n    if let Ok(v) = env::var(\"DEP_OPENSSL_VERSION_NUMBER\") {\n        let version = u64::from_str_radix(\u0026v, 16).unwrap();\n\n        if version \u003e= 0x3_02_00_00_0 {\n            println!(\"cargo:rustc-cfg=openssl320\");\n        }\n    }\n}\n\nfn crypto_backends_check() {\n    let enabled = ALL_BACKENDS\n        .iter()\n        .filter(|backend| {\n            std::env::var(format!(\n                \"CARGO_FEATURE_{}\",\n                backend.feature.to_uppercase().replace(\"-\", \"_\")\n            ))\n            .is_ok()\n        })\n        .collect::\u003cVec\u003c_\u003e\u003e();\n\n    if enabled.is_empty() {\n        eprintln!(\n            \"No cryptographic backend selected.\n\n`jose` requires a cryptographic backend.  This backend \\\n             is selected at compile time using feature flags.\n\nSee https://github.com/minkan-chat/jose#crypto-backends\\\n             \"\n        );\n\n        exit(1);\n    } else if enabled.len() \u003e 1 {\n        eprintln!(\n            \"Multiple cryptographic backends selected.\n\n`jose` requires exactly one cryptographic backend. \\\n             Unfortunately, you have selected multiple backends:\n\n    {}\n\nSee https://github.com/minkan-chat/jose#crypto-backends\\\n             \",\n            enabled\n                .iter()\n                .map(|b| b.name)\n                .collect::\u003cVec\u003c_\u003e\u003e()\n                .join(\", \")\n        );\n\n        exit(1);\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","examples","basic-jwt","main.rs"],"content":"//! Simple program to generate, sign and verify a JsonWebToken (JWT)\n\nuse clap::Parser;\nuse clio::Input;\nuse eyre::eyre;\nuse jose::{\n    crypto::{\n        ec::P256PrivateKey,\n        hmac::{Hs256, Key as HmacKey},\n    },\n    format::{Compact, DecodeFormat},\n    jwk::{\n        policy::{Checkable, StandardPolicy},\n        IntoJsonWebKey, JwkSigner, JwkVerifier, KeyOperation,\n    },\n    jwt::Claims,\n    JsonWebKey, Jwt, UntypedAdditionalProperties,\n};\n\n#[derive(Parser)]\nenum Commands {\n    /// Generates a JsonWebKey\n    Generate {\n        /// Wheter or not it should be a symmetric secret or not\n        #[arg(short, long)]\n        symmetric: bool,\n    },\n    /// Signs a payload with a JsonWebKey\n    Sign {\n        /// Key used to sign the JsonWebToken\n        key: Input,\n        /// The claims that this JWT should contain\n        payload: Input,\n    },\n    /// Verifies a JsonWebToken with a JsonWebKey\n    Verify { jwt: String, key: Input },\n}\n\nfn main() -\u003e eyre::Result\u003c()\u003e {\n    let cmds = Commands::parse();\n\n    match cmds {\n        Commands::Generate { symmetric } =\u003e {\n            let key = match symmetric {\n                true =\u003e HmacKey::\u003cHs256\u003e::generate()?.into_jwk(Some(()))?,\n                false =\u003e P256PrivateKey::generate()?.into_jwk(Some(()))?,\n            };\n            // Key containing private/secret key\n            let private_key = key\n                .into_builder()\n                .key_operations(Some([KeyOperation::Sign, KeyOperation::Verify]))\n                .build()?;\n            println!(\"Private:\\n{}\", serde_json::to_string(\u0026private_key)?);\n\n            // If the key can be made public, do so and print it as well\n            if let Some(public) = private_key.strip_secret_material() {\n                println!(\"Public:\\n{}\", serde_json::to_string(\u0026public)?)\n            };\n        }\n        Commands::Sign { key, payload } =\u003e {\n            let key: JsonWebKey = serde_json::from_reader(key)?;\n            let payload: Claims\u003cUntypedAdditionalProperties\u003e = serde_json::from_reader(payload)?;\n            if !key.is_signing_key() {\n                return Err(eyre!(\"Key is not capable of signing\"));\n            }\n\n            let key = key\n                .check(StandardPolicy::default())\n                .map_err(|(_key, e)| e)?;\n            let mut signer: JwkSigner = key.try_into()?;\n\n            let jwt = Jwt::builder_jwt().build(payload)?;\n            let signed = jwt.sign(\u0026mut signer)?;\n            let encoded = signed.encode();\n            println!(\"JWT: {encoded}\");\n        }\n        Commands::Verify { jwt, key } =\u003e {\n            let key: JsonWebKey = serde_json::from_reader(key)?;\n            let key = key.check(StandardPolicy::default()).map_err(|(_, e)| e)?;\n            let mut verifier: JwkVerifier = key.try_into()?;\n            let encoded: Compact = jwt.parse()?;\n            let unverified_jwt = Jwt::\u003cUntypedAdditionalProperties\u003e::decode(encoded)?;\n            let jwt = unverified_jwt.verify(\u0026mut verifier)?;\n            let payload = jwt.payload();\n            println!(\n                \"JWT: Sub {:?}, {:?}:\",\n                payload.subject,\n                payload.additional.get(\"name\")\n            )\n        }\n    }\n    Ok(())\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","base64_url.rs"],"content":"//! Helpers for base64 urlsafe encoded stuff\n\nuse alloc::{borrow::ToOwned, string::String, vec::Vec};\nuse core::{fmt, ops::Deref, str::FromStr};\n\nuse base64ct::{Base64UrlUnpadded, Encoding};\nuse secrecy::{ExposeSecret as _, SecretSlice};\nuse serde::{de::Error, Deserialize, Deserializer, Serialize};\nuse thiserror::Error;\nuse zeroize::{Zeroize, Zeroizing};\n\n/// Error type indicating that one part of the compact\n/// representation was an invalid Base64Url string.\n#[derive(Debug, Clone, Copy, Error)]\n#[error(\"the string is not a valid Base64Url representation\")]\npub struct NoBase64UrlString;\n\n/// A wrapper around a [`String`] that guarantees that the inner string is a\n/// valid Base64Url string.\n#[derive(Debug, Clone, Hash, PartialEq, Eq, Serialize, Default)]\n#[repr(transparent)]\n#[serde(transparent)]\npub struct Base64UrlString(String);\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for Base64UrlString {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        let inner = String::deserialize(deserializer)?;\n        Base64UrlString::from_str(\u0026inner).map_err(D::Error::custom)\n    }\n}\n\nimpl fmt::Display for Base64UrlString {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Display::fmt(\u0026self.0, f)\n    }\n}\n\nimpl FromStr for Base64UrlString {\n    type Err = NoBase64UrlString;\n\n    fn from_str(s: \u0026str) -\u003e Result\u003cSelf, Self::Err\u003e {\n        // it is an expensive check.. yes\n        base64ct::Base64UrlUnpadded::decode_vec(s)\n            .map(|_| Self(s.to_owned()))\n            .map_err(|_| NoBase64UrlString)\n    }\n}\n\nimpl Base64UrlString {\n    /// Creates a new, empty Base64Url string.\n    #[inline]\n    pub const fn new() -\u003e Self {\n        Self(String::new())\n    }\n\n    /// Encode the given bytes using Base64Url format.\n    #[inline]\n    pub fn encode(x: impl AsRef\u003c[u8]\u003e) -\u003e Self {\n        Base64UrlString(Base64UrlUnpadded::encode_string(x.as_ref()))\n    }\n\n    /// Decodes this Base64Url string into it's raw byte representation.\n    #[inline]\n    pub fn decode(\u0026self) -\u003e Vec\u003cu8\u003e {\n        Base64UrlUnpadded::decode_vec(\u0026self.0)\n            .expect(\"Base64UrlString is guaranteed to be a valid base64 string\")\n    }\n\n    /// Return the inner string.\n    pub fn into_inner(self) -\u003e String {\n        self.0\n    }\n}\n\nimpl Deref for Base64UrlString {\n    type Target = str;\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        \u0026self.0\n    }\n}\n\n#[derive(Debug, PartialEq, Eq, Clone, Hash, Zeroize)]\npub(crate) struct Base64UrlBytes(pub(crate) Vec\u003cu8\u003e);\n\nimpl Serialize for Base64UrlBytes {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        let encoded = Base64UrlUnpadded::encode_string(\u0026self.0);\n        encoded.serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for Base64UrlBytes {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        let encoded = String::deserialize(deserializer)?;\n\n        let decoded = Base64UrlUnpadded::decode_vec(\u0026encoded)\n            .map_err(|_| D::Error::custom(\"encountered invalid Base64Url string\"))?;\n\n        Ok(Self(decoded))\n    }\n}\n\n#[derive(Debug, Clone, Zeroize)]\npub(crate) struct SecretBase64UrlBytes(pub(crate) SecretSlice\u003cu8\u003e);\n\nimpl Serialize for SecretBase64UrlBytes {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        let data = self.0.expose_secret();\n        let encoded = Zeroizing::new(Base64UrlUnpadded::encode_string(data));\n\n        encoded.serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for SecretBase64UrlBytes {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        let encoded = Zeroizing::new(String::deserialize(deserializer)?);\n\n        let decoded = Base64UrlUnpadded::decode_vec(\u0026encoded)\n            .map_err(|_| D::Error::custom(\"encountered invalid Base64Url string\"))?;\n\n        Ok(Self(SecretSlice::from(decoded)))\n    }\n}\n\n// TODO: test for correct length check and base64url parsing\n#[cfg(test)]\nmod tests {}\n","traces":[{"line":26,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":0}},{"line":31,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":37,"address":[],"length":0,"stats":{"Line":0}},{"line":44,"address":[],"length":0,"stats":{"Line":0}},{"line":46,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":63}},{"line":62,"address":[],"length":0,"stats":{"Line":63}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":81,"address":[],"length":0,"stats":{"Line":63}},{"line":82,"address":[],"length":0,"stats":{"Line":63}},{"line":90,"address":[],"length":0,"stats":{"Line":206}},{"line":94,"address":[],"length":0,"stats":{"Line":206}},{"line":95,"address":[],"length":0,"stats":{"Line":206}},{"line":100,"address":[],"length":0,"stats":{"Line":257}},{"line":104,"address":[],"length":0,"stats":{"Line":514}},{"line":106,"address":[],"length":0,"stats":{"Line":138}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":36}},{"line":121,"address":[],"length":0,"stats":{"Line":36}},{"line":122,"address":[],"length":0,"stats":{"Line":36}},{"line":124,"address":[],"length":0,"stats":{"Line":36}},{"line":129,"address":[],"length":0,"stats":{"Line":109}},{"line":133,"address":[],"length":0,"stats":{"Line":218}},{"line":135,"address":[],"length":0,"stats":{"Line":76}},{"line":136,"address":[],"length":0,"stats":{"Line":0}},{"line":138,"address":[],"length":0,"stats":{"Line":0}}],"covered":17,"coverable":36},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","dummy.rs"],"content":"//! This backend is a dummy backend, that will return an error for all\n//! methods.\n//!\n//! This is only used for testing purposes, to make the code compile.\n\nuse alloc::vec::Vec;\n\nuse secrecy::SecretSlice;\n\nuse super::interface;\nuse crate::crypto::Result;\n\n#[derive(Debug, thiserror::Error)]\n#[error(\"the dummy crypto backend does not support any operations\")]\npub(crate) struct Error;\n\n/// The dummy backend.\n#[derive(Debug)]\npub(crate) enum Backend {}\n\nimpl interface::Backend for Backend {\n    type EcPrivateKey = DummyKey;\n    type EcPublicKey = DummyKey;\n    type EdPrivateKey = DummyKey;\n    type EdPublicKey = DummyKey;\n    type Error = Error;\n    type HmacKey = DummyKey;\n    type RsaPrivateKey = DummyKey;\n    type RsaPublicKey = DummyKey;\n\n    fn fill_random(_buf: \u0026mut [u8]) -\u003e Result\u003c(), Self::Error\u003e {\n        Err(Error)\n    }\n\n    fn sha256(_: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n        panic!(\"The dummy backend does not support any operations\");\n    }\n\n    fn sha384(_: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n        panic!(\"The dummy backend does not support any operations\");\n    }\n\n    fn sha512(_: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n        panic!(\"The dummy backend does not support any operations\");\n    }\n}\n\n#[derive(Debug, Clone, PartialEq, Eq)]\npub(crate) struct DummyKey {\n    _private: (),\n}\n\nimpl interface::ec::PrivateKey for DummyKey {\n    type PublicKey = DummyKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn new(_alg: crate::jwa::EcDSA, _x: Vec\u003cu8\u003e, _y: Vec\u003cu8\u003e, _d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn generate(_: crate::jwa::EcDSA) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn private_material(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        unreachable!()\n    }\n\n    fn public_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        unreachable!()\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        unreachable!()\n    }\n\n    fn sign(\u0026mut self, _: \u0026[u8], _: bool) -\u003e Result\u003cSelf::Signature\u003e {\n        unreachable!()\n    }\n}\n\nimpl interface::ec::PublicKey for DummyKey {\n    fn new(_: crate::jwa::EcDSA, _: Vec\u003cu8\u003e, _: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn to_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        unreachable!()\n    }\n\n    fn verify(\u0026mut self, _: \u0026[u8], _: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        unreachable!()\n    }\n}\n\nimpl interface::okp::PrivateKey for DummyKey {\n    type PublicKey = DummyKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(_: interface::okp::CurveAlgorithm) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn new(_: interface::okp::CurveAlgorithm, _: Vec\u003cu8\u003e, _: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        unreachable!()\n    }\n\n    fn to_bytes(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        unreachable!()\n    }\n\n    fn sign(\u0026mut self, _: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        unreachable!()\n    }\n}\n\nimpl interface::okp::PublicKey for DummyKey {\n    fn new(_: interface::okp::CurveAlgorithm, _: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn to_bytes(\u0026self) -\u003e Vec\u003cu8\u003e {\n        unreachable!()\n    }\n\n    fn verify(\u0026mut self, _: \u0026[u8], _: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        unreachable!()\n    }\n}\n\nimpl interface::hmac::Key for DummyKey {\n    type Signature = Vec\u003cu8\u003e;\n\n    fn new(_: crate::jwa::Hmac, _: \u0026[u8]) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn sign(\u0026mut self, _: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        unreachable!()\n    }\n}\n\nimpl interface::rsa::PrivateKey for DummyKey {\n    type PublicKey = DummyKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(_: usize) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn from_components(\n        _: interface::rsa::PrivateKeyComponents,\n        _: interface::rsa::PublicKeyComponents,\n    ) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        unreachable!()\n    }\n\n    fn sign(\u0026mut self, _: crate::jwa::RsaSigning, _: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        unreachable!()\n    }\n\n    fn private_components(\u0026self) -\u003e Result\u003cinterface::rsa::PrivateKeyComponents\u003e {\n        unreachable!()\n    }\n\n    fn public_components(\u0026self) -\u003e interface::rsa::PublicKeyComponents {\n        unreachable!()\n    }\n}\n\nimpl interface::rsa::PublicKey for DummyKey {\n    fn from_components(_: interface::rsa::PublicKeyComponents) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn verify(\n        \u0026mut self,\n        _alg: crate::jwa::RsaSigning,\n        _msg: \u0026[u8],\n        _signature: \u0026[u8],\n    ) -\u003e Result\u003cbool\u003e {\n        unreachable!()\n    }\n\n    fn components(\u0026self) -\u003e interface::rsa::PublicKeyComponents {\n        unreachable!()\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","interface","ec.rs"],"content":"//! The interfaces for EC keys.\n\nuse alloc::vec::Vec;\n\nuse secrecy::SecretSlice;\n\nuse crate::{crypto::Result, jwa};\n\n/// The common operations for a curve-generic EC public key.\npub(crate) trait PublicKey: Sized + Clone {\n    /// Creates a new public key from the given data.\n    fn new(alg: jwa::EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e;\n\n    /// Returns the (x, y) coordinates of the public key.\n    fn to_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e);\n\n    /// Verifies if the message is valid for the given signature and algorithm.\n    ///\n    /// Returns `true` if the signature is valid, `false` otherwise.\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e;\n}\n\n/// The common operations for a curve-generic EC private key.\npub(crate) trait PrivateKey: Sized + Clone {\n    /// The signature type that is produced by this key.\n    type Signature: Into\u003cVec\u003cu8\u003e\u003e + AsRef\u003c[u8]\u003e;\n\n    /// The public key type.\n    type PublicKey: PublicKey;\n\n    /// Creates a new private key from the given data.\n    fn new(alg: jwa::EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e;\n\n    /// Generates a new secure random private key.\n    fn generate(alg: jwa::EcDSA) -\u003e Result\u003cSelf\u003e;\n\n    /// Returns the private key material of this key.\n    fn private_material(\u0026self) -\u003e SecretSlice\u003cu8\u003e;\n\n    /// Returns the public part of this key, a (x, y) coordinates.\n    fn public_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e);\n\n    /// Returns the public key of this private key.\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey;\n\n    /// Signs the given data using this key.\n    ///\n    /// This operation **must** be re-usable, meaning this method can be\n    /// called multiple times with different data to sign.\n    ///\n    /// The `deterministic` flag indicates if the signature should be\n    /// deterministic, as according to [RFC 6979](https://www.rfc-editor.org/rfc/rfc6979).\n    fn sign(\u0026mut self, data: \u0026[u8], deterministic: bool) -\u003e Result\u003cSelf::Signature\u003e;\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","interface","hmac.rs"],"content":"//! The interfaces for HMAC.\n\nuse crate::{crypto::Result, jwa};\n\n/// The common operations for an HMAC key.\npub(crate) trait Key: Sized {\n    /// The signature type that is produced by this key.\n    type Signature: AsRef\u003c[u8]\u003e;\n\n    /// Creates a new key from the given data.\n    fn new(variant: jwa::Hmac, key: \u0026[u8]) -\u003e Result\u003cSelf\u003e;\n\n    /// Signs the given data using this key.\n    ///\n    /// This operation **must** be re-usable, meaning this method can be\n    /// called multiple times with different data to sign.\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e;\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","interface","okp.rs"],"content":"//! The interfaces for OKP/ED keys.\n\nuse alloc::vec::Vec;\n\nuse secrecy::SecretSlice;\n\nuse crate::crypto::Result;\n\n/// The common operations for a ED public key.\npub(crate) trait PublicKey: Sized + Clone {\n    /// Creates a new public key from the given data.\n    fn new(alg: CurveAlgorithm, x: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e;\n\n    /// Returns the encoded bytes for this public key.\n    fn to_bytes(\u0026self) -\u003e Vec\u003cu8\u003e;\n\n    /// Verifies if the message is valid for the given signature and algorithm.\n    ///\n    /// Returns `true` if the signature is valid, `false` otherwise.\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e;\n}\n\n/// The common operations for a ED private key.\npub(crate) trait PrivateKey: Sized + Clone {\n    /// The signature type that is produced by this key.\n    type Signature: Into\u003cVec\u003cu8\u003e\u003e + AsRef\u003c[u8]\u003e;\n\n    /// The public key type.\n    type PublicKey: PublicKey;\n\n    /// Generates a new secure random private key.\n    fn generate(alg: CurveAlgorithm) -\u003e Result\u003cSelf\u003e;\n\n    /// Creates a new private key from the given data.\n    fn new(alg: CurveAlgorithm, x: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e;\n\n    /// Returns the public key that belongs to this private key.\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey;\n\n    /// Returns the encoded bytes for this private key.\n    fn to_bytes(\u0026self) -\u003e SecretSlice\u003cu8\u003e;\n\n    /// Signs the given data using this key.\n    ///\n    /// This operation **must** be re-usable, meaning this method can be\n    /// called multiple times with different data to sign.\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e;\n}\n\n/// The different curve algorithm combinations that can be supported\n/// by a crypto backend.\n#[derive(Debug, Clone, Copy, PartialEq, Eq)]\npub(crate) enum CurveAlgorithm {\n    /// The Ed25519 curve.\n    Ed25519,\n    /// The Ed448 curve.\n    Ed448,\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","interface","rsa.rs"],"content":"//! The interfaces for RSA.\n\nuse alloc::vec::Vec;\n\nuse secrecy::SecretSlice;\n\nuse crate::{crypto::Result, jwa};\n\n/// Part of the [`PrivateKeyComponents`], which includes additional information\n/// about the prime numbers.\n#[derive(Clone)]\npub(crate) struct PrivateKeyPrimeComponents {\n    pub p: SecretSlice\u003cu8\u003e,\n    pub q: SecretSlice\u003cu8\u003e,\n    pub dp: SecretSlice\u003cu8\u003e,\n    pub dq: SecretSlice\u003cu8\u003e,\n    pub qi: SecretSlice\u003cu8\u003e,\n}\n\n/// The components of a private key.\n///\n/// All fields in this struct are of type `Vec\u003cu8\u003e` and are\n/// big integers represented in big endian bytes.\n#[derive(Clone)]\npub(crate) struct PrivateKeyComponents {\n    pub d: SecretSlice\u003cu8\u003e,\n    pub prime: PrivateKeyPrimeComponents,\n}\n\n/// The components of a public key.\n///\n/// All fields in this struct are of type `Vec\u003cu8\u003e` and are\n/// big integers represented in big endian bytes.\n#[derive(Clone, PartialEq, Eq)]\npub(crate) struct PublicKeyComponents {\n    pub n: Vec\u003cu8\u003e,\n    pub e: Vec\u003cu8\u003e,\n}\n\n/// The common operations for an RSA private key.\npub(crate) trait PrivateKey: Sized {\n    /// The signature type that is produced by this key.\n    type Signature: Into\u003cVec\u003cu8\u003e\u003e + AsRef\u003c[u8]\u003e;\n\n    /// The public key type.\n    type PublicKey: PublicKey;\n\n    /// Generates a new rsa private key with the given number of bits.\n    fn generate(bits: usize) -\u003e Result\u003cSelf\u003e;\n\n    /// Creates a new RSA private key from the given private \u0026 public key\n    /// components.\n    fn from_components(private: PrivateKeyComponents, public: PublicKeyComponents) -\u003e Result\u003cSelf\u003e;\n\n    /// Creates a new public key from this private key.\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey;\n\n    /// Returns the private key components.\n    fn private_components(\u0026self) -\u003e Result\u003cPrivateKeyComponents\u003e;\n\n    /// Returns the public key components.\n    fn public_components(\u0026self) -\u003e PublicKeyComponents;\n\n    /// Signs the given data using this key.\n    ///\n    /// This operation **must** be re-usable, meaning this method can be\n    /// called multiple times with different data to sign.\n    fn sign(\u0026mut self, alg: jwa::RsaSigning, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e;\n}\n\n/// The common operations for an RSA public key.\npub(crate) trait PublicKey: Sized {\n    /// Creates a new RSA public key from the given public key components.\n    fn from_components(components: PublicKeyComponents) -\u003e Result\u003cSelf\u003e;\n\n    /// Returns the public key components.\n    fn components(\u0026self) -\u003e PublicKeyComponents;\n\n    /// Verifies if the message is valid for the given signature and algorithm.\n    ///\n    /// Returns `true` if the signature is valid, `false` otherwise.\n    fn verify(\u0026mut self, alg: jwa::RsaSigning, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e;\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","interface.rs"],"content":"//! Common traits that define the API each backend must implement.\n\nuse core::{error, fmt};\n\npub(crate) mod ec;\npub(crate) mod hmac;\npub(crate) mod okp;\npub(crate) mod rsa;\n\n/// The backend trait that all backends must implement.\n///\n/// This trait is used to define some commonly used operations, like generating\n/// random data.\npub(crate) trait Backend {\n    /// The error type that is used by this backend.\n    type Error: fmt::Debug + fmt::Display + error::Error;\n\n    /// The HMAC key type.\n    type HmacKey: hmac::Key;\n\n    /// The RSA private key type.\n    type RsaPrivateKey: rsa::PrivateKey;\n\n    /// The RSA public key type.\n    type RsaPublicKey: rsa::PublicKey;\n\n    /// The EC public key type.\n    type EcPublicKey: ec::PublicKey;\n\n    /// The EC private key type.\n    type EcPrivateKey: ec::PrivateKey;\n\n    /// The ED public key type.\n    type EdPublicKey: okp::PublicKey;\n\n    /// The ED private key type.\n    type EdPrivateKey: okp::PrivateKey;\n\n    /// Fills the given buffer with random data.\n    fn fill_random(buf: \u0026mut [u8]) -\u003e Result\u003c(), Self::Error\u003e;\n\n    /// Performs a quick Sha256 of the given data.\n    fn sha256(data: \u0026[u8]) -\u003e [u8; 32];\n\n    /// Performs a quick Sha384 of the given data.\n    fn sha384(data: \u0026[u8]) -\u003e [u8; 48];\n\n    /// Performs a quick Sha512 of the given data.\n    fn sha512(data: \u0026[u8]) -\u003e [u8; 64];\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","openssl","ec.rs"],"content":"use alloc::vec::Vec;\n\nuse openssl::{\n    bn::{BigNum, BigNumContext},\n    ec::{EcGroup, EcKey},\n    ecdsa::EcdsaSig,\n    hash::MessageDigest,\n    md::Md,\n    md_ctx::MdCtx,\n    pkey::{PKey, Private, Public},\n    sign::Verifier,\n};\nuse secrecy::{ExposeSecret, SecretSlice};\n\nuse crate::{\n    crypto::{\n        backend::interface::ec,\n        ec::{coordinate_size, scalar_size},\n        Result,\n    },\n    jwa::{self, EcDSA},\n};\n\nfn ec_group(alg: jwa::EcDSA) -\u003e Result\u003cEcGroup\u003e {\n    let group = match alg {\n        EcDSA::Es256 =\u003e EcGroup::from_curve_name(openssl::nid::Nid::X9_62_PRIME256V1)?,\n        EcDSA::Es384 =\u003e EcGroup::from_curve_name(openssl::nid::Nid::SECP384R1)?,\n        EcDSA::Es512 =\u003e EcGroup::from_curve_name(openssl::nid::Nid::SECP521R1)?,\n        EcDSA::Es256K =\u003e EcGroup::from_curve_name(openssl::nid::Nid::SECP256K1)?,\n    };\n\n    Ok(group)\n}\n\nfn digest(alg: jwa::EcDSA) -\u003e MessageDigest {\n    match alg {\n        EcDSA::Es256 =\u003e MessageDigest::sha256(),\n        EcDSA::Es384 =\u003e MessageDigest::sha384(),\n        EcDSA::Es512 =\u003e MessageDigest::sha512(),\n        EcDSA::Es256K =\u003e MessageDigest::sha256(),\n    }\n}\n\n/// A low level private EC key.\n#[derive(Clone)]\npub(crate) struct PrivateKey {\n    alg: jwa::EcDSA,\n\n    key: PKey\u003cPrivate\u003e,\n    public_key: PKey\u003cPublic\u003e,\n\n    d: SecretSlice\u003cu8\u003e,\n    x: Vec\u003cu8\u003e,\n    y: Vec\u003cu8\u003e,\n}\n\nimpl ec::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(alg: jwa::EcDSA) -\u003e Result\u003cSelf\u003e {\n        let group = ec_group(alg)?;\n\n        let ec_key = EcKey::generate(\u0026group)?;\n        ec_key.check_key()?;\n\n        let public_point = ec_key.public_key();\n        let public_key = EcKey::from_public_key(\u0026group, public_point)?;\n\n        let mut x = BigNum::new()?;\n        let mut y = BigNum::new()?;\n        let mut ctx = BigNumContext::new()?;\n        public_point.affine_coordinates(\u0026group, \u0026mut x, \u0026mut y, \u0026mut ctx)?;\n\n        let coordinate_size = coordinate_size(alg) as i32;\n        Ok(Self {\n            alg,\n            public_key: PKey::from_ec_key(public_key)?,\n            d: SecretSlice::from(\n                ec_key\n                    .private_key()\n                    .to_vec_padded(scalar_size(alg) as i32)?,\n            ),\n            key: PKey::from_ec_key(ec_key)?,\n            x: x.to_vec_padded(coordinate_size)?,\n            y: y.to_vec_padded(coordinate_size)?,\n        })\n    }\n\n    fn new(alg: EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let group = ec_group(alg)?;\n\n        let d = BigNum::from_slice(d.expose_secret())?;\n        let x = BigNum::from_slice(\u0026x)?;\n        let y = BigNum::from_slice(\u0026y)?;\n\n        let public_key = EcKey::from_public_key_affine_coordinates(\u0026group, \u0026x, \u0026y)?;\n        public_key.check_key()?;\n\n        let key = EcKey::from_private_components(\u0026group, \u0026d, public_key.public_key())?;\n        key.check_key()?;\n\n        let coordinate_size = coordinate_size(alg) as i32;\n        Ok(Self {\n            alg,\n            key: PKey::from_ec_key(key.clone())?,\n            d: SecretSlice::from(key.private_key().to_vec_padded(scalar_size(alg) as i32)?),\n            public_key: PKey::from_ec_key(public_key)?,\n            x: x.to_vec_padded(coordinate_size)?,\n            y: y.to_vec_padded(coordinate_size)?,\n        })\n    }\n\n    fn private_material(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        self.d.clone()\n    }\n\n    #[inline]\n    fn public_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        (self.x.clone(), self.y.clone())\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            digest: digest(self.alg),\n            key: self.public_key.clone(),\n            x: self.x.clone(),\n            y: self.y.clone(),\n        }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8], deterministic: bool) -\u003e Result\u003cSelf::Signature\u003e {\n        let mut md_ctx = MdCtx::new()?;\n\n        let md = match self.alg {\n            EcDSA::Es256 =\u003e Md::sha256(),\n            EcDSA::Es384 =\u003e Md::sha384(),\n            EcDSA::Es512 =\u003e Md::sha512(),\n            EcDSA::Es256K =\u003e Md::sha256(),\n        };\n\n        #[allow(unused_variables)]\n        let pkey_ctx = md_ctx.digest_sign_init(Some(md), \u0026self.key)?;\n\n        if deterministic {\n            #[cfg(all(not(feature = \"crypto-aws-lc\"), openssl320))]\n            pkey_ctx.set_nonce_type(openssl::pkey_ctx::NonceType::DETERMINISTIC_K)?;\n\n            #[cfg(any(feature = \"crypto-aws-lc\", not(openssl320)))]\n            return Err(super::BackendError::Unsupported(\n                \"deterministic signing for EcDSA\".to_string(),\n            )\n            .into());\n        }\n\n        md_ctx.digest_update(data)?;\n\n        let mut der_sig = vec![];\n        md_ctx.digest_sign_final_to_vec(\u0026mut der_sig)?;\n\n        // the returned signature is in DER format, we need to convert it according\n        // to Section 3.4 of RFC 7518\n        let signature = EcdsaSig::from_der(\u0026der_sig)?;\n        let r = signature.r().to_vec_padded(32)?;\n        let s = signature.s().to_vec_padded(32)?;\n\n        let mut sig = Vec::with_capacity(r.len() + s.len());\n        sig.extend_from_slice(\u0026r);\n        sig.extend_from_slice(\u0026s);\n\n        Ok(sig)\n    }\n}\n\n/// A low level public EC key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    digest: MessageDigest,\n    key: PKey\u003cPublic\u003e,\n    x: Vec\u003cu8\u003e,\n    y: Vec\u003cu8\u003e,\n}\n\nimpl ec::PublicKey for PublicKey {\n    fn new(alg: EcDSA, raw_x: Vec\u003cu8\u003e, raw_y: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let group = ec_group(alg)?;\n\n        let x = BigNum::from_slice(\u0026raw_x)?;\n        let y = BigNum::from_slice(\u0026raw_y)?;\n\n        let public_key = EcKey::from_public_key_affine_coordinates(\u0026group, \u0026x, \u0026y)?;\n        public_key.check_key()?;\n        let key = PKey::from_ec_key(public_key)?;\n\n        let coordinate_size = coordinate_size(alg) as i32;\n        Ok(Self {\n            digest: digest(alg),\n            key,\n            x: x.to_vec_padded(coordinate_size)?,\n            y: y.to_vec_padded(coordinate_size)?,\n        })\n    }\n\n    fn to_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        (self.x.clone(), self.y.clone())\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        // the signature is r and s concatenated, but we need it in DER format for\n        // OpenSSL\n\n        let (r, s) = signature.split_at(signature.len() / 2);\n        let r = BigNum::from_slice(r)?;\n        let s = BigNum::from_slice(s)?;\n\n        let signature = EcdsaSig::from_private_components(r, s)?.to_der()?;\n\n        let mut verifier = Verifier::new(self.digest, \u0026self.key)?;\n        verifier.update(msg)?;\n        let valid = verifier.verify(\u0026signature)?;\n\n        Ok(valid)\n    }\n}\n","traces":[{"line":24,"address":[],"length":0,"stats":{"Line":31}},{"line":25,"address":[],"length":0,"stats":{"Line":62}},{"line":26,"address":[],"length":0,"stats":{"Line":11}},{"line":27,"address":[],"length":0,"stats":{"Line":7}},{"line":28,"address":[],"length":0,"stats":{"Line":7}},{"line":29,"address":[],"length":0,"stats":{"Line":6}},{"line":35,"address":[],"length":0,"stats":{"Line":52}},{"line":36,"address":[],"length":0,"stats":{"Line":52}},{"line":37,"address":[],"length":0,"stats":{"Line":18}},{"line":38,"address":[],"length":0,"stats":{"Line":12}},{"line":39,"address":[],"length":0,"stats":{"Line":12}},{"line":40,"address":[],"length":0,"stats":{"Line":10}},{"line":61,"address":[],"length":0,"stats":{"Line":3}},{"line":62,"address":[],"length":0,"stats":{"Line":6}},{"line":64,"address":[],"length":0,"stats":{"Line":3}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":3}},{"line":68,"address":[],"length":0,"stats":{"Line":3}},{"line":70,"address":[],"length":0,"stats":{"Line":3}},{"line":71,"address":[],"length":0,"stats":{"Line":3}},{"line":72,"address":[],"length":0,"stats":{"Line":3}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":3}},{"line":76,"address":[],"length":0,"stats":{"Line":3}},{"line":77,"address":[],"length":0,"stats":{"Line":3}},{"line":78,"address":[],"length":0,"stats":{"Line":3}},{"line":79,"address":[],"length":0,"stats":{"Line":3}},{"line":80,"address":[],"length":0,"stats":{"Line":3}},{"line":81,"address":[],"length":0,"stats":{"Line":3}},{"line":82,"address":[],"length":0,"stats":{"Line":3}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":3}},{"line":86,"address":[],"length":0,"stats":{"Line":3}},{"line":90,"address":[],"length":0,"stats":{"Line":14}},{"line":91,"address":[],"length":0,"stats":{"Line":28}},{"line":93,"address":[],"length":0,"stats":{"Line":14}},{"line":94,"address":[],"length":0,"stats":{"Line":14}},{"line":95,"address":[],"length":0,"stats":{"Line":14}},{"line":97,"address":[],"length":0,"stats":{"Line":14}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":100,"address":[],"length":0,"stats":{"Line":28}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":14}},{"line":104,"address":[],"length":0,"stats":{"Line":14}},{"line":105,"address":[],"length":0,"stats":{"Line":14}},{"line":106,"address":[],"length":0,"stats":{"Line":14}},{"line":107,"address":[],"length":0,"stats":{"Line":28}},{"line":108,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":14}},{"line":110,"address":[],"length":0,"stats":{"Line":14}},{"line":114,"address":[],"length":0,"stats":{"Line":8}},{"line":115,"address":[],"length":0,"stats":{"Line":8}},{"line":119,"address":[],"length":0,"stats":{"Line":8}},{"line":120,"address":[],"length":0,"stats":{"Line":8}},{"line":123,"address":[],"length":0,"stats":{"Line":38}},{"line":125,"address":[],"length":0,"stats":{"Line":38}},{"line":126,"address":[],"length":0,"stats":{"Line":38}},{"line":127,"address":[],"length":0,"stats":{"Line":38}},{"line":128,"address":[],"length":0,"stats":{"Line":38}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":133,"address":[],"length":0,"stats":{"Line":0}},{"line":136,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":138,"address":[],"length":0,"stats":{"Line":0}},{"line":139,"address":[],"length":0,"stats":{"Line":0}},{"line":143,"address":[],"length":0,"stats":{"Line":0}},{"line":147,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":158,"address":[],"length":0,"stats":{"Line":0}},{"line":159,"address":[],"length":0,"stats":{"Line":0}},{"line":163,"address":[],"length":0,"stats":{"Line":0}},{"line":164,"address":[],"length":0,"stats":{"Line":0}},{"line":165,"address":[],"length":0,"stats":{"Line":0}},{"line":185,"address":[],"length":0,"stats":{"Line":14}},{"line":186,"address":[],"length":0,"stats":{"Line":28}},{"line":188,"address":[],"length":0,"stats":{"Line":14}},{"line":189,"address":[],"length":0,"stats":{"Line":14}},{"line":191,"address":[],"length":0,"stats":{"Line":14}},{"line":192,"address":[],"length":0,"stats":{"Line":0}},{"line":193,"address":[],"length":0,"stats":{"Line":28}},{"line":199,"address":[],"length":0,"stats":{"Line":0}},{"line":200,"address":[],"length":0,"stats":{"Line":14}},{"line":204,"address":[],"length":0,"stats":{"Line":93}},{"line":205,"address":[],"length":0,"stats":{"Line":93}},{"line":208,"address":[],"length":0,"stats":{"Line":0}},{"line":212,"address":[],"length":0,"stats":{"Line":0}},{"line":213,"address":[],"length":0,"stats":{"Line":0}},{"line":214,"address":[],"length":0,"stats":{"Line":0}},{"line":216,"address":[],"length":0,"stats":{"Line":0}},{"line":218,"address":[],"length":0,"stats":{"Line":0}},{"line":219,"address":[],"length":0,"stats":{"Line":0}},{"line":220,"address":[],"length":0,"stats":{"Line":0}}],"covered":62,"coverable":92},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","openssl","hmac.rs"],"content":"use openssl::{\n    hash::MessageDigest,\n    pkey::{PKey, Private},\n    sign::Signer,\n};\n\nuse crate::{\n    crypto::{backend::interface::hmac, Result},\n    jwa,\n};\n\n/// A low level HMAC key.\npub(crate) struct Key {\n    inner: PKey\u003cPrivate\u003e,\n    digest: MessageDigest,\n}\n\nimpl hmac::Key for Key {\n    type Signature = Vec\u003cu8\u003e;\n\n    fn new(variant: jwa::Hmac, data: \u0026[u8]) -\u003e Result\u003cSelf\u003e {\n        Ok(Self {\n            digest: match variant {\n                jwa::Hmac::Hs256 =\u003e MessageDigest::sha256(),\n                jwa::Hmac::Hs384 =\u003e MessageDigest::sha384(),\n                jwa::Hmac::Hs512 =\u003e MessageDigest::sha512(),\n            },\n            inner: PKey::hmac(data)?,\n        })\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let mut signer = Signer::new(self.digest, \u0026self.inner)?;\n        signer.update(data)?;\n        let sig = signer.sign_to_vec()?;\n        Ok(sig)\n    }\n}\n","traces":[{"line":21,"address":[],"length":0,"stats":{"Line":1}},{"line":22,"address":[],"length":0,"stats":{"Line":1}},{"line":23,"address":[],"length":0,"stats":{"Line":1}},{"line":24,"address":[],"length":0,"stats":{"Line":1}},{"line":25,"address":[],"length":0,"stats":{"Line":0}},{"line":26,"address":[],"length":0,"stats":{"Line":0}},{"line":28,"address":[],"length":0,"stats":{"Line":1}},{"line":32,"address":[],"length":0,"stats":{"Line":0}},{"line":33,"address":[],"length":0,"stats":{"Line":0}},{"line":34,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}}],"covered":5,"coverable":11},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","openssl","okp.rs"],"content":"use openssl::{\n    pkey::{Id, PKey, Private, Public},\n    sign::{Signer, Verifier},\n};\nuse secrecy::{ExposeSecret, SecretSlice};\n\nuse crate::crypto::{backend::interface::okp, Result};\n\nfn id_from_alg(alg: okp::CurveAlgorithm) -\u003e Result\u003cId\u003e {\n    Ok(match alg {\n        okp::CurveAlgorithm::Ed25519 =\u003e Id::ED25519,\n        #[cfg(not(feature = \"crypto-aws-lc\"))]\n        okp::CurveAlgorithm::Ed448 =\u003e Id::ED448,\n        #[cfg(feature = \"crypto-aws-lc\")]\n        okp::CurveAlgorithm::Ed448 =\u003e {\n            return Err(super::BackendError::Unsupported(\"Ed448\".to_string()).into())\n        }\n    })\n}\n\n/// A low level private ED key.\n#[derive(Clone)]\npub(crate) struct PrivateKey {\n    key: PKey\u003cPrivate\u003e,\n    public_key: PKey\u003cPublic\u003e,\n\n    raw: SecretSlice\u003cu8\u003e,\n    raw_public_key: Vec\u003cu8\u003e,\n}\n\nimpl okp::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(alg: okp::CurveAlgorithm) -\u003e Result\u003cSelf\u003e {\n        let key = match alg {\n            okp::CurveAlgorithm::Ed25519 =\u003e PKey::generate_ed25519()?,\n            #[cfg(not(feature = \"crypto-aws-lc\"))]\n            okp::CurveAlgorithm::Ed448 =\u003e PKey::generate_ed448()?,\n            #[cfg(feature = \"crypto-aws-lc\")]\n            okp::CurveAlgorithm::Ed448 =\u003e {\n                return Err(super::BackendError::Unsupported(\"Ed448\".to_string()).into())\n            }\n        };\n\n        let raw_public_key = key.raw_public_key()?;\n        let public_key = PKey::public_key_from_raw_bytes(\u0026raw_public_key, id_from_alg(alg)?)?;\n\n        Ok(Self {\n            raw: SecretSlice::from(key.raw_private_key()?),\n            public_key,\n            key,\n            raw_public_key,\n        })\n    }\n\n    fn new(alg: okp::CurveAlgorithm, x: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let key_type = id_from_alg(alg)?;\n\n        let key = PKey::private_key_from_raw_bytes(d.expose_secret(), key_type)?;\n        let public_key = PKey::public_key_from_raw_bytes(\u0026x, key_type)?;\n\n        Ok(Self {\n            raw: SecretSlice::from(key.raw_private_key()?),\n            raw_public_key: public_key.raw_public_key()?,\n            public_key,\n            key,\n        })\n    }\n\n    #[inline]\n    fn to_bytes(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        self.raw.clone()\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        Self::PublicKey {\n            key: self.public_key.clone(),\n            raw: self.raw_public_key.clone(),\n        }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let mut signer = Signer::new_without_digest(\u0026self.key)?;\n        let sig = signer.sign_oneshot_to_vec(data)?;\n\n        Ok(sig)\n    }\n}\n\n/// A low level public ED key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    key: PKey\u003cPublic\u003e,\n    raw: Vec\u003cu8\u003e,\n}\n\nimpl okp::PublicKey for PublicKey {\n    fn new(alg: okp::CurveAlgorithm, x: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let key_type = id_from_alg(alg)?;\n        let key = PKey::public_key_from_raw_bytes(\u0026x, key_type)?;\n\n        Ok(Self {\n            raw: key.raw_public_key()?,\n            key,\n        })\n    }\n\n    fn to_bytes(\u0026self) -\u003e Vec\u003cu8\u003e {\n        self.raw.clone()\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        let mut verifier = Verifier::new_without_digest(\u0026self.key)?;\n        let valid = verifier.verify_oneshot(signature, msg)?;\n\n        Ok(valid)\n    }\n}\n","traces":[{"line":9,"address":[],"length":0,"stats":{"Line":14}},{"line":10,"address":[],"length":0,"stats":{"Line":14}},{"line":11,"address":[],"length":0,"stats":{"Line":7}},{"line":13,"address":[],"length":0,"stats":{"Line":7}},{"line":35,"address":[],"length":0,"stats":{"Line":2}},{"line":36,"address":[],"length":0,"stats":{"Line":4}},{"line":37,"address":[],"length":0,"stats":{"Line":1}},{"line":39,"address":[],"length":0,"stats":{"Line":1}},{"line":46,"address":[],"length":0,"stats":{"Line":2}},{"line":47,"address":[],"length":0,"stats":{"Line":4}},{"line":50,"address":[],"length":0,"stats":{"Line":2}},{"line":57,"address":[],"length":0,"stats":{"Line":6}},{"line":58,"address":[],"length":0,"stats":{"Line":12}},{"line":60,"address":[],"length":0,"stats":{"Line":6}},{"line":61,"address":[],"length":0,"stats":{"Line":6}},{"line":64,"address":[],"length":0,"stats":{"Line":6}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":6}},{"line":67,"address":[],"length":0,"stats":{"Line":6}},{"line":72,"address":[],"length":0,"stats":{"Line":4}},{"line":73,"address":[],"length":0,"stats":{"Line":4}},{"line":76,"address":[],"length":0,"stats":{"Line":22}},{"line":78,"address":[],"length":0,"stats":{"Line":22}},{"line":79,"address":[],"length":0,"stats":{"Line":22}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":6}},{"line":100,"address":[],"length":0,"stats":{"Line":12}},{"line":101,"address":[],"length":0,"stats":{"Line":6}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":6}},{"line":109,"address":[],"length":0,"stats":{"Line":48}},{"line":110,"address":[],"length":0,"stats":{"Line":48}},{"line":113,"address":[],"length":0,"stats":{"Line":0}},{"line":114,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}}],"covered":29,"coverable":37},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","openssl","rsa.rs"],"content":"use alloc::vec::Vec;\n\nuse openssl::{\n    bn::{BigNum, BigNumRef},\n    hash::MessageDigest,\n    pkey::{PKey, Private, Public},\n    rsa::{Padding, Rsa},\n    sign::{Signer, Verifier},\n};\nuse secrecy::{ExposeSecret, SecretSlice};\n\nuse crate::{\n    crypto::{backend::interface::rsa, Result},\n    jwa,\n};\n\nfn digest(alg: jwa::RsaSigning) -\u003e MessageDigest {\n    match alg {\n        jwa::RsaSigning::Pss(pss) =\u003e match pss {\n            jwa::RsassaPss::Ps256 =\u003e MessageDigest::sha256(),\n            jwa::RsassaPss::Ps384 =\u003e MessageDigest::sha384(),\n            jwa::RsassaPss::Ps512 =\u003e MessageDigest::sha512(),\n        },\n        jwa::RsaSigning::RsPkcs1V1_5(pkcs) =\u003e match pkcs {\n            jwa::RsassaPkcs1V1_5::Rs256 =\u003e MessageDigest::sha256(),\n            jwa::RsassaPkcs1V1_5::Rs384 =\u003e MessageDigest::sha384(),\n            jwa::RsassaPkcs1V1_5::Rs512 =\u003e MessageDigest::sha512(),\n        },\n    }\n}\n\n/// A low level private RSA key.\n#[derive(Clone)]\npub(crate) struct PrivateKey {\n    private_key: PKey\u003cPrivate\u003e,\n    public_key: PKey\u003cPublic\u003e,\n\n    private_data: Rsa\u003cPrivate\u003e,\n    public_data: Rsa\u003cPublic\u003e,\n}\n\nimpl rsa::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(bits: usize) -\u003e Result\u003cSelf\u003e {\n        let private_data = Rsa::generate(bits as u32)?;\n        let public_data = Rsa::from_public_components(\n            private_data.n().to_owned()?,\n            private_data.e().to_owned()?,\n        )?;\n\n        Ok(Self {\n            private_key: PKey::from_rsa(private_data.clone())?,\n            public_key: PKey::from_rsa(public_data.clone())?,\n            private_data,\n            public_data,\n        })\n    }\n\n    fn from_components(\n        pri: rsa::PrivateKeyComponents,\n        pu: rsa::PublicKeyComponents,\n    ) -\u003e Result\u003cSelf\u003e {\n        let n = BigNum::from_slice(\u0026pu.n)?;\n        let e = BigNum::from_slice(\u0026pu.e)?;\n\n        let d = BigNum::from_slice(pri.d.expose_secret())?;\n        let p = BigNum::from_slice(pri.prime.p.expose_secret())?;\n        let q = BigNum::from_slice(pri.prime.q.expose_secret())?;\n        let dp = BigNum::from_slice(pri.prime.dp.expose_secret())?;\n        let dq = BigNum::from_slice(pri.prime.dq.expose_secret())?;\n        let qi = BigNum::from_slice(pri.prime.qi.expose_secret())?;\n\n        let private_data = Rsa::from_private_components(n, e, d, p, q, dp, dq, qi)?;\n        private_data.check_key()?;\n\n        let n = BigNum::from_slice(\u0026pu.n)?;\n        let e = BigNum::from_slice(\u0026pu.e)?;\n        let public_data = Rsa::from_public_components(n, e)?;\n\n        Ok(Self {\n            private_key: PKey::from_rsa(private_data.clone())?,\n            public_key: PKey::from_rsa(public_data.clone())?,\n            private_data,\n            public_data,\n        })\n    }\n\n    fn sign(\u0026mut self, alg: jwa::RsaSigning, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let digest = digest(alg);\n        let mut signer = Signer::new(digest, \u0026self.private_key)?;\n\n        // FIXME: verify correct setting of parameters\n        match alg {\n            jwa::RsaSigning::Pss(..) =\u003e {\n                signer.set_rsa_mgf1_md(digest)?;\n                signer.set_rsa_padding(Padding::PKCS1_PSS)?;\n            }\n            jwa::RsaSigning::RsPkcs1V1_5(..) =\u003e {\n                signer.set_rsa_padding(Padding::PKCS1)?;\n            }\n        }\n\n        signer.update(data)?;\n        let sig = signer.sign_to_vec()?;\n        Ok(sig)\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            key: self.public_key.clone(),\n            data: self.public_data.clone(),\n        }\n    }\n\n    fn private_components(\u0026self) -\u003e Result\u003crsa::PrivateKeyComponents\u003e {\n        let err = || super::BackendError::NoPrimeData;\n        let map = |x: Option\u003c\u0026BigNumRef\u003e| x.map(|x| SecretSlice::from(x.to_vec())).ok_or_else(err);\n\n        let d = SecretSlice::from(self.private_data.d().to_vec());\n\n        let p = map(self.private_data.p())?;\n        let q = map(self.private_data.q())?;\n        let dp = map(self.private_data.dmp1())?;\n        let dq = map(self.private_data.dmq1())?;\n        let qi = map(self.private_data.iqmp())?;\n\n        Ok(rsa::PrivateKeyComponents {\n            d,\n            prime: rsa::PrivateKeyPrimeComponents { p, q, dp, dq, qi },\n        })\n    }\n\n    fn public_components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        let n = self.private_data.n().to_vec();\n        let e = self.private_data.e().to_vec();\n        rsa::PublicKeyComponents { n, e }\n    }\n}\n\n/// A low level public RSA key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    key: PKey\u003cPublic\u003e,\n    data: Rsa\u003cPublic\u003e,\n}\n\nimpl rsa::PublicKey for PublicKey {\n    fn from_components(c: rsa::PublicKeyComponents) -\u003e Result\u003cSelf\u003e {\n        let n = BigNum::from_slice(\u0026c.n)?;\n        let e = BigNum::from_slice(\u0026c.e)?;\n        let data = Rsa::from_public_components(n, e)?;\n\n        Ok(Self {\n            key: PKey::from_rsa(data.clone())?,\n            data,\n        })\n    }\n\n    fn verify(\u0026mut self, alg: jwa::RsaSigning, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        let digest = digest(alg);\n        let mut verifier = Verifier::new(digest, \u0026self.key)?;\n\n        // FIXME: verify correct setting of parameters\n        match alg {\n            jwa::RsaSigning::Pss(..) =\u003e {\n                verifier.set_rsa_mgf1_md(digest)?;\n                verifier.set_rsa_padding(Padding::PKCS1_PSS)?;\n            }\n            jwa::RsaSigning::RsPkcs1V1_5(..) =\u003e {\n                verifier.set_rsa_padding(Padding::PKCS1)?;\n            }\n        }\n\n        verifier.update(msg)?;\n        let valid = verifier.verify(signature)?;\n        Ok(valid)\n    }\n\n    fn components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        rsa::PublicKeyComponents {\n            n: self.data.n().to_vec(),\n            e: self.data.e().to_vec(),\n        }\n    }\n}\n","traces":[{"line":17,"address":[],"length":0,"stats":{"Line":0}},{"line":18,"address":[],"length":0,"stats":{"Line":0}},{"line":19,"address":[],"length":0,"stats":{"Line":0}},{"line":20,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}},{"line":24,"address":[],"length":0,"stats":{"Line":0}},{"line":25,"address":[],"length":0,"stats":{"Line":0}},{"line":26,"address":[],"length":0,"stats":{"Line":0}},{"line":27,"address":[],"length":0,"stats":{"Line":0}},{"line":46,"address":[],"length":0,"stats":{"Line":1}},{"line":47,"address":[],"length":0,"stats":{"Line":2}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":50,"address":[],"length":0,"stats":{"Line":1}},{"line":54,"address":[],"length":0,"stats":{"Line":0}},{"line":55,"address":[],"length":0,"stats":{"Line":1}},{"line":56,"address":[],"length":0,"stats":{"Line":1}},{"line":57,"address":[],"length":0,"stats":{"Line":1}},{"line":61,"address":[],"length":0,"stats":{"Line":6}},{"line":65,"address":[],"length":0,"stats":{"Line":12}},{"line":66,"address":[],"length":0,"stats":{"Line":6}},{"line":68,"address":[],"length":0,"stats":{"Line":6}},{"line":69,"address":[],"length":0,"stats":{"Line":6}},{"line":70,"address":[],"length":0,"stats":{"Line":6}},{"line":71,"address":[],"length":0,"stats":{"Line":6}},{"line":72,"address":[],"length":0,"stats":{"Line":6}},{"line":73,"address":[],"length":0,"stats":{"Line":6}},{"line":75,"address":[],"length":0,"stats":{"Line":6}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":12}},{"line":79,"address":[],"length":0,"stats":{"Line":6}},{"line":80,"address":[],"length":0,"stats":{"Line":6}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":6}},{"line":85,"address":[],"length":0,"stats":{"Line":6}},{"line":86,"address":[],"length":0,"stats":{"Line":6}},{"line":90,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":16}},{"line":112,"address":[],"length":0,"stats":{"Line":16}},{"line":113,"address":[],"length":0,"stats":{"Line":16}},{"line":117,"address":[],"length":0,"stats":{"Line":4}},{"line":118,"address":[],"length":0,"stats":{"Line":4}},{"line":119,"address":[],"length":0,"stats":{"Line":64}},{"line":121,"address":[],"length":0,"stats":{"Line":4}},{"line":123,"address":[],"length":0,"stats":{"Line":8}},{"line":124,"address":[],"length":0,"stats":{"Line":4}},{"line":125,"address":[],"length":0,"stats":{"Line":4}},{"line":126,"address":[],"length":0,"stats":{"Line":4}},{"line":127,"address":[],"length":0,"stats":{"Line":4}},{"line":135,"address":[],"length":0,"stats":{"Line":4}},{"line":136,"address":[],"length":0,"stats":{"Line":4}},{"line":137,"address":[],"length":0,"stats":{"Line":4}},{"line":150,"address":[],"length":0,"stats":{"Line":13}},{"line":151,"address":[],"length":0,"stats":{"Line":26}},{"line":152,"address":[],"length":0,"stats":{"Line":13}},{"line":153,"address":[],"length":0,"stats":{"Line":13}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":157,"address":[],"length":0,"stats":{"Line":13}},{"line":161,"address":[],"length":0,"stats":{"Line":0}},{"line":162,"address":[],"length":0,"stats":{"Line":0}},{"line":163,"address":[],"length":0,"stats":{"Line":0}},{"line":168,"address":[],"length":0,"stats":{"Line":0}},{"line":169,"address":[],"length":0,"stats":{"Line":0}},{"line":172,"address":[],"length":0,"stats":{"Line":0}},{"line":176,"address":[],"length":0,"stats":{"Line":0}},{"line":177,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":63}},{"line":183,"address":[],"length":0,"stats":{"Line":63}},{"line":184,"address":[],"length":0,"stats":{"Line":63}}],"covered":45,"coverable":76},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","openssl.rs"],"content":"//! This backend implements the primitives using the [OpenSSL](openssl) library.\n\nuse thiserror::Error;\n\nuse super::interface;\n\npub(crate) mod ec;\npub(crate) mod hmac;\npub(crate) mod okp;\npub(crate) mod rsa;\n\n#[allow(dead_code)] // may occurr when selecting different OpenSSL variant\n#[derive(Debug, Error)]\npub(crate) enum BackendError {\n    /// An error from the OpenSSL library.\n    #[error(transparent)]\n    OpenSsl(#[from] openssl::error::ErrorStack),\n\n    /// No prime data was found in private key\n    #[error(\"No prime data was found in private key\")]\n    NoPrimeData,\n\n    /// A specific feature is not supported\n    #[error(\"openssl variant does not support feature: {0}\")]\n    Unsupported(String),\n}\n\n/// The [RustCrypto] based backend.\n///\n/// [RustCrypto]: https://github.com/RustCrypto\n#[derive(Debug)]\npub(crate) enum Backend {}\n\nimpl interface::Backend for Backend {\n    type EcPrivateKey = ec::PrivateKey;\n    type EcPublicKey = ec::PublicKey;\n    type EdPrivateKey = okp::PrivateKey;\n    type EdPublicKey = okp::PublicKey;\n    type Error = BackendError;\n    type HmacKey = hmac::Key;\n    type RsaPrivateKey = rsa::PrivateKey;\n    type RsaPublicKey = rsa::PublicKey;\n\n    fn fill_random(buf: \u0026mut [u8]) -\u003e Result\u003c(), Self::Error\u003e {\n        openssl::rand::rand_bytes(buf)?;\n        Ok(())\n    }\n\n    fn sha256(data: \u0026[u8]) -\u003e [u8; 32] {\n        openssl::sha::sha256(data)\n    }\n\n    fn sha384(data: \u0026[u8]) -\u003e [u8; 48] {\n        openssl::sha::sha384(data)\n    }\n\n    fn sha512(data: \u0026[u8]) -\u003e [u8; 64] {\n        openssl::sha::sha512(data)\n    }\n}\n","traces":[{"line":44,"address":[],"length":0,"stats":{"Line":1}},{"line":45,"address":[],"length":0,"stats":{"Line":1}},{"line":46,"address":[],"length":0,"stats":{"Line":1}},{"line":49,"address":[],"length":0,"stats":{"Line":33}},{"line":50,"address":[],"length":0,"stats":{"Line":33}},{"line":53,"address":[],"length":0,"stats":{"Line":21}},{"line":54,"address":[],"length":0,"stats":{"Line":21}},{"line":57,"address":[],"length":0,"stats":{"Line":21}},{"line":58,"address":[],"length":0,"stats":{"Line":21}}],"covered":9,"coverable":9},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","ring","ec.rs"],"content":"use alloc::{boxed::Box, vec::Vec};\n\nuse ring::{\n    rand::SystemRandom,\n    signature::{self, EcdsaKeyPair, UnparsedPublicKey},\n};\nuse secrecy::{ExposeSecret as _, SecretSlice};\n\nuse crate::{\n    crypto::{backend::interface::ec, Result},\n    jwa::{self, EcDSA},\n};\n\n/// Converts x and y coordinates to a sequence that is compatible\n/// with the \"Octet-String-to-Elliptic-Curve-Point Conversion\" algorithm\n/// defined in Section 2.3.4 of https://www.secg.org/sec1-v2.pdf\nfn make_public_key(x: \u0026[u8], y: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n    let mut pubkey = Vec::with_capacity(x.len() + y.len() + 1);\n    pubkey.push(0x04); // uncompressed point\n    pubkey.extend_from_slice(x);\n    pubkey.extend_from_slice(y);\n    pubkey\n}\n\npub(crate) struct PrivateKeyData {\n    key: EcdsaKeyPair,\n    private_material: SecretSlice\u003cu8\u003e,\n\n    pub_key: UnparsedPublicKey\u003cVec\u003cu8\u003e\u003e,\n    x: Vec\u003cu8\u003e,\n    y: Vec\u003cu8\u003e,\n}\n\n/// A low level private EC key.\npub(crate) struct PrivateKey {\n    alg: \u0026'static signature::EcdsaSigningAlgorithm,\n    data: Box\u003cPrivateKeyData\u003e,\n}\n\nimpl Clone for PrivateKey {\n    fn clone(\u0026self) -\u003e Self {\n        Self {\n            alg: self.alg,\n            data: Box::new(PrivateKeyData {\n                key: EcdsaKeyPair::from_private_key_and_public_key(\n                    self.alg,\n                    self.data.private_material.expose_secret(),\n                    self.data.pub_key.as_ref(),\n                    \u0026SystemRandom::new(),\n                )\n                .expect(\"this method was already successful with the exact same data\"),\n                private_material: self.data.private_material.clone(),\n                pub_key: self.data.pub_key.clone(),\n                x: self.data.x.clone(),\n                y: self.data.y.clone(),\n            }),\n        }\n    }\n}\n\nimpl ec::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(_alg: jwa::EcDSA) -\u003e Result\u003cSelf\u003e {\n        Err(super::BackendError::Unsupported(\"EcDSA key generation\").into())\n    }\n\n    fn new(alg: EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let (sign_alg, verify_alg) = match alg {\n            EcDSA::Es256 =\u003e (\n                \u0026signature::ECDSA_P256_SHA256_FIXED_SIGNING,\n                \u0026signature::ECDSA_P256_SHA256_FIXED,\n            ),\n            EcDSA::Es384 =\u003e (\n                \u0026signature::ECDSA_P384_SHA384_FIXED_SIGNING,\n                \u0026signature::ECDSA_P384_SHA384_FIXED,\n            ),\n            EcDSA::Es512 =\u003e return Err(super::BackendError::UnsupportedCurve(\"P-521\").into()),\n            EcDSA::Es256K =\u003e return Err(super::BackendError::UnsupportedCurve(\"secp256k1\").into()),\n        };\n\n        let rng = SystemRandom::new();\n        let pubkey = make_public_key(\u0026x, \u0026y);\n\n        let keypair = EcdsaKeyPair::from_private_key_and_public_key(\n            sign_alg,\n            d.expose_secret(),\n            \u0026pubkey,\n            \u0026rng,\n        )?;\n\n        Ok(Self {\n            alg: sign_alg,\n            data: Box::new(PrivateKeyData {\n                key: keypair,\n                private_material: d,\n                pub_key: UnparsedPublicKey::new(verify_alg, pubkey),\n                x,\n                y,\n            }),\n        })\n    }\n\n    fn private_material(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        self.data.private_material.clone()\n    }\n\n    #[inline]\n    fn public_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        (self.data.x.clone(), self.data.y.clone())\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            inner: self.data.pub_key.clone(),\n            x: self.data.x.clone(),\n            y: self.data.y.clone(),\n        }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8], deterministic: bool) -\u003e Result\u003cSelf::Signature\u003e {\n        if deterministic {\n            return Err(super::BackendError::Unsupported(\"deterministic EcDSA signing\").into());\n        }\n\n        let sig = self.data.key.sign(\u0026SystemRandom::new(), data)?;\n        Ok(sig.as_ref().to_vec())\n    }\n}\n\n/// A low level public EC key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    inner: UnparsedPublicKey\u003cVec\u003cu8\u003e\u003e,\n    x: Vec\u003cu8\u003e,\n    y: Vec\u003cu8\u003e,\n}\n\nimpl ec::PublicKey for PublicKey {\n    fn new(alg: EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let verify_alg = match alg {\n            EcDSA::Es256 =\u003e \u0026signature::ECDSA_P256_SHA256_FIXED,\n            EcDSA::Es384 =\u003e \u0026signature::ECDSA_P384_SHA384_FIXED,\n            EcDSA::Es512 =\u003e return Err(super::BackendError::UnsupportedCurve(\"P-521\").into()),\n            EcDSA::Es256K =\u003e return Err(super::BackendError::UnsupportedCurve(\"secp256k1\").into()),\n        };\n\n        let pubkey = UnparsedPublicKey::new(verify_alg, make_public_key(\u0026x, \u0026y));\n        Ok(Self {\n            inner: pubkey,\n            x,\n            y,\n        })\n    }\n\n    fn to_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        (self.x.clone(), self.y.clone())\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        Ok(self.inner.verify(msg, signature).is_ok())\n    }\n}\n","traces":[{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":2},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","ring","hmac.rs"],"content":"use ring::hmac::Key as RingKey;\n\nuse crate::{\n    crypto::{backend::interface::hmac, Result},\n    jwa,\n};\n\n/// A low level HMAC key.\n#[repr(transparent)]\npub(crate) struct Key {\n    inner: RingKey,\n}\n\nimpl hmac::Key for Key {\n    type Signature = ring::hmac::Tag;\n\n    fn new(variant: jwa::Hmac, data: \u0026[u8]) -\u003e Result\u003cSelf\u003e {\n        let key = match variant {\n            jwa::Hmac::Hs256 =\u003e RingKey::new(ring::hmac::HMAC_SHA256, data),\n            jwa::Hmac::Hs384 =\u003e RingKey::new(ring::hmac::HMAC_SHA384, data),\n            jwa::Hmac::Hs512 =\u003e RingKey::new(ring::hmac::HMAC_SHA512, data),\n        };\n\n        Ok(Self { inner: key })\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        Ok(ring::hmac::sign(\u0026self.inner, data))\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","ring","okp.rs"],"content":"use alloc::vec::Vec;\n\nuse ring::signature::{Ed25519KeyPair, KeyPair as _, UnparsedPublicKey};\nuse secrecy::{ExposeSecret, SecretSlice};\n\nuse crate::crypto::{backend::interface::okp, Result};\n\n/// A low level public ED key.\npub(crate) struct PrivateKey {\n    inner: Ed25519KeyPair,\n    d: SecretSlice\u003cu8\u003e,\n}\n\nimpl Clone for PrivateKey {\n    fn clone(\u0026self) -\u003e Self {\n        Self {\n            inner: Ed25519KeyPair::from_seed_and_public_key(\n                self.d.expose_secret(),\n                self.inner.public_key().as_ref(),\n            )\n            .expect(\"this method was already successful with the exact same data\"),\n            d: self.d.clone(),\n        }\n    }\n}\n\nimpl okp::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(_alg: okp::CurveAlgorithm) -\u003e Result\u003cSelf\u003e {\n        Err(super::BackendError::Unsupported(\"Ed25519 key generation\").into())\n    }\n\n    fn new(alg: okp::CurveAlgorithm, x: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        if alg != okp::CurveAlgorithm::Ed25519 {\n            return Err(super::BackendError::UnsupportedCurve(\"Ed2559\").into());\n        }\n\n        let key = Ed25519KeyPair::from_seed_and_public_key(d.expose_secret(), \u0026x)?;\n\n        Ok(Self { inner: key, d })\n    }\n\n    fn to_bytes(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        self.d.clone()\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            inner: UnparsedPublicKey::new(\n                \u0026ring::signature::ED25519,\n                self.inner.public_key().as_ref().to_vec(),\n            ),\n        }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let sig = self.inner.sign(data);\n        Ok(sig.as_ref().to_vec())\n    }\n}\n\n/// A low level public ED key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    inner: UnparsedPublicKey\u003cVec\u003cu8\u003e\u003e,\n}\n\nimpl okp::PublicKey for PublicKey {\n    fn new(alg: okp::CurveAlgorithm, x: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        if alg != okp::CurveAlgorithm::Ed25519 {\n            return Err(super::BackendError::UnsupportedCurve(\"Ed2559\").into());\n        }\n\n        let key = UnparsedPublicKey::new(\u0026ring::signature::ED25519, x);\n        Ok(Self { inner: key })\n    }\n\n    fn to_bytes(\u0026self) -\u003e Vec\u003cu8\u003e {\n        self.inner.as_ref().to_vec()\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        Ok(self.inner.verify(msg, signature).is_ok())\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","ring","rsa.rs"],"content":"use alloc::{vec, vec::Vec};\n\nuse ring::{\n    rand::SystemRandom,\n    rsa::{KeyPair, KeyPairComponents, PublicKeyComponents, RsaParameters},\n    signature::RsaEncoding,\n};\nuse secrecy::ExposeSecret;\n\nuse crate::{\n    crypto::{backend::interface::rsa, Result},\n    jwa::{self, RsaSigning, RsassaPkcs1V1_5, RsassaPss},\n};\n\n/// A low level private RSA key.\npub(crate) struct PrivateKey {\n    inner: KeyPair,\n\n    // store this data, as ring doesn't provide a way to access it\n    private_components: rsa::PrivateKeyComponents,\n    public_components: rsa::PublicKeyComponents,\n}\n\nimpl Clone for PrivateKey {\n    fn clone(\u0026self) -\u003e Self {\n        let pri = \u0026self.private_components;\n        let pu = \u0026self.public_components;\n        let components = KeyPairComponents {\n            public_key: PublicKeyComponents { n: \u0026pu.n, e: \u0026pu.e },\n            d: pri.d.expose_secret(),\n            p: pri.prime.p.expose_secret(),\n            q: pri.prime.q.expose_secret(),\n            dP: pri.prime.dp.expose_secret(),\n            dQ: pri.prime.dq.expose_secret(),\n            qInv: pri.prime.qi.expose_secret(),\n        };\n\n        Self {\n            inner: KeyPair::from_components(\u0026components)\n                .expect(\"this method was already successful with the exact same data\"),\n            private_components: self.private_components.clone(),\n            public_components: self.public_components.clone(),\n        }\n    }\n}\n\nimpl rsa::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(_bits: usize) -\u003e Result\u003cSelf\u003e {\n        Err(super::BackendError::Unsupported(\"RSA key generation\").into())\n    }\n\n    fn sign(\u0026mut self, alg: jwa::RsaSigning, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let padding_alg: \u0026'static dyn RsaEncoding = match alg {\n            RsaSigning::Pss(pss) =\u003e match pss {\n                RsassaPss::Ps256 =\u003e \u0026ring::signature::RSA_PSS_SHA256,\n                RsassaPss::Ps384 =\u003e \u0026ring::signature::RSA_PSS_SHA384,\n                RsassaPss::Ps512 =\u003e \u0026ring::signature::RSA_PSS_SHA512,\n            },\n            RsaSigning::RsPkcs1V1_5(pkcs) =\u003e match pkcs {\n                RsassaPkcs1V1_5::Rs256 =\u003e \u0026ring::signature::RSA_PKCS1_SHA512,\n                RsassaPkcs1V1_5::Rs384 =\u003e \u0026ring::signature::RSA_PKCS1_SHA384,\n                RsassaPkcs1V1_5::Rs512 =\u003e \u0026ring::signature::RSA_PKCS1_SHA512,\n            },\n        };\n\n        let rng = SystemRandom::new();\n        let mut sig = vec![0; self.inner.public().modulus_len()];\n        self.inner.sign(padding_alg, \u0026rng, data, \u0026mut sig)?;\n        Ok(sig)\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            components: self.public_components.clone(),\n        }\n    }\n\n    fn from_components(\n        pri: rsa::PrivateKeyComponents,\n        pu: rsa::PublicKeyComponents,\n    ) -\u003e Result\u003cSelf\u003e {\n        let components = KeyPairComponents {\n            public_key: PublicKeyComponents { n: \u0026pu.n, e: \u0026pu.e },\n            d: pri.d.expose_secret(),\n            p: pri.prime.p.expose_secret(),\n            q: pri.prime.q.expose_secret(),\n            dP: pri.prime.dp.expose_secret(),\n            dQ: pri.prime.dq.expose_secret(),\n            qInv: pri.prime.qi.expose_secret(),\n        };\n        let key = KeyPair::from_components(\u0026components)?;\n\n        Ok(Self {\n            inner: key,\n            private_components: pri,\n            public_components: pu,\n        })\n    }\n\n    fn private_components(\u0026self) -\u003e Result\u003crsa::PrivateKeyComponents\u003e {\n        Ok(self.private_components.clone())\n    }\n\n    fn public_components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        self.public_components.clone()\n    }\n}\n\n/// A low level public RSA key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    components: rsa::PublicKeyComponents,\n}\n\nimpl rsa::PublicKey for PublicKey {\n    fn from_components(c: rsa::PublicKeyComponents) -\u003e Result\u003cSelf\u003e {\n        Ok(Self { components: c })\n    }\n\n    fn verify(\u0026mut self, alg: jwa::RsaSigning, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        let params: \u0026'static RsaParameters = match alg {\n            RsaSigning::Pss(pss) =\u003e match pss {\n                RsassaPss::Ps256 =\u003e \u0026ring::signature::RSA_PSS_2048_8192_SHA256,\n                RsassaPss::Ps384 =\u003e \u0026ring::signature::RSA_PSS_2048_8192_SHA384,\n                RsassaPss::Ps512 =\u003e \u0026ring::signature::RSA_PSS_2048_8192_SHA512,\n            },\n            RsaSigning::RsPkcs1V1_5(pkcs) =\u003e match pkcs {\n                RsassaPkcs1V1_5::Rs256 =\u003e \u0026ring::signature::RSA_PKCS1_2048_8192_SHA256,\n                RsassaPkcs1V1_5::Rs384 =\u003e \u0026ring::signature::RSA_PKCS1_2048_8192_SHA384,\n                RsassaPkcs1V1_5::Rs512 =\u003e \u0026ring::signature::RSA_PKCS1_2048_8192_SHA512,\n            },\n        };\n\n        let rsa = PublicKeyComponents {\n            n: \u0026self.components.n,\n            e: \u0026self.components.e,\n        };\n\n        Ok(rsa.verify(params, msg, signature).is_ok())\n    }\n\n    fn components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        self.components.clone()\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","ring.rs"],"content":"//! This backend implements the primitives using the [`ring`] crate\n\nuse ring::{\n    digest,\n    rand::{SecureRandom as _, SystemRandom},\n};\nuse thiserror::Error;\n\nuse super::interface;\n\npub(crate) mod ec;\npub(crate) mod hmac;\npub(crate) mod okp;\npub(crate) mod rsa;\n\n// TODO: remove the `cfg_attr` once the RustCrypto crates implement\n// the core::error::Error trait.\n\n/// The errors that can be produced by the rust crypto backend.\n#[derive(Debug, Error)]\npub(crate) enum BackendError {\n    /// The error returned by `ring`.\n    #[error(\"ring returned an unspecified error\")]\n    Unspecified,\n\n    /// Key rejected error.\n    #[error(\"{0}\")]\n    KeyRejected(ring::error::KeyRejected),\n\n    /// Unsupported EC curve\n    #[error(\"unsupported EcDSA curve: {0}\")]\n    UnsupportedCurve(\u0026'static str),\n\n    /// A specific feature is not supported\n    #[error(\"ring does not support feature: {0}\")]\n    Unsupported(\u0026'static str),\n}\n\nimpl From\u003cring::error::Unspecified\u003e for BackendError {\n    fn from(_: ring::error::Unspecified) -\u003e Self {\n        Self::Unspecified\n    }\n}\n\nimpl From\u003cring::error::KeyRejected\u003e for BackendError {\n    fn from(x: ring::error::KeyRejected) -\u003e Self {\n        Self::KeyRejected(x)\n    }\n}\n\n/// The [`ring`] based backend.\n#[derive(Debug)]\npub(crate) enum Backend {}\n\nimpl interface::Backend for Backend {\n    type EcPrivateKey = ec::PrivateKey;\n    type EcPublicKey = ec::PublicKey;\n    type EdPrivateKey = okp::PrivateKey;\n    type EdPublicKey = okp::PublicKey;\n    type Error = BackendError;\n    type HmacKey = hmac::Key;\n    type RsaPrivateKey = rsa::PrivateKey;\n    type RsaPublicKey = rsa::PublicKey;\n\n    fn fill_random(buf: \u0026mut [u8]) -\u003e Result\u003c(), Self::Error\u003e {\n        let rng = SystemRandom::new();\n        rng.fill(buf)?;\n        Ok(())\n    }\n\n    fn sha256(data: \u0026[u8]) -\u003e [u8; 32] {\n        digest::digest(\u0026digest::SHA256, data)\n            .as_ref()\n            .try_into()\n            .expect(\"SHA256 digest length mismatch\")\n    }\n\n    fn sha384(data: \u0026[u8]) -\u003e [u8; 48] {\n        digest::digest(\u0026digest::SHA384, data)\n            .as_ref()\n            .try_into()\n            .expect(\"SHA384 digest length mismatch\")\n    }\n\n    fn sha512(data: \u0026[u8]) -\u003e [u8; 64] {\n        digest::digest(\u0026digest::SHA512, data)\n            .as_ref()\n            .try_into()\n            .expect(\"SHA512 digest length mismatch\")\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","rust","ec.rs"],"content":"use alloc::vec::Vec;\n\nuse ecdsa::EncodedPoint;\nuse elliptic_curve::{\n    sec1::{FromEncodedPoint, ToEncodedPoint, ValidatePublicKey as _},\n    FieldBytes, SecretKey,\n};\nuse generic_array::typenum::Unsigned as _;\nuse k256::Secp256k1;\nuse p256::NistP256;\nuse p384::NistP384;\nuse rand_core::OsRng;\nuse secrecy::{ExposeSecret as _, SecretSlice};\nuse signature::{RandomizedSigner as _, Verifier as _};\nuse zeroize::Zeroizing;\n\nuse crate::{\n    crypto::{backend::interface::ec, Result},\n    jwa::{self, EcDSA},\n};\n\n#[derive(Clone)]\nenum ErasedPrivateKey {\n    P256(SecretKey\u003cNistP256\u003e),\n    P384(SecretKey\u003cNistP384\u003e),\n    Secp256k1(SecretKey\u003cSecp256k1\u003e),\n}\n\n#[derive(Clone)]\nenum ErasedPublicKey {\n    P256(elliptic_curve::PublicKey\u003cNistP256\u003e),\n    P384(elliptic_curve::PublicKey\u003cNistP384\u003e),\n    Secp256k1(elliptic_curve::PublicKey\u003cSecp256k1\u003e),\n}\n\n#[derive(Clone)]\npub(crate) enum ErasedSignature {\n    P256(ecdsa::SignatureBytes\u003cNistP256\u003e),\n    P384(ecdsa::SignatureBytes\u003cNistP384\u003e),\n    Secp256k1(ecdsa::SignatureBytes\u003cSecp256k1\u003e),\n}\n\nimpl From\u003cErasedSignature\u003e for Vec\u003cu8\u003e {\n    fn from(value: ErasedSignature) -\u003e Self {\n        match value {\n            ErasedSignature::P256(sig) =\u003e sig.to_vec(),\n            ErasedSignature::P384(sig) =\u003e sig.to_vec(),\n            ErasedSignature::Secp256k1(sig) =\u003e sig.to_vec(),\n        }\n    }\n}\n\nimpl AsRef\u003c[u8]\u003e for ErasedSignature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        match self {\n            ErasedSignature::P256(sig) =\u003e sig.as_ref(),\n            ErasedSignature::P384(sig) =\u003e sig.as_ref(),\n            ErasedSignature::Secp256k1(sig) =\u003e sig.as_ref(),\n        }\n    }\n}\n\nfn to_field_bytes\u003cC: elliptic_curve::Curve\u003e(\n    bytes: \u0026[u8],\n) -\u003e Result\u003c\u0026FieldBytes\u003cC\u003e, super::BackendError\u003e {\n    if bytes.len() != C::FieldBytesSize::USIZE {\n        return Err(super::BackendError::InvalidEcPoint {\n            expected: C::FieldBytesSize::USIZE,\n            actual: bytes.len(),\n        });\n    }\n\n    Ok(FieldBytes::\u003cC\u003e::from_slice(bytes))\n}\n\n/// A low level private EC key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PrivateKey {\n    inner: ErasedPrivateKey,\n}\n\nimpl ec::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = ErasedSignature;\n\n    fn generate(alg: jwa::EcDSA) -\u003e Result\u003cSelf\u003e {\n        let mut rng = OsRng;\n\n        let key = match alg {\n            EcDSA::Es256 =\u003e ErasedPrivateKey::P256(SecretKey::\u003cNistP256\u003e::random(\u0026mut rng)),\n            EcDSA::Es384 =\u003e ErasedPrivateKey::P384(SecretKey::\u003cNistP384\u003e::random(\u0026mut rng)),\n            EcDSA::Es512 =\u003e return Err(super::BackendError::CurveNotSupported(\"P-521\").into()),\n            EcDSA::Es256K =\u003e ErasedPrivateKey::Secp256k1(SecretKey::\u003cSecp256k1\u003e::random(\u0026mut rng)),\n        };\n        Ok(Self { inner: key })\n    }\n\n    fn new(alg: EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        fn new_typed\u003cC: elliptic_curve::Curve + elliptic_curve::CurveArithmetic\u003e(\n            x: Vec\u003cu8\u003e,\n            y: Vec\u003cu8\u003e,\n            d: SecretSlice\u003cu8\u003e,\n        ) -\u003e Result\u003celliptic_curve::SecretKey\u003cC\u003e\u003e\n        where\n            \u003cC as elliptic_curve::Curve\u003e::FieldBytesSize: elliptic_curve::sec1::ModulusSize,\n            \u003cC as elliptic_curve::CurveArithmetic\u003e::AffinePoint: FromEncodedPoint\u003cC\u003e,\n            \u003cC as elliptic_curve::CurveArithmetic\u003e::AffinePoint: ToEncodedPoint\u003cC\u003e,\n        {\n            let x = to_field_bytes::\u003cC\u003e(\u0026x)?;\n            let y = to_field_bytes::\u003cC\u003e(\u0026y)?;\n\n            let d = d.expose_secret();\n            let d = to_field_bytes::\u003cC\u003e(d)?;\n\n            let point = EncodedPoint::\u003cC\u003e::from_affine_coordinates(x, y, false);\n            let secret = elliptic_curve::SecretKey::\u003cC\u003e::from_bytes(d)\n                .map_err(super::BackendError::EllipticCurve)?;\n\n            C::validate_public_key(\u0026secret, \u0026point).map_err(super::BackendError::EllipticCurve)?;\n\n            Ok(secret)\n        }\n\n        match alg {\n            EcDSA::Es256 =\u003e Ok(Self {\n                inner: ErasedPrivateKey::P256(new_typed::\u003cNistP256\u003e(x, y, d)?),\n            }),\n            EcDSA::Es384 =\u003e Ok(Self {\n                inner: ErasedPrivateKey::P384(new_typed::\u003cNistP384\u003e(x, y, d)?),\n            }),\n            EcDSA::Es512 =\u003e Err(super::BackendError::CurveNotSupported(\"P-521\").into()),\n            EcDSA::Es256K =\u003e Ok(Self {\n                inner: ErasedPrivateKey::Secp256k1(new_typed::\u003cSecp256k1\u003e(x, y, d)?),\n            }),\n        }\n    }\n\n    fn private_material(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        match self.inner {\n            ErasedPrivateKey::P256(ref key) =\u003e {\n                let material = Zeroizing::new(key.to_bytes());\n                let material = material.to_vec();\n                SecretSlice::from(material)\n            }\n            ErasedPrivateKey::P384(ref key) =\u003e {\n                let material = Zeroizing::new(key.to_bytes());\n                let material = material.to_vec();\n                SecretSlice::from(material)\n            }\n            ErasedPrivateKey::Secp256k1(ref key) =\u003e {\n                let material = Zeroizing::new(key.to_bytes());\n                let material = material.to_vec();\n                SecretSlice::from(material)\n            }\n        }\n    }\n\n    #[inline]\n    fn public_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        ec::PublicKey::to_point(\u0026self.to_public_key())\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        match self.inner {\n            ErasedPrivateKey::P256(ref key) =\u003e PublicKey {\n                inner: ErasedPublicKey::P256(key.public_key()),\n            },\n            ErasedPrivateKey::P384(ref key) =\u003e PublicKey {\n                inner: ErasedPublicKey::P384(key.public_key()),\n            },\n            ErasedPrivateKey::Secp256k1(ref key) =\u003e PublicKey {\n                inner: ErasedPublicKey::Secp256k1(key.public_key()),\n            },\n        }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8], deterministic: bool) -\u003e Result\u003cSelf::Signature\u003e {\n        let sig = match self.inner {\n            ErasedPrivateKey::P256(ref key) =\u003e {\n                let key = ecdsa::SigningKey::\u003cNistP256\u003e::from(key);\n\n                let sig = if deterministic {\n                    key.sign_recoverable(data)\n                        .map_err(super::BackendError::Ecdsa)?\n                        .0\n                } else {\n                    key.try_sign_with_rng(\u0026mut OsRng, data)\n                        .map_err(super::BackendError::Ecdsa)?\n                };\n\n                ErasedSignature::P256(sig.to_bytes())\n            }\n            ErasedPrivateKey::P384(ref key) =\u003e {\n                let key = ecdsa::SigningKey::\u003cNistP384\u003e::from(key);\n\n                let sig = if deterministic {\n                    key.sign_recoverable(data)\n                        .map_err(super::BackendError::Ecdsa)?\n                        .0\n                } else {\n                    key.try_sign_with_rng(\u0026mut OsRng, data)\n                        .map_err(super::BackendError::Ecdsa)?\n                };\n\n                ErasedSignature::P384(sig.to_bytes())\n            }\n            ErasedPrivateKey::Secp256k1(ref key) =\u003e {\n                let key = ecdsa::SigningKey::\u003cSecp256k1\u003e::from(key);\n\n                let sig = if deterministic {\n                    key.sign_recoverable(data)\n                        .map_err(super::BackendError::Ecdsa)?\n                        .0\n                } else {\n                    key.try_sign_with_rng(\u0026mut OsRng, data)\n                        .map_err(super::BackendError::Ecdsa)?\n                };\n\n                ErasedSignature::Secp256k1(sig.to_bytes())\n            }\n        };\n\n        Ok(sig)\n    }\n}\n\n/// A low level public EC key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PublicKey {\n    inner: ErasedPublicKey,\n}\n\nimpl ec::PublicKey for PublicKey {\n    fn new(alg: EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        fn new_typed\u003cC: elliptic_curve::Curve + elliptic_curve::CurveArithmetic\u003e(\n            x: Vec\u003cu8\u003e,\n            y: Vec\u003cu8\u003e,\n        ) -\u003e Result\u003celliptic_curve::PublicKey\u003cC\u003e\u003e\n        where\n            \u003cC as elliptic_curve::Curve\u003e::FieldBytesSize: elliptic_curve::sec1::ModulusSize,\n            \u003cC as elliptic_curve::CurveArithmetic\u003e::AffinePoint: FromEncodedPoint\u003cC\u003e,\n            \u003cC as elliptic_curve::CurveArithmetic\u003e::AffinePoint: ToEncodedPoint\u003cC\u003e,\n        {\n            let x = to_field_bytes::\u003cC\u003e(\u0026x)?;\n            let y = to_field_bytes::\u003cC\u003e(\u0026y)?;\n\n            let point = EncodedPoint::\u003cC\u003e::from_affine_coordinates(x, y, false);\n            let key: Option\u003c_\u003e = elliptic_curve::PublicKey::\u003cC\u003e::from_encoded_point(\u0026point).into();\n            let key = key.ok_or(super::BackendError::InvalidEcKey)?;\n            Ok(key)\n        }\n\n        match alg {\n            EcDSA::Es256 =\u003e Ok(Self {\n                inner: ErasedPublicKey::P256(new_typed::\u003cNistP256\u003e(x, y)?),\n            }),\n            EcDSA::Es384 =\u003e Ok(Self {\n                inner: ErasedPublicKey::P384(new_typed::\u003cNistP384\u003e(x, y)?),\n            }),\n            EcDSA::Es512 =\u003e Err(super::BackendError::CurveNotSupported(\"P-521\").into()),\n            EcDSA::Es256K =\u003e Ok(Self {\n                inner: ErasedPublicKey::Secp256k1(new_typed::\u003cSecp256k1\u003e(x, y)?),\n            }),\n        }\n    }\n\n    fn to_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        let identity_point = || alloc::vec![0u8];\n        match self.inner {\n            ErasedPublicKey::P256(ref key) =\u003e {\n                let point = key.to_encoded_point(false);\n                (\n                    point.x().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                    point.y().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                )\n            }\n            ErasedPublicKey::P384(ref key) =\u003e {\n                let point = key.to_encoded_point(false);\n                (\n                    point.x().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                    point.y().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                )\n            }\n            ErasedPublicKey::Secp256k1(ref key) =\u003e {\n                let point = key.to_encoded_point(false);\n                (\n                    point.x().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                    point.y().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                )\n            }\n        }\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        Ok(match self.inner {\n            ErasedPublicKey::P256(ref key) =\u003e {\n                let Ok(sig) = ecdsa::Signature::\u003cNistP256\u003e::try_from(signature) else {\n                    return Ok(false);\n                };\n                let key = ecdsa::VerifyingKey::\u003cNistP256\u003e::from(key);\n                key.verify(msg, \u0026sig).is_ok()\n            }\n            ErasedPublicKey::P384(ref key) =\u003e {\n                let Ok(sig) = ecdsa::Signature::\u003cNistP384\u003e::try_from(signature) else {\n                    return Ok(false);\n                };\n                let key = ecdsa::VerifyingKey::\u003cNistP384\u003e::from(key);\n                key.verify(msg, \u0026sig).is_ok()\n            }\n            ErasedPublicKey::Secp256k1(ref key) =\u003e {\n                let Ok(sig) = ecdsa::Signature::\u003cSecp256k1\u003e::try_from(signature) else {\n                    return Ok(false);\n                };\n                let key = ecdsa::VerifyingKey::\u003cSecp256k1\u003e::from(key);\n                key.verify(msg, \u0026sig).is_ok()\n            }\n        })\n    }\n}\n","traces":[{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":113,"address":[],"length":0,"stats":{"Line":0}},{"line":114,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":0}},{"line":120,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":0}},{"line":161,"address":[],"length":0,"stats":{"Line":0}},{"line":246,"address":[],"length":0,"stats":{"Line":0}},{"line":247,"address":[],"length":0,"stats":{"Line":0}},{"line":249,"address":[],"length":0,"stats":{"Line":0}},{"line":250,"address":[],"length":0,"stats":{"Line":0}},{"line":251,"address":[],"length":0,"stats":{"Line":0}},{"line":252,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":22},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","rust","hmac.rs"],"content":"use ::hmac::Hmac;\nuse digest::{Mac as _, Output};\n\nuse crate::{\n    crypto::{backend::interface::hmac, Result},\n    jwa,\n};\n\n/// Rust crypto uses generic arguments to represent the variant.\n///\n/// We don't to that at this level, so we have to erase the type.\nenum ErasedKey {\n    Hs256(Hmac\u003csha2::Sha256\u003e),\n    Hs384(Hmac\u003csha2::Sha384\u003e),\n    Hs512(Hmac\u003csha2::Sha512\u003e),\n}\n\npub(crate) enum ErasedSignature {\n    Hs256(Output\u003cHmac\u003csha2::Sha256\u003e\u003e),\n    Hs384(Output\u003cHmac\u003csha2::Sha384\u003e\u003e),\n    Hs512(Output\u003cHmac\u003csha2::Sha512\u003e\u003e),\n}\n\nimpl AsRef\u003c[u8]\u003e for ErasedSignature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        match self {\n            ErasedSignature::Hs256(sig) =\u003e sig.as_ref(),\n            ErasedSignature::Hs384(sig) =\u003e sig.as_ref(),\n            ErasedSignature::Hs512(sig) =\u003e sig.as_ref(),\n        }\n    }\n}\n\n/// A low level HMAC key.\n#[repr(transparent)]\npub(crate) struct Key {\n    inner: ErasedKey,\n}\n\nimpl hmac::Key for Key {\n    type Signature = ErasedSignature;\n\n    fn new(variant: jwa::Hmac, data: \u0026[u8]) -\u003e Result\u003cSelf\u003e {\n        let key = match variant {\n            jwa::Hmac::Hs256 =\u003e ErasedKey::Hs256(Hmac::\u003csha2::Sha256\u003e::new_from_slice(data)?),\n            jwa::Hmac::Hs384 =\u003e ErasedKey::Hs384(Hmac::\u003csha2::Sha384\u003e::new_from_slice(data)?),\n            jwa::Hmac::Hs512 =\u003e ErasedKey::Hs512(Hmac::\u003csha2::Sha512\u003e::new_from_slice(data)?),\n        };\n\n        Ok(Self { inner: key })\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let signature = match \u0026mut self.inner {\n            ErasedKey::Hs256(hmac) =\u003e {\n                hmac.update(data);\n                ErasedSignature::Hs256(hmac.finalize_reset().into_bytes())\n            }\n            ErasedKey::Hs384(hmac) =\u003e {\n                hmac.update(data);\n                ErasedSignature::Hs384(hmac.finalize_reset().into_bytes())\n            }\n            ErasedKey::Hs512(hmac) =\u003e {\n                hmac.update(data);\n                ErasedSignature::Hs512(hmac.finalize_reset().into_bytes())\n            }\n        };\n\n        Ok(signature)\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","rust","okp.rs"],"content":"use alloc::vec::Vec;\n\nuse ed25519_dalek::{PUBLIC_KEY_LENGTH, SECRET_KEY_LENGTH};\nuse rand_core::OsRng;\nuse secrecy::{ExposeSecret, SecretSlice};\nuse signature::Signer as _;\nuse zeroize::Zeroizing;\n\nuse crate::crypto::{backend::interface::okp, Result};\n\n#[derive(Clone)]\nenum ErasedPrivateKey {\n    Ed25519(ed25519_dalek::SigningKey),\n}\n\n#[derive(Clone)]\nenum ErasedPublicKey {\n    Ed25519(ed25519_dalek::VerifyingKey),\n}\n\n#[derive(Clone)]\npub(crate) enum ErasedSignature {\n    Ed25519([u8; ed25519_dalek::Signature::BYTE_SIZE]),\n}\n\nimpl From\u003cErasedSignature\u003e for Vec\u003cu8\u003e {\n    fn from(value: ErasedSignature) -\u003e Self {\n        match value {\n            ErasedSignature::Ed25519(sig) =\u003e sig.to_vec(),\n        }\n    }\n}\n\nimpl AsRef\u003c[u8]\u003e for ErasedSignature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        match self {\n            ErasedSignature::Ed25519(ref sig) =\u003e sig,\n        }\n    }\n}\n\n/// A low level public ED key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PublicKey {\n    inner: ErasedPublicKey,\n}\n\nimpl okp::PublicKey for PublicKey {\n    fn new(alg: okp::CurveAlgorithm, x: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let key = match alg {\n            okp::CurveAlgorithm::Ed25519 =\u003e {\n                let len = x.len();\n                let x: [u8; PUBLIC_KEY_LENGTH] =\n                    x.try_into()\n                        .map_err(|_| super::BackendError::InvalidEcPoint {\n                            expected: PUBLIC_KEY_LENGTH,\n                            actual: len,\n                        })?;\n                ErasedPublicKey::Ed25519(\n                    ed25519_dalek::VerifyingKey::from_bytes(\u0026x)\n                        .map_err(super::BackendError::Ed25519)?,\n                )\n            }\n            okp::CurveAlgorithm::Ed448 =\u003e {\n                return Err(super::BackendError::CurveNotSupported(\"Ed448\").into())\n            }\n        };\n\n        Ok(Self { inner: key })\n    }\n\n    fn to_bytes(\u0026self) -\u003e Vec\u003cu8\u003e {\n        match self.inner {\n            ErasedPublicKey::Ed25519(ref key) =\u003e key.to_bytes().to_vec(),\n        }\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        match self.inner {\n            ErasedPublicKey::Ed25519(ref key) =\u003e {\n                // FIXME: this needs interop testing in case this is handled differently by\n                // other implementations\n                // See \u003chttps://docs.rs/ed25519-dalek/latest/ed25519_dalek/struct.VerifyingKey.html#on-the-multiple-sources-of-malleability-in-ed25519-signatures\u003e\n\n                let Ok(sig) = ed25519_dalek::Signature::from_slice(signature) else {\n                    return Ok(false);\n                };\n\n                Ok(key.verify_strict(msg, \u0026sig).is_ok())\n            }\n        }\n    }\n}\n\n/// A low level public ED key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PrivateKey {\n    inner: ErasedPrivateKey,\n}\n\nimpl okp::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = ErasedSignature;\n\n    fn generate(alg: okp::CurveAlgorithm) -\u003e Result\u003cSelf\u003e {\n        let key = match alg {\n            okp::CurveAlgorithm::Ed25519 =\u003e {\n                let mut rng = OsRng;\n                ErasedPrivateKey::Ed25519(ed25519_dalek::SigningKey::generate(\u0026mut rng))\n            }\n            okp::CurveAlgorithm::Ed448 =\u003e {\n                return Err(super::BackendError::CurveNotSupported(\"Ed448\").into())\n            }\n        };\n\n        Ok(Self { inner: key })\n    }\n\n    fn new(alg: okp::CurveAlgorithm, _x: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let key = match alg {\n            okp::CurveAlgorithm::Ed25519 =\u003e {\n                let d = d.expose_secret();\n\n                let len = d.len();\n                let d: [u8; SECRET_KEY_LENGTH] =\n                    d.try_into()\n                        .map_err(|_| super::BackendError::InvalidEcPoint {\n                            expected: SECRET_KEY_LENGTH,\n                            actual: len,\n                        })?;\n\n                ErasedPrivateKey::Ed25519(ed25519_dalek::SigningKey::from_bytes(\u0026d))\n            }\n            okp::CurveAlgorithm::Ed448 =\u003e {\n                return Err(super::BackendError::CurveNotSupported(\"Ed448\").into())\n            }\n        };\n\n        Ok(Self { inner: key })\n    }\n\n    fn to_bytes(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        match self.inner {\n            ErasedPrivateKey::Ed25519(ref key) =\u003e {\n                let material = Zeroizing::new(key.to_bytes());\n                SecretSlice::from(material.to_vec())\n            }\n        }\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        let key = match self.inner {\n            ErasedPrivateKey::Ed25519(ref key) =\u003e {\n                let pubkey = key.verifying_key();\n                ErasedPublicKey::Ed25519(pubkey)\n            }\n        };\n\n        PublicKey { inner: key }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        Ok(match self.inner {\n            ErasedPrivateKey::Ed25519(ref key) =\u003e {\n                let sig = key.try_sign(data).map_err(super::BackendError::Ed25519)?;\n                ErasedSignature::Ed25519(sig.to_bytes())\n            }\n        })\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","rust","rsa.rs"],"content":"use alloc::vec::Vec;\n\nuse ::rsa::{\n    traits::{PrivateKeyParts, PublicKeyParts as _},\n    BigUint, Pkcs1v15Sign, Pss, RsaPrivateKey, RsaPublicKey,\n};\nuse secrecy::{ExposeSecret, SecretSlice};\nuse sha2::Digest as _;\nuse zeroize::Zeroizing;\n\nuse crate::{\n    crypto::{backend::interface::rsa, Result},\n    jwa::{self, RsaSigning, RsassaPkcs1V1_5, RsassaPss},\n};\n\n/// A low level private RSA key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PrivateKey {\n    // WARN: It is important that the `inner` key always contains it's precomupted values.\n    // It must be ensured that on each construction of this type, `precomputed` method is called\n    inner: RsaPrivateKey,\n}\n\nimpl rsa::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(bits: usize) -\u003e Result\u003cSelf\u003e {\n        Ok(Self {\n            inner: RsaPrivateKey::new(\u0026mut rand_core::OsRng, bits)?,\n        })\n    }\n\n    fn sign(\u0026mut self, alg: jwa::RsaSigning, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let hashed = match alg {\n            RsaSigning::Pss(RsassaPss::Ps256) | RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs256) =\u003e {\n                sha2::Sha256::digest(data).to_vec()\n            }\n            RsaSigning::Pss(RsassaPss::Ps384) | RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs384) =\u003e {\n                sha2::Sha384::digest(data).to_vec()\n            }\n            RsaSigning::Pss(RsassaPss::Ps512) | RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs512) =\u003e {\n                sha2::Sha512::digest(data).to_vec()\n            }\n        };\n\n        let mut rng = rand_core::OsRng;\n\n        let res = match alg {\n            RsaSigning::Pss(pss) =\u003e match pss {\n                RsassaPss::Ps256 =\u003e {\n                    let pad = Pss::new::\u003csha2::Sha256\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n                RsassaPss::Ps384 =\u003e {\n                    let pad = Pss::new::\u003csha2::Sha384\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n                RsassaPss::Ps512 =\u003e {\n                    let pad = Pss::new::\u003csha2::Sha512\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n            },\n            RsaSigning::RsPkcs1V1_5(pkcs) =\u003e match pkcs {\n                RsassaPkcs1V1_5::Rs256 =\u003e {\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha256\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n                RsassaPkcs1V1_5::Rs384 =\u003e {\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha384\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n                RsassaPkcs1V1_5::Rs512 =\u003e {\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha512\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n            },\n        };\n\n        Ok(res?)\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            inner: self.inner.to_public_key(),\n        }\n    }\n\n    fn from_components(\n        pri: rsa::PrivateKeyComponents,\n        pu: rsa::PublicKeyComponents,\n    ) -\u003e Result\u003cSelf\u003e {\n        let n = BigUint::from_bytes_be(\u0026pu.n);\n        let e = BigUint::from_bytes_be(\u0026pu.e);\n\n        let d = pri.d.expose_secret();\n        let d = BigUint::from_bytes_be(d);\n\n        let p = BigUint::from_bytes_be(pri.prime.p.expose_secret());\n        let q = BigUint::from_bytes_be(pri.prime.q.expose_secret());\n\n        let mut key = RsaPrivateKey::from_components(n, e, d, alloc::vec![p, q])?;\n        key.precompute()?;\n        Ok(Self { inner: key })\n    }\n\n    fn private_components(\u0026self) -\u003e Result\u003crsa::PrivateKeyComponents\u003e {\n        let mut primes = self.inner.primes().iter().map(|b| b.to_bytes_be());\n\n        let p = primes\n            .next()\n            .map(SecretSlice::from)\n            .ok_or(super::BackendError::RsaTwoPrimes)?;\n        let q = primes\n            .next()\n            .map(SecretSlice::from)\n            .ok_or(super::BackendError::RsaTwoPrimes)?;\n\n        if primes.next().is_some() {\n            return Err(super::BackendError::RsaTwoPrimes.into());\n        }\n\n        let opt_uint = |x: Option\u003c\u0026BigUint\u003e| {\n            x.map(|x| SecretSlice::from(x.to_bytes_be()))\n                .expect(\"key must be precomputed\")\n        };\n\n        Ok(rsa::PrivateKeyComponents {\n            d: SecretSlice::from(self.inner.d().to_bytes_be()),\n            prime: rsa::PrivateKeyPrimeComponents {\n                p,\n                q,\n                dp: opt_uint(self.inner.dp()),\n                dq: opt_uint(self.inner.dq()),\n                qi: {\n                    let qi = Zeroizing::new(self.inner.crt_coefficient());\n                    opt_uint(qi.as_ref())\n                },\n            },\n        })\n    }\n\n    fn public_components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        rsa::PublicKeyComponents {\n            n: self.inner.n().to_bytes_be(),\n            e: self.inner.e().to_bytes_be(),\n        }\n    }\n}\n\n/// A low level public RSA key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PublicKey {\n    inner: RsaPublicKey,\n}\n\nimpl rsa::PublicKey for PublicKey {\n    fn from_components(c: rsa::PublicKeyComponents) -\u003e Result\u003cSelf\u003e {\n        let n = ::rsa::BigUint::from_bytes_be(\u0026c.n);\n        let e = ::rsa::BigUint::from_bytes_be(\u0026c.e);\n        let key = ::rsa::RsaPublicKey::new(n, e)?;\n\n        Ok(Self { inner: key })\n    }\n\n    fn verify(\u0026mut self, alg: jwa::RsaSigning, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        let res = match alg {\n            RsaSigning::Pss(pss) =\u003e match pss {\n                RsassaPss::Ps256 =\u003e {\n                    let hashed = sha2::Sha256::digest(msg);\n                    let pad = Pss::new::\u003csha2::Sha256\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n                RsassaPss::Ps384 =\u003e {\n                    let hashed = sha2::Sha384::digest(msg);\n                    let pad = Pss::new::\u003csha2::Sha384\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n                RsassaPss::Ps512 =\u003e {\n                    let hashed = sha2::Sha512::digest(msg);\n                    let pad = Pss::new::\u003csha2::Sha512\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n            },\n            RsaSigning::RsPkcs1V1_5(pkcs) =\u003e match pkcs {\n                RsassaPkcs1V1_5::Rs256 =\u003e {\n                    let hashed = sha2::Sha256::digest(msg);\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha256\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n                RsassaPkcs1V1_5::Rs384 =\u003e {\n                    let hashed = sha2::Sha384::digest(msg);\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha384\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n                RsassaPkcs1V1_5::Rs512 =\u003e {\n                    let hashed = sha2::Sha512::digest(msg);\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha512\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n            },\n        };\n\n        Ok(res.is_ok())\n    }\n\n    fn components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        rsa::PublicKeyComponents {\n            n: self.inner.n().to_bytes_be(),\n            e: self.inner.e().to_bytes_be(),\n        }\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","rust.rs"],"content":"//! This backend implements the primitives using the [RustCrypto] ecosystem.\n//!\n//! [RustCrypto]: https://github.com/RustCrypto\n\nuse digest::Digest as _;\nuse rand_core::RngCore as _;\nuse thiserror::Error;\n\nuse super::interface;\n\npub(crate) mod ec;\npub(crate) mod hmac;\npub(crate) mod okp;\npub(crate) mod rsa;\n\n// TODO: remove the `cfg_attr` once the RustCrypto crates implement\n// the core::error::Error trait.\n\n/// The errors that can be produced by the rust crypto backend.\n#[derive(Debug, Error)]\npub(crate) enum BackendError {\n    /// The error returned if the key is invalid.\n    #[error(\"invalid key length\")]\n    InvalidLength,\n\n    /// RSA operation failed.\n    #[cfg_attr(feature = \"std\", error(\"an RSA operation failed\"))]\n    #[cfg_attr(not(feature = \"std\"), error(\"an RSA operation failed: {0}\"))]\n    Rsa(#[cfg_attr(feature = \"std\", source)] ::rsa::errors::Error),\n\n    /// Error of the `elliptic_curve` crate.\n    #[cfg_attr(feature = \"std\", error(\"an elliptic curve operation failed\"))]\n    #[cfg_attr(not(feature = \"std\"), error(\"an elliptic curve operation failed: {0}\"))]\n    EllipticCurve(#[cfg_attr(feature = \"std\", source)] ::elliptic_curve::Error),\n\n    /// Error of the `ecdsa` crate.\n    #[cfg_attr(feature = \"std\", error(\"an ECDSA operation failed\"))]\n    #[cfg_attr(not(feature = \"std\"), error(\"an ECDSA operation failed: {0}\"))]\n    Ecdsa(#[cfg_attr(feature = \"std\", source)] ::ecdsa::Error),\n\n    /// Error of the `ed25519-dalek` crate.\n    #[cfg_attr(feature = \"std\", error(\"an ED25519 operation failed\"))]\n    #[cfg_attr(not(feature = \"std\"), error(\"an ED25519 operation failed: {0}\"))]\n    Ed25519(#[cfg_attr(feature = \"std\", source)] ed25519_dalek::SignatureError),\n\n    /// The amount of bytes for an EC point is invalid.\n    #[error(\"invalid EC point length, expected {expected}, got {actual}\")]\n    InvalidEcPoint { expected: usize, actual: usize },\n\n    /// The coordinates did not form a valid key.\n    #[error(\"invalid EC key\")]\n    InvalidEcKey,\n\n    /// The curve type is not supported by this backend.\n    #[error(\"curve '{0}' not supported by this backend\")]\n    CurveNotSupported(\u0026'static str),\n\n    #[error(\"RSA key expected to have exactly 2 prime numbers\")]\n    RsaTwoPrimes,\n\n    /// `rand_core` error.\n    #[cfg_attr(feature = \"std\", error(\"failed to generate random data\"))]\n    #[cfg_attr(not(feature = \"std\"), error(\"failed to generate random data: {0}\"))]\n    Rand(#[cfg_attr(feature = \"std\", source)] rand_core::Error),\n}\n\nimpl From\u003cdigest::InvalidLength\u003e for BackendError {\n    fn from(_: digest::InvalidLength) -\u003e Self {\n        Self::InvalidLength\n    }\n}\n\nimpl From\u003c::rsa::errors::Error\u003e for BackendError {\n    fn from(x: ::rsa::errors::Error) -\u003e Self {\n        Self::Rsa(x)\n    }\n}\n\n/// The [RustCrypto] based backend.\n///\n/// [RustCrypto]: https://github.com/RustCrypto\n#[derive(Debug)]\npub(crate) enum Backend {}\n\nimpl interface::Backend for Backend {\n    type EcPrivateKey = ec::PrivateKey;\n    type EcPublicKey = ec::PublicKey;\n    type EdPrivateKey = okp::PrivateKey;\n    type EdPublicKey = okp::PublicKey;\n    type Error = BackendError;\n    type HmacKey = hmac::Key;\n    type RsaPrivateKey = rsa::PrivateKey;\n    type RsaPublicKey = rsa::PublicKey;\n\n    fn fill_random(buf: \u0026mut [u8]) -\u003e Result\u003c(), Self::Error\u003e {\n        use rand_core::OsRng;\n\n        OsRng.try_fill_bytes(buf).map_err(BackendError::Rand)?;\n        Ok(())\n    }\n\n    fn sha256(data: \u0026[u8]) -\u003e [u8; 32] {\n        sha2::Sha256::digest(data).into()\n    }\n\n    fn sha384(data: \u0026[u8]) -\u003e [u8; 48] {\n        sha2::Sha384::digest(data).into()\n    }\n\n    fn sha512(data: \u0026[u8]) -\u003e [u8; 64] {\n        sha2::Sha512::digest(data).into()\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend.rs"],"content":"//! The actual implementations for the cryptographic backends.\n\npub(super) mod interface;\n\ncfg_if::cfg_if! {\n    if #[cfg(feature = \"crypto-rustcrypto\")] {\n        mod rust;\n        pub(crate) use rust::*;\n    } else if #[cfg(feature = \"crypto-openssl\")] {\n        mod openssl;\n        pub(crate) use openssl::*;\n    } else if #[cfg(feature = \"crypto-aws-lc\")] {\n        mod openssl;\n        pub(crate) use openssl::*;\n    } else if #[cfg(feature = \"crypto-ring\")] {\n        mod ring;\n        pub(crate) use ring::*;\n    } else {\n        compile_error!(\"No crypto backend selected. Please enable any of the `crypto-*` features.\");\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","ec.rs"],"content":"//! The primitives for working with [EC (elliptic curve)](https://en.wikipedia.org/wiki/Elliptic-curve_cryptography)\n//! algorithms (`kty` parameter = `EC`).\n//!\n//! If you are looking for the other curve types, see the\n//! [`okp`](crate::crypto::okp) module, which contains all curves that require a\n//! octet key pair.\n\nuse alloc::{boxed::Box, format, string::String, vec::Vec};\nuse core::{fmt, marker::PhantomData};\n\nuse secrecy::ExposeSecret;\nuse serde::{de::Error as _, Deserialize, Serialize};\n\nuse super::backend::{interface, Backend};\nuse crate::{\n    base64_url::{Base64UrlBytes, SecretBase64UrlBytes},\n    crypto::{\n        backend::interface::ec::{PrivateKey as _, PublicKey as _},\n        Result,\n    },\n    jwa, jwk, jws, Base64UrlString,\n};\n\ntype BackendPublicKey = \u003cBackend as interface::Backend\u003e::EcPublicKey;\ntype BackendPrivateKey = \u003cBackend as interface::Backend\u003e::EcPrivateKey;\n\n/// The public key type using the P-256 curve.\npub type P256PublicKey = PublicKey\u003cP256\u003e;\n\n/// The private key type using the P-256 curve.\npub type P256PrivateKey = PrivateKey\u003cP256\u003e;\n\n/// The signer type using the P-256 curve.\npub type P256Signer = Signer\u003cP256\u003e;\n\n/// The verifier type using the P-256 curve.\npub type P256Verifier = Verifier\u003cP256\u003e;\n\n/// The public key type using the P-384 curve.\npub type P384PublicKey = PublicKey\u003cP384\u003e;\n\n/// The private key type using the P-384 curve.\npub type P384PrivateKey = PrivateKey\u003cP384\u003e;\n\n/// The signer type using the P-384 curve.\npub type P384Signer = Signer\u003cP384\u003e;\n\n/// The verifier type using the P-384 curve.\npub type P384Verifier = Verifier\u003cP384\u003e;\n\n/// The public key type using the P-521 curve.\npub type P521PublicKey = PublicKey\u003cP521\u003e;\n\n/// The private key type using the P-521 curve.\npub type P521PrivateKey = PrivateKey\u003cP521\u003e;\n\n/// The signer type using the P-521 curve.\npub type P521Signer = Signer\u003cP521\u003e;\n\n/// The verifier type using the P-521 curve.\npub type P521Verifier = Verifier\u003cP521\u003e;\n\n/// The public key type using the secp256k1 curve.\npub type Secp256k1PublicKey = PublicKey\u003cSecp256k1\u003e;\n\n/// The private key type using the secp256k1 curve.\npub type Secp256k1PrivateKey = PrivateKey\u003cSecp256k1\u003e;\n\n/// The signer type using the secp256k1 curve.\npub type Secp256k1Signer = Signer\u003cSecp256k1\u003e;\n\n/// The verifier type using the secp256k1 curve.\npub type Secp256k1Verifier = Verifier\u003cSecp256k1\u003e;\n\n/// The curve trait marks all possible curves for key type `EC`.\npub trait Curve: sealed::Sealed {\n    /// The name of the curve, that is also used in the `crv` parameter of a\n    /// JWK.\n    const NAME: \u0026'static str;\n\n    /// The algorithm used for this curve.\n    const ALGORITHM: jwa::EcDSA;\n}\n\n/// Returns the number of bytes a single coordinate of the given curve holds.\npub(crate) fn coordinate_size(alg: jwa::EcDSA) -\u003e usize {\n    match alg {\n        jwa::EcDSA::Es256 =\u003e 32,\n        jwa::EcDSA::Es384 =\u003e 48,\n        jwa::EcDSA::Es512 =\u003e 66,\n        jwa::EcDSA::Es256K =\u003e 32,\n    }\n}\n\n/// The number of bytes for a scalar value for the given curve.\n///\n/// This is mostly used to ensure the private key has the correct length.\npub(crate) fn scalar_size(alg: jwa::EcDSA) -\u003e usize {\n    // The length of this octet string MUST be ceiling(log-base-2(n)/8) octets\n    // (where n is the order of the curve).\n    match alg {\n        jwa::EcDSA::Es256 =\u003e 32,\n        jwa::EcDSA::Es384 =\u003e 48,\n        jwa::EcDSA::Es512 =\u003e 66,\n        jwa::EcDSA::Es256K =\u003e 32,\n    }\n}\n\n/// The returned signature from a sign operation.\n#[repr(transparent)]\npub struct Signature {\n    inner: \u003cBackendPrivateKey as interface::ec::PrivateKey\u003e::Signature,\n}\n\nimpl From\u003cSignature\u003e for Vec\u003cu8\u003e {\n    fn from(value: Signature) -\u003e Self {\n        value.as_ref().to_vec()\n    }\n}\n\nimpl AsRef\u003c[u8]\u003e for Signature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        self.inner.as_ref()\n    }\n}\n\nimpl fmt::Debug for Signature {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Debug::fmt(AsRef::\u003c[u8]\u003e::as_ref(\u0026self.inner), f)\n    }\n}\n\n/// The serializable public key for all curve types.\n#[derive(Clone)]\npub struct PublicKey\u003cC\u003e {\n    inner: BackendPublicKey,\n    _curve: PhantomData\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e Eq for PublicKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e PartialEq for PublicKey\u003cC\u003e {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        let (x, y) = self.inner.to_point();\n        let (o_x, o_y) = other.inner.to_point();\n\n        x == o_x \u0026\u0026 y == o_y\n    }\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for PublicKey\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let (x, y) = self.inner.to_point();\n        let x = Base64UrlString::encode(x);\n        let y = Base64UrlString::encode(y);\n\n        f.debug_struct(\"PublicKey\")\n            .field(\"x\", \u0026x)\n            .field(\"y\", \u0026y)\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e From\u003cPublicKey\u003cC\u003e\u003e for jwk::JsonWebKeyType {\n    fn from(value: PublicKey\u003cC\u003e) -\u003e Self {\n        C::public_to_jwk_type(value)\n    }\n}\n\nimpl\u003cC: Curve\u003e crate::sealed::Sealed for PublicKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e jwk::IntoJsonWebKey for PublicKey\u003cC\u003e {\n    type Algorithm = ();\n    type Error = crate::crypto::Error;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003cjwk::JsonWebKey, Self::Error\u003e {\n        let key = C::public_to_jwk_type(self);\n        let key = jwk::JsonWebKey::new_with_algorithm(key, alg.map(|_| C::ALGORITHM.into()));\n        Ok(key)\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::Thumbprint for PublicKey\u003cC\u003e {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        jwk::thumbprint::serialize_key_thumbprint(self)\n    }\n}\n\n#[derive(Deserialize)]\nstruct PublicKeyRepr {\n    crv: String,\n    kty: String,\n    x: Base64UrlBytes,\n    y: Base64UrlBytes,\n}\n\nimpl\u003c'de, C: Curve\u003e Deserialize\u003c'de\u003e for PublicKey\u003cC\u003e {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let key = PublicKeyRepr::deserialize(deserializer)?;\n\n        if key.kty != \"EC\" {\n            return Err(D::Error::custom(alloc::format!(\n                \"Invalid key type `{}`. Expected: `EC`\",\n                key.kty,\n            )));\n        }\n\n        if key.crv != C::NAME {\n            return Err(D::Error::custom(alloc::format!(\n                \"Invalid curve type `{}`. Expected: `{}`\",\n                key.crv,\n                C::NAME,\n            )));\n        }\n\n        let check_coordinate = |c: \u0026[u8], name: \u0026str| {\n            if c.len() != coordinate_size(C::ALGORITHM) {\n                return Err(D::Error::custom(alloc::format!(\n                    \"ECC coordinate {name} has invalid length of {}, expected {}\",\n                    c.len(),\n                    coordinate_size(C::ALGORITHM),\n                )));\n            }\n\n            Ok(())\n        };\n\n        // https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.2\n        //\n        // Verifies that both coordinates are the same length as the curve size.\n        check_coordinate(\u0026key.x.0, \"x\")?;\n        check_coordinate(\u0026key.y.0, \"y\")?;\n\n        Ok(Self {\n            inner: \u003cBackendPublicKey as interface::ec::PublicKey\u003e::new(\n                C::ALGORITHM,\n                key.x.0,\n                key.y.0,\n            )\n            .map_err(|e| D::Error::custom(format!(\"failed to construct public EC key: {e}\")))?,\n            _curve: PhantomData,\n        })\n    }\n}\n\nimpl\u003cC: Curve\u003e Serialize for PublicKey\u003cC\u003e {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        #[derive(serde::Serialize)]\n        struct Repr\u003c'a\u003e {\n            crv: \u0026'a str,\n            kty: \u0026'a str,\n            x: Base64UrlBytes,\n            y: Base64UrlBytes,\n        }\n\n        let (x, y) = self.inner.to_point();\n\n        #[expect(clippy::useless_conversion)]\n        let repr = Repr {\n            crv: C::NAME,\n            kty: \"EC\",\n            x: Base64UrlBytes(Vec::\u003cu8\u003e::from(x)),\n            y: Base64UrlBytes(Vec::\u003cu8\u003e::from(y)),\n        };\n\n        repr.serialize(serializer)\n    }\n}\n\n/// The serializable private key for all curve types.\n#[derive(Clone)]\npub struct PrivateKey\u003cC\u003e {\n    inner: BackendPrivateKey,\n    _curve: PhantomData\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e PrivateKey\u003cC\u003e {\n    /// Generate a new RSA key pair of the given bit size.\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if the key generation fails.\n    pub fn generate() -\u003e Result\u003cSelf\u003e {\n        Ok(Self {\n            inner: BackendPrivateKey::generate(C::ALGORITHM)?,\n            _curve: PhantomData,\n        })\n    }\n\n    /// Returns the public key of this private key.\n    pub fn to_public_key(\u0026self) -\u003e PublicKey\u003cC\u003e {\n        PublicKey {\n            inner: self.inner.to_public_key(),\n            _curve: PhantomData,\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e Eq for PrivateKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e PartialEq for PrivateKey\u003cC\u003e {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        self.to_public_key() == other.to_public_key()\n    }\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for PrivateKey\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let (x, y) = self.inner.public_point();\n        let x = Base64UrlString::encode(x);\n        let y = Base64UrlString::encode(y);\n\n        f.debug_struct(\"PublicKey\")\n            .field(\"x\", \u0026x)\n            .field(\"y\", \u0026y)\n            .field(\"d\", \u0026\"[REDACTED]\")\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e From\u003cPrivateKey\u003cC\u003e\u003e for jwk::JsonWebKeyType {\n    fn from(value: PrivateKey\u003cC\u003e) -\u003e Self {\n        C::private_to_jwk_type(value)\n    }\n}\n\nimpl\u003cC: Curve\u003e crate::sealed::Sealed for PrivateKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e jwk::IntoJsonWebKey for PrivateKey\u003cC\u003e {\n    type Algorithm = ();\n    type Error = crate::crypto::Error;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003cjwk::JsonWebKey, Self::Error\u003e {\n        let key = C::private_to_jwk_type(self);\n        let key = jwk::JsonWebKey::new_with_algorithm(key, alg.map(|_| C::ALGORITHM.into()));\n        Ok(key)\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::Thumbprint for PrivateKey\u003cC\u003e {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        self.to_public_key().thumbprint_prehashed()\n    }\n}\n\nimpl\u003c'de, C: Curve\u003e Deserialize\u003c'de\u003e for PrivateKey\u003cC\u003e {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        #[derive(Deserialize)]\n        struct Repr {\n            #[serde(flatten)]\n            public: PublicKeyRepr,\n            d: SecretBase64UrlBytes,\n        }\n        let key = Repr::deserialize(deserializer)?;\n\n        let len = key.d.0.expose_secret().len();\n        if len != scalar_size(C::ALGORITHM) {\n            return Err(D::Error::custom(alloc::format!(\n                \"ECC scalar has invalid length of {len}, expected {}\",\n                scalar_size(C::ALGORITHM),\n            )));\n        }\n\n        Ok(Self {\n            inner: \u003cBackendPrivateKey as interface::ec::PrivateKey\u003e::new(\n                C::ALGORITHM,\n                key.public.x.0,\n                key.public.y.0,\n                key.d.0,\n            )\n            .map_err(|e| D::Error::custom(format!(\"failed to construct private EC key: {e}\")))?,\n            _curve: PhantomData,\n        })\n    }\n}\n\nimpl\u003cC: Curve\u003e Serialize for PrivateKey\u003cC\u003e {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        #[derive(serde::Serialize)]\n        struct Repr\u003c'a\u003e {\n            crv: \u0026'a str,\n            kty: \u0026'a str,\n            x: Base64UrlBytes,\n            y: Base64UrlBytes,\n            d: SecretBase64UrlBytes,\n        }\n\n        let (x, y) = self.inner.public_point();\n        let d = self.inner.private_material();\n\n        #[expect(clippy::useless_conversion)]\n        let repr = Repr {\n            crv: C::NAME,\n            kty: \"EC\",\n            x: Base64UrlBytes(Vec::\u003cu8\u003e::from(x)),\n            y: Base64UrlBytes(Vec::\u003cu8\u003e::from(y)),\n            d: SecretBase64UrlBytes(d),\n        };\n\n        repr.serialize(serializer)\n    }\n}\n\n/// The [`Signer`](jws::Signer) for EC keys.\npub struct Signer\u003cC\u003e {\n    inner: PrivateKey\u003cC\u003e,\n    deterministic: bool,\n}\n\nimpl\u003cC: Curve\u003e Signer\u003cC\u003e {\n    /// Makes the sign operation of this EcDSA signer deterministic.\n    ///\n    /// This enables deterministic signature values, according to [RFC 6979](https://www.rfc-editor.org/rfc/rfc6979).\n    #[cfg(feature = \"deterministic-ecdsa\")]\n    pub fn deterministic(mut self, deterministic: bool) -\u003e Self {\n        self.deterministic = deterministic;\n        self\n    }\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for Signer\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        f.debug_struct(\"Signer\").field(\"key\", \u0026self.inner).finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e jws::Signer\u003cSignature\u003e for Signer\u003cC\u003e {\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cSignature\u003e {\n        let sig = self.inner.inner.sign(msg, self.deterministic)?;\n        Ok(Signature { inner: sig })\n    }\n\n    fn algorithm(\u0026self) -\u003e jwa::JsonWebSigningAlgorithm {\n        jwa::JsonWebSigningAlgorithm::EcDSA(C::ALGORITHM)\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPrivateKey\u003cC\u003e\u003e for Signer\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    fn from_key(value: PrivateKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::EcDSA(alg))\n                if alg == C::ALGORITHM =\u003e\n            {\n                Ok(Self {\n                    inner: value,\n                    deterministic: false,\n                })\n            }\n            _ =\u003e Err(jws::InvalidSigningAlgorithmError),\n        }\n    }\n}\n\n/// The [`Verifier`](jws::Verifier) for EC keys.\npub struct Verifier\u003cC\u003e {\n    inner: PublicKey\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for Verifier\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        f.debug_struct(\"Verifier\")\n            .field(\"key\", \u0026self.inner)\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e jws::Verifier for Verifier\u003cC\u003e {\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), jws::VerifyError\u003e {\n        match self.inner.inner.verify(msg, signature) {\n            Ok(true) =\u003e Ok(()),\n            Ok(false) =\u003e Err(jws::VerifyError::InvalidSignature),\n            Err(e) =\u003e Err(jws::VerifyError::CryptoBackend(e)),\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPublicKey\u003cC\u003e\u003e for Verifier\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    fn from_key(value: PublicKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::EcDSA(alg))\n                if alg == C::ALGORITHM =\u003e\n            {\n                Ok(Self { inner: value })\n            }\n            _ =\u003e Err(jws::InvalidSigningAlgorithmError),\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPrivateKey\u003cC\u003e\u003e for Verifier\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    #[inline]\n    fn from_key(value: PrivateKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        Self::from_key(value.to_public_key(), alg)\n    }\n}\n\nmacro_rules! impl_curve {\n    ($(\n        $(#[$doc:meta])*\n        $curve:ident {\n            name: $curve_name:literal,\n            algorithm: $algorithm:ident,\n        }\n    ),*$(,)?) =\u003e { $(\n        $(#[$doc])*\n        #[derive(Debug, Clone, Copy)]\n        pub enum $curve {}\n\n        impl Curve for $curve {\n            const NAME: \u0026'static str = $curve_name;\n            const ALGORITHM: jwa::EcDSA = jwa::EcDSA::$algorithm;\n        }\n        impl sealed::Sealed for $curve {\n            fn public_to_jwk_type(key: PublicKey\u003cSelf\u003e) -\u003e jwk::JsonWebKeyType {\n                jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Public(\n                    jwk::Public::Ec(jwk::EcPublic::$curve(key)),\n                )))\n            }\n\n            fn private_to_jwk_type(key: PrivateKey\u003cSelf\u003e) -\u003e jwk::JsonWebKeyType {\n                jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Private(\n                    jwk::Private::Ec(jwk::EcPrivate::$curve(key)),\n                )))\n            }\n        }\n    )* };\n}\n\nimpl_curve!(\n    /// The P-256 curve.\n    P256 {\n        name: \"P-256\",\n        algorithm: Es256,\n    },\n\n    /// The P-384 curve.\n    P384 {\n        name: \"P-384\",\n        algorithm: Es384,\n    },\n\n    /// The P-521 curve.\n    P521 {\n        name: \"P-521\",\n        algorithm: Es512,\n    },\n\n    /// The secp256k1 curve.\n    Secp256k1 {\n        name: \"secp256k1\",\n        algorithm: Es256K,\n    },\n);\n\nmod sealed {\n    use crate::jwk::JsonWebKeyType;\n\n    pub trait Sealed: Sized {\n        fn public_to_jwk_type(key: super::PublicKey\u003cSelf\u003e) -\u003e JsonWebKeyType;\n\n        fn private_to_jwk_type(key: super::PrivateKey\u003cSelf\u003e) -\u003e JsonWebKeyType;\n    }\n}\n","traces":[{"line":86,"address":[],"length":0,"stats":{"Line":59}},{"line":87,"address":[],"length":0,"stats":{"Line":59}},{"line":88,"address":[],"length":0,"stats":{"Line":21}},{"line":89,"address":[],"length":0,"stats":{"Line":13}},{"line":90,"address":[],"length":0,"stats":{"Line":13}},{"line":91,"address":[],"length":0,"stats":{"Line":12}},{"line":98,"address":[],"length":0,"stats":{"Line":31}},{"line":101,"address":[],"length":0,"stats":{"Line":31}},{"line":102,"address":[],"length":0,"stats":{"Line":11}},{"line":103,"address":[],"length":0,"stats":{"Line":7}},{"line":104,"address":[],"length":0,"stats":{"Line":7}},{"line":105,"address":[],"length":0,"stats":{"Line":6}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":142,"address":[],"length":0,"stats":{"Line":26}},{"line":143,"address":[],"length":0,"stats":{"Line":26}},{"line":144,"address":[],"length":0,"stats":{"Line":26}},{"line":146,"address":[],"length":0,"stats":{"Line":52}},{"line":151,"address":[],"length":0,"stats":{"Line":0}},{"line":152,"address":[],"length":0,"stats":{"Line":0}},{"line":153,"address":[],"length":0,"stats":{"Line":0}},{"line":154,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":157,"address":[],"length":0,"stats":{"Line":0}},{"line":158,"address":[],"length":0,"stats":{"Line":0}},{"line":164,"address":[],"length":0,"stats":{"Line":0}},{"line":165,"address":[],"length":0,"stats":{"Line":0}},{"line":174,"address":[],"length":0,"stats":{"Line":0}},{"line":178,"address":[],"length":0,"stats":{"Line":0}},{"line":179,"address":[],"length":0,"stats":{"Line":0}},{"line":180,"address":[],"length":0,"stats":{"Line":0}},{"line":185,"address":[],"length":0,"stats":{"Line":33}},{"line":186,"address":[],"length":0,"stats":{"Line":33}},{"line":199,"address":[],"length":0,"stats":{"Line":14}},{"line":203,"address":[],"length":0,"stats":{"Line":28}},{"line":205,"address":[],"length":0,"stats":{"Line":0}},{"line":206,"address":[],"length":0,"stats":{"Line":0}},{"line":207,"address":[],"length":0,"stats":{"Line":0}},{"line":208,"address":[],"length":0,"stats":{"Line":0}},{"line":212,"address":[],"length":0,"stats":{"Line":14}},{"line":213,"address":[],"length":0,"stats":{"Line":0}},{"line":214,"address":[],"length":0,"stats":{"Line":0}},{"line":215,"address":[],"length":0,"stats":{"Line":0}},{"line":216,"address":[],"length":0,"stats":{"Line":0}},{"line":220,"address":[],"length":0,"stats":{"Line":42}},{"line":221,"address":[],"length":0,"stats":{"Line":28}},{"line":222,"address":[],"length":0,"stats":{"Line":0}},{"line":223,"address":[],"length":0,"stats":{"Line":0}},{"line":224,"address":[],"length":0,"stats":{"Line":0}},{"line":225,"address":[],"length":0,"stats":{"Line":0}},{"line":229,"address":[],"length":0,"stats":{"Line":28}},{"line":235,"address":[],"length":0,"stats":{"Line":0}},{"line":236,"address":[],"length":0,"stats":{"Line":14}},{"line":238,"address":[],"length":0,"stats":{"Line":0}},{"line":239,"address":[],"length":0,"stats":{"Line":14}},{"line":240,"address":[],"length":0,"stats":{"Line":14}},{"line":241,"address":[],"length":0,"stats":{"Line":14}},{"line":242,"address":[],"length":0,"stats":{"Line":14}},{"line":244,"address":[],"length":0,"stats":{"Line":14}},{"line":245,"address":[],"length":0,"stats":{"Line":14}},{"line":251,"address":[],"length":0,"stats":{"Line":41}},{"line":263,"address":[],"length":0,"stats":{"Line":41}},{"line":269,"address":[],"length":0,"stats":{"Line":41}},{"line":270,"address":[],"length":0,"stats":{"Line":41}},{"line":273,"address":[],"length":0,"stats":{"Line":41}},{"line":290,"address":[],"length":0,"stats":{"Line":3}},{"line":291,"address":[],"length":0,"stats":{"Line":3}},{"line":292,"address":[],"length":0,"stats":{"Line":3}},{"line":293,"address":[],"length":0,"stats":{"Line":3}},{"line":298,"address":[],"length":0,"stats":{"Line":38}},{"line":300,"address":[],"length":0,"stats":{"Line":38}},{"line":308,"address":[],"length":0,"stats":{"Line":4}},{"line":309,"address":[],"length":0,"stats":{"Line":4}},{"line":314,"address":[],"length":0,"stats":{"Line":0}},{"line":315,"address":[],"length":0,"stats":{"Line":0}},{"line":316,"address":[],"length":0,"stats":{"Line":0}},{"line":317,"address":[],"length":0,"stats":{"Line":0}},{"line":319,"address":[],"length":0,"stats":{"Line":0}},{"line":320,"address":[],"length":0,"stats":{"Line":0}},{"line":321,"address":[],"length":0,"stats":{"Line":0}},{"line":322,"address":[],"length":0,"stats":{"Line":0}},{"line":328,"address":[],"length":0,"stats":{"Line":0}},{"line":329,"address":[],"length":0,"stats":{"Line":0}},{"line":338,"address":[],"length":0,"stats":{"Line":0}},{"line":342,"address":[],"length":0,"stats":{"Line":0}},{"line":343,"address":[],"length":0,"stats":{"Line":0}},{"line":344,"address":[],"length":0,"stats":{"Line":0}},{"line":349,"address":[],"length":0,"stats":{"Line":17}},{"line":350,"address":[],"length":0,"stats":{"Line":17}},{"line":355,"address":[],"length":0,"stats":{"Line":28}},{"line":365,"address":[],"length":0,"stats":{"Line":56}},{"line":367,"address":[],"length":0,"stats":{"Line":0}},{"line":368,"address":[],"length":0,"stats":{"Line":0}},{"line":369,"address":[],"length":0,"stats":{"Line":0}},{"line":370,"address":[],"length":0,"stats":{"Line":0}},{"line":371,"address":[],"length":0,"stats":{"Line":0}},{"line":375,"address":[],"length":0,"stats":{"Line":14}},{"line":376,"address":[],"length":0,"stats":{"Line":14}},{"line":377,"address":[],"length":0,"stats":{"Line":14}},{"line":378,"address":[],"length":0,"stats":{"Line":14}},{"line":379,"address":[],"length":0,"stats":{"Line":14}},{"line":380,"address":[],"length":0,"stats":{"Line":14}},{"line":382,"address":[],"length":0,"stats":{"Line":14}},{"line":383,"address":[],"length":0,"stats":{"Line":14}},{"line":389,"address":[],"length":0,"stats":{"Line":8}},{"line":402,"address":[],"length":0,"stats":{"Line":8}},{"line":403,"address":[],"length":0,"stats":{"Line":8}},{"line":409,"address":[],"length":0,"stats":{"Line":8}},{"line":410,"address":[],"length":0,"stats":{"Line":8}},{"line":411,"address":[],"length":0,"stats":{"Line":8}},{"line":414,"address":[],"length":0,"stats":{"Line":8}},{"line":429,"address":[],"length":0,"stats":{"Line":0}},{"line":430,"address":[],"length":0,"stats":{"Line":0}},{"line":431,"address":[],"length":0,"stats":{"Line":0}},{"line":436,"address":[],"length":0,"stats":{"Line":0}},{"line":437,"address":[],"length":0,"stats":{"Line":0}},{"line":442,"address":[],"length":0,"stats":{"Line":0}},{"line":443,"address":[],"length":0,"stats":{"Line":0}},{"line":444,"address":[],"length":0,"stats":{"Line":0}},{"line":447,"address":[],"length":0,"stats":{"Line":0}},{"line":448,"address":[],"length":0,"stats":{"Line":0}},{"line":455,"address":[],"length":0,"stats":{"Line":0}},{"line":456,"address":[],"length":0,"stats":{"Line":0}},{"line":457,"address":[],"length":0,"stats":{"Line":0}},{"line":458,"address":[],"length":0,"stats":{"Line":0}},{"line":460,"address":[],"length":0,"stats":{"Line":0}},{"line":461,"address":[],"length":0,"stats":{"Line":0}},{"line":462,"address":[],"length":0,"stats":{"Line":0}},{"line":465,"address":[],"length":0,"stats":{"Line":0}},{"line":476,"address":[],"length":0,"stats":{"Line":0}},{"line":477,"address":[],"length":0,"stats":{"Line":0}},{"line":478,"address":[],"length":0,"stats":{"Line":0}},{"line":484,"address":[],"length":0,"stats":{"Line":0}},{"line":485,"address":[],"length":0,"stats":{"Line":0}},{"line":486,"address":[],"length":0,"stats":{"Line":0}},{"line":487,"address":[],"length":0,"stats":{"Line":0}},{"line":488,"address":[],"length":0,"stats":{"Line":0}},{"line":496,"address":[],"length":0,"stats":{"Line":0}},{"line":497,"address":[],"length":0,"stats":{"Line":0}},{"line":498,"address":[],"length":0,"stats":{"Line":0}},{"line":499,"address":[],"length":0,"stats":{"Line":0}},{"line":501,"address":[],"length":0,"stats":{"Line":0}},{"line":503,"address":[],"length":0,"stats":{"Line":0}},{"line":512,"address":[],"length":0,"stats":{"Line":0}},{"line":513,"address":[],"length":0,"stats":{"Line":0}},{"line":534,"address":[],"length":0,"stats":{"Line":0}},{"line":535,"address":[],"length":0,"stats":{"Line":0}},{"line":536,"address":[],"length":0,"stats":{"Line":0}},{"line":540,"address":[],"length":0,"stats":{"Line":0}},{"line":541,"address":[],"length":0,"stats":{"Line":0}},{"line":542,"address":[],"length":0,"stats":{"Line":0}}],"covered":63,"coverable":155},{"path":["/","home","stu","dev","rust","jose","src","crypto","hmac.rs"],"content":"//! The primitives for working with [HMAC] algorithms.\n//!\n//! [HMAC]: https://en.wikipedia.org/wiki/HMAC\n\nuse core::fmt;\n\nuse secrecy::{ExposeSecret, SecretSlice};\nuse subtle::ConstantTimeEq as _;\n\nuse super::{\n    backend::{\n        interface::{self, hmac::Key as _},\n        Backend,\n    },\n    Error, Result,\n};\nuse crate::{\n    crypto::backend::interface::Backend as _,\n    jwa,\n    jwk::{\n        self,\n        symmetric::{FromOctetSequenceError, OctetSequence},\n        IntoJsonWebKey,\n    },\n    jws::{self, Signer},\n};\n\ntype BackendHmacKey = \u003cBackend as interface::Backend\u003e::HmacKey;\n\n/// Marker trait is implemented for all supported HMAC variants.\npub trait Variant: crate::sealed::Sealed {\n    /// The JWA algorithm for this variant.\n    const ALGORITHM: jwa::Hmac;\n\n    /// The number of bytes in the output of the hash operation operation.\n    const OUTPUT_SIZE_BYTES: usize;\n}\n\n/// The returned signature from a sign operation.\n#[repr(transparent)]\npub struct Signature {\n    inner: \u003cBackendHmacKey as interface::hmac::Key\u003e::Signature,\n}\n\nimpl AsRef\u003c[u8]\u003e for Signature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        self.inner.as_ref()\n    }\n}\n\nimpl fmt::Debug for Signature {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Debug::fmt(AsRef::\u003c[u8]\u003e::as_ref(\u0026self.inner), f)\n    }\n}\n\n/// A key that can be used for signing and verifying HMAC signatures.\npub struct Key\u003cH: Variant\u003e {\n    inner: BackendHmacKey,\n    // We also need to store the raw key, to be able to convert it to a JWK.\n    raw_key: SecretSlice\u003cu8\u003e,\n    _variant: core::marker::PhantomData\u003cH\u003e,\n}\n\nimpl\u003cH: Variant\u003e Key\u003cH\u003e {\n    /// Generate a new random HMAC key, using the crypto backends default RNG.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the crypto backend failed to generate random data.\n    pub fn generate() -\u003e Result\u003cSelf\u003e {\n        let mut key = alloc::vec![0u8; H::OUTPUT_SIZE_BYTES].into_boxed_slice();\n        Backend::fill_random(\u0026mut key)?;\n        let key = SecretSlice::from(key);\n\n        Self::new_from_key(key)\n    }\n\n    fn new_from_key(key: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let inner = BackendHmacKey::new(H::ALGORITHM, key.expose_secret())?;\n        Ok(Self {\n            inner,\n            raw_key: key,\n            _variant: core::marker::PhantomData,\n        })\n    }\n}\n\nimpl\u003cH: Variant\u003e fmt::Debug for Key\u003cH\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        f.debug_struct(\"Key\")\n            .field(\"key\", \u0026self.raw_key)\n            .field(\"algorithm\", \u0026H::ALGORITHM)\n            .finish()\n    }\n}\n\nimpl\u003cH: Variant\u003e From\u003cKey\u003cH\u003e\u003e for jwk::JsonWebKeyType {\n    fn from(key: Key\u003cH\u003e) -\u003e Self {\n        jwk::JsonWebKeyType::Symmetric(jwk::SymmetricJsonWebKey::OctetSequence(OctetSequence::new(\n            key.raw_key,\n        )))\n    }\n}\n\nimpl\u003cH: Variant\u003e crate::sealed::Sealed for Key\u003cH\u003e {}\nimpl\u003cH: Variant\u003e IntoJsonWebKey for Key\u003cH\u003e {\n    type Algorithm = ();\n    type Error = core::convert::Infallible;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003ccrate::JsonWebKey, Self::Error\u003e {\n        let key_ty = jwk::JsonWebKeyType::from(self);\n        let alg = alg.map(|_| {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Hmac(H::ALGORITHM))\n        });\n        Ok(jwk::JsonWebKey::new_with_algorithm(key_ty, alg))\n    }\n}\n\nimpl\u003cH: Variant\u003e jws::Verifier for Key\u003cH\u003e {\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), jws::VerifyError\u003e {\n        let signed = self.inner.sign(msg)?;\n\n        let valid = bool::from(signature.ct_eq(signed.as_ref()));\n        if valid {\n            Ok(())\n        } else {\n            Err(jws::VerifyError::InvalidSignature)\n        }\n    }\n}\n\nimpl\u003cH: Variant\u003e Signer\u003cSignature\u003e for Key\u003cH\u003e {\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cSignature, Error\u003e {\n        let signature = self.inner.sign(msg)?;\n        Ok(Signature { inner: signature })\n    }\n\n    fn algorithm(\u0026self) -\u003e jwa::JsonWebSigningAlgorithm {\n        jwa::JsonWebSigningAlgorithm::Hmac(H::ALGORITHM)\n    }\n}\n\nimpl\u003cH: Variant\u003e jwk::FromKey\u003cOctetSequence\u003e for Key\u003cH\u003e {\n    type Error = FromOctetSequenceError;\n\n    fn from_key(\n        key: OctetSequence,\n        alg: jwa::JsonWebAlgorithm,\n    ) -\u003e core::result::Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Hmac(alg)) =\u003e {\n                if alg != H::ALGORITHM {\n                    return Err(FromOctetSequenceError::InvalidSigningAlgorithm(\n                        jws::InvalidSigningAlgorithmError,\n                    ));\n                }\n\n                // This check is not required for normal Hmac implementations based on RFC 2104\n                // but RFC 7518 section 3.2 requires this check and\n                // forbids keys with a length \u003c output\n                if key.len() \u003c H::OUTPUT_SIZE_BYTES {\n                    return Err(FromOctetSequenceError::InvalidLength);\n                }\n\n                Ok(Self::new_from_key(key.into_bytes())?)\n            }\n            _ =\u003e Err(FromOctetSequenceError::InvalidSigningAlgorithm(\n                jws::InvalidSigningAlgorithmError,\n            )),\n        }\n    }\n}\n\nimpl\u003cH: Variant\u003e jwk::FromKey\u003c\u0026OctetSequence\u003e for Key\u003cH\u003e {\n    type Error = FromOctetSequenceError;\n\n    fn from_key(key: \u0026OctetSequence, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Hmac(alg)) =\u003e {\n                if alg != H::ALGORITHM {\n                    return Err(FromOctetSequenceError::InvalidSigningAlgorithm(\n                        jws::InvalidSigningAlgorithmError,\n                    ));\n                }\n\n                // This check is not required for normal Hmac implementations based on RFC 2104\n                // but RFC 7518 section 3.2 requires this check and\n                // forbids keys with a length \u003c output\n                if key.len() \u003c H::OUTPUT_SIZE_BYTES {\n                    return Err(FromOctetSequenceError::InvalidLength);\n                }\n\n                Ok(Self::new_from_key(key.bytes().clone())?)\n            }\n            _ =\u003e Err(FromOctetSequenceError::InvalidSigningAlgorithm(\n                jws::InvalidSigningAlgorithmError,\n            )),\n        }\n    }\n}\nmacro_rules! impl_variant {\n    (#[$doc:meta] $variant:ident = $size:expr) =\u003e {\n        #[$doc]\n        #[derive(Debug)]\n        pub enum $variant {}\n\n        impl Variant for $variant {\n            const ALGORITHM: jwa::Hmac = jwa::Hmac::$variant;\n            const OUTPUT_SIZE_BYTES: usize = $size;\n        }\n        impl crate::sealed::Sealed for $variant {}\n    };\n}\n\nimpl_variant!(\n    /// Marker type that represents Hmac using the Sha256 digest.\n    Hs256 = 256 / 8\n);\nimpl_variant!(\n    /// Marker type that represents Hmac using the Sha384 digest.\n    Hs384 = 384 / 8\n);\nimpl_variant!(\n    /// Marker type that represents Hmac using the Sha512 digest.\n    Hs512 = 512 / 8\n);\n","traces":[{"line":46,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":52,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":1}},{"line":72,"address":[],"length":0,"stats":{"Line":1}},{"line":73,"address":[],"length":0,"stats":{"Line":1}},{"line":74,"address":[],"length":0,"stats":{"Line":1}},{"line":76,"address":[],"length":0,"stats":{"Line":1}},{"line":79,"address":[],"length":0,"stats":{"Line":1}},{"line":80,"address":[],"length":0,"stats":{"Line":2}},{"line":81,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":90,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}},{"line":100,"address":[],"length":0,"stats":{"Line":0}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":119,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":138,"address":[],"length":0,"stats":{"Line":0}},{"line":139,"address":[],"length":0,"stats":{"Line":0}},{"line":142,"address":[],"length":0,"stats":{"Line":0}},{"line":143,"address":[],"length":0,"stats":{"Line":0}},{"line":150,"address":[],"length":0,"stats":{"Line":0}},{"line":154,"address":[],"length":0,"stats":{"Line":0}},{"line":155,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":157,"address":[],"length":0,"stats":{"Line":0}},{"line":158,"address":[],"length":0,"stats":{"Line":0}},{"line":165,"address":[],"length":0,"stats":{"Line":0}},{"line":166,"address":[],"length":0,"stats":{"Line":0}},{"line":169,"address":[],"length":0,"stats":{"Line":0}},{"line":171,"address":[],"length":0,"stats":{"Line":0}},{"line":172,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":1}},{"line":182,"address":[],"length":0,"stats":{"Line":1}},{"line":183,"address":[],"length":0,"stats":{"Line":1}},{"line":184,"address":[],"length":0,"stats":{"Line":1}},{"line":185,"address":[],"length":0,"stats":{"Line":0}},{"line":186,"address":[],"length":0,"stats":{"Line":0}},{"line":193,"address":[],"length":0,"stats":{"Line":1}},{"line":194,"address":[],"length":0,"stats":{"Line":1}},{"line":197,"address":[],"length":0,"stats":{"Line":0}},{"line":199,"address":[],"length":0,"stats":{"Line":0}},{"line":200,"address":[],"length":0,"stats":{"Line":0}}],"covered":13,"coverable":60},{"path":["/","home","stu","dev","rust","jose","src","crypto","okp.rs"],"content":"//! The primitives for working with EdDSA algorithms (`kty`\n//! parameter = `OKP`).\n//!\n//! If you are looking for the other curve types, see the\n//! [`ec`](crate::crypto::ec) module, which contains all curves, that do not\n//! require an octet key pair as a key.\n\nuse alloc::{borrow::Cow, format, string::String, vec::Vec};\nuse core::{fmt, marker::PhantomData};\n\nuse serde::{de::Error as _, Deserialize, Serialize};\n\nuse super::backend::{\n    interface::{\n        self,\n        okp::{PrivateKey as _, PublicKey as _},\n    },\n    Backend,\n};\nuse crate::{\n    base64_url::{Base64UrlBytes, SecretBase64UrlBytes},\n    crypto::Result,\n    jwa, jwk, jws, Base64UrlString,\n};\n\nconst KTY: \u0026str = \"OKP\";\n\ntype BackendPublicKey = \u003cBackend as interface::Backend\u003e::EdPublicKey;\ntype BackendPrivateKey = \u003cBackend as interface::Backend\u003e::EdPrivateKey;\n\n/// The curve trait marks all possible curves for EdDSA keys.\n///\n/// Technically, the implementors of this trait (e.g. [`Ed25519`]) are not\n/// curves, but rather the curve + algorithm combination. However, the JWK\n/// specification uses the term \"curve\" for this combination, so we will\n/// follow that convention here.\npub trait Curve: sealed::Sealed {\n    /// The name of the curve, that is also used in the `crv` parameter of a\n    /// JWK.\n    const NAME: \u0026'static str;\n}\n\n/// The public key using the Ed25519 curve.\npub type Ed25519PublicKey = PublicKey\u003cEd25519\u003e;\n\n/// The private key using the Ed25519 curve.\npub type Ed25519PrivateKey = PrivateKey\u003cEd25519\u003e;\n\n/// The signer type using the Ed25519 curve.\npub type Ed25519Signer = Signer\u003cEd25519\u003e;\n\n/// The verifier type using the Ed25519 curve.\npub type Ed25519Verifier = Verifier\u003cEd25519\u003e;\n\n/// The public key using the Ed448 curve.\npub type Ed448PublicKey = PublicKey\u003cEd448\u003e;\n\n/// The private key using the Ed448 curve.\npub type Ed448PrivateKey = PrivateKey\u003cEd448\u003e;\n\n/// The signer type using the Ed448 curve.\npub type Ed448Signer = Signer\u003cEd448\u003e;\n\n/// The verifier type using the Ed448 curve.\npub type Ed448Verifier = Verifier\u003cEd448\u003e;\n\n/// The returned signature from a sign operation.\n#[repr(transparent)]\npub struct Signature {\n    inner: \u003cBackendPrivateKey as interface::okp::PrivateKey\u003e::Signature,\n}\n\nimpl From\u003cSignature\u003e for Vec\u003cu8\u003e {\n    fn from(value: Signature) -\u003e Self {\n        value.as_ref().to_vec()\n    }\n}\n\nimpl AsRef\u003c[u8]\u003e for Signature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        self.inner.as_ref()\n    }\n}\n\nimpl fmt::Debug for Signature {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Debug::fmt(AsRef::\u003c[u8]\u003e::as_ref(\u0026self.inner), f)\n    }\n}\n\n/// A public key for EdDSA algorithms.\n///\n/// The type of algorithm and curve is determined by the\n/// `C` type parameter.\n#[derive(Clone)]\npub struct PublicKey\u003cC\u003e {\n    inner: BackendPublicKey,\n    _curve: PhantomData\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e Eq for PublicKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e PartialEq for PublicKey\u003cC\u003e {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        interface::okp::PublicKey::to_bytes(\u0026self.inner)\n            == interface::okp::PublicKey::to_bytes(\u0026other.inner)\n    }\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for PublicKey\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let bytes = Base64UrlString::encode(interface::okp::PublicKey::to_bytes(\u0026self.inner));\n        f.debug_struct(\"PublicKey\")\n            .field(\"curve\", \u0026C::NAME)\n            .field(\"x\", \u0026bytes)\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e From\u003cPublicKey\u003cC\u003e\u003e for jwk::JsonWebKeyType {\n    fn from(value: PublicKey\u003cC\u003e) -\u003e Self {\n        C::public_to_jwk_type(value)\n    }\n}\n\nimpl\u003cC: Curve\u003e crate::sealed::Sealed for PublicKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e jwk::IntoJsonWebKey for PublicKey\u003cC\u003e {\n    type Algorithm = ();\n    type Error = crate::crypto::Error;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003cjwk::JsonWebKey, Self::Error\u003e {\n        let key = C::public_to_jwk_type(self);\n        let key = jwk::JsonWebKey::new_with_algorithm(\n            key,\n            alg.map(|_| jwa::JsonWebSigningAlgorithm::EdDSA.into()),\n        );\n        Ok(key)\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::Thumbprint for PublicKey\u003cC\u003e {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        jwk::thumbprint::serialize_key_thumbprint(self)\n    }\n}\n\n#[derive(Serialize, Deserialize)]\nstruct PublicRepr\u003c'a\u003e {\n    crv: Cow\u003c'a, str\u003e,\n    kty: Cow\u003c'a, str\u003e,\n    x: Base64UrlBytes,\n}\n\nimpl\u003c'de, C: Curve\u003e Deserialize\u003c'de\u003e for PublicKey\u003cC\u003e {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let repr = PublicRepr::deserialize(deserializer)?;\n\n        if repr.crv != C::NAME {\n            return Err(D::Error::custom(format!(\n                \"Invalid curve type `{}`. Expected `{}`\",\n                repr.crv,\n                C::NAME\n            )));\n        }\n\n        if repr.kty != KTY {\n            return Err(D::Error::custom(format!(\n                \"Invalid key type `{}`. Expected `{KTY}`\",\n                repr.kty,\n            )));\n        }\n\n        let key =\n            interface::okp::PublicKey::new(C::ALGORITHM, repr.x.0).map_err(D::Error::custom)?;\n        Ok(Self {\n            inner: key,\n            _curve: PhantomData,\n        })\n    }\n}\n\nimpl\u003cC: Curve\u003e Serialize for PublicKey\u003cC\u003e {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        let repr = PublicRepr {\n            crv: C::NAME.into(),\n            kty: KTY.into(),\n            x: Base64UrlBytes(interface::okp::PublicKey::to_bytes(\u0026self.inner)),\n        };\n\n        repr.serialize(serializer)\n    }\n}\n\n/// A private key for EdDSA algorithms.\n///\n/// The type of algorithm and curve is determined by the\n/// `C` type parameter.\n#[derive(Clone)]\npub struct PrivateKey\u003cC\u003e {\n    inner: BackendPrivateKey,\n    _curve: PhantomData\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e PrivateKey\u003cC\u003e {\n    /// Generate a new random key pair.\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if the key generation fails.\n    pub fn generate() -\u003e Result\u003cSelf\u003e {\n        Ok(Self {\n            inner: BackendPrivateKey::generate(C::ALGORITHM)?,\n            _curve: PhantomData,\n        })\n    }\n\n    /// Returns the public key of this private key.\n    pub fn to_public_key(\u0026self) -\u003e PublicKey\u003cC\u003e {\n        PublicKey {\n            inner: self.inner.to_public_key(),\n            _curve: PhantomData,\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e Eq for PrivateKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e PartialEq for PrivateKey\u003cC\u003e {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        self.to_public_key() == other.to_public_key()\n    }\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for PrivateKey\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let pub_key = interface::okp::PrivateKey::to_public_key(\u0026self.inner);\n        let bytes = Base64UrlString::encode(interface::okp::PublicKey::to_bytes(\u0026pub_key));\n\n        f.debug_struct(\"PrivateKey\")\n            .field(\"curve\", \u0026C::NAME)\n            .field(\"x\", \u0026bytes)\n            .field(\"d\", \u0026\"[REDACTED]\")\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e From\u003cPrivateKey\u003cC\u003e\u003e for jwk::JsonWebKeyType {\n    fn from(value: PrivateKey\u003cC\u003e) -\u003e Self {\n        C::private_to_jwk_type(value)\n    }\n}\n\nimpl\u003cC: Curve\u003e crate::sealed::Sealed for PrivateKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e jwk::IntoJsonWebKey for PrivateKey\u003cC\u003e {\n    type Algorithm = ();\n    type Error = crate::crypto::Error;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003cjwk::JsonWebKey, Self::Error\u003e {\n        let key = C::private_to_jwk_type(self);\n        let key = jwk::JsonWebKey::new_with_algorithm(\n            key,\n            alg.map(|_| jwa::JsonWebSigningAlgorithm::EdDSA.into()),\n        );\n        Ok(key)\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::Thumbprint for PrivateKey\u003cC\u003e {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        self.to_public_key().thumbprint_prehashed()\n    }\n}\n\n#[derive(Serialize, Deserialize)]\nstruct PrivateRepr\u003c'a\u003e {\n    #[serde(flatten)]\n    public: PublicRepr\u003c'a\u003e,\n    d: SecretBase64UrlBytes,\n}\n\nimpl\u003c'de, C: Curve\u003e Deserialize\u003c'de\u003e for PrivateKey\u003cC\u003e {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let repr = PrivateRepr::deserialize(deserializer)?;\n\n        let key = interface::okp::PrivateKey::new(C::ALGORITHM, repr.public.x.0, repr.d.0)\n            .map_err(D::Error::custom)?;\n\n        Ok(Self {\n            inner: key,\n            _curve: PhantomData,\n        })\n    }\n}\n\nimpl\u003cC: Curve\u003e Serialize for PrivateKey\u003cC\u003e {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        let pub_key = self.inner.to_public_key();\n        let repr = PrivateRepr {\n            public: PublicRepr {\n                crv: C::NAME.into(),\n                kty: KTY.into(),\n                x: Base64UrlBytes(interface::okp::PublicKey::to_bytes(\u0026pub_key)),\n            },\n            d: SecretBase64UrlBytes(interface::okp::PrivateKey::to_bytes(\u0026self.inner)),\n        };\n\n        repr.serialize(serializer)\n    }\n}\n\n/// The [`Signer`](jws::Signer) for EC keys.\npub struct Signer\u003cC\u003e {\n    inner: PrivateKey\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for Signer\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        f.debug_struct(\"Signer\").field(\"key\", \u0026self.inner).finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e jws::Signer\u003cSignature\u003e for Signer\u003cC\u003e {\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cSignature\u003e {\n        let sig = self.inner.inner.sign(msg)?;\n        Ok(Signature { inner: sig })\n    }\n\n    fn algorithm(\u0026self) -\u003e jwa::JsonWebSigningAlgorithm {\n        jwa::JsonWebSigningAlgorithm::EdDSA\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPrivateKey\u003cC\u003e\u003e for Signer\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    fn from_key(value: PrivateKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::EdDSA) =\u003e {\n                Ok(Self { inner: value })\n            }\n            _ =\u003e Err(jws::InvalidSigningAlgorithmError),\n        }\n    }\n}\n\n/// The [`Verifier`](jws::Verifier) for EC keys.\npub struct Verifier\u003cC\u003e {\n    inner: PublicKey\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for Verifier\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        f.debug_struct(\"Verifier\")\n            .field(\"key\", \u0026self.inner)\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e jws::Verifier for Verifier\u003cC\u003e {\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), jws::VerifyError\u003e {\n        match self.inner.inner.verify(msg, signature) {\n            Ok(true) =\u003e Ok(()),\n            Ok(false) =\u003e Err(jws::VerifyError::InvalidSignature),\n            Err(e) =\u003e Err(jws::VerifyError::CryptoBackend(e)),\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPublicKey\u003cC\u003e\u003e for Verifier\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    fn from_key(value: PublicKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::EdDSA) =\u003e {\n                Ok(Self { inner: value })\n            }\n            _ =\u003e Err(jws::InvalidSigningAlgorithmError),\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPrivateKey\u003cC\u003e\u003e for Verifier\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    #[inline]\n    fn from_key(value: PrivateKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        Self::from_key(value.to_public_key(), alg)\n    }\n}\n\nmacro_rules! impl_curve {\n    ($(\n        $(#[$doc:meta])*\n        $curve:ident {\n            name: $curve_name:literal,\n        }\n    ),*$(,)?) =\u003e { $(\n        $(#[$doc])*\n        #[derive(Debug, Clone, Copy)]\n        pub enum $curve {}\n\n        impl Curve for $curve {\n            const NAME: \u0026'static str = $curve_name;\n        }\n\n        impl sealed::Sealed for $curve {\n            #[expect(private_interfaces)]\n            const ALGORITHM: interface::okp::CurveAlgorithm = interface::okp::CurveAlgorithm::$curve;\n\n            fn public_to_jwk_type(key: PublicKey\u003cSelf\u003e) -\u003e jwk::JsonWebKeyType {\n                jwk::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(jwk::AsymmetricJsonWebKey::Public(\n                    jwk::Public::Okp(jwk::OkpPublic::$curve(key)),\n                )))\n            }\n\n            fn private_to_jwk_type(key: PrivateKey\u003cSelf\u003e) -\u003e jwk::JsonWebKeyType {\n                jwk::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(jwk::AsymmetricJsonWebKey::Private(\n                    jwk::Private::Okp(jwk::OkpPrivate::$curve(key)),\n                )))\n            }\n        }\n    )* };\n}\n\nimpl_curve!(\n    /// The Ed25519 curve.\n    Ed25519 {\n        name: \"Ed25519\",\n    },\n\n    /// The Ed448 curve.\n    Ed448 {\n        name: \"Ed448\",\n    },\n);\n\nmod sealed {\n    use crate::{crypto::backend::interface, jwk::JsonWebKeyType};\n\n    pub trait Sealed: Sized {\n        #[expect(private_interfaces)]\n        const ALGORITHM: interface::okp::CurveAlgorithm;\n\n        fn public_to_jwk_type(key: super::PublicKey\u003cSelf\u003e) -\u003e JsonWebKeyType;\n\n        fn private_to_jwk_type(key: super::PrivateKey\u003cSelf\u003e) -\u003e JsonWebKeyType;\n    }\n}\n","traces":[{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":81,"address":[],"length":0,"stats":{"Line":0}},{"line":86,"address":[],"length":0,"stats":{"Line":0}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":12}},{"line":104,"address":[],"length":0,"stats":{"Line":12}},{"line":105,"address":[],"length":0,"stats":{"Line":12}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":113,"address":[],"length":0,"stats":{"Line":0}},{"line":114,"address":[],"length":0,"stats":{"Line":0}},{"line":120,"address":[],"length":0,"stats":{"Line":0}},{"line":121,"address":[],"length":0,"stats":{"Line":0}},{"line":130,"address":[],"length":0,"stats":{"Line":0}},{"line":134,"address":[],"length":0,"stats":{"Line":0}},{"line":136,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":139,"address":[],"length":0,"stats":{"Line":0}},{"line":144,"address":[],"length":0,"stats":{"Line":16}},{"line":145,"address":[],"length":0,"stats":{"Line":16}},{"line":157,"address":[],"length":0,"stats":{"Line":6}},{"line":161,"address":[],"length":0,"stats":{"Line":12}},{"line":163,"address":[],"length":0,"stats":{"Line":0}},{"line":164,"address":[],"length":0,"stats":{"Line":0}},{"line":165,"address":[],"length":0,"stats":{"Line":0}},{"line":166,"address":[],"length":0,"stats":{"Line":0}},{"line":167,"address":[],"length":0,"stats":{"Line":0}},{"line":171,"address":[],"length":0,"stats":{"Line":6}},{"line":172,"address":[],"length":0,"stats":{"Line":0}},{"line":173,"address":[],"length":0,"stats":{"Line":0}},{"line":174,"address":[],"length":0,"stats":{"Line":0}},{"line":178,"address":[],"length":0,"stats":{"Line":6}},{"line":179,"address":[],"length":0,"stats":{"Line":0}},{"line":180,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":0}},{"line":182,"address":[],"length":0,"stats":{"Line":0}},{"line":188,"address":[],"length":0,"stats":{"Line":20}},{"line":193,"address":[],"length":0,"stats":{"Line":20}},{"line":194,"address":[],"length":0,"stats":{"Line":20}},{"line":195,"address":[],"length":0,"stats":{"Line":20}},{"line":198,"address":[],"length":0,"stats":{"Line":20}},{"line":218,"address":[],"length":0,"stats":{"Line":2}},{"line":219,"address":[],"length":0,"stats":{"Line":2}},{"line":220,"address":[],"length":0,"stats":{"Line":2}},{"line":221,"address":[],"length":0,"stats":{"Line":2}},{"line":226,"address":[],"length":0,"stats":{"Line":18}},{"line":228,"address":[],"length":0,"stats":{"Line":18}},{"line":236,"address":[],"length":0,"stats":{"Line":2}},{"line":237,"address":[],"length":0,"stats":{"Line":2}},{"line":242,"address":[],"length":0,"stats":{"Line":0}},{"line":243,"address":[],"length":0,"stats":{"Line":0}},{"line":244,"address":[],"length":0,"stats":{"Line":0}},{"line":246,"address":[],"length":0,"stats":{"Line":0}},{"line":247,"address":[],"length":0,"stats":{"Line":0}},{"line":248,"address":[],"length":0,"stats":{"Line":0}},{"line":249,"address":[],"length":0,"stats":{"Line":0}},{"line":255,"address":[],"length":0,"stats":{"Line":0}},{"line":256,"address":[],"length":0,"stats":{"Line":0}},{"line":265,"address":[],"length":0,"stats":{"Line":0}},{"line":269,"address":[],"length":0,"stats":{"Line":0}},{"line":271,"address":[],"length":0,"stats":{"Line":0}},{"line":272,"address":[],"length":0,"stats":{"Line":0}},{"line":274,"address":[],"length":0,"stats":{"Line":0}},{"line":279,"address":[],"length":0,"stats":{"Line":8}},{"line":280,"address":[],"length":0,"stats":{"Line":8}},{"line":292,"address":[],"length":0,"stats":{"Line":12}},{"line":296,"address":[],"length":0,"stats":{"Line":24}},{"line":298,"address":[],"length":0,"stats":{"Line":6}},{"line":299,"address":[],"length":0,"stats":{"Line":0}},{"line":301,"address":[],"length":0,"stats":{"Line":0}},{"line":302,"address":[],"length":0,"stats":{"Line":0}},{"line":303,"address":[],"length":0,"stats":{"Line":0}},{"line":309,"address":[],"length":0,"stats":{"Line":4}},{"line":313,"address":[],"length":0,"stats":{"Line":4}},{"line":315,"address":[],"length":0,"stats":{"Line":4}},{"line":320,"address":[],"length":0,"stats":{"Line":4}},{"line":323,"address":[],"length":0,"stats":{"Line":4}},{"line":333,"address":[],"length":0,"stats":{"Line":0}},{"line":334,"address":[],"length":0,"stats":{"Line":0}},{"line":339,"address":[],"length":0,"stats":{"Line":0}},{"line":340,"address":[],"length":0,"stats":{"Line":0}},{"line":341,"address":[],"length":0,"stats":{"Line":0}},{"line":344,"address":[],"length":0,"stats":{"Line":0}},{"line":345,"address":[],"length":0,"stats":{"Line":0}},{"line":352,"address":[],"length":0,"stats":{"Line":0}},{"line":353,"address":[],"length":0,"stats":{"Line":0}},{"line":354,"address":[],"length":0,"stats":{"Line":0}},{"line":355,"address":[],"length":0,"stats":{"Line":0}},{"line":357,"address":[],"length":0,"stats":{"Line":0}},{"line":368,"address":[],"length":0,"stats":{"Line":0}},{"line":369,"address":[],"length":0,"stats":{"Line":0}},{"line":370,"address":[],"length":0,"stats":{"Line":0}},{"line":376,"address":[],"length":0,"stats":{"Line":0}},{"line":377,"address":[],"length":0,"stats":{"Line":0}},{"line":378,"address":[],"length":0,"stats":{"Line":0}},{"line":379,"address":[],"length":0,"stats":{"Line":0}},{"line":380,"address":[],"length":0,"stats":{"Line":0}},{"line":388,"address":[],"length":0,"stats":{"Line":0}},{"line":389,"address":[],"length":0,"stats":{"Line":0}},{"line":390,"address":[],"length":0,"stats":{"Line":0}},{"line":391,"address":[],"length":0,"stats":{"Line":0}},{"line":393,"address":[],"length":0,"stats":{"Line":0}},{"line":402,"address":[],"length":0,"stats":{"Line":0}},{"line":403,"address":[],"length":0,"stats":{"Line":0}},{"line":426,"address":[],"length":0,"stats":{"Line":0}},{"line":427,"address":[],"length":0,"stats":{"Line":0}},{"line":428,"address":[],"length":0,"stats":{"Line":0}},{"line":432,"address":[],"length":0,"stats":{"Line":0}},{"line":433,"address":[],"length":0,"stats":{"Line":0}},{"line":434,"address":[],"length":0,"stats":{"Line":0}}],"covered":32,"coverable":113},{"path":["/","home","stu","dev","rust","jose","src","crypto","rsa.rs"],"content":"//! The primitives for working with [RSA] encryption.\n//!\n//! [RSA]: https://en.wikipedia.org/wiki/RSA_cryptosystem\n\nuse alloc::{boxed::Box, format, string::String, vec::Vec};\nuse core::{convert::Infallible, fmt};\n\nuse serde::{de::Error as _, ser::Error as _, Deserialize, Serialize};\n\nuse super::backend::{\n    interface::{\n        self,\n        rsa::{self, PrivateKey as _, PublicKey as _},\n    },\n    Backend,\n};\nuse crate::{\n    base64_url::{Base64UrlBytes, SecretBase64UrlBytes},\n    crypto::Result,\n    jwa::{self, RsaSigning},\n    jwk::{self, FromKey, IntoJsonWebKey},\n    jws::{self, InvalidSigningAlgorithmError},\n    Base64UrlString,\n};\n\ntype BackendPublicKey = \u003cBackend as interface::Backend\u003e::RsaPublicKey;\ntype BackendPrivateKey = \u003cBackend as interface::Backend\u003e::RsaPrivateKey;\n\n/// The returned signature from a sign operation.\n#[repr(transparent)]\npub struct Signature {\n    inner: \u003cBackendPrivateKey as rsa::PrivateKey\u003e::Signature,\n}\n\nimpl From\u003cSignature\u003e for Vec\u003cu8\u003e {\n    fn from(value: Signature) -\u003e Self {\n        value.as_ref().to_vec()\n    }\n}\n\nimpl AsRef\u003c[u8]\u003e for Signature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        self.inner.as_ref()\n    }\n}\n\nimpl fmt::Debug for Signature {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Debug::fmt(self.as_ref(), f)\n    }\n}\n\n/// The RSA public key type.\n#[derive(Clone)]\npub struct PublicKey {\n    inner: BackendPublicKey,\n}\n\nimpl Eq for PublicKey {}\nimpl PartialEq for PublicKey {\n    fn eq(\u0026self, o: \u0026Self) -\u003e bool {\n        let this_pub = rsa::PublicKey::components(\u0026self.inner);\n        let o_pub = rsa::PublicKey::components(\u0026o.inner);\n\n        this_pub == o_pub\n    }\n}\n\nimpl fmt::Debug for PublicKey {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let key = rsa::PublicKey::components(\u0026self.inner);\n        let n = Base64UrlString::encode(key.n);\n        let e = Base64UrlString::encode(key.e);\n\n        f.debug_struct(\"PublicKey\")\n            .field(\"n\", \u0026n)\n            .field(\"e\", \u0026e)\n            .finish()\n    }\n}\n\nimpl From\u003cPublicKey\u003e for jwk::JsonWebKeyType {\n    fn from(x: PublicKey) -\u003e Self {\n        jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Public(\n            jwk::Public::Rsa(x),\n        )))\n    }\n}\n\nimpl crate::sealed::Sealed for PublicKey {}\nimpl IntoJsonWebKey for PublicKey {\n    type Algorithm = RsaSigning;\n    type Error = Infallible;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003ccrate::JsonWebKey, Self::Error\u003e {\n        let alg = alg.map(|rsa| {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Rsa(rsa.into()))\n        });\n\n        let key = jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Public(\n            jwk::Public::Rsa(self),\n        )));\n\n        Ok(jwk::JsonWebKey::new_with_algorithm(key, alg))\n    }\n}\n\nimpl jwk::Thumbprint for PublicKey {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        crate::jwk::thumbprint::serialize_key_thumbprint(self)\n    }\n}\n\nimpl Serialize for PublicKey {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        #[derive(Serialize)]\n        struct Repr {\n            kty: \u0026'static str,\n\n            n: Base64UrlBytes,\n            e: Base64UrlBytes,\n        }\n\n        let key = rsa::PublicKey::components(\u0026self.inner);\n        Repr {\n            kty: \"RSA\",\n            n: Base64UrlBytes(key.n),\n            e: Base64UrlBytes(key.e),\n        }\n        .serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for PublicKey {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        #[derive(Deserialize)]\n        struct Repr {\n            kty: String,\n\n            n: Base64UrlBytes,\n            e: Base64UrlBytes,\n        }\n\n        let repr = Repr::deserialize(deserializer)?;\n\n        if \u0026*repr.kty != \"RSA\" {\n            return Err(D::Error::custom(\"`kty` field is required to be `RSA`\"));\n        }\n\n        let components = rsa::PublicKeyComponents {\n            n: repr.n.0,\n            e: repr.e.0,\n        };\n        let key = rsa::PublicKey::from_components(components)\n            .map_err(|e| D::Error::custom(format!(\"failed to construct RSA public key: {e}\")))?;\n        Ok(Self { inner: key })\n    }\n}\n\n/// The RSA private key type.\n#[derive(Clone)]\npub struct PrivateKey {\n    inner: BackendPrivateKey,\n}\n\nimpl PrivateKey {\n    /// Generate a new RSA key pair of the given bit size.\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if the key generation fails.\n    pub fn generate(bits: usize) -\u003e Result\u003cSelf\u003e {\n        let key = BackendPrivateKey::generate(bits)?;\n        Ok(Self { inner: key })\n    }\n\n    /// Get the public key corresponding to this private key.\n    pub fn to_public_key(\u0026self) -\u003e PublicKey {\n        PublicKey {\n            inner: self.inner.to_public_key(),\n        }\n    }\n}\n\nimpl Eq for PrivateKey {}\nimpl PartialEq for PrivateKey {\n    fn eq(\u0026self, o: \u0026Self) -\u003e bool {\n        self.to_public_key() == o.to_public_key()\n    }\n}\n\nimpl From\u003cPrivateKey\u003e for jwk::JsonWebKeyType {\n    fn from(x: PrivateKey) -\u003e Self {\n        jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Private(\n            jwk::Private::Rsa(Box::new(x)),\n        )))\n    }\n}\n\nimpl fmt::Debug for PrivateKey {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let key = rsa::PrivateKey::public_components(\u0026self.inner);\n        let n = Base64UrlString::encode(key.n);\n        let e = Base64UrlString::encode(key.e);\n\n        f.debug_struct(\"PrivateKey\")\n            .field(\"n\", \u0026n)\n            .field(\"e\", \u0026e)\n            .field(\"primes\", \u0026\"[REDACTED]\")\n            .finish()\n    }\n}\n\nimpl crate::sealed::Sealed for PrivateKey {}\nimpl IntoJsonWebKey for PrivateKey {\n    type Algorithm = RsaSigning;\n    type Error = Infallible;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003ccrate::JsonWebKey, Self::Error\u003e {\n        let alg = alg.map(|rsa| {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Rsa(rsa.into()))\n        });\n\n        let key = jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Private(\n            jwk::Private::Rsa(Box::new(self)),\n        )));\n\n        Ok(crate::JsonWebKey::new_with_algorithm(key, alg))\n    }\n}\n\nimpl jwk::Thumbprint for PrivateKey {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        self.to_public_key().thumbprint_prehashed()\n    }\n}\n\nimpl Serialize for PrivateKey {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        #[derive(Serialize)]\n        struct Repr {\n            kty: \u0026'static str,\n\n            n: Base64UrlBytes,\n            e: Base64UrlBytes,\n\n            d: SecretBase64UrlBytes,\n            p: SecretBase64UrlBytes,\n            q: SecretBase64UrlBytes,\n            dp: SecretBase64UrlBytes,\n            dq: SecretBase64UrlBytes,\n            qi: SecretBase64UrlBytes,\n        }\n\n        let pub_key = rsa::PrivateKey::public_components(\u0026self.inner);\n        let key = rsa::PrivateKey::private_components(\u0026self.inner).map_err(S::Error::custom)?;\n\n        let repr = Repr {\n            kty: \"RSA\",\n            n: Base64UrlBytes(pub_key.n),\n            e: Base64UrlBytes(pub_key.e),\n            d: SecretBase64UrlBytes(key.d),\n            p: SecretBase64UrlBytes(key.prime.p),\n            q: SecretBase64UrlBytes(key.prime.q),\n            dp: SecretBase64UrlBytes(key.prime.dp),\n            dq: SecretBase64UrlBytes(key.prime.dq),\n            qi: SecretBase64UrlBytes(key.prime.qi),\n        };\n\n        repr.serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for PrivateKey {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        #[derive(Deserialize)]\n        struct Repr {\n            kty: String,\n\n            n: Base64UrlBytes,\n            e: Base64UrlBytes,\n            d: SecretBase64UrlBytes,\n\n            p: Option\u003cSecretBase64UrlBytes\u003e,\n            q: Option\u003cSecretBase64UrlBytes\u003e,\n            dp: Option\u003cSecretBase64UrlBytes\u003e,\n            dq: Option\u003cSecretBase64UrlBytes\u003e,\n            qi: Option\u003cSecretBase64UrlBytes\u003e,\n\n            oth: Option\u003cserde_json::Value\u003e,\n        }\n\n        let repr = Repr::deserialize(deserializer)?;\n\n        if \u0026*repr.kty != \"RSA\" {\n            return Err(D::Error::custom(\"`kty` field is required to be `RSA`\"));\n        }\n\n        // RFC:\n        //\n        // The parameter \"d\" is REQUIRED for RSA private keys.  The others enable\n        // optimizations and SHOULD be included by producers of JWKs\n        // representing RSA private keys.  If the producer includes any of the\n        // other private key parameters, then all of the others MUST be present,\n        // with the exception of \"oth\", which MUST only be present when more than two\n        // prime factors were used.\n\n        let any_prime_present = repr.p.is_some()\n            | repr.q.is_some()\n            | repr.dp.is_some()\n            | repr.dq.is_some()\n            | repr.qi.is_some();\n\n        let prime_info = if any_prime_present {\n            let err = |field: \u0026str| {\n                D::Error::custom(format!(\n                    \"expected `{field}` to be present because all prime fields must be set if one \\\n                     of them is set\"\n                ))\n            };\n\n            rsa::PrivateKeyPrimeComponents {\n                p: repr.p.ok_or_else(|| err(\"p\"))?.0,\n                q: repr.q.ok_or_else(|| err(\"q\"))?.0,\n                dp: repr.dp.ok_or_else(|| err(\"dp\"))?.0,\n                dq: repr.dq.ok_or_else(|| err(\"dq\"))?.0,\n                qi: repr.qi.ok_or_else(|| err(\"qi\"))?.0,\n            }\n        } else {\n            // FIXME: can we support RSA keys without any primes?\n            return Err(D::Error::custom(\n                \"RSA private keys without any primes are not supported\",\n            ));\n        };\n\n        if repr.oth.is_some() {\n            // FIXME: Support additional primes\n            return Err(D::Error::custom(\n                \"RSA private keys with `oth` field set are not supported\",\n            ));\n        }\n\n        let pub_components = rsa::PublicKeyComponents {\n            n: repr.n.0,\n            e: repr.e.0,\n        };\n\n        let priv_components = rsa::PrivateKeyComponents {\n            d: repr.d.0,\n            prime: prime_info,\n        };\n\n        let key = rsa::PrivateKey::from_components(priv_components, pub_components)\n            .map_err(|e| D::Error::custom(format!(\"failed to construct RSA private key: {e}\")))?;\n        Ok(Self { inner: key })\n    }\n}\n\n/// A [`Signer`](jws::Signer) using an [`PrivateKey`] and an RSA algorithm.\n#[derive(Debug)]\npub struct Signer {\n    key: PrivateKey,\n    alg: RsaSigning,\n}\n\nimpl FromKey\u003cPrivateKey\u003e for Signer {\n    type Error = InvalidSigningAlgorithmError;\n\n    fn from_key(value: PrivateKey, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Rsa(alg)) =\u003e {\n                Ok(Self { key: value, alg })\n            }\n            _ =\u003e Err(InvalidSigningAlgorithmError),\n        }\n    }\n}\n\nimpl jws::Signer\u003cSignature\u003e for Signer {\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cSignature\u003e {\n        let sig = self.key.inner.sign(self.alg, msg)?;\n        Ok(Signature { inner: sig })\n    }\n\n    fn algorithm(\u0026self) -\u003e jwa::JsonWebSigningAlgorithm {\n        jwa::JsonWebSigningAlgorithm::Rsa(self.alg)\n    }\n}\n\n/// A [`Verifier`](jws::Verifier) using an [`PublicKey`] and an RSA algorithm.\n#[derive(Debug)]\npub struct Verifier {\n    key: PublicKey,\n    alg: RsaSigning,\n}\n\nimpl FromKey\u003cPublicKey\u003e for Verifier {\n    type Error = InvalidSigningAlgorithmError;\n\n    fn from_key(value: PublicKey, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Rsa(alg)) =\u003e {\n                Ok(Self { key: value, alg })\n            }\n            _ =\u003e Err(InvalidSigningAlgorithmError),\n        }\n    }\n}\n\nimpl FromKey\u003cPrivateKey\u003e for Verifier {\n    type Error = InvalidSigningAlgorithmError;\n\n    /// Create a [`Verifier`] from the private key by\n    /// turning it into the public key and dropping the private parts afterwards\n    fn from_key(value: PrivateKey, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        Self::from_key(value.to_public_key(), alg)\n    }\n}\n\nimpl jws::Verifier for Verifier {\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), jws::VerifyError\u003e {\n        match self.key.inner.verify(self.alg, msg, signature) {\n            Ok(true) =\u003e Ok(()),\n            Ok(false) =\u003e Err(jws::VerifyError::InvalidSignature),\n            Err(err) =\u003e Err(jws::VerifyError::CryptoBackend(err)),\n        }\n    }\n}\n","traces":[{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":37,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":43,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":15}},{"line":62,"address":[],"length":0,"stats":{"Line":15}},{"line":63,"address":[],"length":0,"stats":{"Line":15}},{"line":65,"address":[],"length":0,"stats":{"Line":15}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}},{"line":100,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":23}},{"line":113,"address":[],"length":0,"stats":{"Line":23}},{"line":118,"address":[],"length":0,"stats":{"Line":33}},{"line":130,"address":[],"length":0,"stats":{"Line":33}},{"line":133,"address":[],"length":0,"stats":{"Line":33}},{"line":134,"address":[],"length":0,"stats":{"Line":33}},{"line":136,"address":[],"length":0,"stats":{"Line":33}},{"line":141,"address":[],"length":0,"stats":{"Line":33}},{"line":153,"address":[],"length":0,"stats":{"Line":66}},{"line":155,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":13}},{"line":161,"address":[],"length":0,"stats":{"Line":13}},{"line":163,"address":[],"length":0,"stats":{"Line":13}},{"line":164,"address":[],"length":0,"stats":{"Line":0}},{"line":165,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":1}},{"line":182,"address":[],"length":0,"stats":{"Line":2}},{"line":187,"address":[],"length":0,"stats":{"Line":16}},{"line":189,"address":[],"length":0,"stats":{"Line":16}},{"line":196,"address":[],"length":0,"stats":{"Line":2}},{"line":197,"address":[],"length":0,"stats":{"Line":2}},{"line":202,"address":[],"length":0,"stats":{"Line":0}},{"line":203,"address":[],"length":0,"stats":{"Line":0}},{"line":204,"address":[],"length":0,"stats":{"Line":0}},{"line":210,"address":[],"length":0,"stats":{"Line":0}},{"line":211,"address":[],"length":0,"stats":{"Line":0}},{"line":212,"address":[],"length":0,"stats":{"Line":0}},{"line":213,"address":[],"length":0,"stats":{"Line":0}},{"line":215,"address":[],"length":0,"stats":{"Line":0}},{"line":216,"address":[],"length":0,"stats":{"Line":0}},{"line":217,"address":[],"length":0,"stats":{"Line":0}},{"line":218,"address":[],"length":0,"stats":{"Line":0}},{"line":228,"address":[],"length":0,"stats":{"Line":0}},{"line":232,"address":[],"length":0,"stats":{"Line":0}},{"line":233,"address":[],"length":0,"stats":{"Line":0}},{"line":236,"address":[],"length":0,"stats":{"Line":0}},{"line":237,"address":[],"length":0,"stats":{"Line":0}},{"line":240,"address":[],"length":0,"stats":{"Line":0}},{"line":245,"address":[],"length":0,"stats":{"Line":7}},{"line":246,"address":[],"length":0,"stats":{"Line":7}},{"line":251,"address":[],"length":0,"stats":{"Line":4}},{"line":270,"address":[],"length":0,"stats":{"Line":4}},{"line":271,"address":[],"length":0,"stats":{"Line":8}},{"line":275,"address":[],"length":0,"stats":{"Line":0}},{"line":276,"address":[],"length":0,"stats":{"Line":0}},{"line":277,"address":[],"length":0,"stats":{"Line":0}},{"line":278,"address":[],"length":0,"stats":{"Line":0}},{"line":279,"address":[],"length":0,"stats":{"Line":0}},{"line":280,"address":[],"length":0,"stats":{"Line":0}},{"line":281,"address":[],"length":0,"stats":{"Line":0}},{"line":282,"address":[],"length":0,"stats":{"Line":0}},{"line":285,"address":[],"length":0,"stats":{"Line":0}},{"line":290,"address":[],"length":0,"stats":{"Line":59}},{"line":311,"address":[],"length":0,"stats":{"Line":118}},{"line":313,"address":[],"length":0,"stats":{"Line":0}},{"line":314,"address":[],"length":0,"stats":{"Line":0}},{"line":326,"address":[],"length":0,"stats":{"Line":6}},{"line":327,"address":[],"length":0,"stats":{"Line":6}},{"line":328,"address":[],"length":0,"stats":{"Line":6}},{"line":329,"address":[],"length":0,"stats":{"Line":6}},{"line":330,"address":[],"length":0,"stats":{"Line":6}},{"line":332,"address":[],"length":0,"stats":{"Line":6}},{"line":333,"address":[],"length":0,"stats":{"Line":6}},{"line":334,"address":[],"length":0,"stats":{"Line":0}},{"line":335,"address":[],"length":0,"stats":{"Line":0}},{"line":336,"address":[],"length":0,"stats":{"Line":0}},{"line":341,"address":[],"length":0,"stats":{"Line":6}},{"line":342,"address":[],"length":0,"stats":{"Line":6}},{"line":343,"address":[],"length":0,"stats":{"Line":6}},{"line":344,"address":[],"length":0,"stats":{"Line":6}},{"line":345,"address":[],"length":0,"stats":{"Line":6}},{"line":349,"address":[],"length":0,"stats":{"Line":0}},{"line":350,"address":[],"length":0,"stats":{"Line":0}},{"line":354,"address":[],"length":0,"stats":{"Line":0}},{"line":356,"address":[],"length":0,"stats":{"Line":0}},{"line":357,"address":[],"length":0,"stats":{"Line":0}},{"line":362,"address":[],"length":0,"stats":{"Line":6}},{"line":363,"address":[],"length":0,"stats":{"Line":6}},{"line":367,"address":[],"length":0,"stats":{"Line":6}},{"line":371,"address":[],"length":0,"stats":{"Line":6}},{"line":372,"address":[],"length":0,"stats":{"Line":0}},{"line":373,"address":[],"length":0,"stats":{"Line":0}},{"line":387,"address":[],"length":0,"stats":{"Line":0}},{"line":388,"address":[],"length":0,"stats":{"Line":0}},{"line":389,"address":[],"length":0,"stats":{"Line":0}},{"line":390,"address":[],"length":0,"stats":{"Line":0}},{"line":392,"address":[],"length":0,"stats":{"Line":0}},{"line":398,"address":[],"length":0,"stats":{"Line":0}},{"line":399,"address":[],"length":0,"stats":{"Line":0}},{"line":403,"address":[],"length":0,"stats":{"Line":0}},{"line":404,"address":[],"length":0,"stats":{"Line":0}},{"line":418,"address":[],"length":0,"stats":{"Line":0}},{"line":419,"address":[],"length":0,"stats":{"Line":0}},{"line":420,"address":[],"length":0,"stats":{"Line":0}},{"line":421,"address":[],"length":0,"stats":{"Line":0}},{"line":423,"address":[],"length":0,"stats":{"Line":0}},{"line":433,"address":[],"length":0,"stats":{"Line":0}},{"line":434,"address":[],"length":0,"stats":{"Line":0}},{"line":439,"address":[],"length":0,"stats":{"Line":0}},{"line":440,"address":[],"length":0,"stats":{"Line":0}},{"line":441,"address":[],"length":0,"stats":{"Line":0}},{"line":442,"address":[],"length":0,"stats":{"Line":0}},{"line":443,"address":[],"length":0,"stats":{"Line":0}}],"covered":45,"coverable":130},{"path":["/","home","stu","dev","rust","jose","src","crypto.rs"],"content":"//! Cryptographic primitives.\n//!\n//! This module contains all primitives required for the JOSE RFCs. It abstracts\n//! away the different cryptographic libraries and provides a common interface\n//! for them. The goal is to make it easy to switch between different libraries\n//! and implementations without changing the code that uses them.\n//!\n//! ## Random Number Generation\n//!\n//! Many of the private key types provide `generate` functions. These functions\n//! require access to secure, random data. Each backend provides it own way of\n//! getting secure random data from the underlying system. The\n//! `crypto-rustcrypto` and `crypto-ring` use the [`getrandom`] crate to get\n//! random data. In order to use the `jose` crate on `no_std` systems, the user\n//! must supply a custom random number generator by using the\n//! [`register_custom_getrandom`] macro.\n//!\n//! **Note:** The current version `ring` and Rust Crypto crates use the `0.2`\n//! version of the `getrandom` crate.\n//!\n//! [`register_custom_getrandom`]: (https://docs.rs/getrandom/0.2.10/getrandom/macro.register_custom_getrandom.html)\n//! [`getrandom`]: (https://docs.rs/getrandom/0.2.10/getrandom/index.html)\n\npub(crate) mod backend;\npub mod ec;\npub mod hmac;\npub mod okp;\npub mod rsa;\n\nuse core::{error, fmt};\n\nuse backend::interface;\n\nuse self::backend::Backend;\n\n/// The result type used for cryptographic operations.\npub type Result\u003cT, E = Error\u003e = core::result::Result\u003cT, E\u003e;\n\n/// The erased error type that is used to generalize all errors that all the\n/// cryptographic libraries can return.\npub struct Error {\n    inner: \u003cBackend as interface::Backend\u003e::Error,\n}\n\nimpl fmt::Display for Error {\n    fn fmt(\u0026self, _f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Display::fmt(\u0026self.inner, _f)\n    }\n}\n\nimpl fmt::Debug for Error {\n    fn fmt(\u0026self, _f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Debug::fmt(\u0026self.inner, _f)\n    }\n}\n\nimpl error::Error for Error {\n    fn source(\u0026self) -\u003e Option\u003c\u0026(dyn error::Error + 'static)\u003e {\n        error::Error::source(\u0026self.inner)\n    }\n}\n\nimpl\u003cE\u003e From\u003cE\u003e for Error\nwhere\n    \u003cBackend as interface::Backend\u003e::Error: From\u003cE\u003e,\n{\n    fn from(err: E) -\u003e Self {\n        Self {\n            inner: \u003cBackend as interface::Backend\u003e::Error::from(err),\n        }\n    }\n}\n\n/// Fills the given buffer with random data.\n#[inline]\n#[expect(unused)] // may be used in the future\npub(crate) fn fill_random(buf: \u0026mut [u8]) -\u003e Result\u003c()\u003e {\n    \u003cBackend as interface::Backend\u003e::fill_random(buf).map_err(|e| Error { inner: e })\n}\n\n/// Performs a quick Sha256 of the given data.\n#[inline]\npub(crate) fn sha256(data: \u0026[u8]) -\u003e [u8; 32] {\n    \u003cBackend as interface::Backend\u003e::sha256(data)\n}\n\n/// Performs a quick Sha384 of the given data.\n#[inline]\npub(crate) fn sha384(data: \u0026[u8]) -\u003e [u8; 48] {\n    \u003cBackend as interface::Backend\u003e::sha384(data)\n}\n\n/// Performs a quick Sha512 of the given data.\n#[inline]\npub(crate) fn sha512(data: \u0026[u8]) -\u003e [u8; 64] {\n    \u003cBackend as interface::Backend\u003e::sha512(data)\n}\n","traces":[{"line":46,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":52,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":33}},{"line":84,"address":[],"length":0,"stats":{"Line":33}},{"line":89,"address":[],"length":0,"stats":{"Line":21}},{"line":90,"address":[],"length":0,"stats":{"Line":21}},{"line":95,"address":[],"length":0,"stats":{"Line":21}},{"line":96,"address":[],"length":0,"stats":{"Line":21}}],"covered":6,"coverable":16},{"path":["/","home","stu","dev","rust","jose","src","format","compact.rs"],"content":"use alloc::vec::Vec;\nuse core::{fmt, str::FromStr};\n\nuse super::{sealed, Format};\nuse crate::{\n    base64_url::NoBase64UrlString,\n    header,\n    jws::{PayloadData, SignError, Signer},\n    Base64UrlString, JoseHeader,\n};\n\n/// The compact representation is essentially a list of Base64Url\n/// strings that are separated by `.`.\n#[derive(Default, Debug, Clone, PartialEq, Eq, Hash)]\npub struct Compact {\n    parts: Vec\u003cBase64UrlString\u003e,\n}\n\nimpl Format for Compact {}\nimpl sealed::SealedFormat\u003cCompact\u003e for Compact {\n    type JwsHeader = JoseHeader\u003cCompact, header::Jws\u003e;\n    type SerializedJwsHeader = Base64UrlString;\n\n    fn update_header\u003cS: AsRef\u003c[u8]\u003e\u003e(header: \u0026mut Self::JwsHeader, signer: \u0026dyn Signer\u003cS\u003e) {\n        header.overwrite_alg_and_key_id(signer.algorithm(), signer.key_id());\n    }\n\n    fn serialize_header(\n        header: Self::JwsHeader,\n    ) -\u003e Result\u003cSelf::SerializedJwsHeader, SignError\u003ccore::convert::Infallible\u003e\u003e {\n        let (protected_header, _) = header.into_values().map_err(SignError::InvalidHeader)?;\n\n        if protected_header\n            .as_ref()\n            .map(|x| x.is_empty())\n            .unwrap_or(true)\n        {\n            return Err(SignError::EmptyProtectedHeader);\n        }\n\n        let header =\n            serde_json::to_string(\u0026protected_header).map_err(SignError::SerializeHeader)?;\n\n        let header = Base64UrlString::encode(header.as_bytes());\n\n        Ok(header)\n    }\n\n    fn message_from_header(hdr: \u0026Self::SerializedJwsHeader) -\u003e Option\u003c\u0026[u8]\u003e {\n        Some(hdr.as_bytes())\n    }\n\n    fn finalize(\n        header: Self::SerializedJwsHeader,\n        payload: Option\u003cPayloadData\u003e,\n        signature: \u0026[u8],\n    ) -\u003e Result\u003cSelf, serde_json::Error\u003e {\n        let mut compact = Compact::with_capacity(3);\n\n        compact.push_base64url(header);\n\n        let payload = match payload {\n            Some(PayloadData::Standard(b64)) =\u003e b64,\n            None =\u003e Base64UrlString::new(),\n        };\n\n        compact.parts.push(payload);\n        compact.push(signature);\n\n        Ok(compact)\n    }\n\n    fn finalize_jws_header_builder(\n        value_ref: \u0026mut Result\u003cSelf::JwsHeader, header::JoseHeaderBuilderError\u003e,\n        new_builder: header::JoseHeaderBuilder\u003cCompact, header::Jws\u003e,\n    ) {\n        *value_ref = new_builder.build();\n    }\n}\n\nimpl Compact {\n    pub(crate) fn with_capacity(cap: usize) -\u003e Self {\n        Compact {\n            parts: Vec::with_capacity(cap),\n        }\n    }\n\n    pub(crate) fn push_base64url(\u0026mut self, part: Base64UrlString) {\n        self.parts.push(part);\n    }\n\n    pub(crate) fn push(\u0026mut self, part: impl AsRef\u003c[u8]\u003e) {\n        self.parts.push(Base64UrlString::encode(part));\n    }\n\n    pub(crate) fn part(\u0026self, idx: usize) -\u003e Option\u003c\u0026Base64UrlString\u003e {\n        self.parts.get(idx)\n    }\n\n    pub(crate) fn len(\u0026self) -\u003e usize {\n        self.parts.len()\n    }\n}\n\nimpl FromStr for Compact {\n    type Err = NoBase64UrlString;\n\n    /// Verifies if every part of the string is valid base64url format\n    fn from_str(s: \u0026str) -\u003e Result\u003cSelf, Self::Err\u003e {\n        let parts = s\n            .split('.')\n            .map(Base64UrlString::from_str)\n            .collect::\u003cResult\u003cVec\u003c_\u003e, _\u003e\u003e()?;\n        Ok(Self { parts })\n    }\n}\n\nimpl fmt::Display for Compact {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let len = self.parts.len();\n\n        for (idx, part) in self.parts.iter().enumerate() {\n            fmt::Display::fmt(\u0026part, f)?;\n\n            if idx != len - 1 {\n                f.write_str(\".\")?;\n            }\n        }\n\n        Ok(())\n    }\n}\n","traces":[{"line":24,"address":[],"length":0,"stats":{"Line":0}},{"line":25,"address":[],"length":0,"stats":{"Line":0}},{"line":28,"address":[],"length":0,"stats":{"Line":0}},{"line":31,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":38,"address":[],"length":0,"stats":{"Line":0}},{"line":41,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":50,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":62,"address":[],"length":0,"stats":{"Line":0}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":100,"address":[],"length":0,"stats":{"Line":0}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":119,"address":[],"length":0,"stats":{"Line":0}},{"line":120,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":126,"address":[],"length":0,"stats":{"Line":0}},{"line":130,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":41},{"path":["/","home","stu","dev","rust","jose","src","format","json_flattened.rs"],"content":"use alloc::string::String;\nuse core::fmt;\n\nuse serde::{Deserialize, Serialize};\nuse serde_json::Value;\n\nuse super::{sealed, Format};\nuse crate::{\n    header,\n    jws::{PayloadData, SignError},\n    Base64UrlString, JoseHeader,\n};\n\n/// The flattened json serialization format.\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]\npub struct JsonFlattened {\n    pub(crate) payload: Option\u003cBase64UrlString\u003e,\n    #[serde(skip_serializing_if = \"Option::is_none\")]\n    pub(crate) protected: Option\u003cBase64UrlString\u003e,\n    #[serde(skip_serializing_if = \"Option::is_none\")]\n    pub(crate) header: Option\u003cserde_json::Map\u003cString, Value\u003e\u003e,\n    pub(crate) signature: Base64UrlString,\n}\n\nimpl Format for JsonFlattened {}\n\nimpl fmt::Display for JsonFlattened {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let repr = if f.alternate() {\n            serde_json::to_string_pretty(\u0026self).map_err(|_| fmt::Error)?\n        } else {\n            serde_json::to_string(\u0026self).map_err(|_| fmt::Error)?\n        };\n\n        f.write_str(\u0026repr)\n    }\n}\n\nimpl sealed::SealedFormat\u003cJsonFlattened\u003e for JsonFlattened {\n    type JwsHeader = JoseHeader\u003cJsonFlattened, header::Jws\u003e;\n    type SerializedJwsHeader = (\n        Option\u003cBase64UrlString\u003e,\n        Option\u003cserde_json::Map\u003cString, Value\u003e\u003e,\n    );\n\n    fn update_header\u003cS: AsRef\u003c[u8]\u003e\u003e(\n        header: \u0026mut Self::JwsHeader,\n        signer: \u0026dyn crate::jws::Signer\u003cS\u003e,\n    ) {\n        header.overwrite_alg_and_key_id(signer.algorithm(), signer.key_id());\n    }\n\n    fn serialize_header(\n        header: Self::JwsHeader,\n    ) -\u003e Result\u003cSelf::SerializedJwsHeader, SignError\u003ccore::convert::Infallible\u003e\u003e {\n        let (protected, unprotected) = header.into_values().map_err(SignError::InvalidHeader)?;\n\n        let protected = match protected {\n            Some(hdr) =\u003e {\n                let json = serde_json::to_string(\u0026hdr).map_err(SignError::SerializeHeader)?;\n\n                let encoded = Base64UrlString::encode(json);\n                Some(encoded)\n            }\n            None =\u003e None,\n        };\n\n        Ok((protected, unprotected))\n    }\n\n    fn message_from_header(hdr: \u0026Self::SerializedJwsHeader) -\u003e Option\u003c\u0026[u8]\u003e {\n        hdr.0.as_ref().map(|x| x.as_bytes())\n    }\n\n    fn finalize(\n        (protected, unprotected): Self::SerializedJwsHeader,\n        payload: Option\u003cPayloadData\u003e,\n        signature: \u0026[u8],\n    ) -\u003e Result\u003cSelf, serde_json::Error\u003e {\n        let payload = payload.map(|PayloadData::Standard(b64)| b64);\n\n        let signature = Base64UrlString::encode(signature);\n\n        Ok(JsonFlattened {\n            payload,\n            protected,\n            header: unprotected,\n            signature,\n        })\n    }\n\n    fn finalize_jws_header_builder(\n        value_ref: \u0026mut Result\u003cSelf::JwsHeader, header::JoseHeaderBuilderError\u003e,\n        new_builder: header::JoseHeaderBuilder\u003cJsonFlattened, header::Jws\u003e,\n    ) {\n        *value_ref = new_builder.build();\n    }\n}\n","traces":[{"line":28,"address":[],"length":0,"stats":{"Line":0}},{"line":29,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":0}},{"line":32,"address":[],"length":0,"stats":{"Line":0}},{"line":46,"address":[],"length":0,"stats":{"Line":0}},{"line":50,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":0}},{"line":86,"address":[],"length":0,"stats":{"Line":0}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":24},{"path":["/","home","stu","dev","rust","jose","src","format","json_general.rs"],"content":"use alloc::{string::String, vec, vec::Vec};\nuse core::{convert::Infallible, fmt};\n\nuse serde::{Deserialize, Serialize};\nuse serde_json::Value;\n\nuse super::{sealed, Format};\nuse crate::{\n    header::{self, JoseHeaderBuilder, JoseHeaderBuilderError},\n    jws::{PayloadData, SignError, Signer},\n    Base64UrlString, JoseHeader,\n};\n\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]\npub(crate) struct Signature {\n    #[serde(skip_serializing_if = \"Option::is_none\")]\n    pub(crate) protected: Option\u003cBase64UrlString\u003e,\n    #[serde(skip_serializing_if = \"Option::is_none\")]\n    pub(crate) header: Option\u003cserde_json::Map\u003cString, Value\u003e\u003e,\n    pub(crate) signature: Base64UrlString,\n}\n\n/// The JSON General Serialization format as specified in [Section 7.2.1] in the\n/// JWS RFC.\n///\n/// [Section 7.2.1]: https://datatracker.ietf.org/doc/html/rfc7515#section-7.2.1\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]\npub struct JsonGeneral {\n    pub(crate) payload: Option\u003cBase64UrlString\u003e,\n    pub(crate) signatures: Vec\u003cSignature\u003e,\n}\n\nimpl fmt::Display for JsonGeneral {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let repr = if f.alternate() {\n            serde_json::to_string_pretty(\u0026self).map_err(|_| fmt::Error)?\n        } else {\n            serde_json::to_string(\u0026self).map_err(|_| fmt::Error)?\n        };\n\n        f.write_str(\u0026repr)\n    }\n}\n\nimpl Format for JsonGeneral {}\n\nimpl sealed::SealedFormat\u003cJsonGeneral\u003e for JsonGeneral {\n    type JwsHeader = Vec\u003cJoseHeader\u003cJsonGeneral, header::Jws\u003e\u003e;\n    // this only a single header, even though JsonGeneral supports multiple headers,\n    // because this trait implementation is only be used for a single signer.\n    type SerializedJwsHeader = (\n        Option\u003cBase64UrlString\u003e,\n        Option\u003cserde_json::Map\u003cString, Value\u003e\u003e,\n    );\n\n    fn update_header\u003cS: AsRef\u003c[u8]\u003e\u003e(header: \u0026mut Self::JwsHeader, signer: \u0026dyn Signer\u003cS\u003e) {\n        let Some(first) = header.first_mut() else {\n            return;\n        };\n\n        first.overwrite_alg_and_key_id(signer.algorithm(), signer.key_id());\n    }\n\n    fn serialize_header(\n        mut header: Self::JwsHeader,\n    ) -\u003e Result\u003cSelf::SerializedJwsHeader, SignError\u003cInfallible\u003e\u003e {\n        let len = header.len();\n\n        let Some(header) = header.pop().filter(|_| len == 1) else {\n            return Err(SignError::HeaderCountMismatch);\n        };\n\n        let (protected, unprotected) = header.into_values().map_err(SignError::InvalidHeader)?;\n\n        let protected = match protected {\n            Some(hdr) =\u003e {\n                let json = serde_json::to_string(\u0026hdr).map_err(SignError::SerializeHeader)?;\n\n                let encoded = Base64UrlString::encode(json);\n                Some(encoded)\n            }\n            None =\u003e None,\n        };\n\n        Ok((protected, unprotected))\n    }\n\n    fn message_from_header(hdr: \u0026Self::SerializedJwsHeader) -\u003e Option\u003c\u0026[u8]\u003e {\n        hdr.0.as_ref().map(|x| x.as_bytes())\n    }\n\n    fn finalize(\n        header: Self::SerializedJwsHeader,\n        payload: Option\u003cPayloadData\u003e,\n        signature: \u0026[u8],\n    ) -\u003e Result\u003cSelf, serde_json::Error\u003e {\n        let payload = payload.map(|PayloadData::Standard(b64)| b64);\n\n        let signature = Base64UrlString::encode(signature);\n\n        Ok(JsonGeneral {\n            payload,\n            signatures: vec![Signature {\n                protected: header.0,\n                header: header.1,\n                signature,\n            }],\n        })\n    }\n\n    fn finalize_jws_header_builder(\n        value_ref: \u0026mut Result\u003cSelf::JwsHeader, JoseHeaderBuilderError\u003e,\n        new_builder: JoseHeaderBuilder\u003cJsonGeneral, header::Jws\u003e,\n    ) {\n        let header = match new_builder.build() {\n            Ok(header) =\u003e header,\n            Err(err) =\u003e {\n                *value_ref = Err(err);\n                return;\n            }\n        };\n\n        match value_ref {\n            Ok(headers) =\u003e headers.push(header),\n            Err(_) =\u003e *value_ref = Ok(vec![header]),\n        }\n    }\n}\n","traces":[{"line":34,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":38,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":102,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":0}},{"line":119,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":35},{"path":["/","home","stu","dev","rust","jose","src","format.rs"],"content":"//! Contains abstractions for different kinds of\n//! serialization formats.\n//!\n//! Currently, the only two formats are [`Compact`] and [`JsonFlattened`].\n\nmod compact;\nmod json_flattened;\nmod json_general;\n\nuse core::fmt;\n\npub use compact::Compact;\npub use json_flattened::JsonFlattened;\npub use json_general::JsonGeneral;\npub(crate) use json_general::Signature as JsonGeneralSignature;\n\nuse crate::sealed::Sealed;\n\npub(crate) mod sealed {\n    use alloc::fmt;\n    use core::convert::Infallible;\n\n    use crate::{\n        header::{self, JoseHeaderBuilder, JoseHeaderBuilderError},\n        jws::{PayloadData, SignError, Signer},\n    };\n\n    // We put all methods, types, etc into a sealed trait, so\n    // the user is not able to access these thing as they should\n    // only be used internally by this crate\n    pub trait SealedFormat\u003cF\u003e: Sized {\n        type JwsHeader: fmt::Debug;\n        type SerializedJwsHeader: fmt::Debug;\n\n        fn update_header\u003cS: AsRef\u003c[u8]\u003e\u003e(header: \u0026mut Self::JwsHeader, signer: \u0026dyn Signer\u003cS\u003e);\n\n        /// Serializes the header for this format.\n        ///\n        /// The returned values must be the serializd header and the\n        /// bytes that must be appended to the message for the signature.\n        fn serialize_header(\n            header: Self::JwsHeader,\n        ) -\u003e Result\u003cSelf::SerializedJwsHeader, SignError\u003cInfallible\u003e\u003e;\n\n        /// This method converts a serialized header into the message bytes\n        /// that are used for the signature.\n        fn message_from_header(hdr: \u0026Self::SerializedJwsHeader) -\u003e Option\u003c\u0026[u8]\u003e;\n\n        fn finalize(\n            header: Self::SerializedJwsHeader,\n            payload: Option\u003cPayloadData\u003e,\n            signature: \u0026[u8],\n        ) -\u003e Result\u003cSelf, serde_json::Error\u003e;\n\n        fn finalize_jws_header_builder(\n            value_ref: \u0026mut Result\u003cSelf::JwsHeader, JoseHeaderBuilderError\u003e,\n            new_builder: JoseHeaderBuilder\u003cF, header::Jws\u003e,\n        );\n    }\n}\n\n/// This trait represents any possible format in which a JWS or JWE can be\n/// represented.\npub trait Format: fmt::Display + sealed::SealedFormat\u003cSelf\u003e + Sized {}\n\n/// Used to parse a [`Compact`] or another format representation\n/// into a concrete type.\npub trait DecodeFormat\u003cF\u003e: Sealed + Sized {\n    /// The error that can occurr while parsing `Self` from the input.\n    type Error;\n\n    /// The decoded type to return.\n    type Decoded\u003cT\u003e;\n\n    /// Parse the input into a new [`Decoded`](Self::Decoded) instance of\n    /// `Self`.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the input format has an invalid representation for\n    /// this type.\n    fn decode(input: F) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e;\n}\n\n/// Used to parse a [`Compact`] or another format representation\n/// into a concrete type.\npub trait DecodeFormatWithContext\u003cF, C\u003e: Sealed + Sized {\n    /// The error that can occurr while parsing `Self` from the input.\n    type Error;\n\n    /// The decoded type to return.\n    type Decoded\u003cT\u003e;\n\n    /// Parse the input into a new [`Decoded`](Self::Decoded) instance of\n    /// `Self`.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the input format has an invalid representation for\n    /// this type.\n    fn decode_with_context(input: F, context: \u0026C) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e;\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","header","builder.rs"],"content":"use alloc::{\n    collections::{BTreeMap, BTreeSet},\n    string::String,\n    vec::Vec,\n};\nuse core::marker::PhantomData;\n\nuse mediatype::MediaTypeBuf;\nuse serde_json::Value;\n\nuse super::{\n    parameters::MediaTypeWithMaybeStrippedApplicationTopLevel, HeaderValue, Jwe, Jws, Type,\n};\nuse crate::{\n    format::Format,\n    header::parameters::Parameters,\n    jwa::{JsonWebContentEncryptionAlgorithm, JsonWebEncryptionAlgorithm, JsonWebSigningAlgorithm},\n    jwk::serde_impl::Base64DerCertificate,\n    JoseHeader, JsonWebKey, UntypedAdditionalProperties, Uri,\n};\n\n/// A builder for a [`JoseHeader`].\n#[derive(Debug)]\n#[non_exhaustive]\npub struct JoseHeaderBuilder\u003cF, T\u003e {\n    // data\n    critical_headers: Option\u003cBTreeSet\u003cString\u003e\u003e,\n    jwk_set_url: Option\u003cHeaderValue\u003cUri\u003e\u003e,\n    json_web_key: Option\u003cHeaderValue\u003cJsonWebKey\u003cUntypedAdditionalProperties\u003e\u003e\u003e,\n    key_identifier: Option\u003cHeaderValue\u003cString\u003e\u003e,\n    x509_url: Option\u003cHeaderValue\u003cUri\u003e\u003e,\n    x509_certificate_chain: Option\u003cHeaderValue\u003cVec\u003cVec\u003cu8\u003e\u003e\u003e\u003e,\n    x509_certificate_sha1_thumbprint: Option\u003cHeaderValue\u003c[u8; 20]\u003e\u003e,\n    x509_certificate_sha256_thumbprint: Option\u003cHeaderValue\u003c[u8; 32]\u003e\u003e,\n    typ: Option\u003cHeaderValue\u003cMediaTypeBuf\u003e\u003e,\n    content_type: Option\u003cHeaderValue\u003cMediaTypeBuf\u003e\u003e,\n    additional: BTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e,\n    specific: Specific,\n    _phantom: PhantomData\u003c(F, T)\u003e,\n}\n\nimpl\u003cF, T\u003e JoseHeaderBuilder\u003cF, T\u003e\nwhere\n    F: Format,\n    T: Type,\n{\n    /// Set the [`critical_headers`](crate::JoseHeader::critical_headers)\n    /// parameter.\n    pub fn critical_headers(self, critical_headers: Option\u003cBTreeSet\u003cString\u003e\u003e) -\u003e Self {\n        // since `crit` header is not allowed to be an empty array, an empty set is\n        // discarded setting `None` will remove any existing critical headers\n        // that may already be present\n        Self {\n            critical_headers,\n            ..self\n        }\n    }\n\n    /// Set [additional](crate::JoseHeader::additional) parameters.\n    ///\n    /// Note: Do not push parameter names that are understood by this\n    /// implementation. Instead, use the appropriate method to set the parameter\n    /// directly.\n    pub fn additional(self, additional: BTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e) -\u003e Self {\n        Self { additional, ..self }\n    }\n\n    /// Create a new [`JoseHeaderBuilder`] in order to build a [`JoseHeader`].\n    pub fn new() -\u003e Self {\n        Self {\n            critical_headers: None,\n            jwk_set_url: None,\n            json_web_key: None,\n            key_identifier: None,\n            x509_url: None,\n            x509_certificate_chain: None,\n            x509_certificate_sha1_thumbprint: None,\n            x509_certificate_sha256_thumbprint: None,\n            typ: None,\n            content_type: None,\n            additional: BTreeMap::new(),\n            specific: T::specific_default(),\n            _phantom: PhantomData,\n        }\n    }\n\n    fn build_parameters(self) -\u003e Result\u003c(Parameters\u003c()\u003e, Specific), JoseHeaderBuilderError\u003e {\n        // oh dear god\n        let x509_certificate_chain = self\n            .x509_certificate_chain\n            .map(|v| v.map(|v| v.into_iter().map(Base64DerCertificate).collect::\u003cVec\u003c_\u003e\u003e()));\n\n        // FIXME: check if additional parameters contain parameters that are understood\n        // by our implementation and that should be set via their methods instead.\n\n        let parameters = Parameters {\n            critical_headers: self.critical_headers,\n            jwk_set_url: self.jwk_set_url,\n            json_web_key: self.json_web_key,\n            key_id: self.key_identifier,\n            x509_url: self.x509_url,\n            x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: self.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: self.x509_certificate_sha256_thumbprint,\n            typ: self\n                .typ\n                .map(|v| v.map(MediaTypeWithMaybeStrippedApplicationTopLevel)),\n            content_type: self\n                .content_type\n                .map(|v| v.map(MediaTypeWithMaybeStrippedApplicationTopLevel)),\n            specific: (),\n            additional: self.additional,\n        };\n        Ok((parameters, self.specific))\n    }\n\n    /// Create a [`JoseHeaderBuilder`] from a [`JoseHeader`] preserving the\n    /// parameters.\n    pub fn from_header(header: JoseHeader\u003cF, T\u003e) -\u003e Self {\n        let parameters = header.parameters;\n        let specific = parameters.specific.into_specific();\n\n        let x509_certificate_chain = parameters\n            .x509_certificate_chain\n            .map(|v| v.map(|v| v.into_iter().map(|v| v.0).collect::\u003cVec\u003c_\u003e\u003e()));\n        Self {\n            critical_headers: parameters.critical_headers,\n            jwk_set_url: parameters.jwk_set_url,\n            json_web_key: parameters.json_web_key,\n            key_identifier: parameters.key_id,\n            x509_url: parameters.x509_url,\n            x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: parameters.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: parameters.x509_certificate_sha256_thumbprint,\n            typ: parameters.typ.map(|v| v.map(|v| v.0)),\n            content_type: parameters.content_type.map(|v| v.map(|v| v.0)),\n            additional: parameters.additional,\n            specific,\n            _phantom: PhantomData,\n        }\n    }\n}\n\nimpl\u003cF, T\u003e Default for JoseHeaderBuilder\u003cF, T\u003e\nwhere\n    F: Format,\n    T: Type,\n{\n    fn default() -\u003e Self {\n        Self::new()\n    }\n}\n\n/// Specific parameters for Jws and Jwe. See [`Jws`] and [`Jwe`]\n#[derive(Debug)]\n#[non_exhaustive]\npub enum Specific {\n    Jws {\n        algorithm: Option\u003cHeaderValue\u003cJsonWebSigningAlgorithm\u003e\u003e,\n        // default: true\n        payload_base64_url_encoded: Option\u003cbool\u003e,\n    },\n    Jwe {\n        algorithm: Option\u003cHeaderValue\u003cJsonWebEncryptionAlgorithm\u003e\u003e,\n        content_encryption_algorithm: Option\u003cHeaderValue\u003cJsonWebContentEncryptionAlgorithm\u003e\u003e,\n    },\n}\n\n/// Errors that may occur while building a [`JoseHeader`] via\n/// [`JoseHeaderBuilder::build`].\n#[derive(Debug, thiserror::Error)]\n#[non_exhaustive]\npub enum JoseHeaderBuilderError {\n    /// There is no algorithm specified. Specify an algorithm via\n    /// [`JoseHeaderBuilder::algorithm`].\n    #[error(\"no algorithm set\")]\n    MissingAlgorithm,\n    /// There is no content encryption algorithm specified. Specify an content\n    /// encryption algorithm via\n    /// [`JoseHeaderBuilder::content_encryption_algorithm`].\n    ///\n    /// Note: This error may only occur while building a [`JoseHeader`] for\n    /// [`Jwe`].\n    #[error(\"no content encryption algorithm set\")]\n    MissingContentEncryptionAlgorithm,\n    /// One or more certificates in the X.509 certificate chain (set via\n    /// [`JoseHeaderBuilder::x509_certificate_chain`]) are invalid. E.g. not\n    /// valid DER-encoded.\n    #[error(\"the certificates in the certificate chain are invalid\")]\n    InvalidX509CertificateChain,\n}\n\nimpl\u003cF\u003e JoseHeaderBuilder\u003cF, Jws\u003e\nwhere\n    F: Format,\n{\n    /// Set the [`algorithm`](crate::JoseHeader::algorithm) parameter for\n    /// [`Jws`].\n    pub fn algorithm(self, algorithm: HeaderValue\u003cJsonWebSigningAlgorithm\u003e) -\u003e Self {\n        let specific = Specific::Jws {\n            algorithm: Some(algorithm),\n            payload_base64_url_encoded: match self.specific {\n                Specific::Jws {\n                    algorithm: _,\n                    payload_base64_url_encoded,\n                } =\u003e payload_base64_url_encoded,\n                // implementation must ensure a JoseHeaderBuilder\u003cF, Jws\u003e cannot be turned into an\n                // JoseHeaderBuilder\u003cF, Jwe\u003e\n                _ =\u003e unreachable!(),\n            },\n        };\n        Self { specific, ..self }\n    }\n\n    /// Set the [`payload_base64_url_encoded`](crate::JoseHeader::payload_base64_url_encoded) parameter for [`Jws`].\n    pub fn payload_base64_url_encoded(self, payload_base64_url_encoded: bool) -\u003e Self {\n        let specific = Specific::Jws {\n            algorithm: match self.specific {\n                Specific::Jws {\n                    algorithm,\n                    payload_base64_url_encoded: _,\n                } =\u003e algorithm,\n                _ =\u003e unreachable!(),\n            },\n            payload_base64_url_encoded: Some(payload_base64_url_encoded),\n        };\n        Self { specific, ..self }\n    }\n\n    /// Try to build a [`JoseHeader`].\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if any of the values provided by the builder are\n    /// invalid. See [`JoseHeaderBuilderError`] for details.\n    pub fn build(self) -\u003e Result\u003cJoseHeader\u003cF, Jws\u003e, JoseHeaderBuilderError\u003e {\n        let (parameters, specific) = self.build_parameters()?;\n\n        let (algorithm, payload_base64_url_encoded) = match specific {\n            Specific::Jws {\n                algorithm,\n                payload_base64_url_encoded,\n            } =\u003e (\n                algorithm.ok_or(JoseHeaderBuilderError::MissingAlgorithm)?,\n                payload_base64_url_encoded,\n            ),\n            _ =\u003e unreachable!(),\n        };\n        let specific = Jws {\n            algorithm,\n            payload_base64_url_encoded,\n        };\n        Ok(JoseHeader {\n            _format: PhantomData,\n            parameters: Parameters {\n                specific,\n                critical_headers: parameters.critical_headers,\n                jwk_set_url: parameters.jwk_set_url,\n                json_web_key: parameters.json_web_key,\n                key_id: parameters.key_id,\n                x509_url: parameters.x509_url,\n                x509_certificate_chain: parameters.x509_certificate_chain,\n                x509_certificate_sha1_thumbprint: parameters.x509_certificate_sha1_thumbprint,\n                x509_certificate_sha256_thumbprint: parameters.x509_certificate_sha256_thumbprint,\n                typ: parameters.typ,\n                content_type: parameters.content_type,\n                additional: parameters.additional,\n            },\n        })\n    }\n}\n\nimpl\u003cF\u003e JoseHeaderBuilder\u003cF, Jwe\u003e\nwhere\n    F: Format,\n{\n    /// Set the [`algorithm`](crate::JoseHeader::algorithm) parameter for\n    /// [`Jwe`].\n    pub fn algorithm(self, algorithm: HeaderValue\u003cJsonWebEncryptionAlgorithm\u003e) -\u003e Self {\n        let specific = Specific::Jwe {\n            algorithm: Some(algorithm),\n            content_encryption_algorithm: match self.specific {\n                Specific::Jwe {\n                    algorithm: _,\n                    content_encryption_algorithm,\n                } =\u003e content_encryption_algorithm,\n                _ =\u003e unreachable!(),\n            },\n        };\n        Self { specific, ..self }\n    }\n\n    /// Set the [`content_encryption_algorithm`](crate::JoseHeader::content_encryption_algorithm) parameter for [`Jwe`].\n    pub fn content_encryption_algorithm(\n        self,\n        content_encryption_algorithm: HeaderValue\u003cJsonWebContentEncryptionAlgorithm\u003e,\n    ) -\u003e Self {\n        let specific = Specific::Jwe {\n            algorithm: match self.specific {\n                Specific::Jwe {\n                    algorithm,\n                    content_encryption_algorithm: _,\n                } =\u003e algorithm,\n                _ =\u003e unreachable!(),\n            },\n            content_encryption_algorithm: Some(content_encryption_algorithm),\n        };\n        Self { specific, ..self }\n    }\n\n    /// Try to build a [`JoseHeader`].\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if any of the values provided by the builder are\n    /// invalid. See [`JoseHeaderBuilderError`] for details.\n    pub fn build(self) -\u003e Result\u003cJoseHeader\u003cF, Jwe\u003e, JoseHeaderBuilderError\u003e {\n        let (parameters, specific) = self.build_parameters()?;\n        let (algorithm, content_encryption_algorithm) = match specific {\n            Specific::Jwe {\n                algorithm,\n                content_encryption_algorithm,\n            } =\u003e (\n                algorithm.ok_or(JoseHeaderBuilderError::MissingAlgorithm)?,\n                content_encryption_algorithm.ok_or(JoseHeaderBuilderError::MissingAlgorithm)?,\n            ),\n            _ =\u003e unreachable!(),\n        };\n        let specific = Jwe {\n            algorithm,\n            content_encryption_algorithm,\n        };\n\n        Ok(JoseHeader {\n            _format: PhantomData,\n            parameters: Parameters {\n                specific,\n                critical_headers: parameters.critical_headers,\n                jwk_set_url: parameters.jwk_set_url,\n                json_web_key: parameters.json_web_key,\n                key_id: parameters.key_id,\n                x509_url: parameters.x509_url,\n                x509_certificate_chain: parameters.x509_certificate_chain,\n                x509_certificate_sha1_thumbprint: parameters.x509_certificate_sha1_thumbprint,\n                x509_certificate_sha256_thumbprint: parameters.x509_certificate_sha256_thumbprint,\n                typ: parameters.typ,\n                content_type: parameters.content_type,\n                additional: parameters.additional,\n            },\n        })\n    }\n}\n\nmacro_rules! setter {\n    ($($parameter:ident: $parameter_typ:ty),+,) =\u003e {\n        impl\u003cF, T\u003e JoseHeaderBuilder\u003cF, T\u003e\n        where\n            F: Format,\n            T: Type,\n        {\n            $(\n            #[doc = concat!(\"Set the [`\", stringify!($parameter), \"`](crate::JoseHeader::\", stringify!($parameter), \") parameter.\")]\n            pub fn $parameter(self, $parameter: Option\u003cHeaderValue\u003c$parameter_typ\u003e\u003e) -\u003e Self {\n                Self {\n                    $parameter,\n                    ..self\n                }\n            }\n            )+\n        }\n    };\n}\n\nsetter! {\n    x509_certificate_chain: Vec\u003cVec\u003cu8\u003e\u003e,\n    jwk_set_url: Uri,\n    json_web_key: JsonWebKey\u003cUntypedAdditionalProperties\u003e,\n    key_identifier: String,\n    x509_url: Uri,\n    x509_certificate_sha1_thumbprint: [u8; 20],\n    x509_certificate_sha256_thumbprint: [u8; 32],\n    typ: MediaTypeBuf,\n    content_type: MediaTypeBuf,\n}\n","traces":[{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":1}},{"line":81,"address":[],"length":0,"stats":{"Line":1}},{"line":82,"address":[],"length":0,"stats":{"Line":1}},{"line":87,"address":[],"length":0,"stats":{"Line":1}},{"line":89,"address":[],"length":0,"stats":{"Line":1}},{"line":90,"address":[],"length":0,"stats":{"Line":1}},{"line":91,"address":[],"length":0,"stats":{"Line":1}},{"line":97,"address":[],"length":0,"stats":{"Line":1}},{"line":98,"address":[],"length":0,"stats":{"Line":1}},{"line":99,"address":[],"length":0,"stats":{"Line":1}},{"line":100,"address":[],"length":0,"stats":{"Line":1}},{"line":101,"address":[],"length":0,"stats":{"Line":1}},{"line":103,"address":[],"length":0,"stats":{"Line":1}},{"line":104,"address":[],"length":0,"stats":{"Line":1}},{"line":105,"address":[],"length":0,"stats":{"Line":1}},{"line":108,"address":[],"length":0,"stats":{"Line":1}},{"line":111,"address":[],"length":0,"stats":{"Line":1}},{"line":112,"address":[],"length":0,"stats":{"Line":1}},{"line":114,"address":[],"length":0,"stats":{"Line":1}},{"line":119,"address":[],"length":0,"stats":{"Line":0}},{"line":120,"address":[],"length":0,"stats":{"Line":0}},{"line":121,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":130,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":133,"address":[],"length":0,"stats":{"Line":0}},{"line":134,"address":[],"length":0,"stats":{"Line":0}},{"line":135,"address":[],"length":0,"stats":{"Line":0}},{"line":136,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":149,"address":[],"length":0,"stats":{"Line":1}},{"line":150,"address":[],"length":0,"stats":{"Line":1}},{"line":199,"address":[],"length":0,"stats":{"Line":1}},{"line":201,"address":[],"length":0,"stats":{"Line":1}},{"line":202,"address":[],"length":0,"stats":{"Line":1}},{"line":216,"address":[],"length":0,"stats":{"Line":0}},{"line":218,"address":[],"length":0,"stats":{"Line":0}},{"line":225,"address":[],"length":0,"stats":{"Line":0}},{"line":236,"address":[],"length":0,"stats":{"Line":1}},{"line":237,"address":[],"length":0,"stats":{"Line":2}},{"line":239,"address":[],"length":0,"stats":{"Line":1}},{"line":240,"address":[],"length":0,"stats":{"Line":0}},{"line":241,"address":[],"length":0,"stats":{"Line":1}},{"line":242,"address":[],"length":0,"stats":{"Line":1}},{"line":243,"address":[],"length":0,"stats":{"Line":1}},{"line":244,"address":[],"length":0,"stats":{"Line":1}},{"line":245,"address":[],"length":0,"stats":{"Line":0}},{"line":253,"address":[],"length":0,"stats":{"Line":0}},{"line":254,"address":[],"length":0,"stats":{"Line":0}},{"line":255,"address":[],"length":0,"stats":{"Line":0}},{"line":256,"address":[],"length":0,"stats":{"Line":0}},{"line":257,"address":[],"length":0,"stats":{"Line":0}},{"line":258,"address":[],"length":0,"stats":{"Line":0}},{"line":259,"address":[],"length":0,"stats":{"Line":0}},{"line":260,"address":[],"length":0,"stats":{"Line":0}},{"line":261,"address":[],"length":0,"stats":{"Line":0}},{"line":262,"address":[],"length":0,"stats":{"Line":0}},{"line":263,"address":[],"length":0,"stats":{"Line":0}},{"line":264,"address":[],"length":0,"stats":{"Line":0}},{"line":265,"address":[],"length":0,"stats":{"Line":0}},{"line":266,"address":[],"length":0,"stats":{"Line":0}},{"line":267,"address":[],"length":0,"stats":{"Line":0}},{"line":279,"address":[],"length":0,"stats":{"Line":0}},{"line":281,"address":[],"length":0,"stats":{"Line":0}},{"line":282,"address":[],"length":0,"stats":{"Line":0}},{"line":294,"address":[],"length":0,"stats":{"Line":0}},{"line":299,"address":[],"length":0,"stats":{"Line":0}},{"line":306,"address":[],"length":0,"stats":{"Line":0}},{"line":317,"address":[],"length":0,"stats":{"Line":0}},{"line":318,"address":[],"length":0,"stats":{"Line":0}},{"line":319,"address":[],"length":0,"stats":{"Line":0}},{"line":320,"address":[],"length":0,"stats":{"Line":0}},{"line":321,"address":[],"length":0,"stats":{"Line":0}},{"line":322,"address":[],"length":0,"stats":{"Line":0}},{"line":323,"address":[],"length":0,"stats":{"Line":0}},{"line":324,"address":[],"length":0,"stats":{"Line":0}},{"line":325,"address":[],"length":0,"stats":{"Line":0}},{"line":334,"address":[],"length":0,"stats":{"Line":0}},{"line":335,"address":[],"length":0,"stats":{"Line":0}},{"line":336,"address":[],"length":0,"stats":{"Line":0}},{"line":337,"address":[],"length":0,"stats":{"Line":0}},{"line":338,"address":[],"length":0,"stats":{"Line":0}},{"line":339,"address":[],"length":0,"stats":{"Line":0}},{"line":340,"address":[],"length":0,"stats":{"Line":0}},{"line":341,"address":[],"length":0,"stats":{"Line":0}},{"line":342,"address":[],"length":0,"stats":{"Line":0}},{"line":343,"address":[],"length":0,"stats":{"Line":0}},{"line":344,"address":[],"length":0,"stats":{"Line":0}},{"line":345,"address":[],"length":0,"stats":{"Line":0}},{"line":346,"address":[],"length":0,"stats":{"Line":0}},{"line":347,"address":[],"length":0,"stats":{"Line":0}},{"line":348,"address":[],"length":0,"stats":{"Line":0}},{"line":363,"address":[],"length":0,"stats":{"Line":0}},{"line":364,"address":[],"length":0,"stats":{"Line":0}},{"line":365,"address":[],"length":0,"stats":{"Line":0}},{"line":366,"address":[],"length":0,"stats":{"Line":0}}],"covered":31,"coverable":103},{"path":["/","home","stu","dev","rust","jose","src","header","error.rs"],"content":"use alloc::string::String;\n\n/// Errors that may occur while working [`JoseHeader`](super::JoseHeader)\n#[derive(Debug, thiserror::Error)]\n#[non_exhaustive]\npub enum Error {\n    /// Found a header parameter that must be protected in the unprotected\n    /// `header` parameter\n    #[error(\"found an unprotected header parameter, that must be proctected\")]\n    ExpectedProtected,\n    /// The `protected` and (unprotected) `header` parameter share members with\n    /// the same name\n    #[error(\"the protected and unprotected header parameters share members with the same name\")]\n    NotDisjoint,\n    /// Both the `protected` and (unprotected) `header` members in a JWS or JWE\n    /// are empty.\n    #[error(\"both the protected and unprotected header parameters are empty\")]\n    NoHeader,\n    /// The `protected` or the (unprotected) `header` member is present but\n    /// contains no members (it is an empty object `{}`)\n    #[error(\"the protected or the unprotected header parameter is empty\")]\n    EmptyHeader,\n    /// Found a header parameter name that is forbidden as per [section 4.1.11\n    /// of RFC 7515]\n    ///\n    /// [section 4.1.11 of RFC 7515]: \u003chttps://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11\u003e\n    #[error(\"found a forbidden header parameter: {0}\")]\n    ForbiddenHeader(String),\n    /// A REQUIRED header is missing (e.g. the `alg` header)\n    #[error(\"a required header is missing: {0}\")]\n    MissingHeader(String),\n    /// The `crit` header is present but an empty list (`[]`)\n    #[error(\"the crit header is empty\")]\n    EmptyCriticalHeaders,\n    /// A JSON deserialization error, see [`serde_json::Error`] for details.\n    #[error(transparent)]\n    JsonError(#[from] serde_json::Error),\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","header","parameters.rs"],"content":"use alloc::{\n    borrow::Cow,\n    collections::{BTreeMap, BTreeSet},\n    string::{String, ToString},\n    vec::Vec,\n};\n\nuse mediatype::MediaTypeBuf;\nuse serde::{de::Error, Deserialize, Serialize};\nuse serde_json::Value;\n\nuse super::HeaderValue;\nuse crate::{jwk::serde_impl::Base64DerCertificate, JsonWebKey, UntypedAdditionalProperties, Uri};\n\n#[derive(Debug)]\n#[non_exhaustive]\npub(crate) struct Parameters\u003cT\u003e {\n    /// `crit` header MUST always be protected\n    pub(crate) critical_headers: Option\u003cBTreeSet\u003cString\u003e\u003e,\n    /// `jku` parameter defined in section 4.1.2 of JWS and section 4.1.4 of JWE\n    pub(crate) jwk_set_url: Option\u003cHeaderValue\u003cUri\u003e\u003e,\n    /// `jwk` parameter defined in section 4.1.3 of JWS and section 4.1.5 of JWE\n    pub(crate) json_web_key: Option\u003cHeaderValue\u003cJsonWebKey\u003cUntypedAdditionalProperties\u003e\u003e\u003e,\n    // `kid` parameter defined in section 4.1.4 of JWS and section 4.1.6 of JWE\n    pub(crate) key_id: Option\u003cHeaderValue\u003cString\u003e\u003e,\n    /// `x5u` parameter defined in section 4.1.5 of JWS and section 4.1.7 of JWE\n    // FIXME: use url type instead\n    pub(crate) x509_url: Option\u003cHeaderValue\u003cUri\u003e\u003e,\n    /// `x5c` parameter defined in section 4.1.6 of JWS and section 4.1.8 of JWE\n    pub(crate) x509_certificate_chain: Option\u003cHeaderValue\u003cVec\u003cBase64DerCertificate\u003e\u003e\u003e,\n    /// `x5t` parameter defined in section 4.1.7 of JWS and section 4.1.9 of JWE\n    pub(crate) x509_certificate_sha1_thumbprint: Option\u003cHeaderValue\u003c[u8; 20]\u003e\u003e,\n    /// `x5t#S256` parameter defined in section 4.1.8 of JWS and section 4.1.10\n    /// of JWE\n    pub(crate) x509_certificate_sha256_thumbprint: Option\u003cHeaderValue\u003c[u8; 32]\u003e\u003e,\n    /// `typ` parameter defined in section 4.1.9 of JWS and section 4.1.11 of\n    /// JWE\n    pub(crate) typ: Option\u003cHeaderValue\u003cMediaTypeWithMaybeStrippedApplicationTopLevel\u003e\u003e,\n    /// `cty` parameter defined in section 4.1.10 of JWS and section 4.1.12 of\n    /// JWE\n    pub(crate) content_type: Option\u003cHeaderValue\u003cMediaTypeWithMaybeStrippedApplicationTopLevel\u003e\u003e,\n    // additional parameters specific to JWS or JWE (e.g. `enc` in JWE)\n    pub(crate) specific: T,\n    // an untyped list of other values that are not understood by this implementation\n    pub(crate) additional: BTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e,\n}\n\n/// A wrapper type that incorporates the special handling of `application/X`\n/// media types in `typ` and `cty` header parameters as defined in [Section\n/// 4.1.9 of RFC 7515][1].\n///\n/// See [#128].\n///\n/// If the mediatype starts with `application/` and no other `/` is present,\n/// implementations should strip the `application/` to save space.\n///\n/// Since this is a serialization detail, we abstract it away, because the\n/// meaning remains the same and this way users can easily use the mediatype\n/// crate.\n///\n/// [#128]: \u003chttps://github.com/minkan-chat/jose/issues/128\u003e\n/// [1]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.9\u003e\n#[derive(Debug)]\npub(crate) struct MediaTypeWithMaybeStrippedApplicationTopLevel(pub(crate) MediaTypeBuf);\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for MediaTypeWithMaybeStrippedApplicationTopLevel {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let raw: Cow\u003c'_, str\u003e = Cow::deserialize(deserializer)?;\n        // if there is no `/` in the media type the RFC dictates to prepend\n        // `application/`\n        let corrected = if !raw.contains('/') {\n            alloc::format!(\"application/{raw}\")\n        } else {\n            raw.to_string()\n        };\n        let inner = MediaTypeBuf::from_string(corrected).map_err(D::Error::custom)?;\n        Ok(Self(inner))\n    }\n}\n\nimpl Serialize for MediaTypeWithMaybeStrippedApplicationTopLevel {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        let correct = self.0.to_string();\n        if self.0.ty() == mediatype::names::APPLICATION\n            // ensure media type contains exactly one slash (parameters included)\n            \u0026\u0026 correct.chars().filter(|c| *c == '/').count() == 1\n        {\n            let raw = correct.split_once('/').expect(\"contains one slash\").1;\n            // these should be UPPERCASE for interop with legacy implementation according to\n            // the JOSE RFCs..\n            const SHOULD_BE_UPPERCASE: [\u0026str; 2] = [\"jwt\", \"jose\"];\n            Ok(\n                if SHOULD_BE_UPPERCASE.contains(\u0026raw.to_lowercase().as_str()) {\n                    raw.to_uppercase().serialize(serializer)?\n                } else {\n                    raw.serialize(serializer)?\n                },\n            )\n        } else {\n            correct.serialize(serializer)\n        }\n    }\n}\n\n#[cfg(test)]\nmod tests {\n    use alloc::string::String;\n\n    use mediatype::{\n        names::{APPLICATION, JWT},\n        MediaType,\n    };\n    use serde::{Deserialize, Serialize};\n\n    use super::MediaTypeWithMaybeStrippedApplicationTopLevel;\n\n    #[derive(Deserialize, Serialize)]\n    struct Dummy {\n        typ: MediaTypeWithMaybeStrippedApplicationTopLevel,\n    }\n    #[test]\n    fn jwt_without_application_roundtrip() {\n        let payload = r#\"{\"typ\":\"JWT\"}\"#;\n        let a: Dummy = serde_json::from_str(payload).expect(\"valid\");\n        assert_eq!(a.typ.0, MediaType::new(APPLICATION, JWT));\n        let json: String = serde_json::to_string(\u0026a).expect(\"valid\");\n        assert_eq!(json, payload);\n    }\n}\n","traces":[{"line":67,"address":[],"length":0,"stats":{"Line":1}},{"line":71,"address":[],"length":0,"stats":{"Line":2}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":1}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":79,"address":[],"length":0,"stats":{"Line":1}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":1}},{"line":89,"address":[],"length":0,"stats":{"Line":1}},{"line":90,"address":[],"length":0,"stats":{"Line":1}},{"line":92,"address":[],"length":0,"stats":{"Line":17}},{"line":94,"address":[],"length":0,"stats":{"Line":1}},{"line":99,"address":[],"length":0,"stats":{"Line":1}},{"line":100,"address":[],"length":0,"stats":{"Line":1}},{"line":102,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}}],"covered":11,"coverable":16},{"path":["/","home","stu","dev","rust","jose","src","header","types","jwe.rs"],"content":"use crate::{\n    header::HeaderValue,\n    jwa::{JsonWebContentEncryptionAlgorithm, JsonWebEncryptionAlgorithm},\n    sealed::Sealed,\n};\n\n/// Parameters specific to Json Web Encryption\n#[derive(Debug)]\n#[non_exhaustive]\npub struct Jwe {\n    /// `alg` parameter\n    pub(crate) algorithm: HeaderValue\u003cJsonWebEncryptionAlgorithm\u003e,\n    /// `enc` parameter\n    pub(crate) content_encryption_algorithm: HeaderValue\u003cJsonWebContentEncryptionAlgorithm\u003e,\n    // FIXME: other JWE parameters (zip, epk, ...)\n}\n\nimpl Sealed for Jwe {}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","header","types","jws.rs"],"content":"use crate::{header::HeaderValue, jwa::JsonWebSigningAlgorithm, sealed::Sealed};\n\n/// Parameters specific to Json Web Signatures\n#[derive(Debug)]\n#[non_exhaustive]\npub struct Jws {\n    // `alg` parameter\n    pub(crate) algorithm: HeaderValue\u003cJsonWebSigningAlgorithm\u003e,\n    /// `b64` parameter as defined by RFC 7797. This parameter is optional and\n    /// it's default value is `true`.\n    ///\n    /// If this value is `false`, the payload of the JWS is not base64 urlsafe\n    /// encoded. This can work for simple stuff like a hex string, but will\n    /// often cause parsing errors. Use of this option makes sense if the\n    /// payload of a JWS is detached.\n    ///\n    /// Note: In a JsonWebToken, this value MUST always be true. Therefore, the\n    /// payload MUST NOT use the unencoded payload option.\n    ///\n    /// Note: This header MUST be integrity protected.\n    pub(crate) payload_base64_url_encoded: Option\u003cbool\u003e,\n}\n\nimpl Sealed for Jws {}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","header","types.rs"],"content":"mod jwe;\nmod jws;\n\nuse alloc::{\n    collections::BTreeMap,\n    string::{String, ToString},\n};\n\nuse serde_json::Value;\n\n#[doc(inline)]\npub use self::{jwe::*, jws::*};\nuse super::{builder::Specific, Error, HeaderDeserializer, HeaderValue};\nuse crate::sealed::Sealed;\n\n/// Trait used to specify where a [`JoseHeader`](super::JoseHeader) is being\n/// used. Implemented by [`Jws`] and [`Jwe`].\n///\n/// This trait is an implementation detailed and sealed. It is not relevant for\n/// developers using this crate.\npub trait Type: Sealed {\n    /// A list of parameters that are not allowed in the `crit` header.\n    ///\n    /// This list might grow or shrink. This is not considered a breaking\n    /// change.\n    fn forbidden_critical_headers() -\u003e \u0026'static [\u0026'static str];\n    /// Build the implementing type while preseving the [`HeaderDeserializer`]\n    ///\n    /// # Errors\n    ///\n    /// Should return an [`Error`] if deserialization fails or an invalid value\n    /// is detected.\n    fn from_deserializer(\n        de: HeaderDeserializer,\n    ) -\u003e Result\u003c(Self, HeaderDeserializer), (Error, HeaderDeserializer)\u003e\n    where\n        Self: Sized;\n\n    /// Implementation detail of\n    /// [`JoseHeaderBuilder`](super::JoseHeaderBuilder).\n    fn specific_default() -\u003e Specific;\n\n    /// Implementation detail of\n    /// [`JoseHeaderBuilder`](super::JoseHeaderBuilder).\n    fn into_specific(self) -\u003e Specific;\n\n    /// Convert fields into a Map that can be used for serialization\n    ///\n    /// # Errors\n    ///\n    /// May return an error if the conversion to [`Value`] fails.\n    fn into_map(self) -\u003e Result\u003cBTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e, Error\u003e;\n}\n\nimpl Type for Jws {\n    #[inline]\n    fn forbidden_critical_headers() -\u003e \u0026'static [\u0026'static str] {\n        // \u003chttps://www.rfc-editor.org/rfc/rfc7515.html#section-9.1.2\u003e\n        // FIXME: add parameters from JWA\n        \u0026[\n            \"alg\", \"jku\", \"jwk\", \"kid\", \"x5u\", \"x5c\", \"x5t\", \"x5t#S256\", \"typ\", \"cty\", \"crit\",\n        ]\n    }\n\n    fn from_deserializer(\n        mut de: HeaderDeserializer,\n    ) -\u003e Result\u003c(Self, HeaderDeserializer), (Error, HeaderDeserializer)\u003e\n    where\n        Self: Sized,\n    {\n        // \"try\" blocks hack\n        let mut t = || {\n            Ok(Self {\n                algorithm: de\n                    .deserialize_field(\"alg\")\n                    .transpose()?\n                    .ok_or(Error::MissingHeader(\"alg\".to_string()))?,\n                payload_base64_url_encoded: de\n                    .deserialize_field(\"b64\")\n                    .transpose()?\n                    // `b64` must be protected\n                    .map(|v| v.protected().ok_or(Error::ExpectedProtected))\n                    .transpose()?,\n            })\n        };\n        let s: Result\u003cJws, Error\u003e = t();\n        match s {\n            Ok(v) =\u003e Ok((v, de)),\n            Err(e) =\u003e Err((e, de)),\n        }\n    }\n\n    fn specific_default() -\u003e Specific {\n        Specific::Jws {\n            algorithm: None,\n            payload_base64_url_encoded: None,\n        }\n    }\n\n    fn into_specific(self) -\u003e Specific {\n        Specific::Jws {\n            algorithm: Some(self.algorithm),\n            payload_base64_url_encoded: self.payload_base64_url_encoded,\n        }\n    }\n\n    fn into_map(self) -\u003e Result\u003cBTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e, Error\u003e {\n        let mut map = BTreeMap::new();\n        map.insert(\n            \"alg\".to_string(),\n            self.algorithm.map(serde_json::to_value).transpose()?,\n        );\n\n        // if explictly set to true, set it even tho true is the default\n        if let Some(b64) = self.payload_base64_url_encoded {\n            map.insert(\n                \"b64\".to_string(),\n                HeaderValue::Protected(serde_json::to_value(b64)?),\n            );\n        }\n\n        Ok(map)\n    }\n}\n\nimpl Type for Jwe {\n    #[inline]\n    fn forbidden_critical_headers() -\u003e \u0026'static [\u0026'static str] {\n        // \u003chttps://www.rfc-editor.org/rfc/rfc7516.html#section-10.1.1\u003e\n        // FIXME: add parameters from JWA\n        \u0026[\n            \"alg\", \"enc\", \"zip\", \"jku\", \"jwk\", \"kid\", \"x5u\", \"x5c\", \"x5t\", \"x5t#S256\", \"typ\",\n            \"cty\", \"crit\",\n        ]\n    }\n\n    fn from_deserializer(\n        mut de: HeaderDeserializer,\n    ) -\u003e Result\u003c(Self, HeaderDeserializer), (Error, HeaderDeserializer)\u003e\n    where\n        Self: Sized,\n    {\n        // \"try\" blocks hack\n        let mut t = || {\n            Ok(Self {\n                algorithm: de\n                    .deserialize_field(\"alg\")\n                    .transpose()?\n                    .ok_or(Error::MissingHeader(\"alg\".to_string()))?,\n                content_encryption_algorithm: de\n                    .deserialize_field(\"enc\")\n                    .transpose()?\n                    .ok_or(Error::MissingHeader(\"enc\".to_string()))?,\n            })\n        };\n        let s: Result\u003cJwe, Error\u003e = t();\n        match s {\n            Ok(v) =\u003e Ok((v, de)),\n            Err(e) =\u003e Err((e, de)),\n        }\n    }\n\n    fn specific_default() -\u003e Specific {\n        Specific::Jwe {\n            algorithm: None,\n            content_encryption_algorithm: None,\n        }\n    }\n\n    fn into_specific(self) -\u003e Specific {\n        Specific::Jwe {\n            algorithm: Some(self.algorithm),\n            content_encryption_algorithm: Some(self.content_encryption_algorithm),\n        }\n    }\n\n    fn into_map(self) -\u003e Result\u003cBTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e, Error\u003e {\n        Ok([\n            (\n                \"alg\".to_string(),\n                self.algorithm.map(serde_json::to_value).transpose()?,\n            ),\n            (\n                \"enc\".to_string(),\n                self.content_encryption_algorithm\n                    .map(serde_json::to_value)\n                    .transpose()?,\n            ),\n        ]\n        .into_iter()\n        .collect())\n    }\n}\n","traces":[{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":0}},{"line":79,"address":[],"length":0,"stats":{"Line":0}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":86,"address":[],"length":0,"stats":{"Line":0}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":1}},{"line":100,"address":[],"length":0,"stats":{"Line":0}},{"line":102,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":108,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":133,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":144,"address":[],"length":0,"stats":{"Line":0}},{"line":145,"address":[],"length":0,"stats":{"Line":0}},{"line":146,"address":[],"length":0,"stats":{"Line":0}},{"line":147,"address":[],"length":0,"stats":{"Line":0}},{"line":148,"address":[],"length":0,"stats":{"Line":0}},{"line":149,"address":[],"length":0,"stats":{"Line":0}},{"line":150,"address":[],"length":0,"stats":{"Line":0}},{"line":151,"address":[],"length":0,"stats":{"Line":0}},{"line":152,"address":[],"length":0,"stats":{"Line":0}},{"line":153,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":157,"address":[],"length":0,"stats":{"Line":0}},{"line":158,"address":[],"length":0,"stats":{"Line":0}},{"line":159,"address":[],"length":0,"stats":{"Line":0}},{"line":163,"address":[],"length":0,"stats":{"Line":0}},{"line":170,"address":[],"length":0,"stats":{"Line":0}},{"line":172,"address":[],"length":0,"stats":{"Line":0}},{"line":173,"address":[],"length":0,"stats":{"Line":0}},{"line":177,"address":[],"length":0,"stats":{"Line":0}},{"line":178,"address":[],"length":0,"stats":{"Line":0}},{"line":180,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":0}},{"line":184,"address":[],"length":0,"stats":{"Line":0}},{"line":185,"address":[],"length":0,"stats":{"Line":0}},{"line":186,"address":[],"length":0,"stats":{"Line":0}},{"line":187,"address":[],"length":0,"stats":{"Line":0}},{"line":190,"address":[],"length":0,"stats":{"Line":0}},{"line":191,"address":[],"length":0,"stats":{"Line":0}}],"covered":1,"coverable":65},{"path":["/","home","stu","dev","rust","jose","src","header","value.rs"],"content":"use core::ops::Deref;\n\nuse crate::sealed::Sealed;\n\n/// Some value `T` in either the protected or unprotected header.\n#[derive(Debug, PartialEq, Eq, PartialOrd, Ord)]\npub enum HeaderValue\u003cT\u003e {\n    /// `T` is in the `protected` header parameter and integrity protected.\n    Protected(T),\n    /// `T` is in the unprotected `header` parameter and NOT integrity\n    /// protected.\n    Unprotected(T),\n}\n\nimpl\u003cT\u003e Sealed for HeaderValue\u003cT\u003e {}\n\nimpl\u003cT\u003e HeaderValue\u003cT\u003e {\n    /// Convert from `\u0026HeaderValue\u003cT\u003e` to `HeaderValue\u003c\u0026T\u003e`.\n    ///\n    /// Works like [`Option::as_ref`]\n    pub fn as_ref(\u0026self) -\u003e HeaderValue\u003c\u0026'_ T\u003e {\n        match self {\n            HeaderValue::Protected(v) =\u003e HeaderValue::Protected(v),\n            HeaderValue::Unprotected(v) =\u003e HeaderValue::Unprotected(v),\n        }\n    }\n\n    /// Converts from `\u0026HeaderValue\u003cT\u003e` to `HeaderValue\u003c\u0026T::Target\u003e`.\n    ///\n    /// Works like [`Option::as_deref`]\n    pub fn as_deref(\u0026self) -\u003e HeaderValue\u003c\u0026T::Target\u003e\n    where\n        T: Deref,\n    {\n        match self.as_ref() {\n            HeaderValue::Protected(t) =\u003e HeaderValue::Protected(t.deref()),\n            HeaderValue::Unprotected(t) =\u003e HeaderValue::Unprotected(t.deref()),\n        }\n    }\n\n    /// Maps an `HeaderValue\u003cT\u003e` to `HeaderValue\u003cU\u003e` by applying a function to a\n    /// contained value.\n    pub fn map\u003cU, F\u003e(self, f: F) -\u003e HeaderValue\u003cU\u003e\n    where\n        F: FnOnce(T) -\u003e U,\n    {\n        match self {\n            HeaderValue::Protected(t) =\u003e HeaderValue::Protected(f(t)),\n            HeaderValue::Unprotected(t) =\u003e HeaderValue::Unprotected(f(t)),\n        }\n    }\n\n    /// Returns [`Some`] if `T` is in the `protected` parameter.\n    pub fn protected(self) -\u003e Option\u003cT\u003e {\n        match self {\n            Self::Protected(p) =\u003e Some(p),\n            _ =\u003e None,\n        }\n    }\n\n    /// Returns [`Some`] if `T` is in the unprotected `header` parameter.\n    pub fn unprotected(self) -\u003e Option\u003cT\u003e {\n        match self {\n            Self::Unprotected(u) =\u003e Some(u),\n            _ =\u003e None,\n        }\n    }\n\n    /// Returns the inner type `T` discarding the information about where `T` is\n    /// stored.\n    pub fn into_inner(self) -\u003e T {\n        match self {\n            Self::Protected(t) =\u003e t,\n            Self::Unprotected(t) =\u003e t,\n        }\n    }\n}\n\nimpl\u003cT\u003e HeaderValue\u003cOption\u003cT\u003e\u003e {\n    /// Transpose a [`HeaderValue\u003cOption\u003cT\u003e\u003e`] into [`Option\u003cHeaderValue\u003cT\u003e\u003e`]\n    pub fn transpose(self) -\u003e Option\u003cHeaderValue\u003cT\u003e\u003e {\n        Some(match self {\n            HeaderValue::Protected(p) =\u003e HeaderValue::Protected(p?),\n            HeaderValue::Unprotected(u) =\u003e HeaderValue::Unprotected(u?),\n        })\n    }\n}\n\nimpl\u003cT, E\u003e HeaderValue\u003cResult\u003cT, E\u003e\u003e {\n    /// Transpose a [`HeaderValue\u003cResult\u003cT, E\u003e\u003e`] into\n    /// [`Result\u003cHeaderValue\u003c`T`\u003e, E\u003e`]\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the inner [`Result`] contains an error.\n    pub fn transpose(self) -\u003e Result\u003cHeaderValue\u003cT\u003e, E\u003e {\n        Ok(match self {\n            Self::Protected(p) =\u003e HeaderValue::Protected(p?),\n            Self::Unprotected(u) =\u003e HeaderValue::Unprotected(u?),\n        })\n    }\n}\n","traces":[{"line":21,"address":[],"length":0,"stats":{"Line":1}},{"line":22,"address":[],"length":0,"stats":{"Line":1}},{"line":23,"address":[],"length":0,"stats":{"Line":1}},{"line":24,"address":[],"length":0,"stats":{"Line":0}},{"line":31,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":37,"address":[],"length":0,"stats":{"Line":0}},{"line":43,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":54,"address":[],"length":0,"stats":{"Line":0}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":62,"address":[],"length":0,"stats":{"Line":0}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":81,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}}],"covered":3,"coverable":32},{"path":["/","home","stu","dev","rust","jose","src","header.rs"],"content":"//! [`JoseHeader`] and associated abstractions as defined in [section 4 of RFC\n//! 7515].\n//!\n//! [section 4 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4\u003e\nuse alloc::{\n    collections::{BTreeMap, BTreeSet},\n    string::{String, ToString},\n};\nuse core::{marker::PhantomData, ops::Deref};\n\nuse mediatype::MediaType;\nuse serde::Deserialize;\nuse serde_json::{Map, Value};\n\nmod builder;\nmod error;\nmod parameters;\nmod types;\nmod value;\n\nuse self::parameters::Parameters;\n#[doc(inline)]\npub use self::{\n    builder::{JoseHeaderBuilder, JoseHeaderBuilderError},\n    error::Error,\n    types::*,\n    value::*,\n};\nuse crate::{\n    format::Format,\n    jwa::{JsonWebContentEncryptionAlgorithm, JsonWebEncryptionAlgorithm, JsonWebSigningAlgorithm},\n    uri::BorrowedUri,\n    JsonWebKey, UntypedAdditionalProperties,\n};\n\n/// A [`JoseHeader`] is primarily used to specify how a JSON Web Signature or\n/// JSON Web Encryption should be processed.\n///\n/// Besides the [`algorithm`](JoseHeader::algorithm) used for the cryptographic\n/// primitives, it can also store additional metadata that should not be part of\n/// the payload.\n/// For example, the [`typ`](JoseHeader::typ) parameter may be used to specify a\n/// content type for the payload.\n///\n/// # Structure\n///\n/// A [`JoseHeader`] may be a bit different, depending where it is being used.\n/// Therefore, [`JoseHeader\u003cF, T\u003e`] has two generic types that define where and\n/// how exactly it is being used. `F` defines the [`Format`] that this\n/// [`JoseHeader`] is being used in. `T` defines whether the [`JoseHeader`] is\n/// part of a [JSON Web Signature][Jws] or [JSON Web Encryption][Jwe].\n///\n/// A [`JoseHeader`] can store parameters in two ways:\n///\n/// * [protected](HeaderValue::Protected): Parameters stored in the protected\n///   part of a [`JoseHeader`] **cannot** be modified without knowledge of the\n///   cryptographic key that was used to protect the payload.\n///\n/// * [unprotected](HeaderValue::Unprotected): Parameters stored in the\n///   unprotected part of a [`JoseHeader`] **can** be modified by anybody and\n///   *changes cannot be detected*. You therefore *MUST NOT* trust them.\n///\n/// Since most parameters are allowed in both of the two header parts, each\n/// parameter is wrapped in a [`HeaderValue\u003cT\u003e`] that specifies the part in\n/// which the paramter is stored.\n///\n/// # Parameter classes\n///\n/// [Section 4 of RFC 7515] defines three classes of header parameters:\n///\n/// * [Registered header parameters]: these parameters are registerd in the\n///   [IANA `JSON Web Signature and Encryption Header Parameters` registry].\n///   Most of them are implemented by this library and can be directly accessed\n///   via the methods on [`JoseHeader`]. If you find a registered parameter you\n///   need missing, you are welcome to open an issue or even better a pull\n///   request to support it.\n///\n/// * [Public header parameters]: these parameters are not registered but use a\n///   \"Collision-Resistant Name\" (e.g. they are prefixed by a domain you\n///   control) as defined in [section 2 of RFC 7515]. You may access them using\n///   [`JoseHeader::additional`].\n///\n/// * [Private header parameters]: these parameters are not registered either\n///   but do not use a \"Collisin-Resistant Name\" and are therefore subject to\n///   collision. You can also use them via [`JoseHeader::additional`] but their\n///   use is not recommended and if new paramters are registered that collide\n///   with a private parameter, your implementation may break.\n///\n/// # Examples\n///\n///\n/// ```\n/// use jose::{\n///     format::Compact,\n///     header::{HeaderValue, JoseHeader, Jws},\n///     jwa::Hmac,\n/// };\n///\n/// // we are going to build a `JoseHeader` for a `Compact` `Jws`\n/// let header = JoseHeader::\u003cCompact, Jws\u003e::builder()\n///     // we set the `alg` header parameter as an unprotected parameter\n///     .algorithm(HeaderValue::Unprotected(Hmac::Hs256.into()))\n///     // we set the `kid` header parameter as an protected parameter\n///     .key_identifier(Some(HeaderValue::Protected(\"key-1\".to_string())))\n///     .build()\n///     .unwrap();\n///\n/// assert_eq!(\n///     header.algorithm(),\n///     HeaderValue::Unprotected(\u0026Hmac::Hs256.into())\n/// );\n/// assert_eq!(\n///     header.key_identifier(),\n///     Some(HeaderValue::Protected(\"key-1\"))\n/// );\n/// ```\n///\n/// [section 2 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-2\u003e\n/// [Section 4 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4\u003e\n/// [IANA `JSON Web Signature and Encryption Header Parameters` registry]: \u003chttps://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-header-parameters\u003e\n/// [Registered header parameters]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1\u003e\n/// [Public header parameters]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.2\u003e\n/// [Private header parameters]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.3\u003e\n#[derive(Debug)]\npub struct JoseHeader\u003cF, T\u003e {\n    parameters: Parameters\u003cT\u003e,\n    // marker for the format (compact, json general, json flattened)\n    _format: PhantomData\u003cF\u003e,\n}\n\nimpl\u003cF\u003e JoseHeader\u003cF, Jws\u003e\nwhere\n    F: Format,\n{\n    /// Method to override the alg and kid fields.\n    /// Only intended for internal usage.\n    pub(crate) fn overwrite_alg_and_key_id(\n        \u0026mut self,\n        alg: JsonWebSigningAlgorithm,\n        kid: Option\u003c\u0026str\u003e,\n    ) {\n        let is_protected = matches!(self.algorithm(), HeaderValue::Protected(_));\n\n        let alg = if is_protected {\n            HeaderValue::Protected(alg)\n        } else {\n            HeaderValue::Unprotected(alg)\n        };\n\n        let kid = kid.map(|s| {\n            let kid = s.to_string();\n            if is_protected {\n                HeaderValue::Protected(kid)\n            } else {\n                HeaderValue::Unprotected(kid)\n            }\n        });\n\n        self.parameters.key_id = kid;\n        self.parameters.specific.algorithm = alg;\n    }\n}\n\nimpl\u003cF, T\u003e JoseHeader\u003cF, T\u003e\nwhere\n    F: Format,\n    T: Type,\n{\n    /// Build a new [`JoseHeader`].\n    pub fn builder() -\u003e JoseHeaderBuilder\u003cF, T\u003e {\n        JoseHeaderBuilder::default()\n    }\n\n    /// Modify this [`JoseHeader`] by turning it back into a\n    /// [`JoseHeaderBuilder`].\n    pub fn into_builder(self) -\u003e JoseHeaderBuilder\u003cF, T\u003e {\n        JoseHeaderBuilder::from_header(self)\n    }\n\n    /// Returns a url containing a link to a JSON Web Key Set as defined in\n    /// [section 5 of RFC 7517].\n    ///\n    /// This parameter is serialized as `jku` and defined in [section 4.1.2 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.2 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.2\u003e\n    /// [section 5 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-5\u003e\n    // FIXME: use url type instead\n    pub fn jwk_set_url(\u0026self) -\u003e Option\u003cHeaderValue\u003cBorrowedUri\u003c'_\u003e\u003e\u003e {\n        self.parameters\n            .jwk_set_url\n            .as_ref()\n            .map(|x| x.as_ref().map(|x| x.borrow()))\n    }\n\n    /// Depending where this [`JoseHeader`] is being used, in JWE it contains\n    /// the recipient's public key and in JWS it contains the signer's public\n    /// key.\n    ///\n    /// This parameter is serialized as `jwk` and defined in [section 4.1.3 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.3 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.3\u003e\n    pub fn json_web_key(\u0026self) -\u003e Option\u003cHeaderValue\u003c\u0026JsonWebKey\u003cUntypedAdditionalProperties\u003e\u003e\u003e {\n        self.parameters\n            .json_web_key\n            .as_ref()\n            .map(HeaderValue::as_ref)\n    }\n\n    /// The identifier of the key used in this JWE or JWS used to give a hint to\n    /// recipient.\n    ///\n    /// It is a case-sensitive string. When used together with a [`JsonWebKey`]\n    /// via the [`jwk`](Self::json_web_key) parameter, it is used to match the\n    /// [Key ID](JsonWebKey::key_id) of the [`JsonWebKey`].\n    ///\n    /// This parameter is serialized as `jwk` and defined in [section 4.1.4 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.4 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4\u003e\n    pub fn key_identifier(\u0026self) -\u003e Option\u003cHeaderValue\u003c\u0026str\u003e\u003e {\n        self.parameters.key_id.as_ref().map(HeaderValue::as_deref)\n    }\n\n    /// The X.509 URL parameter is an URI (as defined in [RFC 3986]) that refers\n    /// to a resource for the X.509 public key certificate or certificate chain\n    /// (as defined in [RFC 5280]) of the public key used in this JWE or JWS.\n    ///\n    /// This parameter is serialized as `x5u` and defined in [section 4.1.5 of\n    /// RFC 7515].\n    ///\n    /// [RFC 3986]: \u003chttps://datatracker.ietf.org/doc/html/rfc3986\u003e\n    /// [RFC 5280]: \u003chttps://datatracker.ietf.org/doc/html/rfc5280\u003e\n    /// [section 4.1.5 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.5\u003e\n    pub fn x509_url(\u0026self) -\u003e Option\u003cHeaderValue\u003cBorrowedUri\u003c'_\u003e\u003e\u003e {\n        self.parameters\n            .x509_url\n            .as_ref()\n            .map(|x| x.as_ref().map(|x| x.borrow()))\n    }\n\n    /// An [`Iterator`] over a X.509 certificate chain that certify the public\n    /// key used in this JWE or JWS.\n    ///\n    /// The first certificate in the [`Iterator`] returned by this method is the\n    /// PKIX certificate containing the key value as required by the RFC.\n    ///\n    /// Each [`Item`](Iterator::Item) will be the byte representation of a\n    /// DER-encoded X.509 certificate. This parameter works the same as\n    /// [`JsonWebKey::x509_certificate_chain`].\n    ///\n    /// This parameter is serialized as `x5u` and defined in [section 4.1.6 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.6 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.6\u003e\n    pub fn x509_certificate_chain(\u0026self) -\u003e Option\u003cHeaderValue\u003cimpl Iterator\u003cItem = \u0026[u8]\u003e\u003e\u003e {\n        self.parameters\n            .x509_certificate_chain\n            .as_ref()\n            .map(HeaderValue::as_deref)\n            .map(|value| value.map(|certs| certs.iter().map(Deref::deref)))\n    }\n\n    /// This parameter is the SHA-1 hash of the DER-encoded X.509 certificate\n    /// (X.509 Certificate SHA-1 Thumbprint).\n    ///\n    /// # Warning: Cryptographically broken!\n    ///\n    /// TL;DR: check if you can use the [SHA-256\n    /// thumbprint](Self::x509_certificate_sha256_thumbprint) instead.\n    ///\n    /// The following text is taken from the `sha1` crate: \\\n    /// The SHA-1 hash function should be considered cryptographically broken\n    /// and unsuitable for further use in any security critical capacity, as it\n    /// is [practically vulnerable to chosen-prefix collisions](https://sha-mbles.github.io/).\n    ///\n    /// This parameter is serialized as `x5t` and defined in [section 4.1.7 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.7 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.7\u003e\n    // replace the hardcoded output size with the Sha1::OutputsizeUser value then\n    // they use const generics\n    pub fn x509_certificate_sha1_thumbprint(\u0026self) -\u003e Option\u003cHeaderValue\u003c\u0026[u8; 20]\u003e\u003e {\n        self.parameters\n            .x509_certificate_sha1_thumbprint\n            .as_ref()\n            .map(HeaderValue::as_ref)\n    }\n\n    /// This parameter is the SHA-256 hash of the DER-encoded X.509 certificate\n    /// (X.509 Certificate SHA-256 Thumbprint).\n    ///\n    /// This parameter is serialized as `x5t#S256` and defined in [section 4.1.8\n    /// of RFC 7515].\n    ///\n    /// [section 4.1.8 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.8\u003e\n    pub fn x509_certificate_sha256_thumbprint(\u0026self) -\u003e Option\u003cHeaderValue\u003c\u0026[u8; 32]\u003e\u003e {\n        self.parameters\n            .x509_certificate_sha256_thumbprint\n            .as_ref()\n            .map(HeaderValue::as_ref)\n    }\n\n    /// The Type parameter is used to declare the [media type] of this\n    /// complete JWE or JWS.\n    ///\n    /// This parameter is serialized as `typ` and defined in [section 4.1.9 of\n    /// RFC 7515].\n    ///\n    /// # Note\n    ///\n    /// Media types that start with [`application`]`/` (top-level type) and\n    /// do not contain any other `/` are shortend to just the subtype according\n    /// to [section 4.1.9 of RFC 7515]. Therefore, for example,\n    /// `application/jwt` would become just `jwt`. However, since the RFC\n    /// recommends that the mediatype `jwt` and `jose` should be uppercase for\n    /// interop with legacy implementations, it would actually become `JWT`.\n    ///\n    ///\n    /// # Example\n    ///\n    /// When a [`JoseHeader`] is being used with a JSON Web Token and this\n    /// parameter is set, it is recommended that this type will be\n    /// [`application`]`/`[`jwt`] as defined in [section 5.1 of RFC 7519].\n    /// In the serialized form, `typ` will be `JWT`.\n    ///\n    /// [media type]: \u003chttps://www.iana.org/assignments/media-types\u003e\n    /// [section 4.1.9 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.9\u003e\n    /// [`application`]: \u003cmediatype::names::APPLICATION\u003e\n    /// [`jwt`]: \u003cmediatype::names::JWT\u003e\n    /// [section 5.1 of RFC 7519]: \u003chttps://datatracker.ietf.org/doc/html/rfc7519#section-5.1\u003e\n    pub fn typ(\u0026self) -\u003e Option\u003cHeaderValue\u003cMediaType\u003c'_\u003e\u003e\u003e {\n        self.parameters\n            .typ\n            .as_ref()\n            .map(|value| value.as_ref().map(|v| v.0.to_ref()))\n    }\n\n    /// The Content Type parameter is used to declare the [media type] of the\n    /// payload of a JWE or JWS.\n    ///\n    /// This parameter is serialized as `cty` and defined in [section 4.1.10 of\n    /// RFC 7515].\n    ///\n    /// # Example\n    ///\n    /// When a [`JoseHeader`] is being used with a JSON Web Token and nested\n    /// encryption or signing is employed, this parameter must be present and be\n    /// set to [`application`]`/`[`jwt`] as defined by [section 5.2 of RFC\n    /// 7519].\n    ///\n    /// [media type]: \u003chttps://www.iana.org/assignments/media-types\u003e\n    /// [section 4.1.10 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.10\u003e\n    /// [`application`]: \u003cmediatype::names::APPLICATION\u003e\n    /// [`jwt`]: \u003cmediatype::names::JWT\u003e\n    /// [section 5.2 of RFC 7519]: \u003chttps://datatracker.ietf.org/doc/html/rfc7519#section-5.2\u003e\n    pub fn content_type(\u0026self) -\u003e Option\u003cHeaderValue\u003cMediaType\u003c'_\u003e\u003e\u003e {\n        self.parameters\n            .content_type\n            .as_ref()\n            .map(|value| value.as_ref().map(|v| v.0.to_ref()))\n    }\n\n    /// Get additional parameters by their serialized parameter name.\n    ///\n    /// Note: Parameters that are understood by this implementation (receivable\n    /// via the method on [`JoseHeader`]) will return [`None`]. Use the\n    /// appropriate method instead.\n    pub fn additional(\u0026self, parameter_name: impl AsRef\u003cstr\u003e) -\u003e Option\u003cHeaderValue\u003c\u0026Value\u003e\u003e {\n        self.parameters\n            .additional\n            .get(parameter_name.as_ref())\n            .map(|v| v.as_ref())\n    }\n\n    /// The Critical Header parameter is used to declare headers that must be\n    /// understood by an implementation.\n    ///\n    /// It is an [`Iterator`] over the parameter names of critical headers in\n    /// this [`JoseHeader`]. If there are no headers marked as critical, this\n    /// [`Iterator`] will be empty.\n    ///\n    /// This parameter is serialized as `crit` and defined in [section 4.1.11 of\n    /// RFC 7515].\n    ///\n    /// Note: Header names listed in this parameter have to be present and the\n    /// [`JoseHeader`] is considered invalid otherwise.\n    ///\n    /// Note: This header parameter is always integrity protected.\n    ///\n    /// [section 4.1.11 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.11\u003e\n    pub fn critical_headers(\u0026self) -\u003e impl Iterator\u003cItem = \u0026'_ str\u003e {\n        self.parameters\n            .critical_headers\n            .iter()\n            .flatten()\n            .map(Deref::deref)\n    }\n}\n\nimpl\u003cF\u003e JoseHeader\u003cF, Jws\u003e\nwhere\n    F: Format,\n{\n    /// The [signing algorithm](JsonWebSigningAlgorithm) used to create the\n    /// signature for the JWS this [`JoseHeader`] is contained in.\n    ///\n    /// This parameter is serialized as `alg` and defined in [section 4.1.1 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.1 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.1\u003e\n    pub fn algorithm(\u0026self) -\u003e HeaderValue\u003c\u0026JsonWebSigningAlgorithm\u003e {\n        self.parameters.specific.algorithm.as_ref()\n    }\n\n    /// Whether the payload is being base64url encoded or not.\n    ///\n    /// This parameter is serialized as `b64` and defined in [section 3 of RFC\n    /// 7797].\n    ///\n    /// Note: This header parameter is always integrity protected.\n    ///\n    /// Note: This header parameter is OPTIONAL and has a default value of\n    /// `true`.\n    ///\n    /// [section 3 of RFC 7797]: \u003chttps://datatracker.ietf.org/doc/html/rfc7797#section-3\u003e\n    pub fn payload_base64_url_encoded(\u0026self) -\u003e bool {\n        self.parameters\n            .specific\n            .payload_base64_url_encoded\n            .unwrap_or(true)\n    }\n}\n\nimpl\u003cF\u003e JoseHeader\u003cF, Jwe\u003e\nwhere\n    F: Format,\n{\n    /// The [encryption algorithm][JsonWebEncryptionAlgorithm] used to\n    /// encryption the content encryption key (CEK).\n    ///\n    /// This parameter is serialized as `alg` and defined in [section 4.1.1 of\n    /// RFC 7516].\n    ///\n    /// [section 4.1.1 of RFC 7516]: \u003chttps://datatracker.ietf.org/doc/html/rfc7516/#section-4.1.1\u003e\n    pub fn algorithm(\u0026self) -\u003e HeaderValue\u003c\u0026JsonWebEncryptionAlgorithm\u003e {\n        self.parameters.specific.algorithm.as_ref()\n    }\n\n    /// The [encryption algorithm](JsonWebContentEncryptionAlgorithm) used to\n    /// encryption the payload of a JWE.\n    ///\n    /// This parameter is serialized as `enc` and defined in [section 4.1.2 of\n    /// RFC 7516].\n    ///\n    /// [section 4.1.2 of RFC 7516]: \u003chttps://datatracker.ietf.org/doc/html/rfc7516/#section-4.1.2\u003e\n    pub fn content_encryption_algorithm(\u0026self) -\u003e HeaderValue\u003c\u0026JsonWebContentEncryptionAlgorithm\u003e {\n        self.parameters\n            .specific\n            .content_encryption_algorithm\n            .as_ref()\n    }\n}\n\nimpl\u003cF, T\u003e JoseHeader\u003cF, T\u003e\nwhere\n    F: Format,\n    T: Type,\n{\n    /// Build a JoseHeader from its `header` and `protected` part.\n    ///\n    /// Note: The `protected` part must already be base64 decoded.\n    pub(crate) fn from_values(\n        protected: Option\u003cMap\u003cString, Value\u003e\u003e,\n        unprotected: Option\u003cMap\u003cString, Value\u003e\u003e,\n    ) -\u003e Result\u003cSelf, Error\u003e {\n        let de = HeaderDeserializer::from_values(protected, unprotected)?;\n        let (specific, mut de) = T::from_deserializer(de).map_err(|(e, _)| e)?;\n        Ok(Self {\n            parameters: Parameters {\n                critical_headers: de\n                    .deserialize_field(\"crit\")\n                    .transpose()?\n                    .map(|v| v.protected().ok_or(Error::ExpectedProtected))\n                    .transpose()?\n                    .map(|v: BTreeSet\u003c_\u003e| {\n                        // RFC 7515\n                        // `crit` must not be an empty list,\n                        // must not contain header names specified by the specification\n                        // FIXME: consider forbidden headers that are `Format` specific.\n                        if v.is_empty() {\n                            return Err(Error::EmptyCriticalHeaders);\n                        }\n                        for forbidden in T::forbidden_critical_headers() {\n                            if v.contains(*forbidden) {\n                                return Err(Error::ForbiddenHeader(forbidden.to_string()));\n                            }\n                        }\n                        Ok(v)\n                    })\n                    .transpose()?,\n                jwk_set_url: de.deserialize_field(\"jku\").transpose()?,\n                json_web_key: de.deserialize_field(\"jwk\").transpose()?,\n                key_id: de.deserialize_field(\"kid\").transpose()?,\n                x509_url: de.deserialize_field(\"x5u\").transpose()?,\n                x509_certificate_chain: de.deserialize_field(\"x5c\").transpose()?,\n                x509_certificate_sha1_thumbprint: de.deserialize_field(\"x5t\").transpose()?,\n                x509_certificate_sha256_thumbprint: de.deserialize_field(\"x5t#S256\").transpose()?,\n                typ: de.deserialize_field(\"typ\").transpose()?,\n                content_type: de.deserialize_field(\"cty\").transpose()?,\n                specific,\n                additional: de.additional(),\n            },\n            _format: PhantomData,\n        })\n    }\n\n    /// Returns `Result\u003c(Option\u003cProtected\u003e, Option\u003cUnprotected\u003e), Error\u003e`\n    #[allow(clippy::type_complexity)]\n    pub(crate) fn into_values(\n        self,\n    ) -\u003e Result\u003c(Option\u003cMap\u003cString, Value\u003e\u003e, Option\u003cMap\u003cString, Value\u003e\u003e), Error\u003e {\n        let parameters = self.parameters;\n\n        // use the existing Map with additional parameters. Parameters that collide with\n        // names understood by this library are replaced.\n        let mut collected_parameters = parameters.additional;\n\n        // insert crit header only if it is some and non empty as per RFC\n        if let Some(crit) = parameters.critical_headers {\n            if !crit.is_empty() {\n                collected_parameters.insert(\n                    \"crit\".to_string(),\n                    HeaderValue::Protected(serde_json::to_value(crit)?),\n                );\n            }\n        } else {\n            collected_parameters.remove(\"crit\");\n        }\n\n        // FIXME: optimize this code in a way that there are not this many inserts\n        macro_rules! insert {\n            ($($name:literal: $value:expr),+,) =\u003e {\n                $(if let Some(value) = $value {\n                    collected_parameters.insert(\n                        $name.to_string(),\n                        value.map(serde_json::to_value).transpose()?,\n                    );\n                } else {\n                    collected_parameters.remove($name);\n                })+\n            };\n        }\n        insert! {\n            \"jku\": parameters.jwk_set_url,\n            \"jwk\": parameters.json_web_key,\n            \"kid\": parameters.key_id,\n            \"x5u\": parameters.x509_url,\n            \"x5c\": parameters.x509_certificate_chain,\n            \"x5t\": parameters.x509_certificate_sha1_thumbprint,\n            \"x5t#S256\": parameters.x509_certificate_sha256_thumbprint,\n            \"typ\": parameters.typ,\n            \"cty\": parameters.content_type,\n        }\n\n        let mut protected = Map::new();\n        let mut unprotected = Map::new();\n        for (key, value) in collected_parameters\n            .into_iter()\n            .chain(parameters.specific.into_map()?)\n        {\n            match value {\n                HeaderValue::Protected(value) =\u003e protected.insert(key, value),\n                HeaderValue::Unprotected(value) =\u003e unprotected.insert(key, value),\n            };\n        }\n\n        let protected = match protected.is_empty() {\n            true =\u003e None,\n            false =\u003e Some(protected),\n        };\n\n        let unprotected = match unprotected.is_empty() {\n            true =\u003e None,\n            false =\u003e Some(unprotected),\n        };\n\n        Ok((protected, unprotected))\n    }\n}\n\n/// An implementation detail for [`JoseHeader`]\n#[derive(Debug)]\npub struct HeaderDeserializer {\n    protected: Map\u003cString, Value\u003e,\n    unprotected: Map\u003cString, Value\u003e,\n}\n\nimpl HeaderDeserializer {\n    /// Prepare the deserialize for deserialization and run a few checks\n    fn from_values(\n        protected: Option\u003cMap\u003cString, Value\u003e\u003e,\n        unprotected: Option\u003cMap\u003cString, Value\u003e\u003e,\n    ) -\u003e Result\u003cSelf, Error\u003e {\n        // ensure that if the header is present, it actually contains some members as\n        // per section 7.2.1 of RFC 7515\n        if let Some(ref p) = protected {\n            if p.is_empty() {\n                return Err(Error::EmptyHeader);\n            }\n        }\n        if let Some(ref u) = unprotected {\n            if u.is_empty() {\n                return Err(Error::EmptyHeader);\n            }\n        }\n\n        let (protected, unprotected) = match (protected, unprotected) {\n            (Some(protected), Some(unprotected)) =\u003e (protected, unprotected),\n            (Some(protected), None) =\u003e (protected, Map::new()),\n            (None, Some(unprotected)) =\u003e (Map::new(), unprotected),\n            (None, None) =\u003e return Err(Error::NoHeader),\n        };\n\n        let protected_keys: BTreeSet\u003c\u0026str\u003e = protected.keys().map(Deref::deref).collect();\n        let unprotected_keys: BTreeSet\u003c\u0026str\u003e = unprotected.keys().map(Deref::deref).collect();\n\n        // the members of `protected` and `header` must be disjoint, because otherwise\n        // an implementation must decide which header type takes priority\n        if !protected_keys.is_disjoint(\u0026unprotected_keys) {\n            return Err(Error::NotDisjoint);\n        }\n\n        Ok(Self {\n            protected,\n            unprotected,\n        })\n    }\n\n    fn deserialize_field\u003c'a, 'de, V\u003e(\n        \u0026'a mut self,\n        field: \u0026'a str,\n    ) -\u003e Option\u003cResult\u003cHeaderValue\u003cV\u003e, serde_json::Error\u003e\u003e\n    where\n        V: Deserialize\u003c'de\u003e,\n        'a: 'de,\n    {\n        // Security\n        //\n        // This method first looks at the `protected` header and if the requested field\n        // isn't in there, it looks in the `header` parameter (which is not integrity\n        // protected). A `HeaderDeserializer` should always ensure that the inner JSON\n        // Objects don't share the same parameters but even if they do, an attacker\n        // cannot overwrite protected headers via the unprotected header, because the\n        // protected header is searched first.\n\n        if let Some(p) = self.protected.remove(field) {\n            debug_assert_eq!(self.unprotected.remove(field), None);\n            return Some(V::deserialize(p).map(|v| HeaderValue::Protected(v)));\n        }\n\n        if let Some(u) = self.unprotected.remove(field) {\n            debug_assert_eq!(self.protected.remove(field), None);\n            return Some(V::deserialize(u).map(|v| HeaderValue::Unprotected(v)));\n        }\n\n        None\n    }\n\n    fn additional(self) -\u003e BTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e {\n        self.protected\n            .into_iter()\n            .map(|(field, value)| (field, HeaderValue::Protected(value)))\n            .chain(\n                self.unprotected\n                    .into_iter()\n                    .map(|(field, value)| (field, HeaderValue::Unprotected(value))),\n            )\n            .collect()\n    }\n}\n","traces":[{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":142,"address":[],"length":0,"stats":{"Line":0}},{"line":144,"address":[],"length":0,"stats":{"Line":0}},{"line":145,"address":[],"length":0,"stats":{"Line":0}},{"line":147,"address":[],"length":0,"stats":{"Line":0}},{"line":150,"address":[],"length":0,"stats":{"Line":0}},{"line":151,"address":[],"length":0,"stats":{"Line":0}},{"line":152,"address":[],"length":0,"stats":{"Line":0}},{"line":153,"address":[],"length":0,"stats":{"Line":0}},{"line":155,"address":[],"length":0,"stats":{"Line":0}},{"line":159,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":0}},{"line":170,"address":[],"length":0,"stats":{"Line":1}},{"line":171,"address":[],"length":0,"stats":{"Line":1}},{"line":176,"address":[],"length":0,"stats":{"Line":0}},{"line":177,"address":[],"length":0,"stats":{"Line":0}},{"line":189,"address":[],"length":0,"stats":{"Line":0}},{"line":190,"address":[],"length":0,"stats":{"Line":0}},{"line":191,"address":[],"length":0,"stats":{"Line":0}},{"line":193,"address":[],"length":0,"stats":{"Line":0}},{"line":204,"address":[],"length":0,"stats":{"Line":0}},{"line":205,"address":[],"length":0,"stats":{"Line":0}},{"line":206,"address":[],"length":0,"stats":{"Line":0}},{"line":208,"address":[],"length":0,"stats":{"Line":0}},{"line":222,"address":[],"length":0,"stats":{"Line":0}},{"line":223,"address":[],"length":0,"stats":{"Line":0}},{"line":236,"address":[],"length":0,"stats":{"Line":0}},{"line":237,"address":[],"length":0,"stats":{"Line":0}},{"line":238,"address":[],"length":0,"stats":{"Line":0}},{"line":240,"address":[],"length":0,"stats":{"Line":0}},{"line":257,"address":[],"length":0,"stats":{"Line":0}},{"line":258,"address":[],"length":0,"stats":{"Line":0}},{"line":259,"address":[],"length":0,"stats":{"Line":0}},{"line":261,"address":[],"length":0,"stats":{"Line":0}},{"line":262,"address":[],"length":0,"stats":{"Line":0}},{"line":284,"address":[],"length":0,"stats":{"Line":0}},{"line":285,"address":[],"length":0,"stats":{"Line":0}},{"line":286,"address":[],"length":0,"stats":{"Line":0}},{"line":288,"address":[],"length":0,"stats":{"Line":0}},{"line":298,"address":[],"length":0,"stats":{"Line":0}},{"line":299,"address":[],"length":0,"stats":{"Line":0}},{"line":300,"address":[],"length":0,"stats":{"Line":0}},{"line":302,"address":[],"length":0,"stats":{"Line":0}},{"line":333,"address":[],"length":0,"stats":{"Line":0}},{"line":334,"address":[],"length":0,"stats":{"Line":0}},{"line":335,"address":[],"length":0,"stats":{"Line":0}},{"line":337,"address":[],"length":0,"stats":{"Line":0}},{"line":358,"address":[],"length":0,"stats":{"Line":0}},{"line":359,"address":[],"length":0,"stats":{"Line":0}},{"line":360,"address":[],"length":0,"stats":{"Line":0}},{"line":362,"address":[],"length":0,"stats":{"Line":0}},{"line":370,"address":[],"length":0,"stats":{"Line":0}},{"line":371,"address":[],"length":0,"stats":{"Line":0}},{"line":372,"address":[],"length":0,"stats":{"Line":0}},{"line":373,"address":[],"length":0,"stats":{"Line":0}},{"line":374,"address":[],"length":0,"stats":{"Line":0}},{"line":393,"address":[],"length":0,"stats":{"Line":0}},{"line":394,"address":[],"length":0,"stats":{"Line":0}},{"line":395,"address":[],"length":0,"stats":{"Line":0}},{"line":398,"address":[],"length":0,"stats":{"Line":0}},{"line":413,"address":[],"length":0,"stats":{"Line":1}},{"line":414,"address":[],"length":0,"stats":{"Line":1}},{"line":428,"address":[],"length":0,"stats":{"Line":0}},{"line":429,"address":[],"length":0,"stats":{"Line":0}},{"line":430,"address":[],"length":0,"stats":{"Line":0}},{"line":431,"address":[],"length":0,"stats":{"Line":0}},{"line":447,"address":[],"length":0,"stats":{"Line":0}},{"line":448,"address":[],"length":0,"stats":{"Line":0}},{"line":458,"address":[],"length":0,"stats":{"Line":0}},{"line":459,"address":[],"length":0,"stats":{"Line":0}},{"line":460,"address":[],"length":0,"stats":{"Line":0}},{"line":461,"address":[],"length":0,"stats":{"Line":0}},{"line":474,"address":[],"length":0,"stats":{"Line":0}},{"line":478,"address":[],"length":0,"stats":{"Line":0}},{"line":479,"address":[],"length":0,"stats":{"Line":0}},{"line":480,"address":[],"length":0,"stats":{"Line":0}},{"line":481,"address":[],"length":0,"stats":{"Line":0}},{"line":482,"address":[],"length":0,"stats":{"Line":0}},{"line":483,"address":[],"length":0,"stats":{"Line":0}},{"line":484,"address":[],"length":0,"stats":{"Line":0}},{"line":485,"address":[],"length":0,"stats":{"Line":0}},{"line":486,"address":[],"length":0,"stats":{"Line":0}},{"line":487,"address":[],"length":0,"stats":{"Line":0}},{"line":492,"address":[],"length":0,"stats":{"Line":0}},{"line":493,"address":[],"length":0,"stats":{"Line":0}},{"line":495,"address":[],"length":0,"stats":{"Line":0}},{"line":496,"address":[],"length":0,"stats":{"Line":0}},{"line":497,"address":[],"length":0,"stats":{"Line":0}},{"line":500,"address":[],"length":0,"stats":{"Line":0}},{"line":502,"address":[],"length":0,"stats":{"Line":0}},{"line":503,"address":[],"length":0,"stats":{"Line":0}},{"line":504,"address":[],"length":0,"stats":{"Line":0}},{"line":505,"address":[],"length":0,"stats":{"Line":0}},{"line":506,"address":[],"length":0,"stats":{"Line":0}},{"line":507,"address":[],"length":0,"stats":{"Line":0}},{"line":508,"address":[],"length":0,"stats":{"Line":0}},{"line":509,"address":[],"length":0,"stats":{"Line":0}},{"line":510,"address":[],"length":0,"stats":{"Line":0}},{"line":511,"address":[],"length":0,"stats":{"Line":0}},{"line":512,"address":[],"length":0,"stats":{"Line":0}},{"line":513,"address":[],"length":0,"stats":{"Line":0}},{"line":515,"address":[],"length":0,"stats":{"Line":0}},{"line":521,"address":[],"length":0,"stats":{"Line":0}},{"line":524,"address":[],"length":0,"stats":{"Line":0}},{"line":528,"address":[],"length":0,"stats":{"Line":0}},{"line":531,"address":[],"length":0,"stats":{"Line":0}},{"line":532,"address":[],"length":0,"stats":{"Line":0}},{"line":533,"address":[],"length":0,"stats":{"Line":0}},{"line":534,"address":[],"length":0,"stats":{"Line":0}},{"line":535,"address":[],"length":0,"stats":{"Line":0}},{"line":539,"address":[],"length":0,"stats":{"Line":0}},{"line":543,"address":[],"length":0,"stats":{"Line":0}},{"line":544,"address":[],"length":0,"stats":{"Line":0}},{"line":545,"address":[],"length":0,"stats":{"Line":0}},{"line":546,"address":[],"length":0,"stats":{"Line":0}},{"line":547,"address":[],"length":0,"stats":{"Line":0}},{"line":548,"address":[],"length":0,"stats":{"Line":0}},{"line":551,"address":[],"length":0,"stats":{"Line":0}},{"line":552,"address":[],"length":0,"stats":{"Line":0}},{"line":555,"address":[],"length":0,"stats":{"Line":0}},{"line":556,"address":[],"length":0,"stats":{"Line":0}},{"line":557,"address":[],"length":0,"stats":{"Line":0}},{"line":558,"address":[],"length":0,"stats":{"Line":0}},{"line":559,"address":[],"length":0,"stats":{"Line":0}},{"line":560,"address":[],"length":0,"stats":{"Line":0}},{"line":561,"address":[],"length":0,"stats":{"Line":0}},{"line":562,"address":[],"length":0,"stats":{"Line":0}},{"line":563,"address":[],"length":0,"stats":{"Line":0}},{"line":564,"address":[],"length":0,"stats":{"Line":0}},{"line":567,"address":[],"length":0,"stats":{"Line":0}},{"line":568,"address":[],"length":0,"stats":{"Line":0}},{"line":569,"address":[],"length":0,"stats":{"Line":0}},{"line":570,"address":[],"length":0,"stats":{"Line":0}},{"line":571,"address":[],"length":0,"stats":{"Line":0}},{"line":573,"address":[],"length":0,"stats":{"Line":0}},{"line":574,"address":[],"length":0,"stats":{"Line":0}},{"line":575,"address":[],"length":0,"stats":{"Line":0}},{"line":579,"address":[],"length":0,"stats":{"Line":0}},{"line":580,"address":[],"length":0,"stats":{"Line":0}},{"line":581,"address":[],"length":0,"stats":{"Line":0}},{"line":584,"address":[],"length":0,"stats":{"Line":0}},{"line":585,"address":[],"length":0,"stats":{"Line":0}},{"line":586,"address":[],"length":0,"stats":{"Line":0}},{"line":589,"address":[],"length":0,"stats":{"Line":0}},{"line":602,"address":[],"length":0,"stats":{"Line":0}},{"line":608,"address":[],"length":0,"stats":{"Line":0}},{"line":610,"address":[],"length":0,"stats":{"Line":0}},{"line":613,"address":[],"length":0,"stats":{"Line":0}},{"line":615,"address":[],"length":0,"stats":{"Line":0}},{"line":619,"address":[],"length":0,"stats":{"Line":0}},{"line":620,"address":[],"length":0,"stats":{"Line":0}},{"line":621,"address":[],"length":0,"stats":{"Line":0}},{"line":622,"address":[],"length":0,"stats":{"Line":0}},{"line":623,"address":[],"length":0,"stats":{"Line":0}},{"line":632,"address":[],"length":0,"stats":{"Line":0}},{"line":635,"address":[],"length":0,"stats":{"Line":0}},{"line":636,"address":[],"length":0,"stats":{"Line":0}},{"line":637,"address":[],"length":0,"stats":{"Line":0}},{"line":641,"address":[],"length":0,"stats":{"Line":0}},{"line":658,"address":[],"length":0,"stats":{"Line":0}},{"line":659,"address":[],"length":0,"stats":{"Line":0}},{"line":660,"address":[],"length":0,"stats":{"Line":0}},{"line":663,"address":[],"length":0,"stats":{"Line":0}},{"line":664,"address":[],"length":0,"stats":{"Line":0}},{"line":665,"address":[],"length":0,"stats":{"Line":0}},{"line":668,"address":[],"length":0,"stats":{"Line":0}},{"line":671,"address":[],"length":0,"stats":{"Line":0}},{"line":672,"address":[],"length":0,"stats":{"Line":0}},{"line":674,"address":[],"length":0,"stats":{"Line":0}},{"line":676,"address":[],"length":0,"stats":{"Line":0}},{"line":677,"address":[],"length":0,"stats":{"Line":0}},{"line":678,"address":[],"length":0,"stats":{"Line":0}}],"covered":4,"coverable":172},{"path":["/","home","stu","dev","rust","jose","src","jwa","aes_cbc_hs.rs"],"content":"/// Authenticated encryption algorithms built using a composition of AES in\n/// Cipher Block Chaining (CBC) mode and HMAC as defined in [section 5.2 of RFC\n/// 7518]\n///\n/// [section 5.2 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5.2\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Hash)]\npub enum AesCbcHs {\n    /// AES_128_CBC_HMAC_SHA_256 authenticated encryption as defined in [section\n    /// 5.2.3]\n    ///\n    /// [section 5.2.3]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5.2.3\u003e\n    Aes128CbcHs256,\n    /// AES_192_CBC_HMAC_SHA_384 authenticated encryption algorithm as defined\n    /// in [section 5.2.4]\n    ///\n    /// [section 5.2.4]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5.2.4\u003e\n    Aes192CbcHs384,\n\n    /// AES_256_CBC_HMAC_SHA_512 authenticated encryption algorithm as defined\n    /// in [section 5.2.5]\n    ///\n    /// [section 5.2.5]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5.2.5\u003e\n    Aes256CbcHs512,\n}\n\nimpl From\u003cAesCbcHs\u003e for super::JsonWebContentEncryptionAlgorithm {\n    fn from(x: AesCbcHs) -\u003e Self {\n        super::JsonWebContentEncryptionAlgorithm::AesCbcHs(x)\n    }\n}\n","traces":[{"line":27,"address":[],"length":0,"stats":{"Line":0}},{"line":28,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":2},{"path":["/","home","stu","dev","rust","jose","src","jwa","aes_gcm.rs"],"content":"/// Different variants of AES GCM as in the table in [section 4.7 of RFC 7518]\n///\n/// [section 4.7 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.7\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum AesGcm {\n    /// Key wrapping with AES GCM using 128-bit key\n    Aes128,\n    /// Key wrapping with AES GCM using 192-bit key\n    Aes192,\n    /// Key wrapping with AES GCM using 256-bit key\n    Aes256,\n}\n\nimpl From\u003cAesGcm\u003e for super::JsonWebEncryptionAlgorithm {\n    fn from(x: AesGcm) -\u003e Self {\n        Self::AesGcmKw(x)\n    }\n}\n\nimpl From\u003cAesGcm\u003e for super::JsonWebAlgorithm {\n    fn from(x: AesGcm) -\u003e Self {\n        Self::Encryption(super::JsonWebEncryptionAlgorithm::AesGcmKw(x))\n    }\n}\n\nimpl From\u003cAesGcm\u003e for super::JsonWebContentEncryptionAlgorithm {\n    fn from(x: AesGcm) -\u003e Self {\n        super::JsonWebContentEncryptionAlgorithm::AesGcm(x)\n    }\n}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}},{"line":27,"address":[],"length":0,"stats":{"Line":0}},{"line":28,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":6},{"path":["/","home","stu","dev","rust","jose","src","jwa","aes_kw.rs"],"content":"/// Key Wrapping with AES Key Wrap as defined in [section 4.4 of RFC 7518]\n///\n/// [section 4.4 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.4\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Copy, Hash)]\npub enum AesKw {\n    /// AES Key Wrap with default initial value using 128-bit key\n    Aes128,\n    /// AES Key Wrap with default initial value using 192-bit key\n    Aes192,\n    /// AES Key Wrap with default initial value using 256-bit key\n    Aes256,\n}\n\nimpl From\u003cAesKw\u003e for super::JsonWebEncryptionAlgorithm {\n    fn from(x: AesKw) -\u003e Self {\n        Self::AesKw(x)\n    }\n}\n\nimpl From\u003cAesKw\u003e for super::JsonWebAlgorithm {\n    fn from(x: AesKw) -\u003e Self {\n        Self::Encryption(super::JsonWebEncryptionAlgorithm::AesKw(x))\n    }\n}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","ecdh_es.rs"],"content":"use super::AesKw;\n\n/// Different modes ECDH-ES can be used as defined in [section 4.6 of RFC 7518]\n///\n/// [section 4.6 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.6\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum EcDhES {\n    /// Using ECDH-ES directly without any wrapping\n    Direct,\n    /// ECDH-ES using Concat KDF and CEK wrapped with one variant of [AesKw]\n    AesKw(AesKw),\n}\n\nimpl From\u003cEcDhES\u003e for super::JsonWebEncryptionAlgorithm {\n    fn from(x: EcDhES) -\u003e Self {\n        Self::EcDhES(x)\n    }\n}\n\nimpl From\u003cEcDhES\u003e for super::JsonWebAlgorithm {\n    fn from(x: EcDhES) -\u003e Self {\n        Self::Encryption(super::JsonWebEncryptionAlgorithm::EcDhES(x))\n    }\n}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","ecdsa.rs"],"content":"/// Digital Signature with ECDSA as defined in [section 3.4 of RFC 7518]\n///\n/// [section 3.4 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.4\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum EcDSA {\n    /// ECDSA using P-256 and SHA-256\n    Es256,\n    /// ECDSA using P-384 and SHA-384\n    Es384,\n    /// ECDSA using P-521 and SHA-512\n    Es512,\n    /// ECDSA using secp256k1 curve and SHA-256\n    ///\n    /// ECDSA with secp256k1 is defined in [RFC 8812 section 3]\n    ///\n    /// [RFC 8812 section 3]: \u003chttps://datatracker.ietf.org/doc/html/rfc8812#section-3\u003e\n    Es256K,\n}\n\nimpl From\u003cEcDSA\u003e for super::JsonWebSigningAlgorithm {\n    fn from(x: EcDSA) -\u003e Self {\n        Self::EcDSA(x)\n    }\n}\n\nimpl From\u003cEcDSA\u003e for super::JsonWebAlgorithm {\n    fn from(x: EcDSA) -\u003e Self {\n        Self::Signing(super::JsonWebSigningAlgorithm::EcDSA(x))\n    }\n}\n","traces":[{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}},{"line":27,"address":[],"length":0,"stats":{"Line":6}},{"line":28,"address":[],"length":0,"stats":{"Line":6}}],"covered":2,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","hmac.rs"],"content":"/// HMAC with SHA-2 Functions as defined in [section 3.2 of RFC 7518]\n///\n/// [section 3.2 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.2\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum Hmac {\n    /// HMAC using SHA-256\n    Hs256,\n    /// HMAC using SHA-384\n    Hs384,\n    /// HMAC using SHA-512\n    Hs512,\n}\n\nimpl From\u003cHmac\u003e for super::JsonWebSigningAlgorithm {\n    fn from(x: Hmac) -\u003e Self {\n        Self::Hmac(x)\n    }\n}\n\nimpl From\u003cHmac\u003e for super::JsonWebAlgorithm {\n    fn from(x: Hmac) -\u003e Self {\n        Self::Signing(super::JsonWebSigningAlgorithm::Hmac(x))\n    }\n}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":2}},{"line":22,"address":[],"length":0,"stats":{"Line":2}}],"covered":2,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","pbes2.rs"],"content":"/// A variant of Key Encryption with PBES2 as defined in the table of [section\n/// 4.8 of RFC 7518]\n///\n/// [section 4.8 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.8\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum Pbes2 {\n    /// PBES2 with HMAC SHA-256 and \"A128KW\" wrapping\n    Hs256Aes128,\n    /// PBES2 with HMAC SHA-384 and \"A192KW\" wrapping\n    Hs384Aes192,\n    /// PBES2 with HMAC SHA-512 and \"A256KW\" wrapping\n    Hs512Aes256,\n}\n\nimpl From\u003cPbes2\u003e for super::JsonWebEncryptionAlgorithm {\n    fn from(x: Pbes2) -\u003e Self {\n        Self::Pbes2(x)\n    }\n}\n\nimpl From\u003cPbes2\u003e for super::JsonWebAlgorithm {\n    fn from(x: Pbes2) -\u003e Self {\n        Self::Encryption(super::JsonWebEncryptionAlgorithm::Pbes2(x))\n    }\n}\n","traces":[{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":17,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}},{"line":23,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","rsa","rsaes_oaep.rs"],"content":"/// Key Encryption with RSAES OAEP as defined in [section 4.3 of RFC 7518]\n///\n/// [section 4.3 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.3\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum RsaesOaep {\n    /// RSAES OAEP using default parameters\n    RsaesOaep,\n    /// RSAES OAEP using SHA-256 and MGF1 with SHA-256\n    RsaesOaep256,\n}\n\nimpl From\u003cRsaesOaep\u003e for crate::jwa::JsonWebEncryptionAlgorithm {\n    fn from(x: RsaesOaep) -\u003e Self {\n        Self::RsaesOaep(x)\n    }\n}\n\nimpl From\u003cRsaesOaep\u003e for crate::jwa::JsonWebAlgorithm {\n    fn from(x: RsaesOaep) -\u003e Self {\n        Self::Encryption(crate::jwa::JsonWebEncryptionAlgorithm::RsaesOaep(x))\n    }\n}\n","traces":[{"line":13,"address":[],"length":0,"stats":{"Line":0}},{"line":14,"address":[],"length":0,"stats":{"Line":0}},{"line":19,"address":[],"length":0,"stats":{"Line":2}},{"line":20,"address":[],"length":0,"stats":{"Line":2}}],"covered":2,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","rsa","rsassa_pkcs1_v1_5.rs"],"content":"/// Digital Signature with RSASSA-PKCS1-v1_5 as defined in [section 3.3 of RFC\n/// 7518]\n///\n/// [section 3.3 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.3\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum RsassaPkcs1V1_5 {\n    /// RSASSA-PKCS1-v1_5 using SHA-256\n    Rs256,\n    /// RSASSA-PKCS1-v1_5 using SHA-384\n    Rs384,\n    /// RSASSA-PKCS1-v1_5 using SHA-512\n    Rs512,\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","jwa","rsa","rsassa_pss.rs"],"content":"/// Digital Signature with RSASSA-PSS as defined in [section 3.5 of RFC 7518]\n///\n/// [section 3.5 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.5\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum RsassaPss {\n    /// RSASSA-PSS using SHA-256 and MGF1 with SHA-256\n    Ps256,\n    /// RSASSA-PSS using SHA-384 and MGF1 with SHA-384\n    Ps384,\n    /// RSASSA-PSS using SHA-512 and MGF1 with SHA-512\n    Ps512,\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","jwa","rsa.rs"],"content":"mod rsaes_oaep;\nmod rsassa_pkcs1_v1_5;\nmod rsassa_pss;\n\npub use self::{rsaes_oaep::RsaesOaep, rsassa_pkcs1_v1_5::RsassaPkcs1V1_5, rsassa_pss::RsassaPss};\n\n/// Some signing algorithm using a RSA key under the hood\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum RsaSigning {\n    /// Digital Signature with RSASSA-PSS\n    Pss(RsassaPss),\n    /// Digital Signature with RSASSA-PKCS1-v1_5\n    RsPkcs1V1_5(RsassaPkcs1V1_5),\n}\n\nimpl From\u003cRsaSigning\u003e for super::JsonWebAlgorithm {\n    fn from(x: RsaSigning) -\u003e Self {\n        Self::Signing(super::JsonWebSigningAlgorithm::Rsa(x))\n    }\n}\n\nimpl From\u003cRsaSigning\u003e for super::JsonWebSigningAlgorithm {\n    fn from(x: RsaSigning) -\u003e Self {\n        Self::Rsa(x)\n    }\n}\n\nimpl From\u003cRsassaPss\u003e for RsaSigning {\n    fn from(x: RsassaPss) -\u003e Self {\n        RsaSigning::Pss(x)\n    }\n}\n\nimpl From\u003cRsassaPss\u003e for super::JsonWebSigningAlgorithm {\n    fn from(x: RsassaPss) -\u003e Self {\n        Self::Rsa(RsaSigning::Pss(x))\n    }\n}\n\nimpl From\u003cRsassaPss\u003e for super::JsonWebAlgorithm {\n    fn from(x: RsassaPss) -\u003e Self {\n        Self::Signing(super::JsonWebSigningAlgorithm::Rsa(RsaSigning::Pss(x)))\n    }\n}\n\nimpl From\u003cRsassaPkcs1V1_5\u003e for RsaSigning {\n    fn from(x: RsassaPkcs1V1_5) -\u003e Self {\n        RsaSigning::RsPkcs1V1_5(x)\n    }\n}\n\nimpl From\u003cRsassaPkcs1V1_5\u003e for super::JsonWebSigningAlgorithm {\n    fn from(x: RsassaPkcs1V1_5) -\u003e Self {\n        Self::Rsa(RsaSigning::RsPkcs1V1_5(x))\n    }\n}\n\nimpl From\u003cRsassaPkcs1V1_5\u003e for super::JsonWebAlgorithm {\n    fn from(x: RsassaPkcs1V1_5) -\u003e Self {\n        Self::Signing(super::JsonWebSigningAlgorithm::Rsa(\n            RsaSigning::RsPkcs1V1_5(x),\n        ))\n    }\n}\n","traces":[{"line":17,"address":[],"length":0,"stats":{"Line":0}},{"line":18,"address":[],"length":0,"stats":{"Line":0}},{"line":23,"address":[],"length":0,"stats":{"Line":0}},{"line":24,"address":[],"length":0,"stats":{"Line":0}},{"line":29,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":41,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":54,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":1}},{"line":60,"address":[],"length":0,"stats":{"Line":1}},{"line":61,"address":[],"length":0,"stats":{"Line":1}}],"covered":3,"coverable":17},{"path":["/","home","stu","dev","rust","jose","src","jwa.rs"],"content":"//! Implementation of JSON Web Algorithms (JWA) as defined in [RFC 7518]\n//!\n//! [RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518\u003e\n\nmod aes_cbc_hs;\nmod aes_gcm;\nmod aes_kw;\nmod ecdh_es;\nmod ecdsa;\nmod hmac;\nmod pbes2;\nmod rsa;\n\nuse alloc::{borrow::Cow, string::String};\n\nuse serde::{Deserialize, Serialize};\n\n#[doc(inline)]\npub use self::{\n    aes_cbc_hs::AesCbcHs,\n    aes_gcm::AesGcm,\n    aes_kw::AesKw,\n    ecdh_es::EcDhES,\n    ecdsa::EcDSA,\n    hmac::Hmac,\n    pbes2::Pbes2,\n    rsa::{RsaSigning, RsaesOaep, RsassaPkcs1V1_5, RsassaPss},\n};\n\n/// Either a JSON Web Algorithm for signing operations, or an algorithm for\n/// encryption operations. Possible values should be registered in the [IANA\n/// `JSON Web Signature and Encryption Algorithms` registry][1].\n///\n/// [1]: \u003chttps://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize)]\n#[serde(untagged)]\npub enum JsonWebAlgorithm {\n    /// Signing algorithm.\n    Signing(JsonWebSigningAlgorithm),\n\n    /// Encryption algorithm.\n    Encryption(JsonWebEncryptionAlgorithm),\n\n    /// Unknown algorithm.\n    Other(String),\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for JsonWebAlgorithm {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let name = Cow::\u003c'_, str\u003e::deserialize(deserializer)?;\n\n        let sign =\n            JsonWebSigningAlgorithm::from_str_without_other(name.as_ref()).map(Self::Signing);\n        let enc =\n            JsonWebEncryptionAlgorithm::from_str_without_other(name.as_ref()).map(Self::Encryption);\n\n        let alg = sign\n            .or(enc)\n            .unwrap_or_else(|| Self::Other(name.into_owned()));\n        Ok(alg)\n    }\n}\n\n/// A JSON Web Algorithm (JWA) for singing operations (JWS) as defined in [RFC\n/// 7518 section 3]\n///\n/// This enum covers the `alg` Header Parameter Values for JWS. It represents\n/// the table from [section 3.1].\n///\n/// [RFC 7518 section 3]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3\u003e\n/// [section 3.1]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.1\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Hash)]\n#[non_exhaustive]\npub enum JsonWebSigningAlgorithm {\n    /// HMAC with SHA-2 Functions\n    Hmac(Hmac),\n    /// RSASSA-PKCS1-v1_5 using SHA-2 Functions\n    /// Digital Signature with RSASSA-PSS\n    Rsa(RsaSigning),\n    /// Digital Signature with ECDSA\n    EcDSA(EcDSA),\n    /// Digital Signature with Edwards-curve Digital Signature Algorithm (EdDSA)\n    /// as defined in [section 3.1 of RFC 8037]\n    ///\n    /// Note: `EdDSA` should not be confused with\n    /// [`EcDSA`](JsonWebSigningAlgorithm::EcDSA).\n    /// Also note that an EdDSA signature can either be made using `Ed25519` or\n    /// `Ed448` but this information is not included.\n    ///\n    /// [section 3.1 of RFC 8037]: \u003chttps://datatracker.ietf.org/doc/html/rfc8037#section-3.1\u003e\n    EdDSA,\n    /// The \"none\" algorithm as defined in [section 3.6 of RFC 7518].\n    ///\n    /// Using this algorithm essentially means that there is\n    /// no integrity protection for the JWS.\n    ///\n    /// [section 3.6 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.6\u003e\n    None,\n    /// JSON Web Algorithms that are not recognised by this implementation.\n    ///\n    /// If you want to implement custom algorithms via a custom\n    /// [`Signer`](crate::jws::Signer) and [`Verifier`](crate::jws::Verifier)\n    /// type, you should use this type to define an identifier for your\n    /// algorithm.\n    ///\n    /// Note: When you deserialize the `alg` header parameter via the\n    /// [`JsonWebAlgorithm`] enum, this variant will never be\n    /// constructed.\n    Other(String),\n}\n\nimpl From\u003cJsonWebSigningAlgorithm\u003e for JsonWebAlgorithm {\n    fn from(x: JsonWebSigningAlgorithm) -\u003e Self {\n        Self::Signing(x)\n    }\n}\n\n// don't judge this macro please.\n// its ugly but it works\nimpl_serde_jwa!(\n    JsonWebSigningAlgorithm,\n    [\n        \"HS256\" =\u003e Self::Hmac(Hmac::Hs256); Self::Hmac(Hmac::Hs256),\n        \"HS384\" =\u003e Self::Hmac(Hmac::Hs384); Self::Hmac(Hmac::Hs384),\n        \"HS512\" =\u003e Self::Hmac(Hmac::Hs512); Self::Hmac(Hmac::Hs512),\n\n        \"RS256\" =\u003e Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs256)); Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs256)),\n        \"RS384\" =\u003e Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs384)); Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs384)),\n        \"RS512\" =\u003e Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs512)); Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs512)),\n\n        \"ES256\" =\u003e Self::EcDSA(EcDSA::Es256); Self::EcDSA(EcDSA::Es256),\n        \"ES384\" =\u003e Self::EcDSA(EcDSA::Es384); Self::EcDSA(EcDSA::Es384),\n        \"ES512\" =\u003e Self::EcDSA(EcDSA::Es512); Self::EcDSA(EcDSA::Es512),\n        \"ES256K\" =\u003e Self::EcDSA(EcDSA::Es256K); Self::EcDSA(EcDSA::Es256K),\n\n        \"EdDSA\" =\u003e Self::EdDSA; Self::EdDSA,\n\n        \"PS256\" =\u003e Self::Rsa(RsaSigning::Pss(RsassaPss::Ps256)); Self::Rsa(RsaSigning::Pss(RsassaPss::Ps256)),\n        \"PS384\" =\u003e Self::Rsa(RsaSigning::Pss(RsassaPss::Ps384)); Self::Rsa(RsaSigning::Pss(RsassaPss::Ps384)),\n        \"PS512\" =\u003e Self::Rsa(RsaSigning::Pss(RsassaPss::Ps512)); Self::Rsa(RsaSigning::Pss(RsassaPss::Ps512)),\n\n\n        \"none\" =\u003e Self::None; Self::None,\n    ]\n);\n\n/// A JSON Web Algorithm (JWA) for encryption and decryption of Content\n/// Encryption Key (CEK) as defined in [RFC 7518 section 4]\n///\n/// This enum covers the `alg` Header Parameter Values for JWE. It represents\n/// the table from [section 4.1].\n///\n/// [RFC 7518 section 4]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4\u003e\n/// [section 4.1]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.1\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Hash)]\n#[non_exhaustive]\npub enum JsonWebEncryptionAlgorithm {\n    /// Key Encryption with RSAES-PKCS1-v1_5 as defined in [section 4.2]\n    ///\n    /// [section 4.2]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.2\u003e\n    Rsa1_5,\n    /// Key Encryption with RSAES OAEP\n    RsaesOaep(RsaesOaep),\n    /// AES Key Wrap\n    AesKw(AesKw),\n    /// Direct use of a shared symmetric key as the CEK as defined in [section\n    /// 4.5]\n    ///\n    /// [section 4.5]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.5\u003e\n    Direct,\n    /// Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES)\n    EcDhES(EcDhES),\n    /// Key wrapping with AES GCM\n    AesGcmKw(AesGcm),\n    /// PBES2 Key Encryption\n    Pbes2(Pbes2),\n    /// JSON Web Algorithms that are not recognised by this implementation.\n    ///\n    /// If you want to implement custom algorithms for use in JSON Web\n    /// encryption, you should use this variant to identify your algorithm.\n    ///\n    /// Note: When you deserialize the `alg` header parameter via the\n    /// [`JsonWebAlgorithm`] enum, this variant will never be\n    /// constructed.\n    Other(String),\n}\n\nimpl From\u003cJsonWebEncryptionAlgorithm\u003e for JsonWebAlgorithm {\n    fn from(x: JsonWebEncryptionAlgorithm) -\u003e Self {\n        Self::Encryption(x)\n    }\n}\n\nimpl_serde_jwa!(\n    JsonWebEncryptionAlgorithm,\n    [\n        \"RSA1_5\" =\u003e Self::Rsa1_5; Self::Rsa1_5,\n        \"RSA-OAEP\" =\u003e Self::RsaesOaep(RsaesOaep::RsaesOaep); Self::RsaesOaep(RsaesOaep::RsaesOaep),\n        \"RSA-OAEP-256\" =\u003e Self::RsaesOaep(RsaesOaep::RsaesOaep256); Self::RsaesOaep(RsaesOaep::RsaesOaep256),\n        \"A128KW\" =\u003e Self::AesKw(AesKw::Aes128); Self::AesKw(AesKw::Aes128),\n        \"A192KW\" =\u003e Self::AesKw(AesKw::Aes192); Self::AesKw(AesKw::Aes192),\n        \"A256KW\" =\u003e Self::AesKw(AesKw::Aes256); Self::AesKw(AesKw::Aes256),\n        \"dir\" =\u003e Self::Direct; Self::Direct,\n        \"ECDH-ES\" =\u003e Self::EcDhES(EcDhES::Direct); Self::EcDhES(EcDhES::Direct),\n        \"ECDH-ES+A128KW\" =\u003e Self::EcDhES(EcDhES::AesKw(AesKw::Aes128)); Self::EcDhES(EcDhES::AesKw(AesKw::Aes128)),\n        \"ECDH-ES+A192KW\" =\u003e Self::EcDhES(EcDhES::AesKw(AesKw::Aes192)); Self::EcDhES(EcDhES::AesKw(AesKw::Aes192)),\n        \"ECDH-ES+A256KW\" =\u003e Self::EcDhES(EcDhES::AesKw(AesKw::Aes256)); Self::EcDhES(EcDhES::AesKw(AesKw::Aes256)),\n        \"A128GCMKW\" =\u003e Self::AesGcmKw(AesGcm::Aes128); Self::AesGcmKw(AesGcm::Aes128),\n        \"A192GCMKW\" =\u003e Self::AesGcmKw(AesGcm::Aes192); Self::AesGcmKw(AesGcm::Aes192),\n        \"A256GCMKW\" =\u003e Self::AesGcmKw(AesGcm::Aes256); Self::AesGcmKw(AesGcm::Aes256),\n        \"PBES2-HS256+A128KW\" =\u003e Self::Pbes2(Pbes2::Hs256Aes128); Self::Pbes2(Pbes2::Hs256Aes128),\n        \"PBES2-HS384+A192KW\" =\u003e Self::Pbes2(Pbes2::Hs384Aes192); Self::Pbes2(Pbes2::Hs384Aes192),\n        \"PBES2-HS512+A256KW\" =\u003e Self::Pbes2(Pbes2::Hs512Aes256); Self::Pbes2(Pbes2::Hs512Aes256),\n    ]\n);\n\n/// A JSON Web Algorithm (JWA) for content encryption and decryption of a JWE as\n/// defined in [RFC 7518 section 5]\n///\n/// This enum covers the `enc` Header Parameter Values for JWE. It represents\n/// the table from [section 5.1].\n///\n/// [RFC 7518 section 5]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5\u003e\n/// [section 5.1]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5.1\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Hash)]\n#[non_exhaustive]\npub enum JsonWebContentEncryptionAlgorithm {\n    /// Content Encryption using AES in CBC mode with HMAC\n    AesCbcHs(AesCbcHs),\n    /// Content Encryption using AES GCM\n    AesGcm(AesGcm),\n    /// JSON Web Algorithms that are not recognised by this implementation.\n    ///\n    /// Use this variant if you want to implement a custom content encryption\n    /// algorithm.\n    Other(String),\n}\n\nimpl_serde_jwa!(\n    JsonWebContentEncryptionAlgorithm,\n    [\n        \"A128CBC-HS256\" =\u003e Self::AesCbcHs(AesCbcHs::Aes128CbcHs256); Self::AesCbcHs(AesCbcHs::Aes128CbcHs256),\n        \"A192CBC-HS384\" =\u003e Self::AesCbcHs(AesCbcHs::Aes192CbcHs384); Self::AesCbcHs(AesCbcHs::Aes192CbcHs384),\n        \"A256CBC-HS512\" =\u003e Self::AesCbcHs(AesCbcHs::Aes256CbcHs512); Self::AesCbcHs(AesCbcHs::Aes256CbcHs512),\n\n        \"A128GCM\" =\u003e Self::AesGcm(AesGcm::Aes128); Self::AesGcm(AesGcm::Aes128),\n        \"A192GCM\" =\u003e Self::AesGcm(AesGcm::Aes192); Self::AesGcm(AesGcm::Aes192),\n        \"A256GCM\" =\u003e Self::AesGcm(AesGcm::Aes256); Self::AesGcm(AesGcm::Aes256),\n    ]\n);\n\n#[test]\nfn test_others_not_stealing() {\n    use alloc::string::ToString;\n    let jwe = \"dir\";\n    let jwa: JsonWebAlgorithm =\n        serde_json::from_value(serde_json::Value::String(jwe.to_string())).unwrap();\n    assert_eq!(\n        jwa,\n        JsonWebAlgorithm::Encryption(JsonWebEncryptionAlgorithm::Direct)\n    );\n}\n","traces":[{"line":49,"address":[],"length":0,"stats":{"Line":47}},{"line":53,"address":[],"length":0,"stats":{"Line":94}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":0}},{"line":62,"address":[],"length":0,"stats":{"Line":2}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":2}},{"line":117,"address":[],"length":0,"stats":{"Line":2}},{"line":192,"address":[],"length":0,"stats":{"Line":0}},{"line":193,"address":[],"length":0,"stats":{"Line":0}}],"covered":5,"coverable":14},{"path":["/","home","stu","dev","rust","jose","src","jwe.rs"],"content":"//! Implementation of JSON Web Encryption (JWE) as defined in [RFC 7516]\n//!\n//! [RFC 7516]: \u003chttps://www.rfc-editor.org/rfc/rfc7516.html\u003e\n\n/// TODO\n#[derive(Debug)]\npub struct JsonWebEncryption {}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","jwk","asymmetric.rs"],"content":"use alloc::string::String;\n\nuse serde::{Deserialize, Serialize};\n\nuse super::{Private, Public, Thumbprint};\n\n/// Some kind of asymmetric cryptographic key which can be either [`Private`] or\n/// [`Public`]\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Hash)]\n#[serde(untagged)]\npub enum AsymmetricJsonWebKey {\n    /// The private part of an asymmetric key\n    Private(Private),\n    /// The public part of an asymmetric key\n    Public(Public),\n}\n\nimpl crate::sealed::Sealed for AsymmetricJsonWebKey {}\nimpl Thumbprint for AsymmetricJsonWebKey {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            AsymmetricJsonWebKey::Private(key) =\u003e key.thumbprint_prehashed(),\n            AsymmetricJsonWebKey::Public(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl From\u003cAsymmetricJsonWebKey\u003e for super::JsonWebKeyType {\n    fn from(x: AsymmetricJsonWebKey) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(x))\n    }\n}\n","traces":[{"line":20,"address":[],"length":0,"stats":{"Line":58}},{"line":21,"address":[],"length":0,"stats":{"Line":58}},{"line":22,"address":[],"length":0,"stats":{"Line":25}},{"line":23,"address":[],"length":0,"stats":{"Line":33}},{"line":29,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":0}}],"covered":4,"coverable":6},{"path":["/","home","stu","dev","rust","jose","src","jwk","builder.rs"],"content":"use alloc::{string::String, vec::Vec};\nuse core::convert::Infallible;\n\nuse hashbrown::HashSet;\n\nuse super::{serde_impl::Base64DerCertificate, JsonWebKey, JsonWebKeyType, KeyOperation, KeyUsage};\nuse crate::{\n    jwa::JsonWebAlgorithm,\n    jwk::policy::{Checkable, Checked, Policy},\n    Uri,\n};\n\n/// Reasons the construction of a `JsonWebKey` via the\n/// [`JsonWebKeyBuilder::build`] method can fail.\n#[derive(Debug, thiserror::Error)]\n#[non_exhaustive]\npub enum JsonWebKeyBuildError\u003cP\u003e {\n    /// The [`JsonWebKeyType`] and [`JsonWebAlgorithm`] are not compatible.\n    ///\n    /// An example is usage of an RSA key with an Hmac Json web algorithm.\n    #[error(\"the `key_type` and `algorithm` are not compatible\")]\n    IncompatibleKeyType,\n    /// This error can only happen when using the\n    /// [`build_and_check`](JsonWebKeyBuilder::build_and_check) is used and the\n    /// policy check failed.\n    #[error(transparent)]\n    PolicyCheckFailed(P),\n}\n\n/// The builder for modifying a [`JsonWebKey`].\n#[derive(Debug, Clone)]\npub struct JsonWebKeyBuilder\u003cA\u003e {\n    pub(super) key_type: JsonWebKeyType,\n    pub(super) key_use: Option\u003cKeyUsage\u003e,\n    pub(super) key_operations: Option\u003cHashSet\u003cKeyOperation\u003e\u003e,\n    pub(super) algorithm: Option\u003cJsonWebAlgorithm\u003e,\n    pub(super) kid: Option\u003cString\u003e,\n    pub(super) x509_url: Option\u003cUri\u003e,\n    pub(super) x509_certificate_chain: Vec\u003cBase64DerCertificate\u003e,\n    pub(super) x509_certificate_sha1_thumbprint: Option\u003c[u8; 20]\u003e,\n    pub(super) x509_certificate_sha256_thumbprint: Option\u003c[u8; 32]\u003e,\n    pub(super) additional: A,\n}\n\nmacro_rules! gen_builder_methods {\n    ($($field:ident: $T:ty,)*) =\u003e {\n        $(#[doc = concat!(\"Override the `\", stringify!($field), \"` for this JWK.\")]\n        #[inline]\n        pub fn $field(mut self, $field: Option\u003cimpl Into\u003c$T\u003e\u003e) -\u003e Self {\n            self.$field = $field.map(Into::into);\n            self\n        })*\n    };\n}\n\nimpl JsonWebKeyBuilder\u003c()\u003e {\n    /// Create a new [`JsonWebKeyBuilder`] with the given key.\n    pub fn new(key_type: impl Into\u003cJsonWebKeyType\u003e) -\u003e Self {\n        Self {\n            key_type: key_type.into(),\n            key_use: None,\n            key_operations: None,\n            algorithm: None,\n            kid: None,\n            x509_url: None,\n            x509_certificate_chain: alloc::vec![],\n            x509_certificate_sha1_thumbprint: None,\n            x509_certificate_sha256_thumbprint: None,\n            additional: (),\n        }\n    }\n}\n\nimpl\u003cA\u003e JsonWebKeyBuilder\u003cA\u003e {\n    /// Try to construct the final [`JsonWebKey`].\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if any parameter is considered invalid. For example,\n    /// if a [`JsonWebKeyType`] is not compatible with the [`JsonWebAlgorithm`]\n    /// set.\n    pub fn build(self) -\u003e Result\u003cJsonWebKey\u003cA\u003e, JsonWebKeyBuildError\u003cInfallible\u003e\u003e {\n        let Self {\n            key_type,\n            key_use,\n            key_operations,\n            algorithm,\n            kid,\n            x509_url,\n            x509_certificate_chain,\n            x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint,\n            additional,\n        } = self;\n\n        if let Some(ref algorithm) = algorithm {\n            if !key_type.compatible_with(algorithm) {\n                return Err(JsonWebKeyBuildError::IncompatibleKeyType);\n            }\n        }\n\n        Ok(JsonWebKey {\n            key_type,\n            key_use,\n            key_operations,\n            algorithm,\n            kid,\n            x509_url,\n            x509_certificate_chain,\n            x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint,\n            additional,\n        })\n    }\n\n    /// Try to construct the final [`JsonWebKey`], and then validates the\n    /// resulting JWK using the given [`Policy`].\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if any parameter is considered invalid, or the policy\n    /// check failed. For example, if a [`JsonWebKeyType`] is not compatible\n    /// with the [`JsonWebAlgorithm`] set.\n    // We think that this degree of complexity is acceptable and a type alias would make things even\n    // more complex\n    #[allow(clippy::type_complexity, clippy::result_large_err)]\n    pub fn build_and_check\u003cP: Policy\u003e(\n        self,\n        policy: P,\n    ) -\u003e Result\u003cChecked\u003cJsonWebKey\u003cA\u003e, P\u003e, JsonWebKeyBuildError\u003cP::Error\u003e\u003e\n    where\n        A: Checkable,\n    {\n        self.build()\n            .map_err(|e| match e {\n                JsonWebKeyBuildError::IncompatibleKeyType =\u003e {\n                    JsonWebKeyBuildError::IncompatibleKeyType\n                }\n                JsonWebKeyBuildError::PolicyCheckFailed(x) =\u003e match x {},\n            })?\n            .check(policy)\n            .map_err(|(_, e)| JsonWebKeyBuildError::PolicyCheckFailed(e))\n    }\n}\n\nimpl\u003cA\u003e JsonWebKeyBuilder\u003cA\u003e {\n    gen_builder_methods! {\n        key_use: KeyUsage,\n        key_operations: HashSet\u003cKeyOperation\u003e,\n        algorithm: JsonWebAlgorithm,\n        kid: String,\n        x509_url: Uri,\n        x509_certificate_sha1_thumbprint: [u8; 20],\n        x509_certificate_sha256_thumbprint: [u8; 32],\n    }\n\n    /// Override the `key_type` for this JWK.\n    #[inline]\n    pub fn key_type(mut self, key_type: JsonWebKeyType) -\u003e Self {\n        self.key_type = key_type;\n        self\n    }\n\n    /// Override the `x509_certificate_chain` for this JWK.\n    #[inline]\n    pub fn x509_certificate_chain(mut self, x509_certificate_chain: Vec\u003cVec\u003cu8\u003e\u003e) -\u003e Self {\n        self.x509_certificate_chain = x509_certificate_chain\n            .into_iter()\n            .map(Base64DerCertificate)\n            .collect();\n        self\n    }\n\n    /// Override the additional parameters for this JWK.\n    #[inline]\n    pub fn additional\u003cN\u003e(self, additional: N) -\u003e JsonWebKeyBuilder\u003cN\u003e {\n        JsonWebKeyBuilder {\n            key_type: self.key_type,\n            key_use: self.key_use,\n            key_operations: self.key_operations,\n            algorithm: self.algorithm,\n            kid: self.kid,\n            x509_url: self.x509_url,\n            x509_certificate_chain: self.x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: self.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: self.x509_certificate_sha256_thumbprint,\n            additional,\n        }\n    }\n}\n","traces":[{"line":49,"address":[],"length":0,"stats":{"Line":42}},{"line":50,"address":[],"length":0,"stats":{"Line":42}},{"line":51,"address":[],"length":0,"stats":{"Line":42}},{"line":52,"address":[],"length":0,"stats":{"Line":42}},{"line":58,"address":[],"length":0,"stats":{"Line":21}},{"line":60,"address":[],"length":0,"stats":{"Line":21}},{"line":66,"address":[],"length":0,"stats":{"Line":21}},{"line":69,"address":[],"length":0,"stats":{"Line":21}},{"line":82,"address":[],"length":0,"stats":{"Line":42}},{"line":83,"address":[],"length":0,"stats":{"Line":42}},{"line":84,"address":[],"length":0,"stats":{"Line":42}},{"line":85,"address":[],"length":0,"stats":{"Line":42}},{"line":86,"address":[],"length":0,"stats":{"Line":42}},{"line":87,"address":[],"length":0,"stats":{"Line":42}},{"line":88,"address":[],"length":0,"stats":{"Line":42}},{"line":89,"address":[],"length":0,"stats":{"Line":42}},{"line":90,"address":[],"length":0,"stats":{"Line":42}},{"line":91,"address":[],"length":0,"stats":{"Line":42}},{"line":92,"address":[],"length":0,"stats":{"Line":42}},{"line":93,"address":[],"length":0,"stats":{"Line":42}},{"line":94,"address":[],"length":0,"stats":{"Line":42}},{"line":96,"address":[],"length":0,"stats":{"Line":84}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":42}},{"line":102,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":108,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":134,"address":[],"length":0,"stats":{"Line":0}},{"line":135,"address":[],"length":0,"stats":{"Line":0}},{"line":136,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":139,"address":[],"length":0,"stats":{"Line":0}},{"line":141,"address":[],"length":0,"stats":{"Line":0}},{"line":142,"address":[],"length":0,"stats":{"Line":0}},{"line":159,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":0}},{"line":161,"address":[],"length":0,"stats":{"Line":0}},{"line":166,"address":[],"length":0,"stats":{"Line":0}},{"line":167,"address":[],"length":0,"stats":{"Line":0}},{"line":168,"address":[],"length":0,"stats":{"Line":0}},{"line":169,"address":[],"length":0,"stats":{"Line":0}},{"line":170,"address":[],"length":0,"stats":{"Line":0}},{"line":171,"address":[],"length":0,"stats":{"Line":0}},{"line":176,"address":[],"length":0,"stats":{"Line":0}},{"line":178,"address":[],"length":0,"stats":{"Line":0}},{"line":179,"address":[],"length":0,"stats":{"Line":0}},{"line":180,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":0}},{"line":182,"address":[],"length":0,"stats":{"Line":0}},{"line":183,"address":[],"length":0,"stats":{"Line":0}},{"line":184,"address":[],"length":0,"stats":{"Line":0}},{"line":185,"address":[],"length":0,"stats":{"Line":0}},{"line":186,"address":[],"length":0,"stats":{"Line":0}}],"covered":23,"coverable":62},{"path":["/","home","stu","dev","rust","jose","src","jwk","key_ops.rs"],"content":"use alloc::string::String;\n\nuse serde::{Deserialize, Serialize};\n\n/// This enum represents the key operations (`key_ops`) parameter as defined in\n/// [Section 4.3 of RFC 7517]. All possible values are registered in the [IANA\n/// `JSON Web Key Operations` registry].\n///\n/// This enum SHOULD NOT be used together with the [`KeyUsage`](super::KeyUsage)\n/// enum. If they are both present, their information MUST be consistent.\n///\n/// [Section 4.3 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.3\u003e\n/// [IANA `JSON Web Key Operations` registry]: \u003chttps://www.iana.org/assignments/jose/jose.xhtml#web-key-operations\u003e\n#[non_exhaustive]\n#[derive(Debug, Clone, Hash, PartialEq, Eq)]\npub enum KeyOperation {\n    /// This key may compute digital signatures or MACs\n    Sign,\n    /// This key may verify digital signatures or MACs\n    Verify,\n    /// This key may encrypt content\n    Encrypt,\n    /// This key may decrypt content and validate decryption, if applicable\n    Decrypt,\n    /// This key may encrypt a key\n    WrapKey,\n    /// This key may decrypt a key and validate the decryption, if applicable\n    UnwrapKey,\n    /// This key may derive a key\n    DeriveKey,\n    /// This key may derive bits not to be used as a key\n    DeriveBits,\n    /// Some other case-sensitive [`String`] that did not match any of the\n    /// publicly known key operations\n    Other(String),\n}\n\nimpl Serialize for KeyOperation {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        match self {\n            Self::Sign =\u003e \"sign\",\n            Self::Verify =\u003e \"verify\",\n            Self::Encrypt =\u003e \"encrypt\",\n            Self::Decrypt =\u003e \"decrypt\",\n            Self::WrapKey =\u003e \"wrapKey\",\n            Self::UnwrapKey =\u003e \"unwrapKey\",\n            Self::DeriveKey =\u003e \"deriveKey\",\n            Self::DeriveBits =\u003e \"deriveBits\",\n            Self::Other(s) =\u003e s,\n        }\n        .serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for KeyOperation {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let val = \u003calloc::borrow::Cow\u003c'_, str\u003e\u003e::deserialize(deserializer)?;\n        Ok(match \u0026*val {\n            \"sign\" =\u003e Self::Sign,\n            \"verify\" =\u003e Self::Verify,\n            \"encrypt\" =\u003e Self::Encrypt,\n            \"decrypt\" =\u003e Self::Decrypt,\n            \"wrapKey\" =\u003e Self::WrapKey,\n            \"unwrapKey\" =\u003e Self::UnwrapKey,\n            \"deriveKey\" =\u003e Self::DeriveKey,\n            \"deriveBits\" =\u003e Self::DeriveBits,\n            _ =\u003e Self::Other(val.into_owned()),\n        })\n    }\n}\n","traces":[{"line":39,"address":[],"length":0,"stats":{"Line":10}},{"line":43,"address":[],"length":0,"stats":{"Line":10}},{"line":44,"address":[],"length":0,"stats":{"Line":2}},{"line":45,"address":[],"length":0,"stats":{"Line":4}},{"line":46,"address":[],"length":0,"stats":{"Line":2}},{"line":47,"address":[],"length":0,"stats":{"Line":2}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":50,"address":[],"length":0,"stats":{"Line":0}},{"line":51,"address":[],"length":0,"stats":{"Line":0}},{"line":52,"address":[],"length":0,"stats":{"Line":0}},{"line":54,"address":[],"length":0,"stats":{"Line":10}},{"line":59,"address":[],"length":0,"stats":{"Line":16}},{"line":63,"address":[],"length":0,"stats":{"Line":32}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":3}},{"line":66,"address":[],"length":0,"stats":{"Line":19}},{"line":67,"address":[],"length":0,"stats":{"Line":11}},{"line":68,"address":[],"length":0,"stats":{"Line":6}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}}],"covered":13,"coverable":24},{"path":["/","home","stu","dev","rust","jose","src","jwk","key_use.rs"],"content":"use alloc::string::String;\n\nuse serde::{Deserialize, Serialize};\n\n/// This enum represents possible key usage (`use`) parameter as\n/// defined in [Section 4.2 of RFC 7517]. All possible values are registered in\n/// the [IANA `JSON Web Key Use` registry].\n///\n/// [Section 4.2 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.2\u003e\n/// [IANA `JSON Web Key Use` registry]: \u003chttps://www.iana.org/assignments/jose/jose.xhtml#web-key-use\u003e\n#[non_exhaustive]\n#[derive(Debug, Clone, Hash, PartialEq, Eq)]\npub enum KeyUsage {\n    /// The `sig` (signature) value\n    Signing,\n    /// The `enc` (encryption) value\n    Encryption,\n    /// Some other case-sensitive [`String`] that did not match any of the\n    /// publicly known variants\n    Other(String),\n}\n\nimpl Serialize for KeyUsage {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        match self {\n            Self::Signing =\u003e \"sig\",\n            Self::Encryption =\u003e \"enc\",\n            Self::Other(s) =\u003e s,\n        }\n        .serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for KeyUsage {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let val = \u003calloc::borrow::Cow\u003c'_, str\u003e\u003e::deserialize(deserializer)?;\n        Ok(match \u0026*val {\n            \"sig\" =\u003e Self::Signing,\n            \"enc\" =\u003e Self::Encryption,\n            _ =\u003e Self::Other(val.into_owned()),\n        })\n    }\n}\n","traces":[{"line":24,"address":[],"length":0,"stats":{"Line":34}},{"line":28,"address":[],"length":0,"stats":{"Line":34}},{"line":29,"address":[],"length":0,"stats":{"Line":28}},{"line":30,"address":[],"length":0,"stats":{"Line":6}},{"line":31,"address":[],"length":0,"stats":{"Line":0}},{"line":33,"address":[],"length":0,"stats":{"Line":34}},{"line":38,"address":[],"length":0,"stats":{"Line":50}},{"line":42,"address":[],"length":0,"stats":{"Line":100}},{"line":43,"address":[],"length":0,"stats":{"Line":0}},{"line":44,"address":[],"length":0,"stats":{"Line":44}},{"line":45,"address":[],"length":0,"stats":{"Line":12}},{"line":46,"address":[],"length":0,"stats":{"Line":0}}],"covered":9,"coverable":12},{"path":["/","home","stu","dev","rust","jose","src","jwk","policy","standard.rs"],"content":"use alloc::string::{String, ToString};\nuse core::fmt::Display;\n\nuse hashbrown::HashSet;\nuse thiserror::Error;\n\nuse super::{CryptographicOperation, Policy, PolicyError};\nuse crate::{\n    jwa::{JsonWebAlgorithm, JsonWebEncryptionAlgorithm, JsonWebSigningAlgorithm},\n    jwk::{KeyOperation, KeyUsage},\n};\n\n/// Reasons a [`StandardPolicy`] can deny a JWK.\n#[derive(Debug, Error)]\npub enum StandardPolicyFail {\n    /// A [`JsonWebKey`](crate::jwk::JsonWebKey) may not perform a\n    /// [`CryptographicOperation`]\n    #[error(\"this key may not perform this cryptographic operation\")]\n    OperationNotAllowed,\n    /// The [`JsonWebSigningAlgorithm::None`] algorithm is not allowed as this\n    /// indicates an unverified/unencrypted JWS/JWE.\n    #[error(\"`none` algorithm is not allowed\")]\n    NoneAlgorithm,\n    /// [`KeyUsage::Other`] can not be verified by the standard policy, thus\n    /// it's simply declined and the user needs to use a custom policy to\n    /// check it.\n    #[error(\"`use` contained custom usage which can't be checked\")]\n    OtherKeyUsage,\n    /// [`KeyOperation::Other`] can not be verified by the standard policy, thus\n    /// it's simply declined and the user needs to use a custom policy to\n    /// check it.\n    #[error(\"`key_ops` contained custom operation which can't be checked\")]\n    OtherKeyOperation,\n    /// If any of [`JsonWebSigningAlgorithm`] or [`JsonWebEncryptionAlgorithm`]\n    /// contains the `Other` variant, this error will be raised by the\n    /// [`StandardPolicy`] because it is not understood by the implementations\n    /// provided by this library.\n    ///\n    /// If you use custom implementations (for example, via your own\n    /// [`Signer`](crate::jws::Signer) type) and use custom values for your\n    /// algorithm identification, you should provide our own [`Policy`] that\n    /// compares the `Other` variants against values understood by your\n    /// implementation.\n    #[error(\"`alg` header contains an unknown value\")]\n    OtherAlgorithm,\n    /// Used for the [`PolicyError`] implementation\n    #[error(\"{0}\")]\n    Custom(String),\n}\n\nimpl PolicyError for StandardPolicyFail {\n    fn custom\u003cT\u003e(msg: T) -\u003e Self\n    where\n        T: Display,\n    {\n        Self::Custom(msg.to_string())\n    }\n}\n\n/// A [`Policy`] with reasonable rules. Use this struct if you want to have some\n/// secure defaults.\n///\n/// # Included checks\n///\n/// - [`JsonWebSigningAlgorithm::None`] is not allowed\n/// - `use` field must not contain [`KeyUsage::Other`] because it can't be\n///   verified\n/// - `key_ops` field must not contain [`KeyOperation::Other`] because it can't\n///   be verified\n#[non_exhaustive]\n#[derive(Debug, Default, Clone)]\npub struct StandardPolicy;\n\nimpl StandardPolicy {\n    /// Create a [`StandardPolicy`]\n    pub const fn new() -\u003e Self {\n        Self\n    }\n}\n\n// TODO: StandardPolicy should check that the JsonWebKeyType and the provided\n// Algorithm make sense\nimpl Policy for StandardPolicy {\n    type Error = StandardPolicyFail;\n\n    fn algorithm(\u0026self, alg: \u0026JsonWebAlgorithm) -\u003e Result\u003c(), Self::Error\u003e {\n        match alg {\n            JsonWebAlgorithm::Encryption(JsonWebEncryptionAlgorithm::Other(_))\n            | JsonWebAlgorithm::Signing(JsonWebSigningAlgorithm::Other(_)) =\u003e {\n                Err(StandardPolicyFail::OtherAlgorithm)\n            }\n\n            JsonWebAlgorithm::Signing(JsonWebSigningAlgorithm::None) =\u003e {\n                Err(StandardPolicyFail::NoneAlgorithm)\n            }\n            JsonWebAlgorithm::Other(..) =\u003e Err(StandardPolicyFail::OtherAlgorithm),\n            _ =\u003e Ok(()),\n        }\n    }\n\n    fn compare_key_ops_and_use(\n        \u0026self,\n        key_use: \u0026KeyUsage,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        if matches!(key_use, KeyUsage::Other(..)) {\n            return Err(StandardPolicyFail::OtherKeyUsage);\n        }\n\n        if key_ops.iter().any(|o| matches!(o, KeyOperation::Other(..))) {\n            return Err(StandardPolicyFail::OtherKeyOperation);\n        }\n\n        // TODO: check that the typed variants of KeyUsage and KeyOperation\n        Ok(())\n    }\n\n    fn may_perform_operation_key_ops(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        use CryptographicOperation::*;\n        match operation {\n            Encrypt if key_ops.contains(\u0026KeyOperation::Encrypt) =\u003e Ok(()),\n            Decrypt if key_ops.contains(\u0026KeyOperation::Encrypt) =\u003e Ok(()),\n            Sign if key_ops.contains(\u0026KeyOperation::Sign) =\u003e Ok(()),\n            Verify if key_ops.contains(\u0026KeyOperation::Verify) =\u003e Ok(()),\n            _ =\u003e Err(StandardPolicyFail::OperationNotAllowed),\n        }\n    }\n\n    fn may_perform_operation_key_use(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_use: \u0026KeyUsage,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        use CryptographicOperation::*;\n        match operation {\n            Decrypt | Encrypt if key_use == \u0026KeyUsage::Encryption =\u003e Ok(()),\n            Sign | Verify if key_use == \u0026KeyUsage::Signing =\u003e Ok(()),\n            _ =\u003e Err(StandardPolicyFail::OperationNotAllowed),\n        }\n    }\n}\n","traces":[{"line":52,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":1}},{"line":77,"address":[],"length":0,"stats":{"Line":1}},{"line":86,"address":[],"length":0,"stats":{"Line":1}},{"line":87,"address":[],"length":0,"stats":{"Line":1}},{"line":90,"address":[],"length":0,"stats":{"Line":0}},{"line":94,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":1}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":126,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":133,"address":[],"length":0,"stats":{"Line":1}},{"line":139,"address":[],"length":0,"stats":{"Line":1}},{"line":140,"address":[],"length":0,"stats":{"Line":0}},{"line":141,"address":[],"length":0,"stats":{"Line":3}},{"line":142,"address":[],"length":0,"stats":{"Line":0}}],"covered":8,"coverable":28},{"path":["/","home","stu","dev","rust","jose","src","jwk","policy.rs"],"content":"//! Validate jose data against some [`Policy`]\n\nmod standard;\nuse core::{\n    fmt::{Debug, Display},\n    ops::{Deref, DerefMut},\n};\n\nuse hashbrown::HashSet;\npub use standard::{StandardPolicy, StandardPolicyFail};\n\nuse crate::{\n    jwa::JsonWebAlgorithm,\n    jwk::{KeyOperation, KeyUsage},\n};\n\n/// A type `T` that was checked against a [`Policy`] `P`\n#[derive(Debug, Clone, Hash, PartialEq, Eq)]\npub struct Checked\u003cT, P\u003e {\n    /// The [`Policy`] this `T` was checked against\n    policy: P,\n    /// The data that were checked\n    data: T,\n}\n\nimpl\u003cT, P\u003e Deref for Checked\u003cT, P\u003e\nwhere\n    P: Policy,\n{\n    type Target = T;\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        \u0026self.data\n    }\n}\n\nimpl\u003cT, P\u003e DerefMut for Checked\u003cT, P\u003e\nwhere\n    P: Policy,\n{\n    fn deref_mut(\u0026mut self) -\u003e \u0026mut Self::Target {\n        \u0026mut self.data\n    }\n}\n\nimpl\u003cT, P\u003e Checked\u003cT, P\u003e {\n    /// Create a new [`Checked\u003cT, P\u003e`]\n    ///\n    /// **Warning**: This function can't perform any validation/checks and\n    /// therefore MUST only be used after sufficient validation is already done.\n    pub fn new(data: T, policy: P) -\u003e Self\n    where\n        P: Policy,\n    {\n        Self { policy, data }\n    }\n\n    /// Turns this `Checked` into it's underlying values. `T` is the type that\n    /// was checked and `P` the [`Policy`] used to check `T`\n    pub fn into_inner(self) -\u003e (T, P) {\n        (self.data, self.policy)\n    }\n\n    /// Turns this `Checked` into it's underlying checked type `T`\n    pub fn into_type(self) -\u003e T {\n        self.into_inner().0\n    }\n\n    /// Turns this `Checked` into it's underlying [`Policy`] `P` that was used\n    /// to check `T`\n    pub fn into_policy(self) -\u003e P {\n        self.into_inner().1\n    }\n\n    /// Returns the [`Policy`] that was used to validate `T`\n    pub fn policy(\u0026self) -\u003e \u0026P\n    where\n        P: Policy,\n    {\n        \u0026self.policy\n    }\n}\n\n/// A trait to enforce some rules in jose\npub trait Policy {\n    /// The error type returned when any check of this policy fails.\n    type Error: PolicyError;\n\n    /// Checks the `alg` header\n    ///\n    /// # Errors\n    ///\n    /// This should return an [`Err`] if the algorithm is not accepted (e.g.\n    /// because it is considered insecure)\n    fn algorithm(\u0026self, alg: \u0026JsonWebAlgorithm) -\u003e Result\u003c(), Self::Error\u003e;\n\n    /// Compares the `use` and `key_ops` parameters\n    ///\n    /// # Errors\n    ///\n    /// This should return an [`Err`] if key_use and key_ops are inconsistent\n    /// with each other\n    fn compare_key_ops_and_use(\n        \u0026self,\n        key_use: \u0026KeyUsage,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e;\n\n    /// Checks if a [`JsonWebKey`](crate::jwk::JsonWebKey) with the given\n    /// [`KeyOperation`]s is allowed to perform a certain\n    /// [`CryptographicOperation`]\n    ///\n    /// # Errors\n    ///\n    /// This should return an [`Err`] if the given\n    /// [`JsonWebKey`](crate::jwk::JsonWebKey) with this specific set of\n    /// [`KeyOperation`]s is not allowed to perform the\n    /// [`CryptographicOperation`] For example, this might be the case if\n    /// key_ops only contain [`KeyOperation::Encrypt`] but the\n    /// [`CryptographicOperation`] is [`Sign`](CryptographicOperation::Sign).\n    fn may_perform_operation_key_ops(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e;\n\n    /// Checks if a [`JsonWebKey`](crate::jwk::JsonWebKey) with the given\n    /// [`KeyUsage`] parameter is allowed to perform a certain\n    /// [`CryptographicOperation`]\n    ///\n    /// # Errors\n    ///\n    /// This should return an [`Err`] if the given\n    /// [`JsonWebKey`](crate::jwk::JsonWebKey) with this specific [`KeyUsage`]\n    /// is not allowed to perform the [`CryptographicOperation`]\n    fn may_perform_operation_key_use(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_use: \u0026KeyUsage,\n    ) -\u003e Result\u003c(), Self::Error\u003e;\n\n    /// Checks both [`KeyUsage`] and [`KeyOperation`] for the given\n    /// [`CryptographicOperation`]\n    ///\n    /// The default implementation just calls\n    /// [`may_perform_operation_key_ops`](Self::may_perform_operation_key_ops)\n    /// and [`may_perform_operation_key_use`](Self::may_perform_operation_key_use).\n    ///\n    /// # Errors\n    ///\n    /// This should return an [`Err`] if the [`KeyUsage`] and [`KeyOperation`]\n    /// do not allow for the [`CryptographicOperation`]\n    fn may_perform_operation(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_use: \u0026KeyUsage,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        self.may_perform_operation_key_ops(operation, key_ops)?;\n        self.may_perform_operation_key_use(operation, key_use)\n    }\n}\n\n/// An enum used to specify a cryptographic operation\n#[non_exhaustive]\n#[derive(Debug, PartialEq, Eq, Hash, Clone, Copy)]\npub enum CryptographicOperation {\n    /// Create a signature (used in JWS)\n    Sign,\n    /// Verify a signature (used in JWS)\n    Verify,\n    /// Encrypt something (used in JWE)\n    Encrypt,\n    /// Decrypt some ciphertext (used in JWE)\n    Decrypt,\n    // TODO: possibly add derive key and derive bits in case they are ever needed (maybe in JWE?)\n}\n\nimpl\u003cP: Policy\u003e Policy for \u0026P {\n    type Error = P::Error;\n\n    fn algorithm(\u0026self, alg: \u0026JsonWebAlgorithm) -\u003e Result\u003c(), Self::Error\u003e {\n        P::algorithm(self, alg)\n    }\n\n    fn compare_key_ops_and_use(\n        \u0026self,\n        key_use: \u0026KeyUsage,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        P::compare_key_ops_and_use(self, key_use, key_ops)\n    }\n\n    fn may_perform_operation_key_ops(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        P::may_perform_operation_key_ops(self, operation, key_ops)\n    }\n\n    fn may_perform_operation_key_use(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_use: \u0026KeyUsage,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        P::may_perform_operation_key_use(self, operation, key_use)\n    }\n}\n\n/// An error returned by the [`Policy`] trait\npub trait PolicyError {\n    /// A custom error message\n    fn custom\u003cT\u003e(msg: T) -\u003e Self\n    where\n        T: Display;\n}\n\n/// A type that can be checked against some [`Policy`]\npub trait Checkable: Sized {\n    /// Check [`self`] against a [`Policy`]\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if any check against the [`Policy`] failed\n    fn check\u003cP: Policy\u003e(self, policy: P) -\u003e Result\u003cChecked\u003cSelf, P\u003e, (Self, P::Error)\u003e;\n}\n\n/// This implementation allows the default JsonWebKey (and others types with\n/// additional members) to implement Checkable where there are no additional\n/// members (`T = ()`)\nimpl Checkable for () {\n    fn check\u003cP: Policy\u003e(self, policy: P) -\u003e Result\u003cChecked\u003cSelf, P\u003e, (Self, P::Error)\u003e {\n        Ok(Checked::new(self, policy))\n    }\n}\n","traces":[{"line":32,"address":[],"length":0,"stats":{"Line":0}},{"line":33,"address":[],"length":0,"stats":{"Line":0}},{"line":41,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":51,"address":[],"length":0,"stats":{"Line":2}},{"line":60,"address":[],"length":0,"stats":{"Line":1}},{"line":61,"address":[],"length":0,"stats":{"Line":1}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":153,"address":[],"length":0,"stats":{"Line":0}},{"line":159,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":0}},{"line":182,"address":[],"length":0,"stats":{"Line":0}},{"line":183,"address":[],"length":0,"stats":{"Line":0}},{"line":186,"address":[],"length":0,"stats":{"Line":0}},{"line":191,"address":[],"length":0,"stats":{"Line":0}},{"line":194,"address":[],"length":0,"stats":{"Line":0}},{"line":199,"address":[],"length":0,"stats":{"Line":0}},{"line":202,"address":[],"length":0,"stats":{"Line":0}},{"line":207,"address":[],"length":0,"stats":{"Line":0}},{"line":233,"address":[],"length":0,"stats":{"Line":0}},{"line":234,"address":[],"length":0,"stats":{"Line":0}}],"covered":3,"coverable":26},{"path":["/","home","stu","dev","rust","jose","src","jwk","private.rs"],"content":"use alloc::{boxed::Box, string::String};\n\nuse serde::{Deserialize, Serialize};\n\nuse super::Thumbprint;\nuse crate::crypto::{ec, okp, rsa};\n\n/// The `private` part of some asymmetric cryptographic key\n#[non_exhaustive]\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Hash)]\n#[serde(untagged)]\npub enum Private {\n    /// The private part of a Rsa key\n    Rsa(Box\u003crsa::PrivateKey\u003e),\n    /// The private part of an elliptic curve\n    Ec(EcPrivate),\n    /// The private part of an `OKP` key type, probably the private part of a\n    /// curve25519 or curve448 key\n    Okp(OkpPrivate),\n}\n\nimpl From\u003cPrivate\u003e for super::JsonWebKeyType {\n    fn from(x: Private) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(Box::new(super::AsymmetricJsonWebKey::Private(x)))\n    }\n}\n\nimpl crate::sealed::Sealed for Private {}\nimpl Thumbprint for Private {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            Private::Rsa(key) =\u003e key.thumbprint_prehashed(),\n            Private::Ec(key) =\u003e key.thumbprint_prehashed(),\n            Private::Okp(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\n/// The private part of some elliptic curve\n///\n/// Note: This does not include Curve25519 and Curve448. For these, see the\n/// `Okp` variant of the [`Private`](super::Private)\n/// enum.\n#[non_exhaustive]\n#[derive(Debug, Clone, Serialize, PartialEq, Eq, Hash)]\n#[serde(untagged)]\npub enum EcPrivate {\n    /// Private part of the P-256 curve\n    P256(ec::P256PrivateKey),\n    /// Private part of the P-384 curve\n    P384(ec::P384PrivateKey),\n    /// Private part of the P-521 curve\n    P521(ec::P521PrivateKey),\n    /// Private part of the secp256k1 curve\n    Secp256k1(ec::Secp256k1PrivateKey),\n}\n\nimpl crate::sealed::Sealed for EcPrivate {}\nimpl Thumbprint for EcPrivate {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            EcPrivate::P256(key) =\u003e key.thumbprint_prehashed(),\n            EcPrivate::P384(key) =\u003e key.thumbprint_prehashed(),\n            EcPrivate::P521(key) =\u003e key.thumbprint_prehashed(),\n            EcPrivate::Secp256k1(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl From\u003cEcPrivate\u003e for super::JsonWebKeyType {\n    fn from(x: EcPrivate) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(\n            super::AsymmetricJsonWebKey::Private(super::Private::Ec(x)),\n        ))\n    }\n}\n\nimpl_internally_tagged_deserialize!(EcPrivate, \"crv\", \"EcCurve\", [\n    \"P-256\" =\u003e P256,\n    \"P-384\" =\u003e P384,\n    \"P-521\" =\u003e P521,\n    \"secp256k1\" =\u003e Secp256k1,\n]);\n\n/// The private part of ED keys, whose type is `OKP`.\n#[non_exhaustive]\n#[derive(Debug, Clone, Serialize, PartialEq, Eq, Hash)]\n#[serde(untagged)]\npub enum OkpPrivate {\n    /// Private part of the Ed25519 curve\n    Ed25519(okp::Ed25519PrivateKey),\n\n    /// Private part of the Ed448 curve\n    Ed448(okp::Ed448PrivateKey),\n}\n\nimpl crate::sealed::Sealed for OkpPrivate {}\nimpl Thumbprint for OkpPrivate {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            OkpPrivate::Ed25519(key) =\u003e key.thumbprint_prehashed(),\n            OkpPrivate::Ed448(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl From\u003cOkpPrivate\u003e for super::JsonWebKeyType {\n    fn from(x: OkpPrivate) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(\n            super::AsymmetricJsonWebKey::Private(super::Private::Okp(x)),\n        ))\n    }\n}\n\nimpl_internally_tagged_deserialize!(OkpPrivate, \"crv\", \"OkpCurve\", [\n    \"Ed25519\" =\u003e Ed25519,\n    \"Ed448\" =\u003e Ed448,\n]);\n","traces":[{"line":23,"address":[],"length":0,"stats":{"Line":0}},{"line":24,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":25}},{"line":31,"address":[],"length":0,"stats":{"Line":25}},{"line":32,"address":[],"length":0,"stats":{"Line":6}},{"line":33,"address":[],"length":0,"stats":{"Line":13}},{"line":34,"address":[],"length":0,"stats":{"Line":6}},{"line":60,"address":[],"length":0,"stats":{"Line":13}},{"line":61,"address":[],"length":0,"stats":{"Line":13}},{"line":62,"address":[],"length":0,"stats":{"Line":4}},{"line":63,"address":[],"length":0,"stats":{"Line":3}},{"line":64,"address":[],"length":0,"stats":{"Line":3}},{"line":65,"address":[],"length":0,"stats":{"Line":3}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":6}},{"line":100,"address":[],"length":0,"stats":{"Line":6}},{"line":101,"address":[],"length":0,"stats":{"Line":3}},{"line":102,"address":[],"length":0,"stats":{"Line":3}},{"line":108,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}}],"covered":15,"coverable":23},{"path":["/","home","stu","dev","rust","jose","src","jwk","public.rs"],"content":"use alloc::string::String;\n\nuse serde::{Deserialize, Serialize};\n\nuse super::Thumbprint;\nuse crate::crypto::{ec, okp, rsa};\n\n/// The `public` part of some asymmetric cryptographic key\n#[non_exhaustive]\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Hash)]\n#[serde(untagged)]\npub enum Public {\n    /// The public part of a Rsa key\n    Rsa(rsa::PublicKey),\n    /// The public part of an elliptic curve\n    Ec(EcPublic),\n    /// The public part of an `OKP` key type, probably the public part of a\n    /// curve25519 or curve448 key\n    Okp(OkpPublic),\n}\n\nimpl crate::sealed::Sealed for Public {}\nimpl Thumbprint for Public {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            Public::Rsa(key) =\u003e key.thumbprint_prehashed(),\n            Public::Ec(key) =\u003e key.thumbprint_prehashed(),\n            Public::Okp(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\n/// The public part of some elliptic curve\n///\n/// Note: This does not include Curve25519 and Curve448. For these, see the\n/// `Okp` variant of the [`Public`](super::Public) enum.\n#[non_exhaustive]\n#[derive(Debug, Clone, Serialize, PartialEq, Eq, Hash)]\n#[serde(untagged)]\npub enum EcPublic {\n    /// Public part of the P-256 curve\n    P256(ec::P256PublicKey),\n\n    /// Public part of the P-384 curve\n    P384(ec::P384PublicKey),\n\n    /// Public part of the P-521 curve\n    P521(ec::P521PublicKey),\n\n    /// Public part of the secp256k1 curve\n    Secp256k1(ec::Secp256k1PublicKey),\n}\n\nimpl crate::sealed::Sealed for EcPublic {}\nimpl Thumbprint for EcPublic {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            EcPublic::P256(key) =\u003e key.thumbprint_prehashed(),\n            EcPublic::P384(key) =\u003e key.thumbprint_prehashed(),\n            EcPublic::P521(key) =\u003e key.thumbprint_prehashed(),\n            EcPublic::Secp256k1(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl From\u003cEcPublic\u003e for super::JsonWebKeyType {\n    fn from(x: EcPublic) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(\n            super::AsymmetricJsonWebKey::Public(super::Public::Ec(x)),\n        ))\n    }\n}\n\nimpl_internally_tagged_deserialize!(EcPublic, \"crv\", \"EcCurve\", [\n    \"P-256\" =\u003e P256,\n    \"P-384\" =\u003e P384,\n    \"P-521\" =\u003e P521,\n    \"secp256k1\" =\u003e Secp256k1,\n]);\n\n/// The public part of ED keys, whose type is `OKP`.\n#[non_exhaustive]\n#[derive(Debug, Clone, Serialize, PartialEq, Eq, Hash)]\n#[serde(untagged)]\npub enum OkpPublic {\n    /// Public part of the Ed25519 curve\n    Ed25519(okp::Ed25519PublicKey),\n\n    /// Public part of the Ed448 curve\n    Ed448(okp::Ed448PublicKey),\n}\n\nimpl crate::sealed::Sealed for OkpPublic {}\nimpl Thumbprint for OkpPublic {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            OkpPublic::Ed25519(key) =\u003e key.thumbprint_prehashed(),\n            OkpPublic::Ed448(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl From\u003cOkpPublic\u003e for super::JsonWebKeyType {\n    fn from(x: OkpPublic) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(\n            super::AsymmetricJsonWebKey::Public(super::Public::Okp(x)),\n        ))\n    }\n}\n\nimpl_internally_tagged_deserialize!(OkpPublic, \"crv\", \"OkpCurve\", [\n    \"Ed25519\" =\u003e Ed25519,\n    \"Ed448\" =\u003e Ed448,\n]);\n","traces":[{"line":24,"address":[],"length":0,"stats":{"Line":33}},{"line":25,"address":[],"length":0,"stats":{"Line":33}},{"line":26,"address":[],"length":0,"stats":{"Line":15}},{"line":27,"address":[],"length":0,"stats":{"Line":12}},{"line":28,"address":[],"length":0,"stats":{"Line":6}},{"line":56,"address":[],"length":0,"stats":{"Line":12}},{"line":57,"address":[],"length":0,"stats":{"Line":12}},{"line":58,"address":[],"length":0,"stats":{"Line":3}},{"line":59,"address":[],"length":0,"stats":{"Line":3}},{"line":60,"address":[],"length":0,"stats":{"Line":3}},{"line":61,"address":[],"length":0,"stats":{"Line":3}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":6}},{"line":96,"address":[],"length":0,"stats":{"Line":6}},{"line":97,"address":[],"length":0,"stats":{"Line":3}},{"line":98,"address":[],"length":0,"stats":{"Line":3}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}}],"covered":15,"coverable":21},{"path":["/","home","stu","dev","rust","jose","src","jwk","serde_impl.rs"],"content":"use alloc::{borrow::Cow, vec::Vec};\nuse core::ops::Deref;\n\nuse base64ct::{Base64, Base64UrlUnpadded, Encoding};\nuse hashbrown::HashSet;\nuse serde::{de::Error, Deserialize, Deserializer, Serialize, Serializer};\n\nuse super::KeyOperation;\n\n/// Helper function to ensure that a [`HashSet`] is created from a [`Vec`]\n/// without duplicates\npub fn deserialize_ensure_set\u003c'de, D\u003e(\n    deserializer: D,\n) -\u003e Result\u003cOption\u003cHashSet\u003cKeyOperation\u003e\u003e, D::Error\u003e\nwhere\n    D: Deserializer\u003c'de\u003e,\n{\n    match \u003cOption\u003cVec\u003cKeyOperation\u003e\u003e as Deserialize\u003e::deserialize(deserializer)? {\n        Some(val) =\u003e {\n            let mut set = HashSet::new();\n            for o in val {\n                // detect duplicates in `key_ops` parameter. according to the rfc,\n                // \u003e Duplicate key operation values MUST NOT be present in the array.\n                // means: this is a set\n                if !set.insert(o) {\n                    return Err(\u003cD::Error as Error\u003e::custom(\n                        \"found duplicate in `key_ops` parameter\",\n                    ));\n                }\n            }\n            Ok(Some(set))\n        }\n        None =\u003e Ok(None),\n    }\n}\n\n/// serialize a generic array to base64 urlsafe nopad\npub fn serialize_ga\u003cconst N: usize, S\u003e(\n    // \u0026Option needed because serde passes an \u0026Option\u003cT\u003e instead of Option\u003c\u0026T\u003e\n    v: \u0026Option\u003c[u8; N]\u003e,\n    serializer: S,\n) -\u003e Result\u003cS::Ok, S::Error\u003e\nwhere\n    S: Serializer,\n{\n    let v = v.as_ref();\n    v.map(|v| Base64UrlUnpadded::encode_string(v))\n        .serialize(serializer)\n}\n\n/// deserialize a generic array from base64 urlsafe nopad\npub fn deserialize_ga\u003c'de, D, const N: usize\u003e(deserializer: D) -\u003e Result\u003cOption\u003c[u8; N]\u003e, D::Error\u003e\nwhere\n    D: Deserializer\u003c'de\u003e,\n{\n    Ok(match Option::\u003cCow\u003c'_, str\u003e\u003e::deserialize(deserializer)? {\n        Some(val) =\u003e {\n            let mut buf = [0u8; N];\n            Base64UrlUnpadded::decode(\u0026*val, \u0026mut buf).map_err(\u003cD::Error as Error\u003e::custom)?;\n            Some(buf)\n        }\n        None =\u003e None,\n    })\n}\n\npub fn serialize_ga_sha1\u003cS\u003e(v: \u0026Option\u003c[u8; 20]\u003e, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\nwhere\n    S: Serializer,\n{\n    serialize_ga::\u003c20, _\u003e(v, serializer)\n}\n\npub fn serialize_ga_sha256\u003cS\u003e(v: \u0026Option\u003c[u8; 32]\u003e, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\nwhere\n    S: Serializer,\n{\n    serialize_ga::\u003c32, _\u003e(v, serializer)\n}\n\npub fn deserialize_ga_sha1\u003c'de, D\u003e(deserializer: D) -\u003e Result\u003cOption\u003c[u8; 20]\u003e, D::Error\u003e\nwhere\n    D: Deserializer\u003c'de\u003e,\n{\n    deserialize_ga::\u003c_, 20\u003e(deserializer)\n}\n\npub fn deserialize_ga_sha256\u003c'de, D\u003e(deserializer: D) -\u003e Result\u003cOption\u003c[u8; 32]\u003e, D::Error\u003e\nwhere\n    D: Deserializer\u003c'de\u003e,\n{\n    deserialize_ga::\u003c_, 32\u003e(deserializer)\n}\n\n#[derive(Debug, Hash, PartialEq, Eq, Clone)]\npub(crate) struct Base64DerCertificate(pub Vec\u003cu8\u003e);\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for Base64DerCertificate {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        let val = \u003calloc::borrow::Cow\u003c'_, str\u003e\u003e::deserialize(deserializer)?;\n        Ok(Self(\n            Base64::decode_vec(\u0026val).map_err(\u003cD::Error as Error\u003e::custom)?,\n        ))\n    }\n}\n\nimpl Deref for Base64DerCertificate {\n    type Target = [u8];\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        self.0.deref()\n    }\n}\n\nimpl Serialize for Base64DerCertificate {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: Serializer,\n    {\n        Base64::encode_string(\u0026self.0).serialize(serializer)\n    }\n}\n","traces":[{"line":12,"address":[],"length":0,"stats":{"Line":9}},{"line":18,"address":[],"length":0,"stats":{"Line":9}},{"line":19,"address":[],"length":0,"stats":{"Line":9}},{"line":20,"address":[],"length":0,"stats":{"Line":9}},{"line":21,"address":[],"length":0,"stats":{"Line":40}},{"line":25,"address":[],"length":0,"stats":{"Line":16}},{"line":26,"address":[],"length":0,"stats":{"Line":1}},{"line":27,"address":[],"length":0,"stats":{"Line":1}},{"line":31,"address":[],"length":0,"stats":{"Line":8}},{"line":33,"address":[],"length":0,"stats":{"Line":0}},{"line":38,"address":[],"length":0,"stats":{"Line":12}},{"line":46,"address":[],"length":0,"stats":{"Line":12}},{"line":47,"address":[],"length":0,"stats":{"Line":24}},{"line":48,"address":[],"length":0,"stats":{"Line":12}},{"line":52,"address":[],"length":0,"stats":{"Line":12}},{"line":56,"address":[],"length":0,"stats":{"Line":12}},{"line":57,"address":[],"length":0,"stats":{"Line":12}},{"line":58,"address":[],"length":0,"stats":{"Line":12}},{"line":59,"address":[],"length":0,"stats":{"Line":12}},{"line":60,"address":[],"length":0,"stats":{"Line":12}},{"line":62,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":6}},{"line":70,"address":[],"length":0,"stats":{"Line":6}},{"line":73,"address":[],"length":0,"stats":{"Line":6}},{"line":77,"address":[],"length":0,"stats":{"Line":6}},{"line":80,"address":[],"length":0,"stats":{"Line":6}},{"line":84,"address":[],"length":0,"stats":{"Line":6}},{"line":87,"address":[],"length":0,"stats":{"Line":6}},{"line":91,"address":[],"length":0,"stats":{"Line":6}},{"line":98,"address":[],"length":0,"stats":{"Line":6}},{"line":102,"address":[],"length":0,"stats":{"Line":12}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":113,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":6}},{"line":122,"address":[],"length":0,"stats":{"Line":6}}],"covered":31,"coverable":37},{"path":["/","home","stu","dev","rust","jose","src","jwk","signer.rs"],"content":"use alloc::{borrow::ToOwned, string::String, vec::Vec};\n\nuse super::{\n    private::EcPrivate, symmetric::FromOctetSequenceError, AsymmetricJsonWebKey, FromKey,\n    JsonWebKeyType, OkpPrivate, Private, SymmetricJsonWebKey,\n};\nuse crate::{\n    crypto::{ec, hmac, okp, rsa},\n    jwa::{EcDSA, Hmac, JsonWebAlgorithm, JsonWebSigningAlgorithm},\n    jwk::policy::{Checked, CryptographicOperation, Policy},\n    jws::{IntoSigner, InvalidSigningAlgorithmError, Signer},\n    JsonWebKey,\n};\n\n/// An abstract [`Signer`] over all possible [key types](JsonWebKeyType)\n// FIXME: make PR to dependencies to we can derive C-COMMON-TRAITS\n#[derive(Debug)]\npub struct JwkSigner {\n    inner: InnerSigner,\n    key_id: Option\u003cString\u003e,\n}\n\nimpl JwkSigner {\n    /// Create a [`JwkSigner`] from a [`JsonWebKeyType`] used with the provided\n    /// [`JsonWebAlgorithm`]\n    ///\n    /// # Errors\n    ///\n    /// This function returns an error if the provided [`JsonWebAlgorithm`] and\n    /// the actual [`JsonWebKeyType`] don't match. For example, you'll get an\n    /// error if you try to to use this function with a [symmetric\n    /// key](JsonWebKeyType::Symmetric) and an asymmetric key algorithm.\n    ///\n    /// E.g., this won't work:\n    ///     \n    /// ```\n    /// use jose::{\n    ///     jwa::{Hmac, JsonWebSigningAlgorithm},\n    ///     jwk::{FromJwkError, JsonWebKeyType, JwkSigner},\n    /// };\n    /// # fn main() -\u003e Result\u003c(), Box\u003cdyn std::error::Error\u003e\u003e {\n    /// let key: JsonWebKeyType = serde_json::from_str(\n    ///     r#\"\n    /// {\n    ///   \"kty\": \"EC\",\n    ///   \"kid\": \"6j1ImYAlN6DnVupozzN13UKnLR7BfEvngNmVl5bLlI0\",\n    ///   \"crv\": \"P-256\",\n    ///   \"x\": \"-HGJKqKLCoB6z4zlNKef927CODDulLcHdxNi2iUTi5g\",\n    ///   \"y\": \"GaVhYaBvIgSAaNLjXjVqOvtCGH56x5s4DnWMy9TXbTU\",\n    ///   \"d\": \"C6AV5ZvCGQevYYMJT15frXWuKaqEDthnSMtuJKEKykI\"\n    /// }\"#,\n    /// )?;\n    ///\n    /// // returns an error since a P-256 key cannot be used with Hmac\n    /// assert!(matches!(\n    ///     JwkSigner::new(key, JsonWebSigningAlgorithm::Hmac(Hmac::Hs256)),\n    ///     Err(FromJwkError::InvalidAlgorithm)\n    /// ));\n    /// # Ok(())\n    /// # }\n    /// ```\n    pub fn new(key: JsonWebKeyType, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cSelf, FromJwkError\u003e {\n        Ok(Self {\n            key_id: None,\n            inner: match key {\n                JsonWebKeyType::Asymmetric(key) =\u003e match *key {\n                    AsymmetricJsonWebKey::Public(_) =\u003e Err(FromJwkError::NoPrivateKey)?,\n                    AsymmetricJsonWebKey::Private(key) =\u003e match key {\n                        Private::Ec(key) =\u003e match key {\n                            EcPrivate::P256(key) =\u003e InnerSigner::Es256(key.into_signer(alg)?),\n                            EcPrivate::P384(key) =\u003e InnerSigner::Es384(key.into_signer(alg)?),\n                            EcPrivate::P521(key) =\u003e InnerSigner::Es512(key.into_signer(alg)?),\n                            EcPrivate::Secp256k1(key) =\u003e {\n                                InnerSigner::Secp256k1(key.into_signer(alg)?)\n                            }\n                        },\n                        Private::Rsa(key) =\u003e InnerSigner::Rsa((*key).into_signer(alg)?),\n                        Private::Okp(key) =\u003e match key {\n                            OkpPrivate::Ed25519(key) =\u003e InnerSigner::Ed25519(key.into_signer(alg)?),\n                            OkpPrivate::Ed448(key) =\u003e InnerSigner::Ed448(key.into_signer(alg)?),\n                        },\n                    },\n                },\n                JsonWebKeyType::Symmetric(key) =\u003e match key {\n                    SymmetricJsonWebKey::OctetSequence(ref key) =\u003e match alg {\n                        JsonWebSigningAlgorithm::Hmac(hs) =\u003e match hs {\n                            Hmac::Hs256 =\u003e InnerSigner::Hs256(key.into_signer(alg)?),\n                            Hmac::Hs384 =\u003e InnerSigner::Hs384(key.into_signer(alg)?),\n                            Hmac::Hs512 =\u003e InnerSigner::Hs512(key.into_signer(alg)?),\n                        },\n                        _ =\u003e Err(InvalidSigningAlgorithmError)?,\n                    },\n                },\n            },\n        })\n    }\n\n    /// Sets the key id for this [`Signer`].\n    ///\n    /// If this method is used, the [`kid`] header of the signed JWS will be set\n    /// to the given key id.\n    ///\n    /// [`kid`]: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4\n    pub fn with_key_id(mut self, key_id: String) -\u003e Self {\n        self.key_id = Some(key_id);\n        self\n    }\n\n    /// Sets the key id of this signer to `None`.\n    ///\n    /// Calling this method will result to omitting the [`kid`] header in the\n    /// signed JWS header.\n    ///\n    /// [`kid`]: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4\n    pub fn without_key_id(mut self) -\u003e Self {\n        self.key_id = None;\n        self\n    }\n}\n\nimpl Signer\u003cVec\u003cu8\u003e\u003e for JwkSigner {\n    fn sign(\u0026mut self, x: \u0026[u8]) -\u003e Result\u003cVec\u003cu8\u003e, crate::crypto::Error\u003e {\n        match \u0026mut self.inner {\n            InnerSigner::Rsa(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Hs256(s) =\u003e s.sign(x).map(|x| x.as_ref().to_vec()),\n            InnerSigner::Hs384(s) =\u003e s.sign(x).map(|x| x.as_ref().to_vec()),\n            InnerSigner::Hs512(s) =\u003e s.sign(x).map(|x| x.as_ref().to_vec()),\n            InnerSigner::Es256(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Es384(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Es512(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Secp256k1(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Ed448(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Ed25519(s) =\u003e s.sign(x).map(|x| x.into()),\n        }\n    }\n\n    fn algorithm(\u0026self) -\u003e JsonWebSigningAlgorithm {\n        match self.inner {\n            InnerSigner::Hs256(_) =\u003e JsonWebSigningAlgorithm::Hmac(Hmac::Hs256),\n            InnerSigner::Hs384(_) =\u003e JsonWebSigningAlgorithm::Hmac(Hmac::Hs384),\n            InnerSigner::Hs512(_) =\u003e JsonWebSigningAlgorithm::Hmac(Hmac::Hs512),\n            InnerSigner::Es256(_) =\u003e JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256),\n            InnerSigner::Es384(_) =\u003e JsonWebSigningAlgorithm::EcDSA(EcDSA::Es384),\n            InnerSigner::Es512(_) =\u003e JsonWebSigningAlgorithm::EcDSA(EcDSA::Es512),\n            InnerSigner::Secp256k1(_) =\u003e JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256K),\n            InnerSigner::Rsa(ref rsa) =\u003e rsa.algorithm(),\n            InnerSigner::Ed25519(_) | InnerSigner::Ed448(_) =\u003e JsonWebSigningAlgorithm::EdDSA,\n        }\n    }\n\n    fn key_id(\u0026self) -\u003e Option\u003c\u0026str\u003e {\n        self.key_id.as_deref()\n    }\n}\n\nimpl\u003cT, P\u003e TryFrom\u003cChecked\u003cJsonWebKey\u003cT\u003e, P\u003e\u003e for JwkSigner\nwhere\n    P: Policy,\n{\n    type Error = FromJwkError;\n\n    /// Create a [`JwkSigner`] from a [`JsonWebKey`]\n    ///\n    /// # Errors\n    ///\n    /// This conversion fails if [`JsonWebKey::algorithm`] is [`None`]\n    fn try_from(jwk: Checked\u003cJsonWebKey\u003cT\u003e, P\u003e) -\u003e Result\u003cSelf, Self::Error\u003e {\n        let alg = jwk\n            .algorithm()\n            .ok_or(FromJwkError::InvalidAlgorithm)?\n            .to_owned();\n        let kid = jwk.kid.clone();\n        let mut signer = JwkSigner::from_key(jwk, alg)?;\n        signer.key_id = kid;\n        Ok(signer)\n    }\n}\n\nimpl\u003cT, P\u003e FromKey\u003cChecked\u003cJsonWebKey\u003cT\u003e, P\u003e\u003e for JwkSigner\nwhere\n    P: Policy,\n{\n    type Error = FromJwkError;\n\n    /// Create a [`JwkSigner`] from a [`JsonWebKey`] overwriting\n    /// [`JsonWebKey::algorithm`] with `alg`.\n    fn from_key(\n        jwk: Checked\u003cJsonWebKey\u003cT\u003e, P\u003e,\n        alg: JsonWebAlgorithm,\n    ) -\u003e Result\u003cSelf, Self::Error\u003e {\n        if let Some(usage) = jwk.key_usage() {\n            jwk.policy()\n                .may_perform_operation_key_use(CryptographicOperation::Sign, usage)\n                .map_err(|_| FromJwkError::OperationNotAllowed)?\n        }\n\n        if let Some(ops) = jwk.key_operations() {\n            jwk.policy()\n                .may_perform_operation_key_ops(CryptographicOperation::Sign, ops)\n                .map_err(|_| FromJwkError::OperationNotAllowed)?\n        }\n\n        match alg {\n            JsonWebAlgorithm::Encryption(..) | JsonWebAlgorithm::Other(..) =\u003e {\n                Err(InvalidSigningAlgorithmError.into())\n            }\n            JsonWebAlgorithm::Signing(alg) =\u003e Self::new(jwk.into_type().key_type, alg),\n        }\n    }\n}\n\n/// An error returned when creating a [`JwkSigner`] from a [`JsonWebKeyType`]\n/// (or indirectly via [`JsonWebKey`])\n#[derive(Debug, thiserror::Error)]\n#[non_exhaustive]\npub enum FromJwkError {\n    /// A [`JsonWebKey`] has either the `use` or `key_ops` parameter set and one\n    /// of these parameters indicates that this key MAY NOT be used for signing\n    /// or verifying\n    #[error(\"key not allowed for signing\")]\n    OperationNotAllowed,\n    /// The algorithm can't be used with the provided [`JsonWebKeyType`]\n    #[error(\"this algorithm can't be used together with this JsonWebKey\")]\n    InvalidAlgorithm,\n    /// The provided [`JsonWebKeyType`] did not contain a [private\n    /// key](super::Private) which is needed by [`JwkSigner`] to create\n    /// signatures.\n    #[error(\"found variant which has no private key\")]\n    NoPrivateKey,\n    /// See the documentation of [`FromOctetSequenceError`] for details.\n    ///\n    /// Usually, [`FromOctetSequenceError::InvalidLength`] shouldn't be returend\n    /// since the key already exists at this point.\n    #[error(transparent)]\n    OctetSequence(#[from] FromOctetSequenceError),\n}\n\nimpl From\u003cInvalidSigningAlgorithmError\u003e for FromJwkError {\n    fn from(_: InvalidSigningAlgorithmError) -\u003e Self {\n        Self::InvalidAlgorithm\n    }\n}\n\n/// Abstract type with a variant for each [`Signer`]\n#[derive(Debug)]\nenum InnerSigner {\n    // symmetric algorithms\n    Hs256(hmac::Key\u003chmac::Hs256\u003e),\n    Hs384(hmac::Key\u003chmac::Hs384\u003e),\n    Hs512(hmac::Key\u003chmac::Hs512\u003e),\n    // asymmetric algorithms\n    Rsa(rsa::Signer),\n\n    Es256(ec::P256Signer),\n    Es384(ec::P384Signer),\n    Es512(ec::P521Signer),\n    Secp256k1(ec::Secp256k1Signer),\n\n    Ed25519(okp::Ed25519Signer),\n    Ed448(okp::Ed448Signer),\n}\n","traces":[{"line":62,"address":[],"length":0,"stats":{"Line":0}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":0}},{"line":79,"address":[],"length":0,"stats":{"Line":0}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":0}},{"line":86,"address":[],"length":0,"stats":{"Line":0}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":126,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":130,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":133,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":138,"address":[],"length":0,"stats":{"Line":0}},{"line":139,"address":[],"length":0,"stats":{"Line":0}},{"line":140,"address":[],"length":0,"stats":{"Line":0}},{"line":141,"address":[],"length":0,"stats":{"Line":0}},{"line":142,"address":[],"length":0,"stats":{"Line":0}},{"line":143,"address":[],"length":0,"stats":{"Line":0}},{"line":144,"address":[],"length":0,"stats":{"Line":0}},{"line":145,"address":[],"length":0,"stats":{"Line":0}},{"line":146,"address":[],"length":0,"stats":{"Line":0}},{"line":147,"address":[],"length":0,"stats":{"Line":0}},{"line":151,"address":[],"length":0,"stats":{"Line":0}},{"line":152,"address":[],"length":0,"stats":{"Line":0}},{"line":167,"address":[],"length":0,"stats":{"Line":0}},{"line":168,"address":[],"length":0,"stats":{"Line":0}},{"line":170,"address":[],"length":0,"stats":{"Line":0}},{"line":172,"address":[],"length":0,"stats":{"Line":0}},{"line":173,"address":[],"length":0,"stats":{"Line":0}},{"line":174,"address":[],"length":0,"stats":{"Line":0}},{"line":175,"address":[],"length":0,"stats":{"Line":0}},{"line":187,"address":[],"length":0,"stats":{"Line":0}},{"line":191,"address":[],"length":0,"stats":{"Line":0}},{"line":192,"address":[],"length":0,"stats":{"Line":0}},{"line":193,"address":[],"length":0,"stats":{"Line":0}},{"line":194,"address":[],"length":0,"stats":{"Line":0}},{"line":197,"address":[],"length":0,"stats":{"Line":0}},{"line":198,"address":[],"length":0,"stats":{"Line":0}},{"line":199,"address":[],"length":0,"stats":{"Line":0}},{"line":200,"address":[],"length":0,"stats":{"Line":0}},{"line":203,"address":[],"length":0,"stats":{"Line":0}},{"line":204,"address":[],"length":0,"stats":{"Line":0}},{"line":205,"address":[],"length":0,"stats":{"Line":0}},{"line":207,"address":[],"length":0,"stats":{"Line":0}},{"line":239,"address":[],"length":0,"stats":{"Line":0}},{"line":240,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":77},{"path":["/","home","stu","dev","rust","jose","src","jwk","symmetric.rs"],"content":"//! Symmetric cryptography for JWS and JWE\n\nuse alloc::string::String;\n\nuse secrecy::{ExposeSecret, SecretBox};\nuse serde::{de::Error, Deserialize, Deserializer, Serialize};\nuse subtle::ConstantTimeEq;\nuse zeroize::Zeroize;\n\nuse super::thumbprint::{self, Thumbprint};\nuse crate::{base64_url::Base64UrlBytes, jws::InvalidSigningAlgorithmError};\n\n/// Symmetric Keys\n///\n/// Symmetric keys only have a secret value, therefore, they MUST only be used\n/// in a protected environment.\n/// For example, with a symmetric key, checking the validity of a\n/// [`JsonWebSignature`](crate::JsonWebSignature) cannot be done on the client\n/// side, because it leaks the key and the client can then create own\n/// signatures.\n///\n/// See \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-6.4\u003e\n#[non_exhaustive]\n#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize, Hash)]\n#[serde(untagged)]\npub enum SymmetricJsonWebKey {\n    /// `oct` \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-6.4\u003e\n    OctetSequence(OctetSequence),\n}\n\nimpl crate::sealed::Sealed for SymmetricJsonWebKey {}\nimpl Thumbprint for SymmetricJsonWebKey {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            SymmetricJsonWebKey::OctetSequence(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\n/// [`OctetSequence`] is the simplest and only available\n/// [`SymmetricJsonWebKey`].\n///\n/// However, because its length is not defined, it cannot be generated directly.\n/// Instead, you should use [`HmacKey\u003cH\u003e`](crate::crypto::hmac::Key)\n/// with the appropriate key size, for example\n/// [`Hs512`](crate::crypto::hmac::Hs512) and then, if needed, convert\n/// it to a [`JsonWebKey`](crate::JsonWebKey) using\n/// [`IntoJsonWebKey`](crate::jwk::IntoJsonWebKey).\n///\n/// \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-6.4.1\u003e\n#[derive(Debug, Clone, Zeroize)]\npub struct OctetSequence(SecretBox\u003c[u8]\u003e);\n\nimpl OctetSequence {\n    pub(crate) fn new(x: SecretBox\u003c[u8]\u003e) -\u003e Self {\n        Self(x)\n    }\n\n    /// Returns the bytes of this octet sequence.\n    pub(crate) fn bytes(\u0026self) -\u003e \u0026SecretBox\u003c[u8]\u003e {\n        \u0026self.0\n    }\n\n    /// Returns the bytes of this octet sequence.\n    pub(crate) fn into_bytes(self) -\u003e SecretBox\u003c[u8]\u003e {\n        self.0\n    }\n\n    /// Returns the number of bytes that are in this octet sequence.\n    #[inline]\n    pub fn len(\u0026self) -\u003e usize {\n        self.0.expose_secret().len()\n    }\n\n    /// Returns `true` if this octet sequence has a length of zero.\n    #[inline]\n    pub fn is_empty(\u0026self) -\u003e bool {\n        self.len() == 0\n    }\n}\n\nimpl PartialEq for OctetSequence {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        bool::from(self.0.expose_secret().ct_eq(other.0.expose_secret()))\n    }\n}\nimpl Eq for OctetSequence {}\n\nimpl crate::sealed::Sealed for OctetSequence {}\nimpl Thumbprint for OctetSequence {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        thumbprint::serialize_key_thumbprint(self)\n    }\n}\n\nimpl From\u003cSymmetricJsonWebKey\u003e for super::JsonWebKeyType {\n    fn from(x: SymmetricJsonWebKey) -\u003e Self {\n        super::JsonWebKeyType::Symmetric(x)\n    }\n}\n\nimpl From\u003cOctetSequence\u003e for super::JsonWebKeyType {\n    fn from(x: OctetSequence) -\u003e Self {\n        super::JsonWebKeyType::Symmetric(SymmetricJsonWebKey::OctetSequence(x))\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for OctetSequence {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        #[derive(Deserialize)]\n        struct Repr {\n            kty: String,\n            k: Base64UrlBytes,\n        }\n\n        let repr = Repr::deserialize(deserializer)?;\n        if repr.kty != \"oct\" {\n            return Err(D::Error::custom(\"`kty` field is required to be `oct`\"));\n        }\n        Ok(Self(SecretBox::new(repr.k.0.into_boxed_slice())))\n    }\n}\n\nimpl Serialize for OctetSequence {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        #[derive(Serialize)]\n        struct Repr\u003c'a\u003e {\n            kty: \u0026'static str,\n            k: \u0026'a Base64UrlBytes,\n        }\n        Repr {\n            kty: \"oct\",\n            k: \u0026Base64UrlBytes(self.0.expose_secret().to_vec()),\n        }\n        .serialize(serializer)\n    }\n}\n\n/// An error that can occur when creating an\n/// [`HmacKey`](crate::crypto::hmac::Key) from an [`OctetSequence`].\n#[derive(Debug, thiserror::Error)]\npub enum FromOctetSequenceError {\n    /// An invalid signing algorithm was used\n    #[error(transparent)]\n    InvalidSigningAlgorithm(#[from] InvalidSigningAlgorithmError),\n\n    /// A key from which a signer should've been created had an invalid length\n    #[error(\"the length of the is invalid\")]\n    InvalidLength,\n\n    /// Crypto backend threw an unknown error.\n    #[error(\"the crypto backend failed\")]\n    Crypto(\n        #[from]\n        #[source]\n        crate::crypto::Error,\n    ),\n}\n","traces":[{"line":33,"address":[],"length":0,"stats":{"Line":6}},{"line":34,"address":[],"length":0,"stats":{"Line":6}},{"line":35,"address":[],"length":0,"stats":{"Line":6}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":1}},{"line":72,"address":[],"length":0,"stats":{"Line":1}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":3}},{"line":84,"address":[],"length":0,"stats":{"Line":3}},{"line":91,"address":[],"length":0,"stats":{"Line":6}},{"line":92,"address":[],"length":0,"stats":{"Line":6}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":65}},{"line":119,"address":[],"length":0,"stats":{"Line":130}},{"line":120,"address":[],"length":0,"stats":{"Line":0}},{"line":121,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":6}},{"line":128,"address":[],"length":0,"stats":{"Line":10}},{"line":139,"address":[],"length":0,"stats":{"Line":10}},{"line":141,"address":[],"length":0,"stats":{"Line":10}}],"covered":15,"coverable":29},{"path":["/","home","stu","dev","rust","jose","src","jwk","thumbprint.rs"],"content":"use alloc::{collections::BTreeMap, string::String};\n\nuse serde::Serialize;\n\nuse crate::sealed::Sealed;\n\n/// This trait is implemented by all key types, and can be used\n/// to compute the thumbprint of any private, public or symmetric key.\n///\n/// If you want to use custom hashing functions, call the\n/// [`Self::thumbprint_prehashed`] method and hash the result yourself.\npub trait Thumbprint: Sealed {\n    /// Compute the thumbprint JSON string of this key.\n    ///\n    /// This method does not perform any hashing, it only returns\n    /// the constructed JSON string, so that it can be hashed\n    /// with some custom hashing algorithm that is not supported\n    /// natively by this crate.\n    ///\n    /// For common hashing methods have a look at these methods:\n    ///\n    /// - SHA256 - [`thumbprint_sha256`](Self::thumbprint_sha256)\n    /// - SHA384 - [`thumbprint_sha384`](Self::thumbprint_sha384)\n    /// - SHA512 - [`thumbprint_sha512`](Self::thumbprint_sha512)\n    ///\n    /// # Errors\n    ///\n    /// This method can fail if the underlying key fails to be serialized.\n    fn thumbprint_prehashed(\u0026self) -\u003e String;\n\n    /// Computes the SHA256-hashed thumbprint of this key.\n    ///\n    /// # Errors\n    ///\n    /// This method can fail if the underlying key fails to be serialized.\n    fn thumbprint_sha256(\u0026self) -\u003e [u8; 32] {\n        let msg = self.thumbprint_prehashed();\n        crate::crypto::sha256(msg.as_bytes())\n    }\n\n    /// Computes the SHA384-hashed thumbprint of this key.\n    ///\n    /// # Errors\n    ///\n    /// This method can fail if the underlying key fails to be serialized.\n    fn thumbprint_sha384(\u0026self) -\u003e [u8; 48] {\n        let msg = self.thumbprint_prehashed();\n        crate::crypto::sha384(msg.as_bytes())\n    }\n\n    /// Computes the SHA512-hashed thumbprint of this key.\n    ///\n    /// # Errors\n    ///\n    /// This method can fail if the underlying key fails to be serialized.\n    fn thumbprint_sha512(\u0026self) -\u003e [u8; 64] {\n        let msg = self.thumbprint_prehashed();\n        crate::crypto::sha512(msg.as_bytes())\n    }\n}\n\npub(crate) fn serialize_key_thumbprint\u003cT: Serialize\u003e(key: \u0026T) -\u003e String {\n    let obj = serde_json::to_value(key).expect(\"serialization of OctetSequence can not fail\");\n\n    let map = match obj {\n        serde_json::Value::Object(map) =\u003e BTreeMap::from_iter(map),\n        _ =\u003e unreachable!(\"all keytypes must serialize to structs\"),\n    };\n\n    serde_json::to_string(\u0026map).expect(\"BTreeMap serialization can not fail\")\n}\n","traces":[{"line":36,"address":[],"length":0,"stats":{"Line":33}},{"line":37,"address":[],"length":0,"stats":{"Line":33}},{"line":38,"address":[],"length":0,"stats":{"Line":33}},{"line":46,"address":[],"length":0,"stats":{"Line":21}},{"line":47,"address":[],"length":0,"stats":{"Line":21}},{"line":48,"address":[],"length":0,"stats":{"Line":21}},{"line":56,"address":[],"length":0,"stats":{"Line":21}},{"line":57,"address":[],"length":0,"stats":{"Line":21}},{"line":58,"address":[],"length":0,"stats":{"Line":21}},{"line":62,"address":[],"length":0,"stats":{"Line":78}},{"line":63,"address":[],"length":0,"stats":{"Line":78}},{"line":65,"address":[],"length":0,"stats":{"Line":156}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":70,"address":[],"length":0,"stats":{"Line":0}}],"covered":12,"coverable":14},{"path":["/","home","stu","dev","rust","jose","src","jwk","verifier.rs"],"content":"use alloc::borrow::ToOwned;\n\nuse super::{\n    private::EcPrivate, public::EcPublic, AsymmetricJsonWebKey, FromJwkError, FromKey, OkpPrivate,\n    OkpPublic, Private, Public, SymmetricJsonWebKey,\n};\nuse crate::{\n    crypto::{ec, hmac, okp, rsa},\n    jwa::{Hmac, JsonWebAlgorithm, JsonWebSigningAlgorithm},\n    jwk::{\n        policy::{Checked, CryptographicOperation, Policy},\n        JsonWebKeyType,\n    },\n    jws::{IntoVerifier, InvalidSigningAlgorithmError, Verifier, VerifyError},\n    JsonWebKey,\n};\n#[derive(Debug)]\n/// An abstract [`Verifier`] over all possible [key types](JsonWebKeyType)\npub struct JwkVerifier {\n    inner: InnerVerifier,\n}\n\nimpl JwkVerifier {\n    /// Create a [`JwkVerifier`] from a [`JsonWebKeyType`] used with the\n    /// provided [`JsonWebAlgorithm`].\n    ///\n    /// # Errors\n    ///\n    /// This function returns an error if the provided [`JsonWebAlgorithm`] and\n    /// the actual [`JsonWebKeyType`] don't match. Since this type is the\n    /// counterpart to [`JwkSigner`](super::JwkSigner) it behaves almost\n    /// identical. See it's error documentation for details.\n    pub fn new(key: JsonWebKeyType, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cSelf, FromJwkError\u003e {\n        Ok(Self {\n            inner: match key {\n                JsonWebKeyType::Asymmetric(key) =\u003e match *key {\n                    AsymmetricJsonWebKey::Public(key) =\u003e match key {\n                        Public::Ec(key) =\u003e match key {\n                            EcPublic::P256(key) =\u003e InnerVerifier::Es256(key.into_verifier(alg)?),\n                            EcPublic::P384(key) =\u003e InnerVerifier::Es384(key.into_verifier(alg)?),\n                            EcPublic::P521(key) =\u003e InnerVerifier::Es512(key.into_verifier(alg)?),\n                            EcPublic::Secp256k1(key) =\u003e {\n                                InnerVerifier::Secp256k1(key.into_verifier(alg)?)\n                            }\n                        },\n                        Public::Rsa(key) =\u003e InnerVerifier::Rsa(key.into_verifier(alg)?),\n                        Public::Okp(key) =\u003e match key {\n                            OkpPublic::Ed25519(key) =\u003e {\n                                InnerVerifier::Ed25519(key.into_verifier(alg)?)\n                            }\n                            OkpPublic::Ed448(key) =\u003e InnerVerifier::Ed448(key.into_verifier(alg)?),\n                        },\n                    },\n                    AsymmetricJsonWebKey::Private(key) =\u003e match key {\n                        Private::Ec(key) =\u003e match key {\n                            EcPrivate::P256(key) =\u003e InnerVerifier::Es256(key.into_verifier(alg)?),\n                            EcPrivate::P384(key) =\u003e InnerVerifier::Es384(key.into_verifier(alg)?),\n                            EcPrivate::P521(key) =\u003e InnerVerifier::Es512(key.into_verifier(alg)?),\n                            EcPrivate::Secp256k1(key) =\u003e {\n                                InnerVerifier::Secp256k1(key.into_verifier(alg)?)\n                            }\n                        },\n                        Private::Rsa(key) =\u003e InnerVerifier::Rsa((*key).into_verifier(alg)?),\n                        Private::Okp(key) =\u003e match key {\n                            OkpPrivate::Ed25519(key) =\u003e {\n                                InnerVerifier::Ed25519(key.into_verifier(alg)?)\n                            }\n                            OkpPrivate::Ed448(key) =\u003e InnerVerifier::Ed448(key.into_verifier(alg)?),\n                        },\n                    },\n                },\n                JsonWebKeyType::Symmetric(key) =\u003e match key {\n                    SymmetricJsonWebKey::OctetSequence(ref key) =\u003e match alg {\n                        JsonWebSigningAlgorithm::Hmac(hs) =\u003e match hs {\n                            Hmac::Hs256 =\u003e InnerVerifier::Hs256(key.into_verifier(alg)?),\n                            Hmac::Hs384 =\u003e InnerVerifier::Hs384(key.into_verifier(alg)?),\n                            Hmac::Hs512 =\u003e InnerVerifier::Hs512(key.into_verifier(alg)?),\n                        },\n                        _ =\u003e Err(InvalidSigningAlgorithmError)?,\n                    },\n                },\n            },\n        })\n    }\n}\n\nimpl Verifier for JwkVerifier {\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), VerifyError\u003e {\n        match \u0026mut self.inner {\n            InnerVerifier::Hs256(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Hs384(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Hs512(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Rsa(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Es256(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Es384(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Es512(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Secp256k1(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Ed448(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Ed25519(verifier) =\u003e verifier.verify(msg, signature),\n        }\n    }\n}\n\nimpl\u003cT, P\u003e FromKey\u003cChecked\u003cJsonWebKey\u003cT\u003e, P\u003e\u003e for JwkVerifier\nwhere\n    P: Policy,\n{\n    type Error = FromJwkError;\n\n    /// Create a [`JwkVerifier`] form a [`JsonWebKey`] overwriting\n    /// [`JsonWebKey::algorithm`] with `alg`.\n    fn from_key(\n        jwk: Checked\u003cJsonWebKey\u003cT\u003e, P\u003e,\n        alg: JsonWebAlgorithm,\n    ) -\u003e Result\u003cSelf, Self::Error\u003e {\n        if let Some(usage) = jwk.key_usage() {\n            jwk.policy()\n                .may_perform_operation_key_use(CryptographicOperation::Verify, usage)\n                .map_err(|_| FromJwkError::OperationNotAllowed)?\n        }\n\n        if let Some(ops) = jwk.key_operations() {\n            jwk.policy()\n                .may_perform_operation_key_ops(CryptographicOperation::Verify, ops)\n                .map_err(|_| FromJwkError::OperationNotAllowed)?\n        }\n\n        match alg {\n            JsonWebAlgorithm::Encryption(..) | JsonWebAlgorithm::Other(..) =\u003e {\n                Err(FromJwkError::InvalidAlgorithm)\n            }\n            JsonWebAlgorithm::Signing(alg) =\u003e Self::new(jwk.into_type().key_type, alg),\n        }\n    }\n}\n\nimpl\u003cT, P\u003e TryFrom\u003cChecked\u003cJsonWebKey\u003cT\u003e, P\u003e\u003e for JwkVerifier\nwhere\n    P: Policy,\n{\n    type Error = FromJwkError;\n\n    /// Create a [`JwkVerifier`] from a [`JsonWebKey`]\n    ///\n    /// # Errors\n    ///\n    /// This conversion fails if [`JsonWebKey::algorithm`] is [`None`]\n    fn try_from(jwk: Checked\u003cJsonWebKey\u003cT\u003e, P\u003e) -\u003e Result\u003cSelf, Self::Error\u003e {\n        let alg = jwk\n            .algorithm()\n            .ok_or(FromJwkError::InvalidAlgorithm)?\n            .to_owned();\n        JwkVerifier::from_key(jwk, alg)\n    }\n}\n/// Abstract type with a variant for each [`Verifier`]\n#[derive(Debug)]\nenum InnerVerifier {\n    // symmetric algorithms\n    Hs256(hmac::Key\u003chmac::Hs256\u003e),\n    Hs384(hmac::Key\u003chmac::Hs384\u003e),\n    Hs512(hmac::Key\u003chmac::Hs512\u003e),\n    // asymmetric algorithms\n    Rsa(rsa::Verifier),\n\n    Es256(ec::P256Verifier),\n    Es384(ec::P384Verifier),\n    Es512(ec::P521Verifier),\n    Secp256k1(ec::Secp256k1Verifier),\n\n    Ed25519(okp::Ed25519Verifier),\n    Ed448(okp::Ed448Verifier),\n}\n","traces":[{"line":33,"address":[],"length":0,"stats":{"Line":0}},{"line":34,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":37,"address":[],"length":0,"stats":{"Line":0}},{"line":38,"address":[],"length":0,"stats":{"Line":0}},{"line":39,"address":[],"length":0,"stats":{"Line":0}},{"line":40,"address":[],"length":0,"stats":{"Line":0}},{"line":41,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":43,"address":[],"length":0,"stats":{"Line":0}},{"line":46,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":51,"address":[],"length":0,"stats":{"Line":0}},{"line":54,"address":[],"length":0,"stats":{"Line":0}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":79,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":90,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":94,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":0}},{"line":119,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":130,"address":[],"length":0,"stats":{"Line":0}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":148,"address":[],"length":0,"stats":{"Line":0}},{"line":149,"address":[],"length":0,"stats":{"Line":0}},{"line":151,"address":[],"length":0,"stats":{"Line":0}},{"line":153,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":64},{"path":["/","home","stu","dev","rust","jose","src","jwk.rs"],"content":"//! [`JsonWebKey`] and connected things\n\nuse alloc::{boxed::Box, string::String, vec, vec::Vec};\nuse core::{\n    fmt::Debug,\n    ops::{ControlFlow, Deref},\n};\n\nuse hashbrown::HashSet;\nuse serde::{de::DeserializeOwned, Deserialize, Serialize};\n\nuse crate::{\n    crypto::hmac::{self, Variant as _},\n    jwa::{\n        AesGcm, AesKw, EcDSA, Hmac, JsonWebAlgorithm, JsonWebEncryptionAlgorithm,\n        JsonWebSigningAlgorithm, Pbes2,\n    },\n    sealed::Sealed,\n    uri::BorrowedUri,\n    UntypedAdditionalProperties, Uri,\n};\n\npub mod symmetric;\n\nmod asymmetric;\nmod builder;\nmod key_ops;\nmod key_use;\npub mod policy;\nmod private;\nmod public;\npub(crate) mod serde_impl;\nmod signer;\npub(crate) mod thumbprint;\nmod verifier;\n\n#[doc(inline)]\npub use self::{\n    asymmetric::AsymmetricJsonWebKey,\n    builder::{JsonWebKeyBuildError, JsonWebKeyBuilder},\n    key_ops::KeyOperation,\n    key_use::KeyUsage,\n    private::{EcPrivate, OkpPrivate, Private},\n    public::{EcPublic, OkpPublic, Public},\n    signer::{FromJwkError, JwkSigner},\n    symmetric::SymmetricJsonWebKey,\n    thumbprint::Thumbprint,\n    verifier::JwkVerifier,\n};\nuse self::{\n    policy::{Checkable, Checked, CryptographicOperation, Policy, PolicyError as _},\n    serde_impl::Base64DerCertificate,\n};\n\n/// A [`JsonWebKey`] is a [JSON Object](serde_json::Value::Object) representing\n/// the components of a cryptographic keys that can be used for\n/// [JWE](crate::jwe::JsonWebEncryption) and\n/// [JWS](crate::jws::JsonWebSignature).\n///\n/// The format of Json Web Keys is defined in [RFC 7517] with key specific\n/// parameters defined in [section 6 of RFC 7518]. The [`JsonWebKey`] struct is\n/// an abstract representation of all possible key types. The [`JsonWebKeyType`]\n/// enum is used to specialize on concrete key type.\n///\n/// # Comparison and equality\n///\n/// It is not defined how to determine if a [`JsonWebKey`] is [equal](PartialEq)\n/// to another. Therefore, [`JsonWebKey`] *does not* implement [`PartialEq`].\n/// If you want to compare a [`JsonWebKey`], you should either use something\n/// like the [`kid`](JsonWebKey::key_id) parameter or a [`Thumbprint`] of\n/// the key (or ideally, a [`Thumbprint`] as [`kid`](JsonWebKey::key_id)).\n///\n/// You should *avoid* comparing the serialized form of a [`JsonWebKey`] as it\n/// may contain optional parameters, which may not always be present and would\n/// lead to unexpected results.\n///\n/// # Examples\n///\n/// Parse a JsonWebKey from its json representation:\n///\n/// ```\n/// # // std is available in tests\n/// # fn main() -\u003e Result\u003c(), Box\u003cdyn std::error::Error\u003e\u003e {\n/// use jose::{jwk::KeyUsage, JsonWebKey};\n///\n/// // The following json object represents a RSA key used for signing\n/// let json = r#\"\n/// {\n///  \"kty\": \"RSA\",\n///  \"kid\": \"bilbo.baggins@hobbiton.example\",\n///  \"use\": \"sig\",\n///  \"n\": \"n4EPtAOCc9AlkeQHPzHStgAbgs7bTZLwUBZdR8_KuKPEHLd4rHVTeT-O-XV2jRojdNhxJWTDvNd7nqQ0VEiZQHz_AJmSCpMaJMRBSFKrKb2wqVwGU_NsYOYL-QtiWN2lbzcEe6XC0dApr5ydQLrHqkHHig3RBordaZ6Aj-oBHqFEHYpPe7Tpe-OfVfHd1E6cS6M1FZcD1NNLYD5lFHpPI9bTwJlsde3uhGqC0ZCuEHg8lhzwOHrtIQbS0FVbb9k3-tVTU4fg_3L_vniUFAKwuCLqKnS2BYwdq_mzSnbLY7h_qixoR7jig3__kRhuaxwUkRz5iaiQkqgc5gHdrNP5zw\",\n///  \"e\": \"AQAB\"\n/// }\"#;\n///\n/// // deserialize the key from it's json representation using serde_json\n/// let jwk: JsonWebKey = serde_json::from_str(json)?;\n///\n/// // You can use the JsonWebKey to access parameters defined by the spec.\n/// // For example, we might want to ensure that this key is for signing by\n/// // checking the `use` parameter\n/// assert_eq!(jwk.key_usage(), Some(\u0026KeyUsage::Signing));\n/// # Ok(())\n/// # }\n/// ```\n///\n/// ## Additional parameters\n///\n/// The spec allows custom/additional parameters that are not registered in the\n/// [IANA `JSON Web Key Parameters` registry]. The `A` generic parameter of\n/// [`JsonWebKey\u003cA\u003e`] allows you to bring your own type to do just that.\n///\n/// To do so, create a container type that holds all your parameters (and maybe\n/// even another container).\n/// Imagine we have a custom parameter `intended_party` which holds a [`String`]\n/// identifying the application which should use the [`JsonWebKey`]:\n///\n/// ```\n/// # fn main() -\u003e Result\u003c(), Box\u003cdyn std::error::Error\u003e\u003e {\n/// use jose::JsonWebKey;\n/// use serde::{Deserialize, Serialize};\n///\n/// // don't forget to derive or implement the serde traits since they are used for (de)serialization\n/// #[derive(Deserialize, Serialize)]\n/// struct MyCustomParameters {\n///     intended_party: String,\n/// }\n///\n/// /// A type alias so we dont have to type so much\n/// type MyJsonWebKey = JsonWebKey\u003cMyCustomParameters\u003e;\n///\n/// // consider the same key as before but this time it needs our custom parameter `intended_party`\n/// let json = r#\"\n/// {\n///  \"intended_party\": \"my_application\",\n///  \"kty\": \"RSA\",\n///  \"kid\": \"bilbo.baggins@hobbiton.example\",\n///  \"use\": \"sig\",\n///  \"n\": \"n4EPtAOCc9AlkeQHPzHStgAbgs7bTZLwUBZdR8_KuKPEHLd4rHVTeT-O-XV2jRojdNhxJWTDvNd7nqQ0VEiZQHz_AJmSCpMaJMRBSFKrKb2wqVwGU_NsYOYL-QtiWN2lbzcEe6XC0dApr5ydQLrHqkHHig3RBordaZ6Aj-oBHqFEHYpPe7Tpe-OfVfHd1E6cS6M1FZcD1NNLYD5lFHpPI9bTwJlsde3uhGqC0ZCuEHg8lhzwOHrtIQbS0FVbb9k3-tVTU4fg_3L_vniUFAKwuCLqKnS2BYwdq_mzSnbLY7h_qixoR7jig3__kRhuaxwUkRz5iaiQkqgc5gHdrNP5zw\",\n///  \"e\": \"AQAB\"\n/// }\"#;\n///\n/// let jwk: MyJsonWebKey = serde_json::from_str(json)?;\n///\n/// // access the custom parameter\n/// assert_eq!(\"my_application\", jwk.additional().intended_party.as_str());\n/// # Ok(())\n/// # }\n/// ```\n///\n/// ### Implementing [`Checkable`] for your additional type\n///\n/// The [`Checkable`] trait should be implemented by types that can utilize some\n/// (potentially expensive) checks to ensure their validity optionally using a\n/// [`Policy`]. For example, [`JsonWebKey`] implements the [`Checkable`] trait\n/// to validate some parameters which can't be validated during deserialization.\n///\n/// For [`JsonWebKey`] to implement [`Checkable`], your additional type also\n/// needs to implement [`Checkable`]. If we recall the example from before, we\n/// might want to ensure that our `intended_party` parameter containts only\n/// ascii characters. An implementation for that purpose might look like this:\n/// ```\n/// # fn main() -\u003e Result\u003c(), Box\u003cdyn std::error::Error\u003e\u003e {\n/// use jose::jwk::policy::{Checkable, Checked, Policy, PolicyError};\n/// use serde::{Deserialize, Serialize};\n/// // our type from before\n/// #[derive(Deserialize, Serialize)]\n/// struct MyCustomParameters {\n///     intended_party: String,\n/// }\n///\n/// impl Checkable for MyCustomParameters {\n///     fn check\u003cP: Policy\u003e(self, policy: P) -\u003e Result\u003cChecked\u003cSelf, P\u003e, (Self, P::Error)\u003e {\n///         if self.intended_party.is_ascii() {\n///             Ok(Checked::new(self, policy))\n///         } else {\n///             Err((\n///                 self,\n///                 \u003cP::Error as PolicyError\u003e::custom(\n///                     \"`intended_party` parameter must contain ascii characters only\",\n///                 ),\n///             ))\n///         }\n///     }\n/// }\n/// # Ok(())\n/// # }\n/// ```\n///\n/// [RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517\u003e\n/// [section 6 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-6\u003e\n/// [IANA `Json Web Key Parameters` registry]: \u003chttps://www.iana.org/assignments/jose/jose.xhtml#web-key-parameters\u003e\n#[derive(Debug, Deserialize, Serialize, Clone)]\npub struct JsonWebKey\u003cA = ()\u003e {\n    /// Additional members in the JWK as permitted by the fourth paragraph of\n    /// [section 4]\n    ///\n    /// [section 4]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4\u003e\n    // Note: `A` is first because otherwise it is possible to overwrite parameters set by us\n    #[serde(flatten)]\n    additional: A,\n    /// `kty` parameter section 4.1\n    /// Note that the [`JsonWebKeyType`] enum does way more than just\n    /// checking/storing the `kty` parameter\n    #[serde(flatten)]\n    key_type: JsonWebKeyType,\n    /// `use` parameter section 4.2\n    #[serde(rename = \"use\", skip_serializing_if = \"Option::is_none\")]\n    key_use: Option\u003cKeyUsage\u003e,\n    /// `key_ops` parameter section 4.3\n    #[serde(\n        deserialize_with = \"serde_impl::deserialize_ensure_set\",\n        rename = \"key_ops\",\n        skip_serializing_if = \"Option::is_none\",\n        // default needed because else serde will error if the `key_ops` parameter is not present\n        default\n    )]\n    key_operations: Option\u003cHashSet\u003cKeyOperation\u003e\u003e,\n    /// `alg` parameter section 4.4\n    #[serde(rename = \"alg\", skip_serializing_if = \"Option::is_none\")]\n    algorithm: Option\u003cJsonWebAlgorithm\u003e,\n    /// `kid` parameter section 4.4\n    // FIXME: Consider an enum if this value is a valid JWK Thumbprint,\n    // see \u003chttps://www.rfc-editor.org/rfc/rfc7638\u003e\n    #[serde(skip_serializing_if = \"Option::is_none\")]\n    kid: Option\u003cString\u003e,\n    /// `x5u` parameter section 4.6\n    // FIXME: considerung to ensure the protocol\n    // uses TLS or some other form of integrity protection.\n    // There are other things to consider, see the relevant section in the RFC.\n    #[serde(rename = \"x5u\", skip_serializing_if = \"Option::is_none\")]\n    x509_url: Option\u003cUri\u003e,\n    /// `x5c` parameter section 4.7\n    // If the `x5c` parameter is not present, this will be an empty Vec\n    // FIXME: find a good way and crate to parse the DER-encoded X.509 certificate(s)\n    #[serde(rename = \"x5c\", skip_serializing_if = \"Vec::is_empty\", default)]\n    x509_certificate_chain: Vec\u003cBase64DerCertificate\u003e,\n    /// `x5t` parameter section 4.8\n    #[serde(\n        serialize_with = \"serde_impl::serialize_ga_sha1\",\n        deserialize_with = \"serde_impl::deserialize_ga_sha1\",\n        rename = \"x5t\",\n        default,\n        skip_serializing_if = \"Option::is_none\"\n    )]\n    x509_certificate_sha1_thumbprint: Option\u003c[u8; 20]\u003e,\n    /// `x5t#S256` parameter section 4.9\n    #[serde(\n        serialize_with = \"serde_impl::serialize_ga_sha256\",\n        deserialize_with = \"serde_impl::deserialize_ga_sha256\",\n        rename = \"x5t#S256\",\n        default,\n        skip_serializing_if = \"Option::is_none\"\n    )]\n    x509_certificate_sha256_thumbprint: Option\u003c[u8; 32]\u003e,\n}\n\nimpl JsonWebKey\u003c()\u003e {\n    pub(crate) fn new_with_algorithm(\n        key_type: JsonWebKeyType,\n        alg: Option\u003cJsonWebAlgorithm\u003e,\n    ) -\u003e Self {\n        Self {\n            key_type,\n            key_use: None,\n            key_operations: None,\n            algorithm: alg,\n            kid: None,\n            x509_url: None,\n            x509_certificate_chain: vec![],\n            x509_certificate_sha1_thumbprint: None,\n            x509_certificate_sha256_thumbprint: None,\n            additional: (),\n        }\n    }\n}\n\nimpl JsonWebKey\u003c()\u003e {\n    /// Create a [`JsonWebKeyBuilder`] to construct a new JWK.\n    pub fn builder(key_type: impl Into\u003cJsonWebKeyType\u003e) -\u003e JsonWebKeyBuilder\u003c()\u003e {\n        JsonWebKeyBuilder::new(key_type)\n    }\n}\n\nimpl\u003cT\u003e JsonWebKey\u003cT\u003e {\n    /// Turn this Json Web Key into a builder to modify it's contents.\n    pub fn into_builder(self) -\u003e JsonWebKeyBuilder\u003cT\u003e {\n        JsonWebKeyBuilder {\n            key_type: self.key_type,\n            key_use: self.key_use,\n            key_operations: self.key_operations,\n            algorithm: self.algorithm,\n            kid: self.kid,\n            x509_url: self.x509_url,\n            x509_certificate_chain: self.x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: self.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: self.x509_certificate_sha256_thumbprint,\n            additional: self.additional,\n        }\n    }\n\n    /// [Section 4.1 of RFC 7517] defines the `kty` (Key Type) Parameter.\n    ///\n    /// Since the `kty` parameter is used to distinguish different key types, we\n    /// use the [`JsonWebKeyType`] to also store key specific data. You can\n    /// match the [`JsonWebKeyType`] to determine the exact key type used.\n    ///\n    /// [Section 4.1 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.1\u003e\n    pub fn key_type(\u0026self) -\u003e \u0026JsonWebKeyType {\n        \u0026self.key_type\n    }\n\n    /// [Section 4.2 of RFC 7517] defines the `use` (Public Key Use) Parameter.\n    ///\n    /// See the documentation of [`KeyUsage`] for details.\n    ///\n    /// [Section 4.2 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.2\u003e\n    pub fn key_usage(\u0026self) -\u003e Option\u003c\u0026KeyUsage\u003e {\n        self.key_use.as_ref()\n    }\n\n    /// [Section 4.3 of RFC 7517] defines the `key_ops` (Key Operations)\n    /// Parameter.\n    ///\n    /// It is a set of different operations a key may perform.\n    /// See the documentation of [`KeyOperation`] for details.\n    ///\n    /// [Section 4.3 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.3\u003e\n    pub fn key_operations(\u0026self) -\u003e Option\u003c\u0026HashSet\u003cKeyOperation\u003e\u003e {\n        self.key_operations.as_ref()\n    }\n\n    /// [Section 4.4 of RFC 7517] defines the `alg` (Algorithm) Parameter.\n    ///\n    /// See the documentation of [`JsonWebAlgorithm`] for details.\n    ///\n    /// [Section 4.4 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.4\u003e\n    pub fn algorithm(\u0026self) -\u003e Option\u003c\u0026JsonWebAlgorithm\u003e {\n        self.algorithm.as_ref()\n    }\n\n    /// [Section 4.5 of RFC 7517] defines the `kid` (Key ID) Parameter.\n    ///\n    /// [Section 4.5 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.5\u003e\n    pub fn key_id(\u0026self) -\u003e Option\u003c\u0026str\u003e {\n        self.kid.as_deref()\n    }\n\n    /// [Section 4.6 of RFC 7517] defines the `x5u` (X.509 URL) Parameter.\n    ///\n    /// [Section 4.6 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.6\u003e\n    pub fn x509_url(\u0026self) -\u003e Option\u003cBorrowedUri\u003c'_\u003e\u003e {\n        self.x509_url.as_ref().map(|x| x.borrow())\n    }\n\n    /// [Section 4.7 of RFC 7517] defines the `x5c` (X.509 Certificate Chain)\n    /// Parameter.\n    ///\n    /// This parameter is a list of X.509 certificates. The first certificate in\n    /// the [`ExactSizeIterator`] returned by this method is the PKIX\n    /// certificate containing the key value as required by the RFC. Note\n    /// that this parameter is OPTIONAL and if not present, this\n    /// [`ExactSizeIterator`] will be empty ([`next`](Iterator::next) will be\n    /// [`None`] and [`len`](ExactSizeIterator::len) will be `0`).\n    ///\n    /// Each [`Item`](Iterator::Item) will be the byte representation of a\n    /// DER-encoded X.509 certificate.\n    ///\n    /// [Section 4.7 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.7\u003e\n    pub fn x509_certificate_chain(\u0026self) -\u003e impl ExactSizeIterator\u003cItem = \u0026[u8]\u003e {\n        self.x509_certificate_chain.iter().map(Deref::deref)\n    }\n\n    /// [Section 4.8 of RFC 7517] defines the `x5t` (X.509 Certificate SHA-1\n    /// Thumbprint) Parameter.\n    ///\n    /// It is the SHA-1 hash of the DER-encoded X.509 certificate.\n    ///\n    /// # Warning: Cryptographically broken!\n    ///\n    /// TL;DR: check if you can use the [SHA-256\n    /// thumbprint](JsonWebKey::x509_certificate_sha256_thumbprint) instead.\n    ///\n    /// The following text is taken from the `sha1` crate: \\\n    /// The SHA-1 hash function should be considered cryptographically broken\n    /// and unsuitable for further use in any security critical capacity, as it\n    /// is [practically vulnerable to chosen-prefix collisions](https://sha-mbles.github.io/).\n    ///\n    /// [Section 4.8 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.8\u003e\n    // replace the hardcoded output size with the Sha1::OutputsizeUser value then\n    // they use const generics\n    pub fn x509_certificate_sha1_thumbprint(\u0026self) -\u003e Option\u003c\u0026[u8; 20]\u003e {\n        self.x509_certificate_sha1_thumbprint.as_ref()\n    }\n\n    /// [Section 4.9 of RFC 7517] defines the `x5t#S256` (X.509 Certificate\n    /// SHA-256 Thumbprint) Parameter.\n    ///\n    /// It is the SHA-256 hash of the DER-encoded X.509 certificate.\n    ///\n    /// [Section 4.9 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.9\u003e\n    pub fn x509_certificate_sha256_thumbprint(\u0026self) -\u003e Option\u003c\u0026[u8; 32]\u003e {\n        self.x509_certificate_sha256_thumbprint.as_ref()\n    }\n\n    /// Additional members in the [`JsonWebKey`] as permitted by the fourth\n    /// paragraph of [section 4 in RFC 7517]\n    ///\n    /// [section 4 in RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4\u003e\n    pub fn additional(\u0026self) -\u003e \u0026T {\n        \u0026self.additional\n    }\n\n    /// Checks if this [`JsonWebKey`] is a symmetric key.\n    #[inline]\n    pub fn is_symmetric(\u0026self) -\u003e bool {\n        matches!(self.key_type, JsonWebKeyType::Symmetric(_))\n    }\n\n    /// Checks if this [`JsonWebKey`] is an asymmetric key.\n    #[inline]\n    pub fn is_asymmetric(\u0026self) -\u003e bool {\n        matches!(self.key_type, JsonWebKeyType::Asymmetric(_))\n    }\n\n    /// Checks if this [`JsonWebKey`] can be used for signing.\n    ///\n    /// For asymmetric keys, this method is equivalent to checking\n    /// if this key is a private key.\n    /// For symmetric keys, this always returns `true`.\n    #[inline]\n    pub fn is_signing_key(\u0026self) -\u003e bool {\n        match self.key_type() {\n            JsonWebKeyType::Symmetric(_) =\u003e true,\n            JsonWebKeyType::Asymmetric(ref key) =\u003e match \u0026**key {\n                AsymmetricJsonWebKey::Private(_) =\u003e true,\n                AsymmetricJsonWebKey::Public(_) =\u003e false,\n            },\n        }\n    }\n\n    /// Strips the secret material from this [`JsonWebKey`].\n    ///\n    /// After calling this method, the key can safely be shared as it\n    /// only contains the public parts.\n    ///\n    /// For symmetric keys, this method returns [`None`], as symmetric\n    /// keys will always hold the secret material.\n    #[doc(alias = \"strip_private_material\")]\n    pub fn strip_secret_material(mut self) -\u003e Option\u003cSelf\u003e {\n        let key = match self.key_type {\n            JsonWebKeyType::Symmetric(_) =\u003e return None,\n            JsonWebKeyType::Asymmetric(ref key) =\u003e key,\n        };\n\n        match \u0026**key {\n            // public keys are no-ops\n            AsymmetricJsonWebKey::Public(_) =\u003e Some(self),\n            AsymmetricJsonWebKey::Private(Private::Okp(okp)) =\u003e {\n                let key = match okp {\n                    OkpPrivate::Ed25519(key) =\u003e OkpPublic::Ed25519(key.to_public_key()),\n                    OkpPrivate::Ed448(key) =\u003e OkpPublic::Ed448(key.to_public_key()),\n                };\n\n                self.key_type = JsonWebKeyType::Asymmetric(Box::new(AsymmetricJsonWebKey::Public(\n                    Public::Okp(key),\n                )));\n\n                Some(self)\n            }\n            AsymmetricJsonWebKey::Private(Private::Ec(ec)) =\u003e {\n                let pub_key = match ec {\n                    EcPrivate::P256(key) =\u003e EcPublic::P256(key.to_public_key()),\n                    EcPrivate::P384(key) =\u003e EcPublic::P384(key.to_public_key()),\n                    EcPrivate::P521(key) =\u003e EcPublic::P521(key.to_public_key()),\n                    EcPrivate::Secp256k1(key) =\u003e EcPublic::Secp256k1(key.to_public_key()),\n                };\n\n                self.key_type = JsonWebKeyType::Asymmetric(Box::new(AsymmetricJsonWebKey::Public(\n                    Public::Ec(pub_key),\n                )));\n\n                Some(self)\n            }\n            AsymmetricJsonWebKey::Private(Private::Rsa(rsa)) =\u003e {\n                let pub_key = Public::Rsa(rsa.to_public_key());\n\n                self.key_type =\n                    JsonWebKeyType::Asymmetric(Box::new(AsymmetricJsonWebKey::Public(pub_key)));\n\n                Some(self)\n            }\n        }\n    }\n\n    /// Converts this [`JsonWebKey`] into a [`JsonWebKey`] that is only meant to\n    /// be uesd for verifying signatures.\n    ///\n    /// For asymmetric keys, this operation is equivalent to converting a\n    /// private key into it's public key.\n    ///\n    /// For symmetric keys, this operation is a no-op, as the secret material\n    /// can not be removed from the key.\n    #[doc(alias = \"into_public_key\")]\n    pub fn into_verifying_key(mut self) -\u003e Self {\n        match self.key_type {\n            // symmetric keys are no-op\n            JsonWebKeyType::Symmetric(_) =\u003e self,\n            JsonWebKeyType::Asymmetric(ref key) =\u003e match \u0026**key {\n                // public keys are no-ops too\n                AsymmetricJsonWebKey::Public(_) =\u003e self,\n                AsymmetricJsonWebKey::Private(Private::Okp(okp)) =\u003e {\n                    let key = match okp {\n                        OkpPrivate::Ed25519(key) =\u003e OkpPublic::Ed25519(key.to_public_key()),\n                        OkpPrivate::Ed448(key) =\u003e OkpPublic::Ed448(key.to_public_key()),\n                    };\n\n                    self.key_type = JsonWebKeyType::Asymmetric(Box::new(\n                        AsymmetricJsonWebKey::Public(Public::Okp(key)),\n                    ));\n\n                    self\n                }\n                AsymmetricJsonWebKey::Private(Private::Ec(ec)) =\u003e {\n                    let pub_key = match ec {\n                        EcPrivate::P256(key) =\u003e EcPublic::P256(key.to_public_key()),\n                        EcPrivate::P384(key) =\u003e EcPublic::P384(key.to_public_key()),\n                        EcPrivate::P521(key) =\u003e EcPublic::P521(key.to_public_key()),\n                        EcPrivate::Secp256k1(key) =\u003e EcPublic::Secp256k1(key.to_public_key()),\n                    };\n\n                    self.key_type = JsonWebKeyType::Asymmetric(Box::new(\n                        AsymmetricJsonWebKey::Public(Public::Ec(pub_key)),\n                    ));\n\n                    self\n                }\n                AsymmetricJsonWebKey::Private(Private::Rsa(rsa)) =\u003e {\n                    let pub_key = Public::Rsa(rsa.to_public_key());\n\n                    self.key_type =\n                        JsonWebKeyType::Asymmetric(Box::new(AsymmetricJsonWebKey::Public(pub_key)));\n\n                    self\n                }\n            },\n        }\n    }\n}\n\nimpl\u003cT: Serialize\u003e JsonWebKey\u003cT\u003e {\n    /// Converts this [`JsonWebKey`] with custom additional parameters,\n    /// into a [`JsonWebKey`] with untyped additional parameters.\n    ///\n    /// # Errors\n    ///\n    /// This function fails if the serialization of the additional parameters\n    /// failed, or the serialization does not result in a JSON object.\n    pub fn into_untyped_additional(\n        self,\n    ) -\u003e Result\u003cJsonWebKey\u003cUntypedAdditionalProperties\u003e, serde_json::Error\u003e {\n        let value = serde_json::to_value(\u0026self.additional)?;\n        let additional: UntypedAdditionalProperties = serde_json::from_value(value)?;\n\n        Ok(JsonWebKey {\n            additional,\n            key_type: self.key_type,\n            key_use: self.key_use,\n            key_operations: self.key_operations,\n            algorithm: self.algorithm,\n            kid: self.kid,\n            x509_url: self.x509_url,\n            x509_certificate_chain: self.x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: self.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: self.x509_certificate_sha256_thumbprint,\n        })\n    }\n}\n\nimpl JsonWebKey\u003cUntypedAdditionalProperties\u003e {\n    /// Deserializes the additional members of this [`JsonWebKey`]\n    /// to the given type.\n    ///\n    /// # Errors\n    ///\n    /// The given type failed to be deserialized from the additional members.\n    pub fn deserialize_additional\u003cT: DeserializeOwned\u003e(\n        self,\n    ) -\u003e Result\u003cJsonWebKey\u003cT\u003e, serde_json::Error\u003e {\n        let additional = serde_json::from_value(self.additional.into())?;\n\n        Ok(JsonWebKey {\n            additional,\n            key_type: self.key_type,\n            key_use: self.key_use,\n            key_operations: self.key_operations,\n            algorithm: self.algorithm,\n            kid: self.kid,\n            x509_url: self.x509_url,\n            x509_certificate_chain: self.x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: self.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: self.x509_certificate_sha256_thumbprint,\n        })\n    }\n}\n\nimpl\u003cT\u003e Checkable for JsonWebKey\u003cT\u003e\nwhere\n    T: Checkable,\n{\n    fn check\u003cP: Policy\u003e(self, policy: P) -\u003e Result\u003cChecked\u003cSelf, P\u003e, (Self, P::Error)\u003e {\n        if let Some(alg) = self.algorithm() {\n            if let Err(e) = policy.algorithm(alg) {\n                return Err((self, e));\n            }\n\n            let operations = match alg {\n                JsonWebAlgorithm::Encryption(..) =\u003e [\n                    CryptographicOperation::Encrypt,\n                    CryptographicOperation::Decrypt,\n                ],\n                JsonWebAlgorithm::Signing(..) =\u003e {\n                    [CryptographicOperation::Sign, CryptographicOperation::Verify]\n                }\n                JsonWebAlgorithm::Other(..) =\u003e {\n                    return Err((self, P::Error::custom(\"specified key algorithm is unknown\")))\n                }\n            };\n            debug_assert!(!operations.is_empty());\n\n            if let Some(key_use) = self.key_usage() {\n                // The following ensures that at least one `operation` is allowed with the\n                // current key usage (returns Ok(())). If Ok(()) is returned, it\n                // short-circuits\n                match operations.iter().try_fold(None, |_, operation| {\n                    match policy.may_perform_operation_key_use(*operation, key_use) {\n                        Ok(_) =\u003e ControlFlow::Break(()),\n                        Err(err) =\u003e ControlFlow::Continue(Some(err)),\n                    }\n                }) {\n                    ControlFlow::Break(_) =\u003e (),\n                    ControlFlow::Continue(err) =\u003e {\n                        return Err((\n                            self,\n                            // Safety\n                            //\n                            // First of, this could use unwrap_unchecked but doesn't since we\n                            // forbid unsafe code in this crate. However, it would be safe,\n                            // because: the call to the Policy returns\n                            // Result\u003c(), err\u003e and if it's Ok, it\n                            // will break and this branch will never get called. If the call\n                            // failed, the inital state of `None` will be set to\n                            // Continue(Some(err)), which will be the value in this branch\n                            err.expect(\"at least one call has been made to the Policy\"),\n                        ));\n                    }\n                }\n            }\n\n            if let Some(key_ops) = self.key_operations() {\n                // The following ensures tthat at loeast one `operation` is allowed with the\n                // current key operations. If Ok(()) is returned, it short-circuits.\n                // For example, a key might have a signing algorithm, but only\n                // `KeyOperation::Verify` is set since it is a public key and can't perform\n                // signing operations. In this case, it has the same signing algorithm.\n                match operations.iter().try_fold(None, |_, operation| {\n                    match policy.may_perform_operation_key_ops(*operation, key_ops) {\n                        Ok(_) =\u003e ControlFlow::Break(()),\n                        Err(err) =\u003e ControlFlow::Continue(Some(err)),\n                    }\n                }) {\n                    ControlFlow::Break(_) =\u003e (),\n                    ControlFlow::Continue(err) =\u003e {\n                        return Err((\n                            self,\n                            // Same rules as for the code with `key_usage` from above apply.\n                            err.expect(\"at leat one call has been made to the Policy\"),\n                        ));\n                    }\n                }\n            }\n        }\n\n        if let (Some(key_use), Some(key_ops)) = (self.key_usage(), self.key_operations()) {\n            if let Err(e) = policy.compare_key_ops_and_use(key_use, key_ops) {\n                return Err((self, e));\n            }\n        }\n\n        match self.additional.check(policy) {\n            Err(e) =\u003e Err((\n                Self {\n                    additional: e.0,\n                    ..self\n                },\n                e.1,\n            )),\n            Ok(o) =\u003e {\n                let (additional, p) = o.into_inner();\n                Ok(Checked::new(Self { additional, ..self }, p))\n            }\n        }\n    }\n}\n\nimpl Sealed for JsonWebKey {}\nimpl Thumbprint for JsonWebKey {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        self.key_type().thumbprint_prehashed()\n    }\n}\n\n/// A [`JsonWebKey`] represents a cryptographic key. It can either be symmetric\n/// or asymmetric. In the latter case, it can store public or private\n/// information about the key. This enum represents the key types as defined in\n/// [RFC 7518 section 6].\n///\n/// [RFC 7518 section 6]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-6\u003e\n#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize, Hash)]\n#[serde(untagged)]\npub enum JsonWebKeyType {\n    /// A symmetric cryptographic key\n    Symmetric(SymmetricJsonWebKey),\n    /// An asymmetric cryptographic key\n    Asymmetric(Box\u003cAsymmetricJsonWebKey\u003e),\n}\n\nimpl Sealed for JsonWebKeyType {}\nimpl Thumbprint for JsonWebKeyType {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            JsonWebKeyType::Symmetric(key) =\u003e key.thumbprint_prehashed(),\n            JsonWebKeyType::Asymmetric(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl JsonWebKeyType {\n    pub(self) fn compatible_with(\u0026self, alg: \u0026JsonWebAlgorithm) -\u003e bool {\n        use JsonWebAlgorithm::*;\n        use JsonWebKeyType::*;\n\n        // it is unreadable with the matches! macro and there's no benefit\n        #[allow(clippy::match_like_matches_macro)]\n        match (self, alg) {\n            (\n                Symmetric(SymmetricJsonWebKey::OctetSequence(key)),\n                Signing(JsonWebSigningAlgorithm::Hmac(hmac)),\n            ) =\u003e match (hmac, key.len()) {\n                (Hmac::Hs256, hmac::Hs256::OUTPUT_SIZE_BYTES..)\n                | (Hmac::Hs384, hmac::Hs384::OUTPUT_SIZE_BYTES..)\n                | (Hmac::Hs512, hmac::Hs512::OUTPUT_SIZE_BYTES..) =\u003e true,\n                _ =\u003e false,\n            },\n            (\n                Symmetric(SymmetricJsonWebKey::OctetSequence(key)),\n                Encryption(JsonWebEncryptionAlgorithm::AesKw(aes)),\n            ) =\u003e matches!(\n                (aes, key.len()),\n                (AesKw::Aes128, 16) | (AesKw::Aes192, 24) | (AesKw::Aes256, 32)\n            ),\n            (\n                Symmetric(SymmetricJsonWebKey::OctetSequence(key)),\n                Encryption(JsonWebEncryptionAlgorithm::AesGcmKw(aes)),\n            ) =\u003e matches!(\n                (aes, key.len()),\n                (AesGcm::Aes128, 16) | (AesGcm::Aes192, 24) | (AesGcm::Aes256, 32)\n            ),\n            (\n                Symmetric(SymmetricJsonWebKey::OctetSequence(key)),\n                Encryption(JsonWebEncryptionAlgorithm::Pbes2(pbes2)),\n            ) =\u003e matches!(\n                (pbes2, key.len()),\n                (Pbes2::Hs256Aes128, 16) | (Pbes2::Hs384Aes192, 24) | (Pbes2::Hs512Aes256, 32)\n            ),\n            (\n                Symmetric(SymmetricJsonWebKey::OctetSequence(..)),\n                Encryption(JsonWebEncryptionAlgorithm::Direct),\n            ) =\u003e true,\n            (Asymmetric(key), alg) =\u003e match (\u0026**key, alg) {\n                (\n                    AsymmetricJsonWebKey::Public(Public::Ec(..))\n                    | AsymmetricJsonWebKey::Private(Private::Ec(..)),\n                    Encryption(JsonWebEncryptionAlgorithm::EcDhES(..)),\n                )\n                | (\n                    AsymmetricJsonWebKey::Public(Public::Ec(EcPublic::P256(..)))\n                    | AsymmetricJsonWebKey::Private(Private::Ec(EcPrivate::P256(..))),\n                    Signing(JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256)),\n                )\n                | (\n                    AsymmetricJsonWebKey::Public(Public::Ec(EcPublic::P384(..)))\n                    | AsymmetricJsonWebKey::Private(Private::Ec(EcPrivate::P384(..))),\n                    Signing(JsonWebSigningAlgorithm::EcDSA(EcDSA::Es384)),\n                )\n                | (\n                    AsymmetricJsonWebKey::Public(Public::Ec(EcPublic::Secp256k1(..)))\n                    | AsymmetricJsonWebKey::Private(Private::Ec(EcPrivate::Secp256k1(..))),\n                    Signing(JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256K)),\n                )\n                | (\n                    AsymmetricJsonWebKey::Public(Public::Okp(\n                        OkpPublic::Ed25519(..) | OkpPublic::Ed448(..),\n                    ))\n                    | AsymmetricJsonWebKey::Private(Private::Okp(\n                        OkpPrivate::Ed25519(..) | OkpPrivate::Ed448(..),\n                    )),\n                    Signing(JsonWebSigningAlgorithm::EdDSA),\n                    // FIXME: look how encryption is handled and which algorithm is used\n                    //| Encryption(JsonWebEncryptionAlgorithm::EcDhES(..)),\n                )\n                | (\n                    AsymmetricJsonWebKey::Public(Public::Rsa(..))\n                    | AsymmetricJsonWebKey::Private(Private::Rsa(..)),\n                    Signing(JsonWebSigningAlgorithm::Rsa(..))\n                    | Encryption(JsonWebEncryptionAlgorithm::Rsa1_5)\n                    | Encryption(JsonWebEncryptionAlgorithm::RsaesOaep(..)),\n                ) =\u003e true,\n                _ =\u003e false,\n            },\n            _ =\u003e false,\n        }\n    }\n}\n\n/// A trait for a [`Signer`](crate::jws::Signer) or\n/// [`Verifier`](crate::jws::Verifier) to implement if it can be created from\n/// key material as long as the algorithm is known\npub trait FromKey\u003cK\u003e: Sized {\n    /// The error returned if the conversion failed\n    type Error;\n\n    /// Turn `K` into this [`Signer`](crate::jws::Signer) or\n    /// [`Verifier`](crate::jws::Verifier).\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the conversion failed\n    fn from_key(value: K, alg: JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e;\n}\n\n/// A trait for different key types to implement if they can be converted into a\n/// [`JsonWebKey`].\n///\n/// This trait, and deserialization, is the only public way of creating a\n/// [`JsonWebKey`].\npub trait IntoJsonWebKey: Sealed {\n    /// One key type may be used for multiple [`JsonWebAlgorithm`]s.\n    ///\n    /// This algorithm can be specified using this type.\n    type Algorithm;\n\n    /// The error that can occurr when converting this key into a JWK.\n    type Error;\n\n    /// Turns this key mateiral into a [`JsonWebKey`] for the given algorithm.\n    ///\n    /// If the given argument is `None`, the `alg` header field of the resulting\n    /// JWK will be None.\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if the conversion fails.\n    fn into_jwk(self, alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e) -\u003e Result\u003cJsonWebKey, Self::Error\u003e;\n}\n\n/// Hash implementation for all types that implement `Thumbprint` trait\nmod hash_impl {\n    use core::hash::{Hash, Hasher};\n\n    use super::{symmetric::OctetSequence, JsonWebKey};\n    use crate::crypto::{ec, okp, rsa};\n\n    impl_thumbprint_hash_trait!(ec::P256PublicKey, ec::P256PrivateKey);\n    impl_thumbprint_hash_trait!(ec::P384PublicKey, ec::P384PrivateKey);\n    impl_thumbprint_hash_trait!(ec::P521PublicKey, ec::P521PrivateKey);\n    impl_thumbprint_hash_trait!(ec::Secp256k1PublicKey, ec::Secp256k1PrivateKey);\n    impl_thumbprint_hash_trait!(okp::Ed25519PublicKey, okp::Ed25519PrivateKey);\n    impl_thumbprint_hash_trait!(okp::Ed448PublicKey, okp::Ed448PrivateKey);\n    impl_thumbprint_hash_trait!(rsa::PublicKey, rsa::PrivateKey);\n    impl_thumbprint_hash_trait!(OctetSequence);\n\n    /// The [`Hash`] implementation of [`JsonWebKey`] uses the [`Hash`]\n    /// implementation of the underlying\n    /// [`JsonWebKeyType`](super::JsonWebKeyType).\n    ///\n    /// **Note**: [`Hash`] and [`Thumbprint`](super::Thumbprint) are used\n    /// differently. A [`Thumbprint`](super::Thumbprint) does does distinguish\n    /// between a private and a public key. But the [`Hash`] implementation of\n    /// all [`JsonWebKey`]s does, because otherwise two different versions of\n    /// [`JsonWebKey`] with different capabilities would have the same hash.\n    impl Hash for JsonWebKey {\n        fn hash\u003cH: Hasher\u003e(\u0026self, state: \u0026mut H) {\n            self.key_type.hash(state);\n        }\n    }\n\n    #[test]\n    fn smoke() {\n        use crate::{jwk::Thumbprint, JsonWebKey};\n\n        #[allow(unused_extern_crates)]\n        extern crate std;\n\n        // This is a serialized asymmetric key. The private key part is stored in\n        // the `d` parameter\n        let serialized_private_key = r#\"\n{\n    \"crv\": \"P-256\",\n    \"kty\": \"EC\",\n     \"x\": \"1uiXGPoQ3eLR3VOsCfnx1YzIJZGUQLbVfbl1CpCHcs0\",\n     \"y\": \"danaoyQqKi48vlB2jnCoFmq3PdIbYwIRJyNKWiindZM\",\n     \"d\": \"eLGzm5zd242okyN9SQBvmaC_4EPvASCgMhFgwtBvf3k\",\n     \"alg\": \"ES256\"\n}\n\"#;\n        let private_key: JsonWebKey =\n            serde_json::from_str(serialized_private_key).expect(\"valid key\");\n\n        let expected_prehash = r#\"{\"crv\":\"P-256\",\"kty\":\"EC\",\"x\":\"1uiXGPoQ3eLR3VOsCfnx1YzIJZGUQLbVfbl1CpCHcs0\",\"y\":\"danaoyQqKi48vlB2jnCoFmq3PdIbYwIRJyNKWiindZM\"}\"#;\n        assert_eq!(private_key.thumbprint_prehashed(), expected_prehash);\n\n        let mut hasher = std::hash::DefaultHasher::default();\n        private_key.hash(\u0026mut hasher);\n        let hash_private = hasher.finish();\n\n        let serialized_public_key = r#\"\n{\n    \"crv\": \"P-256\",\n    \"kty\": \"EC\",\n     \"x\": \"1uiXGPoQ3eLR3VOsCfnx1YzIJZGUQLbVfbl1CpCHcs0\",\n     \"y\": \"danaoyQqKi48vlB2jnCoFmq3PdIbYwIRJyNKWiindZM\",\n     \"alg\": \"ES256\"\n}\n\"#;\n\n        let public_key: JsonWebKey = serde_json::from_str(serialized_public_key).unwrap();\n        let mut hasher = std::hash::DefaultHasher::default();\n        public_key.hash(\u0026mut hasher);\n        let hash_public = hasher.finish();\n        assert_ne!(hash_private, hash_public);\n    }\n}\n","traces":[{"line":259,"address":[],"length":0,"stats":{"Line":0}},{"line":270,"address":[],"length":0,"stats":{"Line":0}},{"line":273,"address":[],"length":0,"stats":{"Line":0}},{"line":280,"address":[],"length":0,"stats":{"Line":21}},{"line":281,"address":[],"length":0,"stats":{"Line":21}},{"line":287,"address":[],"length":0,"stats":{"Line":21}},{"line":289,"address":[],"length":0,"stats":{"Line":21}},{"line":290,"address":[],"length":0,"stats":{"Line":21}},{"line":291,"address":[],"length":0,"stats":{"Line":21}},{"line":292,"address":[],"length":0,"stats":{"Line":21}},{"line":293,"address":[],"length":0,"stats":{"Line":21}},{"line":294,"address":[],"length":0,"stats":{"Line":21}},{"line":295,"address":[],"length":0,"stats":{"Line":21}},{"line":296,"address":[],"length":0,"stats":{"Line":21}},{"line":297,"address":[],"length":0,"stats":{"Line":21}},{"line":298,"address":[],"length":0,"stats":{"Line":21}},{"line":309,"address":[],"length":0,"stats":{"Line":214}},{"line":310,"address":[],"length":0,"stats":{"Line":214}},{"line":318,"address":[],"length":0,"stats":{"Line":8}},{"line":319,"address":[],"length":0,"stats":{"Line":8}},{"line":329,"address":[],"length":0,"stats":{"Line":3}},{"line":330,"address":[],"length":0,"stats":{"Line":3}},{"line":338,"address":[],"length":0,"stats":{"Line":14}},{"line":339,"address":[],"length":0,"stats":{"Line":14}},{"line":345,"address":[],"length":0,"stats":{"Line":0}},{"line":346,"address":[],"length":0,"stats":{"Line":0}},{"line":352,"address":[],"length":0,"stats":{"Line":0}},{"line":353,"address":[],"length":0,"stats":{"Line":0}},{"line":370,"address":[],"length":0,"stats":{"Line":0}},{"line":371,"address":[],"length":0,"stats":{"Line":0}},{"line":392,"address":[],"length":0,"stats":{"Line":2}},{"line":393,"address":[],"length":0,"stats":{"Line":2}},{"line":402,"address":[],"length":0,"stats":{"Line":2}},{"line":403,"address":[],"length":0,"stats":{"Line":2}},{"line":410,"address":[],"length":0,"stats":{"Line":5}},{"line":411,"address":[],"length":0,"stats":{"Line":5}},{"line":416,"address":[],"length":0,"stats":{"Line":17}},{"line":417,"address":[],"length":0,"stats":{"Line":33}},{"line":422,"address":[],"length":0,"stats":{"Line":16}},{"line":423,"address":[],"length":0,"stats":{"Line":16}},{"line":432,"address":[],"length":0,"stats":{"Line":17}},{"line":433,"address":[],"length":0,"stats":{"Line":17}},{"line":434,"address":[],"length":0,"stats":{"Line":1}},{"line":435,"address":[],"length":0,"stats":{"Line":16}},{"line":436,"address":[],"length":0,"stats":{"Line":8}},{"line":437,"address":[],"length":0,"stats":{"Line":8}},{"line":450,"address":[],"length":0,"stats":{"Line":18}},{"line":451,"address":[],"length":0,"stats":{"Line":35}},{"line":452,"address":[],"length":0,"stats":{"Line":1}},{"line":453,"address":[],"length":0,"stats":{"Line":17}},{"line":456,"address":[],"length":0,"stats":{"Line":9}},{"line":458,"address":[],"length":0,"stats":{"Line":8}},{"line":459,"address":[],"length":0,"stats":{"Line":2}},{"line":460,"address":[],"length":0,"stats":{"Line":4}},{"line":461,"address":[],"length":0,"stats":{"Line":1}},{"line":462,"address":[],"length":0,"stats":{"Line":1}},{"line":465,"address":[],"length":0,"stats":{"Line":2}},{"line":466,"address":[],"length":0,"stats":{"Line":2}},{"line":469,"address":[],"length":0,"stats":{"Line":2}},{"line":471,"address":[],"length":0,"stats":{"Line":5}},{"line":472,"address":[],"length":0,"stats":{"Line":10}},{"line":473,"address":[],"length":0,"stats":{"Line":2}},{"line":474,"address":[],"length":0,"stats":{"Line":1}},{"line":475,"address":[],"length":0,"stats":{"Line":1}},{"line":476,"address":[],"length":0,"stats":{"Line":1}},{"line":479,"address":[],"length":0,"stats":{"Line":5}},{"line":480,"address":[],"length":0,"stats":{"Line":5}},{"line":483,"address":[],"length":0,"stats":{"Line":5}},{"line":485,"address":[],"length":0,"stats":{"Line":2}},{"line":486,"address":[],"length":0,"stats":{"Line":2}},{"line":488,"address":[],"length":0,"stats":{"Line":2}},{"line":489,"address":[],"length":0,"stats":{"Line":2}},{"line":491,"address":[],"length":0,"stats":{"Line":2}},{"line":505,"address":[],"length":0,"stats":{"Line":18}},{"line":506,"address":[],"length":0,"stats":{"Line":18}},{"line":508,"address":[],"length":0,"stats":{"Line":1}},{"line":509,"address":[],"length":0,"stats":{"Line":26}},{"line":511,"address":[],"length":0,"stats":{"Line":8}},{"line":512,"address":[],"length":0,"stats":{"Line":2}},{"line":513,"address":[],"length":0,"stats":{"Line":4}},{"line":514,"address":[],"length":0,"stats":{"Line":1}},{"line":515,"address":[],"length":0,"stats":{"Line":1}},{"line":518,"address":[],"length":0,"stats":{"Line":2}},{"line":519,"address":[],"length":0,"stats":{"Line":2}},{"line":522,"address":[],"length":0,"stats":{"Line":2}},{"line":524,"address":[],"length":0,"stats":{"Line":5}},{"line":525,"address":[],"length":0,"stats":{"Line":10}},{"line":526,"address":[],"length":0,"stats":{"Line":2}},{"line":527,"address":[],"length":0,"stats":{"Line":1}},{"line":528,"address":[],"length":0,"stats":{"Line":1}},{"line":529,"address":[],"length":0,"stats":{"Line":1}},{"line":532,"address":[],"length":0,"stats":{"Line":5}},{"line":533,"address":[],"length":0,"stats":{"Line":5}},{"line":536,"address":[],"length":0,"stats":{"Line":5}},{"line":538,"address":[],"length":0,"stats":{"Line":2}},{"line":539,"address":[],"length":0,"stats":{"Line":2}},{"line":541,"address":[],"length":0,"stats":{"Line":2}},{"line":542,"address":[],"length":0,"stats":{"Line":2}},{"line":544,"address":[],"length":0,"stats":{"Line":2}},{"line":559,"address":[],"length":0,"stats":{"Line":1}},{"line":562,"address":[],"length":0,"stats":{"Line":2}},{"line":563,"address":[],"length":0,"stats":{"Line":1}},{"line":565,"address":[],"length":0,"stats":{"Line":0}},{"line":566,"address":[],"length":0,"stats":{"Line":0}},{"line":567,"address":[],"length":0,"stats":{"Line":0}},{"line":568,"address":[],"length":0,"stats":{"Line":0}},{"line":569,"address":[],"length":0,"stats":{"Line":0}},{"line":570,"address":[],"length":0,"stats":{"Line":0}},{"line":571,"address":[],"length":0,"stats":{"Line":0}},{"line":572,"address":[],"length":0,"stats":{"Line":0}},{"line":573,"address":[],"length":0,"stats":{"Line":0}},{"line":574,"address":[],"length":0,"stats":{"Line":0}},{"line":575,"address":[],"length":0,"stats":{"Line":0}},{"line":587,"address":[],"length":0,"stats":{"Line":1}},{"line":590,"address":[],"length":0,"stats":{"Line":2}},{"line":592,"address":[],"length":0,"stats":{"Line":0}},{"line":593,"address":[],"length":0,"stats":{"Line":0}},{"line":594,"address":[],"length":0,"stats":{"Line":0}},{"line":595,"address":[],"length":0,"stats":{"Line":0}},{"line":596,"address":[],"length":0,"stats":{"Line":0}},{"line":597,"address":[],"length":0,"stats":{"Line":0}},{"line":598,"address":[],"length":0,"stats":{"Line":0}},{"line":599,"address":[],"length":0,"stats":{"Line":0}},{"line":600,"address":[],"length":0,"stats":{"Line":0}},{"line":601,"address":[],"length":0,"stats":{"Line":0}},{"line":602,"address":[],"length":0,"stats":{"Line":0}},{"line":611,"address":[],"length":0,"stats":{"Line":1}},{"line":612,"address":[],"length":0,"stats":{"Line":2}},{"line":613,"address":[],"length":0,"stats":{"Line":0}},{"line":614,"address":[],"length":0,"stats":{"Line":0}},{"line":617,"address":[],"length":0,"stats":{"Line":2}},{"line":618,"address":[],"length":0,"stats":{"Line":0}},{"line":619,"address":[],"length":0,"stats":{"Line":0}},{"line":620,"address":[],"length":0,"stats":{"Line":0}},{"line":622,"address":[],"length":0,"stats":{"Line":0}},{"line":623,"address":[],"length":0,"stats":{"Line":1}},{"line":625,"address":[],"length":0,"stats":{"Line":0}},{"line":626,"address":[],"length":0,"stats":{"Line":0}},{"line":629,"address":[],"length":0,"stats":{"Line":0}},{"line":631,"address":[],"length":0,"stats":{"Line":2}},{"line":635,"address":[],"length":0,"stats":{"Line":1}},{"line":636,"address":[],"length":0,"stats":{"Line":1}},{"line":637,"address":[],"length":0,"stats":{"Line":1}},{"line":638,"address":[],"length":0,"stats":{"Line":0}},{"line":641,"address":[],"length":0,"stats":{"Line":1}},{"line":642,"address":[],"length":0,"stats":{"Line":0}},{"line":643,"address":[],"length":0,"stats":{"Line":0}},{"line":644,"address":[],"length":0,"stats":{"Line":0}},{"line":654,"address":[],"length":0,"stats":{"Line":0}},{"line":660,"address":[],"length":0,"stats":{"Line":1}},{"line":666,"address":[],"length":0,"stats":{"Line":0}},{"line":667,"address":[],"length":0,"stats":{"Line":0}},{"line":668,"address":[],"length":0,"stats":{"Line":0}},{"line":669,"address":[],"length":0,"stats":{"Line":0}},{"line":672,"address":[],"length":0,"stats":{"Line":0}},{"line":673,"address":[],"length":0,"stats":{"Line":0}},{"line":674,"address":[],"length":0,"stats":{"Line":0}},{"line":675,"address":[],"length":0,"stats":{"Line":0}},{"line":677,"address":[],"length":0,"stats":{"Line":0}},{"line":684,"address":[],"length":0,"stats":{"Line":1}},{"line":685,"address":[],"length":0,"stats":{"Line":0}},{"line":686,"address":[],"length":0,"stats":{"Line":0}},{"line":690,"address":[],"length":0,"stats":{"Line":1}},{"line":691,"address":[],"length":0,"stats":{"Line":0}},{"line":692,"address":[],"length":0,"stats":{"Line":0}},{"line":693,"address":[],"length":0,"stats":{"Line":0}},{"line":694,"address":[],"length":0,"stats":{"Line":0}},{"line":696,"address":[],"length":0,"stats":{"Line":0}},{"line":698,"address":[],"length":0,"stats":{"Line":1}},{"line":699,"address":[],"length":0,"stats":{"Line":1}},{"line":700,"address":[],"length":0,"stats":{"Line":1}},{"line":708,"address":[],"length":0,"stats":{"Line":64}},{"line":709,"address":[],"length":0,"stats":{"Line":64}},{"line":730,"address":[],"length":0,"stats":{"Line":64}},{"line":731,"address":[],"length":0,"stats":{"Line":64}},{"line":732,"address":[],"length":0,"stats":{"Line":6}},{"line":733,"address":[],"length":0,"stats":{"Line":58}},{"line":739,"address":[],"length":0,"stats":{"Line":42}},{"line":745,"address":[],"length":0,"stats":{"Line":42}},{"line":747,"address":[],"length":0,"stats":{"Line":0}},{"line":748,"address":[],"length":0,"stats":{"Line":0}},{"line":749,"address":[],"length":0,"stats":{"Line":0}},{"line":750,"address":[],"length":0,"stats":{"Line":0}},{"line":751,"address":[],"length":0,"stats":{"Line":0}},{"line":752,"address":[],"length":0,"stats":{"Line":0}},{"line":753,"address":[],"length":0,"stats":{"Line":0}},{"line":756,"address":[],"length":0,"stats":{"Line":0}},{"line":757,"address":[],"length":0,"stats":{"Line":0}},{"line":758,"address":[],"length":0,"stats":{"Line":0}},{"line":759,"address":[],"length":0,"stats":{"Line":0}},{"line":763,"address":[],"length":0,"stats":{"Line":0}},{"line":764,"address":[],"length":0,"stats":{"Line":0}},{"line":765,"address":[],"length":0,"stats":{"Line":0}},{"line":766,"address":[],"length":0,"stats":{"Line":0}},{"line":770,"address":[],"length":0,"stats":{"Line":0}},{"line":771,"address":[],"length":0,"stats":{"Line":0}},{"line":772,"address":[],"length":0,"stats":{"Line":0}},{"line":773,"address":[],"length":0,"stats":{"Line":0}},{"line":779,"address":[],"length":0,"stats":{"Line":0}},{"line":780,"address":[],"length":0,"stats":{"Line":38}},{"line":818,"address":[],"length":0,"stats":{"Line":0}},{"line":819,"address":[],"length":0,"stats":{"Line":38}},{"line":821,"address":[],"length":0,"stats":{"Line":4}},{"line":893,"address":[],"length":0,"stats":{"Line":2}},{"line":894,"address":[],"length":0,"stats":{"Line":2}}],"covered":123,"coverable":205},{"path":["/","home","stu","dev","rust","jose","src","jws","builder.rs"],"content":"use crate::{\n    format::Format,\n    header::{self, HeaderValue, JoseHeaderBuilder, JoseHeaderBuilderError},\n    jwa::JsonWebSigningAlgorithm,\n    JoseHeader, JsonWebSignature,\n};\n\n/// Builds a [`JsonWebSignature`] with custom header parameters.\n#[derive(Debug)]\npub struct JsonWebSignatureBuilder\u003cF: Format\u003e {\n    header: Option\u003cResult\u003cF::JwsHeader, JoseHeaderBuilderError\u003e\u003e,\n}\n\nimpl\u003cF: Format\u003e JsonWebSignatureBuilder\u003cF\u003e {\n    pub(super) fn new() -\u003e Self {\n        Self { header: None }\n    }\n\n    /// Configures the custom header for this [`JsonWebSignature`].\n    ///\n    /// For [`Compact`](crate::format::Compact) and\n    /// [`JsonFlattened`](crate::format::JsonFlattened) format, this method\n    /// will set the single protected, and unprotected header if JSON flattened,\n    /// header.\n    ///\n    /// ## Support for empty protected headers\n    ///\n    /// The [JWS RFC] allows for the protected header to be empty, and instead\n    /// supply all necessary parameters in the unprotected header. By\n    /// default, the `jose` crate will overwrite the `alg` field (and\n    /// optionally `kid` field) in the protected header, with the signing\n    /// algorithm used in the signing operation.\n    /// To achieve that the `alg` field is set on the unprotected header, one\n    /// must set the `alg`\n    /// field to `HeaderValue::Protected(JsonWebSigningAlgorithm::None)`\n    /// manually.\n    ///\n    /// However, you must note, that this feature is not supported for the\n    /// [`Compact`](crate::format::Compact) format, becuase that format can only\n    /// have a protected header.\n    ///\n    /// ```\n    /// # use jose::{format::*, jws::*, header::HeaderValue, jwa::*};\n    /// # fn main() {\n    /// let jws = JsonWebSignature::\u003cJsonFlattened, _\u003e::builder()\n    ///     .header(|b| b.algorithm(HeaderValue::Unprotected(JsonWebSigningAlgorithm::None)))\n    ///     .build(())\n    ///     .unwrap();\n    /// # }\n    /// ```\n    ///\n    /// [JWS RFC]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515\u003e\n    pub fn header\u003c\n        CB: FnOnce(JoseHeaderBuilder\u003cF, header::Jws\u003e) -\u003e JoseHeaderBuilder\u003cF, header::Jws\u003e,\n    \u003e(\n        mut self,\n        callback: CB,\n    ) -\u003e Self {\n        let mut header = match self.header {\n            Some(Ok(hdr)) =\u003e Ok(hdr),\n\n            // when there was an error setting the previous header,\n            // do not overwrite the header value, because we want\n            // to keep the error and report it in the `build` method\n            Some(Err(_)) =\u003e return self,\n\n            // this `Err` value is just used as a placeholder to be replaced\n            None =\u003e Err(JoseHeaderBuilderError::MissingAlgorithm),\n        };\n\n        let builder = JoseHeader::\u003cF, header::Jws\u003e::builder()\n            .algorithm(HeaderValue::Protected(JsonWebSigningAlgorithm::None));\n        let builder = callback(builder);\n\n        F::finalize_jws_header_builder(\u0026mut header, builder);\n        self.header = Some(header);\n\n        self\n    }\n\n    /// Finalizes this builder and returns the creates [`JsonWebSignature`].\n    ///\n    /// # Errors\n    ///\n    /// Fails if the supplied header parameters were invalid.\n    pub fn build\u003cT\u003e(self, payload: T) -\u003e Result\u003cJsonWebSignature\u003cF, T\u003e, JoseHeaderBuilderError\u003e {\n        let header = match self.header {\n            Some(hdr) =\u003e hdr?,\n            None =\u003e {\n                let default_header = JoseHeader::\u003cF, header::Jws\u003e::builder()\n                    .algorithm(HeaderValue::Protected(JsonWebSigningAlgorithm::None));\n\n                let mut header = Err(JoseHeaderBuilderError::MissingAlgorithm);\n                F::finalize_jws_header_builder(\u0026mut header, default_header);\n                header?\n            }\n        };\n\n        Ok(JsonWebSignature::new(header, payload))\n    }\n}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":0}},{"line":86,"address":[],"length":0,"stats":{"Line":0}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":90,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":94,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":22},{"path":["/","home","stu","dev","rust","jose","src","jws","sign.rs"],"content":"use core::fmt;\n\nuse crate::{\n    crypto,\n    format::Format,\n    jwa::{JsonWebAlgorithm, JsonWebSigningAlgorithm},\n    jwk::FromKey,\n};\n\n/// This type indicates that the inner value is signed using a [signing\n/// algorithm].\n///\n/// # Generic Arguments\n///\n/// - `T` is the inner type that is signed\n/// - `S` is the signature\n///\n/// [signing algorithm]: crate::jwa::JsonWebSigningAlgorithm\n#[derive(Debug, PartialEq, Eq, Hash)]\npub struct Signed\u003cF\u003e {\n    pub(crate) value: F,\n}\n\nimpl\u003cF: Format\u003e fmt::Display for Signed\u003cF\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Display::fmt(\u0026self.value, f)\n    }\n}\n\nimpl\u003cF: Format\u003e Signed\u003cF\u003e {\n    /// Encodes this signed value into the format of the signed JWS.\n    #[inline]\n    pub fn encode(self) -\u003e F {\n        self.value\n    }\n}\n\n/// This trait represents anything that can be used to sign a JWS, JWE, or\n/// whatever.\n///\n/// A message is signed by just passing the raw bytes that should be signed.\n///\n/// To be able to be used as a [`Signer`], one must provide the sign operation\n/// itself, and also needs to [specify the algorithm] used for signing. The\n/// algorithm will be used as the value for the `alg` field inside the\n/// [`JoseHeader`](crate::header::JoseHeader) for the signed type.\n///\n/// [specify the algorithm]: Signer::algorithm\npub trait Signer\u003cS: AsRef\u003c[u8]\u003e\u003e {\n    /// Signs a raw byte message using this signer, returning a signature.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the signing operation fails.\n    /// An error usually only appears when communicating with external signers.\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cS, crypto::Error\u003e;\n\n    /// Return the type of signing algorithm used by this signer.\n    fn algorithm(\u0026self) -\u003e JsonWebSigningAlgorithm;\n\n    /// JsonWebSignatures *can* contain a key id which is specified\n    /// by this method.\n    fn key_id(\u0026self) -\u003e Option\u003c\u0026str\u003e {\n        None\n    }\n\n    /// Returns a new [`Signer`] that wraps `self`, but returns `None` when\n    /// calling the `key_id` method.\n    fn without_key_id(self) -\u003e SignerWithoutKeyId\u003cSelf\u003e\n    where\n        Self: Sized,\n    {\n        SignerWithoutKeyId { inner: self }\n    }\n}\n\n/// Wrapper type around an existing [`Signer`] that will always return `None`\n/// for the key id.\n///\n/// This is useful if you parse a JWK, which has a Key ID, but you do not want\n/// to add this ID to the header in a JWS.\n#[derive(Debug, Clone)]\npub struct SignerWithoutKeyId\u003cS\u003e {\n    inner: S,\n}\n\nimpl\u003cSIG: AsRef\u003c[u8]\u003e, S: Signer\u003cSIG\u003e\u003e Signer\u003cSIG\u003e for SignerWithoutKeyId\u003cS\u003e {\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cSIG, crypto::Error\u003e {\n        S::sign(\u0026mut self.inner, msg)\n    }\n\n    fn algorithm(\u0026self) -\u003e JsonWebSigningAlgorithm {\n        S::algorithm(\u0026self.inner)\n    }\n\n    fn key_id(\u0026self) -\u003e Option\u003c\u0026str\u003e {\n        None\n    }\n}\n\n/// An error returned if something expected a different\n/// [`JsonWebAlgorithm`]\n#[derive(Debug, thiserror::Error, PartialEq, Eq)]\n#[error(\"Invalid algorithm\")]\npub struct InvalidSigningAlgorithmError;\n\n/// A trait to turn something into a [`Signer`].\n///\n/// Some key types like the [`Rsa`](crate::crypto::rsa::PrivateKey) key type\n/// need to know which [algorithm](JsonWebSigningAlgorithm) to use.\npub trait IntoSigner\u003cT, S\u003e\nwhere\n    T: Signer\u003cS\u003e,\n    S: AsRef\u003c[u8]\u003e,\n{\n    /// The error returned if the conversion failed\n    type Error;\n\n    /// Turn `self` into the [`Signer`] `T`\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the conversion failed\n    fn into_signer(self, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cT, Self::Error\u003e;\n}\n\nimpl\u003cK, T, S\u003e IntoSigner\u003cT, S\u003e for K\nwhere\n    T: FromKey\u003cK\u003e + Signer\u003cS\u003e,\n    S: AsRef\u003c[u8]\u003e,\n{\n    type Error = \u003cT as FromKey\u003cK\u003e\u003e::Error;\n\n    fn into_signer(self, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cT, Self::Error\u003e {\n        T::from_key(self, JsonWebAlgorithm::Signing(alg))\n    }\n}\n","traces":[{"line":25,"address":[],"length":0,"stats":{"Line":0}},{"line":26,"address":[],"length":0,"stats":{"Line":0}},{"line":33,"address":[],"length":0,"stats":{"Line":0}},{"line":34,"address":[],"length":0,"stats":{"Line":0}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":134,"address":[],"length":0,"stats":{"Line":0}},{"line":135,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":15},{"path":["/","home","stu","dev","rust","jose","src","jws","verify.rs"],"content":"use alloc::vec::Vec;\nuse core::ops::{Deref, DerefMut};\n\nuse thiserror::Error;\n\nuse super::JsonWebSignature;\nuse crate::{\n    crypto,\n    format::{DecodeFormat, DecodeFormatWithContext, Format, JsonGeneral},\n    jwa::{JsonWebAlgorithm, JsonWebSigningAlgorithm},\n    jwk::FromKey,\n};\n\n/// The error indicating if either the signature is invalid, or if the\n/// cyptographic operation failed.\n#[derive(Debug, Error)]\npub enum VerifyError {\n    /// The signature is invalid.\n    #[error(\"signature is invalid\")]\n    InvalidSignature,\n\n    /// The crypto backend threw an error.\n    #[error(\"crypto backend error\")]\n    CryptoBackend(\n        #[from]\n        #[source]\n        crypto::Error,\n    ),\n}\n\n/// This trait represents anything that can be used to verify a JWS, JWE, or\n/// whatever.\npub trait Verifier {\n    /// The `verify` operation.\n    ///\n    /// If the message is valid, returns `Ok(())`.\n    ///\n    /// # Errors\n    ///\n    /// Returns [`VerifyError`] if anything went wrong during signature\n    /// verification or if the signature is just invalid.\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), VerifyError\u003e;\n}\n\n/// This wrapper type represents a [JWS](crate::JsonWebSignature) that was\n/// parsed from user input, but the data integrity was not verified, thus it\n/// might contain corrupted or malicious data.\n///\n/// An [`Unverified`] struct can be verified using the [`verify`](Self::verify)\n/// method.\n#[derive(Debug)]\npub struct Unverified\u003cT\u003e {\n    pub(crate) value: T,\n    pub(crate) signature: Vec\u003cu8\u003e,\n    pub(crate) msg: Vec\u003cu8\u003e,\n}\n\nimpl\u003cT\u003e Unverified\u003cT\u003e {\n    /// Parse the input format to an unverified representation of `T`.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the input format has an invalid representation for\n    /// the `T` type.\n    pub fn decode\u003cF: Format\u003e(input: F) -\u003e Result\u003cSelf, T::Error\u003e\n    where\n        T: DecodeFormat\u003cF, Decoded\u003cT\u003e = Unverified\u003cT\u003e\u003e,\n    {\n        T::decode(input)\n    }\n\n    /// Parse the input format to an unverified representation of `T`, with the\n    /// given context.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the input format has an invalid representation for\n    /// the `T` type.\n    pub fn decode_with_context\u003cF: Format, C\u003e(input: F, context: \u0026C) -\u003e Result\u003cSelf, T::Error\u003e\n    where\n        T: DecodeFormatWithContext\u003cF, C, Decoded\u003cT\u003e = Unverified\u003cT\u003e\u003e,\n    {\n        T::decode_with_context(input, context)\n    }\n\n    /// Verify this struct using the given verifier, returning a [`Verified`]\n    /// representation of the inner type.\n    ///\n    /// # Errors\n    ///\n    /// Returns [`VerifyError`] if anything went wrong during signature\n    /// verification or if the signature is just invalid.\n    pub fn verify(self, verifier: \u0026mut dyn Verifier) -\u003e Result\u003cVerified\u003cT\u003e, VerifyError\u003e {\n        verifier.verify(\u0026self.msg, \u0026self.signature)?;\n        Ok(Verified(self.value))\n    }\n}\n\nimpl\u003cT, F\u003e Unverified\u003cJsonWebSignature\u003cF, T\u003e\u003e\nwhere\n    F: Format,\n{\n    /// Exposes the **unverified** [`JoseHeader`](crate::JoseHeader) of this\n    /// [`JsonWebSignature`]\n    ///\n    /// You usually **should not use this method**. Instead, verify the\n    /// [`JsonWebSignature`] and potentially protected headers first, to avoid\n    /// creating security vulnerabilities.\n    ///\n    /// # When to use\n    ///\n    /// One use case is to determine which key was used to create this signature\n    /// in the first place. For example, consider you have a list of public\n    /// keys used by the same party. If you were not able to peek inside to\n    /// get a hint of the key used, for example via\n    /// [`JoseHeader::key_identifier`](crate::JoseHeader::key_identifier), you\n    /// would have to try each key until either a signature is valid or\n    /// there are no keys left.\n    ///\n    /// However, note that, since the header is not verified yet, an attacker\n    /// can spoof the key hint. For example, you MUST still make sure that the\n    /// key in the hint is actually established and does not belong to some\n    /// other party which might still be in your list of keys but is unrelated.\n    ///\n    /// # Security\n    ///\n    /// Every security garantee given by this crate is broken for the returned\n    /// [`JoseHeader`](crate::JoseHeader), including\n    /// [`HeaderValue::Protected`](crate::header::HeaderValue). Thus, you should\n    /// use this method only within isolated code regions.\n    pub fn expose_unverified_header(\u0026self) -\u003e \u0026F::JwsHeader {\n        \u0026self.value.header\n    }\n\n    /// Exposes the **unverified** [`payload`](JsonWebSignature::payload) of\n    /// this [`JsonWebSignature`]\n    ///\n    /// You **should never have the need to use this method**. If you have\n    /// information in the payload that you need in order to verify the\n    /// signature, you are using it wrong. Instead, such information should be\n    /// put in the [`JoseHeader`](crate::JoseHeader) and can be accessed via\n    /// [`expose_unverified_header]`](Self::expose_unverified_header).\n    ///\n    /// # Security\n    ///\n    /// Every security garantee given by this crate is broken for the returned\n    /// payload `T`. Thus, you should use this method only within isolated code\n    /// regions.\n    pub fn expose_unverified_payload(\u0026self) -\u003e \u0026T {\n        \u0026self.value.payload\n    }\n\n    /// Exposes the **unverified** raw signature in its byte representation\n    ///\n    /// Note: raw means that it is already base64 decoded.\n    ///\n    /// There is absolutely no reason to use this method. If you want to use\n    /// your own code for verification, you should create your own [`Verifier`]\n    /// instead.\n    pub fn expose_unverified_raw_signature(\u0026self) -\u003e \u0026[u8] {\n        self.signature.as_slice()\n    }\n}\n\n/// This wrapper type represents a [JWS](crate::JsonWebSignature) that was\n/// parsed from user input, but the data integrity was not verified, thus it\n/// might contain corrupted or malicious data.\n///\n/// Compared to [`Unverified`] this type can contain multiple signatures that\n/// need to be verified. An instance of this type can only be obtained by\n/// decoding a JWS using the [`JsonGeneral`] format.\n#[derive(Debug)]\npub struct ManyUnverified\u003cT\u003e {\n    pub(crate) value: T,\n    // Vec\u003c(msg, signature)\u003e\n    pub(crate) signatures: Vec\u003c(Vec\u003cu8\u003e, Vec\u003cu8\u003e)\u003e,\n}\n\nimpl\u003cT\u003e ManyUnverified\u003cT\u003e {\n    /// Parses a JWS in the [`JsonGeneral`] format into an unverified\n    /// representation of `T`.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the input format has an invalid representation for\n    /// the `T` type.\n    pub fn decode(input: JsonGeneral) -\u003e Result\u003cSelf, T::Error\u003e\n    where\n        T: DecodeFormat\u003cJsonGeneral, Decoded\u003cT\u003e = ManyUnverified\u003cT\u003e\u003e,\n    {\n        T::decode(input)\n    }\n\n    /// Returns the number of signatures in this JWS.\n    pub fn signature_count(\u0026self) -\u003e usize {\n        self.signatures.len()\n    }\n\n    /// Verify this struct using the given verifies, returning a [`Verified`]\n    /// representation of the inner type.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the number of verifiers does not match the number of\n    /// signatures, or if anything went wrong during a signature\n    /// verification or if one of the signatures is just invalid.\n    // TODO: consider using a more specific error type to give the usermore\n    // information about the error\n    pub fn verify_many\u003c'a\u003e(\n        self,\n        verifiers: impl IntoIterator\u003cItem = \u0026'a mut dyn Verifier\u003e,\n    ) -\u003e Result\u003cVerified\u003cT\u003e, VerifyError\u003e {\n        let verifiers = verifiers.into_iter().collect::\u003cVec\u003c_\u003e\u003e();\n        if verifiers.len() != self.signatures.len() {\n            return Err(VerifyError::InvalidSignature);\n        }\n\n        for (verifier, (msg, signature)) in verifiers.into_iter().zip(self.signatures) {\n            verifier.verify(\u0026msg, \u0026signature)?;\n        }\n\n        Ok(Verified(self.value))\n    }\n}\n\nimpl\u003cT, F\u003e ManyUnverified\u003cJsonWebSignature\u003cF, T\u003e\u003e\nwhere\n    F: Format,\n{\n    /// Exposes the **unverified** [`JoseHeader`](crate::JoseHeader) of this\n    /// [`JsonWebSignature`]\n    ///\n    /// You usually **should not use this method**. Instead, verify the\n    /// [`JsonWebSignature`] and potentially protected headers first, to avoid\n    /// creating security vulnerabilities.\n    ///\n    /// # When to use\n    ///\n    /// One use case is to determine which key was used to create this signature\n    /// in the first place. For example, consider you have a list of public\n    /// keys used by the same party. If you were not able to peek inside to\n    /// get a hint of the key used, for example via\n    /// [`JoseHeader::key_identifier`](crate::JoseHeader::key_identifier), you\n    /// would have to try each key until either a signature is valid or\n    /// there are no keys left.\n    ///\n    /// However, note that, since the header is not verified yet, an attacker\n    /// can spoof the key hint. For example, you MUST still make sure that the\n    /// key in the hint is actually established and does not belong to some\n    /// other party which might still be in your list of keys but is unrelated.\n    ///\n    /// # Security\n    ///\n    /// Every security garantee given by this crate is broken for the returned\n    /// [`JoseHeader`](crate::JoseHeader), including\n    /// [`HeaderValue::Protected`](crate::header::HeaderValue). Thus, you should\n    /// use this method only within isolated code regions.\n    pub fn expose_unverified_header(\u0026self) -\u003e \u0026F::JwsHeader {\n        \u0026self.value.header\n    }\n\n    /// Exposes the **unverified** [`payload`](JsonWebSignature::payload) of\n    /// this [`JsonWebSignature`]\n    ///\n    /// You **should never have the need to use this method**. If you have\n    /// information in the payload that you need in order to verify the\n    /// signature, you are using it wrong. Instead, such information should be\n    /// put in the [`JoseHeader`](crate::JoseHeader) and can be accessed via\n    /// [`expose_unverified_header]`](Self::expose_unverified_header).\n    ///\n    /// # Security\n    ///\n    /// Every security garantee given by this crate is broken for the returned\n    /// payload `T`. Thus, you should use this method only within isolated code\n    /// regions.\n    pub fn expose_unverified_payload(\u0026self) -\u003e \u0026T {\n        \u0026self.value.payload\n    }\n\n    /// Exposes an [`Iterator`] over the **unverified** signatures and their\n    /// corresponding messages.\n    ///\n    /// It returns an [`Iterator`] over `(message, signature)` for each\n    /// signature. Note: raw means that they are already base64 decoded.\n    ///\n    /// There is absolutely no reason to use this method. If you want to use\n    /// your own code for verification, you should create your own [`Verifier`]\n    /// instead.\n    pub fn expose_unverified_raw_signatures(\u0026self) -\u003e impl Iterator\u003cItem = (\u0026[u8], \u0026[u8])\u003e {\n        self.signatures\n            .iter()\n            .map(|(msg, sig)| (msg.as_slice(), sig.as_slice()))\n    }\n}\n\n/// Wrapper type around a JWS, or JWE that was verified using a [`Verifier`].\n#[derive(Debug)]\npub struct Verified\u003cT\u003e(T);\n\nimpl\u003cT\u003e Verified\u003cT\u003e {\n    /// Turns self into it's inner `T`.\n    pub fn into_inner(self) -\u003e T {\n        self.0\n    }\n}\n\nimpl\u003cT\u003e Deref for Verified\u003cT\u003e {\n    type Target = T;\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        \u0026self.0\n    }\n}\n\nimpl\u003cT\u003e DerefMut for Verified\u003cT\u003e {\n    fn deref_mut(\u0026mut self) -\u003e \u0026mut Self::Target {\n        \u0026mut self.0\n    }\n}\n\n/// A trait to turn something into a [`Verifier`]\n///\n/// Some key types like the [`Rsa`](crate::crypto::rsa::PublicKey) key type need\n/// to know which [algorithm](JsonWebSigningAlgorithm) to use.\npub trait IntoVerifier\u003cV\u003e\nwhere\n    V: Verifier,\n{\n    /// The error returned if the conversion failed\n    type Error;\n\n    /// Turn `self` into the [`Verifier`] `V`\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the conversion failed\n    fn into_verifier(self, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cV, Self::Error\u003e;\n}\n\nimpl\u003cK, V\u003e IntoVerifier\u003cV\u003e for K\nwhere\n    V: FromKey\u003cK\u003e + Verifier,\n{\n    type Error = \u003cV as FromKey\u003cK\u003e\u003e::Error;\n\n    fn into_verifier(self, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cV, Self::Error\u003e {\n        V::from_key(self, JsonWebAlgorithm::Signing(alg))\n    }\n}\n","traces":[{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":79,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":94,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":149,"address":[],"length":0,"stats":{"Line":0}},{"line":150,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":0}},{"line":161,"address":[],"length":0,"stats":{"Line":0}},{"line":187,"address":[],"length":0,"stats":{"Line":0}},{"line":191,"address":[],"length":0,"stats":{"Line":0}},{"line":195,"address":[],"length":0,"stats":{"Line":0}},{"line":196,"address":[],"length":0,"stats":{"Line":0}},{"line":209,"address":[],"length":0,"stats":{"Line":0}},{"line":213,"address":[],"length":0,"stats":{"Line":0}},{"line":214,"address":[],"length":0,"stats":{"Line":0}},{"line":215,"address":[],"length":0,"stats":{"Line":0}},{"line":218,"address":[],"length":0,"stats":{"Line":0}},{"line":219,"address":[],"length":0,"stats":{"Line":0}},{"line":222,"address":[],"length":0,"stats":{"Line":0}},{"line":258,"address":[],"length":0,"stats":{"Line":0}},{"line":259,"address":[],"length":0,"stats":{"Line":0}},{"line":276,"address":[],"length":0,"stats":{"Line":0}},{"line":277,"address":[],"length":0,"stats":{"Line":0}},{"line":289,"address":[],"length":0,"stats":{"Line":0}},{"line":290,"address":[],"length":0,"stats":{"Line":0}},{"line":292,"address":[],"length":0,"stats":{"Line":0}},{"line":302,"address":[],"length":0,"stats":{"Line":0}},{"line":303,"address":[],"length":0,"stats":{"Line":0}},{"line":310,"address":[],"length":0,"stats":{"Line":0}},{"line":311,"address":[],"length":0,"stats":{"Line":0}},{"line":316,"address":[],"length":0,"stats":{"Line":0}},{"line":317,"address":[],"length":0,"stats":{"Line":0}},{"line":346,"address":[],"length":0,"stats":{"Line":0}},{"line":347,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":39},{"path":["/","home","stu","dev","rust","jose","src","jws.rs"],"content":"//! Implementation of JSON Web Signature (JWS) as defined in [RFC 7515]\n//!\n//! [RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515\u003e\n\nuse alloc::{format, string::String, vec, vec::Vec};\n\nuse thiserror::Error;\n\nuse crate::{\n    crypto,\n    format::{\n        Compact, DecodeFormat, DecodeFormatWithContext, Format, JsonFlattened, JsonGeneral,\n        JsonGeneralSignature,\n    },\n    header, Base64UrlString, JoseHeader,\n};\n\nmod builder;\nmod sign;\nmod verify;\n\n#[doc(inline)]\npub use {builder::*, sign::*, verify::*};\n\n// FIXME: check section 5.3. (string comparison) and verify correctness\n// FIXME: protected headers\n// FIXME: unencoded payload (IMPORTANT: check that string is all ascii, except\n// `.` character)\n\n/// The kind of payload used in a JWS.\n///\n/// Kind means that a payload data is either attached, or detached.\n#[derive(Debug, Clone, Hash, PartialEq, Eq)]\npub enum PayloadKind {\n    /// Attached payload.\n    ///\n    /// The payload data will be put into the JWS.\n    /// This is the standard kind.\n    Attached(PayloadData),\n\n    /// Detached payload.\n    ///\n    /// Detached payload is a special payload\n    /// representation of a JWS, specified\n    /// in [Appendix F](https://datatracker.ietf.org/doc/html/rfc7515#appendix-F)\n    /// of the JWS RFC.\n    ///\n    /// Essentially, the payload is not put into the JWS,\n    /// instead it's only used for signing.\n    Detached(PayloadData),\n}\n\n/// The raw payload data that should be stored in the JWS.\n#[derive(Debug, Clone, Hash, PartialEq, Eq)]\npub enum PayloadData {\n    /// The given base64 string will just be used as the payload.\n    Standard(Base64UrlString),\n}\n\n/// Represents anything that can be serialized into a raw payload.\n///\n/// This is required to be implemented when trying to sign a JWS, or encrypt a\n/// JWE.\n///\n/// # Examples\n///\n/// ```\n/// # extern crate alloc;\n/// # use alloc::string::{FromUtf8Error, String};\n/// # use core::convert::Infallible;\n/// # use jose::Base64UrlString;\n/// # use jose::jws::{FromRawPayload, IntoPayload, PayloadKind, PayloadData};\n///\n/// #[derive(Debug, PartialEq, Eq)]\n/// struct StringPayload(String);\n///\n/// impl IntoPayload for StringPayload {\n///     type Error = Infallible;\n///\n///     fn into_payload(self) -\u003e Result\u003cPayloadKind, Self::Error\u003e {\n///         let s = Base64UrlString::encode(self.0);\n///         Ok(PayloadKind::Attached(PayloadData::Standard(s)))\n///     }\n/// }\n/// ```\npub trait IntoPayload {\n    /// The error that can occurr while providing the payload in the\n    /// [`Self::into_payload`] method.\n    type Error;\n\n    /// First, this method must insert the raw bytes representation of this\n    /// payload into the given `digest`, which is later used for creating the\n    /// signature. Then the method must return the [kind of\n    /// payload](PayloadKind) to use in the resulting JWS.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if it failed to provide the payload.\n    fn into_payload(self) -\u003e Result\u003cPayloadKind, Self::Error\u003e;\n}\n\n/// Represents anything that can be parsed from a raw payload.\n///\n/// This is required to be implemented when trying to decoe a JWS, or encrypt a\n/// JWE, from it's format representation.\npub trait FromRawPayload: Sized {\n    /// The error that can occurr in any of the `from_*` methods.\n    type Error;\n\n    /// The additional context that is passed when decoding a payload.\n    type Context;\n\n    /// Converts a standard, attached [`PayloadData`] into this payload type.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the operation failed.\n    fn from_attached(context: \u0026Self::Context, payload: PayloadData) -\u003e Result\u003cSelf, Self::Error\u003e;\n\n    /// Construts this payload type from a detached content.\n    ///\n    /// For context, the header of the JWS will be provided,\n    /// to get / construct the payload.\n    ///\n    /// In addition to `Self`, the raw payload data must be\n    /// returned, in order to verify the signature.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the operation failed.\n    fn from_detached\u003cF, T\u003e(\n        context: \u0026Self::Context,\n        header: \u0026JoseHeader\u003cF, T\u003e,\n    ) -\u003e Result\u003c(Self, PayloadData), Self::Error\u003e;\n\n    /// Construts this payload type from a detached content.\n    ///\n    /// This method is only used when verifying JWS in JSON General format.\n    /// For context, all the header of the JWS will be provided,\n    /// to get / construct the payload.\n    ///\n    /// In addition to `Self`, the raw payload data must be\n    /// returned, in order to verify the signature.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the operation failed.\n    fn from_detached_many\u003cF, T\u003e(\n        context: \u0026Self::Context,\n        headers: \u0026[JoseHeader\u003cF, T\u003e],\n    ) -\u003e Result\u003c(Self, PayloadData), Self::Error\u003e;\n}\n\n/// Different kinds of errors that can occurr while signing a JWS.\n#[derive(Debug, Error)]\npub enum SignError\u003cP\u003e {\n    /// The number of headers in the JWS does not match the number of\n    /// [`Signer`]s.\n    ///\n    /// This error is only possible when using the [`JsonGeneral`] format.\n    #[error(\"the number of headers does not match the number of signers\")]\n    HeaderCountMismatch,\n    /// Failed to serialize the [`JoseHeader`].\n    #[error(\"failed to serialize header: {0}\")]\n    SerializeHeader(#[source] serde_json::Error),\n    /// The `protected` part of the header was empty, which is disallowed in the\n    /// compact format.\n    #[error(\"the protected header was empty on a compact JWS\")]\n    EmptyProtectedHeader,\n    /// The header of the JWS is invalid.\n    #[error(\"invalid JWS header: {0}\")]\n    InvalidHeader(#[source] header::Error),\n    /// The underlying signing operation of the given signer failed.\n    #[error(transparent)]\n    Sign(crypto::Error),\n    /// Failed to convert payload into it's raw byte representation.\n    #[error(transparent)]\n    Payload(P),\n}\n\n/// Represents a JSON Web Signature (JWS) as defined in [RFC 7515].\n///\n/// The JWS is a format for representing digitally signed or MACed (Message\n/// Authentication Code) content using JSON. The JSON representation is used\n/// to convey the payload, the signature, and optionally additional meta-data\n/// about the payload and signature.\n///\n/// The [`JsonWebSignature`] struct has two type parameters:\n///\n/// * `F`: The format of the JWS. This can be either [`Compact`] or\n///   [`JsonFlattened`].\n/// * `T`: The type of the payload. This can be any type that implements the\n///   [`IntoPayload`] trait and also the [`FromRawPayload`] trait.\n///\n/// [RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515\u003e\n#[derive(Debug)]\npub struct JsonWebSignature\u003cF: Format, T = ()\u003e {\n    header: F::JwsHeader,\n    payload: T,\n}\n\nimpl\u003cF: Format\u003e JsonWebSignature\u003cF, ()\u003e {\n    /// Constructs a [`JsonWebSignatureBuilder`].\n    pub fn builder() -\u003e JsonWebSignatureBuilder\u003cF\u003e {\n        JsonWebSignatureBuilder::new()\n    }\n}\n\nimpl\u003cF: Format, T\u003e JsonWebSignature\u003cF, T\u003e {\n    pub(crate) fn new(header: F::JwsHeader, payload: T) -\u003e Self {\n        Self { header, payload }\n    }\n\n    /// Returns a reference to the payload of this JWS.\n    pub fn payload(\u0026self) -\u003e \u0026T {\n        \u0026self.payload\n    }\n}\n\nimpl\u003cT\u003e JsonWebSignature\u003cCompact, T\u003e {\n    /// Returns a reference to the [`JoseHeader`] of\n    /// this JWS.\n    pub fn header(\u0026self) -\u003e \u0026JoseHeader\u003cCompact, header::Jws\u003e {\n        \u0026self.header\n    }\n}\n\nimpl\u003cT\u003e JsonWebSignature\u003cJsonFlattened, T\u003e {\n    /// Returns a reference to the [`JoseHeader`] of\n    /// this JWS.\n    pub fn header(\u0026self) -\u003e \u0026JoseHeader\u003cJsonFlattened, header::Jws\u003e {\n        \u0026self.header\n    }\n}\n\nimpl\u003cT\u003e JsonWebSignature\u003cJsonGeneral, T\u003e {\n    /// Returns a reference to the list of [`JoseHeader`] of this JWS.\n    pub fn header(\u0026self) -\u003e \u0026Vec\u003cJoseHeader\u003cJsonGeneral, header::Jws\u003e\u003e {\n        \u0026self.header\n    }\n}\n\nimpl\u003cF: Format, T: IntoPayload\u003e JsonWebSignature\u003cF, T\u003e {\n    /// Signs this [`JsonWebSignature`] using the given `signer`.\n    ///\n    /// When signing the JWS, some fields of the header of this JWS may be\n    /// updated. For example, the `alg` header parameter will be updated to\n    /// reflect the algorithm used to sign the JWS, and the `kid` header\n    /// parameter may be updated using the value from the given [`Signer`].\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if any step of the signing operation failed.\n    /// This may include:\n    /// - The header is invalid or failed to serialize.\n    /// - The header is invalid after updating it with the given signer.\n    /// - The underlying signing operation of the given signer failed.\n    /// - The payload failed to provide it's raw byte representation.\n    pub fn sign\u003cS: AsRef\u003c[u8]\u003e\u003e(\n        mut self,\n        signer: \u0026mut dyn Signer\u003cS\u003e,\n    ) -\u003e Result\u003cSigned\u003cF\u003e, SignError\u003cT::Error\u003e\u003e {\n        F::update_header(\u0026mut self.header, signer);\n\n        let serialized_header = F::serialize_header(self.header).map_err(|x| match x {\n            SignError::HeaderCountMismatch =\u003e SignError::HeaderCountMismatch,\n            SignError::SerializeHeader(x) =\u003e SignError::SerializeHeader(x),\n            SignError::InvalidHeader(x) =\u003e SignError::InvalidHeader(x),\n            SignError::EmptyProtectedHeader =\u003e SignError::EmptyProtectedHeader,\n            SignError::Sign(x) =\u003e SignError::Sign(x),\n            SignError::Payload(x) =\u003e match x {},\n        })?;\n\n        let mut msg = F::message_from_header(\u0026serialized_header)\n            .map(|x| x.to_vec())\n            .unwrap_or_default();\n        msg.push(b'.');\n\n        let payload = self.payload.into_payload().map_err(SignError::Payload)?;\n        let payload = match payload {\n            PayloadKind::Attached(PayloadData::Standard(b64)) =\u003e {\n                msg.extend(b64.as_bytes());\n                Some(PayloadData::Standard(b64))\n            }\n            PayloadKind::Detached(PayloadData::Standard(b64)) =\u003e {\n                msg.extend(b64.as_bytes());\n                None\n            }\n        };\n\n        let signature = signer.sign(\u0026msg).map_err(SignError::Sign)?;\n\n        Ok(Signed {\n            value: F::finalize(serialized_header, payload, signature.as_ref())\n                .map_err(SignError::SerializeHeader)?,\n        })\n    }\n}\n\nimpl\u003cT: IntoPayload\u003e JsonWebSignature\u003cJsonGeneral, T\u003e {\n    /// Signs this JWS using multiple signers.\n    ///\n    /// This is only supported when the JWS is in the [`JsonGeneral`] format.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the length of the given iterator of signers does\n    /// not match the number of headers in this JWS.\n    /// Otherwise, this method may return the same errors as the normal sign\n    /// operation.\n    pub fn sign_many\u003c's, S: AsRef\u003c[u8]\u003e + 's\u003e(\n        self,\n        signers: impl IntoIterator\u003cItem = \u0026's mut dyn Signer\u003cS\u003e\u003e,\n    ) -\u003e Result\u003cSigned\u003cJsonGeneral\u003e, SignError\u003cT::Error\u003e\u003e {\n        if self.header.is_empty() {\n            // this is unreachable right now, but we don't want to panic, so just return a\n            // kind of matching error\n            return Err(SignError::HeaderCountMismatch);\n        }\n\n        let signers = signers.into_iter().collect::\u003cVec\u003c_\u003e\u003e();\n\n        if signers.len() != self.header.len() {\n            return Err(SignError::HeaderCountMismatch);\n        }\n\n        let payload = self.payload.into_payload().map_err(SignError::Payload)?;\n        let payload_msg = match payload {\n            PayloadKind::Attached(PayloadData::Standard(ref b64)) =\u003e b64.as_bytes(),\n            PayloadKind::Detached(PayloadData::Standard(ref b64)) =\u003e b64.as_bytes(),\n        };\n\n        let mut signatures = vec![];\n\n        for (mut hdr, signer) in self.header.into_iter().zip(signers) {\n            hdr.overwrite_alg_and_key_id(signer.algorithm(), signer.key_id());\n\n            let mut msg = vec![];\n\n            let serialized_hdr = {\n                let (protected, unprotected) =\n                    hdr.into_values().map_err(SignError::InvalidHeader)?;\n\n                let protected = match protected {\n                    Some(hdr) =\u003e {\n                        let json =\n                            serde_json::to_string(\u0026hdr).map_err(SignError::SerializeHeader)?;\n\n                        let encoded = Base64UrlString::encode(json);\n                        msg.extend(encoded.as_bytes());\n                        Some(encoded)\n                    }\n                    None =\u003e None,\n                };\n\n                (protected, unprotected)\n            };\n\n            msg.push(b'.');\n            msg.extend(payload_msg);\n\n            let signature = signer.sign(\u0026msg).map_err(SignError::Sign)?;\n\n            signatures.push(JsonGeneralSignature {\n                protected: serialized_hdr.0,\n                header: serialized_hdr.1,\n                signature: Base64UrlString::encode(signature.as_ref()),\n            });\n        }\n\n        let payload = match payload {\n            PayloadKind::Attached(PayloadData::Standard(s)) =\u003e Some(s),\n            PayloadKind::Detached(_) =\u003e None,\n        };\n\n        Ok(Signed {\n            value: JsonGeneral {\n                payload,\n                signatures,\n            },\n        })\n    }\n}\n\n/// Different kinds of errors that can occurr while parsing a JWS from it's\n/// compact format.\n#[derive(Debug, Error)]\npub enum ParseCompactError\u003cP\u003e {\n    /// `crit` header field contained an unsupported name.\n    #[error(\"encountered unsupported critical headers (crit header field)\")]\n    UnsupportedCriticalHeader,\n    /// One of the parts was invalid UTF8\n    #[error(\"one of the parts was an invalid UTF-8 byte sequence\")]\n    InvalidUtf8Encoding,\n    /// One of the parts was an invalid Json string\n    #[error(\"one of the parts was an invalid json string\")]\n    InvalidJson(#[source] serde_json::Error),\n    /// The header of the JWS is invalid.\n    #[error(\"invalid JWS header: {0}\")]\n    InvalidHeader(#[source] header::Error),\n    /// Got a `Compact` with less or more than three elements.\n    #[error(\"got compact representation that didn't have 3 parts\")]\n    InvalidLength,\n    /// Failed to parse the payload.\n    #[error(transparent)]\n    Payload(P),\n}\n\nimpl\u003cF: Format, T\u003e crate::sealed::Sealed for JsonWebSignature\u003cF, T\u003e {}\n\nimpl\u003cT: FromRawPayload\u003cContext = ()\u003e\u003e DecodeFormat\u003cCompact\u003e for JsonWebSignature\u003cCompact, T\u003e {\n    type Decoded\u003cD\u003e = Unverified\u003cD\u003e;\n    type Error = ParseCompactError\u003cT::Error\u003e;\n\n    fn decode(input: Compact) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e {\n        Self::decode_with_context(input, \u0026())\n    }\n}\n\nimpl\u003cC, T: FromRawPayload\u003cContext = C\u003e\u003e DecodeFormatWithContext\u003cCompact, C\u003e\n    for JsonWebSignature\u003cCompact, T\u003e\n{\n    type Decoded\u003cD\u003e = Unverified\u003cD\u003e;\n    type Error = ParseCompactError\u003cT::Error\u003e;\n\n    fn decode_with_context(input: Compact, context: \u0026C) -\u003e Result\u003cUnverified\u003cSelf\u003e, Self::Error\u003e {\n        if input.len() != 3 {\n            return Err(ParseCompactError::InvalidLength);\n        }\n\n        let (header, raw_header) = {\n            let raw = input.part(0).expect(\"`len()` is checked above to be 3\");\n            let json = String::from_utf8(raw.decode())\n                .map_err(|_| ParseCompactError::InvalidUtf8Encoding)?;\n\n            let header = serde_json::from_str::\u003cserde_json::Map\u003cString, serde_json::Value\u003e\u003e(\u0026json)\n                .map_err(ParseCompactError::InvalidJson)?;\n\n            let header = JoseHeader::from_values(Some(header), None)\n                .map_err(ParseCompactError::InvalidHeader)?;\n\n            (header, raw)\n        };\n\n        let (payload, raw_payload) = {\n            let raw = input.part(1).expect(\"`len()` is checked above to be 3\");\n\n            // if payload is empty, detached payload\n            let (payload, raw) = if raw.is_empty() {\n                T::from_detached(context, \u0026header).map_err(ParseCompactError::Payload)?\n            } else {\n                let data = PayloadData::Standard(raw.clone());\n\n                (\n                    T::from_attached(context, data.clone()).map_err(ParseCompactError::Payload)?,\n                    data,\n                )\n            };\n\n            (payload, raw)\n        };\n        let PayloadData::Standard(raw_payload) = raw_payload;\n\n        let signature = input.part(2).expect(\"`len()` is checked above to be 3\");\n\n        let msg = format!(\"{raw_header}.{raw_payload}\");\n\n        Ok(Unverified {\n            value: JsonWebSignature { header, payload },\n            signature: signature.decode(),\n            msg: msg.into_bytes(),\n        })\n    }\n}\n\nfn parse_json_header\u003cF: Format, E\u003e(\n    protected: Option\u003c\u0026Base64UrlString\u003e,\n    header: Option\u003cserde_json::Map\u003cString, serde_json::Value\u003e\u003e,\n) -\u003e Result\u003cJoseHeader\u003cF, header::Jws\u003e, ParseJsonError\u003cE\u003e\u003e {\n    let protected = match protected {\n        Some(encoded) =\u003e {\n            let json = String::from_utf8(encoded.decode())\n                .map_err(|_| ParseJsonError::InvalidUtf8Encoding)?;\n\n            let values = serde_json::from_str::\u003cserde_json::Map\u003cString, serde_json::Value\u003e\u003e(\u0026json)\n                .map_err(ParseJsonError::InvalidJson)?;\n            Some(values)\n        }\n        None =\u003e None,\n    };\n\n    JoseHeader::from_values(protected, header).map_err(ParseJsonError::InvalidHeader)\n}\n\n/// Different kinds of errors that can occurr while parsing a JWS from it's\n/// JSON, general or flattened, format.\n#[derive(Debug, Error)]\npub enum ParseJsonError\u003cP\u003e {\n    /// The `signatures` array was empty.\n    ///\n    /// This error can only happen when decoding the [`JsonGeneral`] format.\n    #[error(\"the signatures array was empty\")]\n    EmptySignatures,\n    /// The header of the JWS is invalid.\n    #[error(\"invalid JWS header: {0}\")]\n    InvalidHeader(#[source] header::Error),\n    /// The protected header or signature contained invalid UTF-8\n    #[error(\"protected header or signature contained invalid UTF-8\")]\n    InvalidUtf8Encoding,\n    /// The protected header contained invalid JSON\n    #[error(\"protected header contained invalid JSON\")]\n    InvalidJson(#[source] serde_json::Error),\n    /// Failed to parse the payload.\n    #[error(transparent)]\n    Payload(P),\n}\n\nimpl\u003cT: FromRawPayload\u003cContext = ()\u003e\u003e DecodeFormat\u003cJsonFlattened\u003e\n    for JsonWebSignature\u003cJsonFlattened, T\u003e\n{\n    type Decoded\u003cD\u003e = Unverified\u003cD\u003e;\n    type Error = ParseJsonError\u003cT::Error\u003e;\n\n    fn decode(input: JsonFlattened) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e {\n        Self::decode_with_context(input, \u0026())\n    }\n}\n\nimpl\u003cC, T: FromRawPayload\u003cContext = C\u003e\u003e DecodeFormatWithContext\u003cJsonFlattened, C\u003e\n    for JsonWebSignature\u003cJsonFlattened, T\u003e\n{\n    type Decoded\u003cD\u003e = Unverified\u003cD\u003e;\n    type Error = ParseJsonError\u003cT::Error\u003e;\n\n    fn decode_with_context(\n        JsonFlattened {\n            payload,\n            protected,\n            header,\n            signature,\n        }: JsonFlattened,\n        context: \u0026C,\n    ) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e {\n        let protected_str = protected.clone().unwrap_or_default().into_inner();\n        let header = parse_json_header(protected.as_ref(), header)?;\n\n        let (payload, raw_payload) = match payload {\n            Some(b64) =\u003e (\n                T::from_attached(context, PayloadData::Standard(b64.clone()))\n                    .map_err(ParseJsonError::Payload)?,\n                PayloadData::Standard(b64),\n            ),\n            None =\u003e T::from_detached(context, \u0026header).map_err(ParseJsonError::Payload)?,\n        };\n        let PayloadData::Standard(raw_payload) = raw_payload;\n\n        let msg = format!(\"{protected_str}.{raw_payload}\");\n        Ok(Unverified {\n            value: JsonWebSignature { header, payload },\n            signature: signature.decode(),\n            msg: msg.into_bytes(),\n        })\n    }\n}\n\nimpl\u003cT: FromRawPayload\u003cContext = ()\u003e\u003e DecodeFormat\u003cJsonGeneral\u003e\n    for JsonWebSignature\u003cJsonGeneral, T\u003e\n{\n    type Decoded\u003cD\u003e = ManyUnverified\u003cD\u003e;\n    type Error = ParseJsonError\u003cT::Error\u003e;\n\n    fn decode(input: JsonGeneral) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e {\n        Self::decode_with_context(input, \u0026())\n    }\n}\n\nimpl\u003cC, T: FromRawPayload\u003cContext = C\u003e\u003e DecodeFormatWithContext\u003cJsonGeneral, C\u003e\n    for JsonWebSignature\u003cJsonGeneral, T\u003e\n{\n    type Decoded\u003cD\u003e = ManyUnverified\u003cD\u003e;\n    type Error = ParseJsonError\u003cT::Error\u003e;\n\n    fn decode_with_context(\n        JsonGeneral {\n            payload,\n            signatures,\n        }: JsonGeneral,\n        context: \u0026C,\n    ) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e {\n        if signatures.is_empty() {\n            return Err(ParseJsonError::EmptySignatures);\n        }\n\n        let mut headers = Vec::with_capacity(signatures.len());\n        let mut sigs = Vec::with_capacity(signatures.len());\n\n        for sig in signatures {\n            let header = parse_json_header(sig.protected.as_ref(), sig.header)?;\n\n            headers.push(header);\n            sigs.push((sig.protected.unwrap_or_default(), sig.signature.decode()));\n        }\n\n        let (payload, raw_payload) = match payload {\n            Some(b64) =\u003e (\n                T::from_attached(context, PayloadData::Standard(b64.clone()))\n                    .map_err(ParseJsonError::Payload)?,\n                PayloadData::Standard(b64),\n            ),\n            None =\u003e T::from_detached_many(context, \u0026headers).map_err(ParseJsonError::Payload)?,\n        };\n        let PayloadData::Standard(raw_payload) = raw_payload;\n\n        let unverified_signatures = sigs\n            .into_iter()\n            .map(|(protected, signature)| {\n                let msg = format!(\"{protected}.{raw_payload}\");\n\n                (msg.into_bytes(), signature)\n            })\n            .collect();\n\n        Ok(ManyUnverified {\n            value: JsonWebSignature {\n                header: headers,\n                payload,\n            },\n            signatures: unverified_signatures,\n        })\n    }\n}\n","traces":[{"line":204,"address":[],"length":0,"stats":{"Line":0}},{"line":205,"address":[],"length":0,"stats":{"Line":0}},{"line":210,"address":[],"length":0,"stats":{"Line":0}},{"line":215,"address":[],"length":0,"stats":{"Line":0}},{"line":216,"address":[],"length":0,"stats":{"Line":0}},{"line":223,"address":[],"length":0,"stats":{"Line":0}},{"line":224,"address":[],"length":0,"stats":{"Line":0}},{"line":231,"address":[],"length":0,"stats":{"Line":0}},{"line":232,"address":[],"length":0,"stats":{"Line":0}},{"line":238,"address":[],"length":0,"stats":{"Line":0}},{"line":239,"address":[],"length":0,"stats":{"Line":0}},{"line":259,"address":[],"length":0,"stats":{"Line":0}},{"line":263,"address":[],"length":0,"stats":{"Line":0}},{"line":265,"address":[],"length":0,"stats":{"Line":0}},{"line":266,"address":[],"length":0,"stats":{"Line":0}},{"line":267,"address":[],"length":0,"stats":{"Line":0}},{"line":268,"address":[],"length":0,"stats":{"Line":0}},{"line":269,"address":[],"length":0,"stats":{"Line":0}},{"line":270,"address":[],"length":0,"stats":{"Line":0}},{"line":271,"address":[],"length":0,"stats":{"Line":0}},{"line":274,"address":[],"length":0,"stats":{"Line":0}},{"line":275,"address":[],"length":0,"stats":{"Line":0}},{"line":277,"address":[],"length":0,"stats":{"Line":0}},{"line":279,"address":[],"length":0,"stats":{"Line":0}},{"line":280,"address":[],"length":0,"stats":{"Line":0}},{"line":281,"address":[],"length":0,"stats":{"Line":0}},{"line":282,"address":[],"length":0,"stats":{"Line":0}},{"line":283,"address":[],"length":0,"stats":{"Line":0}},{"line":285,"address":[],"length":0,"stats":{"Line":0}},{"line":286,"address":[],"length":0,"stats":{"Line":0}},{"line":287,"address":[],"length":0,"stats":{"Line":0}},{"line":291,"address":[],"length":0,"stats":{"Line":0}},{"line":293,"address":[],"length":0,"stats":{"Line":0}},{"line":294,"address":[],"length":0,"stats":{"Line":0}},{"line":295,"address":[],"length":0,"stats":{"Line":0}},{"line":311,"address":[],"length":0,"stats":{"Line":0}},{"line":315,"address":[],"length":0,"stats":{"Line":0}},{"line":318,"address":[],"length":0,"stats":{"Line":0}},{"line":321,"address":[],"length":0,"stats":{"Line":0}},{"line":323,"address":[],"length":0,"stats":{"Line":0}},{"line":324,"address":[],"length":0,"stats":{"Line":0}},{"line":327,"address":[],"length":0,"stats":{"Line":0}},{"line":328,"address":[],"length":0,"stats":{"Line":0}},{"line":329,"address":[],"length":0,"stats":{"Line":0}},{"line":330,"address":[],"length":0,"stats":{"Line":0}},{"line":333,"address":[],"length":0,"stats":{"Line":0}},{"line":335,"address":[],"length":0,"stats":{"Line":0}},{"line":336,"address":[],"length":0,"stats":{"Line":0}},{"line":338,"address":[],"length":0,"stats":{"Line":0}},{"line":340,"address":[],"length":0,"stats":{"Line":0}},{"line":341,"address":[],"length":0,"stats":{"Line":0}},{"line":342,"address":[],"length":0,"stats":{"Line":0}},{"line":344,"address":[],"length":0,"stats":{"Line":0}},{"line":345,"address":[],"length":0,"stats":{"Line":0}},{"line":346,"address":[],"length":0,"stats":{"Line":0}},{"line":347,"address":[],"length":0,"stats":{"Line":0}},{"line":349,"address":[],"length":0,"stats":{"Line":0}},{"line":350,"address":[],"length":0,"stats":{"Line":0}},{"line":351,"address":[],"length":0,"stats":{"Line":0}},{"line":353,"address":[],"length":0,"stats":{"Line":0}},{"line":356,"address":[],"length":0,"stats":{"Line":0}},{"line":359,"address":[],"length":0,"stats":{"Line":0}},{"line":360,"address":[],"length":0,"stats":{"Line":0}},{"line":362,"address":[],"length":0,"stats":{"Line":0}},{"line":364,"address":[],"length":0,"stats":{"Line":0}},{"line":365,"address":[],"length":0,"stats":{"Line":0}},{"line":366,"address":[],"length":0,"stats":{"Line":0}},{"line":367,"address":[],"length":0,"stats":{"Line":0}},{"line":371,"address":[],"length":0,"stats":{"Line":0}},{"line":372,"address":[],"length":0,"stats":{"Line":0}},{"line":373,"address":[],"length":0,"stats":{"Line":0}},{"line":376,"address":[],"length":0,"stats":{"Line":0}},{"line":377,"address":[],"length":0,"stats":{"Line":0}},{"line":378,"address":[],"length":0,"stats":{"Line":0}},{"line":379,"address":[],"length":0,"stats":{"Line":0}},{"line":415,"address":[],"length":0,"stats":{"Line":0}},{"line":416,"address":[],"length":0,"stats":{"Line":0}},{"line":426,"address":[],"length":0,"stats":{"Line":0}},{"line":427,"address":[],"length":0,"stats":{"Line":0}},{"line":428,"address":[],"length":0,"stats":{"Line":0}},{"line":431,"address":[],"length":0,"stats":{"Line":0}},{"line":432,"address":[],"length":0,"stats":{"Line":0}},{"line":433,"address":[],"length":0,"stats":{"Line":0}},{"line":434,"address":[],"length":0,"stats":{"Line":0}},{"line":436,"address":[],"length":0,"stats":{"Line":0}},{"line":437,"address":[],"length":0,"stats":{"Line":0}},{"line":439,"address":[],"length":0,"stats":{"Line":0}},{"line":440,"address":[],"length":0,"stats":{"Line":0}},{"line":442,"address":[],"length":0,"stats":{"Line":0}},{"line":445,"address":[],"length":0,"stats":{"Line":0}},{"line":446,"address":[],"length":0,"stats":{"Line":0}},{"line":449,"address":[],"length":0,"stats":{"Line":0}},{"line":450,"address":[],"length":0,"stats":{"Line":0}},{"line":452,"address":[],"length":0,"stats":{"Line":0}},{"line":455,"address":[],"length":0,"stats":{"Line":0}},{"line":456,"address":[],"length":0,"stats":{"Line":0}},{"line":460,"address":[],"length":0,"stats":{"Line":0}},{"line":462,"address":[],"length":0,"stats":{"Line":0}},{"line":464,"address":[],"length":0,"stats":{"Line":0}},{"line":466,"address":[],"length":0,"stats":{"Line":0}},{"line":468,"address":[],"length":0,"stats":{"Line":0}},{"line":469,"address":[],"length":0,"stats":{"Line":0}},{"line":470,"address":[],"length":0,"stats":{"Line":0}},{"line":471,"address":[],"length":0,"stats":{"Line":0}},{"line":476,"address":[],"length":0,"stats":{"Line":0}},{"line":480,"address":[],"length":0,"stats":{"Line":0}},{"line":481,"address":[],"length":0,"stats":{"Line":0}},{"line":482,"address":[],"length":0,"stats":{"Line":0}},{"line":483,"address":[],"length":0,"stats":{"Line":0}},{"line":485,"address":[],"length":0,"stats":{"Line":0}},{"line":486,"address":[],"length":0,"stats":{"Line":0}},{"line":487,"address":[],"length":0,"stats":{"Line":0}},{"line":489,"address":[],"length":0,"stats":{"Line":0}},{"line":492,"address":[],"length":0,"stats":{"Line":0}},{"line":524,"address":[],"length":0,"stats":{"Line":0}},{"line":525,"address":[],"length":0,"stats":{"Line":0}},{"line":535,"address":[],"length":0,"stats":{"Line":0}},{"line":544,"address":[],"length":0,"stats":{"Line":0}},{"line":545,"address":[],"length":0,"stats":{"Line":0}},{"line":547,"address":[],"length":0,"stats":{"Line":0}},{"line":548,"address":[],"length":0,"stats":{"Line":0}},{"line":549,"address":[],"length":0,"stats":{"Line":0}},{"line":550,"address":[],"length":0,"stats":{"Line":0}},{"line":551,"address":[],"length":0,"stats":{"Line":0}},{"line":553,"address":[],"length":0,"stats":{"Line":0}},{"line":555,"address":[],"length":0,"stats":{"Line":0}},{"line":557,"address":[],"length":0,"stats":{"Line":0}},{"line":558,"address":[],"length":0,"stats":{"Line":0}},{"line":559,"address":[],"length":0,"stats":{"Line":0}},{"line":560,"address":[],"length":0,"stats":{"Line":0}},{"line":561,"address":[],"length":0,"stats":{"Line":0}},{"line":572,"address":[],"length":0,"stats":{"Line":0}},{"line":573,"address":[],"length":0,"stats":{"Line":0}},{"line":583,"address":[],"length":0,"stats":{"Line":0}},{"line":590,"address":[],"length":0,"stats":{"Line":0}},{"line":591,"address":[],"length":0,"stats":{"Line":0}},{"line":594,"address":[],"length":0,"stats":{"Line":0}},{"line":595,"address":[],"length":0,"stats":{"Line":0}},{"line":597,"address":[],"length":0,"stats":{"Line":0}},{"line":598,"address":[],"length":0,"stats":{"Line":0}},{"line":600,"address":[],"length":0,"stats":{"Line":0}},{"line":601,"address":[],"length":0,"stats":{"Line":0}},{"line":604,"address":[],"length":0,"stats":{"Line":0}},{"line":605,"address":[],"length":0,"stats":{"Line":0}},{"line":606,"address":[],"length":0,"stats":{"Line":0}},{"line":607,"address":[],"length":0,"stats":{"Line":0}},{"line":608,"address":[],"length":0,"stats":{"Line":0}},{"line":610,"address":[],"length":0,"stats":{"Line":0}},{"line":612,"address":[],"length":0,"stats":{"Line":0}},{"line":614,"address":[],"length":0,"stats":{"Line":0}},{"line":616,"address":[],"length":0,"stats":{"Line":0}},{"line":617,"address":[],"length":0,"stats":{"Line":0}},{"line":619,"address":[],"length":0,"stats":{"Line":0}},{"line":623,"address":[],"length":0,"stats":{"Line":0}},{"line":624,"address":[],"length":0,"stats":{"Line":0}},{"line":625,"address":[],"length":0,"stats":{"Line":0}},{"line":626,"address":[],"length":0,"stats":{"Line":0}},{"line":628,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":158},{"path":["/","home","stu","dev","rust","jose","src","jwt.rs"],"content":"//! JsonWebToken (JWT) implementation\n//!\n//! JWTs are the most common use of JOSE.\n\nuse alloc::string::String;\n\nuse serde::{de::DeserializeOwned, Deserialize, Serialize};\n\nuse crate::{\n    format::{self, Compact},\n    jws::{FromRawPayload, IntoPayload, JsonWebSignatureBuilder, PayloadData, PayloadKind},\n    Base64UrlString, JsonWebSignature, Jws,\n};\n\n/// A JSON Web Token (JWT) as defined in [RFC 7519].\n///\n/// Since a JWT is only allowed to be serialized in the compact format, the\n/// `F` type parameter is fixed to [`Compact`] in this type\n/// alias.\n///\n/// [RFC 7519]: \u003chttps://datatracker.ietf.org/doc/html/rfc7519\u003e\npub type JsonWebToken\u003cA\u003e = JsonWebSignature\u003cformat::Compact, Claims\u003cA\u003e\u003e;\n\nimpl JsonWebToken\u003c()\u003e {\n    /// Returns a [`JsonWebSignatureBuilder`] for a [`JsonWebToken`]\n    // this method is needed because of interference problems if it is named\n    // builder directly.\n    pub fn builder_jwt() -\u003e JsonWebSignatureBuilder\u003cCompact\u003e {\n        Jws::builder()\n    }\n}\n\n/// The claims of a JSON Web Token (JWT) as defined in [RFC 7519].\n///\n/// The `A` type parameter is used to specify the type of the additional\n/// parameters of the claims. If no additional parameters are required,\n/// the unit type `()` can be used.\n///\n/// [RFC 7519]: \u003chttps://datatracker.ietf.org/doc/html/rfc7519\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Default)]\npub struct Claims\u003cA = ()\u003e {\n    /// The \"iss\" (issuer) claim identifies the principal that issued the JWT.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1).\n    #[serde(rename = \"iss\", skip_serializing_if = \"Option::is_none\")]\n    pub issuer: Option\u003cString\u003e,\n\n    /// The \"sub\" (subject) claim identifies the principal that is the subject\n    /// of the JWT.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.2](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2).\n    #[serde(rename = \"sub\", skip_serializing_if = \"Option::is_none\")]\n    pub subject: Option\u003cString\u003e,\n\n    /// The \"aud\" (audience) claim identifies the recipients that the JWT is\n    /// intended for.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.3](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3).\n    #[serde(rename = \"aud\", skip_serializing_if = \"Option::is_none\")]\n    pub audience: Option\u003cString\u003e,\n\n    /// The \"exp\" (expiration time) claim identifies the expiration time on or\n    /// after which the JWT MUST NOT be accepted for processing.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.4](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4).\n    #[serde(rename = \"exp\", skip_serializing_if = \"Option::is_none\")]\n    pub expiration: Option\u003cu64\u003e,\n\n    /// The \"nbf\" (not before) claim identifies the time before which the JWT\n    /// MUST NOT be accepted for processing.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.5](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5).\n    #[serde(rename = \"nbf\", skip_serializing_if = \"Option::is_none\")]\n    pub not_before: Option\u003cu64\u003e,\n\n    /// The \"iat\" (issued at) claim identifies the time at which the JWT was\n    /// issued.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.6](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6).\n    #[serde(rename = \"iat\", skip_serializing_if = \"Option::is_none\")]\n    pub issued_at: Option\u003cu64\u003e,\n\n    /// The \"jti\" (JWT ID) claim provides a unique identifier for the JWT.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.7](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.7).\n    #[serde(rename = \"jti\", skip_serializing_if = \"Option::is_none\")]\n    pub jwt_id: Option\u003cString\u003e,\n\n    /// Additional, potentially unregistered JWT claims.\n    #[serde(flatten)]\n    pub additional: A,\n}\n\nimpl\u003cA\u003e IntoPayload for Claims\u003cA\u003e\nwhere\n    A: Serialize,\n{\n    type Error = serde_json::Error;\n\n    fn into_payload(self) -\u003e Result\u003cPayloadKind, Self::Error\u003e {\n        let encoded = serde_json::to_vec(\u0026self)?;\n        Ok(PayloadKind::Attached(PayloadData::Standard(\n            Base64UrlString::encode(encoded),\n        )))\n    }\n}\n\n/// Error returned by [`FromRawPayload`] implementation of [`Claims`]\n#[derive(Debug, thiserror::Error)]\n#[non_exhaustive]\npub enum ClaimsDecodeError {\n    /// [`Claims`] does not support this operation.\n    #[error(\"Operation not supported.\")]\n    OperationUnsupported,\n    /// Error while deserializing underlying Json\n    #[error(transparent)]\n    Json(#[from] serde_json::Error),\n}\n\nimpl\u003cA\u003e FromRawPayload for Claims\u003cA\u003e\nwhere\n    A: DeserializeOwned,\n{\n    type Context = ();\n    type Error = ClaimsDecodeError;\n\n    fn from_attached(_: \u0026Self::Context, payload: PayloadData) -\u003e Result\u003cSelf, Self::Error\u003e {\n        let data = match payload {\n            PayloadData::Standard(data) =\u003e data.decode(),\n        };\n        let claims: Claims\u003cA\u003e = serde_json::from_slice(\u0026data)?;\n        Ok(claims)\n    }\n\n    /// Detached is not supported with [`JsonWebToken`]\n    ///\n    /// # Returns\n    ///\n    /// Always returns [`ClaimsDecodeError::OperationUnsupported`]\n    fn from_detached\u003cF, T\u003e(\n        _: \u0026Self::Context,\n        _: \u0026crate::JoseHeader\u003cF, T\u003e,\n    ) -\u003e Result\u003c(Self, PayloadData), Self::Error\u003e {\n        Err(ClaimsDecodeError::OperationUnsupported)\n    }\n\n    /// Detached is not supported with [`JsonWebToken`]\n    ///\n    /// # Returns\n    ///\n    /// Always returns [`ClaimsDecodeError::OperationUnsupported`]\n    fn from_detached_many\u003cF, T\u003e(\n        _: \u0026Self::Context,\n        _: \u0026[crate::JoseHeader\u003cF, T\u003e],\n    ) -\u003e Result\u003c(Self, PayloadData), Self::Error\u003e {\n        Err(ClaimsDecodeError::OperationUnsupported)\n    }\n}\n","traces":[{"line":28,"address":[],"length":0,"stats":{"Line":0}},{"line":29,"address":[],"length":0,"stats":{"Line":0}},{"line":100,"address":[],"length":0,"stats":{"Line":0}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":102,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":140,"address":[],"length":0,"stats":{"Line":0}},{"line":144,"address":[],"length":0,"stats":{"Line":0}},{"line":152,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":15},{"path":["/","home","stu","dev","rust","jose","src","lib.rs"],"content":"#![doc = include_str!(\"../README.md\")]\n#![allow(clippy::doc_overindented_list_items)]\n#![warn(\n    missing_docs,\n    missing_debug_implementations,\n    trivial_casts,\n    trivial_numeric_casts,\n    unused_extern_crates,\n    unused_import_braces,\n    explicit_outlives_requirements,\n    clippy::missing_errors_doc\n)]\n#![deny(\n    rustdoc::broken_intra_doc_links,\n    rustdoc::bare_urls,\n    macro_use_extern_crate,\n    non_ascii_idents,\n    elided_lifetimes_in_paths\n)]\n#![forbid(unsafe_code)]\n#![cfg_attr(not(feature = \"std\"), no_std)]\n#![cfg_attr(feature = \"std\", allow(unused_qualifications))]\n#![cfg_attr(docsrs, feature(doc_auto_cfg))]\n\nextern crate alloc;\n\n#[macro_use]\nmod macros;\n\npub(crate) mod base64_url;\n#[macro_use]\npub(crate) mod tagged_visitor;\npub(crate) mod sealed;\n\npub mod crypto;\npub mod format;\npub mod header;\npub mod jwa;\npub mod jwe;\npub mod jwk;\npub mod jws;\npub mod jwt;\nmod uri;\n\nuse alloc::string::String;\n\npub use base64_url::Base64UrlString;\npub use uri::Uri;\n\n#[doc(inline)]\npub use self::{header::JoseHeader, jwk::JsonWebKey, jws::JsonWebSignature, jwt::JsonWebToken};\n\n/// Type alias to make [`JsonWebSignature`] easier to access.\npub type Jws\u003cF = format::Compact, T = ()\u003e = JsonWebSignature\u003cF, T\u003e;\n\n/// Type alias to make [`JsonWebToken`] easier to access.\npub type Jwt\u003cA = ()\u003e = JsonWebToken\u003cA\u003e;\n\n/// Type alias to make [`JsonWebKey`] easier to access.\npub type Jwk\u003cA = ()\u003e = JsonWebKey\u003cA\u003e;\n\n/// This type is used when the type of the additional parameters\n/// of a [`JsonWebKey`], or a [`JoseHeader`] can not be\n/// specified, but must not be discarded.\npub type UntypedAdditionalProperties = serde_json::Map\u003cString, serde_json::Value\u003e;\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","macros.rs"],"content":"macro_rules! impl_serde_jwa {\n    ($T:ty, [\n        $($name:literal =\u003e $val:expr; $valp:pat,)*\n    ]) =\u003e {\n\n        impl core::fmt::Display for $T {\n            fn fmt(\u0026self, f: \u0026mut core::fmt::Formatter\u003c'_\u003e) -\u003e core::fmt::Result {\n                match \u0026self {\n                    $($valp =\u003e write!(f, \"{}\", $name),)*\n                    Self::Other(other) =\u003e write!(f, \"{}\", other),\n                }\n            }\n        }\n        #[allow(unused_qualifications)]\n        impl\u003c'de\u003e serde::Deserialize\u003c'de\u003e for $T {\n            fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n            where\n                D: serde::Deserializer\u003c'de\u003e,\n            {\n                let name = \u003calloc::borrow::Cow\u003c'_, str\u003e as serde::Deserialize\u003e::deserialize(deserializer)?;\n\n                Ok(Self::from_str_without_other(\u0026name).unwrap_or_else(|| {\n                    Self::Other(name.into_owned())\n                }))\n            }\n        }\n\n        #[allow(unused_qualifications)]\n        impl serde::Serialize for $T {\n            fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n            where\n                S: serde::Serializer,\n            {\n                let name = match self {\n                    $($valp =\u003e $name,)*\n                    Self::Other(custom) =\u003e custom,\n                };\n                \u003c\u0026str as serde::Serialize\u003e::serialize(\u0026name, serializer)\n            }\n        }\n\n        impl $T {\n            /// Tries to parse the given name into a variant, and returns `None`\n            /// if no variant matched.\n            pub(crate) fn from_str_without_other(name: \u0026str) -\u003e Option\u003cSelf\u003e {\n                match name {\n                    $($name =\u003e Some($val),)*\n                    _ =\u003e None,\n                }\n            }\n        }\n    };\n}\n\nmacro_rules! impl_internally_tagged_deserialize {\n    ($T:ty, $tag:literal, $expecting:literal, [$($name:literal =\u003e $i:ident),* $(,)?]) =\u003e {\n        #[allow(unused_qualifications)]\n        impl\u003c'de\u003e serde::Deserialize\u003c'de\u003e for $T {\n            fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n            where\n                D: serde::Deserializer\u003c'de\u003e,\n            {\n                #[derive(Clone, Copy, Deserialize)]\n                enum Tag {\n                    $(#[serde(rename = $name)]\n                    $i,)*\n                }\n\n                let tagged =\n                    deserializer.deserialize_any(crate::tagged_visitor::TaggedContentVisitor::new($tag, $expecting))?;\n\n                match tagged.tag {\n                    $(Tag::$i =\u003e Deserialize::deserialize(tagged.content).map(\u003c$T\u003e::$i),)*\n                }\n                .map_err(|x| x.into_error())\n            }\n        }\n    };\n}\n\nmacro_rules! impl_thumbprint_hash_trait {\n    ($symmetric:ty) =\u003e {\n        #[allow(rustdoc::redundant_explicit_links)]\n        /// The [`Hash`](core::hash::Hash) implementation uses\n        /// [`Thumbprint::thumbprint_prehashed`](crate::jwk::Thumbprint::thumbprint_prehashed)\n        impl core::hash::Hash for $symmetric {\n            fn hash\u003cH\u003e(\u0026self, state: \u0026mut H)\n            where\n                H: core::hash::Hasher,\n            {\n                alloc::format!(\n                    \"symmetric:{}\",\n                    \u003c$symmetric as crate::jwk::Thumbprint\u003e::thumbprint_prehashed(\u0026self)\n                )\n                .hash(state)\n            }\n        }\n    };\n    ($public:ty, $private:ty) =\u003e {\n        #[allow(rustdoc::redundant_explicit_links)]\n        /// The [`Hash`](core::hash::Hash) implementation uses\n        /// [`Thumbprint::thumbprint_prehashed`](crate::jwk::Thumbprint::thumbprint_prehashed)\n        impl core::hash::Hash for $public {\n            fn hash\u003cH\u003e(\u0026self, state: \u0026mut H)\n            where\n                H: core::hash::Hasher,\n            {\n                alloc::format!(\n                    \"public:{}\",\n                    \u003c$public as crate::jwk::Thumbprint\u003e::thumbprint_prehashed(\u0026self)\n                )\n                .hash(state)\n            }\n        }\n        #[allow(rustdoc::redundant_explicit_links)]\n        /// The [`Hash`](core::hash::Hash) implementation uses\n        /// [`Thumbprint::thumbprint_prehashed`](crate::jwk::Thumbprint::thumbprint_prehashed)\n        impl core::hash::Hash for $private {\n            fn hash\u003cH\u003e(\u0026self, state: \u0026mut H)\n            where\n                H: core::hash::Hasher,\n            {\n                alloc::format!(\n                    \"private:{}\",\n                    \u003c$private as crate::jwk::Thumbprint\u003e::thumbprint_prehashed(\u0026self)\n                )\n                .hash(state)\n            }\n        }\n    };\n}\n","traces":[{"line":7,"address":[],"length":0,"stats":{"Line":0}},{"line":8,"address":[],"length":0,"stats":{"Line":0}},{"line":9,"address":[],"length":0,"stats":{"Line":0}},{"line":10,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":17,"address":[],"length":0,"stats":{"Line":0}},{"line":18,"address":[],"length":0,"stats":{"Line":0}},{"line":20,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}},{"line":23,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":28}},{"line":31,"address":[],"length":0,"stats":{"Line":28}},{"line":32,"address":[],"length":0,"stats":{"Line":28}},{"line":34,"address":[],"length":0,"stats":{"Line":34}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":38,"address":[],"length":0,"stats":{"Line":28}},{"line":45,"address":[],"length":0,"stats":{"Line":94}},{"line":46,"address":[],"length":0,"stats":{"Line":94}},{"line":47,"address":[],"length":0,"stats":{"Line":49}},{"line":48,"address":[],"length":0,"stats":{"Line":49}},{"line":59,"address":[],"length":0,"stats":{"Line":118}},{"line":60,"address":[],"length":0,"stats":{"Line":118}},{"line":61,"address":[],"length":0,"stats":{"Line":118}},{"line":69,"address":[],"length":0,"stats":{"Line":60}},{"line":70,"address":[],"length":0,"stats":{"Line":176}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":24}},{"line":75,"address":[],"length":0,"stats":{"Line":20}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":1}},{"line":105,"address":[],"length":0,"stats":{"Line":1}},{"line":106,"address":[],"length":0,"stats":{"Line":1}},{"line":108,"address":[],"length":0,"stats":{"Line":1}},{"line":109,"address":[],"length":0,"stats":{"Line":1}},{"line":110,"address":[],"length":0,"stats":{"Line":1}},{"line":112,"address":[],"length":0,"stats":{"Line":1}},{"line":119,"address":[],"length":0,"stats":{"Line":1}},{"line":120,"address":[],"length":0,"stats":{"Line":1}},{"line":121,"address":[],"length":0,"stats":{"Line":1}},{"line":123,"address":[],"length":0,"stats":{"Line":1}},{"line":124,"address":[],"length":0,"stats":{"Line":1}},{"line":125,"address":[],"length":0,"stats":{"Line":1}},{"line":127,"address":[],"length":0,"stats":{"Line":1}}],"covered":30,"coverable":49},{"path":["/","home","stu","dev","rust","jose","src","sealed.rs"],"content":"/// A trait to protect traits meant only to be implemented by types from this\n/// crate from types outside this crate ([`C-SEALED`])\n///\n/// [`C-SEALED`]: \u003chttps://rust-lang.github.io/api-guidelines/future-proofing.html\u003e\npub trait Sealed {}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","tagged_visitor.rs"],"content":"use alloc::{collections::BTreeMap, fmt};\nuse core::marker::PhantomData;\n\nuse serde::{\n    de::{self, DeserializeSeed, MapAccess, Visitor},\n    Deserialize, Deserializer,\n};\nuse serde_value::Value;\n\npub(crate) struct TaggedContent\u003cT\u003e {\n    pub tag: T,\n    pub content: Value,\n}\n\npub(crate) struct TaggedContentVisitor\u003c'de, T\u003e {\n    tag_name: \u0026'static str,\n    expecting: \u0026'static str,\n    _tag: PhantomData\u003cT\u003e,\n    _content: PhantomData\u003c\u0026'de [u8]\u003e,\n}\n\nimpl\u003cT\u003e TaggedContentVisitor\u003c'_, T\u003e {\n    pub fn new(tag_name: \u0026'static str, expecting: \u0026'static str) -\u003e Self {\n        Self {\n            tag_name,\n            expecting,\n            _tag: PhantomData,\n            _content: PhantomData,\n        }\n    }\n}\n\nimpl\u003c'de, T\u003e DeserializeSeed\u003c'de\u003e for TaggedContentVisitor\u003c'de, T\u003e\nwhere\n    T: Deserialize\u003c'de\u003e + Clone,\n{\n    type Value = TaggedContent\u003cT\u003e;\n\n    fn deserialize\u003cD\u003e(self, deserializer: D) -\u003e Result\u003cSelf::Value, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        // Internally tagged enums are only supported in self-describing\n        // formats.\n        deserializer.deserialize_any(self)\n    }\n}\n\nimpl\u003c'de, T\u003e Visitor\u003c'de\u003e for TaggedContentVisitor\u003c'de, T\u003e\nwhere\n    T: Deserialize\u003c'de\u003e + Clone,\n{\n    type Value = TaggedContent\u003cT\u003e;\n\n    fn expecting(\u0026self, fmt: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt.write_str(self.expecting)\n    }\n\n    fn visit_map\u003cM\u003e(self, mut map: M) -\u003e Result\u003cSelf::Value, M::Error\u003e\n    where\n        M: MapAccess\u003c'de\u003e,\n    {\n        let mut tag = None;\n        let mut content = BTreeMap::new();\n\n        while let Some(k) = map.next_key::\u003cValue\u003e()? {\n            let val = if matches!(k, Value::String(ref s) if s == self.tag_name) {\n                let val = map.next_value::\u003cValue\u003e()?;\n                tag = Some(val.clone().deserialize_into().map_err(|e| e.into_error())?);\n                val\n            } else {\n                map.next_value()?\n            };\n\n            content.insert(k, val);\n        }\n\n        match tag {\n            None =\u003e Err(de::Error::missing_field(self.tag_name)),\n            Some(tag) =\u003e Ok(TaggedContent {\n                tag,\n                content: Value::Map(content),\n            }),\n        }\n    }\n}\n","traces":[{"line":23,"address":[],"length":0,"stats":{"Line":118}},{"line":39,"address":[],"length":0,"stats":{"Line":0}},{"line":45,"address":[],"length":0,"stats":{"Line":0}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":118}},{"line":63,"address":[],"length":0,"stats":{"Line":118}},{"line":64,"address":[],"length":0,"stats":{"Line":118}},{"line":66,"address":[],"length":0,"stats":{"Line":790}},{"line":67,"address":[],"length":0,"stats":{"Line":856}},{"line":68,"address":[],"length":0,"stats":{"Line":184}},{"line":69,"address":[],"length":0,"stats":{"Line":124}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":260}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":86}},{"line":79,"address":[],"length":0,"stats":{"Line":26}},{"line":80,"address":[],"length":0,"stats":{"Line":60}},{"line":81,"address":[],"length":0,"stats":{"Line":60}},{"line":82,"address":[],"length":0,"stats":{"Line":60}}],"covered":14,"coverable":20},{"path":["/","home","stu","dev","rust","jose","src","uri.rs"],"content":"use alloc::string::String;\nuse core::{fmt, ops::Deref};\n\nuse serde::{Deserialize, Serialize};\n\n/// A serializable URI type implemented using [`serde`] and [`fluent_uri`].\n///\n/// This is a thing wrapper around a [`fluent_uri::Uri\u003cString\u003e`] that implements\n/// [`Serialize`] and [`Deserialize`].\n#[derive(Debug, Clone, Default)]\npub struct Uri(fluent_uri::Uri\u003cString\u003e);\n\nimpl Uri {\n    /// Borrows this URI.\n    pub fn borrow(\u0026self) -\u003e BorrowedUri\u003c'_\u003e {\n        BorrowedUri(self.0.borrow())\n    }\n\n    /// Turns this URI into the underlying [`fluent_uri::Uri\u003cString\u003e`].\n    pub fn into_inner(self) -\u003e fluent_uri::Uri\u003cString\u003e {\n        self.0\n    }\n}\n\nimpl PartialEq for Uri {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        self.0.as_str().eq(other.0.as_str())\n    }\n}\nimpl Eq for Uri {}\n\nimpl Deref for Uri {\n    type Target = fluent_uri::Uri\u003cString\u003e;\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        \u0026self.0\n    }\n}\n\nimpl From\u003cfluent_uri::Uri\u003cString\u003e\u003e for Uri {\n    fn from(uri: fluent_uri::Uri\u003cString\u003e) -\u003e Self {\n        Self(uri)\n    }\n}\n\nimpl fmt::Display for Uri {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        self.0.fmt(f)\n    }\n}\n\nimpl Serialize for Uri {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        self.0.as_str().serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for Uri {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cUri, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let uri = String::deserialize(deserializer)?;\n\n        Ok(Uri(\n            fluent_uri::Uri::parse(uri).map_err(serde::de::Error::custom)?\n        ))\n    }\n}\n\n/// A borrowed version of the [`Uri`].\n///\n/// This is a thing wrapper around a [`fluent_uri::Uri\u003c\u0026str\u003e`] that implements\n/// [`Serialize`].\n#[derive(Debug)]\npub struct BorrowedUri\u003c's\u003e(fluent_uri::Uri\u003c\u0026's str\u003e);\n\nimpl BorrowedUri\u003c'_\u003e {\n    /// Turns this borrowed URI into an owned [`Uri`].\n    pub fn to_owned(\u0026self) -\u003e Uri {\n        Uri(self.0.to_owned())\n    }\n}\n\nimpl\u003c's\u003e Deref for BorrowedUri\u003c's\u003e {\n    type Target = fluent_uri::Uri\u003c\u0026's str\u003e;\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        \u0026self.0\n    }\n}\n\nimpl fmt::Display for BorrowedUri\u003c'_\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        self.0.fmt(f)\n    }\n}\n\nimpl Serialize for BorrowedUri\u003c'_\u003e {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        self.0.as_str().serialize(serializer)\n    }\n}\n\nimpl PartialEq for BorrowedUri\u003c'_\u003e {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        self.0.as_str().eq(other.0.as_str())\n    }\n}\nimpl Eq for BorrowedUri\u003c'_\u003e {}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":20,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":26,"address":[],"length":0,"stats":{"Line":0}},{"line":27,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":41,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":62,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":113,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":28},{"path":["/","home","stu","dev","rust","jose","target","debug","build","eyre-43034007078a440d","out","probe.rs"],"content":"\n    #![allow(dead_code)]\n\n    #[track_caller]\n    fn foo() {\n        let _location = std::panic::Location::caller();\n    }\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","target","debug","build","eyre-75120121d1e0e56e","out","probe.rs"],"content":"\n    #![allow(dead_code)]\n\n    #[track_caller]\n    fn foo() {\n        let _location = std::panic::Location::caller();\n    }\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","tests","common","mod.rs"],"content":"//! Common test helpers.\n\nuse serde_json::Value;\n\npub type TestResult\u003cT = ()\u003e = Result\u003cT, Box\u003cdyn std::error::Error\u003e\u003e;\n\n/// Reads a key file from the `tests/vectors/jwk` directory.\npub fn read_jwk(name: \u0026str) -\u003e TestResult\u003cValue\u003e {\n    let json = std::fs::read_to_string(format!(\n        \"{}/tests/vectors/jwk/{name}.json\",\n        env!(\"CARGO_MANIFEST_DIR\"),\n    ))?;\n    let key: Value = serde_json::from_str(\u0026json)?;\n\n    Ok(key)\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","tests","header.rs"],"content":"use jose::{\n    format::Compact,\n    header::{HeaderValue, Jws},\n    jwa::JsonWebSigningAlgorithm,\n    JoseHeader,\n};\n\n#[test]\nfn build_header() {\n    let builder = JoseHeader::\u003cCompact, Jws\u003e::builder();\n    let header = builder\n        .algorithm(HeaderValue::Protected(JsonWebSigningAlgorithm::None))\n        .build()\n        .unwrap();\n    assert_eq!(\n        header.algorithm(),\n        HeaderValue::Protected(\u0026JsonWebSigningAlgorithm::None)\n    );\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","tests","jwk.rs"],"content":"use jose::{\n    crypto::hmac,\n    jwa::{self, JsonWebAlgorithm},\n    jwk::{self, policy::Checkable, FromKey as _, Thumbprint as _},\n    Base64UrlString, JsonWebKey,\n};\nuse pretty_assertions::assert_eq;\nuse serde::{Deserialize, Serialize};\n\nuse crate::common::{read_jwk, TestResult};\n\nmod common;\n\nfn roundtrip(file: \u0026str, unsupported: bool, check: fn(\u0026JsonWebKey)) -\u003e TestResult {\n    let mut json_key = read_jwk(file)?;\n    let json_key_str = serde_json::to_string(\u0026json_key)?;\n\n    let jwk = match serde_json::from_value::\u003cJsonWebKey\u003e(json_key.clone()) {\n        Ok(..) if unsupported =\u003e panic!(\"Unsupported key type was successful\"),\n        Ok(jwk) =\u003e jwk,\n        Err(..) if unsupported =\u003e return Ok(()),\n        Err(e) =\u003e return Err(e.into()),\n    };\n    check(\u0026jwk);\n\n    // we want to deserialize the JWK from an owned value, and a borrowed value\n    let jwk_from_str = serde_json::from_str::\u003cJsonWebKey\u003e(\u0026json_key_str)?;\n    assert_eq!(jwk.key_type(), jwk_from_str.key_type());\n\n    let mut serialized = serde_json::to_value(\u0026jwk)?;\n    let mut serialized_from_str = serde_json::to_value(\u0026jwk_from_str)?;\n\n    // removes the field `name` from the given json value, mostly because some\n    // fields are serialized non-deterministic (key_ops), because the order is\n    // random\n    let remove_field = |value: \u0026mut serde_json::Value, name: \u0026str| {\n        if let Some(obj) = value.as_object_mut() {\n            obj.remove(name);\n        }\n    };\n\n    let mut remove_field_from_all = |name: \u0026str| {\n        remove_field(\u0026mut json_key, name);\n        remove_field(\u0026mut serialized, name);\n        remove_field(\u0026mut serialized_from_str, name);\n    };\n\n    remove_field_from_all(\"key_ops\");\n\n    assert_eq!(json_key, serialized);\n    assert_eq!(json_key, serialized_from_str);\n\n    // now try constructing a builder using this key, and check invalid\n    // algorithm\n    let err = JsonWebKey::builder(jwk.key_type().clone())\n        .algorithm(Some(JsonWebAlgorithm::Other(\"foo\".to_string())))\n        .build()\n        .unwrap_err();\n    assert!(matches!(\n        err,\n        jwk::JsonWebKeyBuildError::IncompatibleKeyType\n    ));\n\n    let err = jwk\n        .into_builder()\n        .algorithm(Some(JsonWebAlgorithm::Other(\"foo\".to_string())))\n        .build()\n        .unwrap_err();\n    assert!(matches!(\n        err,\n        jwk::JsonWebKeyBuildError::IncompatibleKeyType\n    ));\n\n    Ok(())\n}\n\nfn roundtrip_pair(\n    private: \u0026str,\n    public: \u0026str,\n    unsupported: bool,\n    check: fn(\u0026JsonWebKey),\n) -\u003e TestResult {\n    roundtrip(private, unsupported, check)?;\n    roundtrip(public, unsupported, check)?;\n\n    let private_key: JsonWebKey = serde_json::from_value(read_jwk(private)?)?;\n    let public_key: JsonWebKey = serde_json::from_value(read_jwk(public)?)?;\n\n    assert!(private_key.is_signing_key());\n    assert!(!public_key.is_signing_key());\n\n    assert!(!private_key.is_symmetric());\n    assert!(!public_key.is_symmetric());\n\n    assert!(private_key.is_asymmetric());\n    assert!(public_key.is_asymmetric());\n\n    let stripped = private_key.clone().strip_secret_material().unwrap();\n    assert_eq!(stripped.key_type(), public_key.key_type());\n\n    let stripped_from_public = public_key.clone().strip_secret_material().unwrap();\n    assert_eq!(stripped_from_public.key_type(), public_key.key_type());\n\n    let into_verifying = private_key.into_verifying_key();\n    assert_eq!(into_verifying.key_type(), public_key.key_type());\n\n    let public_into_verifying = public_key.clone().into_verifying_key();\n    assert_eq!(public_into_verifying.key_type(), public_key.key_type());\n\n    Ok(())\n}\n\nfn assert_thumbprint(jwk: \u0026JsonWebKey, sha256: \u0026str, sha384: \u0026str, sha512: \u0026str) {\n    let print_sha256 = Base64UrlString::encode(jwk.thumbprint_sha256());\n    assert_eq!(\u0026*print_sha256, sha256);\n\n    let print_sha384 = Base64UrlString::encode(jwk.thumbprint_sha384());\n    assert_eq!(\u0026*print_sha384, sha384);\n\n    let print_sha512 = Base64UrlString::encode(jwk.thumbprint_sha512());\n    assert_eq!(\u0026*print_sha512, sha512);\n}\n\npub mod roundtrip {\n    use jose::{jwa, jwk};\n    use pretty_assertions::assert_eq;\n\n    use crate::{assert_thumbprint, common::TestResult, roundtrip, roundtrip_pair};\n\n    #[test]\n    fn _3_1_and_2_ec() -\u003e TestResult {\n        roundtrip_pair(\n            \"3_2.ec_private_key\",\n            \"3_1.ec_public_key\",\n            // RustCrypto and ring do not support P-521 curve\n            cfg!(feature = \"crypto-rustcrypto\") || cfg!(feature = \"crypto-ring\"),\n            |jwk| {\n                assert_eq!(jwk.key_usage(), Some(\u0026jwk::KeyUsage::Signing));\n                assert_thumbprint(\n                    jwk,\n                    \"dHri3SADZkrush5HU_50AoRhcKFryN-PI6jPBtPL55M\",\n                    \"HncTFMje-quVjjwt2ufqfFb75ZwHLDh9M-VY4wJ9awQkfbu194TmVpeGbG6Ykb9b\",\n                    \"i8RIsIb6HVP2AO9o38HtraybJAP5veAfBIgynNUqpxlhuvq2UDgSA3JFgGgle1YvmCQDHllAn7MG52Idb8B4fA\"\n                );\n            },\n        )\n    }\n\n    #[test]\n    fn _3_3_and_4_rsa() -\u003e TestResult {\n        roundtrip_pair(\"3_4.rsa_private_key\", \"3_3.rsa_public_key\", false, |jwk| {\n            assert_thumbprint(\n                jwk,\n                \"9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI\",\n                \"iRBthSmwxk6o9pTGF6a9yLHohmMXSFRvKoN9rgcbOWFgLldwqED1DrOgDtLq5Q4R\",\n                \"FerGBUpYnzT0ptNAC7Y3qNpGINqILXdZ_9-Na3UkPUtDznnAChw7NWluNRjx-lmKDnuO1CpmIZL7e2bzRkQBew\",\n            );\n        })\n    }\n\n    #[test]\n    fn _3_5_symmetric_key_mac() -\u003e TestResult {\n        roundtrip(\"3_5.symmetric_key_mac_computation\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::Hmac::Hs256))\n            );\n\n            assert!(jwk.is_symmetric());\n            assert!(jwk.is_signing_key());\n\n            assert_eq!(jwk.key_type(), jwk.clone().into_verifying_key().key_type());\n\n            assert_thumbprint(\n                jwk,\n                \"RtoRur_1Dir5M4wuOfqNkDYOf9O_4RJ-aHkTA75RLA8\",\n                \"KG7sBEFjGfsIG21uR9cggZfOEIdKSvylcD7ndWgQsnG2k_5Wpw700r__c63SBBwf\",\n                \"EI4XUPoajddrVSS3fgSS6AcPt1uuacMmuYIi9i4A2CgjnWHuUV1qyNks84w03blKdF75HPSTJTJWgqRNEU_ZIg\"\n            );\n        })\n    }\n\n    #[test]\n    fn _3_6_symmetric_key_encryption() -\u003e TestResult {\n        roundtrip(\"3_6.symmetric_key_encryption\", false, |jwk| {\n            // NOTE: We do not support A256GCM as a JWK, because it's a one-time use\n            // session key, and must not be stored or reused\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::Other(\"A256GCM\".to_string()))\n            );\n            assert_eq!(jwk.key_usage(), Some(\u0026jwk::KeyUsage::Encryption));\n\n            assert_thumbprint(\n                jwk,\n                \"VDMp1ZgGGv1OKgOeDc1EUKHXNQzMdLkCnxPETHdA4v0\",\n                \"4YmDfp3zlozmoDxrRxpMBiU6XHA9X82IKNW3bWiitdnudrwmAiKOi4yWWj4fyeYm\",\n                \"FmHGxbagOqt0LS__rv4hIpgnQ9pAB7nDneYNPN9i1gHIbvJJILw-VyyYIP_RTgsOU7K683SdE5aeplCUqz4ZaA\"\n            );\n        })\n    }\n\n    #[test]\n    fn ed25519() -\u003e TestResult {\n        roundtrip_pair(\"ed25519\", \"ed25519.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(\n                    jwa::JsonWebSigningAlgorithm::EdDSA\n                ))\n            );\n\n            assert_thumbprint(\n                jwk,\n                \"IpNACexNZWO9hVeADtTT0Nvturu6OtMV3B4u1OVr1fU\",\n                \"NibgvGWph4nhazrZ1PcyRXYy55bdTotSDi1L4iE8gB0VtxDhh_a-du0fSnGExFwa\",\n                \"uS4j-x1iQUeF2a4a7M3iHZhPQGwyKgXU2Fh_GeNn9_uw_KAj1VTmNVenxTiFdDqcDHoWBemcLjioFY4slFbIZA\",\n            );\n        })\n    }\n\n    #[test]\n    fn rsa_enc_optional_parameters() -\u003e TestResult {\n        roundtrip(\"jwk_optional_parameters_rsa_enc.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::RsaesOaep::RsaesOaep))\n            );\n\n            assert_eq!(jwk.key_usage(), Some(\u0026jwk::KeyUsage::Encryption));\n            assert!(jwk.x509_certificate_sha1_thumbprint().is_some());\n            assert!(jwk.x509_certificate_sha256_thumbprint().is_some());\n\n            assert_thumbprint(\n                jwk,\n                \"ZwmJSHbFy5nl7WenHepIG5N9Rz16NH8SPGeqoZPTTuc\",\n                \"06f-mujFCZ0cUPKCgm0m7EuE0TW2mUmoQ0I519rD73v5JDAWti5QsuOX2PqTYuhV\",\n                \"EaW6WfYvQ5rauUmOYPZi82-ADGjmOb3Jz76jNVHUIQ_vA42s7CFve47jVTyb1n3UQbqLw3DDguD4u0wlFL4sbg\"\n            );\n        })\n    }\n\n    #[test]\n    fn rsa_sign_optional_parameters() -\u003e TestResult {\n        roundtrip(\"jwk_optional_parameters_rsa_sig.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::RsassaPkcs1V1_5::Rs256))\n            );\n\n            assert_eq!(jwk.key_usage(), Some(\u0026jwk::KeyUsage::Signing));\n            assert!(jwk.x509_certificate_sha1_thumbprint().is_some());\n            assert!(jwk.x509_certificate_sha256_thumbprint().is_some());\n\n            assert_thumbprint(\n                jwk,\n                \"bVeakRIe7OjtcR6E5FfkZvFAhEXfhIboYrcZ7OhZ1UY\",\n                \"_jnSoeQaW04m5PzXFnP7w2Zl_WFEop1UEKZ2vGHtQCdfsSqOkLhTbn2vyaDcMbHQ\",\n                \"cHiM1PMNsVve19_e5cfCiJqIMnQhYx0CkcvmiNCdwulCJ5B5ftaAvFYwr7_NQCMTQeXMcTKdbsP2a4mEKojPaQ\"\n            );\n        })\n    }\n\n    #[test]\n    fn rsa_with_key_ops_for_enc() -\u003e TestResult {\n        roundtrip(\"key_ops_rsa_enc.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::RsaesOaep::RsaesOaep))\n            );\n\n            let ops = jwk.key_operations().unwrap();\n\n            assert_eq!(ops.len(), 2);\n            assert!(ops.contains(\u0026jwk::KeyOperation::Encrypt));\n            assert!(ops.contains(\u0026jwk::KeyOperation::Decrypt));\n\n            assert_eq!(jwk.key_usage(), Some(\u0026jwk::KeyUsage::Encryption));\n\n            assert_thumbprint(\n                jwk,\n                \"ZwmJSHbFy5nl7WenHepIG5N9Rz16NH8SPGeqoZPTTuc\",\n                \"06f-mujFCZ0cUPKCgm0m7EuE0TW2mUmoQ0I519rD73v5JDAWti5QsuOX2PqTYuhV\",\n                \"EaW6WfYvQ5rauUmOYPZi82-ADGjmOb3Jz76jNVHUIQ_vA42s7CFve47jVTyb1n3UQbqLw3DDguD4u0wlFL4sbg\"\n            );\n        })\n    }\n\n    #[test]\n    fn p256() -\u003e TestResult {\n        roundtrip_pair(\"p256\", \"p256.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::EcDSA::Es256))\n            );\n\n            assert_thumbprint(\n                jwk,\n                \"6j1ImYAlN6DnVupozzN13UKnLR7BfEvngNmVl5bLlI0\",\n                \"u5W5WvG_wZc2u18HY0hqP48hVOOwytBz3BZzBimJl43SA3A4l-INFnhMNLEWL8a3\",\n                \"8fmi-z_V-FykWlKQAscDYj3I_uonEd2-0ChLqb7BwRJqnQiitQ9widx6Pk9ewMkhFk8NnBr1hCFa51kyrg7Pyw\"\n            );\n        })\n    }\n\n    #[test]\n    fn p384() -\u003e TestResult {\n        roundtrip_pair(\"p384\", \"p384.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::EcDSA::Es384))\n            );\n\n            assert_thumbprint(\n                jwk,\n                \"B_9VooM6jEuy9OvK_plFUDVADfKKnjCUPrqfc5Wtgq4\",\n                \"TXXx3K1KOHjCKWt_bY9cFZfsI9E8NUw8sK1xSOfd0jVgaBMiCP1hFvsxaamAQfK5\",\n                \"AtsWpt8bdnsqT49ovBfv67rhq_PB2eqnhvJ4F-uH-STeCZTVO97hWeEc0zGoOT18XtmHf_2o6ENmwIv9gcXyRQ\"\n            );\n        })\n    }\n\n    #[test]\n    #[cfg_attr(feature = \"crypto-ring\", ignore)]\n    fn secp256k1() -\u003e TestResult {\n        roundtrip_pair(\"k256\", \"k256.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::EcDSA::Es256K))\n            );\n\n            assert_thumbprint(\n                jwk,\n                \"i0H0zy_Zyc4g9gUfIU3ZgSk21eC_a9B-J_keq5eRVq4\",\n                \"NWo1frAmwhk6vYKYK0YCTpJWbgvI-EDV5ZvEFvA_7V4y6VRAG0l4Q_uNkFIiisuL\",\n                \"E1oJ78FUrNMsq66wi7AT8jIU4QUMoV_JnYiCqwy2vgDod7yDHMXLkweJ0Vhd1A1TJysPMFNr4Q8yVvQ4Q1fXKg\"\n            );\n        })\n    }\n\n    #[test]\n    fn rsa() -\u003e TestResult {\n        roundtrip_pair(\"rsa\", \"rsa.pub\", false, |jwk| {\n            assert_thumbprint(\n                jwk,\n                \"nYPs6qc5zj3VOVKr4yY-EzirO-AcdUl0JC5bcXKGE6Y\",\n                \"JhX_riWIrTLs3p7SnueDgpcO27pDgXh1xQOivPzOKsU3CaQgHoLgiKIinmb2CMoE\",\n                \"DQd_FsR8hTwlVrv3WGQP2E1KQejcBbJCFtqWy489xmmPm8LdNT91zYFX-yTghCtq2zutBGYY2mkwIWN-VQWYyQ\"\n            );\n        })\n    }\n\n    #[test]\n    #[cfg_attr(\n        any(\n            feature = \"crypto-ring\",\n            feature = \"crypto-aws-lc\",\n            feature = \"crypto-rustcrypto\"\n        ),\n        ignore\n    )]\n    fn ed448() -\u003e TestResult {\n        roundtrip_pair(\"ed448\", \"ed448.pub\", false, |jwk| {\n            assert_thumbprint(\n                jwk,\n                \"-K8d13H2SA_vuRYSxn05sQN4hAkeWXFt5XainSnkfZc\",\n                \"a_AWZk_w5qSm2XziCOKyHRLU1amUzTlbb1df8Q0JCx3bOaQp0YcLqdHS2Sbyw2PQ\",\n                \"qM1ai1zIZ-NRzbkOKxVkOY6DXVXmDWsSXMCQRRy7oIZEwRzQ0gQK5c-cruMkpyYcBs7ftQcofV_YXWfCdKhSWw\",\n            );\n        })\n    }\n}\n\n// TODO: test to ensure correct length of x, y, d\n\n#[test]\nfn deny_duplicates_key_operations() {\n    let key = r#\"\n{\n    \"key_ops\": [\"encrypt\", \"decrypt\", \"encrypt\"],\n    \"kty\": \"oct\",\n    \"alg\": \"HS256\",\n    \"k\": \"hJtXIZ2uSN5kbQfbtTNWbpdmhkV8FJG-Onbc6mxCcYg\"\n}\n\"#;\n\n    serde_json::from_str::\u003cJsonWebKey\u003e(key).unwrap_err();\n}\n\n#[test]\nfn deny_hmac_key_with_short_key() -\u003e TestResult {\n    let raw_key = r#\"{\"kty\": \"oct\", \"k\": \"QUFBQQ\"}\"#;\n    let key = serde_json::from_str::\u003cjwk::symmetric::OctetSequence\u003e(raw_key)?;\n\n    let hmac = hmac::Key::\u003chmac::Hs256\u003e::from_key(\u0026key, jwa::Hmac::Hs256.into());\n\n    assert!(matches!(\n        hmac.unwrap_err(),\n        jwk::symmetric::FromOctetSequenceError::InvalidLength\n    ));\n\n    Ok(())\n}\n\npub mod generate {\n    use jose::{\n        crypto::{\n            ec::{P256PrivateKey, P384PrivateKey, P521PrivateKey},\n            hmac, okp, rsa,\n        },\n        jwk::Thumbprint as _,\n    };\n\n    use crate::common::TestResult;\n\n    #[test]\n    #[cfg_attr(feature = \"crypto-ring\", ignore)]\n    fn ec_p256() -\u003e TestResult {\n        let p256 = P256PrivateKey::generate()?;\n        let p256_pub = p256.to_public_key();\n        assert_eq!(p256.thumbprint_sha256(), p256_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n\n    #[test]\n    #[cfg_attr(feature = \"crypto-ring\", ignore)]\n    fn ec_p384() -\u003e TestResult {\n        let p384 = P384PrivateKey::generate()?;\n        let p384_pub = p384.to_public_key();\n        assert_eq!(p384.thumbprint_sha256(), p384_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n\n    #[test]\n    #[cfg_attr(any(feature = \"crypto-rustcrypto\", feature = \"crypto-ring\"), ignore)]\n    fn ec_p521() -\u003e TestResult {\n        let p521 = P521PrivateKey::generate()?;\n        let p521_pub = p521.to_public_key();\n        assert_eq!(p521.thumbprint_sha256(), p521_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n\n    #[test]\n    #[cfg_attr(feature = \"crypto-ring\", ignore)]\n    fn rsa() -\u003e TestResult {\n        let rsa = rsa::PrivateKey::generate(4096)?;\n        let rsa_pub = rsa.to_public_key();\n        assert_eq!(rsa.thumbprint_sha256(), rsa_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n\n    #[test]\n    fn hmac() -\u003e TestResult {\n        let _hmac = hmac::Key::\u003chmac::Hs256\u003e::generate()?;\n        Ok(())\n    }\n\n    #[test]\n    #[cfg_attr(feature = \"crypto-ring\", ignore)]\n    fn ed25519() -\u003e TestResult {\n        let ed25519 = okp::PrivateKey::\u003cokp::Ed25519\u003e::generate()?;\n        let ed25519_pub = ed25519.to_public_key();\n        assert_eq!(ed25519.thumbprint_sha256(), ed25519_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n\n    #[test]\n    #[cfg_attr(\n        any(\n            feature = \"crypto-rustcrypto\",\n            feature = \"crypto-ring\",\n            feature = \"crypto-aws-lc\"\n        ),\n        ignore\n    )]\n    fn ed448() -\u003e TestResult {\n        let ed448 = okp::PrivateKey::\u003cokp::Ed448\u003e::generate()?;\n        let ed448_pub = ed448.to_public_key();\n        assert_eq!(ed448.thumbprint_sha256(), ed448_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n}\n\n#[test]\nfn convert_to_public_key() -\u003e TestResult {\n    let private_json = read_jwk(\"p256\")?;\n    let public_json = read_jwk(\"p256.pub\")?;\n\n    let private: JsonWebKey = serde_json::from_value(private_json)?;\n    let public: JsonWebKey = serde_json::from_value(public_json)?;\n\n    let public_converted = private.clone().into_verifying_key();\n    assert_eq!(public.key_type(), public_converted.key_type());\n\n    let public_converted = private.strip_secret_material().unwrap();\n    assert_eq!(public.key_type(), public_converted.key_type());\n\n    Ok(())\n}\n\n#[test]\nfn symmetric_key_can_not_strip_secret() -\u003e TestResult {\n    let key = read_jwk(\"3_5.symmetric_key_mac_computation\")?;\n    let key: JsonWebKey = serde_json::from_value(key)?;\n    assert!(key.strip_secret_material().is_none());\n\n    Ok(())\n}\n\n#[test]\nfn additional_properties() -\u003e TestResult {\n    #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]\n    struct Additional {\n        #[serde(rename = \"additional/one\")]\n        one: String,\n        another_additional: i32,\n    }\n\n    impl Checkable for Additional {\n        fn check\u003cP: jwk::policy::Policy\u003e(\n            self,\n            policy: P,\n        ) -\u003e Result\u003cjwk::policy::Checked\u003cSelf, P\u003e, (Self, P::Error)\u003e {\n            Ok(jwk::policy::Checked::new(self, policy))\n        }\n    }\n\n    let key = read_jwk(\"rsa_with_additional_props.pub\")?;\n    let key: JsonWebKey\u003cAdditional\u003e = serde_json::from_value(key)?;\n\n    assert_eq!(key.additional().one.as_str(), \"my rsa key\");\n    assert_eq!(key.additional().another_additional, 1);\n\n    let untyped = key.clone().into_untyped_additional()?;\n    assert_eq!(\n        untyped\n            .clone()\n            .deserialize_additional::\u003cAdditional\u003e()?\n            .additional(),\n        key.additional()\n    );\n\n    let untyped = untyped.additional();\n\n    assert_eq!(untyped[\"additional/one\"], \"my rsa key\");\n    assert_eq!(untyped[\"another_additional\"], 1);\n\n    let _checked = key.check(jwk::policy::StandardPolicy::new()).unwrap();\n\n    Ok(())\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","tests","jws.rs"],"content":"","traces":[],"covered":0,"coverable":0}]};
+    </script>
+    <script crossorigin>/** @license React v16.13.1
+ * react.production.min.js
+ *
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+'use strict';(function(d,r){"object"===typeof exports&&"undefined"!==typeof module?r(exports):"function"===typeof define&&define.amd?define(["exports"],r):(d=d||self,r(d.React={}))})(this,function(d){function r(a){for(var b="https://reactjs.org/docs/error-decoder.html?invariant="+a,c=1;c<arguments.length;c++)b+="&args[]="+encodeURIComponent(arguments[c]);return"Minified React error #"+a+"; visit "+b+" for the full message or use the non-minified dev environment for full errors and additional helpful warnings."}
+function w(a,b,c){this.props=a;this.context=b;this.refs=ba;this.updater=c||ca}function da(){}function L(a,b,c){this.props=a;this.context=b;this.refs=ba;this.updater=c||ca}function ea(a,b,c){var g,e={},fa=null,d=null;if(null!=b)for(g in void 0!==b.ref&&(d=b.ref),void 0!==b.key&&(fa=""+b.key),b)ha.call(b,g)&&!ia.hasOwnProperty(g)&&(e[g]=b[g]);var h=arguments.length-2;if(1===h)e.children=c;else if(1<h){for(var k=Array(h),f=0;f<h;f++)k[f]=arguments[f+2];e.children=k}if(a&&a.defaultProps)for(g in h=a.defaultProps,
+h)void 0===e[g]&&(e[g]=h[g]);return{$$typeof:x,type:a,key:fa,ref:d,props:e,_owner:M.current}}function va(a,b){return{$$typeof:x,type:a.type,key:b,ref:a.ref,props:a.props,_owner:a._owner}}function N(a){return"object"===typeof a&&null!==a&&a.$$typeof===x}function wa(a){var b={"=":"=0",":":"=2"};return"$"+(""+a).replace(/[=:]/g,function(a){return b[a]})}function ja(a,b,c,g){if(C.length){var e=C.pop();e.result=a;e.keyPrefix=b;e.func=c;e.context=g;e.count=0;return e}return{result:a,keyPrefix:b,func:c,
+context:g,count:0}}function ka(a){a.result=null;a.keyPrefix=null;a.func=null;a.context=null;a.count=0;10>C.length&&C.push(a)}function O(a,b,c,g){var e=typeof a;if("undefined"===e||"boolean"===e)a=null;var d=!1;if(null===a)d=!0;else switch(e){case "string":case "number":d=!0;break;case "object":switch(a.$$typeof){case x:case xa:d=!0}}if(d)return c(g,a,""===b?"."+P(a,0):b),1;d=0;b=""===b?".":b+":";if(Array.isArray(a))for(var f=0;f<a.length;f++){e=a[f];var h=b+P(e,f);d+=O(e,h,c,g)}else if(null===a||
+"object"!==typeof a?h=null:(h=la&&a[la]||a["@@iterator"],h="function"===typeof h?h:null),"function"===typeof h)for(a=h.call(a),f=0;!(e=a.next()).done;)e=e.value,h=b+P(e,f++),d+=O(e,h,c,g);else if("object"===e)throw c=""+a,Error(r(31,"[object Object]"===c?"object with keys {"+Object.keys(a).join(", ")+"}":c,""));return d}function Q(a,b,c){return null==a?0:O(a,"",b,c)}function P(a,b){return"object"===typeof a&&null!==a&&null!=a.key?wa(a.key):b.toString(36)}function ya(a,b,c){a.func.call(a.context,b,
+a.count++)}function za(a,b,c){var g=a.result,e=a.keyPrefix;a=a.func.call(a.context,b,a.count++);Array.isArray(a)?R(a,g,c,function(a){return a}):null!=a&&(N(a)&&(a=va(a,e+(!a.key||b&&b.key===a.key?"":(""+a.key).replace(ma,"$&/")+"/")+c)),g.push(a))}function R(a,b,c,g,e){var d="";null!=c&&(d=(""+c).replace(ma,"$&/")+"/");b=ja(b,d,g,e);Q(a,za,b);ka(b)}function t(){var a=na.current;if(null===a)throw Error(r(321));return a}function S(a,b){var c=a.length;a.push(b);a:for(;;){var g=c-1>>>1,e=a[g];if(void 0!==
+e&&0<D(e,b))a[g]=b,a[c]=e,c=g;else break a}}function n(a){a=a[0];return void 0===a?null:a}function E(a){var b=a[0];if(void 0!==b){var c=a.pop();if(c!==b){a[0]=c;a:for(var g=0,e=a.length;g<e;){var d=2*(g+1)-1,f=a[d],h=d+1,k=a[h];if(void 0!==f&&0>D(f,c))void 0!==k&&0>D(k,f)?(a[g]=k,a[h]=c,g=h):(a[g]=f,a[d]=c,g=d);else if(void 0!==k&&0>D(k,c))a[g]=k,a[h]=c,g=h;else break a}}return b}return null}function D(a,b){var c=a.sortIndex-b.sortIndex;return 0!==c?c:a.id-b.id}function F(a){for(var b=n(u);null!==
+b;){if(null===b.callback)E(u);else if(b.startTime<=a)E(u),b.sortIndex=b.expirationTime,S(p,b);else break;b=n(u)}}function T(a){y=!1;F(a);if(!v)if(null!==n(p))v=!0,z(U);else{var b=n(u);null!==b&&G(T,b.startTime-a)}}function U(a,b){v=!1;y&&(y=!1,V());H=!0;var c=m;try{F(b);for(l=n(p);null!==l&&(!(l.expirationTime>b)||a&&!W());){var g=l.callback;if(null!==g){l.callback=null;m=l.priorityLevel;var e=g(l.expirationTime<=b);b=q();"function"===typeof e?l.callback=e:l===n(p)&&E(p);F(b)}else E(p);l=n(p)}if(null!==
+l)var d=!0;else{var f=n(u);null!==f&&G(T,f.startTime-b);d=!1}return d}finally{l=null,m=c,H=!1}}function oa(a){switch(a){case 1:return-1;case 2:return 250;case 5:return 1073741823;case 4:return 1E4;default:return 5E3}}var f="function"===typeof Symbol&&Symbol.for,x=f?Symbol.for("react.element"):60103,xa=f?Symbol.for("react.portal"):60106,Aa=f?Symbol.for("react.fragment"):60107,Ba=f?Symbol.for("react.strict_mode"):60108,Ca=f?Symbol.for("react.profiler"):60114,Da=f?Symbol.for("react.provider"):60109,
+Ea=f?Symbol.for("react.context"):60110,Fa=f?Symbol.for("react.forward_ref"):60112,Ga=f?Symbol.for("react.suspense"):60113,Ha=f?Symbol.for("react.memo"):60115,Ia=f?Symbol.for("react.lazy"):60116,la="function"===typeof Symbol&&Symbol.iterator,pa=Object.getOwnPropertySymbols,Ja=Object.prototype.hasOwnProperty,Ka=Object.prototype.propertyIsEnumerable,I=function(){try{if(!Object.assign)return!1;var a=new String("abc");a[5]="de";if("5"===Object.getOwnPropertyNames(a)[0])return!1;var b={};for(a=0;10>a;a++)b["_"+
+String.fromCharCode(a)]=a;if("0123456789"!==Object.getOwnPropertyNames(b).map(function(a){return b[a]}).join(""))return!1;var c={};"abcdefghijklmnopqrst".split("").forEach(function(a){c[a]=a});return"abcdefghijklmnopqrst"!==Object.keys(Object.assign({},c)).join("")?!1:!0}catch(g){return!1}}()?Object.assign:function(a,b){if(null===a||void 0===a)throw new TypeError("Object.assign cannot be called with null or undefined");var c=Object(a);for(var g,e=1;e<arguments.length;e++){var d=Object(arguments[e]);
+for(var f in d)Ja.call(d,f)&&(c[f]=d[f]);if(pa){g=pa(d);for(var h=0;h<g.length;h++)Ka.call(d,g[h])&&(c[g[h]]=d[g[h]])}}return c},ca={isMounted:function(a){return!1},enqueueForceUpdate:function(a,b,c){},enqueueReplaceState:function(a,b,c,d){},enqueueSetState:function(a,b,c,d){}},ba={};w.prototype.isReactComponent={};w.prototype.setState=function(a,b){if("object"!==typeof a&&"function"!==typeof a&&null!=a)throw Error(r(85));this.updater.enqueueSetState(this,a,b,"setState")};w.prototype.forceUpdate=
+function(a){this.updater.enqueueForceUpdate(this,a,"forceUpdate")};da.prototype=w.prototype;f=L.prototype=new da;f.constructor=L;I(f,w.prototype);f.isPureReactComponent=!0;var M={current:null},ha=Object.prototype.hasOwnProperty,ia={key:!0,ref:!0,__self:!0,__source:!0},ma=/\/+/g,C=[],na={current:null},X;if("undefined"===typeof window||"function"!==typeof MessageChannel){var A=null,qa=null,ra=function(){if(null!==A)try{var a=q();A(!0,a);A=null}catch(b){throw setTimeout(ra,0),b;}},La=Date.now();var q=
+function(){return Date.now()-La};var z=function(a){null!==A?setTimeout(z,0,a):(A=a,setTimeout(ra,0))};var G=function(a,b){qa=setTimeout(a,b)};var V=function(){clearTimeout(qa)};var W=function(){return!1};f=X=function(){}}else{var Y=window.performance,sa=window.Date,Ma=window.setTimeout,Na=window.clearTimeout;"undefined"!==typeof console&&(f=window.cancelAnimationFrame,"function"!==typeof window.requestAnimationFrame&&console.error("This browser doesn't support requestAnimationFrame. Make sure that you load a polyfill in older browsers. https://fb.me/react-polyfills"),
+"function"!==typeof f&&console.error("This browser doesn't support cancelAnimationFrame. Make sure that you load a polyfill in older browsers. https://fb.me/react-polyfills"));if("object"===typeof Y&&"function"===typeof Y.now)q=function(){return Y.now()};else{var Oa=sa.now();q=function(){return sa.now()-Oa}}var J=!1,K=null,Z=-1,ta=5,ua=0;W=function(){return q()>=ua};f=function(){};X=function(a){0>a||125<a?console.error("forceFrameRate takes a positive int between 0 and 125, forcing framerates higher than 125 fps is not unsupported"):
+ta=0<a?Math.floor(1E3/a):5};var B=new MessageChannel,aa=B.port2;B.port1.onmessage=function(){if(null!==K){var a=q();ua=a+ta;try{K(!0,a)?aa.postMessage(null):(J=!1,K=null)}catch(b){throw aa.postMessage(null),b;}}else J=!1};z=function(a){K=a;J||(J=!0,aa.postMessage(null))};G=function(a,b){Z=Ma(function(){a(q())},b)};V=function(){Na(Z);Z=-1}}var p=[],u=[],Pa=1,l=null,m=3,H=!1,v=!1,y=!1,Qa=0;B={ReactCurrentDispatcher:na,ReactCurrentOwner:M,IsSomeRendererActing:{current:!1},assign:I};I(B,{Scheduler:{__proto__:null,
+unstable_ImmediatePriority:1,unstable_UserBlockingPriority:2,unstable_NormalPriority:3,unstable_IdlePriority:5,unstable_LowPriority:4,unstable_runWithPriority:function(a,b){switch(a){case 1:case 2:case 3:case 4:case 5:break;default:a=3}var c=m;m=a;try{return b()}finally{m=c}},unstable_next:function(a){switch(m){case 1:case 2:case 3:var b=3;break;default:b=m}var c=m;m=b;try{return a()}finally{m=c}},unstable_scheduleCallback:function(a,b,c){var d=q();if("object"===typeof c&&null!==c){var e=c.delay;
+e="number"===typeof e&&0<e?d+e:d;c="number"===typeof c.timeout?c.timeout:oa(a)}else c=oa(a),e=d;c=e+c;a={id:Pa++,callback:b,priorityLevel:a,startTime:e,expirationTime:c,sortIndex:-1};e>d?(a.sortIndex=e,S(u,a),null===n(p)&&a===n(u)&&(y?V():y=!0,G(T,e-d))):(a.sortIndex=c,S(p,a),v||H||(v=!0,z(U)));return a},unstable_cancelCallback:function(a){a.callback=null},unstable_wrapCallback:function(a){var b=m;return function(){var c=m;m=b;try{return a.apply(this,arguments)}finally{m=c}}},unstable_getCurrentPriorityLevel:function(){return m},
+unstable_shouldYield:function(){var a=q();F(a);var b=n(p);return b!==l&&null!==l&&null!==b&&null!==b.callback&&b.startTime<=a&&b.expirationTime<l.expirationTime||W()},unstable_requestPaint:f,unstable_continueExecution:function(){v||H||(v=!0,z(U))},unstable_pauseExecution:function(){},unstable_getFirstCallbackNode:function(){return n(p)},get unstable_now(){return q},get unstable_forceFrameRate(){return X},unstable_Profiling:null},SchedulerTracing:{__proto__:null,__interactionsRef:null,__subscriberRef:null,
+unstable_clear:function(a){return a()},unstable_getCurrent:function(){return null},unstable_getThreadID:function(){return++Qa},unstable_trace:function(a,b,c){return c()},unstable_wrap:function(a){return a},unstable_subscribe:function(a){},unstable_unsubscribe:function(a){}}});d.Children={map:function(a,b,c){if(null==a)return a;var d=[];R(a,d,null,b,c);return d},forEach:function(a,b,c){if(null==a)return a;b=ja(null,null,b,c);Q(a,ya,b);ka(b)},count:function(a){return Q(a,function(){return null},null)},
+toArray:function(a){var b=[];R(a,b,null,function(a){return a});return b},only:function(a){if(!N(a))throw Error(r(143));return a}};d.Component=w;d.Fragment=Aa;d.Profiler=Ca;d.PureComponent=L;d.StrictMode=Ba;d.Suspense=Ga;d.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED=B;d.cloneElement=function(a,b,c){if(null===a||void 0===a)throw Error(r(267,a));var d=I({},a.props),e=a.key,f=a.ref,m=a._owner;if(null!=b){void 0!==b.ref&&(f=b.ref,m=M.current);void 0!==b.key&&(e=""+b.key);if(a.type&&a.type.defaultProps)var h=
+a.type.defaultProps;for(k in b)ha.call(b,k)&&!ia.hasOwnProperty(k)&&(d[k]=void 0===b[k]&&void 0!==h?h[k]:b[k])}var k=arguments.length-2;if(1===k)d.children=c;else if(1<k){h=Array(k);for(var l=0;l<k;l++)h[l]=arguments[l+2];d.children=h}return{$$typeof:x,type:a.type,key:e,ref:f,props:d,_owner:m}};d.createContext=function(a,b){void 0===b&&(b=null);a={$$typeof:Ea,_calculateChangedBits:b,_currentValue:a,_currentValue2:a,_threadCount:0,Provider:null,Consumer:null};a.Provider={$$typeof:Da,_context:a};return a.Consumer=
+a};d.createElement=ea;d.createFactory=function(a){var b=ea.bind(null,a);b.type=a;return b};d.createRef=function(){return{current:null}};d.forwardRef=function(a){return{$$typeof:Fa,render:a}};d.isValidElement=N;d.lazy=function(a){return{$$typeof:Ia,_ctor:a,_status:-1,_result:null}};d.memo=function(a,b){return{$$typeof:Ha,type:a,compare:void 0===b?null:b}};d.useCallback=function(a,b){return t().useCallback(a,b)};d.useContext=function(a,b){return t().useContext(a,b)};d.useDebugValue=function(a,b){};
+d.useEffect=function(a,b){return t().useEffect(a,b)};d.useImperativeHandle=function(a,b,c){return t().useImperativeHandle(a,b,c)};d.useLayoutEffect=function(a,b){return t().useLayoutEffect(a,b)};d.useMemo=function(a,b){return t().useMemo(a,b)};d.useReducer=function(a,b,c){return t().useReducer(a,b,c)};d.useRef=function(a){return t().useRef(a)};d.useState=function(a){return t().useState(a)};d.version="16.13.1"});
+</script>
+    <script crossorigin>/** @license React v16.13.1
+ * react-dom.production.min.js
+ *
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+/*
+ Modernizr 3.0.0pre (Custom Build) | MIT
+*/
+'use strict';(function(I,ea){"object"===typeof exports&&"undefined"!==typeof module?ea(exports,require("react")):"function"===typeof define&&define.amd?define(["exports","react"],ea):(I=I||self,ea(I.ReactDOM={},I.React))})(this,function(I,ea){function k(a){for(var b="https://reactjs.org/docs/error-decoder.html?invariant="+a,c=1;c<arguments.length;c++)b+="&args[]="+encodeURIComponent(arguments[c]);return"Minified React error #"+a+"; visit "+b+" for the full message or use the non-minified dev environment for full errors and additional helpful warnings."}
+function ji(a,b,c,d,e,f,g,h,m){yb=!1;gc=null;ki.apply(li,arguments)}function mi(a,b,c,d,e,f,g,h,m){ji.apply(this,arguments);if(yb){if(yb){var n=gc;yb=!1;gc=null}else throw Error(k(198));hc||(hc=!0,pd=n)}}function lf(a,b,c){var d=a.type||"unknown-event";a.currentTarget=mf(c);mi(d,b,void 0,a);a.currentTarget=null}function nf(){if(ic)for(var a in cb){var b=cb[a],c=ic.indexOf(a);if(!(-1<c))throw Error(k(96,a));if(!jc[c]){if(!b.extractEvents)throw Error(k(97,a));jc[c]=b;c=b.eventTypes;for(var d in c){var e=
+void 0;var f=c[d],g=b,h=d;if(qd.hasOwnProperty(h))throw Error(k(99,h));qd[h]=f;var m=f.phasedRegistrationNames;if(m){for(e in m)m.hasOwnProperty(e)&&of(m[e],g,h);e=!0}else f.registrationName?(of(f.registrationName,g,h),e=!0):e=!1;if(!e)throw Error(k(98,d,a));}}}}function of(a,b,c){if(db[a])throw Error(k(100,a));db[a]=b;rd[a]=b.eventTypes[c].dependencies}function pf(a){var b=!1,c;for(c in a)if(a.hasOwnProperty(c)){var d=a[c];if(!cb.hasOwnProperty(c)||cb[c]!==d){if(cb[c])throw Error(k(102,c));cb[c]=
+d;b=!0}}b&&nf()}function qf(a){if(a=rf(a)){if("function"!==typeof sd)throw Error(k(280));var b=a.stateNode;b&&(b=td(b),sd(a.stateNode,a.type,b))}}function sf(a){eb?fb?fb.push(a):fb=[a]:eb=a}function tf(){if(eb){var a=eb,b=fb;fb=eb=null;qf(a);if(b)for(a=0;a<b.length;a++)qf(b[a])}}function ud(){if(null!==eb||null!==fb)vd(),tf()}function uf(a,b,c){if(wd)return a(b,c);wd=!0;try{return vf(a,b,c)}finally{wd=!1,ud()}}function ni(a){if(wf.call(xf,a))return!0;if(wf.call(yf,a))return!1;if(oi.test(a))return xf[a]=
+!0;yf[a]=!0;return!1}function pi(a,b,c,d){if(null!==c&&0===c.type)return!1;switch(typeof b){case "function":case "symbol":return!0;case "boolean":if(d)return!1;if(null!==c)return!c.acceptsBooleans;a=a.toLowerCase().slice(0,5);return"data-"!==a&&"aria-"!==a;default:return!1}}function qi(a,b,c,d){if(null===b||"undefined"===typeof b||pi(a,b,c,d))return!0;if(d)return!1;if(null!==c)switch(c.type){case 3:return!b;case 4:return!1===b;case 5:return isNaN(b);case 6:return isNaN(b)||1>b}return!1}function L(a,
+b,c,d,e,f){this.acceptsBooleans=2===b||3===b||4===b;this.attributeName=d;this.attributeNamespace=e;this.mustUseProperty=c;this.propertyName=a;this.type=b;this.sanitizeURL=f}function xd(a,b,c,d){var e=E.hasOwnProperty(b)?E[b]:null;var f=null!==e?0===e.type:d?!1:!(2<b.length)||"o"!==b[0]&&"O"!==b[0]||"n"!==b[1]&&"N"!==b[1]?!1:!0;f||(qi(b,c,e,d)&&(c=null),d||null===e?ni(b)&&(null===c?a.removeAttribute(b):a.setAttribute(b,""+c)):e.mustUseProperty?a[e.propertyName]=null===c?3===e.type?!1:"":c:(b=e.attributeName,
+d=e.attributeNamespace,null===c?a.removeAttribute(b):(e=e.type,c=3===e||4===e&&!0===c?"":""+c,d?a.setAttributeNS(d,b,c):a.setAttribute(b,c))))}function zb(a){if(null===a||"object"!==typeof a)return null;a=zf&&a[zf]||a["@@iterator"];return"function"===typeof a?a:null}function ri(a){if(-1===a._status){a._status=0;var b=a._ctor;b=b();a._result=b;b.then(function(b){0===a._status&&(b=b.default,a._status=1,a._result=b)},function(b){0===a._status&&(a._status=2,a._result=b)})}}function na(a){if(null==a)return null;
+if("function"===typeof a)return a.displayName||a.name||null;if("string"===typeof a)return a;switch(a){case Ma:return"Fragment";case gb:return"Portal";case kc:return"Profiler";case Af:return"StrictMode";case lc:return"Suspense";case yd:return"SuspenseList"}if("object"===typeof a)switch(a.$$typeof){case Bf:return"Context.Consumer";case Cf:return"Context.Provider";case zd:var b=a.render;b=b.displayName||b.name||"";return a.displayName||(""!==b?"ForwardRef("+b+")":"ForwardRef");case Ad:return na(a.type);
+case Df:return na(a.render);case Ef:if(a=1===a._status?a._result:null)return na(a)}return null}function Bd(a){var b="";do{a:switch(a.tag){case 3:case 4:case 6:case 7:case 10:case 9:var c="";break a;default:var d=a._debugOwner,e=a._debugSource,f=na(a.type);c=null;d&&(c=na(d.type));d=f;f="";e?f=" (at "+e.fileName.replace(si,"")+":"+e.lineNumber+")":c&&(f=" (created by "+c+")");c="\n    in "+(d||"Unknown")+f}b+=c;a=a.return}while(a);return b}function va(a){switch(typeof a){case "boolean":case "number":case "object":case "string":case "undefined":return a;
+default:return""}}function Ff(a){var b=a.type;return(a=a.nodeName)&&"input"===a.toLowerCase()&&("checkbox"===b||"radio"===b)}function ti(a){var b=Ff(a)?"checked":"value",c=Object.getOwnPropertyDescriptor(a.constructor.prototype,b),d=""+a[b];if(!a.hasOwnProperty(b)&&"undefined"!==typeof c&&"function"===typeof c.get&&"function"===typeof c.set){var e=c.get,f=c.set;Object.defineProperty(a,b,{configurable:!0,get:function(){return e.call(this)},set:function(a){d=""+a;f.call(this,a)}});Object.defineProperty(a,
+b,{enumerable:c.enumerable});return{getValue:function(){return d},setValue:function(a){d=""+a},stopTracking:function(){a._valueTracker=null;delete a[b]}}}}function mc(a){a._valueTracker||(a._valueTracker=ti(a))}function Gf(a){if(!a)return!1;var b=a._valueTracker;if(!b)return!0;var c=b.getValue();var d="";a&&(d=Ff(a)?a.checked?"true":"false":a.value);a=d;return a!==c?(b.setValue(a),!0):!1}function Cd(a,b){var c=b.checked;return M({},b,{defaultChecked:void 0,defaultValue:void 0,value:void 0,checked:null!=
+c?c:a._wrapperState.initialChecked})}function Hf(a,b){var c=null==b.defaultValue?"":b.defaultValue,d=null!=b.checked?b.checked:b.defaultChecked;c=va(null!=b.value?b.value:c);a._wrapperState={initialChecked:d,initialValue:c,controlled:"checkbox"===b.type||"radio"===b.type?null!=b.checked:null!=b.value}}function If(a,b){b=b.checked;null!=b&&xd(a,"checked",b,!1)}function Dd(a,b){If(a,b);var c=va(b.value),d=b.type;if(null!=c)if("number"===d){if(0===c&&""===a.value||a.value!=c)a.value=""+c}else a.value!==
+""+c&&(a.value=""+c);else if("submit"===d||"reset"===d){a.removeAttribute("value");return}b.hasOwnProperty("value")?Ed(a,b.type,c):b.hasOwnProperty("defaultValue")&&Ed(a,b.type,va(b.defaultValue));null==b.checked&&null!=b.defaultChecked&&(a.defaultChecked=!!b.defaultChecked)}function Jf(a,b,c){if(b.hasOwnProperty("value")||b.hasOwnProperty("defaultValue")){var d=b.type;if(!("submit"!==d&&"reset"!==d||void 0!==b.value&&null!==b.value))return;b=""+a._wrapperState.initialValue;c||b===a.value||(a.value=
+b);a.defaultValue=b}c=a.name;""!==c&&(a.name="");a.defaultChecked=!!a._wrapperState.initialChecked;""!==c&&(a.name=c)}function Ed(a,b,c){if("number"!==b||a.ownerDocument.activeElement!==a)null==c?a.defaultValue=""+a._wrapperState.initialValue:a.defaultValue!==""+c&&(a.defaultValue=""+c)}function ui(a){var b="";ea.Children.forEach(a,function(a){null!=a&&(b+=a)});return b}function Fd(a,b){a=M({children:void 0},b);if(b=ui(b.children))a.children=b;return a}function hb(a,b,c,d){a=a.options;if(b){b={};
+for(var e=0;e<c.length;e++)b["$"+c[e]]=!0;for(c=0;c<a.length;c++)e=b.hasOwnProperty("$"+a[c].value),a[c].selected!==e&&(a[c].selected=e),e&&d&&(a[c].defaultSelected=!0)}else{c=""+va(c);b=null;for(e=0;e<a.length;e++){if(a[e].value===c){a[e].selected=!0;d&&(a[e].defaultSelected=!0);return}null!==b||a[e].disabled||(b=a[e])}null!==b&&(b.selected=!0)}}function Gd(a,b){if(null!=b.dangerouslySetInnerHTML)throw Error(k(91));return M({},b,{value:void 0,defaultValue:void 0,children:""+a._wrapperState.initialValue})}
+function Kf(a,b){var c=b.value;if(null==c){c=b.children;b=b.defaultValue;if(null!=c){if(null!=b)throw Error(k(92));if(Array.isArray(c)){if(!(1>=c.length))throw Error(k(93));c=c[0]}b=c}null==b&&(b="");c=b}a._wrapperState={initialValue:va(c)}}function Lf(a,b){var c=va(b.value),d=va(b.defaultValue);null!=c&&(c=""+c,c!==a.value&&(a.value=c),null==b.defaultValue&&a.defaultValue!==c&&(a.defaultValue=c));null!=d&&(a.defaultValue=""+d)}function Mf(a,b){b=a.textContent;b===a._wrapperState.initialValue&&""!==
+b&&null!==b&&(a.value=b)}function Nf(a){switch(a){case "svg":return"http://www.w3.org/2000/svg";case "math":return"http://www.w3.org/1998/Math/MathML";default:return"http://www.w3.org/1999/xhtml"}}function Hd(a,b){return null==a||"http://www.w3.org/1999/xhtml"===a?Nf(b):"http://www.w3.org/2000/svg"===a&&"foreignObject"===b?"http://www.w3.org/1999/xhtml":a}function nc(a,b){var c={};c[a.toLowerCase()]=b.toLowerCase();c["Webkit"+a]="webkit"+b;c["Moz"+a]="moz"+b;return c}function oc(a){if(Id[a])return Id[a];
+if(!ib[a])return a;var b=ib[a],c;for(c in b)if(b.hasOwnProperty(c)&&c in Of)return Id[a]=b[c];return a}function Jd(a){var b=Pf.get(a);void 0===b&&(b=new Map,Pf.set(a,b));return b}function Na(a){var b=a,c=a;if(a.alternate)for(;b.return;)b=b.return;else{a=b;do b=a,0!==(b.effectTag&1026)&&(c=b.return),a=b.return;while(a)}return 3===b.tag?c:null}function Qf(a){if(13===a.tag){var b=a.memoizedState;null===b&&(a=a.alternate,null!==a&&(b=a.memoizedState));if(null!==b)return b.dehydrated}return null}function Rf(a){if(Na(a)!==
+a)throw Error(k(188));}function vi(a){var b=a.alternate;if(!b){b=Na(a);if(null===b)throw Error(k(188));return b!==a?null:a}for(var c=a,d=b;;){var e=c.return;if(null===e)break;var f=e.alternate;if(null===f){d=e.return;if(null!==d){c=d;continue}break}if(e.child===f.child){for(f=e.child;f;){if(f===c)return Rf(e),a;if(f===d)return Rf(e),b;f=f.sibling}throw Error(k(188));}if(c.return!==d.return)c=e,d=f;else{for(var g=!1,h=e.child;h;){if(h===c){g=!0;c=e;d=f;break}if(h===d){g=!0;d=e;c=f;break}h=h.sibling}if(!g){for(h=
+f.child;h;){if(h===c){g=!0;c=f;d=e;break}if(h===d){g=!0;d=f;c=e;break}h=h.sibling}if(!g)throw Error(k(189));}}if(c.alternate!==d)throw Error(k(190));}if(3!==c.tag)throw Error(k(188));return c.stateNode.current===c?a:b}function Sf(a){a=vi(a);if(!a)return null;for(var b=a;;){if(5===b.tag||6===b.tag)return b;if(b.child)b.child.return=b,b=b.child;else{if(b===a)break;for(;!b.sibling;){if(!b.return||b.return===a)return null;b=b.return}b.sibling.return=b.return;b=b.sibling}}return null}function jb(a,b){if(null==
+b)throw Error(k(30));if(null==a)return b;if(Array.isArray(a)){if(Array.isArray(b))return a.push.apply(a,b),a;a.push(b);return a}return Array.isArray(b)?[a].concat(b):[a,b]}function Kd(a,b,c){Array.isArray(a)?a.forEach(b,c):a&&b.call(c,a)}function pc(a){null!==a&&(Ab=jb(Ab,a));a=Ab;Ab=null;if(a){Kd(a,wi);if(Ab)throw Error(k(95));if(hc)throw a=pd,hc=!1,pd=null,a;}}function Ld(a){a=a.target||a.srcElement||window;a.correspondingUseElement&&(a=a.correspondingUseElement);return 3===a.nodeType?a.parentNode:
+a}function Tf(a){if(!wa)return!1;a="on"+a;var b=a in document;b||(b=document.createElement("div"),b.setAttribute(a,"return;"),b="function"===typeof b[a]);return b}function Uf(a){a.topLevelType=null;a.nativeEvent=null;a.targetInst=null;a.ancestors.length=0;10>qc.length&&qc.push(a)}function Vf(a,b,c,d){if(qc.length){var e=qc.pop();e.topLevelType=a;e.eventSystemFlags=d;e.nativeEvent=b;e.targetInst=c;return e}return{topLevelType:a,eventSystemFlags:d,nativeEvent:b,targetInst:c,ancestors:[]}}function Wf(a){var b=
+a.targetInst,c=b;do{if(!c){a.ancestors.push(c);break}var d=c;if(3===d.tag)d=d.stateNode.containerInfo;else{for(;d.return;)d=d.return;d=3!==d.tag?null:d.stateNode.containerInfo}if(!d)break;b=c.tag;5!==b&&6!==b||a.ancestors.push(c);c=Bb(d)}while(c);for(c=0;c<a.ancestors.length;c++){b=a.ancestors[c];var e=Ld(a.nativeEvent);d=a.topLevelType;var f=a.nativeEvent,g=a.eventSystemFlags;0===c&&(g|=64);for(var h=null,m=0;m<jc.length;m++){var n=jc[m];n&&(n=n.extractEvents(d,b,f,e,g))&&(h=jb(h,n))}pc(h)}}function Md(a,
+b,c){if(!c.has(a)){switch(a){case "scroll":Cb(b,"scroll",!0);break;case "focus":case "blur":Cb(b,"focus",!0);Cb(b,"blur",!0);c.set("blur",null);c.set("focus",null);break;case "cancel":case "close":Tf(a)&&Cb(b,a,!0);break;case "invalid":case "submit":case "reset":break;default:-1===Db.indexOf(a)&&w(a,b)}c.set(a,null)}}function xi(a,b){var c=Jd(b);Nd.forEach(function(a){Md(a,b,c)});yi.forEach(function(a){Md(a,b,c)})}function Od(a,b,c,d,e){return{blockedOn:a,topLevelType:b,eventSystemFlags:c|32,nativeEvent:e,
+container:d}}function Xf(a,b){switch(a){case "focus":case "blur":xa=null;break;case "dragenter":case "dragleave":ya=null;break;case "mouseover":case "mouseout":za=null;break;case "pointerover":case "pointerout":Eb.delete(b.pointerId);break;case "gotpointercapture":case "lostpointercapture":Fb.delete(b.pointerId)}}function Gb(a,b,c,d,e,f){if(null===a||a.nativeEvent!==f)return a=Od(b,c,d,e,f),null!==b&&(b=Hb(b),null!==b&&Yf(b)),a;a.eventSystemFlags|=d;return a}function zi(a,b,c,d,e){switch(b){case "focus":return xa=
+Gb(xa,a,b,c,d,e),!0;case "dragenter":return ya=Gb(ya,a,b,c,d,e),!0;case "mouseover":return za=Gb(za,a,b,c,d,e),!0;case "pointerover":var f=e.pointerId;Eb.set(f,Gb(Eb.get(f)||null,a,b,c,d,e));return!0;case "gotpointercapture":return f=e.pointerId,Fb.set(f,Gb(Fb.get(f)||null,a,b,c,d,e)),!0}return!1}function Ai(a){var b=Bb(a.target);if(null!==b){var c=Na(b);if(null!==c)if(b=c.tag,13===b){if(b=Qf(c),null!==b){a.blockedOn=b;Pd(a.priority,function(){Bi(c)});return}}else if(3===b&&c.stateNode.hydrate){a.blockedOn=
+3===c.tag?c.stateNode.containerInfo:null;return}}a.blockedOn=null}function rc(a){if(null!==a.blockedOn)return!1;var b=Qd(a.topLevelType,a.eventSystemFlags,a.container,a.nativeEvent);if(null!==b){var c=Hb(b);null!==c&&Yf(c);a.blockedOn=b;return!1}return!0}function Zf(a,b,c){rc(a)&&c.delete(b)}function Ci(){for(Rd=!1;0<fa.length;){var a=fa[0];if(null!==a.blockedOn){a=Hb(a.blockedOn);null!==a&&Di(a);break}var b=Qd(a.topLevelType,a.eventSystemFlags,a.container,a.nativeEvent);null!==b?a.blockedOn=b:fa.shift()}null!==
+xa&&rc(xa)&&(xa=null);null!==ya&&rc(ya)&&(ya=null);null!==za&&rc(za)&&(za=null);Eb.forEach(Zf);Fb.forEach(Zf)}function Ib(a,b){a.blockedOn===b&&(a.blockedOn=null,Rd||(Rd=!0,$f(ag,Ci)))}function bg(a){if(0<fa.length){Ib(fa[0],a);for(var b=1;b<fa.length;b++){var c=fa[b];c.blockedOn===a&&(c.blockedOn=null)}}null!==xa&&Ib(xa,a);null!==ya&&Ib(ya,a);null!==za&&Ib(za,a);b=function(b){return Ib(b,a)};Eb.forEach(b);Fb.forEach(b);for(b=0;b<Jb.length;b++)c=Jb[b],c.blockedOn===a&&(c.blockedOn=null);for(;0<Jb.length&&
+(b=Jb[0],null===b.blockedOn);)Ai(b),null===b.blockedOn&&Jb.shift()}function Sd(a,b){for(var c=0;c<a.length;c+=2){var d=a[c],e=a[c+1],f="on"+(e[0].toUpperCase()+e.slice(1));f={phasedRegistrationNames:{bubbled:f,captured:f+"Capture"},dependencies:[d],eventPriority:b};Td.set(d,b);cg.set(d,f);dg[e]=f}}function w(a,b){Cb(b,a,!1)}function Cb(a,b,c){var d=Td.get(b);switch(void 0===d?2:d){case 0:d=Ei.bind(null,b,1,a);break;case 1:d=Fi.bind(null,b,1,a);break;default:d=sc.bind(null,b,1,a)}c?a.addEventListener(b,
+d,!0):a.addEventListener(b,d,!1)}function Ei(a,b,c,d){Oa||vd();var e=sc,f=Oa;Oa=!0;try{eg(e,a,b,c,d)}finally{(Oa=f)||ud()}}function Fi(a,b,c,d){Gi(Hi,sc.bind(null,a,b,c,d))}function sc(a,b,c,d){if(tc)if(0<fa.length&&-1<Nd.indexOf(a))a=Od(null,a,b,c,d),fa.push(a);else{var e=Qd(a,b,c,d);if(null===e)Xf(a,d);else if(-1<Nd.indexOf(a))a=Od(e,a,b,c,d),fa.push(a);else if(!zi(e,a,b,c,d)){Xf(a,d);a=Vf(a,d,null,b);try{uf(Wf,a)}finally{Uf(a)}}}}function Qd(a,b,c,d){c=Ld(d);c=Bb(c);if(null!==c){var e=Na(c);if(null===
+e)c=null;else{var f=e.tag;if(13===f){c=Qf(e);if(null!==c)return c;c=null}else if(3===f){if(e.stateNode.hydrate)return 3===e.tag?e.stateNode.containerInfo:null;c=null}else e!==c&&(c=null)}}a=Vf(a,d,c,b);try{uf(Wf,a)}finally{Uf(a)}return null}function fg(a,b,c){return null==b||"boolean"===typeof b||""===b?"":c||"number"!==typeof b||0===b||Kb.hasOwnProperty(a)&&Kb[a]?(""+b).trim():b+"px"}function gg(a,b){a=a.style;for(var c in b)if(b.hasOwnProperty(c)){var d=0===c.indexOf("--"),e=fg(c,b[c],d);"float"===
+c&&(c="cssFloat");d?a.setProperty(c,e):a[c]=e}}function Ud(a,b){if(b){if(Ii[a]&&(null!=b.children||null!=b.dangerouslySetInnerHTML))throw Error(k(137,a,""));if(null!=b.dangerouslySetInnerHTML){if(null!=b.children)throw Error(k(60));if(!("object"===typeof b.dangerouslySetInnerHTML&&"__html"in b.dangerouslySetInnerHTML))throw Error(k(61));}if(null!=b.style&&"object"!==typeof b.style)throw Error(k(62,""));}}function Vd(a,b){if(-1===a.indexOf("-"))return"string"===typeof b.is;switch(a){case "annotation-xml":case "color-profile":case "font-face":case "font-face-src":case "font-face-uri":case "font-face-format":case "font-face-name":case "missing-glyph":return!1;
+default:return!0}}function oa(a,b){a=9===a.nodeType||11===a.nodeType?a:a.ownerDocument;var c=Jd(a);b=rd[b];for(var d=0;d<b.length;d++)Md(b[d],a,c)}function uc(){}function Wd(a){a=a||("undefined"!==typeof document?document:void 0);if("undefined"===typeof a)return null;try{return a.activeElement||a.body}catch(b){return a.body}}function hg(a){for(;a&&a.firstChild;)a=a.firstChild;return a}function ig(a,b){var c=hg(a);a=0;for(var d;c;){if(3===c.nodeType){d=a+c.textContent.length;if(a<=b&&d>=b)return{node:c,
+offset:b-a};a=d}a:{for(;c;){if(c.nextSibling){c=c.nextSibling;break a}c=c.parentNode}c=void 0}c=hg(c)}}function jg(a,b){return a&&b?a===b?!0:a&&3===a.nodeType?!1:b&&3===b.nodeType?jg(a,b.parentNode):"contains"in a?a.contains(b):a.compareDocumentPosition?!!(a.compareDocumentPosition(b)&16):!1:!1}function kg(){for(var a=window,b=Wd();b instanceof a.HTMLIFrameElement;){try{var c="string"===typeof b.contentWindow.location.href}catch(d){c=!1}if(c)a=b.contentWindow;else break;b=Wd(a.document)}return b}
+function Xd(a){var b=a&&a.nodeName&&a.nodeName.toLowerCase();return b&&("input"===b&&("text"===a.type||"search"===a.type||"tel"===a.type||"url"===a.type||"password"===a.type)||"textarea"===b||"true"===a.contentEditable)}function lg(a,b){switch(a){case "button":case "input":case "select":case "textarea":return!!b.autoFocus}return!1}function Yd(a,b){return"textarea"===a||"option"===a||"noscript"===a||"string"===typeof b.children||"number"===typeof b.children||"object"===typeof b.dangerouslySetInnerHTML&&
+null!==b.dangerouslySetInnerHTML&&null!=b.dangerouslySetInnerHTML.__html}function kb(a){for(;null!=a;a=a.nextSibling){var b=a.nodeType;if(1===b||3===b)break}return a}function mg(a){a=a.previousSibling;for(var b=0;a;){if(8===a.nodeType){var c=a.data;if(c===ng||c===Zd||c===$d){if(0===b)return a;b--}else c===og&&b++}a=a.previousSibling}return null}function Bb(a){var b=a[Aa];if(b)return b;for(var c=a.parentNode;c;){if(b=c[Lb]||c[Aa]){c=b.alternate;if(null!==b.child||null!==c&&null!==c.child)for(a=mg(a);null!==
+a;){if(c=a[Aa])return c;a=mg(a)}return b}a=c;c=a.parentNode}return null}function Hb(a){a=a[Aa]||a[Lb];return!a||5!==a.tag&&6!==a.tag&&13!==a.tag&&3!==a.tag?null:a}function Pa(a){if(5===a.tag||6===a.tag)return a.stateNode;throw Error(k(33));}function ae(a){return a[vc]||null}function pa(a){do a=a.return;while(a&&5!==a.tag);return a?a:null}function pg(a,b){var c=a.stateNode;if(!c)return null;var d=td(c);if(!d)return null;c=d[b];a:switch(b){case "onClick":case "onClickCapture":case "onDoubleClick":case "onDoubleClickCapture":case "onMouseDown":case "onMouseDownCapture":case "onMouseMove":case "onMouseMoveCapture":case "onMouseUp":case "onMouseUpCapture":case "onMouseEnter":(d=
+!d.disabled)||(a=a.type,d=!("button"===a||"input"===a||"select"===a||"textarea"===a));a=!d;break a;default:a=!1}if(a)return null;if(c&&"function"!==typeof c)throw Error(k(231,b,typeof c));return c}function qg(a,b,c){if(b=pg(a,c.dispatchConfig.phasedRegistrationNames[b]))c._dispatchListeners=jb(c._dispatchListeners,b),c._dispatchInstances=jb(c._dispatchInstances,a)}function Ji(a){if(a&&a.dispatchConfig.phasedRegistrationNames){for(var b=a._targetInst,c=[];b;)c.push(b),b=pa(b);for(b=c.length;0<b--;)qg(c[b],
+"captured",a);for(b=0;b<c.length;b++)qg(c[b],"bubbled",a)}}function be(a,b,c){a&&c&&c.dispatchConfig.registrationName&&(b=pg(a,c.dispatchConfig.registrationName))&&(c._dispatchListeners=jb(c._dispatchListeners,b),c._dispatchInstances=jb(c._dispatchInstances,a))}function Ki(a){a&&a.dispatchConfig.registrationName&&be(a._targetInst,null,a)}function lb(a){Kd(a,Ji)}function rg(){if(wc)return wc;var a,b=ce,c=b.length,d,e="value"in Ba?Ba.value:Ba.textContent,f=e.length;for(a=0;a<c&&b[a]===e[a];a++);var g=
+c-a;for(d=1;d<=g&&b[c-d]===e[f-d];d++);return wc=e.slice(a,1<d?1-d:void 0)}function xc(){return!0}function yc(){return!1}function R(a,b,c,d){this.dispatchConfig=a;this._targetInst=b;this.nativeEvent=c;a=this.constructor.Interface;for(var e in a)a.hasOwnProperty(e)&&((b=a[e])?this[e]=b(c):"target"===e?this.target=d:this[e]=c[e]);this.isDefaultPrevented=(null!=c.defaultPrevented?c.defaultPrevented:!1===c.returnValue)?xc:yc;this.isPropagationStopped=yc;return this}function Li(a,b,c,d){if(this.eventPool.length){var e=
+this.eventPool.pop();this.call(e,a,b,c,d);return e}return new this(a,b,c,d)}function Mi(a){if(!(a instanceof this))throw Error(k(279));a.destructor();10>this.eventPool.length&&this.eventPool.push(a)}function sg(a){a.eventPool=[];a.getPooled=Li;a.release=Mi}function tg(a,b){switch(a){case "keyup":return-1!==Ni.indexOf(b.keyCode);case "keydown":return 229!==b.keyCode;case "keypress":case "mousedown":case "blur":return!0;default:return!1}}function ug(a){a=a.detail;return"object"===typeof a&&"data"in
+a?a.data:null}function Oi(a,b){switch(a){case "compositionend":return ug(b);case "keypress":if(32!==b.which)return null;vg=!0;return wg;case "textInput":return a=b.data,a===wg&&vg?null:a;default:return null}}function Pi(a,b){if(mb)return"compositionend"===a||!de&&tg(a,b)?(a=rg(),wc=ce=Ba=null,mb=!1,a):null;switch(a){case "paste":return null;case "keypress":if(!(b.ctrlKey||b.altKey||b.metaKey)||b.ctrlKey&&b.altKey){if(b.char&&1<b.char.length)return b.char;if(b.which)return String.fromCharCode(b.which)}return null;
+case "compositionend":return xg&&"ko"!==b.locale?null:b.data;default:return null}}function yg(a){var b=a&&a.nodeName&&a.nodeName.toLowerCase();return"input"===b?!!Qi[a.type]:"textarea"===b?!0:!1}function zg(a,b,c){a=R.getPooled(Ag.change,a,b,c);a.type="change";sf(c);lb(a);return a}function Ri(a){pc(a)}function zc(a){var b=Pa(a);if(Gf(b))return a}function Si(a,b){if("change"===a)return b}function Bg(){Mb&&(Mb.detachEvent("onpropertychange",Cg),Nb=Mb=null)}function Cg(a){if("value"===a.propertyName&&
+zc(Nb))if(a=zg(Nb,a,Ld(a)),Oa)pc(a);else{Oa=!0;try{ee(Ri,a)}finally{Oa=!1,ud()}}}function Ti(a,b,c){"focus"===a?(Bg(),Mb=b,Nb=c,Mb.attachEvent("onpropertychange",Cg)):"blur"===a&&Bg()}function Ui(a,b){if("selectionchange"===a||"keyup"===a||"keydown"===a)return zc(Nb)}function Vi(a,b){if("click"===a)return zc(b)}function Wi(a,b){if("input"===a||"change"===a)return zc(b)}function Xi(a){var b=this.nativeEvent;return b.getModifierState?b.getModifierState(a):(a=Yi[a])?!!b[a]:!1}function fe(a){return Xi}
+function Zi(a,b){return a===b&&(0!==a||1/a===1/b)||a!==a&&b!==b}function Ob(a,b){if(Qa(a,b))return!0;if("object"!==typeof a||null===a||"object"!==typeof b||null===b)return!1;var c=Object.keys(a),d=Object.keys(b);if(c.length!==d.length)return!1;for(d=0;d<c.length;d++)if(!$i.call(b,c[d])||!Qa(a[c[d]],b[c[d]]))return!1;return!0}function Dg(a,b){var c=b.window===b?b.document:9===b.nodeType?b:b.ownerDocument;if(ge||null==nb||nb!==Wd(c))return null;c=nb;"selectionStart"in c&&Xd(c)?c={start:c.selectionStart,
+end:c.selectionEnd}:(c=(c.ownerDocument&&c.ownerDocument.defaultView||window).getSelection(),c={anchorNode:c.anchorNode,anchorOffset:c.anchorOffset,focusNode:c.focusNode,focusOffset:c.focusOffset});return Pb&&Ob(Pb,c)?null:(Pb=c,a=R.getPooled(Eg.select,he,a,b),a.type="select",a.target=nb,lb(a),a)}function Ac(a){var b=a.keyCode;"charCode"in a?(a=a.charCode,0===a&&13===b&&(a=13)):a=b;10===a&&(a=13);return 32<=a||13===a?a:0}function q(a,b){0>ob||(a.current=ie[ob],ie[ob]=null,ob--)}function y(a,b,c){ob++;
+ie[ob]=a.current;a.current=b}function pb(a,b){var c=a.type.contextTypes;if(!c)return Ca;var d=a.stateNode;if(d&&d.__reactInternalMemoizedUnmaskedChildContext===b)return d.__reactInternalMemoizedMaskedChildContext;var e={},f;for(f in c)e[f]=b[f];d&&(a=a.stateNode,a.__reactInternalMemoizedUnmaskedChildContext=b,a.__reactInternalMemoizedMaskedChildContext=e);return e}function N(a){a=a.childContextTypes;return null!==a&&void 0!==a}function Fg(a,b,c){if(B.current!==Ca)throw Error(k(168));y(B,b);y(G,c)}
+function Gg(a,b,c){var d=a.stateNode;a=b.childContextTypes;if("function"!==typeof d.getChildContext)return c;d=d.getChildContext();for(var e in d)if(!(e in a))throw Error(k(108,na(b)||"Unknown",e));return M({},c,{},d)}function Bc(a){a=(a=a.stateNode)&&a.__reactInternalMemoizedMergedChildContext||Ca;Ra=B.current;y(B,a);y(G,G.current);return!0}function Hg(a,b,c){var d=a.stateNode;if(!d)throw Error(k(169));c?(a=Gg(a,b,Ra),d.__reactInternalMemoizedMergedChildContext=a,q(G),q(B),y(B,a)):q(G);y(G,c)}function Cc(){switch(aj()){case Dc:return 99;
+case Ig:return 98;case Jg:return 97;case Kg:return 96;case Lg:return 95;default:throw Error(k(332));}}function Mg(a){switch(a){case 99:return Dc;case 98:return Ig;case 97:return Jg;case 96:return Kg;case 95:return Lg;default:throw Error(k(332));}}function Da(a,b){a=Mg(a);return bj(a,b)}function Ng(a,b,c){a=Mg(a);return je(a,b,c)}function Og(a){null===qa?(qa=[a],Ec=je(Dc,Pg)):qa.push(a);return Qg}function ha(){if(null!==Ec){var a=Ec;Ec=null;Rg(a)}Pg()}function Pg(){if(!ke&&null!==qa){ke=!0;var a=0;
+try{var b=qa;Da(99,function(){for(;a<b.length;a++){var c=b[a];do c=c(!0);while(null!==c)}});qa=null}catch(c){throw null!==qa&&(qa=qa.slice(a+1)),je(Dc,ha),c;}finally{ke=!1}}}function Fc(a,b,c){c/=10;return 1073741821-(((1073741821-a+b/10)/c|0)+1)*c}function aa(a,b){if(a&&a.defaultProps){b=M({},b);a=a.defaultProps;for(var c in a)void 0===b[c]&&(b[c]=a[c])}return b}function le(){Gc=qb=Hc=null}function me(a){var b=Ic.current;q(Ic);a.type._context._currentValue=b}function Sg(a,b){for(;null!==a;){var c=
+a.alternate;if(a.childExpirationTime<b)a.childExpirationTime=b,null!==c&&c.childExpirationTime<b&&(c.childExpirationTime=b);else if(null!==c&&c.childExpirationTime<b)c.childExpirationTime=b;else break;a=a.return}}function rb(a,b){Hc=a;Gc=qb=null;a=a.dependencies;null!==a&&null!==a.firstContext&&(a.expirationTime>=b&&(ia=!0),a.firstContext=null)}function W(a,b){if(Gc!==a&&!1!==b&&0!==b){if("number"!==typeof b||1073741823===b)Gc=a,b=1073741823;b={context:a,observedBits:b,next:null};if(null===qb){if(null===
+Hc)throw Error(k(308));qb=b;Hc.dependencies={expirationTime:0,firstContext:b,responders:null}}else qb=qb.next=b}return a._currentValue}function ne(a){a.updateQueue={baseState:a.memoizedState,baseQueue:null,shared:{pending:null},effects:null}}function oe(a,b){a=a.updateQueue;b.updateQueue===a&&(b.updateQueue={baseState:a.baseState,baseQueue:a.baseQueue,shared:a.shared,effects:a.effects})}function Ea(a,b){a={expirationTime:a,suspenseConfig:b,tag:Tg,payload:null,callback:null,next:null};return a.next=
+a}function Fa(a,b){a=a.updateQueue;if(null!==a){a=a.shared;var c=a.pending;null===c?b.next=b:(b.next=c.next,c.next=b);a.pending=b}}function Ug(a,b){var c=a.alternate;null!==c&&oe(c,a);a=a.updateQueue;c=a.baseQueue;null===c?(a.baseQueue=b.next=b,b.next=b):(b.next=c.next,c.next=b)}function Qb(a,b,c,d){var e=a.updateQueue;Ga=!1;var f=e.baseQueue,g=e.shared.pending;if(null!==g){if(null!==f){var h=f.next;f.next=g.next;g.next=h}f=g;e.shared.pending=null;h=a.alternate;null!==h&&(h=h.updateQueue,null!==h&&
+(h.baseQueue=g))}if(null!==f){h=f.next;var m=e.baseState,n=0,k=null,ba=null,l=null;if(null!==h){var p=h;do{g=p.expirationTime;if(g<d){var t={expirationTime:p.expirationTime,suspenseConfig:p.suspenseConfig,tag:p.tag,payload:p.payload,callback:p.callback,next:null};null===l?(ba=l=t,k=m):l=l.next=t;g>n&&(n=g)}else{null!==l&&(l=l.next={expirationTime:1073741823,suspenseConfig:p.suspenseConfig,tag:p.tag,payload:p.payload,callback:p.callback,next:null});Vg(g,p.suspenseConfig);a:{var q=a,r=p;g=b;t=c;switch(r.tag){case 1:q=
+r.payload;if("function"===typeof q){m=q.call(t,m,g);break a}m=q;break a;case 3:q.effectTag=q.effectTag&-4097|64;case Tg:q=r.payload;g="function"===typeof q?q.call(t,m,g):q;if(null===g||void 0===g)break a;m=M({},m,g);break a;case Jc:Ga=!0}}null!==p.callback&&(a.effectTag|=32,g=e.effects,null===g?e.effects=[p]:g.push(p))}p=p.next;if(null===p||p===h)if(g=e.shared.pending,null===g)break;else p=f.next=g.next,g.next=h,e.baseQueue=f=g,e.shared.pending=null}while(1)}null===l?k=m:l.next=ba;e.baseState=k;e.baseQueue=
+l;Kc(n);a.expirationTime=n;a.memoizedState=m}}function Wg(a,b,c){a=b.effects;b.effects=null;if(null!==a)for(b=0;b<a.length;b++){var d=a[b],e=d.callback;if(null!==e){d.callback=null;d=e;e=c;if("function"!==typeof d)throw Error(k(191,d));d.call(e)}}}function Lc(a,b,c,d){b=a.memoizedState;c=c(d,b);c=null===c||void 0===c?b:M({},b,c);a.memoizedState=c;0===a.expirationTime&&(a.updateQueue.baseState=c)}function Xg(a,b,c,d,e,f,g){a=a.stateNode;return"function"===typeof a.shouldComponentUpdate?a.shouldComponentUpdate(d,
+f,g):b.prototype&&b.prototype.isPureReactComponent?!Ob(c,d)||!Ob(e,f):!0}function Yg(a,b,c){var d=!1,e=Ca;var f=b.contextType;"object"===typeof f&&null!==f?f=W(f):(e=N(b)?Ra:B.current,d=b.contextTypes,f=(d=null!==d&&void 0!==d)?pb(a,e):Ca);b=new b(c,f);a.memoizedState=null!==b.state&&void 0!==b.state?b.state:null;b.updater=Mc;a.stateNode=b;b._reactInternalFiber=a;d&&(a=a.stateNode,a.__reactInternalMemoizedUnmaskedChildContext=e,a.__reactInternalMemoizedMaskedChildContext=f);return b}function Zg(a,
+b,c,d){a=b.state;"function"===typeof b.componentWillReceiveProps&&b.componentWillReceiveProps(c,d);"function"===typeof b.UNSAFE_componentWillReceiveProps&&b.UNSAFE_componentWillReceiveProps(c,d);b.state!==a&&Mc.enqueueReplaceState(b,b.state,null)}function pe(a,b,c,d){var e=a.stateNode;e.props=c;e.state=a.memoizedState;e.refs=$g;ne(a);var f=b.contextType;"object"===typeof f&&null!==f?e.context=W(f):(f=N(b)?Ra:B.current,e.context=pb(a,f));Qb(a,c,e,d);e.state=a.memoizedState;f=b.getDerivedStateFromProps;
+"function"===typeof f&&(Lc(a,b,f,c),e.state=a.memoizedState);"function"===typeof b.getDerivedStateFromProps||"function"===typeof e.getSnapshotBeforeUpdate||"function"!==typeof e.UNSAFE_componentWillMount&&"function"!==typeof e.componentWillMount||(b=e.state,"function"===typeof e.componentWillMount&&e.componentWillMount(),"function"===typeof e.UNSAFE_componentWillMount&&e.UNSAFE_componentWillMount(),b!==e.state&&Mc.enqueueReplaceState(e,e.state,null),Qb(a,c,e,d),e.state=a.memoizedState);"function"===
+typeof e.componentDidMount&&(a.effectTag|=4)}function Rb(a,b,c){a=c.ref;if(null!==a&&"function"!==typeof a&&"object"!==typeof a){if(c._owner){c=c._owner;if(c){if(1!==c.tag)throw Error(k(309));var d=c.stateNode}if(!d)throw Error(k(147,a));var e=""+a;if(null!==b&&null!==b.ref&&"function"===typeof b.ref&&b.ref._stringRef===e)return b.ref;b=function(a){var b=d.refs;b===$g&&(b=d.refs={});null===a?delete b[e]:b[e]=a};b._stringRef=e;return b}if("string"!==typeof a)throw Error(k(284));if(!c._owner)throw Error(k(290,
+a));}return a}function Nc(a,b){if("textarea"!==a.type)throw Error(k(31,"[object Object]"===Object.prototype.toString.call(b)?"object with keys {"+Object.keys(b).join(", ")+"}":b,""));}function ah(a){function b(b,c){if(a){var d=b.lastEffect;null!==d?(d.nextEffect=c,b.lastEffect=c):b.firstEffect=b.lastEffect=c;c.nextEffect=null;c.effectTag=8}}function c(c,d){if(!a)return null;for(;null!==d;)b(c,d),d=d.sibling;return null}function d(a,b){for(a=new Map;null!==b;)null!==b.key?a.set(b.key,b):a.set(b.index,
+b),b=b.sibling;return a}function e(a,b){a=Sa(a,b);a.index=0;a.sibling=null;return a}function f(b,c,d){b.index=d;if(!a)return c;d=b.alternate;if(null!==d)return d=d.index,d<c?(b.effectTag=2,c):d;b.effectTag=2;return c}function g(b){a&&null===b.alternate&&(b.effectTag=2);return b}function h(a,b,c,d){if(null===b||6!==b.tag)return b=qe(c,a.mode,d),b.return=a,b;b=e(b,c);b.return=a;return b}function m(a,b,c,d){if(null!==b&&b.elementType===c.type)return d=e(b,c.props),d.ref=Rb(a,b,c),d.return=a,d;d=Oc(c.type,
+c.key,c.props,null,a.mode,d);d.ref=Rb(a,b,c);d.return=a;return d}function n(a,b,c,d){if(null===b||4!==b.tag||b.stateNode.containerInfo!==c.containerInfo||b.stateNode.implementation!==c.implementation)return b=re(c,a.mode,d),b.return=a,b;b=e(b,c.children||[]);b.return=a;return b}function l(a,b,c,d,f){if(null===b||7!==b.tag)return b=Ha(c,a.mode,d,f),b.return=a,b;b=e(b,c);b.return=a;return b}function ba(a,b,c){if("string"===typeof b||"number"===typeof b)return b=qe(""+b,a.mode,c),b.return=a,b;if("object"===
+typeof b&&null!==b){switch(b.$$typeof){case Pc:return c=Oc(b.type,b.key,b.props,null,a.mode,c),c.ref=Rb(a,null,b),c.return=a,c;case gb:return b=re(b,a.mode,c),b.return=a,b}if(Qc(b)||zb(b))return b=Ha(b,a.mode,c,null),b.return=a,b;Nc(a,b)}return null}function p(a,b,c,d){var e=null!==b?b.key:null;if("string"===typeof c||"number"===typeof c)return null!==e?null:h(a,b,""+c,d);if("object"===typeof c&&null!==c){switch(c.$$typeof){case Pc:return c.key===e?c.type===Ma?l(a,b,c.props.children,d,e):m(a,b,c,
+d):null;case gb:return c.key===e?n(a,b,c,d):null}if(Qc(c)||zb(c))return null!==e?null:l(a,b,c,d,null);Nc(a,c)}return null}function t(a,b,c,d,e){if("string"===typeof d||"number"===typeof d)return a=a.get(c)||null,h(b,a,""+d,e);if("object"===typeof d&&null!==d){switch(d.$$typeof){case Pc:return a=a.get(null===d.key?c:d.key)||null,d.type===Ma?l(b,a,d.props.children,e,d.key):m(b,a,d,e);case gb:return a=a.get(null===d.key?c:d.key)||null,n(b,a,d,e)}if(Qc(d)||zb(d))return a=a.get(c)||null,l(b,a,d,e,null);
+Nc(b,d)}return null}function q(e,g,h,m){for(var n=null,k=null,l=g,r=g=0,C=null;null!==l&&r<h.length;r++){l.index>r?(C=l,l=null):C=l.sibling;var O=p(e,l,h[r],m);if(null===O){null===l&&(l=C);break}a&&l&&null===O.alternate&&b(e,l);g=f(O,g,r);null===k?n=O:k.sibling=O;k=O;l=C}if(r===h.length)return c(e,l),n;if(null===l){for(;r<h.length;r++)l=ba(e,h[r],m),null!==l&&(g=f(l,g,r),null===k?n=l:k.sibling=l,k=l);return n}for(l=d(e,l);r<h.length;r++)C=t(l,e,r,h[r],m),null!==C&&(a&&null!==C.alternate&&l.delete(null===
+C.key?r:C.key),g=f(C,g,r),null===k?n=C:k.sibling=C,k=C);a&&l.forEach(function(a){return b(e,a)});return n}function w(e,g,h,n){var m=zb(h);if("function"!==typeof m)throw Error(k(150));h=m.call(h);if(null==h)throw Error(k(151));for(var l=m=null,r=g,C=g=0,O=null,v=h.next();null!==r&&!v.done;C++,v=h.next()){r.index>C?(O=r,r=null):O=r.sibling;var q=p(e,r,v.value,n);if(null===q){null===r&&(r=O);break}a&&r&&null===q.alternate&&b(e,r);g=f(q,g,C);null===l?m=q:l.sibling=q;l=q;r=O}if(v.done)return c(e,r),m;
+if(null===r){for(;!v.done;C++,v=h.next())v=ba(e,v.value,n),null!==v&&(g=f(v,g,C),null===l?m=v:l.sibling=v,l=v);return m}for(r=d(e,r);!v.done;C++,v=h.next())v=t(r,e,C,v.value,n),null!==v&&(a&&null!==v.alternate&&r.delete(null===v.key?C:v.key),g=f(v,g,C),null===l?m=v:l.sibling=v,l=v);a&&r.forEach(function(a){return b(e,a)});return m}return function(a,d,f,h){var m="object"===typeof f&&null!==f&&f.type===Ma&&null===f.key;m&&(f=f.props.children);var n="object"===typeof f&&null!==f;if(n)switch(f.$$typeof){case Pc:a:{n=
+f.key;for(m=d;null!==m;){if(m.key===n){switch(m.tag){case 7:if(f.type===Ma){c(a,m.sibling);d=e(m,f.props.children);d.return=a;a=d;break a}break;default:if(m.elementType===f.type){c(a,m.sibling);d=e(m,f.props);d.ref=Rb(a,m,f);d.return=a;a=d;break a}}c(a,m);break}else b(a,m);m=m.sibling}f.type===Ma?(d=Ha(f.props.children,a.mode,h,f.key),d.return=a,a=d):(h=Oc(f.type,f.key,f.props,null,a.mode,h),h.ref=Rb(a,d,f),h.return=a,a=h)}return g(a);case gb:a:{for(m=f.key;null!==d;){if(d.key===m)if(4===d.tag&&d.stateNode.containerInfo===
+f.containerInfo&&d.stateNode.implementation===f.implementation){c(a,d.sibling);d=e(d,f.children||[]);d.return=a;a=d;break a}else{c(a,d);break}else b(a,d);d=d.sibling}d=re(f,a.mode,h);d.return=a;a=d}return g(a)}if("string"===typeof f||"number"===typeof f)return f=""+f,null!==d&&6===d.tag?(c(a,d.sibling),d=e(d,f),d.return=a,a=d):(c(a,d),d=qe(f,a.mode,h),d.return=a,a=d),g(a);if(Qc(f))return q(a,d,f,h);if(zb(f))return w(a,d,f,h);n&&Nc(a,f);if("undefined"===typeof f&&!m)switch(a.tag){case 1:case 0:throw a=
+a.type,Error(k(152,a.displayName||a.name||"Component"));}return c(a,d)}}function Ta(a){if(a===Sb)throw Error(k(174));return a}function se(a,b){y(Tb,b);y(Ub,a);y(ja,Sb);a=b.nodeType;switch(a){case 9:case 11:b=(b=b.documentElement)?b.namespaceURI:Hd(null,"");break;default:a=8===a?b.parentNode:b,b=a.namespaceURI||null,a=a.tagName,b=Hd(b,a)}q(ja);y(ja,b)}function tb(a){q(ja);q(Ub);q(Tb)}function bh(a){Ta(Tb.current);var b=Ta(ja.current);var c=Hd(b,a.type);b!==c&&(y(Ub,a),y(ja,c))}function te(a){Ub.current===
+a&&(q(ja),q(Ub))}function Rc(a){for(var b=a;null!==b;){if(13===b.tag){var c=b.memoizedState;if(null!==c&&(c=c.dehydrated,null===c||c.data===$d||c.data===Zd))return b}else if(19===b.tag&&void 0!==b.memoizedProps.revealOrder){if(0!==(b.effectTag&64))return b}else if(null!==b.child){b.child.return=b;b=b.child;continue}if(b===a)break;for(;null===b.sibling;){if(null===b.return||b.return===a)return null;b=b.return}b.sibling.return=b.return;b=b.sibling}return null}function ue(a,b){return{responder:a,props:b}}
+function S(){throw Error(k(321));}function ve(a,b){if(null===b)return!1;for(var c=0;c<b.length&&c<a.length;c++)if(!Qa(a[c],b[c]))return!1;return!0}function we(a,b,c,d,e,f){Ia=f;z=b;b.memoizedState=null;b.updateQueue=null;b.expirationTime=0;Sc.current=null===a||null===a.memoizedState?dj:ej;a=c(d,e);if(b.expirationTime===Ia){f=0;do{b.expirationTime=0;if(!(25>f))throw Error(k(301));f+=1;J=K=null;b.updateQueue=null;Sc.current=fj;a=c(d,e)}while(b.expirationTime===Ia)}Sc.current=Tc;b=null!==K&&null!==K.next;
+Ia=0;J=K=z=null;Uc=!1;if(b)throw Error(k(300));return a}function ub(){var a={memoizedState:null,baseState:null,baseQueue:null,queue:null,next:null};null===J?z.memoizedState=J=a:J=J.next=a;return J}function vb(){if(null===K){var a=z.alternate;a=null!==a?a.memoizedState:null}else a=K.next;var b=null===J?z.memoizedState:J.next;if(null!==b)J=b,K=a;else{if(null===a)throw Error(k(310));K=a;a={memoizedState:K.memoizedState,baseState:K.baseState,baseQueue:K.baseQueue,queue:K.queue,next:null};null===J?z.memoizedState=
+J=a:J=J.next=a}return J}function Ua(a,b){return"function"===typeof b?b(a):b}function Vc(a,b,c){b=vb();c=b.queue;if(null===c)throw Error(k(311));c.lastRenderedReducer=a;var d=K,e=d.baseQueue,f=c.pending;if(null!==f){if(null!==e){var g=e.next;e.next=f.next;f.next=g}d.baseQueue=e=f;c.pending=null}if(null!==e){e=e.next;d=d.baseState;var h=g=f=null,m=e;do{var n=m.expirationTime;if(n<Ia){var l={expirationTime:m.expirationTime,suspenseConfig:m.suspenseConfig,action:m.action,eagerReducer:m.eagerReducer,eagerState:m.eagerState,
+next:null};null===h?(g=h=l,f=d):h=h.next=l;n>z.expirationTime&&(z.expirationTime=n,Kc(n))}else null!==h&&(h=h.next={expirationTime:1073741823,suspenseConfig:m.suspenseConfig,action:m.action,eagerReducer:m.eagerReducer,eagerState:m.eagerState,next:null}),Vg(n,m.suspenseConfig),d=m.eagerReducer===a?m.eagerState:a(d,m.action);m=m.next}while(null!==m&&m!==e);null===h?f=d:h.next=g;Qa(d,b.memoizedState)||(ia=!0);b.memoizedState=d;b.baseState=f;b.baseQueue=h;c.lastRenderedState=d}return[b.memoizedState,
+c.dispatch]}function Wc(a,b,c){b=vb();c=b.queue;if(null===c)throw Error(k(311));c.lastRenderedReducer=a;var d=c.dispatch,e=c.pending,f=b.memoizedState;if(null!==e){c.pending=null;var g=e=e.next;do f=a(f,g.action),g=g.next;while(g!==e);Qa(f,b.memoizedState)||(ia=!0);b.memoizedState=f;null===b.baseQueue&&(b.baseState=f);c.lastRenderedState=f}return[f,d]}function xe(a){var b=ub();"function"===typeof a&&(a=a());b.memoizedState=b.baseState=a;a=b.queue={pending:null,dispatch:null,lastRenderedReducer:Ua,
+lastRenderedState:a};a=a.dispatch=ch.bind(null,z,a);return[b.memoizedState,a]}function ye(a,b,c,d){a={tag:a,create:b,destroy:c,deps:d,next:null};b=z.updateQueue;null===b?(b={lastEffect:null},z.updateQueue=b,b.lastEffect=a.next=a):(c=b.lastEffect,null===c?b.lastEffect=a.next=a:(d=c.next,c.next=a,a.next=d,b.lastEffect=a));return a}function dh(a){return vb().memoizedState}function ze(a,b,c,d){var e=ub();z.effectTag|=a;e.memoizedState=ye(1|b,c,void 0,void 0===d?null:d)}function Ae(a,b,c,d){var e=vb();
+d=void 0===d?null:d;var f=void 0;if(null!==K){var g=K.memoizedState;f=g.destroy;if(null!==d&&ve(d,g.deps)){ye(b,c,f,d);return}}z.effectTag|=a;e.memoizedState=ye(1|b,c,f,d)}function eh(a,b){return ze(516,4,a,b)}function Xc(a,b){return Ae(516,4,a,b)}function fh(a,b){return Ae(4,2,a,b)}function gh(a,b){if("function"===typeof b)return a=a(),b(a),function(){b(null)};if(null!==b&&void 0!==b)return a=a(),b.current=a,function(){b.current=null}}function hh(a,b,c){c=null!==c&&void 0!==c?c.concat([a]):null;
+return Ae(4,2,gh.bind(null,b,a),c)}function Be(a,b){}function ih(a,b){ub().memoizedState=[a,void 0===b?null:b];return a}function Yc(a,b){var c=vb();b=void 0===b?null:b;var d=c.memoizedState;if(null!==d&&null!==b&&ve(b,d[1]))return d[0];c.memoizedState=[a,b];return a}function jh(a,b){var c=vb();b=void 0===b?null:b;var d=c.memoizedState;if(null!==d&&null!==b&&ve(b,d[1]))return d[0];a=a();c.memoizedState=[a,b];return a}function Ce(a,b,c){var d=Cc();Da(98>d?98:d,function(){a(!0)});Da(97<d?97:d,function(){var d=
+X.suspense;X.suspense=void 0===b?null:b;try{a(!1),c()}finally{X.suspense=d}})}function ch(a,b,c){var d=ka(),e=Vb.suspense;d=Va(d,a,e);e={expirationTime:d,suspenseConfig:e,action:c,eagerReducer:null,eagerState:null,next:null};var f=b.pending;null===f?e.next=e:(e.next=f.next,f.next=e);b.pending=e;f=a.alternate;if(a===z||null!==f&&f===z)Uc=!0,e.expirationTime=Ia,z.expirationTime=Ia;else{if(0===a.expirationTime&&(null===f||0===f.expirationTime)&&(f=b.lastRenderedReducer,null!==f))try{var g=b.lastRenderedState,
+h=f(g,c);e.eagerReducer=f;e.eagerState=h;if(Qa(h,g))return}catch(m){}finally{}Ja(a,d)}}function kh(a,b){var c=la(5,null,null,0);c.elementType="DELETED";c.type="DELETED";c.stateNode=b;c.return=a;c.effectTag=8;null!==a.lastEffect?(a.lastEffect.nextEffect=c,a.lastEffect=c):a.firstEffect=a.lastEffect=c}function lh(a,b){switch(a.tag){case 5:var c=a.type;b=1!==b.nodeType||c.toLowerCase()!==b.nodeName.toLowerCase()?null:b;return null!==b?(a.stateNode=b,!0):!1;case 6:return b=""===a.pendingProps||3!==b.nodeType?
+null:b,null!==b?(a.stateNode=b,!0):!1;case 13:return!1;default:return!1}}function De(a){if(Wa){var b=Ka;if(b){var c=b;if(!lh(a,b)){b=kb(c.nextSibling);if(!b||!lh(a,b)){a.effectTag=a.effectTag&-1025|2;Wa=!1;ra=a;return}kh(ra,c)}ra=a;Ka=kb(b.firstChild)}else a.effectTag=a.effectTag&-1025|2,Wa=!1,ra=a}}function mh(a){for(a=a.return;null!==a&&5!==a.tag&&3!==a.tag&&13!==a.tag;)a=a.return;ra=a}function Zc(a){if(a!==ra)return!1;if(!Wa)return mh(a),Wa=!0,!1;var b=a.type;if(5!==a.tag||"head"!==b&&"body"!==
+b&&!Yd(b,a.memoizedProps))for(b=Ka;b;)kh(a,b),b=kb(b.nextSibling);mh(a);if(13===a.tag){a=a.memoizedState;a=null!==a?a.dehydrated:null;if(!a)throw Error(k(317));a:{a=a.nextSibling;for(b=0;a;){if(8===a.nodeType){var c=a.data;if(c===og){if(0===b){Ka=kb(a.nextSibling);break a}b--}else c!==ng&&c!==Zd&&c!==$d||b++}a=a.nextSibling}Ka=null}}else Ka=ra?kb(a.stateNode.nextSibling):null;return!0}function Ee(){Ka=ra=null;Wa=!1}function T(a,b,c,d){b.child=null===a?Fe(b,null,c,d):wb(b,a.child,c,d)}function nh(a,
+b,c,d,e){c=c.render;var f=b.ref;rb(b,e);d=we(a,b,c,d,f,e);if(null!==a&&!ia)return b.updateQueue=a.updateQueue,b.effectTag&=-517,a.expirationTime<=e&&(a.expirationTime=0),sa(a,b,e);b.effectTag|=1;T(a,b,d,e);return b.child}function oh(a,b,c,d,e,f){if(null===a){var g=c.type;if("function"===typeof g&&!Ge(g)&&void 0===g.defaultProps&&null===c.compare&&void 0===c.defaultProps)return b.tag=15,b.type=g,ph(a,b,g,d,e,f);a=Oc(c.type,null,d,null,b.mode,f);a.ref=b.ref;a.return=b;return b.child=a}g=a.child;if(e<
+f&&(e=g.memoizedProps,c=c.compare,c=null!==c?c:Ob,c(e,d)&&a.ref===b.ref))return sa(a,b,f);b.effectTag|=1;a=Sa(g,d);a.ref=b.ref;a.return=b;return b.child=a}function ph(a,b,c,d,e,f){return null!==a&&Ob(a.memoizedProps,d)&&a.ref===b.ref&&(ia=!1,e<f)?(b.expirationTime=a.expirationTime,sa(a,b,f)):He(a,b,c,d,f)}function qh(a,b){var c=b.ref;if(null===a&&null!==c||null!==a&&a.ref!==c)b.effectTag|=128}function He(a,b,c,d,e){var f=N(c)?Ra:B.current;f=pb(b,f);rb(b,e);c=we(a,b,c,d,f,e);if(null!==a&&!ia)return b.updateQueue=
+a.updateQueue,b.effectTag&=-517,a.expirationTime<=e&&(a.expirationTime=0),sa(a,b,e);b.effectTag|=1;T(a,b,c,e);return b.child}function rh(a,b,c,d,e){if(N(c)){var f=!0;Bc(b)}else f=!1;rb(b,e);if(null===b.stateNode)null!==a&&(a.alternate=null,b.alternate=null,b.effectTag|=2),Yg(b,c,d),pe(b,c,d,e),d=!0;else if(null===a){var g=b.stateNode,h=b.memoizedProps;g.props=h;var m=g.context,n=c.contextType;"object"===typeof n&&null!==n?n=W(n):(n=N(c)?Ra:B.current,n=pb(b,n));var l=c.getDerivedStateFromProps,k="function"===
+typeof l||"function"===typeof g.getSnapshotBeforeUpdate;k||"function"!==typeof g.UNSAFE_componentWillReceiveProps&&"function"!==typeof g.componentWillReceiveProps||(h!==d||m!==n)&&Zg(b,g,d,n);Ga=!1;var p=b.memoizedState;g.state=p;Qb(b,d,g,e);m=b.memoizedState;h!==d||p!==m||G.current||Ga?("function"===typeof l&&(Lc(b,c,l,d),m=b.memoizedState),(h=Ga||Xg(b,c,h,d,p,m,n))?(k||"function"!==typeof g.UNSAFE_componentWillMount&&"function"!==typeof g.componentWillMount||("function"===typeof g.componentWillMount&&
+g.componentWillMount(),"function"===typeof g.UNSAFE_componentWillMount&&g.UNSAFE_componentWillMount()),"function"===typeof g.componentDidMount&&(b.effectTag|=4)):("function"===typeof g.componentDidMount&&(b.effectTag|=4),b.memoizedProps=d,b.memoizedState=m),g.props=d,g.state=m,g.context=n,d=h):("function"===typeof g.componentDidMount&&(b.effectTag|=4),d=!1)}else g=b.stateNode,oe(a,b),h=b.memoizedProps,g.props=b.type===b.elementType?h:aa(b.type,h),m=g.context,n=c.contextType,"object"===typeof n&&null!==
+n?n=W(n):(n=N(c)?Ra:B.current,n=pb(b,n)),l=c.getDerivedStateFromProps,(k="function"===typeof l||"function"===typeof g.getSnapshotBeforeUpdate)||"function"!==typeof g.UNSAFE_componentWillReceiveProps&&"function"!==typeof g.componentWillReceiveProps||(h!==d||m!==n)&&Zg(b,g,d,n),Ga=!1,m=b.memoizedState,g.state=m,Qb(b,d,g,e),p=b.memoizedState,h!==d||m!==p||G.current||Ga?("function"===typeof l&&(Lc(b,c,l,d),p=b.memoizedState),(l=Ga||Xg(b,c,h,d,m,p,n))?(k||"function"!==typeof g.UNSAFE_componentWillUpdate&&
+"function"!==typeof g.componentWillUpdate||("function"===typeof g.componentWillUpdate&&g.componentWillUpdate(d,p,n),"function"===typeof g.UNSAFE_componentWillUpdate&&g.UNSAFE_componentWillUpdate(d,p,n)),"function"===typeof g.componentDidUpdate&&(b.effectTag|=4),"function"===typeof g.getSnapshotBeforeUpdate&&(b.effectTag|=256)):("function"!==typeof g.componentDidUpdate||h===a.memoizedProps&&m===a.memoizedState||(b.effectTag|=4),"function"!==typeof g.getSnapshotBeforeUpdate||h===a.memoizedProps&&m===
+a.memoizedState||(b.effectTag|=256),b.memoizedProps=d,b.memoizedState=p),g.props=d,g.state=p,g.context=n,d=l):("function"!==typeof g.componentDidUpdate||h===a.memoizedProps&&m===a.memoizedState||(b.effectTag|=4),"function"!==typeof g.getSnapshotBeforeUpdate||h===a.memoizedProps&&m===a.memoizedState||(b.effectTag|=256),d=!1);return Ie(a,b,c,d,f,e)}function Ie(a,b,c,d,e,f){qh(a,b);var g=0!==(b.effectTag&64);if(!d&&!g)return e&&Hg(b,c,!1),sa(a,b,f);d=b.stateNode;gj.current=b;var h=g&&"function"!==typeof c.getDerivedStateFromError?
+null:d.render();b.effectTag|=1;null!==a&&g?(b.child=wb(b,a.child,null,f),b.child=wb(b,null,h,f)):T(a,b,h,f);b.memoizedState=d.state;e&&Hg(b,c,!0);return b.child}function sh(a){var b=a.stateNode;b.pendingContext?Fg(a,b.pendingContext,b.pendingContext!==b.context):b.context&&Fg(a,b.context,!1);se(a,b.containerInfo)}function th(a,b,c){var d=b.mode,e=b.pendingProps,f=D.current,g=!1,h;(h=0!==(b.effectTag&64))||(h=0!==(f&2)&&(null===a||null!==a.memoizedState));h?(g=!0,b.effectTag&=-65):null!==a&&null===
+a.memoizedState||void 0===e.fallback||!0===e.unstable_avoidThisFallback||(f|=1);y(D,f&1);if(null===a){void 0!==e.fallback&&De(b);if(g){g=e.fallback;e=Ha(null,d,0,null);e.return=b;if(0===(b.mode&2))for(a=null!==b.memoizedState?b.child.child:b.child,e.child=a;null!==a;)a.return=e,a=a.sibling;c=Ha(g,d,c,null);c.return=b;e.sibling=c;b.memoizedState=Je;b.child=e;return c}d=e.children;b.memoizedState=null;return b.child=Fe(b,null,d,c)}if(null!==a.memoizedState){a=a.child;d=a.sibling;if(g){e=e.fallback;
+c=Sa(a,a.pendingProps);c.return=b;if(0===(b.mode&2)&&(g=null!==b.memoizedState?b.child.child:b.child,g!==a.child))for(c.child=g;null!==g;)g.return=c,g=g.sibling;d=Sa(d,e);d.return=b;c.sibling=d;c.childExpirationTime=0;b.memoizedState=Je;b.child=c;return d}c=wb(b,a.child,e.children,c);b.memoizedState=null;return b.child=c}a=a.child;if(g){g=e.fallback;e=Ha(null,d,0,null);e.return=b;e.child=a;null!==a&&(a.return=e);if(0===(b.mode&2))for(a=null!==b.memoizedState?b.child.child:b.child,e.child=a;null!==
+a;)a.return=e,a=a.sibling;c=Ha(g,d,c,null);c.return=b;e.sibling=c;c.effectTag|=2;e.childExpirationTime=0;b.memoizedState=Je;b.child=e;return c}b.memoizedState=null;return b.child=wb(b,a,e.children,c)}function uh(a,b){a.expirationTime<b&&(a.expirationTime=b);var c=a.alternate;null!==c&&c.expirationTime<b&&(c.expirationTime=b);Sg(a.return,b)}function Ke(a,b,c,d,e,f){var g=a.memoizedState;null===g?a.memoizedState={isBackwards:b,rendering:null,renderingStartTime:0,last:d,tail:c,tailExpiration:0,tailMode:e,
+lastEffect:f}:(g.isBackwards=b,g.rendering=null,g.renderingStartTime=0,g.last=d,g.tail=c,g.tailExpiration=0,g.tailMode=e,g.lastEffect=f)}function vh(a,b,c){var d=b.pendingProps,e=d.revealOrder,f=d.tail;T(a,b,d.children,c);d=D.current;if(0!==(d&2))d=d&1|2,b.effectTag|=64;else{if(null!==a&&0!==(a.effectTag&64))a:for(a=b.child;null!==a;){if(13===a.tag)null!==a.memoizedState&&uh(a,c);else if(19===a.tag)uh(a,c);else if(null!==a.child){a.child.return=a;a=a.child;continue}if(a===b)break a;for(;null===a.sibling;){if(null===
+a.return||a.return===b)break a;a=a.return}a.sibling.return=a.return;a=a.sibling}d&=1}y(D,d);if(0===(b.mode&2))b.memoizedState=null;else switch(e){case "forwards":c=b.child;for(e=null;null!==c;)a=c.alternate,null!==a&&null===Rc(a)&&(e=c),c=c.sibling;c=e;null===c?(e=b.child,b.child=null):(e=c.sibling,c.sibling=null);Ke(b,!1,e,c,f,b.lastEffect);break;case "backwards":c=null;e=b.child;for(b.child=null;null!==e;){a=e.alternate;if(null!==a&&null===Rc(a)){b.child=e;break}a=e.sibling;e.sibling=c;c=e;e=a}Ke(b,
+!0,c,null,f,b.lastEffect);break;case "together":Ke(b,!1,null,null,void 0,b.lastEffect);break;default:b.memoizedState=null}return b.child}function sa(a,b,c){null!==a&&(b.dependencies=a.dependencies);var d=b.expirationTime;0!==d&&Kc(d);if(b.childExpirationTime<c)return null;if(null!==a&&b.child!==a.child)throw Error(k(153));if(null!==b.child){a=b.child;c=Sa(a,a.pendingProps);b.child=c;for(c.return=b;null!==a.sibling;)a=a.sibling,c=c.sibling=Sa(a,a.pendingProps),c.return=b;c.sibling=null}return b.child}
+function $c(a,b){switch(a.tailMode){case "hidden":b=a.tail;for(var c=null;null!==b;)null!==b.alternate&&(c=b),b=b.sibling;null===c?a.tail=null:c.sibling=null;break;case "collapsed":c=a.tail;for(var d=null;null!==c;)null!==c.alternate&&(d=c),c=c.sibling;null===d?b||null===a.tail?a.tail=null:a.tail.sibling=null:d.sibling=null}}function hj(a,b,c){var d=b.pendingProps;switch(b.tag){case 2:case 16:case 15:case 0:case 11:case 7:case 8:case 12:case 9:case 14:return null;case 1:return N(b.type)&&(q(G),q(B)),
+null;case 3:return tb(),q(G),q(B),c=b.stateNode,c.pendingContext&&(c.context=c.pendingContext,c.pendingContext=null),null!==a&&null!==a.child||!Zc(b)||(b.effectTag|=4),wh(b),null;case 5:te(b);c=Ta(Tb.current);var e=b.type;if(null!==a&&null!=b.stateNode)ij(a,b,e,d,c),a.ref!==b.ref&&(b.effectTag|=128);else{if(!d){if(null===b.stateNode)throw Error(k(166));return null}a=Ta(ja.current);if(Zc(b)){d=b.stateNode;e=b.type;var f=b.memoizedProps;d[Aa]=b;d[vc]=f;switch(e){case "iframe":case "object":case "embed":w("load",
+d);break;case "video":case "audio":for(a=0;a<Db.length;a++)w(Db[a],d);break;case "source":w("error",d);break;case "img":case "image":case "link":w("error",d);w("load",d);break;case "form":w("reset",d);w("submit",d);break;case "details":w("toggle",d);break;case "input":Hf(d,f);w("invalid",d);oa(c,"onChange");break;case "select":d._wrapperState={wasMultiple:!!f.multiple};w("invalid",d);oa(c,"onChange");break;case "textarea":Kf(d,f),w("invalid",d),oa(c,"onChange")}Ud(e,f);a=null;for(var g in f)if(f.hasOwnProperty(g)){var h=
+f[g];"children"===g?"string"===typeof h?d.textContent!==h&&(a=["children",h]):"number"===typeof h&&d.textContent!==""+h&&(a=["children",""+h]):db.hasOwnProperty(g)&&null!=h&&oa(c,g)}switch(e){case "input":mc(d);Jf(d,f,!0);break;case "textarea":mc(d);Mf(d);break;case "select":case "option":break;default:"function"===typeof f.onClick&&(d.onclick=uc)}c=a;b.updateQueue=c;null!==c&&(b.effectTag|=4)}else{g=9===c.nodeType?c:c.ownerDocument;"http://www.w3.org/1999/xhtml"===a&&(a=Nf(e));"http://www.w3.org/1999/xhtml"===
+a?"script"===e?(a=g.createElement("div"),a.innerHTML="<script>\x3c/script>",a=a.removeChild(a.firstChild)):"string"===typeof d.is?a=g.createElement(e,{is:d.is}):(a=g.createElement(e),"select"===e&&(g=a,d.multiple?g.multiple=!0:d.size&&(g.size=d.size))):a=g.createElementNS(a,e);a[Aa]=b;a[vc]=d;jj(a,b,!1,!1);b.stateNode=a;g=Vd(e,d);switch(e){case "iframe":case "object":case "embed":w("load",a);h=d;break;case "video":case "audio":for(h=0;h<Db.length;h++)w(Db[h],a);h=d;break;case "source":w("error",a);
+h=d;break;case "img":case "image":case "link":w("error",a);w("load",a);h=d;break;case "form":w("reset",a);w("submit",a);h=d;break;case "details":w("toggle",a);h=d;break;case "input":Hf(a,d);h=Cd(a,d);w("invalid",a);oa(c,"onChange");break;case "option":h=Fd(a,d);break;case "select":a._wrapperState={wasMultiple:!!d.multiple};h=M({},d,{value:void 0});w("invalid",a);oa(c,"onChange");break;case "textarea":Kf(a,d);h=Gd(a,d);w("invalid",a);oa(c,"onChange");break;default:h=d}Ud(e,h);var m=h;for(f in m)if(m.hasOwnProperty(f)){var n=
+m[f];"style"===f?gg(a,n):"dangerouslySetInnerHTML"===f?(n=n?n.__html:void 0,null!=n&&xh(a,n)):"children"===f?"string"===typeof n?("textarea"!==e||""!==n)&&Wb(a,n):"number"===typeof n&&Wb(a,""+n):"suppressContentEditableWarning"!==f&&"suppressHydrationWarning"!==f&&"autoFocus"!==f&&(db.hasOwnProperty(f)?null!=n&&oa(c,f):null!=n&&xd(a,f,n,g))}switch(e){case "input":mc(a);Jf(a,d,!1);break;case "textarea":mc(a);Mf(a);break;case "option":null!=d.value&&a.setAttribute("value",""+va(d.value));break;case "select":a.multiple=
+!!d.multiple;c=d.value;null!=c?hb(a,!!d.multiple,c,!1):null!=d.defaultValue&&hb(a,!!d.multiple,d.defaultValue,!0);break;default:"function"===typeof h.onClick&&(a.onclick=uc)}lg(e,d)&&(b.effectTag|=4)}null!==b.ref&&(b.effectTag|=128)}return null;case 6:if(a&&null!=b.stateNode)kj(a,b,a.memoizedProps,d);else{if("string"!==typeof d&&null===b.stateNode)throw Error(k(166));c=Ta(Tb.current);Ta(ja.current);Zc(b)?(c=b.stateNode,d=b.memoizedProps,c[Aa]=b,c.nodeValue!==d&&(b.effectTag|=4)):(c=(9===c.nodeType?
+c:c.ownerDocument).createTextNode(d),c[Aa]=b,b.stateNode=c)}return null;case 13:q(D);d=b.memoizedState;if(0!==(b.effectTag&64))return b.expirationTime=c,b;c=null!==d;d=!1;null===a?void 0!==b.memoizedProps.fallback&&Zc(b):(e=a.memoizedState,d=null!==e,c||null===e||(e=a.child.sibling,null!==e&&(f=b.firstEffect,null!==f?(b.firstEffect=e,e.nextEffect=f):(b.firstEffect=b.lastEffect=e,e.nextEffect=null),e.effectTag=8)));if(c&&!d&&0!==(b.mode&2))if(null===a&&!0!==b.memoizedProps.unstable_avoidThisFallback||
+0!==(D.current&1))F===Xa&&(F=ad);else{if(F===Xa||F===ad)F=bd;0!==Xb&&null!==U&&(Ya(U,P),yh(U,Xb))}if(c||d)b.effectTag|=4;return null;case 4:return tb(),wh(b),null;case 10:return me(b),null;case 17:return N(b.type)&&(q(G),q(B)),null;case 19:q(D);d=b.memoizedState;if(null===d)return null;e=0!==(b.effectTag&64);f=d.rendering;if(null===f)if(e)$c(d,!1);else{if(F!==Xa||null!==a&&0!==(a.effectTag&64))for(f=b.child;null!==f;){a=Rc(f);if(null!==a){b.effectTag|=64;$c(d,!1);e=a.updateQueue;null!==e&&(b.updateQueue=
+e,b.effectTag|=4);null===d.lastEffect&&(b.firstEffect=null);b.lastEffect=d.lastEffect;for(d=b.child;null!==d;)e=d,f=c,e.effectTag&=2,e.nextEffect=null,e.firstEffect=null,e.lastEffect=null,a=e.alternate,null===a?(e.childExpirationTime=0,e.expirationTime=f,e.child=null,e.memoizedProps=null,e.memoizedState=null,e.updateQueue=null,e.dependencies=null):(e.childExpirationTime=a.childExpirationTime,e.expirationTime=a.expirationTime,e.child=a.child,e.memoizedProps=a.memoizedProps,e.memoizedState=a.memoizedState,
+e.updateQueue=a.updateQueue,f=a.dependencies,e.dependencies=null===f?null:{expirationTime:f.expirationTime,firstContext:f.firstContext,responders:f.responders}),d=d.sibling;y(D,D.current&1|2);return b.child}f=f.sibling}}else{if(!e)if(a=Rc(f),null!==a){if(b.effectTag|=64,e=!0,c=a.updateQueue,null!==c&&(b.updateQueue=c,b.effectTag|=4),$c(d,!0),null===d.tail&&"hidden"===d.tailMode&&!f.alternate)return b=b.lastEffect=d.lastEffect,null!==b&&(b.nextEffect=null),null}else 2*Y()-d.renderingStartTime>d.tailExpiration&&
+1<c&&(b.effectTag|=64,e=!0,$c(d,!1),b.expirationTime=b.childExpirationTime=c-1);d.isBackwards?(f.sibling=b.child,b.child=f):(c=d.last,null!==c?c.sibling=f:b.child=f,d.last=f)}return null!==d.tail?(0===d.tailExpiration&&(d.tailExpiration=Y()+500),c=d.tail,d.rendering=c,d.tail=c.sibling,d.lastEffect=b.lastEffect,d.renderingStartTime=Y(),c.sibling=null,b=D.current,y(D,e?b&1|2:b&1),c):null}throw Error(k(156,b.tag));}function lj(a,b){switch(a.tag){case 1:return N(a.type)&&(q(G),q(B)),b=a.effectTag,b&4096?
+(a.effectTag=b&-4097|64,a):null;case 3:tb();q(G);q(B);b=a.effectTag;if(0!==(b&64))throw Error(k(285));a.effectTag=b&-4097|64;return a;case 5:return te(a),null;case 13:return q(D),b=a.effectTag,b&4096?(a.effectTag=b&-4097|64,a):null;case 19:return q(D),null;case 4:return tb(),null;case 10:return me(a),null;default:return null}}function Le(a,b){return{value:a,source:b,stack:Bd(b)}}function Me(a,b){var c=b.source,d=b.stack;null===d&&null!==c&&(d=Bd(c));null!==c&&na(c.type);b=b.value;null!==a&&1===a.tag&&
+na(a.type);try{console.error(b)}catch(e){setTimeout(function(){throw e;})}}function mj(a,b){try{b.props=a.memoizedProps,b.state=a.memoizedState,b.componentWillUnmount()}catch(c){Za(a,c)}}function zh(a){var b=a.ref;if(null!==b)if("function"===typeof b)try{b(null)}catch(c){Za(a,c)}else b.current=null}function nj(a,b){switch(b.tag){case 0:case 11:case 15:case 22:return;case 1:if(b.effectTag&256&&null!==a){var c=a.memoizedProps,d=a.memoizedState;a=b.stateNode;b=a.getSnapshotBeforeUpdate(b.elementType===
+b.type?c:aa(b.type,c),d);a.__reactInternalSnapshotBeforeUpdate=b}return;case 3:case 5:case 6:case 4:case 17:return}throw Error(k(163));}function Ah(a,b){b=b.updateQueue;b=null!==b?b.lastEffect:null;if(null!==b){var c=b=b.next;do{if((c.tag&a)===a){var d=c.destroy;c.destroy=void 0;void 0!==d&&d()}c=c.next}while(c!==b)}}function Bh(a,b){b=b.updateQueue;b=null!==b?b.lastEffect:null;if(null!==b){var c=b=b.next;do{if((c.tag&a)===a){var d=c.create;c.destroy=d()}c=c.next}while(c!==b)}}function oj(a,b,c,d){switch(c.tag){case 0:case 11:case 15:case 22:Bh(3,
+c);return;case 1:a=c.stateNode;c.effectTag&4&&(null===b?a.componentDidMount():(d=c.elementType===c.type?b.memoizedProps:aa(c.type,b.memoizedProps),a.componentDidUpdate(d,b.memoizedState,a.__reactInternalSnapshotBeforeUpdate)));b=c.updateQueue;null!==b&&Wg(c,b,a);return;case 3:b=c.updateQueue;if(null!==b){a=null;if(null!==c.child)switch(c.child.tag){case 5:a=c.child.stateNode;break;case 1:a=c.child.stateNode}Wg(c,b,a)}return;case 5:a=c.stateNode;null===b&&c.effectTag&4&&lg(c.type,c.memoizedProps)&&
+a.focus();return;case 6:return;case 4:return;case 12:return;case 13:null===c.memoizedState&&(c=c.alternate,null!==c&&(c=c.memoizedState,null!==c&&(c=c.dehydrated,null!==c&&bg(c))));return;case 19:case 17:case 20:case 21:return}throw Error(k(163));}function Ch(a,b,c){"function"===typeof Ne&&Ne(b);switch(b.tag){case 0:case 11:case 14:case 15:case 22:a=b.updateQueue;if(null!==a&&(a=a.lastEffect,null!==a)){var d=a.next;Da(97<c?97:c,function(){var a=d;do{var c=a.destroy;if(void 0!==c){var g=b;try{c()}catch(h){Za(g,
+h)}}a=a.next}while(a!==d)})}break;case 1:zh(b);c=b.stateNode;"function"===typeof c.componentWillUnmount&&mj(b,c);break;case 5:zh(b);break;case 4:Dh(a,b,c)}}function Eh(a){var b=a.alternate;a.return=null;a.child=null;a.memoizedState=null;a.updateQueue=null;a.dependencies=null;a.alternate=null;a.firstEffect=null;a.lastEffect=null;a.pendingProps=null;a.memoizedProps=null;a.stateNode=null;null!==b&&Eh(b)}function Fh(a){return 5===a.tag||3===a.tag||4===a.tag}function Gh(a){a:{for(var b=a.return;null!==
+b;){if(Fh(b)){var c=b;break a}b=b.return}throw Error(k(160));}b=c.stateNode;switch(c.tag){case 5:var d=!1;break;case 3:b=b.containerInfo;d=!0;break;case 4:b=b.containerInfo;d=!0;break;default:throw Error(k(161));}c.effectTag&16&&(Wb(b,""),c.effectTag&=-17);a:b:for(c=a;;){for(;null===c.sibling;){if(null===c.return||Fh(c.return)){c=null;break a}c=c.return}c.sibling.return=c.return;for(c=c.sibling;5!==c.tag&&6!==c.tag&&18!==c.tag;){if(c.effectTag&2)continue b;if(null===c.child||4===c.tag)continue b;
+else c.child.return=c,c=c.child}if(!(c.effectTag&2)){c=c.stateNode;break a}}d?Oe(a,c,b):Pe(a,c,b)}function Oe(a,b,c){var d=a.tag,e=5===d||6===d;if(e)a=e?a.stateNode:a.stateNode.instance,b?8===c.nodeType?c.parentNode.insertBefore(a,b):c.insertBefore(a,b):(8===c.nodeType?(b=c.parentNode,b.insertBefore(a,c)):(b=c,b.appendChild(a)),c=c._reactRootContainer,null!==c&&void 0!==c||null!==b.onclick||(b.onclick=uc));else if(4!==d&&(a=a.child,null!==a))for(Oe(a,b,c),a=a.sibling;null!==a;)Oe(a,b,c),a=a.sibling}
+function Pe(a,b,c){var d=a.tag,e=5===d||6===d;if(e)a=e?a.stateNode:a.stateNode.instance,b?c.insertBefore(a,b):c.appendChild(a);else if(4!==d&&(a=a.child,null!==a))for(Pe(a,b,c),a=a.sibling;null!==a;)Pe(a,b,c),a=a.sibling}function Dh(a,b,c){for(var d=b,e=!1,f,g;;){if(!e){e=d.return;a:for(;;){if(null===e)throw Error(k(160));f=e.stateNode;switch(e.tag){case 5:g=!1;break a;case 3:f=f.containerInfo;g=!0;break a;case 4:f=f.containerInfo;g=!0;break a}e=e.return}e=!0}if(5===d.tag||6===d.tag){a:for(var h=
+a,m=d,n=c,l=m;;)if(Ch(h,l,n),null!==l.child&&4!==l.tag)l.child.return=l,l=l.child;else{if(l===m)break a;for(;null===l.sibling;){if(null===l.return||l.return===m)break a;l=l.return}l.sibling.return=l.return;l=l.sibling}g?(h=f,m=d.stateNode,8===h.nodeType?h.parentNode.removeChild(m):h.removeChild(m)):f.removeChild(d.stateNode)}else if(4===d.tag){if(null!==d.child){f=d.stateNode.containerInfo;g=!0;d.child.return=d;d=d.child;continue}}else if(Ch(a,d,c),null!==d.child){d.child.return=d;d=d.child;continue}if(d===
+b)break;for(;null===d.sibling;){if(null===d.return||d.return===b)return;d=d.return;4===d.tag&&(e=!1)}d.sibling.return=d.return;d=d.sibling}}function Qe(a,b){switch(b.tag){case 0:case 11:case 14:case 15:case 22:Ah(3,b);return;case 1:return;case 5:var c=b.stateNode;if(null!=c){var d=b.memoizedProps,e=null!==a?a.memoizedProps:d;a=b.type;var f=b.updateQueue;b.updateQueue=null;if(null!==f){c[vc]=d;"input"===a&&"radio"===d.type&&null!=d.name&&If(c,d);Vd(a,e);b=Vd(a,d);for(e=0;e<f.length;e+=2){var g=f[e],
+h=f[e+1];"style"===g?gg(c,h):"dangerouslySetInnerHTML"===g?xh(c,h):"children"===g?Wb(c,h):xd(c,g,h,b)}switch(a){case "input":Dd(c,d);break;case "textarea":Lf(c,d);break;case "select":b=c._wrapperState.wasMultiple,c._wrapperState.wasMultiple=!!d.multiple,a=d.value,null!=a?hb(c,!!d.multiple,a,!1):b!==!!d.multiple&&(null!=d.defaultValue?hb(c,!!d.multiple,d.defaultValue,!0):hb(c,!!d.multiple,d.multiple?[]:"",!1))}}}return;case 6:if(null===b.stateNode)throw Error(k(162));b.stateNode.nodeValue=b.memoizedProps;
+return;case 3:b=b.stateNode;b.hydrate&&(b.hydrate=!1,bg(b.containerInfo));return;case 12:return;case 13:c=b;null===b.memoizedState?d=!1:(d=!0,c=b.child,Re=Y());if(null!==c)a:for(a=c;;){if(5===a.tag)f=a.stateNode,d?(f=f.style,"function"===typeof f.setProperty?f.setProperty("display","none","important"):f.display="none"):(f=a.stateNode,e=a.memoizedProps.style,e=void 0!==e&&null!==e&&e.hasOwnProperty("display")?e.display:null,f.style.display=fg("display",e));else if(6===a.tag)a.stateNode.nodeValue=d?
+"":a.memoizedProps;else if(13===a.tag&&null!==a.memoizedState&&null===a.memoizedState.dehydrated){f=a.child.sibling;f.return=a;a=f;continue}else if(null!==a.child){a.child.return=a;a=a.child;continue}if(a===c)break;for(;null===a.sibling;){if(null===a.return||a.return===c)break a;a=a.return}a.sibling.return=a.return;a=a.sibling}Hh(b);return;case 19:Hh(b);return;case 17:return}throw Error(k(163));}function Hh(a){var b=a.updateQueue;if(null!==b){a.updateQueue=null;var c=a.stateNode;null===c&&(c=a.stateNode=
+new pj);b.forEach(function(b){var d=qj.bind(null,a,b);c.has(b)||(c.add(b),b.then(d,d))})}}function Ih(a,b,c){c=Ea(c,null);c.tag=3;c.payload={element:null};var d=b.value;c.callback=function(){cd||(cd=!0,Se=d);Me(a,b)};return c}function Jh(a,b,c){c=Ea(c,null);c.tag=3;var d=a.type.getDerivedStateFromError;if("function"===typeof d){var e=b.value;c.payload=function(){Me(a,b);return d(e)}}var f=a.stateNode;null!==f&&"function"===typeof f.componentDidCatch&&(c.callback=function(){"function"!==typeof d&&
+(null===La?La=new Set([this]):La.add(this),Me(a,b));var c=b.stack;this.componentDidCatch(b.value,{componentStack:null!==c?c:""})});return c}function ka(){return(p&(ca|ma))!==H?1073741821-(Y()/10|0):0!==dd?dd:dd=1073741821-(Y()/10|0)}function Va(a,b,c){b=b.mode;if(0===(b&2))return 1073741823;var d=Cc();if(0===(b&4))return 99===d?1073741823:1073741822;if((p&ca)!==H)return P;if(null!==c)a=Fc(a,c.timeoutMs|0||5E3,250);else switch(d){case 99:a=1073741823;break;case 98:a=Fc(a,150,100);break;case 97:case 96:a=
+Fc(a,5E3,250);break;case 95:a=2;break;default:throw Error(k(326));}null!==U&&a===P&&--a;return a}function ed(a,b){a.expirationTime<b&&(a.expirationTime=b);var c=a.alternate;null!==c&&c.expirationTime<b&&(c.expirationTime=b);var d=a.return,e=null;if(null===d&&3===a.tag)e=a.stateNode;else for(;null!==d;){c=d.alternate;d.childExpirationTime<b&&(d.childExpirationTime=b);null!==c&&c.childExpirationTime<b&&(c.childExpirationTime=b);if(null===d.return&&3===d.tag){e=d.stateNode;break}d=d.return}null!==e&&
+(U===e&&(Kc(b),F===bd&&Ya(e,P)),yh(e,b));return e}function fd(a){var b=a.lastExpiredTime;if(0!==b)return b;b=a.firstPendingTime;if(!Kh(a,b))return b;var c=a.lastPingedTime;a=a.nextKnownPendingLevel;a=c>a?c:a;return 2>=a&&b!==a?0:a}function V(a){if(0!==a.lastExpiredTime)a.callbackExpirationTime=1073741823,a.callbackPriority=99,a.callbackNode=Og(Te.bind(null,a));else{var b=fd(a),c=a.callbackNode;if(0===b)null!==c&&(a.callbackNode=null,a.callbackExpirationTime=0,a.callbackPriority=90);else{var d=ka();
+1073741823===b?d=99:1===b||2===b?d=95:(d=10*(1073741821-b)-10*(1073741821-d),d=0>=d?99:250>=d?98:5250>=d?97:95);if(null!==c){var e=a.callbackPriority;if(a.callbackExpirationTime===b&&e>=d)return;c!==Qg&&Rg(c)}a.callbackExpirationTime=b;a.callbackPriority=d;b=1073741823===b?Og(Te.bind(null,a)):Ng(d,Lh.bind(null,a),{timeout:10*(1073741821-b)-Y()});a.callbackNode=b}}}function Lh(a,b){dd=0;if(b)return b=ka(),Ue(a,b),V(a),null;var c=fd(a);if(0!==c){b=a.callbackNode;if((p&(ca|ma))!==H)throw Error(k(327));
+xb();a===U&&c===P||$a(a,c);if(null!==t){var d=p;p|=ca;var e=Mh();do try{rj();break}catch(h){Nh(a,h)}while(1);le();p=d;gd.current=e;if(F===hd)throw b=id,$a(a,c),Ya(a,c),V(a),b;if(null===t)switch(e=a.finishedWork=a.current.alternate,a.finishedExpirationTime=c,d=F,U=null,d){case Xa:case hd:throw Error(k(345));case Oh:Ue(a,2<c?2:c);break;case ad:Ya(a,c);d=a.lastSuspendedTime;c===d&&(a.nextKnownPendingLevel=Ve(e));if(1073741823===ta&&(e=Re+Ph-Y(),10<e)){if(jd){var f=a.lastPingedTime;if(0===f||f>=c){a.lastPingedTime=
+c;$a(a,c);break}}f=fd(a);if(0!==f&&f!==c)break;if(0!==d&&d!==c){a.lastPingedTime=d;break}a.timeoutHandle=We(ab.bind(null,a),e);break}ab(a);break;case bd:Ya(a,c);d=a.lastSuspendedTime;c===d&&(a.nextKnownPendingLevel=Ve(e));if(jd&&(e=a.lastPingedTime,0===e||e>=c)){a.lastPingedTime=c;$a(a,c);break}e=fd(a);if(0!==e&&e!==c)break;if(0!==d&&d!==c){a.lastPingedTime=d;break}1073741823!==Yb?d=10*(1073741821-Yb)-Y():1073741823===ta?d=0:(d=10*(1073741821-ta)-5E3,e=Y(),c=10*(1073741821-c)-e,d=e-d,0>d&&(d=0),d=
+(120>d?120:480>d?480:1080>d?1080:1920>d?1920:3E3>d?3E3:4320>d?4320:1960*sj(d/1960))-d,c<d&&(d=c));if(10<d){a.timeoutHandle=We(ab.bind(null,a),d);break}ab(a);break;case Xe:if(1073741823!==ta&&null!==kd){f=ta;var g=kd;d=g.busyMinDurationMs|0;0>=d?d=0:(e=g.busyDelayMs|0,f=Y()-(10*(1073741821-f)-(g.timeoutMs|0||5E3)),d=f<=e?0:e+d-f);if(10<d){Ya(a,c);a.timeoutHandle=We(ab.bind(null,a),d);break}}ab(a);break;default:throw Error(k(329));}V(a);if(a.callbackNode===b)return Lh.bind(null,a)}}return null}function Te(a){var b=
+a.lastExpiredTime;b=0!==b?b:1073741823;if((p&(ca|ma))!==H)throw Error(k(327));xb();a===U&&b===P||$a(a,b);if(null!==t){var c=p;p|=ca;var d=Mh();do try{tj();break}catch(e){Nh(a,e)}while(1);le();p=c;gd.current=d;if(F===hd)throw c=id,$a(a,b),Ya(a,b),V(a),c;if(null!==t)throw Error(k(261));a.finishedWork=a.current.alternate;a.finishedExpirationTime=b;U=null;ab(a);V(a)}return null}function uj(){if(null!==bb){var a=bb;bb=null;a.forEach(function(a,c){Ue(c,a);V(c)});ha()}}function Qh(a,b){var c=p;p|=1;try{return a(b)}finally{p=
+c,p===H&&ha()}}function Rh(a,b){var c=p;p&=-2;p|=Ye;try{return a(b)}finally{p=c,p===H&&ha()}}function $a(a,b){a.finishedWork=null;a.finishedExpirationTime=0;var c=a.timeoutHandle;-1!==c&&(a.timeoutHandle=-1,vj(c));if(null!==t)for(c=t.return;null!==c;){var d=c;switch(d.tag){case 1:d=d.type.childContextTypes;null!==d&&void 0!==d&&(q(G),q(B));break;case 3:tb();q(G);q(B);break;case 5:te(d);break;case 4:tb();break;case 13:q(D);break;case 19:q(D);break;case 10:me(d)}c=c.return}U=a;t=Sa(a.current,null);
+P=b;F=Xa;id=null;Yb=ta=1073741823;kd=null;Xb=0;jd=!1}function Nh(a,b){do{try{le();Sc.current=Tc;if(Uc)for(var c=z.memoizedState;null!==c;){var d=c.queue;null!==d&&(d.pending=null);c=c.next}Ia=0;J=K=z=null;Uc=!1;if(null===t||null===t.return)return F=hd,id=b,t=null;a:{var e=a,f=t.return,g=t,h=b;b=P;g.effectTag|=2048;g.firstEffect=g.lastEffect=null;if(null!==h&&"object"===typeof h&&"function"===typeof h.then){var m=h;if(0===(g.mode&2)){var n=g.alternate;n?(g.updateQueue=n.updateQueue,g.memoizedState=
+n.memoizedState,g.expirationTime=n.expirationTime):(g.updateQueue=null,g.memoizedState=null)}var l=0!==(D.current&1),k=f;do{var p;if(p=13===k.tag){var q=k.memoizedState;if(null!==q)p=null!==q.dehydrated?!0:!1;else{var w=k.memoizedProps;p=void 0===w.fallback?!1:!0!==w.unstable_avoidThisFallback?!0:l?!1:!0}}if(p){var y=k.updateQueue;if(null===y){var r=new Set;r.add(m);k.updateQueue=r}else y.add(m);if(0===(k.mode&2)){k.effectTag|=64;g.effectTag&=-2981;if(1===g.tag)if(null===g.alternate)g.tag=17;else{var O=
+Ea(1073741823,null);O.tag=Jc;Fa(g,O)}g.expirationTime=1073741823;break a}h=void 0;g=b;var v=e.pingCache;null===v?(v=e.pingCache=new wj,h=new Set,v.set(m,h)):(h=v.get(m),void 0===h&&(h=new Set,v.set(m,h)));if(!h.has(g)){h.add(g);var x=xj.bind(null,e,m,g);m.then(x,x)}k.effectTag|=4096;k.expirationTime=b;break a}k=k.return}while(null!==k);h=Error((na(g.type)||"A React component")+" suspended while rendering, but no fallback UI was specified.\n\nAdd a <Suspense fallback=...> component higher in the tree to provide a loading indicator or placeholder to display."+
+Bd(g))}F!==Xe&&(F=Oh);h=Le(h,g);k=f;do{switch(k.tag){case 3:m=h;k.effectTag|=4096;k.expirationTime=b;var A=Ih(k,m,b);Ug(k,A);break a;case 1:m=h;var u=k.type,B=k.stateNode;if(0===(k.effectTag&64)&&("function"===typeof u.getDerivedStateFromError||null!==B&&"function"===typeof B.componentDidCatch&&(null===La||!La.has(B)))){k.effectTag|=4096;k.expirationTime=b;var H=Jh(k,m,b);Ug(k,H);break a}}k=k.return}while(null!==k)}t=Sh(t)}catch(cj){b=cj;continue}break}while(1)}function Mh(a){a=gd.current;gd.current=
+Tc;return null===a?Tc:a}function Vg(a,b){a<ta&&2<a&&(ta=a);null!==b&&a<Yb&&2<a&&(Yb=a,kd=b)}function Kc(a){a>Xb&&(Xb=a)}function tj(){for(;null!==t;)t=Th(t)}function rj(){for(;null!==t&&!yj();)t=Th(t)}function Th(a){var b=zj(a.alternate,a,P);a.memoizedProps=a.pendingProps;null===b&&(b=Sh(a));Uh.current=null;return b}function Sh(a){t=a;do{var b=t.alternate;a=t.return;if(0===(t.effectTag&2048)){b=hj(b,t,P);if(1===P||1!==t.childExpirationTime){for(var c=0,d=t.child;null!==d;){var e=d.expirationTime,
+f=d.childExpirationTime;e>c&&(c=e);f>c&&(c=f);d=d.sibling}t.childExpirationTime=c}if(null!==b)return b;null!==a&&0===(a.effectTag&2048)&&(null===a.firstEffect&&(a.firstEffect=t.firstEffect),null!==t.lastEffect&&(null!==a.lastEffect&&(a.lastEffect.nextEffect=t.firstEffect),a.lastEffect=t.lastEffect),1<t.effectTag&&(null!==a.lastEffect?a.lastEffect.nextEffect=t:a.firstEffect=t,a.lastEffect=t))}else{b=lj(t);if(null!==b)return b.effectTag&=2047,b;null!==a&&(a.firstEffect=a.lastEffect=null,a.effectTag|=
+2048)}b=t.sibling;if(null!==b)return b;t=a}while(null!==t);F===Xa&&(F=Xe);return null}function Ve(a){var b=a.expirationTime;a=a.childExpirationTime;return b>a?b:a}function ab(a){var b=Cc();Da(99,Aj.bind(null,a,b));return null}function Aj(a,b){do xb();while(null!==Zb);if((p&(ca|ma))!==H)throw Error(k(327));var c=a.finishedWork,d=a.finishedExpirationTime;if(null===c)return null;a.finishedWork=null;a.finishedExpirationTime=0;if(c===a.current)throw Error(k(177));a.callbackNode=null;a.callbackExpirationTime=
+0;a.callbackPriority=90;a.nextKnownPendingLevel=0;var e=Ve(c);a.firstPendingTime=e;d<=a.lastSuspendedTime?a.firstSuspendedTime=a.lastSuspendedTime=a.nextKnownPendingLevel=0:d<=a.firstSuspendedTime&&(a.firstSuspendedTime=d-1);d<=a.lastPingedTime&&(a.lastPingedTime=0);d<=a.lastExpiredTime&&(a.lastExpiredTime=0);a===U&&(t=U=null,P=0);1<c.effectTag?null!==c.lastEffect?(c.lastEffect.nextEffect=c,e=c.firstEffect):e=c:e=c.firstEffect;if(null!==e){var f=p;p|=ma;Uh.current=null;Ze=tc;var g=kg();if(Xd(g)){if("selectionStart"in
+g)var h={start:g.selectionStart,end:g.selectionEnd};else a:{h=(h=g.ownerDocument)&&h.defaultView||window;var m=h.getSelection&&h.getSelection();if(m&&0!==m.rangeCount){h=m.anchorNode;var n=m.anchorOffset,q=m.focusNode;m=m.focusOffset;try{h.nodeType,q.nodeType}catch(sb){h=null;break a}var ba=0,w=-1,y=-1,B=0,D=0,r=g,z=null;b:for(;;){for(var v;;){r!==h||0!==n&&3!==r.nodeType||(w=ba+n);r!==q||0!==m&&3!==r.nodeType||(y=ba+m);3===r.nodeType&&(ba+=r.nodeValue.length);if(null===(v=r.firstChild))break;z=r;
+r=v}for(;;){if(r===g)break b;z===h&&++B===n&&(w=ba);z===q&&++D===m&&(y=ba);if(null!==(v=r.nextSibling))break;r=z;z=r.parentNode}r=v}h=-1===w||-1===y?null:{start:w,end:y}}else h=null}h=h||{start:0,end:0}}else h=null;$e={activeElementDetached:null,focusedElem:g,selectionRange:h};tc=!1;l=e;do try{Bj()}catch(sb){if(null===l)throw Error(k(330));Za(l,sb);l=l.nextEffect}while(null!==l);l=e;do try{for(g=a,h=b;null!==l;){var x=l.effectTag;x&16&&Wb(l.stateNode,"");if(x&128){var A=l.alternate;if(null!==A){var u=
+A.ref;null!==u&&("function"===typeof u?u(null):u.current=null)}}switch(x&1038){case 2:Gh(l);l.effectTag&=-3;break;case 6:Gh(l);l.effectTag&=-3;Qe(l.alternate,l);break;case 1024:l.effectTag&=-1025;break;case 1028:l.effectTag&=-1025;Qe(l.alternate,l);break;case 4:Qe(l.alternate,l);break;case 8:n=l,Dh(g,n,h),Eh(n)}l=l.nextEffect}}catch(sb){if(null===l)throw Error(k(330));Za(l,sb);l=l.nextEffect}while(null!==l);u=$e;A=kg();x=u.focusedElem;h=u.selectionRange;if(A!==x&&x&&x.ownerDocument&&jg(x.ownerDocument.documentElement,
+x)){null!==h&&Xd(x)&&(A=h.start,u=h.end,void 0===u&&(u=A),"selectionStart"in x?(x.selectionStart=A,x.selectionEnd=Math.min(u,x.value.length)):(u=(A=x.ownerDocument||document)&&A.defaultView||window,u.getSelection&&(u=u.getSelection(),n=x.textContent.length,g=Math.min(h.start,n),h=void 0===h.end?g:Math.min(h.end,n),!u.extend&&g>h&&(n=h,h=g,g=n),n=ig(x,g),q=ig(x,h),n&&q&&(1!==u.rangeCount||u.anchorNode!==n.node||u.anchorOffset!==n.offset||u.focusNode!==q.node||u.focusOffset!==q.offset)&&(A=A.createRange(),
+A.setStart(n.node,n.offset),u.removeAllRanges(),g>h?(u.addRange(A),u.extend(q.node,q.offset)):(A.setEnd(q.node,q.offset),u.addRange(A))))));A=[];for(u=x;u=u.parentNode;)1===u.nodeType&&A.push({element:u,left:u.scrollLeft,top:u.scrollTop});"function"===typeof x.focus&&x.focus();for(x=0;x<A.length;x++)u=A[x],u.element.scrollLeft=u.left,u.element.scrollTop=u.top}tc=!!Ze;$e=Ze=null;a.current=c;l=e;do try{for(x=a;null!==l;){var F=l.effectTag;F&36&&oj(x,l.alternate,l);if(F&128){A=void 0;var E=l.ref;if(null!==
+E){var G=l.stateNode;switch(l.tag){case 5:A=G;break;default:A=G}"function"===typeof E?E(A):E.current=A}}l=l.nextEffect}}catch(sb){if(null===l)throw Error(k(330));Za(l,sb);l=l.nextEffect}while(null!==l);l=null;Cj();p=f}else a.current=c;if(ld)ld=!1,Zb=a,$b=b;else for(l=e;null!==l;)b=l.nextEffect,l.nextEffect=null,l=b;b=a.firstPendingTime;0===b&&(La=null);1073741823===b?a===af?ac++:(ac=0,af=a):ac=0;"function"===typeof bf&&bf(c.stateNode,d);V(a);if(cd)throw cd=!1,a=Se,Se=null,a;if((p&Ye)!==H)return null;
+ha();return null}function Bj(){for(;null!==l;){var a=l.effectTag;0!==(a&256)&&nj(l.alternate,l);0===(a&512)||ld||(ld=!0,Ng(97,function(){xb();return null}));l=l.nextEffect}}function xb(){if(90!==$b){var a=97<$b?97:$b;$b=90;return Da(a,Dj)}}function Dj(){if(null===Zb)return!1;var a=Zb;Zb=null;if((p&(ca|ma))!==H)throw Error(k(331));var b=p;p|=ma;for(a=a.current.firstEffect;null!==a;){try{var c=a;if(0!==(c.effectTag&512))switch(c.tag){case 0:case 11:case 15:case 22:Ah(5,c),Bh(5,c)}}catch(d){if(null===
+a)throw Error(k(330));Za(a,d)}c=a.nextEffect;a.nextEffect=null;a=c}p=b;ha();return!0}function Vh(a,b,c){b=Le(c,b);b=Ih(a,b,1073741823);Fa(a,b);a=ed(a,1073741823);null!==a&&V(a)}function Za(a,b){if(3===a.tag)Vh(a,a,b);else for(var c=a.return;null!==c;){if(3===c.tag){Vh(c,a,b);break}else if(1===c.tag){var d=c.stateNode;if("function"===typeof c.type.getDerivedStateFromError||"function"===typeof d.componentDidCatch&&(null===La||!La.has(d))){a=Le(b,a);a=Jh(c,a,1073741823);Fa(c,a);c=ed(c,1073741823);null!==
+c&&V(c);break}}c=c.return}}function xj(a,b,c){var d=a.pingCache;null!==d&&d.delete(b);U===a&&P===c?F===bd||F===ad&&1073741823===ta&&Y()-Re<Ph?$a(a,P):jd=!0:Kh(a,c)&&(b=a.lastPingedTime,0!==b&&b<c||(a.lastPingedTime=c,V(a)))}function qj(a,b){var c=a.stateNode;null!==c&&c.delete(b);b=0;0===b&&(b=ka(),b=Va(b,a,null));a=ed(a,b);null!==a&&V(a)}function Ej(a){if("undefined"===typeof __REACT_DEVTOOLS_GLOBAL_HOOK__)return!1;var b=__REACT_DEVTOOLS_GLOBAL_HOOK__;if(b.isDisabled||!b.supportsFiber)return!0;try{var c=
+b.inject(a);bf=function(a,e){try{b.onCommitFiberRoot(c,a,void 0,64===(a.current.effectTag&64))}catch(f){}};Ne=function(a){try{b.onCommitFiberUnmount(c,a)}catch(e){}}}catch(d){}return!0}function Fj(a,b,c,d){this.tag=a;this.key=c;this.sibling=this.child=this.return=this.stateNode=this.type=this.elementType=null;this.index=0;this.ref=null;this.pendingProps=b;this.dependencies=this.memoizedState=this.updateQueue=this.memoizedProps=null;this.mode=d;this.effectTag=0;this.lastEffect=this.firstEffect=this.nextEffect=
+null;this.childExpirationTime=this.expirationTime=0;this.alternate=null}function Ge(a){a=a.prototype;return!(!a||!a.isReactComponent)}function Gj(a){if("function"===typeof a)return Ge(a)?1:0;if(void 0!==a&&null!==a){a=a.$$typeof;if(a===zd)return 11;if(a===Ad)return 14}return 2}function Sa(a,b){var c=a.alternate;null===c?(c=la(a.tag,b,a.key,a.mode),c.elementType=a.elementType,c.type=a.type,c.stateNode=a.stateNode,c.alternate=a,a.alternate=c):(c.pendingProps=b,c.effectTag=0,c.nextEffect=null,c.firstEffect=
+null,c.lastEffect=null);c.childExpirationTime=a.childExpirationTime;c.expirationTime=a.expirationTime;c.child=a.child;c.memoizedProps=a.memoizedProps;c.memoizedState=a.memoizedState;c.updateQueue=a.updateQueue;b=a.dependencies;c.dependencies=null===b?null:{expirationTime:b.expirationTime,firstContext:b.firstContext,responders:b.responders};c.sibling=a.sibling;c.index=a.index;c.ref=a.ref;return c}function Oc(a,b,c,d,e,f){var g=2;d=a;if("function"===typeof a)Ge(a)&&(g=1);else if("string"===typeof a)g=
+5;else a:switch(a){case Ma:return Ha(c.children,e,f,b);case Hj:g=8;e|=7;break;case Af:g=8;e|=1;break;case kc:return a=la(12,c,b,e|8),a.elementType=kc,a.type=kc,a.expirationTime=f,a;case lc:return a=la(13,c,b,e),a.type=lc,a.elementType=lc,a.expirationTime=f,a;case yd:return a=la(19,c,b,e),a.elementType=yd,a.expirationTime=f,a;default:if("object"===typeof a&&null!==a)switch(a.$$typeof){case Cf:g=10;break a;case Bf:g=9;break a;case zd:g=11;break a;case Ad:g=14;break a;case Ef:g=16;d=null;break a;case Df:g=
+22;break a}throw Error(k(130,null==a?a:typeof a,""));}b=la(g,c,b,e);b.elementType=a;b.type=d;b.expirationTime=f;return b}function Ha(a,b,c,d){a=la(7,a,d,b);a.expirationTime=c;return a}function qe(a,b,c){a=la(6,a,null,b);a.expirationTime=c;return a}function re(a,b,c){b=la(4,null!==a.children?a.children:[],a.key,b);b.expirationTime=c;b.stateNode={containerInfo:a.containerInfo,pendingChildren:null,implementation:a.implementation};return b}function Ij(a,b,c){this.tag=b;this.current=null;this.containerInfo=
+a;this.pingCache=this.pendingChildren=null;this.finishedExpirationTime=0;this.finishedWork=null;this.timeoutHandle=-1;this.pendingContext=this.context=null;this.hydrate=c;this.callbackNode=null;this.callbackPriority=90;this.lastExpiredTime=this.lastPingedTime=this.nextKnownPendingLevel=this.lastSuspendedTime=this.firstSuspendedTime=this.firstPendingTime=0}function Kh(a,b){var c=a.firstSuspendedTime;a=a.lastSuspendedTime;return 0!==c&&c>=b&&a<=b}function Ya(a,b){var c=a.firstSuspendedTime,d=a.lastSuspendedTime;
+c<b&&(a.firstSuspendedTime=b);if(d>b||0===c)a.lastSuspendedTime=b;b<=a.lastPingedTime&&(a.lastPingedTime=0);b<=a.lastExpiredTime&&(a.lastExpiredTime=0)}function yh(a,b){b>a.firstPendingTime&&(a.firstPendingTime=b);var c=a.firstSuspendedTime;0!==c&&(b>=c?a.firstSuspendedTime=a.lastSuspendedTime=a.nextKnownPendingLevel=0:b>=a.lastSuspendedTime&&(a.lastSuspendedTime=b+1),b>a.nextKnownPendingLevel&&(a.nextKnownPendingLevel=b))}function Ue(a,b){var c=a.lastExpiredTime;if(0===c||c>b)a.lastExpiredTime=b}
+function md(a,b,c,d){var e=b.current,f=ka(),g=Vb.suspense;f=Va(f,e,g);a:if(c){c=c._reactInternalFiber;b:{if(Na(c)!==c||1!==c.tag)throw Error(k(170));var h=c;do{switch(h.tag){case 3:h=h.stateNode.context;break b;case 1:if(N(h.type)){h=h.stateNode.__reactInternalMemoizedMergedChildContext;break b}}h=h.return}while(null!==h);throw Error(k(171));}if(1===c.tag){var m=c.type;if(N(m)){c=Gg(c,m,h);break a}}c=h}else c=Ca;null===b.context?b.context=c:b.pendingContext=c;b=Ea(f,g);b.payload={element:a};d=void 0===
+d?null:d;null!==d&&(b.callback=d);Fa(e,b);Ja(e,f);return f}function cf(a){a=a.current;if(!a.child)return null;switch(a.child.tag){case 5:return a.child.stateNode;default:return a.child.stateNode}}function Wh(a,b){a=a.memoizedState;null!==a&&null!==a.dehydrated&&a.retryTime<b&&(a.retryTime=b)}function df(a,b){Wh(a,b);(a=a.alternate)&&Wh(a,b)}function ef(a,b,c){c=null!=c&&!0===c.hydrate;var d=new Ij(a,b,c),e=la(3,null,null,2===b?7:1===b?3:0);d.current=e;e.stateNode=d;ne(e);a[Lb]=d.current;c&&0!==b&&
+xi(a,9===a.nodeType?a:a.ownerDocument);this._internalRoot=d}function bc(a){return!(!a||1!==a.nodeType&&9!==a.nodeType&&11!==a.nodeType&&(8!==a.nodeType||" react-mount-point-unstable "!==a.nodeValue))}function Jj(a,b){b||(b=a?9===a.nodeType?a.documentElement:a.firstChild:null,b=!(!b||1!==b.nodeType||!b.hasAttribute("data-reactroot")));if(!b)for(var c;c=a.lastChild;)a.removeChild(c);return new ef(a,0,b?{hydrate:!0}:void 0)}function nd(a,b,c,d,e){var f=c._reactRootContainer;if(f){var g=f._internalRoot;
+if("function"===typeof e){var h=e;e=function(){var a=cf(g);h.call(a)}}md(b,g,a,e)}else{f=c._reactRootContainer=Jj(c,d);g=f._internalRoot;if("function"===typeof e){var m=e;e=function(){var a=cf(g);m.call(a)}}Rh(function(){md(b,g,a,e)})}return cf(g)}function Kj(a,b,c){var d=3<arguments.length&&void 0!==arguments[3]?arguments[3]:null;return{$$typeof:gb,key:null==d?null:""+d,children:a,containerInfo:b,implementation:c}}function Xh(a,b){var c=2<arguments.length&&void 0!==arguments[2]?arguments[2]:null;
+if(!bc(b))throw Error(k(200));return Kj(a,b,null,c)}if(!ea)throw Error(k(227));var ki=function(a,b,c,d,e,f,g,h,m){var n=Array.prototype.slice.call(arguments,3);try{b.apply(c,n)}catch(C){this.onError(C)}},yb=!1,gc=null,hc=!1,pd=null,li={onError:function(a){yb=!0;gc=a}},td=null,rf=null,mf=null,ic=null,cb={},jc=[],qd={},db={},rd={},wa=!("undefined"===typeof window||"undefined"===typeof window.document||"undefined"===typeof window.document.createElement),M=ea.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED.assign,
+sd=null,eb=null,fb=null,ee=function(a,b){return a(b)},eg=function(a,b,c,d,e){return a(b,c,d,e)},vd=function(){},vf=ee,Oa=!1,wd=!1,Z=ea.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED.Scheduler,Lj=Z.unstable_cancelCallback,ff=Z.unstable_now,$f=Z.unstable_scheduleCallback,Mj=Z.unstable_shouldYield,Yh=Z.unstable_requestPaint,Pd=Z.unstable_runWithPriority,Nj=Z.unstable_getCurrentPriorityLevel,Oj=Z.unstable_ImmediatePriority,Zh=Z.unstable_UserBlockingPriority,ag=Z.unstable_NormalPriority,Pj=Z.unstable_LowPriority,
+Qj=Z.unstable_IdlePriority,oi=/^[:A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][:A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$/,wf=Object.prototype.hasOwnProperty,yf={},xf={},E={};"children dangerouslySetInnerHTML defaultValue defaultChecked innerHTML suppressContentEditableWarning suppressHydrationWarning style".split(" ").forEach(function(a){E[a]=
+new L(a,0,!1,a,null,!1)});[["acceptCharset","accept-charset"],["className","class"],["htmlFor","for"],["httpEquiv","http-equiv"]].forEach(function(a){var b=a[0];E[b]=new L(b,1,!1,a[1],null,!1)});["contentEditable","draggable","spellCheck","value"].forEach(function(a){E[a]=new L(a,2,!1,a.toLowerCase(),null,!1)});["autoReverse","externalResourcesRequired","focusable","preserveAlpha"].forEach(function(a){E[a]=new L(a,2,!1,a,null,!1)});"allowFullScreen async autoFocus autoPlay controls default defer disabled disablePictureInPicture formNoValidate hidden loop noModule noValidate open playsInline readOnly required reversed scoped seamless itemScope".split(" ").forEach(function(a){E[a]=
+new L(a,3,!1,a.toLowerCase(),null,!1)});["checked","multiple","muted","selected"].forEach(function(a){E[a]=new L(a,3,!0,a,null,!1)});["capture","download"].forEach(function(a){E[a]=new L(a,4,!1,a,null,!1)});["cols","rows","size","span"].forEach(function(a){E[a]=new L(a,6,!1,a,null,!1)});["rowSpan","start"].forEach(function(a){E[a]=new L(a,5,!1,a.toLowerCase(),null,!1)});var gf=/[\-:]([a-z])/g,hf=function(a){return a[1].toUpperCase()};"accent-height alignment-baseline arabic-form baseline-shift cap-height clip-path clip-rule color-interpolation color-interpolation-filters color-profile color-rendering dominant-baseline enable-background fill-opacity fill-rule flood-color flood-opacity font-family font-size font-size-adjust font-stretch font-style font-variant font-weight glyph-name glyph-orientation-horizontal glyph-orientation-vertical horiz-adv-x horiz-origin-x image-rendering letter-spacing lighting-color marker-end marker-mid marker-start overline-position overline-thickness paint-order panose-1 pointer-events rendering-intent shape-rendering stop-color stop-opacity strikethrough-position strikethrough-thickness stroke-dasharray stroke-dashoffset stroke-linecap stroke-linejoin stroke-miterlimit stroke-opacity stroke-width text-anchor text-decoration text-rendering underline-position underline-thickness unicode-bidi unicode-range units-per-em v-alphabetic v-hanging v-ideographic v-mathematical vector-effect vert-adv-y vert-origin-x vert-origin-y word-spacing writing-mode xmlns:xlink x-height".split(" ").forEach(function(a){var b=
+a.replace(gf,hf);E[b]=new L(b,1,!1,a,null,!1)});"xlink:actuate xlink:arcrole xlink:role xlink:show xlink:title xlink:type".split(" ").forEach(function(a){var b=a.replace(gf,hf);E[b]=new L(b,1,!1,a,"http://www.w3.org/1999/xlink",!1)});["xml:base","xml:lang","xml:space"].forEach(function(a){var b=a.replace(gf,hf);E[b]=new L(b,1,!1,a,"http://www.w3.org/XML/1998/namespace",!1)});["tabIndex","crossOrigin"].forEach(function(a){E[a]=new L(a,1,!1,a.toLowerCase(),null,!1)});E.xlinkHref=new L("xlinkHref",1,
+!1,"xlink:href","http://www.w3.org/1999/xlink",!0);["src","href","action","formAction"].forEach(function(a){E[a]=new L(a,1,!1,a.toLowerCase(),null,!0)});var da=ea.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED;da.hasOwnProperty("ReactCurrentDispatcher")||(da.ReactCurrentDispatcher={current:null});da.hasOwnProperty("ReactCurrentBatchConfig")||(da.ReactCurrentBatchConfig={suspense:null});var si=/^(.*)[\\\/]/,Q="function"===typeof Symbol&&Symbol.for,Pc=Q?Symbol.for("react.element"):60103,gb=Q?Symbol.for("react.portal"):
+60106,Ma=Q?Symbol.for("react.fragment"):60107,Af=Q?Symbol.for("react.strict_mode"):60108,kc=Q?Symbol.for("react.profiler"):60114,Cf=Q?Symbol.for("react.provider"):60109,Bf=Q?Symbol.for("react.context"):60110,Hj=Q?Symbol.for("react.concurrent_mode"):60111,zd=Q?Symbol.for("react.forward_ref"):60112,lc=Q?Symbol.for("react.suspense"):60113,yd=Q?Symbol.for("react.suspense_list"):60120,Ad=Q?Symbol.for("react.memo"):60115,Ef=Q?Symbol.for("react.lazy"):60116,Df=Q?Symbol.for("react.block"):60121,zf="function"===
+typeof Symbol&&Symbol.iterator,od,xh=function(a){return"undefined"!==typeof MSApp&&MSApp.execUnsafeLocalFunction?function(b,c,d,e){MSApp.execUnsafeLocalFunction(function(){return a(b,c,d,e)})}:a}(function(a,b){if("http://www.w3.org/2000/svg"!==a.namespaceURI||"innerHTML"in a)a.innerHTML=b;else{od=od||document.createElement("div");od.innerHTML="<svg>"+b.valueOf().toString()+"</svg>";for(b=od.firstChild;a.firstChild;)a.removeChild(a.firstChild);for(;b.firstChild;)a.appendChild(b.firstChild)}}),Wb=function(a,
+b){if(b){var c=a.firstChild;if(c&&c===a.lastChild&&3===c.nodeType){c.nodeValue=b;return}}a.textContent=b},ib={animationend:nc("Animation","AnimationEnd"),animationiteration:nc("Animation","AnimationIteration"),animationstart:nc("Animation","AnimationStart"),transitionend:nc("Transition","TransitionEnd")},Id={},Of={};wa&&(Of=document.createElement("div").style,"AnimationEvent"in window||(delete ib.animationend.animation,delete ib.animationiteration.animation,delete ib.animationstart.animation),"TransitionEvent"in
+window||delete ib.transitionend.transition);var $h=oc("animationend"),ai=oc("animationiteration"),bi=oc("animationstart"),ci=oc("transitionend"),Db="abort canplay canplaythrough durationchange emptied encrypted ended error loadeddata loadedmetadata loadstart pause play playing progress ratechange seeked seeking stalled suspend timeupdate volumechange waiting".split(" "),Pf=new ("function"===typeof WeakMap?WeakMap:Map),Ab=null,wi=function(a){if(a){var b=a._dispatchListeners,c=a._dispatchInstances;
+if(Array.isArray(b))for(var d=0;d<b.length&&!a.isPropagationStopped();d++)lf(a,b[d],c[d]);else b&&lf(a,b,c);a._dispatchListeners=null;a._dispatchInstances=null;a.isPersistent()||a.constructor.release(a)}},qc=[],Rd=!1,fa=[],xa=null,ya=null,za=null,Eb=new Map,Fb=new Map,Jb=[],Nd="mousedown mouseup touchcancel touchend touchstart auxclick dblclick pointercancel pointerdown pointerup dragend dragstart drop compositionend compositionstart keydown keypress keyup input textInput close cancel copy cut paste click change contextmenu reset submit".split(" "),
+yi="focus blur dragenter dragleave mouseover mouseout pointerover pointerout gotpointercapture lostpointercapture".split(" "),dg={},cg=new Map,Td=new Map,Rj=["abort","abort",$h,"animationEnd",ai,"animationIteration",bi,"animationStart","canplay","canPlay","canplaythrough","canPlayThrough","durationchange","durationChange","emptied","emptied","encrypted","encrypted","ended","ended","error","error","gotpointercapture","gotPointerCapture","load","load","loadeddata","loadedData","loadedmetadata","loadedMetadata",
+"loadstart","loadStart","lostpointercapture","lostPointerCapture","playing","playing","progress","progress","seeking","seeking","stalled","stalled","suspend","suspend","timeupdate","timeUpdate",ci,"transitionEnd","waiting","waiting"];Sd("blur blur cancel cancel click click close close contextmenu contextMenu copy copy cut cut auxclick auxClick dblclick doubleClick dragend dragEnd dragstart dragStart drop drop focus focus input input invalid invalid keydown keyDown keypress keyPress keyup keyUp mousedown mouseDown mouseup mouseUp paste paste pause pause play play pointercancel pointerCancel pointerdown pointerDown pointerup pointerUp ratechange rateChange reset reset seeked seeked submit submit touchcancel touchCancel touchend touchEnd touchstart touchStart volumechange volumeChange".split(" "),
+0);Sd("drag drag dragenter dragEnter dragexit dragExit dragleave dragLeave dragover dragOver mousemove mouseMove mouseout mouseOut mouseover mouseOver pointermove pointerMove pointerout pointerOut pointerover pointerOver scroll scroll toggle toggle touchmove touchMove wheel wheel".split(" "),1);Sd(Rj,2);(function(a,b){for(var c=0;c<a.length;c++)Td.set(a[c],b)})("change selectionchange textInput compositionstart compositionend compositionupdate".split(" "),0);var Hi=Zh,Gi=Pd,tc=!0,Kb={animationIterationCount:!0,
+borderImageOutset:!0,borderImageSlice:!0,borderImageWidth:!0,boxFlex:!0,boxFlexGroup:!0,boxOrdinalGroup:!0,columnCount:!0,columns:!0,flex:!0,flexGrow:!0,flexPositive:!0,flexShrink:!0,flexNegative:!0,flexOrder:!0,gridArea:!0,gridRow:!0,gridRowEnd:!0,gridRowSpan:!0,gridRowStart:!0,gridColumn:!0,gridColumnEnd:!0,gridColumnSpan:!0,gridColumnStart:!0,fontWeight:!0,lineClamp:!0,lineHeight:!0,opacity:!0,order:!0,orphans:!0,tabSize:!0,widows:!0,zIndex:!0,zoom:!0,fillOpacity:!0,floodOpacity:!0,stopOpacity:!0,
+strokeDasharray:!0,strokeDashoffset:!0,strokeMiterlimit:!0,strokeOpacity:!0,strokeWidth:!0},Sj=["Webkit","ms","Moz","O"];Object.keys(Kb).forEach(function(a){Sj.forEach(function(b){b=b+a.charAt(0).toUpperCase()+a.substring(1);Kb[b]=Kb[a]})});var Ii=M({menuitem:!0},{area:!0,base:!0,br:!0,col:!0,embed:!0,hr:!0,img:!0,input:!0,keygen:!0,link:!0,meta:!0,param:!0,source:!0,track:!0,wbr:!0}),ng="$",og="/$",$d="$?",Zd="$!",Ze=null,$e=null,We="function"===typeof setTimeout?setTimeout:void 0,vj="function"===
+typeof clearTimeout?clearTimeout:void 0,jf=Math.random().toString(36).slice(2),Aa="__reactInternalInstance$"+jf,vc="__reactEventHandlers$"+jf,Lb="__reactContainere$"+jf,Ba=null,ce=null,wc=null;M(R.prototype,{preventDefault:function(){this.defaultPrevented=!0;var a=this.nativeEvent;a&&(a.preventDefault?a.preventDefault():"unknown"!==typeof a.returnValue&&(a.returnValue=!1),this.isDefaultPrevented=xc)},stopPropagation:function(){var a=this.nativeEvent;a&&(a.stopPropagation?a.stopPropagation():"unknown"!==
+typeof a.cancelBubble&&(a.cancelBubble=!0),this.isPropagationStopped=xc)},persist:function(){this.isPersistent=xc},isPersistent:yc,destructor:function(){var a=this.constructor.Interface,b;for(b in a)this[b]=null;this.nativeEvent=this._targetInst=this.dispatchConfig=null;this.isPropagationStopped=this.isDefaultPrevented=yc;this._dispatchInstances=this._dispatchListeners=null}});R.Interface={type:null,target:null,currentTarget:function(){return null},eventPhase:null,bubbles:null,cancelable:null,timeStamp:function(a){return a.timeStamp||
+Date.now()},defaultPrevented:null,isTrusted:null};R.extend=function(a){function b(){return c.apply(this,arguments)}var c=this,d=function(){};d.prototype=c.prototype;d=new d;M(d,b.prototype);b.prototype=d;b.prototype.constructor=b;b.Interface=M({},c.Interface,a);b.extend=c.extend;sg(b);return b};sg(R);var Tj=R.extend({data:null}),Uj=R.extend({data:null}),Ni=[9,13,27,32],de=wa&&"CompositionEvent"in window,cc=null;wa&&"documentMode"in document&&(cc=document.documentMode);var Vj=wa&&"TextEvent"in window&&
+!cc,xg=wa&&(!de||cc&&8<cc&&11>=cc),wg=String.fromCharCode(32),ua={beforeInput:{phasedRegistrationNames:{bubbled:"onBeforeInput",captured:"onBeforeInputCapture"},dependencies:["compositionend","keypress","textInput","paste"]},compositionEnd:{phasedRegistrationNames:{bubbled:"onCompositionEnd",captured:"onCompositionEndCapture"},dependencies:"blur compositionend keydown keypress keyup mousedown".split(" ")},compositionStart:{phasedRegistrationNames:{bubbled:"onCompositionStart",captured:"onCompositionStartCapture"},
+dependencies:"blur compositionstart keydown keypress keyup mousedown".split(" ")},compositionUpdate:{phasedRegistrationNames:{bubbled:"onCompositionUpdate",captured:"onCompositionUpdateCapture"},dependencies:"blur compositionupdate keydown keypress keyup mousedown".split(" ")}},vg=!1,mb=!1,Wj={eventTypes:ua,extractEvents:function(a,b,c,d,e){var f;if(de)b:{switch(a){case "compositionstart":var g=ua.compositionStart;break b;case "compositionend":g=ua.compositionEnd;break b;case "compositionupdate":g=
+ua.compositionUpdate;break b}g=void 0}else mb?tg(a,c)&&(g=ua.compositionEnd):"keydown"===a&&229===c.keyCode&&(g=ua.compositionStart);g?(xg&&"ko"!==c.locale&&(mb||g!==ua.compositionStart?g===ua.compositionEnd&&mb&&(f=rg()):(Ba=d,ce="value"in Ba?Ba.value:Ba.textContent,mb=!0)),e=Tj.getPooled(g,b,c,d),f?e.data=f:(f=ug(c),null!==f&&(e.data=f)),lb(e),f=e):f=null;(a=Vj?Oi(a,c):Pi(a,c))?(b=Uj.getPooled(ua.beforeInput,b,c,d),b.data=a,lb(b)):b=null;return null===f?b:null===b?f:[f,b]}},Qi={color:!0,date:!0,
+datetime:!0,"datetime-local":!0,email:!0,month:!0,number:!0,password:!0,range:!0,search:!0,tel:!0,text:!0,time:!0,url:!0,week:!0},Ag={change:{phasedRegistrationNames:{bubbled:"onChange",captured:"onChangeCapture"},dependencies:"blur change click focus input keydown keyup selectionchange".split(" ")}},Mb=null,Nb=null,kf=!1;wa&&(kf=Tf("input")&&(!document.documentMode||9<document.documentMode));var Xj={eventTypes:Ag,_isInputEventSupported:kf,extractEvents:function(a,b,c,d,e){e=b?Pa(b):window;var f=
+e.nodeName&&e.nodeName.toLowerCase();if("select"===f||"input"===f&&"file"===e.type)var g=Si;else if(yg(e))if(kf)g=Wi;else{g=Ui;var h=Ti}else(f=e.nodeName)&&"input"===f.toLowerCase()&&("checkbox"===e.type||"radio"===e.type)&&(g=Vi);if(g&&(g=g(a,b)))return zg(g,c,d);h&&h(a,e,b);"blur"===a&&(a=e._wrapperState)&&a.controlled&&"number"===e.type&&Ed(e,"number",e.value)}},dc=R.extend({view:null,detail:null}),Yi={Alt:"altKey",Control:"ctrlKey",Meta:"metaKey",Shift:"shiftKey"},di=0,ei=0,fi=!1,gi=!1,ec=dc.extend({screenX:null,
+screenY:null,clientX:null,clientY:null,pageX:null,pageY:null,ctrlKey:null,shiftKey:null,altKey:null,metaKey:null,getModifierState:fe,button:null,buttons:null,relatedTarget:function(a){return a.relatedTarget||(a.fromElement===a.srcElement?a.toElement:a.fromElement)},movementX:function(a){if("movementX"in a)return a.movementX;var b=di;di=a.screenX;return fi?"mousemove"===a.type?a.screenX-b:0:(fi=!0,0)},movementY:function(a){if("movementY"in a)return a.movementY;var b=ei;ei=a.screenY;return gi?"mousemove"===
+a.type?a.screenY-b:0:(gi=!0,0)}}),hi=ec.extend({pointerId:null,width:null,height:null,pressure:null,tangentialPressure:null,tiltX:null,tiltY:null,twist:null,pointerType:null,isPrimary:null}),fc={mouseEnter:{registrationName:"onMouseEnter",dependencies:["mouseout","mouseover"]},mouseLeave:{registrationName:"onMouseLeave",dependencies:["mouseout","mouseover"]},pointerEnter:{registrationName:"onPointerEnter",dependencies:["pointerout","pointerover"]},pointerLeave:{registrationName:"onPointerLeave",dependencies:["pointerout",
+"pointerover"]}},Yj={eventTypes:fc,extractEvents:function(a,b,c,d,e){var f="mouseover"===a||"pointerover"===a,g="mouseout"===a||"pointerout"===a;if(f&&0===(e&32)&&(c.relatedTarget||c.fromElement)||!g&&!f)return null;f=d.window===d?d:(f=d.ownerDocument)?f.defaultView||f.parentWindow:window;if(g){if(g=b,b=(b=c.relatedTarget||c.toElement)?Bb(b):null,null!==b){var h=Na(b);if(b!==h||5!==b.tag&&6!==b.tag)b=null}}else g=null;if(g===b)return null;if("mouseout"===a||"mouseover"===a){var m=ec;var n=fc.mouseLeave;
+var l=fc.mouseEnter;var k="mouse"}else if("pointerout"===a||"pointerover"===a)m=hi,n=fc.pointerLeave,l=fc.pointerEnter,k="pointer";a=null==g?f:Pa(g);f=null==b?f:Pa(b);n=m.getPooled(n,g,c,d);n.type=k+"leave";n.target=a;n.relatedTarget=f;c=m.getPooled(l,b,c,d);c.type=k+"enter";c.target=f;c.relatedTarget=a;d=g;k=b;if(d&&k)a:{m=d;l=k;g=0;for(a=m;a;a=pa(a))g++;a=0;for(b=l;b;b=pa(b))a++;for(;0<g-a;)m=pa(m),g--;for(;0<a-g;)l=pa(l),a--;for(;g--;){if(m===l||m===l.alternate)break a;m=pa(m);l=pa(l)}m=null}else m=
+null;l=m;for(m=[];d&&d!==l;){g=d.alternate;if(null!==g&&g===l)break;m.push(d);d=pa(d)}for(d=[];k&&k!==l;){g=k.alternate;if(null!==g&&g===l)break;d.push(k);k=pa(k)}for(k=0;k<m.length;k++)be(m[k],"bubbled",n);for(k=d.length;0<k--;)be(d[k],"captured",c);return 0===(e&64)?[n]:[n,c]}},Qa="function"===typeof Object.is?Object.is:Zi,$i=Object.prototype.hasOwnProperty,Zj=wa&&"documentMode"in document&&11>=document.documentMode,Eg={select:{phasedRegistrationNames:{bubbled:"onSelect",captured:"onSelectCapture"},
+dependencies:"blur contextmenu dragend focus keydown keyup mousedown mouseup selectionchange".split(" ")}},nb=null,he=null,Pb=null,ge=!1,ak={eventTypes:Eg,extractEvents:function(a,b,c,d,e,f){e=f||(d.window===d?d.document:9===d.nodeType?d:d.ownerDocument);if(!(f=!e)){a:{e=Jd(e);f=rd.onSelect;for(var g=0;g<f.length;g++)if(!e.has(f[g])){e=!1;break a}e=!0}f=!e}if(f)return null;e=b?Pa(b):window;switch(a){case "focus":if(yg(e)||"true"===e.contentEditable)nb=e,he=b,Pb=null;break;case "blur":Pb=he=nb=null;
+break;case "mousedown":ge=!0;break;case "contextmenu":case "mouseup":case "dragend":return ge=!1,Dg(c,d);case "selectionchange":if(Zj)break;case "keydown":case "keyup":return Dg(c,d)}return null}},bk=R.extend({animationName:null,elapsedTime:null,pseudoElement:null}),ck=R.extend({clipboardData:function(a){return"clipboardData"in a?a.clipboardData:window.clipboardData}}),dk=dc.extend({relatedTarget:null}),ek={Esc:"Escape",Spacebar:" ",Left:"ArrowLeft",Up:"ArrowUp",Right:"ArrowRight",Down:"ArrowDown",
+Del:"Delete",Win:"OS",Menu:"ContextMenu",Apps:"ContextMenu",Scroll:"ScrollLock",MozPrintableKey:"Unidentified"},fk={8:"Backspace",9:"Tab",12:"Clear",13:"Enter",16:"Shift",17:"Control",18:"Alt",19:"Pause",20:"CapsLock",27:"Escape",32:" ",33:"PageUp",34:"PageDown",35:"End",36:"Home",37:"ArrowLeft",38:"ArrowUp",39:"ArrowRight",40:"ArrowDown",45:"Insert",46:"Delete",112:"F1",113:"F2",114:"F3",115:"F4",116:"F5",117:"F6",118:"F7",119:"F8",120:"F9",121:"F10",122:"F11",123:"F12",144:"NumLock",145:"ScrollLock",
+224:"Meta"},gk=dc.extend({key:function(a){if(a.key){var b=ek[a.key]||a.key;if("Unidentified"!==b)return b}return"keypress"===a.type?(a=Ac(a),13===a?"Enter":String.fromCharCode(a)):"keydown"===a.type||"keyup"===a.type?fk[a.keyCode]||"Unidentified":""},location:null,ctrlKey:null,shiftKey:null,altKey:null,metaKey:null,repeat:null,locale:null,getModifierState:fe,charCode:function(a){return"keypress"===a.type?Ac(a):0},keyCode:function(a){return"keydown"===a.type||"keyup"===a.type?a.keyCode:0},which:function(a){return"keypress"===
+a.type?Ac(a):"keydown"===a.type||"keyup"===a.type?a.keyCode:0}}),hk=ec.extend({dataTransfer:null}),ik=dc.extend({touches:null,targetTouches:null,changedTouches:null,altKey:null,metaKey:null,ctrlKey:null,shiftKey:null,getModifierState:fe}),jk=R.extend({propertyName:null,elapsedTime:null,pseudoElement:null}),kk=ec.extend({deltaX:function(a){return"deltaX"in a?a.deltaX:"wheelDeltaX"in a?-a.wheelDeltaX:0},deltaY:function(a){return"deltaY"in a?a.deltaY:"wheelDeltaY"in a?-a.wheelDeltaY:"wheelDelta"in a?
+-a.wheelDelta:0},deltaZ:null,deltaMode:null}),lk={eventTypes:dg,extractEvents:function(a,b,c,d,e){e=cg.get(a);if(!e)return null;switch(a){case "keypress":if(0===Ac(c))return null;case "keydown":case "keyup":a=gk;break;case "blur":case "focus":a=dk;break;case "click":if(2===c.button)return null;case "auxclick":case "dblclick":case "mousedown":case "mousemove":case "mouseup":case "mouseout":case "mouseover":case "contextmenu":a=ec;break;case "drag":case "dragend":case "dragenter":case "dragexit":case "dragleave":case "dragover":case "dragstart":case "drop":a=
+hk;break;case "touchcancel":case "touchend":case "touchmove":case "touchstart":a=ik;break;case $h:case ai:case bi:a=bk;break;case ci:a=jk;break;case "scroll":a=dc;break;case "wheel":a=kk;break;case "copy":case "cut":case "paste":a=ck;break;case "gotpointercapture":case "lostpointercapture":case "pointercancel":case "pointerdown":case "pointermove":case "pointerout":case "pointerover":case "pointerup":a=hi;break;default:a=R}b=a.getPooled(e,b,c,d);lb(b);return b}};(function(a){if(ic)throw Error(k(101));
+ic=Array.prototype.slice.call(a);nf()})("ResponderEventPlugin SimpleEventPlugin EnterLeaveEventPlugin ChangeEventPlugin SelectEventPlugin BeforeInputEventPlugin".split(" "));(function(a,b,c){td=a;rf=b;mf=c})(ae,Hb,Pa);pf({SimpleEventPlugin:lk,EnterLeaveEventPlugin:Yj,ChangeEventPlugin:Xj,SelectEventPlugin:ak,BeforeInputEventPlugin:Wj});var ie=[],ob=-1,Ca={},B={current:Ca},G={current:!1},Ra=Ca,bj=Pd,je=$f,Rg=Lj,aj=Nj,Dc=Oj,Ig=Zh,Jg=ag,Kg=Pj,Lg=Qj,Qg={},yj=Mj,Cj=void 0!==Yh?Yh:function(){},qa=null,
+Ec=null,ke=!1,ii=ff(),Y=1E4>ii?ff:function(){return ff()-ii},Ic={current:null},Hc=null,qb=null,Gc=null,Tg=0,Jc=2,Ga=!1,Vb=da.ReactCurrentBatchConfig,$g=(new ea.Component).refs,Mc={isMounted:function(a){return(a=a._reactInternalFiber)?Na(a)===a:!1},enqueueSetState:function(a,b,c){a=a._reactInternalFiber;var d=ka(),e=Vb.suspense;d=Va(d,a,e);e=Ea(d,e);e.payload=b;void 0!==c&&null!==c&&(e.callback=c);Fa(a,e);Ja(a,d)},enqueueReplaceState:function(a,b,c){a=a._reactInternalFiber;var d=ka(),e=Vb.suspense;
+d=Va(d,a,e);e=Ea(d,e);e.tag=1;e.payload=b;void 0!==c&&null!==c&&(e.callback=c);Fa(a,e);Ja(a,d)},enqueueForceUpdate:function(a,b){a=a._reactInternalFiber;var c=ka(),d=Vb.suspense;c=Va(c,a,d);d=Ea(c,d);d.tag=Jc;void 0!==b&&null!==b&&(d.callback=b);Fa(a,d);Ja(a,c)}},Qc=Array.isArray,wb=ah(!0),Fe=ah(!1),Sb={},ja={current:Sb},Ub={current:Sb},Tb={current:Sb},D={current:0},Sc=da.ReactCurrentDispatcher,X=da.ReactCurrentBatchConfig,Ia=0,z=null,K=null,J=null,Uc=!1,Tc={readContext:W,useCallback:S,useContext:S,
+useEffect:S,useImperativeHandle:S,useLayoutEffect:S,useMemo:S,useReducer:S,useRef:S,useState:S,useDebugValue:S,useResponder:S,useDeferredValue:S,useTransition:S},dj={readContext:W,useCallback:ih,useContext:W,useEffect:eh,useImperativeHandle:function(a,b,c){c=null!==c&&void 0!==c?c.concat([a]):null;return ze(4,2,gh.bind(null,b,a),c)},useLayoutEffect:function(a,b){return ze(4,2,a,b)},useMemo:function(a,b){var c=ub();b=void 0===b?null:b;a=a();c.memoizedState=[a,b];return a},useReducer:function(a,b,c){var d=
+ub();b=void 0!==c?c(b):b;d.memoizedState=d.baseState=b;a=d.queue={pending:null,dispatch:null,lastRenderedReducer:a,lastRenderedState:b};a=a.dispatch=ch.bind(null,z,a);return[d.memoizedState,a]},useRef:function(a){var b=ub();a={current:a};return b.memoizedState=a},useState:xe,useDebugValue:Be,useResponder:ue,useDeferredValue:function(a,b){var c=xe(a),d=c[0],e=c[1];eh(function(){var c=X.suspense;X.suspense=void 0===b?null:b;try{e(a)}finally{X.suspense=c}},[a,b]);return d},useTransition:function(a){var b=
+xe(!1),c=b[0];b=b[1];return[ih(Ce.bind(null,b,a),[b,a]),c]}},ej={readContext:W,useCallback:Yc,useContext:W,useEffect:Xc,useImperativeHandle:hh,useLayoutEffect:fh,useMemo:jh,useReducer:Vc,useRef:dh,useState:function(a){return Vc(Ua)},useDebugValue:Be,useResponder:ue,useDeferredValue:function(a,b){var c=Vc(Ua),d=c[0],e=c[1];Xc(function(){var c=X.suspense;X.suspense=void 0===b?null:b;try{e(a)}finally{X.suspense=c}},[a,b]);return d},useTransition:function(a){var b=Vc(Ua),c=b[0];b=b[1];return[Yc(Ce.bind(null,
+b,a),[b,a]),c]}},fj={readContext:W,useCallback:Yc,useContext:W,useEffect:Xc,useImperativeHandle:hh,useLayoutEffect:fh,useMemo:jh,useReducer:Wc,useRef:dh,useState:function(a){return Wc(Ua)},useDebugValue:Be,useResponder:ue,useDeferredValue:function(a,b){var c=Wc(Ua),d=c[0],e=c[1];Xc(function(){var c=X.suspense;X.suspense=void 0===b?null:b;try{e(a)}finally{X.suspense=c}},[a,b]);return d},useTransition:function(a){var b=Wc(Ua),c=b[0];b=b[1];return[Yc(Ce.bind(null,b,a),[b,a]),c]}},ra=null,Ka=null,Wa=
+!1,gj=da.ReactCurrentOwner,ia=!1,Je={dehydrated:null,retryTime:0};var jj=function(a,b,c,d){for(c=b.child;null!==c;){if(5===c.tag||6===c.tag)a.appendChild(c.stateNode);else if(4!==c.tag&&null!==c.child){c.child.return=c;c=c.child;continue}if(c===b)break;for(;null===c.sibling;){if(null===c.return||c.return===b)return;c=c.return}c.sibling.return=c.return;c=c.sibling}};var wh=function(a){};var ij=function(a,b,c,d,e){var f=a.memoizedProps;if(f!==d){var g=b.stateNode;Ta(ja.current);a=null;switch(c){case "input":f=
+Cd(g,f);d=Cd(g,d);a=[];break;case "option":f=Fd(g,f);d=Fd(g,d);a=[];break;case "select":f=M({},f,{value:void 0});d=M({},d,{value:void 0});a=[];break;case "textarea":f=Gd(g,f);d=Gd(g,d);a=[];break;default:"function"!==typeof f.onClick&&"function"===typeof d.onClick&&(g.onclick=uc)}Ud(c,d);var h,m;c=null;for(h in f)if(!d.hasOwnProperty(h)&&f.hasOwnProperty(h)&&null!=f[h])if("style"===h)for(m in g=f[h],g)g.hasOwnProperty(m)&&(c||(c={}),c[m]="");else"dangerouslySetInnerHTML"!==h&&"children"!==h&&"suppressContentEditableWarning"!==
+h&&"suppressHydrationWarning"!==h&&"autoFocus"!==h&&(db.hasOwnProperty(h)?a||(a=[]):(a=a||[]).push(h,null));for(h in d){var k=d[h];g=null!=f?f[h]:void 0;if(d.hasOwnProperty(h)&&k!==g&&(null!=k||null!=g))if("style"===h)if(g){for(m in g)!g.hasOwnProperty(m)||k&&k.hasOwnProperty(m)||(c||(c={}),c[m]="");for(m in k)k.hasOwnProperty(m)&&g[m]!==k[m]&&(c||(c={}),c[m]=k[m])}else c||(a||(a=[]),a.push(h,c)),c=k;else"dangerouslySetInnerHTML"===h?(k=k?k.__html:void 0,g=g?g.__html:void 0,null!=k&&g!==k&&(a=a||
+[]).push(h,k)):"children"===h?g===k||"string"!==typeof k&&"number"!==typeof k||(a=a||[]).push(h,""+k):"suppressContentEditableWarning"!==h&&"suppressHydrationWarning"!==h&&(db.hasOwnProperty(h)?(null!=k&&oa(e,h),a||g===k||(a=[])):(a=a||[]).push(h,k))}c&&(a=a||[]).push("style",c);e=a;if(b.updateQueue=e)b.effectTag|=4}};var kj=function(a,b,c,d){c!==d&&(b.effectTag|=4)};var pj="function"===typeof WeakSet?WeakSet:Set,wj="function"===typeof WeakMap?WeakMap:Map,sj=Math.ceil,gd=da.ReactCurrentDispatcher,
+Uh=da.ReactCurrentOwner,H=0,Ye=8,ca=16,ma=32,Xa=0,hd=1,Oh=2,ad=3,bd=4,Xe=5,p=H,U=null,t=null,P=0,F=Xa,id=null,ta=1073741823,Yb=1073741823,kd=null,Xb=0,jd=!1,Re=0,Ph=500,l=null,cd=!1,Se=null,La=null,ld=!1,Zb=null,$b=90,bb=null,ac=0,af=null,dd=0,Ja=function(a,b){if(50<ac)throw ac=0,af=null,Error(k(185));a=ed(a,b);if(null!==a){var c=Cc();1073741823===b?(p&Ye)!==H&&(p&(ca|ma))===H?Te(a):(V(a),p===H&&ha()):V(a);(p&4)===H||98!==c&&99!==c||(null===bb?bb=new Map([[a,b]]):(c=bb.get(a),(void 0===c||c>b)&&bb.set(a,
+b)))}};var zj=function(a,b,c){var d=b.expirationTime;if(null!==a){var e=b.pendingProps;if(a.memoizedProps!==e||G.current)ia=!0;else{if(d<c){ia=!1;switch(b.tag){case 3:sh(b);Ee();break;case 5:bh(b);if(b.mode&4&&1!==c&&e.hidden)return b.expirationTime=b.childExpirationTime=1,null;break;case 1:N(b.type)&&Bc(b);break;case 4:se(b,b.stateNode.containerInfo);break;case 10:d=b.memoizedProps.value;e=b.type._context;y(Ic,e._currentValue);e._currentValue=d;break;case 13:if(null!==b.memoizedState){d=b.child.childExpirationTime;
+if(0!==d&&d>=c)return th(a,b,c);y(D,D.current&1);b=sa(a,b,c);return null!==b?b.sibling:null}y(D,D.current&1);break;case 19:d=b.childExpirationTime>=c;if(0!==(a.effectTag&64)){if(d)return vh(a,b,c);b.effectTag|=64}e=b.memoizedState;null!==e&&(e.rendering=null,e.tail=null);y(D,D.current);if(!d)return null}return sa(a,b,c)}ia=!1}}else ia=!1;b.expirationTime=0;switch(b.tag){case 2:d=b.type;null!==a&&(a.alternate=null,b.alternate=null,b.effectTag|=2);a=b.pendingProps;e=pb(b,B.current);rb(b,c);e=we(null,
+b,d,a,e,c);b.effectTag|=1;if("object"===typeof e&&null!==e&&"function"===typeof e.render&&void 0===e.$$typeof){b.tag=1;b.memoizedState=null;b.updateQueue=null;if(N(d)){var f=!0;Bc(b)}else f=!1;b.memoizedState=null!==e.state&&void 0!==e.state?e.state:null;ne(b);var g=d.getDerivedStateFromProps;"function"===typeof g&&Lc(b,d,g,a);e.updater=Mc;b.stateNode=e;e._reactInternalFiber=b;pe(b,d,a,c);b=Ie(null,b,d,!0,f,c)}else b.tag=0,T(null,b,e,c),b=b.child;return b;case 16:a:{e=b.elementType;null!==a&&(a.alternate=
+null,b.alternate=null,b.effectTag|=2);a=b.pendingProps;ri(e);if(1!==e._status)throw e._result;e=e._result;b.type=e;f=b.tag=Gj(e);a=aa(e,a);switch(f){case 0:b=He(null,b,e,a,c);break a;case 1:b=rh(null,b,e,a,c);break a;case 11:b=nh(null,b,e,a,c);break a;case 14:b=oh(null,b,e,aa(e.type,a),d,c);break a}throw Error(k(306,e,""));}return b;case 0:return d=b.type,e=b.pendingProps,e=b.elementType===d?e:aa(d,e),He(a,b,d,e,c);case 1:return d=b.type,e=b.pendingProps,e=b.elementType===d?e:aa(d,e),rh(a,b,d,e,c);
+case 3:sh(b);d=b.updateQueue;if(null===a||null===d)throw Error(k(282));d=b.pendingProps;e=b.memoizedState;e=null!==e?e.element:null;oe(a,b);Qb(b,d,null,c);d=b.memoizedState.element;if(d===e)Ee(),b=sa(a,b,c);else{if(e=b.stateNode.hydrate)Ka=kb(b.stateNode.containerInfo.firstChild),ra=b,e=Wa=!0;if(e)for(c=Fe(b,null,d,c),b.child=c;c;)c.effectTag=c.effectTag&-3|1024,c=c.sibling;else T(a,b,d,c),Ee();b=b.child}return b;case 5:return bh(b),null===a&&De(b),d=b.type,e=b.pendingProps,f=null!==a?a.memoizedProps:
+null,g=e.children,Yd(d,e)?g=null:null!==f&&Yd(d,f)&&(b.effectTag|=16),qh(a,b),b.mode&4&&1!==c&&e.hidden?(b.expirationTime=b.childExpirationTime=1,b=null):(T(a,b,g,c),b=b.child),b;case 6:return null===a&&De(b),null;case 13:return th(a,b,c);case 4:return se(b,b.stateNode.containerInfo),d=b.pendingProps,null===a?b.child=wb(b,null,d,c):T(a,b,d,c),b.child;case 11:return d=b.type,e=b.pendingProps,e=b.elementType===d?e:aa(d,e),nh(a,b,d,e,c);case 7:return T(a,b,b.pendingProps,c),b.child;case 8:return T(a,
+b,b.pendingProps.children,c),b.child;case 12:return T(a,b,b.pendingProps.children,c),b.child;case 10:a:{d=b.type._context;e=b.pendingProps;g=b.memoizedProps;f=e.value;var h=b.type._context;y(Ic,h._currentValue);h._currentValue=f;if(null!==g)if(h=g.value,f=Qa(h,f)?0:("function"===typeof d._calculateChangedBits?d._calculateChangedBits(h,f):1073741823)|0,0===f){if(g.children===e.children&&!G.current){b=sa(a,b,c);break a}}else for(h=b.child,null!==h&&(h.return=b);null!==h;){var m=h.dependencies;if(null!==
+m){g=h.child;for(var l=m.firstContext;null!==l;){if(l.context===d&&0!==(l.observedBits&f)){1===h.tag&&(l=Ea(c,null),l.tag=Jc,Fa(h,l));h.expirationTime<c&&(h.expirationTime=c);l=h.alternate;null!==l&&l.expirationTime<c&&(l.expirationTime=c);Sg(h.return,c);m.expirationTime<c&&(m.expirationTime=c);break}l=l.next}}else g=10===h.tag?h.type===b.type?null:h.child:h.child;if(null!==g)g.return=h;else for(g=h;null!==g;){if(g===b){g=null;break}h=g.sibling;if(null!==h){h.return=g.return;g=h;break}g=g.return}h=
+g}T(a,b,e.children,c);b=b.child}return b;case 9:return e=b.type,f=b.pendingProps,d=f.children,rb(b,c),e=W(e,f.unstable_observedBits),d=d(e),b.effectTag|=1,T(a,b,d,c),b.child;case 14:return e=b.type,f=aa(e,b.pendingProps),f=aa(e.type,f),oh(a,b,e,f,d,c);case 15:return ph(a,b,b.type,b.pendingProps,d,c);case 17:return d=b.type,e=b.pendingProps,e=b.elementType===d?e:aa(d,e),null!==a&&(a.alternate=null,b.alternate=null,b.effectTag|=2),b.tag=1,N(d)?(a=!0,Bc(b)):a=!1,rb(b,c),Yg(b,d,e),pe(b,d,e,c),Ie(null,
+b,d,!0,a,c);case 19:return vh(a,b,c)}throw Error(k(156,b.tag));};var bf=null,Ne=null,la=function(a,b,c,d){return new Fj(a,b,c,d)};ef.prototype.render=function(a){md(a,this._internalRoot,null,null)};ef.prototype.unmount=function(){var a=this._internalRoot,b=a.containerInfo;md(null,a,null,function(){b[Lb]=null})};var Di=function(a){if(13===a.tag){var b=Fc(ka(),150,100);Ja(a,b);df(a,b)}};var Yf=function(a){13===a.tag&&(Ja(a,3),df(a,3))};var Bi=function(a){if(13===a.tag){var b=ka();b=Va(b,a,null);Ja(a,
+b);df(a,b)}};sd=function(a,b,c){switch(b){case "input":Dd(a,c);b=c.name;if("radio"===c.type&&null!=b){for(c=a;c.parentNode;)c=c.parentNode;c=c.querySelectorAll("input[name="+JSON.stringify(""+b)+'][type="radio"]');for(b=0;b<c.length;b++){var d=c[b];if(d!==a&&d.form===a.form){var e=ae(d);if(!e)throw Error(k(90));Gf(d);Dd(d,e)}}}break;case "textarea":Lf(a,c);break;case "select":b=c.value,null!=b&&hb(a,!!c.multiple,b,!1)}};(function(a,b,c,d){ee=a;eg=b;vd=c;vf=d})(Qh,function(a,b,c,d,e){var f=p;p|=4;
+try{return Da(98,a.bind(null,b,c,d,e))}finally{p=f,p===H&&ha()}},function(){(p&(1|ca|ma))===H&&(uj(),xb())},function(a,b){var c=p;p|=2;try{return a(b)}finally{p=c,p===H&&ha()}});var mk={Events:[Hb,Pa,ae,pf,qd,lb,function(a){Kd(a,Ki)},sf,tf,sc,pc,xb,{current:!1}]};(function(a){var b=a.findFiberByHostInstance;return Ej(M({},a,{overrideHookState:null,overrideProps:null,setSuspenseHandler:null,scheduleUpdate:null,currentDispatcherRef:da.ReactCurrentDispatcher,findHostInstanceByFiber:function(a){a=Sf(a);
+return null===a?null:a.stateNode},findFiberByHostInstance:function(a){return b?b(a):null},findHostInstancesForRefresh:null,scheduleRefresh:null,scheduleRoot:null,setRefreshHandler:null,getCurrentFiber:null}))})({findFiberByHostInstance:Bb,bundleType:0,version:"16.13.1",rendererPackageName:"react-dom"});I.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED=mk;I.createPortal=Xh;I.findDOMNode=function(a){if(null==a)return null;if(1===a.nodeType)return a;var b=a._reactInternalFiber;if(void 0===
+b){if("function"===typeof a.render)throw Error(k(188));throw Error(k(268,Object.keys(a)));}a=Sf(b);a=null===a?null:a.stateNode;return a};I.flushSync=function(a,b){if((p&(ca|ma))!==H)throw Error(k(187));var c=p;p|=1;try{return Da(99,a.bind(null,b))}finally{p=c,ha()}};I.hydrate=function(a,b,c){if(!bc(b))throw Error(k(200));return nd(null,a,b,!0,c)};I.render=function(a,b,c){if(!bc(b))throw Error(k(200));return nd(null,a,b,!1,c)};I.unmountComponentAtNode=function(a){if(!bc(a))throw Error(k(40));return a._reactRootContainer?
+(Rh(function(){nd(null,null,a,!1,function(){a._reactRootContainer=null;a[Lb]=null})}),!0):!1};I.unstable_batchedUpdates=Qh;I.unstable_createPortal=function(a,b){return Xh(a,b,2<arguments.length&&void 0!==arguments[2]?arguments[2]:null)};I.unstable_renderSubtreeIntoContainer=function(a,b,c,d){if(!bc(c))throw Error(k(200));if(null==a||void 0===a._reactInternalFiber)throw Error(k(38));return nd(a,b,c,!1,d)};I.version="16.13.1"});
+</script>
+    <script>const e = React.createElement;
+
+function pathToString(path) {
+  if (path[0] === '/') {
+    return '/' + path.slice(1).join('/');
+  } else {
+    return path.join('/');
+  }
+}
+
+function findCommonPath(files) {
+  if (!files || !files.length) {
+    return [];
+  }
+
+  function isPrefix(arr, prefix) {
+    if (arr.length < prefix.length) {
+      return false;
+    }
+    for (let i = prefix.length - 1; i >= 0; --i) {
+      if (arr[i] !== prefix[i]) {
+        return false;
+      }
+    }
+    return true;
+  }
+
+  let commonPath = files[0].path.slice(0, -1);
+  while (commonPath.length) {
+    if (files.every(file => isPrefix(file.path, commonPath))) {
+      break;
+    }
+    commonPath.pop();
+  }
+  return commonPath;
+}
+
+function findFolders(files) {
+  if (!files || !files.length) {
+    return [];
+  }
+
+  let folders = files.filter(file => file.path.length > 1).map(file => file.path[0]);
+  folders = [...new Set(folders)]; // unique
+  folders.sort();
+
+  folders = folders.map(folder => {
+    let filesInFolder = files
+      .filter(file => file.path[0] === folder)
+      .map(file => ({
+        ...file,
+        path: file.path.slice(1),
+        parent: [...file.parent, file.path[0]],
+      }));
+
+    const children = findFolders(filesInFolder); // recursion
+
+    return {
+      is_folder: true,
+      path: [folder],
+      parent: files[0].parent,
+      children,
+      covered: children.reduce((sum, file) => sum + file.covered, 0),
+      coverable: children.reduce((sum, file) => sum + file.coverable, 0),
+      prevRun: {
+        covered: children.reduce((sum, file) => sum + file.prevRun.covered, 0),
+        coverable: children.reduce((sum, file) => sum + file.prevRun.coverable, 0),
+      }
+    };
+  });
+
+  return [
+    ...folders,
+    ...files.filter(file => file.path.length === 1),
+  ];
+}
+
+class App extends React.Component {
+  constructor(...args) {
+    super(...args);
+
+    this.state = {
+      current: [],
+    };
+  }
+
+  componentDidMount() {
+    this.updateStateFromLocation();
+    window.addEventListener("hashchange", () => this.updateStateFromLocation(), false);
+  }
+
+  updateStateFromLocation() {
+    if (window.location.hash.length > 1) {
+      const current = window.location.hash.substr(1).split('/');
+      this.setState({current});
+    } else {
+      this.setState({current: []});
+    }
+  }
+
+  getCurrentPath() {
+    let file = this.props.root;
+    let path = [file];
+    for (let p of this.state.current) {
+      file = file.children.find(file => file.path[0] === p);
+      if (!file) {
+        return path;
+      }
+      path.push(file);
+    }
+    return path;
+  }
+
+  render() {
+    const path = this.getCurrentPath();
+    const file = path[path.length - 1];
+
+    let w = null;
+    if (file.is_folder) {
+      w = e(FilesList, {
+        folder: file,
+        onSelectFile: this.selectFile.bind(this),
+        onBack: path.length > 1 ? this.back.bind(this) : null,
+      });
+    } else {
+      w = e(DisplayFile, {
+        file,
+        onBack: this.back.bind(this),
+      });
+    }
+
+    return e('div', {className: 'app'}, w);
+  }
+
+  selectFile(file) {
+    this.setState(({current}) => {
+      return {current: [...current, file.path[0]]};
+    }, () => this.updateHash());
+  }
+
+  back(file) {
+    this.setState(({current}) => {
+      return {current: current.slice(0, current.length - 1)};
+    }, () => this.updateHash());
+  }
+
+  updateHash() {
+    if (!this.state.current || !this.state.current.length) {
+      window.location = '#';
+    } else {
+      window.location = '#' + this.state.current.join('/');
+    }
+  }
+}
+
+function FilesList({folder, onSelectFile, onBack}) {
+  let files = folder.children;
+  return e('div', {className: 'display-folder'},
+    e(FileHeader, {file: folder, onBack}),
+    e('table', {className: 'files-list'},
+      e('thead', {className: 'files-list__head'},
+        e('tr', null,
+          e('th', null, "Path"),
+          e('th', null, "Coverage")
+        )
+      ),
+      e('tbody', {className: 'files-list__body'},
+        files.map(file => e(File, {file, onClick: onSelectFile}))
+      )
+    )
+  );
+}
+
+function File({file, onClick}) {
+  const coverage = file.coverable ? file.covered / file.coverable * 100 : -1;
+  const coverageDelta = file.prevRun &&
+    (file.covered / file.coverable * 100 - file.prevRun.covered / file.prevRun.coverable * 100);
+
+  return e('tr', {
+      className: 'files-list__file'
+        + (coverage >= 0 && coverage < 50 ? ' files-list__file_low': '')
+        + (coverage >= 50 && coverage < 80 ? ' files-list__file_medium': '')
+        + (coverage >= 80 ? ' files-list__file_high': '')
+        + (file.is_folder ? ' files-list__file_folder': ''),
+      onClick: () => onClick(file),
+    },
+    e('td', null, e('a', null, pathToString(file.path))),
+    e('td', null,
+      file.covered + ' / ' + file.coverable +
+      (coverage >= 0 ? ' (' + coverage.toFixed(2) + '%)' : ''),
+      e('span', {title: 'Change from the previous run'},
+        (coverageDelta ? ` (${coverageDelta > 0 ? '+' : ''}${coverageDelta.toFixed(2)}%)` : ''))
+    )
+  );
+}
+
+function DisplayFile({file, onBack}) {
+  return e('div', {className: 'display-file'},
+    e(FileHeader, {file, onBack}),
+    e(FileContent, {file})
+  );
+}
+
+function FileHeader({file, onBack}) {
+  const coverage = file.covered / file.coverable * 100;
+  const coverageDelta = file.prevRun && (coverage - file.prevRun.covered / file.prevRun.coverable * 100);
+
+  return e('div', {className: 'file-header'},
+    onBack ? e('a', {className: 'file-header__back', onClick: onBack}, 'Back') : null,
+    e('div', {className: 'file-header__name'}, pathToString([...file.parent, ...file.path])),
+    e('div', {className: 'file-header__stat'},
+      'Covered: ' + file.covered + ' of ' + file.coverable +
+      (file.coverable ? ' (' + coverage.toFixed(2) + '%)' : ''),
+      e('span', {title: 'Change from the previous run'},
+        (coverageDelta ? ` (${coverageDelta > 0 ? '+' : ''}${coverageDelta.toFixed(2)}%)` : ''))
+    )
+  );
+}
+
+function FileContent({file}) {
+  return e('pre', {className: 'file-content'},
+    file.content.split(/\r?\n/).map((line, index) => {
+      const trace = file.traces.find(trace => trace.line === index + 1);
+      const covered = trace && trace.stats.Line;
+      const uncovered = trace && !trace.stats.Line;
+      return e('code', {
+          className: 'code-line'
+            + (covered ? ' code-line_covered' : '')
+            + (uncovered ? ' code-line_uncovered' : ''),
+          title: trace ? JSON.stringify(trace.stats, null, 2) : null,
+        }, line);
+    })
+  );
+}
+
+(function(){
+  const commonPath = findCommonPath(data.files);
+  const prevFilesMap = new Map();
+
+  previousData && previousData.files.forEach((file) => {
+    const path = file.path.slice(commonPath.length).join('/');
+    prevFilesMap.set(path, file);
+  });
+
+  const files = data.files.map((file) => {
+    const path = file.path.slice(commonPath.length);
+    const { covered = 0, coverable = 0 } = prevFilesMap.get(path.join('/')) || {};
+    return {
+      ...file,
+      path,
+      parent: commonPath,
+      prevRun: { covered, coverable },
+    };
+  });
+
+  const children = findFolders(files);
+
+  const root = {
+    is_folder: true,
+    children,
+    path: commonPath,
+    parent: [],
+    covered: children.reduce((sum, file) => sum + file.covered, 0),
+    coverable: children.reduce((sum, file) => sum + file.coverable, 0),
+    prevRun: {
+      covered: children.reduce((sum, file) => sum + file.prevRun.covered, 0),
+      coverable: children.reduce((sum, file) => sum + file.prevRun.coverable, 0),
+    }
+  };
+
+  ReactDOM.render(e(App, {root, prevFilesMap}), document.getElementById('root'));
+}());
+</script>
+</body>
+</html>
\ No newline at end of file
diff --git a/tests/jwk.rs b/tests/jwk.rs
index f3a2a39..904dcfb 100644
--- a/tests/jwk.rs
+++ b/tests/jwk.rs
@@ -1,10 +1,11 @@
 use jose::{
     crypto::hmac,
-    jwa,
-    jwk::{self, FromKey as _, Thumbprint as _},
+    jwa::{self, JsonWebAlgorithm},
+    jwk::{self, policy::Checkable, FromKey as _, Thumbprint as _},
     Base64UrlString, JsonWebKey,
 };
 use pretty_assertions::assert_eq;
+use serde::{Deserialize, Serialize};
 
 use crate::common::{read_jwk, TestResult};
 
@@ -49,12 +50,62 @@ fn roundtrip(file: &str, unsupported: bool, check: fn(&JsonWebKey)) -> TestResul
     assert_eq!(json_key, serialized);
     assert_eq!(json_key, serialized_from_str);
 
+    // now try constructing a builder using this key, and check invalid
+    // algorithm
+    let err = JsonWebKey::builder(jwk.key_type().clone())
+        .algorithm(Some(JsonWebAlgorithm::Other("foo".to_string())))
+        .build()
+        .unwrap_err();
+    assert!(matches!(
+        err,
+        jwk::JsonWebKeyBuildError::IncompatibleKeyType
+    ));
+
+    let err = jwk
+        .into_builder()
+        .algorithm(Some(JsonWebAlgorithm::Other("foo".to_string())))
+        .build()
+        .unwrap_err();
+    assert!(matches!(
+        err,
+        jwk::JsonWebKeyBuildError::IncompatibleKeyType
+    ));
+
     Ok(())
 }
 
-fn roundtrip_pair(private: &str, public: &str, check: fn(&JsonWebKey)) -> TestResult {
-    roundtrip(private, false, check)?;
-    roundtrip(public, false, check)?;
+fn roundtrip_pair(
+    private: &str,
+    public: &str,
+    unsupported: bool,
+    check: fn(&JsonWebKey),
+) -> TestResult {
+    roundtrip(private, unsupported, check)?;
+    roundtrip(public, unsupported, check)?;
+
+    let private_key: JsonWebKey = serde_json::from_value(read_jwk(private)?)?;
+    let public_key: JsonWebKey = serde_json::from_value(read_jwk(public)?)?;
+
+    assert!(private_key.is_signing_key());
+    assert!(!public_key.is_signing_key());
+
+    assert!(!private_key.is_symmetric());
+    assert!(!public_key.is_symmetric());
+
+    assert!(private_key.is_asymmetric());
+    assert!(public_key.is_asymmetric());
+
+    let stripped = private_key.clone().strip_secret_material().unwrap();
+    assert_eq!(stripped.key_type(), public_key.key_type());
+
+    let stripped_from_public = public_key.clone().strip_secret_material().unwrap();
+    assert_eq!(stripped_from_public.key_type(), public_key.key_type());
+
+    let into_verifying = private_key.into_verifying_key();
+    assert_eq!(into_verifying.key_type(), public_key.key_type());
+
+    let public_into_verifying = public_key.clone().into_verifying_key();
+    assert_eq!(public_into_verifying.key_type(), public_key.key_type());
 
     Ok(())
 }
@@ -71,57 +122,20 @@ fn assert_thumbprint(jwk: &JsonWebKey, sha256: &str, sha384: &str, sha512: &str)
 }
 
 pub mod roundtrip {
-    use jose::{
-        jwa,
-        jwk::{self, AsymmetricJsonWebKey, JsonWebKeyType},
-    };
+    use jose::{jwa, jwk};
     use pretty_assertions::assert_eq;
 
     use crate::{assert_thumbprint, common::TestResult, roundtrip, roundtrip_pair};
 
     #[test]
-    fn _3_1_ec_public_key() -> TestResult {
-        roundtrip(
-            "3_1.ec_public_key",
-            // RustCrypto and ring do not support P-521 curve
-            cfg!(feature = "crypto-rustcrypto") || cfg!(feature = "crypto-ring"),
-            |jwk| {
-                let JsonWebKeyType::Asymmetric(key) = jwk.key_type() else {
-                    panic!("Expected asymmetric key type");
-                };
-
-                assert!(matches!(
-                    **key,
-                    AsymmetricJsonWebKey::Public(jwk::Public::Ec(jwk::EcPublic::P521(..)))
-                ));
-                assert_eq!(jwk.key_usage(), Some(&jwk::KeyUsage::Signing));
-                assert_thumbprint(
-                    jwk,
-                    "dHri3SADZkrush5HU_50AoRhcKFryN-PI6jPBtPL55M",
-                    "HncTFMje-quVjjwt2ufqfFb75ZwHLDh9M-VY4wJ9awQkfbu194TmVpeGbG6Ykb9b",
-                    "i8RIsIb6HVP2AO9o38HtraybJAP5veAfBIgynNUqpxlhuvq2UDgSA3JFgGgle1YvmCQDHllAn7MG52Idb8B4fA"
-                );
-            },
-        )
-    }
-
-    #[test]
-    fn _3_2_ec_private_key() -> TestResult {
-        roundtrip(
+    fn _3_1_and_2_ec() -> TestResult {
+        roundtrip_pair(
             "3_2.ec_private_key",
+            "3_1.ec_public_key",
             // RustCrypto and ring do not support P-521 curve
             cfg!(feature = "crypto-rustcrypto") || cfg!(feature = "crypto-ring"),
             |jwk| {
-                let JsonWebKeyType::Asymmetric(key) = jwk.key_type() else {
-                    panic!("Expected asymmetric key type");
-                };
-
-                assert!(matches!(
-                    **key,
-                    AsymmetricJsonWebKey::Private(jwk::Private::Ec(jwk::EcPrivate::P521(..)))
-                ));
                 assert_eq!(jwk.key_usage(), Some(&jwk::KeyUsage::Signing));
-
                 assert_thumbprint(
                     jwk,
                     "dHri3SADZkrush5HU_50AoRhcKFryN-PI6jPBtPL55M",
@@ -133,20 +147,8 @@ pub mod roundtrip {
     }
 
     #[test]
-    fn _3_3_rsa_public_key() -> TestResult {
-        roundtrip("3_3.rsa_public_key", false, |jwk| {
-            assert_thumbprint(
-                jwk,
-                "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI",
-                "iRBthSmwxk6o9pTGF6a9yLHohmMXSFRvKoN9rgcbOWFgLldwqED1DrOgDtLq5Q4R",
-                "FerGBUpYnzT0ptNAC7Y3qNpGINqILXdZ_9-Na3UkPUtDznnAChw7NWluNRjx-lmKDnuO1CpmIZL7e2bzRkQBew",
-            );
-        })
-    }
-
-    #[test]
-    fn _3_4_rsa_private_key() -> TestResult {
-        roundtrip("3_4.rsa_private_key", false, |jwk| {
+    fn _3_3_and_4_rsa() -> TestResult {
+        roundtrip_pair("3_4.rsa_private_key", "3_3.rsa_public_key", false, |jwk| {
             assert_thumbprint(
                 jwk,
                 "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI",
@@ -164,6 +166,11 @@ pub mod roundtrip {
                 Some(&jwa::JsonWebAlgorithm::from(jwa::Hmac::Hs256))
             );
 
+            assert!(jwk.is_symmetric());
+            assert!(jwk.is_signing_key());
+
+            assert_eq!(jwk.key_type(), jwk.clone().into_verifying_key().key_type());
+
             assert_thumbprint(
                 jwk,
                 "RtoRur_1Dir5M4wuOfqNkDYOf9O_4RJ-aHkTA75RLA8",
@@ -195,7 +202,7 @@ pub mod roundtrip {
 
     #[test]
     fn ed25519() -> TestResult {
-        roundtrip_pair("ed25519", "ed25519.pub", |jwk| {
+        roundtrip_pair("ed25519", "ed25519.pub", false, |jwk| {
             assert_eq!(
                 jwk.algorithm(),
                 Some(&jwa::JsonWebAlgorithm::from(
@@ -281,7 +288,7 @@ pub mod roundtrip {
 
     #[test]
     fn p256() -> TestResult {
-        roundtrip_pair("p256", "p256.pub", |jwk| {
+        roundtrip_pair("p256", "p256.pub", false, |jwk| {
             assert_eq!(
                 jwk.algorithm(),
                 Some(&jwa::JsonWebAlgorithm::from(jwa::EcDSA::Es256))
@@ -298,7 +305,7 @@ pub mod roundtrip {
 
     #[test]
     fn p384() -> TestResult {
-        roundtrip_pair("p384", "p384.pub", |jwk| {
+        roundtrip_pair("p384", "p384.pub", false, |jwk| {
             assert_eq!(
                 jwk.algorithm(),
                 Some(&jwa::JsonWebAlgorithm::from(jwa::EcDSA::Es384))
@@ -313,9 +320,27 @@ pub mod roundtrip {
         })
     }
 
+    #[test]
+    #[cfg_attr(feature = "crypto-ring", ignore)]
+    fn secp256k1() -> TestResult {
+        roundtrip_pair("k256", "k256.pub", false, |jwk| {
+            assert_eq!(
+                jwk.algorithm(),
+                Some(&jwa::JsonWebAlgorithm::from(jwa::EcDSA::Es256K))
+            );
+
+            assert_thumbprint(
+                jwk,
+                "i0H0zy_Zyc4g9gUfIU3ZgSk21eC_a9B-J_keq5eRVq4",
+                "NWo1frAmwhk6vYKYK0YCTpJWbgvI-EDV5ZvEFvA_7V4y6VRAG0l4Q_uNkFIiisuL",
+                "E1oJ78FUrNMsq66wi7AT8jIU4QUMoV_JnYiCqwy2vgDod7yDHMXLkweJ0Vhd1A1TJysPMFNr4Q8yVvQ4Q1fXKg"
+            );
+        })
+    }
+
     #[test]
     fn rsa() -> TestResult {
-        roundtrip_pair("rsa", "rsa.pub", |jwk| {
+        roundtrip_pair("rsa", "rsa.pub", false, |jwk| {
             assert_thumbprint(
                 jwk,
                 "nYPs6qc5zj3VOVKr4yY-EzirO-AcdUl0JC5bcXKGE6Y",
@@ -324,6 +349,26 @@ pub mod roundtrip {
             );
         })
     }
+
+    #[test]
+    #[cfg_attr(
+        any(
+            feature = "crypto-ring",
+            feature = "crypto-aws-lc",
+            feature = "crypto-rustcrypto"
+        ),
+        ignore
+    )]
+    fn ed448() -> TestResult {
+        roundtrip_pair("ed448", "ed448.pub", false, |jwk| {
+            assert_thumbprint(
+                jwk,
+                "-K8d13H2SA_vuRYSxn05sQN4hAkeWXFt5XainSnkfZc",
+                "a_AWZk_w5qSm2XziCOKyHRLU1amUzTlbb1df8Q0JCx3bOaQp0YcLqdHS2Sbyw2PQ",
+                "qM1ai1zIZ-NRzbkOKxVkOY6DXVXmDWsSXMCQRRy7oIZEwRzQ0gQK5c-cruMkpyYcBs7ftQcofV_YXWfCdKhSWw",
+            );
+        })
+    }
 }
 
 // TODO: test to ensure correct length of x, y, d
@@ -369,10 +414,7 @@ pub mod generate {
     use crate::common::TestResult;
 
     #[test]
-    #[cfg_attr(
-        feature = "crypto-ring",
-        ignore = "crypto backend does not support ECC key generation"
-    )]
+    #[cfg_attr(feature = "crypto-ring", ignore)]
     fn ec_p256() -> TestResult {
         let p256 = P256PrivateKey::generate()?;
         let p256_pub = p256.to_public_key();
@@ -382,10 +424,7 @@ pub mod generate {
     }
 
     #[test]
-    #[cfg_attr(
-        feature = "crypto-ring",
-        ignore = "crypto backend does not support ECC key generation"
-    )]
+    #[cfg_attr(feature = "crypto-ring", ignore)]
     fn ec_p384() -> TestResult {
         let p384 = P384PrivateKey::generate()?;
         let p384_pub = p384.to_public_key();
@@ -395,10 +434,7 @@ pub mod generate {
     }
 
     #[test]
-    #[cfg_attr(
-        any(feature = "crypto-rustcrypto", feature = "crypto-ring"),
-        ignore = "crypto backend does not support P-521 curve"
-    )]
+    #[cfg_attr(any(feature = "crypto-rustcrypto", feature = "crypto-ring"), ignore)]
     fn ec_p521() -> TestResult {
         let p521 = P521PrivateKey::generate()?;
         let p521_pub = p521.to_public_key();
@@ -408,10 +444,7 @@ pub mod generate {
     }
 
     #[test]
-    #[cfg_attr(
-        feature = "crypto-ring",
-        ignore = "crypto backend does not support RSA key generation"
-    )]
+    #[cfg_attr(feature = "crypto-ring", ignore)]
     fn rsa() -> TestResult {
         let rsa = rsa::PrivateKey::generate(4096)?;
         let rsa_pub = rsa.to_public_key();
@@ -427,10 +460,7 @@ pub mod generate {
     }
 
     #[test]
-    #[cfg_attr(
-        feature = "crypto-ring",
-        ignore = "crypto backend does not support Ed448 curve"
-    )]
+    #[cfg_attr(feature = "crypto-ring", ignore)]
     fn ed25519() -> TestResult {
         let ed25519 = okp::PrivateKey::<okp::Ed25519>::generate()?;
         let ed25519_pub = ed25519.to_public_key();
@@ -446,7 +476,7 @@ pub mod generate {
             feature = "crypto-ring",
             feature = "crypto-aws-lc"
         ),
-        ignore = "crypto backend does not support Ed448 curve"
+        ignore
     )]
     fn ed448() -> TestResult {
         let ed448 = okp::PrivateKey::<okp::Ed448>::generate()?;
@@ -482,3 +512,46 @@ fn symmetric_key_can_not_strip_secret() -> TestResult {
 
     Ok(())
 }
+
+#[test]
+fn additional_properties() -> TestResult {
+    #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+    struct Additional {
+        #[serde(rename = "additional/one")]
+        one: String,
+        another_additional: i32,
+    }
+
+    impl Checkable for Additional {
+        fn check<P: jwk::policy::Policy>(
+            self,
+            policy: P,
+        ) -> Result<jwk::policy::Checked<Self, P>, (Self, P::Error)> {
+            Ok(jwk::policy::Checked::new(self, policy))
+        }
+    }
+
+    let key = read_jwk("rsa_with_additional_props.pub")?;
+    let key: JsonWebKey<Additional> = serde_json::from_value(key)?;
+
+    assert_eq!(key.additional().one.as_str(), "my rsa key");
+    assert_eq!(key.additional().another_additional, 1);
+
+    let untyped = key.clone().into_untyped_additional()?;
+    assert_eq!(
+        untyped
+            .clone()
+            .deserialize_additional::<Additional>()?
+            .additional(),
+        key.additional()
+    );
+
+    let untyped = untyped.additional();
+
+    assert_eq!(untyped["additional/one"], "my rsa key");
+    assert_eq!(untyped["another_additional"], 1);
+
+    let _checked = key.check(jwk::policy::StandardPolicy::new()).unwrap();
+
+    Ok(())
+}
diff --git a/tests/jws.rs b/tests/jws.rs
index e69de29..8b13789 100644
--- a/tests/jws.rs
+++ b/tests/jws.rs
@@ -0,0 +1 @@
+
diff --git a/tests/vectors/jwk/ed448.json b/tests/vectors/jwk/ed448.json
new file mode 100644
index 0000000..773a2d6
--- /dev/null
+++ b/tests/vectors/jwk/ed448.json
@@ -0,0 +1,6 @@
+{
+  "crv": "Ed448",
+  "kty": "OKP",
+  "x": "TLmubeIL94Lp5tUdNMzMS0IoqiWNqBdlmIedMI504TcPLMMXqCcHrlPtxbnKS3mmvZzSzg4bC98A",
+  "d": "HuEpUexGlbKpPJD0eivXsuTEgymVIEdmpNdbgsSPbZSXOQjX7s9RtumPy1fYzYT2BdmvB7io5rrS"
+}
diff --git a/tests/vectors/jwk/ed448.pub.json b/tests/vectors/jwk/ed448.pub.json
new file mode 100644
index 0000000..edf51a3
--- /dev/null
+++ b/tests/vectors/jwk/ed448.pub.json
@@ -0,0 +1,5 @@
+{
+  "crv": "Ed448",
+  "kty": "OKP",
+  "x": "TLmubeIL94Lp5tUdNMzMS0IoqiWNqBdlmIedMI504TcPLMMXqCcHrlPtxbnKS3mmvZzSzg4bC98A"
+}
diff --git a/tests/vectors/jwk/k256.json b/tests/vectors/jwk/k256.json
new file mode 100644
index 0000000..6d8abe2
--- /dev/null
+++ b/tests/vectors/jwk/k256.json
@@ -0,0 +1,9 @@
+{
+  "alg":"ES256K",
+  "crv":"secp256k1",
+  "d":"8WieVX5crsjLd1VZmsWa6fdip1apcxv7sasaBhXNxKU",
+  "key_ops":["sign","verify"],
+  "kty":"EC",
+  "x":"KBKyqszcuKAz2PovGR0vu46v8X9nVx43T4rLiMKmuyw",
+  "y":"jmE55gZG_Qe4tebTrZIwUfwkM7KXEdJHR_yqH87rSp8"
+}
diff --git a/tests/vectors/jwk/k256.pub.json b/tests/vectors/jwk/k256.pub.json
new file mode 100644
index 0000000..8264d51
--- /dev/null
+++ b/tests/vectors/jwk/k256.pub.json
@@ -0,0 +1,8 @@
+{
+  "alg":"ES256K",
+  "crv":"secp256k1",
+  "key_ops":["verify"],
+  "kty":"EC",
+  "x":"KBKyqszcuKAz2PovGR0vu46v8X9nVx43T4rLiMKmuyw",
+  "y":"jmE55gZG_Qe4tebTrZIwUfwkM7KXEdJHR_yqH87rSp8"
+}
diff --git a/tests/vectors/jwk/rsa_with_additional_props.pub.json b/tests/vectors/jwk/rsa_with_additional_props.pub.json
new file mode 100644
index 0000000..d61d2f6
--- /dev/null
+++ b/tests/vectors/jwk/rsa_with_additional_props.pub.json
@@ -0,0 +1,10 @@
+{
+    "use": "sig",
+    "kty": "RSA",
+    "kid": "nYPs6qc5zj3VOVKr4yY-EzirO-AcdUl0JC5bcXKGE6Y",
+    "alg": "RS256",
+    "n": "vxmzEVX_Fus8i8BWT_sC_m389t615iPxKSMavPFv0xEhES42RWkO6yNpb_cwWhlJtoy_UdiRW8-0DHYJIbpiwkw4oRRnfMYX4FU77yjovSQLEhKPfIuYDBuP-9LQgF8_NgB9z1WokSUcH-tAf_35MpiXptGxoFuIe1EE7u1TWpTnMwGBnqO1EvJltyWej9R6rt47oqizn1VN8P2No3tys181B_TE9c6N2tXzWpnm5QY7UZO2zPLtYFGbj7hJCNhc5SL3vt-81KkaNjPcW1rgCIoRKvHVI79n_H81LQdiJDJyIobtvPH3XFQa_tM4CP2ul121E_Zi0tcjuD1zyLCq7Q",
+    "e": "AQAB",
+    "additional/one": "my rsa key",
+    "another_additional": 1
+}

From 44b9865130a9c3b4e715494aef4b61f5f1f1de19 Mon Sep 17 00:00:00 2001
From: Justus K <justus.k@protonmail.com>
Date: Sat, 3 May 2025 13:26:48 +0200
Subject: [PATCH 3/5] chore: remove default feature from Cargo.toml

---
 Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Cargo.toml b/Cargo.toml
index b6b3d65..8520866 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -22,7 +22,7 @@ categories = [
 ]
 
 [features]
-default = ["crypto-openssl"]
+default = []
 std = [
   "thiserror/std",
   "fluent-uri/std",

From ab9fa3edafb99635281a41544da959cf3fcee8b4 Mon Sep 17 00:00:00 2001
From: Justus K <justus.k@protonmail.com>
Date: Sat, 3 May 2025 13:50:07 +0200
Subject: [PATCH 4/5] fix(tests): skip roundtrip on unsupported crypto backends

---
 tests/jwk.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tests/jwk.rs b/tests/jwk.rs
index 904dcfb..87709e9 100644
--- a/tests/jwk.rs
+++ b/tests/jwk.rs
@@ -83,6 +83,10 @@ fn roundtrip_pair(
     roundtrip(private, unsupported, check)?;
     roundtrip(public, unsupported, check)?;
 
+    if unsupported {
+        return Ok(());
+    }
+
     let private_key: JsonWebKey = serde_json::from_value(read_jwk(private)?)?;
     let public_key: JsonWebKey = serde_json::from_value(read_jwk(public)?)?;
 

From 5b68aef338e24effb933e93f7db57a8ce89cdbf8 Mon Sep 17 00:00:00 2001
From: Justus K <justus.k@protonmail.com>
Date: Sat, 3 May 2025 14:25:05 +0200
Subject: [PATCH 5/5] chore: delete tarpaulin-report file

---
 tarpaulin-report.html | 671 ------------------------------------------
 1 file changed, 671 deletions(-)
 delete mode 100644 tarpaulin-report.html

diff --git a/tarpaulin-report.html b/tarpaulin-report.html
deleted file mode 100644
index c0cdb23..0000000
--- a/tarpaulin-report.html
+++ /dev/null
@@ -1,671 +0,0 @@
-<!doctype html>
-<html>
-<head>
-    <meta charset="utf-8">
-    <style>html, body {
-  margin: 0;
-  padding: 0;
-}
-
-.app {
-  margin: 10px;
-  padding: 0;
-}
-
-.files-list {
-  margin: 10px 0 0;
-  width: 100%;
-  border-collapse: collapse;
-}
-.files-list__head {
-  border: 1px solid #999;
-}
-.files-list__head > tr > th {
-  padding: 10px;
-  border: 1px solid #999;
-  text-align: left;
-  font-weight: normal;
-  background: #ddd;
-}
-.files-list__body {
-}
-.files-list__file {
-  cursor: pointer;
-}
-.files-list__file:hover {
-  background: #ccf;
-}
-.files-list__file > td {
-  padding: 10px;
-  border: 1px solid #999;
-}
-.files-list__file > td:first-child::before {
-  content: '\01F4C4';
-  margin-right: 1em;
-}
-.files-list__file_low {
-  background: #fcc;
-}
-.files-list__file_medium {
-  background: #ffc;
-}
-.files-list__file_high {
-  background: #cfc;
-}
-.files-list__file_folder > td:first-child::before {
-  content: '\01F4C1';
-  margin-right: 1em;
-}
-
-.file-header {
-  border: 1px solid #999;
-  display: flex;
-  justify-content: space-between;
-  align-items: center;
-  position: sticky;
-  top: 0;
-  background: white;
-}
-
-.file-header__back {
-  margin: 10px;
-  cursor: pointer;
-  flex-shrink: 0;
-  flex-grow: 0;
-  text-decoration: underline;
-  color: #338;
-}
-
-.file-header__name {
-  margin: 10px;
-  flex-shrink: 2;
-  flex-grow: 2;
-}
-
-.file-header__stat {
-  margin: 10px;
-  flex-shrink: 0;
-  flex-grow: 0;
-}
-
-.file-content {
-  margin: 10px 0 0;
-  border: 1px solid #999;
-  padding: 10px;
-  counter-reset: line;
-  display: flex;
-  flex-direction: column;
-}
-
-.code-line::before {
-    content: counter(line);
-    margin-right: 10px;
-}
-.code-line {
-  margin: 0;
-  padding: 0.3em;
-  height: 1em;
-  counter-increment: line;
-}
-.code-line_covered {
-  background: #cfc;
-}
-.code-line_uncovered {
-  background: #fcc;
-}
-</style>
-</head>
-<body>
-    <div id="root"></div>
-    <script>
-        var data = {"files":[{"path":["/","home","stu","dev","rust","jose","build.rs"],"content":"use std::{env, process::exit};\n\nstruct CryptoBackend {\n    name: \u0026'static str,\n    feature: \u0026'static str,\n}\n\nconst ALL_BACKENDS: \u0026[CryptoBackend] = \u0026[\n    CryptoBackend {\n        name: \"RustCrypto\",\n        feature: \"crypto-rustcrypto\",\n    },\n    CryptoBackend {\n        name: \"OpenSSL\",\n        feature: \"crypto-openssl\",\n    },\n    CryptoBackend {\n        name: \"AWS-LC\",\n        feature: \"crypto-aws-lc\",\n    },\n    CryptoBackend {\n        name: \"ring\",\n        feature: \"crypto-ring\",\n    },\n];\n\nfn main() {\n    crypto_backends_check();\n\n    println!(\"cargo::rustc-check-cfg=cfg(openssl320)\");\n\n    // the nonce api for deterministic EcDSA signing is only possible on specific\n    // version\n    #[expect(clippy::unusual_byte_groupings)]\n    if let Ok(v) = env::var(\"DEP_OPENSSL_VERSION_NUMBER\") {\n        let version = u64::from_str_radix(\u0026v, 16).unwrap();\n\n        if version \u003e= 0x3_02_00_00_0 {\n            println!(\"cargo:rustc-cfg=openssl320\");\n        }\n    }\n}\n\nfn crypto_backends_check() {\n    let enabled = ALL_BACKENDS\n        .iter()\n        .filter(|backend| {\n            std::env::var(format!(\n                \"CARGO_FEATURE_{}\",\n                backend.feature.to_uppercase().replace(\"-\", \"_\")\n            ))\n            .is_ok()\n        })\n        .collect::\u003cVec\u003c_\u003e\u003e();\n\n    if enabled.is_empty() {\n        eprintln!(\n            \"No cryptographic backend selected.\n\n`jose` requires a cryptographic backend.  This backend \\\n             is selected at compile time using feature flags.\n\nSee https://github.com/minkan-chat/jose#crypto-backends\\\n             \"\n        );\n\n        exit(1);\n    } else if enabled.len() \u003e 1 {\n        eprintln!(\n            \"Multiple cryptographic backends selected.\n\n`jose` requires exactly one cryptographic backend. \\\n             Unfortunately, you have selected multiple backends:\n\n    {}\n\nSee https://github.com/minkan-chat/jose#crypto-backends\\\n             \",\n            enabled\n                .iter()\n                .map(|b| b.name)\n                .collect::\u003cVec\u003c_\u003e\u003e()\n                .join(\", \")\n        );\n\n        exit(1);\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","examples","basic-jwt","main.rs"],"content":"//! Simple program to generate, sign and verify a JsonWebToken (JWT)\n\nuse clap::Parser;\nuse clio::Input;\nuse eyre::eyre;\nuse jose::{\n    crypto::{\n        ec::P256PrivateKey,\n        hmac::{Hs256, Key as HmacKey},\n    },\n    format::{Compact, DecodeFormat},\n    jwk::{\n        policy::{Checkable, StandardPolicy},\n        IntoJsonWebKey, JwkSigner, JwkVerifier, KeyOperation,\n    },\n    jwt::Claims,\n    JsonWebKey, Jwt, UntypedAdditionalProperties,\n};\n\n#[derive(Parser)]\nenum Commands {\n    /// Generates a JsonWebKey\n    Generate {\n        /// Wheter or not it should be a symmetric secret or not\n        #[arg(short, long)]\n        symmetric: bool,\n    },\n    /// Signs a payload with a JsonWebKey\n    Sign {\n        /// Key used to sign the JsonWebToken\n        key: Input,\n        /// The claims that this JWT should contain\n        payload: Input,\n    },\n    /// Verifies a JsonWebToken with a JsonWebKey\n    Verify { jwt: String, key: Input },\n}\n\nfn main() -\u003e eyre::Result\u003c()\u003e {\n    let cmds = Commands::parse();\n\n    match cmds {\n        Commands::Generate { symmetric } =\u003e {\n            let key = match symmetric {\n                true =\u003e HmacKey::\u003cHs256\u003e::generate()?.into_jwk(Some(()))?,\n                false =\u003e P256PrivateKey::generate()?.into_jwk(Some(()))?,\n            };\n            // Key containing private/secret key\n            let private_key = key\n                .into_builder()\n                .key_operations(Some([KeyOperation::Sign, KeyOperation::Verify]))\n                .build()?;\n            println!(\"Private:\\n{}\", serde_json::to_string(\u0026private_key)?);\n\n            // If the key can be made public, do so and print it as well\n            if let Some(public) = private_key.strip_secret_material() {\n                println!(\"Public:\\n{}\", serde_json::to_string(\u0026public)?)\n            };\n        }\n        Commands::Sign { key, payload } =\u003e {\n            let key: JsonWebKey = serde_json::from_reader(key)?;\n            let payload: Claims\u003cUntypedAdditionalProperties\u003e = serde_json::from_reader(payload)?;\n            if !key.is_signing_key() {\n                return Err(eyre!(\"Key is not capable of signing\"));\n            }\n\n            let key = key\n                .check(StandardPolicy::default())\n                .map_err(|(_key, e)| e)?;\n            let mut signer: JwkSigner = key.try_into()?;\n\n            let jwt = Jwt::builder_jwt().build(payload)?;\n            let signed = jwt.sign(\u0026mut signer)?;\n            let encoded = signed.encode();\n            println!(\"JWT: {encoded}\");\n        }\n        Commands::Verify { jwt, key } =\u003e {\n            let key: JsonWebKey = serde_json::from_reader(key)?;\n            let key = key.check(StandardPolicy::default()).map_err(|(_, e)| e)?;\n            let mut verifier: JwkVerifier = key.try_into()?;\n            let encoded: Compact = jwt.parse()?;\n            let unverified_jwt = Jwt::\u003cUntypedAdditionalProperties\u003e::decode(encoded)?;\n            let jwt = unverified_jwt.verify(\u0026mut verifier)?;\n            let payload = jwt.payload();\n            println!(\n                \"JWT: Sub {:?}, {:?}:\",\n                payload.subject,\n                payload.additional.get(\"name\")\n            )\n        }\n    }\n    Ok(())\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","base64_url.rs"],"content":"//! Helpers for base64 urlsafe encoded stuff\n\nuse alloc::{borrow::ToOwned, string::String, vec::Vec};\nuse core::{fmt, ops::Deref, str::FromStr};\n\nuse base64ct::{Base64UrlUnpadded, Encoding};\nuse secrecy::{ExposeSecret as _, SecretSlice};\nuse serde::{de::Error, Deserialize, Deserializer, Serialize};\nuse thiserror::Error;\nuse zeroize::{Zeroize, Zeroizing};\n\n/// Error type indicating that one part of the compact\n/// representation was an invalid Base64Url string.\n#[derive(Debug, Clone, Copy, Error)]\n#[error(\"the string is not a valid Base64Url representation\")]\npub struct NoBase64UrlString;\n\n/// A wrapper around a [`String`] that guarantees that the inner string is a\n/// valid Base64Url string.\n#[derive(Debug, Clone, Hash, PartialEq, Eq, Serialize, Default)]\n#[repr(transparent)]\n#[serde(transparent)]\npub struct Base64UrlString(String);\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for Base64UrlString {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        let inner = String::deserialize(deserializer)?;\n        Base64UrlString::from_str(\u0026inner).map_err(D::Error::custom)\n    }\n}\n\nimpl fmt::Display for Base64UrlString {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Display::fmt(\u0026self.0, f)\n    }\n}\n\nimpl FromStr for Base64UrlString {\n    type Err = NoBase64UrlString;\n\n    fn from_str(s: \u0026str) -\u003e Result\u003cSelf, Self::Err\u003e {\n        // it is an expensive check.. yes\n        base64ct::Base64UrlUnpadded::decode_vec(s)\n            .map(|_| Self(s.to_owned()))\n            .map_err(|_| NoBase64UrlString)\n    }\n}\n\nimpl Base64UrlString {\n    /// Creates a new, empty Base64Url string.\n    #[inline]\n    pub const fn new() -\u003e Self {\n        Self(String::new())\n    }\n\n    /// Encode the given bytes using Base64Url format.\n    #[inline]\n    pub fn encode(x: impl AsRef\u003c[u8]\u003e) -\u003e Self {\n        Base64UrlString(Base64UrlUnpadded::encode_string(x.as_ref()))\n    }\n\n    /// Decodes this Base64Url string into it's raw byte representation.\n    #[inline]\n    pub fn decode(\u0026self) -\u003e Vec\u003cu8\u003e {\n        Base64UrlUnpadded::decode_vec(\u0026self.0)\n            .expect(\"Base64UrlString is guaranteed to be a valid base64 string\")\n    }\n\n    /// Return the inner string.\n    pub fn into_inner(self) -\u003e String {\n        self.0\n    }\n}\n\nimpl Deref for Base64UrlString {\n    type Target = str;\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        \u0026self.0\n    }\n}\n\n#[derive(Debug, PartialEq, Eq, Clone, Hash, Zeroize)]\npub(crate) struct Base64UrlBytes(pub(crate) Vec\u003cu8\u003e);\n\nimpl Serialize for Base64UrlBytes {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        let encoded = Base64UrlUnpadded::encode_string(\u0026self.0);\n        encoded.serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for Base64UrlBytes {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        let encoded = String::deserialize(deserializer)?;\n\n        let decoded = Base64UrlUnpadded::decode_vec(\u0026encoded)\n            .map_err(|_| D::Error::custom(\"encountered invalid Base64Url string\"))?;\n\n        Ok(Self(decoded))\n    }\n}\n\n#[derive(Debug, Clone, Zeroize)]\npub(crate) struct SecretBase64UrlBytes(pub(crate) SecretSlice\u003cu8\u003e);\n\nimpl Serialize for SecretBase64UrlBytes {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        let data = self.0.expose_secret();\n        let encoded = Zeroizing::new(Base64UrlUnpadded::encode_string(data));\n\n        encoded.serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for SecretBase64UrlBytes {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        let encoded = Zeroizing::new(String::deserialize(deserializer)?);\n\n        let decoded = Base64UrlUnpadded::decode_vec(\u0026encoded)\n            .map_err(|_| D::Error::custom(\"encountered invalid Base64Url string\"))?;\n\n        Ok(Self(SecretSlice::from(decoded)))\n    }\n}\n\n// TODO: test for correct length check and base64url parsing\n#[cfg(test)]\nmod tests {}\n","traces":[{"line":26,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":0}},{"line":31,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":37,"address":[],"length":0,"stats":{"Line":0}},{"line":44,"address":[],"length":0,"stats":{"Line":0}},{"line":46,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":63}},{"line":62,"address":[],"length":0,"stats":{"Line":63}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":81,"address":[],"length":0,"stats":{"Line":63}},{"line":82,"address":[],"length":0,"stats":{"Line":63}},{"line":90,"address":[],"length":0,"stats":{"Line":206}},{"line":94,"address":[],"length":0,"stats":{"Line":206}},{"line":95,"address":[],"length":0,"stats":{"Line":206}},{"line":100,"address":[],"length":0,"stats":{"Line":257}},{"line":104,"address":[],"length":0,"stats":{"Line":514}},{"line":106,"address":[],"length":0,"stats":{"Line":138}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":36}},{"line":121,"address":[],"length":0,"stats":{"Line":36}},{"line":122,"address":[],"length":0,"stats":{"Line":36}},{"line":124,"address":[],"length":0,"stats":{"Line":36}},{"line":129,"address":[],"length":0,"stats":{"Line":109}},{"line":133,"address":[],"length":0,"stats":{"Line":218}},{"line":135,"address":[],"length":0,"stats":{"Line":76}},{"line":136,"address":[],"length":0,"stats":{"Line":0}},{"line":138,"address":[],"length":0,"stats":{"Line":0}}],"covered":17,"coverable":36},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","dummy.rs"],"content":"//! This backend is a dummy backend, that will return an error for all\n//! methods.\n//!\n//! This is only used for testing purposes, to make the code compile.\n\nuse alloc::vec::Vec;\n\nuse secrecy::SecretSlice;\n\nuse super::interface;\nuse crate::crypto::Result;\n\n#[derive(Debug, thiserror::Error)]\n#[error(\"the dummy crypto backend does not support any operations\")]\npub(crate) struct Error;\n\n/// The dummy backend.\n#[derive(Debug)]\npub(crate) enum Backend {}\n\nimpl interface::Backend for Backend {\n    type EcPrivateKey = DummyKey;\n    type EcPublicKey = DummyKey;\n    type EdPrivateKey = DummyKey;\n    type EdPublicKey = DummyKey;\n    type Error = Error;\n    type HmacKey = DummyKey;\n    type RsaPrivateKey = DummyKey;\n    type RsaPublicKey = DummyKey;\n\n    fn fill_random(_buf: \u0026mut [u8]) -\u003e Result\u003c(), Self::Error\u003e {\n        Err(Error)\n    }\n\n    fn sha256(_: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n        panic!(\"The dummy backend does not support any operations\");\n    }\n\n    fn sha384(_: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n        panic!(\"The dummy backend does not support any operations\");\n    }\n\n    fn sha512(_: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n        panic!(\"The dummy backend does not support any operations\");\n    }\n}\n\n#[derive(Debug, Clone, PartialEq, Eq)]\npub(crate) struct DummyKey {\n    _private: (),\n}\n\nimpl interface::ec::PrivateKey for DummyKey {\n    type PublicKey = DummyKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn new(_alg: crate::jwa::EcDSA, _x: Vec\u003cu8\u003e, _y: Vec\u003cu8\u003e, _d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn generate(_: crate::jwa::EcDSA) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn private_material(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        unreachable!()\n    }\n\n    fn public_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        unreachable!()\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        unreachable!()\n    }\n\n    fn sign(\u0026mut self, _: \u0026[u8], _: bool) -\u003e Result\u003cSelf::Signature\u003e {\n        unreachable!()\n    }\n}\n\nimpl interface::ec::PublicKey for DummyKey {\n    fn new(_: crate::jwa::EcDSA, _: Vec\u003cu8\u003e, _: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn to_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        unreachable!()\n    }\n\n    fn verify(\u0026mut self, _: \u0026[u8], _: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        unreachable!()\n    }\n}\n\nimpl interface::okp::PrivateKey for DummyKey {\n    type PublicKey = DummyKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(_: interface::okp::CurveAlgorithm) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn new(_: interface::okp::CurveAlgorithm, _: Vec\u003cu8\u003e, _: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        unreachable!()\n    }\n\n    fn to_bytes(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        unreachable!()\n    }\n\n    fn sign(\u0026mut self, _: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        unreachable!()\n    }\n}\n\nimpl interface::okp::PublicKey for DummyKey {\n    fn new(_: interface::okp::CurveAlgorithm, _: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn to_bytes(\u0026self) -\u003e Vec\u003cu8\u003e {\n        unreachable!()\n    }\n\n    fn verify(\u0026mut self, _: \u0026[u8], _: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        unreachable!()\n    }\n}\n\nimpl interface::hmac::Key for DummyKey {\n    type Signature = Vec\u003cu8\u003e;\n\n    fn new(_: crate::jwa::Hmac, _: \u0026[u8]) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn sign(\u0026mut self, _: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        unreachable!()\n    }\n}\n\nimpl interface::rsa::PrivateKey for DummyKey {\n    type PublicKey = DummyKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(_: usize) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn from_components(\n        _: interface::rsa::PrivateKeyComponents,\n        _: interface::rsa::PublicKeyComponents,\n    ) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        unreachable!()\n    }\n\n    fn sign(\u0026mut self, _: crate::jwa::RsaSigning, _: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        unreachable!()\n    }\n\n    fn private_components(\u0026self) -\u003e Result\u003cinterface::rsa::PrivateKeyComponents\u003e {\n        unreachable!()\n    }\n\n    fn public_components(\u0026self) -\u003e interface::rsa::PublicKeyComponents {\n        unreachable!()\n    }\n}\n\nimpl interface::rsa::PublicKey for DummyKey {\n    fn from_components(_: interface::rsa::PublicKeyComponents) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn verify(\n        \u0026mut self,\n        _alg: crate::jwa::RsaSigning,\n        _msg: \u0026[u8],\n        _signature: \u0026[u8],\n    ) -\u003e Result\u003cbool\u003e {\n        unreachable!()\n    }\n\n    fn components(\u0026self) -\u003e interface::rsa::PublicKeyComponents {\n        unreachable!()\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","interface","ec.rs"],"content":"//! The interfaces for EC keys.\n\nuse alloc::vec::Vec;\n\nuse secrecy::SecretSlice;\n\nuse crate::{crypto::Result, jwa};\n\n/// The common operations for a curve-generic EC public key.\npub(crate) trait PublicKey: Sized + Clone {\n    /// Creates a new public key from the given data.\n    fn new(alg: jwa::EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e;\n\n    /// Returns the (x, y) coordinates of the public key.\n    fn to_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e);\n\n    /// Verifies if the message is valid for the given signature and algorithm.\n    ///\n    /// Returns `true` if the signature is valid, `false` otherwise.\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e;\n}\n\n/// The common operations for a curve-generic EC private key.\npub(crate) trait PrivateKey: Sized + Clone {\n    /// The signature type that is produced by this key.\n    type Signature: Into\u003cVec\u003cu8\u003e\u003e + AsRef\u003c[u8]\u003e;\n\n    /// The public key type.\n    type PublicKey: PublicKey;\n\n    /// Creates a new private key from the given data.\n    fn new(alg: jwa::EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e;\n\n    /// Generates a new secure random private key.\n    fn generate(alg: jwa::EcDSA) -\u003e Result\u003cSelf\u003e;\n\n    /// Returns the private key material of this key.\n    fn private_material(\u0026self) -\u003e SecretSlice\u003cu8\u003e;\n\n    /// Returns the public part of this key, a (x, y) coordinates.\n    fn public_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e);\n\n    /// Returns the public key of this private key.\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey;\n\n    /// Signs the given data using this key.\n    ///\n    /// This operation **must** be re-usable, meaning this method can be\n    /// called multiple times with different data to sign.\n    ///\n    /// The `deterministic` flag indicates if the signature should be\n    /// deterministic, as according to [RFC 6979](https://www.rfc-editor.org/rfc/rfc6979).\n    fn sign(\u0026mut self, data: \u0026[u8], deterministic: bool) -\u003e Result\u003cSelf::Signature\u003e;\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","interface","hmac.rs"],"content":"//! The interfaces for HMAC.\n\nuse crate::{crypto::Result, jwa};\n\n/// The common operations for an HMAC key.\npub(crate) trait Key: Sized {\n    /// The signature type that is produced by this key.\n    type Signature: AsRef\u003c[u8]\u003e;\n\n    /// Creates a new key from the given data.\n    fn new(variant: jwa::Hmac, key: \u0026[u8]) -\u003e Result\u003cSelf\u003e;\n\n    /// Signs the given data using this key.\n    ///\n    /// This operation **must** be re-usable, meaning this method can be\n    /// called multiple times with different data to sign.\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e;\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","interface","okp.rs"],"content":"//! The interfaces for OKP/ED keys.\n\nuse alloc::vec::Vec;\n\nuse secrecy::SecretSlice;\n\nuse crate::crypto::Result;\n\n/// The common operations for a ED public key.\npub(crate) trait PublicKey: Sized + Clone {\n    /// Creates a new public key from the given data.\n    fn new(alg: CurveAlgorithm, x: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e;\n\n    /// Returns the encoded bytes for this public key.\n    fn to_bytes(\u0026self) -\u003e Vec\u003cu8\u003e;\n\n    /// Verifies if the message is valid for the given signature and algorithm.\n    ///\n    /// Returns `true` if the signature is valid, `false` otherwise.\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e;\n}\n\n/// The common operations for a ED private key.\npub(crate) trait PrivateKey: Sized + Clone {\n    /// The signature type that is produced by this key.\n    type Signature: Into\u003cVec\u003cu8\u003e\u003e + AsRef\u003c[u8]\u003e;\n\n    /// The public key type.\n    type PublicKey: PublicKey;\n\n    /// Generates a new secure random private key.\n    fn generate(alg: CurveAlgorithm) -\u003e Result\u003cSelf\u003e;\n\n    /// Creates a new private key from the given data.\n    fn new(alg: CurveAlgorithm, x: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e;\n\n    /// Returns the public key that belongs to this private key.\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey;\n\n    /// Returns the encoded bytes for this private key.\n    fn to_bytes(\u0026self) -\u003e SecretSlice\u003cu8\u003e;\n\n    /// Signs the given data using this key.\n    ///\n    /// This operation **must** be re-usable, meaning this method can be\n    /// called multiple times with different data to sign.\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e;\n}\n\n/// The different curve algorithm combinations that can be supported\n/// by a crypto backend.\n#[derive(Debug, Clone, Copy, PartialEq, Eq)]\npub(crate) enum CurveAlgorithm {\n    /// The Ed25519 curve.\n    Ed25519,\n    /// The Ed448 curve.\n    Ed448,\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","interface","rsa.rs"],"content":"//! The interfaces for RSA.\n\nuse alloc::vec::Vec;\n\nuse secrecy::SecretSlice;\n\nuse crate::{crypto::Result, jwa};\n\n/// Part of the [`PrivateKeyComponents`], which includes additional information\n/// about the prime numbers.\n#[derive(Clone)]\npub(crate) struct PrivateKeyPrimeComponents {\n    pub p: SecretSlice\u003cu8\u003e,\n    pub q: SecretSlice\u003cu8\u003e,\n    pub dp: SecretSlice\u003cu8\u003e,\n    pub dq: SecretSlice\u003cu8\u003e,\n    pub qi: SecretSlice\u003cu8\u003e,\n}\n\n/// The components of a private key.\n///\n/// All fields in this struct are of type `Vec\u003cu8\u003e` and are\n/// big integers represented in big endian bytes.\n#[derive(Clone)]\npub(crate) struct PrivateKeyComponents {\n    pub d: SecretSlice\u003cu8\u003e,\n    pub prime: PrivateKeyPrimeComponents,\n}\n\n/// The components of a public key.\n///\n/// All fields in this struct are of type `Vec\u003cu8\u003e` and are\n/// big integers represented in big endian bytes.\n#[derive(Clone, PartialEq, Eq)]\npub(crate) struct PublicKeyComponents {\n    pub n: Vec\u003cu8\u003e,\n    pub e: Vec\u003cu8\u003e,\n}\n\n/// The common operations for an RSA private key.\npub(crate) trait PrivateKey: Sized {\n    /// The signature type that is produced by this key.\n    type Signature: Into\u003cVec\u003cu8\u003e\u003e + AsRef\u003c[u8]\u003e;\n\n    /// The public key type.\n    type PublicKey: PublicKey;\n\n    /// Generates a new rsa private key with the given number of bits.\n    fn generate(bits: usize) -\u003e Result\u003cSelf\u003e;\n\n    /// Creates a new RSA private key from the given private \u0026 public key\n    /// components.\n    fn from_components(private: PrivateKeyComponents, public: PublicKeyComponents) -\u003e Result\u003cSelf\u003e;\n\n    /// Creates a new public key from this private key.\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey;\n\n    /// Returns the private key components.\n    fn private_components(\u0026self) -\u003e Result\u003cPrivateKeyComponents\u003e;\n\n    /// Returns the public key components.\n    fn public_components(\u0026self) -\u003e PublicKeyComponents;\n\n    /// Signs the given data using this key.\n    ///\n    /// This operation **must** be re-usable, meaning this method can be\n    /// called multiple times with different data to sign.\n    fn sign(\u0026mut self, alg: jwa::RsaSigning, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e;\n}\n\n/// The common operations for an RSA public key.\npub(crate) trait PublicKey: Sized {\n    /// Creates a new RSA public key from the given public key components.\n    fn from_components(components: PublicKeyComponents) -\u003e Result\u003cSelf\u003e;\n\n    /// Returns the public key components.\n    fn components(\u0026self) -\u003e PublicKeyComponents;\n\n    /// Verifies if the message is valid for the given signature and algorithm.\n    ///\n    /// Returns `true` if the signature is valid, `false` otherwise.\n    fn verify(\u0026mut self, alg: jwa::RsaSigning, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e;\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","interface.rs"],"content":"//! Common traits that define the API each backend must implement.\n\nuse core::{error, fmt};\n\npub(crate) mod ec;\npub(crate) mod hmac;\npub(crate) mod okp;\npub(crate) mod rsa;\n\n/// The backend trait that all backends must implement.\n///\n/// This trait is used to define some commonly used operations, like generating\n/// random data.\npub(crate) trait Backend {\n    /// The error type that is used by this backend.\n    type Error: fmt::Debug + fmt::Display + error::Error;\n\n    /// The HMAC key type.\n    type HmacKey: hmac::Key;\n\n    /// The RSA private key type.\n    type RsaPrivateKey: rsa::PrivateKey;\n\n    /// The RSA public key type.\n    type RsaPublicKey: rsa::PublicKey;\n\n    /// The EC public key type.\n    type EcPublicKey: ec::PublicKey;\n\n    /// The EC private key type.\n    type EcPrivateKey: ec::PrivateKey;\n\n    /// The ED public key type.\n    type EdPublicKey: okp::PublicKey;\n\n    /// The ED private key type.\n    type EdPrivateKey: okp::PrivateKey;\n\n    /// Fills the given buffer with random data.\n    fn fill_random(buf: \u0026mut [u8]) -\u003e Result\u003c(), Self::Error\u003e;\n\n    /// Performs a quick Sha256 of the given data.\n    fn sha256(data: \u0026[u8]) -\u003e [u8; 32];\n\n    /// Performs a quick Sha384 of the given data.\n    fn sha384(data: \u0026[u8]) -\u003e [u8; 48];\n\n    /// Performs a quick Sha512 of the given data.\n    fn sha512(data: \u0026[u8]) -\u003e [u8; 64];\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","openssl","ec.rs"],"content":"use alloc::vec::Vec;\n\nuse openssl::{\n    bn::{BigNum, BigNumContext},\n    ec::{EcGroup, EcKey},\n    ecdsa::EcdsaSig,\n    hash::MessageDigest,\n    md::Md,\n    md_ctx::MdCtx,\n    pkey::{PKey, Private, Public},\n    sign::Verifier,\n};\nuse secrecy::{ExposeSecret, SecretSlice};\n\nuse crate::{\n    crypto::{\n        backend::interface::ec,\n        ec::{coordinate_size, scalar_size},\n        Result,\n    },\n    jwa::{self, EcDSA},\n};\n\nfn ec_group(alg: jwa::EcDSA) -\u003e Result\u003cEcGroup\u003e {\n    let group = match alg {\n        EcDSA::Es256 =\u003e EcGroup::from_curve_name(openssl::nid::Nid::X9_62_PRIME256V1)?,\n        EcDSA::Es384 =\u003e EcGroup::from_curve_name(openssl::nid::Nid::SECP384R1)?,\n        EcDSA::Es512 =\u003e EcGroup::from_curve_name(openssl::nid::Nid::SECP521R1)?,\n        EcDSA::Es256K =\u003e EcGroup::from_curve_name(openssl::nid::Nid::SECP256K1)?,\n    };\n\n    Ok(group)\n}\n\nfn digest(alg: jwa::EcDSA) -\u003e MessageDigest {\n    match alg {\n        EcDSA::Es256 =\u003e MessageDigest::sha256(),\n        EcDSA::Es384 =\u003e MessageDigest::sha384(),\n        EcDSA::Es512 =\u003e MessageDigest::sha512(),\n        EcDSA::Es256K =\u003e MessageDigest::sha256(),\n    }\n}\n\n/// A low level private EC key.\n#[derive(Clone)]\npub(crate) struct PrivateKey {\n    alg: jwa::EcDSA,\n\n    key: PKey\u003cPrivate\u003e,\n    public_key: PKey\u003cPublic\u003e,\n\n    d: SecretSlice\u003cu8\u003e,\n    x: Vec\u003cu8\u003e,\n    y: Vec\u003cu8\u003e,\n}\n\nimpl ec::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(alg: jwa::EcDSA) -\u003e Result\u003cSelf\u003e {\n        let group = ec_group(alg)?;\n\n        let ec_key = EcKey::generate(\u0026group)?;\n        ec_key.check_key()?;\n\n        let public_point = ec_key.public_key();\n        let public_key = EcKey::from_public_key(\u0026group, public_point)?;\n\n        let mut x = BigNum::new()?;\n        let mut y = BigNum::new()?;\n        let mut ctx = BigNumContext::new()?;\n        public_point.affine_coordinates(\u0026group, \u0026mut x, \u0026mut y, \u0026mut ctx)?;\n\n        let coordinate_size = coordinate_size(alg) as i32;\n        Ok(Self {\n            alg,\n            public_key: PKey::from_ec_key(public_key)?,\n            d: SecretSlice::from(\n                ec_key\n                    .private_key()\n                    .to_vec_padded(scalar_size(alg) as i32)?,\n            ),\n            key: PKey::from_ec_key(ec_key)?,\n            x: x.to_vec_padded(coordinate_size)?,\n            y: y.to_vec_padded(coordinate_size)?,\n        })\n    }\n\n    fn new(alg: EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let group = ec_group(alg)?;\n\n        let d = BigNum::from_slice(d.expose_secret())?;\n        let x = BigNum::from_slice(\u0026x)?;\n        let y = BigNum::from_slice(\u0026y)?;\n\n        let public_key = EcKey::from_public_key_affine_coordinates(\u0026group, \u0026x, \u0026y)?;\n        public_key.check_key()?;\n\n        let key = EcKey::from_private_components(\u0026group, \u0026d, public_key.public_key())?;\n        key.check_key()?;\n\n        let coordinate_size = coordinate_size(alg) as i32;\n        Ok(Self {\n            alg,\n            key: PKey::from_ec_key(key.clone())?,\n            d: SecretSlice::from(key.private_key().to_vec_padded(scalar_size(alg) as i32)?),\n            public_key: PKey::from_ec_key(public_key)?,\n            x: x.to_vec_padded(coordinate_size)?,\n            y: y.to_vec_padded(coordinate_size)?,\n        })\n    }\n\n    fn private_material(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        self.d.clone()\n    }\n\n    #[inline]\n    fn public_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        (self.x.clone(), self.y.clone())\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            digest: digest(self.alg),\n            key: self.public_key.clone(),\n            x: self.x.clone(),\n            y: self.y.clone(),\n        }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8], deterministic: bool) -\u003e Result\u003cSelf::Signature\u003e {\n        let mut md_ctx = MdCtx::new()?;\n\n        let md = match self.alg {\n            EcDSA::Es256 =\u003e Md::sha256(),\n            EcDSA::Es384 =\u003e Md::sha384(),\n            EcDSA::Es512 =\u003e Md::sha512(),\n            EcDSA::Es256K =\u003e Md::sha256(),\n        };\n\n        #[allow(unused_variables)]\n        let pkey_ctx = md_ctx.digest_sign_init(Some(md), \u0026self.key)?;\n\n        if deterministic {\n            #[cfg(all(not(feature = \"crypto-aws-lc\"), openssl320))]\n            pkey_ctx.set_nonce_type(openssl::pkey_ctx::NonceType::DETERMINISTIC_K)?;\n\n            #[cfg(any(feature = \"crypto-aws-lc\", not(openssl320)))]\n            return Err(super::BackendError::Unsupported(\n                \"deterministic signing for EcDSA\".to_string(),\n            )\n            .into());\n        }\n\n        md_ctx.digest_update(data)?;\n\n        let mut der_sig = vec![];\n        md_ctx.digest_sign_final_to_vec(\u0026mut der_sig)?;\n\n        // the returned signature is in DER format, we need to convert it according\n        // to Section 3.4 of RFC 7518\n        let signature = EcdsaSig::from_der(\u0026der_sig)?;\n        let r = signature.r().to_vec_padded(32)?;\n        let s = signature.s().to_vec_padded(32)?;\n\n        let mut sig = Vec::with_capacity(r.len() + s.len());\n        sig.extend_from_slice(\u0026r);\n        sig.extend_from_slice(\u0026s);\n\n        Ok(sig)\n    }\n}\n\n/// A low level public EC key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    digest: MessageDigest,\n    key: PKey\u003cPublic\u003e,\n    x: Vec\u003cu8\u003e,\n    y: Vec\u003cu8\u003e,\n}\n\nimpl ec::PublicKey for PublicKey {\n    fn new(alg: EcDSA, raw_x: Vec\u003cu8\u003e, raw_y: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let group = ec_group(alg)?;\n\n        let x = BigNum::from_slice(\u0026raw_x)?;\n        let y = BigNum::from_slice(\u0026raw_y)?;\n\n        let public_key = EcKey::from_public_key_affine_coordinates(\u0026group, \u0026x, \u0026y)?;\n        public_key.check_key()?;\n        let key = PKey::from_ec_key(public_key)?;\n\n        let coordinate_size = coordinate_size(alg) as i32;\n        Ok(Self {\n            digest: digest(alg),\n            key,\n            x: x.to_vec_padded(coordinate_size)?,\n            y: y.to_vec_padded(coordinate_size)?,\n        })\n    }\n\n    fn to_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        (self.x.clone(), self.y.clone())\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        // the signature is r and s concatenated, but we need it in DER format for\n        // OpenSSL\n\n        let (r, s) = signature.split_at(signature.len() / 2);\n        let r = BigNum::from_slice(r)?;\n        let s = BigNum::from_slice(s)?;\n\n        let signature = EcdsaSig::from_private_components(r, s)?.to_der()?;\n\n        let mut verifier = Verifier::new(self.digest, \u0026self.key)?;\n        verifier.update(msg)?;\n        let valid = verifier.verify(\u0026signature)?;\n\n        Ok(valid)\n    }\n}\n","traces":[{"line":24,"address":[],"length":0,"stats":{"Line":31}},{"line":25,"address":[],"length":0,"stats":{"Line":62}},{"line":26,"address":[],"length":0,"stats":{"Line":11}},{"line":27,"address":[],"length":0,"stats":{"Line":7}},{"line":28,"address":[],"length":0,"stats":{"Line":7}},{"line":29,"address":[],"length":0,"stats":{"Line":6}},{"line":35,"address":[],"length":0,"stats":{"Line":52}},{"line":36,"address":[],"length":0,"stats":{"Line":52}},{"line":37,"address":[],"length":0,"stats":{"Line":18}},{"line":38,"address":[],"length":0,"stats":{"Line":12}},{"line":39,"address":[],"length":0,"stats":{"Line":12}},{"line":40,"address":[],"length":0,"stats":{"Line":10}},{"line":61,"address":[],"length":0,"stats":{"Line":3}},{"line":62,"address":[],"length":0,"stats":{"Line":6}},{"line":64,"address":[],"length":0,"stats":{"Line":3}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":3}},{"line":68,"address":[],"length":0,"stats":{"Line":3}},{"line":70,"address":[],"length":0,"stats":{"Line":3}},{"line":71,"address":[],"length":0,"stats":{"Line":3}},{"line":72,"address":[],"length":0,"stats":{"Line":3}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":3}},{"line":76,"address":[],"length":0,"stats":{"Line":3}},{"line":77,"address":[],"length":0,"stats":{"Line":3}},{"line":78,"address":[],"length":0,"stats":{"Line":3}},{"line":79,"address":[],"length":0,"stats":{"Line":3}},{"line":80,"address":[],"length":0,"stats":{"Line":3}},{"line":81,"address":[],"length":0,"stats":{"Line":3}},{"line":82,"address":[],"length":0,"stats":{"Line":3}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":3}},{"line":86,"address":[],"length":0,"stats":{"Line":3}},{"line":90,"address":[],"length":0,"stats":{"Line":14}},{"line":91,"address":[],"length":0,"stats":{"Line":28}},{"line":93,"address":[],"length":0,"stats":{"Line":14}},{"line":94,"address":[],"length":0,"stats":{"Line":14}},{"line":95,"address":[],"length":0,"stats":{"Line":14}},{"line":97,"address":[],"length":0,"stats":{"Line":14}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":100,"address":[],"length":0,"stats":{"Line":28}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":14}},{"line":104,"address":[],"length":0,"stats":{"Line":14}},{"line":105,"address":[],"length":0,"stats":{"Line":14}},{"line":106,"address":[],"length":0,"stats":{"Line":14}},{"line":107,"address":[],"length":0,"stats":{"Line":28}},{"line":108,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":14}},{"line":110,"address":[],"length":0,"stats":{"Line":14}},{"line":114,"address":[],"length":0,"stats":{"Line":8}},{"line":115,"address":[],"length":0,"stats":{"Line":8}},{"line":119,"address":[],"length":0,"stats":{"Line":8}},{"line":120,"address":[],"length":0,"stats":{"Line":8}},{"line":123,"address":[],"length":0,"stats":{"Line":38}},{"line":125,"address":[],"length":0,"stats":{"Line":38}},{"line":126,"address":[],"length":0,"stats":{"Line":38}},{"line":127,"address":[],"length":0,"stats":{"Line":38}},{"line":128,"address":[],"length":0,"stats":{"Line":38}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":133,"address":[],"length":0,"stats":{"Line":0}},{"line":136,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":138,"address":[],"length":0,"stats":{"Line":0}},{"line":139,"address":[],"length":0,"stats":{"Line":0}},{"line":143,"address":[],"length":0,"stats":{"Line":0}},{"line":147,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":158,"address":[],"length":0,"stats":{"Line":0}},{"line":159,"address":[],"length":0,"stats":{"Line":0}},{"line":163,"address":[],"length":0,"stats":{"Line":0}},{"line":164,"address":[],"length":0,"stats":{"Line":0}},{"line":165,"address":[],"length":0,"stats":{"Line":0}},{"line":185,"address":[],"length":0,"stats":{"Line":14}},{"line":186,"address":[],"length":0,"stats":{"Line":28}},{"line":188,"address":[],"length":0,"stats":{"Line":14}},{"line":189,"address":[],"length":0,"stats":{"Line":14}},{"line":191,"address":[],"length":0,"stats":{"Line":14}},{"line":192,"address":[],"length":0,"stats":{"Line":0}},{"line":193,"address":[],"length":0,"stats":{"Line":28}},{"line":199,"address":[],"length":0,"stats":{"Line":0}},{"line":200,"address":[],"length":0,"stats":{"Line":14}},{"line":204,"address":[],"length":0,"stats":{"Line":93}},{"line":205,"address":[],"length":0,"stats":{"Line":93}},{"line":208,"address":[],"length":0,"stats":{"Line":0}},{"line":212,"address":[],"length":0,"stats":{"Line":0}},{"line":213,"address":[],"length":0,"stats":{"Line":0}},{"line":214,"address":[],"length":0,"stats":{"Line":0}},{"line":216,"address":[],"length":0,"stats":{"Line":0}},{"line":218,"address":[],"length":0,"stats":{"Line":0}},{"line":219,"address":[],"length":0,"stats":{"Line":0}},{"line":220,"address":[],"length":0,"stats":{"Line":0}}],"covered":62,"coverable":92},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","openssl","hmac.rs"],"content":"use openssl::{\n    hash::MessageDigest,\n    pkey::{PKey, Private},\n    sign::Signer,\n};\n\nuse crate::{\n    crypto::{backend::interface::hmac, Result},\n    jwa,\n};\n\n/// A low level HMAC key.\npub(crate) struct Key {\n    inner: PKey\u003cPrivate\u003e,\n    digest: MessageDigest,\n}\n\nimpl hmac::Key for Key {\n    type Signature = Vec\u003cu8\u003e;\n\n    fn new(variant: jwa::Hmac, data: \u0026[u8]) -\u003e Result\u003cSelf\u003e {\n        Ok(Self {\n            digest: match variant {\n                jwa::Hmac::Hs256 =\u003e MessageDigest::sha256(),\n                jwa::Hmac::Hs384 =\u003e MessageDigest::sha384(),\n                jwa::Hmac::Hs512 =\u003e MessageDigest::sha512(),\n            },\n            inner: PKey::hmac(data)?,\n        })\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let mut signer = Signer::new(self.digest, \u0026self.inner)?;\n        signer.update(data)?;\n        let sig = signer.sign_to_vec()?;\n        Ok(sig)\n    }\n}\n","traces":[{"line":21,"address":[],"length":0,"stats":{"Line":1}},{"line":22,"address":[],"length":0,"stats":{"Line":1}},{"line":23,"address":[],"length":0,"stats":{"Line":1}},{"line":24,"address":[],"length":0,"stats":{"Line":1}},{"line":25,"address":[],"length":0,"stats":{"Line":0}},{"line":26,"address":[],"length":0,"stats":{"Line":0}},{"line":28,"address":[],"length":0,"stats":{"Line":1}},{"line":32,"address":[],"length":0,"stats":{"Line":0}},{"line":33,"address":[],"length":0,"stats":{"Line":0}},{"line":34,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}}],"covered":5,"coverable":11},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","openssl","okp.rs"],"content":"use openssl::{\n    pkey::{Id, PKey, Private, Public},\n    sign::{Signer, Verifier},\n};\nuse secrecy::{ExposeSecret, SecretSlice};\n\nuse crate::crypto::{backend::interface::okp, Result};\n\nfn id_from_alg(alg: okp::CurveAlgorithm) -\u003e Result\u003cId\u003e {\n    Ok(match alg {\n        okp::CurveAlgorithm::Ed25519 =\u003e Id::ED25519,\n        #[cfg(not(feature = \"crypto-aws-lc\"))]\n        okp::CurveAlgorithm::Ed448 =\u003e Id::ED448,\n        #[cfg(feature = \"crypto-aws-lc\")]\n        okp::CurveAlgorithm::Ed448 =\u003e {\n            return Err(super::BackendError::Unsupported(\"Ed448\".to_string()).into())\n        }\n    })\n}\n\n/// A low level private ED key.\n#[derive(Clone)]\npub(crate) struct PrivateKey {\n    key: PKey\u003cPrivate\u003e,\n    public_key: PKey\u003cPublic\u003e,\n\n    raw: SecretSlice\u003cu8\u003e,\n    raw_public_key: Vec\u003cu8\u003e,\n}\n\nimpl okp::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(alg: okp::CurveAlgorithm) -\u003e Result\u003cSelf\u003e {\n        let key = match alg {\n            okp::CurveAlgorithm::Ed25519 =\u003e PKey::generate_ed25519()?,\n            #[cfg(not(feature = \"crypto-aws-lc\"))]\n            okp::CurveAlgorithm::Ed448 =\u003e PKey::generate_ed448()?,\n            #[cfg(feature = \"crypto-aws-lc\")]\n            okp::CurveAlgorithm::Ed448 =\u003e {\n                return Err(super::BackendError::Unsupported(\"Ed448\".to_string()).into())\n            }\n        };\n\n        let raw_public_key = key.raw_public_key()?;\n        let public_key = PKey::public_key_from_raw_bytes(\u0026raw_public_key, id_from_alg(alg)?)?;\n\n        Ok(Self {\n            raw: SecretSlice::from(key.raw_private_key()?),\n            public_key,\n            key,\n            raw_public_key,\n        })\n    }\n\n    fn new(alg: okp::CurveAlgorithm, x: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let key_type = id_from_alg(alg)?;\n\n        let key = PKey::private_key_from_raw_bytes(d.expose_secret(), key_type)?;\n        let public_key = PKey::public_key_from_raw_bytes(\u0026x, key_type)?;\n\n        Ok(Self {\n            raw: SecretSlice::from(key.raw_private_key()?),\n            raw_public_key: public_key.raw_public_key()?,\n            public_key,\n            key,\n        })\n    }\n\n    #[inline]\n    fn to_bytes(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        self.raw.clone()\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        Self::PublicKey {\n            key: self.public_key.clone(),\n            raw: self.raw_public_key.clone(),\n        }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let mut signer = Signer::new_without_digest(\u0026self.key)?;\n        let sig = signer.sign_oneshot_to_vec(data)?;\n\n        Ok(sig)\n    }\n}\n\n/// A low level public ED key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    key: PKey\u003cPublic\u003e,\n    raw: Vec\u003cu8\u003e,\n}\n\nimpl okp::PublicKey for PublicKey {\n    fn new(alg: okp::CurveAlgorithm, x: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let key_type = id_from_alg(alg)?;\n        let key = PKey::public_key_from_raw_bytes(\u0026x, key_type)?;\n\n        Ok(Self {\n            raw: key.raw_public_key()?,\n            key,\n        })\n    }\n\n    fn to_bytes(\u0026self) -\u003e Vec\u003cu8\u003e {\n        self.raw.clone()\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        let mut verifier = Verifier::new_without_digest(\u0026self.key)?;\n        let valid = verifier.verify_oneshot(signature, msg)?;\n\n        Ok(valid)\n    }\n}\n","traces":[{"line":9,"address":[],"length":0,"stats":{"Line":14}},{"line":10,"address":[],"length":0,"stats":{"Line":14}},{"line":11,"address":[],"length":0,"stats":{"Line":7}},{"line":13,"address":[],"length":0,"stats":{"Line":7}},{"line":35,"address":[],"length":0,"stats":{"Line":2}},{"line":36,"address":[],"length":0,"stats":{"Line":4}},{"line":37,"address":[],"length":0,"stats":{"Line":1}},{"line":39,"address":[],"length":0,"stats":{"Line":1}},{"line":46,"address":[],"length":0,"stats":{"Line":2}},{"line":47,"address":[],"length":0,"stats":{"Line":4}},{"line":50,"address":[],"length":0,"stats":{"Line":2}},{"line":57,"address":[],"length":0,"stats":{"Line":6}},{"line":58,"address":[],"length":0,"stats":{"Line":12}},{"line":60,"address":[],"length":0,"stats":{"Line":6}},{"line":61,"address":[],"length":0,"stats":{"Line":6}},{"line":64,"address":[],"length":0,"stats":{"Line":6}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":6}},{"line":67,"address":[],"length":0,"stats":{"Line":6}},{"line":72,"address":[],"length":0,"stats":{"Line":4}},{"line":73,"address":[],"length":0,"stats":{"Line":4}},{"line":76,"address":[],"length":0,"stats":{"Line":22}},{"line":78,"address":[],"length":0,"stats":{"Line":22}},{"line":79,"address":[],"length":0,"stats":{"Line":22}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":6}},{"line":100,"address":[],"length":0,"stats":{"Line":12}},{"line":101,"address":[],"length":0,"stats":{"Line":6}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":6}},{"line":109,"address":[],"length":0,"stats":{"Line":48}},{"line":110,"address":[],"length":0,"stats":{"Line":48}},{"line":113,"address":[],"length":0,"stats":{"Line":0}},{"line":114,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}}],"covered":29,"coverable":37},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","openssl","rsa.rs"],"content":"use alloc::vec::Vec;\n\nuse openssl::{\n    bn::{BigNum, BigNumRef},\n    hash::MessageDigest,\n    pkey::{PKey, Private, Public},\n    rsa::{Padding, Rsa},\n    sign::{Signer, Verifier},\n};\nuse secrecy::{ExposeSecret, SecretSlice};\n\nuse crate::{\n    crypto::{backend::interface::rsa, Result},\n    jwa,\n};\n\nfn digest(alg: jwa::RsaSigning) -\u003e MessageDigest {\n    match alg {\n        jwa::RsaSigning::Pss(pss) =\u003e match pss {\n            jwa::RsassaPss::Ps256 =\u003e MessageDigest::sha256(),\n            jwa::RsassaPss::Ps384 =\u003e MessageDigest::sha384(),\n            jwa::RsassaPss::Ps512 =\u003e MessageDigest::sha512(),\n        },\n        jwa::RsaSigning::RsPkcs1V1_5(pkcs) =\u003e match pkcs {\n            jwa::RsassaPkcs1V1_5::Rs256 =\u003e MessageDigest::sha256(),\n            jwa::RsassaPkcs1V1_5::Rs384 =\u003e MessageDigest::sha384(),\n            jwa::RsassaPkcs1V1_5::Rs512 =\u003e MessageDigest::sha512(),\n        },\n    }\n}\n\n/// A low level private RSA key.\n#[derive(Clone)]\npub(crate) struct PrivateKey {\n    private_key: PKey\u003cPrivate\u003e,\n    public_key: PKey\u003cPublic\u003e,\n\n    private_data: Rsa\u003cPrivate\u003e,\n    public_data: Rsa\u003cPublic\u003e,\n}\n\nimpl rsa::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(bits: usize) -\u003e Result\u003cSelf\u003e {\n        let private_data = Rsa::generate(bits as u32)?;\n        let public_data = Rsa::from_public_components(\n            private_data.n().to_owned()?,\n            private_data.e().to_owned()?,\n        )?;\n\n        Ok(Self {\n            private_key: PKey::from_rsa(private_data.clone())?,\n            public_key: PKey::from_rsa(public_data.clone())?,\n            private_data,\n            public_data,\n        })\n    }\n\n    fn from_components(\n        pri: rsa::PrivateKeyComponents,\n        pu: rsa::PublicKeyComponents,\n    ) -\u003e Result\u003cSelf\u003e {\n        let n = BigNum::from_slice(\u0026pu.n)?;\n        let e = BigNum::from_slice(\u0026pu.e)?;\n\n        let d = BigNum::from_slice(pri.d.expose_secret())?;\n        let p = BigNum::from_slice(pri.prime.p.expose_secret())?;\n        let q = BigNum::from_slice(pri.prime.q.expose_secret())?;\n        let dp = BigNum::from_slice(pri.prime.dp.expose_secret())?;\n        let dq = BigNum::from_slice(pri.prime.dq.expose_secret())?;\n        let qi = BigNum::from_slice(pri.prime.qi.expose_secret())?;\n\n        let private_data = Rsa::from_private_components(n, e, d, p, q, dp, dq, qi)?;\n        private_data.check_key()?;\n\n        let n = BigNum::from_slice(\u0026pu.n)?;\n        let e = BigNum::from_slice(\u0026pu.e)?;\n        let public_data = Rsa::from_public_components(n, e)?;\n\n        Ok(Self {\n            private_key: PKey::from_rsa(private_data.clone())?,\n            public_key: PKey::from_rsa(public_data.clone())?,\n            private_data,\n            public_data,\n        })\n    }\n\n    fn sign(\u0026mut self, alg: jwa::RsaSigning, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let digest = digest(alg);\n        let mut signer = Signer::new(digest, \u0026self.private_key)?;\n\n        // FIXME: verify correct setting of parameters\n        match alg {\n            jwa::RsaSigning::Pss(..) =\u003e {\n                signer.set_rsa_mgf1_md(digest)?;\n                signer.set_rsa_padding(Padding::PKCS1_PSS)?;\n            }\n            jwa::RsaSigning::RsPkcs1V1_5(..) =\u003e {\n                signer.set_rsa_padding(Padding::PKCS1)?;\n            }\n        }\n\n        signer.update(data)?;\n        let sig = signer.sign_to_vec()?;\n        Ok(sig)\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            key: self.public_key.clone(),\n            data: self.public_data.clone(),\n        }\n    }\n\n    fn private_components(\u0026self) -\u003e Result\u003crsa::PrivateKeyComponents\u003e {\n        let err = || super::BackendError::NoPrimeData;\n        let map = |x: Option\u003c\u0026BigNumRef\u003e| x.map(|x| SecretSlice::from(x.to_vec())).ok_or_else(err);\n\n        let d = SecretSlice::from(self.private_data.d().to_vec());\n\n        let p = map(self.private_data.p())?;\n        let q = map(self.private_data.q())?;\n        let dp = map(self.private_data.dmp1())?;\n        let dq = map(self.private_data.dmq1())?;\n        let qi = map(self.private_data.iqmp())?;\n\n        Ok(rsa::PrivateKeyComponents {\n            d,\n            prime: rsa::PrivateKeyPrimeComponents { p, q, dp, dq, qi },\n        })\n    }\n\n    fn public_components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        let n = self.private_data.n().to_vec();\n        let e = self.private_data.e().to_vec();\n        rsa::PublicKeyComponents { n, e }\n    }\n}\n\n/// A low level public RSA key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    key: PKey\u003cPublic\u003e,\n    data: Rsa\u003cPublic\u003e,\n}\n\nimpl rsa::PublicKey for PublicKey {\n    fn from_components(c: rsa::PublicKeyComponents) -\u003e Result\u003cSelf\u003e {\n        let n = BigNum::from_slice(\u0026c.n)?;\n        let e = BigNum::from_slice(\u0026c.e)?;\n        let data = Rsa::from_public_components(n, e)?;\n\n        Ok(Self {\n            key: PKey::from_rsa(data.clone())?,\n            data,\n        })\n    }\n\n    fn verify(\u0026mut self, alg: jwa::RsaSigning, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        let digest = digest(alg);\n        let mut verifier = Verifier::new(digest, \u0026self.key)?;\n\n        // FIXME: verify correct setting of parameters\n        match alg {\n            jwa::RsaSigning::Pss(..) =\u003e {\n                verifier.set_rsa_mgf1_md(digest)?;\n                verifier.set_rsa_padding(Padding::PKCS1_PSS)?;\n            }\n            jwa::RsaSigning::RsPkcs1V1_5(..) =\u003e {\n                verifier.set_rsa_padding(Padding::PKCS1)?;\n            }\n        }\n\n        verifier.update(msg)?;\n        let valid = verifier.verify(signature)?;\n        Ok(valid)\n    }\n\n    fn components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        rsa::PublicKeyComponents {\n            n: self.data.n().to_vec(),\n            e: self.data.e().to_vec(),\n        }\n    }\n}\n","traces":[{"line":17,"address":[],"length":0,"stats":{"Line":0}},{"line":18,"address":[],"length":0,"stats":{"Line":0}},{"line":19,"address":[],"length":0,"stats":{"Line":0}},{"line":20,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}},{"line":24,"address":[],"length":0,"stats":{"Line":0}},{"line":25,"address":[],"length":0,"stats":{"Line":0}},{"line":26,"address":[],"length":0,"stats":{"Line":0}},{"line":27,"address":[],"length":0,"stats":{"Line":0}},{"line":46,"address":[],"length":0,"stats":{"Line":1}},{"line":47,"address":[],"length":0,"stats":{"Line":2}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":50,"address":[],"length":0,"stats":{"Line":1}},{"line":54,"address":[],"length":0,"stats":{"Line":0}},{"line":55,"address":[],"length":0,"stats":{"Line":1}},{"line":56,"address":[],"length":0,"stats":{"Line":1}},{"line":57,"address":[],"length":0,"stats":{"Line":1}},{"line":61,"address":[],"length":0,"stats":{"Line":6}},{"line":65,"address":[],"length":0,"stats":{"Line":12}},{"line":66,"address":[],"length":0,"stats":{"Line":6}},{"line":68,"address":[],"length":0,"stats":{"Line":6}},{"line":69,"address":[],"length":0,"stats":{"Line":6}},{"line":70,"address":[],"length":0,"stats":{"Line":6}},{"line":71,"address":[],"length":0,"stats":{"Line":6}},{"line":72,"address":[],"length":0,"stats":{"Line":6}},{"line":73,"address":[],"length":0,"stats":{"Line":6}},{"line":75,"address":[],"length":0,"stats":{"Line":6}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":12}},{"line":79,"address":[],"length":0,"stats":{"Line":6}},{"line":80,"address":[],"length":0,"stats":{"Line":6}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":6}},{"line":85,"address":[],"length":0,"stats":{"Line":6}},{"line":86,"address":[],"length":0,"stats":{"Line":6}},{"line":90,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":16}},{"line":112,"address":[],"length":0,"stats":{"Line":16}},{"line":113,"address":[],"length":0,"stats":{"Line":16}},{"line":117,"address":[],"length":0,"stats":{"Line":4}},{"line":118,"address":[],"length":0,"stats":{"Line":4}},{"line":119,"address":[],"length":0,"stats":{"Line":64}},{"line":121,"address":[],"length":0,"stats":{"Line":4}},{"line":123,"address":[],"length":0,"stats":{"Line":8}},{"line":124,"address":[],"length":0,"stats":{"Line":4}},{"line":125,"address":[],"length":0,"stats":{"Line":4}},{"line":126,"address":[],"length":0,"stats":{"Line":4}},{"line":127,"address":[],"length":0,"stats":{"Line":4}},{"line":135,"address":[],"length":0,"stats":{"Line":4}},{"line":136,"address":[],"length":0,"stats":{"Line":4}},{"line":137,"address":[],"length":0,"stats":{"Line":4}},{"line":150,"address":[],"length":0,"stats":{"Line":13}},{"line":151,"address":[],"length":0,"stats":{"Line":26}},{"line":152,"address":[],"length":0,"stats":{"Line":13}},{"line":153,"address":[],"length":0,"stats":{"Line":13}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":157,"address":[],"length":0,"stats":{"Line":13}},{"line":161,"address":[],"length":0,"stats":{"Line":0}},{"line":162,"address":[],"length":0,"stats":{"Line":0}},{"line":163,"address":[],"length":0,"stats":{"Line":0}},{"line":168,"address":[],"length":0,"stats":{"Line":0}},{"line":169,"address":[],"length":0,"stats":{"Line":0}},{"line":172,"address":[],"length":0,"stats":{"Line":0}},{"line":176,"address":[],"length":0,"stats":{"Line":0}},{"line":177,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":63}},{"line":183,"address":[],"length":0,"stats":{"Line":63}},{"line":184,"address":[],"length":0,"stats":{"Line":63}}],"covered":45,"coverable":76},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","openssl.rs"],"content":"//! This backend implements the primitives using the [OpenSSL](openssl) library.\n\nuse thiserror::Error;\n\nuse super::interface;\n\npub(crate) mod ec;\npub(crate) mod hmac;\npub(crate) mod okp;\npub(crate) mod rsa;\n\n#[allow(dead_code)] // may occurr when selecting different OpenSSL variant\n#[derive(Debug, Error)]\npub(crate) enum BackendError {\n    /// An error from the OpenSSL library.\n    #[error(transparent)]\n    OpenSsl(#[from] openssl::error::ErrorStack),\n\n    /// No prime data was found in private key\n    #[error(\"No prime data was found in private key\")]\n    NoPrimeData,\n\n    /// A specific feature is not supported\n    #[error(\"openssl variant does not support feature: {0}\")]\n    Unsupported(String),\n}\n\n/// The [RustCrypto] based backend.\n///\n/// [RustCrypto]: https://github.com/RustCrypto\n#[derive(Debug)]\npub(crate) enum Backend {}\n\nimpl interface::Backend for Backend {\n    type EcPrivateKey = ec::PrivateKey;\n    type EcPublicKey = ec::PublicKey;\n    type EdPrivateKey = okp::PrivateKey;\n    type EdPublicKey = okp::PublicKey;\n    type Error = BackendError;\n    type HmacKey = hmac::Key;\n    type RsaPrivateKey = rsa::PrivateKey;\n    type RsaPublicKey = rsa::PublicKey;\n\n    fn fill_random(buf: \u0026mut [u8]) -\u003e Result\u003c(), Self::Error\u003e {\n        openssl::rand::rand_bytes(buf)?;\n        Ok(())\n    }\n\n    fn sha256(data: \u0026[u8]) -\u003e [u8; 32] {\n        openssl::sha::sha256(data)\n    }\n\n    fn sha384(data: \u0026[u8]) -\u003e [u8; 48] {\n        openssl::sha::sha384(data)\n    }\n\n    fn sha512(data: \u0026[u8]) -\u003e [u8; 64] {\n        openssl::sha::sha512(data)\n    }\n}\n","traces":[{"line":44,"address":[],"length":0,"stats":{"Line":1}},{"line":45,"address":[],"length":0,"stats":{"Line":1}},{"line":46,"address":[],"length":0,"stats":{"Line":1}},{"line":49,"address":[],"length":0,"stats":{"Line":33}},{"line":50,"address":[],"length":0,"stats":{"Line":33}},{"line":53,"address":[],"length":0,"stats":{"Line":21}},{"line":54,"address":[],"length":0,"stats":{"Line":21}},{"line":57,"address":[],"length":0,"stats":{"Line":21}},{"line":58,"address":[],"length":0,"stats":{"Line":21}}],"covered":9,"coverable":9},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","ring","ec.rs"],"content":"use alloc::{boxed::Box, vec::Vec};\n\nuse ring::{\n    rand::SystemRandom,\n    signature::{self, EcdsaKeyPair, UnparsedPublicKey},\n};\nuse secrecy::{ExposeSecret as _, SecretSlice};\n\nuse crate::{\n    crypto::{backend::interface::ec, Result},\n    jwa::{self, EcDSA},\n};\n\n/// Converts x and y coordinates to a sequence that is compatible\n/// with the \"Octet-String-to-Elliptic-Curve-Point Conversion\" algorithm\n/// defined in Section 2.3.4 of https://www.secg.org/sec1-v2.pdf\nfn make_public_key(x: \u0026[u8], y: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n    let mut pubkey = Vec::with_capacity(x.len() + y.len() + 1);\n    pubkey.push(0x04); // uncompressed point\n    pubkey.extend_from_slice(x);\n    pubkey.extend_from_slice(y);\n    pubkey\n}\n\npub(crate) struct PrivateKeyData {\n    key: EcdsaKeyPair,\n    private_material: SecretSlice\u003cu8\u003e,\n\n    pub_key: UnparsedPublicKey\u003cVec\u003cu8\u003e\u003e,\n    x: Vec\u003cu8\u003e,\n    y: Vec\u003cu8\u003e,\n}\n\n/// A low level private EC key.\npub(crate) struct PrivateKey {\n    alg: \u0026'static signature::EcdsaSigningAlgorithm,\n    data: Box\u003cPrivateKeyData\u003e,\n}\n\nimpl Clone for PrivateKey {\n    fn clone(\u0026self) -\u003e Self {\n        Self {\n            alg: self.alg,\n            data: Box::new(PrivateKeyData {\n                key: EcdsaKeyPair::from_private_key_and_public_key(\n                    self.alg,\n                    self.data.private_material.expose_secret(),\n                    self.data.pub_key.as_ref(),\n                    \u0026SystemRandom::new(),\n                )\n                .expect(\"this method was already successful with the exact same data\"),\n                private_material: self.data.private_material.clone(),\n                pub_key: self.data.pub_key.clone(),\n                x: self.data.x.clone(),\n                y: self.data.y.clone(),\n            }),\n        }\n    }\n}\n\nimpl ec::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(_alg: jwa::EcDSA) -\u003e Result\u003cSelf\u003e {\n        Err(super::BackendError::Unsupported(\"EcDSA key generation\").into())\n    }\n\n    fn new(alg: EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let (sign_alg, verify_alg) = match alg {\n            EcDSA::Es256 =\u003e (\n                \u0026signature::ECDSA_P256_SHA256_FIXED_SIGNING,\n                \u0026signature::ECDSA_P256_SHA256_FIXED,\n            ),\n            EcDSA::Es384 =\u003e (\n                \u0026signature::ECDSA_P384_SHA384_FIXED_SIGNING,\n                \u0026signature::ECDSA_P384_SHA384_FIXED,\n            ),\n            EcDSA::Es512 =\u003e return Err(super::BackendError::UnsupportedCurve(\"P-521\").into()),\n            EcDSA::Es256K =\u003e return Err(super::BackendError::UnsupportedCurve(\"secp256k1\").into()),\n        };\n\n        let rng = SystemRandom::new();\n        let pubkey = make_public_key(\u0026x, \u0026y);\n\n        let keypair = EcdsaKeyPair::from_private_key_and_public_key(\n            sign_alg,\n            d.expose_secret(),\n            \u0026pubkey,\n            \u0026rng,\n        )?;\n\n        Ok(Self {\n            alg: sign_alg,\n            data: Box::new(PrivateKeyData {\n                key: keypair,\n                private_material: d,\n                pub_key: UnparsedPublicKey::new(verify_alg, pubkey),\n                x,\n                y,\n            }),\n        })\n    }\n\n    fn private_material(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        self.data.private_material.clone()\n    }\n\n    #[inline]\n    fn public_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        (self.data.x.clone(), self.data.y.clone())\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            inner: self.data.pub_key.clone(),\n            x: self.data.x.clone(),\n            y: self.data.y.clone(),\n        }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8], deterministic: bool) -\u003e Result\u003cSelf::Signature\u003e {\n        if deterministic {\n            return Err(super::BackendError::Unsupported(\"deterministic EcDSA signing\").into());\n        }\n\n        let sig = self.data.key.sign(\u0026SystemRandom::new(), data)?;\n        Ok(sig.as_ref().to_vec())\n    }\n}\n\n/// A low level public EC key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    inner: UnparsedPublicKey\u003cVec\u003cu8\u003e\u003e,\n    x: Vec\u003cu8\u003e,\n    y: Vec\u003cu8\u003e,\n}\n\nimpl ec::PublicKey for PublicKey {\n    fn new(alg: EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let verify_alg = match alg {\n            EcDSA::Es256 =\u003e \u0026signature::ECDSA_P256_SHA256_FIXED,\n            EcDSA::Es384 =\u003e \u0026signature::ECDSA_P384_SHA384_FIXED,\n            EcDSA::Es512 =\u003e return Err(super::BackendError::UnsupportedCurve(\"P-521\").into()),\n            EcDSA::Es256K =\u003e return Err(super::BackendError::UnsupportedCurve(\"secp256k1\").into()),\n        };\n\n        let pubkey = UnparsedPublicKey::new(verify_alg, make_public_key(\u0026x, \u0026y));\n        Ok(Self {\n            inner: pubkey,\n            x,\n            y,\n        })\n    }\n\n    fn to_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        (self.x.clone(), self.y.clone())\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        Ok(self.inner.verify(msg, signature).is_ok())\n    }\n}\n","traces":[{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":2},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","ring","hmac.rs"],"content":"use ring::hmac::Key as RingKey;\n\nuse crate::{\n    crypto::{backend::interface::hmac, Result},\n    jwa,\n};\n\n/// A low level HMAC key.\n#[repr(transparent)]\npub(crate) struct Key {\n    inner: RingKey,\n}\n\nimpl hmac::Key for Key {\n    type Signature = ring::hmac::Tag;\n\n    fn new(variant: jwa::Hmac, data: \u0026[u8]) -\u003e Result\u003cSelf\u003e {\n        let key = match variant {\n            jwa::Hmac::Hs256 =\u003e RingKey::new(ring::hmac::HMAC_SHA256, data),\n            jwa::Hmac::Hs384 =\u003e RingKey::new(ring::hmac::HMAC_SHA384, data),\n            jwa::Hmac::Hs512 =\u003e RingKey::new(ring::hmac::HMAC_SHA512, data),\n        };\n\n        Ok(Self { inner: key })\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        Ok(ring::hmac::sign(\u0026self.inner, data))\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","ring","okp.rs"],"content":"use alloc::vec::Vec;\n\nuse ring::signature::{Ed25519KeyPair, KeyPair as _, UnparsedPublicKey};\nuse secrecy::{ExposeSecret, SecretSlice};\n\nuse crate::crypto::{backend::interface::okp, Result};\n\n/// A low level public ED key.\npub(crate) struct PrivateKey {\n    inner: Ed25519KeyPair,\n    d: SecretSlice\u003cu8\u003e,\n}\n\nimpl Clone for PrivateKey {\n    fn clone(\u0026self) -\u003e Self {\n        Self {\n            inner: Ed25519KeyPair::from_seed_and_public_key(\n                self.d.expose_secret(),\n                self.inner.public_key().as_ref(),\n            )\n            .expect(\"this method was already successful with the exact same data\"),\n            d: self.d.clone(),\n        }\n    }\n}\n\nimpl okp::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(_alg: okp::CurveAlgorithm) -\u003e Result\u003cSelf\u003e {\n        Err(super::BackendError::Unsupported(\"Ed25519 key generation\").into())\n    }\n\n    fn new(alg: okp::CurveAlgorithm, x: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        if alg != okp::CurveAlgorithm::Ed25519 {\n            return Err(super::BackendError::UnsupportedCurve(\"Ed2559\").into());\n        }\n\n        let key = Ed25519KeyPair::from_seed_and_public_key(d.expose_secret(), \u0026x)?;\n\n        Ok(Self { inner: key, d })\n    }\n\n    fn to_bytes(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        self.d.clone()\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            inner: UnparsedPublicKey::new(\n                \u0026ring::signature::ED25519,\n                self.inner.public_key().as_ref().to_vec(),\n            ),\n        }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let sig = self.inner.sign(data);\n        Ok(sig.as_ref().to_vec())\n    }\n}\n\n/// A low level public ED key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    inner: UnparsedPublicKey\u003cVec\u003cu8\u003e\u003e,\n}\n\nimpl okp::PublicKey for PublicKey {\n    fn new(alg: okp::CurveAlgorithm, x: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        if alg != okp::CurveAlgorithm::Ed25519 {\n            return Err(super::BackendError::UnsupportedCurve(\"Ed2559\").into());\n        }\n\n        let key = UnparsedPublicKey::new(\u0026ring::signature::ED25519, x);\n        Ok(Self { inner: key })\n    }\n\n    fn to_bytes(\u0026self) -\u003e Vec\u003cu8\u003e {\n        self.inner.as_ref().to_vec()\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        Ok(self.inner.verify(msg, signature).is_ok())\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","ring","rsa.rs"],"content":"use alloc::{vec, vec::Vec};\n\nuse ring::{\n    rand::SystemRandom,\n    rsa::{KeyPair, KeyPairComponents, PublicKeyComponents, RsaParameters},\n    signature::RsaEncoding,\n};\nuse secrecy::ExposeSecret;\n\nuse crate::{\n    crypto::{backend::interface::rsa, Result},\n    jwa::{self, RsaSigning, RsassaPkcs1V1_5, RsassaPss},\n};\n\n/// A low level private RSA key.\npub(crate) struct PrivateKey {\n    inner: KeyPair,\n\n    // store this data, as ring doesn't provide a way to access it\n    private_components: rsa::PrivateKeyComponents,\n    public_components: rsa::PublicKeyComponents,\n}\n\nimpl Clone for PrivateKey {\n    fn clone(\u0026self) -\u003e Self {\n        let pri = \u0026self.private_components;\n        let pu = \u0026self.public_components;\n        let components = KeyPairComponents {\n            public_key: PublicKeyComponents { n: \u0026pu.n, e: \u0026pu.e },\n            d: pri.d.expose_secret(),\n            p: pri.prime.p.expose_secret(),\n            q: pri.prime.q.expose_secret(),\n            dP: pri.prime.dp.expose_secret(),\n            dQ: pri.prime.dq.expose_secret(),\n            qInv: pri.prime.qi.expose_secret(),\n        };\n\n        Self {\n            inner: KeyPair::from_components(\u0026components)\n                .expect(\"this method was already successful with the exact same data\"),\n            private_components: self.private_components.clone(),\n            public_components: self.public_components.clone(),\n        }\n    }\n}\n\nimpl rsa::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(_bits: usize) -\u003e Result\u003cSelf\u003e {\n        Err(super::BackendError::Unsupported(\"RSA key generation\").into())\n    }\n\n    fn sign(\u0026mut self, alg: jwa::RsaSigning, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let padding_alg: \u0026'static dyn RsaEncoding = match alg {\n            RsaSigning::Pss(pss) =\u003e match pss {\n                RsassaPss::Ps256 =\u003e \u0026ring::signature::RSA_PSS_SHA256,\n                RsassaPss::Ps384 =\u003e \u0026ring::signature::RSA_PSS_SHA384,\n                RsassaPss::Ps512 =\u003e \u0026ring::signature::RSA_PSS_SHA512,\n            },\n            RsaSigning::RsPkcs1V1_5(pkcs) =\u003e match pkcs {\n                RsassaPkcs1V1_5::Rs256 =\u003e \u0026ring::signature::RSA_PKCS1_SHA512,\n                RsassaPkcs1V1_5::Rs384 =\u003e \u0026ring::signature::RSA_PKCS1_SHA384,\n                RsassaPkcs1V1_5::Rs512 =\u003e \u0026ring::signature::RSA_PKCS1_SHA512,\n            },\n        };\n\n        let rng = SystemRandom::new();\n        let mut sig = vec![0; self.inner.public().modulus_len()];\n        self.inner.sign(padding_alg, \u0026rng, data, \u0026mut sig)?;\n        Ok(sig)\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            components: self.public_components.clone(),\n        }\n    }\n\n    fn from_components(\n        pri: rsa::PrivateKeyComponents,\n        pu: rsa::PublicKeyComponents,\n    ) -\u003e Result\u003cSelf\u003e {\n        let components = KeyPairComponents {\n            public_key: PublicKeyComponents { n: \u0026pu.n, e: \u0026pu.e },\n            d: pri.d.expose_secret(),\n            p: pri.prime.p.expose_secret(),\n            q: pri.prime.q.expose_secret(),\n            dP: pri.prime.dp.expose_secret(),\n            dQ: pri.prime.dq.expose_secret(),\n            qInv: pri.prime.qi.expose_secret(),\n        };\n        let key = KeyPair::from_components(\u0026components)?;\n\n        Ok(Self {\n            inner: key,\n            private_components: pri,\n            public_components: pu,\n        })\n    }\n\n    fn private_components(\u0026self) -\u003e Result\u003crsa::PrivateKeyComponents\u003e {\n        Ok(self.private_components.clone())\n    }\n\n    fn public_components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        self.public_components.clone()\n    }\n}\n\n/// A low level public RSA key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    components: rsa::PublicKeyComponents,\n}\n\nimpl rsa::PublicKey for PublicKey {\n    fn from_components(c: rsa::PublicKeyComponents) -\u003e Result\u003cSelf\u003e {\n        Ok(Self { components: c })\n    }\n\n    fn verify(\u0026mut self, alg: jwa::RsaSigning, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        let params: \u0026'static RsaParameters = match alg {\n            RsaSigning::Pss(pss) =\u003e match pss {\n                RsassaPss::Ps256 =\u003e \u0026ring::signature::RSA_PSS_2048_8192_SHA256,\n                RsassaPss::Ps384 =\u003e \u0026ring::signature::RSA_PSS_2048_8192_SHA384,\n                RsassaPss::Ps512 =\u003e \u0026ring::signature::RSA_PSS_2048_8192_SHA512,\n            },\n            RsaSigning::RsPkcs1V1_5(pkcs) =\u003e match pkcs {\n                RsassaPkcs1V1_5::Rs256 =\u003e \u0026ring::signature::RSA_PKCS1_2048_8192_SHA256,\n                RsassaPkcs1V1_5::Rs384 =\u003e \u0026ring::signature::RSA_PKCS1_2048_8192_SHA384,\n                RsassaPkcs1V1_5::Rs512 =\u003e \u0026ring::signature::RSA_PKCS1_2048_8192_SHA512,\n            },\n        };\n\n        let rsa = PublicKeyComponents {\n            n: \u0026self.components.n,\n            e: \u0026self.components.e,\n        };\n\n        Ok(rsa.verify(params, msg, signature).is_ok())\n    }\n\n    fn components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        self.components.clone()\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","ring.rs"],"content":"//! This backend implements the primitives using the [`ring`] crate\n\nuse ring::{\n    digest,\n    rand::{SecureRandom as _, SystemRandom},\n};\nuse thiserror::Error;\n\nuse super::interface;\n\npub(crate) mod ec;\npub(crate) mod hmac;\npub(crate) mod okp;\npub(crate) mod rsa;\n\n// TODO: remove the `cfg_attr` once the RustCrypto crates implement\n// the core::error::Error trait.\n\n/// The errors that can be produced by the rust crypto backend.\n#[derive(Debug, Error)]\npub(crate) enum BackendError {\n    /// The error returned by `ring`.\n    #[error(\"ring returned an unspecified error\")]\n    Unspecified,\n\n    /// Key rejected error.\n    #[error(\"{0}\")]\n    KeyRejected(ring::error::KeyRejected),\n\n    /// Unsupported EC curve\n    #[error(\"unsupported EcDSA curve: {0}\")]\n    UnsupportedCurve(\u0026'static str),\n\n    /// A specific feature is not supported\n    #[error(\"ring does not support feature: {0}\")]\n    Unsupported(\u0026'static str),\n}\n\nimpl From\u003cring::error::Unspecified\u003e for BackendError {\n    fn from(_: ring::error::Unspecified) -\u003e Self {\n        Self::Unspecified\n    }\n}\n\nimpl From\u003cring::error::KeyRejected\u003e for BackendError {\n    fn from(x: ring::error::KeyRejected) -\u003e Self {\n        Self::KeyRejected(x)\n    }\n}\n\n/// The [`ring`] based backend.\n#[derive(Debug)]\npub(crate) enum Backend {}\n\nimpl interface::Backend for Backend {\n    type EcPrivateKey = ec::PrivateKey;\n    type EcPublicKey = ec::PublicKey;\n    type EdPrivateKey = okp::PrivateKey;\n    type EdPublicKey = okp::PublicKey;\n    type Error = BackendError;\n    type HmacKey = hmac::Key;\n    type RsaPrivateKey = rsa::PrivateKey;\n    type RsaPublicKey = rsa::PublicKey;\n\n    fn fill_random(buf: \u0026mut [u8]) -\u003e Result\u003c(), Self::Error\u003e {\n        let rng = SystemRandom::new();\n        rng.fill(buf)?;\n        Ok(())\n    }\n\n    fn sha256(data: \u0026[u8]) -\u003e [u8; 32] {\n        digest::digest(\u0026digest::SHA256, data)\n            .as_ref()\n            .try_into()\n            .expect(\"SHA256 digest length mismatch\")\n    }\n\n    fn sha384(data: \u0026[u8]) -\u003e [u8; 48] {\n        digest::digest(\u0026digest::SHA384, data)\n            .as_ref()\n            .try_into()\n            .expect(\"SHA384 digest length mismatch\")\n    }\n\n    fn sha512(data: \u0026[u8]) -\u003e [u8; 64] {\n        digest::digest(\u0026digest::SHA512, data)\n            .as_ref()\n            .try_into()\n            .expect(\"SHA512 digest length mismatch\")\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","rust","ec.rs"],"content":"use alloc::vec::Vec;\n\nuse ecdsa::EncodedPoint;\nuse elliptic_curve::{\n    sec1::{FromEncodedPoint, ToEncodedPoint, ValidatePublicKey as _},\n    FieldBytes, SecretKey,\n};\nuse generic_array::typenum::Unsigned as _;\nuse k256::Secp256k1;\nuse p256::NistP256;\nuse p384::NistP384;\nuse rand_core::OsRng;\nuse secrecy::{ExposeSecret as _, SecretSlice};\nuse signature::{RandomizedSigner as _, Verifier as _};\nuse zeroize::Zeroizing;\n\nuse crate::{\n    crypto::{backend::interface::ec, Result},\n    jwa::{self, EcDSA},\n};\n\n#[derive(Clone)]\nenum ErasedPrivateKey {\n    P256(SecretKey\u003cNistP256\u003e),\n    P384(SecretKey\u003cNistP384\u003e),\n    Secp256k1(SecretKey\u003cSecp256k1\u003e),\n}\n\n#[derive(Clone)]\nenum ErasedPublicKey {\n    P256(elliptic_curve::PublicKey\u003cNistP256\u003e),\n    P384(elliptic_curve::PublicKey\u003cNistP384\u003e),\n    Secp256k1(elliptic_curve::PublicKey\u003cSecp256k1\u003e),\n}\n\n#[derive(Clone)]\npub(crate) enum ErasedSignature {\n    P256(ecdsa::SignatureBytes\u003cNistP256\u003e),\n    P384(ecdsa::SignatureBytes\u003cNistP384\u003e),\n    Secp256k1(ecdsa::SignatureBytes\u003cSecp256k1\u003e),\n}\n\nimpl From\u003cErasedSignature\u003e for Vec\u003cu8\u003e {\n    fn from(value: ErasedSignature) -\u003e Self {\n        match value {\n            ErasedSignature::P256(sig) =\u003e sig.to_vec(),\n            ErasedSignature::P384(sig) =\u003e sig.to_vec(),\n            ErasedSignature::Secp256k1(sig) =\u003e sig.to_vec(),\n        }\n    }\n}\n\nimpl AsRef\u003c[u8]\u003e for ErasedSignature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        match self {\n            ErasedSignature::P256(sig) =\u003e sig.as_ref(),\n            ErasedSignature::P384(sig) =\u003e sig.as_ref(),\n            ErasedSignature::Secp256k1(sig) =\u003e sig.as_ref(),\n        }\n    }\n}\n\nfn to_field_bytes\u003cC: elliptic_curve::Curve\u003e(\n    bytes: \u0026[u8],\n) -\u003e Result\u003c\u0026FieldBytes\u003cC\u003e, super::BackendError\u003e {\n    if bytes.len() != C::FieldBytesSize::USIZE {\n        return Err(super::BackendError::InvalidEcPoint {\n            expected: C::FieldBytesSize::USIZE,\n            actual: bytes.len(),\n        });\n    }\n\n    Ok(FieldBytes::\u003cC\u003e::from_slice(bytes))\n}\n\n/// A low level private EC key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PrivateKey {\n    inner: ErasedPrivateKey,\n}\n\nimpl ec::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = ErasedSignature;\n\n    fn generate(alg: jwa::EcDSA) -\u003e Result\u003cSelf\u003e {\n        let mut rng = OsRng;\n\n        let key = match alg {\n            EcDSA::Es256 =\u003e ErasedPrivateKey::P256(SecretKey::\u003cNistP256\u003e::random(\u0026mut rng)),\n            EcDSA::Es384 =\u003e ErasedPrivateKey::P384(SecretKey::\u003cNistP384\u003e::random(\u0026mut rng)),\n            EcDSA::Es512 =\u003e return Err(super::BackendError::CurveNotSupported(\"P-521\").into()),\n            EcDSA::Es256K =\u003e ErasedPrivateKey::Secp256k1(SecretKey::\u003cSecp256k1\u003e::random(\u0026mut rng)),\n        };\n        Ok(Self { inner: key })\n    }\n\n    fn new(alg: EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        fn new_typed\u003cC: elliptic_curve::Curve + elliptic_curve::CurveArithmetic\u003e(\n            x: Vec\u003cu8\u003e,\n            y: Vec\u003cu8\u003e,\n            d: SecretSlice\u003cu8\u003e,\n        ) -\u003e Result\u003celliptic_curve::SecretKey\u003cC\u003e\u003e\n        where\n            \u003cC as elliptic_curve::Curve\u003e::FieldBytesSize: elliptic_curve::sec1::ModulusSize,\n            \u003cC as elliptic_curve::CurveArithmetic\u003e::AffinePoint: FromEncodedPoint\u003cC\u003e,\n            \u003cC as elliptic_curve::CurveArithmetic\u003e::AffinePoint: ToEncodedPoint\u003cC\u003e,\n        {\n            let x = to_field_bytes::\u003cC\u003e(\u0026x)?;\n            let y = to_field_bytes::\u003cC\u003e(\u0026y)?;\n\n            let d = d.expose_secret();\n            let d = to_field_bytes::\u003cC\u003e(d)?;\n\n            let point = EncodedPoint::\u003cC\u003e::from_affine_coordinates(x, y, false);\n            let secret = elliptic_curve::SecretKey::\u003cC\u003e::from_bytes(d)\n                .map_err(super::BackendError::EllipticCurve)?;\n\n            C::validate_public_key(\u0026secret, \u0026point).map_err(super::BackendError::EllipticCurve)?;\n\n            Ok(secret)\n        }\n\n        match alg {\n            EcDSA::Es256 =\u003e Ok(Self {\n                inner: ErasedPrivateKey::P256(new_typed::\u003cNistP256\u003e(x, y, d)?),\n            }),\n            EcDSA::Es384 =\u003e Ok(Self {\n                inner: ErasedPrivateKey::P384(new_typed::\u003cNistP384\u003e(x, y, d)?),\n            }),\n            EcDSA::Es512 =\u003e Err(super::BackendError::CurveNotSupported(\"P-521\").into()),\n            EcDSA::Es256K =\u003e Ok(Self {\n                inner: ErasedPrivateKey::Secp256k1(new_typed::\u003cSecp256k1\u003e(x, y, d)?),\n            }),\n        }\n    }\n\n    fn private_material(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        match self.inner {\n            ErasedPrivateKey::P256(ref key) =\u003e {\n                let material = Zeroizing::new(key.to_bytes());\n                let material = material.to_vec();\n                SecretSlice::from(material)\n            }\n            ErasedPrivateKey::P384(ref key) =\u003e {\n                let material = Zeroizing::new(key.to_bytes());\n                let material = material.to_vec();\n                SecretSlice::from(material)\n            }\n            ErasedPrivateKey::Secp256k1(ref key) =\u003e {\n                let material = Zeroizing::new(key.to_bytes());\n                let material = material.to_vec();\n                SecretSlice::from(material)\n            }\n        }\n    }\n\n    #[inline]\n    fn public_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        ec::PublicKey::to_point(\u0026self.to_public_key())\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        match self.inner {\n            ErasedPrivateKey::P256(ref key) =\u003e PublicKey {\n                inner: ErasedPublicKey::P256(key.public_key()),\n            },\n            ErasedPrivateKey::P384(ref key) =\u003e PublicKey {\n                inner: ErasedPublicKey::P384(key.public_key()),\n            },\n            ErasedPrivateKey::Secp256k1(ref key) =\u003e PublicKey {\n                inner: ErasedPublicKey::Secp256k1(key.public_key()),\n            },\n        }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8], deterministic: bool) -\u003e Result\u003cSelf::Signature\u003e {\n        let sig = match self.inner {\n            ErasedPrivateKey::P256(ref key) =\u003e {\n                let key = ecdsa::SigningKey::\u003cNistP256\u003e::from(key);\n\n                let sig = if deterministic {\n                    key.sign_recoverable(data)\n                        .map_err(super::BackendError::Ecdsa)?\n                        .0\n                } else {\n                    key.try_sign_with_rng(\u0026mut OsRng, data)\n                        .map_err(super::BackendError::Ecdsa)?\n                };\n\n                ErasedSignature::P256(sig.to_bytes())\n            }\n            ErasedPrivateKey::P384(ref key) =\u003e {\n                let key = ecdsa::SigningKey::\u003cNistP384\u003e::from(key);\n\n                let sig = if deterministic {\n                    key.sign_recoverable(data)\n                        .map_err(super::BackendError::Ecdsa)?\n                        .0\n                } else {\n                    key.try_sign_with_rng(\u0026mut OsRng, data)\n                        .map_err(super::BackendError::Ecdsa)?\n                };\n\n                ErasedSignature::P384(sig.to_bytes())\n            }\n            ErasedPrivateKey::Secp256k1(ref key) =\u003e {\n                let key = ecdsa::SigningKey::\u003cSecp256k1\u003e::from(key);\n\n                let sig = if deterministic {\n                    key.sign_recoverable(data)\n                        .map_err(super::BackendError::Ecdsa)?\n                        .0\n                } else {\n                    key.try_sign_with_rng(\u0026mut OsRng, data)\n                        .map_err(super::BackendError::Ecdsa)?\n                };\n\n                ErasedSignature::Secp256k1(sig.to_bytes())\n            }\n        };\n\n        Ok(sig)\n    }\n}\n\n/// A low level public EC key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PublicKey {\n    inner: ErasedPublicKey,\n}\n\nimpl ec::PublicKey for PublicKey {\n    fn new(alg: EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        fn new_typed\u003cC: elliptic_curve::Curve + elliptic_curve::CurveArithmetic\u003e(\n            x: Vec\u003cu8\u003e,\n            y: Vec\u003cu8\u003e,\n        ) -\u003e Result\u003celliptic_curve::PublicKey\u003cC\u003e\u003e\n        where\n            \u003cC as elliptic_curve::Curve\u003e::FieldBytesSize: elliptic_curve::sec1::ModulusSize,\n            \u003cC as elliptic_curve::CurveArithmetic\u003e::AffinePoint: FromEncodedPoint\u003cC\u003e,\n            \u003cC as elliptic_curve::CurveArithmetic\u003e::AffinePoint: ToEncodedPoint\u003cC\u003e,\n        {\n            let x = to_field_bytes::\u003cC\u003e(\u0026x)?;\n            let y = to_field_bytes::\u003cC\u003e(\u0026y)?;\n\n            let point = EncodedPoint::\u003cC\u003e::from_affine_coordinates(x, y, false);\n            let key: Option\u003c_\u003e = elliptic_curve::PublicKey::\u003cC\u003e::from_encoded_point(\u0026point).into();\n            let key = key.ok_or(super::BackendError::InvalidEcKey)?;\n            Ok(key)\n        }\n\n        match alg {\n            EcDSA::Es256 =\u003e Ok(Self {\n                inner: ErasedPublicKey::P256(new_typed::\u003cNistP256\u003e(x, y)?),\n            }),\n            EcDSA::Es384 =\u003e Ok(Self {\n                inner: ErasedPublicKey::P384(new_typed::\u003cNistP384\u003e(x, y)?),\n            }),\n            EcDSA::Es512 =\u003e Err(super::BackendError::CurveNotSupported(\"P-521\").into()),\n            EcDSA::Es256K =\u003e Ok(Self {\n                inner: ErasedPublicKey::Secp256k1(new_typed::\u003cSecp256k1\u003e(x, y)?),\n            }),\n        }\n    }\n\n    fn to_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        let identity_point = || alloc::vec![0u8];\n        match self.inner {\n            ErasedPublicKey::P256(ref key) =\u003e {\n                let point = key.to_encoded_point(false);\n                (\n                    point.x().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                    point.y().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                )\n            }\n            ErasedPublicKey::P384(ref key) =\u003e {\n                let point = key.to_encoded_point(false);\n                (\n                    point.x().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                    point.y().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                )\n            }\n            ErasedPublicKey::Secp256k1(ref key) =\u003e {\n                let point = key.to_encoded_point(false);\n                (\n                    point.x().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                    point.y().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                )\n            }\n        }\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        Ok(match self.inner {\n            ErasedPublicKey::P256(ref key) =\u003e {\n                let Ok(sig) = ecdsa::Signature::\u003cNistP256\u003e::try_from(signature) else {\n                    return Ok(false);\n                };\n                let key = ecdsa::VerifyingKey::\u003cNistP256\u003e::from(key);\n                key.verify(msg, \u0026sig).is_ok()\n            }\n            ErasedPublicKey::P384(ref key) =\u003e {\n                let Ok(sig) = ecdsa::Signature::\u003cNistP384\u003e::try_from(signature) else {\n                    return Ok(false);\n                };\n                let key = ecdsa::VerifyingKey::\u003cNistP384\u003e::from(key);\n                key.verify(msg, \u0026sig).is_ok()\n            }\n            ErasedPublicKey::Secp256k1(ref key) =\u003e {\n                let Ok(sig) = ecdsa::Signature::\u003cSecp256k1\u003e::try_from(signature) else {\n                    return Ok(false);\n                };\n                let key = ecdsa::VerifyingKey::\u003cSecp256k1\u003e::from(key);\n                key.verify(msg, \u0026sig).is_ok()\n            }\n        })\n    }\n}\n","traces":[{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":113,"address":[],"length":0,"stats":{"Line":0}},{"line":114,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":0}},{"line":120,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":0}},{"line":161,"address":[],"length":0,"stats":{"Line":0}},{"line":246,"address":[],"length":0,"stats":{"Line":0}},{"line":247,"address":[],"length":0,"stats":{"Line":0}},{"line":249,"address":[],"length":0,"stats":{"Line":0}},{"line":250,"address":[],"length":0,"stats":{"Line":0}},{"line":251,"address":[],"length":0,"stats":{"Line":0}},{"line":252,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":22},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","rust","hmac.rs"],"content":"use ::hmac::Hmac;\nuse digest::{Mac as _, Output};\n\nuse crate::{\n    crypto::{backend::interface::hmac, Result},\n    jwa,\n};\n\n/// Rust crypto uses generic arguments to represent the variant.\n///\n/// We don't to that at this level, so we have to erase the type.\nenum ErasedKey {\n    Hs256(Hmac\u003csha2::Sha256\u003e),\n    Hs384(Hmac\u003csha2::Sha384\u003e),\n    Hs512(Hmac\u003csha2::Sha512\u003e),\n}\n\npub(crate) enum ErasedSignature {\n    Hs256(Output\u003cHmac\u003csha2::Sha256\u003e\u003e),\n    Hs384(Output\u003cHmac\u003csha2::Sha384\u003e\u003e),\n    Hs512(Output\u003cHmac\u003csha2::Sha512\u003e\u003e),\n}\n\nimpl AsRef\u003c[u8]\u003e for ErasedSignature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        match self {\n            ErasedSignature::Hs256(sig) =\u003e sig.as_ref(),\n            ErasedSignature::Hs384(sig) =\u003e sig.as_ref(),\n            ErasedSignature::Hs512(sig) =\u003e sig.as_ref(),\n        }\n    }\n}\n\n/// A low level HMAC key.\n#[repr(transparent)]\npub(crate) struct Key {\n    inner: ErasedKey,\n}\n\nimpl hmac::Key for Key {\n    type Signature = ErasedSignature;\n\n    fn new(variant: jwa::Hmac, data: \u0026[u8]) -\u003e Result\u003cSelf\u003e {\n        let key = match variant {\n            jwa::Hmac::Hs256 =\u003e ErasedKey::Hs256(Hmac::\u003csha2::Sha256\u003e::new_from_slice(data)?),\n            jwa::Hmac::Hs384 =\u003e ErasedKey::Hs384(Hmac::\u003csha2::Sha384\u003e::new_from_slice(data)?),\n            jwa::Hmac::Hs512 =\u003e ErasedKey::Hs512(Hmac::\u003csha2::Sha512\u003e::new_from_slice(data)?),\n        };\n\n        Ok(Self { inner: key })\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let signature = match \u0026mut self.inner {\n            ErasedKey::Hs256(hmac) =\u003e {\n                hmac.update(data);\n                ErasedSignature::Hs256(hmac.finalize_reset().into_bytes())\n            }\n            ErasedKey::Hs384(hmac) =\u003e {\n                hmac.update(data);\n                ErasedSignature::Hs384(hmac.finalize_reset().into_bytes())\n            }\n            ErasedKey::Hs512(hmac) =\u003e {\n                hmac.update(data);\n                ErasedSignature::Hs512(hmac.finalize_reset().into_bytes())\n            }\n        };\n\n        Ok(signature)\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","rust","okp.rs"],"content":"use alloc::vec::Vec;\n\nuse ed25519_dalek::{PUBLIC_KEY_LENGTH, SECRET_KEY_LENGTH};\nuse rand_core::OsRng;\nuse secrecy::{ExposeSecret, SecretSlice};\nuse signature::Signer as _;\nuse zeroize::Zeroizing;\n\nuse crate::crypto::{backend::interface::okp, Result};\n\n#[derive(Clone)]\nenum ErasedPrivateKey {\n    Ed25519(ed25519_dalek::SigningKey),\n}\n\n#[derive(Clone)]\nenum ErasedPublicKey {\n    Ed25519(ed25519_dalek::VerifyingKey),\n}\n\n#[derive(Clone)]\npub(crate) enum ErasedSignature {\n    Ed25519([u8; ed25519_dalek::Signature::BYTE_SIZE]),\n}\n\nimpl From\u003cErasedSignature\u003e for Vec\u003cu8\u003e {\n    fn from(value: ErasedSignature) -\u003e Self {\n        match value {\n            ErasedSignature::Ed25519(sig) =\u003e sig.to_vec(),\n        }\n    }\n}\n\nimpl AsRef\u003c[u8]\u003e for ErasedSignature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        match self {\n            ErasedSignature::Ed25519(ref sig) =\u003e sig,\n        }\n    }\n}\n\n/// A low level public ED key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PublicKey {\n    inner: ErasedPublicKey,\n}\n\nimpl okp::PublicKey for PublicKey {\n    fn new(alg: okp::CurveAlgorithm, x: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let key = match alg {\n            okp::CurveAlgorithm::Ed25519 =\u003e {\n                let len = x.len();\n                let x: [u8; PUBLIC_KEY_LENGTH] =\n                    x.try_into()\n                        .map_err(|_| super::BackendError::InvalidEcPoint {\n                            expected: PUBLIC_KEY_LENGTH,\n                            actual: len,\n                        })?;\n                ErasedPublicKey::Ed25519(\n                    ed25519_dalek::VerifyingKey::from_bytes(\u0026x)\n                        .map_err(super::BackendError::Ed25519)?,\n                )\n            }\n            okp::CurveAlgorithm::Ed448 =\u003e {\n                return Err(super::BackendError::CurveNotSupported(\"Ed448\").into())\n            }\n        };\n\n        Ok(Self { inner: key })\n    }\n\n    fn to_bytes(\u0026self) -\u003e Vec\u003cu8\u003e {\n        match self.inner {\n            ErasedPublicKey::Ed25519(ref key) =\u003e key.to_bytes().to_vec(),\n        }\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        match self.inner {\n            ErasedPublicKey::Ed25519(ref key) =\u003e {\n                // FIXME: this needs interop testing in case this is handled differently by\n                // other implementations\n                // See \u003chttps://docs.rs/ed25519-dalek/latest/ed25519_dalek/struct.VerifyingKey.html#on-the-multiple-sources-of-malleability-in-ed25519-signatures\u003e\n\n                let Ok(sig) = ed25519_dalek::Signature::from_slice(signature) else {\n                    return Ok(false);\n                };\n\n                Ok(key.verify_strict(msg, \u0026sig).is_ok())\n            }\n        }\n    }\n}\n\n/// A low level public ED key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PrivateKey {\n    inner: ErasedPrivateKey,\n}\n\nimpl okp::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = ErasedSignature;\n\n    fn generate(alg: okp::CurveAlgorithm) -\u003e Result\u003cSelf\u003e {\n        let key = match alg {\n            okp::CurveAlgorithm::Ed25519 =\u003e {\n                let mut rng = OsRng;\n                ErasedPrivateKey::Ed25519(ed25519_dalek::SigningKey::generate(\u0026mut rng))\n            }\n            okp::CurveAlgorithm::Ed448 =\u003e {\n                return Err(super::BackendError::CurveNotSupported(\"Ed448\").into())\n            }\n        };\n\n        Ok(Self { inner: key })\n    }\n\n    fn new(alg: okp::CurveAlgorithm, _x: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let key = match alg {\n            okp::CurveAlgorithm::Ed25519 =\u003e {\n                let d = d.expose_secret();\n\n                let len = d.len();\n                let d: [u8; SECRET_KEY_LENGTH] =\n                    d.try_into()\n                        .map_err(|_| super::BackendError::InvalidEcPoint {\n                            expected: SECRET_KEY_LENGTH,\n                            actual: len,\n                        })?;\n\n                ErasedPrivateKey::Ed25519(ed25519_dalek::SigningKey::from_bytes(\u0026d))\n            }\n            okp::CurveAlgorithm::Ed448 =\u003e {\n                return Err(super::BackendError::CurveNotSupported(\"Ed448\").into())\n            }\n        };\n\n        Ok(Self { inner: key })\n    }\n\n    fn to_bytes(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        match self.inner {\n            ErasedPrivateKey::Ed25519(ref key) =\u003e {\n                let material = Zeroizing::new(key.to_bytes());\n                SecretSlice::from(material.to_vec())\n            }\n        }\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        let key = match self.inner {\n            ErasedPrivateKey::Ed25519(ref key) =\u003e {\n                let pubkey = key.verifying_key();\n                ErasedPublicKey::Ed25519(pubkey)\n            }\n        };\n\n        PublicKey { inner: key }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        Ok(match self.inner {\n            ErasedPrivateKey::Ed25519(ref key) =\u003e {\n                let sig = key.try_sign(data).map_err(super::BackendError::Ed25519)?;\n                ErasedSignature::Ed25519(sig.to_bytes())\n            }\n        })\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","rust","rsa.rs"],"content":"use alloc::vec::Vec;\n\nuse ::rsa::{\n    traits::{PrivateKeyParts, PublicKeyParts as _},\n    BigUint, Pkcs1v15Sign, Pss, RsaPrivateKey, RsaPublicKey,\n};\nuse secrecy::{ExposeSecret, SecretSlice};\nuse sha2::Digest as _;\nuse zeroize::Zeroizing;\n\nuse crate::{\n    crypto::{backend::interface::rsa, Result},\n    jwa::{self, RsaSigning, RsassaPkcs1V1_5, RsassaPss},\n};\n\n/// A low level private RSA key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PrivateKey {\n    // WARN: It is important that the `inner` key always contains it's precomupted values.\n    // It must be ensured that on each construction of this type, `precomputed` method is called\n    inner: RsaPrivateKey,\n}\n\nimpl rsa::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(bits: usize) -\u003e Result\u003cSelf\u003e {\n        Ok(Self {\n            inner: RsaPrivateKey::new(\u0026mut rand_core::OsRng, bits)?,\n        })\n    }\n\n    fn sign(\u0026mut self, alg: jwa::RsaSigning, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let hashed = match alg {\n            RsaSigning::Pss(RsassaPss::Ps256) | RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs256) =\u003e {\n                sha2::Sha256::digest(data).to_vec()\n            }\n            RsaSigning::Pss(RsassaPss::Ps384) | RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs384) =\u003e {\n                sha2::Sha384::digest(data).to_vec()\n            }\n            RsaSigning::Pss(RsassaPss::Ps512) | RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs512) =\u003e {\n                sha2::Sha512::digest(data).to_vec()\n            }\n        };\n\n        let mut rng = rand_core::OsRng;\n\n        let res = match alg {\n            RsaSigning::Pss(pss) =\u003e match pss {\n                RsassaPss::Ps256 =\u003e {\n                    let pad = Pss::new::\u003csha2::Sha256\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n                RsassaPss::Ps384 =\u003e {\n                    let pad = Pss::new::\u003csha2::Sha384\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n                RsassaPss::Ps512 =\u003e {\n                    let pad = Pss::new::\u003csha2::Sha512\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n            },\n            RsaSigning::RsPkcs1V1_5(pkcs) =\u003e match pkcs {\n                RsassaPkcs1V1_5::Rs256 =\u003e {\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha256\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n                RsassaPkcs1V1_5::Rs384 =\u003e {\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha384\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n                RsassaPkcs1V1_5::Rs512 =\u003e {\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha512\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n            },\n        };\n\n        Ok(res?)\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            inner: self.inner.to_public_key(),\n        }\n    }\n\n    fn from_components(\n        pri: rsa::PrivateKeyComponents,\n        pu: rsa::PublicKeyComponents,\n    ) -\u003e Result\u003cSelf\u003e {\n        let n = BigUint::from_bytes_be(\u0026pu.n);\n        let e = BigUint::from_bytes_be(\u0026pu.e);\n\n        let d = pri.d.expose_secret();\n        let d = BigUint::from_bytes_be(d);\n\n        let p = BigUint::from_bytes_be(pri.prime.p.expose_secret());\n        let q = BigUint::from_bytes_be(pri.prime.q.expose_secret());\n\n        let mut key = RsaPrivateKey::from_components(n, e, d, alloc::vec![p, q])?;\n        key.precompute()?;\n        Ok(Self { inner: key })\n    }\n\n    fn private_components(\u0026self) -\u003e Result\u003crsa::PrivateKeyComponents\u003e {\n        let mut primes = self.inner.primes().iter().map(|b| b.to_bytes_be());\n\n        let p = primes\n            .next()\n            .map(SecretSlice::from)\n            .ok_or(super::BackendError::RsaTwoPrimes)?;\n        let q = primes\n            .next()\n            .map(SecretSlice::from)\n            .ok_or(super::BackendError::RsaTwoPrimes)?;\n\n        if primes.next().is_some() {\n            return Err(super::BackendError::RsaTwoPrimes.into());\n        }\n\n        let opt_uint = |x: Option\u003c\u0026BigUint\u003e| {\n            x.map(|x| SecretSlice::from(x.to_bytes_be()))\n                .expect(\"key must be precomputed\")\n        };\n\n        Ok(rsa::PrivateKeyComponents {\n            d: SecretSlice::from(self.inner.d().to_bytes_be()),\n            prime: rsa::PrivateKeyPrimeComponents {\n                p,\n                q,\n                dp: opt_uint(self.inner.dp()),\n                dq: opt_uint(self.inner.dq()),\n                qi: {\n                    let qi = Zeroizing::new(self.inner.crt_coefficient());\n                    opt_uint(qi.as_ref())\n                },\n            },\n        })\n    }\n\n    fn public_components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        rsa::PublicKeyComponents {\n            n: self.inner.n().to_bytes_be(),\n            e: self.inner.e().to_bytes_be(),\n        }\n    }\n}\n\n/// A low level public RSA key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PublicKey {\n    inner: RsaPublicKey,\n}\n\nimpl rsa::PublicKey for PublicKey {\n    fn from_components(c: rsa::PublicKeyComponents) -\u003e Result\u003cSelf\u003e {\n        let n = ::rsa::BigUint::from_bytes_be(\u0026c.n);\n        let e = ::rsa::BigUint::from_bytes_be(\u0026c.e);\n        let key = ::rsa::RsaPublicKey::new(n, e)?;\n\n        Ok(Self { inner: key })\n    }\n\n    fn verify(\u0026mut self, alg: jwa::RsaSigning, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        let res = match alg {\n            RsaSigning::Pss(pss) =\u003e match pss {\n                RsassaPss::Ps256 =\u003e {\n                    let hashed = sha2::Sha256::digest(msg);\n                    let pad = Pss::new::\u003csha2::Sha256\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n                RsassaPss::Ps384 =\u003e {\n                    let hashed = sha2::Sha384::digest(msg);\n                    let pad = Pss::new::\u003csha2::Sha384\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n                RsassaPss::Ps512 =\u003e {\n                    let hashed = sha2::Sha512::digest(msg);\n                    let pad = Pss::new::\u003csha2::Sha512\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n            },\n            RsaSigning::RsPkcs1V1_5(pkcs) =\u003e match pkcs {\n                RsassaPkcs1V1_5::Rs256 =\u003e {\n                    let hashed = sha2::Sha256::digest(msg);\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha256\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n                RsassaPkcs1V1_5::Rs384 =\u003e {\n                    let hashed = sha2::Sha384::digest(msg);\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha384\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n                RsassaPkcs1V1_5::Rs512 =\u003e {\n                    let hashed = sha2::Sha512::digest(msg);\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha512\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n            },\n        };\n\n        Ok(res.is_ok())\n    }\n\n    fn components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        rsa::PublicKeyComponents {\n            n: self.inner.n().to_bytes_be(),\n            e: self.inner.e().to_bytes_be(),\n        }\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","rust.rs"],"content":"//! This backend implements the primitives using the [RustCrypto] ecosystem.\n//!\n//! [RustCrypto]: https://github.com/RustCrypto\n\nuse digest::Digest as _;\nuse rand_core::RngCore as _;\nuse thiserror::Error;\n\nuse super::interface;\n\npub(crate) mod ec;\npub(crate) mod hmac;\npub(crate) mod okp;\npub(crate) mod rsa;\n\n// TODO: remove the `cfg_attr` once the RustCrypto crates implement\n// the core::error::Error trait.\n\n/// The errors that can be produced by the rust crypto backend.\n#[derive(Debug, Error)]\npub(crate) enum BackendError {\n    /// The error returned if the key is invalid.\n    #[error(\"invalid key length\")]\n    InvalidLength,\n\n    /// RSA operation failed.\n    #[cfg_attr(feature = \"std\", error(\"an RSA operation failed\"))]\n    #[cfg_attr(not(feature = \"std\"), error(\"an RSA operation failed: {0}\"))]\n    Rsa(#[cfg_attr(feature = \"std\", source)] ::rsa::errors::Error),\n\n    /// Error of the `elliptic_curve` crate.\n    #[cfg_attr(feature = \"std\", error(\"an elliptic curve operation failed\"))]\n    #[cfg_attr(not(feature = \"std\"), error(\"an elliptic curve operation failed: {0}\"))]\n    EllipticCurve(#[cfg_attr(feature = \"std\", source)] ::elliptic_curve::Error),\n\n    /// Error of the `ecdsa` crate.\n    #[cfg_attr(feature = \"std\", error(\"an ECDSA operation failed\"))]\n    #[cfg_attr(not(feature = \"std\"), error(\"an ECDSA operation failed: {0}\"))]\n    Ecdsa(#[cfg_attr(feature = \"std\", source)] ::ecdsa::Error),\n\n    /// Error of the `ed25519-dalek` crate.\n    #[cfg_attr(feature = \"std\", error(\"an ED25519 operation failed\"))]\n    #[cfg_attr(not(feature = \"std\"), error(\"an ED25519 operation failed: {0}\"))]\n    Ed25519(#[cfg_attr(feature = \"std\", source)] ed25519_dalek::SignatureError),\n\n    /// The amount of bytes for an EC point is invalid.\n    #[error(\"invalid EC point length, expected {expected}, got {actual}\")]\n    InvalidEcPoint { expected: usize, actual: usize },\n\n    /// The coordinates did not form a valid key.\n    #[error(\"invalid EC key\")]\n    InvalidEcKey,\n\n    /// The curve type is not supported by this backend.\n    #[error(\"curve '{0}' not supported by this backend\")]\n    CurveNotSupported(\u0026'static str),\n\n    #[error(\"RSA key expected to have exactly 2 prime numbers\")]\n    RsaTwoPrimes,\n\n    /// `rand_core` error.\n    #[cfg_attr(feature = \"std\", error(\"failed to generate random data\"))]\n    #[cfg_attr(not(feature = \"std\"), error(\"failed to generate random data: {0}\"))]\n    Rand(#[cfg_attr(feature = \"std\", source)] rand_core::Error),\n}\n\nimpl From\u003cdigest::InvalidLength\u003e for BackendError {\n    fn from(_: digest::InvalidLength) -\u003e Self {\n        Self::InvalidLength\n    }\n}\n\nimpl From\u003c::rsa::errors::Error\u003e for BackendError {\n    fn from(x: ::rsa::errors::Error) -\u003e Self {\n        Self::Rsa(x)\n    }\n}\n\n/// The [RustCrypto] based backend.\n///\n/// [RustCrypto]: https://github.com/RustCrypto\n#[derive(Debug)]\npub(crate) enum Backend {}\n\nimpl interface::Backend for Backend {\n    type EcPrivateKey = ec::PrivateKey;\n    type EcPublicKey = ec::PublicKey;\n    type EdPrivateKey = okp::PrivateKey;\n    type EdPublicKey = okp::PublicKey;\n    type Error = BackendError;\n    type HmacKey = hmac::Key;\n    type RsaPrivateKey = rsa::PrivateKey;\n    type RsaPublicKey = rsa::PublicKey;\n\n    fn fill_random(buf: \u0026mut [u8]) -\u003e Result\u003c(), Self::Error\u003e {\n        use rand_core::OsRng;\n\n        OsRng.try_fill_bytes(buf).map_err(BackendError::Rand)?;\n        Ok(())\n    }\n\n    fn sha256(data: \u0026[u8]) -\u003e [u8; 32] {\n        sha2::Sha256::digest(data).into()\n    }\n\n    fn sha384(data: \u0026[u8]) -\u003e [u8; 48] {\n        sha2::Sha384::digest(data).into()\n    }\n\n    fn sha512(data: \u0026[u8]) -\u003e [u8; 64] {\n        sha2::Sha512::digest(data).into()\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend.rs"],"content":"//! The actual implementations for the cryptographic backends.\n\npub(super) mod interface;\n\ncfg_if::cfg_if! {\n    if #[cfg(feature = \"crypto-rustcrypto\")] {\n        mod rust;\n        pub(crate) use rust::*;\n    } else if #[cfg(feature = \"crypto-openssl\")] {\n        mod openssl;\n        pub(crate) use openssl::*;\n    } else if #[cfg(feature = \"crypto-aws-lc\")] {\n        mod openssl;\n        pub(crate) use openssl::*;\n    } else if #[cfg(feature = \"crypto-ring\")] {\n        mod ring;\n        pub(crate) use ring::*;\n    } else {\n        compile_error!(\"No crypto backend selected. Please enable any of the `crypto-*` features.\");\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","ec.rs"],"content":"//! The primitives for working with [EC (elliptic curve)](https://en.wikipedia.org/wiki/Elliptic-curve_cryptography)\n//! algorithms (`kty` parameter = `EC`).\n//!\n//! If you are looking for the other curve types, see the\n//! [`okp`](crate::crypto::okp) module, which contains all curves that require a\n//! octet key pair.\n\nuse alloc::{boxed::Box, format, string::String, vec::Vec};\nuse core::{fmt, marker::PhantomData};\n\nuse secrecy::ExposeSecret;\nuse serde::{de::Error as _, Deserialize, Serialize};\n\nuse super::backend::{interface, Backend};\nuse crate::{\n    base64_url::{Base64UrlBytes, SecretBase64UrlBytes},\n    crypto::{\n        backend::interface::ec::{PrivateKey as _, PublicKey as _},\n        Result,\n    },\n    jwa, jwk, jws, Base64UrlString,\n};\n\ntype BackendPublicKey = \u003cBackend as interface::Backend\u003e::EcPublicKey;\ntype BackendPrivateKey = \u003cBackend as interface::Backend\u003e::EcPrivateKey;\n\n/// The public key type using the P-256 curve.\npub type P256PublicKey = PublicKey\u003cP256\u003e;\n\n/// The private key type using the P-256 curve.\npub type P256PrivateKey = PrivateKey\u003cP256\u003e;\n\n/// The signer type using the P-256 curve.\npub type P256Signer = Signer\u003cP256\u003e;\n\n/// The verifier type using the P-256 curve.\npub type P256Verifier = Verifier\u003cP256\u003e;\n\n/// The public key type using the P-384 curve.\npub type P384PublicKey = PublicKey\u003cP384\u003e;\n\n/// The private key type using the P-384 curve.\npub type P384PrivateKey = PrivateKey\u003cP384\u003e;\n\n/// The signer type using the P-384 curve.\npub type P384Signer = Signer\u003cP384\u003e;\n\n/// The verifier type using the P-384 curve.\npub type P384Verifier = Verifier\u003cP384\u003e;\n\n/// The public key type using the P-521 curve.\npub type P521PublicKey = PublicKey\u003cP521\u003e;\n\n/// The private key type using the P-521 curve.\npub type P521PrivateKey = PrivateKey\u003cP521\u003e;\n\n/// The signer type using the P-521 curve.\npub type P521Signer = Signer\u003cP521\u003e;\n\n/// The verifier type using the P-521 curve.\npub type P521Verifier = Verifier\u003cP521\u003e;\n\n/// The public key type using the secp256k1 curve.\npub type Secp256k1PublicKey = PublicKey\u003cSecp256k1\u003e;\n\n/// The private key type using the secp256k1 curve.\npub type Secp256k1PrivateKey = PrivateKey\u003cSecp256k1\u003e;\n\n/// The signer type using the secp256k1 curve.\npub type Secp256k1Signer = Signer\u003cSecp256k1\u003e;\n\n/// The verifier type using the secp256k1 curve.\npub type Secp256k1Verifier = Verifier\u003cSecp256k1\u003e;\n\n/// The curve trait marks all possible curves for key type `EC`.\npub trait Curve: sealed::Sealed {\n    /// The name of the curve, that is also used in the `crv` parameter of a\n    /// JWK.\n    const NAME: \u0026'static str;\n\n    /// The algorithm used for this curve.\n    const ALGORITHM: jwa::EcDSA;\n}\n\n/// Returns the number of bytes a single coordinate of the given curve holds.\npub(crate) fn coordinate_size(alg: jwa::EcDSA) -\u003e usize {\n    match alg {\n        jwa::EcDSA::Es256 =\u003e 32,\n        jwa::EcDSA::Es384 =\u003e 48,\n        jwa::EcDSA::Es512 =\u003e 66,\n        jwa::EcDSA::Es256K =\u003e 32,\n    }\n}\n\n/// The number of bytes for a scalar value for the given curve.\n///\n/// This is mostly used to ensure the private key has the correct length.\npub(crate) fn scalar_size(alg: jwa::EcDSA) -\u003e usize {\n    // The length of this octet string MUST be ceiling(log-base-2(n)/8) octets\n    // (where n is the order of the curve).\n    match alg {\n        jwa::EcDSA::Es256 =\u003e 32,\n        jwa::EcDSA::Es384 =\u003e 48,\n        jwa::EcDSA::Es512 =\u003e 66,\n        jwa::EcDSA::Es256K =\u003e 32,\n    }\n}\n\n/// The returned signature from a sign operation.\n#[repr(transparent)]\npub struct Signature {\n    inner: \u003cBackendPrivateKey as interface::ec::PrivateKey\u003e::Signature,\n}\n\nimpl From\u003cSignature\u003e for Vec\u003cu8\u003e {\n    fn from(value: Signature) -\u003e Self {\n        value.as_ref().to_vec()\n    }\n}\n\nimpl AsRef\u003c[u8]\u003e for Signature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        self.inner.as_ref()\n    }\n}\n\nimpl fmt::Debug for Signature {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Debug::fmt(AsRef::\u003c[u8]\u003e::as_ref(\u0026self.inner), f)\n    }\n}\n\n/// The serializable public key for all curve types.\n#[derive(Clone)]\npub struct PublicKey\u003cC\u003e {\n    inner: BackendPublicKey,\n    _curve: PhantomData\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e Eq for PublicKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e PartialEq for PublicKey\u003cC\u003e {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        let (x, y) = self.inner.to_point();\n        let (o_x, o_y) = other.inner.to_point();\n\n        x == o_x \u0026\u0026 y == o_y\n    }\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for PublicKey\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let (x, y) = self.inner.to_point();\n        let x = Base64UrlString::encode(x);\n        let y = Base64UrlString::encode(y);\n\n        f.debug_struct(\"PublicKey\")\n            .field(\"x\", \u0026x)\n            .field(\"y\", \u0026y)\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e From\u003cPublicKey\u003cC\u003e\u003e for jwk::JsonWebKeyType {\n    fn from(value: PublicKey\u003cC\u003e) -\u003e Self {\n        C::public_to_jwk_type(value)\n    }\n}\n\nimpl\u003cC: Curve\u003e crate::sealed::Sealed for PublicKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e jwk::IntoJsonWebKey for PublicKey\u003cC\u003e {\n    type Algorithm = ();\n    type Error = crate::crypto::Error;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003cjwk::JsonWebKey, Self::Error\u003e {\n        let key = C::public_to_jwk_type(self);\n        let key = jwk::JsonWebKey::new_with_algorithm(key, alg.map(|_| C::ALGORITHM.into()));\n        Ok(key)\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::Thumbprint for PublicKey\u003cC\u003e {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        jwk::thumbprint::serialize_key_thumbprint(self)\n    }\n}\n\n#[derive(Deserialize)]\nstruct PublicKeyRepr {\n    crv: String,\n    kty: String,\n    x: Base64UrlBytes,\n    y: Base64UrlBytes,\n}\n\nimpl\u003c'de, C: Curve\u003e Deserialize\u003c'de\u003e for PublicKey\u003cC\u003e {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let key = PublicKeyRepr::deserialize(deserializer)?;\n\n        if key.kty != \"EC\" {\n            return Err(D::Error::custom(alloc::format!(\n                \"Invalid key type `{}`. Expected: `EC`\",\n                key.kty,\n            )));\n        }\n\n        if key.crv != C::NAME {\n            return Err(D::Error::custom(alloc::format!(\n                \"Invalid curve type `{}`. Expected: `{}`\",\n                key.crv,\n                C::NAME,\n            )));\n        }\n\n        let check_coordinate = |c: \u0026[u8], name: \u0026str| {\n            if c.len() != coordinate_size(C::ALGORITHM) {\n                return Err(D::Error::custom(alloc::format!(\n                    \"ECC coordinate {name} has invalid length of {}, expected {}\",\n                    c.len(),\n                    coordinate_size(C::ALGORITHM),\n                )));\n            }\n\n            Ok(())\n        };\n\n        // https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.2\n        //\n        // Verifies that both coordinates are the same length as the curve size.\n        check_coordinate(\u0026key.x.0, \"x\")?;\n        check_coordinate(\u0026key.y.0, \"y\")?;\n\n        Ok(Self {\n            inner: \u003cBackendPublicKey as interface::ec::PublicKey\u003e::new(\n                C::ALGORITHM,\n                key.x.0,\n                key.y.0,\n            )\n            .map_err(|e| D::Error::custom(format!(\"failed to construct public EC key: {e}\")))?,\n            _curve: PhantomData,\n        })\n    }\n}\n\nimpl\u003cC: Curve\u003e Serialize for PublicKey\u003cC\u003e {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        #[derive(serde::Serialize)]\n        struct Repr\u003c'a\u003e {\n            crv: \u0026'a str,\n            kty: \u0026'a str,\n            x: Base64UrlBytes,\n            y: Base64UrlBytes,\n        }\n\n        let (x, y) = self.inner.to_point();\n\n        #[expect(clippy::useless_conversion)]\n        let repr = Repr {\n            crv: C::NAME,\n            kty: \"EC\",\n            x: Base64UrlBytes(Vec::\u003cu8\u003e::from(x)),\n            y: Base64UrlBytes(Vec::\u003cu8\u003e::from(y)),\n        };\n\n        repr.serialize(serializer)\n    }\n}\n\n/// The serializable private key for all curve types.\n#[derive(Clone)]\npub struct PrivateKey\u003cC\u003e {\n    inner: BackendPrivateKey,\n    _curve: PhantomData\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e PrivateKey\u003cC\u003e {\n    /// Generate a new RSA key pair of the given bit size.\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if the key generation fails.\n    pub fn generate() -\u003e Result\u003cSelf\u003e {\n        Ok(Self {\n            inner: BackendPrivateKey::generate(C::ALGORITHM)?,\n            _curve: PhantomData,\n        })\n    }\n\n    /// Returns the public key of this private key.\n    pub fn to_public_key(\u0026self) -\u003e PublicKey\u003cC\u003e {\n        PublicKey {\n            inner: self.inner.to_public_key(),\n            _curve: PhantomData,\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e Eq for PrivateKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e PartialEq for PrivateKey\u003cC\u003e {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        self.to_public_key() == other.to_public_key()\n    }\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for PrivateKey\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let (x, y) = self.inner.public_point();\n        let x = Base64UrlString::encode(x);\n        let y = Base64UrlString::encode(y);\n\n        f.debug_struct(\"PublicKey\")\n            .field(\"x\", \u0026x)\n            .field(\"y\", \u0026y)\n            .field(\"d\", \u0026\"[REDACTED]\")\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e From\u003cPrivateKey\u003cC\u003e\u003e for jwk::JsonWebKeyType {\n    fn from(value: PrivateKey\u003cC\u003e) -\u003e Self {\n        C::private_to_jwk_type(value)\n    }\n}\n\nimpl\u003cC: Curve\u003e crate::sealed::Sealed for PrivateKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e jwk::IntoJsonWebKey for PrivateKey\u003cC\u003e {\n    type Algorithm = ();\n    type Error = crate::crypto::Error;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003cjwk::JsonWebKey, Self::Error\u003e {\n        let key = C::private_to_jwk_type(self);\n        let key = jwk::JsonWebKey::new_with_algorithm(key, alg.map(|_| C::ALGORITHM.into()));\n        Ok(key)\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::Thumbprint for PrivateKey\u003cC\u003e {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        self.to_public_key().thumbprint_prehashed()\n    }\n}\n\nimpl\u003c'de, C: Curve\u003e Deserialize\u003c'de\u003e for PrivateKey\u003cC\u003e {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        #[derive(Deserialize)]\n        struct Repr {\n            #[serde(flatten)]\n            public: PublicKeyRepr,\n            d: SecretBase64UrlBytes,\n        }\n        let key = Repr::deserialize(deserializer)?;\n\n        let len = key.d.0.expose_secret().len();\n        if len != scalar_size(C::ALGORITHM) {\n            return Err(D::Error::custom(alloc::format!(\n                \"ECC scalar has invalid length of {len}, expected {}\",\n                scalar_size(C::ALGORITHM),\n            )));\n        }\n\n        Ok(Self {\n            inner: \u003cBackendPrivateKey as interface::ec::PrivateKey\u003e::new(\n                C::ALGORITHM,\n                key.public.x.0,\n                key.public.y.0,\n                key.d.0,\n            )\n            .map_err(|e| D::Error::custom(format!(\"failed to construct private EC key: {e}\")))?,\n            _curve: PhantomData,\n        })\n    }\n}\n\nimpl\u003cC: Curve\u003e Serialize for PrivateKey\u003cC\u003e {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        #[derive(serde::Serialize)]\n        struct Repr\u003c'a\u003e {\n            crv: \u0026'a str,\n            kty: \u0026'a str,\n            x: Base64UrlBytes,\n            y: Base64UrlBytes,\n            d: SecretBase64UrlBytes,\n        }\n\n        let (x, y) = self.inner.public_point();\n        let d = self.inner.private_material();\n\n        #[expect(clippy::useless_conversion)]\n        let repr = Repr {\n            crv: C::NAME,\n            kty: \"EC\",\n            x: Base64UrlBytes(Vec::\u003cu8\u003e::from(x)),\n            y: Base64UrlBytes(Vec::\u003cu8\u003e::from(y)),\n            d: SecretBase64UrlBytes(d),\n        };\n\n        repr.serialize(serializer)\n    }\n}\n\n/// The [`Signer`](jws::Signer) for EC keys.\npub struct Signer\u003cC\u003e {\n    inner: PrivateKey\u003cC\u003e,\n    deterministic: bool,\n}\n\nimpl\u003cC: Curve\u003e Signer\u003cC\u003e {\n    /// Makes the sign operation of this EcDSA signer deterministic.\n    ///\n    /// This enables deterministic signature values, according to [RFC 6979](https://www.rfc-editor.org/rfc/rfc6979).\n    #[cfg(feature = \"deterministic-ecdsa\")]\n    pub fn deterministic(mut self, deterministic: bool) -\u003e Self {\n        self.deterministic = deterministic;\n        self\n    }\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for Signer\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        f.debug_struct(\"Signer\").field(\"key\", \u0026self.inner).finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e jws::Signer\u003cSignature\u003e for Signer\u003cC\u003e {\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cSignature\u003e {\n        let sig = self.inner.inner.sign(msg, self.deterministic)?;\n        Ok(Signature { inner: sig })\n    }\n\n    fn algorithm(\u0026self) -\u003e jwa::JsonWebSigningAlgorithm {\n        jwa::JsonWebSigningAlgorithm::EcDSA(C::ALGORITHM)\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPrivateKey\u003cC\u003e\u003e for Signer\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    fn from_key(value: PrivateKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::EcDSA(alg))\n                if alg == C::ALGORITHM =\u003e\n            {\n                Ok(Self {\n                    inner: value,\n                    deterministic: false,\n                })\n            }\n            _ =\u003e Err(jws::InvalidSigningAlgorithmError),\n        }\n    }\n}\n\n/// The [`Verifier`](jws::Verifier) for EC keys.\npub struct Verifier\u003cC\u003e {\n    inner: PublicKey\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for Verifier\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        f.debug_struct(\"Verifier\")\n            .field(\"key\", \u0026self.inner)\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e jws::Verifier for Verifier\u003cC\u003e {\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), jws::VerifyError\u003e {\n        match self.inner.inner.verify(msg, signature) {\n            Ok(true) =\u003e Ok(()),\n            Ok(false) =\u003e Err(jws::VerifyError::InvalidSignature),\n            Err(e) =\u003e Err(jws::VerifyError::CryptoBackend(e)),\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPublicKey\u003cC\u003e\u003e for Verifier\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    fn from_key(value: PublicKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::EcDSA(alg))\n                if alg == C::ALGORITHM =\u003e\n            {\n                Ok(Self { inner: value })\n            }\n            _ =\u003e Err(jws::InvalidSigningAlgorithmError),\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPrivateKey\u003cC\u003e\u003e for Verifier\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    #[inline]\n    fn from_key(value: PrivateKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        Self::from_key(value.to_public_key(), alg)\n    }\n}\n\nmacro_rules! impl_curve {\n    ($(\n        $(#[$doc:meta])*\n        $curve:ident {\n            name: $curve_name:literal,\n            algorithm: $algorithm:ident,\n        }\n    ),*$(,)?) =\u003e { $(\n        $(#[$doc])*\n        #[derive(Debug, Clone, Copy)]\n        pub enum $curve {}\n\n        impl Curve for $curve {\n            const NAME: \u0026'static str = $curve_name;\n            const ALGORITHM: jwa::EcDSA = jwa::EcDSA::$algorithm;\n        }\n        impl sealed::Sealed for $curve {\n            fn public_to_jwk_type(key: PublicKey\u003cSelf\u003e) -\u003e jwk::JsonWebKeyType {\n                jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Public(\n                    jwk::Public::Ec(jwk::EcPublic::$curve(key)),\n                )))\n            }\n\n            fn private_to_jwk_type(key: PrivateKey\u003cSelf\u003e) -\u003e jwk::JsonWebKeyType {\n                jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Private(\n                    jwk::Private::Ec(jwk::EcPrivate::$curve(key)),\n                )))\n            }\n        }\n    )* };\n}\n\nimpl_curve!(\n    /// The P-256 curve.\n    P256 {\n        name: \"P-256\",\n        algorithm: Es256,\n    },\n\n    /// The P-384 curve.\n    P384 {\n        name: \"P-384\",\n        algorithm: Es384,\n    },\n\n    /// The P-521 curve.\n    P521 {\n        name: \"P-521\",\n        algorithm: Es512,\n    },\n\n    /// The secp256k1 curve.\n    Secp256k1 {\n        name: \"secp256k1\",\n        algorithm: Es256K,\n    },\n);\n\nmod sealed {\n    use crate::jwk::JsonWebKeyType;\n\n    pub trait Sealed: Sized {\n        fn public_to_jwk_type(key: super::PublicKey\u003cSelf\u003e) -\u003e JsonWebKeyType;\n\n        fn private_to_jwk_type(key: super::PrivateKey\u003cSelf\u003e) -\u003e JsonWebKeyType;\n    }\n}\n","traces":[{"line":86,"address":[],"length":0,"stats":{"Line":59}},{"line":87,"address":[],"length":0,"stats":{"Line":59}},{"line":88,"address":[],"length":0,"stats":{"Line":21}},{"line":89,"address":[],"length":0,"stats":{"Line":13}},{"line":90,"address":[],"length":0,"stats":{"Line":13}},{"line":91,"address":[],"length":0,"stats":{"Line":12}},{"line":98,"address":[],"length":0,"stats":{"Line":31}},{"line":101,"address":[],"length":0,"stats":{"Line":31}},{"line":102,"address":[],"length":0,"stats":{"Line":11}},{"line":103,"address":[],"length":0,"stats":{"Line":7}},{"line":104,"address":[],"length":0,"stats":{"Line":7}},{"line":105,"address":[],"length":0,"stats":{"Line":6}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":142,"address":[],"length":0,"stats":{"Line":26}},{"line":143,"address":[],"length":0,"stats":{"Line":26}},{"line":144,"address":[],"length":0,"stats":{"Line":26}},{"line":146,"address":[],"length":0,"stats":{"Line":52}},{"line":151,"address":[],"length":0,"stats":{"Line":0}},{"line":152,"address":[],"length":0,"stats":{"Line":0}},{"line":153,"address":[],"length":0,"stats":{"Line":0}},{"line":154,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":157,"address":[],"length":0,"stats":{"Line":0}},{"line":158,"address":[],"length":0,"stats":{"Line":0}},{"line":164,"address":[],"length":0,"stats":{"Line":0}},{"line":165,"address":[],"length":0,"stats":{"Line":0}},{"line":174,"address":[],"length":0,"stats":{"Line":0}},{"line":178,"address":[],"length":0,"stats":{"Line":0}},{"line":179,"address":[],"length":0,"stats":{"Line":0}},{"line":180,"address":[],"length":0,"stats":{"Line":0}},{"line":185,"address":[],"length":0,"stats":{"Line":33}},{"line":186,"address":[],"length":0,"stats":{"Line":33}},{"line":199,"address":[],"length":0,"stats":{"Line":14}},{"line":203,"address":[],"length":0,"stats":{"Line":28}},{"line":205,"address":[],"length":0,"stats":{"Line":0}},{"line":206,"address":[],"length":0,"stats":{"Line":0}},{"line":207,"address":[],"length":0,"stats":{"Line":0}},{"line":208,"address":[],"length":0,"stats":{"Line":0}},{"line":212,"address":[],"length":0,"stats":{"Line":14}},{"line":213,"address":[],"length":0,"stats":{"Line":0}},{"line":214,"address":[],"length":0,"stats":{"Line":0}},{"line":215,"address":[],"length":0,"stats":{"Line":0}},{"line":216,"address":[],"length":0,"stats":{"Line":0}},{"line":220,"address":[],"length":0,"stats":{"Line":42}},{"line":221,"address":[],"length":0,"stats":{"Line":28}},{"line":222,"address":[],"length":0,"stats":{"Line":0}},{"line":223,"address":[],"length":0,"stats":{"Line":0}},{"line":224,"address":[],"length":0,"stats":{"Line":0}},{"line":225,"address":[],"length":0,"stats":{"Line":0}},{"line":229,"address":[],"length":0,"stats":{"Line":28}},{"line":235,"address":[],"length":0,"stats":{"Line":0}},{"line":236,"address":[],"length":0,"stats":{"Line":14}},{"line":238,"address":[],"length":0,"stats":{"Line":0}},{"line":239,"address":[],"length":0,"stats":{"Line":14}},{"line":240,"address":[],"length":0,"stats":{"Line":14}},{"line":241,"address":[],"length":0,"stats":{"Line":14}},{"line":242,"address":[],"length":0,"stats":{"Line":14}},{"line":244,"address":[],"length":0,"stats":{"Line":14}},{"line":245,"address":[],"length":0,"stats":{"Line":14}},{"line":251,"address":[],"length":0,"stats":{"Line":41}},{"line":263,"address":[],"length":0,"stats":{"Line":41}},{"line":269,"address":[],"length":0,"stats":{"Line":41}},{"line":270,"address":[],"length":0,"stats":{"Line":41}},{"line":273,"address":[],"length":0,"stats":{"Line":41}},{"line":290,"address":[],"length":0,"stats":{"Line":3}},{"line":291,"address":[],"length":0,"stats":{"Line":3}},{"line":292,"address":[],"length":0,"stats":{"Line":3}},{"line":293,"address":[],"length":0,"stats":{"Line":3}},{"line":298,"address":[],"length":0,"stats":{"Line":38}},{"line":300,"address":[],"length":0,"stats":{"Line":38}},{"line":308,"address":[],"length":0,"stats":{"Line":4}},{"line":309,"address":[],"length":0,"stats":{"Line":4}},{"line":314,"address":[],"length":0,"stats":{"Line":0}},{"line":315,"address":[],"length":0,"stats":{"Line":0}},{"line":316,"address":[],"length":0,"stats":{"Line":0}},{"line":317,"address":[],"length":0,"stats":{"Line":0}},{"line":319,"address":[],"length":0,"stats":{"Line":0}},{"line":320,"address":[],"length":0,"stats":{"Line":0}},{"line":321,"address":[],"length":0,"stats":{"Line":0}},{"line":322,"address":[],"length":0,"stats":{"Line":0}},{"line":328,"address":[],"length":0,"stats":{"Line":0}},{"line":329,"address":[],"length":0,"stats":{"Line":0}},{"line":338,"address":[],"length":0,"stats":{"Line":0}},{"line":342,"address":[],"length":0,"stats":{"Line":0}},{"line":343,"address":[],"length":0,"stats":{"Line":0}},{"line":344,"address":[],"length":0,"stats":{"Line":0}},{"line":349,"address":[],"length":0,"stats":{"Line":17}},{"line":350,"address":[],"length":0,"stats":{"Line":17}},{"line":355,"address":[],"length":0,"stats":{"Line":28}},{"line":365,"address":[],"length":0,"stats":{"Line":56}},{"line":367,"address":[],"length":0,"stats":{"Line":0}},{"line":368,"address":[],"length":0,"stats":{"Line":0}},{"line":369,"address":[],"length":0,"stats":{"Line":0}},{"line":370,"address":[],"length":0,"stats":{"Line":0}},{"line":371,"address":[],"length":0,"stats":{"Line":0}},{"line":375,"address":[],"length":0,"stats":{"Line":14}},{"line":376,"address":[],"length":0,"stats":{"Line":14}},{"line":377,"address":[],"length":0,"stats":{"Line":14}},{"line":378,"address":[],"length":0,"stats":{"Line":14}},{"line":379,"address":[],"length":0,"stats":{"Line":14}},{"line":380,"address":[],"length":0,"stats":{"Line":14}},{"line":382,"address":[],"length":0,"stats":{"Line":14}},{"line":383,"address":[],"length":0,"stats":{"Line":14}},{"line":389,"address":[],"length":0,"stats":{"Line":8}},{"line":402,"address":[],"length":0,"stats":{"Line":8}},{"line":403,"address":[],"length":0,"stats":{"Line":8}},{"line":409,"address":[],"length":0,"stats":{"Line":8}},{"line":410,"address":[],"length":0,"stats":{"Line":8}},{"line":411,"address":[],"length":0,"stats":{"Line":8}},{"line":414,"address":[],"length":0,"stats":{"Line":8}},{"line":429,"address":[],"length":0,"stats":{"Line":0}},{"line":430,"address":[],"length":0,"stats":{"Line":0}},{"line":431,"address":[],"length":0,"stats":{"Line":0}},{"line":436,"address":[],"length":0,"stats":{"Line":0}},{"line":437,"address":[],"length":0,"stats":{"Line":0}},{"line":442,"address":[],"length":0,"stats":{"Line":0}},{"line":443,"address":[],"length":0,"stats":{"Line":0}},{"line":444,"address":[],"length":0,"stats":{"Line":0}},{"line":447,"address":[],"length":0,"stats":{"Line":0}},{"line":448,"address":[],"length":0,"stats":{"Line":0}},{"line":455,"address":[],"length":0,"stats":{"Line":0}},{"line":456,"address":[],"length":0,"stats":{"Line":0}},{"line":457,"address":[],"length":0,"stats":{"Line":0}},{"line":458,"address":[],"length":0,"stats":{"Line":0}},{"line":460,"address":[],"length":0,"stats":{"Line":0}},{"line":461,"address":[],"length":0,"stats":{"Line":0}},{"line":462,"address":[],"length":0,"stats":{"Line":0}},{"line":465,"address":[],"length":0,"stats":{"Line":0}},{"line":476,"address":[],"length":0,"stats":{"Line":0}},{"line":477,"address":[],"length":0,"stats":{"Line":0}},{"line":478,"address":[],"length":0,"stats":{"Line":0}},{"line":484,"address":[],"length":0,"stats":{"Line":0}},{"line":485,"address":[],"length":0,"stats":{"Line":0}},{"line":486,"address":[],"length":0,"stats":{"Line":0}},{"line":487,"address":[],"length":0,"stats":{"Line":0}},{"line":488,"address":[],"length":0,"stats":{"Line":0}},{"line":496,"address":[],"length":0,"stats":{"Line":0}},{"line":497,"address":[],"length":0,"stats":{"Line":0}},{"line":498,"address":[],"length":0,"stats":{"Line":0}},{"line":499,"address":[],"length":0,"stats":{"Line":0}},{"line":501,"address":[],"length":0,"stats":{"Line":0}},{"line":503,"address":[],"length":0,"stats":{"Line":0}},{"line":512,"address":[],"length":0,"stats":{"Line":0}},{"line":513,"address":[],"length":0,"stats":{"Line":0}},{"line":534,"address":[],"length":0,"stats":{"Line":0}},{"line":535,"address":[],"length":0,"stats":{"Line":0}},{"line":536,"address":[],"length":0,"stats":{"Line":0}},{"line":540,"address":[],"length":0,"stats":{"Line":0}},{"line":541,"address":[],"length":0,"stats":{"Line":0}},{"line":542,"address":[],"length":0,"stats":{"Line":0}}],"covered":63,"coverable":155},{"path":["/","home","stu","dev","rust","jose","src","crypto","hmac.rs"],"content":"//! The primitives for working with [HMAC] algorithms.\n//!\n//! [HMAC]: https://en.wikipedia.org/wiki/HMAC\n\nuse core::fmt;\n\nuse secrecy::{ExposeSecret, SecretSlice};\nuse subtle::ConstantTimeEq as _;\n\nuse super::{\n    backend::{\n        interface::{self, hmac::Key as _},\n        Backend,\n    },\n    Error, Result,\n};\nuse crate::{\n    crypto::backend::interface::Backend as _,\n    jwa,\n    jwk::{\n        self,\n        symmetric::{FromOctetSequenceError, OctetSequence},\n        IntoJsonWebKey,\n    },\n    jws::{self, Signer},\n};\n\ntype BackendHmacKey = \u003cBackend as interface::Backend\u003e::HmacKey;\n\n/// Marker trait is implemented for all supported HMAC variants.\npub trait Variant: crate::sealed::Sealed {\n    /// The JWA algorithm for this variant.\n    const ALGORITHM: jwa::Hmac;\n\n    /// The number of bytes in the output of the hash operation operation.\n    const OUTPUT_SIZE_BYTES: usize;\n}\n\n/// The returned signature from a sign operation.\n#[repr(transparent)]\npub struct Signature {\n    inner: \u003cBackendHmacKey as interface::hmac::Key\u003e::Signature,\n}\n\nimpl AsRef\u003c[u8]\u003e for Signature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        self.inner.as_ref()\n    }\n}\n\nimpl fmt::Debug for Signature {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Debug::fmt(AsRef::\u003c[u8]\u003e::as_ref(\u0026self.inner), f)\n    }\n}\n\n/// A key that can be used for signing and verifying HMAC signatures.\npub struct Key\u003cH: Variant\u003e {\n    inner: BackendHmacKey,\n    // We also need to store the raw key, to be able to convert it to a JWK.\n    raw_key: SecretSlice\u003cu8\u003e,\n    _variant: core::marker::PhantomData\u003cH\u003e,\n}\n\nimpl\u003cH: Variant\u003e Key\u003cH\u003e {\n    /// Generate a new random HMAC key, using the crypto backends default RNG.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the crypto backend failed to generate random data.\n    pub fn generate() -\u003e Result\u003cSelf\u003e {\n        let mut key = alloc::vec![0u8; H::OUTPUT_SIZE_BYTES].into_boxed_slice();\n        Backend::fill_random(\u0026mut key)?;\n        let key = SecretSlice::from(key);\n\n        Self::new_from_key(key)\n    }\n\n    fn new_from_key(key: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let inner = BackendHmacKey::new(H::ALGORITHM, key.expose_secret())?;\n        Ok(Self {\n            inner,\n            raw_key: key,\n            _variant: core::marker::PhantomData,\n        })\n    }\n}\n\nimpl\u003cH: Variant\u003e fmt::Debug for Key\u003cH\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        f.debug_struct(\"Key\")\n            .field(\"key\", \u0026self.raw_key)\n            .field(\"algorithm\", \u0026H::ALGORITHM)\n            .finish()\n    }\n}\n\nimpl\u003cH: Variant\u003e From\u003cKey\u003cH\u003e\u003e for jwk::JsonWebKeyType {\n    fn from(key: Key\u003cH\u003e) -\u003e Self {\n        jwk::JsonWebKeyType::Symmetric(jwk::SymmetricJsonWebKey::OctetSequence(OctetSequence::new(\n            key.raw_key,\n        )))\n    }\n}\n\nimpl\u003cH: Variant\u003e crate::sealed::Sealed for Key\u003cH\u003e {}\nimpl\u003cH: Variant\u003e IntoJsonWebKey for Key\u003cH\u003e {\n    type Algorithm = ();\n    type Error = core::convert::Infallible;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003ccrate::JsonWebKey, Self::Error\u003e {\n        let key_ty = jwk::JsonWebKeyType::from(self);\n        let alg = alg.map(|_| {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Hmac(H::ALGORITHM))\n        });\n        Ok(jwk::JsonWebKey::new_with_algorithm(key_ty, alg))\n    }\n}\n\nimpl\u003cH: Variant\u003e jws::Verifier for Key\u003cH\u003e {\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), jws::VerifyError\u003e {\n        let signed = self.inner.sign(msg)?;\n\n        let valid = bool::from(signature.ct_eq(signed.as_ref()));\n        if valid {\n            Ok(())\n        } else {\n            Err(jws::VerifyError::InvalidSignature)\n        }\n    }\n}\n\nimpl\u003cH: Variant\u003e Signer\u003cSignature\u003e for Key\u003cH\u003e {\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cSignature, Error\u003e {\n        let signature = self.inner.sign(msg)?;\n        Ok(Signature { inner: signature })\n    }\n\n    fn algorithm(\u0026self) -\u003e jwa::JsonWebSigningAlgorithm {\n        jwa::JsonWebSigningAlgorithm::Hmac(H::ALGORITHM)\n    }\n}\n\nimpl\u003cH: Variant\u003e jwk::FromKey\u003cOctetSequence\u003e for Key\u003cH\u003e {\n    type Error = FromOctetSequenceError;\n\n    fn from_key(\n        key: OctetSequence,\n        alg: jwa::JsonWebAlgorithm,\n    ) -\u003e core::result::Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Hmac(alg)) =\u003e {\n                if alg != H::ALGORITHM {\n                    return Err(FromOctetSequenceError::InvalidSigningAlgorithm(\n                        jws::InvalidSigningAlgorithmError,\n                    ));\n                }\n\n                // This check is not required for normal Hmac implementations based on RFC 2104\n                // but RFC 7518 section 3.2 requires this check and\n                // forbids keys with a length \u003c output\n                if key.len() \u003c H::OUTPUT_SIZE_BYTES {\n                    return Err(FromOctetSequenceError::InvalidLength);\n                }\n\n                Ok(Self::new_from_key(key.into_bytes())?)\n            }\n            _ =\u003e Err(FromOctetSequenceError::InvalidSigningAlgorithm(\n                jws::InvalidSigningAlgorithmError,\n            )),\n        }\n    }\n}\n\nimpl\u003cH: Variant\u003e jwk::FromKey\u003c\u0026OctetSequence\u003e for Key\u003cH\u003e {\n    type Error = FromOctetSequenceError;\n\n    fn from_key(key: \u0026OctetSequence, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Hmac(alg)) =\u003e {\n                if alg != H::ALGORITHM {\n                    return Err(FromOctetSequenceError::InvalidSigningAlgorithm(\n                        jws::InvalidSigningAlgorithmError,\n                    ));\n                }\n\n                // This check is not required for normal Hmac implementations based on RFC 2104\n                // but RFC 7518 section 3.2 requires this check and\n                // forbids keys with a length \u003c output\n                if key.len() \u003c H::OUTPUT_SIZE_BYTES {\n                    return Err(FromOctetSequenceError::InvalidLength);\n                }\n\n                Ok(Self::new_from_key(key.bytes().clone())?)\n            }\n            _ =\u003e Err(FromOctetSequenceError::InvalidSigningAlgorithm(\n                jws::InvalidSigningAlgorithmError,\n            )),\n        }\n    }\n}\nmacro_rules! impl_variant {\n    (#[$doc:meta] $variant:ident = $size:expr) =\u003e {\n        #[$doc]\n        #[derive(Debug)]\n        pub enum $variant {}\n\n        impl Variant for $variant {\n            const ALGORITHM: jwa::Hmac = jwa::Hmac::$variant;\n            const OUTPUT_SIZE_BYTES: usize = $size;\n        }\n        impl crate::sealed::Sealed for $variant {}\n    };\n}\n\nimpl_variant!(\n    /// Marker type that represents Hmac using the Sha256 digest.\n    Hs256 = 256 / 8\n);\nimpl_variant!(\n    /// Marker type that represents Hmac using the Sha384 digest.\n    Hs384 = 384 / 8\n);\nimpl_variant!(\n    /// Marker type that represents Hmac using the Sha512 digest.\n    Hs512 = 512 / 8\n);\n","traces":[{"line":46,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":52,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":1}},{"line":72,"address":[],"length":0,"stats":{"Line":1}},{"line":73,"address":[],"length":0,"stats":{"Line":1}},{"line":74,"address":[],"length":0,"stats":{"Line":1}},{"line":76,"address":[],"length":0,"stats":{"Line":1}},{"line":79,"address":[],"length":0,"stats":{"Line":1}},{"line":80,"address":[],"length":0,"stats":{"Line":2}},{"line":81,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":90,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}},{"line":100,"address":[],"length":0,"stats":{"Line":0}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":119,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":138,"address":[],"length":0,"stats":{"Line":0}},{"line":139,"address":[],"length":0,"stats":{"Line":0}},{"line":142,"address":[],"length":0,"stats":{"Line":0}},{"line":143,"address":[],"length":0,"stats":{"Line":0}},{"line":150,"address":[],"length":0,"stats":{"Line":0}},{"line":154,"address":[],"length":0,"stats":{"Line":0}},{"line":155,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":157,"address":[],"length":0,"stats":{"Line":0}},{"line":158,"address":[],"length":0,"stats":{"Line":0}},{"line":165,"address":[],"length":0,"stats":{"Line":0}},{"line":166,"address":[],"length":0,"stats":{"Line":0}},{"line":169,"address":[],"length":0,"stats":{"Line":0}},{"line":171,"address":[],"length":0,"stats":{"Line":0}},{"line":172,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":1}},{"line":182,"address":[],"length":0,"stats":{"Line":1}},{"line":183,"address":[],"length":0,"stats":{"Line":1}},{"line":184,"address":[],"length":0,"stats":{"Line":1}},{"line":185,"address":[],"length":0,"stats":{"Line":0}},{"line":186,"address":[],"length":0,"stats":{"Line":0}},{"line":193,"address":[],"length":0,"stats":{"Line":1}},{"line":194,"address":[],"length":0,"stats":{"Line":1}},{"line":197,"address":[],"length":0,"stats":{"Line":0}},{"line":199,"address":[],"length":0,"stats":{"Line":0}},{"line":200,"address":[],"length":0,"stats":{"Line":0}}],"covered":13,"coverable":60},{"path":["/","home","stu","dev","rust","jose","src","crypto","okp.rs"],"content":"//! The primitives for working with EdDSA algorithms (`kty`\n//! parameter = `OKP`).\n//!\n//! If you are looking for the other curve types, see the\n//! [`ec`](crate::crypto::ec) module, which contains all curves, that do not\n//! require an octet key pair as a key.\n\nuse alloc::{borrow::Cow, format, string::String, vec::Vec};\nuse core::{fmt, marker::PhantomData};\n\nuse serde::{de::Error as _, Deserialize, Serialize};\n\nuse super::backend::{\n    interface::{\n        self,\n        okp::{PrivateKey as _, PublicKey as _},\n    },\n    Backend,\n};\nuse crate::{\n    base64_url::{Base64UrlBytes, SecretBase64UrlBytes},\n    crypto::Result,\n    jwa, jwk, jws, Base64UrlString,\n};\n\nconst KTY: \u0026str = \"OKP\";\n\ntype BackendPublicKey = \u003cBackend as interface::Backend\u003e::EdPublicKey;\ntype BackendPrivateKey = \u003cBackend as interface::Backend\u003e::EdPrivateKey;\n\n/// The curve trait marks all possible curves for EdDSA keys.\n///\n/// Technically, the implementors of this trait (e.g. [`Ed25519`]) are not\n/// curves, but rather the curve + algorithm combination. However, the JWK\n/// specification uses the term \"curve\" for this combination, so we will\n/// follow that convention here.\npub trait Curve: sealed::Sealed {\n    /// The name of the curve, that is also used in the `crv` parameter of a\n    /// JWK.\n    const NAME: \u0026'static str;\n}\n\n/// The public key using the Ed25519 curve.\npub type Ed25519PublicKey = PublicKey\u003cEd25519\u003e;\n\n/// The private key using the Ed25519 curve.\npub type Ed25519PrivateKey = PrivateKey\u003cEd25519\u003e;\n\n/// The signer type using the Ed25519 curve.\npub type Ed25519Signer = Signer\u003cEd25519\u003e;\n\n/// The verifier type using the Ed25519 curve.\npub type Ed25519Verifier = Verifier\u003cEd25519\u003e;\n\n/// The public key using the Ed448 curve.\npub type Ed448PublicKey = PublicKey\u003cEd448\u003e;\n\n/// The private key using the Ed448 curve.\npub type Ed448PrivateKey = PrivateKey\u003cEd448\u003e;\n\n/// The signer type using the Ed448 curve.\npub type Ed448Signer = Signer\u003cEd448\u003e;\n\n/// The verifier type using the Ed448 curve.\npub type Ed448Verifier = Verifier\u003cEd448\u003e;\n\n/// The returned signature from a sign operation.\n#[repr(transparent)]\npub struct Signature {\n    inner: \u003cBackendPrivateKey as interface::okp::PrivateKey\u003e::Signature,\n}\n\nimpl From\u003cSignature\u003e for Vec\u003cu8\u003e {\n    fn from(value: Signature) -\u003e Self {\n        value.as_ref().to_vec()\n    }\n}\n\nimpl AsRef\u003c[u8]\u003e for Signature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        self.inner.as_ref()\n    }\n}\n\nimpl fmt::Debug for Signature {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Debug::fmt(AsRef::\u003c[u8]\u003e::as_ref(\u0026self.inner), f)\n    }\n}\n\n/// A public key for EdDSA algorithms.\n///\n/// The type of algorithm and curve is determined by the\n/// `C` type parameter.\n#[derive(Clone)]\npub struct PublicKey\u003cC\u003e {\n    inner: BackendPublicKey,\n    _curve: PhantomData\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e Eq for PublicKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e PartialEq for PublicKey\u003cC\u003e {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        interface::okp::PublicKey::to_bytes(\u0026self.inner)\n            == interface::okp::PublicKey::to_bytes(\u0026other.inner)\n    }\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for PublicKey\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let bytes = Base64UrlString::encode(interface::okp::PublicKey::to_bytes(\u0026self.inner));\n        f.debug_struct(\"PublicKey\")\n            .field(\"curve\", \u0026C::NAME)\n            .field(\"x\", \u0026bytes)\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e From\u003cPublicKey\u003cC\u003e\u003e for jwk::JsonWebKeyType {\n    fn from(value: PublicKey\u003cC\u003e) -\u003e Self {\n        C::public_to_jwk_type(value)\n    }\n}\n\nimpl\u003cC: Curve\u003e crate::sealed::Sealed for PublicKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e jwk::IntoJsonWebKey for PublicKey\u003cC\u003e {\n    type Algorithm = ();\n    type Error = crate::crypto::Error;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003cjwk::JsonWebKey, Self::Error\u003e {\n        let key = C::public_to_jwk_type(self);\n        let key = jwk::JsonWebKey::new_with_algorithm(\n            key,\n            alg.map(|_| jwa::JsonWebSigningAlgorithm::EdDSA.into()),\n        );\n        Ok(key)\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::Thumbprint for PublicKey\u003cC\u003e {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        jwk::thumbprint::serialize_key_thumbprint(self)\n    }\n}\n\n#[derive(Serialize, Deserialize)]\nstruct PublicRepr\u003c'a\u003e {\n    crv: Cow\u003c'a, str\u003e,\n    kty: Cow\u003c'a, str\u003e,\n    x: Base64UrlBytes,\n}\n\nimpl\u003c'de, C: Curve\u003e Deserialize\u003c'de\u003e for PublicKey\u003cC\u003e {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let repr = PublicRepr::deserialize(deserializer)?;\n\n        if repr.crv != C::NAME {\n            return Err(D::Error::custom(format!(\n                \"Invalid curve type `{}`. Expected `{}`\",\n                repr.crv,\n                C::NAME\n            )));\n        }\n\n        if repr.kty != KTY {\n            return Err(D::Error::custom(format!(\n                \"Invalid key type `{}`. Expected `{KTY}`\",\n                repr.kty,\n            )));\n        }\n\n        let key =\n            interface::okp::PublicKey::new(C::ALGORITHM, repr.x.0).map_err(D::Error::custom)?;\n        Ok(Self {\n            inner: key,\n            _curve: PhantomData,\n        })\n    }\n}\n\nimpl\u003cC: Curve\u003e Serialize for PublicKey\u003cC\u003e {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        let repr = PublicRepr {\n            crv: C::NAME.into(),\n            kty: KTY.into(),\n            x: Base64UrlBytes(interface::okp::PublicKey::to_bytes(\u0026self.inner)),\n        };\n\n        repr.serialize(serializer)\n    }\n}\n\n/// A private key for EdDSA algorithms.\n///\n/// The type of algorithm and curve is determined by the\n/// `C` type parameter.\n#[derive(Clone)]\npub struct PrivateKey\u003cC\u003e {\n    inner: BackendPrivateKey,\n    _curve: PhantomData\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e PrivateKey\u003cC\u003e {\n    /// Generate a new random key pair.\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if the key generation fails.\n    pub fn generate() -\u003e Result\u003cSelf\u003e {\n        Ok(Self {\n            inner: BackendPrivateKey::generate(C::ALGORITHM)?,\n            _curve: PhantomData,\n        })\n    }\n\n    /// Returns the public key of this private key.\n    pub fn to_public_key(\u0026self) -\u003e PublicKey\u003cC\u003e {\n        PublicKey {\n            inner: self.inner.to_public_key(),\n            _curve: PhantomData,\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e Eq for PrivateKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e PartialEq for PrivateKey\u003cC\u003e {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        self.to_public_key() == other.to_public_key()\n    }\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for PrivateKey\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let pub_key = interface::okp::PrivateKey::to_public_key(\u0026self.inner);\n        let bytes = Base64UrlString::encode(interface::okp::PublicKey::to_bytes(\u0026pub_key));\n\n        f.debug_struct(\"PrivateKey\")\n            .field(\"curve\", \u0026C::NAME)\n            .field(\"x\", \u0026bytes)\n            .field(\"d\", \u0026\"[REDACTED]\")\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e From\u003cPrivateKey\u003cC\u003e\u003e for jwk::JsonWebKeyType {\n    fn from(value: PrivateKey\u003cC\u003e) -\u003e Self {\n        C::private_to_jwk_type(value)\n    }\n}\n\nimpl\u003cC: Curve\u003e crate::sealed::Sealed for PrivateKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e jwk::IntoJsonWebKey for PrivateKey\u003cC\u003e {\n    type Algorithm = ();\n    type Error = crate::crypto::Error;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003cjwk::JsonWebKey, Self::Error\u003e {\n        let key = C::private_to_jwk_type(self);\n        let key = jwk::JsonWebKey::new_with_algorithm(\n            key,\n            alg.map(|_| jwa::JsonWebSigningAlgorithm::EdDSA.into()),\n        );\n        Ok(key)\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::Thumbprint for PrivateKey\u003cC\u003e {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        self.to_public_key().thumbprint_prehashed()\n    }\n}\n\n#[derive(Serialize, Deserialize)]\nstruct PrivateRepr\u003c'a\u003e {\n    #[serde(flatten)]\n    public: PublicRepr\u003c'a\u003e,\n    d: SecretBase64UrlBytes,\n}\n\nimpl\u003c'de, C: Curve\u003e Deserialize\u003c'de\u003e for PrivateKey\u003cC\u003e {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let repr = PrivateRepr::deserialize(deserializer)?;\n\n        let key = interface::okp::PrivateKey::new(C::ALGORITHM, repr.public.x.0, repr.d.0)\n            .map_err(D::Error::custom)?;\n\n        Ok(Self {\n            inner: key,\n            _curve: PhantomData,\n        })\n    }\n}\n\nimpl\u003cC: Curve\u003e Serialize for PrivateKey\u003cC\u003e {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        let pub_key = self.inner.to_public_key();\n        let repr = PrivateRepr {\n            public: PublicRepr {\n                crv: C::NAME.into(),\n                kty: KTY.into(),\n                x: Base64UrlBytes(interface::okp::PublicKey::to_bytes(\u0026pub_key)),\n            },\n            d: SecretBase64UrlBytes(interface::okp::PrivateKey::to_bytes(\u0026self.inner)),\n        };\n\n        repr.serialize(serializer)\n    }\n}\n\n/// The [`Signer`](jws::Signer) for EC keys.\npub struct Signer\u003cC\u003e {\n    inner: PrivateKey\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for Signer\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        f.debug_struct(\"Signer\").field(\"key\", \u0026self.inner).finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e jws::Signer\u003cSignature\u003e for Signer\u003cC\u003e {\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cSignature\u003e {\n        let sig = self.inner.inner.sign(msg)?;\n        Ok(Signature { inner: sig })\n    }\n\n    fn algorithm(\u0026self) -\u003e jwa::JsonWebSigningAlgorithm {\n        jwa::JsonWebSigningAlgorithm::EdDSA\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPrivateKey\u003cC\u003e\u003e for Signer\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    fn from_key(value: PrivateKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::EdDSA) =\u003e {\n                Ok(Self { inner: value })\n            }\n            _ =\u003e Err(jws::InvalidSigningAlgorithmError),\n        }\n    }\n}\n\n/// The [`Verifier`](jws::Verifier) for EC keys.\npub struct Verifier\u003cC\u003e {\n    inner: PublicKey\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for Verifier\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        f.debug_struct(\"Verifier\")\n            .field(\"key\", \u0026self.inner)\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e jws::Verifier for Verifier\u003cC\u003e {\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), jws::VerifyError\u003e {\n        match self.inner.inner.verify(msg, signature) {\n            Ok(true) =\u003e Ok(()),\n            Ok(false) =\u003e Err(jws::VerifyError::InvalidSignature),\n            Err(e) =\u003e Err(jws::VerifyError::CryptoBackend(e)),\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPublicKey\u003cC\u003e\u003e for Verifier\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    fn from_key(value: PublicKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::EdDSA) =\u003e {\n                Ok(Self { inner: value })\n            }\n            _ =\u003e Err(jws::InvalidSigningAlgorithmError),\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPrivateKey\u003cC\u003e\u003e for Verifier\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    #[inline]\n    fn from_key(value: PrivateKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        Self::from_key(value.to_public_key(), alg)\n    }\n}\n\nmacro_rules! impl_curve {\n    ($(\n        $(#[$doc:meta])*\n        $curve:ident {\n            name: $curve_name:literal,\n        }\n    ),*$(,)?) =\u003e { $(\n        $(#[$doc])*\n        #[derive(Debug, Clone, Copy)]\n        pub enum $curve {}\n\n        impl Curve for $curve {\n            const NAME: \u0026'static str = $curve_name;\n        }\n\n        impl sealed::Sealed for $curve {\n            #[expect(private_interfaces)]\n            const ALGORITHM: interface::okp::CurveAlgorithm = interface::okp::CurveAlgorithm::$curve;\n\n            fn public_to_jwk_type(key: PublicKey\u003cSelf\u003e) -\u003e jwk::JsonWebKeyType {\n                jwk::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(jwk::AsymmetricJsonWebKey::Public(\n                    jwk::Public::Okp(jwk::OkpPublic::$curve(key)),\n                )))\n            }\n\n            fn private_to_jwk_type(key: PrivateKey\u003cSelf\u003e) -\u003e jwk::JsonWebKeyType {\n                jwk::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(jwk::AsymmetricJsonWebKey::Private(\n                    jwk::Private::Okp(jwk::OkpPrivate::$curve(key)),\n                )))\n            }\n        }\n    )* };\n}\n\nimpl_curve!(\n    /// The Ed25519 curve.\n    Ed25519 {\n        name: \"Ed25519\",\n    },\n\n    /// The Ed448 curve.\n    Ed448 {\n        name: \"Ed448\",\n    },\n);\n\nmod sealed {\n    use crate::{crypto::backend::interface, jwk::JsonWebKeyType};\n\n    pub trait Sealed: Sized {\n        #[expect(private_interfaces)]\n        const ALGORITHM: interface::okp::CurveAlgorithm;\n\n        fn public_to_jwk_type(key: super::PublicKey\u003cSelf\u003e) -\u003e JsonWebKeyType;\n\n        fn private_to_jwk_type(key: super::PrivateKey\u003cSelf\u003e) -\u003e JsonWebKeyType;\n    }\n}\n","traces":[{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":81,"address":[],"length":0,"stats":{"Line":0}},{"line":86,"address":[],"length":0,"stats":{"Line":0}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":12}},{"line":104,"address":[],"length":0,"stats":{"Line":12}},{"line":105,"address":[],"length":0,"stats":{"Line":12}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":113,"address":[],"length":0,"stats":{"Line":0}},{"line":114,"address":[],"length":0,"stats":{"Line":0}},{"line":120,"address":[],"length":0,"stats":{"Line":0}},{"line":121,"address":[],"length":0,"stats":{"Line":0}},{"line":130,"address":[],"length":0,"stats":{"Line":0}},{"line":134,"address":[],"length":0,"stats":{"Line":0}},{"line":136,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":139,"address":[],"length":0,"stats":{"Line":0}},{"line":144,"address":[],"length":0,"stats":{"Line":16}},{"line":145,"address":[],"length":0,"stats":{"Line":16}},{"line":157,"address":[],"length":0,"stats":{"Line":6}},{"line":161,"address":[],"length":0,"stats":{"Line":12}},{"line":163,"address":[],"length":0,"stats":{"Line":0}},{"line":164,"address":[],"length":0,"stats":{"Line":0}},{"line":165,"address":[],"length":0,"stats":{"Line":0}},{"line":166,"address":[],"length":0,"stats":{"Line":0}},{"line":167,"address":[],"length":0,"stats":{"Line":0}},{"line":171,"address":[],"length":0,"stats":{"Line":6}},{"line":172,"address":[],"length":0,"stats":{"Line":0}},{"line":173,"address":[],"length":0,"stats":{"Line":0}},{"line":174,"address":[],"length":0,"stats":{"Line":0}},{"line":178,"address":[],"length":0,"stats":{"Line":6}},{"line":179,"address":[],"length":0,"stats":{"Line":0}},{"line":180,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":0}},{"line":182,"address":[],"length":0,"stats":{"Line":0}},{"line":188,"address":[],"length":0,"stats":{"Line":20}},{"line":193,"address":[],"length":0,"stats":{"Line":20}},{"line":194,"address":[],"length":0,"stats":{"Line":20}},{"line":195,"address":[],"length":0,"stats":{"Line":20}},{"line":198,"address":[],"length":0,"stats":{"Line":20}},{"line":218,"address":[],"length":0,"stats":{"Line":2}},{"line":219,"address":[],"length":0,"stats":{"Line":2}},{"line":220,"address":[],"length":0,"stats":{"Line":2}},{"line":221,"address":[],"length":0,"stats":{"Line":2}},{"line":226,"address":[],"length":0,"stats":{"Line":18}},{"line":228,"address":[],"length":0,"stats":{"Line":18}},{"line":236,"address":[],"length":0,"stats":{"Line":2}},{"line":237,"address":[],"length":0,"stats":{"Line":2}},{"line":242,"address":[],"length":0,"stats":{"Line":0}},{"line":243,"address":[],"length":0,"stats":{"Line":0}},{"line":244,"address":[],"length":0,"stats":{"Line":0}},{"line":246,"address":[],"length":0,"stats":{"Line":0}},{"line":247,"address":[],"length":0,"stats":{"Line":0}},{"line":248,"address":[],"length":0,"stats":{"Line":0}},{"line":249,"address":[],"length":0,"stats":{"Line":0}},{"line":255,"address":[],"length":0,"stats":{"Line":0}},{"line":256,"address":[],"length":0,"stats":{"Line":0}},{"line":265,"address":[],"length":0,"stats":{"Line":0}},{"line":269,"address":[],"length":0,"stats":{"Line":0}},{"line":271,"address":[],"length":0,"stats":{"Line":0}},{"line":272,"address":[],"length":0,"stats":{"Line":0}},{"line":274,"address":[],"length":0,"stats":{"Line":0}},{"line":279,"address":[],"length":0,"stats":{"Line":8}},{"line":280,"address":[],"length":0,"stats":{"Line":8}},{"line":292,"address":[],"length":0,"stats":{"Line":12}},{"line":296,"address":[],"length":0,"stats":{"Line":24}},{"line":298,"address":[],"length":0,"stats":{"Line":6}},{"line":299,"address":[],"length":0,"stats":{"Line":0}},{"line":301,"address":[],"length":0,"stats":{"Line":0}},{"line":302,"address":[],"length":0,"stats":{"Line":0}},{"line":303,"address":[],"length":0,"stats":{"Line":0}},{"line":309,"address":[],"length":0,"stats":{"Line":4}},{"line":313,"address":[],"length":0,"stats":{"Line":4}},{"line":315,"address":[],"length":0,"stats":{"Line":4}},{"line":320,"address":[],"length":0,"stats":{"Line":4}},{"line":323,"address":[],"length":0,"stats":{"Line":4}},{"line":333,"address":[],"length":0,"stats":{"Line":0}},{"line":334,"address":[],"length":0,"stats":{"Line":0}},{"line":339,"address":[],"length":0,"stats":{"Line":0}},{"line":340,"address":[],"length":0,"stats":{"Line":0}},{"line":341,"address":[],"length":0,"stats":{"Line":0}},{"line":344,"address":[],"length":0,"stats":{"Line":0}},{"line":345,"address":[],"length":0,"stats":{"Line":0}},{"line":352,"address":[],"length":0,"stats":{"Line":0}},{"line":353,"address":[],"length":0,"stats":{"Line":0}},{"line":354,"address":[],"length":0,"stats":{"Line":0}},{"line":355,"address":[],"length":0,"stats":{"Line":0}},{"line":357,"address":[],"length":0,"stats":{"Line":0}},{"line":368,"address":[],"length":0,"stats":{"Line":0}},{"line":369,"address":[],"length":0,"stats":{"Line":0}},{"line":370,"address":[],"length":0,"stats":{"Line":0}},{"line":376,"address":[],"length":0,"stats":{"Line":0}},{"line":377,"address":[],"length":0,"stats":{"Line":0}},{"line":378,"address":[],"length":0,"stats":{"Line":0}},{"line":379,"address":[],"length":0,"stats":{"Line":0}},{"line":380,"address":[],"length":0,"stats":{"Line":0}},{"line":388,"address":[],"length":0,"stats":{"Line":0}},{"line":389,"address":[],"length":0,"stats":{"Line":0}},{"line":390,"address":[],"length":0,"stats":{"Line":0}},{"line":391,"address":[],"length":0,"stats":{"Line":0}},{"line":393,"address":[],"length":0,"stats":{"Line":0}},{"line":402,"address":[],"length":0,"stats":{"Line":0}},{"line":403,"address":[],"length":0,"stats":{"Line":0}},{"line":426,"address":[],"length":0,"stats":{"Line":0}},{"line":427,"address":[],"length":0,"stats":{"Line":0}},{"line":428,"address":[],"length":0,"stats":{"Line":0}},{"line":432,"address":[],"length":0,"stats":{"Line":0}},{"line":433,"address":[],"length":0,"stats":{"Line":0}},{"line":434,"address":[],"length":0,"stats":{"Line":0}}],"covered":32,"coverable":113},{"path":["/","home","stu","dev","rust","jose","src","crypto","rsa.rs"],"content":"//! The primitives for working with [RSA] encryption.\n//!\n//! [RSA]: https://en.wikipedia.org/wiki/RSA_cryptosystem\n\nuse alloc::{boxed::Box, format, string::String, vec::Vec};\nuse core::{convert::Infallible, fmt};\n\nuse serde::{de::Error as _, ser::Error as _, Deserialize, Serialize};\n\nuse super::backend::{\n    interface::{\n        self,\n        rsa::{self, PrivateKey as _, PublicKey as _},\n    },\n    Backend,\n};\nuse crate::{\n    base64_url::{Base64UrlBytes, SecretBase64UrlBytes},\n    crypto::Result,\n    jwa::{self, RsaSigning},\n    jwk::{self, FromKey, IntoJsonWebKey},\n    jws::{self, InvalidSigningAlgorithmError},\n    Base64UrlString,\n};\n\ntype BackendPublicKey = \u003cBackend as interface::Backend\u003e::RsaPublicKey;\ntype BackendPrivateKey = \u003cBackend as interface::Backend\u003e::RsaPrivateKey;\n\n/// The returned signature from a sign operation.\n#[repr(transparent)]\npub struct Signature {\n    inner: \u003cBackendPrivateKey as rsa::PrivateKey\u003e::Signature,\n}\n\nimpl From\u003cSignature\u003e for Vec\u003cu8\u003e {\n    fn from(value: Signature) -\u003e Self {\n        value.as_ref().to_vec()\n    }\n}\n\nimpl AsRef\u003c[u8]\u003e for Signature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        self.inner.as_ref()\n    }\n}\n\nimpl fmt::Debug for Signature {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Debug::fmt(self.as_ref(), f)\n    }\n}\n\n/// The RSA public key type.\n#[derive(Clone)]\npub struct PublicKey {\n    inner: BackendPublicKey,\n}\n\nimpl Eq for PublicKey {}\nimpl PartialEq for PublicKey {\n    fn eq(\u0026self, o: \u0026Self) -\u003e bool {\n        let this_pub = rsa::PublicKey::components(\u0026self.inner);\n        let o_pub = rsa::PublicKey::components(\u0026o.inner);\n\n        this_pub == o_pub\n    }\n}\n\nimpl fmt::Debug for PublicKey {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let key = rsa::PublicKey::components(\u0026self.inner);\n        let n = Base64UrlString::encode(key.n);\n        let e = Base64UrlString::encode(key.e);\n\n        f.debug_struct(\"PublicKey\")\n            .field(\"n\", \u0026n)\n            .field(\"e\", \u0026e)\n            .finish()\n    }\n}\n\nimpl From\u003cPublicKey\u003e for jwk::JsonWebKeyType {\n    fn from(x: PublicKey) -\u003e Self {\n        jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Public(\n            jwk::Public::Rsa(x),\n        )))\n    }\n}\n\nimpl crate::sealed::Sealed for PublicKey {}\nimpl IntoJsonWebKey for PublicKey {\n    type Algorithm = RsaSigning;\n    type Error = Infallible;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003ccrate::JsonWebKey, Self::Error\u003e {\n        let alg = alg.map(|rsa| {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Rsa(rsa.into()))\n        });\n\n        let key = jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Public(\n            jwk::Public::Rsa(self),\n        )));\n\n        Ok(jwk::JsonWebKey::new_with_algorithm(key, alg))\n    }\n}\n\nimpl jwk::Thumbprint for PublicKey {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        crate::jwk::thumbprint::serialize_key_thumbprint(self)\n    }\n}\n\nimpl Serialize for PublicKey {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        #[derive(Serialize)]\n        struct Repr {\n            kty: \u0026'static str,\n\n            n: Base64UrlBytes,\n            e: Base64UrlBytes,\n        }\n\n        let key = rsa::PublicKey::components(\u0026self.inner);\n        Repr {\n            kty: \"RSA\",\n            n: Base64UrlBytes(key.n),\n            e: Base64UrlBytes(key.e),\n        }\n        .serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for PublicKey {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        #[derive(Deserialize)]\n        struct Repr {\n            kty: String,\n\n            n: Base64UrlBytes,\n            e: Base64UrlBytes,\n        }\n\n        let repr = Repr::deserialize(deserializer)?;\n\n        if \u0026*repr.kty != \"RSA\" {\n            return Err(D::Error::custom(\"`kty` field is required to be `RSA`\"));\n        }\n\n        let components = rsa::PublicKeyComponents {\n            n: repr.n.0,\n            e: repr.e.0,\n        };\n        let key = rsa::PublicKey::from_components(components)\n            .map_err(|e| D::Error::custom(format!(\"failed to construct RSA public key: {e}\")))?;\n        Ok(Self { inner: key })\n    }\n}\n\n/// The RSA private key type.\n#[derive(Clone)]\npub struct PrivateKey {\n    inner: BackendPrivateKey,\n}\n\nimpl PrivateKey {\n    /// Generate a new RSA key pair of the given bit size.\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if the key generation fails.\n    pub fn generate(bits: usize) -\u003e Result\u003cSelf\u003e {\n        let key = BackendPrivateKey::generate(bits)?;\n        Ok(Self { inner: key })\n    }\n\n    /// Get the public key corresponding to this private key.\n    pub fn to_public_key(\u0026self) -\u003e PublicKey {\n        PublicKey {\n            inner: self.inner.to_public_key(),\n        }\n    }\n}\n\nimpl Eq for PrivateKey {}\nimpl PartialEq for PrivateKey {\n    fn eq(\u0026self, o: \u0026Self) -\u003e bool {\n        self.to_public_key() == o.to_public_key()\n    }\n}\n\nimpl From\u003cPrivateKey\u003e for jwk::JsonWebKeyType {\n    fn from(x: PrivateKey) -\u003e Self {\n        jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Private(\n            jwk::Private::Rsa(Box::new(x)),\n        )))\n    }\n}\n\nimpl fmt::Debug for PrivateKey {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let key = rsa::PrivateKey::public_components(\u0026self.inner);\n        let n = Base64UrlString::encode(key.n);\n        let e = Base64UrlString::encode(key.e);\n\n        f.debug_struct(\"PrivateKey\")\n            .field(\"n\", \u0026n)\n            .field(\"e\", \u0026e)\n            .field(\"primes\", \u0026\"[REDACTED]\")\n            .finish()\n    }\n}\n\nimpl crate::sealed::Sealed for PrivateKey {}\nimpl IntoJsonWebKey for PrivateKey {\n    type Algorithm = RsaSigning;\n    type Error = Infallible;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003ccrate::JsonWebKey, Self::Error\u003e {\n        let alg = alg.map(|rsa| {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Rsa(rsa.into()))\n        });\n\n        let key = jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Private(\n            jwk::Private::Rsa(Box::new(self)),\n        )));\n\n        Ok(crate::JsonWebKey::new_with_algorithm(key, alg))\n    }\n}\n\nimpl jwk::Thumbprint for PrivateKey {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        self.to_public_key().thumbprint_prehashed()\n    }\n}\n\nimpl Serialize for PrivateKey {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        #[derive(Serialize)]\n        struct Repr {\n            kty: \u0026'static str,\n\n            n: Base64UrlBytes,\n            e: Base64UrlBytes,\n\n            d: SecretBase64UrlBytes,\n            p: SecretBase64UrlBytes,\n            q: SecretBase64UrlBytes,\n            dp: SecretBase64UrlBytes,\n            dq: SecretBase64UrlBytes,\n            qi: SecretBase64UrlBytes,\n        }\n\n        let pub_key = rsa::PrivateKey::public_components(\u0026self.inner);\n        let key = rsa::PrivateKey::private_components(\u0026self.inner).map_err(S::Error::custom)?;\n\n        let repr = Repr {\n            kty: \"RSA\",\n            n: Base64UrlBytes(pub_key.n),\n            e: Base64UrlBytes(pub_key.e),\n            d: SecretBase64UrlBytes(key.d),\n            p: SecretBase64UrlBytes(key.prime.p),\n            q: SecretBase64UrlBytes(key.prime.q),\n            dp: SecretBase64UrlBytes(key.prime.dp),\n            dq: SecretBase64UrlBytes(key.prime.dq),\n            qi: SecretBase64UrlBytes(key.prime.qi),\n        };\n\n        repr.serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for PrivateKey {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        #[derive(Deserialize)]\n        struct Repr {\n            kty: String,\n\n            n: Base64UrlBytes,\n            e: Base64UrlBytes,\n            d: SecretBase64UrlBytes,\n\n            p: Option\u003cSecretBase64UrlBytes\u003e,\n            q: Option\u003cSecretBase64UrlBytes\u003e,\n            dp: Option\u003cSecretBase64UrlBytes\u003e,\n            dq: Option\u003cSecretBase64UrlBytes\u003e,\n            qi: Option\u003cSecretBase64UrlBytes\u003e,\n\n            oth: Option\u003cserde_json::Value\u003e,\n        }\n\n        let repr = Repr::deserialize(deserializer)?;\n\n        if \u0026*repr.kty != \"RSA\" {\n            return Err(D::Error::custom(\"`kty` field is required to be `RSA`\"));\n        }\n\n        // RFC:\n        //\n        // The parameter \"d\" is REQUIRED for RSA private keys.  The others enable\n        // optimizations and SHOULD be included by producers of JWKs\n        // representing RSA private keys.  If the producer includes any of the\n        // other private key parameters, then all of the others MUST be present,\n        // with the exception of \"oth\", which MUST only be present when more than two\n        // prime factors were used.\n\n        let any_prime_present = repr.p.is_some()\n            | repr.q.is_some()\n            | repr.dp.is_some()\n            | repr.dq.is_some()\n            | repr.qi.is_some();\n\n        let prime_info = if any_prime_present {\n            let err = |field: \u0026str| {\n                D::Error::custom(format!(\n                    \"expected `{field}` to be present because all prime fields must be set if one \\\n                     of them is set\"\n                ))\n            };\n\n            rsa::PrivateKeyPrimeComponents {\n                p: repr.p.ok_or_else(|| err(\"p\"))?.0,\n                q: repr.q.ok_or_else(|| err(\"q\"))?.0,\n                dp: repr.dp.ok_or_else(|| err(\"dp\"))?.0,\n                dq: repr.dq.ok_or_else(|| err(\"dq\"))?.0,\n                qi: repr.qi.ok_or_else(|| err(\"qi\"))?.0,\n            }\n        } else {\n            // FIXME: can we support RSA keys without any primes?\n            return Err(D::Error::custom(\n                \"RSA private keys without any primes are not supported\",\n            ));\n        };\n\n        if repr.oth.is_some() {\n            // FIXME: Support additional primes\n            return Err(D::Error::custom(\n                \"RSA private keys with `oth` field set are not supported\",\n            ));\n        }\n\n        let pub_components = rsa::PublicKeyComponents {\n            n: repr.n.0,\n            e: repr.e.0,\n        };\n\n        let priv_components = rsa::PrivateKeyComponents {\n            d: repr.d.0,\n            prime: prime_info,\n        };\n\n        let key = rsa::PrivateKey::from_components(priv_components, pub_components)\n            .map_err(|e| D::Error::custom(format!(\"failed to construct RSA private key: {e}\")))?;\n        Ok(Self { inner: key })\n    }\n}\n\n/// A [`Signer`](jws::Signer) using an [`PrivateKey`] and an RSA algorithm.\n#[derive(Debug)]\npub struct Signer {\n    key: PrivateKey,\n    alg: RsaSigning,\n}\n\nimpl FromKey\u003cPrivateKey\u003e for Signer {\n    type Error = InvalidSigningAlgorithmError;\n\n    fn from_key(value: PrivateKey, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Rsa(alg)) =\u003e {\n                Ok(Self { key: value, alg })\n            }\n            _ =\u003e Err(InvalidSigningAlgorithmError),\n        }\n    }\n}\n\nimpl jws::Signer\u003cSignature\u003e for Signer {\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cSignature\u003e {\n        let sig = self.key.inner.sign(self.alg, msg)?;\n        Ok(Signature { inner: sig })\n    }\n\n    fn algorithm(\u0026self) -\u003e jwa::JsonWebSigningAlgorithm {\n        jwa::JsonWebSigningAlgorithm::Rsa(self.alg)\n    }\n}\n\n/// A [`Verifier`](jws::Verifier) using an [`PublicKey`] and an RSA algorithm.\n#[derive(Debug)]\npub struct Verifier {\n    key: PublicKey,\n    alg: RsaSigning,\n}\n\nimpl FromKey\u003cPublicKey\u003e for Verifier {\n    type Error = InvalidSigningAlgorithmError;\n\n    fn from_key(value: PublicKey, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Rsa(alg)) =\u003e {\n                Ok(Self { key: value, alg })\n            }\n            _ =\u003e Err(InvalidSigningAlgorithmError),\n        }\n    }\n}\n\nimpl FromKey\u003cPrivateKey\u003e for Verifier {\n    type Error = InvalidSigningAlgorithmError;\n\n    /// Create a [`Verifier`] from the private key by\n    /// turning it into the public key and dropping the private parts afterwards\n    fn from_key(value: PrivateKey, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        Self::from_key(value.to_public_key(), alg)\n    }\n}\n\nimpl jws::Verifier for Verifier {\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), jws::VerifyError\u003e {\n        match self.key.inner.verify(self.alg, msg, signature) {\n            Ok(true) =\u003e Ok(()),\n            Ok(false) =\u003e Err(jws::VerifyError::InvalidSignature),\n            Err(err) =\u003e Err(jws::VerifyError::CryptoBackend(err)),\n        }\n    }\n}\n","traces":[{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":37,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":43,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":15}},{"line":62,"address":[],"length":0,"stats":{"Line":15}},{"line":63,"address":[],"length":0,"stats":{"Line":15}},{"line":65,"address":[],"length":0,"stats":{"Line":15}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}},{"line":100,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":23}},{"line":113,"address":[],"length":0,"stats":{"Line":23}},{"line":118,"address":[],"length":0,"stats":{"Line":33}},{"line":130,"address":[],"length":0,"stats":{"Line":33}},{"line":133,"address":[],"length":0,"stats":{"Line":33}},{"line":134,"address":[],"length":0,"stats":{"Line":33}},{"line":136,"address":[],"length":0,"stats":{"Line":33}},{"line":141,"address":[],"length":0,"stats":{"Line":33}},{"line":153,"address":[],"length":0,"stats":{"Line":66}},{"line":155,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":13}},{"line":161,"address":[],"length":0,"stats":{"Line":13}},{"line":163,"address":[],"length":0,"stats":{"Line":13}},{"line":164,"address":[],"length":0,"stats":{"Line":0}},{"line":165,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":1}},{"line":182,"address":[],"length":0,"stats":{"Line":2}},{"line":187,"address":[],"length":0,"stats":{"Line":16}},{"line":189,"address":[],"length":0,"stats":{"Line":16}},{"line":196,"address":[],"length":0,"stats":{"Line":2}},{"line":197,"address":[],"length":0,"stats":{"Line":2}},{"line":202,"address":[],"length":0,"stats":{"Line":0}},{"line":203,"address":[],"length":0,"stats":{"Line":0}},{"line":204,"address":[],"length":0,"stats":{"Line":0}},{"line":210,"address":[],"length":0,"stats":{"Line":0}},{"line":211,"address":[],"length":0,"stats":{"Line":0}},{"line":212,"address":[],"length":0,"stats":{"Line":0}},{"line":213,"address":[],"length":0,"stats":{"Line":0}},{"line":215,"address":[],"length":0,"stats":{"Line":0}},{"line":216,"address":[],"length":0,"stats":{"Line":0}},{"line":217,"address":[],"length":0,"stats":{"Line":0}},{"line":218,"address":[],"length":0,"stats":{"Line":0}},{"line":228,"address":[],"length":0,"stats":{"Line":0}},{"line":232,"address":[],"length":0,"stats":{"Line":0}},{"line":233,"address":[],"length":0,"stats":{"Line":0}},{"line":236,"address":[],"length":0,"stats":{"Line":0}},{"line":237,"address":[],"length":0,"stats":{"Line":0}},{"line":240,"address":[],"length":0,"stats":{"Line":0}},{"line":245,"address":[],"length":0,"stats":{"Line":7}},{"line":246,"address":[],"length":0,"stats":{"Line":7}},{"line":251,"address":[],"length":0,"stats":{"Line":4}},{"line":270,"address":[],"length":0,"stats":{"Line":4}},{"line":271,"address":[],"length":0,"stats":{"Line":8}},{"line":275,"address":[],"length":0,"stats":{"Line":0}},{"line":276,"address":[],"length":0,"stats":{"Line":0}},{"line":277,"address":[],"length":0,"stats":{"Line":0}},{"line":278,"address":[],"length":0,"stats":{"Line":0}},{"line":279,"address":[],"length":0,"stats":{"Line":0}},{"line":280,"address":[],"length":0,"stats":{"Line":0}},{"line":281,"address":[],"length":0,"stats":{"Line":0}},{"line":282,"address":[],"length":0,"stats":{"Line":0}},{"line":285,"address":[],"length":0,"stats":{"Line":0}},{"line":290,"address":[],"length":0,"stats":{"Line":59}},{"line":311,"address":[],"length":0,"stats":{"Line":118}},{"line":313,"address":[],"length":0,"stats":{"Line":0}},{"line":314,"address":[],"length":0,"stats":{"Line":0}},{"line":326,"address":[],"length":0,"stats":{"Line":6}},{"line":327,"address":[],"length":0,"stats":{"Line":6}},{"line":328,"address":[],"length":0,"stats":{"Line":6}},{"line":329,"address":[],"length":0,"stats":{"Line":6}},{"line":330,"address":[],"length":0,"stats":{"Line":6}},{"line":332,"address":[],"length":0,"stats":{"Line":6}},{"line":333,"address":[],"length":0,"stats":{"Line":6}},{"line":334,"address":[],"length":0,"stats":{"Line":0}},{"line":335,"address":[],"length":0,"stats":{"Line":0}},{"line":336,"address":[],"length":0,"stats":{"Line":0}},{"line":341,"address":[],"length":0,"stats":{"Line":6}},{"line":342,"address":[],"length":0,"stats":{"Line":6}},{"line":343,"address":[],"length":0,"stats":{"Line":6}},{"line":344,"address":[],"length":0,"stats":{"Line":6}},{"line":345,"address":[],"length":0,"stats":{"Line":6}},{"line":349,"address":[],"length":0,"stats":{"Line":0}},{"line":350,"address":[],"length":0,"stats":{"Line":0}},{"line":354,"address":[],"length":0,"stats":{"Line":0}},{"line":356,"address":[],"length":0,"stats":{"Line":0}},{"line":357,"address":[],"length":0,"stats":{"Line":0}},{"line":362,"address":[],"length":0,"stats":{"Line":6}},{"line":363,"address":[],"length":0,"stats":{"Line":6}},{"line":367,"address":[],"length":0,"stats":{"Line":6}},{"line":371,"address":[],"length":0,"stats":{"Line":6}},{"line":372,"address":[],"length":0,"stats":{"Line":0}},{"line":373,"address":[],"length":0,"stats":{"Line":0}},{"line":387,"address":[],"length":0,"stats":{"Line":0}},{"line":388,"address":[],"length":0,"stats":{"Line":0}},{"line":389,"address":[],"length":0,"stats":{"Line":0}},{"line":390,"address":[],"length":0,"stats":{"Line":0}},{"line":392,"address":[],"length":0,"stats":{"Line":0}},{"line":398,"address":[],"length":0,"stats":{"Line":0}},{"line":399,"address":[],"length":0,"stats":{"Line":0}},{"line":403,"address":[],"length":0,"stats":{"Line":0}},{"line":404,"address":[],"length":0,"stats":{"Line":0}},{"line":418,"address":[],"length":0,"stats":{"Line":0}},{"line":419,"address":[],"length":0,"stats":{"Line":0}},{"line":420,"address":[],"length":0,"stats":{"Line":0}},{"line":421,"address":[],"length":0,"stats":{"Line":0}},{"line":423,"address":[],"length":0,"stats":{"Line":0}},{"line":433,"address":[],"length":0,"stats":{"Line":0}},{"line":434,"address":[],"length":0,"stats":{"Line":0}},{"line":439,"address":[],"length":0,"stats":{"Line":0}},{"line":440,"address":[],"length":0,"stats":{"Line":0}},{"line":441,"address":[],"length":0,"stats":{"Line":0}},{"line":442,"address":[],"length":0,"stats":{"Line":0}},{"line":443,"address":[],"length":0,"stats":{"Line":0}}],"covered":45,"coverable":130},{"path":["/","home","stu","dev","rust","jose","src","crypto.rs"],"content":"//! Cryptographic primitives.\n//!\n//! This module contains all primitives required for the JOSE RFCs. It abstracts\n//! away the different cryptographic libraries and provides a common interface\n//! for them. The goal is to make it easy to switch between different libraries\n//! and implementations without changing the code that uses them.\n//!\n//! ## Random Number Generation\n//!\n//! Many of the private key types provide `generate` functions. These functions\n//! require access to secure, random data. Each backend provides it own way of\n//! getting secure random data from the underlying system. The\n//! `crypto-rustcrypto` and `crypto-ring` use the [`getrandom`] crate to get\n//! random data. In order to use the `jose` crate on `no_std` systems, the user\n//! must supply a custom random number generator by using the\n//! [`register_custom_getrandom`] macro.\n//!\n//! **Note:** The current version `ring` and Rust Crypto crates use the `0.2`\n//! version of the `getrandom` crate.\n//!\n//! [`register_custom_getrandom`]: (https://docs.rs/getrandom/0.2.10/getrandom/macro.register_custom_getrandom.html)\n//! [`getrandom`]: (https://docs.rs/getrandom/0.2.10/getrandom/index.html)\n\npub(crate) mod backend;\npub mod ec;\npub mod hmac;\npub mod okp;\npub mod rsa;\n\nuse core::{error, fmt};\n\nuse backend::interface;\n\nuse self::backend::Backend;\n\n/// The result type used for cryptographic operations.\npub type Result\u003cT, E = Error\u003e = core::result::Result\u003cT, E\u003e;\n\n/// The erased error type that is used to generalize all errors that all the\n/// cryptographic libraries can return.\npub struct Error {\n    inner: \u003cBackend as interface::Backend\u003e::Error,\n}\n\nimpl fmt::Display for Error {\n    fn fmt(\u0026self, _f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Display::fmt(\u0026self.inner, _f)\n    }\n}\n\nimpl fmt::Debug for Error {\n    fn fmt(\u0026self, _f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Debug::fmt(\u0026self.inner, _f)\n    }\n}\n\nimpl error::Error for Error {\n    fn source(\u0026self) -\u003e Option\u003c\u0026(dyn error::Error + 'static)\u003e {\n        error::Error::source(\u0026self.inner)\n    }\n}\n\nimpl\u003cE\u003e From\u003cE\u003e for Error\nwhere\n    \u003cBackend as interface::Backend\u003e::Error: From\u003cE\u003e,\n{\n    fn from(err: E) -\u003e Self {\n        Self {\n            inner: \u003cBackend as interface::Backend\u003e::Error::from(err),\n        }\n    }\n}\n\n/// Fills the given buffer with random data.\n#[inline]\n#[expect(unused)] // may be used in the future\npub(crate) fn fill_random(buf: \u0026mut [u8]) -\u003e Result\u003c()\u003e {\n    \u003cBackend as interface::Backend\u003e::fill_random(buf).map_err(|e| Error { inner: e })\n}\n\n/// Performs a quick Sha256 of the given data.\n#[inline]\npub(crate) fn sha256(data: \u0026[u8]) -\u003e [u8; 32] {\n    \u003cBackend as interface::Backend\u003e::sha256(data)\n}\n\n/// Performs a quick Sha384 of the given data.\n#[inline]\npub(crate) fn sha384(data: \u0026[u8]) -\u003e [u8; 48] {\n    \u003cBackend as interface::Backend\u003e::sha384(data)\n}\n\n/// Performs a quick Sha512 of the given data.\n#[inline]\npub(crate) fn sha512(data: \u0026[u8]) -\u003e [u8; 64] {\n    \u003cBackend as interface::Backend\u003e::sha512(data)\n}\n","traces":[{"line":46,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":52,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":33}},{"line":84,"address":[],"length":0,"stats":{"Line":33}},{"line":89,"address":[],"length":0,"stats":{"Line":21}},{"line":90,"address":[],"length":0,"stats":{"Line":21}},{"line":95,"address":[],"length":0,"stats":{"Line":21}},{"line":96,"address":[],"length":0,"stats":{"Line":21}}],"covered":6,"coverable":16},{"path":["/","home","stu","dev","rust","jose","src","format","compact.rs"],"content":"use alloc::vec::Vec;\nuse core::{fmt, str::FromStr};\n\nuse super::{sealed, Format};\nuse crate::{\n    base64_url::NoBase64UrlString,\n    header,\n    jws::{PayloadData, SignError, Signer},\n    Base64UrlString, JoseHeader,\n};\n\n/// The compact representation is essentially a list of Base64Url\n/// strings that are separated by `.`.\n#[derive(Default, Debug, Clone, PartialEq, Eq, Hash)]\npub struct Compact {\n    parts: Vec\u003cBase64UrlString\u003e,\n}\n\nimpl Format for Compact {}\nimpl sealed::SealedFormat\u003cCompact\u003e for Compact {\n    type JwsHeader = JoseHeader\u003cCompact, header::Jws\u003e;\n    type SerializedJwsHeader = Base64UrlString;\n\n    fn update_header\u003cS: AsRef\u003c[u8]\u003e\u003e(header: \u0026mut Self::JwsHeader, signer: \u0026dyn Signer\u003cS\u003e) {\n        header.overwrite_alg_and_key_id(signer.algorithm(), signer.key_id());\n    }\n\n    fn serialize_header(\n        header: Self::JwsHeader,\n    ) -\u003e Result\u003cSelf::SerializedJwsHeader, SignError\u003ccore::convert::Infallible\u003e\u003e {\n        let (protected_header, _) = header.into_values().map_err(SignError::InvalidHeader)?;\n\n        if protected_header\n            .as_ref()\n            .map(|x| x.is_empty())\n            .unwrap_or(true)\n        {\n            return Err(SignError::EmptyProtectedHeader);\n        }\n\n        let header =\n            serde_json::to_string(\u0026protected_header).map_err(SignError::SerializeHeader)?;\n\n        let header = Base64UrlString::encode(header.as_bytes());\n\n        Ok(header)\n    }\n\n    fn message_from_header(hdr: \u0026Self::SerializedJwsHeader) -\u003e Option\u003c\u0026[u8]\u003e {\n        Some(hdr.as_bytes())\n    }\n\n    fn finalize(\n        header: Self::SerializedJwsHeader,\n        payload: Option\u003cPayloadData\u003e,\n        signature: \u0026[u8],\n    ) -\u003e Result\u003cSelf, serde_json::Error\u003e {\n        let mut compact = Compact::with_capacity(3);\n\n        compact.push_base64url(header);\n\n        let payload = match payload {\n            Some(PayloadData::Standard(b64)) =\u003e b64,\n            None =\u003e Base64UrlString::new(),\n        };\n\n        compact.parts.push(payload);\n        compact.push(signature);\n\n        Ok(compact)\n    }\n\n    fn finalize_jws_header_builder(\n        value_ref: \u0026mut Result\u003cSelf::JwsHeader, header::JoseHeaderBuilderError\u003e,\n        new_builder: header::JoseHeaderBuilder\u003cCompact, header::Jws\u003e,\n    ) {\n        *value_ref = new_builder.build();\n    }\n}\n\nimpl Compact {\n    pub(crate) fn with_capacity(cap: usize) -\u003e Self {\n        Compact {\n            parts: Vec::with_capacity(cap),\n        }\n    }\n\n    pub(crate) fn push_base64url(\u0026mut self, part: Base64UrlString) {\n        self.parts.push(part);\n    }\n\n    pub(crate) fn push(\u0026mut self, part: impl AsRef\u003c[u8]\u003e) {\n        self.parts.push(Base64UrlString::encode(part));\n    }\n\n    pub(crate) fn part(\u0026self, idx: usize) -\u003e Option\u003c\u0026Base64UrlString\u003e {\n        self.parts.get(idx)\n    }\n\n    pub(crate) fn len(\u0026self) -\u003e usize {\n        self.parts.len()\n    }\n}\n\nimpl FromStr for Compact {\n    type Err = NoBase64UrlString;\n\n    /// Verifies if every part of the string is valid base64url format\n    fn from_str(s: \u0026str) -\u003e Result\u003cSelf, Self::Err\u003e {\n        let parts = s\n            .split('.')\n            .map(Base64UrlString::from_str)\n            .collect::\u003cResult\u003cVec\u003c_\u003e, _\u003e\u003e()?;\n        Ok(Self { parts })\n    }\n}\n\nimpl fmt::Display for Compact {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let len = self.parts.len();\n\n        for (idx, part) in self.parts.iter().enumerate() {\n            fmt::Display::fmt(\u0026part, f)?;\n\n            if idx != len - 1 {\n                f.write_str(\".\")?;\n            }\n        }\n\n        Ok(())\n    }\n}\n","traces":[{"line":24,"address":[],"length":0,"stats":{"Line":0}},{"line":25,"address":[],"length":0,"stats":{"Line":0}},{"line":28,"address":[],"length":0,"stats":{"Line":0}},{"line":31,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":38,"address":[],"length":0,"stats":{"Line":0}},{"line":41,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":50,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":62,"address":[],"length":0,"stats":{"Line":0}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":100,"address":[],"length":0,"stats":{"Line":0}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":119,"address":[],"length":0,"stats":{"Line":0}},{"line":120,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":126,"address":[],"length":0,"stats":{"Line":0}},{"line":130,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":41},{"path":["/","home","stu","dev","rust","jose","src","format","json_flattened.rs"],"content":"use alloc::string::String;\nuse core::fmt;\n\nuse serde::{Deserialize, Serialize};\nuse serde_json::Value;\n\nuse super::{sealed, Format};\nuse crate::{\n    header,\n    jws::{PayloadData, SignError},\n    Base64UrlString, JoseHeader,\n};\n\n/// The flattened json serialization format.\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]\npub struct JsonFlattened {\n    pub(crate) payload: Option\u003cBase64UrlString\u003e,\n    #[serde(skip_serializing_if = \"Option::is_none\")]\n    pub(crate) protected: Option\u003cBase64UrlString\u003e,\n    #[serde(skip_serializing_if = \"Option::is_none\")]\n    pub(crate) header: Option\u003cserde_json::Map\u003cString, Value\u003e\u003e,\n    pub(crate) signature: Base64UrlString,\n}\n\nimpl Format for JsonFlattened {}\n\nimpl fmt::Display for JsonFlattened {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let repr = if f.alternate() {\n            serde_json::to_string_pretty(\u0026self).map_err(|_| fmt::Error)?\n        } else {\n            serde_json::to_string(\u0026self).map_err(|_| fmt::Error)?\n        };\n\n        f.write_str(\u0026repr)\n    }\n}\n\nimpl sealed::SealedFormat\u003cJsonFlattened\u003e for JsonFlattened {\n    type JwsHeader = JoseHeader\u003cJsonFlattened, header::Jws\u003e;\n    type SerializedJwsHeader = (\n        Option\u003cBase64UrlString\u003e,\n        Option\u003cserde_json::Map\u003cString, Value\u003e\u003e,\n    );\n\n    fn update_header\u003cS: AsRef\u003c[u8]\u003e\u003e(\n        header: \u0026mut Self::JwsHeader,\n        signer: \u0026dyn crate::jws::Signer\u003cS\u003e,\n    ) {\n        header.overwrite_alg_and_key_id(signer.algorithm(), signer.key_id());\n    }\n\n    fn serialize_header(\n        header: Self::JwsHeader,\n    ) -\u003e Result\u003cSelf::SerializedJwsHeader, SignError\u003ccore::convert::Infallible\u003e\u003e {\n        let (protected, unprotected) = header.into_values().map_err(SignError::InvalidHeader)?;\n\n        let protected = match protected {\n            Some(hdr) =\u003e {\n                let json = serde_json::to_string(\u0026hdr).map_err(SignError::SerializeHeader)?;\n\n                let encoded = Base64UrlString::encode(json);\n                Some(encoded)\n            }\n            None =\u003e None,\n        };\n\n        Ok((protected, unprotected))\n    }\n\n    fn message_from_header(hdr: \u0026Self::SerializedJwsHeader) -\u003e Option\u003c\u0026[u8]\u003e {\n        hdr.0.as_ref().map(|x| x.as_bytes())\n    }\n\n    fn finalize(\n        (protected, unprotected): Self::SerializedJwsHeader,\n        payload: Option\u003cPayloadData\u003e,\n        signature: \u0026[u8],\n    ) -\u003e Result\u003cSelf, serde_json::Error\u003e {\n        let payload = payload.map(|PayloadData::Standard(b64)| b64);\n\n        let signature = Base64UrlString::encode(signature);\n\n        Ok(JsonFlattened {\n            payload,\n            protected,\n            header: unprotected,\n            signature,\n        })\n    }\n\n    fn finalize_jws_header_builder(\n        value_ref: \u0026mut Result\u003cSelf::JwsHeader, header::JoseHeaderBuilderError\u003e,\n        new_builder: header::JoseHeaderBuilder\u003cJsonFlattened, header::Jws\u003e,\n    ) {\n        *value_ref = new_builder.build();\n    }\n}\n","traces":[{"line":28,"address":[],"length":0,"stats":{"Line":0}},{"line":29,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":0}},{"line":32,"address":[],"length":0,"stats":{"Line":0}},{"line":46,"address":[],"length":0,"stats":{"Line":0}},{"line":50,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":0}},{"line":86,"address":[],"length":0,"stats":{"Line":0}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":24},{"path":["/","home","stu","dev","rust","jose","src","format","json_general.rs"],"content":"use alloc::{string::String, vec, vec::Vec};\nuse core::{convert::Infallible, fmt};\n\nuse serde::{Deserialize, Serialize};\nuse serde_json::Value;\n\nuse super::{sealed, Format};\nuse crate::{\n    header::{self, JoseHeaderBuilder, JoseHeaderBuilderError},\n    jws::{PayloadData, SignError, Signer},\n    Base64UrlString, JoseHeader,\n};\n\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]\npub(crate) struct Signature {\n    #[serde(skip_serializing_if = \"Option::is_none\")]\n    pub(crate) protected: Option\u003cBase64UrlString\u003e,\n    #[serde(skip_serializing_if = \"Option::is_none\")]\n    pub(crate) header: Option\u003cserde_json::Map\u003cString, Value\u003e\u003e,\n    pub(crate) signature: Base64UrlString,\n}\n\n/// The JSON General Serialization format as specified in [Section 7.2.1] in the\n/// JWS RFC.\n///\n/// [Section 7.2.1]: https://datatracker.ietf.org/doc/html/rfc7515#section-7.2.1\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]\npub struct JsonGeneral {\n    pub(crate) payload: Option\u003cBase64UrlString\u003e,\n    pub(crate) signatures: Vec\u003cSignature\u003e,\n}\n\nimpl fmt::Display for JsonGeneral {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let repr = if f.alternate() {\n            serde_json::to_string_pretty(\u0026self).map_err(|_| fmt::Error)?\n        } else {\n            serde_json::to_string(\u0026self).map_err(|_| fmt::Error)?\n        };\n\n        f.write_str(\u0026repr)\n    }\n}\n\nimpl Format for JsonGeneral {}\n\nimpl sealed::SealedFormat\u003cJsonGeneral\u003e for JsonGeneral {\n    type JwsHeader = Vec\u003cJoseHeader\u003cJsonGeneral, header::Jws\u003e\u003e;\n    // this only a single header, even though JsonGeneral supports multiple headers,\n    // because this trait implementation is only be used for a single signer.\n    type SerializedJwsHeader = (\n        Option\u003cBase64UrlString\u003e,\n        Option\u003cserde_json::Map\u003cString, Value\u003e\u003e,\n    );\n\n    fn update_header\u003cS: AsRef\u003c[u8]\u003e\u003e(header: \u0026mut Self::JwsHeader, signer: \u0026dyn Signer\u003cS\u003e) {\n        let Some(first) = header.first_mut() else {\n            return;\n        };\n\n        first.overwrite_alg_and_key_id(signer.algorithm(), signer.key_id());\n    }\n\n    fn serialize_header(\n        mut header: Self::JwsHeader,\n    ) -\u003e Result\u003cSelf::SerializedJwsHeader, SignError\u003cInfallible\u003e\u003e {\n        let len = header.len();\n\n        let Some(header) = header.pop().filter(|_| len == 1) else {\n            return Err(SignError::HeaderCountMismatch);\n        };\n\n        let (protected, unprotected) = header.into_values().map_err(SignError::InvalidHeader)?;\n\n        let protected = match protected {\n            Some(hdr) =\u003e {\n                let json = serde_json::to_string(\u0026hdr).map_err(SignError::SerializeHeader)?;\n\n                let encoded = Base64UrlString::encode(json);\n                Some(encoded)\n            }\n            None =\u003e None,\n        };\n\n        Ok((protected, unprotected))\n    }\n\n    fn message_from_header(hdr: \u0026Self::SerializedJwsHeader) -\u003e Option\u003c\u0026[u8]\u003e {\n        hdr.0.as_ref().map(|x| x.as_bytes())\n    }\n\n    fn finalize(\n        header: Self::SerializedJwsHeader,\n        payload: Option\u003cPayloadData\u003e,\n        signature: \u0026[u8],\n    ) -\u003e Result\u003cSelf, serde_json::Error\u003e {\n        let payload = payload.map(|PayloadData::Standard(b64)| b64);\n\n        let signature = Base64UrlString::encode(signature);\n\n        Ok(JsonGeneral {\n            payload,\n            signatures: vec![Signature {\n                protected: header.0,\n                header: header.1,\n                signature,\n            }],\n        })\n    }\n\n    fn finalize_jws_header_builder(\n        value_ref: \u0026mut Result\u003cSelf::JwsHeader, JoseHeaderBuilderError\u003e,\n        new_builder: JoseHeaderBuilder\u003cJsonGeneral, header::Jws\u003e,\n    ) {\n        let header = match new_builder.build() {\n            Ok(header) =\u003e header,\n            Err(err) =\u003e {\n                *value_ref = Err(err);\n                return;\n            }\n        };\n\n        match value_ref {\n            Ok(headers) =\u003e headers.push(header),\n            Err(_) =\u003e *value_ref = Ok(vec![header]),\n        }\n    }\n}\n","traces":[{"line":34,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":38,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":102,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":0}},{"line":119,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":35},{"path":["/","home","stu","dev","rust","jose","src","format.rs"],"content":"//! Contains abstractions for different kinds of\n//! serialization formats.\n//!\n//! Currently, the only two formats are [`Compact`] and [`JsonFlattened`].\n\nmod compact;\nmod json_flattened;\nmod json_general;\n\nuse core::fmt;\n\npub use compact::Compact;\npub use json_flattened::JsonFlattened;\npub use json_general::JsonGeneral;\npub(crate) use json_general::Signature as JsonGeneralSignature;\n\nuse crate::sealed::Sealed;\n\npub(crate) mod sealed {\n    use alloc::fmt;\n    use core::convert::Infallible;\n\n    use crate::{\n        header::{self, JoseHeaderBuilder, JoseHeaderBuilderError},\n        jws::{PayloadData, SignError, Signer},\n    };\n\n    // We put all methods, types, etc into a sealed trait, so\n    // the user is not able to access these thing as they should\n    // only be used internally by this crate\n    pub trait SealedFormat\u003cF\u003e: Sized {\n        type JwsHeader: fmt::Debug;\n        type SerializedJwsHeader: fmt::Debug;\n\n        fn update_header\u003cS: AsRef\u003c[u8]\u003e\u003e(header: \u0026mut Self::JwsHeader, signer: \u0026dyn Signer\u003cS\u003e);\n\n        /// Serializes the header for this format.\n        ///\n        /// The returned values must be the serializd header and the\n        /// bytes that must be appended to the message for the signature.\n        fn serialize_header(\n            header: Self::JwsHeader,\n        ) -\u003e Result\u003cSelf::SerializedJwsHeader, SignError\u003cInfallible\u003e\u003e;\n\n        /// This method converts a serialized header into the message bytes\n        /// that are used for the signature.\n        fn message_from_header(hdr: \u0026Self::SerializedJwsHeader) -\u003e Option\u003c\u0026[u8]\u003e;\n\n        fn finalize(\n            header: Self::SerializedJwsHeader,\n            payload: Option\u003cPayloadData\u003e,\n            signature: \u0026[u8],\n        ) -\u003e Result\u003cSelf, serde_json::Error\u003e;\n\n        fn finalize_jws_header_builder(\n            value_ref: \u0026mut Result\u003cSelf::JwsHeader, JoseHeaderBuilderError\u003e,\n            new_builder: JoseHeaderBuilder\u003cF, header::Jws\u003e,\n        );\n    }\n}\n\n/// This trait represents any possible format in which a JWS or JWE can be\n/// represented.\npub trait Format: fmt::Display + sealed::SealedFormat\u003cSelf\u003e + Sized {}\n\n/// Used to parse a [`Compact`] or another format representation\n/// into a concrete type.\npub trait DecodeFormat\u003cF\u003e: Sealed + Sized {\n    /// The error that can occurr while parsing `Self` from the input.\n    type Error;\n\n    /// The decoded type to return.\n    type Decoded\u003cT\u003e;\n\n    /// Parse the input into a new [`Decoded`](Self::Decoded) instance of\n    /// `Self`.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the input format has an invalid representation for\n    /// this type.\n    fn decode(input: F) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e;\n}\n\n/// Used to parse a [`Compact`] or another format representation\n/// into a concrete type.\npub trait DecodeFormatWithContext\u003cF, C\u003e: Sealed + Sized {\n    /// The error that can occurr while parsing `Self` from the input.\n    type Error;\n\n    /// The decoded type to return.\n    type Decoded\u003cT\u003e;\n\n    /// Parse the input into a new [`Decoded`](Self::Decoded) instance of\n    /// `Self`.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the input format has an invalid representation for\n    /// this type.\n    fn decode_with_context(input: F, context: \u0026C) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e;\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","header","builder.rs"],"content":"use alloc::{\n    collections::{BTreeMap, BTreeSet},\n    string::String,\n    vec::Vec,\n};\nuse core::marker::PhantomData;\n\nuse mediatype::MediaTypeBuf;\nuse serde_json::Value;\n\nuse super::{\n    parameters::MediaTypeWithMaybeStrippedApplicationTopLevel, HeaderValue, Jwe, Jws, Type,\n};\nuse crate::{\n    format::Format,\n    header::parameters::Parameters,\n    jwa::{JsonWebContentEncryptionAlgorithm, JsonWebEncryptionAlgorithm, JsonWebSigningAlgorithm},\n    jwk::serde_impl::Base64DerCertificate,\n    JoseHeader, JsonWebKey, UntypedAdditionalProperties, Uri,\n};\n\n/// A builder for a [`JoseHeader`].\n#[derive(Debug)]\n#[non_exhaustive]\npub struct JoseHeaderBuilder\u003cF, T\u003e {\n    // data\n    critical_headers: Option\u003cBTreeSet\u003cString\u003e\u003e,\n    jwk_set_url: Option\u003cHeaderValue\u003cUri\u003e\u003e,\n    json_web_key: Option\u003cHeaderValue\u003cJsonWebKey\u003cUntypedAdditionalProperties\u003e\u003e\u003e,\n    key_identifier: Option\u003cHeaderValue\u003cString\u003e\u003e,\n    x509_url: Option\u003cHeaderValue\u003cUri\u003e\u003e,\n    x509_certificate_chain: Option\u003cHeaderValue\u003cVec\u003cVec\u003cu8\u003e\u003e\u003e\u003e,\n    x509_certificate_sha1_thumbprint: Option\u003cHeaderValue\u003c[u8; 20]\u003e\u003e,\n    x509_certificate_sha256_thumbprint: Option\u003cHeaderValue\u003c[u8; 32]\u003e\u003e,\n    typ: Option\u003cHeaderValue\u003cMediaTypeBuf\u003e\u003e,\n    content_type: Option\u003cHeaderValue\u003cMediaTypeBuf\u003e\u003e,\n    additional: BTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e,\n    specific: Specific,\n    _phantom: PhantomData\u003c(F, T)\u003e,\n}\n\nimpl\u003cF, T\u003e JoseHeaderBuilder\u003cF, T\u003e\nwhere\n    F: Format,\n    T: Type,\n{\n    /// Set the [`critical_headers`](crate::JoseHeader::critical_headers)\n    /// parameter.\n    pub fn critical_headers(self, critical_headers: Option\u003cBTreeSet\u003cString\u003e\u003e) -\u003e Self {\n        // since `crit` header is not allowed to be an empty array, an empty set is\n        // discarded setting `None` will remove any existing critical headers\n        // that may already be present\n        Self {\n            critical_headers,\n            ..self\n        }\n    }\n\n    /// Set [additional](crate::JoseHeader::additional) parameters.\n    ///\n    /// Note: Do not push parameter names that are understood by this\n    /// implementation. Instead, use the appropriate method to set the parameter\n    /// directly.\n    pub fn additional(self, additional: BTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e) -\u003e Self {\n        Self { additional, ..self }\n    }\n\n    /// Create a new [`JoseHeaderBuilder`] in order to build a [`JoseHeader`].\n    pub fn new() -\u003e Self {\n        Self {\n            critical_headers: None,\n            jwk_set_url: None,\n            json_web_key: None,\n            key_identifier: None,\n            x509_url: None,\n            x509_certificate_chain: None,\n            x509_certificate_sha1_thumbprint: None,\n            x509_certificate_sha256_thumbprint: None,\n            typ: None,\n            content_type: None,\n            additional: BTreeMap::new(),\n            specific: T::specific_default(),\n            _phantom: PhantomData,\n        }\n    }\n\n    fn build_parameters(self) -\u003e Result\u003c(Parameters\u003c()\u003e, Specific), JoseHeaderBuilderError\u003e {\n        // oh dear god\n        let x509_certificate_chain = self\n            .x509_certificate_chain\n            .map(|v| v.map(|v| v.into_iter().map(Base64DerCertificate).collect::\u003cVec\u003c_\u003e\u003e()));\n\n        // FIXME: check if additional parameters contain parameters that are understood\n        // by our implementation and that should be set via their methods instead.\n\n        let parameters = Parameters {\n            critical_headers: self.critical_headers,\n            jwk_set_url: self.jwk_set_url,\n            json_web_key: self.json_web_key,\n            key_id: self.key_identifier,\n            x509_url: self.x509_url,\n            x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: self.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: self.x509_certificate_sha256_thumbprint,\n            typ: self\n                .typ\n                .map(|v| v.map(MediaTypeWithMaybeStrippedApplicationTopLevel)),\n            content_type: self\n                .content_type\n                .map(|v| v.map(MediaTypeWithMaybeStrippedApplicationTopLevel)),\n            specific: (),\n            additional: self.additional,\n        };\n        Ok((parameters, self.specific))\n    }\n\n    /// Create a [`JoseHeaderBuilder`] from a [`JoseHeader`] preserving the\n    /// parameters.\n    pub fn from_header(header: JoseHeader\u003cF, T\u003e) -\u003e Self {\n        let parameters = header.parameters;\n        let specific = parameters.specific.into_specific();\n\n        let x509_certificate_chain = parameters\n            .x509_certificate_chain\n            .map(|v| v.map(|v| v.into_iter().map(|v| v.0).collect::\u003cVec\u003c_\u003e\u003e()));\n        Self {\n            critical_headers: parameters.critical_headers,\n            jwk_set_url: parameters.jwk_set_url,\n            json_web_key: parameters.json_web_key,\n            key_identifier: parameters.key_id,\n            x509_url: parameters.x509_url,\n            x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: parameters.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: parameters.x509_certificate_sha256_thumbprint,\n            typ: parameters.typ.map(|v| v.map(|v| v.0)),\n            content_type: parameters.content_type.map(|v| v.map(|v| v.0)),\n            additional: parameters.additional,\n            specific,\n            _phantom: PhantomData,\n        }\n    }\n}\n\nimpl\u003cF, T\u003e Default for JoseHeaderBuilder\u003cF, T\u003e\nwhere\n    F: Format,\n    T: Type,\n{\n    fn default() -\u003e Self {\n        Self::new()\n    }\n}\n\n/// Specific parameters for Jws and Jwe. See [`Jws`] and [`Jwe`]\n#[derive(Debug)]\n#[non_exhaustive]\npub enum Specific {\n    Jws {\n        algorithm: Option\u003cHeaderValue\u003cJsonWebSigningAlgorithm\u003e\u003e,\n        // default: true\n        payload_base64_url_encoded: Option\u003cbool\u003e,\n    },\n    Jwe {\n        algorithm: Option\u003cHeaderValue\u003cJsonWebEncryptionAlgorithm\u003e\u003e,\n        content_encryption_algorithm: Option\u003cHeaderValue\u003cJsonWebContentEncryptionAlgorithm\u003e\u003e,\n    },\n}\n\n/// Errors that may occur while building a [`JoseHeader`] via\n/// [`JoseHeaderBuilder::build`].\n#[derive(Debug, thiserror::Error)]\n#[non_exhaustive]\npub enum JoseHeaderBuilderError {\n    /// There is no algorithm specified. Specify an algorithm via\n    /// [`JoseHeaderBuilder::algorithm`].\n    #[error(\"no algorithm set\")]\n    MissingAlgorithm,\n    /// There is no content encryption algorithm specified. Specify an content\n    /// encryption algorithm via\n    /// [`JoseHeaderBuilder::content_encryption_algorithm`].\n    ///\n    /// Note: This error may only occur while building a [`JoseHeader`] for\n    /// [`Jwe`].\n    #[error(\"no content encryption algorithm set\")]\n    MissingContentEncryptionAlgorithm,\n    /// One or more certificates in the X.509 certificate chain (set via\n    /// [`JoseHeaderBuilder::x509_certificate_chain`]) are invalid. E.g. not\n    /// valid DER-encoded.\n    #[error(\"the certificates in the certificate chain are invalid\")]\n    InvalidX509CertificateChain,\n}\n\nimpl\u003cF\u003e JoseHeaderBuilder\u003cF, Jws\u003e\nwhere\n    F: Format,\n{\n    /// Set the [`algorithm`](crate::JoseHeader::algorithm) parameter for\n    /// [`Jws`].\n    pub fn algorithm(self, algorithm: HeaderValue\u003cJsonWebSigningAlgorithm\u003e) -\u003e Self {\n        let specific = Specific::Jws {\n            algorithm: Some(algorithm),\n            payload_base64_url_encoded: match self.specific {\n                Specific::Jws {\n                    algorithm: _,\n                    payload_base64_url_encoded,\n                } =\u003e payload_base64_url_encoded,\n                // implementation must ensure a JoseHeaderBuilder\u003cF, Jws\u003e cannot be turned into an\n                // JoseHeaderBuilder\u003cF, Jwe\u003e\n                _ =\u003e unreachable!(),\n            },\n        };\n        Self { specific, ..self }\n    }\n\n    /// Set the [`payload_base64_url_encoded`](crate::JoseHeader::payload_base64_url_encoded) parameter for [`Jws`].\n    pub fn payload_base64_url_encoded(self, payload_base64_url_encoded: bool) -\u003e Self {\n        let specific = Specific::Jws {\n            algorithm: match self.specific {\n                Specific::Jws {\n                    algorithm,\n                    payload_base64_url_encoded: _,\n                } =\u003e algorithm,\n                _ =\u003e unreachable!(),\n            },\n            payload_base64_url_encoded: Some(payload_base64_url_encoded),\n        };\n        Self { specific, ..self }\n    }\n\n    /// Try to build a [`JoseHeader`].\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if any of the values provided by the builder are\n    /// invalid. See [`JoseHeaderBuilderError`] for details.\n    pub fn build(self) -\u003e Result\u003cJoseHeader\u003cF, Jws\u003e, JoseHeaderBuilderError\u003e {\n        let (parameters, specific) = self.build_parameters()?;\n\n        let (algorithm, payload_base64_url_encoded) = match specific {\n            Specific::Jws {\n                algorithm,\n                payload_base64_url_encoded,\n            } =\u003e (\n                algorithm.ok_or(JoseHeaderBuilderError::MissingAlgorithm)?,\n                payload_base64_url_encoded,\n            ),\n            _ =\u003e unreachable!(),\n        };\n        let specific = Jws {\n            algorithm,\n            payload_base64_url_encoded,\n        };\n        Ok(JoseHeader {\n            _format: PhantomData,\n            parameters: Parameters {\n                specific,\n                critical_headers: parameters.critical_headers,\n                jwk_set_url: parameters.jwk_set_url,\n                json_web_key: parameters.json_web_key,\n                key_id: parameters.key_id,\n                x509_url: parameters.x509_url,\n                x509_certificate_chain: parameters.x509_certificate_chain,\n                x509_certificate_sha1_thumbprint: parameters.x509_certificate_sha1_thumbprint,\n                x509_certificate_sha256_thumbprint: parameters.x509_certificate_sha256_thumbprint,\n                typ: parameters.typ,\n                content_type: parameters.content_type,\n                additional: parameters.additional,\n            },\n        })\n    }\n}\n\nimpl\u003cF\u003e JoseHeaderBuilder\u003cF, Jwe\u003e\nwhere\n    F: Format,\n{\n    /// Set the [`algorithm`](crate::JoseHeader::algorithm) parameter for\n    /// [`Jwe`].\n    pub fn algorithm(self, algorithm: HeaderValue\u003cJsonWebEncryptionAlgorithm\u003e) -\u003e Self {\n        let specific = Specific::Jwe {\n            algorithm: Some(algorithm),\n            content_encryption_algorithm: match self.specific {\n                Specific::Jwe {\n                    algorithm: _,\n                    content_encryption_algorithm,\n                } =\u003e content_encryption_algorithm,\n                _ =\u003e unreachable!(),\n            },\n        };\n        Self { specific, ..self }\n    }\n\n    /// Set the [`content_encryption_algorithm`](crate::JoseHeader::content_encryption_algorithm) parameter for [`Jwe`].\n    pub fn content_encryption_algorithm(\n        self,\n        content_encryption_algorithm: HeaderValue\u003cJsonWebContentEncryptionAlgorithm\u003e,\n    ) -\u003e Self {\n        let specific = Specific::Jwe {\n            algorithm: match self.specific {\n                Specific::Jwe {\n                    algorithm,\n                    content_encryption_algorithm: _,\n                } =\u003e algorithm,\n                _ =\u003e unreachable!(),\n            },\n            content_encryption_algorithm: Some(content_encryption_algorithm),\n        };\n        Self { specific, ..self }\n    }\n\n    /// Try to build a [`JoseHeader`].\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if any of the values provided by the builder are\n    /// invalid. See [`JoseHeaderBuilderError`] for details.\n    pub fn build(self) -\u003e Result\u003cJoseHeader\u003cF, Jwe\u003e, JoseHeaderBuilderError\u003e {\n        let (parameters, specific) = self.build_parameters()?;\n        let (algorithm, content_encryption_algorithm) = match specific {\n            Specific::Jwe {\n                algorithm,\n                content_encryption_algorithm,\n            } =\u003e (\n                algorithm.ok_or(JoseHeaderBuilderError::MissingAlgorithm)?,\n                content_encryption_algorithm.ok_or(JoseHeaderBuilderError::MissingAlgorithm)?,\n            ),\n            _ =\u003e unreachable!(),\n        };\n        let specific = Jwe {\n            algorithm,\n            content_encryption_algorithm,\n        };\n\n        Ok(JoseHeader {\n            _format: PhantomData,\n            parameters: Parameters {\n                specific,\n                critical_headers: parameters.critical_headers,\n                jwk_set_url: parameters.jwk_set_url,\n                json_web_key: parameters.json_web_key,\n                key_id: parameters.key_id,\n                x509_url: parameters.x509_url,\n                x509_certificate_chain: parameters.x509_certificate_chain,\n                x509_certificate_sha1_thumbprint: parameters.x509_certificate_sha1_thumbprint,\n                x509_certificate_sha256_thumbprint: parameters.x509_certificate_sha256_thumbprint,\n                typ: parameters.typ,\n                content_type: parameters.content_type,\n                additional: parameters.additional,\n            },\n        })\n    }\n}\n\nmacro_rules! setter {\n    ($($parameter:ident: $parameter_typ:ty),+,) =\u003e {\n        impl\u003cF, T\u003e JoseHeaderBuilder\u003cF, T\u003e\n        where\n            F: Format,\n            T: Type,\n        {\n            $(\n            #[doc = concat!(\"Set the [`\", stringify!($parameter), \"`](crate::JoseHeader::\", stringify!($parameter), \") parameter.\")]\n            pub fn $parameter(self, $parameter: Option\u003cHeaderValue\u003c$parameter_typ\u003e\u003e) -\u003e Self {\n                Self {\n                    $parameter,\n                    ..self\n                }\n            }\n            )+\n        }\n    };\n}\n\nsetter! {\n    x509_certificate_chain: Vec\u003cVec\u003cu8\u003e\u003e,\n    jwk_set_url: Uri,\n    json_web_key: JsonWebKey\u003cUntypedAdditionalProperties\u003e,\n    key_identifier: String,\n    x509_url: Uri,\n    x509_certificate_sha1_thumbprint: [u8; 20],\n    x509_certificate_sha256_thumbprint: [u8; 32],\n    typ: MediaTypeBuf,\n    content_type: MediaTypeBuf,\n}\n","traces":[{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":1}},{"line":81,"address":[],"length":0,"stats":{"Line":1}},{"line":82,"address":[],"length":0,"stats":{"Line":1}},{"line":87,"address":[],"length":0,"stats":{"Line":1}},{"line":89,"address":[],"length":0,"stats":{"Line":1}},{"line":90,"address":[],"length":0,"stats":{"Line":1}},{"line":91,"address":[],"length":0,"stats":{"Line":1}},{"line":97,"address":[],"length":0,"stats":{"Line":1}},{"line":98,"address":[],"length":0,"stats":{"Line":1}},{"line":99,"address":[],"length":0,"stats":{"Line":1}},{"line":100,"address":[],"length":0,"stats":{"Line":1}},{"line":101,"address":[],"length":0,"stats":{"Line":1}},{"line":103,"address":[],"length":0,"stats":{"Line":1}},{"line":104,"address":[],"length":0,"stats":{"Line":1}},{"line":105,"address":[],"length":0,"stats":{"Line":1}},{"line":108,"address":[],"length":0,"stats":{"Line":1}},{"line":111,"address":[],"length":0,"stats":{"Line":1}},{"line":112,"address":[],"length":0,"stats":{"Line":1}},{"line":114,"address":[],"length":0,"stats":{"Line":1}},{"line":119,"address":[],"length":0,"stats":{"Line":0}},{"line":120,"address":[],"length":0,"stats":{"Line":0}},{"line":121,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":130,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":133,"address":[],"length":0,"stats":{"Line":0}},{"line":134,"address":[],"length":0,"stats":{"Line":0}},{"line":135,"address":[],"length":0,"stats":{"Line":0}},{"line":136,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":149,"address":[],"length":0,"stats":{"Line":1}},{"line":150,"address":[],"length":0,"stats":{"Line":1}},{"line":199,"address":[],"length":0,"stats":{"Line":1}},{"line":201,"address":[],"length":0,"stats":{"Line":1}},{"line":202,"address":[],"length":0,"stats":{"Line":1}},{"line":216,"address":[],"length":0,"stats":{"Line":0}},{"line":218,"address":[],"length":0,"stats":{"Line":0}},{"line":225,"address":[],"length":0,"stats":{"Line":0}},{"line":236,"address":[],"length":0,"stats":{"Line":1}},{"line":237,"address":[],"length":0,"stats":{"Line":2}},{"line":239,"address":[],"length":0,"stats":{"Line":1}},{"line":240,"address":[],"length":0,"stats":{"Line":0}},{"line":241,"address":[],"length":0,"stats":{"Line":1}},{"line":242,"address":[],"length":0,"stats":{"Line":1}},{"line":243,"address":[],"length":0,"stats":{"Line":1}},{"line":244,"address":[],"length":0,"stats":{"Line":1}},{"line":245,"address":[],"length":0,"stats":{"Line":0}},{"line":253,"address":[],"length":0,"stats":{"Line":0}},{"line":254,"address":[],"length":0,"stats":{"Line":0}},{"line":255,"address":[],"length":0,"stats":{"Line":0}},{"line":256,"address":[],"length":0,"stats":{"Line":0}},{"line":257,"address":[],"length":0,"stats":{"Line":0}},{"line":258,"address":[],"length":0,"stats":{"Line":0}},{"line":259,"address":[],"length":0,"stats":{"Line":0}},{"line":260,"address":[],"length":0,"stats":{"Line":0}},{"line":261,"address":[],"length":0,"stats":{"Line":0}},{"line":262,"address":[],"length":0,"stats":{"Line":0}},{"line":263,"address":[],"length":0,"stats":{"Line":0}},{"line":264,"address":[],"length":0,"stats":{"Line":0}},{"line":265,"address":[],"length":0,"stats":{"Line":0}},{"line":266,"address":[],"length":0,"stats":{"Line":0}},{"line":267,"address":[],"length":0,"stats":{"Line":0}},{"line":279,"address":[],"length":0,"stats":{"Line":0}},{"line":281,"address":[],"length":0,"stats":{"Line":0}},{"line":282,"address":[],"length":0,"stats":{"Line":0}},{"line":294,"address":[],"length":0,"stats":{"Line":0}},{"line":299,"address":[],"length":0,"stats":{"Line":0}},{"line":306,"address":[],"length":0,"stats":{"Line":0}},{"line":317,"address":[],"length":0,"stats":{"Line":0}},{"line":318,"address":[],"length":0,"stats":{"Line":0}},{"line":319,"address":[],"length":0,"stats":{"Line":0}},{"line":320,"address":[],"length":0,"stats":{"Line":0}},{"line":321,"address":[],"length":0,"stats":{"Line":0}},{"line":322,"address":[],"length":0,"stats":{"Line":0}},{"line":323,"address":[],"length":0,"stats":{"Line":0}},{"line":324,"address":[],"length":0,"stats":{"Line":0}},{"line":325,"address":[],"length":0,"stats":{"Line":0}},{"line":334,"address":[],"length":0,"stats":{"Line":0}},{"line":335,"address":[],"length":0,"stats":{"Line":0}},{"line":336,"address":[],"length":0,"stats":{"Line":0}},{"line":337,"address":[],"length":0,"stats":{"Line":0}},{"line":338,"address":[],"length":0,"stats":{"Line":0}},{"line":339,"address":[],"length":0,"stats":{"Line":0}},{"line":340,"address":[],"length":0,"stats":{"Line":0}},{"line":341,"address":[],"length":0,"stats":{"Line":0}},{"line":342,"address":[],"length":0,"stats":{"Line":0}},{"line":343,"address":[],"length":0,"stats":{"Line":0}},{"line":344,"address":[],"length":0,"stats":{"Line":0}},{"line":345,"address":[],"length":0,"stats":{"Line":0}},{"line":346,"address":[],"length":0,"stats":{"Line":0}},{"line":347,"address":[],"length":0,"stats":{"Line":0}},{"line":348,"address":[],"length":0,"stats":{"Line":0}},{"line":363,"address":[],"length":0,"stats":{"Line":0}},{"line":364,"address":[],"length":0,"stats":{"Line":0}},{"line":365,"address":[],"length":0,"stats":{"Line":0}},{"line":366,"address":[],"length":0,"stats":{"Line":0}}],"covered":31,"coverable":103},{"path":["/","home","stu","dev","rust","jose","src","header","error.rs"],"content":"use alloc::string::String;\n\n/// Errors that may occur while working [`JoseHeader`](super::JoseHeader)\n#[derive(Debug, thiserror::Error)]\n#[non_exhaustive]\npub enum Error {\n    /// Found a header parameter that must be protected in the unprotected\n    /// `header` parameter\n    #[error(\"found an unprotected header parameter, that must be proctected\")]\n    ExpectedProtected,\n    /// The `protected` and (unprotected) `header` parameter share members with\n    /// the same name\n    #[error(\"the protected and unprotected header parameters share members with the same name\")]\n    NotDisjoint,\n    /// Both the `protected` and (unprotected) `header` members in a JWS or JWE\n    /// are empty.\n    #[error(\"both the protected and unprotected header parameters are empty\")]\n    NoHeader,\n    /// The `protected` or the (unprotected) `header` member is present but\n    /// contains no members (it is an empty object `{}`)\n    #[error(\"the protected or the unprotected header parameter is empty\")]\n    EmptyHeader,\n    /// Found a header parameter name that is forbidden as per [section 4.1.11\n    /// of RFC 7515]\n    ///\n    /// [section 4.1.11 of RFC 7515]: \u003chttps://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11\u003e\n    #[error(\"found a forbidden header parameter: {0}\")]\n    ForbiddenHeader(String),\n    /// A REQUIRED header is missing (e.g. the `alg` header)\n    #[error(\"a required header is missing: {0}\")]\n    MissingHeader(String),\n    /// The `crit` header is present but an empty list (`[]`)\n    #[error(\"the crit header is empty\")]\n    EmptyCriticalHeaders,\n    /// A JSON deserialization error, see [`serde_json::Error`] for details.\n    #[error(transparent)]\n    JsonError(#[from] serde_json::Error),\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","header","parameters.rs"],"content":"use alloc::{\n    borrow::Cow,\n    collections::{BTreeMap, BTreeSet},\n    string::{String, ToString},\n    vec::Vec,\n};\n\nuse mediatype::MediaTypeBuf;\nuse serde::{de::Error, Deserialize, Serialize};\nuse serde_json::Value;\n\nuse super::HeaderValue;\nuse crate::{jwk::serde_impl::Base64DerCertificate, JsonWebKey, UntypedAdditionalProperties, Uri};\n\n#[derive(Debug)]\n#[non_exhaustive]\npub(crate) struct Parameters\u003cT\u003e {\n    /// `crit` header MUST always be protected\n    pub(crate) critical_headers: Option\u003cBTreeSet\u003cString\u003e\u003e,\n    /// `jku` parameter defined in section 4.1.2 of JWS and section 4.1.4 of JWE\n    pub(crate) jwk_set_url: Option\u003cHeaderValue\u003cUri\u003e\u003e,\n    /// `jwk` parameter defined in section 4.1.3 of JWS and section 4.1.5 of JWE\n    pub(crate) json_web_key: Option\u003cHeaderValue\u003cJsonWebKey\u003cUntypedAdditionalProperties\u003e\u003e\u003e,\n    // `kid` parameter defined in section 4.1.4 of JWS and section 4.1.6 of JWE\n    pub(crate) key_id: Option\u003cHeaderValue\u003cString\u003e\u003e,\n    /// `x5u` parameter defined in section 4.1.5 of JWS and section 4.1.7 of JWE\n    // FIXME: use url type instead\n    pub(crate) x509_url: Option\u003cHeaderValue\u003cUri\u003e\u003e,\n    /// `x5c` parameter defined in section 4.1.6 of JWS and section 4.1.8 of JWE\n    pub(crate) x509_certificate_chain: Option\u003cHeaderValue\u003cVec\u003cBase64DerCertificate\u003e\u003e\u003e,\n    /// `x5t` parameter defined in section 4.1.7 of JWS and section 4.1.9 of JWE\n    pub(crate) x509_certificate_sha1_thumbprint: Option\u003cHeaderValue\u003c[u8; 20]\u003e\u003e,\n    /// `x5t#S256` parameter defined in section 4.1.8 of JWS and section 4.1.10\n    /// of JWE\n    pub(crate) x509_certificate_sha256_thumbprint: Option\u003cHeaderValue\u003c[u8; 32]\u003e\u003e,\n    /// `typ` parameter defined in section 4.1.9 of JWS and section 4.1.11 of\n    /// JWE\n    pub(crate) typ: Option\u003cHeaderValue\u003cMediaTypeWithMaybeStrippedApplicationTopLevel\u003e\u003e,\n    /// `cty` parameter defined in section 4.1.10 of JWS and section 4.1.12 of\n    /// JWE\n    pub(crate) content_type: Option\u003cHeaderValue\u003cMediaTypeWithMaybeStrippedApplicationTopLevel\u003e\u003e,\n    // additional parameters specific to JWS or JWE (e.g. `enc` in JWE)\n    pub(crate) specific: T,\n    // an untyped list of other values that are not understood by this implementation\n    pub(crate) additional: BTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e,\n}\n\n/// A wrapper type that incorporates the special handling of `application/X`\n/// media types in `typ` and `cty` header parameters as defined in [Section\n/// 4.1.9 of RFC 7515][1].\n///\n/// See [#128].\n///\n/// If the mediatype starts with `application/` and no other `/` is present,\n/// implementations should strip the `application/` to save space.\n///\n/// Since this is a serialization detail, we abstract it away, because the\n/// meaning remains the same and this way users can easily use the mediatype\n/// crate.\n///\n/// [#128]: \u003chttps://github.com/minkan-chat/jose/issues/128\u003e\n/// [1]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.9\u003e\n#[derive(Debug)]\npub(crate) struct MediaTypeWithMaybeStrippedApplicationTopLevel(pub(crate) MediaTypeBuf);\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for MediaTypeWithMaybeStrippedApplicationTopLevel {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let raw: Cow\u003c'_, str\u003e = Cow::deserialize(deserializer)?;\n        // if there is no `/` in the media type the RFC dictates to prepend\n        // `application/`\n        let corrected = if !raw.contains('/') {\n            alloc::format!(\"application/{raw}\")\n        } else {\n            raw.to_string()\n        };\n        let inner = MediaTypeBuf::from_string(corrected).map_err(D::Error::custom)?;\n        Ok(Self(inner))\n    }\n}\n\nimpl Serialize for MediaTypeWithMaybeStrippedApplicationTopLevel {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        let correct = self.0.to_string();\n        if self.0.ty() == mediatype::names::APPLICATION\n            // ensure media type contains exactly one slash (parameters included)\n            \u0026\u0026 correct.chars().filter(|c| *c == '/').count() == 1\n        {\n            let raw = correct.split_once('/').expect(\"contains one slash\").1;\n            // these should be UPPERCASE for interop with legacy implementation according to\n            // the JOSE RFCs..\n            const SHOULD_BE_UPPERCASE: [\u0026str; 2] = [\"jwt\", \"jose\"];\n            Ok(\n                if SHOULD_BE_UPPERCASE.contains(\u0026raw.to_lowercase().as_str()) {\n                    raw.to_uppercase().serialize(serializer)?\n                } else {\n                    raw.serialize(serializer)?\n                },\n            )\n        } else {\n            correct.serialize(serializer)\n        }\n    }\n}\n\n#[cfg(test)]\nmod tests {\n    use alloc::string::String;\n\n    use mediatype::{\n        names::{APPLICATION, JWT},\n        MediaType,\n    };\n    use serde::{Deserialize, Serialize};\n\n    use super::MediaTypeWithMaybeStrippedApplicationTopLevel;\n\n    #[derive(Deserialize, Serialize)]\n    struct Dummy {\n        typ: MediaTypeWithMaybeStrippedApplicationTopLevel,\n    }\n    #[test]\n    fn jwt_without_application_roundtrip() {\n        let payload = r#\"{\"typ\":\"JWT\"}\"#;\n        let a: Dummy = serde_json::from_str(payload).expect(\"valid\");\n        assert_eq!(a.typ.0, MediaType::new(APPLICATION, JWT));\n        let json: String = serde_json::to_string(\u0026a).expect(\"valid\");\n        assert_eq!(json, payload);\n    }\n}\n","traces":[{"line":67,"address":[],"length":0,"stats":{"Line":1}},{"line":71,"address":[],"length":0,"stats":{"Line":2}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":1}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":79,"address":[],"length":0,"stats":{"Line":1}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":1}},{"line":89,"address":[],"length":0,"stats":{"Line":1}},{"line":90,"address":[],"length":0,"stats":{"Line":1}},{"line":92,"address":[],"length":0,"stats":{"Line":17}},{"line":94,"address":[],"length":0,"stats":{"Line":1}},{"line":99,"address":[],"length":0,"stats":{"Line":1}},{"line":100,"address":[],"length":0,"stats":{"Line":1}},{"line":102,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}}],"covered":11,"coverable":16},{"path":["/","home","stu","dev","rust","jose","src","header","types","jwe.rs"],"content":"use crate::{\n    header::HeaderValue,\n    jwa::{JsonWebContentEncryptionAlgorithm, JsonWebEncryptionAlgorithm},\n    sealed::Sealed,\n};\n\n/// Parameters specific to Json Web Encryption\n#[derive(Debug)]\n#[non_exhaustive]\npub struct Jwe {\n    /// `alg` parameter\n    pub(crate) algorithm: HeaderValue\u003cJsonWebEncryptionAlgorithm\u003e,\n    /// `enc` parameter\n    pub(crate) content_encryption_algorithm: HeaderValue\u003cJsonWebContentEncryptionAlgorithm\u003e,\n    // FIXME: other JWE parameters (zip, epk, ...)\n}\n\nimpl Sealed for Jwe {}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","header","types","jws.rs"],"content":"use crate::{header::HeaderValue, jwa::JsonWebSigningAlgorithm, sealed::Sealed};\n\n/// Parameters specific to Json Web Signatures\n#[derive(Debug)]\n#[non_exhaustive]\npub struct Jws {\n    // `alg` parameter\n    pub(crate) algorithm: HeaderValue\u003cJsonWebSigningAlgorithm\u003e,\n    /// `b64` parameter as defined by RFC 7797. This parameter is optional and\n    /// it's default value is `true`.\n    ///\n    /// If this value is `false`, the payload of the JWS is not base64 urlsafe\n    /// encoded. This can work for simple stuff like a hex string, but will\n    /// often cause parsing errors. Use of this option makes sense if the\n    /// payload of a JWS is detached.\n    ///\n    /// Note: In a JsonWebToken, this value MUST always be true. Therefore, the\n    /// payload MUST NOT use the unencoded payload option.\n    ///\n    /// Note: This header MUST be integrity protected.\n    pub(crate) payload_base64_url_encoded: Option\u003cbool\u003e,\n}\n\nimpl Sealed for Jws {}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","header","types.rs"],"content":"mod jwe;\nmod jws;\n\nuse alloc::{\n    collections::BTreeMap,\n    string::{String, ToString},\n};\n\nuse serde_json::Value;\n\n#[doc(inline)]\npub use self::{jwe::*, jws::*};\nuse super::{builder::Specific, Error, HeaderDeserializer, HeaderValue};\nuse crate::sealed::Sealed;\n\n/// Trait used to specify where a [`JoseHeader`](super::JoseHeader) is being\n/// used. Implemented by [`Jws`] and [`Jwe`].\n///\n/// This trait is an implementation detailed and sealed. It is not relevant for\n/// developers using this crate.\npub trait Type: Sealed {\n    /// A list of parameters that are not allowed in the `crit` header.\n    ///\n    /// This list might grow or shrink. This is not considered a breaking\n    /// change.\n    fn forbidden_critical_headers() -\u003e \u0026'static [\u0026'static str];\n    /// Build the implementing type while preseving the [`HeaderDeserializer`]\n    ///\n    /// # Errors\n    ///\n    /// Should return an [`Error`] if deserialization fails or an invalid value\n    /// is detected.\n    fn from_deserializer(\n        de: HeaderDeserializer,\n    ) -\u003e Result\u003c(Self, HeaderDeserializer), (Error, HeaderDeserializer)\u003e\n    where\n        Self: Sized;\n\n    /// Implementation detail of\n    /// [`JoseHeaderBuilder`](super::JoseHeaderBuilder).\n    fn specific_default() -\u003e Specific;\n\n    /// Implementation detail of\n    /// [`JoseHeaderBuilder`](super::JoseHeaderBuilder).\n    fn into_specific(self) -\u003e Specific;\n\n    /// Convert fields into a Map that can be used for serialization\n    ///\n    /// # Errors\n    ///\n    /// May return an error if the conversion to [`Value`] fails.\n    fn into_map(self) -\u003e Result\u003cBTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e, Error\u003e;\n}\n\nimpl Type for Jws {\n    #[inline]\n    fn forbidden_critical_headers() -\u003e \u0026'static [\u0026'static str] {\n        // \u003chttps://www.rfc-editor.org/rfc/rfc7515.html#section-9.1.2\u003e\n        // FIXME: add parameters from JWA\n        \u0026[\n            \"alg\", \"jku\", \"jwk\", \"kid\", \"x5u\", \"x5c\", \"x5t\", \"x5t#S256\", \"typ\", \"cty\", \"crit\",\n        ]\n    }\n\n    fn from_deserializer(\n        mut de: HeaderDeserializer,\n    ) -\u003e Result\u003c(Self, HeaderDeserializer), (Error, HeaderDeserializer)\u003e\n    where\n        Self: Sized,\n    {\n        // \"try\" blocks hack\n        let mut t = || {\n            Ok(Self {\n                algorithm: de\n                    .deserialize_field(\"alg\")\n                    .transpose()?\n                    .ok_or(Error::MissingHeader(\"alg\".to_string()))?,\n                payload_base64_url_encoded: de\n                    .deserialize_field(\"b64\")\n                    .transpose()?\n                    // `b64` must be protected\n                    .map(|v| v.protected().ok_or(Error::ExpectedProtected))\n                    .transpose()?,\n            })\n        };\n        let s: Result\u003cJws, Error\u003e = t();\n        match s {\n            Ok(v) =\u003e Ok((v, de)),\n            Err(e) =\u003e Err((e, de)),\n        }\n    }\n\n    fn specific_default() -\u003e Specific {\n        Specific::Jws {\n            algorithm: None,\n            payload_base64_url_encoded: None,\n        }\n    }\n\n    fn into_specific(self) -\u003e Specific {\n        Specific::Jws {\n            algorithm: Some(self.algorithm),\n            payload_base64_url_encoded: self.payload_base64_url_encoded,\n        }\n    }\n\n    fn into_map(self) -\u003e Result\u003cBTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e, Error\u003e {\n        let mut map = BTreeMap::new();\n        map.insert(\n            \"alg\".to_string(),\n            self.algorithm.map(serde_json::to_value).transpose()?,\n        );\n\n        // if explictly set to true, set it even tho true is the default\n        if let Some(b64) = self.payload_base64_url_encoded {\n            map.insert(\n                \"b64\".to_string(),\n                HeaderValue::Protected(serde_json::to_value(b64)?),\n            );\n        }\n\n        Ok(map)\n    }\n}\n\nimpl Type for Jwe {\n    #[inline]\n    fn forbidden_critical_headers() -\u003e \u0026'static [\u0026'static str] {\n        // \u003chttps://www.rfc-editor.org/rfc/rfc7516.html#section-10.1.1\u003e\n        // FIXME: add parameters from JWA\n        \u0026[\n            \"alg\", \"enc\", \"zip\", \"jku\", \"jwk\", \"kid\", \"x5u\", \"x5c\", \"x5t\", \"x5t#S256\", \"typ\",\n            \"cty\", \"crit\",\n        ]\n    }\n\n    fn from_deserializer(\n        mut de: HeaderDeserializer,\n    ) -\u003e Result\u003c(Self, HeaderDeserializer), (Error, HeaderDeserializer)\u003e\n    where\n        Self: Sized,\n    {\n        // \"try\" blocks hack\n        let mut t = || {\n            Ok(Self {\n                algorithm: de\n                    .deserialize_field(\"alg\")\n                    .transpose()?\n                    .ok_or(Error::MissingHeader(\"alg\".to_string()))?,\n                content_encryption_algorithm: de\n                    .deserialize_field(\"enc\")\n                    .transpose()?\n                    .ok_or(Error::MissingHeader(\"enc\".to_string()))?,\n            })\n        };\n        let s: Result\u003cJwe, Error\u003e = t();\n        match s {\n            Ok(v) =\u003e Ok((v, de)),\n            Err(e) =\u003e Err((e, de)),\n        }\n    }\n\n    fn specific_default() -\u003e Specific {\n        Specific::Jwe {\n            algorithm: None,\n            content_encryption_algorithm: None,\n        }\n    }\n\n    fn into_specific(self) -\u003e Specific {\n        Specific::Jwe {\n            algorithm: Some(self.algorithm),\n            content_encryption_algorithm: Some(self.content_encryption_algorithm),\n        }\n    }\n\n    fn into_map(self) -\u003e Result\u003cBTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e, Error\u003e {\n        Ok([\n            (\n                \"alg\".to_string(),\n                self.algorithm.map(serde_json::to_value).transpose()?,\n            ),\n            (\n                \"enc\".to_string(),\n                self.content_encryption_algorithm\n                    .map(serde_json::to_value)\n                    .transpose()?,\n            ),\n        ]\n        .into_iter()\n        .collect())\n    }\n}\n","traces":[{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":0}},{"line":79,"address":[],"length":0,"stats":{"Line":0}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":86,"address":[],"length":0,"stats":{"Line":0}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":1}},{"line":100,"address":[],"length":0,"stats":{"Line":0}},{"line":102,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":108,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":133,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":144,"address":[],"length":0,"stats":{"Line":0}},{"line":145,"address":[],"length":0,"stats":{"Line":0}},{"line":146,"address":[],"length":0,"stats":{"Line":0}},{"line":147,"address":[],"length":0,"stats":{"Line":0}},{"line":148,"address":[],"length":0,"stats":{"Line":0}},{"line":149,"address":[],"length":0,"stats":{"Line":0}},{"line":150,"address":[],"length":0,"stats":{"Line":0}},{"line":151,"address":[],"length":0,"stats":{"Line":0}},{"line":152,"address":[],"length":0,"stats":{"Line":0}},{"line":153,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":157,"address":[],"length":0,"stats":{"Line":0}},{"line":158,"address":[],"length":0,"stats":{"Line":0}},{"line":159,"address":[],"length":0,"stats":{"Line":0}},{"line":163,"address":[],"length":0,"stats":{"Line":0}},{"line":170,"address":[],"length":0,"stats":{"Line":0}},{"line":172,"address":[],"length":0,"stats":{"Line":0}},{"line":173,"address":[],"length":0,"stats":{"Line":0}},{"line":177,"address":[],"length":0,"stats":{"Line":0}},{"line":178,"address":[],"length":0,"stats":{"Line":0}},{"line":180,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":0}},{"line":184,"address":[],"length":0,"stats":{"Line":0}},{"line":185,"address":[],"length":0,"stats":{"Line":0}},{"line":186,"address":[],"length":0,"stats":{"Line":0}},{"line":187,"address":[],"length":0,"stats":{"Line":0}},{"line":190,"address":[],"length":0,"stats":{"Line":0}},{"line":191,"address":[],"length":0,"stats":{"Line":0}}],"covered":1,"coverable":65},{"path":["/","home","stu","dev","rust","jose","src","header","value.rs"],"content":"use core::ops::Deref;\n\nuse crate::sealed::Sealed;\n\n/// Some value `T` in either the protected or unprotected header.\n#[derive(Debug, PartialEq, Eq, PartialOrd, Ord)]\npub enum HeaderValue\u003cT\u003e {\n    /// `T` is in the `protected` header parameter and integrity protected.\n    Protected(T),\n    /// `T` is in the unprotected `header` parameter and NOT integrity\n    /// protected.\n    Unprotected(T),\n}\n\nimpl\u003cT\u003e Sealed for HeaderValue\u003cT\u003e {}\n\nimpl\u003cT\u003e HeaderValue\u003cT\u003e {\n    /// Convert from `\u0026HeaderValue\u003cT\u003e` to `HeaderValue\u003c\u0026T\u003e`.\n    ///\n    /// Works like [`Option::as_ref`]\n    pub fn as_ref(\u0026self) -\u003e HeaderValue\u003c\u0026'_ T\u003e {\n        match self {\n            HeaderValue::Protected(v) =\u003e HeaderValue::Protected(v),\n            HeaderValue::Unprotected(v) =\u003e HeaderValue::Unprotected(v),\n        }\n    }\n\n    /// Converts from `\u0026HeaderValue\u003cT\u003e` to `HeaderValue\u003c\u0026T::Target\u003e`.\n    ///\n    /// Works like [`Option::as_deref`]\n    pub fn as_deref(\u0026self) -\u003e HeaderValue\u003c\u0026T::Target\u003e\n    where\n        T: Deref,\n    {\n        match self.as_ref() {\n            HeaderValue::Protected(t) =\u003e HeaderValue::Protected(t.deref()),\n            HeaderValue::Unprotected(t) =\u003e HeaderValue::Unprotected(t.deref()),\n        }\n    }\n\n    /// Maps an `HeaderValue\u003cT\u003e` to `HeaderValue\u003cU\u003e` by applying a function to a\n    /// contained value.\n    pub fn map\u003cU, F\u003e(self, f: F) -\u003e HeaderValue\u003cU\u003e\n    where\n        F: FnOnce(T) -\u003e U,\n    {\n        match self {\n            HeaderValue::Protected(t) =\u003e HeaderValue::Protected(f(t)),\n            HeaderValue::Unprotected(t) =\u003e HeaderValue::Unprotected(f(t)),\n        }\n    }\n\n    /// Returns [`Some`] if `T` is in the `protected` parameter.\n    pub fn protected(self) -\u003e Option\u003cT\u003e {\n        match self {\n            Self::Protected(p) =\u003e Some(p),\n            _ =\u003e None,\n        }\n    }\n\n    /// Returns [`Some`] if `T` is in the unprotected `header` parameter.\n    pub fn unprotected(self) -\u003e Option\u003cT\u003e {\n        match self {\n            Self::Unprotected(u) =\u003e Some(u),\n            _ =\u003e None,\n        }\n    }\n\n    /// Returns the inner type `T` discarding the information about where `T` is\n    /// stored.\n    pub fn into_inner(self) -\u003e T {\n        match self {\n            Self::Protected(t) =\u003e t,\n            Self::Unprotected(t) =\u003e t,\n        }\n    }\n}\n\nimpl\u003cT\u003e HeaderValue\u003cOption\u003cT\u003e\u003e {\n    /// Transpose a [`HeaderValue\u003cOption\u003cT\u003e\u003e`] into [`Option\u003cHeaderValue\u003cT\u003e\u003e`]\n    pub fn transpose(self) -\u003e Option\u003cHeaderValue\u003cT\u003e\u003e {\n        Some(match self {\n            HeaderValue::Protected(p) =\u003e HeaderValue::Protected(p?),\n            HeaderValue::Unprotected(u) =\u003e HeaderValue::Unprotected(u?),\n        })\n    }\n}\n\nimpl\u003cT, E\u003e HeaderValue\u003cResult\u003cT, E\u003e\u003e {\n    /// Transpose a [`HeaderValue\u003cResult\u003cT, E\u003e\u003e`] into\n    /// [`Result\u003cHeaderValue\u003c`T`\u003e, E\u003e`]\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the inner [`Result`] contains an error.\n    pub fn transpose(self) -\u003e Result\u003cHeaderValue\u003cT\u003e, E\u003e {\n        Ok(match self {\n            Self::Protected(p) =\u003e HeaderValue::Protected(p?),\n            Self::Unprotected(u) =\u003e HeaderValue::Unprotected(u?),\n        })\n    }\n}\n","traces":[{"line":21,"address":[],"length":0,"stats":{"Line":1}},{"line":22,"address":[],"length":0,"stats":{"Line":1}},{"line":23,"address":[],"length":0,"stats":{"Line":1}},{"line":24,"address":[],"length":0,"stats":{"Line":0}},{"line":31,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":37,"address":[],"length":0,"stats":{"Line":0}},{"line":43,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":54,"address":[],"length":0,"stats":{"Line":0}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":62,"address":[],"length":0,"stats":{"Line":0}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":81,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}}],"covered":3,"coverable":32},{"path":["/","home","stu","dev","rust","jose","src","header.rs"],"content":"//! [`JoseHeader`] and associated abstractions as defined in [section 4 of RFC\n//! 7515].\n//!\n//! [section 4 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4\u003e\nuse alloc::{\n    collections::{BTreeMap, BTreeSet},\n    string::{String, ToString},\n};\nuse core::{marker::PhantomData, ops::Deref};\n\nuse mediatype::MediaType;\nuse serde::Deserialize;\nuse serde_json::{Map, Value};\n\nmod builder;\nmod error;\nmod parameters;\nmod types;\nmod value;\n\nuse self::parameters::Parameters;\n#[doc(inline)]\npub use self::{\n    builder::{JoseHeaderBuilder, JoseHeaderBuilderError},\n    error::Error,\n    types::*,\n    value::*,\n};\nuse crate::{\n    format::Format,\n    jwa::{JsonWebContentEncryptionAlgorithm, JsonWebEncryptionAlgorithm, JsonWebSigningAlgorithm},\n    uri::BorrowedUri,\n    JsonWebKey, UntypedAdditionalProperties,\n};\n\n/// A [`JoseHeader`] is primarily used to specify how a JSON Web Signature or\n/// JSON Web Encryption should be processed.\n///\n/// Besides the [`algorithm`](JoseHeader::algorithm) used for the cryptographic\n/// primitives, it can also store additional metadata that should not be part of\n/// the payload.\n/// For example, the [`typ`](JoseHeader::typ) parameter may be used to specify a\n/// content type for the payload.\n///\n/// # Structure\n///\n/// A [`JoseHeader`] may be a bit different, depending where it is being used.\n/// Therefore, [`JoseHeader\u003cF, T\u003e`] has two generic types that define where and\n/// how exactly it is being used. `F` defines the [`Format`] that this\n/// [`JoseHeader`] is being used in. `T` defines whether the [`JoseHeader`] is\n/// part of a [JSON Web Signature][Jws] or [JSON Web Encryption][Jwe].\n///\n/// A [`JoseHeader`] can store parameters in two ways:\n///\n/// * [protected](HeaderValue::Protected): Parameters stored in the protected\n///   part of a [`JoseHeader`] **cannot** be modified without knowledge of the\n///   cryptographic key that was used to protect the payload.\n///\n/// * [unprotected](HeaderValue::Unprotected): Parameters stored in the\n///   unprotected part of a [`JoseHeader`] **can** be modified by anybody and\n///   *changes cannot be detected*. You therefore *MUST NOT* trust them.\n///\n/// Since most parameters are allowed in both of the two header parts, each\n/// parameter is wrapped in a [`HeaderValue\u003cT\u003e`] that specifies the part in\n/// which the paramter is stored.\n///\n/// # Parameter classes\n///\n/// [Section 4 of RFC 7515] defines three classes of header parameters:\n///\n/// * [Registered header parameters]: these parameters are registerd in the\n///   [IANA `JSON Web Signature and Encryption Header Parameters` registry].\n///   Most of them are implemented by this library and can be directly accessed\n///   via the methods on [`JoseHeader`]. If you find a registered parameter you\n///   need missing, you are welcome to open an issue or even better a pull\n///   request to support it.\n///\n/// * [Public header parameters]: these parameters are not registered but use a\n///   \"Collision-Resistant Name\" (e.g. they are prefixed by a domain you\n///   control) as defined in [section 2 of RFC 7515]. You may access them using\n///   [`JoseHeader::additional`].\n///\n/// * [Private header parameters]: these parameters are not registered either\n///   but do not use a \"Collisin-Resistant Name\" and are therefore subject to\n///   collision. You can also use them via [`JoseHeader::additional`] but their\n///   use is not recommended and if new paramters are registered that collide\n///   with a private parameter, your implementation may break.\n///\n/// # Examples\n///\n///\n/// ```\n/// use jose::{\n///     format::Compact,\n///     header::{HeaderValue, JoseHeader, Jws},\n///     jwa::Hmac,\n/// };\n///\n/// // we are going to build a `JoseHeader` for a `Compact` `Jws`\n/// let header = JoseHeader::\u003cCompact, Jws\u003e::builder()\n///     // we set the `alg` header parameter as an unprotected parameter\n///     .algorithm(HeaderValue::Unprotected(Hmac::Hs256.into()))\n///     // we set the `kid` header parameter as an protected parameter\n///     .key_identifier(Some(HeaderValue::Protected(\"key-1\".to_string())))\n///     .build()\n///     .unwrap();\n///\n/// assert_eq!(\n///     header.algorithm(),\n///     HeaderValue::Unprotected(\u0026Hmac::Hs256.into())\n/// );\n/// assert_eq!(\n///     header.key_identifier(),\n///     Some(HeaderValue::Protected(\"key-1\"))\n/// );\n/// ```\n///\n/// [section 2 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-2\u003e\n/// [Section 4 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4\u003e\n/// [IANA `JSON Web Signature and Encryption Header Parameters` registry]: \u003chttps://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-header-parameters\u003e\n/// [Registered header parameters]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1\u003e\n/// [Public header parameters]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.2\u003e\n/// [Private header parameters]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.3\u003e\n#[derive(Debug)]\npub struct JoseHeader\u003cF, T\u003e {\n    parameters: Parameters\u003cT\u003e,\n    // marker for the format (compact, json general, json flattened)\n    _format: PhantomData\u003cF\u003e,\n}\n\nimpl\u003cF\u003e JoseHeader\u003cF, Jws\u003e\nwhere\n    F: Format,\n{\n    /// Method to override the alg and kid fields.\n    /// Only intended for internal usage.\n    pub(crate) fn overwrite_alg_and_key_id(\n        \u0026mut self,\n        alg: JsonWebSigningAlgorithm,\n        kid: Option\u003c\u0026str\u003e,\n    ) {\n        let is_protected = matches!(self.algorithm(), HeaderValue::Protected(_));\n\n        let alg = if is_protected {\n            HeaderValue::Protected(alg)\n        } else {\n            HeaderValue::Unprotected(alg)\n        };\n\n        let kid = kid.map(|s| {\n            let kid = s.to_string();\n            if is_protected {\n                HeaderValue::Protected(kid)\n            } else {\n                HeaderValue::Unprotected(kid)\n            }\n        });\n\n        self.parameters.key_id = kid;\n        self.parameters.specific.algorithm = alg;\n    }\n}\n\nimpl\u003cF, T\u003e JoseHeader\u003cF, T\u003e\nwhere\n    F: Format,\n    T: Type,\n{\n    /// Build a new [`JoseHeader`].\n    pub fn builder() -\u003e JoseHeaderBuilder\u003cF, T\u003e {\n        JoseHeaderBuilder::default()\n    }\n\n    /// Modify this [`JoseHeader`] by turning it back into a\n    /// [`JoseHeaderBuilder`].\n    pub fn into_builder(self) -\u003e JoseHeaderBuilder\u003cF, T\u003e {\n        JoseHeaderBuilder::from_header(self)\n    }\n\n    /// Returns a url containing a link to a JSON Web Key Set as defined in\n    /// [section 5 of RFC 7517].\n    ///\n    /// This parameter is serialized as `jku` and defined in [section 4.1.2 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.2 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.2\u003e\n    /// [section 5 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-5\u003e\n    // FIXME: use url type instead\n    pub fn jwk_set_url(\u0026self) -\u003e Option\u003cHeaderValue\u003cBorrowedUri\u003c'_\u003e\u003e\u003e {\n        self.parameters\n            .jwk_set_url\n            .as_ref()\n            .map(|x| x.as_ref().map(|x| x.borrow()))\n    }\n\n    /// Depending where this [`JoseHeader`] is being used, in JWE it contains\n    /// the recipient's public key and in JWS it contains the signer's public\n    /// key.\n    ///\n    /// This parameter is serialized as `jwk` and defined in [section 4.1.3 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.3 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.3\u003e\n    pub fn json_web_key(\u0026self) -\u003e Option\u003cHeaderValue\u003c\u0026JsonWebKey\u003cUntypedAdditionalProperties\u003e\u003e\u003e {\n        self.parameters\n            .json_web_key\n            .as_ref()\n            .map(HeaderValue::as_ref)\n    }\n\n    /// The identifier of the key used in this JWE or JWS used to give a hint to\n    /// recipient.\n    ///\n    /// It is a case-sensitive string. When used together with a [`JsonWebKey`]\n    /// via the [`jwk`](Self::json_web_key) parameter, it is used to match the\n    /// [Key ID](JsonWebKey::key_id) of the [`JsonWebKey`].\n    ///\n    /// This parameter is serialized as `jwk` and defined in [section 4.1.4 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.4 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4\u003e\n    pub fn key_identifier(\u0026self) -\u003e Option\u003cHeaderValue\u003c\u0026str\u003e\u003e {\n        self.parameters.key_id.as_ref().map(HeaderValue::as_deref)\n    }\n\n    /// The X.509 URL parameter is an URI (as defined in [RFC 3986]) that refers\n    /// to a resource for the X.509 public key certificate or certificate chain\n    /// (as defined in [RFC 5280]) of the public key used in this JWE or JWS.\n    ///\n    /// This parameter is serialized as `x5u` and defined in [section 4.1.5 of\n    /// RFC 7515].\n    ///\n    /// [RFC 3986]: \u003chttps://datatracker.ietf.org/doc/html/rfc3986\u003e\n    /// [RFC 5280]: \u003chttps://datatracker.ietf.org/doc/html/rfc5280\u003e\n    /// [section 4.1.5 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.5\u003e\n    pub fn x509_url(\u0026self) -\u003e Option\u003cHeaderValue\u003cBorrowedUri\u003c'_\u003e\u003e\u003e {\n        self.parameters\n            .x509_url\n            .as_ref()\n            .map(|x| x.as_ref().map(|x| x.borrow()))\n    }\n\n    /// An [`Iterator`] over a X.509 certificate chain that certify the public\n    /// key used in this JWE or JWS.\n    ///\n    /// The first certificate in the [`Iterator`] returned by this method is the\n    /// PKIX certificate containing the key value as required by the RFC.\n    ///\n    /// Each [`Item`](Iterator::Item) will be the byte representation of a\n    /// DER-encoded X.509 certificate. This parameter works the same as\n    /// [`JsonWebKey::x509_certificate_chain`].\n    ///\n    /// This parameter is serialized as `x5u` and defined in [section 4.1.6 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.6 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.6\u003e\n    pub fn x509_certificate_chain(\u0026self) -\u003e Option\u003cHeaderValue\u003cimpl Iterator\u003cItem = \u0026[u8]\u003e\u003e\u003e {\n        self.parameters\n            .x509_certificate_chain\n            .as_ref()\n            .map(HeaderValue::as_deref)\n            .map(|value| value.map(|certs| certs.iter().map(Deref::deref)))\n    }\n\n    /// This parameter is the SHA-1 hash of the DER-encoded X.509 certificate\n    /// (X.509 Certificate SHA-1 Thumbprint).\n    ///\n    /// # Warning: Cryptographically broken!\n    ///\n    /// TL;DR: check if you can use the [SHA-256\n    /// thumbprint](Self::x509_certificate_sha256_thumbprint) instead.\n    ///\n    /// The following text is taken from the `sha1` crate: \\\n    /// The SHA-1 hash function should be considered cryptographically broken\n    /// and unsuitable for further use in any security critical capacity, as it\n    /// is [practically vulnerable to chosen-prefix collisions](https://sha-mbles.github.io/).\n    ///\n    /// This parameter is serialized as `x5t` and defined in [section 4.1.7 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.7 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.7\u003e\n    // replace the hardcoded output size with the Sha1::OutputsizeUser value then\n    // they use const generics\n    pub fn x509_certificate_sha1_thumbprint(\u0026self) -\u003e Option\u003cHeaderValue\u003c\u0026[u8; 20]\u003e\u003e {\n        self.parameters\n            .x509_certificate_sha1_thumbprint\n            .as_ref()\n            .map(HeaderValue::as_ref)\n    }\n\n    /// This parameter is the SHA-256 hash of the DER-encoded X.509 certificate\n    /// (X.509 Certificate SHA-256 Thumbprint).\n    ///\n    /// This parameter is serialized as `x5t#S256` and defined in [section 4.1.8\n    /// of RFC 7515].\n    ///\n    /// [section 4.1.8 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.8\u003e\n    pub fn x509_certificate_sha256_thumbprint(\u0026self) -\u003e Option\u003cHeaderValue\u003c\u0026[u8; 32]\u003e\u003e {\n        self.parameters\n            .x509_certificate_sha256_thumbprint\n            .as_ref()\n            .map(HeaderValue::as_ref)\n    }\n\n    /// The Type parameter is used to declare the [media type] of this\n    /// complete JWE or JWS.\n    ///\n    /// This parameter is serialized as `typ` and defined in [section 4.1.9 of\n    /// RFC 7515].\n    ///\n    /// # Note\n    ///\n    /// Media types that start with [`application`]`/` (top-level type) and\n    /// do not contain any other `/` are shortend to just the subtype according\n    /// to [section 4.1.9 of RFC 7515]. Therefore, for example,\n    /// `application/jwt` would become just `jwt`. However, since the RFC\n    /// recommends that the mediatype `jwt` and `jose` should be uppercase for\n    /// interop with legacy implementations, it would actually become `JWT`.\n    ///\n    ///\n    /// # Example\n    ///\n    /// When a [`JoseHeader`] is being used with a JSON Web Token and this\n    /// parameter is set, it is recommended that this type will be\n    /// [`application`]`/`[`jwt`] as defined in [section 5.1 of RFC 7519].\n    /// In the serialized form, `typ` will be `JWT`.\n    ///\n    /// [media type]: \u003chttps://www.iana.org/assignments/media-types\u003e\n    /// [section 4.1.9 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.9\u003e\n    /// [`application`]: \u003cmediatype::names::APPLICATION\u003e\n    /// [`jwt`]: \u003cmediatype::names::JWT\u003e\n    /// [section 5.1 of RFC 7519]: \u003chttps://datatracker.ietf.org/doc/html/rfc7519#section-5.1\u003e\n    pub fn typ(\u0026self) -\u003e Option\u003cHeaderValue\u003cMediaType\u003c'_\u003e\u003e\u003e {\n        self.parameters\n            .typ\n            .as_ref()\n            .map(|value| value.as_ref().map(|v| v.0.to_ref()))\n    }\n\n    /// The Content Type parameter is used to declare the [media type] of the\n    /// payload of a JWE or JWS.\n    ///\n    /// This parameter is serialized as `cty` and defined in [section 4.1.10 of\n    /// RFC 7515].\n    ///\n    /// # Example\n    ///\n    /// When a [`JoseHeader`] is being used with a JSON Web Token and nested\n    /// encryption or signing is employed, this parameter must be present and be\n    /// set to [`application`]`/`[`jwt`] as defined by [section 5.2 of RFC\n    /// 7519].\n    ///\n    /// [media type]: \u003chttps://www.iana.org/assignments/media-types\u003e\n    /// [section 4.1.10 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.10\u003e\n    /// [`application`]: \u003cmediatype::names::APPLICATION\u003e\n    /// [`jwt`]: \u003cmediatype::names::JWT\u003e\n    /// [section 5.2 of RFC 7519]: \u003chttps://datatracker.ietf.org/doc/html/rfc7519#section-5.2\u003e\n    pub fn content_type(\u0026self) -\u003e Option\u003cHeaderValue\u003cMediaType\u003c'_\u003e\u003e\u003e {\n        self.parameters\n            .content_type\n            .as_ref()\n            .map(|value| value.as_ref().map(|v| v.0.to_ref()))\n    }\n\n    /// Get additional parameters by their serialized parameter name.\n    ///\n    /// Note: Parameters that are understood by this implementation (receivable\n    /// via the method on [`JoseHeader`]) will return [`None`]. Use the\n    /// appropriate method instead.\n    pub fn additional(\u0026self, parameter_name: impl AsRef\u003cstr\u003e) -\u003e Option\u003cHeaderValue\u003c\u0026Value\u003e\u003e {\n        self.parameters\n            .additional\n            .get(parameter_name.as_ref())\n            .map(|v| v.as_ref())\n    }\n\n    /// The Critical Header parameter is used to declare headers that must be\n    /// understood by an implementation.\n    ///\n    /// It is an [`Iterator`] over the parameter names of critical headers in\n    /// this [`JoseHeader`]. If there are no headers marked as critical, this\n    /// [`Iterator`] will be empty.\n    ///\n    /// This parameter is serialized as `crit` and defined in [section 4.1.11 of\n    /// RFC 7515].\n    ///\n    /// Note: Header names listed in this parameter have to be present and the\n    /// [`JoseHeader`] is considered invalid otherwise.\n    ///\n    /// Note: This header parameter is always integrity protected.\n    ///\n    /// [section 4.1.11 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.11\u003e\n    pub fn critical_headers(\u0026self) -\u003e impl Iterator\u003cItem = \u0026'_ str\u003e {\n        self.parameters\n            .critical_headers\n            .iter()\n            .flatten()\n            .map(Deref::deref)\n    }\n}\n\nimpl\u003cF\u003e JoseHeader\u003cF, Jws\u003e\nwhere\n    F: Format,\n{\n    /// The [signing algorithm](JsonWebSigningAlgorithm) used to create the\n    /// signature for the JWS this [`JoseHeader`] is contained in.\n    ///\n    /// This parameter is serialized as `alg` and defined in [section 4.1.1 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.1 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.1\u003e\n    pub fn algorithm(\u0026self) -\u003e HeaderValue\u003c\u0026JsonWebSigningAlgorithm\u003e {\n        self.parameters.specific.algorithm.as_ref()\n    }\n\n    /// Whether the payload is being base64url encoded or not.\n    ///\n    /// This parameter is serialized as `b64` and defined in [section 3 of RFC\n    /// 7797].\n    ///\n    /// Note: This header parameter is always integrity protected.\n    ///\n    /// Note: This header parameter is OPTIONAL and has a default value of\n    /// `true`.\n    ///\n    /// [section 3 of RFC 7797]: \u003chttps://datatracker.ietf.org/doc/html/rfc7797#section-3\u003e\n    pub fn payload_base64_url_encoded(\u0026self) -\u003e bool {\n        self.parameters\n            .specific\n            .payload_base64_url_encoded\n            .unwrap_or(true)\n    }\n}\n\nimpl\u003cF\u003e JoseHeader\u003cF, Jwe\u003e\nwhere\n    F: Format,\n{\n    /// The [encryption algorithm][JsonWebEncryptionAlgorithm] used to\n    /// encryption the content encryption key (CEK).\n    ///\n    /// This parameter is serialized as `alg` and defined in [section 4.1.1 of\n    /// RFC 7516].\n    ///\n    /// [section 4.1.1 of RFC 7516]: \u003chttps://datatracker.ietf.org/doc/html/rfc7516/#section-4.1.1\u003e\n    pub fn algorithm(\u0026self) -\u003e HeaderValue\u003c\u0026JsonWebEncryptionAlgorithm\u003e {\n        self.parameters.specific.algorithm.as_ref()\n    }\n\n    /// The [encryption algorithm](JsonWebContentEncryptionAlgorithm) used to\n    /// encryption the payload of a JWE.\n    ///\n    /// This parameter is serialized as `enc` and defined in [section 4.1.2 of\n    /// RFC 7516].\n    ///\n    /// [section 4.1.2 of RFC 7516]: \u003chttps://datatracker.ietf.org/doc/html/rfc7516/#section-4.1.2\u003e\n    pub fn content_encryption_algorithm(\u0026self) -\u003e HeaderValue\u003c\u0026JsonWebContentEncryptionAlgorithm\u003e {\n        self.parameters\n            .specific\n            .content_encryption_algorithm\n            .as_ref()\n    }\n}\n\nimpl\u003cF, T\u003e JoseHeader\u003cF, T\u003e\nwhere\n    F: Format,\n    T: Type,\n{\n    /// Build a JoseHeader from its `header` and `protected` part.\n    ///\n    /// Note: The `protected` part must already be base64 decoded.\n    pub(crate) fn from_values(\n        protected: Option\u003cMap\u003cString, Value\u003e\u003e,\n        unprotected: Option\u003cMap\u003cString, Value\u003e\u003e,\n    ) -\u003e Result\u003cSelf, Error\u003e {\n        let de = HeaderDeserializer::from_values(protected, unprotected)?;\n        let (specific, mut de) = T::from_deserializer(de).map_err(|(e, _)| e)?;\n        Ok(Self {\n            parameters: Parameters {\n                critical_headers: de\n                    .deserialize_field(\"crit\")\n                    .transpose()?\n                    .map(|v| v.protected().ok_or(Error::ExpectedProtected))\n                    .transpose()?\n                    .map(|v: BTreeSet\u003c_\u003e| {\n                        // RFC 7515\n                        // `crit` must not be an empty list,\n                        // must not contain header names specified by the specification\n                        // FIXME: consider forbidden headers that are `Format` specific.\n                        if v.is_empty() {\n                            return Err(Error::EmptyCriticalHeaders);\n                        }\n                        for forbidden in T::forbidden_critical_headers() {\n                            if v.contains(*forbidden) {\n                                return Err(Error::ForbiddenHeader(forbidden.to_string()));\n                            }\n                        }\n                        Ok(v)\n                    })\n                    .transpose()?,\n                jwk_set_url: de.deserialize_field(\"jku\").transpose()?,\n                json_web_key: de.deserialize_field(\"jwk\").transpose()?,\n                key_id: de.deserialize_field(\"kid\").transpose()?,\n                x509_url: de.deserialize_field(\"x5u\").transpose()?,\n                x509_certificate_chain: de.deserialize_field(\"x5c\").transpose()?,\n                x509_certificate_sha1_thumbprint: de.deserialize_field(\"x5t\").transpose()?,\n                x509_certificate_sha256_thumbprint: de.deserialize_field(\"x5t#S256\").transpose()?,\n                typ: de.deserialize_field(\"typ\").transpose()?,\n                content_type: de.deserialize_field(\"cty\").transpose()?,\n                specific,\n                additional: de.additional(),\n            },\n            _format: PhantomData,\n        })\n    }\n\n    /// Returns `Result\u003c(Option\u003cProtected\u003e, Option\u003cUnprotected\u003e), Error\u003e`\n    #[allow(clippy::type_complexity)]\n    pub(crate) fn into_values(\n        self,\n    ) -\u003e Result\u003c(Option\u003cMap\u003cString, Value\u003e\u003e, Option\u003cMap\u003cString, Value\u003e\u003e), Error\u003e {\n        let parameters = self.parameters;\n\n        // use the existing Map with additional parameters. Parameters that collide with\n        // names understood by this library are replaced.\n        let mut collected_parameters = parameters.additional;\n\n        // insert crit header only if it is some and non empty as per RFC\n        if let Some(crit) = parameters.critical_headers {\n            if !crit.is_empty() {\n                collected_parameters.insert(\n                    \"crit\".to_string(),\n                    HeaderValue::Protected(serde_json::to_value(crit)?),\n                );\n            }\n        } else {\n            collected_parameters.remove(\"crit\");\n        }\n\n        // FIXME: optimize this code in a way that there are not this many inserts\n        macro_rules! insert {\n            ($($name:literal: $value:expr),+,) =\u003e {\n                $(if let Some(value) = $value {\n                    collected_parameters.insert(\n                        $name.to_string(),\n                        value.map(serde_json::to_value).transpose()?,\n                    );\n                } else {\n                    collected_parameters.remove($name);\n                })+\n            };\n        }\n        insert! {\n            \"jku\": parameters.jwk_set_url,\n            \"jwk\": parameters.json_web_key,\n            \"kid\": parameters.key_id,\n            \"x5u\": parameters.x509_url,\n            \"x5c\": parameters.x509_certificate_chain,\n            \"x5t\": parameters.x509_certificate_sha1_thumbprint,\n            \"x5t#S256\": parameters.x509_certificate_sha256_thumbprint,\n            \"typ\": parameters.typ,\n            \"cty\": parameters.content_type,\n        }\n\n        let mut protected = Map::new();\n        let mut unprotected = Map::new();\n        for (key, value) in collected_parameters\n            .into_iter()\n            .chain(parameters.specific.into_map()?)\n        {\n            match value {\n                HeaderValue::Protected(value) =\u003e protected.insert(key, value),\n                HeaderValue::Unprotected(value) =\u003e unprotected.insert(key, value),\n            };\n        }\n\n        let protected = match protected.is_empty() {\n            true =\u003e None,\n            false =\u003e Some(protected),\n        };\n\n        let unprotected = match unprotected.is_empty() {\n            true =\u003e None,\n            false =\u003e Some(unprotected),\n        };\n\n        Ok((protected, unprotected))\n    }\n}\n\n/// An implementation detail for [`JoseHeader`]\n#[derive(Debug)]\npub struct HeaderDeserializer {\n    protected: Map\u003cString, Value\u003e,\n    unprotected: Map\u003cString, Value\u003e,\n}\n\nimpl HeaderDeserializer {\n    /// Prepare the deserialize for deserialization and run a few checks\n    fn from_values(\n        protected: Option\u003cMap\u003cString, Value\u003e\u003e,\n        unprotected: Option\u003cMap\u003cString, Value\u003e\u003e,\n    ) -\u003e Result\u003cSelf, Error\u003e {\n        // ensure that if the header is present, it actually contains some members as\n        // per section 7.2.1 of RFC 7515\n        if let Some(ref p) = protected {\n            if p.is_empty() {\n                return Err(Error::EmptyHeader);\n            }\n        }\n        if let Some(ref u) = unprotected {\n            if u.is_empty() {\n                return Err(Error::EmptyHeader);\n            }\n        }\n\n        let (protected, unprotected) = match (protected, unprotected) {\n            (Some(protected), Some(unprotected)) =\u003e (protected, unprotected),\n            (Some(protected), None) =\u003e (protected, Map::new()),\n            (None, Some(unprotected)) =\u003e (Map::new(), unprotected),\n            (None, None) =\u003e return Err(Error::NoHeader),\n        };\n\n        let protected_keys: BTreeSet\u003c\u0026str\u003e = protected.keys().map(Deref::deref).collect();\n        let unprotected_keys: BTreeSet\u003c\u0026str\u003e = unprotected.keys().map(Deref::deref).collect();\n\n        // the members of `protected` and `header` must be disjoint, because otherwise\n        // an implementation must decide which header type takes priority\n        if !protected_keys.is_disjoint(\u0026unprotected_keys) {\n            return Err(Error::NotDisjoint);\n        }\n\n        Ok(Self {\n            protected,\n            unprotected,\n        })\n    }\n\n    fn deserialize_field\u003c'a, 'de, V\u003e(\n        \u0026'a mut self,\n        field: \u0026'a str,\n    ) -\u003e Option\u003cResult\u003cHeaderValue\u003cV\u003e, serde_json::Error\u003e\u003e\n    where\n        V: Deserialize\u003c'de\u003e,\n        'a: 'de,\n    {\n        // Security\n        //\n        // This method first looks at the `protected` header and if the requested field\n        // isn't in there, it looks in the `header` parameter (which is not integrity\n        // protected). A `HeaderDeserializer` should always ensure that the inner JSON\n        // Objects don't share the same parameters but even if they do, an attacker\n        // cannot overwrite protected headers via the unprotected header, because the\n        // protected header is searched first.\n\n        if let Some(p) = self.protected.remove(field) {\n            debug_assert_eq!(self.unprotected.remove(field), None);\n            return Some(V::deserialize(p).map(|v| HeaderValue::Protected(v)));\n        }\n\n        if let Some(u) = self.unprotected.remove(field) {\n            debug_assert_eq!(self.protected.remove(field), None);\n            return Some(V::deserialize(u).map(|v| HeaderValue::Unprotected(v)));\n        }\n\n        None\n    }\n\n    fn additional(self) -\u003e BTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e {\n        self.protected\n            .into_iter()\n            .map(|(field, value)| (field, HeaderValue::Protected(value)))\n            .chain(\n                self.unprotected\n                    .into_iter()\n                    .map(|(field, value)| (field, HeaderValue::Unprotected(value))),\n            )\n            .collect()\n    }\n}\n","traces":[{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":142,"address":[],"length":0,"stats":{"Line":0}},{"line":144,"address":[],"length":0,"stats":{"Line":0}},{"line":145,"address":[],"length":0,"stats":{"Line":0}},{"line":147,"address":[],"length":0,"stats":{"Line":0}},{"line":150,"address":[],"length":0,"stats":{"Line":0}},{"line":151,"address":[],"length":0,"stats":{"Line":0}},{"line":152,"address":[],"length":0,"stats":{"Line":0}},{"line":153,"address":[],"length":0,"stats":{"Line":0}},{"line":155,"address":[],"length":0,"stats":{"Line":0}},{"line":159,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":0}},{"line":170,"address":[],"length":0,"stats":{"Line":1}},{"line":171,"address":[],"length":0,"stats":{"Line":1}},{"line":176,"address":[],"length":0,"stats":{"Line":0}},{"line":177,"address":[],"length":0,"stats":{"Line":0}},{"line":189,"address":[],"length":0,"stats":{"Line":0}},{"line":190,"address":[],"length":0,"stats":{"Line":0}},{"line":191,"address":[],"length":0,"stats":{"Line":0}},{"line":193,"address":[],"length":0,"stats":{"Line":0}},{"line":204,"address":[],"length":0,"stats":{"Line":0}},{"line":205,"address":[],"length":0,"stats":{"Line":0}},{"line":206,"address":[],"length":0,"stats":{"Line":0}},{"line":208,"address":[],"length":0,"stats":{"Line":0}},{"line":222,"address":[],"length":0,"stats":{"Line":0}},{"line":223,"address":[],"length":0,"stats":{"Line":0}},{"line":236,"address":[],"length":0,"stats":{"Line":0}},{"line":237,"address":[],"length":0,"stats":{"Line":0}},{"line":238,"address":[],"length":0,"stats":{"Line":0}},{"line":240,"address":[],"length":0,"stats":{"Line":0}},{"line":257,"address":[],"length":0,"stats":{"Line":0}},{"line":258,"address":[],"length":0,"stats":{"Line":0}},{"line":259,"address":[],"length":0,"stats":{"Line":0}},{"line":261,"address":[],"length":0,"stats":{"Line":0}},{"line":262,"address":[],"length":0,"stats":{"Line":0}},{"line":284,"address":[],"length":0,"stats":{"Line":0}},{"line":285,"address":[],"length":0,"stats":{"Line":0}},{"line":286,"address":[],"length":0,"stats":{"Line":0}},{"line":288,"address":[],"length":0,"stats":{"Line":0}},{"line":298,"address":[],"length":0,"stats":{"Line":0}},{"line":299,"address":[],"length":0,"stats":{"Line":0}},{"line":300,"address":[],"length":0,"stats":{"Line":0}},{"line":302,"address":[],"length":0,"stats":{"Line":0}},{"line":333,"address":[],"length":0,"stats":{"Line":0}},{"line":334,"address":[],"length":0,"stats":{"Line":0}},{"line":335,"address":[],"length":0,"stats":{"Line":0}},{"line":337,"address":[],"length":0,"stats":{"Line":0}},{"line":358,"address":[],"length":0,"stats":{"Line":0}},{"line":359,"address":[],"length":0,"stats":{"Line":0}},{"line":360,"address":[],"length":0,"stats":{"Line":0}},{"line":362,"address":[],"length":0,"stats":{"Line":0}},{"line":370,"address":[],"length":0,"stats":{"Line":0}},{"line":371,"address":[],"length":0,"stats":{"Line":0}},{"line":372,"address":[],"length":0,"stats":{"Line":0}},{"line":373,"address":[],"length":0,"stats":{"Line":0}},{"line":374,"address":[],"length":0,"stats":{"Line":0}},{"line":393,"address":[],"length":0,"stats":{"Line":0}},{"line":394,"address":[],"length":0,"stats":{"Line":0}},{"line":395,"address":[],"length":0,"stats":{"Line":0}},{"line":398,"address":[],"length":0,"stats":{"Line":0}},{"line":413,"address":[],"length":0,"stats":{"Line":1}},{"line":414,"address":[],"length":0,"stats":{"Line":1}},{"line":428,"address":[],"length":0,"stats":{"Line":0}},{"line":429,"address":[],"length":0,"stats":{"Line":0}},{"line":430,"address":[],"length":0,"stats":{"Line":0}},{"line":431,"address":[],"length":0,"stats":{"Line":0}},{"line":447,"address":[],"length":0,"stats":{"Line":0}},{"line":448,"address":[],"length":0,"stats":{"Line":0}},{"line":458,"address":[],"length":0,"stats":{"Line":0}},{"line":459,"address":[],"length":0,"stats":{"Line":0}},{"line":460,"address":[],"length":0,"stats":{"Line":0}},{"line":461,"address":[],"length":0,"stats":{"Line":0}},{"line":474,"address":[],"length":0,"stats":{"Line":0}},{"line":478,"address":[],"length":0,"stats":{"Line":0}},{"line":479,"address":[],"length":0,"stats":{"Line":0}},{"line":480,"address":[],"length":0,"stats":{"Line":0}},{"line":481,"address":[],"length":0,"stats":{"Line":0}},{"line":482,"address":[],"length":0,"stats":{"Line":0}},{"line":483,"address":[],"length":0,"stats":{"Line":0}},{"line":484,"address":[],"length":0,"stats":{"Line":0}},{"line":485,"address":[],"length":0,"stats":{"Line":0}},{"line":486,"address":[],"length":0,"stats":{"Line":0}},{"line":487,"address":[],"length":0,"stats":{"Line":0}},{"line":492,"address":[],"length":0,"stats":{"Line":0}},{"line":493,"address":[],"length":0,"stats":{"Line":0}},{"line":495,"address":[],"length":0,"stats":{"Line":0}},{"line":496,"address":[],"length":0,"stats":{"Line":0}},{"line":497,"address":[],"length":0,"stats":{"Line":0}},{"line":500,"address":[],"length":0,"stats":{"Line":0}},{"line":502,"address":[],"length":0,"stats":{"Line":0}},{"line":503,"address":[],"length":0,"stats":{"Line":0}},{"line":504,"address":[],"length":0,"stats":{"Line":0}},{"line":505,"address":[],"length":0,"stats":{"Line":0}},{"line":506,"address":[],"length":0,"stats":{"Line":0}},{"line":507,"address":[],"length":0,"stats":{"Line":0}},{"line":508,"address":[],"length":0,"stats":{"Line":0}},{"line":509,"address":[],"length":0,"stats":{"Line":0}},{"line":510,"address":[],"length":0,"stats":{"Line":0}},{"line":511,"address":[],"length":0,"stats":{"Line":0}},{"line":512,"address":[],"length":0,"stats":{"Line":0}},{"line":513,"address":[],"length":0,"stats":{"Line":0}},{"line":515,"address":[],"length":0,"stats":{"Line":0}},{"line":521,"address":[],"length":0,"stats":{"Line":0}},{"line":524,"address":[],"length":0,"stats":{"Line":0}},{"line":528,"address":[],"length":0,"stats":{"Line":0}},{"line":531,"address":[],"length":0,"stats":{"Line":0}},{"line":532,"address":[],"length":0,"stats":{"Line":0}},{"line":533,"address":[],"length":0,"stats":{"Line":0}},{"line":534,"address":[],"length":0,"stats":{"Line":0}},{"line":535,"address":[],"length":0,"stats":{"Line":0}},{"line":539,"address":[],"length":0,"stats":{"Line":0}},{"line":543,"address":[],"length":0,"stats":{"Line":0}},{"line":544,"address":[],"length":0,"stats":{"Line":0}},{"line":545,"address":[],"length":0,"stats":{"Line":0}},{"line":546,"address":[],"length":0,"stats":{"Line":0}},{"line":547,"address":[],"length":0,"stats":{"Line":0}},{"line":548,"address":[],"length":0,"stats":{"Line":0}},{"line":551,"address":[],"length":0,"stats":{"Line":0}},{"line":552,"address":[],"length":0,"stats":{"Line":0}},{"line":555,"address":[],"length":0,"stats":{"Line":0}},{"line":556,"address":[],"length":0,"stats":{"Line":0}},{"line":557,"address":[],"length":0,"stats":{"Line":0}},{"line":558,"address":[],"length":0,"stats":{"Line":0}},{"line":559,"address":[],"length":0,"stats":{"Line":0}},{"line":560,"address":[],"length":0,"stats":{"Line":0}},{"line":561,"address":[],"length":0,"stats":{"Line":0}},{"line":562,"address":[],"length":0,"stats":{"Line":0}},{"line":563,"address":[],"length":0,"stats":{"Line":0}},{"line":564,"address":[],"length":0,"stats":{"Line":0}},{"line":567,"address":[],"length":0,"stats":{"Line":0}},{"line":568,"address":[],"length":0,"stats":{"Line":0}},{"line":569,"address":[],"length":0,"stats":{"Line":0}},{"line":570,"address":[],"length":0,"stats":{"Line":0}},{"line":571,"address":[],"length":0,"stats":{"Line":0}},{"line":573,"address":[],"length":0,"stats":{"Line":0}},{"line":574,"address":[],"length":0,"stats":{"Line":0}},{"line":575,"address":[],"length":0,"stats":{"Line":0}},{"line":579,"address":[],"length":0,"stats":{"Line":0}},{"line":580,"address":[],"length":0,"stats":{"Line":0}},{"line":581,"address":[],"length":0,"stats":{"Line":0}},{"line":584,"address":[],"length":0,"stats":{"Line":0}},{"line":585,"address":[],"length":0,"stats":{"Line":0}},{"line":586,"address":[],"length":0,"stats":{"Line":0}},{"line":589,"address":[],"length":0,"stats":{"Line":0}},{"line":602,"address":[],"length":0,"stats":{"Line":0}},{"line":608,"address":[],"length":0,"stats":{"Line":0}},{"line":610,"address":[],"length":0,"stats":{"Line":0}},{"line":613,"address":[],"length":0,"stats":{"Line":0}},{"line":615,"address":[],"length":0,"stats":{"Line":0}},{"line":619,"address":[],"length":0,"stats":{"Line":0}},{"line":620,"address":[],"length":0,"stats":{"Line":0}},{"line":621,"address":[],"length":0,"stats":{"Line":0}},{"line":622,"address":[],"length":0,"stats":{"Line":0}},{"line":623,"address":[],"length":0,"stats":{"Line":0}},{"line":632,"address":[],"length":0,"stats":{"Line":0}},{"line":635,"address":[],"length":0,"stats":{"Line":0}},{"line":636,"address":[],"length":0,"stats":{"Line":0}},{"line":637,"address":[],"length":0,"stats":{"Line":0}},{"line":641,"address":[],"length":0,"stats":{"Line":0}},{"line":658,"address":[],"length":0,"stats":{"Line":0}},{"line":659,"address":[],"length":0,"stats":{"Line":0}},{"line":660,"address":[],"length":0,"stats":{"Line":0}},{"line":663,"address":[],"length":0,"stats":{"Line":0}},{"line":664,"address":[],"length":0,"stats":{"Line":0}},{"line":665,"address":[],"length":0,"stats":{"Line":0}},{"line":668,"address":[],"length":0,"stats":{"Line":0}},{"line":671,"address":[],"length":0,"stats":{"Line":0}},{"line":672,"address":[],"length":0,"stats":{"Line":0}},{"line":674,"address":[],"length":0,"stats":{"Line":0}},{"line":676,"address":[],"length":0,"stats":{"Line":0}},{"line":677,"address":[],"length":0,"stats":{"Line":0}},{"line":678,"address":[],"length":0,"stats":{"Line":0}}],"covered":4,"coverable":172},{"path":["/","home","stu","dev","rust","jose","src","jwa","aes_cbc_hs.rs"],"content":"/// Authenticated encryption algorithms built using a composition of AES in\n/// Cipher Block Chaining (CBC) mode and HMAC as defined in [section 5.2 of RFC\n/// 7518]\n///\n/// [section 5.2 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5.2\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Hash)]\npub enum AesCbcHs {\n    /// AES_128_CBC_HMAC_SHA_256 authenticated encryption as defined in [section\n    /// 5.2.3]\n    ///\n    /// [section 5.2.3]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5.2.3\u003e\n    Aes128CbcHs256,\n    /// AES_192_CBC_HMAC_SHA_384 authenticated encryption algorithm as defined\n    /// in [section 5.2.4]\n    ///\n    /// [section 5.2.4]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5.2.4\u003e\n    Aes192CbcHs384,\n\n    /// AES_256_CBC_HMAC_SHA_512 authenticated encryption algorithm as defined\n    /// in [section 5.2.5]\n    ///\n    /// [section 5.2.5]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5.2.5\u003e\n    Aes256CbcHs512,\n}\n\nimpl From\u003cAesCbcHs\u003e for super::JsonWebContentEncryptionAlgorithm {\n    fn from(x: AesCbcHs) -\u003e Self {\n        super::JsonWebContentEncryptionAlgorithm::AesCbcHs(x)\n    }\n}\n","traces":[{"line":27,"address":[],"length":0,"stats":{"Line":0}},{"line":28,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":2},{"path":["/","home","stu","dev","rust","jose","src","jwa","aes_gcm.rs"],"content":"/// Different variants of AES GCM as in the table in [section 4.7 of RFC 7518]\n///\n/// [section 4.7 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.7\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum AesGcm {\n    /// Key wrapping with AES GCM using 128-bit key\n    Aes128,\n    /// Key wrapping with AES GCM using 192-bit key\n    Aes192,\n    /// Key wrapping with AES GCM using 256-bit key\n    Aes256,\n}\n\nimpl From\u003cAesGcm\u003e for super::JsonWebEncryptionAlgorithm {\n    fn from(x: AesGcm) -\u003e Self {\n        Self::AesGcmKw(x)\n    }\n}\n\nimpl From\u003cAesGcm\u003e for super::JsonWebAlgorithm {\n    fn from(x: AesGcm) -\u003e Self {\n        Self::Encryption(super::JsonWebEncryptionAlgorithm::AesGcmKw(x))\n    }\n}\n\nimpl From\u003cAesGcm\u003e for super::JsonWebContentEncryptionAlgorithm {\n    fn from(x: AesGcm) -\u003e Self {\n        super::JsonWebContentEncryptionAlgorithm::AesGcm(x)\n    }\n}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}},{"line":27,"address":[],"length":0,"stats":{"Line":0}},{"line":28,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":6},{"path":["/","home","stu","dev","rust","jose","src","jwa","aes_kw.rs"],"content":"/// Key Wrapping with AES Key Wrap as defined in [section 4.4 of RFC 7518]\n///\n/// [section 4.4 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.4\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Copy, Hash)]\npub enum AesKw {\n    /// AES Key Wrap with default initial value using 128-bit key\n    Aes128,\n    /// AES Key Wrap with default initial value using 192-bit key\n    Aes192,\n    /// AES Key Wrap with default initial value using 256-bit key\n    Aes256,\n}\n\nimpl From\u003cAesKw\u003e for super::JsonWebEncryptionAlgorithm {\n    fn from(x: AesKw) -\u003e Self {\n        Self::AesKw(x)\n    }\n}\n\nimpl From\u003cAesKw\u003e for super::JsonWebAlgorithm {\n    fn from(x: AesKw) -\u003e Self {\n        Self::Encryption(super::JsonWebEncryptionAlgorithm::AesKw(x))\n    }\n}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","ecdh_es.rs"],"content":"use super::AesKw;\n\n/// Different modes ECDH-ES can be used as defined in [section 4.6 of RFC 7518]\n///\n/// [section 4.6 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.6\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum EcDhES {\n    /// Using ECDH-ES directly without any wrapping\n    Direct,\n    /// ECDH-ES using Concat KDF and CEK wrapped with one variant of [AesKw]\n    AesKw(AesKw),\n}\n\nimpl From\u003cEcDhES\u003e for super::JsonWebEncryptionAlgorithm {\n    fn from(x: EcDhES) -\u003e Self {\n        Self::EcDhES(x)\n    }\n}\n\nimpl From\u003cEcDhES\u003e for super::JsonWebAlgorithm {\n    fn from(x: EcDhES) -\u003e Self {\n        Self::Encryption(super::JsonWebEncryptionAlgorithm::EcDhES(x))\n    }\n}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","ecdsa.rs"],"content":"/// Digital Signature with ECDSA as defined in [section 3.4 of RFC 7518]\n///\n/// [section 3.4 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.4\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum EcDSA {\n    /// ECDSA using P-256 and SHA-256\n    Es256,\n    /// ECDSA using P-384 and SHA-384\n    Es384,\n    /// ECDSA using P-521 and SHA-512\n    Es512,\n    /// ECDSA using secp256k1 curve and SHA-256\n    ///\n    /// ECDSA with secp256k1 is defined in [RFC 8812 section 3]\n    ///\n    /// [RFC 8812 section 3]: \u003chttps://datatracker.ietf.org/doc/html/rfc8812#section-3\u003e\n    Es256K,\n}\n\nimpl From\u003cEcDSA\u003e for super::JsonWebSigningAlgorithm {\n    fn from(x: EcDSA) -\u003e Self {\n        Self::EcDSA(x)\n    }\n}\n\nimpl From\u003cEcDSA\u003e for super::JsonWebAlgorithm {\n    fn from(x: EcDSA) -\u003e Self {\n        Self::Signing(super::JsonWebSigningAlgorithm::EcDSA(x))\n    }\n}\n","traces":[{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}},{"line":27,"address":[],"length":0,"stats":{"Line":6}},{"line":28,"address":[],"length":0,"stats":{"Line":6}}],"covered":2,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","hmac.rs"],"content":"/// HMAC with SHA-2 Functions as defined in [section 3.2 of RFC 7518]\n///\n/// [section 3.2 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.2\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum Hmac {\n    /// HMAC using SHA-256\n    Hs256,\n    /// HMAC using SHA-384\n    Hs384,\n    /// HMAC using SHA-512\n    Hs512,\n}\n\nimpl From\u003cHmac\u003e for super::JsonWebSigningAlgorithm {\n    fn from(x: Hmac) -\u003e Self {\n        Self::Hmac(x)\n    }\n}\n\nimpl From\u003cHmac\u003e for super::JsonWebAlgorithm {\n    fn from(x: Hmac) -\u003e Self {\n        Self::Signing(super::JsonWebSigningAlgorithm::Hmac(x))\n    }\n}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":2}},{"line":22,"address":[],"length":0,"stats":{"Line":2}}],"covered":2,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","pbes2.rs"],"content":"/// A variant of Key Encryption with PBES2 as defined in the table of [section\n/// 4.8 of RFC 7518]\n///\n/// [section 4.8 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.8\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum Pbes2 {\n    /// PBES2 with HMAC SHA-256 and \"A128KW\" wrapping\n    Hs256Aes128,\n    /// PBES2 with HMAC SHA-384 and \"A192KW\" wrapping\n    Hs384Aes192,\n    /// PBES2 with HMAC SHA-512 and \"A256KW\" wrapping\n    Hs512Aes256,\n}\n\nimpl From\u003cPbes2\u003e for super::JsonWebEncryptionAlgorithm {\n    fn from(x: Pbes2) -\u003e Self {\n        Self::Pbes2(x)\n    }\n}\n\nimpl From\u003cPbes2\u003e for super::JsonWebAlgorithm {\n    fn from(x: Pbes2) -\u003e Self {\n        Self::Encryption(super::JsonWebEncryptionAlgorithm::Pbes2(x))\n    }\n}\n","traces":[{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":17,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}},{"line":23,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","rsa","rsaes_oaep.rs"],"content":"/// Key Encryption with RSAES OAEP as defined in [section 4.3 of RFC 7518]\n///\n/// [section 4.3 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.3\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum RsaesOaep {\n    /// RSAES OAEP using default parameters\n    RsaesOaep,\n    /// RSAES OAEP using SHA-256 and MGF1 with SHA-256\n    RsaesOaep256,\n}\n\nimpl From\u003cRsaesOaep\u003e for crate::jwa::JsonWebEncryptionAlgorithm {\n    fn from(x: RsaesOaep) -\u003e Self {\n        Self::RsaesOaep(x)\n    }\n}\n\nimpl From\u003cRsaesOaep\u003e for crate::jwa::JsonWebAlgorithm {\n    fn from(x: RsaesOaep) -\u003e Self {\n        Self::Encryption(crate::jwa::JsonWebEncryptionAlgorithm::RsaesOaep(x))\n    }\n}\n","traces":[{"line":13,"address":[],"length":0,"stats":{"Line":0}},{"line":14,"address":[],"length":0,"stats":{"Line":0}},{"line":19,"address":[],"length":0,"stats":{"Line":2}},{"line":20,"address":[],"length":0,"stats":{"Line":2}}],"covered":2,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","rsa","rsassa_pkcs1_v1_5.rs"],"content":"/// Digital Signature with RSASSA-PKCS1-v1_5 as defined in [section 3.3 of RFC\n/// 7518]\n///\n/// [section 3.3 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.3\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum RsassaPkcs1V1_5 {\n    /// RSASSA-PKCS1-v1_5 using SHA-256\n    Rs256,\n    /// RSASSA-PKCS1-v1_5 using SHA-384\n    Rs384,\n    /// RSASSA-PKCS1-v1_5 using SHA-512\n    Rs512,\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","jwa","rsa","rsassa_pss.rs"],"content":"/// Digital Signature with RSASSA-PSS as defined in [section 3.5 of RFC 7518]\n///\n/// [section 3.5 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.5\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum RsassaPss {\n    /// RSASSA-PSS using SHA-256 and MGF1 with SHA-256\n    Ps256,\n    /// RSASSA-PSS using SHA-384 and MGF1 with SHA-384\n    Ps384,\n    /// RSASSA-PSS using SHA-512 and MGF1 with SHA-512\n    Ps512,\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","jwa","rsa.rs"],"content":"mod rsaes_oaep;\nmod rsassa_pkcs1_v1_5;\nmod rsassa_pss;\n\npub use self::{rsaes_oaep::RsaesOaep, rsassa_pkcs1_v1_5::RsassaPkcs1V1_5, rsassa_pss::RsassaPss};\n\n/// Some signing algorithm using a RSA key under the hood\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum RsaSigning {\n    /// Digital Signature with RSASSA-PSS\n    Pss(RsassaPss),\n    /// Digital Signature with RSASSA-PKCS1-v1_5\n    RsPkcs1V1_5(RsassaPkcs1V1_5),\n}\n\nimpl From\u003cRsaSigning\u003e for super::JsonWebAlgorithm {\n    fn from(x: RsaSigning) -\u003e Self {\n        Self::Signing(super::JsonWebSigningAlgorithm::Rsa(x))\n    }\n}\n\nimpl From\u003cRsaSigning\u003e for super::JsonWebSigningAlgorithm {\n    fn from(x: RsaSigning) -\u003e Self {\n        Self::Rsa(x)\n    }\n}\n\nimpl From\u003cRsassaPss\u003e for RsaSigning {\n    fn from(x: RsassaPss) -\u003e Self {\n        RsaSigning::Pss(x)\n    }\n}\n\nimpl From\u003cRsassaPss\u003e for super::JsonWebSigningAlgorithm {\n    fn from(x: RsassaPss) -\u003e Self {\n        Self::Rsa(RsaSigning::Pss(x))\n    }\n}\n\nimpl From\u003cRsassaPss\u003e for super::JsonWebAlgorithm {\n    fn from(x: RsassaPss) -\u003e Self {\n        Self::Signing(super::JsonWebSigningAlgorithm::Rsa(RsaSigning::Pss(x)))\n    }\n}\n\nimpl From\u003cRsassaPkcs1V1_5\u003e for RsaSigning {\n    fn from(x: RsassaPkcs1V1_5) -\u003e Self {\n        RsaSigning::RsPkcs1V1_5(x)\n    }\n}\n\nimpl From\u003cRsassaPkcs1V1_5\u003e for super::JsonWebSigningAlgorithm {\n    fn from(x: RsassaPkcs1V1_5) -\u003e Self {\n        Self::Rsa(RsaSigning::RsPkcs1V1_5(x))\n    }\n}\n\nimpl From\u003cRsassaPkcs1V1_5\u003e for super::JsonWebAlgorithm {\n    fn from(x: RsassaPkcs1V1_5) -\u003e Self {\n        Self::Signing(super::JsonWebSigningAlgorithm::Rsa(\n            RsaSigning::RsPkcs1V1_5(x),\n        ))\n    }\n}\n","traces":[{"line":17,"address":[],"length":0,"stats":{"Line":0}},{"line":18,"address":[],"length":0,"stats":{"Line":0}},{"line":23,"address":[],"length":0,"stats":{"Line":0}},{"line":24,"address":[],"length":0,"stats":{"Line":0}},{"line":29,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":41,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":54,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":1}},{"line":60,"address":[],"length":0,"stats":{"Line":1}},{"line":61,"address":[],"length":0,"stats":{"Line":1}}],"covered":3,"coverable":17},{"path":["/","home","stu","dev","rust","jose","src","jwa.rs"],"content":"//! Implementation of JSON Web Algorithms (JWA) as defined in [RFC 7518]\n//!\n//! [RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518\u003e\n\nmod aes_cbc_hs;\nmod aes_gcm;\nmod aes_kw;\nmod ecdh_es;\nmod ecdsa;\nmod hmac;\nmod pbes2;\nmod rsa;\n\nuse alloc::{borrow::Cow, string::String};\n\nuse serde::{Deserialize, Serialize};\n\n#[doc(inline)]\npub use self::{\n    aes_cbc_hs::AesCbcHs,\n    aes_gcm::AesGcm,\n    aes_kw::AesKw,\n    ecdh_es::EcDhES,\n    ecdsa::EcDSA,\n    hmac::Hmac,\n    pbes2::Pbes2,\n    rsa::{RsaSigning, RsaesOaep, RsassaPkcs1V1_5, RsassaPss},\n};\n\n/// Either a JSON Web Algorithm for signing operations, or an algorithm for\n/// encryption operations. Possible values should be registered in the [IANA\n/// `JSON Web Signature and Encryption Algorithms` registry][1].\n///\n/// [1]: \u003chttps://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize)]\n#[serde(untagged)]\npub enum JsonWebAlgorithm {\n    /// Signing algorithm.\n    Signing(JsonWebSigningAlgorithm),\n\n    /// Encryption algorithm.\n    Encryption(JsonWebEncryptionAlgorithm),\n\n    /// Unknown algorithm.\n    Other(String),\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for JsonWebAlgorithm {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let name = Cow::\u003c'_, str\u003e::deserialize(deserializer)?;\n\n        let sign =\n            JsonWebSigningAlgorithm::from_str_without_other(name.as_ref()).map(Self::Signing);\n        let enc =\n            JsonWebEncryptionAlgorithm::from_str_without_other(name.as_ref()).map(Self::Encryption);\n\n        let alg = sign\n            .or(enc)\n            .unwrap_or_else(|| Self::Other(name.into_owned()));\n        Ok(alg)\n    }\n}\n\n/// A JSON Web Algorithm (JWA) for singing operations (JWS) as defined in [RFC\n/// 7518 section 3]\n///\n/// This enum covers the `alg` Header Parameter Values for JWS. It represents\n/// the table from [section 3.1].\n///\n/// [RFC 7518 section 3]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3\u003e\n/// [section 3.1]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.1\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Hash)]\n#[non_exhaustive]\npub enum JsonWebSigningAlgorithm {\n    /// HMAC with SHA-2 Functions\n    Hmac(Hmac),\n    /// RSASSA-PKCS1-v1_5 using SHA-2 Functions\n    /// Digital Signature with RSASSA-PSS\n    Rsa(RsaSigning),\n    /// Digital Signature with ECDSA\n    EcDSA(EcDSA),\n    /// Digital Signature with Edwards-curve Digital Signature Algorithm (EdDSA)\n    /// as defined in [section 3.1 of RFC 8037]\n    ///\n    /// Note: `EdDSA` should not be confused with\n    /// [`EcDSA`](JsonWebSigningAlgorithm::EcDSA).\n    /// Also note that an EdDSA signature can either be made using `Ed25519` or\n    /// `Ed448` but this information is not included.\n    ///\n    /// [section 3.1 of RFC 8037]: \u003chttps://datatracker.ietf.org/doc/html/rfc8037#section-3.1\u003e\n    EdDSA,\n    /// The \"none\" algorithm as defined in [section 3.6 of RFC 7518].\n    ///\n    /// Using this algorithm essentially means that there is\n    /// no integrity protection for the JWS.\n    ///\n    /// [section 3.6 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.6\u003e\n    None,\n    /// JSON Web Algorithms that are not recognised by this implementation.\n    ///\n    /// If you want to implement custom algorithms via a custom\n    /// [`Signer`](crate::jws::Signer) and [`Verifier`](crate::jws::Verifier)\n    /// type, you should use this type to define an identifier for your\n    /// algorithm.\n    ///\n    /// Note: When you deserialize the `alg` header parameter via the\n    /// [`JsonWebAlgorithm`] enum, this variant will never be\n    /// constructed.\n    Other(String),\n}\n\nimpl From\u003cJsonWebSigningAlgorithm\u003e for JsonWebAlgorithm {\n    fn from(x: JsonWebSigningAlgorithm) -\u003e Self {\n        Self::Signing(x)\n    }\n}\n\n// don't judge this macro please.\n// its ugly but it works\nimpl_serde_jwa!(\n    JsonWebSigningAlgorithm,\n    [\n        \"HS256\" =\u003e Self::Hmac(Hmac::Hs256); Self::Hmac(Hmac::Hs256),\n        \"HS384\" =\u003e Self::Hmac(Hmac::Hs384); Self::Hmac(Hmac::Hs384),\n        \"HS512\" =\u003e Self::Hmac(Hmac::Hs512); Self::Hmac(Hmac::Hs512),\n\n        \"RS256\" =\u003e Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs256)); Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs256)),\n        \"RS384\" =\u003e Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs384)); Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs384)),\n        \"RS512\" =\u003e Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs512)); Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs512)),\n\n        \"ES256\" =\u003e Self::EcDSA(EcDSA::Es256); Self::EcDSA(EcDSA::Es256),\n        \"ES384\" =\u003e Self::EcDSA(EcDSA::Es384); Self::EcDSA(EcDSA::Es384),\n        \"ES512\" =\u003e Self::EcDSA(EcDSA::Es512); Self::EcDSA(EcDSA::Es512),\n        \"ES256K\" =\u003e Self::EcDSA(EcDSA::Es256K); Self::EcDSA(EcDSA::Es256K),\n\n        \"EdDSA\" =\u003e Self::EdDSA; Self::EdDSA,\n\n        \"PS256\" =\u003e Self::Rsa(RsaSigning::Pss(RsassaPss::Ps256)); Self::Rsa(RsaSigning::Pss(RsassaPss::Ps256)),\n        \"PS384\" =\u003e Self::Rsa(RsaSigning::Pss(RsassaPss::Ps384)); Self::Rsa(RsaSigning::Pss(RsassaPss::Ps384)),\n        \"PS512\" =\u003e Self::Rsa(RsaSigning::Pss(RsassaPss::Ps512)); Self::Rsa(RsaSigning::Pss(RsassaPss::Ps512)),\n\n\n        \"none\" =\u003e Self::None; Self::None,\n    ]\n);\n\n/// A JSON Web Algorithm (JWA) for encryption and decryption of Content\n/// Encryption Key (CEK) as defined in [RFC 7518 section 4]\n///\n/// This enum covers the `alg` Header Parameter Values for JWE. It represents\n/// the table from [section 4.1].\n///\n/// [RFC 7518 section 4]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4\u003e\n/// [section 4.1]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.1\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Hash)]\n#[non_exhaustive]\npub enum JsonWebEncryptionAlgorithm {\n    /// Key Encryption with RSAES-PKCS1-v1_5 as defined in [section 4.2]\n    ///\n    /// [section 4.2]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.2\u003e\n    Rsa1_5,\n    /// Key Encryption with RSAES OAEP\n    RsaesOaep(RsaesOaep),\n    /// AES Key Wrap\n    AesKw(AesKw),\n    /// Direct use of a shared symmetric key as the CEK as defined in [section\n    /// 4.5]\n    ///\n    /// [section 4.5]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.5\u003e\n    Direct,\n    /// Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES)\n    EcDhES(EcDhES),\n    /// Key wrapping with AES GCM\n    AesGcmKw(AesGcm),\n    /// PBES2 Key Encryption\n    Pbes2(Pbes2),\n    /// JSON Web Algorithms that are not recognised by this implementation.\n    ///\n    /// If you want to implement custom algorithms for use in JSON Web\n    /// encryption, you should use this variant to identify your algorithm.\n    ///\n    /// Note: When you deserialize the `alg` header parameter via the\n    /// [`JsonWebAlgorithm`] enum, this variant will never be\n    /// constructed.\n    Other(String),\n}\n\nimpl From\u003cJsonWebEncryptionAlgorithm\u003e for JsonWebAlgorithm {\n    fn from(x: JsonWebEncryptionAlgorithm) -\u003e Self {\n        Self::Encryption(x)\n    }\n}\n\nimpl_serde_jwa!(\n    JsonWebEncryptionAlgorithm,\n    [\n        \"RSA1_5\" =\u003e Self::Rsa1_5; Self::Rsa1_5,\n        \"RSA-OAEP\" =\u003e Self::RsaesOaep(RsaesOaep::RsaesOaep); Self::RsaesOaep(RsaesOaep::RsaesOaep),\n        \"RSA-OAEP-256\" =\u003e Self::RsaesOaep(RsaesOaep::RsaesOaep256); Self::RsaesOaep(RsaesOaep::RsaesOaep256),\n        \"A128KW\" =\u003e Self::AesKw(AesKw::Aes128); Self::AesKw(AesKw::Aes128),\n        \"A192KW\" =\u003e Self::AesKw(AesKw::Aes192); Self::AesKw(AesKw::Aes192),\n        \"A256KW\" =\u003e Self::AesKw(AesKw::Aes256); Self::AesKw(AesKw::Aes256),\n        \"dir\" =\u003e Self::Direct; Self::Direct,\n        \"ECDH-ES\" =\u003e Self::EcDhES(EcDhES::Direct); Self::EcDhES(EcDhES::Direct),\n        \"ECDH-ES+A128KW\" =\u003e Self::EcDhES(EcDhES::AesKw(AesKw::Aes128)); Self::EcDhES(EcDhES::AesKw(AesKw::Aes128)),\n        \"ECDH-ES+A192KW\" =\u003e Self::EcDhES(EcDhES::AesKw(AesKw::Aes192)); Self::EcDhES(EcDhES::AesKw(AesKw::Aes192)),\n        \"ECDH-ES+A256KW\" =\u003e Self::EcDhES(EcDhES::AesKw(AesKw::Aes256)); Self::EcDhES(EcDhES::AesKw(AesKw::Aes256)),\n        \"A128GCMKW\" =\u003e Self::AesGcmKw(AesGcm::Aes128); Self::AesGcmKw(AesGcm::Aes128),\n        \"A192GCMKW\" =\u003e Self::AesGcmKw(AesGcm::Aes192); Self::AesGcmKw(AesGcm::Aes192),\n        \"A256GCMKW\" =\u003e Self::AesGcmKw(AesGcm::Aes256); Self::AesGcmKw(AesGcm::Aes256),\n        \"PBES2-HS256+A128KW\" =\u003e Self::Pbes2(Pbes2::Hs256Aes128); Self::Pbes2(Pbes2::Hs256Aes128),\n        \"PBES2-HS384+A192KW\" =\u003e Self::Pbes2(Pbes2::Hs384Aes192); Self::Pbes2(Pbes2::Hs384Aes192),\n        \"PBES2-HS512+A256KW\" =\u003e Self::Pbes2(Pbes2::Hs512Aes256); Self::Pbes2(Pbes2::Hs512Aes256),\n    ]\n);\n\n/// A JSON Web Algorithm (JWA) for content encryption and decryption of a JWE as\n/// defined in [RFC 7518 section 5]\n///\n/// This enum covers the `enc` Header Parameter Values for JWE. It represents\n/// the table from [section 5.1].\n///\n/// [RFC 7518 section 5]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5\u003e\n/// [section 5.1]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5.1\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Hash)]\n#[non_exhaustive]\npub enum JsonWebContentEncryptionAlgorithm {\n    /// Content Encryption using AES in CBC mode with HMAC\n    AesCbcHs(AesCbcHs),\n    /// Content Encryption using AES GCM\n    AesGcm(AesGcm),\n    /// JSON Web Algorithms that are not recognised by this implementation.\n    ///\n    /// Use this variant if you want to implement a custom content encryption\n    /// algorithm.\n    Other(String),\n}\n\nimpl_serde_jwa!(\n    JsonWebContentEncryptionAlgorithm,\n    [\n        \"A128CBC-HS256\" =\u003e Self::AesCbcHs(AesCbcHs::Aes128CbcHs256); Self::AesCbcHs(AesCbcHs::Aes128CbcHs256),\n        \"A192CBC-HS384\" =\u003e Self::AesCbcHs(AesCbcHs::Aes192CbcHs384); Self::AesCbcHs(AesCbcHs::Aes192CbcHs384),\n        \"A256CBC-HS512\" =\u003e Self::AesCbcHs(AesCbcHs::Aes256CbcHs512); Self::AesCbcHs(AesCbcHs::Aes256CbcHs512),\n\n        \"A128GCM\" =\u003e Self::AesGcm(AesGcm::Aes128); Self::AesGcm(AesGcm::Aes128),\n        \"A192GCM\" =\u003e Self::AesGcm(AesGcm::Aes192); Self::AesGcm(AesGcm::Aes192),\n        \"A256GCM\" =\u003e Self::AesGcm(AesGcm::Aes256); Self::AesGcm(AesGcm::Aes256),\n    ]\n);\n\n#[test]\nfn test_others_not_stealing() {\n    use alloc::string::ToString;\n    let jwe = \"dir\";\n    let jwa: JsonWebAlgorithm =\n        serde_json::from_value(serde_json::Value::String(jwe.to_string())).unwrap();\n    assert_eq!(\n        jwa,\n        JsonWebAlgorithm::Encryption(JsonWebEncryptionAlgorithm::Direct)\n    );\n}\n","traces":[{"line":49,"address":[],"length":0,"stats":{"Line":47}},{"line":53,"address":[],"length":0,"stats":{"Line":94}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":0}},{"line":62,"address":[],"length":0,"stats":{"Line":2}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":2}},{"line":117,"address":[],"length":0,"stats":{"Line":2}},{"line":192,"address":[],"length":0,"stats":{"Line":0}},{"line":193,"address":[],"length":0,"stats":{"Line":0}}],"covered":5,"coverable":14},{"path":["/","home","stu","dev","rust","jose","src","jwe.rs"],"content":"//! Implementation of JSON Web Encryption (JWE) as defined in [RFC 7516]\n//!\n//! [RFC 7516]: \u003chttps://www.rfc-editor.org/rfc/rfc7516.html\u003e\n\n/// TODO\n#[derive(Debug)]\npub struct JsonWebEncryption {}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","jwk","asymmetric.rs"],"content":"use alloc::string::String;\n\nuse serde::{Deserialize, Serialize};\n\nuse super::{Private, Public, Thumbprint};\n\n/// Some kind of asymmetric cryptographic key which can be either [`Private`] or\n/// [`Public`]\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Hash)]\n#[serde(untagged)]\npub enum AsymmetricJsonWebKey {\n    /// The private part of an asymmetric key\n    Private(Private),\n    /// The public part of an asymmetric key\n    Public(Public),\n}\n\nimpl crate::sealed::Sealed for AsymmetricJsonWebKey {}\nimpl Thumbprint for AsymmetricJsonWebKey {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            AsymmetricJsonWebKey::Private(key) =\u003e key.thumbprint_prehashed(),\n            AsymmetricJsonWebKey::Public(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl From\u003cAsymmetricJsonWebKey\u003e for super::JsonWebKeyType {\n    fn from(x: AsymmetricJsonWebKey) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(x))\n    }\n}\n","traces":[{"line":20,"address":[],"length":0,"stats":{"Line":58}},{"line":21,"address":[],"length":0,"stats":{"Line":58}},{"line":22,"address":[],"length":0,"stats":{"Line":25}},{"line":23,"address":[],"length":0,"stats":{"Line":33}},{"line":29,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":0}}],"covered":4,"coverable":6},{"path":["/","home","stu","dev","rust","jose","src","jwk","builder.rs"],"content":"use alloc::{string::String, vec::Vec};\nuse core::convert::Infallible;\n\nuse hashbrown::HashSet;\n\nuse super::{serde_impl::Base64DerCertificate, JsonWebKey, JsonWebKeyType, KeyOperation, KeyUsage};\nuse crate::{\n    jwa::JsonWebAlgorithm,\n    jwk::policy::{Checkable, Checked, Policy},\n    Uri,\n};\n\n/// Reasons the construction of a `JsonWebKey` via the\n/// [`JsonWebKeyBuilder::build`] method can fail.\n#[derive(Debug, thiserror::Error)]\n#[non_exhaustive]\npub enum JsonWebKeyBuildError\u003cP\u003e {\n    /// The [`JsonWebKeyType`] and [`JsonWebAlgorithm`] are not compatible.\n    ///\n    /// An example is usage of an RSA key with an Hmac Json web algorithm.\n    #[error(\"the `key_type` and `algorithm` are not compatible\")]\n    IncompatibleKeyType,\n    /// This error can only happen when using the\n    /// [`build_and_check`](JsonWebKeyBuilder::build_and_check) is used and the\n    /// policy check failed.\n    #[error(transparent)]\n    PolicyCheckFailed(P),\n}\n\n/// The builder for modifying a [`JsonWebKey`].\n#[derive(Debug, Clone)]\npub struct JsonWebKeyBuilder\u003cA\u003e {\n    pub(super) key_type: JsonWebKeyType,\n    pub(super) key_use: Option\u003cKeyUsage\u003e,\n    pub(super) key_operations: Option\u003cHashSet\u003cKeyOperation\u003e\u003e,\n    pub(super) algorithm: Option\u003cJsonWebAlgorithm\u003e,\n    pub(super) kid: Option\u003cString\u003e,\n    pub(super) x509_url: Option\u003cUri\u003e,\n    pub(super) x509_certificate_chain: Vec\u003cBase64DerCertificate\u003e,\n    pub(super) x509_certificate_sha1_thumbprint: Option\u003c[u8; 20]\u003e,\n    pub(super) x509_certificate_sha256_thumbprint: Option\u003c[u8; 32]\u003e,\n    pub(super) additional: A,\n}\n\nmacro_rules! gen_builder_methods {\n    ($($field:ident: $T:ty,)*) =\u003e {\n        $(#[doc = concat!(\"Override the `\", stringify!($field), \"` for this JWK.\")]\n        #[inline]\n        pub fn $field(mut self, $field: Option\u003cimpl Into\u003c$T\u003e\u003e) -\u003e Self {\n            self.$field = $field.map(Into::into);\n            self\n        })*\n    };\n}\n\nimpl JsonWebKeyBuilder\u003c()\u003e {\n    /// Create a new [`JsonWebKeyBuilder`] with the given key.\n    pub fn new(key_type: impl Into\u003cJsonWebKeyType\u003e) -\u003e Self {\n        Self {\n            key_type: key_type.into(),\n            key_use: None,\n            key_operations: None,\n            algorithm: None,\n            kid: None,\n            x509_url: None,\n            x509_certificate_chain: alloc::vec![],\n            x509_certificate_sha1_thumbprint: None,\n            x509_certificate_sha256_thumbprint: None,\n            additional: (),\n        }\n    }\n}\n\nimpl\u003cA\u003e JsonWebKeyBuilder\u003cA\u003e {\n    /// Try to construct the final [`JsonWebKey`].\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if any parameter is considered invalid. For example,\n    /// if a [`JsonWebKeyType`] is not compatible with the [`JsonWebAlgorithm`]\n    /// set.\n    pub fn build(self) -\u003e Result\u003cJsonWebKey\u003cA\u003e, JsonWebKeyBuildError\u003cInfallible\u003e\u003e {\n        let Self {\n            key_type,\n            key_use,\n            key_operations,\n            algorithm,\n            kid,\n            x509_url,\n            x509_certificate_chain,\n            x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint,\n            additional,\n        } = self;\n\n        if let Some(ref algorithm) = algorithm {\n            if !key_type.compatible_with(algorithm) {\n                return Err(JsonWebKeyBuildError::IncompatibleKeyType);\n            }\n        }\n\n        Ok(JsonWebKey {\n            key_type,\n            key_use,\n            key_operations,\n            algorithm,\n            kid,\n            x509_url,\n            x509_certificate_chain,\n            x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint,\n            additional,\n        })\n    }\n\n    /// Try to construct the final [`JsonWebKey`], and then validates the\n    /// resulting JWK using the given [`Policy`].\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if any parameter is considered invalid, or the policy\n    /// check failed. For example, if a [`JsonWebKeyType`] is not compatible\n    /// with the [`JsonWebAlgorithm`] set.\n    // We think that this degree of complexity is acceptable and a type alias would make things even\n    // more complex\n    #[allow(clippy::type_complexity, clippy::result_large_err)]\n    pub fn build_and_check\u003cP: Policy\u003e(\n        self,\n        policy: P,\n    ) -\u003e Result\u003cChecked\u003cJsonWebKey\u003cA\u003e, P\u003e, JsonWebKeyBuildError\u003cP::Error\u003e\u003e\n    where\n        A: Checkable,\n    {\n        self.build()\n            .map_err(|e| match e {\n                JsonWebKeyBuildError::IncompatibleKeyType =\u003e {\n                    JsonWebKeyBuildError::IncompatibleKeyType\n                }\n                JsonWebKeyBuildError::PolicyCheckFailed(x) =\u003e match x {},\n            })?\n            .check(policy)\n            .map_err(|(_, e)| JsonWebKeyBuildError::PolicyCheckFailed(e))\n    }\n}\n\nimpl\u003cA\u003e JsonWebKeyBuilder\u003cA\u003e {\n    gen_builder_methods! {\n        key_use: KeyUsage,\n        key_operations: HashSet\u003cKeyOperation\u003e,\n        algorithm: JsonWebAlgorithm,\n        kid: String,\n        x509_url: Uri,\n        x509_certificate_sha1_thumbprint: [u8; 20],\n        x509_certificate_sha256_thumbprint: [u8; 32],\n    }\n\n    /// Override the `key_type` for this JWK.\n    #[inline]\n    pub fn key_type(mut self, key_type: JsonWebKeyType) -\u003e Self {\n        self.key_type = key_type;\n        self\n    }\n\n    /// Override the `x509_certificate_chain` for this JWK.\n    #[inline]\n    pub fn x509_certificate_chain(mut self, x509_certificate_chain: Vec\u003cVec\u003cu8\u003e\u003e) -\u003e Self {\n        self.x509_certificate_chain = x509_certificate_chain\n            .into_iter()\n            .map(Base64DerCertificate)\n            .collect();\n        self\n    }\n\n    /// Override the additional parameters for this JWK.\n    #[inline]\n    pub fn additional\u003cN\u003e(self, additional: N) -\u003e JsonWebKeyBuilder\u003cN\u003e {\n        JsonWebKeyBuilder {\n            key_type: self.key_type,\n            key_use: self.key_use,\n            key_operations: self.key_operations,\n            algorithm: self.algorithm,\n            kid: self.kid,\n            x509_url: self.x509_url,\n            x509_certificate_chain: self.x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: self.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: self.x509_certificate_sha256_thumbprint,\n            additional,\n        }\n    }\n}\n","traces":[{"line":49,"address":[],"length":0,"stats":{"Line":42}},{"line":50,"address":[],"length":0,"stats":{"Line":42}},{"line":51,"address":[],"length":0,"stats":{"Line":42}},{"line":52,"address":[],"length":0,"stats":{"Line":42}},{"line":58,"address":[],"length":0,"stats":{"Line":21}},{"line":60,"address":[],"length":0,"stats":{"Line":21}},{"line":66,"address":[],"length":0,"stats":{"Line":21}},{"line":69,"address":[],"length":0,"stats":{"Line":21}},{"line":82,"address":[],"length":0,"stats":{"Line":42}},{"line":83,"address":[],"length":0,"stats":{"Line":42}},{"line":84,"address":[],"length":0,"stats":{"Line":42}},{"line":85,"address":[],"length":0,"stats":{"Line":42}},{"line":86,"address":[],"length":0,"stats":{"Line":42}},{"line":87,"address":[],"length":0,"stats":{"Line":42}},{"line":88,"address":[],"length":0,"stats":{"Line":42}},{"line":89,"address":[],"length":0,"stats":{"Line":42}},{"line":90,"address":[],"length":0,"stats":{"Line":42}},{"line":91,"address":[],"length":0,"stats":{"Line":42}},{"line":92,"address":[],"length":0,"stats":{"Line":42}},{"line":93,"address":[],"length":0,"stats":{"Line":42}},{"line":94,"address":[],"length":0,"stats":{"Line":42}},{"line":96,"address":[],"length":0,"stats":{"Line":84}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":42}},{"line":102,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":108,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":134,"address":[],"length":0,"stats":{"Line":0}},{"line":135,"address":[],"length":0,"stats":{"Line":0}},{"line":136,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":139,"address":[],"length":0,"stats":{"Line":0}},{"line":141,"address":[],"length":0,"stats":{"Line":0}},{"line":142,"address":[],"length":0,"stats":{"Line":0}},{"line":159,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":0}},{"line":161,"address":[],"length":0,"stats":{"Line":0}},{"line":166,"address":[],"length":0,"stats":{"Line":0}},{"line":167,"address":[],"length":0,"stats":{"Line":0}},{"line":168,"address":[],"length":0,"stats":{"Line":0}},{"line":169,"address":[],"length":0,"stats":{"Line":0}},{"line":170,"address":[],"length":0,"stats":{"Line":0}},{"line":171,"address":[],"length":0,"stats":{"Line":0}},{"line":176,"address":[],"length":0,"stats":{"Line":0}},{"line":178,"address":[],"length":0,"stats":{"Line":0}},{"line":179,"address":[],"length":0,"stats":{"Line":0}},{"line":180,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":0}},{"line":182,"address":[],"length":0,"stats":{"Line":0}},{"line":183,"address":[],"length":0,"stats":{"Line":0}},{"line":184,"address":[],"length":0,"stats":{"Line":0}},{"line":185,"address":[],"length":0,"stats":{"Line":0}},{"line":186,"address":[],"length":0,"stats":{"Line":0}}],"covered":23,"coverable":62},{"path":["/","home","stu","dev","rust","jose","src","jwk","key_ops.rs"],"content":"use alloc::string::String;\n\nuse serde::{Deserialize, Serialize};\n\n/// This enum represents the key operations (`key_ops`) parameter as defined in\n/// [Section 4.3 of RFC 7517]. All possible values are registered in the [IANA\n/// `JSON Web Key Operations` registry].\n///\n/// This enum SHOULD NOT be used together with the [`KeyUsage`](super::KeyUsage)\n/// enum. If they are both present, their information MUST be consistent.\n///\n/// [Section 4.3 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.3\u003e\n/// [IANA `JSON Web Key Operations` registry]: \u003chttps://www.iana.org/assignments/jose/jose.xhtml#web-key-operations\u003e\n#[non_exhaustive]\n#[derive(Debug, Clone, Hash, PartialEq, Eq)]\npub enum KeyOperation {\n    /// This key may compute digital signatures or MACs\n    Sign,\n    /// This key may verify digital signatures or MACs\n    Verify,\n    /// This key may encrypt content\n    Encrypt,\n    /// This key may decrypt content and validate decryption, if applicable\n    Decrypt,\n    /// This key may encrypt a key\n    WrapKey,\n    /// This key may decrypt a key and validate the decryption, if applicable\n    UnwrapKey,\n    /// This key may derive a key\n    DeriveKey,\n    /// This key may derive bits not to be used as a key\n    DeriveBits,\n    /// Some other case-sensitive [`String`] that did not match any of the\n    /// publicly known key operations\n    Other(String),\n}\n\nimpl Serialize for KeyOperation {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        match self {\n            Self::Sign =\u003e \"sign\",\n            Self::Verify =\u003e \"verify\",\n            Self::Encrypt =\u003e \"encrypt\",\n            Self::Decrypt =\u003e \"decrypt\",\n            Self::WrapKey =\u003e \"wrapKey\",\n            Self::UnwrapKey =\u003e \"unwrapKey\",\n            Self::DeriveKey =\u003e \"deriveKey\",\n            Self::DeriveBits =\u003e \"deriveBits\",\n            Self::Other(s) =\u003e s,\n        }\n        .serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for KeyOperation {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let val = \u003calloc::borrow::Cow\u003c'_, str\u003e\u003e::deserialize(deserializer)?;\n        Ok(match \u0026*val {\n            \"sign\" =\u003e Self::Sign,\n            \"verify\" =\u003e Self::Verify,\n            \"encrypt\" =\u003e Self::Encrypt,\n            \"decrypt\" =\u003e Self::Decrypt,\n            \"wrapKey\" =\u003e Self::WrapKey,\n            \"unwrapKey\" =\u003e Self::UnwrapKey,\n            \"deriveKey\" =\u003e Self::DeriveKey,\n            \"deriveBits\" =\u003e Self::DeriveBits,\n            _ =\u003e Self::Other(val.into_owned()),\n        })\n    }\n}\n","traces":[{"line":39,"address":[],"length":0,"stats":{"Line":10}},{"line":43,"address":[],"length":0,"stats":{"Line":10}},{"line":44,"address":[],"length":0,"stats":{"Line":2}},{"line":45,"address":[],"length":0,"stats":{"Line":4}},{"line":46,"address":[],"length":0,"stats":{"Line":2}},{"line":47,"address":[],"length":0,"stats":{"Line":2}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":50,"address":[],"length":0,"stats":{"Line":0}},{"line":51,"address":[],"length":0,"stats":{"Line":0}},{"line":52,"address":[],"length":0,"stats":{"Line":0}},{"line":54,"address":[],"length":0,"stats":{"Line":10}},{"line":59,"address":[],"length":0,"stats":{"Line":16}},{"line":63,"address":[],"length":0,"stats":{"Line":32}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":3}},{"line":66,"address":[],"length":0,"stats":{"Line":19}},{"line":67,"address":[],"length":0,"stats":{"Line":11}},{"line":68,"address":[],"length":0,"stats":{"Line":6}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}}],"covered":13,"coverable":24},{"path":["/","home","stu","dev","rust","jose","src","jwk","key_use.rs"],"content":"use alloc::string::String;\n\nuse serde::{Deserialize, Serialize};\n\n/// This enum represents possible key usage (`use`) parameter as\n/// defined in [Section 4.2 of RFC 7517]. All possible values are registered in\n/// the [IANA `JSON Web Key Use` registry].\n///\n/// [Section 4.2 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.2\u003e\n/// [IANA `JSON Web Key Use` registry]: \u003chttps://www.iana.org/assignments/jose/jose.xhtml#web-key-use\u003e\n#[non_exhaustive]\n#[derive(Debug, Clone, Hash, PartialEq, Eq)]\npub enum KeyUsage {\n    /// The `sig` (signature) value\n    Signing,\n    /// The `enc` (encryption) value\n    Encryption,\n    /// Some other case-sensitive [`String`] that did not match any of the\n    /// publicly known variants\n    Other(String),\n}\n\nimpl Serialize for KeyUsage {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        match self {\n            Self::Signing =\u003e \"sig\",\n            Self::Encryption =\u003e \"enc\",\n            Self::Other(s) =\u003e s,\n        }\n        .serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for KeyUsage {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let val = \u003calloc::borrow::Cow\u003c'_, str\u003e\u003e::deserialize(deserializer)?;\n        Ok(match \u0026*val {\n            \"sig\" =\u003e Self::Signing,\n            \"enc\" =\u003e Self::Encryption,\n            _ =\u003e Self::Other(val.into_owned()),\n        })\n    }\n}\n","traces":[{"line":24,"address":[],"length":0,"stats":{"Line":34}},{"line":28,"address":[],"length":0,"stats":{"Line":34}},{"line":29,"address":[],"length":0,"stats":{"Line":28}},{"line":30,"address":[],"length":0,"stats":{"Line":6}},{"line":31,"address":[],"length":0,"stats":{"Line":0}},{"line":33,"address":[],"length":0,"stats":{"Line":34}},{"line":38,"address":[],"length":0,"stats":{"Line":50}},{"line":42,"address":[],"length":0,"stats":{"Line":100}},{"line":43,"address":[],"length":0,"stats":{"Line":0}},{"line":44,"address":[],"length":0,"stats":{"Line":44}},{"line":45,"address":[],"length":0,"stats":{"Line":12}},{"line":46,"address":[],"length":0,"stats":{"Line":0}}],"covered":9,"coverable":12},{"path":["/","home","stu","dev","rust","jose","src","jwk","policy","standard.rs"],"content":"use alloc::string::{String, ToString};\nuse core::fmt::Display;\n\nuse hashbrown::HashSet;\nuse thiserror::Error;\n\nuse super::{CryptographicOperation, Policy, PolicyError};\nuse crate::{\n    jwa::{JsonWebAlgorithm, JsonWebEncryptionAlgorithm, JsonWebSigningAlgorithm},\n    jwk::{KeyOperation, KeyUsage},\n};\n\n/// Reasons a [`StandardPolicy`] can deny a JWK.\n#[derive(Debug, Error)]\npub enum StandardPolicyFail {\n    /// A [`JsonWebKey`](crate::jwk::JsonWebKey) may not perform a\n    /// [`CryptographicOperation`]\n    #[error(\"this key may not perform this cryptographic operation\")]\n    OperationNotAllowed,\n    /// The [`JsonWebSigningAlgorithm::None`] algorithm is not allowed as this\n    /// indicates an unverified/unencrypted JWS/JWE.\n    #[error(\"`none` algorithm is not allowed\")]\n    NoneAlgorithm,\n    /// [`KeyUsage::Other`] can not be verified by the standard policy, thus\n    /// it's simply declined and the user needs to use a custom policy to\n    /// check it.\n    #[error(\"`use` contained custom usage which can't be checked\")]\n    OtherKeyUsage,\n    /// [`KeyOperation::Other`] can not be verified by the standard policy, thus\n    /// it's simply declined and the user needs to use a custom policy to\n    /// check it.\n    #[error(\"`key_ops` contained custom operation which can't be checked\")]\n    OtherKeyOperation,\n    /// If any of [`JsonWebSigningAlgorithm`] or [`JsonWebEncryptionAlgorithm`]\n    /// contains the `Other` variant, this error will be raised by the\n    /// [`StandardPolicy`] because it is not understood by the implementations\n    /// provided by this library.\n    ///\n    /// If you use custom implementations (for example, via your own\n    /// [`Signer`](crate::jws::Signer) type) and use custom values for your\n    /// algorithm identification, you should provide our own [`Policy`] that\n    /// compares the `Other` variants against values understood by your\n    /// implementation.\n    #[error(\"`alg` header contains an unknown value\")]\n    OtherAlgorithm,\n    /// Used for the [`PolicyError`] implementation\n    #[error(\"{0}\")]\n    Custom(String),\n}\n\nimpl PolicyError for StandardPolicyFail {\n    fn custom\u003cT\u003e(msg: T) -\u003e Self\n    where\n        T: Display,\n    {\n        Self::Custom(msg.to_string())\n    }\n}\n\n/// A [`Policy`] with reasonable rules. Use this struct if you want to have some\n/// secure defaults.\n///\n/// # Included checks\n///\n/// - [`JsonWebSigningAlgorithm::None`] is not allowed\n/// - `use` field must not contain [`KeyUsage::Other`] because it can't be\n///   verified\n/// - `key_ops` field must not contain [`KeyOperation::Other`] because it can't\n///   be verified\n#[non_exhaustive]\n#[derive(Debug, Default, Clone)]\npub struct StandardPolicy;\n\nimpl StandardPolicy {\n    /// Create a [`StandardPolicy`]\n    pub const fn new() -\u003e Self {\n        Self\n    }\n}\n\n// TODO: StandardPolicy should check that the JsonWebKeyType and the provided\n// Algorithm make sense\nimpl Policy for StandardPolicy {\n    type Error = StandardPolicyFail;\n\n    fn algorithm(\u0026self, alg: \u0026JsonWebAlgorithm) -\u003e Result\u003c(), Self::Error\u003e {\n        match alg {\n            JsonWebAlgorithm::Encryption(JsonWebEncryptionAlgorithm::Other(_))\n            | JsonWebAlgorithm::Signing(JsonWebSigningAlgorithm::Other(_)) =\u003e {\n                Err(StandardPolicyFail::OtherAlgorithm)\n            }\n\n            JsonWebAlgorithm::Signing(JsonWebSigningAlgorithm::None) =\u003e {\n                Err(StandardPolicyFail::NoneAlgorithm)\n            }\n            JsonWebAlgorithm::Other(..) =\u003e Err(StandardPolicyFail::OtherAlgorithm),\n            _ =\u003e Ok(()),\n        }\n    }\n\n    fn compare_key_ops_and_use(\n        \u0026self,\n        key_use: \u0026KeyUsage,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        if matches!(key_use, KeyUsage::Other(..)) {\n            return Err(StandardPolicyFail::OtherKeyUsage);\n        }\n\n        if key_ops.iter().any(|o| matches!(o, KeyOperation::Other(..))) {\n            return Err(StandardPolicyFail::OtherKeyOperation);\n        }\n\n        // TODO: check that the typed variants of KeyUsage and KeyOperation\n        Ok(())\n    }\n\n    fn may_perform_operation_key_ops(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        use CryptographicOperation::*;\n        match operation {\n            Encrypt if key_ops.contains(\u0026KeyOperation::Encrypt) =\u003e Ok(()),\n            Decrypt if key_ops.contains(\u0026KeyOperation::Encrypt) =\u003e Ok(()),\n            Sign if key_ops.contains(\u0026KeyOperation::Sign) =\u003e Ok(()),\n            Verify if key_ops.contains(\u0026KeyOperation::Verify) =\u003e Ok(()),\n            _ =\u003e Err(StandardPolicyFail::OperationNotAllowed),\n        }\n    }\n\n    fn may_perform_operation_key_use(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_use: \u0026KeyUsage,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        use CryptographicOperation::*;\n        match operation {\n            Decrypt | Encrypt if key_use == \u0026KeyUsage::Encryption =\u003e Ok(()),\n            Sign | Verify if key_use == \u0026KeyUsage::Signing =\u003e Ok(()),\n            _ =\u003e Err(StandardPolicyFail::OperationNotAllowed),\n        }\n    }\n}\n","traces":[{"line":52,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":1}},{"line":77,"address":[],"length":0,"stats":{"Line":1}},{"line":86,"address":[],"length":0,"stats":{"Line":1}},{"line":87,"address":[],"length":0,"stats":{"Line":1}},{"line":90,"address":[],"length":0,"stats":{"Line":0}},{"line":94,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":1}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":126,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":133,"address":[],"length":0,"stats":{"Line":1}},{"line":139,"address":[],"length":0,"stats":{"Line":1}},{"line":140,"address":[],"length":0,"stats":{"Line":0}},{"line":141,"address":[],"length":0,"stats":{"Line":3}},{"line":142,"address":[],"length":0,"stats":{"Line":0}}],"covered":8,"coverable":28},{"path":["/","home","stu","dev","rust","jose","src","jwk","policy.rs"],"content":"//! Validate jose data against some [`Policy`]\n\nmod standard;\nuse core::{\n    fmt::{Debug, Display},\n    ops::{Deref, DerefMut},\n};\n\nuse hashbrown::HashSet;\npub use standard::{StandardPolicy, StandardPolicyFail};\n\nuse crate::{\n    jwa::JsonWebAlgorithm,\n    jwk::{KeyOperation, KeyUsage},\n};\n\n/// A type `T` that was checked against a [`Policy`] `P`\n#[derive(Debug, Clone, Hash, PartialEq, Eq)]\npub struct Checked\u003cT, P\u003e {\n    /// The [`Policy`] this `T` was checked against\n    policy: P,\n    /// The data that were checked\n    data: T,\n}\n\nimpl\u003cT, P\u003e Deref for Checked\u003cT, P\u003e\nwhere\n    P: Policy,\n{\n    type Target = T;\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        \u0026self.data\n    }\n}\n\nimpl\u003cT, P\u003e DerefMut for Checked\u003cT, P\u003e\nwhere\n    P: Policy,\n{\n    fn deref_mut(\u0026mut self) -\u003e \u0026mut Self::Target {\n        \u0026mut self.data\n    }\n}\n\nimpl\u003cT, P\u003e Checked\u003cT, P\u003e {\n    /// Create a new [`Checked\u003cT, P\u003e`]\n    ///\n    /// **Warning**: This function can't perform any validation/checks and\n    /// therefore MUST only be used after sufficient validation is already done.\n    pub fn new(data: T, policy: P) -\u003e Self\n    where\n        P: Policy,\n    {\n        Self { policy, data }\n    }\n\n    /// Turns this `Checked` into it's underlying values. `T` is the type that\n    /// was checked and `P` the [`Policy`] used to check `T`\n    pub fn into_inner(self) -\u003e (T, P) {\n        (self.data, self.policy)\n    }\n\n    /// Turns this `Checked` into it's underlying checked type `T`\n    pub fn into_type(self) -\u003e T {\n        self.into_inner().0\n    }\n\n    /// Turns this `Checked` into it's underlying [`Policy`] `P` that was used\n    /// to check `T`\n    pub fn into_policy(self) -\u003e P {\n        self.into_inner().1\n    }\n\n    /// Returns the [`Policy`] that was used to validate `T`\n    pub fn policy(\u0026self) -\u003e \u0026P\n    where\n        P: Policy,\n    {\n        \u0026self.policy\n    }\n}\n\n/// A trait to enforce some rules in jose\npub trait Policy {\n    /// The error type returned when any check of this policy fails.\n    type Error: PolicyError;\n\n    /// Checks the `alg` header\n    ///\n    /// # Errors\n    ///\n    /// This should return an [`Err`] if the algorithm is not accepted (e.g.\n    /// because it is considered insecure)\n    fn algorithm(\u0026self, alg: \u0026JsonWebAlgorithm) -\u003e Result\u003c(), Self::Error\u003e;\n\n    /// Compares the `use` and `key_ops` parameters\n    ///\n    /// # Errors\n    ///\n    /// This should return an [`Err`] if key_use and key_ops are inconsistent\n    /// with each other\n    fn compare_key_ops_and_use(\n        \u0026self,\n        key_use: \u0026KeyUsage,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e;\n\n    /// Checks if a [`JsonWebKey`](crate::jwk::JsonWebKey) with the given\n    /// [`KeyOperation`]s is allowed to perform a certain\n    /// [`CryptographicOperation`]\n    ///\n    /// # Errors\n    ///\n    /// This should return an [`Err`] if the given\n    /// [`JsonWebKey`](crate::jwk::JsonWebKey) with this specific set of\n    /// [`KeyOperation`]s is not allowed to perform the\n    /// [`CryptographicOperation`] For example, this might be the case if\n    /// key_ops only contain [`KeyOperation::Encrypt`] but the\n    /// [`CryptographicOperation`] is [`Sign`](CryptographicOperation::Sign).\n    fn may_perform_operation_key_ops(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e;\n\n    /// Checks if a [`JsonWebKey`](crate::jwk::JsonWebKey) with the given\n    /// [`KeyUsage`] parameter is allowed to perform a certain\n    /// [`CryptographicOperation`]\n    ///\n    /// # Errors\n    ///\n    /// This should return an [`Err`] if the given\n    /// [`JsonWebKey`](crate::jwk::JsonWebKey) with this specific [`KeyUsage`]\n    /// is not allowed to perform the [`CryptographicOperation`]\n    fn may_perform_operation_key_use(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_use: \u0026KeyUsage,\n    ) -\u003e Result\u003c(), Self::Error\u003e;\n\n    /// Checks both [`KeyUsage`] and [`KeyOperation`] for the given\n    /// [`CryptographicOperation`]\n    ///\n    /// The default implementation just calls\n    /// [`may_perform_operation_key_ops`](Self::may_perform_operation_key_ops)\n    /// and [`may_perform_operation_key_use`](Self::may_perform_operation_key_use).\n    ///\n    /// # Errors\n    ///\n    /// This should return an [`Err`] if the [`KeyUsage`] and [`KeyOperation`]\n    /// do not allow for the [`CryptographicOperation`]\n    fn may_perform_operation(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_use: \u0026KeyUsage,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        self.may_perform_operation_key_ops(operation, key_ops)?;\n        self.may_perform_operation_key_use(operation, key_use)\n    }\n}\n\n/// An enum used to specify a cryptographic operation\n#[non_exhaustive]\n#[derive(Debug, PartialEq, Eq, Hash, Clone, Copy)]\npub enum CryptographicOperation {\n    /// Create a signature (used in JWS)\n    Sign,\n    /// Verify a signature (used in JWS)\n    Verify,\n    /// Encrypt something (used in JWE)\n    Encrypt,\n    /// Decrypt some ciphertext (used in JWE)\n    Decrypt,\n    // TODO: possibly add derive key and derive bits in case they are ever needed (maybe in JWE?)\n}\n\nimpl\u003cP: Policy\u003e Policy for \u0026P {\n    type Error = P::Error;\n\n    fn algorithm(\u0026self, alg: \u0026JsonWebAlgorithm) -\u003e Result\u003c(), Self::Error\u003e {\n        P::algorithm(self, alg)\n    }\n\n    fn compare_key_ops_and_use(\n        \u0026self,\n        key_use: \u0026KeyUsage,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        P::compare_key_ops_and_use(self, key_use, key_ops)\n    }\n\n    fn may_perform_operation_key_ops(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        P::may_perform_operation_key_ops(self, operation, key_ops)\n    }\n\n    fn may_perform_operation_key_use(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_use: \u0026KeyUsage,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        P::may_perform_operation_key_use(self, operation, key_use)\n    }\n}\n\n/// An error returned by the [`Policy`] trait\npub trait PolicyError {\n    /// A custom error message\n    fn custom\u003cT\u003e(msg: T) -\u003e Self\n    where\n        T: Display;\n}\n\n/// A type that can be checked against some [`Policy`]\npub trait Checkable: Sized {\n    /// Check [`self`] against a [`Policy`]\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if any check against the [`Policy`] failed\n    fn check\u003cP: Policy\u003e(self, policy: P) -\u003e Result\u003cChecked\u003cSelf, P\u003e, (Self, P::Error)\u003e;\n}\n\n/// This implementation allows the default JsonWebKey (and others types with\n/// additional members) to implement Checkable where there are no additional\n/// members (`T = ()`)\nimpl Checkable for () {\n    fn check\u003cP: Policy\u003e(self, policy: P) -\u003e Result\u003cChecked\u003cSelf, P\u003e, (Self, P::Error)\u003e {\n        Ok(Checked::new(self, policy))\n    }\n}\n","traces":[{"line":32,"address":[],"length":0,"stats":{"Line":0}},{"line":33,"address":[],"length":0,"stats":{"Line":0}},{"line":41,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":51,"address":[],"length":0,"stats":{"Line":2}},{"line":60,"address":[],"length":0,"stats":{"Line":1}},{"line":61,"address":[],"length":0,"stats":{"Line":1}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":153,"address":[],"length":0,"stats":{"Line":0}},{"line":159,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":0}},{"line":182,"address":[],"length":0,"stats":{"Line":0}},{"line":183,"address":[],"length":0,"stats":{"Line":0}},{"line":186,"address":[],"length":0,"stats":{"Line":0}},{"line":191,"address":[],"length":0,"stats":{"Line":0}},{"line":194,"address":[],"length":0,"stats":{"Line":0}},{"line":199,"address":[],"length":0,"stats":{"Line":0}},{"line":202,"address":[],"length":0,"stats":{"Line":0}},{"line":207,"address":[],"length":0,"stats":{"Line":0}},{"line":233,"address":[],"length":0,"stats":{"Line":0}},{"line":234,"address":[],"length":0,"stats":{"Line":0}}],"covered":3,"coverable":26},{"path":["/","home","stu","dev","rust","jose","src","jwk","private.rs"],"content":"use alloc::{boxed::Box, string::String};\n\nuse serde::{Deserialize, Serialize};\n\nuse super::Thumbprint;\nuse crate::crypto::{ec, okp, rsa};\n\n/// The `private` part of some asymmetric cryptographic key\n#[non_exhaustive]\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Hash)]\n#[serde(untagged)]\npub enum Private {\n    /// The private part of a Rsa key\n    Rsa(Box\u003crsa::PrivateKey\u003e),\n    /// The private part of an elliptic curve\n    Ec(EcPrivate),\n    /// The private part of an `OKP` key type, probably the private part of a\n    /// curve25519 or curve448 key\n    Okp(OkpPrivate),\n}\n\nimpl From\u003cPrivate\u003e for super::JsonWebKeyType {\n    fn from(x: Private) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(Box::new(super::AsymmetricJsonWebKey::Private(x)))\n    }\n}\n\nimpl crate::sealed::Sealed for Private {}\nimpl Thumbprint for Private {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            Private::Rsa(key) =\u003e key.thumbprint_prehashed(),\n            Private::Ec(key) =\u003e key.thumbprint_prehashed(),\n            Private::Okp(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\n/// The private part of some elliptic curve\n///\n/// Note: This does not include Curve25519 and Curve448. For these, see the\n/// `Okp` variant of the [`Private`](super::Private)\n/// enum.\n#[non_exhaustive]\n#[derive(Debug, Clone, Serialize, PartialEq, Eq, Hash)]\n#[serde(untagged)]\npub enum EcPrivate {\n    /// Private part of the P-256 curve\n    P256(ec::P256PrivateKey),\n    /// Private part of the P-384 curve\n    P384(ec::P384PrivateKey),\n    /// Private part of the P-521 curve\n    P521(ec::P521PrivateKey),\n    /// Private part of the secp256k1 curve\n    Secp256k1(ec::Secp256k1PrivateKey),\n}\n\nimpl crate::sealed::Sealed for EcPrivate {}\nimpl Thumbprint for EcPrivate {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            EcPrivate::P256(key) =\u003e key.thumbprint_prehashed(),\n            EcPrivate::P384(key) =\u003e key.thumbprint_prehashed(),\n            EcPrivate::P521(key) =\u003e key.thumbprint_prehashed(),\n            EcPrivate::Secp256k1(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl From\u003cEcPrivate\u003e for super::JsonWebKeyType {\n    fn from(x: EcPrivate) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(\n            super::AsymmetricJsonWebKey::Private(super::Private::Ec(x)),\n        ))\n    }\n}\n\nimpl_internally_tagged_deserialize!(EcPrivate, \"crv\", \"EcCurve\", [\n    \"P-256\" =\u003e P256,\n    \"P-384\" =\u003e P384,\n    \"P-521\" =\u003e P521,\n    \"secp256k1\" =\u003e Secp256k1,\n]);\n\n/// The private part of ED keys, whose type is `OKP`.\n#[non_exhaustive]\n#[derive(Debug, Clone, Serialize, PartialEq, Eq, Hash)]\n#[serde(untagged)]\npub enum OkpPrivate {\n    /// Private part of the Ed25519 curve\n    Ed25519(okp::Ed25519PrivateKey),\n\n    /// Private part of the Ed448 curve\n    Ed448(okp::Ed448PrivateKey),\n}\n\nimpl crate::sealed::Sealed for OkpPrivate {}\nimpl Thumbprint for OkpPrivate {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            OkpPrivate::Ed25519(key) =\u003e key.thumbprint_prehashed(),\n            OkpPrivate::Ed448(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl From\u003cOkpPrivate\u003e for super::JsonWebKeyType {\n    fn from(x: OkpPrivate) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(\n            super::AsymmetricJsonWebKey::Private(super::Private::Okp(x)),\n        ))\n    }\n}\n\nimpl_internally_tagged_deserialize!(OkpPrivate, \"crv\", \"OkpCurve\", [\n    \"Ed25519\" =\u003e Ed25519,\n    \"Ed448\" =\u003e Ed448,\n]);\n","traces":[{"line":23,"address":[],"length":0,"stats":{"Line":0}},{"line":24,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":25}},{"line":31,"address":[],"length":0,"stats":{"Line":25}},{"line":32,"address":[],"length":0,"stats":{"Line":6}},{"line":33,"address":[],"length":0,"stats":{"Line":13}},{"line":34,"address":[],"length":0,"stats":{"Line":6}},{"line":60,"address":[],"length":0,"stats":{"Line":13}},{"line":61,"address":[],"length":0,"stats":{"Line":13}},{"line":62,"address":[],"length":0,"stats":{"Line":4}},{"line":63,"address":[],"length":0,"stats":{"Line":3}},{"line":64,"address":[],"length":0,"stats":{"Line":3}},{"line":65,"address":[],"length":0,"stats":{"Line":3}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":6}},{"line":100,"address":[],"length":0,"stats":{"Line":6}},{"line":101,"address":[],"length":0,"stats":{"Line":3}},{"line":102,"address":[],"length":0,"stats":{"Line":3}},{"line":108,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}}],"covered":15,"coverable":23},{"path":["/","home","stu","dev","rust","jose","src","jwk","public.rs"],"content":"use alloc::string::String;\n\nuse serde::{Deserialize, Serialize};\n\nuse super::Thumbprint;\nuse crate::crypto::{ec, okp, rsa};\n\n/// The `public` part of some asymmetric cryptographic key\n#[non_exhaustive]\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Hash)]\n#[serde(untagged)]\npub enum Public {\n    /// The public part of a Rsa key\n    Rsa(rsa::PublicKey),\n    /// The public part of an elliptic curve\n    Ec(EcPublic),\n    /// The public part of an `OKP` key type, probably the public part of a\n    /// curve25519 or curve448 key\n    Okp(OkpPublic),\n}\n\nimpl crate::sealed::Sealed for Public {}\nimpl Thumbprint for Public {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            Public::Rsa(key) =\u003e key.thumbprint_prehashed(),\n            Public::Ec(key) =\u003e key.thumbprint_prehashed(),\n            Public::Okp(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\n/// The public part of some elliptic curve\n///\n/// Note: This does not include Curve25519 and Curve448. For these, see the\n/// `Okp` variant of the [`Public`](super::Public) enum.\n#[non_exhaustive]\n#[derive(Debug, Clone, Serialize, PartialEq, Eq, Hash)]\n#[serde(untagged)]\npub enum EcPublic {\n    /// Public part of the P-256 curve\n    P256(ec::P256PublicKey),\n\n    /// Public part of the P-384 curve\n    P384(ec::P384PublicKey),\n\n    /// Public part of the P-521 curve\n    P521(ec::P521PublicKey),\n\n    /// Public part of the secp256k1 curve\n    Secp256k1(ec::Secp256k1PublicKey),\n}\n\nimpl crate::sealed::Sealed for EcPublic {}\nimpl Thumbprint for EcPublic {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            EcPublic::P256(key) =\u003e key.thumbprint_prehashed(),\n            EcPublic::P384(key) =\u003e key.thumbprint_prehashed(),\n            EcPublic::P521(key) =\u003e key.thumbprint_prehashed(),\n            EcPublic::Secp256k1(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl From\u003cEcPublic\u003e for super::JsonWebKeyType {\n    fn from(x: EcPublic) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(\n            super::AsymmetricJsonWebKey::Public(super::Public::Ec(x)),\n        ))\n    }\n}\n\nimpl_internally_tagged_deserialize!(EcPublic, \"crv\", \"EcCurve\", [\n    \"P-256\" =\u003e P256,\n    \"P-384\" =\u003e P384,\n    \"P-521\" =\u003e P521,\n    \"secp256k1\" =\u003e Secp256k1,\n]);\n\n/// The public part of ED keys, whose type is `OKP`.\n#[non_exhaustive]\n#[derive(Debug, Clone, Serialize, PartialEq, Eq, Hash)]\n#[serde(untagged)]\npub enum OkpPublic {\n    /// Public part of the Ed25519 curve\n    Ed25519(okp::Ed25519PublicKey),\n\n    /// Public part of the Ed448 curve\n    Ed448(okp::Ed448PublicKey),\n}\n\nimpl crate::sealed::Sealed for OkpPublic {}\nimpl Thumbprint for OkpPublic {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            OkpPublic::Ed25519(key) =\u003e key.thumbprint_prehashed(),\n            OkpPublic::Ed448(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl From\u003cOkpPublic\u003e for super::JsonWebKeyType {\n    fn from(x: OkpPublic) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(\n            super::AsymmetricJsonWebKey::Public(super::Public::Okp(x)),\n        ))\n    }\n}\n\nimpl_internally_tagged_deserialize!(OkpPublic, \"crv\", \"OkpCurve\", [\n    \"Ed25519\" =\u003e Ed25519,\n    \"Ed448\" =\u003e Ed448,\n]);\n","traces":[{"line":24,"address":[],"length":0,"stats":{"Line":33}},{"line":25,"address":[],"length":0,"stats":{"Line":33}},{"line":26,"address":[],"length":0,"stats":{"Line":15}},{"line":27,"address":[],"length":0,"stats":{"Line":12}},{"line":28,"address":[],"length":0,"stats":{"Line":6}},{"line":56,"address":[],"length":0,"stats":{"Line":12}},{"line":57,"address":[],"length":0,"stats":{"Line":12}},{"line":58,"address":[],"length":0,"stats":{"Line":3}},{"line":59,"address":[],"length":0,"stats":{"Line":3}},{"line":60,"address":[],"length":0,"stats":{"Line":3}},{"line":61,"address":[],"length":0,"stats":{"Line":3}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":6}},{"line":96,"address":[],"length":0,"stats":{"Line":6}},{"line":97,"address":[],"length":0,"stats":{"Line":3}},{"line":98,"address":[],"length":0,"stats":{"Line":3}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}}],"covered":15,"coverable":21},{"path":["/","home","stu","dev","rust","jose","src","jwk","serde_impl.rs"],"content":"use alloc::{borrow::Cow, vec::Vec};\nuse core::ops::Deref;\n\nuse base64ct::{Base64, Base64UrlUnpadded, Encoding};\nuse hashbrown::HashSet;\nuse serde::{de::Error, Deserialize, Deserializer, Serialize, Serializer};\n\nuse super::KeyOperation;\n\n/// Helper function to ensure that a [`HashSet`] is created from a [`Vec`]\n/// without duplicates\npub fn deserialize_ensure_set\u003c'de, D\u003e(\n    deserializer: D,\n) -\u003e Result\u003cOption\u003cHashSet\u003cKeyOperation\u003e\u003e, D::Error\u003e\nwhere\n    D: Deserializer\u003c'de\u003e,\n{\n    match \u003cOption\u003cVec\u003cKeyOperation\u003e\u003e as Deserialize\u003e::deserialize(deserializer)? {\n        Some(val) =\u003e {\n            let mut set = HashSet::new();\n            for o in val {\n                // detect duplicates in `key_ops` parameter. according to the rfc,\n                // \u003e Duplicate key operation values MUST NOT be present in the array.\n                // means: this is a set\n                if !set.insert(o) {\n                    return Err(\u003cD::Error as Error\u003e::custom(\n                        \"found duplicate in `key_ops` parameter\",\n                    ));\n                }\n            }\n            Ok(Some(set))\n        }\n        None =\u003e Ok(None),\n    }\n}\n\n/// serialize a generic array to base64 urlsafe nopad\npub fn serialize_ga\u003cconst N: usize, S\u003e(\n    // \u0026Option needed because serde passes an \u0026Option\u003cT\u003e instead of Option\u003c\u0026T\u003e\n    v: \u0026Option\u003c[u8; N]\u003e,\n    serializer: S,\n) -\u003e Result\u003cS::Ok, S::Error\u003e\nwhere\n    S: Serializer,\n{\n    let v = v.as_ref();\n    v.map(|v| Base64UrlUnpadded::encode_string(v))\n        .serialize(serializer)\n}\n\n/// deserialize a generic array from base64 urlsafe nopad\npub fn deserialize_ga\u003c'de, D, const N: usize\u003e(deserializer: D) -\u003e Result\u003cOption\u003c[u8; N]\u003e, D::Error\u003e\nwhere\n    D: Deserializer\u003c'de\u003e,\n{\n    Ok(match Option::\u003cCow\u003c'_, str\u003e\u003e::deserialize(deserializer)? {\n        Some(val) =\u003e {\n            let mut buf = [0u8; N];\n            Base64UrlUnpadded::decode(\u0026*val, \u0026mut buf).map_err(\u003cD::Error as Error\u003e::custom)?;\n            Some(buf)\n        }\n        None =\u003e None,\n    })\n}\n\npub fn serialize_ga_sha1\u003cS\u003e(v: \u0026Option\u003c[u8; 20]\u003e, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\nwhere\n    S: Serializer,\n{\n    serialize_ga::\u003c20, _\u003e(v, serializer)\n}\n\npub fn serialize_ga_sha256\u003cS\u003e(v: \u0026Option\u003c[u8; 32]\u003e, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\nwhere\n    S: Serializer,\n{\n    serialize_ga::\u003c32, _\u003e(v, serializer)\n}\n\npub fn deserialize_ga_sha1\u003c'de, D\u003e(deserializer: D) -\u003e Result\u003cOption\u003c[u8; 20]\u003e, D::Error\u003e\nwhere\n    D: Deserializer\u003c'de\u003e,\n{\n    deserialize_ga::\u003c_, 20\u003e(deserializer)\n}\n\npub fn deserialize_ga_sha256\u003c'de, D\u003e(deserializer: D) -\u003e Result\u003cOption\u003c[u8; 32]\u003e, D::Error\u003e\nwhere\n    D: Deserializer\u003c'de\u003e,\n{\n    deserialize_ga::\u003c_, 32\u003e(deserializer)\n}\n\n#[derive(Debug, Hash, PartialEq, Eq, Clone)]\npub(crate) struct Base64DerCertificate(pub Vec\u003cu8\u003e);\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for Base64DerCertificate {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        let val = \u003calloc::borrow::Cow\u003c'_, str\u003e\u003e::deserialize(deserializer)?;\n        Ok(Self(\n            Base64::decode_vec(\u0026val).map_err(\u003cD::Error as Error\u003e::custom)?,\n        ))\n    }\n}\n\nimpl Deref for Base64DerCertificate {\n    type Target = [u8];\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        self.0.deref()\n    }\n}\n\nimpl Serialize for Base64DerCertificate {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: Serializer,\n    {\n        Base64::encode_string(\u0026self.0).serialize(serializer)\n    }\n}\n","traces":[{"line":12,"address":[],"length":0,"stats":{"Line":9}},{"line":18,"address":[],"length":0,"stats":{"Line":9}},{"line":19,"address":[],"length":0,"stats":{"Line":9}},{"line":20,"address":[],"length":0,"stats":{"Line":9}},{"line":21,"address":[],"length":0,"stats":{"Line":40}},{"line":25,"address":[],"length":0,"stats":{"Line":16}},{"line":26,"address":[],"length":0,"stats":{"Line":1}},{"line":27,"address":[],"length":0,"stats":{"Line":1}},{"line":31,"address":[],"length":0,"stats":{"Line":8}},{"line":33,"address":[],"length":0,"stats":{"Line":0}},{"line":38,"address":[],"length":0,"stats":{"Line":12}},{"line":46,"address":[],"length":0,"stats":{"Line":12}},{"line":47,"address":[],"length":0,"stats":{"Line":24}},{"line":48,"address":[],"length":0,"stats":{"Line":12}},{"line":52,"address":[],"length":0,"stats":{"Line":12}},{"line":56,"address":[],"length":0,"stats":{"Line":12}},{"line":57,"address":[],"length":0,"stats":{"Line":12}},{"line":58,"address":[],"length":0,"stats":{"Line":12}},{"line":59,"address":[],"length":0,"stats":{"Line":12}},{"line":60,"address":[],"length":0,"stats":{"Line":12}},{"line":62,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":6}},{"line":70,"address":[],"length":0,"stats":{"Line":6}},{"line":73,"address":[],"length":0,"stats":{"Line":6}},{"line":77,"address":[],"length":0,"stats":{"Line":6}},{"line":80,"address":[],"length":0,"stats":{"Line":6}},{"line":84,"address":[],"length":0,"stats":{"Line":6}},{"line":87,"address":[],"length":0,"stats":{"Line":6}},{"line":91,"address":[],"length":0,"stats":{"Line":6}},{"line":98,"address":[],"length":0,"stats":{"Line":6}},{"line":102,"address":[],"length":0,"stats":{"Line":12}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":113,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":6}},{"line":122,"address":[],"length":0,"stats":{"Line":6}}],"covered":31,"coverable":37},{"path":["/","home","stu","dev","rust","jose","src","jwk","signer.rs"],"content":"use alloc::{borrow::ToOwned, string::String, vec::Vec};\n\nuse super::{\n    private::EcPrivate, symmetric::FromOctetSequenceError, AsymmetricJsonWebKey, FromKey,\n    JsonWebKeyType, OkpPrivate, Private, SymmetricJsonWebKey,\n};\nuse crate::{\n    crypto::{ec, hmac, okp, rsa},\n    jwa::{EcDSA, Hmac, JsonWebAlgorithm, JsonWebSigningAlgorithm},\n    jwk::policy::{Checked, CryptographicOperation, Policy},\n    jws::{IntoSigner, InvalidSigningAlgorithmError, Signer},\n    JsonWebKey,\n};\n\n/// An abstract [`Signer`] over all possible [key types](JsonWebKeyType)\n// FIXME: make PR to dependencies to we can derive C-COMMON-TRAITS\n#[derive(Debug)]\npub struct JwkSigner {\n    inner: InnerSigner,\n    key_id: Option\u003cString\u003e,\n}\n\nimpl JwkSigner {\n    /// Create a [`JwkSigner`] from a [`JsonWebKeyType`] used with the provided\n    /// [`JsonWebAlgorithm`]\n    ///\n    /// # Errors\n    ///\n    /// This function returns an error if the provided [`JsonWebAlgorithm`] and\n    /// the actual [`JsonWebKeyType`] don't match. For example, you'll get an\n    /// error if you try to to use this function with a [symmetric\n    /// key](JsonWebKeyType::Symmetric) and an asymmetric key algorithm.\n    ///\n    /// E.g., this won't work:\n    ///     \n    /// ```\n    /// use jose::{\n    ///     jwa::{Hmac, JsonWebSigningAlgorithm},\n    ///     jwk::{FromJwkError, JsonWebKeyType, JwkSigner},\n    /// };\n    /// # fn main() -\u003e Result\u003c(), Box\u003cdyn std::error::Error\u003e\u003e {\n    /// let key: JsonWebKeyType = serde_json::from_str(\n    ///     r#\"\n    /// {\n    ///   \"kty\": \"EC\",\n    ///   \"kid\": \"6j1ImYAlN6DnVupozzN13UKnLR7BfEvngNmVl5bLlI0\",\n    ///   \"crv\": \"P-256\",\n    ///   \"x\": \"-HGJKqKLCoB6z4zlNKef927CODDulLcHdxNi2iUTi5g\",\n    ///   \"y\": \"GaVhYaBvIgSAaNLjXjVqOvtCGH56x5s4DnWMy9TXbTU\",\n    ///   \"d\": \"C6AV5ZvCGQevYYMJT15frXWuKaqEDthnSMtuJKEKykI\"\n    /// }\"#,\n    /// )?;\n    ///\n    /// // returns an error since a P-256 key cannot be used with Hmac\n    /// assert!(matches!(\n    ///     JwkSigner::new(key, JsonWebSigningAlgorithm::Hmac(Hmac::Hs256)),\n    ///     Err(FromJwkError::InvalidAlgorithm)\n    /// ));\n    /// # Ok(())\n    /// # }\n    /// ```\n    pub fn new(key: JsonWebKeyType, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cSelf, FromJwkError\u003e {\n        Ok(Self {\n            key_id: None,\n            inner: match key {\n                JsonWebKeyType::Asymmetric(key) =\u003e match *key {\n                    AsymmetricJsonWebKey::Public(_) =\u003e Err(FromJwkError::NoPrivateKey)?,\n                    AsymmetricJsonWebKey::Private(key) =\u003e match key {\n                        Private::Ec(key) =\u003e match key {\n                            EcPrivate::P256(key) =\u003e InnerSigner::Es256(key.into_signer(alg)?),\n                            EcPrivate::P384(key) =\u003e InnerSigner::Es384(key.into_signer(alg)?),\n                            EcPrivate::P521(key) =\u003e InnerSigner::Es512(key.into_signer(alg)?),\n                            EcPrivate::Secp256k1(key) =\u003e {\n                                InnerSigner::Secp256k1(key.into_signer(alg)?)\n                            }\n                        },\n                        Private::Rsa(key) =\u003e InnerSigner::Rsa((*key).into_signer(alg)?),\n                        Private::Okp(key) =\u003e match key {\n                            OkpPrivate::Ed25519(key) =\u003e InnerSigner::Ed25519(key.into_signer(alg)?),\n                            OkpPrivate::Ed448(key) =\u003e InnerSigner::Ed448(key.into_signer(alg)?),\n                        },\n                    },\n                },\n                JsonWebKeyType::Symmetric(key) =\u003e match key {\n                    SymmetricJsonWebKey::OctetSequence(ref key) =\u003e match alg {\n                        JsonWebSigningAlgorithm::Hmac(hs) =\u003e match hs {\n                            Hmac::Hs256 =\u003e InnerSigner::Hs256(key.into_signer(alg)?),\n                            Hmac::Hs384 =\u003e InnerSigner::Hs384(key.into_signer(alg)?),\n                            Hmac::Hs512 =\u003e InnerSigner::Hs512(key.into_signer(alg)?),\n                        },\n                        _ =\u003e Err(InvalidSigningAlgorithmError)?,\n                    },\n                },\n            },\n        })\n    }\n\n    /// Sets the key id for this [`Signer`].\n    ///\n    /// If this method is used, the [`kid`] header of the signed JWS will be set\n    /// to the given key id.\n    ///\n    /// [`kid`]: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4\n    pub fn with_key_id(mut self, key_id: String) -\u003e Self {\n        self.key_id = Some(key_id);\n        self\n    }\n\n    /// Sets the key id of this signer to `None`.\n    ///\n    /// Calling this method will result to omitting the [`kid`] header in the\n    /// signed JWS header.\n    ///\n    /// [`kid`]: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4\n    pub fn without_key_id(mut self) -\u003e Self {\n        self.key_id = None;\n        self\n    }\n}\n\nimpl Signer\u003cVec\u003cu8\u003e\u003e for JwkSigner {\n    fn sign(\u0026mut self, x: \u0026[u8]) -\u003e Result\u003cVec\u003cu8\u003e, crate::crypto::Error\u003e {\n        match \u0026mut self.inner {\n            InnerSigner::Rsa(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Hs256(s) =\u003e s.sign(x).map(|x| x.as_ref().to_vec()),\n            InnerSigner::Hs384(s) =\u003e s.sign(x).map(|x| x.as_ref().to_vec()),\n            InnerSigner::Hs512(s) =\u003e s.sign(x).map(|x| x.as_ref().to_vec()),\n            InnerSigner::Es256(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Es384(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Es512(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Secp256k1(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Ed448(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Ed25519(s) =\u003e s.sign(x).map(|x| x.into()),\n        }\n    }\n\n    fn algorithm(\u0026self) -\u003e JsonWebSigningAlgorithm {\n        match self.inner {\n            InnerSigner::Hs256(_) =\u003e JsonWebSigningAlgorithm::Hmac(Hmac::Hs256),\n            InnerSigner::Hs384(_) =\u003e JsonWebSigningAlgorithm::Hmac(Hmac::Hs384),\n            InnerSigner::Hs512(_) =\u003e JsonWebSigningAlgorithm::Hmac(Hmac::Hs512),\n            InnerSigner::Es256(_) =\u003e JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256),\n            InnerSigner::Es384(_) =\u003e JsonWebSigningAlgorithm::EcDSA(EcDSA::Es384),\n            InnerSigner::Es512(_) =\u003e JsonWebSigningAlgorithm::EcDSA(EcDSA::Es512),\n            InnerSigner::Secp256k1(_) =\u003e JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256K),\n            InnerSigner::Rsa(ref rsa) =\u003e rsa.algorithm(),\n            InnerSigner::Ed25519(_) | InnerSigner::Ed448(_) =\u003e JsonWebSigningAlgorithm::EdDSA,\n        }\n    }\n\n    fn key_id(\u0026self) -\u003e Option\u003c\u0026str\u003e {\n        self.key_id.as_deref()\n    }\n}\n\nimpl\u003cT, P\u003e TryFrom\u003cChecked\u003cJsonWebKey\u003cT\u003e, P\u003e\u003e for JwkSigner\nwhere\n    P: Policy,\n{\n    type Error = FromJwkError;\n\n    /// Create a [`JwkSigner`] from a [`JsonWebKey`]\n    ///\n    /// # Errors\n    ///\n    /// This conversion fails if [`JsonWebKey::algorithm`] is [`None`]\n    fn try_from(jwk: Checked\u003cJsonWebKey\u003cT\u003e, P\u003e) -\u003e Result\u003cSelf, Self::Error\u003e {\n        let alg = jwk\n            .algorithm()\n            .ok_or(FromJwkError::InvalidAlgorithm)?\n            .to_owned();\n        let kid = jwk.kid.clone();\n        let mut signer = JwkSigner::from_key(jwk, alg)?;\n        signer.key_id = kid;\n        Ok(signer)\n    }\n}\n\nimpl\u003cT, P\u003e FromKey\u003cChecked\u003cJsonWebKey\u003cT\u003e, P\u003e\u003e for JwkSigner\nwhere\n    P: Policy,\n{\n    type Error = FromJwkError;\n\n    /// Create a [`JwkSigner`] from a [`JsonWebKey`] overwriting\n    /// [`JsonWebKey::algorithm`] with `alg`.\n    fn from_key(\n        jwk: Checked\u003cJsonWebKey\u003cT\u003e, P\u003e,\n        alg: JsonWebAlgorithm,\n    ) -\u003e Result\u003cSelf, Self::Error\u003e {\n        if let Some(usage) = jwk.key_usage() {\n            jwk.policy()\n                .may_perform_operation_key_use(CryptographicOperation::Sign, usage)\n                .map_err(|_| FromJwkError::OperationNotAllowed)?\n        }\n\n        if let Some(ops) = jwk.key_operations() {\n            jwk.policy()\n                .may_perform_operation_key_ops(CryptographicOperation::Sign, ops)\n                .map_err(|_| FromJwkError::OperationNotAllowed)?\n        }\n\n        match alg {\n            JsonWebAlgorithm::Encryption(..) | JsonWebAlgorithm::Other(..) =\u003e {\n                Err(InvalidSigningAlgorithmError.into())\n            }\n            JsonWebAlgorithm::Signing(alg) =\u003e Self::new(jwk.into_type().key_type, alg),\n        }\n    }\n}\n\n/// An error returned when creating a [`JwkSigner`] from a [`JsonWebKeyType`]\n/// (or indirectly via [`JsonWebKey`])\n#[derive(Debug, thiserror::Error)]\n#[non_exhaustive]\npub enum FromJwkError {\n    /// A [`JsonWebKey`] has either the `use` or `key_ops` parameter set and one\n    /// of these parameters indicates that this key MAY NOT be used for signing\n    /// or verifying\n    #[error(\"key not allowed for signing\")]\n    OperationNotAllowed,\n    /// The algorithm can't be used with the provided [`JsonWebKeyType`]\n    #[error(\"this algorithm can't be used together with this JsonWebKey\")]\n    InvalidAlgorithm,\n    /// The provided [`JsonWebKeyType`] did not contain a [private\n    /// key](super::Private) which is needed by [`JwkSigner`] to create\n    /// signatures.\n    #[error(\"found variant which has no private key\")]\n    NoPrivateKey,\n    /// See the documentation of [`FromOctetSequenceError`] for details.\n    ///\n    /// Usually, [`FromOctetSequenceError::InvalidLength`] shouldn't be returend\n    /// since the key already exists at this point.\n    #[error(transparent)]\n    OctetSequence(#[from] FromOctetSequenceError),\n}\n\nimpl From\u003cInvalidSigningAlgorithmError\u003e for FromJwkError {\n    fn from(_: InvalidSigningAlgorithmError) -\u003e Self {\n        Self::InvalidAlgorithm\n    }\n}\n\n/// Abstract type with a variant for each [`Signer`]\n#[derive(Debug)]\nenum InnerSigner {\n    // symmetric algorithms\n    Hs256(hmac::Key\u003chmac::Hs256\u003e),\n    Hs384(hmac::Key\u003chmac::Hs384\u003e),\n    Hs512(hmac::Key\u003chmac::Hs512\u003e),\n    // asymmetric algorithms\n    Rsa(rsa::Signer),\n\n    Es256(ec::P256Signer),\n    Es384(ec::P384Signer),\n    Es512(ec::P521Signer),\n    Secp256k1(ec::Secp256k1Signer),\n\n    Ed25519(okp::Ed25519Signer),\n    Ed448(okp::Ed448Signer),\n}\n","traces":[{"line":62,"address":[],"length":0,"stats":{"Line":0}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":0}},{"line":79,"address":[],"length":0,"stats":{"Line":0}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":0}},{"line":86,"address":[],"length":0,"stats":{"Line":0}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":126,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":130,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":133,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":138,"address":[],"length":0,"stats":{"Line":0}},{"line":139,"address":[],"length":0,"stats":{"Line":0}},{"line":140,"address":[],"length":0,"stats":{"Line":0}},{"line":141,"address":[],"length":0,"stats":{"Line":0}},{"line":142,"address":[],"length":0,"stats":{"Line":0}},{"line":143,"address":[],"length":0,"stats":{"Line":0}},{"line":144,"address":[],"length":0,"stats":{"Line":0}},{"line":145,"address":[],"length":0,"stats":{"Line":0}},{"line":146,"address":[],"length":0,"stats":{"Line":0}},{"line":147,"address":[],"length":0,"stats":{"Line":0}},{"line":151,"address":[],"length":0,"stats":{"Line":0}},{"line":152,"address":[],"length":0,"stats":{"Line":0}},{"line":167,"address":[],"length":0,"stats":{"Line":0}},{"line":168,"address":[],"length":0,"stats":{"Line":0}},{"line":170,"address":[],"length":0,"stats":{"Line":0}},{"line":172,"address":[],"length":0,"stats":{"Line":0}},{"line":173,"address":[],"length":0,"stats":{"Line":0}},{"line":174,"address":[],"length":0,"stats":{"Line":0}},{"line":175,"address":[],"length":0,"stats":{"Line":0}},{"line":187,"address":[],"length":0,"stats":{"Line":0}},{"line":191,"address":[],"length":0,"stats":{"Line":0}},{"line":192,"address":[],"length":0,"stats":{"Line":0}},{"line":193,"address":[],"length":0,"stats":{"Line":0}},{"line":194,"address":[],"length":0,"stats":{"Line":0}},{"line":197,"address":[],"length":0,"stats":{"Line":0}},{"line":198,"address":[],"length":0,"stats":{"Line":0}},{"line":199,"address":[],"length":0,"stats":{"Line":0}},{"line":200,"address":[],"length":0,"stats":{"Line":0}},{"line":203,"address":[],"length":0,"stats":{"Line":0}},{"line":204,"address":[],"length":0,"stats":{"Line":0}},{"line":205,"address":[],"length":0,"stats":{"Line":0}},{"line":207,"address":[],"length":0,"stats":{"Line":0}},{"line":239,"address":[],"length":0,"stats":{"Line":0}},{"line":240,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":77},{"path":["/","home","stu","dev","rust","jose","src","jwk","symmetric.rs"],"content":"//! Symmetric cryptography for JWS and JWE\n\nuse alloc::string::String;\n\nuse secrecy::{ExposeSecret, SecretBox};\nuse serde::{de::Error, Deserialize, Deserializer, Serialize};\nuse subtle::ConstantTimeEq;\nuse zeroize::Zeroize;\n\nuse super::thumbprint::{self, Thumbprint};\nuse crate::{base64_url::Base64UrlBytes, jws::InvalidSigningAlgorithmError};\n\n/// Symmetric Keys\n///\n/// Symmetric keys only have a secret value, therefore, they MUST only be used\n/// in a protected environment.\n/// For example, with a symmetric key, checking the validity of a\n/// [`JsonWebSignature`](crate::JsonWebSignature) cannot be done on the client\n/// side, because it leaks the key and the client can then create own\n/// signatures.\n///\n/// See \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-6.4\u003e\n#[non_exhaustive]\n#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize, Hash)]\n#[serde(untagged)]\npub enum SymmetricJsonWebKey {\n    /// `oct` \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-6.4\u003e\n    OctetSequence(OctetSequence),\n}\n\nimpl crate::sealed::Sealed for SymmetricJsonWebKey {}\nimpl Thumbprint for SymmetricJsonWebKey {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            SymmetricJsonWebKey::OctetSequence(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\n/// [`OctetSequence`] is the simplest and only available\n/// [`SymmetricJsonWebKey`].\n///\n/// However, because its length is not defined, it cannot be generated directly.\n/// Instead, you should use [`HmacKey\u003cH\u003e`](crate::crypto::hmac::Key)\n/// with the appropriate key size, for example\n/// [`Hs512`](crate::crypto::hmac::Hs512) and then, if needed, convert\n/// it to a [`JsonWebKey`](crate::JsonWebKey) using\n/// [`IntoJsonWebKey`](crate::jwk::IntoJsonWebKey).\n///\n/// \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-6.4.1\u003e\n#[derive(Debug, Clone, Zeroize)]\npub struct OctetSequence(SecretBox\u003c[u8]\u003e);\n\nimpl OctetSequence {\n    pub(crate) fn new(x: SecretBox\u003c[u8]\u003e) -\u003e Self {\n        Self(x)\n    }\n\n    /// Returns the bytes of this octet sequence.\n    pub(crate) fn bytes(\u0026self) -\u003e \u0026SecretBox\u003c[u8]\u003e {\n        \u0026self.0\n    }\n\n    /// Returns the bytes of this octet sequence.\n    pub(crate) fn into_bytes(self) -\u003e SecretBox\u003c[u8]\u003e {\n        self.0\n    }\n\n    /// Returns the number of bytes that are in this octet sequence.\n    #[inline]\n    pub fn len(\u0026self) -\u003e usize {\n        self.0.expose_secret().len()\n    }\n\n    /// Returns `true` if this octet sequence has a length of zero.\n    #[inline]\n    pub fn is_empty(\u0026self) -\u003e bool {\n        self.len() == 0\n    }\n}\n\nimpl PartialEq for OctetSequence {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        bool::from(self.0.expose_secret().ct_eq(other.0.expose_secret()))\n    }\n}\nimpl Eq for OctetSequence {}\n\nimpl crate::sealed::Sealed for OctetSequence {}\nimpl Thumbprint for OctetSequence {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        thumbprint::serialize_key_thumbprint(self)\n    }\n}\n\nimpl From\u003cSymmetricJsonWebKey\u003e for super::JsonWebKeyType {\n    fn from(x: SymmetricJsonWebKey) -\u003e Self {\n        super::JsonWebKeyType::Symmetric(x)\n    }\n}\n\nimpl From\u003cOctetSequence\u003e for super::JsonWebKeyType {\n    fn from(x: OctetSequence) -\u003e Self {\n        super::JsonWebKeyType::Symmetric(SymmetricJsonWebKey::OctetSequence(x))\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for OctetSequence {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        #[derive(Deserialize)]\n        struct Repr {\n            kty: String,\n            k: Base64UrlBytes,\n        }\n\n        let repr = Repr::deserialize(deserializer)?;\n        if repr.kty != \"oct\" {\n            return Err(D::Error::custom(\"`kty` field is required to be `oct`\"));\n        }\n        Ok(Self(SecretBox::new(repr.k.0.into_boxed_slice())))\n    }\n}\n\nimpl Serialize for OctetSequence {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        #[derive(Serialize)]\n        struct Repr\u003c'a\u003e {\n            kty: \u0026'static str,\n            k: \u0026'a Base64UrlBytes,\n        }\n        Repr {\n            kty: \"oct\",\n            k: \u0026Base64UrlBytes(self.0.expose_secret().to_vec()),\n        }\n        .serialize(serializer)\n    }\n}\n\n/// An error that can occur when creating an\n/// [`HmacKey`](crate::crypto::hmac::Key) from an [`OctetSequence`].\n#[derive(Debug, thiserror::Error)]\npub enum FromOctetSequenceError {\n    /// An invalid signing algorithm was used\n    #[error(transparent)]\n    InvalidSigningAlgorithm(#[from] InvalidSigningAlgorithmError),\n\n    /// A key from which a signer should've been created had an invalid length\n    #[error(\"the length of the is invalid\")]\n    InvalidLength,\n\n    /// Crypto backend threw an unknown error.\n    #[error(\"the crypto backend failed\")]\n    Crypto(\n        #[from]\n        #[source]\n        crate::crypto::Error,\n    ),\n}\n","traces":[{"line":33,"address":[],"length":0,"stats":{"Line":6}},{"line":34,"address":[],"length":0,"stats":{"Line":6}},{"line":35,"address":[],"length":0,"stats":{"Line":6}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":1}},{"line":72,"address":[],"length":0,"stats":{"Line":1}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":3}},{"line":84,"address":[],"length":0,"stats":{"Line":3}},{"line":91,"address":[],"length":0,"stats":{"Line":6}},{"line":92,"address":[],"length":0,"stats":{"Line":6}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":65}},{"line":119,"address":[],"length":0,"stats":{"Line":130}},{"line":120,"address":[],"length":0,"stats":{"Line":0}},{"line":121,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":6}},{"line":128,"address":[],"length":0,"stats":{"Line":10}},{"line":139,"address":[],"length":0,"stats":{"Line":10}},{"line":141,"address":[],"length":0,"stats":{"Line":10}}],"covered":15,"coverable":29},{"path":["/","home","stu","dev","rust","jose","src","jwk","thumbprint.rs"],"content":"use alloc::{collections::BTreeMap, string::String};\n\nuse serde::Serialize;\n\nuse crate::sealed::Sealed;\n\n/// This trait is implemented by all key types, and can be used\n/// to compute the thumbprint of any private, public or symmetric key.\n///\n/// If you want to use custom hashing functions, call the\n/// [`Self::thumbprint_prehashed`] method and hash the result yourself.\npub trait Thumbprint: Sealed {\n    /// Compute the thumbprint JSON string of this key.\n    ///\n    /// This method does not perform any hashing, it only returns\n    /// the constructed JSON string, so that it can be hashed\n    /// with some custom hashing algorithm that is not supported\n    /// natively by this crate.\n    ///\n    /// For common hashing methods have a look at these methods:\n    ///\n    /// - SHA256 - [`thumbprint_sha256`](Self::thumbprint_sha256)\n    /// - SHA384 - [`thumbprint_sha384`](Self::thumbprint_sha384)\n    /// - SHA512 - [`thumbprint_sha512`](Self::thumbprint_sha512)\n    ///\n    /// # Errors\n    ///\n    /// This method can fail if the underlying key fails to be serialized.\n    fn thumbprint_prehashed(\u0026self) -\u003e String;\n\n    /// Computes the SHA256-hashed thumbprint of this key.\n    ///\n    /// # Errors\n    ///\n    /// This method can fail if the underlying key fails to be serialized.\n    fn thumbprint_sha256(\u0026self) -\u003e [u8; 32] {\n        let msg = self.thumbprint_prehashed();\n        crate::crypto::sha256(msg.as_bytes())\n    }\n\n    /// Computes the SHA384-hashed thumbprint of this key.\n    ///\n    /// # Errors\n    ///\n    /// This method can fail if the underlying key fails to be serialized.\n    fn thumbprint_sha384(\u0026self) -\u003e [u8; 48] {\n        let msg = self.thumbprint_prehashed();\n        crate::crypto::sha384(msg.as_bytes())\n    }\n\n    /// Computes the SHA512-hashed thumbprint of this key.\n    ///\n    /// # Errors\n    ///\n    /// This method can fail if the underlying key fails to be serialized.\n    fn thumbprint_sha512(\u0026self) -\u003e [u8; 64] {\n        let msg = self.thumbprint_prehashed();\n        crate::crypto::sha512(msg.as_bytes())\n    }\n}\n\npub(crate) fn serialize_key_thumbprint\u003cT: Serialize\u003e(key: \u0026T) -\u003e String {\n    let obj = serde_json::to_value(key).expect(\"serialization of OctetSequence can not fail\");\n\n    let map = match obj {\n        serde_json::Value::Object(map) =\u003e BTreeMap::from_iter(map),\n        _ =\u003e unreachable!(\"all keytypes must serialize to structs\"),\n    };\n\n    serde_json::to_string(\u0026map).expect(\"BTreeMap serialization can not fail\")\n}\n","traces":[{"line":36,"address":[],"length":0,"stats":{"Line":33}},{"line":37,"address":[],"length":0,"stats":{"Line":33}},{"line":38,"address":[],"length":0,"stats":{"Line":33}},{"line":46,"address":[],"length":0,"stats":{"Line":21}},{"line":47,"address":[],"length":0,"stats":{"Line":21}},{"line":48,"address":[],"length":0,"stats":{"Line":21}},{"line":56,"address":[],"length":0,"stats":{"Line":21}},{"line":57,"address":[],"length":0,"stats":{"Line":21}},{"line":58,"address":[],"length":0,"stats":{"Line":21}},{"line":62,"address":[],"length":0,"stats":{"Line":78}},{"line":63,"address":[],"length":0,"stats":{"Line":78}},{"line":65,"address":[],"length":0,"stats":{"Line":156}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":70,"address":[],"length":0,"stats":{"Line":0}}],"covered":12,"coverable":14},{"path":["/","home","stu","dev","rust","jose","src","jwk","verifier.rs"],"content":"use alloc::borrow::ToOwned;\n\nuse super::{\n    private::EcPrivate, public::EcPublic, AsymmetricJsonWebKey, FromJwkError, FromKey, OkpPrivate,\n    OkpPublic, Private, Public, SymmetricJsonWebKey,\n};\nuse crate::{\n    crypto::{ec, hmac, okp, rsa},\n    jwa::{Hmac, JsonWebAlgorithm, JsonWebSigningAlgorithm},\n    jwk::{\n        policy::{Checked, CryptographicOperation, Policy},\n        JsonWebKeyType,\n    },\n    jws::{IntoVerifier, InvalidSigningAlgorithmError, Verifier, VerifyError},\n    JsonWebKey,\n};\n#[derive(Debug)]\n/// An abstract [`Verifier`] over all possible [key types](JsonWebKeyType)\npub struct JwkVerifier {\n    inner: InnerVerifier,\n}\n\nimpl JwkVerifier {\n    /// Create a [`JwkVerifier`] from a [`JsonWebKeyType`] used with the\n    /// provided [`JsonWebAlgorithm`].\n    ///\n    /// # Errors\n    ///\n    /// This function returns an error if the provided [`JsonWebAlgorithm`] and\n    /// the actual [`JsonWebKeyType`] don't match. Since this type is the\n    /// counterpart to [`JwkSigner`](super::JwkSigner) it behaves almost\n    /// identical. See it's error documentation for details.\n    pub fn new(key: JsonWebKeyType, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cSelf, FromJwkError\u003e {\n        Ok(Self {\n            inner: match key {\n                JsonWebKeyType::Asymmetric(key) =\u003e match *key {\n                    AsymmetricJsonWebKey::Public(key) =\u003e match key {\n                        Public::Ec(key) =\u003e match key {\n                            EcPublic::P256(key) =\u003e InnerVerifier::Es256(key.into_verifier(alg)?),\n                            EcPublic::P384(key) =\u003e InnerVerifier::Es384(key.into_verifier(alg)?),\n                            EcPublic::P521(key) =\u003e InnerVerifier::Es512(key.into_verifier(alg)?),\n                            EcPublic::Secp256k1(key) =\u003e {\n                                InnerVerifier::Secp256k1(key.into_verifier(alg)?)\n                            }\n                        },\n                        Public::Rsa(key) =\u003e InnerVerifier::Rsa(key.into_verifier(alg)?),\n                        Public::Okp(key) =\u003e match key {\n                            OkpPublic::Ed25519(key) =\u003e {\n                                InnerVerifier::Ed25519(key.into_verifier(alg)?)\n                            }\n                            OkpPublic::Ed448(key) =\u003e InnerVerifier::Ed448(key.into_verifier(alg)?),\n                        },\n                    },\n                    AsymmetricJsonWebKey::Private(key) =\u003e match key {\n                        Private::Ec(key) =\u003e match key {\n                            EcPrivate::P256(key) =\u003e InnerVerifier::Es256(key.into_verifier(alg)?),\n                            EcPrivate::P384(key) =\u003e InnerVerifier::Es384(key.into_verifier(alg)?),\n                            EcPrivate::P521(key) =\u003e InnerVerifier::Es512(key.into_verifier(alg)?),\n                            EcPrivate::Secp256k1(key) =\u003e {\n                                InnerVerifier::Secp256k1(key.into_verifier(alg)?)\n                            }\n                        },\n                        Private::Rsa(key) =\u003e InnerVerifier::Rsa((*key).into_verifier(alg)?),\n                        Private::Okp(key) =\u003e match key {\n                            OkpPrivate::Ed25519(key) =\u003e {\n                                InnerVerifier::Ed25519(key.into_verifier(alg)?)\n                            }\n                            OkpPrivate::Ed448(key) =\u003e InnerVerifier::Ed448(key.into_verifier(alg)?),\n                        },\n                    },\n                },\n                JsonWebKeyType::Symmetric(key) =\u003e match key {\n                    SymmetricJsonWebKey::OctetSequence(ref key) =\u003e match alg {\n                        JsonWebSigningAlgorithm::Hmac(hs) =\u003e match hs {\n                            Hmac::Hs256 =\u003e InnerVerifier::Hs256(key.into_verifier(alg)?),\n                            Hmac::Hs384 =\u003e InnerVerifier::Hs384(key.into_verifier(alg)?),\n                            Hmac::Hs512 =\u003e InnerVerifier::Hs512(key.into_verifier(alg)?),\n                        },\n                        _ =\u003e Err(InvalidSigningAlgorithmError)?,\n                    },\n                },\n            },\n        })\n    }\n}\n\nimpl Verifier for JwkVerifier {\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), VerifyError\u003e {\n        match \u0026mut self.inner {\n            InnerVerifier::Hs256(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Hs384(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Hs512(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Rsa(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Es256(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Es384(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Es512(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Secp256k1(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Ed448(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Ed25519(verifier) =\u003e verifier.verify(msg, signature),\n        }\n    }\n}\n\nimpl\u003cT, P\u003e FromKey\u003cChecked\u003cJsonWebKey\u003cT\u003e, P\u003e\u003e for JwkVerifier\nwhere\n    P: Policy,\n{\n    type Error = FromJwkError;\n\n    /// Create a [`JwkVerifier`] form a [`JsonWebKey`] overwriting\n    /// [`JsonWebKey::algorithm`] with `alg`.\n    fn from_key(\n        jwk: Checked\u003cJsonWebKey\u003cT\u003e, P\u003e,\n        alg: JsonWebAlgorithm,\n    ) -\u003e Result\u003cSelf, Self::Error\u003e {\n        if let Some(usage) = jwk.key_usage() {\n            jwk.policy()\n                .may_perform_operation_key_use(CryptographicOperation::Verify, usage)\n                .map_err(|_| FromJwkError::OperationNotAllowed)?\n        }\n\n        if let Some(ops) = jwk.key_operations() {\n            jwk.policy()\n                .may_perform_operation_key_ops(CryptographicOperation::Verify, ops)\n                .map_err(|_| FromJwkError::OperationNotAllowed)?\n        }\n\n        match alg {\n            JsonWebAlgorithm::Encryption(..) | JsonWebAlgorithm::Other(..) =\u003e {\n                Err(FromJwkError::InvalidAlgorithm)\n            }\n            JsonWebAlgorithm::Signing(alg) =\u003e Self::new(jwk.into_type().key_type, alg),\n        }\n    }\n}\n\nimpl\u003cT, P\u003e TryFrom\u003cChecked\u003cJsonWebKey\u003cT\u003e, P\u003e\u003e for JwkVerifier\nwhere\n    P: Policy,\n{\n    type Error = FromJwkError;\n\n    /// Create a [`JwkVerifier`] from a [`JsonWebKey`]\n    ///\n    /// # Errors\n    ///\n    /// This conversion fails if [`JsonWebKey::algorithm`] is [`None`]\n    fn try_from(jwk: Checked\u003cJsonWebKey\u003cT\u003e, P\u003e) -\u003e Result\u003cSelf, Self::Error\u003e {\n        let alg = jwk\n            .algorithm()\n            .ok_or(FromJwkError::InvalidAlgorithm)?\n            .to_owned();\n        JwkVerifier::from_key(jwk, alg)\n    }\n}\n/// Abstract type with a variant for each [`Verifier`]\n#[derive(Debug)]\nenum InnerVerifier {\n    // symmetric algorithms\n    Hs256(hmac::Key\u003chmac::Hs256\u003e),\n    Hs384(hmac::Key\u003chmac::Hs384\u003e),\n    Hs512(hmac::Key\u003chmac::Hs512\u003e),\n    // asymmetric algorithms\n    Rsa(rsa::Verifier),\n\n    Es256(ec::P256Verifier),\n    Es384(ec::P384Verifier),\n    Es512(ec::P521Verifier),\n    Secp256k1(ec::Secp256k1Verifier),\n\n    Ed25519(okp::Ed25519Verifier),\n    Ed448(okp::Ed448Verifier),\n}\n","traces":[{"line":33,"address":[],"length":0,"stats":{"Line":0}},{"line":34,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":37,"address":[],"length":0,"stats":{"Line":0}},{"line":38,"address":[],"length":0,"stats":{"Line":0}},{"line":39,"address":[],"length":0,"stats":{"Line":0}},{"line":40,"address":[],"length":0,"stats":{"Line":0}},{"line":41,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":43,"address":[],"length":0,"stats":{"Line":0}},{"line":46,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":51,"address":[],"length":0,"stats":{"Line":0}},{"line":54,"address":[],"length":0,"stats":{"Line":0}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":79,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":90,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":94,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":0}},{"line":119,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":130,"address":[],"length":0,"stats":{"Line":0}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":148,"address":[],"length":0,"stats":{"Line":0}},{"line":149,"address":[],"length":0,"stats":{"Line":0}},{"line":151,"address":[],"length":0,"stats":{"Line":0}},{"line":153,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":64},{"path":["/","home","stu","dev","rust","jose","src","jwk.rs"],"content":"//! [`JsonWebKey`] and connected things\n\nuse alloc::{boxed::Box, string::String, vec, vec::Vec};\nuse core::{\n    fmt::Debug,\n    ops::{ControlFlow, Deref},\n};\n\nuse hashbrown::HashSet;\nuse serde::{de::DeserializeOwned, Deserialize, Serialize};\n\nuse crate::{\n    crypto::hmac::{self, Variant as _},\n    jwa::{\n        AesGcm, AesKw, EcDSA, Hmac, JsonWebAlgorithm, JsonWebEncryptionAlgorithm,\n        JsonWebSigningAlgorithm, Pbes2,\n    },\n    sealed::Sealed,\n    uri::BorrowedUri,\n    UntypedAdditionalProperties, Uri,\n};\n\npub mod symmetric;\n\nmod asymmetric;\nmod builder;\nmod key_ops;\nmod key_use;\npub mod policy;\nmod private;\nmod public;\npub(crate) mod serde_impl;\nmod signer;\npub(crate) mod thumbprint;\nmod verifier;\n\n#[doc(inline)]\npub use self::{\n    asymmetric::AsymmetricJsonWebKey,\n    builder::{JsonWebKeyBuildError, JsonWebKeyBuilder},\n    key_ops::KeyOperation,\n    key_use::KeyUsage,\n    private::{EcPrivate, OkpPrivate, Private},\n    public::{EcPublic, OkpPublic, Public},\n    signer::{FromJwkError, JwkSigner},\n    symmetric::SymmetricJsonWebKey,\n    thumbprint::Thumbprint,\n    verifier::JwkVerifier,\n};\nuse self::{\n    policy::{Checkable, Checked, CryptographicOperation, Policy, PolicyError as _},\n    serde_impl::Base64DerCertificate,\n};\n\n/// A [`JsonWebKey`] is a [JSON Object](serde_json::Value::Object) representing\n/// the components of a cryptographic keys that can be used for\n/// [JWE](crate::jwe::JsonWebEncryption) and\n/// [JWS](crate::jws::JsonWebSignature).\n///\n/// The format of Json Web Keys is defined in [RFC 7517] with key specific\n/// parameters defined in [section 6 of RFC 7518]. The [`JsonWebKey`] struct is\n/// an abstract representation of all possible key types. The [`JsonWebKeyType`]\n/// enum is used to specialize on concrete key type.\n///\n/// # Comparison and equality\n///\n/// It is not defined how to determine if a [`JsonWebKey`] is [equal](PartialEq)\n/// to another. Therefore, [`JsonWebKey`] *does not* implement [`PartialEq`].\n/// If you want to compare a [`JsonWebKey`], you should either use something\n/// like the [`kid`](JsonWebKey::key_id) parameter or a [`Thumbprint`] of\n/// the key (or ideally, a [`Thumbprint`] as [`kid`](JsonWebKey::key_id)).\n///\n/// You should *avoid* comparing the serialized form of a [`JsonWebKey`] as it\n/// may contain optional parameters, which may not always be present and would\n/// lead to unexpected results.\n///\n/// # Examples\n///\n/// Parse a JsonWebKey from its json representation:\n///\n/// ```\n/// # // std is available in tests\n/// # fn main() -\u003e Result\u003c(), Box\u003cdyn std::error::Error\u003e\u003e {\n/// use jose::{jwk::KeyUsage, JsonWebKey};\n///\n/// // The following json object represents a RSA key used for signing\n/// let json = r#\"\n/// {\n///  \"kty\": \"RSA\",\n///  \"kid\": \"bilbo.baggins@hobbiton.example\",\n///  \"use\": \"sig\",\n///  \"n\": \"n4EPtAOCc9AlkeQHPzHStgAbgs7bTZLwUBZdR8_KuKPEHLd4rHVTeT-O-XV2jRojdNhxJWTDvNd7nqQ0VEiZQHz_AJmSCpMaJMRBSFKrKb2wqVwGU_NsYOYL-QtiWN2lbzcEe6XC0dApr5ydQLrHqkHHig3RBordaZ6Aj-oBHqFEHYpPe7Tpe-OfVfHd1E6cS6M1FZcD1NNLYD5lFHpPI9bTwJlsde3uhGqC0ZCuEHg8lhzwOHrtIQbS0FVbb9k3-tVTU4fg_3L_vniUFAKwuCLqKnS2BYwdq_mzSnbLY7h_qixoR7jig3__kRhuaxwUkRz5iaiQkqgc5gHdrNP5zw\",\n///  \"e\": \"AQAB\"\n/// }\"#;\n///\n/// // deserialize the key from it's json representation using serde_json\n/// let jwk: JsonWebKey = serde_json::from_str(json)?;\n///\n/// // You can use the JsonWebKey to access parameters defined by the spec.\n/// // For example, we might want to ensure that this key is for signing by\n/// // checking the `use` parameter\n/// assert_eq!(jwk.key_usage(), Some(\u0026KeyUsage::Signing));\n/// # Ok(())\n/// # }\n/// ```\n///\n/// ## Additional parameters\n///\n/// The spec allows custom/additional parameters that are not registered in the\n/// [IANA `JSON Web Key Parameters` registry]. The `A` generic parameter of\n/// [`JsonWebKey\u003cA\u003e`] allows you to bring your own type to do just that.\n///\n/// To do so, create a container type that holds all your parameters (and maybe\n/// even another container).\n/// Imagine we have a custom parameter `intended_party` which holds a [`String`]\n/// identifying the application which should use the [`JsonWebKey`]:\n///\n/// ```\n/// # fn main() -\u003e Result\u003c(), Box\u003cdyn std::error::Error\u003e\u003e {\n/// use jose::JsonWebKey;\n/// use serde::{Deserialize, Serialize};\n///\n/// // don't forget to derive or implement the serde traits since they are used for (de)serialization\n/// #[derive(Deserialize, Serialize)]\n/// struct MyCustomParameters {\n///     intended_party: String,\n/// }\n///\n/// /// A type alias so we dont have to type so much\n/// type MyJsonWebKey = JsonWebKey\u003cMyCustomParameters\u003e;\n///\n/// // consider the same key as before but this time it needs our custom parameter `intended_party`\n/// let json = r#\"\n/// {\n///  \"intended_party\": \"my_application\",\n///  \"kty\": \"RSA\",\n///  \"kid\": \"bilbo.baggins@hobbiton.example\",\n///  \"use\": \"sig\",\n///  \"n\": \"n4EPtAOCc9AlkeQHPzHStgAbgs7bTZLwUBZdR8_KuKPEHLd4rHVTeT-O-XV2jRojdNhxJWTDvNd7nqQ0VEiZQHz_AJmSCpMaJMRBSFKrKb2wqVwGU_NsYOYL-QtiWN2lbzcEe6XC0dApr5ydQLrHqkHHig3RBordaZ6Aj-oBHqFEHYpPe7Tpe-OfVfHd1E6cS6M1FZcD1NNLYD5lFHpPI9bTwJlsde3uhGqC0ZCuEHg8lhzwOHrtIQbS0FVbb9k3-tVTU4fg_3L_vniUFAKwuCLqKnS2BYwdq_mzSnbLY7h_qixoR7jig3__kRhuaxwUkRz5iaiQkqgc5gHdrNP5zw\",\n///  \"e\": \"AQAB\"\n/// }\"#;\n///\n/// let jwk: MyJsonWebKey = serde_json::from_str(json)?;\n///\n/// // access the custom parameter\n/// assert_eq!(\"my_application\", jwk.additional().intended_party.as_str());\n/// # Ok(())\n/// # }\n/// ```\n///\n/// ### Implementing [`Checkable`] for your additional type\n///\n/// The [`Checkable`] trait should be implemented by types that can utilize some\n/// (potentially expensive) checks to ensure their validity optionally using a\n/// [`Policy`]. For example, [`JsonWebKey`] implements the [`Checkable`] trait\n/// to validate some parameters which can't be validated during deserialization.\n///\n/// For [`JsonWebKey`] to implement [`Checkable`], your additional type also\n/// needs to implement [`Checkable`]. If we recall the example from before, we\n/// might want to ensure that our `intended_party` parameter containts only\n/// ascii characters. An implementation for that purpose might look like this:\n/// ```\n/// # fn main() -\u003e Result\u003c(), Box\u003cdyn std::error::Error\u003e\u003e {\n/// use jose::jwk::policy::{Checkable, Checked, Policy, PolicyError};\n/// use serde::{Deserialize, Serialize};\n/// // our type from before\n/// #[derive(Deserialize, Serialize)]\n/// struct MyCustomParameters {\n///     intended_party: String,\n/// }\n///\n/// impl Checkable for MyCustomParameters {\n///     fn check\u003cP: Policy\u003e(self, policy: P) -\u003e Result\u003cChecked\u003cSelf, P\u003e, (Self, P::Error)\u003e {\n///         if self.intended_party.is_ascii() {\n///             Ok(Checked::new(self, policy))\n///         } else {\n///             Err((\n///                 self,\n///                 \u003cP::Error as PolicyError\u003e::custom(\n///                     \"`intended_party` parameter must contain ascii characters only\",\n///                 ),\n///             ))\n///         }\n///     }\n/// }\n/// # Ok(())\n/// # }\n/// ```\n///\n/// [RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517\u003e\n/// [section 6 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-6\u003e\n/// [IANA `Json Web Key Parameters` registry]: \u003chttps://www.iana.org/assignments/jose/jose.xhtml#web-key-parameters\u003e\n#[derive(Debug, Deserialize, Serialize, Clone)]\npub struct JsonWebKey\u003cA = ()\u003e {\n    /// Additional members in the JWK as permitted by the fourth paragraph of\n    /// [section 4]\n    ///\n    /// [section 4]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4\u003e\n    // Note: `A` is first because otherwise it is possible to overwrite parameters set by us\n    #[serde(flatten)]\n    additional: A,\n    /// `kty` parameter section 4.1\n    /// Note that the [`JsonWebKeyType`] enum does way more than just\n    /// checking/storing the `kty` parameter\n    #[serde(flatten)]\n    key_type: JsonWebKeyType,\n    /// `use` parameter section 4.2\n    #[serde(rename = \"use\", skip_serializing_if = \"Option::is_none\")]\n    key_use: Option\u003cKeyUsage\u003e,\n    /// `key_ops` parameter section 4.3\n    #[serde(\n        deserialize_with = \"serde_impl::deserialize_ensure_set\",\n        rename = \"key_ops\",\n        skip_serializing_if = \"Option::is_none\",\n        // default needed because else serde will error if the `key_ops` parameter is not present\n        default\n    )]\n    key_operations: Option\u003cHashSet\u003cKeyOperation\u003e\u003e,\n    /// `alg` parameter section 4.4\n    #[serde(rename = \"alg\", skip_serializing_if = \"Option::is_none\")]\n    algorithm: Option\u003cJsonWebAlgorithm\u003e,\n    /// `kid` parameter section 4.4\n    // FIXME: Consider an enum if this value is a valid JWK Thumbprint,\n    // see \u003chttps://www.rfc-editor.org/rfc/rfc7638\u003e\n    #[serde(skip_serializing_if = \"Option::is_none\")]\n    kid: Option\u003cString\u003e,\n    /// `x5u` parameter section 4.6\n    // FIXME: considerung to ensure the protocol\n    // uses TLS or some other form of integrity protection.\n    // There are other things to consider, see the relevant section in the RFC.\n    #[serde(rename = \"x5u\", skip_serializing_if = \"Option::is_none\")]\n    x509_url: Option\u003cUri\u003e,\n    /// `x5c` parameter section 4.7\n    // If the `x5c` parameter is not present, this will be an empty Vec\n    // FIXME: find a good way and crate to parse the DER-encoded X.509 certificate(s)\n    #[serde(rename = \"x5c\", skip_serializing_if = \"Vec::is_empty\", default)]\n    x509_certificate_chain: Vec\u003cBase64DerCertificate\u003e,\n    /// `x5t` parameter section 4.8\n    #[serde(\n        serialize_with = \"serde_impl::serialize_ga_sha1\",\n        deserialize_with = \"serde_impl::deserialize_ga_sha1\",\n        rename = \"x5t\",\n        default,\n        skip_serializing_if = \"Option::is_none\"\n    )]\n    x509_certificate_sha1_thumbprint: Option\u003c[u8; 20]\u003e,\n    /// `x5t#S256` parameter section 4.9\n    #[serde(\n        serialize_with = \"serde_impl::serialize_ga_sha256\",\n        deserialize_with = \"serde_impl::deserialize_ga_sha256\",\n        rename = \"x5t#S256\",\n        default,\n        skip_serializing_if = \"Option::is_none\"\n    )]\n    x509_certificate_sha256_thumbprint: Option\u003c[u8; 32]\u003e,\n}\n\nimpl JsonWebKey\u003c()\u003e {\n    pub(crate) fn new_with_algorithm(\n        key_type: JsonWebKeyType,\n        alg: Option\u003cJsonWebAlgorithm\u003e,\n    ) -\u003e Self {\n        Self {\n            key_type,\n            key_use: None,\n            key_operations: None,\n            algorithm: alg,\n            kid: None,\n            x509_url: None,\n            x509_certificate_chain: vec![],\n            x509_certificate_sha1_thumbprint: None,\n            x509_certificate_sha256_thumbprint: None,\n            additional: (),\n        }\n    }\n}\n\nimpl JsonWebKey\u003c()\u003e {\n    /// Create a [`JsonWebKeyBuilder`] to construct a new JWK.\n    pub fn builder(key_type: impl Into\u003cJsonWebKeyType\u003e) -\u003e JsonWebKeyBuilder\u003c()\u003e {\n        JsonWebKeyBuilder::new(key_type)\n    }\n}\n\nimpl\u003cT\u003e JsonWebKey\u003cT\u003e {\n    /// Turn this Json Web Key into a builder to modify it's contents.\n    pub fn into_builder(self) -\u003e JsonWebKeyBuilder\u003cT\u003e {\n        JsonWebKeyBuilder {\n            key_type: self.key_type,\n            key_use: self.key_use,\n            key_operations: self.key_operations,\n            algorithm: self.algorithm,\n            kid: self.kid,\n            x509_url: self.x509_url,\n            x509_certificate_chain: self.x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: self.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: self.x509_certificate_sha256_thumbprint,\n            additional: self.additional,\n        }\n    }\n\n    /// [Section 4.1 of RFC 7517] defines the `kty` (Key Type) Parameter.\n    ///\n    /// Since the `kty` parameter is used to distinguish different key types, we\n    /// use the [`JsonWebKeyType`] to also store key specific data. You can\n    /// match the [`JsonWebKeyType`] to determine the exact key type used.\n    ///\n    /// [Section 4.1 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.1\u003e\n    pub fn key_type(\u0026self) -\u003e \u0026JsonWebKeyType {\n        \u0026self.key_type\n    }\n\n    /// [Section 4.2 of RFC 7517] defines the `use` (Public Key Use) Parameter.\n    ///\n    /// See the documentation of [`KeyUsage`] for details.\n    ///\n    /// [Section 4.2 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.2\u003e\n    pub fn key_usage(\u0026self) -\u003e Option\u003c\u0026KeyUsage\u003e {\n        self.key_use.as_ref()\n    }\n\n    /// [Section 4.3 of RFC 7517] defines the `key_ops` (Key Operations)\n    /// Parameter.\n    ///\n    /// It is a set of different operations a key may perform.\n    /// See the documentation of [`KeyOperation`] for details.\n    ///\n    /// [Section 4.3 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.3\u003e\n    pub fn key_operations(\u0026self) -\u003e Option\u003c\u0026HashSet\u003cKeyOperation\u003e\u003e {\n        self.key_operations.as_ref()\n    }\n\n    /// [Section 4.4 of RFC 7517] defines the `alg` (Algorithm) Parameter.\n    ///\n    /// See the documentation of [`JsonWebAlgorithm`] for details.\n    ///\n    /// [Section 4.4 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.4\u003e\n    pub fn algorithm(\u0026self) -\u003e Option\u003c\u0026JsonWebAlgorithm\u003e {\n        self.algorithm.as_ref()\n    }\n\n    /// [Section 4.5 of RFC 7517] defines the `kid` (Key ID) Parameter.\n    ///\n    /// [Section 4.5 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.5\u003e\n    pub fn key_id(\u0026self) -\u003e Option\u003c\u0026str\u003e {\n        self.kid.as_deref()\n    }\n\n    /// [Section 4.6 of RFC 7517] defines the `x5u` (X.509 URL) Parameter.\n    ///\n    /// [Section 4.6 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.6\u003e\n    pub fn x509_url(\u0026self) -\u003e Option\u003cBorrowedUri\u003c'_\u003e\u003e {\n        self.x509_url.as_ref().map(|x| x.borrow())\n    }\n\n    /// [Section 4.7 of RFC 7517] defines the `x5c` (X.509 Certificate Chain)\n    /// Parameter.\n    ///\n    /// This parameter is a list of X.509 certificates. The first certificate in\n    /// the [`ExactSizeIterator`] returned by this method is the PKIX\n    /// certificate containing the key value as required by the RFC. Note\n    /// that this parameter is OPTIONAL and if not present, this\n    /// [`ExactSizeIterator`] will be empty ([`next`](Iterator::next) will be\n    /// [`None`] and [`len`](ExactSizeIterator::len) will be `0`).\n    ///\n    /// Each [`Item`](Iterator::Item) will be the byte representation of a\n    /// DER-encoded X.509 certificate.\n    ///\n    /// [Section 4.7 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.7\u003e\n    pub fn x509_certificate_chain(\u0026self) -\u003e impl ExactSizeIterator\u003cItem = \u0026[u8]\u003e {\n        self.x509_certificate_chain.iter().map(Deref::deref)\n    }\n\n    /// [Section 4.8 of RFC 7517] defines the `x5t` (X.509 Certificate SHA-1\n    /// Thumbprint) Parameter.\n    ///\n    /// It is the SHA-1 hash of the DER-encoded X.509 certificate.\n    ///\n    /// # Warning: Cryptographically broken!\n    ///\n    /// TL;DR: check if you can use the [SHA-256\n    /// thumbprint](JsonWebKey::x509_certificate_sha256_thumbprint) instead.\n    ///\n    /// The following text is taken from the `sha1` crate: \\\n    /// The SHA-1 hash function should be considered cryptographically broken\n    /// and unsuitable for further use in any security critical capacity, as it\n    /// is [practically vulnerable to chosen-prefix collisions](https://sha-mbles.github.io/).\n    ///\n    /// [Section 4.8 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.8\u003e\n    // replace the hardcoded output size with the Sha1::OutputsizeUser value then\n    // they use const generics\n    pub fn x509_certificate_sha1_thumbprint(\u0026self) -\u003e Option\u003c\u0026[u8; 20]\u003e {\n        self.x509_certificate_sha1_thumbprint.as_ref()\n    }\n\n    /// [Section 4.9 of RFC 7517] defines the `x5t#S256` (X.509 Certificate\n    /// SHA-256 Thumbprint) Parameter.\n    ///\n    /// It is the SHA-256 hash of the DER-encoded X.509 certificate.\n    ///\n    /// [Section 4.9 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.9\u003e\n    pub fn x509_certificate_sha256_thumbprint(\u0026self) -\u003e Option\u003c\u0026[u8; 32]\u003e {\n        self.x509_certificate_sha256_thumbprint.as_ref()\n    }\n\n    /// Additional members in the [`JsonWebKey`] as permitted by the fourth\n    /// paragraph of [section 4 in RFC 7517]\n    ///\n    /// [section 4 in RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4\u003e\n    pub fn additional(\u0026self) -\u003e \u0026T {\n        \u0026self.additional\n    }\n\n    /// Checks if this [`JsonWebKey`] is a symmetric key.\n    #[inline]\n    pub fn is_symmetric(\u0026self) -\u003e bool {\n        matches!(self.key_type, JsonWebKeyType::Symmetric(_))\n    }\n\n    /// Checks if this [`JsonWebKey`] is an asymmetric key.\n    #[inline]\n    pub fn is_asymmetric(\u0026self) -\u003e bool {\n        matches!(self.key_type, JsonWebKeyType::Asymmetric(_))\n    }\n\n    /// Checks if this [`JsonWebKey`] can be used for signing.\n    ///\n    /// For asymmetric keys, this method is equivalent to checking\n    /// if this key is a private key.\n    /// For symmetric keys, this always returns `true`.\n    #[inline]\n    pub fn is_signing_key(\u0026self) -\u003e bool {\n        match self.key_type() {\n            JsonWebKeyType::Symmetric(_) =\u003e true,\n            JsonWebKeyType::Asymmetric(ref key) =\u003e match \u0026**key {\n                AsymmetricJsonWebKey::Private(_) =\u003e true,\n                AsymmetricJsonWebKey::Public(_) =\u003e false,\n            },\n        }\n    }\n\n    /// Strips the secret material from this [`JsonWebKey`].\n    ///\n    /// After calling this method, the key can safely be shared as it\n    /// only contains the public parts.\n    ///\n    /// For symmetric keys, this method returns [`None`], as symmetric\n    /// keys will always hold the secret material.\n    #[doc(alias = \"strip_private_material\")]\n    pub fn strip_secret_material(mut self) -\u003e Option\u003cSelf\u003e {\n        let key = match self.key_type {\n            JsonWebKeyType::Symmetric(_) =\u003e return None,\n            JsonWebKeyType::Asymmetric(ref key) =\u003e key,\n        };\n\n        match \u0026**key {\n            // public keys are no-ops\n            AsymmetricJsonWebKey::Public(_) =\u003e Some(self),\n            AsymmetricJsonWebKey::Private(Private::Okp(okp)) =\u003e {\n                let key = match okp {\n                    OkpPrivate::Ed25519(key) =\u003e OkpPublic::Ed25519(key.to_public_key()),\n                    OkpPrivate::Ed448(key) =\u003e OkpPublic::Ed448(key.to_public_key()),\n                };\n\n                self.key_type = JsonWebKeyType::Asymmetric(Box::new(AsymmetricJsonWebKey::Public(\n                    Public::Okp(key),\n                )));\n\n                Some(self)\n            }\n            AsymmetricJsonWebKey::Private(Private::Ec(ec)) =\u003e {\n                let pub_key = match ec {\n                    EcPrivate::P256(key) =\u003e EcPublic::P256(key.to_public_key()),\n                    EcPrivate::P384(key) =\u003e EcPublic::P384(key.to_public_key()),\n                    EcPrivate::P521(key) =\u003e EcPublic::P521(key.to_public_key()),\n                    EcPrivate::Secp256k1(key) =\u003e EcPublic::Secp256k1(key.to_public_key()),\n                };\n\n                self.key_type = JsonWebKeyType::Asymmetric(Box::new(AsymmetricJsonWebKey::Public(\n                    Public::Ec(pub_key),\n                )));\n\n                Some(self)\n            }\n            AsymmetricJsonWebKey::Private(Private::Rsa(rsa)) =\u003e {\n                let pub_key = Public::Rsa(rsa.to_public_key());\n\n                self.key_type =\n                    JsonWebKeyType::Asymmetric(Box::new(AsymmetricJsonWebKey::Public(pub_key)));\n\n                Some(self)\n            }\n        }\n    }\n\n    /// Converts this [`JsonWebKey`] into a [`JsonWebKey`] that is only meant to\n    /// be uesd for verifying signatures.\n    ///\n    /// For asymmetric keys, this operation is equivalent to converting a\n    /// private key into it's public key.\n    ///\n    /// For symmetric keys, this operation is a no-op, as the secret material\n    /// can not be removed from the key.\n    #[doc(alias = \"into_public_key\")]\n    pub fn into_verifying_key(mut self) -\u003e Self {\n        match self.key_type {\n            // symmetric keys are no-op\n            JsonWebKeyType::Symmetric(_) =\u003e self,\n            JsonWebKeyType::Asymmetric(ref key) =\u003e match \u0026**key {\n                // public keys are no-ops too\n                AsymmetricJsonWebKey::Public(_) =\u003e self,\n                AsymmetricJsonWebKey::Private(Private::Okp(okp)) =\u003e {\n                    let key = match okp {\n                        OkpPrivate::Ed25519(key) =\u003e OkpPublic::Ed25519(key.to_public_key()),\n                        OkpPrivate::Ed448(key) =\u003e OkpPublic::Ed448(key.to_public_key()),\n                    };\n\n                    self.key_type = JsonWebKeyType::Asymmetric(Box::new(\n                        AsymmetricJsonWebKey::Public(Public::Okp(key)),\n                    ));\n\n                    self\n                }\n                AsymmetricJsonWebKey::Private(Private::Ec(ec)) =\u003e {\n                    let pub_key = match ec {\n                        EcPrivate::P256(key) =\u003e EcPublic::P256(key.to_public_key()),\n                        EcPrivate::P384(key) =\u003e EcPublic::P384(key.to_public_key()),\n                        EcPrivate::P521(key) =\u003e EcPublic::P521(key.to_public_key()),\n                        EcPrivate::Secp256k1(key) =\u003e EcPublic::Secp256k1(key.to_public_key()),\n                    };\n\n                    self.key_type = JsonWebKeyType::Asymmetric(Box::new(\n                        AsymmetricJsonWebKey::Public(Public::Ec(pub_key)),\n                    ));\n\n                    self\n                }\n                AsymmetricJsonWebKey::Private(Private::Rsa(rsa)) =\u003e {\n                    let pub_key = Public::Rsa(rsa.to_public_key());\n\n                    self.key_type =\n                        JsonWebKeyType::Asymmetric(Box::new(AsymmetricJsonWebKey::Public(pub_key)));\n\n                    self\n                }\n            },\n        }\n    }\n}\n\nimpl\u003cT: Serialize\u003e JsonWebKey\u003cT\u003e {\n    /// Converts this [`JsonWebKey`] with custom additional parameters,\n    /// into a [`JsonWebKey`] with untyped additional parameters.\n    ///\n    /// # Errors\n    ///\n    /// This function fails if the serialization of the additional parameters\n    /// failed, or the serialization does not result in a JSON object.\n    pub fn into_untyped_additional(\n        self,\n    ) -\u003e Result\u003cJsonWebKey\u003cUntypedAdditionalProperties\u003e, serde_json::Error\u003e {\n        let value = serde_json::to_value(\u0026self.additional)?;\n        let additional: UntypedAdditionalProperties = serde_json::from_value(value)?;\n\n        Ok(JsonWebKey {\n            additional,\n            key_type: self.key_type,\n            key_use: self.key_use,\n            key_operations: self.key_operations,\n            algorithm: self.algorithm,\n            kid: self.kid,\n            x509_url: self.x509_url,\n            x509_certificate_chain: self.x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: self.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: self.x509_certificate_sha256_thumbprint,\n        })\n    }\n}\n\nimpl JsonWebKey\u003cUntypedAdditionalProperties\u003e {\n    /// Deserializes the additional members of this [`JsonWebKey`]\n    /// to the given type.\n    ///\n    /// # Errors\n    ///\n    /// The given type failed to be deserialized from the additional members.\n    pub fn deserialize_additional\u003cT: DeserializeOwned\u003e(\n        self,\n    ) -\u003e Result\u003cJsonWebKey\u003cT\u003e, serde_json::Error\u003e {\n        let additional = serde_json::from_value(self.additional.into())?;\n\n        Ok(JsonWebKey {\n            additional,\n            key_type: self.key_type,\n            key_use: self.key_use,\n            key_operations: self.key_operations,\n            algorithm: self.algorithm,\n            kid: self.kid,\n            x509_url: self.x509_url,\n            x509_certificate_chain: self.x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: self.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: self.x509_certificate_sha256_thumbprint,\n        })\n    }\n}\n\nimpl\u003cT\u003e Checkable for JsonWebKey\u003cT\u003e\nwhere\n    T: Checkable,\n{\n    fn check\u003cP: Policy\u003e(self, policy: P) -\u003e Result\u003cChecked\u003cSelf, P\u003e, (Self, P::Error)\u003e {\n        if let Some(alg) = self.algorithm() {\n            if let Err(e) = policy.algorithm(alg) {\n                return Err((self, e));\n            }\n\n            let operations = match alg {\n                JsonWebAlgorithm::Encryption(..) =\u003e [\n                    CryptographicOperation::Encrypt,\n                    CryptographicOperation::Decrypt,\n                ],\n                JsonWebAlgorithm::Signing(..) =\u003e {\n                    [CryptographicOperation::Sign, CryptographicOperation::Verify]\n                }\n                JsonWebAlgorithm::Other(..) =\u003e {\n                    return Err((self, P::Error::custom(\"specified key algorithm is unknown\")))\n                }\n            };\n            debug_assert!(!operations.is_empty());\n\n            if let Some(key_use) = self.key_usage() {\n                // The following ensures that at least one `operation` is allowed with the\n                // current key usage (returns Ok(())). If Ok(()) is returned, it\n                // short-circuits\n                match operations.iter().try_fold(None, |_, operation| {\n                    match policy.may_perform_operation_key_use(*operation, key_use) {\n                        Ok(_) =\u003e ControlFlow::Break(()),\n                        Err(err) =\u003e ControlFlow::Continue(Some(err)),\n                    }\n                }) {\n                    ControlFlow::Break(_) =\u003e (),\n                    ControlFlow::Continue(err) =\u003e {\n                        return Err((\n                            self,\n                            // Safety\n                            //\n                            // First of, this could use unwrap_unchecked but doesn't since we\n                            // forbid unsafe code in this crate. However, it would be safe,\n                            // because: the call to the Policy returns\n                            // Result\u003c(), err\u003e and if it's Ok, it\n                            // will break and this branch will never get called. If the call\n                            // failed, the inital state of `None` will be set to\n                            // Continue(Some(err)), which will be the value in this branch\n                            err.expect(\"at least one call has been made to the Policy\"),\n                        ));\n                    }\n                }\n            }\n\n            if let Some(key_ops) = self.key_operations() {\n                // The following ensures tthat at loeast one `operation` is allowed with the\n                // current key operations. If Ok(()) is returned, it short-circuits.\n                // For example, a key might have a signing algorithm, but only\n                // `KeyOperation::Verify` is set since it is a public key and can't perform\n                // signing operations. In this case, it has the same signing algorithm.\n                match operations.iter().try_fold(None, |_, operation| {\n                    match policy.may_perform_operation_key_ops(*operation, key_ops) {\n                        Ok(_) =\u003e ControlFlow::Break(()),\n                        Err(err) =\u003e ControlFlow::Continue(Some(err)),\n                    }\n                }) {\n                    ControlFlow::Break(_) =\u003e (),\n                    ControlFlow::Continue(err) =\u003e {\n                        return Err((\n                            self,\n                            // Same rules as for the code with `key_usage` from above apply.\n                            err.expect(\"at leat one call has been made to the Policy\"),\n                        ));\n                    }\n                }\n            }\n        }\n\n        if let (Some(key_use), Some(key_ops)) = (self.key_usage(), self.key_operations()) {\n            if let Err(e) = policy.compare_key_ops_and_use(key_use, key_ops) {\n                return Err((self, e));\n            }\n        }\n\n        match self.additional.check(policy) {\n            Err(e) =\u003e Err((\n                Self {\n                    additional: e.0,\n                    ..self\n                },\n                e.1,\n            )),\n            Ok(o) =\u003e {\n                let (additional, p) = o.into_inner();\n                Ok(Checked::new(Self { additional, ..self }, p))\n            }\n        }\n    }\n}\n\nimpl Sealed for JsonWebKey {}\nimpl Thumbprint for JsonWebKey {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        self.key_type().thumbprint_prehashed()\n    }\n}\n\n/// A [`JsonWebKey`] represents a cryptographic key. It can either be symmetric\n/// or asymmetric. In the latter case, it can store public or private\n/// information about the key. This enum represents the key types as defined in\n/// [RFC 7518 section 6].\n///\n/// [RFC 7518 section 6]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-6\u003e\n#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize, Hash)]\n#[serde(untagged)]\npub enum JsonWebKeyType {\n    /// A symmetric cryptographic key\n    Symmetric(SymmetricJsonWebKey),\n    /// An asymmetric cryptographic key\n    Asymmetric(Box\u003cAsymmetricJsonWebKey\u003e),\n}\n\nimpl Sealed for JsonWebKeyType {}\nimpl Thumbprint for JsonWebKeyType {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            JsonWebKeyType::Symmetric(key) =\u003e key.thumbprint_prehashed(),\n            JsonWebKeyType::Asymmetric(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl JsonWebKeyType {\n    pub(self) fn compatible_with(\u0026self, alg: \u0026JsonWebAlgorithm) -\u003e bool {\n        use JsonWebAlgorithm::*;\n        use JsonWebKeyType::*;\n\n        // it is unreadable with the matches! macro and there's no benefit\n        #[allow(clippy::match_like_matches_macro)]\n        match (self, alg) {\n            (\n                Symmetric(SymmetricJsonWebKey::OctetSequence(key)),\n                Signing(JsonWebSigningAlgorithm::Hmac(hmac)),\n            ) =\u003e match (hmac, key.len()) {\n                (Hmac::Hs256, hmac::Hs256::OUTPUT_SIZE_BYTES..)\n                | (Hmac::Hs384, hmac::Hs384::OUTPUT_SIZE_BYTES..)\n                | (Hmac::Hs512, hmac::Hs512::OUTPUT_SIZE_BYTES..) =\u003e true,\n                _ =\u003e false,\n            },\n            (\n                Symmetric(SymmetricJsonWebKey::OctetSequence(key)),\n                Encryption(JsonWebEncryptionAlgorithm::AesKw(aes)),\n            ) =\u003e matches!(\n                (aes, key.len()),\n                (AesKw::Aes128, 16) | (AesKw::Aes192, 24) | (AesKw::Aes256, 32)\n            ),\n            (\n                Symmetric(SymmetricJsonWebKey::OctetSequence(key)),\n                Encryption(JsonWebEncryptionAlgorithm::AesGcmKw(aes)),\n            ) =\u003e matches!(\n                (aes, key.len()),\n                (AesGcm::Aes128, 16) | (AesGcm::Aes192, 24) | (AesGcm::Aes256, 32)\n            ),\n            (\n                Symmetric(SymmetricJsonWebKey::OctetSequence(key)),\n                Encryption(JsonWebEncryptionAlgorithm::Pbes2(pbes2)),\n            ) =\u003e matches!(\n                (pbes2, key.len()),\n                (Pbes2::Hs256Aes128, 16) | (Pbes2::Hs384Aes192, 24) | (Pbes2::Hs512Aes256, 32)\n            ),\n            (\n                Symmetric(SymmetricJsonWebKey::OctetSequence(..)),\n                Encryption(JsonWebEncryptionAlgorithm::Direct),\n            ) =\u003e true,\n            (Asymmetric(key), alg) =\u003e match (\u0026**key, alg) {\n                (\n                    AsymmetricJsonWebKey::Public(Public::Ec(..))\n                    | AsymmetricJsonWebKey::Private(Private::Ec(..)),\n                    Encryption(JsonWebEncryptionAlgorithm::EcDhES(..)),\n                )\n                | (\n                    AsymmetricJsonWebKey::Public(Public::Ec(EcPublic::P256(..)))\n                    | AsymmetricJsonWebKey::Private(Private::Ec(EcPrivate::P256(..))),\n                    Signing(JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256)),\n                )\n                | (\n                    AsymmetricJsonWebKey::Public(Public::Ec(EcPublic::P384(..)))\n                    | AsymmetricJsonWebKey::Private(Private::Ec(EcPrivate::P384(..))),\n                    Signing(JsonWebSigningAlgorithm::EcDSA(EcDSA::Es384)),\n                )\n                | (\n                    AsymmetricJsonWebKey::Public(Public::Ec(EcPublic::Secp256k1(..)))\n                    | AsymmetricJsonWebKey::Private(Private::Ec(EcPrivate::Secp256k1(..))),\n                    Signing(JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256K)),\n                )\n                | (\n                    AsymmetricJsonWebKey::Public(Public::Okp(\n                        OkpPublic::Ed25519(..) | OkpPublic::Ed448(..),\n                    ))\n                    | AsymmetricJsonWebKey::Private(Private::Okp(\n                        OkpPrivate::Ed25519(..) | OkpPrivate::Ed448(..),\n                    )),\n                    Signing(JsonWebSigningAlgorithm::EdDSA),\n                    // FIXME: look how encryption is handled and which algorithm is used\n                    //| Encryption(JsonWebEncryptionAlgorithm::EcDhES(..)),\n                )\n                | (\n                    AsymmetricJsonWebKey::Public(Public::Rsa(..))\n                    | AsymmetricJsonWebKey::Private(Private::Rsa(..)),\n                    Signing(JsonWebSigningAlgorithm::Rsa(..))\n                    | Encryption(JsonWebEncryptionAlgorithm::Rsa1_5)\n                    | Encryption(JsonWebEncryptionAlgorithm::RsaesOaep(..)),\n                ) =\u003e true,\n                _ =\u003e false,\n            },\n            _ =\u003e false,\n        }\n    }\n}\n\n/// A trait for a [`Signer`](crate::jws::Signer) or\n/// [`Verifier`](crate::jws::Verifier) to implement if it can be created from\n/// key material as long as the algorithm is known\npub trait FromKey\u003cK\u003e: Sized {\n    /// The error returned if the conversion failed\n    type Error;\n\n    /// Turn `K` into this [`Signer`](crate::jws::Signer) or\n    /// [`Verifier`](crate::jws::Verifier).\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the conversion failed\n    fn from_key(value: K, alg: JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e;\n}\n\n/// A trait for different key types to implement if they can be converted into a\n/// [`JsonWebKey`].\n///\n/// This trait, and deserialization, is the only public way of creating a\n/// [`JsonWebKey`].\npub trait IntoJsonWebKey: Sealed {\n    /// One key type may be used for multiple [`JsonWebAlgorithm`]s.\n    ///\n    /// This algorithm can be specified using this type.\n    type Algorithm;\n\n    /// The error that can occurr when converting this key into a JWK.\n    type Error;\n\n    /// Turns this key mateiral into a [`JsonWebKey`] for the given algorithm.\n    ///\n    /// If the given argument is `None`, the `alg` header field of the resulting\n    /// JWK will be None.\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if the conversion fails.\n    fn into_jwk(self, alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e) -\u003e Result\u003cJsonWebKey, Self::Error\u003e;\n}\n\n/// Hash implementation for all types that implement `Thumbprint` trait\nmod hash_impl {\n    use core::hash::{Hash, Hasher};\n\n    use super::{symmetric::OctetSequence, JsonWebKey};\n    use crate::crypto::{ec, okp, rsa};\n\n    impl_thumbprint_hash_trait!(ec::P256PublicKey, ec::P256PrivateKey);\n    impl_thumbprint_hash_trait!(ec::P384PublicKey, ec::P384PrivateKey);\n    impl_thumbprint_hash_trait!(ec::P521PublicKey, ec::P521PrivateKey);\n    impl_thumbprint_hash_trait!(ec::Secp256k1PublicKey, ec::Secp256k1PrivateKey);\n    impl_thumbprint_hash_trait!(okp::Ed25519PublicKey, okp::Ed25519PrivateKey);\n    impl_thumbprint_hash_trait!(okp::Ed448PublicKey, okp::Ed448PrivateKey);\n    impl_thumbprint_hash_trait!(rsa::PublicKey, rsa::PrivateKey);\n    impl_thumbprint_hash_trait!(OctetSequence);\n\n    /// The [`Hash`] implementation of [`JsonWebKey`] uses the [`Hash`]\n    /// implementation of the underlying\n    /// [`JsonWebKeyType`](super::JsonWebKeyType).\n    ///\n    /// **Note**: [`Hash`] and [`Thumbprint`](super::Thumbprint) are used\n    /// differently. A [`Thumbprint`](super::Thumbprint) does does distinguish\n    /// between a private and a public key. But the [`Hash`] implementation of\n    /// all [`JsonWebKey`]s does, because otherwise two different versions of\n    /// [`JsonWebKey`] with different capabilities would have the same hash.\n    impl Hash for JsonWebKey {\n        fn hash\u003cH: Hasher\u003e(\u0026self, state: \u0026mut H) {\n            self.key_type.hash(state);\n        }\n    }\n\n    #[test]\n    fn smoke() {\n        use crate::{jwk::Thumbprint, JsonWebKey};\n\n        #[allow(unused_extern_crates)]\n        extern crate std;\n\n        // This is a serialized asymmetric key. The private key part is stored in\n        // the `d` parameter\n        let serialized_private_key = r#\"\n{\n    \"crv\": \"P-256\",\n    \"kty\": \"EC\",\n     \"x\": \"1uiXGPoQ3eLR3VOsCfnx1YzIJZGUQLbVfbl1CpCHcs0\",\n     \"y\": \"danaoyQqKi48vlB2jnCoFmq3PdIbYwIRJyNKWiindZM\",\n     \"d\": \"eLGzm5zd242okyN9SQBvmaC_4EPvASCgMhFgwtBvf3k\",\n     \"alg\": \"ES256\"\n}\n\"#;\n        let private_key: JsonWebKey =\n            serde_json::from_str(serialized_private_key).expect(\"valid key\");\n\n        let expected_prehash = r#\"{\"crv\":\"P-256\",\"kty\":\"EC\",\"x\":\"1uiXGPoQ3eLR3VOsCfnx1YzIJZGUQLbVfbl1CpCHcs0\",\"y\":\"danaoyQqKi48vlB2jnCoFmq3PdIbYwIRJyNKWiindZM\"}\"#;\n        assert_eq!(private_key.thumbprint_prehashed(), expected_prehash);\n\n        let mut hasher = std::hash::DefaultHasher::default();\n        private_key.hash(\u0026mut hasher);\n        let hash_private = hasher.finish();\n\n        let serialized_public_key = r#\"\n{\n    \"crv\": \"P-256\",\n    \"kty\": \"EC\",\n     \"x\": \"1uiXGPoQ3eLR3VOsCfnx1YzIJZGUQLbVfbl1CpCHcs0\",\n     \"y\": \"danaoyQqKi48vlB2jnCoFmq3PdIbYwIRJyNKWiindZM\",\n     \"alg\": \"ES256\"\n}\n\"#;\n\n        let public_key: JsonWebKey = serde_json::from_str(serialized_public_key).unwrap();\n        let mut hasher = std::hash::DefaultHasher::default();\n        public_key.hash(\u0026mut hasher);\n        let hash_public = hasher.finish();\n        assert_ne!(hash_private, hash_public);\n    }\n}\n","traces":[{"line":259,"address":[],"length":0,"stats":{"Line":0}},{"line":270,"address":[],"length":0,"stats":{"Line":0}},{"line":273,"address":[],"length":0,"stats":{"Line":0}},{"line":280,"address":[],"length":0,"stats":{"Line":21}},{"line":281,"address":[],"length":0,"stats":{"Line":21}},{"line":287,"address":[],"length":0,"stats":{"Line":21}},{"line":289,"address":[],"length":0,"stats":{"Line":21}},{"line":290,"address":[],"length":0,"stats":{"Line":21}},{"line":291,"address":[],"length":0,"stats":{"Line":21}},{"line":292,"address":[],"length":0,"stats":{"Line":21}},{"line":293,"address":[],"length":0,"stats":{"Line":21}},{"line":294,"address":[],"length":0,"stats":{"Line":21}},{"line":295,"address":[],"length":0,"stats":{"Line":21}},{"line":296,"address":[],"length":0,"stats":{"Line":21}},{"line":297,"address":[],"length":0,"stats":{"Line":21}},{"line":298,"address":[],"length":0,"stats":{"Line":21}},{"line":309,"address":[],"length":0,"stats":{"Line":214}},{"line":310,"address":[],"length":0,"stats":{"Line":214}},{"line":318,"address":[],"length":0,"stats":{"Line":8}},{"line":319,"address":[],"length":0,"stats":{"Line":8}},{"line":329,"address":[],"length":0,"stats":{"Line":3}},{"line":330,"address":[],"length":0,"stats":{"Line":3}},{"line":338,"address":[],"length":0,"stats":{"Line":14}},{"line":339,"address":[],"length":0,"stats":{"Line":14}},{"line":345,"address":[],"length":0,"stats":{"Line":0}},{"line":346,"address":[],"length":0,"stats":{"Line":0}},{"line":352,"address":[],"length":0,"stats":{"Line":0}},{"line":353,"address":[],"length":0,"stats":{"Line":0}},{"line":370,"address":[],"length":0,"stats":{"Line":0}},{"line":371,"address":[],"length":0,"stats":{"Line":0}},{"line":392,"address":[],"length":0,"stats":{"Line":2}},{"line":393,"address":[],"length":0,"stats":{"Line":2}},{"line":402,"address":[],"length":0,"stats":{"Line":2}},{"line":403,"address":[],"length":0,"stats":{"Line":2}},{"line":410,"address":[],"length":0,"stats":{"Line":5}},{"line":411,"address":[],"length":0,"stats":{"Line":5}},{"line":416,"address":[],"length":0,"stats":{"Line":17}},{"line":417,"address":[],"length":0,"stats":{"Line":33}},{"line":422,"address":[],"length":0,"stats":{"Line":16}},{"line":423,"address":[],"length":0,"stats":{"Line":16}},{"line":432,"address":[],"length":0,"stats":{"Line":17}},{"line":433,"address":[],"length":0,"stats":{"Line":17}},{"line":434,"address":[],"length":0,"stats":{"Line":1}},{"line":435,"address":[],"length":0,"stats":{"Line":16}},{"line":436,"address":[],"length":0,"stats":{"Line":8}},{"line":437,"address":[],"length":0,"stats":{"Line":8}},{"line":450,"address":[],"length":0,"stats":{"Line":18}},{"line":451,"address":[],"length":0,"stats":{"Line":35}},{"line":452,"address":[],"length":0,"stats":{"Line":1}},{"line":453,"address":[],"length":0,"stats":{"Line":17}},{"line":456,"address":[],"length":0,"stats":{"Line":9}},{"line":458,"address":[],"length":0,"stats":{"Line":8}},{"line":459,"address":[],"length":0,"stats":{"Line":2}},{"line":460,"address":[],"length":0,"stats":{"Line":4}},{"line":461,"address":[],"length":0,"stats":{"Line":1}},{"line":462,"address":[],"length":0,"stats":{"Line":1}},{"line":465,"address":[],"length":0,"stats":{"Line":2}},{"line":466,"address":[],"length":0,"stats":{"Line":2}},{"line":469,"address":[],"length":0,"stats":{"Line":2}},{"line":471,"address":[],"length":0,"stats":{"Line":5}},{"line":472,"address":[],"length":0,"stats":{"Line":10}},{"line":473,"address":[],"length":0,"stats":{"Line":2}},{"line":474,"address":[],"length":0,"stats":{"Line":1}},{"line":475,"address":[],"length":0,"stats":{"Line":1}},{"line":476,"address":[],"length":0,"stats":{"Line":1}},{"line":479,"address":[],"length":0,"stats":{"Line":5}},{"line":480,"address":[],"length":0,"stats":{"Line":5}},{"line":483,"address":[],"length":0,"stats":{"Line":5}},{"line":485,"address":[],"length":0,"stats":{"Line":2}},{"line":486,"address":[],"length":0,"stats":{"Line":2}},{"line":488,"address":[],"length":0,"stats":{"Line":2}},{"line":489,"address":[],"length":0,"stats":{"Line":2}},{"line":491,"address":[],"length":0,"stats":{"Line":2}},{"line":505,"address":[],"length":0,"stats":{"Line":18}},{"line":506,"address":[],"length":0,"stats":{"Line":18}},{"line":508,"address":[],"length":0,"stats":{"Line":1}},{"line":509,"address":[],"length":0,"stats":{"Line":26}},{"line":511,"address":[],"length":0,"stats":{"Line":8}},{"line":512,"address":[],"length":0,"stats":{"Line":2}},{"line":513,"address":[],"length":0,"stats":{"Line":4}},{"line":514,"address":[],"length":0,"stats":{"Line":1}},{"line":515,"address":[],"length":0,"stats":{"Line":1}},{"line":518,"address":[],"length":0,"stats":{"Line":2}},{"line":519,"address":[],"length":0,"stats":{"Line":2}},{"line":522,"address":[],"length":0,"stats":{"Line":2}},{"line":524,"address":[],"length":0,"stats":{"Line":5}},{"line":525,"address":[],"length":0,"stats":{"Line":10}},{"line":526,"address":[],"length":0,"stats":{"Line":2}},{"line":527,"address":[],"length":0,"stats":{"Line":1}},{"line":528,"address":[],"length":0,"stats":{"Line":1}},{"line":529,"address":[],"length":0,"stats":{"Line":1}},{"line":532,"address":[],"length":0,"stats":{"Line":5}},{"line":533,"address":[],"length":0,"stats":{"Line":5}},{"line":536,"address":[],"length":0,"stats":{"Line":5}},{"line":538,"address":[],"length":0,"stats":{"Line":2}},{"line":539,"address":[],"length":0,"stats":{"Line":2}},{"line":541,"address":[],"length":0,"stats":{"Line":2}},{"line":542,"address":[],"length":0,"stats":{"Line":2}},{"line":544,"address":[],"length":0,"stats":{"Line":2}},{"line":559,"address":[],"length":0,"stats":{"Line":1}},{"line":562,"address":[],"length":0,"stats":{"Line":2}},{"line":563,"address":[],"length":0,"stats":{"Line":1}},{"line":565,"address":[],"length":0,"stats":{"Line":0}},{"line":566,"address":[],"length":0,"stats":{"Line":0}},{"line":567,"address":[],"length":0,"stats":{"Line":0}},{"line":568,"address":[],"length":0,"stats":{"Line":0}},{"line":569,"address":[],"length":0,"stats":{"Line":0}},{"line":570,"address":[],"length":0,"stats":{"Line":0}},{"line":571,"address":[],"length":0,"stats":{"Line":0}},{"line":572,"address":[],"length":0,"stats":{"Line":0}},{"line":573,"address":[],"length":0,"stats":{"Line":0}},{"line":574,"address":[],"length":0,"stats":{"Line":0}},{"line":575,"address":[],"length":0,"stats":{"Line":0}},{"line":587,"address":[],"length":0,"stats":{"Line":1}},{"line":590,"address":[],"length":0,"stats":{"Line":2}},{"line":592,"address":[],"length":0,"stats":{"Line":0}},{"line":593,"address":[],"length":0,"stats":{"Line":0}},{"line":594,"address":[],"length":0,"stats":{"Line":0}},{"line":595,"address":[],"length":0,"stats":{"Line":0}},{"line":596,"address":[],"length":0,"stats":{"Line":0}},{"line":597,"address":[],"length":0,"stats":{"Line":0}},{"line":598,"address":[],"length":0,"stats":{"Line":0}},{"line":599,"address":[],"length":0,"stats":{"Line":0}},{"line":600,"address":[],"length":0,"stats":{"Line":0}},{"line":601,"address":[],"length":0,"stats":{"Line":0}},{"line":602,"address":[],"length":0,"stats":{"Line":0}},{"line":611,"address":[],"length":0,"stats":{"Line":1}},{"line":612,"address":[],"length":0,"stats":{"Line":2}},{"line":613,"address":[],"length":0,"stats":{"Line":0}},{"line":614,"address":[],"length":0,"stats":{"Line":0}},{"line":617,"address":[],"length":0,"stats":{"Line":2}},{"line":618,"address":[],"length":0,"stats":{"Line":0}},{"line":619,"address":[],"length":0,"stats":{"Line":0}},{"line":620,"address":[],"length":0,"stats":{"Line":0}},{"line":622,"address":[],"length":0,"stats":{"Line":0}},{"line":623,"address":[],"length":0,"stats":{"Line":1}},{"line":625,"address":[],"length":0,"stats":{"Line":0}},{"line":626,"address":[],"length":0,"stats":{"Line":0}},{"line":629,"address":[],"length":0,"stats":{"Line":0}},{"line":631,"address":[],"length":0,"stats":{"Line":2}},{"line":635,"address":[],"length":0,"stats":{"Line":1}},{"line":636,"address":[],"length":0,"stats":{"Line":1}},{"line":637,"address":[],"length":0,"stats":{"Line":1}},{"line":638,"address":[],"length":0,"stats":{"Line":0}},{"line":641,"address":[],"length":0,"stats":{"Line":1}},{"line":642,"address":[],"length":0,"stats":{"Line":0}},{"line":643,"address":[],"length":0,"stats":{"Line":0}},{"line":644,"address":[],"length":0,"stats":{"Line":0}},{"line":654,"address":[],"length":0,"stats":{"Line":0}},{"line":660,"address":[],"length":0,"stats":{"Line":1}},{"line":666,"address":[],"length":0,"stats":{"Line":0}},{"line":667,"address":[],"length":0,"stats":{"Line":0}},{"line":668,"address":[],"length":0,"stats":{"Line":0}},{"line":669,"address":[],"length":0,"stats":{"Line":0}},{"line":672,"address":[],"length":0,"stats":{"Line":0}},{"line":673,"address":[],"length":0,"stats":{"Line":0}},{"line":674,"address":[],"length":0,"stats":{"Line":0}},{"line":675,"address":[],"length":0,"stats":{"Line":0}},{"line":677,"address":[],"length":0,"stats":{"Line":0}},{"line":684,"address":[],"length":0,"stats":{"Line":1}},{"line":685,"address":[],"length":0,"stats":{"Line":0}},{"line":686,"address":[],"length":0,"stats":{"Line":0}},{"line":690,"address":[],"length":0,"stats":{"Line":1}},{"line":691,"address":[],"length":0,"stats":{"Line":0}},{"line":692,"address":[],"length":0,"stats":{"Line":0}},{"line":693,"address":[],"length":0,"stats":{"Line":0}},{"line":694,"address":[],"length":0,"stats":{"Line":0}},{"line":696,"address":[],"length":0,"stats":{"Line":0}},{"line":698,"address":[],"length":0,"stats":{"Line":1}},{"line":699,"address":[],"length":0,"stats":{"Line":1}},{"line":700,"address":[],"length":0,"stats":{"Line":1}},{"line":708,"address":[],"length":0,"stats":{"Line":64}},{"line":709,"address":[],"length":0,"stats":{"Line":64}},{"line":730,"address":[],"length":0,"stats":{"Line":64}},{"line":731,"address":[],"length":0,"stats":{"Line":64}},{"line":732,"address":[],"length":0,"stats":{"Line":6}},{"line":733,"address":[],"length":0,"stats":{"Line":58}},{"line":739,"address":[],"length":0,"stats":{"Line":42}},{"line":745,"address":[],"length":0,"stats":{"Line":42}},{"line":747,"address":[],"length":0,"stats":{"Line":0}},{"line":748,"address":[],"length":0,"stats":{"Line":0}},{"line":749,"address":[],"length":0,"stats":{"Line":0}},{"line":750,"address":[],"length":0,"stats":{"Line":0}},{"line":751,"address":[],"length":0,"stats":{"Line":0}},{"line":752,"address":[],"length":0,"stats":{"Line":0}},{"line":753,"address":[],"length":0,"stats":{"Line":0}},{"line":756,"address":[],"length":0,"stats":{"Line":0}},{"line":757,"address":[],"length":0,"stats":{"Line":0}},{"line":758,"address":[],"length":0,"stats":{"Line":0}},{"line":759,"address":[],"length":0,"stats":{"Line":0}},{"line":763,"address":[],"length":0,"stats":{"Line":0}},{"line":764,"address":[],"length":0,"stats":{"Line":0}},{"line":765,"address":[],"length":0,"stats":{"Line":0}},{"line":766,"address":[],"length":0,"stats":{"Line":0}},{"line":770,"address":[],"length":0,"stats":{"Line":0}},{"line":771,"address":[],"length":0,"stats":{"Line":0}},{"line":772,"address":[],"length":0,"stats":{"Line":0}},{"line":773,"address":[],"length":0,"stats":{"Line":0}},{"line":779,"address":[],"length":0,"stats":{"Line":0}},{"line":780,"address":[],"length":0,"stats":{"Line":38}},{"line":818,"address":[],"length":0,"stats":{"Line":0}},{"line":819,"address":[],"length":0,"stats":{"Line":38}},{"line":821,"address":[],"length":0,"stats":{"Line":4}},{"line":893,"address":[],"length":0,"stats":{"Line":2}},{"line":894,"address":[],"length":0,"stats":{"Line":2}}],"covered":123,"coverable":205},{"path":["/","home","stu","dev","rust","jose","src","jws","builder.rs"],"content":"use crate::{\n    format::Format,\n    header::{self, HeaderValue, JoseHeaderBuilder, JoseHeaderBuilderError},\n    jwa::JsonWebSigningAlgorithm,\n    JoseHeader, JsonWebSignature,\n};\n\n/// Builds a [`JsonWebSignature`] with custom header parameters.\n#[derive(Debug)]\npub struct JsonWebSignatureBuilder\u003cF: Format\u003e {\n    header: Option\u003cResult\u003cF::JwsHeader, JoseHeaderBuilderError\u003e\u003e,\n}\n\nimpl\u003cF: Format\u003e JsonWebSignatureBuilder\u003cF\u003e {\n    pub(super) fn new() -\u003e Self {\n        Self { header: None }\n    }\n\n    /// Configures the custom header for this [`JsonWebSignature`].\n    ///\n    /// For [`Compact`](crate::format::Compact) and\n    /// [`JsonFlattened`](crate::format::JsonFlattened) format, this method\n    /// will set the single protected, and unprotected header if JSON flattened,\n    /// header.\n    ///\n    /// ## Support for empty protected headers\n    ///\n    /// The [JWS RFC] allows for the protected header to be empty, and instead\n    /// supply all necessary parameters in the unprotected header. By\n    /// default, the `jose` crate will overwrite the `alg` field (and\n    /// optionally `kid` field) in the protected header, with the signing\n    /// algorithm used in the signing operation.\n    /// To achieve that the `alg` field is set on the unprotected header, one\n    /// must set the `alg`\n    /// field to `HeaderValue::Protected(JsonWebSigningAlgorithm::None)`\n    /// manually.\n    ///\n    /// However, you must note, that this feature is not supported for the\n    /// [`Compact`](crate::format::Compact) format, becuase that format can only\n    /// have a protected header.\n    ///\n    /// ```\n    /// # use jose::{format::*, jws::*, header::HeaderValue, jwa::*};\n    /// # fn main() {\n    /// let jws = JsonWebSignature::\u003cJsonFlattened, _\u003e::builder()\n    ///     .header(|b| b.algorithm(HeaderValue::Unprotected(JsonWebSigningAlgorithm::None)))\n    ///     .build(())\n    ///     .unwrap();\n    /// # }\n    /// ```\n    ///\n    /// [JWS RFC]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515\u003e\n    pub fn header\u003c\n        CB: FnOnce(JoseHeaderBuilder\u003cF, header::Jws\u003e) -\u003e JoseHeaderBuilder\u003cF, header::Jws\u003e,\n    \u003e(\n        mut self,\n        callback: CB,\n    ) -\u003e Self {\n        let mut header = match self.header {\n            Some(Ok(hdr)) =\u003e Ok(hdr),\n\n            // when there was an error setting the previous header,\n            // do not overwrite the header value, because we want\n            // to keep the error and report it in the `build` method\n            Some(Err(_)) =\u003e return self,\n\n            // this `Err` value is just used as a placeholder to be replaced\n            None =\u003e Err(JoseHeaderBuilderError::MissingAlgorithm),\n        };\n\n        let builder = JoseHeader::\u003cF, header::Jws\u003e::builder()\n            .algorithm(HeaderValue::Protected(JsonWebSigningAlgorithm::None));\n        let builder = callback(builder);\n\n        F::finalize_jws_header_builder(\u0026mut header, builder);\n        self.header = Some(header);\n\n        self\n    }\n\n    /// Finalizes this builder and returns the creates [`JsonWebSignature`].\n    ///\n    /// # Errors\n    ///\n    /// Fails if the supplied header parameters were invalid.\n    pub fn build\u003cT\u003e(self, payload: T) -\u003e Result\u003cJsonWebSignature\u003cF, T\u003e, JoseHeaderBuilderError\u003e {\n        let header = match self.header {\n            Some(hdr) =\u003e hdr?,\n            None =\u003e {\n                let default_header = JoseHeader::\u003cF, header::Jws\u003e::builder()\n                    .algorithm(HeaderValue::Protected(JsonWebSigningAlgorithm::None));\n\n                let mut header = Err(JoseHeaderBuilderError::MissingAlgorithm);\n                F::finalize_jws_header_builder(\u0026mut header, default_header);\n                header?\n            }\n        };\n\n        Ok(JsonWebSignature::new(header, payload))\n    }\n}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":0}},{"line":86,"address":[],"length":0,"stats":{"Line":0}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":90,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":94,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":22},{"path":["/","home","stu","dev","rust","jose","src","jws","sign.rs"],"content":"use core::fmt;\n\nuse crate::{\n    crypto,\n    format::Format,\n    jwa::{JsonWebAlgorithm, JsonWebSigningAlgorithm},\n    jwk::FromKey,\n};\n\n/// This type indicates that the inner value is signed using a [signing\n/// algorithm].\n///\n/// # Generic Arguments\n///\n/// - `T` is the inner type that is signed\n/// - `S` is the signature\n///\n/// [signing algorithm]: crate::jwa::JsonWebSigningAlgorithm\n#[derive(Debug, PartialEq, Eq, Hash)]\npub struct Signed\u003cF\u003e {\n    pub(crate) value: F,\n}\n\nimpl\u003cF: Format\u003e fmt::Display for Signed\u003cF\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Display::fmt(\u0026self.value, f)\n    }\n}\n\nimpl\u003cF: Format\u003e Signed\u003cF\u003e {\n    /// Encodes this signed value into the format of the signed JWS.\n    #[inline]\n    pub fn encode(self) -\u003e F {\n        self.value\n    }\n}\n\n/// This trait represents anything that can be used to sign a JWS, JWE, or\n/// whatever.\n///\n/// A message is signed by just passing the raw bytes that should be signed.\n///\n/// To be able to be used as a [`Signer`], one must provide the sign operation\n/// itself, and also needs to [specify the algorithm] used for signing. The\n/// algorithm will be used as the value for the `alg` field inside the\n/// [`JoseHeader`](crate::header::JoseHeader) for the signed type.\n///\n/// [specify the algorithm]: Signer::algorithm\npub trait Signer\u003cS: AsRef\u003c[u8]\u003e\u003e {\n    /// Signs a raw byte message using this signer, returning a signature.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the signing operation fails.\n    /// An error usually only appears when communicating with external signers.\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cS, crypto::Error\u003e;\n\n    /// Return the type of signing algorithm used by this signer.\n    fn algorithm(\u0026self) -\u003e JsonWebSigningAlgorithm;\n\n    /// JsonWebSignatures *can* contain a key id which is specified\n    /// by this method.\n    fn key_id(\u0026self) -\u003e Option\u003c\u0026str\u003e {\n        None\n    }\n\n    /// Returns a new [`Signer`] that wraps `self`, but returns `None` when\n    /// calling the `key_id` method.\n    fn without_key_id(self) -\u003e SignerWithoutKeyId\u003cSelf\u003e\n    where\n        Self: Sized,\n    {\n        SignerWithoutKeyId { inner: self }\n    }\n}\n\n/// Wrapper type around an existing [`Signer`] that will always return `None`\n/// for the key id.\n///\n/// This is useful if you parse a JWK, which has a Key ID, but you do not want\n/// to add this ID to the header in a JWS.\n#[derive(Debug, Clone)]\npub struct SignerWithoutKeyId\u003cS\u003e {\n    inner: S,\n}\n\nimpl\u003cSIG: AsRef\u003c[u8]\u003e, S: Signer\u003cSIG\u003e\u003e Signer\u003cSIG\u003e for SignerWithoutKeyId\u003cS\u003e {\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cSIG, crypto::Error\u003e {\n        S::sign(\u0026mut self.inner, msg)\n    }\n\n    fn algorithm(\u0026self) -\u003e JsonWebSigningAlgorithm {\n        S::algorithm(\u0026self.inner)\n    }\n\n    fn key_id(\u0026self) -\u003e Option\u003c\u0026str\u003e {\n        None\n    }\n}\n\n/// An error returned if something expected a different\n/// [`JsonWebAlgorithm`]\n#[derive(Debug, thiserror::Error, PartialEq, Eq)]\n#[error(\"Invalid algorithm\")]\npub struct InvalidSigningAlgorithmError;\n\n/// A trait to turn something into a [`Signer`].\n///\n/// Some key types like the [`Rsa`](crate::crypto::rsa::PrivateKey) key type\n/// need to know which [algorithm](JsonWebSigningAlgorithm) to use.\npub trait IntoSigner\u003cT, S\u003e\nwhere\n    T: Signer\u003cS\u003e,\n    S: AsRef\u003c[u8]\u003e,\n{\n    /// The error returned if the conversion failed\n    type Error;\n\n    /// Turn `self` into the [`Signer`] `T`\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the conversion failed\n    fn into_signer(self, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cT, Self::Error\u003e;\n}\n\nimpl\u003cK, T, S\u003e IntoSigner\u003cT, S\u003e for K\nwhere\n    T: FromKey\u003cK\u003e + Signer\u003cS\u003e,\n    S: AsRef\u003c[u8]\u003e,\n{\n    type Error = \u003cT as FromKey\u003cK\u003e\u003e::Error;\n\n    fn into_signer(self, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cT, Self::Error\u003e {\n        T::from_key(self, JsonWebAlgorithm::Signing(alg))\n    }\n}\n","traces":[{"line":25,"address":[],"length":0,"stats":{"Line":0}},{"line":26,"address":[],"length":0,"stats":{"Line":0}},{"line":33,"address":[],"length":0,"stats":{"Line":0}},{"line":34,"address":[],"length":0,"stats":{"Line":0}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":134,"address":[],"length":0,"stats":{"Line":0}},{"line":135,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":15},{"path":["/","home","stu","dev","rust","jose","src","jws","verify.rs"],"content":"use alloc::vec::Vec;\nuse core::ops::{Deref, DerefMut};\n\nuse thiserror::Error;\n\nuse super::JsonWebSignature;\nuse crate::{\n    crypto,\n    format::{DecodeFormat, DecodeFormatWithContext, Format, JsonGeneral},\n    jwa::{JsonWebAlgorithm, JsonWebSigningAlgorithm},\n    jwk::FromKey,\n};\n\n/// The error indicating if either the signature is invalid, or if the\n/// cyptographic operation failed.\n#[derive(Debug, Error)]\npub enum VerifyError {\n    /// The signature is invalid.\n    #[error(\"signature is invalid\")]\n    InvalidSignature,\n\n    /// The crypto backend threw an error.\n    #[error(\"crypto backend error\")]\n    CryptoBackend(\n        #[from]\n        #[source]\n        crypto::Error,\n    ),\n}\n\n/// This trait represents anything that can be used to verify a JWS, JWE, or\n/// whatever.\npub trait Verifier {\n    /// The `verify` operation.\n    ///\n    /// If the message is valid, returns `Ok(())`.\n    ///\n    /// # Errors\n    ///\n    /// Returns [`VerifyError`] if anything went wrong during signature\n    /// verification or if the signature is just invalid.\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), VerifyError\u003e;\n}\n\n/// This wrapper type represents a [JWS](crate::JsonWebSignature) that was\n/// parsed from user input, but the data integrity was not verified, thus it\n/// might contain corrupted or malicious data.\n///\n/// An [`Unverified`] struct can be verified using the [`verify`](Self::verify)\n/// method.\n#[derive(Debug)]\npub struct Unverified\u003cT\u003e {\n    pub(crate) value: T,\n    pub(crate) signature: Vec\u003cu8\u003e,\n    pub(crate) msg: Vec\u003cu8\u003e,\n}\n\nimpl\u003cT\u003e Unverified\u003cT\u003e {\n    /// Parse the input format to an unverified representation of `T`.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the input format has an invalid representation for\n    /// the `T` type.\n    pub fn decode\u003cF: Format\u003e(input: F) -\u003e Result\u003cSelf, T::Error\u003e\n    where\n        T: DecodeFormat\u003cF, Decoded\u003cT\u003e = Unverified\u003cT\u003e\u003e,\n    {\n        T::decode(input)\n    }\n\n    /// Parse the input format to an unverified representation of `T`, with the\n    /// given context.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the input format has an invalid representation for\n    /// the `T` type.\n    pub fn decode_with_context\u003cF: Format, C\u003e(input: F, context: \u0026C) -\u003e Result\u003cSelf, T::Error\u003e\n    where\n        T: DecodeFormatWithContext\u003cF, C, Decoded\u003cT\u003e = Unverified\u003cT\u003e\u003e,\n    {\n        T::decode_with_context(input, context)\n    }\n\n    /// Verify this struct using the given verifier, returning a [`Verified`]\n    /// representation of the inner type.\n    ///\n    /// # Errors\n    ///\n    /// Returns [`VerifyError`] if anything went wrong during signature\n    /// verification or if the signature is just invalid.\n    pub fn verify(self, verifier: \u0026mut dyn Verifier) -\u003e Result\u003cVerified\u003cT\u003e, VerifyError\u003e {\n        verifier.verify(\u0026self.msg, \u0026self.signature)?;\n        Ok(Verified(self.value))\n    }\n}\n\nimpl\u003cT, F\u003e Unverified\u003cJsonWebSignature\u003cF, T\u003e\u003e\nwhere\n    F: Format,\n{\n    /// Exposes the **unverified** [`JoseHeader`](crate::JoseHeader) of this\n    /// [`JsonWebSignature`]\n    ///\n    /// You usually **should not use this method**. Instead, verify the\n    /// [`JsonWebSignature`] and potentially protected headers first, to avoid\n    /// creating security vulnerabilities.\n    ///\n    /// # When to use\n    ///\n    /// One use case is to determine which key was used to create this signature\n    /// in the first place. For example, consider you have a list of public\n    /// keys used by the same party. If you were not able to peek inside to\n    /// get a hint of the key used, for example via\n    /// [`JoseHeader::key_identifier`](crate::JoseHeader::key_identifier), you\n    /// would have to try each key until either a signature is valid or\n    /// there are no keys left.\n    ///\n    /// However, note that, since the header is not verified yet, an attacker\n    /// can spoof the key hint. For example, you MUST still make sure that the\n    /// key in the hint is actually established and does not belong to some\n    /// other party which might still be in your list of keys but is unrelated.\n    ///\n    /// # Security\n    ///\n    /// Every security garantee given by this crate is broken for the returned\n    /// [`JoseHeader`](crate::JoseHeader), including\n    /// [`HeaderValue::Protected`](crate::header::HeaderValue). Thus, you should\n    /// use this method only within isolated code regions.\n    pub fn expose_unverified_header(\u0026self) -\u003e \u0026F::JwsHeader {\n        \u0026self.value.header\n    }\n\n    /// Exposes the **unverified** [`payload`](JsonWebSignature::payload) of\n    /// this [`JsonWebSignature`]\n    ///\n    /// You **should never have the need to use this method**. If you have\n    /// information in the payload that you need in order to verify the\n    /// signature, you are using it wrong. Instead, such information should be\n    /// put in the [`JoseHeader`](crate::JoseHeader) and can be accessed via\n    /// [`expose_unverified_header]`](Self::expose_unverified_header).\n    ///\n    /// # Security\n    ///\n    /// Every security garantee given by this crate is broken for the returned\n    /// payload `T`. Thus, you should use this method only within isolated code\n    /// regions.\n    pub fn expose_unverified_payload(\u0026self) -\u003e \u0026T {\n        \u0026self.value.payload\n    }\n\n    /// Exposes the **unverified** raw signature in its byte representation\n    ///\n    /// Note: raw means that it is already base64 decoded.\n    ///\n    /// There is absolutely no reason to use this method. If you want to use\n    /// your own code for verification, you should create your own [`Verifier`]\n    /// instead.\n    pub fn expose_unverified_raw_signature(\u0026self) -\u003e \u0026[u8] {\n        self.signature.as_slice()\n    }\n}\n\n/// This wrapper type represents a [JWS](crate::JsonWebSignature) that was\n/// parsed from user input, but the data integrity was not verified, thus it\n/// might contain corrupted or malicious data.\n///\n/// Compared to [`Unverified`] this type can contain multiple signatures that\n/// need to be verified. An instance of this type can only be obtained by\n/// decoding a JWS using the [`JsonGeneral`] format.\n#[derive(Debug)]\npub struct ManyUnverified\u003cT\u003e {\n    pub(crate) value: T,\n    // Vec\u003c(msg, signature)\u003e\n    pub(crate) signatures: Vec\u003c(Vec\u003cu8\u003e, Vec\u003cu8\u003e)\u003e,\n}\n\nimpl\u003cT\u003e ManyUnverified\u003cT\u003e {\n    /// Parses a JWS in the [`JsonGeneral`] format into an unverified\n    /// representation of `T`.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the input format has an invalid representation for\n    /// the `T` type.\n    pub fn decode(input: JsonGeneral) -\u003e Result\u003cSelf, T::Error\u003e\n    where\n        T: DecodeFormat\u003cJsonGeneral, Decoded\u003cT\u003e = ManyUnverified\u003cT\u003e\u003e,\n    {\n        T::decode(input)\n    }\n\n    /// Returns the number of signatures in this JWS.\n    pub fn signature_count(\u0026self) -\u003e usize {\n        self.signatures.len()\n    }\n\n    /// Verify this struct using the given verifies, returning a [`Verified`]\n    /// representation of the inner type.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the number of verifiers does not match the number of\n    /// signatures, or if anything went wrong during a signature\n    /// verification or if one of the signatures is just invalid.\n    // TODO: consider using a more specific error type to give the usermore\n    // information about the error\n    pub fn verify_many\u003c'a\u003e(\n        self,\n        verifiers: impl IntoIterator\u003cItem = \u0026'a mut dyn Verifier\u003e,\n    ) -\u003e Result\u003cVerified\u003cT\u003e, VerifyError\u003e {\n        let verifiers = verifiers.into_iter().collect::\u003cVec\u003c_\u003e\u003e();\n        if verifiers.len() != self.signatures.len() {\n            return Err(VerifyError::InvalidSignature);\n        }\n\n        for (verifier, (msg, signature)) in verifiers.into_iter().zip(self.signatures) {\n            verifier.verify(\u0026msg, \u0026signature)?;\n        }\n\n        Ok(Verified(self.value))\n    }\n}\n\nimpl\u003cT, F\u003e ManyUnverified\u003cJsonWebSignature\u003cF, T\u003e\u003e\nwhere\n    F: Format,\n{\n    /// Exposes the **unverified** [`JoseHeader`](crate::JoseHeader) of this\n    /// [`JsonWebSignature`]\n    ///\n    /// You usually **should not use this method**. Instead, verify the\n    /// [`JsonWebSignature`] and potentially protected headers first, to avoid\n    /// creating security vulnerabilities.\n    ///\n    /// # When to use\n    ///\n    /// One use case is to determine which key was used to create this signature\n    /// in the first place. For example, consider you have a list of public\n    /// keys used by the same party. If you were not able to peek inside to\n    /// get a hint of the key used, for example via\n    /// [`JoseHeader::key_identifier`](crate::JoseHeader::key_identifier), you\n    /// would have to try each key until either a signature is valid or\n    /// there are no keys left.\n    ///\n    /// However, note that, since the header is not verified yet, an attacker\n    /// can spoof the key hint. For example, you MUST still make sure that the\n    /// key in the hint is actually established and does not belong to some\n    /// other party which might still be in your list of keys but is unrelated.\n    ///\n    /// # Security\n    ///\n    /// Every security garantee given by this crate is broken for the returned\n    /// [`JoseHeader`](crate::JoseHeader), including\n    /// [`HeaderValue::Protected`](crate::header::HeaderValue). Thus, you should\n    /// use this method only within isolated code regions.\n    pub fn expose_unverified_header(\u0026self) -\u003e \u0026F::JwsHeader {\n        \u0026self.value.header\n    }\n\n    /// Exposes the **unverified** [`payload`](JsonWebSignature::payload) of\n    /// this [`JsonWebSignature`]\n    ///\n    /// You **should never have the need to use this method**. If you have\n    /// information in the payload that you need in order to verify the\n    /// signature, you are using it wrong. Instead, such information should be\n    /// put in the [`JoseHeader`](crate::JoseHeader) and can be accessed via\n    /// [`expose_unverified_header]`](Self::expose_unverified_header).\n    ///\n    /// # Security\n    ///\n    /// Every security garantee given by this crate is broken for the returned\n    /// payload `T`. Thus, you should use this method only within isolated code\n    /// regions.\n    pub fn expose_unverified_payload(\u0026self) -\u003e \u0026T {\n        \u0026self.value.payload\n    }\n\n    /// Exposes an [`Iterator`] over the **unverified** signatures and their\n    /// corresponding messages.\n    ///\n    /// It returns an [`Iterator`] over `(message, signature)` for each\n    /// signature. Note: raw means that they are already base64 decoded.\n    ///\n    /// There is absolutely no reason to use this method. If you want to use\n    /// your own code for verification, you should create your own [`Verifier`]\n    /// instead.\n    pub fn expose_unverified_raw_signatures(\u0026self) -\u003e impl Iterator\u003cItem = (\u0026[u8], \u0026[u8])\u003e {\n        self.signatures\n            .iter()\n            .map(|(msg, sig)| (msg.as_slice(), sig.as_slice()))\n    }\n}\n\n/// Wrapper type around a JWS, or JWE that was verified using a [`Verifier`].\n#[derive(Debug)]\npub struct Verified\u003cT\u003e(T);\n\nimpl\u003cT\u003e Verified\u003cT\u003e {\n    /// Turns self into it's inner `T`.\n    pub fn into_inner(self) -\u003e T {\n        self.0\n    }\n}\n\nimpl\u003cT\u003e Deref for Verified\u003cT\u003e {\n    type Target = T;\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        \u0026self.0\n    }\n}\n\nimpl\u003cT\u003e DerefMut for Verified\u003cT\u003e {\n    fn deref_mut(\u0026mut self) -\u003e \u0026mut Self::Target {\n        \u0026mut self.0\n    }\n}\n\n/// A trait to turn something into a [`Verifier`]\n///\n/// Some key types like the [`Rsa`](crate::crypto::rsa::PublicKey) key type need\n/// to know which [algorithm](JsonWebSigningAlgorithm) to use.\npub trait IntoVerifier\u003cV\u003e\nwhere\n    V: Verifier,\n{\n    /// The error returned if the conversion failed\n    type Error;\n\n    /// Turn `self` into the [`Verifier`] `V`\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the conversion failed\n    fn into_verifier(self, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cV, Self::Error\u003e;\n}\n\nimpl\u003cK, V\u003e IntoVerifier\u003cV\u003e for K\nwhere\n    V: FromKey\u003cK\u003e + Verifier,\n{\n    type Error = \u003cV as FromKey\u003cK\u003e\u003e::Error;\n\n    fn into_verifier(self, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cV, Self::Error\u003e {\n        V::from_key(self, JsonWebAlgorithm::Signing(alg))\n    }\n}\n","traces":[{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":79,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":94,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":149,"address":[],"length":0,"stats":{"Line":0}},{"line":150,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":0}},{"line":161,"address":[],"length":0,"stats":{"Line":0}},{"line":187,"address":[],"length":0,"stats":{"Line":0}},{"line":191,"address":[],"length":0,"stats":{"Line":0}},{"line":195,"address":[],"length":0,"stats":{"Line":0}},{"line":196,"address":[],"length":0,"stats":{"Line":0}},{"line":209,"address":[],"length":0,"stats":{"Line":0}},{"line":213,"address":[],"length":0,"stats":{"Line":0}},{"line":214,"address":[],"length":0,"stats":{"Line":0}},{"line":215,"address":[],"length":0,"stats":{"Line":0}},{"line":218,"address":[],"length":0,"stats":{"Line":0}},{"line":219,"address":[],"length":0,"stats":{"Line":0}},{"line":222,"address":[],"length":0,"stats":{"Line":0}},{"line":258,"address":[],"length":0,"stats":{"Line":0}},{"line":259,"address":[],"length":0,"stats":{"Line":0}},{"line":276,"address":[],"length":0,"stats":{"Line":0}},{"line":277,"address":[],"length":0,"stats":{"Line":0}},{"line":289,"address":[],"length":0,"stats":{"Line":0}},{"line":290,"address":[],"length":0,"stats":{"Line":0}},{"line":292,"address":[],"length":0,"stats":{"Line":0}},{"line":302,"address":[],"length":0,"stats":{"Line":0}},{"line":303,"address":[],"length":0,"stats":{"Line":0}},{"line":310,"address":[],"length":0,"stats":{"Line":0}},{"line":311,"address":[],"length":0,"stats":{"Line":0}},{"line":316,"address":[],"length":0,"stats":{"Line":0}},{"line":317,"address":[],"length":0,"stats":{"Line":0}},{"line":346,"address":[],"length":0,"stats":{"Line":0}},{"line":347,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":39},{"path":["/","home","stu","dev","rust","jose","src","jws.rs"],"content":"//! Implementation of JSON Web Signature (JWS) as defined in [RFC 7515]\n//!\n//! [RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515\u003e\n\nuse alloc::{format, string::String, vec, vec::Vec};\n\nuse thiserror::Error;\n\nuse crate::{\n    crypto,\n    format::{\n        Compact, DecodeFormat, DecodeFormatWithContext, Format, JsonFlattened, JsonGeneral,\n        JsonGeneralSignature,\n    },\n    header, Base64UrlString, JoseHeader,\n};\n\nmod builder;\nmod sign;\nmod verify;\n\n#[doc(inline)]\npub use {builder::*, sign::*, verify::*};\n\n// FIXME: check section 5.3. (string comparison) and verify correctness\n// FIXME: protected headers\n// FIXME: unencoded payload (IMPORTANT: check that string is all ascii, except\n// `.` character)\n\n/// The kind of payload used in a JWS.\n///\n/// Kind means that a payload data is either attached, or detached.\n#[derive(Debug, Clone, Hash, PartialEq, Eq)]\npub enum PayloadKind {\n    /// Attached payload.\n    ///\n    /// The payload data will be put into the JWS.\n    /// This is the standard kind.\n    Attached(PayloadData),\n\n    /// Detached payload.\n    ///\n    /// Detached payload is a special payload\n    /// representation of a JWS, specified\n    /// in [Appendix F](https://datatracker.ietf.org/doc/html/rfc7515#appendix-F)\n    /// of the JWS RFC.\n    ///\n    /// Essentially, the payload is not put into the JWS,\n    /// instead it's only used for signing.\n    Detached(PayloadData),\n}\n\n/// The raw payload data that should be stored in the JWS.\n#[derive(Debug, Clone, Hash, PartialEq, Eq)]\npub enum PayloadData {\n    /// The given base64 string will just be used as the payload.\n    Standard(Base64UrlString),\n}\n\n/// Represents anything that can be serialized into a raw payload.\n///\n/// This is required to be implemented when trying to sign a JWS, or encrypt a\n/// JWE.\n///\n/// # Examples\n///\n/// ```\n/// # extern crate alloc;\n/// # use alloc::string::{FromUtf8Error, String};\n/// # use core::convert::Infallible;\n/// # use jose::Base64UrlString;\n/// # use jose::jws::{FromRawPayload, IntoPayload, PayloadKind, PayloadData};\n///\n/// #[derive(Debug, PartialEq, Eq)]\n/// struct StringPayload(String);\n///\n/// impl IntoPayload for StringPayload {\n///     type Error = Infallible;\n///\n///     fn into_payload(self) -\u003e Result\u003cPayloadKind, Self::Error\u003e {\n///         let s = Base64UrlString::encode(self.0);\n///         Ok(PayloadKind::Attached(PayloadData::Standard(s)))\n///     }\n/// }\n/// ```\npub trait IntoPayload {\n    /// The error that can occurr while providing the payload in the\n    /// [`Self::into_payload`] method.\n    type Error;\n\n    /// First, this method must insert the raw bytes representation of this\n    /// payload into the given `digest`, which is later used for creating the\n    /// signature. Then the method must return the [kind of\n    /// payload](PayloadKind) to use in the resulting JWS.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if it failed to provide the payload.\n    fn into_payload(self) -\u003e Result\u003cPayloadKind, Self::Error\u003e;\n}\n\n/// Represents anything that can be parsed from a raw payload.\n///\n/// This is required to be implemented when trying to decoe a JWS, or encrypt a\n/// JWE, from it's format representation.\npub trait FromRawPayload: Sized {\n    /// The error that can occurr in any of the `from_*` methods.\n    type Error;\n\n    /// The additional context that is passed when decoding a payload.\n    type Context;\n\n    /// Converts a standard, attached [`PayloadData`] into this payload type.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the operation failed.\n    fn from_attached(context: \u0026Self::Context, payload: PayloadData) -\u003e Result\u003cSelf, Self::Error\u003e;\n\n    /// Construts this payload type from a detached content.\n    ///\n    /// For context, the header of the JWS will be provided,\n    /// to get / construct the payload.\n    ///\n    /// In addition to `Self`, the raw payload data must be\n    /// returned, in order to verify the signature.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the operation failed.\n    fn from_detached\u003cF, T\u003e(\n        context: \u0026Self::Context,\n        header: \u0026JoseHeader\u003cF, T\u003e,\n    ) -\u003e Result\u003c(Self, PayloadData), Self::Error\u003e;\n\n    /// Construts this payload type from a detached content.\n    ///\n    /// This method is only used when verifying JWS in JSON General format.\n    /// For context, all the header of the JWS will be provided,\n    /// to get / construct the payload.\n    ///\n    /// In addition to `Self`, the raw payload data must be\n    /// returned, in order to verify the signature.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the operation failed.\n    fn from_detached_many\u003cF, T\u003e(\n        context: \u0026Self::Context,\n        headers: \u0026[JoseHeader\u003cF, T\u003e],\n    ) -\u003e Result\u003c(Self, PayloadData), Self::Error\u003e;\n}\n\n/// Different kinds of errors that can occurr while signing a JWS.\n#[derive(Debug, Error)]\npub enum SignError\u003cP\u003e {\n    /// The number of headers in the JWS does not match the number of\n    /// [`Signer`]s.\n    ///\n    /// This error is only possible when using the [`JsonGeneral`] format.\n    #[error(\"the number of headers does not match the number of signers\")]\n    HeaderCountMismatch,\n    /// Failed to serialize the [`JoseHeader`].\n    #[error(\"failed to serialize header: {0}\")]\n    SerializeHeader(#[source] serde_json::Error),\n    /// The `protected` part of the header was empty, which is disallowed in the\n    /// compact format.\n    #[error(\"the protected header was empty on a compact JWS\")]\n    EmptyProtectedHeader,\n    /// The header of the JWS is invalid.\n    #[error(\"invalid JWS header: {0}\")]\n    InvalidHeader(#[source] header::Error),\n    /// The underlying signing operation of the given signer failed.\n    #[error(transparent)]\n    Sign(crypto::Error),\n    /// Failed to convert payload into it's raw byte representation.\n    #[error(transparent)]\n    Payload(P),\n}\n\n/// Represents a JSON Web Signature (JWS) as defined in [RFC 7515].\n///\n/// The JWS is a format for representing digitally signed or MACed (Message\n/// Authentication Code) content using JSON. The JSON representation is used\n/// to convey the payload, the signature, and optionally additional meta-data\n/// about the payload and signature.\n///\n/// The [`JsonWebSignature`] struct has two type parameters:\n///\n/// * `F`: The format of the JWS. This can be either [`Compact`] or\n///   [`JsonFlattened`].\n/// * `T`: The type of the payload. This can be any type that implements the\n///   [`IntoPayload`] trait and also the [`FromRawPayload`] trait.\n///\n/// [RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515\u003e\n#[derive(Debug)]\npub struct JsonWebSignature\u003cF: Format, T = ()\u003e {\n    header: F::JwsHeader,\n    payload: T,\n}\n\nimpl\u003cF: Format\u003e JsonWebSignature\u003cF, ()\u003e {\n    /// Constructs a [`JsonWebSignatureBuilder`].\n    pub fn builder() -\u003e JsonWebSignatureBuilder\u003cF\u003e {\n        JsonWebSignatureBuilder::new()\n    }\n}\n\nimpl\u003cF: Format, T\u003e JsonWebSignature\u003cF, T\u003e {\n    pub(crate) fn new(header: F::JwsHeader, payload: T) -\u003e Self {\n        Self { header, payload }\n    }\n\n    /// Returns a reference to the payload of this JWS.\n    pub fn payload(\u0026self) -\u003e \u0026T {\n        \u0026self.payload\n    }\n}\n\nimpl\u003cT\u003e JsonWebSignature\u003cCompact, T\u003e {\n    /// Returns a reference to the [`JoseHeader`] of\n    /// this JWS.\n    pub fn header(\u0026self) -\u003e \u0026JoseHeader\u003cCompact, header::Jws\u003e {\n        \u0026self.header\n    }\n}\n\nimpl\u003cT\u003e JsonWebSignature\u003cJsonFlattened, T\u003e {\n    /// Returns a reference to the [`JoseHeader`] of\n    /// this JWS.\n    pub fn header(\u0026self) -\u003e \u0026JoseHeader\u003cJsonFlattened, header::Jws\u003e {\n        \u0026self.header\n    }\n}\n\nimpl\u003cT\u003e JsonWebSignature\u003cJsonGeneral, T\u003e {\n    /// Returns a reference to the list of [`JoseHeader`] of this JWS.\n    pub fn header(\u0026self) -\u003e \u0026Vec\u003cJoseHeader\u003cJsonGeneral, header::Jws\u003e\u003e {\n        \u0026self.header\n    }\n}\n\nimpl\u003cF: Format, T: IntoPayload\u003e JsonWebSignature\u003cF, T\u003e {\n    /// Signs this [`JsonWebSignature`] using the given `signer`.\n    ///\n    /// When signing the JWS, some fields of the header of this JWS may be\n    /// updated. For example, the `alg` header parameter will be updated to\n    /// reflect the algorithm used to sign the JWS, and the `kid` header\n    /// parameter may be updated using the value from the given [`Signer`].\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if any step of the signing operation failed.\n    /// This may include:\n    /// - The header is invalid or failed to serialize.\n    /// - The header is invalid after updating it with the given signer.\n    /// - The underlying signing operation of the given signer failed.\n    /// - The payload failed to provide it's raw byte representation.\n    pub fn sign\u003cS: AsRef\u003c[u8]\u003e\u003e(\n        mut self,\n        signer: \u0026mut dyn Signer\u003cS\u003e,\n    ) -\u003e Result\u003cSigned\u003cF\u003e, SignError\u003cT::Error\u003e\u003e {\n        F::update_header(\u0026mut self.header, signer);\n\n        let serialized_header = F::serialize_header(self.header).map_err(|x| match x {\n            SignError::HeaderCountMismatch =\u003e SignError::HeaderCountMismatch,\n            SignError::SerializeHeader(x) =\u003e SignError::SerializeHeader(x),\n            SignError::InvalidHeader(x) =\u003e SignError::InvalidHeader(x),\n            SignError::EmptyProtectedHeader =\u003e SignError::EmptyProtectedHeader,\n            SignError::Sign(x) =\u003e SignError::Sign(x),\n            SignError::Payload(x) =\u003e match x {},\n        })?;\n\n        let mut msg = F::message_from_header(\u0026serialized_header)\n            .map(|x| x.to_vec())\n            .unwrap_or_default();\n        msg.push(b'.');\n\n        let payload = self.payload.into_payload().map_err(SignError::Payload)?;\n        let payload = match payload {\n            PayloadKind::Attached(PayloadData::Standard(b64)) =\u003e {\n                msg.extend(b64.as_bytes());\n                Some(PayloadData::Standard(b64))\n            }\n            PayloadKind::Detached(PayloadData::Standard(b64)) =\u003e {\n                msg.extend(b64.as_bytes());\n                None\n            }\n        };\n\n        let signature = signer.sign(\u0026msg).map_err(SignError::Sign)?;\n\n        Ok(Signed {\n            value: F::finalize(serialized_header, payload, signature.as_ref())\n                .map_err(SignError::SerializeHeader)?,\n        })\n    }\n}\n\nimpl\u003cT: IntoPayload\u003e JsonWebSignature\u003cJsonGeneral, T\u003e {\n    /// Signs this JWS using multiple signers.\n    ///\n    /// This is only supported when the JWS is in the [`JsonGeneral`] format.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the length of the given iterator of signers does\n    /// not match the number of headers in this JWS.\n    /// Otherwise, this method may return the same errors as the normal sign\n    /// operation.\n    pub fn sign_many\u003c's, S: AsRef\u003c[u8]\u003e + 's\u003e(\n        self,\n        signers: impl IntoIterator\u003cItem = \u0026's mut dyn Signer\u003cS\u003e\u003e,\n    ) -\u003e Result\u003cSigned\u003cJsonGeneral\u003e, SignError\u003cT::Error\u003e\u003e {\n        if self.header.is_empty() {\n            // this is unreachable right now, but we don't want to panic, so just return a\n            // kind of matching error\n            return Err(SignError::HeaderCountMismatch);\n        }\n\n        let signers = signers.into_iter().collect::\u003cVec\u003c_\u003e\u003e();\n\n        if signers.len() != self.header.len() {\n            return Err(SignError::HeaderCountMismatch);\n        }\n\n        let payload = self.payload.into_payload().map_err(SignError::Payload)?;\n        let payload_msg = match payload {\n            PayloadKind::Attached(PayloadData::Standard(ref b64)) =\u003e b64.as_bytes(),\n            PayloadKind::Detached(PayloadData::Standard(ref b64)) =\u003e b64.as_bytes(),\n        };\n\n        let mut signatures = vec![];\n\n        for (mut hdr, signer) in self.header.into_iter().zip(signers) {\n            hdr.overwrite_alg_and_key_id(signer.algorithm(), signer.key_id());\n\n            let mut msg = vec![];\n\n            let serialized_hdr = {\n                let (protected, unprotected) =\n                    hdr.into_values().map_err(SignError::InvalidHeader)?;\n\n                let protected = match protected {\n                    Some(hdr) =\u003e {\n                        let json =\n                            serde_json::to_string(\u0026hdr).map_err(SignError::SerializeHeader)?;\n\n                        let encoded = Base64UrlString::encode(json);\n                        msg.extend(encoded.as_bytes());\n                        Some(encoded)\n                    }\n                    None =\u003e None,\n                };\n\n                (protected, unprotected)\n            };\n\n            msg.push(b'.');\n            msg.extend(payload_msg);\n\n            let signature = signer.sign(\u0026msg).map_err(SignError::Sign)?;\n\n            signatures.push(JsonGeneralSignature {\n                protected: serialized_hdr.0,\n                header: serialized_hdr.1,\n                signature: Base64UrlString::encode(signature.as_ref()),\n            });\n        }\n\n        let payload = match payload {\n            PayloadKind::Attached(PayloadData::Standard(s)) =\u003e Some(s),\n            PayloadKind::Detached(_) =\u003e None,\n        };\n\n        Ok(Signed {\n            value: JsonGeneral {\n                payload,\n                signatures,\n            },\n        })\n    }\n}\n\n/// Different kinds of errors that can occurr while parsing a JWS from it's\n/// compact format.\n#[derive(Debug, Error)]\npub enum ParseCompactError\u003cP\u003e {\n    /// `crit` header field contained an unsupported name.\n    #[error(\"encountered unsupported critical headers (crit header field)\")]\n    UnsupportedCriticalHeader,\n    /// One of the parts was invalid UTF8\n    #[error(\"one of the parts was an invalid UTF-8 byte sequence\")]\n    InvalidUtf8Encoding,\n    /// One of the parts was an invalid Json string\n    #[error(\"one of the parts was an invalid json string\")]\n    InvalidJson(#[source] serde_json::Error),\n    /// The header of the JWS is invalid.\n    #[error(\"invalid JWS header: {0}\")]\n    InvalidHeader(#[source] header::Error),\n    /// Got a `Compact` with less or more than three elements.\n    #[error(\"got compact representation that didn't have 3 parts\")]\n    InvalidLength,\n    /// Failed to parse the payload.\n    #[error(transparent)]\n    Payload(P),\n}\n\nimpl\u003cF: Format, T\u003e crate::sealed::Sealed for JsonWebSignature\u003cF, T\u003e {}\n\nimpl\u003cT: FromRawPayload\u003cContext = ()\u003e\u003e DecodeFormat\u003cCompact\u003e for JsonWebSignature\u003cCompact, T\u003e {\n    type Decoded\u003cD\u003e = Unverified\u003cD\u003e;\n    type Error = ParseCompactError\u003cT::Error\u003e;\n\n    fn decode(input: Compact) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e {\n        Self::decode_with_context(input, \u0026())\n    }\n}\n\nimpl\u003cC, T: FromRawPayload\u003cContext = C\u003e\u003e DecodeFormatWithContext\u003cCompact, C\u003e\n    for JsonWebSignature\u003cCompact, T\u003e\n{\n    type Decoded\u003cD\u003e = Unverified\u003cD\u003e;\n    type Error = ParseCompactError\u003cT::Error\u003e;\n\n    fn decode_with_context(input: Compact, context: \u0026C) -\u003e Result\u003cUnverified\u003cSelf\u003e, Self::Error\u003e {\n        if input.len() != 3 {\n            return Err(ParseCompactError::InvalidLength);\n        }\n\n        let (header, raw_header) = {\n            let raw = input.part(0).expect(\"`len()` is checked above to be 3\");\n            let json = String::from_utf8(raw.decode())\n                .map_err(|_| ParseCompactError::InvalidUtf8Encoding)?;\n\n            let header = serde_json::from_str::\u003cserde_json::Map\u003cString, serde_json::Value\u003e\u003e(\u0026json)\n                .map_err(ParseCompactError::InvalidJson)?;\n\n            let header = JoseHeader::from_values(Some(header), None)\n                .map_err(ParseCompactError::InvalidHeader)?;\n\n            (header, raw)\n        };\n\n        let (payload, raw_payload) = {\n            let raw = input.part(1).expect(\"`len()` is checked above to be 3\");\n\n            // if payload is empty, detached payload\n            let (payload, raw) = if raw.is_empty() {\n                T::from_detached(context, \u0026header).map_err(ParseCompactError::Payload)?\n            } else {\n                let data = PayloadData::Standard(raw.clone());\n\n                (\n                    T::from_attached(context, data.clone()).map_err(ParseCompactError::Payload)?,\n                    data,\n                )\n            };\n\n            (payload, raw)\n        };\n        let PayloadData::Standard(raw_payload) = raw_payload;\n\n        let signature = input.part(2).expect(\"`len()` is checked above to be 3\");\n\n        let msg = format!(\"{raw_header}.{raw_payload}\");\n\n        Ok(Unverified {\n            value: JsonWebSignature { header, payload },\n            signature: signature.decode(),\n            msg: msg.into_bytes(),\n        })\n    }\n}\n\nfn parse_json_header\u003cF: Format, E\u003e(\n    protected: Option\u003c\u0026Base64UrlString\u003e,\n    header: Option\u003cserde_json::Map\u003cString, serde_json::Value\u003e\u003e,\n) -\u003e Result\u003cJoseHeader\u003cF, header::Jws\u003e, ParseJsonError\u003cE\u003e\u003e {\n    let protected = match protected {\n        Some(encoded) =\u003e {\n            let json = String::from_utf8(encoded.decode())\n                .map_err(|_| ParseJsonError::InvalidUtf8Encoding)?;\n\n            let values = serde_json::from_str::\u003cserde_json::Map\u003cString, serde_json::Value\u003e\u003e(\u0026json)\n                .map_err(ParseJsonError::InvalidJson)?;\n            Some(values)\n        }\n        None =\u003e None,\n    };\n\n    JoseHeader::from_values(protected, header).map_err(ParseJsonError::InvalidHeader)\n}\n\n/// Different kinds of errors that can occurr while parsing a JWS from it's\n/// JSON, general or flattened, format.\n#[derive(Debug, Error)]\npub enum ParseJsonError\u003cP\u003e {\n    /// The `signatures` array was empty.\n    ///\n    /// This error can only happen when decoding the [`JsonGeneral`] format.\n    #[error(\"the signatures array was empty\")]\n    EmptySignatures,\n    /// The header of the JWS is invalid.\n    #[error(\"invalid JWS header: {0}\")]\n    InvalidHeader(#[source] header::Error),\n    /// The protected header or signature contained invalid UTF-8\n    #[error(\"protected header or signature contained invalid UTF-8\")]\n    InvalidUtf8Encoding,\n    /// The protected header contained invalid JSON\n    #[error(\"protected header contained invalid JSON\")]\n    InvalidJson(#[source] serde_json::Error),\n    /// Failed to parse the payload.\n    #[error(transparent)]\n    Payload(P),\n}\n\nimpl\u003cT: FromRawPayload\u003cContext = ()\u003e\u003e DecodeFormat\u003cJsonFlattened\u003e\n    for JsonWebSignature\u003cJsonFlattened, T\u003e\n{\n    type Decoded\u003cD\u003e = Unverified\u003cD\u003e;\n    type Error = ParseJsonError\u003cT::Error\u003e;\n\n    fn decode(input: JsonFlattened) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e {\n        Self::decode_with_context(input, \u0026())\n    }\n}\n\nimpl\u003cC, T: FromRawPayload\u003cContext = C\u003e\u003e DecodeFormatWithContext\u003cJsonFlattened, C\u003e\n    for JsonWebSignature\u003cJsonFlattened, T\u003e\n{\n    type Decoded\u003cD\u003e = Unverified\u003cD\u003e;\n    type Error = ParseJsonError\u003cT::Error\u003e;\n\n    fn decode_with_context(\n        JsonFlattened {\n            payload,\n            protected,\n            header,\n            signature,\n        }: JsonFlattened,\n        context: \u0026C,\n    ) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e {\n        let protected_str = protected.clone().unwrap_or_default().into_inner();\n        let header = parse_json_header(protected.as_ref(), header)?;\n\n        let (payload, raw_payload) = match payload {\n            Some(b64) =\u003e (\n                T::from_attached(context, PayloadData::Standard(b64.clone()))\n                    .map_err(ParseJsonError::Payload)?,\n                PayloadData::Standard(b64),\n            ),\n            None =\u003e T::from_detached(context, \u0026header).map_err(ParseJsonError::Payload)?,\n        };\n        let PayloadData::Standard(raw_payload) = raw_payload;\n\n        let msg = format!(\"{protected_str}.{raw_payload}\");\n        Ok(Unverified {\n            value: JsonWebSignature { header, payload },\n            signature: signature.decode(),\n            msg: msg.into_bytes(),\n        })\n    }\n}\n\nimpl\u003cT: FromRawPayload\u003cContext = ()\u003e\u003e DecodeFormat\u003cJsonGeneral\u003e\n    for JsonWebSignature\u003cJsonGeneral, T\u003e\n{\n    type Decoded\u003cD\u003e = ManyUnverified\u003cD\u003e;\n    type Error = ParseJsonError\u003cT::Error\u003e;\n\n    fn decode(input: JsonGeneral) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e {\n        Self::decode_with_context(input, \u0026())\n    }\n}\n\nimpl\u003cC, T: FromRawPayload\u003cContext = C\u003e\u003e DecodeFormatWithContext\u003cJsonGeneral, C\u003e\n    for JsonWebSignature\u003cJsonGeneral, T\u003e\n{\n    type Decoded\u003cD\u003e = ManyUnverified\u003cD\u003e;\n    type Error = ParseJsonError\u003cT::Error\u003e;\n\n    fn decode_with_context(\n        JsonGeneral {\n            payload,\n            signatures,\n        }: JsonGeneral,\n        context: \u0026C,\n    ) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e {\n        if signatures.is_empty() {\n            return Err(ParseJsonError::EmptySignatures);\n        }\n\n        let mut headers = Vec::with_capacity(signatures.len());\n        let mut sigs = Vec::with_capacity(signatures.len());\n\n        for sig in signatures {\n            let header = parse_json_header(sig.protected.as_ref(), sig.header)?;\n\n            headers.push(header);\n            sigs.push((sig.protected.unwrap_or_default(), sig.signature.decode()));\n        }\n\n        let (payload, raw_payload) = match payload {\n            Some(b64) =\u003e (\n                T::from_attached(context, PayloadData::Standard(b64.clone()))\n                    .map_err(ParseJsonError::Payload)?,\n                PayloadData::Standard(b64),\n            ),\n            None =\u003e T::from_detached_many(context, \u0026headers).map_err(ParseJsonError::Payload)?,\n        };\n        let PayloadData::Standard(raw_payload) = raw_payload;\n\n        let unverified_signatures = sigs\n            .into_iter()\n            .map(|(protected, signature)| {\n                let msg = format!(\"{protected}.{raw_payload}\");\n\n                (msg.into_bytes(), signature)\n            })\n            .collect();\n\n        Ok(ManyUnverified {\n            value: JsonWebSignature {\n                header: headers,\n                payload,\n            },\n            signatures: unverified_signatures,\n        })\n    }\n}\n","traces":[{"line":204,"address":[],"length":0,"stats":{"Line":0}},{"line":205,"address":[],"length":0,"stats":{"Line":0}},{"line":210,"address":[],"length":0,"stats":{"Line":0}},{"line":215,"address":[],"length":0,"stats":{"Line":0}},{"line":216,"address":[],"length":0,"stats":{"Line":0}},{"line":223,"address":[],"length":0,"stats":{"Line":0}},{"line":224,"address":[],"length":0,"stats":{"Line":0}},{"line":231,"address":[],"length":0,"stats":{"Line":0}},{"line":232,"address":[],"length":0,"stats":{"Line":0}},{"line":238,"address":[],"length":0,"stats":{"Line":0}},{"line":239,"address":[],"length":0,"stats":{"Line":0}},{"line":259,"address":[],"length":0,"stats":{"Line":0}},{"line":263,"address":[],"length":0,"stats":{"Line":0}},{"line":265,"address":[],"length":0,"stats":{"Line":0}},{"line":266,"address":[],"length":0,"stats":{"Line":0}},{"line":267,"address":[],"length":0,"stats":{"Line":0}},{"line":268,"address":[],"length":0,"stats":{"Line":0}},{"line":269,"address":[],"length":0,"stats":{"Line":0}},{"line":270,"address":[],"length":0,"stats":{"Line":0}},{"line":271,"address":[],"length":0,"stats":{"Line":0}},{"line":274,"address":[],"length":0,"stats":{"Line":0}},{"line":275,"address":[],"length":0,"stats":{"Line":0}},{"line":277,"address":[],"length":0,"stats":{"Line":0}},{"line":279,"address":[],"length":0,"stats":{"Line":0}},{"line":280,"address":[],"length":0,"stats":{"Line":0}},{"line":281,"address":[],"length":0,"stats":{"Line":0}},{"line":282,"address":[],"length":0,"stats":{"Line":0}},{"line":283,"address":[],"length":0,"stats":{"Line":0}},{"line":285,"address":[],"length":0,"stats":{"Line":0}},{"line":286,"address":[],"length":0,"stats":{"Line":0}},{"line":287,"address":[],"length":0,"stats":{"Line":0}},{"line":291,"address":[],"length":0,"stats":{"Line":0}},{"line":293,"address":[],"length":0,"stats":{"Line":0}},{"line":294,"address":[],"length":0,"stats":{"Line":0}},{"line":295,"address":[],"length":0,"stats":{"Line":0}},{"line":311,"address":[],"length":0,"stats":{"Line":0}},{"line":315,"address":[],"length":0,"stats":{"Line":0}},{"line":318,"address":[],"length":0,"stats":{"Line":0}},{"line":321,"address":[],"length":0,"stats":{"Line":0}},{"line":323,"address":[],"length":0,"stats":{"Line":0}},{"line":324,"address":[],"length":0,"stats":{"Line":0}},{"line":327,"address":[],"length":0,"stats":{"Line":0}},{"line":328,"address":[],"length":0,"stats":{"Line":0}},{"line":329,"address":[],"length":0,"stats":{"Line":0}},{"line":330,"address":[],"length":0,"stats":{"Line":0}},{"line":333,"address":[],"length":0,"stats":{"Line":0}},{"line":335,"address":[],"length":0,"stats":{"Line":0}},{"line":336,"address":[],"length":0,"stats":{"Line":0}},{"line":338,"address":[],"length":0,"stats":{"Line":0}},{"line":340,"address":[],"length":0,"stats":{"Line":0}},{"line":341,"address":[],"length":0,"stats":{"Line":0}},{"line":342,"address":[],"length":0,"stats":{"Line":0}},{"line":344,"address":[],"length":0,"stats":{"Line":0}},{"line":345,"address":[],"length":0,"stats":{"Line":0}},{"line":346,"address":[],"length":0,"stats":{"Line":0}},{"line":347,"address":[],"length":0,"stats":{"Line":0}},{"line":349,"address":[],"length":0,"stats":{"Line":0}},{"line":350,"address":[],"length":0,"stats":{"Line":0}},{"line":351,"address":[],"length":0,"stats":{"Line":0}},{"line":353,"address":[],"length":0,"stats":{"Line":0}},{"line":356,"address":[],"length":0,"stats":{"Line":0}},{"line":359,"address":[],"length":0,"stats":{"Line":0}},{"line":360,"address":[],"length":0,"stats":{"Line":0}},{"line":362,"address":[],"length":0,"stats":{"Line":0}},{"line":364,"address":[],"length":0,"stats":{"Line":0}},{"line":365,"address":[],"length":0,"stats":{"Line":0}},{"line":366,"address":[],"length":0,"stats":{"Line":0}},{"line":367,"address":[],"length":0,"stats":{"Line":0}},{"line":371,"address":[],"length":0,"stats":{"Line":0}},{"line":372,"address":[],"length":0,"stats":{"Line":0}},{"line":373,"address":[],"length":0,"stats":{"Line":0}},{"line":376,"address":[],"length":0,"stats":{"Line":0}},{"line":377,"address":[],"length":0,"stats":{"Line":0}},{"line":378,"address":[],"length":0,"stats":{"Line":0}},{"line":379,"address":[],"length":0,"stats":{"Line":0}},{"line":415,"address":[],"length":0,"stats":{"Line":0}},{"line":416,"address":[],"length":0,"stats":{"Line":0}},{"line":426,"address":[],"length":0,"stats":{"Line":0}},{"line":427,"address":[],"length":0,"stats":{"Line":0}},{"line":428,"address":[],"length":0,"stats":{"Line":0}},{"line":431,"address":[],"length":0,"stats":{"Line":0}},{"line":432,"address":[],"length":0,"stats":{"Line":0}},{"line":433,"address":[],"length":0,"stats":{"Line":0}},{"line":434,"address":[],"length":0,"stats":{"Line":0}},{"line":436,"address":[],"length":0,"stats":{"Line":0}},{"line":437,"address":[],"length":0,"stats":{"Line":0}},{"line":439,"address":[],"length":0,"stats":{"Line":0}},{"line":440,"address":[],"length":0,"stats":{"Line":0}},{"line":442,"address":[],"length":0,"stats":{"Line":0}},{"line":445,"address":[],"length":0,"stats":{"Line":0}},{"line":446,"address":[],"length":0,"stats":{"Line":0}},{"line":449,"address":[],"length":0,"stats":{"Line":0}},{"line":450,"address":[],"length":0,"stats":{"Line":0}},{"line":452,"address":[],"length":0,"stats":{"Line":0}},{"line":455,"address":[],"length":0,"stats":{"Line":0}},{"line":456,"address":[],"length":0,"stats":{"Line":0}},{"line":460,"address":[],"length":0,"stats":{"Line":0}},{"line":462,"address":[],"length":0,"stats":{"Line":0}},{"line":464,"address":[],"length":0,"stats":{"Line":0}},{"line":466,"address":[],"length":0,"stats":{"Line":0}},{"line":468,"address":[],"length":0,"stats":{"Line":0}},{"line":469,"address":[],"length":0,"stats":{"Line":0}},{"line":470,"address":[],"length":0,"stats":{"Line":0}},{"line":471,"address":[],"length":0,"stats":{"Line":0}},{"line":476,"address":[],"length":0,"stats":{"Line":0}},{"line":480,"address":[],"length":0,"stats":{"Line":0}},{"line":481,"address":[],"length":0,"stats":{"Line":0}},{"line":482,"address":[],"length":0,"stats":{"Line":0}},{"line":483,"address":[],"length":0,"stats":{"Line":0}},{"line":485,"address":[],"length":0,"stats":{"Line":0}},{"line":486,"address":[],"length":0,"stats":{"Line":0}},{"line":487,"address":[],"length":0,"stats":{"Line":0}},{"line":489,"address":[],"length":0,"stats":{"Line":0}},{"line":492,"address":[],"length":0,"stats":{"Line":0}},{"line":524,"address":[],"length":0,"stats":{"Line":0}},{"line":525,"address":[],"length":0,"stats":{"Line":0}},{"line":535,"address":[],"length":0,"stats":{"Line":0}},{"line":544,"address":[],"length":0,"stats":{"Line":0}},{"line":545,"address":[],"length":0,"stats":{"Line":0}},{"line":547,"address":[],"length":0,"stats":{"Line":0}},{"line":548,"address":[],"length":0,"stats":{"Line":0}},{"line":549,"address":[],"length":0,"stats":{"Line":0}},{"line":550,"address":[],"length":0,"stats":{"Line":0}},{"line":551,"address":[],"length":0,"stats":{"Line":0}},{"line":553,"address":[],"length":0,"stats":{"Line":0}},{"line":555,"address":[],"length":0,"stats":{"Line":0}},{"line":557,"address":[],"length":0,"stats":{"Line":0}},{"line":558,"address":[],"length":0,"stats":{"Line":0}},{"line":559,"address":[],"length":0,"stats":{"Line":0}},{"line":560,"address":[],"length":0,"stats":{"Line":0}},{"line":561,"address":[],"length":0,"stats":{"Line":0}},{"line":572,"address":[],"length":0,"stats":{"Line":0}},{"line":573,"address":[],"length":0,"stats":{"Line":0}},{"line":583,"address":[],"length":0,"stats":{"Line":0}},{"line":590,"address":[],"length":0,"stats":{"Line":0}},{"line":591,"address":[],"length":0,"stats":{"Line":0}},{"line":594,"address":[],"length":0,"stats":{"Line":0}},{"line":595,"address":[],"length":0,"stats":{"Line":0}},{"line":597,"address":[],"length":0,"stats":{"Line":0}},{"line":598,"address":[],"length":0,"stats":{"Line":0}},{"line":600,"address":[],"length":0,"stats":{"Line":0}},{"line":601,"address":[],"length":0,"stats":{"Line":0}},{"line":604,"address":[],"length":0,"stats":{"Line":0}},{"line":605,"address":[],"length":0,"stats":{"Line":0}},{"line":606,"address":[],"length":0,"stats":{"Line":0}},{"line":607,"address":[],"length":0,"stats":{"Line":0}},{"line":608,"address":[],"length":0,"stats":{"Line":0}},{"line":610,"address":[],"length":0,"stats":{"Line":0}},{"line":612,"address":[],"length":0,"stats":{"Line":0}},{"line":614,"address":[],"length":0,"stats":{"Line":0}},{"line":616,"address":[],"length":0,"stats":{"Line":0}},{"line":617,"address":[],"length":0,"stats":{"Line":0}},{"line":619,"address":[],"length":0,"stats":{"Line":0}},{"line":623,"address":[],"length":0,"stats":{"Line":0}},{"line":624,"address":[],"length":0,"stats":{"Line":0}},{"line":625,"address":[],"length":0,"stats":{"Line":0}},{"line":626,"address":[],"length":0,"stats":{"Line":0}},{"line":628,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":158},{"path":["/","home","stu","dev","rust","jose","src","jwt.rs"],"content":"//! JsonWebToken (JWT) implementation\n//!\n//! JWTs are the most common use of JOSE.\n\nuse alloc::string::String;\n\nuse serde::{de::DeserializeOwned, Deserialize, Serialize};\n\nuse crate::{\n    format::{self, Compact},\n    jws::{FromRawPayload, IntoPayload, JsonWebSignatureBuilder, PayloadData, PayloadKind},\n    Base64UrlString, JsonWebSignature, Jws,\n};\n\n/// A JSON Web Token (JWT) as defined in [RFC 7519].\n///\n/// Since a JWT is only allowed to be serialized in the compact format, the\n/// `F` type parameter is fixed to [`Compact`] in this type\n/// alias.\n///\n/// [RFC 7519]: \u003chttps://datatracker.ietf.org/doc/html/rfc7519\u003e\npub type JsonWebToken\u003cA\u003e = JsonWebSignature\u003cformat::Compact, Claims\u003cA\u003e\u003e;\n\nimpl JsonWebToken\u003c()\u003e {\n    /// Returns a [`JsonWebSignatureBuilder`] for a [`JsonWebToken`]\n    // this method is needed because of interference problems if it is named\n    // builder directly.\n    pub fn builder_jwt() -\u003e JsonWebSignatureBuilder\u003cCompact\u003e {\n        Jws::builder()\n    }\n}\n\n/// The claims of a JSON Web Token (JWT) as defined in [RFC 7519].\n///\n/// The `A` type parameter is used to specify the type of the additional\n/// parameters of the claims. If no additional parameters are required,\n/// the unit type `()` can be used.\n///\n/// [RFC 7519]: \u003chttps://datatracker.ietf.org/doc/html/rfc7519\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Default)]\npub struct Claims\u003cA = ()\u003e {\n    /// The \"iss\" (issuer) claim identifies the principal that issued the JWT.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1).\n    #[serde(rename = \"iss\", skip_serializing_if = \"Option::is_none\")]\n    pub issuer: Option\u003cString\u003e,\n\n    /// The \"sub\" (subject) claim identifies the principal that is the subject\n    /// of the JWT.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.2](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2).\n    #[serde(rename = \"sub\", skip_serializing_if = \"Option::is_none\")]\n    pub subject: Option\u003cString\u003e,\n\n    /// The \"aud\" (audience) claim identifies the recipients that the JWT is\n    /// intended for.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.3](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3).\n    #[serde(rename = \"aud\", skip_serializing_if = \"Option::is_none\")]\n    pub audience: Option\u003cString\u003e,\n\n    /// The \"exp\" (expiration time) claim identifies the expiration time on or\n    /// after which the JWT MUST NOT be accepted for processing.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.4](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4).\n    #[serde(rename = \"exp\", skip_serializing_if = \"Option::is_none\")]\n    pub expiration: Option\u003cu64\u003e,\n\n    /// The \"nbf\" (not before) claim identifies the time before which the JWT\n    /// MUST NOT be accepted for processing.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.5](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5).\n    #[serde(rename = \"nbf\", skip_serializing_if = \"Option::is_none\")]\n    pub not_before: Option\u003cu64\u003e,\n\n    /// The \"iat\" (issued at) claim identifies the time at which the JWT was\n    /// issued.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.6](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6).\n    #[serde(rename = \"iat\", skip_serializing_if = \"Option::is_none\")]\n    pub issued_at: Option\u003cu64\u003e,\n\n    /// The \"jti\" (JWT ID) claim provides a unique identifier for the JWT.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.7](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.7).\n    #[serde(rename = \"jti\", skip_serializing_if = \"Option::is_none\")]\n    pub jwt_id: Option\u003cString\u003e,\n\n    /// Additional, potentially unregistered JWT claims.\n    #[serde(flatten)]\n    pub additional: A,\n}\n\nimpl\u003cA\u003e IntoPayload for Claims\u003cA\u003e\nwhere\n    A: Serialize,\n{\n    type Error = serde_json::Error;\n\n    fn into_payload(self) -\u003e Result\u003cPayloadKind, Self::Error\u003e {\n        let encoded = serde_json::to_vec(\u0026self)?;\n        Ok(PayloadKind::Attached(PayloadData::Standard(\n            Base64UrlString::encode(encoded),\n        )))\n    }\n}\n\n/// Error returned by [`FromRawPayload`] implementation of [`Claims`]\n#[derive(Debug, thiserror::Error)]\n#[non_exhaustive]\npub enum ClaimsDecodeError {\n    /// [`Claims`] does not support this operation.\n    #[error(\"Operation not supported.\")]\n    OperationUnsupported,\n    /// Error while deserializing underlying Json\n    #[error(transparent)]\n    Json(#[from] serde_json::Error),\n}\n\nimpl\u003cA\u003e FromRawPayload for Claims\u003cA\u003e\nwhere\n    A: DeserializeOwned,\n{\n    type Context = ();\n    type Error = ClaimsDecodeError;\n\n    fn from_attached(_: \u0026Self::Context, payload: PayloadData) -\u003e Result\u003cSelf, Self::Error\u003e {\n        let data = match payload {\n            PayloadData::Standard(data) =\u003e data.decode(),\n        };\n        let claims: Claims\u003cA\u003e = serde_json::from_slice(\u0026data)?;\n        Ok(claims)\n    }\n\n    /// Detached is not supported with [`JsonWebToken`]\n    ///\n    /// # Returns\n    ///\n    /// Always returns [`ClaimsDecodeError::OperationUnsupported`]\n    fn from_detached\u003cF, T\u003e(\n        _: \u0026Self::Context,\n        _: \u0026crate::JoseHeader\u003cF, T\u003e,\n    ) -\u003e Result\u003c(Self, PayloadData), Self::Error\u003e {\n        Err(ClaimsDecodeError::OperationUnsupported)\n    }\n\n    /// Detached is not supported with [`JsonWebToken`]\n    ///\n    /// # Returns\n    ///\n    /// Always returns [`ClaimsDecodeError::OperationUnsupported`]\n    fn from_detached_many\u003cF, T\u003e(\n        _: \u0026Self::Context,\n        _: \u0026[crate::JoseHeader\u003cF, T\u003e],\n    ) -\u003e Result\u003c(Self, PayloadData), Self::Error\u003e {\n        Err(ClaimsDecodeError::OperationUnsupported)\n    }\n}\n","traces":[{"line":28,"address":[],"length":0,"stats":{"Line":0}},{"line":29,"address":[],"length":0,"stats":{"Line":0}},{"line":100,"address":[],"length":0,"stats":{"Line":0}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":102,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":140,"address":[],"length":0,"stats":{"Line":0}},{"line":144,"address":[],"length":0,"stats":{"Line":0}},{"line":152,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":15},{"path":["/","home","stu","dev","rust","jose","src","lib.rs"],"content":"#![doc = include_str!(\"../README.md\")]\n#![allow(clippy::doc_overindented_list_items)]\n#![warn(\n    missing_docs,\n    missing_debug_implementations,\n    trivial_casts,\n    trivial_numeric_casts,\n    unused_extern_crates,\n    unused_import_braces,\n    explicit_outlives_requirements,\n    clippy::missing_errors_doc\n)]\n#![deny(\n    rustdoc::broken_intra_doc_links,\n    rustdoc::bare_urls,\n    macro_use_extern_crate,\n    non_ascii_idents,\n    elided_lifetimes_in_paths\n)]\n#![forbid(unsafe_code)]\n#![cfg_attr(not(feature = \"std\"), no_std)]\n#![cfg_attr(feature = \"std\", allow(unused_qualifications))]\n#![cfg_attr(docsrs, feature(doc_auto_cfg))]\n\nextern crate alloc;\n\n#[macro_use]\nmod macros;\n\npub(crate) mod base64_url;\n#[macro_use]\npub(crate) mod tagged_visitor;\npub(crate) mod sealed;\n\npub mod crypto;\npub mod format;\npub mod header;\npub mod jwa;\npub mod jwe;\npub mod jwk;\npub mod jws;\npub mod jwt;\nmod uri;\n\nuse alloc::string::String;\n\npub use base64_url::Base64UrlString;\npub use uri::Uri;\n\n#[doc(inline)]\npub use self::{header::JoseHeader, jwk::JsonWebKey, jws::JsonWebSignature, jwt::JsonWebToken};\n\n/// Type alias to make [`JsonWebSignature`] easier to access.\npub type Jws\u003cF = format::Compact, T = ()\u003e = JsonWebSignature\u003cF, T\u003e;\n\n/// Type alias to make [`JsonWebToken`] easier to access.\npub type Jwt\u003cA = ()\u003e = JsonWebToken\u003cA\u003e;\n\n/// Type alias to make [`JsonWebKey`] easier to access.\npub type Jwk\u003cA = ()\u003e = JsonWebKey\u003cA\u003e;\n\n/// This type is used when the type of the additional parameters\n/// of a [`JsonWebKey`], or a [`JoseHeader`] can not be\n/// specified, but must not be discarded.\npub type UntypedAdditionalProperties = serde_json::Map\u003cString, serde_json::Value\u003e;\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","macros.rs"],"content":"macro_rules! impl_serde_jwa {\n    ($T:ty, [\n        $($name:literal =\u003e $val:expr; $valp:pat,)*\n    ]) =\u003e {\n\n        impl core::fmt::Display for $T {\n            fn fmt(\u0026self, f: \u0026mut core::fmt::Formatter\u003c'_\u003e) -\u003e core::fmt::Result {\n                match \u0026self {\n                    $($valp =\u003e write!(f, \"{}\", $name),)*\n                    Self::Other(other) =\u003e write!(f, \"{}\", other),\n                }\n            }\n        }\n        #[allow(unused_qualifications)]\n        impl\u003c'de\u003e serde::Deserialize\u003c'de\u003e for $T {\n            fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n            where\n                D: serde::Deserializer\u003c'de\u003e,\n            {\n                let name = \u003calloc::borrow::Cow\u003c'_, str\u003e as serde::Deserialize\u003e::deserialize(deserializer)?;\n\n                Ok(Self::from_str_without_other(\u0026name).unwrap_or_else(|| {\n                    Self::Other(name.into_owned())\n                }))\n            }\n        }\n\n        #[allow(unused_qualifications)]\n        impl serde::Serialize for $T {\n            fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n            where\n                S: serde::Serializer,\n            {\n                let name = match self {\n                    $($valp =\u003e $name,)*\n                    Self::Other(custom) =\u003e custom,\n                };\n                \u003c\u0026str as serde::Serialize\u003e::serialize(\u0026name, serializer)\n            }\n        }\n\n        impl $T {\n            /// Tries to parse the given name into a variant, and returns `None`\n            /// if no variant matched.\n            pub(crate) fn from_str_without_other(name: \u0026str) -\u003e Option\u003cSelf\u003e {\n                match name {\n                    $($name =\u003e Some($val),)*\n                    _ =\u003e None,\n                }\n            }\n        }\n    };\n}\n\nmacro_rules! impl_internally_tagged_deserialize {\n    ($T:ty, $tag:literal, $expecting:literal, [$($name:literal =\u003e $i:ident),* $(,)?]) =\u003e {\n        #[allow(unused_qualifications)]\n        impl\u003c'de\u003e serde::Deserialize\u003c'de\u003e for $T {\n            fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n            where\n                D: serde::Deserializer\u003c'de\u003e,\n            {\n                #[derive(Clone, Copy, Deserialize)]\n                enum Tag {\n                    $(#[serde(rename = $name)]\n                    $i,)*\n                }\n\n                let tagged =\n                    deserializer.deserialize_any(crate::tagged_visitor::TaggedContentVisitor::new($tag, $expecting))?;\n\n                match tagged.tag {\n                    $(Tag::$i =\u003e Deserialize::deserialize(tagged.content).map(\u003c$T\u003e::$i),)*\n                }\n                .map_err(|x| x.into_error())\n            }\n        }\n    };\n}\n\nmacro_rules! impl_thumbprint_hash_trait {\n    ($symmetric:ty) =\u003e {\n        #[allow(rustdoc::redundant_explicit_links)]\n        /// The [`Hash`](core::hash::Hash) implementation uses\n        /// [`Thumbprint::thumbprint_prehashed`](crate::jwk::Thumbprint::thumbprint_prehashed)\n        impl core::hash::Hash for $symmetric {\n            fn hash\u003cH\u003e(\u0026self, state: \u0026mut H)\n            where\n                H: core::hash::Hasher,\n            {\n                alloc::format!(\n                    \"symmetric:{}\",\n                    \u003c$symmetric as crate::jwk::Thumbprint\u003e::thumbprint_prehashed(\u0026self)\n                )\n                .hash(state)\n            }\n        }\n    };\n    ($public:ty, $private:ty) =\u003e {\n        #[allow(rustdoc::redundant_explicit_links)]\n        /// The [`Hash`](core::hash::Hash) implementation uses\n        /// [`Thumbprint::thumbprint_prehashed`](crate::jwk::Thumbprint::thumbprint_prehashed)\n        impl core::hash::Hash for $public {\n            fn hash\u003cH\u003e(\u0026self, state: \u0026mut H)\n            where\n                H: core::hash::Hasher,\n            {\n                alloc::format!(\n                    \"public:{}\",\n                    \u003c$public as crate::jwk::Thumbprint\u003e::thumbprint_prehashed(\u0026self)\n                )\n                .hash(state)\n            }\n        }\n        #[allow(rustdoc::redundant_explicit_links)]\n        /// The [`Hash`](core::hash::Hash) implementation uses\n        /// [`Thumbprint::thumbprint_prehashed`](crate::jwk::Thumbprint::thumbprint_prehashed)\n        impl core::hash::Hash for $private {\n            fn hash\u003cH\u003e(\u0026self, state: \u0026mut H)\n            where\n                H: core::hash::Hasher,\n            {\n                alloc::format!(\n                    \"private:{}\",\n                    \u003c$private as crate::jwk::Thumbprint\u003e::thumbprint_prehashed(\u0026self)\n                )\n                .hash(state)\n            }\n        }\n    };\n}\n","traces":[{"line":7,"address":[],"length":0,"stats":{"Line":0}},{"line":8,"address":[],"length":0,"stats":{"Line":0}},{"line":9,"address":[],"length":0,"stats":{"Line":0}},{"line":10,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":17,"address":[],"length":0,"stats":{"Line":0}},{"line":18,"address":[],"length":0,"stats":{"Line":0}},{"line":20,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}},{"line":23,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":28}},{"line":31,"address":[],"length":0,"stats":{"Line":28}},{"line":32,"address":[],"length":0,"stats":{"Line":28}},{"line":34,"address":[],"length":0,"stats":{"Line":34}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":38,"address":[],"length":0,"stats":{"Line":28}},{"line":45,"address":[],"length":0,"stats":{"Line":94}},{"line":46,"address":[],"length":0,"stats":{"Line":94}},{"line":47,"address":[],"length":0,"stats":{"Line":49}},{"line":48,"address":[],"length":0,"stats":{"Line":49}},{"line":59,"address":[],"length":0,"stats":{"Line":118}},{"line":60,"address":[],"length":0,"stats":{"Line":118}},{"line":61,"address":[],"length":0,"stats":{"Line":118}},{"line":69,"address":[],"length":0,"stats":{"Line":60}},{"line":70,"address":[],"length":0,"stats":{"Line":176}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":24}},{"line":75,"address":[],"length":0,"stats":{"Line":20}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":1}},{"line":105,"address":[],"length":0,"stats":{"Line":1}},{"line":106,"address":[],"length":0,"stats":{"Line":1}},{"line":108,"address":[],"length":0,"stats":{"Line":1}},{"line":109,"address":[],"length":0,"stats":{"Line":1}},{"line":110,"address":[],"length":0,"stats":{"Line":1}},{"line":112,"address":[],"length":0,"stats":{"Line":1}},{"line":119,"address":[],"length":0,"stats":{"Line":1}},{"line":120,"address":[],"length":0,"stats":{"Line":1}},{"line":121,"address":[],"length":0,"stats":{"Line":1}},{"line":123,"address":[],"length":0,"stats":{"Line":1}},{"line":124,"address":[],"length":0,"stats":{"Line":1}},{"line":125,"address":[],"length":0,"stats":{"Line":1}},{"line":127,"address":[],"length":0,"stats":{"Line":1}}],"covered":30,"coverable":49},{"path":["/","home","stu","dev","rust","jose","src","sealed.rs"],"content":"/// A trait to protect traits meant only to be implemented by types from this\n/// crate from types outside this crate ([`C-SEALED`])\n///\n/// [`C-SEALED`]: \u003chttps://rust-lang.github.io/api-guidelines/future-proofing.html\u003e\npub trait Sealed {}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","tagged_visitor.rs"],"content":"use alloc::{collections::BTreeMap, fmt};\nuse core::marker::PhantomData;\n\nuse serde::{\n    de::{self, DeserializeSeed, MapAccess, Visitor},\n    Deserialize, Deserializer,\n};\nuse serde_value::Value;\n\npub(crate) struct TaggedContent\u003cT\u003e {\n    pub tag: T,\n    pub content: Value,\n}\n\npub(crate) struct TaggedContentVisitor\u003c'de, T\u003e {\n    tag_name: \u0026'static str,\n    expecting: \u0026'static str,\n    _tag: PhantomData\u003cT\u003e,\n    _content: PhantomData\u003c\u0026'de [u8]\u003e,\n}\n\nimpl\u003cT\u003e TaggedContentVisitor\u003c'_, T\u003e {\n    pub fn new(tag_name: \u0026'static str, expecting: \u0026'static str) -\u003e Self {\n        Self {\n            tag_name,\n            expecting,\n            _tag: PhantomData,\n            _content: PhantomData,\n        }\n    }\n}\n\nimpl\u003c'de, T\u003e DeserializeSeed\u003c'de\u003e for TaggedContentVisitor\u003c'de, T\u003e\nwhere\n    T: Deserialize\u003c'de\u003e + Clone,\n{\n    type Value = TaggedContent\u003cT\u003e;\n\n    fn deserialize\u003cD\u003e(self, deserializer: D) -\u003e Result\u003cSelf::Value, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        // Internally tagged enums are only supported in self-describing\n        // formats.\n        deserializer.deserialize_any(self)\n    }\n}\n\nimpl\u003c'de, T\u003e Visitor\u003c'de\u003e for TaggedContentVisitor\u003c'de, T\u003e\nwhere\n    T: Deserialize\u003c'de\u003e + Clone,\n{\n    type Value = TaggedContent\u003cT\u003e;\n\n    fn expecting(\u0026self, fmt: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt.write_str(self.expecting)\n    }\n\n    fn visit_map\u003cM\u003e(self, mut map: M) -\u003e Result\u003cSelf::Value, M::Error\u003e\n    where\n        M: MapAccess\u003c'de\u003e,\n    {\n        let mut tag = None;\n        let mut content = BTreeMap::new();\n\n        while let Some(k) = map.next_key::\u003cValue\u003e()? {\n            let val = if matches!(k, Value::String(ref s) if s == self.tag_name) {\n                let val = map.next_value::\u003cValue\u003e()?;\n                tag = Some(val.clone().deserialize_into().map_err(|e| e.into_error())?);\n                val\n            } else {\n                map.next_value()?\n            };\n\n            content.insert(k, val);\n        }\n\n        match tag {\n            None =\u003e Err(de::Error::missing_field(self.tag_name)),\n            Some(tag) =\u003e Ok(TaggedContent {\n                tag,\n                content: Value::Map(content),\n            }),\n        }\n    }\n}\n","traces":[{"line":23,"address":[],"length":0,"stats":{"Line":118}},{"line":39,"address":[],"length":0,"stats":{"Line":0}},{"line":45,"address":[],"length":0,"stats":{"Line":0}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":118}},{"line":63,"address":[],"length":0,"stats":{"Line":118}},{"line":64,"address":[],"length":0,"stats":{"Line":118}},{"line":66,"address":[],"length":0,"stats":{"Line":790}},{"line":67,"address":[],"length":0,"stats":{"Line":856}},{"line":68,"address":[],"length":0,"stats":{"Line":184}},{"line":69,"address":[],"length":0,"stats":{"Line":124}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":260}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":86}},{"line":79,"address":[],"length":0,"stats":{"Line":26}},{"line":80,"address":[],"length":0,"stats":{"Line":60}},{"line":81,"address":[],"length":0,"stats":{"Line":60}},{"line":82,"address":[],"length":0,"stats":{"Line":60}}],"covered":14,"coverable":20},{"path":["/","home","stu","dev","rust","jose","src","uri.rs"],"content":"use alloc::string::String;\nuse core::{fmt, ops::Deref};\n\nuse serde::{Deserialize, Serialize};\n\n/// A serializable URI type implemented using [`serde`] and [`fluent_uri`].\n///\n/// This is a thing wrapper around a [`fluent_uri::Uri\u003cString\u003e`] that implements\n/// [`Serialize`] and [`Deserialize`].\n#[derive(Debug, Clone, Default)]\npub struct Uri(fluent_uri::Uri\u003cString\u003e);\n\nimpl Uri {\n    /// Borrows this URI.\n    pub fn borrow(\u0026self) -\u003e BorrowedUri\u003c'_\u003e {\n        BorrowedUri(self.0.borrow())\n    }\n\n    /// Turns this URI into the underlying [`fluent_uri::Uri\u003cString\u003e`].\n    pub fn into_inner(self) -\u003e fluent_uri::Uri\u003cString\u003e {\n        self.0\n    }\n}\n\nimpl PartialEq for Uri {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        self.0.as_str().eq(other.0.as_str())\n    }\n}\nimpl Eq for Uri {}\n\nimpl Deref for Uri {\n    type Target = fluent_uri::Uri\u003cString\u003e;\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        \u0026self.0\n    }\n}\n\nimpl From\u003cfluent_uri::Uri\u003cString\u003e\u003e for Uri {\n    fn from(uri: fluent_uri::Uri\u003cString\u003e) -\u003e Self {\n        Self(uri)\n    }\n}\n\nimpl fmt::Display for Uri {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        self.0.fmt(f)\n    }\n}\n\nimpl Serialize for Uri {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        self.0.as_str().serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for Uri {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cUri, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let uri = String::deserialize(deserializer)?;\n\n        Ok(Uri(\n            fluent_uri::Uri::parse(uri).map_err(serde::de::Error::custom)?\n        ))\n    }\n}\n\n/// A borrowed version of the [`Uri`].\n///\n/// This is a thing wrapper around a [`fluent_uri::Uri\u003c\u0026str\u003e`] that implements\n/// [`Serialize`].\n#[derive(Debug)]\npub struct BorrowedUri\u003c's\u003e(fluent_uri::Uri\u003c\u0026's str\u003e);\n\nimpl BorrowedUri\u003c'_\u003e {\n    /// Turns this borrowed URI into an owned [`Uri`].\n    pub fn to_owned(\u0026self) -\u003e Uri {\n        Uri(self.0.to_owned())\n    }\n}\n\nimpl\u003c's\u003e Deref for BorrowedUri\u003c's\u003e {\n    type Target = fluent_uri::Uri\u003c\u0026's str\u003e;\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        \u0026self.0\n    }\n}\n\nimpl fmt::Display for BorrowedUri\u003c'_\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        self.0.fmt(f)\n    }\n}\n\nimpl Serialize for BorrowedUri\u003c'_\u003e {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        self.0.as_str().serialize(serializer)\n    }\n}\n\nimpl PartialEq for BorrowedUri\u003c'_\u003e {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        self.0.as_str().eq(other.0.as_str())\n    }\n}\nimpl Eq for BorrowedUri\u003c'_\u003e {}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":20,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":26,"address":[],"length":0,"stats":{"Line":0}},{"line":27,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":41,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":62,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":113,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":28},{"path":["/","home","stu","dev","rust","jose","target","debug","build","eyre-43034007078a440d","out","probe.rs"],"content":"\n    #![allow(dead_code)]\n\n    #[track_caller]\n    fn foo() {\n        let _location = std::panic::Location::caller();\n    }\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","target","debug","build","eyre-75120121d1e0e56e","out","probe.rs"],"content":"\n    #![allow(dead_code)]\n\n    #[track_caller]\n    fn foo() {\n        let _location = std::panic::Location::caller();\n    }\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","tests","common","mod.rs"],"content":"//! Common test helpers.\n\nuse serde_json::Value;\n\npub type TestResult\u003cT = ()\u003e = Result\u003cT, Box\u003cdyn std::error::Error\u003e\u003e;\n\n/// Reads a key file from the `tests/vectors/jwk` directory.\npub fn read_jwk(name: \u0026str) -\u003e TestResult\u003cValue\u003e {\n    let json = std::fs::read_to_string(format!(\n        \"{}/tests/vectors/jwk/{name}.json\",\n        env!(\"CARGO_MANIFEST_DIR\"),\n    ))?;\n    let key: Value = serde_json::from_str(\u0026json)?;\n\n    Ok(key)\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","tests","header.rs"],"content":"use jose::{\n    format::Compact,\n    header::{HeaderValue, Jws},\n    jwa::JsonWebSigningAlgorithm,\n    JoseHeader,\n};\n\n#[test]\nfn build_header() {\n    let builder = JoseHeader::\u003cCompact, Jws\u003e::builder();\n    let header = builder\n        .algorithm(HeaderValue::Protected(JsonWebSigningAlgorithm::None))\n        .build()\n        .unwrap();\n    assert_eq!(\n        header.algorithm(),\n        HeaderValue::Protected(\u0026JsonWebSigningAlgorithm::None)\n    );\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","tests","jwk.rs"],"content":"use jose::{\n    crypto::hmac,\n    jwa::{self, JsonWebAlgorithm},\n    jwk::{self, policy::Checkable, FromKey as _, Thumbprint as _},\n    Base64UrlString, JsonWebKey,\n};\nuse pretty_assertions::assert_eq;\nuse serde::{Deserialize, Serialize};\n\nuse crate::common::{read_jwk, TestResult};\n\nmod common;\n\nfn roundtrip(file: \u0026str, unsupported: bool, check: fn(\u0026JsonWebKey)) -\u003e TestResult {\n    let mut json_key = read_jwk(file)?;\n    let json_key_str = serde_json::to_string(\u0026json_key)?;\n\n    let jwk = match serde_json::from_value::\u003cJsonWebKey\u003e(json_key.clone()) {\n        Ok(..) if unsupported =\u003e panic!(\"Unsupported key type was successful\"),\n        Ok(jwk) =\u003e jwk,\n        Err(..) if unsupported =\u003e return Ok(()),\n        Err(e) =\u003e return Err(e.into()),\n    };\n    check(\u0026jwk);\n\n    // we want to deserialize the JWK from an owned value, and a borrowed value\n    let jwk_from_str = serde_json::from_str::\u003cJsonWebKey\u003e(\u0026json_key_str)?;\n    assert_eq!(jwk.key_type(), jwk_from_str.key_type());\n\n    let mut serialized = serde_json::to_value(\u0026jwk)?;\n    let mut serialized_from_str = serde_json::to_value(\u0026jwk_from_str)?;\n\n    // removes the field `name` from the given json value, mostly because some\n    // fields are serialized non-deterministic (key_ops), because the order is\n    // random\n    let remove_field = |value: \u0026mut serde_json::Value, name: \u0026str| {\n        if let Some(obj) = value.as_object_mut() {\n            obj.remove(name);\n        }\n    };\n\n    let mut remove_field_from_all = |name: \u0026str| {\n        remove_field(\u0026mut json_key, name);\n        remove_field(\u0026mut serialized, name);\n        remove_field(\u0026mut serialized_from_str, name);\n    };\n\n    remove_field_from_all(\"key_ops\");\n\n    assert_eq!(json_key, serialized);\n    assert_eq!(json_key, serialized_from_str);\n\n    // now try constructing a builder using this key, and check invalid\n    // algorithm\n    let err = JsonWebKey::builder(jwk.key_type().clone())\n        .algorithm(Some(JsonWebAlgorithm::Other(\"foo\".to_string())))\n        .build()\n        .unwrap_err();\n    assert!(matches!(\n        err,\n        jwk::JsonWebKeyBuildError::IncompatibleKeyType\n    ));\n\n    let err = jwk\n        .into_builder()\n        .algorithm(Some(JsonWebAlgorithm::Other(\"foo\".to_string())))\n        .build()\n        .unwrap_err();\n    assert!(matches!(\n        err,\n        jwk::JsonWebKeyBuildError::IncompatibleKeyType\n    ));\n\n    Ok(())\n}\n\nfn roundtrip_pair(\n    private: \u0026str,\n    public: \u0026str,\n    unsupported: bool,\n    check: fn(\u0026JsonWebKey),\n) -\u003e TestResult {\n    roundtrip(private, unsupported, check)?;\n    roundtrip(public, unsupported, check)?;\n\n    let private_key: JsonWebKey = serde_json::from_value(read_jwk(private)?)?;\n    let public_key: JsonWebKey = serde_json::from_value(read_jwk(public)?)?;\n\n    assert!(private_key.is_signing_key());\n    assert!(!public_key.is_signing_key());\n\n    assert!(!private_key.is_symmetric());\n    assert!(!public_key.is_symmetric());\n\n    assert!(private_key.is_asymmetric());\n    assert!(public_key.is_asymmetric());\n\n    let stripped = private_key.clone().strip_secret_material().unwrap();\n    assert_eq!(stripped.key_type(), public_key.key_type());\n\n    let stripped_from_public = public_key.clone().strip_secret_material().unwrap();\n    assert_eq!(stripped_from_public.key_type(), public_key.key_type());\n\n    let into_verifying = private_key.into_verifying_key();\n    assert_eq!(into_verifying.key_type(), public_key.key_type());\n\n    let public_into_verifying = public_key.clone().into_verifying_key();\n    assert_eq!(public_into_verifying.key_type(), public_key.key_type());\n\n    Ok(())\n}\n\nfn assert_thumbprint(jwk: \u0026JsonWebKey, sha256: \u0026str, sha384: \u0026str, sha512: \u0026str) {\n    let print_sha256 = Base64UrlString::encode(jwk.thumbprint_sha256());\n    assert_eq!(\u0026*print_sha256, sha256);\n\n    let print_sha384 = Base64UrlString::encode(jwk.thumbprint_sha384());\n    assert_eq!(\u0026*print_sha384, sha384);\n\n    let print_sha512 = Base64UrlString::encode(jwk.thumbprint_sha512());\n    assert_eq!(\u0026*print_sha512, sha512);\n}\n\npub mod roundtrip {\n    use jose::{jwa, jwk};\n    use pretty_assertions::assert_eq;\n\n    use crate::{assert_thumbprint, common::TestResult, roundtrip, roundtrip_pair};\n\n    #[test]\n    fn _3_1_and_2_ec() -\u003e TestResult {\n        roundtrip_pair(\n            \"3_2.ec_private_key\",\n            \"3_1.ec_public_key\",\n            // RustCrypto and ring do not support P-521 curve\n            cfg!(feature = \"crypto-rustcrypto\") || cfg!(feature = \"crypto-ring\"),\n            |jwk| {\n                assert_eq!(jwk.key_usage(), Some(\u0026jwk::KeyUsage::Signing));\n                assert_thumbprint(\n                    jwk,\n                    \"dHri3SADZkrush5HU_50AoRhcKFryN-PI6jPBtPL55M\",\n                    \"HncTFMje-quVjjwt2ufqfFb75ZwHLDh9M-VY4wJ9awQkfbu194TmVpeGbG6Ykb9b\",\n                    \"i8RIsIb6HVP2AO9o38HtraybJAP5veAfBIgynNUqpxlhuvq2UDgSA3JFgGgle1YvmCQDHllAn7MG52Idb8B4fA\"\n                );\n            },\n        )\n    }\n\n    #[test]\n    fn _3_3_and_4_rsa() -\u003e TestResult {\n        roundtrip_pair(\"3_4.rsa_private_key\", \"3_3.rsa_public_key\", false, |jwk| {\n            assert_thumbprint(\n                jwk,\n                \"9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI\",\n                \"iRBthSmwxk6o9pTGF6a9yLHohmMXSFRvKoN9rgcbOWFgLldwqED1DrOgDtLq5Q4R\",\n                \"FerGBUpYnzT0ptNAC7Y3qNpGINqILXdZ_9-Na3UkPUtDznnAChw7NWluNRjx-lmKDnuO1CpmIZL7e2bzRkQBew\",\n            );\n        })\n    }\n\n    #[test]\n    fn _3_5_symmetric_key_mac() -\u003e TestResult {\n        roundtrip(\"3_5.symmetric_key_mac_computation\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::Hmac::Hs256))\n            );\n\n            assert!(jwk.is_symmetric());\n            assert!(jwk.is_signing_key());\n\n            assert_eq!(jwk.key_type(), jwk.clone().into_verifying_key().key_type());\n\n            assert_thumbprint(\n                jwk,\n                \"RtoRur_1Dir5M4wuOfqNkDYOf9O_4RJ-aHkTA75RLA8\",\n                \"KG7sBEFjGfsIG21uR9cggZfOEIdKSvylcD7ndWgQsnG2k_5Wpw700r__c63SBBwf\",\n                \"EI4XUPoajddrVSS3fgSS6AcPt1uuacMmuYIi9i4A2CgjnWHuUV1qyNks84w03blKdF75HPSTJTJWgqRNEU_ZIg\"\n            );\n        })\n    }\n\n    #[test]\n    fn _3_6_symmetric_key_encryption() -\u003e TestResult {\n        roundtrip(\"3_6.symmetric_key_encryption\", false, |jwk| {\n            // NOTE: We do not support A256GCM as a JWK, because it's a one-time use\n            // session key, and must not be stored or reused\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::Other(\"A256GCM\".to_string()))\n            );\n            assert_eq!(jwk.key_usage(), Some(\u0026jwk::KeyUsage::Encryption));\n\n            assert_thumbprint(\n                jwk,\n                \"VDMp1ZgGGv1OKgOeDc1EUKHXNQzMdLkCnxPETHdA4v0\",\n                \"4YmDfp3zlozmoDxrRxpMBiU6XHA9X82IKNW3bWiitdnudrwmAiKOi4yWWj4fyeYm\",\n                \"FmHGxbagOqt0LS__rv4hIpgnQ9pAB7nDneYNPN9i1gHIbvJJILw-VyyYIP_RTgsOU7K683SdE5aeplCUqz4ZaA\"\n            );\n        })\n    }\n\n    #[test]\n    fn ed25519() -\u003e TestResult {\n        roundtrip_pair(\"ed25519\", \"ed25519.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(\n                    jwa::JsonWebSigningAlgorithm::EdDSA\n                ))\n            );\n\n            assert_thumbprint(\n                jwk,\n                \"IpNACexNZWO9hVeADtTT0Nvturu6OtMV3B4u1OVr1fU\",\n                \"NibgvGWph4nhazrZ1PcyRXYy55bdTotSDi1L4iE8gB0VtxDhh_a-du0fSnGExFwa\",\n                \"uS4j-x1iQUeF2a4a7M3iHZhPQGwyKgXU2Fh_GeNn9_uw_KAj1VTmNVenxTiFdDqcDHoWBemcLjioFY4slFbIZA\",\n            );\n        })\n    }\n\n    #[test]\n    fn rsa_enc_optional_parameters() -\u003e TestResult {\n        roundtrip(\"jwk_optional_parameters_rsa_enc.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::RsaesOaep::RsaesOaep))\n            );\n\n            assert_eq!(jwk.key_usage(), Some(\u0026jwk::KeyUsage::Encryption));\n            assert!(jwk.x509_certificate_sha1_thumbprint().is_some());\n            assert!(jwk.x509_certificate_sha256_thumbprint().is_some());\n\n            assert_thumbprint(\n                jwk,\n                \"ZwmJSHbFy5nl7WenHepIG5N9Rz16NH8SPGeqoZPTTuc\",\n                \"06f-mujFCZ0cUPKCgm0m7EuE0TW2mUmoQ0I519rD73v5JDAWti5QsuOX2PqTYuhV\",\n                \"EaW6WfYvQ5rauUmOYPZi82-ADGjmOb3Jz76jNVHUIQ_vA42s7CFve47jVTyb1n3UQbqLw3DDguD4u0wlFL4sbg\"\n            );\n        })\n    }\n\n    #[test]\n    fn rsa_sign_optional_parameters() -\u003e TestResult {\n        roundtrip(\"jwk_optional_parameters_rsa_sig.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::RsassaPkcs1V1_5::Rs256))\n            );\n\n            assert_eq!(jwk.key_usage(), Some(\u0026jwk::KeyUsage::Signing));\n            assert!(jwk.x509_certificate_sha1_thumbprint().is_some());\n            assert!(jwk.x509_certificate_sha256_thumbprint().is_some());\n\n            assert_thumbprint(\n                jwk,\n                \"bVeakRIe7OjtcR6E5FfkZvFAhEXfhIboYrcZ7OhZ1UY\",\n                \"_jnSoeQaW04m5PzXFnP7w2Zl_WFEop1UEKZ2vGHtQCdfsSqOkLhTbn2vyaDcMbHQ\",\n                \"cHiM1PMNsVve19_e5cfCiJqIMnQhYx0CkcvmiNCdwulCJ5B5ftaAvFYwr7_NQCMTQeXMcTKdbsP2a4mEKojPaQ\"\n            );\n        })\n    }\n\n    #[test]\n    fn rsa_with_key_ops_for_enc() -\u003e TestResult {\n        roundtrip(\"key_ops_rsa_enc.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::RsaesOaep::RsaesOaep))\n            );\n\n            let ops = jwk.key_operations().unwrap();\n\n            assert_eq!(ops.len(), 2);\n            assert!(ops.contains(\u0026jwk::KeyOperation::Encrypt));\n            assert!(ops.contains(\u0026jwk::KeyOperation::Decrypt));\n\n            assert_eq!(jwk.key_usage(), Some(\u0026jwk::KeyUsage::Encryption));\n\n            assert_thumbprint(\n                jwk,\n                \"ZwmJSHbFy5nl7WenHepIG5N9Rz16NH8SPGeqoZPTTuc\",\n                \"06f-mujFCZ0cUPKCgm0m7EuE0TW2mUmoQ0I519rD73v5JDAWti5QsuOX2PqTYuhV\",\n                \"EaW6WfYvQ5rauUmOYPZi82-ADGjmOb3Jz76jNVHUIQ_vA42s7CFve47jVTyb1n3UQbqLw3DDguD4u0wlFL4sbg\"\n            );\n        })\n    }\n\n    #[test]\n    fn p256() -\u003e TestResult {\n        roundtrip_pair(\"p256\", \"p256.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::EcDSA::Es256))\n            );\n\n            assert_thumbprint(\n                jwk,\n                \"6j1ImYAlN6DnVupozzN13UKnLR7BfEvngNmVl5bLlI0\",\n                \"u5W5WvG_wZc2u18HY0hqP48hVOOwytBz3BZzBimJl43SA3A4l-INFnhMNLEWL8a3\",\n                \"8fmi-z_V-FykWlKQAscDYj3I_uonEd2-0ChLqb7BwRJqnQiitQ9widx6Pk9ewMkhFk8NnBr1hCFa51kyrg7Pyw\"\n            );\n        })\n    }\n\n    #[test]\n    fn p384() -\u003e TestResult {\n        roundtrip_pair(\"p384\", \"p384.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::EcDSA::Es384))\n            );\n\n            assert_thumbprint(\n                jwk,\n                \"B_9VooM6jEuy9OvK_plFUDVADfKKnjCUPrqfc5Wtgq4\",\n                \"TXXx3K1KOHjCKWt_bY9cFZfsI9E8NUw8sK1xSOfd0jVgaBMiCP1hFvsxaamAQfK5\",\n                \"AtsWpt8bdnsqT49ovBfv67rhq_PB2eqnhvJ4F-uH-STeCZTVO97hWeEc0zGoOT18XtmHf_2o6ENmwIv9gcXyRQ\"\n            );\n        })\n    }\n\n    #[test]\n    #[cfg_attr(feature = \"crypto-ring\", ignore)]\n    fn secp256k1() -\u003e TestResult {\n        roundtrip_pair(\"k256\", \"k256.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::EcDSA::Es256K))\n            );\n\n            assert_thumbprint(\n                jwk,\n                \"i0H0zy_Zyc4g9gUfIU3ZgSk21eC_a9B-J_keq5eRVq4\",\n                \"NWo1frAmwhk6vYKYK0YCTpJWbgvI-EDV5ZvEFvA_7V4y6VRAG0l4Q_uNkFIiisuL\",\n                \"E1oJ78FUrNMsq66wi7AT8jIU4QUMoV_JnYiCqwy2vgDod7yDHMXLkweJ0Vhd1A1TJysPMFNr4Q8yVvQ4Q1fXKg\"\n            );\n        })\n    }\n\n    #[test]\n    fn rsa() -\u003e TestResult {\n        roundtrip_pair(\"rsa\", \"rsa.pub\", false, |jwk| {\n            assert_thumbprint(\n                jwk,\n                \"nYPs6qc5zj3VOVKr4yY-EzirO-AcdUl0JC5bcXKGE6Y\",\n                \"JhX_riWIrTLs3p7SnueDgpcO27pDgXh1xQOivPzOKsU3CaQgHoLgiKIinmb2CMoE\",\n                \"DQd_FsR8hTwlVrv3WGQP2E1KQejcBbJCFtqWy489xmmPm8LdNT91zYFX-yTghCtq2zutBGYY2mkwIWN-VQWYyQ\"\n            );\n        })\n    }\n\n    #[test]\n    #[cfg_attr(\n        any(\n            feature = \"crypto-ring\",\n            feature = \"crypto-aws-lc\",\n            feature = \"crypto-rustcrypto\"\n        ),\n        ignore\n    )]\n    fn ed448() -\u003e TestResult {\n        roundtrip_pair(\"ed448\", \"ed448.pub\", false, |jwk| {\n            assert_thumbprint(\n                jwk,\n                \"-K8d13H2SA_vuRYSxn05sQN4hAkeWXFt5XainSnkfZc\",\n                \"a_AWZk_w5qSm2XziCOKyHRLU1amUzTlbb1df8Q0JCx3bOaQp0YcLqdHS2Sbyw2PQ\",\n                \"qM1ai1zIZ-NRzbkOKxVkOY6DXVXmDWsSXMCQRRy7oIZEwRzQ0gQK5c-cruMkpyYcBs7ftQcofV_YXWfCdKhSWw\",\n            );\n        })\n    }\n}\n\n// TODO: test to ensure correct length of x, y, d\n\n#[test]\nfn deny_duplicates_key_operations() {\n    let key = r#\"\n{\n    \"key_ops\": [\"encrypt\", \"decrypt\", \"encrypt\"],\n    \"kty\": \"oct\",\n    \"alg\": \"HS256\",\n    \"k\": \"hJtXIZ2uSN5kbQfbtTNWbpdmhkV8FJG-Onbc6mxCcYg\"\n}\n\"#;\n\n    serde_json::from_str::\u003cJsonWebKey\u003e(key).unwrap_err();\n}\n\n#[test]\nfn deny_hmac_key_with_short_key() -\u003e TestResult {\n    let raw_key = r#\"{\"kty\": \"oct\", \"k\": \"QUFBQQ\"}\"#;\n    let key = serde_json::from_str::\u003cjwk::symmetric::OctetSequence\u003e(raw_key)?;\n\n    let hmac = hmac::Key::\u003chmac::Hs256\u003e::from_key(\u0026key, jwa::Hmac::Hs256.into());\n\n    assert!(matches!(\n        hmac.unwrap_err(),\n        jwk::symmetric::FromOctetSequenceError::InvalidLength\n    ));\n\n    Ok(())\n}\n\npub mod generate {\n    use jose::{\n        crypto::{\n            ec::{P256PrivateKey, P384PrivateKey, P521PrivateKey},\n            hmac, okp, rsa,\n        },\n        jwk::Thumbprint as _,\n    };\n\n    use crate::common::TestResult;\n\n    #[test]\n    #[cfg_attr(feature = \"crypto-ring\", ignore)]\n    fn ec_p256() -\u003e TestResult {\n        let p256 = P256PrivateKey::generate()?;\n        let p256_pub = p256.to_public_key();\n        assert_eq!(p256.thumbprint_sha256(), p256_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n\n    #[test]\n    #[cfg_attr(feature = \"crypto-ring\", ignore)]\n    fn ec_p384() -\u003e TestResult {\n        let p384 = P384PrivateKey::generate()?;\n        let p384_pub = p384.to_public_key();\n        assert_eq!(p384.thumbprint_sha256(), p384_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n\n    #[test]\n    #[cfg_attr(any(feature = \"crypto-rustcrypto\", feature = \"crypto-ring\"), ignore)]\n    fn ec_p521() -\u003e TestResult {\n        let p521 = P521PrivateKey::generate()?;\n        let p521_pub = p521.to_public_key();\n        assert_eq!(p521.thumbprint_sha256(), p521_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n\n    #[test]\n    #[cfg_attr(feature = \"crypto-ring\", ignore)]\n    fn rsa() -\u003e TestResult {\n        let rsa = rsa::PrivateKey::generate(4096)?;\n        let rsa_pub = rsa.to_public_key();\n        assert_eq!(rsa.thumbprint_sha256(), rsa_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n\n    #[test]\n    fn hmac() -\u003e TestResult {\n        let _hmac = hmac::Key::\u003chmac::Hs256\u003e::generate()?;\n        Ok(())\n    }\n\n    #[test]\n    #[cfg_attr(feature = \"crypto-ring\", ignore)]\n    fn ed25519() -\u003e TestResult {\n        let ed25519 = okp::PrivateKey::\u003cokp::Ed25519\u003e::generate()?;\n        let ed25519_pub = ed25519.to_public_key();\n        assert_eq!(ed25519.thumbprint_sha256(), ed25519_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n\n    #[test]\n    #[cfg_attr(\n        any(\n            feature = \"crypto-rustcrypto\",\n            feature = \"crypto-ring\",\n            feature = \"crypto-aws-lc\"\n        ),\n        ignore\n    )]\n    fn ed448() -\u003e TestResult {\n        let ed448 = okp::PrivateKey::\u003cokp::Ed448\u003e::generate()?;\n        let ed448_pub = ed448.to_public_key();\n        assert_eq!(ed448.thumbprint_sha256(), ed448_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n}\n\n#[test]\nfn convert_to_public_key() -\u003e TestResult {\n    let private_json = read_jwk(\"p256\")?;\n    let public_json = read_jwk(\"p256.pub\")?;\n\n    let private: JsonWebKey = serde_json::from_value(private_json)?;\n    let public: JsonWebKey = serde_json::from_value(public_json)?;\n\n    let public_converted = private.clone().into_verifying_key();\n    assert_eq!(public.key_type(), public_converted.key_type());\n\n    let public_converted = private.strip_secret_material().unwrap();\n    assert_eq!(public.key_type(), public_converted.key_type());\n\n    Ok(())\n}\n\n#[test]\nfn symmetric_key_can_not_strip_secret() -\u003e TestResult {\n    let key = read_jwk(\"3_5.symmetric_key_mac_computation\")?;\n    let key: JsonWebKey = serde_json::from_value(key)?;\n    assert!(key.strip_secret_material().is_none());\n\n    Ok(())\n}\n\n#[test]\nfn additional_properties() -\u003e TestResult {\n    #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]\n    struct Additional {\n        #[serde(rename = \"additional/one\")]\n        one: String,\n        another_additional: i32,\n    }\n\n    impl Checkable for Additional {\n        fn check\u003cP: jwk::policy::Policy\u003e(\n            self,\n            policy: P,\n        ) -\u003e Result\u003cjwk::policy::Checked\u003cSelf, P\u003e, (Self, P::Error)\u003e {\n            Ok(jwk::policy::Checked::new(self, policy))\n        }\n    }\n\n    let key = read_jwk(\"rsa_with_additional_props.pub\")?;\n    let key: JsonWebKey\u003cAdditional\u003e = serde_json::from_value(key)?;\n\n    assert_eq!(key.additional().one.as_str(), \"my rsa key\");\n    assert_eq!(key.additional().another_additional, 1);\n\n    let untyped = key.clone().into_untyped_additional()?;\n    assert_eq!(\n        untyped\n            .clone()\n            .deserialize_additional::\u003cAdditional\u003e()?\n            .additional(),\n        key.additional()\n    );\n\n    let untyped = untyped.additional();\n\n    assert_eq!(untyped[\"additional/one\"], \"my rsa key\");\n    assert_eq!(untyped[\"another_additional\"], 1);\n\n    let _checked = key.check(jwk::policy::StandardPolicy::new()).unwrap();\n\n    Ok(())\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","tests","jws.rs"],"content":"","traces":[],"covered":0,"coverable":0}]};
-        var previousData = {"files":[{"path":["/","home","stu","dev","rust","jose","build.rs"],"content":"use std::{env, process::exit};\n\nstruct CryptoBackend {\n    name: \u0026'static str,\n    feature: \u0026'static str,\n}\n\nconst ALL_BACKENDS: \u0026[CryptoBackend] = \u0026[\n    CryptoBackend {\n        name: \"RustCrypto\",\n        feature: \"crypto-rustcrypto\",\n    },\n    CryptoBackend {\n        name: \"OpenSSL\",\n        feature: \"crypto-openssl\",\n    },\n    CryptoBackend {\n        name: \"AWS-LC\",\n        feature: \"crypto-aws-lc\",\n    },\n    CryptoBackend {\n        name: \"ring\",\n        feature: \"crypto-ring\",\n    },\n];\n\nfn main() {\n    crypto_backends_check();\n\n    println!(\"cargo::rustc-check-cfg=cfg(openssl320)\");\n\n    // the nonce api for deterministic EcDSA signing is only possible on specific\n    // version\n    #[expect(clippy::unusual_byte_groupings)]\n    if let Ok(v) = env::var(\"DEP_OPENSSL_VERSION_NUMBER\") {\n        let version = u64::from_str_radix(\u0026v, 16).unwrap();\n\n        if version \u003e= 0x3_02_00_00_0 {\n            println!(\"cargo:rustc-cfg=openssl320\");\n        }\n    }\n}\n\nfn crypto_backends_check() {\n    let enabled = ALL_BACKENDS\n        .iter()\n        .filter(|backend| {\n            std::env::var(format!(\n                \"CARGO_FEATURE_{}\",\n                backend.feature.to_uppercase().replace(\"-\", \"_\")\n            ))\n            .is_ok()\n        })\n        .collect::\u003cVec\u003c_\u003e\u003e();\n\n    if enabled.is_empty() {\n        eprintln!(\n            \"No cryptographic backend selected.\n\n`jose` requires a cryptographic backend.  This backend \\\n             is selected at compile time using feature flags.\n\nSee https://github.com/minkan-chat/jose#crypto-backends\\\n             \"\n        );\n\n        exit(1);\n    } else if enabled.len() \u003e 1 {\n        eprintln!(\n            \"Multiple cryptographic backends selected.\n\n`jose` requires exactly one cryptographic backend. \\\n             Unfortunately, you have selected multiple backends:\n\n    {}\n\nSee https://github.com/minkan-chat/jose#crypto-backends\\\n             \",\n            enabled\n                .iter()\n                .map(|b| b.name)\n                .collect::\u003cVec\u003c_\u003e\u003e()\n                .join(\", \")\n        );\n\n        exit(1);\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","examples","basic-jwt","main.rs"],"content":"//! Simple program to generate, sign and verify a JsonWebToken (JWT)\n\nuse clap::Parser;\nuse clio::Input;\nuse eyre::eyre;\nuse jose::{\n    crypto::{\n        ec::P256PrivateKey,\n        hmac::{Hs256, Key as HmacKey},\n    },\n    format::{Compact, DecodeFormat},\n    jwk::{\n        policy::{Checkable, StandardPolicy},\n        IntoJsonWebKey, JwkSigner, JwkVerifier, KeyOperation,\n    },\n    jwt::Claims,\n    JsonWebKey, Jwt, UntypedAdditionalProperties,\n};\n\n#[derive(Parser)]\nenum Commands {\n    /// Generates a JsonWebKey\n    Generate {\n        /// Wheter or not it should be a symmetric secret or not\n        #[arg(short, long)]\n        symmetric: bool,\n    },\n    /// Signs a payload with a JsonWebKey\n    Sign {\n        /// Key used to sign the JsonWebToken\n        key: Input,\n        /// The claims that this JWT should contain\n        payload: Input,\n    },\n    /// Verifies a JsonWebToken with a JsonWebKey\n    Verify { jwt: String, key: Input },\n}\n\nfn main() -\u003e eyre::Result\u003c()\u003e {\n    let cmds = Commands::parse();\n\n    match cmds {\n        Commands::Generate { symmetric } =\u003e {\n            let key = match symmetric {\n                true =\u003e HmacKey::\u003cHs256\u003e::generate()?.into_jwk(Some(()))?,\n                false =\u003e P256PrivateKey::generate()?.into_jwk(Some(()))?,\n            };\n            // Key containing private/secret key\n            let private_key = key\n                .into_builder()\n                .key_operations(Some([KeyOperation::Sign, KeyOperation::Verify]))\n                .build()?;\n            println!(\"Private:\\n{}\", serde_json::to_string(\u0026private_key)?);\n\n            // If the key can be made public, do so and print it as well\n            if let Some(public) = private_key.strip_secret_material() {\n                println!(\"Public:\\n{}\", serde_json::to_string(\u0026public)?)\n            };\n        }\n        Commands::Sign { key, payload } =\u003e {\n            let key: JsonWebKey = serde_json::from_reader(key)?;\n            let payload: Claims\u003cUntypedAdditionalProperties\u003e = serde_json::from_reader(payload)?;\n            if !key.is_signing_key() {\n                return Err(eyre!(\"Key is not capable of signing\"));\n            }\n\n            let key = key\n                .check(StandardPolicy::default())\n                .map_err(|(_key, e)| e)?;\n            let mut signer: JwkSigner = key.try_into()?;\n\n            let jwt = Jwt::builder_jwt().build(payload)?;\n            let signed = jwt.sign(\u0026mut signer)?;\n            let encoded = signed.encode();\n            println!(\"JWT: {encoded}\");\n        }\n        Commands::Verify { jwt, key } =\u003e {\n            let key: JsonWebKey = serde_json::from_reader(key)?;\n            let key = key.check(StandardPolicy::default()).map_err(|(_, e)| e)?;\n            let mut verifier: JwkVerifier = key.try_into()?;\n            let encoded: Compact = jwt.parse()?;\n            let unverified_jwt = Jwt::\u003cUntypedAdditionalProperties\u003e::decode(encoded)?;\n            let jwt = unverified_jwt.verify(\u0026mut verifier)?;\n            let payload = jwt.payload();\n            println!(\n                \"JWT: Sub {:?}, {:?}:\",\n                payload.subject,\n                payload.additional.get(\"name\")\n            )\n        }\n    }\n    Ok(())\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","base64_url.rs"],"content":"//! Helpers for base64 urlsafe encoded stuff\n\nuse alloc::{borrow::ToOwned, string::String, vec::Vec};\nuse core::{fmt, ops::Deref, str::FromStr};\n\nuse base64ct::{Base64UrlUnpadded, Encoding};\nuse secrecy::{ExposeSecret as _, SecretSlice};\nuse serde::{de::Error, Deserialize, Deserializer, Serialize};\nuse thiserror::Error;\nuse zeroize::{Zeroize, Zeroizing};\n\n/// Error type indicating that one part of the compact\n/// representation was an invalid Base64Url string.\n#[derive(Debug, Clone, Copy, Error)]\n#[error(\"the string is not a valid Base64Url representation\")]\npub struct NoBase64UrlString;\n\n/// A wrapper around a [`String`] that guarantees that the inner string is a\n/// valid Base64Url string.\n#[derive(Debug, Clone, Hash, PartialEq, Eq, Serialize, Default)]\n#[repr(transparent)]\n#[serde(transparent)]\npub struct Base64UrlString(String);\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for Base64UrlString {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        let inner = String::deserialize(deserializer)?;\n        Base64UrlString::from_str(\u0026inner).map_err(D::Error::custom)\n    }\n}\n\nimpl fmt::Display for Base64UrlString {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Display::fmt(\u0026self.0, f)\n    }\n}\n\nimpl FromStr for Base64UrlString {\n    type Err = NoBase64UrlString;\n\n    fn from_str(s: \u0026str) -\u003e Result\u003cSelf, Self::Err\u003e {\n        // it is an expensive check.. yes\n        base64ct::Base64UrlUnpadded::decode_vec(s)\n            .map(|_| Self(s.to_owned()))\n            .map_err(|_| NoBase64UrlString)\n    }\n}\n\nimpl Base64UrlString {\n    /// Creates a new, empty Base64Url string.\n    #[inline]\n    pub const fn new() -\u003e Self {\n        Self(String::new())\n    }\n\n    /// Encode the given bytes using Base64Url format.\n    #[inline]\n    pub fn encode(x: impl AsRef\u003c[u8]\u003e) -\u003e Self {\n        Base64UrlString(Base64UrlUnpadded::encode_string(x.as_ref()))\n    }\n\n    /// Decodes this Base64Url string into it's raw byte representation.\n    #[inline]\n    pub fn decode(\u0026self) -\u003e Vec\u003cu8\u003e {\n        Base64UrlUnpadded::decode_vec(\u0026self.0)\n            .expect(\"Base64UrlString is guaranteed to be a valid base64 string\")\n    }\n\n    /// Return the inner string.\n    pub fn into_inner(self) -\u003e String {\n        self.0\n    }\n}\n\nimpl Deref for Base64UrlString {\n    type Target = str;\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        \u0026self.0\n    }\n}\n\n#[derive(Debug, PartialEq, Eq, Clone, Hash, Zeroize)]\npub(crate) struct Base64UrlBytes(pub(crate) Vec\u003cu8\u003e);\n\nimpl Serialize for Base64UrlBytes {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        let encoded = Base64UrlUnpadded::encode_string(\u0026self.0);\n        encoded.serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for Base64UrlBytes {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        let encoded = String::deserialize(deserializer)?;\n\n        let decoded = Base64UrlUnpadded::decode_vec(\u0026encoded)\n            .map_err(|_| D::Error::custom(\"encountered invalid Base64Url string\"))?;\n\n        Ok(Self(decoded))\n    }\n}\n\n#[derive(Debug, Clone, Zeroize)]\npub(crate) struct SecretBase64UrlBytes(pub(crate) SecretSlice\u003cu8\u003e);\n\nimpl Serialize for SecretBase64UrlBytes {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        let data = self.0.expose_secret();\n        let encoded = Zeroizing::new(Base64UrlUnpadded::encode_string(data));\n\n        encoded.serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for SecretBase64UrlBytes {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        let encoded = Zeroizing::new(String::deserialize(deserializer)?);\n\n        let decoded = Base64UrlUnpadded::decode_vec(\u0026encoded)\n            .map_err(|_| D::Error::custom(\"encountered invalid Base64Url string\"))?;\n\n        Ok(Self(SecretSlice::from(decoded)))\n    }\n}\n\n// TODO: test for correct length check and base64url parsing\n#[cfg(test)]\nmod tests {}\n","traces":[{"line":26,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":0}},{"line":31,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":37,"address":[],"length":0,"stats":{"Line":0}},{"line":44,"address":[],"length":0,"stats":{"Line":0}},{"line":46,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":63}},{"line":62,"address":[],"length":0,"stats":{"Line":63}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":81,"address":[],"length":0,"stats":{"Line":63}},{"line":82,"address":[],"length":0,"stats":{"Line":63}},{"line":90,"address":[],"length":0,"stats":{"Line":206}},{"line":94,"address":[],"length":0,"stats":{"Line":206}},{"line":95,"address":[],"length":0,"stats":{"Line":206}},{"line":100,"address":[],"length":0,"stats":{"Line":257}},{"line":104,"address":[],"length":0,"stats":{"Line":514}},{"line":106,"address":[],"length":0,"stats":{"Line":138}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":36}},{"line":121,"address":[],"length":0,"stats":{"Line":36}},{"line":122,"address":[],"length":0,"stats":{"Line":36}},{"line":124,"address":[],"length":0,"stats":{"Line":36}},{"line":129,"address":[],"length":0,"stats":{"Line":109}},{"line":133,"address":[],"length":0,"stats":{"Line":218}},{"line":135,"address":[],"length":0,"stats":{"Line":76}},{"line":136,"address":[],"length":0,"stats":{"Line":0}},{"line":138,"address":[],"length":0,"stats":{"Line":0}}],"covered":17,"coverable":36},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","dummy.rs"],"content":"//! This backend is a dummy backend, that will return an error for all\n//! methods.\n//!\n//! This is only used for testing purposes, to make the code compile.\n\nuse alloc::vec::Vec;\n\nuse secrecy::SecretSlice;\n\nuse super::interface;\nuse crate::crypto::Result;\n\n#[derive(Debug, thiserror::Error)]\n#[error(\"the dummy crypto backend does not support any operations\")]\npub(crate) struct Error;\n\n/// The dummy backend.\n#[derive(Debug)]\npub(crate) enum Backend {}\n\nimpl interface::Backend for Backend {\n    type EcPrivateKey = DummyKey;\n    type EcPublicKey = DummyKey;\n    type EdPrivateKey = DummyKey;\n    type EdPublicKey = DummyKey;\n    type Error = Error;\n    type HmacKey = DummyKey;\n    type RsaPrivateKey = DummyKey;\n    type RsaPublicKey = DummyKey;\n\n    fn fill_random(_buf: \u0026mut [u8]) -\u003e Result\u003c(), Self::Error\u003e {\n        Err(Error)\n    }\n\n    fn sha256(_: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n        panic!(\"The dummy backend does not support any operations\");\n    }\n\n    fn sha384(_: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n        panic!(\"The dummy backend does not support any operations\");\n    }\n\n    fn sha512(_: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n        panic!(\"The dummy backend does not support any operations\");\n    }\n}\n\n#[derive(Debug, Clone, PartialEq, Eq)]\npub(crate) struct DummyKey {\n    _private: (),\n}\n\nimpl interface::ec::PrivateKey for DummyKey {\n    type PublicKey = DummyKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn new(_alg: crate::jwa::EcDSA, _x: Vec\u003cu8\u003e, _y: Vec\u003cu8\u003e, _d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn generate(_: crate::jwa::EcDSA) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn private_material(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        unreachable!()\n    }\n\n    fn public_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        unreachable!()\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        unreachable!()\n    }\n\n    fn sign(\u0026mut self, _: \u0026[u8], _: bool) -\u003e Result\u003cSelf::Signature\u003e {\n        unreachable!()\n    }\n}\n\nimpl interface::ec::PublicKey for DummyKey {\n    fn new(_: crate::jwa::EcDSA, _: Vec\u003cu8\u003e, _: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn to_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        unreachable!()\n    }\n\n    fn verify(\u0026mut self, _: \u0026[u8], _: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        unreachable!()\n    }\n}\n\nimpl interface::okp::PrivateKey for DummyKey {\n    type PublicKey = DummyKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(_: interface::okp::CurveAlgorithm) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn new(_: interface::okp::CurveAlgorithm, _: Vec\u003cu8\u003e, _: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        unreachable!()\n    }\n\n    fn to_bytes(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        unreachable!()\n    }\n\n    fn sign(\u0026mut self, _: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        unreachable!()\n    }\n}\n\nimpl interface::okp::PublicKey for DummyKey {\n    fn new(_: interface::okp::CurveAlgorithm, _: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn to_bytes(\u0026self) -\u003e Vec\u003cu8\u003e {\n        unreachable!()\n    }\n\n    fn verify(\u0026mut self, _: \u0026[u8], _: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        unreachable!()\n    }\n}\n\nimpl interface::hmac::Key for DummyKey {\n    type Signature = Vec\u003cu8\u003e;\n\n    fn new(_: crate::jwa::Hmac, _: \u0026[u8]) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn sign(\u0026mut self, _: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        unreachable!()\n    }\n}\n\nimpl interface::rsa::PrivateKey for DummyKey {\n    type PublicKey = DummyKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(_: usize) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn from_components(\n        _: interface::rsa::PrivateKeyComponents,\n        _: interface::rsa::PublicKeyComponents,\n    ) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        unreachable!()\n    }\n\n    fn sign(\u0026mut self, _: crate::jwa::RsaSigning, _: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        unreachable!()\n    }\n\n    fn private_components(\u0026self) -\u003e Result\u003cinterface::rsa::PrivateKeyComponents\u003e {\n        unreachable!()\n    }\n\n    fn public_components(\u0026self) -\u003e interface::rsa::PublicKeyComponents {\n        unreachable!()\n    }\n}\n\nimpl interface::rsa::PublicKey for DummyKey {\n    fn from_components(_: interface::rsa::PublicKeyComponents) -\u003e Result\u003cSelf\u003e {\n        Err(Error.into())\n    }\n\n    fn verify(\n        \u0026mut self,\n        _alg: crate::jwa::RsaSigning,\n        _msg: \u0026[u8],\n        _signature: \u0026[u8],\n    ) -\u003e Result\u003cbool\u003e {\n        unreachable!()\n    }\n\n    fn components(\u0026self) -\u003e interface::rsa::PublicKeyComponents {\n        unreachable!()\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","interface","ec.rs"],"content":"//! The interfaces for EC keys.\n\nuse alloc::vec::Vec;\n\nuse secrecy::SecretSlice;\n\nuse crate::{crypto::Result, jwa};\n\n/// The common operations for a curve-generic EC public key.\npub(crate) trait PublicKey: Sized + Clone {\n    /// Creates a new public key from the given data.\n    fn new(alg: jwa::EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e;\n\n    /// Returns the (x, y) coordinates of the public key.\n    fn to_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e);\n\n    /// Verifies if the message is valid for the given signature and algorithm.\n    ///\n    /// Returns `true` if the signature is valid, `false` otherwise.\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e;\n}\n\n/// The common operations for a curve-generic EC private key.\npub(crate) trait PrivateKey: Sized + Clone {\n    /// The signature type that is produced by this key.\n    type Signature: Into\u003cVec\u003cu8\u003e\u003e + AsRef\u003c[u8]\u003e;\n\n    /// The public key type.\n    type PublicKey: PublicKey;\n\n    /// Creates a new private key from the given data.\n    fn new(alg: jwa::EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e;\n\n    /// Generates a new secure random private key.\n    fn generate(alg: jwa::EcDSA) -\u003e Result\u003cSelf\u003e;\n\n    /// Returns the private key material of this key.\n    fn private_material(\u0026self) -\u003e SecretSlice\u003cu8\u003e;\n\n    /// Returns the public part of this key, a (x, y) coordinates.\n    fn public_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e);\n\n    /// Returns the public key of this private key.\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey;\n\n    /// Signs the given data using this key.\n    ///\n    /// This operation **must** be re-usable, meaning this method can be\n    /// called multiple times with different data to sign.\n    ///\n    /// The `deterministic` flag indicates if the signature should be\n    /// deterministic, as according to [RFC 6979](https://www.rfc-editor.org/rfc/rfc6979).\n    fn sign(\u0026mut self, data: \u0026[u8], deterministic: bool) -\u003e Result\u003cSelf::Signature\u003e;\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","interface","hmac.rs"],"content":"//! The interfaces for HMAC.\n\nuse crate::{crypto::Result, jwa};\n\n/// The common operations for an HMAC key.\npub(crate) trait Key: Sized {\n    /// The signature type that is produced by this key.\n    type Signature: AsRef\u003c[u8]\u003e;\n\n    /// Creates a new key from the given data.\n    fn new(variant: jwa::Hmac, key: \u0026[u8]) -\u003e Result\u003cSelf\u003e;\n\n    /// Signs the given data using this key.\n    ///\n    /// This operation **must** be re-usable, meaning this method can be\n    /// called multiple times with different data to sign.\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e;\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","interface","okp.rs"],"content":"//! The interfaces for OKP/ED keys.\n\nuse alloc::vec::Vec;\n\nuse secrecy::SecretSlice;\n\nuse crate::crypto::Result;\n\n/// The common operations for a ED public key.\npub(crate) trait PublicKey: Sized + Clone {\n    /// Creates a new public key from the given data.\n    fn new(alg: CurveAlgorithm, x: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e;\n\n    /// Returns the encoded bytes for this public key.\n    fn to_bytes(\u0026self) -\u003e Vec\u003cu8\u003e;\n\n    /// Verifies if the message is valid for the given signature and algorithm.\n    ///\n    /// Returns `true` if the signature is valid, `false` otherwise.\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e;\n}\n\n/// The common operations for a ED private key.\npub(crate) trait PrivateKey: Sized + Clone {\n    /// The signature type that is produced by this key.\n    type Signature: Into\u003cVec\u003cu8\u003e\u003e + AsRef\u003c[u8]\u003e;\n\n    /// The public key type.\n    type PublicKey: PublicKey;\n\n    /// Generates a new secure random private key.\n    fn generate(alg: CurveAlgorithm) -\u003e Result\u003cSelf\u003e;\n\n    /// Creates a new private key from the given data.\n    fn new(alg: CurveAlgorithm, x: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e;\n\n    /// Returns the public key that belongs to this private key.\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey;\n\n    /// Returns the encoded bytes for this private key.\n    fn to_bytes(\u0026self) -\u003e SecretSlice\u003cu8\u003e;\n\n    /// Signs the given data using this key.\n    ///\n    /// This operation **must** be re-usable, meaning this method can be\n    /// called multiple times with different data to sign.\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e;\n}\n\n/// The different curve algorithm combinations that can be supported\n/// by a crypto backend.\n#[derive(Debug, Clone, Copy, PartialEq, Eq)]\npub(crate) enum CurveAlgorithm {\n    /// The Ed25519 curve.\n    Ed25519,\n    /// The Ed448 curve.\n    Ed448,\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","interface","rsa.rs"],"content":"//! The interfaces for RSA.\n\nuse alloc::vec::Vec;\n\nuse secrecy::SecretSlice;\n\nuse crate::{crypto::Result, jwa};\n\n/// Part of the [`PrivateKeyComponents`], which includes additional information\n/// about the prime numbers.\n#[derive(Clone)]\npub(crate) struct PrivateKeyPrimeComponents {\n    pub p: SecretSlice\u003cu8\u003e,\n    pub q: SecretSlice\u003cu8\u003e,\n    pub dp: SecretSlice\u003cu8\u003e,\n    pub dq: SecretSlice\u003cu8\u003e,\n    pub qi: SecretSlice\u003cu8\u003e,\n}\n\n/// The components of a private key.\n///\n/// All fields in this struct are of type `Vec\u003cu8\u003e` and are\n/// big integers represented in big endian bytes.\n#[derive(Clone)]\npub(crate) struct PrivateKeyComponents {\n    pub d: SecretSlice\u003cu8\u003e,\n    pub prime: PrivateKeyPrimeComponents,\n}\n\n/// The components of a public key.\n///\n/// All fields in this struct are of type `Vec\u003cu8\u003e` and are\n/// big integers represented in big endian bytes.\n#[derive(Clone, PartialEq, Eq)]\npub(crate) struct PublicKeyComponents {\n    pub n: Vec\u003cu8\u003e,\n    pub e: Vec\u003cu8\u003e,\n}\n\n/// The common operations for an RSA private key.\npub(crate) trait PrivateKey: Sized {\n    /// The signature type that is produced by this key.\n    type Signature: Into\u003cVec\u003cu8\u003e\u003e + AsRef\u003c[u8]\u003e;\n\n    /// The public key type.\n    type PublicKey: PublicKey;\n\n    /// Generates a new rsa private key with the given number of bits.\n    fn generate(bits: usize) -\u003e Result\u003cSelf\u003e;\n\n    /// Creates a new RSA private key from the given private \u0026 public key\n    /// components.\n    fn from_components(private: PrivateKeyComponents, public: PublicKeyComponents) -\u003e Result\u003cSelf\u003e;\n\n    /// Creates a new public key from this private key.\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey;\n\n    /// Returns the private key components.\n    fn private_components(\u0026self) -\u003e Result\u003cPrivateKeyComponents\u003e;\n\n    /// Returns the public key components.\n    fn public_components(\u0026self) -\u003e PublicKeyComponents;\n\n    /// Signs the given data using this key.\n    ///\n    /// This operation **must** be re-usable, meaning this method can be\n    /// called multiple times with different data to sign.\n    fn sign(\u0026mut self, alg: jwa::RsaSigning, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e;\n}\n\n/// The common operations for an RSA public key.\npub(crate) trait PublicKey: Sized {\n    /// Creates a new RSA public key from the given public key components.\n    fn from_components(components: PublicKeyComponents) -\u003e Result\u003cSelf\u003e;\n\n    /// Returns the public key components.\n    fn components(\u0026self) -\u003e PublicKeyComponents;\n\n    /// Verifies if the message is valid for the given signature and algorithm.\n    ///\n    /// Returns `true` if the signature is valid, `false` otherwise.\n    fn verify(\u0026mut self, alg: jwa::RsaSigning, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e;\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","interface.rs"],"content":"//! Common traits that define the API each backend must implement.\n\nuse core::{error, fmt};\n\npub(crate) mod ec;\npub(crate) mod hmac;\npub(crate) mod okp;\npub(crate) mod rsa;\n\n/// The backend trait that all backends must implement.\n///\n/// This trait is used to define some commonly used operations, like generating\n/// random data.\npub(crate) trait Backend {\n    /// The error type that is used by this backend.\n    type Error: fmt::Debug + fmt::Display + error::Error;\n\n    /// The HMAC key type.\n    type HmacKey: hmac::Key;\n\n    /// The RSA private key type.\n    type RsaPrivateKey: rsa::PrivateKey;\n\n    /// The RSA public key type.\n    type RsaPublicKey: rsa::PublicKey;\n\n    /// The EC public key type.\n    type EcPublicKey: ec::PublicKey;\n\n    /// The EC private key type.\n    type EcPrivateKey: ec::PrivateKey;\n\n    /// The ED public key type.\n    type EdPublicKey: okp::PublicKey;\n\n    /// The ED private key type.\n    type EdPrivateKey: okp::PrivateKey;\n\n    /// Fills the given buffer with random data.\n    fn fill_random(buf: \u0026mut [u8]) -\u003e Result\u003c(), Self::Error\u003e;\n\n    /// Performs a quick Sha256 of the given data.\n    fn sha256(data: \u0026[u8]) -\u003e [u8; 32];\n\n    /// Performs a quick Sha384 of the given data.\n    fn sha384(data: \u0026[u8]) -\u003e [u8; 48];\n\n    /// Performs a quick Sha512 of the given data.\n    fn sha512(data: \u0026[u8]) -\u003e [u8; 64];\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","openssl","ec.rs"],"content":"use alloc::vec::Vec;\n\nuse openssl::{\n    bn::{BigNum, BigNumContext},\n    ec::{EcGroup, EcKey},\n    ecdsa::EcdsaSig,\n    hash::MessageDigest,\n    md::Md,\n    md_ctx::MdCtx,\n    pkey::{PKey, Private, Public},\n    sign::Verifier,\n};\nuse secrecy::{ExposeSecret, SecretSlice};\n\nuse crate::{\n    crypto::{\n        backend::interface::ec,\n        ec::{coordinate_size, scalar_size},\n        Result,\n    },\n    jwa::{self, EcDSA},\n};\n\nfn ec_group(alg: jwa::EcDSA) -\u003e Result\u003cEcGroup\u003e {\n    let group = match alg {\n        EcDSA::Es256 =\u003e EcGroup::from_curve_name(openssl::nid::Nid::X9_62_PRIME256V1)?,\n        EcDSA::Es384 =\u003e EcGroup::from_curve_name(openssl::nid::Nid::SECP384R1)?,\n        EcDSA::Es512 =\u003e EcGroup::from_curve_name(openssl::nid::Nid::SECP521R1)?,\n        EcDSA::Es256K =\u003e EcGroup::from_curve_name(openssl::nid::Nid::SECP256K1)?,\n    };\n\n    Ok(group)\n}\n\nfn digest(alg: jwa::EcDSA) -\u003e MessageDigest {\n    match alg {\n        EcDSA::Es256 =\u003e MessageDigest::sha256(),\n        EcDSA::Es384 =\u003e MessageDigest::sha384(),\n        EcDSA::Es512 =\u003e MessageDigest::sha512(),\n        EcDSA::Es256K =\u003e MessageDigest::sha256(),\n    }\n}\n\n/// A low level private EC key.\n#[derive(Clone)]\npub(crate) struct PrivateKey {\n    alg: jwa::EcDSA,\n\n    key: PKey\u003cPrivate\u003e,\n    public_key: PKey\u003cPublic\u003e,\n\n    d: SecretSlice\u003cu8\u003e,\n    x: Vec\u003cu8\u003e,\n    y: Vec\u003cu8\u003e,\n}\n\nimpl ec::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(alg: jwa::EcDSA) -\u003e Result\u003cSelf\u003e {\n        let group = ec_group(alg)?;\n\n        let ec_key = EcKey::generate(\u0026group)?;\n        ec_key.check_key()?;\n\n        let public_point = ec_key.public_key();\n        let public_key = EcKey::from_public_key(\u0026group, public_point)?;\n\n        let mut x = BigNum::new()?;\n        let mut y = BigNum::new()?;\n        let mut ctx = BigNumContext::new()?;\n        public_point.affine_coordinates(\u0026group, \u0026mut x, \u0026mut y, \u0026mut ctx)?;\n\n        let coordinate_size = coordinate_size(alg) as i32;\n        Ok(Self {\n            alg,\n            public_key: PKey::from_ec_key(public_key)?,\n            d: SecretSlice::from(\n                ec_key\n                    .private_key()\n                    .to_vec_padded(scalar_size(alg) as i32)?,\n            ),\n            key: PKey::from_ec_key(ec_key)?,\n            x: x.to_vec_padded(coordinate_size)?,\n            y: y.to_vec_padded(coordinate_size)?,\n        })\n    }\n\n    fn new(alg: EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let group = ec_group(alg)?;\n\n        let d = BigNum::from_slice(d.expose_secret())?;\n        let x = BigNum::from_slice(\u0026x)?;\n        let y = BigNum::from_slice(\u0026y)?;\n\n        let public_key = EcKey::from_public_key_affine_coordinates(\u0026group, \u0026x, \u0026y)?;\n        public_key.check_key()?;\n\n        let key = EcKey::from_private_components(\u0026group, \u0026d, public_key.public_key())?;\n        key.check_key()?;\n\n        let coordinate_size = coordinate_size(alg) as i32;\n        Ok(Self {\n            alg,\n            key: PKey::from_ec_key(key.clone())?,\n            d: SecretSlice::from(key.private_key().to_vec_padded(scalar_size(alg) as i32)?),\n            public_key: PKey::from_ec_key(public_key)?,\n            x: x.to_vec_padded(coordinate_size)?,\n            y: y.to_vec_padded(coordinate_size)?,\n        })\n    }\n\n    fn private_material(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        self.d.clone()\n    }\n\n    #[inline]\n    fn public_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        (self.x.clone(), self.y.clone())\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            digest: digest(self.alg),\n            key: self.public_key.clone(),\n            x: self.x.clone(),\n            y: self.y.clone(),\n        }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8], deterministic: bool) -\u003e Result\u003cSelf::Signature\u003e {\n        let mut md_ctx = MdCtx::new()?;\n\n        let md = match self.alg {\n            EcDSA::Es256 =\u003e Md::sha256(),\n            EcDSA::Es384 =\u003e Md::sha384(),\n            EcDSA::Es512 =\u003e Md::sha512(),\n            EcDSA::Es256K =\u003e Md::sha256(),\n        };\n\n        #[allow(unused_variables)]\n        let pkey_ctx = md_ctx.digest_sign_init(Some(md), \u0026self.key)?;\n\n        if deterministic {\n            #[cfg(all(not(feature = \"crypto-aws-lc\"), openssl320))]\n            pkey_ctx.set_nonce_type(openssl::pkey_ctx::NonceType::DETERMINISTIC_K)?;\n\n            #[cfg(any(feature = \"crypto-aws-lc\", not(openssl320)))]\n            return Err(super::BackendError::Unsupported(\n                \"deterministic signing for EcDSA\".to_string(),\n            )\n            .into());\n        }\n\n        md_ctx.digest_update(data)?;\n\n        let mut der_sig = vec![];\n        md_ctx.digest_sign_final_to_vec(\u0026mut der_sig)?;\n\n        // the returned signature is in DER format, we need to convert it according\n        // to Section 3.4 of RFC 7518\n        let signature = EcdsaSig::from_der(\u0026der_sig)?;\n        let r = signature.r().to_vec_padded(32)?;\n        let s = signature.s().to_vec_padded(32)?;\n\n        let mut sig = Vec::with_capacity(r.len() + s.len());\n        sig.extend_from_slice(\u0026r);\n        sig.extend_from_slice(\u0026s);\n\n        Ok(sig)\n    }\n}\n\n/// A low level public EC key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    digest: MessageDigest,\n    key: PKey\u003cPublic\u003e,\n    x: Vec\u003cu8\u003e,\n    y: Vec\u003cu8\u003e,\n}\n\nimpl ec::PublicKey for PublicKey {\n    fn new(alg: EcDSA, raw_x: Vec\u003cu8\u003e, raw_y: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let group = ec_group(alg)?;\n\n        let x = BigNum::from_slice(\u0026raw_x)?;\n        let y = BigNum::from_slice(\u0026raw_y)?;\n\n        let public_key = EcKey::from_public_key_affine_coordinates(\u0026group, \u0026x, \u0026y)?;\n        public_key.check_key()?;\n        let key = PKey::from_ec_key(public_key)?;\n\n        let coordinate_size = coordinate_size(alg) as i32;\n        Ok(Self {\n            digest: digest(alg),\n            key,\n            x: x.to_vec_padded(coordinate_size)?,\n            y: y.to_vec_padded(coordinate_size)?,\n        })\n    }\n\n    fn to_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        (self.x.clone(), self.y.clone())\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        // the signature is r and s concatenated, but we need it in DER format for\n        // OpenSSL\n\n        let (r, s) = signature.split_at(signature.len() / 2);\n        let r = BigNum::from_slice(r)?;\n        let s = BigNum::from_slice(s)?;\n\n        let signature = EcdsaSig::from_private_components(r, s)?.to_der()?;\n\n        let mut verifier = Verifier::new(self.digest, \u0026self.key)?;\n        verifier.update(msg)?;\n        let valid = verifier.verify(\u0026signature)?;\n\n        Ok(valid)\n    }\n}\n","traces":[{"line":24,"address":[],"length":0,"stats":{"Line":31}},{"line":25,"address":[],"length":0,"stats":{"Line":62}},{"line":26,"address":[],"length":0,"stats":{"Line":11}},{"line":27,"address":[],"length":0,"stats":{"Line":7}},{"line":28,"address":[],"length":0,"stats":{"Line":7}},{"line":29,"address":[],"length":0,"stats":{"Line":6}},{"line":35,"address":[],"length":0,"stats":{"Line":52}},{"line":36,"address":[],"length":0,"stats":{"Line":52}},{"line":37,"address":[],"length":0,"stats":{"Line":18}},{"line":38,"address":[],"length":0,"stats":{"Line":12}},{"line":39,"address":[],"length":0,"stats":{"Line":12}},{"line":40,"address":[],"length":0,"stats":{"Line":10}},{"line":61,"address":[],"length":0,"stats":{"Line":3}},{"line":62,"address":[],"length":0,"stats":{"Line":6}},{"line":64,"address":[],"length":0,"stats":{"Line":3}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":3}},{"line":68,"address":[],"length":0,"stats":{"Line":3}},{"line":70,"address":[],"length":0,"stats":{"Line":3}},{"line":71,"address":[],"length":0,"stats":{"Line":3}},{"line":72,"address":[],"length":0,"stats":{"Line":3}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":3}},{"line":76,"address":[],"length":0,"stats":{"Line":3}},{"line":77,"address":[],"length":0,"stats":{"Line":3}},{"line":78,"address":[],"length":0,"stats":{"Line":3}},{"line":79,"address":[],"length":0,"stats":{"Line":3}},{"line":80,"address":[],"length":0,"stats":{"Line":3}},{"line":81,"address":[],"length":0,"stats":{"Line":3}},{"line":82,"address":[],"length":0,"stats":{"Line":3}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":3}},{"line":86,"address":[],"length":0,"stats":{"Line":3}},{"line":90,"address":[],"length":0,"stats":{"Line":14}},{"line":91,"address":[],"length":0,"stats":{"Line":28}},{"line":93,"address":[],"length":0,"stats":{"Line":14}},{"line":94,"address":[],"length":0,"stats":{"Line":14}},{"line":95,"address":[],"length":0,"stats":{"Line":14}},{"line":97,"address":[],"length":0,"stats":{"Line":14}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":100,"address":[],"length":0,"stats":{"Line":28}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":14}},{"line":104,"address":[],"length":0,"stats":{"Line":14}},{"line":105,"address":[],"length":0,"stats":{"Line":14}},{"line":106,"address":[],"length":0,"stats":{"Line":14}},{"line":107,"address":[],"length":0,"stats":{"Line":28}},{"line":108,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":14}},{"line":110,"address":[],"length":0,"stats":{"Line":14}},{"line":114,"address":[],"length":0,"stats":{"Line":8}},{"line":115,"address":[],"length":0,"stats":{"Line":8}},{"line":119,"address":[],"length":0,"stats":{"Line":8}},{"line":120,"address":[],"length":0,"stats":{"Line":8}},{"line":123,"address":[],"length":0,"stats":{"Line":38}},{"line":125,"address":[],"length":0,"stats":{"Line":38}},{"line":126,"address":[],"length":0,"stats":{"Line":38}},{"line":127,"address":[],"length":0,"stats":{"Line":38}},{"line":128,"address":[],"length":0,"stats":{"Line":38}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":133,"address":[],"length":0,"stats":{"Line":0}},{"line":136,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":138,"address":[],"length":0,"stats":{"Line":0}},{"line":139,"address":[],"length":0,"stats":{"Line":0}},{"line":143,"address":[],"length":0,"stats":{"Line":0}},{"line":147,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":158,"address":[],"length":0,"stats":{"Line":0}},{"line":159,"address":[],"length":0,"stats":{"Line":0}},{"line":163,"address":[],"length":0,"stats":{"Line":0}},{"line":164,"address":[],"length":0,"stats":{"Line":0}},{"line":165,"address":[],"length":0,"stats":{"Line":0}},{"line":185,"address":[],"length":0,"stats":{"Line":14}},{"line":186,"address":[],"length":0,"stats":{"Line":28}},{"line":188,"address":[],"length":0,"stats":{"Line":14}},{"line":189,"address":[],"length":0,"stats":{"Line":14}},{"line":191,"address":[],"length":0,"stats":{"Line":14}},{"line":192,"address":[],"length":0,"stats":{"Line":0}},{"line":193,"address":[],"length":0,"stats":{"Line":28}},{"line":199,"address":[],"length":0,"stats":{"Line":0}},{"line":200,"address":[],"length":0,"stats":{"Line":14}},{"line":204,"address":[],"length":0,"stats":{"Line":93}},{"line":205,"address":[],"length":0,"stats":{"Line":93}},{"line":208,"address":[],"length":0,"stats":{"Line":0}},{"line":212,"address":[],"length":0,"stats":{"Line":0}},{"line":213,"address":[],"length":0,"stats":{"Line":0}},{"line":214,"address":[],"length":0,"stats":{"Line":0}},{"line":216,"address":[],"length":0,"stats":{"Line":0}},{"line":218,"address":[],"length":0,"stats":{"Line":0}},{"line":219,"address":[],"length":0,"stats":{"Line":0}},{"line":220,"address":[],"length":0,"stats":{"Line":0}}],"covered":62,"coverable":92},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","openssl","hmac.rs"],"content":"use openssl::{\n    hash::MessageDigest,\n    pkey::{PKey, Private},\n    sign::Signer,\n};\n\nuse crate::{\n    crypto::{backend::interface::hmac, Result},\n    jwa,\n};\n\n/// A low level HMAC key.\npub(crate) struct Key {\n    inner: PKey\u003cPrivate\u003e,\n    digest: MessageDigest,\n}\n\nimpl hmac::Key for Key {\n    type Signature = Vec\u003cu8\u003e;\n\n    fn new(variant: jwa::Hmac, data: \u0026[u8]) -\u003e Result\u003cSelf\u003e {\n        Ok(Self {\n            digest: match variant {\n                jwa::Hmac::Hs256 =\u003e MessageDigest::sha256(),\n                jwa::Hmac::Hs384 =\u003e MessageDigest::sha384(),\n                jwa::Hmac::Hs512 =\u003e MessageDigest::sha512(),\n            },\n            inner: PKey::hmac(data)?,\n        })\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let mut signer = Signer::new(self.digest, \u0026self.inner)?;\n        signer.update(data)?;\n        let sig = signer.sign_to_vec()?;\n        Ok(sig)\n    }\n}\n","traces":[{"line":21,"address":[],"length":0,"stats":{"Line":1}},{"line":22,"address":[],"length":0,"stats":{"Line":1}},{"line":23,"address":[],"length":0,"stats":{"Line":1}},{"line":24,"address":[],"length":0,"stats":{"Line":1}},{"line":25,"address":[],"length":0,"stats":{"Line":0}},{"line":26,"address":[],"length":0,"stats":{"Line":0}},{"line":28,"address":[],"length":0,"stats":{"Line":1}},{"line":32,"address":[],"length":0,"stats":{"Line":0}},{"line":33,"address":[],"length":0,"stats":{"Line":0}},{"line":34,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}}],"covered":5,"coverable":11},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","openssl","okp.rs"],"content":"use openssl::{\n    pkey::{Id, PKey, Private, Public},\n    sign::{Signer, Verifier},\n};\nuse secrecy::{ExposeSecret, SecretSlice};\n\nuse crate::crypto::{backend::interface::okp, Result};\n\nfn id_from_alg(alg: okp::CurveAlgorithm) -\u003e Result\u003cId\u003e {\n    Ok(match alg {\n        okp::CurveAlgorithm::Ed25519 =\u003e Id::ED25519,\n        #[cfg(not(feature = \"crypto-aws-lc\"))]\n        okp::CurveAlgorithm::Ed448 =\u003e Id::ED448,\n        #[cfg(feature = \"crypto-aws-lc\")]\n        okp::CurveAlgorithm::Ed448 =\u003e {\n            return Err(super::BackendError::Unsupported(\"Ed448\".to_string()).into())\n        }\n    })\n}\n\n/// A low level private ED key.\n#[derive(Clone)]\npub(crate) struct PrivateKey {\n    key: PKey\u003cPrivate\u003e,\n    public_key: PKey\u003cPublic\u003e,\n\n    raw: SecretSlice\u003cu8\u003e,\n    raw_public_key: Vec\u003cu8\u003e,\n}\n\nimpl okp::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(alg: okp::CurveAlgorithm) -\u003e Result\u003cSelf\u003e {\n        let key = match alg {\n            okp::CurveAlgorithm::Ed25519 =\u003e PKey::generate_ed25519()?,\n            #[cfg(not(feature = \"crypto-aws-lc\"))]\n            okp::CurveAlgorithm::Ed448 =\u003e PKey::generate_ed448()?,\n            #[cfg(feature = \"crypto-aws-lc\")]\n            okp::CurveAlgorithm::Ed448 =\u003e {\n                return Err(super::BackendError::Unsupported(\"Ed448\".to_string()).into())\n            }\n        };\n\n        let raw_public_key = key.raw_public_key()?;\n        let public_key = PKey::public_key_from_raw_bytes(\u0026raw_public_key, id_from_alg(alg)?)?;\n\n        Ok(Self {\n            raw: SecretSlice::from(key.raw_private_key()?),\n            public_key,\n            key,\n            raw_public_key,\n        })\n    }\n\n    fn new(alg: okp::CurveAlgorithm, x: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let key_type = id_from_alg(alg)?;\n\n        let key = PKey::private_key_from_raw_bytes(d.expose_secret(), key_type)?;\n        let public_key = PKey::public_key_from_raw_bytes(\u0026x, key_type)?;\n\n        Ok(Self {\n            raw: SecretSlice::from(key.raw_private_key()?),\n            raw_public_key: public_key.raw_public_key()?,\n            public_key,\n            key,\n        })\n    }\n\n    #[inline]\n    fn to_bytes(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        self.raw.clone()\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        Self::PublicKey {\n            key: self.public_key.clone(),\n            raw: self.raw_public_key.clone(),\n        }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let mut signer = Signer::new_without_digest(\u0026self.key)?;\n        let sig = signer.sign_oneshot_to_vec(data)?;\n\n        Ok(sig)\n    }\n}\n\n/// A low level public ED key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    key: PKey\u003cPublic\u003e,\n    raw: Vec\u003cu8\u003e,\n}\n\nimpl okp::PublicKey for PublicKey {\n    fn new(alg: okp::CurveAlgorithm, x: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let key_type = id_from_alg(alg)?;\n        let key = PKey::public_key_from_raw_bytes(\u0026x, key_type)?;\n\n        Ok(Self {\n            raw: key.raw_public_key()?,\n            key,\n        })\n    }\n\n    fn to_bytes(\u0026self) -\u003e Vec\u003cu8\u003e {\n        self.raw.clone()\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        let mut verifier = Verifier::new_without_digest(\u0026self.key)?;\n        let valid = verifier.verify_oneshot(signature, msg)?;\n\n        Ok(valid)\n    }\n}\n","traces":[{"line":9,"address":[],"length":0,"stats":{"Line":14}},{"line":10,"address":[],"length":0,"stats":{"Line":14}},{"line":11,"address":[],"length":0,"stats":{"Line":7}},{"line":13,"address":[],"length":0,"stats":{"Line":7}},{"line":35,"address":[],"length":0,"stats":{"Line":2}},{"line":36,"address":[],"length":0,"stats":{"Line":4}},{"line":37,"address":[],"length":0,"stats":{"Line":1}},{"line":39,"address":[],"length":0,"stats":{"Line":1}},{"line":46,"address":[],"length":0,"stats":{"Line":2}},{"line":47,"address":[],"length":0,"stats":{"Line":4}},{"line":50,"address":[],"length":0,"stats":{"Line":2}},{"line":57,"address":[],"length":0,"stats":{"Line":6}},{"line":58,"address":[],"length":0,"stats":{"Line":12}},{"line":60,"address":[],"length":0,"stats":{"Line":6}},{"line":61,"address":[],"length":0,"stats":{"Line":6}},{"line":64,"address":[],"length":0,"stats":{"Line":6}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":6}},{"line":67,"address":[],"length":0,"stats":{"Line":6}},{"line":72,"address":[],"length":0,"stats":{"Line":4}},{"line":73,"address":[],"length":0,"stats":{"Line":4}},{"line":76,"address":[],"length":0,"stats":{"Line":22}},{"line":78,"address":[],"length":0,"stats":{"Line":22}},{"line":79,"address":[],"length":0,"stats":{"Line":22}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":6}},{"line":100,"address":[],"length":0,"stats":{"Line":12}},{"line":101,"address":[],"length":0,"stats":{"Line":6}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":6}},{"line":109,"address":[],"length":0,"stats":{"Line":48}},{"line":110,"address":[],"length":0,"stats":{"Line":48}},{"line":113,"address":[],"length":0,"stats":{"Line":0}},{"line":114,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}}],"covered":29,"coverable":37},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","openssl","rsa.rs"],"content":"use alloc::vec::Vec;\n\nuse openssl::{\n    bn::{BigNum, BigNumRef},\n    hash::MessageDigest,\n    pkey::{PKey, Private, Public},\n    rsa::{Padding, Rsa},\n    sign::{Signer, Verifier},\n};\nuse secrecy::{ExposeSecret, SecretSlice};\n\nuse crate::{\n    crypto::{backend::interface::rsa, Result},\n    jwa,\n};\n\nfn digest(alg: jwa::RsaSigning) -\u003e MessageDigest {\n    match alg {\n        jwa::RsaSigning::Pss(pss) =\u003e match pss {\n            jwa::RsassaPss::Ps256 =\u003e MessageDigest::sha256(),\n            jwa::RsassaPss::Ps384 =\u003e MessageDigest::sha384(),\n            jwa::RsassaPss::Ps512 =\u003e MessageDigest::sha512(),\n        },\n        jwa::RsaSigning::RsPkcs1V1_5(pkcs) =\u003e match pkcs {\n            jwa::RsassaPkcs1V1_5::Rs256 =\u003e MessageDigest::sha256(),\n            jwa::RsassaPkcs1V1_5::Rs384 =\u003e MessageDigest::sha384(),\n            jwa::RsassaPkcs1V1_5::Rs512 =\u003e MessageDigest::sha512(),\n        },\n    }\n}\n\n/// A low level private RSA key.\n#[derive(Clone)]\npub(crate) struct PrivateKey {\n    private_key: PKey\u003cPrivate\u003e,\n    public_key: PKey\u003cPublic\u003e,\n\n    private_data: Rsa\u003cPrivate\u003e,\n    public_data: Rsa\u003cPublic\u003e,\n}\n\nimpl rsa::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(bits: usize) -\u003e Result\u003cSelf\u003e {\n        let private_data = Rsa::generate(bits as u32)?;\n        let public_data = Rsa::from_public_components(\n            private_data.n().to_owned()?,\n            private_data.e().to_owned()?,\n        )?;\n\n        Ok(Self {\n            private_key: PKey::from_rsa(private_data.clone())?,\n            public_key: PKey::from_rsa(public_data.clone())?,\n            private_data,\n            public_data,\n        })\n    }\n\n    fn from_components(\n        pri: rsa::PrivateKeyComponents,\n        pu: rsa::PublicKeyComponents,\n    ) -\u003e Result\u003cSelf\u003e {\n        let n = BigNum::from_slice(\u0026pu.n)?;\n        let e = BigNum::from_slice(\u0026pu.e)?;\n\n        let d = BigNum::from_slice(pri.d.expose_secret())?;\n        let p = BigNum::from_slice(pri.prime.p.expose_secret())?;\n        let q = BigNum::from_slice(pri.prime.q.expose_secret())?;\n        let dp = BigNum::from_slice(pri.prime.dp.expose_secret())?;\n        let dq = BigNum::from_slice(pri.prime.dq.expose_secret())?;\n        let qi = BigNum::from_slice(pri.prime.qi.expose_secret())?;\n\n        let private_data = Rsa::from_private_components(n, e, d, p, q, dp, dq, qi)?;\n        private_data.check_key()?;\n\n        let n = BigNum::from_slice(\u0026pu.n)?;\n        let e = BigNum::from_slice(\u0026pu.e)?;\n        let public_data = Rsa::from_public_components(n, e)?;\n\n        Ok(Self {\n            private_key: PKey::from_rsa(private_data.clone())?,\n            public_key: PKey::from_rsa(public_data.clone())?,\n            private_data,\n            public_data,\n        })\n    }\n\n    fn sign(\u0026mut self, alg: jwa::RsaSigning, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let digest = digest(alg);\n        let mut signer = Signer::new(digest, \u0026self.private_key)?;\n\n        // FIXME: verify correct setting of parameters\n        match alg {\n            jwa::RsaSigning::Pss(..) =\u003e {\n                signer.set_rsa_mgf1_md(digest)?;\n                signer.set_rsa_padding(Padding::PKCS1_PSS)?;\n            }\n            jwa::RsaSigning::RsPkcs1V1_5(..) =\u003e {\n                signer.set_rsa_padding(Padding::PKCS1)?;\n            }\n        }\n\n        signer.update(data)?;\n        let sig = signer.sign_to_vec()?;\n        Ok(sig)\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            key: self.public_key.clone(),\n            data: self.public_data.clone(),\n        }\n    }\n\n    fn private_components(\u0026self) -\u003e Result\u003crsa::PrivateKeyComponents\u003e {\n        let err = || super::BackendError::NoPrimeData;\n        let map = |x: Option\u003c\u0026BigNumRef\u003e| x.map(|x| SecretSlice::from(x.to_vec())).ok_or_else(err);\n\n        let d = SecretSlice::from(self.private_data.d().to_vec());\n\n        let p = map(self.private_data.p())?;\n        let q = map(self.private_data.q())?;\n        let dp = map(self.private_data.dmp1())?;\n        let dq = map(self.private_data.dmq1())?;\n        let qi = map(self.private_data.iqmp())?;\n\n        Ok(rsa::PrivateKeyComponents {\n            d,\n            prime: rsa::PrivateKeyPrimeComponents { p, q, dp, dq, qi },\n        })\n    }\n\n    fn public_components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        let n = self.private_data.n().to_vec();\n        let e = self.private_data.e().to_vec();\n        rsa::PublicKeyComponents { n, e }\n    }\n}\n\n/// A low level public RSA key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    key: PKey\u003cPublic\u003e,\n    data: Rsa\u003cPublic\u003e,\n}\n\nimpl rsa::PublicKey for PublicKey {\n    fn from_components(c: rsa::PublicKeyComponents) -\u003e Result\u003cSelf\u003e {\n        let n = BigNum::from_slice(\u0026c.n)?;\n        let e = BigNum::from_slice(\u0026c.e)?;\n        let data = Rsa::from_public_components(n, e)?;\n\n        Ok(Self {\n            key: PKey::from_rsa(data.clone())?,\n            data,\n        })\n    }\n\n    fn verify(\u0026mut self, alg: jwa::RsaSigning, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        let digest = digest(alg);\n        let mut verifier = Verifier::new(digest, \u0026self.key)?;\n\n        // FIXME: verify correct setting of parameters\n        match alg {\n            jwa::RsaSigning::Pss(..) =\u003e {\n                verifier.set_rsa_mgf1_md(digest)?;\n                verifier.set_rsa_padding(Padding::PKCS1_PSS)?;\n            }\n            jwa::RsaSigning::RsPkcs1V1_5(..) =\u003e {\n                verifier.set_rsa_padding(Padding::PKCS1)?;\n            }\n        }\n\n        verifier.update(msg)?;\n        let valid = verifier.verify(signature)?;\n        Ok(valid)\n    }\n\n    fn components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        rsa::PublicKeyComponents {\n            n: self.data.n().to_vec(),\n            e: self.data.e().to_vec(),\n        }\n    }\n}\n","traces":[{"line":17,"address":[],"length":0,"stats":{"Line":0}},{"line":18,"address":[],"length":0,"stats":{"Line":0}},{"line":19,"address":[],"length":0,"stats":{"Line":0}},{"line":20,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}},{"line":24,"address":[],"length":0,"stats":{"Line":0}},{"line":25,"address":[],"length":0,"stats":{"Line":0}},{"line":26,"address":[],"length":0,"stats":{"Line":0}},{"line":27,"address":[],"length":0,"stats":{"Line":0}},{"line":46,"address":[],"length":0,"stats":{"Line":1}},{"line":47,"address":[],"length":0,"stats":{"Line":2}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":50,"address":[],"length":0,"stats":{"Line":1}},{"line":54,"address":[],"length":0,"stats":{"Line":0}},{"line":55,"address":[],"length":0,"stats":{"Line":1}},{"line":56,"address":[],"length":0,"stats":{"Line":1}},{"line":57,"address":[],"length":0,"stats":{"Line":1}},{"line":61,"address":[],"length":0,"stats":{"Line":6}},{"line":65,"address":[],"length":0,"stats":{"Line":12}},{"line":66,"address":[],"length":0,"stats":{"Line":6}},{"line":68,"address":[],"length":0,"stats":{"Line":6}},{"line":69,"address":[],"length":0,"stats":{"Line":6}},{"line":70,"address":[],"length":0,"stats":{"Line":6}},{"line":71,"address":[],"length":0,"stats":{"Line":6}},{"line":72,"address":[],"length":0,"stats":{"Line":6}},{"line":73,"address":[],"length":0,"stats":{"Line":6}},{"line":75,"address":[],"length":0,"stats":{"Line":6}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":12}},{"line":79,"address":[],"length":0,"stats":{"Line":6}},{"line":80,"address":[],"length":0,"stats":{"Line":6}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":6}},{"line":85,"address":[],"length":0,"stats":{"Line":6}},{"line":86,"address":[],"length":0,"stats":{"Line":6}},{"line":90,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":16}},{"line":112,"address":[],"length":0,"stats":{"Line":16}},{"line":113,"address":[],"length":0,"stats":{"Line":16}},{"line":117,"address":[],"length":0,"stats":{"Line":4}},{"line":118,"address":[],"length":0,"stats":{"Line":4}},{"line":119,"address":[],"length":0,"stats":{"Line":64}},{"line":121,"address":[],"length":0,"stats":{"Line":4}},{"line":123,"address":[],"length":0,"stats":{"Line":8}},{"line":124,"address":[],"length":0,"stats":{"Line":4}},{"line":125,"address":[],"length":0,"stats":{"Line":4}},{"line":126,"address":[],"length":0,"stats":{"Line":4}},{"line":127,"address":[],"length":0,"stats":{"Line":4}},{"line":135,"address":[],"length":0,"stats":{"Line":4}},{"line":136,"address":[],"length":0,"stats":{"Line":4}},{"line":137,"address":[],"length":0,"stats":{"Line":4}},{"line":150,"address":[],"length":0,"stats":{"Line":13}},{"line":151,"address":[],"length":0,"stats":{"Line":26}},{"line":152,"address":[],"length":0,"stats":{"Line":13}},{"line":153,"address":[],"length":0,"stats":{"Line":13}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":157,"address":[],"length":0,"stats":{"Line":13}},{"line":161,"address":[],"length":0,"stats":{"Line":0}},{"line":162,"address":[],"length":0,"stats":{"Line":0}},{"line":163,"address":[],"length":0,"stats":{"Line":0}},{"line":168,"address":[],"length":0,"stats":{"Line":0}},{"line":169,"address":[],"length":0,"stats":{"Line":0}},{"line":172,"address":[],"length":0,"stats":{"Line":0}},{"line":176,"address":[],"length":0,"stats":{"Line":0}},{"line":177,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":63}},{"line":183,"address":[],"length":0,"stats":{"Line":63}},{"line":184,"address":[],"length":0,"stats":{"Line":63}}],"covered":45,"coverable":76},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","openssl.rs"],"content":"//! This backend implements the primitives using the [OpenSSL](openssl) library.\n\nuse thiserror::Error;\n\nuse super::interface;\n\npub(crate) mod ec;\npub(crate) mod hmac;\npub(crate) mod okp;\npub(crate) mod rsa;\n\n#[allow(dead_code)] // may occurr when selecting different OpenSSL variant\n#[derive(Debug, Error)]\npub(crate) enum BackendError {\n    /// An error from the OpenSSL library.\n    #[error(transparent)]\n    OpenSsl(#[from] openssl::error::ErrorStack),\n\n    /// No prime data was found in private key\n    #[error(\"No prime data was found in private key\")]\n    NoPrimeData,\n\n    /// A specific feature is not supported\n    #[error(\"openssl variant does not support feature: {0}\")]\n    Unsupported(String),\n}\n\n/// The [RustCrypto] based backend.\n///\n/// [RustCrypto]: https://github.com/RustCrypto\n#[derive(Debug)]\npub(crate) enum Backend {}\n\nimpl interface::Backend for Backend {\n    type EcPrivateKey = ec::PrivateKey;\n    type EcPublicKey = ec::PublicKey;\n    type EdPrivateKey = okp::PrivateKey;\n    type EdPublicKey = okp::PublicKey;\n    type Error = BackendError;\n    type HmacKey = hmac::Key;\n    type RsaPrivateKey = rsa::PrivateKey;\n    type RsaPublicKey = rsa::PublicKey;\n\n    fn fill_random(buf: \u0026mut [u8]) -\u003e Result\u003c(), Self::Error\u003e {\n        openssl::rand::rand_bytes(buf)?;\n        Ok(())\n    }\n\n    fn sha256(data: \u0026[u8]) -\u003e [u8; 32] {\n        openssl::sha::sha256(data)\n    }\n\n    fn sha384(data: \u0026[u8]) -\u003e [u8; 48] {\n        openssl::sha::sha384(data)\n    }\n\n    fn sha512(data: \u0026[u8]) -\u003e [u8; 64] {\n        openssl::sha::sha512(data)\n    }\n}\n","traces":[{"line":44,"address":[],"length":0,"stats":{"Line":1}},{"line":45,"address":[],"length":0,"stats":{"Line":1}},{"line":46,"address":[],"length":0,"stats":{"Line":1}},{"line":49,"address":[],"length":0,"stats":{"Line":33}},{"line":50,"address":[],"length":0,"stats":{"Line":33}},{"line":53,"address":[],"length":0,"stats":{"Line":21}},{"line":54,"address":[],"length":0,"stats":{"Line":21}},{"line":57,"address":[],"length":0,"stats":{"Line":21}},{"line":58,"address":[],"length":0,"stats":{"Line":21}}],"covered":9,"coverable":9},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","ring","ec.rs"],"content":"use alloc::{boxed::Box, vec::Vec};\n\nuse ring::{\n    rand::SystemRandom,\n    signature::{self, EcdsaKeyPair, UnparsedPublicKey},\n};\nuse secrecy::{ExposeSecret as _, SecretSlice};\n\nuse crate::{\n    crypto::{backend::interface::ec, Result},\n    jwa::{self, EcDSA},\n};\n\n/// Converts x and y coordinates to a sequence that is compatible\n/// with the \"Octet-String-to-Elliptic-Curve-Point Conversion\" algorithm\n/// defined in Section 2.3.4 of https://www.secg.org/sec1-v2.pdf\nfn make_public_key(x: \u0026[u8], y: \u0026[u8]) -\u003e Vec\u003cu8\u003e {\n    let mut pubkey = Vec::with_capacity(x.len() + y.len() + 1);\n    pubkey.push(0x04); // uncompressed point\n    pubkey.extend_from_slice(x);\n    pubkey.extend_from_slice(y);\n    pubkey\n}\n\npub(crate) struct PrivateKeyData {\n    key: EcdsaKeyPair,\n    private_material: SecretSlice\u003cu8\u003e,\n\n    pub_key: UnparsedPublicKey\u003cVec\u003cu8\u003e\u003e,\n    x: Vec\u003cu8\u003e,\n    y: Vec\u003cu8\u003e,\n}\n\n/// A low level private EC key.\npub(crate) struct PrivateKey {\n    alg: \u0026'static signature::EcdsaSigningAlgorithm,\n    data: Box\u003cPrivateKeyData\u003e,\n}\n\nimpl Clone for PrivateKey {\n    fn clone(\u0026self) -\u003e Self {\n        Self {\n            alg: self.alg,\n            data: Box::new(PrivateKeyData {\n                key: EcdsaKeyPair::from_private_key_and_public_key(\n                    self.alg,\n                    self.data.private_material.expose_secret(),\n                    self.data.pub_key.as_ref(),\n                    \u0026SystemRandom::new(),\n                )\n                .expect(\"this method was already successful with the exact same data\"),\n                private_material: self.data.private_material.clone(),\n                pub_key: self.data.pub_key.clone(),\n                x: self.data.x.clone(),\n                y: self.data.y.clone(),\n            }),\n        }\n    }\n}\n\nimpl ec::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(_alg: jwa::EcDSA) -\u003e Result\u003cSelf\u003e {\n        Err(super::BackendError::Unsupported(\"EcDSA key generation\").into())\n    }\n\n    fn new(alg: EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let (sign_alg, verify_alg) = match alg {\n            EcDSA::Es256 =\u003e (\n                \u0026signature::ECDSA_P256_SHA256_FIXED_SIGNING,\n                \u0026signature::ECDSA_P256_SHA256_FIXED,\n            ),\n            EcDSA::Es384 =\u003e (\n                \u0026signature::ECDSA_P384_SHA384_FIXED_SIGNING,\n                \u0026signature::ECDSA_P384_SHA384_FIXED,\n            ),\n            EcDSA::Es512 =\u003e return Err(super::BackendError::UnsupportedCurve(\"P-521\").into()),\n            EcDSA::Es256K =\u003e return Err(super::BackendError::UnsupportedCurve(\"secp256k1\").into()),\n        };\n\n        let rng = SystemRandom::new();\n        let pubkey = make_public_key(\u0026x, \u0026y);\n\n        let keypair = EcdsaKeyPair::from_private_key_and_public_key(\n            sign_alg,\n            d.expose_secret(),\n            \u0026pubkey,\n            \u0026rng,\n        )?;\n\n        Ok(Self {\n            alg: sign_alg,\n            data: Box::new(PrivateKeyData {\n                key: keypair,\n                private_material: d,\n                pub_key: UnparsedPublicKey::new(verify_alg, pubkey),\n                x,\n                y,\n            }),\n        })\n    }\n\n    fn private_material(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        self.data.private_material.clone()\n    }\n\n    #[inline]\n    fn public_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        (self.data.x.clone(), self.data.y.clone())\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            inner: self.data.pub_key.clone(),\n            x: self.data.x.clone(),\n            y: self.data.y.clone(),\n        }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8], deterministic: bool) -\u003e Result\u003cSelf::Signature\u003e {\n        if deterministic {\n            return Err(super::BackendError::Unsupported(\"deterministic EcDSA signing\").into());\n        }\n\n        let sig = self.data.key.sign(\u0026SystemRandom::new(), data)?;\n        Ok(sig.as_ref().to_vec())\n    }\n}\n\n/// A low level public EC key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    inner: UnparsedPublicKey\u003cVec\u003cu8\u003e\u003e,\n    x: Vec\u003cu8\u003e,\n    y: Vec\u003cu8\u003e,\n}\n\nimpl ec::PublicKey for PublicKey {\n    fn new(alg: EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let verify_alg = match alg {\n            EcDSA::Es256 =\u003e \u0026signature::ECDSA_P256_SHA256_FIXED,\n            EcDSA::Es384 =\u003e \u0026signature::ECDSA_P384_SHA384_FIXED,\n            EcDSA::Es512 =\u003e return Err(super::BackendError::UnsupportedCurve(\"P-521\").into()),\n            EcDSA::Es256K =\u003e return Err(super::BackendError::UnsupportedCurve(\"secp256k1\").into()),\n        };\n\n        let pubkey = UnparsedPublicKey::new(verify_alg, make_public_key(\u0026x, \u0026y));\n        Ok(Self {\n            inner: pubkey,\n            x,\n            y,\n        })\n    }\n\n    fn to_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        (self.x.clone(), self.y.clone())\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        Ok(self.inner.verify(msg, signature).is_ok())\n    }\n}\n","traces":[{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":2},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","ring","hmac.rs"],"content":"use ring::hmac::Key as RingKey;\n\nuse crate::{\n    crypto::{backend::interface::hmac, Result},\n    jwa,\n};\n\n/// A low level HMAC key.\n#[repr(transparent)]\npub(crate) struct Key {\n    inner: RingKey,\n}\n\nimpl hmac::Key for Key {\n    type Signature = ring::hmac::Tag;\n\n    fn new(variant: jwa::Hmac, data: \u0026[u8]) -\u003e Result\u003cSelf\u003e {\n        let key = match variant {\n            jwa::Hmac::Hs256 =\u003e RingKey::new(ring::hmac::HMAC_SHA256, data),\n            jwa::Hmac::Hs384 =\u003e RingKey::new(ring::hmac::HMAC_SHA384, data),\n            jwa::Hmac::Hs512 =\u003e RingKey::new(ring::hmac::HMAC_SHA512, data),\n        };\n\n        Ok(Self { inner: key })\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        Ok(ring::hmac::sign(\u0026self.inner, data))\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","ring","okp.rs"],"content":"use alloc::vec::Vec;\n\nuse ring::signature::{Ed25519KeyPair, KeyPair as _, UnparsedPublicKey};\nuse secrecy::{ExposeSecret, SecretSlice};\n\nuse crate::crypto::{backend::interface::okp, Result};\n\n/// A low level public ED key.\npub(crate) struct PrivateKey {\n    inner: Ed25519KeyPair,\n    d: SecretSlice\u003cu8\u003e,\n}\n\nimpl Clone for PrivateKey {\n    fn clone(\u0026self) -\u003e Self {\n        Self {\n            inner: Ed25519KeyPair::from_seed_and_public_key(\n                self.d.expose_secret(),\n                self.inner.public_key().as_ref(),\n            )\n            .expect(\"this method was already successful with the exact same data\"),\n            d: self.d.clone(),\n        }\n    }\n}\n\nimpl okp::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(_alg: okp::CurveAlgorithm) -\u003e Result\u003cSelf\u003e {\n        Err(super::BackendError::Unsupported(\"Ed25519 key generation\").into())\n    }\n\n    fn new(alg: okp::CurveAlgorithm, x: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        if alg != okp::CurveAlgorithm::Ed25519 {\n            return Err(super::BackendError::UnsupportedCurve(\"Ed2559\").into());\n        }\n\n        let key = Ed25519KeyPair::from_seed_and_public_key(d.expose_secret(), \u0026x)?;\n\n        Ok(Self { inner: key, d })\n    }\n\n    fn to_bytes(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        self.d.clone()\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            inner: UnparsedPublicKey::new(\n                \u0026ring::signature::ED25519,\n                self.inner.public_key().as_ref().to_vec(),\n            ),\n        }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let sig = self.inner.sign(data);\n        Ok(sig.as_ref().to_vec())\n    }\n}\n\n/// A low level public ED key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    inner: UnparsedPublicKey\u003cVec\u003cu8\u003e\u003e,\n}\n\nimpl okp::PublicKey for PublicKey {\n    fn new(alg: okp::CurveAlgorithm, x: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        if alg != okp::CurveAlgorithm::Ed25519 {\n            return Err(super::BackendError::UnsupportedCurve(\"Ed2559\").into());\n        }\n\n        let key = UnparsedPublicKey::new(\u0026ring::signature::ED25519, x);\n        Ok(Self { inner: key })\n    }\n\n    fn to_bytes(\u0026self) -\u003e Vec\u003cu8\u003e {\n        self.inner.as_ref().to_vec()\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        Ok(self.inner.verify(msg, signature).is_ok())\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","ring","rsa.rs"],"content":"use alloc::{vec, vec::Vec};\n\nuse ring::{\n    rand::SystemRandom,\n    rsa::{KeyPair, KeyPairComponents, PublicKeyComponents, RsaParameters},\n    signature::RsaEncoding,\n};\nuse secrecy::ExposeSecret;\n\nuse crate::{\n    crypto::{backend::interface::rsa, Result},\n    jwa::{self, RsaSigning, RsassaPkcs1V1_5, RsassaPss},\n};\n\n/// A low level private RSA key.\npub(crate) struct PrivateKey {\n    inner: KeyPair,\n\n    // store this data, as ring doesn't provide a way to access it\n    private_components: rsa::PrivateKeyComponents,\n    public_components: rsa::PublicKeyComponents,\n}\n\nimpl Clone for PrivateKey {\n    fn clone(\u0026self) -\u003e Self {\n        let pri = \u0026self.private_components;\n        let pu = \u0026self.public_components;\n        let components = KeyPairComponents {\n            public_key: PublicKeyComponents { n: \u0026pu.n, e: \u0026pu.e },\n            d: pri.d.expose_secret(),\n            p: pri.prime.p.expose_secret(),\n            q: pri.prime.q.expose_secret(),\n            dP: pri.prime.dp.expose_secret(),\n            dQ: pri.prime.dq.expose_secret(),\n            qInv: pri.prime.qi.expose_secret(),\n        };\n\n        Self {\n            inner: KeyPair::from_components(\u0026components)\n                .expect(\"this method was already successful with the exact same data\"),\n            private_components: self.private_components.clone(),\n            public_components: self.public_components.clone(),\n        }\n    }\n}\n\nimpl rsa::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(_bits: usize) -\u003e Result\u003cSelf\u003e {\n        Err(super::BackendError::Unsupported(\"RSA key generation\").into())\n    }\n\n    fn sign(\u0026mut self, alg: jwa::RsaSigning, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let padding_alg: \u0026'static dyn RsaEncoding = match alg {\n            RsaSigning::Pss(pss) =\u003e match pss {\n                RsassaPss::Ps256 =\u003e \u0026ring::signature::RSA_PSS_SHA256,\n                RsassaPss::Ps384 =\u003e \u0026ring::signature::RSA_PSS_SHA384,\n                RsassaPss::Ps512 =\u003e \u0026ring::signature::RSA_PSS_SHA512,\n            },\n            RsaSigning::RsPkcs1V1_5(pkcs) =\u003e match pkcs {\n                RsassaPkcs1V1_5::Rs256 =\u003e \u0026ring::signature::RSA_PKCS1_SHA512,\n                RsassaPkcs1V1_5::Rs384 =\u003e \u0026ring::signature::RSA_PKCS1_SHA384,\n                RsassaPkcs1V1_5::Rs512 =\u003e \u0026ring::signature::RSA_PKCS1_SHA512,\n            },\n        };\n\n        let rng = SystemRandom::new();\n        let mut sig = vec![0; self.inner.public().modulus_len()];\n        self.inner.sign(padding_alg, \u0026rng, data, \u0026mut sig)?;\n        Ok(sig)\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            components: self.public_components.clone(),\n        }\n    }\n\n    fn from_components(\n        pri: rsa::PrivateKeyComponents,\n        pu: rsa::PublicKeyComponents,\n    ) -\u003e Result\u003cSelf\u003e {\n        let components = KeyPairComponents {\n            public_key: PublicKeyComponents { n: \u0026pu.n, e: \u0026pu.e },\n            d: pri.d.expose_secret(),\n            p: pri.prime.p.expose_secret(),\n            q: pri.prime.q.expose_secret(),\n            dP: pri.prime.dp.expose_secret(),\n            dQ: pri.prime.dq.expose_secret(),\n            qInv: pri.prime.qi.expose_secret(),\n        };\n        let key = KeyPair::from_components(\u0026components)?;\n\n        Ok(Self {\n            inner: key,\n            private_components: pri,\n            public_components: pu,\n        })\n    }\n\n    fn private_components(\u0026self) -\u003e Result\u003crsa::PrivateKeyComponents\u003e {\n        Ok(self.private_components.clone())\n    }\n\n    fn public_components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        self.public_components.clone()\n    }\n}\n\n/// A low level public RSA key.\n#[derive(Clone)]\npub(crate) struct PublicKey {\n    components: rsa::PublicKeyComponents,\n}\n\nimpl rsa::PublicKey for PublicKey {\n    fn from_components(c: rsa::PublicKeyComponents) -\u003e Result\u003cSelf\u003e {\n        Ok(Self { components: c })\n    }\n\n    fn verify(\u0026mut self, alg: jwa::RsaSigning, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        let params: \u0026'static RsaParameters = match alg {\n            RsaSigning::Pss(pss) =\u003e match pss {\n                RsassaPss::Ps256 =\u003e \u0026ring::signature::RSA_PSS_2048_8192_SHA256,\n                RsassaPss::Ps384 =\u003e \u0026ring::signature::RSA_PSS_2048_8192_SHA384,\n                RsassaPss::Ps512 =\u003e \u0026ring::signature::RSA_PSS_2048_8192_SHA512,\n            },\n            RsaSigning::RsPkcs1V1_5(pkcs) =\u003e match pkcs {\n                RsassaPkcs1V1_5::Rs256 =\u003e \u0026ring::signature::RSA_PKCS1_2048_8192_SHA256,\n                RsassaPkcs1V1_5::Rs384 =\u003e \u0026ring::signature::RSA_PKCS1_2048_8192_SHA384,\n                RsassaPkcs1V1_5::Rs512 =\u003e \u0026ring::signature::RSA_PKCS1_2048_8192_SHA512,\n            },\n        };\n\n        let rsa = PublicKeyComponents {\n            n: \u0026self.components.n,\n            e: \u0026self.components.e,\n        };\n\n        Ok(rsa.verify(params, msg, signature).is_ok())\n    }\n\n    fn components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        self.components.clone()\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","ring.rs"],"content":"//! This backend implements the primitives using the [`ring`] crate\n\nuse ring::{\n    digest,\n    rand::{SecureRandom as _, SystemRandom},\n};\nuse thiserror::Error;\n\nuse super::interface;\n\npub(crate) mod ec;\npub(crate) mod hmac;\npub(crate) mod okp;\npub(crate) mod rsa;\n\n// TODO: remove the `cfg_attr` once the RustCrypto crates implement\n// the core::error::Error trait.\n\n/// The errors that can be produced by the rust crypto backend.\n#[derive(Debug, Error)]\npub(crate) enum BackendError {\n    /// The error returned by `ring`.\n    #[error(\"ring returned an unspecified error\")]\n    Unspecified,\n\n    /// Key rejected error.\n    #[error(\"{0}\")]\n    KeyRejected(ring::error::KeyRejected),\n\n    /// Unsupported EC curve\n    #[error(\"unsupported EcDSA curve: {0}\")]\n    UnsupportedCurve(\u0026'static str),\n\n    /// A specific feature is not supported\n    #[error(\"ring does not support feature: {0}\")]\n    Unsupported(\u0026'static str),\n}\n\nimpl From\u003cring::error::Unspecified\u003e for BackendError {\n    fn from(_: ring::error::Unspecified) -\u003e Self {\n        Self::Unspecified\n    }\n}\n\nimpl From\u003cring::error::KeyRejected\u003e for BackendError {\n    fn from(x: ring::error::KeyRejected) -\u003e Self {\n        Self::KeyRejected(x)\n    }\n}\n\n/// The [`ring`] based backend.\n#[derive(Debug)]\npub(crate) enum Backend {}\n\nimpl interface::Backend for Backend {\n    type EcPrivateKey = ec::PrivateKey;\n    type EcPublicKey = ec::PublicKey;\n    type EdPrivateKey = okp::PrivateKey;\n    type EdPublicKey = okp::PublicKey;\n    type Error = BackendError;\n    type HmacKey = hmac::Key;\n    type RsaPrivateKey = rsa::PrivateKey;\n    type RsaPublicKey = rsa::PublicKey;\n\n    fn fill_random(buf: \u0026mut [u8]) -\u003e Result\u003c(), Self::Error\u003e {\n        let rng = SystemRandom::new();\n        rng.fill(buf)?;\n        Ok(())\n    }\n\n    fn sha256(data: \u0026[u8]) -\u003e [u8; 32] {\n        digest::digest(\u0026digest::SHA256, data)\n            .as_ref()\n            .try_into()\n            .expect(\"SHA256 digest length mismatch\")\n    }\n\n    fn sha384(data: \u0026[u8]) -\u003e [u8; 48] {\n        digest::digest(\u0026digest::SHA384, data)\n            .as_ref()\n            .try_into()\n            .expect(\"SHA384 digest length mismatch\")\n    }\n\n    fn sha512(data: \u0026[u8]) -\u003e [u8; 64] {\n        digest::digest(\u0026digest::SHA512, data)\n            .as_ref()\n            .try_into()\n            .expect(\"SHA512 digest length mismatch\")\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","rust","ec.rs"],"content":"use alloc::vec::Vec;\n\nuse ecdsa::EncodedPoint;\nuse elliptic_curve::{\n    sec1::{FromEncodedPoint, ToEncodedPoint, ValidatePublicKey as _},\n    FieldBytes, SecretKey,\n};\nuse generic_array::typenum::Unsigned as _;\nuse k256::Secp256k1;\nuse p256::NistP256;\nuse p384::NistP384;\nuse rand_core::OsRng;\nuse secrecy::{ExposeSecret as _, SecretSlice};\nuse signature::{RandomizedSigner as _, Verifier as _};\nuse zeroize::Zeroizing;\n\nuse crate::{\n    crypto::{backend::interface::ec, Result},\n    jwa::{self, EcDSA},\n};\n\n#[derive(Clone)]\nenum ErasedPrivateKey {\n    P256(SecretKey\u003cNistP256\u003e),\n    P384(SecretKey\u003cNistP384\u003e),\n    Secp256k1(SecretKey\u003cSecp256k1\u003e),\n}\n\n#[derive(Clone)]\nenum ErasedPublicKey {\n    P256(elliptic_curve::PublicKey\u003cNistP256\u003e),\n    P384(elliptic_curve::PublicKey\u003cNistP384\u003e),\n    Secp256k1(elliptic_curve::PublicKey\u003cSecp256k1\u003e),\n}\n\n#[derive(Clone)]\npub(crate) enum ErasedSignature {\n    P256(ecdsa::SignatureBytes\u003cNistP256\u003e),\n    P384(ecdsa::SignatureBytes\u003cNistP384\u003e),\n    Secp256k1(ecdsa::SignatureBytes\u003cSecp256k1\u003e),\n}\n\nimpl From\u003cErasedSignature\u003e for Vec\u003cu8\u003e {\n    fn from(value: ErasedSignature) -\u003e Self {\n        match value {\n            ErasedSignature::P256(sig) =\u003e sig.to_vec(),\n            ErasedSignature::P384(sig) =\u003e sig.to_vec(),\n            ErasedSignature::Secp256k1(sig) =\u003e sig.to_vec(),\n        }\n    }\n}\n\nimpl AsRef\u003c[u8]\u003e for ErasedSignature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        match self {\n            ErasedSignature::P256(sig) =\u003e sig.as_ref(),\n            ErasedSignature::P384(sig) =\u003e sig.as_ref(),\n            ErasedSignature::Secp256k1(sig) =\u003e sig.as_ref(),\n        }\n    }\n}\n\nfn to_field_bytes\u003cC: elliptic_curve::Curve\u003e(\n    bytes: \u0026[u8],\n) -\u003e Result\u003c\u0026FieldBytes\u003cC\u003e, super::BackendError\u003e {\n    if bytes.len() != C::FieldBytesSize::USIZE {\n        return Err(super::BackendError::InvalidEcPoint {\n            expected: C::FieldBytesSize::USIZE,\n            actual: bytes.len(),\n        });\n    }\n\n    Ok(FieldBytes::\u003cC\u003e::from_slice(bytes))\n}\n\n/// A low level private EC key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PrivateKey {\n    inner: ErasedPrivateKey,\n}\n\nimpl ec::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = ErasedSignature;\n\n    fn generate(alg: jwa::EcDSA) -\u003e Result\u003cSelf\u003e {\n        let mut rng = OsRng;\n\n        let key = match alg {\n            EcDSA::Es256 =\u003e ErasedPrivateKey::P256(SecretKey::\u003cNistP256\u003e::random(\u0026mut rng)),\n            EcDSA::Es384 =\u003e ErasedPrivateKey::P384(SecretKey::\u003cNistP384\u003e::random(\u0026mut rng)),\n            EcDSA::Es512 =\u003e return Err(super::BackendError::CurveNotSupported(\"P-521\").into()),\n            EcDSA::Es256K =\u003e ErasedPrivateKey::Secp256k1(SecretKey::\u003cSecp256k1\u003e::random(\u0026mut rng)),\n        };\n        Ok(Self { inner: key })\n    }\n\n    fn new(alg: EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        fn new_typed\u003cC: elliptic_curve::Curve + elliptic_curve::CurveArithmetic\u003e(\n            x: Vec\u003cu8\u003e,\n            y: Vec\u003cu8\u003e,\n            d: SecretSlice\u003cu8\u003e,\n        ) -\u003e Result\u003celliptic_curve::SecretKey\u003cC\u003e\u003e\n        where\n            \u003cC as elliptic_curve::Curve\u003e::FieldBytesSize: elliptic_curve::sec1::ModulusSize,\n            \u003cC as elliptic_curve::CurveArithmetic\u003e::AffinePoint: FromEncodedPoint\u003cC\u003e,\n            \u003cC as elliptic_curve::CurveArithmetic\u003e::AffinePoint: ToEncodedPoint\u003cC\u003e,\n        {\n            let x = to_field_bytes::\u003cC\u003e(\u0026x)?;\n            let y = to_field_bytes::\u003cC\u003e(\u0026y)?;\n\n            let d = d.expose_secret();\n            let d = to_field_bytes::\u003cC\u003e(d)?;\n\n            let point = EncodedPoint::\u003cC\u003e::from_affine_coordinates(x, y, false);\n            let secret = elliptic_curve::SecretKey::\u003cC\u003e::from_bytes(d)\n                .map_err(super::BackendError::EllipticCurve)?;\n\n            C::validate_public_key(\u0026secret, \u0026point).map_err(super::BackendError::EllipticCurve)?;\n\n            Ok(secret)\n        }\n\n        match alg {\n            EcDSA::Es256 =\u003e Ok(Self {\n                inner: ErasedPrivateKey::P256(new_typed::\u003cNistP256\u003e(x, y, d)?),\n            }),\n            EcDSA::Es384 =\u003e Ok(Self {\n                inner: ErasedPrivateKey::P384(new_typed::\u003cNistP384\u003e(x, y, d)?),\n            }),\n            EcDSA::Es512 =\u003e Err(super::BackendError::CurveNotSupported(\"P-521\").into()),\n            EcDSA::Es256K =\u003e Ok(Self {\n                inner: ErasedPrivateKey::Secp256k1(new_typed::\u003cSecp256k1\u003e(x, y, d)?),\n            }),\n        }\n    }\n\n    fn private_material(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        match self.inner {\n            ErasedPrivateKey::P256(ref key) =\u003e {\n                let material = Zeroizing::new(key.to_bytes());\n                let material = material.to_vec();\n                SecretSlice::from(material)\n            }\n            ErasedPrivateKey::P384(ref key) =\u003e {\n                let material = Zeroizing::new(key.to_bytes());\n                let material = material.to_vec();\n                SecretSlice::from(material)\n            }\n            ErasedPrivateKey::Secp256k1(ref key) =\u003e {\n                let material = Zeroizing::new(key.to_bytes());\n                let material = material.to_vec();\n                SecretSlice::from(material)\n            }\n        }\n    }\n\n    #[inline]\n    fn public_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        ec::PublicKey::to_point(\u0026self.to_public_key())\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        match self.inner {\n            ErasedPrivateKey::P256(ref key) =\u003e PublicKey {\n                inner: ErasedPublicKey::P256(key.public_key()),\n            },\n            ErasedPrivateKey::P384(ref key) =\u003e PublicKey {\n                inner: ErasedPublicKey::P384(key.public_key()),\n            },\n            ErasedPrivateKey::Secp256k1(ref key) =\u003e PublicKey {\n                inner: ErasedPublicKey::Secp256k1(key.public_key()),\n            },\n        }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8], deterministic: bool) -\u003e Result\u003cSelf::Signature\u003e {\n        let sig = match self.inner {\n            ErasedPrivateKey::P256(ref key) =\u003e {\n                let key = ecdsa::SigningKey::\u003cNistP256\u003e::from(key);\n\n                let sig = if deterministic {\n                    key.sign_recoverable(data)\n                        .map_err(super::BackendError::Ecdsa)?\n                        .0\n                } else {\n                    key.try_sign_with_rng(\u0026mut OsRng, data)\n                        .map_err(super::BackendError::Ecdsa)?\n                };\n\n                ErasedSignature::P256(sig.to_bytes())\n            }\n            ErasedPrivateKey::P384(ref key) =\u003e {\n                let key = ecdsa::SigningKey::\u003cNistP384\u003e::from(key);\n\n                let sig = if deterministic {\n                    key.sign_recoverable(data)\n                        .map_err(super::BackendError::Ecdsa)?\n                        .0\n                } else {\n                    key.try_sign_with_rng(\u0026mut OsRng, data)\n                        .map_err(super::BackendError::Ecdsa)?\n                };\n\n                ErasedSignature::P384(sig.to_bytes())\n            }\n            ErasedPrivateKey::Secp256k1(ref key) =\u003e {\n                let key = ecdsa::SigningKey::\u003cSecp256k1\u003e::from(key);\n\n                let sig = if deterministic {\n                    key.sign_recoverable(data)\n                        .map_err(super::BackendError::Ecdsa)?\n                        .0\n                } else {\n                    key.try_sign_with_rng(\u0026mut OsRng, data)\n                        .map_err(super::BackendError::Ecdsa)?\n                };\n\n                ErasedSignature::Secp256k1(sig.to_bytes())\n            }\n        };\n\n        Ok(sig)\n    }\n}\n\n/// A low level public EC key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PublicKey {\n    inner: ErasedPublicKey,\n}\n\nimpl ec::PublicKey for PublicKey {\n    fn new(alg: EcDSA, x: Vec\u003cu8\u003e, y: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        fn new_typed\u003cC: elliptic_curve::Curve + elliptic_curve::CurveArithmetic\u003e(\n            x: Vec\u003cu8\u003e,\n            y: Vec\u003cu8\u003e,\n        ) -\u003e Result\u003celliptic_curve::PublicKey\u003cC\u003e\u003e\n        where\n            \u003cC as elliptic_curve::Curve\u003e::FieldBytesSize: elliptic_curve::sec1::ModulusSize,\n            \u003cC as elliptic_curve::CurveArithmetic\u003e::AffinePoint: FromEncodedPoint\u003cC\u003e,\n            \u003cC as elliptic_curve::CurveArithmetic\u003e::AffinePoint: ToEncodedPoint\u003cC\u003e,\n        {\n            let x = to_field_bytes::\u003cC\u003e(\u0026x)?;\n            let y = to_field_bytes::\u003cC\u003e(\u0026y)?;\n\n            let point = EncodedPoint::\u003cC\u003e::from_affine_coordinates(x, y, false);\n            let key: Option\u003c_\u003e = elliptic_curve::PublicKey::\u003cC\u003e::from_encoded_point(\u0026point).into();\n            let key = key.ok_or(super::BackendError::InvalidEcKey)?;\n            Ok(key)\n        }\n\n        match alg {\n            EcDSA::Es256 =\u003e Ok(Self {\n                inner: ErasedPublicKey::P256(new_typed::\u003cNistP256\u003e(x, y)?),\n            }),\n            EcDSA::Es384 =\u003e Ok(Self {\n                inner: ErasedPublicKey::P384(new_typed::\u003cNistP384\u003e(x, y)?),\n            }),\n            EcDSA::Es512 =\u003e Err(super::BackendError::CurveNotSupported(\"P-521\").into()),\n            EcDSA::Es256K =\u003e Ok(Self {\n                inner: ErasedPublicKey::Secp256k1(new_typed::\u003cSecp256k1\u003e(x, y)?),\n            }),\n        }\n    }\n\n    fn to_point(\u0026self) -\u003e (Vec\u003cu8\u003e, Vec\u003cu8\u003e) {\n        let identity_point = || alloc::vec![0u8];\n        match self.inner {\n            ErasedPublicKey::P256(ref key) =\u003e {\n                let point = key.to_encoded_point(false);\n                (\n                    point.x().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                    point.y().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                )\n            }\n            ErasedPublicKey::P384(ref key) =\u003e {\n                let point = key.to_encoded_point(false);\n                (\n                    point.x().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                    point.y().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                )\n            }\n            ErasedPublicKey::Secp256k1(ref key) =\u003e {\n                let point = key.to_encoded_point(false);\n                (\n                    point.x().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                    point.y().map(|a| a.to_vec()).unwrap_or_else(identity_point),\n                )\n            }\n        }\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        Ok(match self.inner {\n            ErasedPublicKey::P256(ref key) =\u003e {\n                let Ok(sig) = ecdsa::Signature::\u003cNistP256\u003e::try_from(signature) else {\n                    return Ok(false);\n                };\n                let key = ecdsa::VerifyingKey::\u003cNistP256\u003e::from(key);\n                key.verify(msg, \u0026sig).is_ok()\n            }\n            ErasedPublicKey::P384(ref key) =\u003e {\n                let Ok(sig) = ecdsa::Signature::\u003cNistP384\u003e::try_from(signature) else {\n                    return Ok(false);\n                };\n                let key = ecdsa::VerifyingKey::\u003cNistP384\u003e::from(key);\n                key.verify(msg, \u0026sig).is_ok()\n            }\n            ErasedPublicKey::Secp256k1(ref key) =\u003e {\n                let Ok(sig) = ecdsa::Signature::\u003cSecp256k1\u003e::try_from(signature) else {\n                    return Ok(false);\n                };\n                let key = ecdsa::VerifyingKey::\u003cSecp256k1\u003e::from(key);\n                key.verify(msg, \u0026sig).is_ok()\n            }\n        })\n    }\n}\n","traces":[{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":113,"address":[],"length":0,"stats":{"Line":0}},{"line":114,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":0}},{"line":120,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":0}},{"line":161,"address":[],"length":0,"stats":{"Line":0}},{"line":246,"address":[],"length":0,"stats":{"Line":0}},{"line":247,"address":[],"length":0,"stats":{"Line":0}},{"line":249,"address":[],"length":0,"stats":{"Line":0}},{"line":250,"address":[],"length":0,"stats":{"Line":0}},{"line":251,"address":[],"length":0,"stats":{"Line":0}},{"line":252,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":22},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","rust","hmac.rs"],"content":"use ::hmac::Hmac;\nuse digest::{Mac as _, Output};\n\nuse crate::{\n    crypto::{backend::interface::hmac, Result},\n    jwa,\n};\n\n/// Rust crypto uses generic arguments to represent the variant.\n///\n/// We don't to that at this level, so we have to erase the type.\nenum ErasedKey {\n    Hs256(Hmac\u003csha2::Sha256\u003e),\n    Hs384(Hmac\u003csha2::Sha384\u003e),\n    Hs512(Hmac\u003csha2::Sha512\u003e),\n}\n\npub(crate) enum ErasedSignature {\n    Hs256(Output\u003cHmac\u003csha2::Sha256\u003e\u003e),\n    Hs384(Output\u003cHmac\u003csha2::Sha384\u003e\u003e),\n    Hs512(Output\u003cHmac\u003csha2::Sha512\u003e\u003e),\n}\n\nimpl AsRef\u003c[u8]\u003e for ErasedSignature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        match self {\n            ErasedSignature::Hs256(sig) =\u003e sig.as_ref(),\n            ErasedSignature::Hs384(sig) =\u003e sig.as_ref(),\n            ErasedSignature::Hs512(sig) =\u003e sig.as_ref(),\n        }\n    }\n}\n\n/// A low level HMAC key.\n#[repr(transparent)]\npub(crate) struct Key {\n    inner: ErasedKey,\n}\n\nimpl hmac::Key for Key {\n    type Signature = ErasedSignature;\n\n    fn new(variant: jwa::Hmac, data: \u0026[u8]) -\u003e Result\u003cSelf\u003e {\n        let key = match variant {\n            jwa::Hmac::Hs256 =\u003e ErasedKey::Hs256(Hmac::\u003csha2::Sha256\u003e::new_from_slice(data)?),\n            jwa::Hmac::Hs384 =\u003e ErasedKey::Hs384(Hmac::\u003csha2::Sha384\u003e::new_from_slice(data)?),\n            jwa::Hmac::Hs512 =\u003e ErasedKey::Hs512(Hmac::\u003csha2::Sha512\u003e::new_from_slice(data)?),\n        };\n\n        Ok(Self { inner: key })\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let signature = match \u0026mut self.inner {\n            ErasedKey::Hs256(hmac) =\u003e {\n                hmac.update(data);\n                ErasedSignature::Hs256(hmac.finalize_reset().into_bytes())\n            }\n            ErasedKey::Hs384(hmac) =\u003e {\n                hmac.update(data);\n                ErasedSignature::Hs384(hmac.finalize_reset().into_bytes())\n            }\n            ErasedKey::Hs512(hmac) =\u003e {\n                hmac.update(data);\n                ErasedSignature::Hs512(hmac.finalize_reset().into_bytes())\n            }\n        };\n\n        Ok(signature)\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","rust","okp.rs"],"content":"use alloc::vec::Vec;\n\nuse ed25519_dalek::{PUBLIC_KEY_LENGTH, SECRET_KEY_LENGTH};\nuse rand_core::OsRng;\nuse secrecy::{ExposeSecret, SecretSlice};\nuse signature::Signer as _;\nuse zeroize::Zeroizing;\n\nuse crate::crypto::{backend::interface::okp, Result};\n\n#[derive(Clone)]\nenum ErasedPrivateKey {\n    Ed25519(ed25519_dalek::SigningKey),\n}\n\n#[derive(Clone)]\nenum ErasedPublicKey {\n    Ed25519(ed25519_dalek::VerifyingKey),\n}\n\n#[derive(Clone)]\npub(crate) enum ErasedSignature {\n    Ed25519([u8; ed25519_dalek::Signature::BYTE_SIZE]),\n}\n\nimpl From\u003cErasedSignature\u003e for Vec\u003cu8\u003e {\n    fn from(value: ErasedSignature) -\u003e Self {\n        match value {\n            ErasedSignature::Ed25519(sig) =\u003e sig.to_vec(),\n        }\n    }\n}\n\nimpl AsRef\u003c[u8]\u003e for ErasedSignature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        match self {\n            ErasedSignature::Ed25519(ref sig) =\u003e sig,\n        }\n    }\n}\n\n/// A low level public ED key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PublicKey {\n    inner: ErasedPublicKey,\n}\n\nimpl okp::PublicKey for PublicKey {\n    fn new(alg: okp::CurveAlgorithm, x: Vec\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let key = match alg {\n            okp::CurveAlgorithm::Ed25519 =\u003e {\n                let len = x.len();\n                let x: [u8; PUBLIC_KEY_LENGTH] =\n                    x.try_into()\n                        .map_err(|_| super::BackendError::InvalidEcPoint {\n                            expected: PUBLIC_KEY_LENGTH,\n                            actual: len,\n                        })?;\n                ErasedPublicKey::Ed25519(\n                    ed25519_dalek::VerifyingKey::from_bytes(\u0026x)\n                        .map_err(super::BackendError::Ed25519)?,\n                )\n            }\n            okp::CurveAlgorithm::Ed448 =\u003e {\n                return Err(super::BackendError::CurveNotSupported(\"Ed448\").into())\n            }\n        };\n\n        Ok(Self { inner: key })\n    }\n\n    fn to_bytes(\u0026self) -\u003e Vec\u003cu8\u003e {\n        match self.inner {\n            ErasedPublicKey::Ed25519(ref key) =\u003e key.to_bytes().to_vec(),\n        }\n    }\n\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        match self.inner {\n            ErasedPublicKey::Ed25519(ref key) =\u003e {\n                // FIXME: this needs interop testing in case this is handled differently by\n                // other implementations\n                // See \u003chttps://docs.rs/ed25519-dalek/latest/ed25519_dalek/struct.VerifyingKey.html#on-the-multiple-sources-of-malleability-in-ed25519-signatures\u003e\n\n                let Ok(sig) = ed25519_dalek::Signature::from_slice(signature) else {\n                    return Ok(false);\n                };\n\n                Ok(key.verify_strict(msg, \u0026sig).is_ok())\n            }\n        }\n    }\n}\n\n/// A low level public ED key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PrivateKey {\n    inner: ErasedPrivateKey,\n}\n\nimpl okp::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = ErasedSignature;\n\n    fn generate(alg: okp::CurveAlgorithm) -\u003e Result\u003cSelf\u003e {\n        let key = match alg {\n            okp::CurveAlgorithm::Ed25519 =\u003e {\n                let mut rng = OsRng;\n                ErasedPrivateKey::Ed25519(ed25519_dalek::SigningKey::generate(\u0026mut rng))\n            }\n            okp::CurveAlgorithm::Ed448 =\u003e {\n                return Err(super::BackendError::CurveNotSupported(\"Ed448\").into())\n            }\n        };\n\n        Ok(Self { inner: key })\n    }\n\n    fn new(alg: okp::CurveAlgorithm, _x: Vec\u003cu8\u003e, d: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let key = match alg {\n            okp::CurveAlgorithm::Ed25519 =\u003e {\n                let d = d.expose_secret();\n\n                let len = d.len();\n                let d: [u8; SECRET_KEY_LENGTH] =\n                    d.try_into()\n                        .map_err(|_| super::BackendError::InvalidEcPoint {\n                            expected: SECRET_KEY_LENGTH,\n                            actual: len,\n                        })?;\n\n                ErasedPrivateKey::Ed25519(ed25519_dalek::SigningKey::from_bytes(\u0026d))\n            }\n            okp::CurveAlgorithm::Ed448 =\u003e {\n                return Err(super::BackendError::CurveNotSupported(\"Ed448\").into())\n            }\n        };\n\n        Ok(Self { inner: key })\n    }\n\n    fn to_bytes(\u0026self) -\u003e SecretSlice\u003cu8\u003e {\n        match self.inner {\n            ErasedPrivateKey::Ed25519(ref key) =\u003e {\n                let material = Zeroizing::new(key.to_bytes());\n                SecretSlice::from(material.to_vec())\n            }\n        }\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        let key = match self.inner {\n            ErasedPrivateKey::Ed25519(ref key) =\u003e {\n                let pubkey = key.verifying_key();\n                ErasedPublicKey::Ed25519(pubkey)\n            }\n        };\n\n        PublicKey { inner: key }\n    }\n\n    fn sign(\u0026mut self, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        Ok(match self.inner {\n            ErasedPrivateKey::Ed25519(ref key) =\u003e {\n                let sig = key.try_sign(data).map_err(super::BackendError::Ed25519)?;\n                ErasedSignature::Ed25519(sig.to_bytes())\n            }\n        })\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","rust","rsa.rs"],"content":"use alloc::vec::Vec;\n\nuse ::rsa::{\n    traits::{PrivateKeyParts, PublicKeyParts as _},\n    BigUint, Pkcs1v15Sign, Pss, RsaPrivateKey, RsaPublicKey,\n};\nuse secrecy::{ExposeSecret, SecretSlice};\nuse sha2::Digest as _;\nuse zeroize::Zeroizing;\n\nuse crate::{\n    crypto::{backend::interface::rsa, Result},\n    jwa::{self, RsaSigning, RsassaPkcs1V1_5, RsassaPss},\n};\n\n/// A low level private RSA key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PrivateKey {\n    // WARN: It is important that the `inner` key always contains it's precomupted values.\n    // It must be ensured that on each construction of this type, `precomputed` method is called\n    inner: RsaPrivateKey,\n}\n\nimpl rsa::PrivateKey for PrivateKey {\n    type PublicKey = PublicKey;\n    type Signature = Vec\u003cu8\u003e;\n\n    fn generate(bits: usize) -\u003e Result\u003cSelf\u003e {\n        Ok(Self {\n            inner: RsaPrivateKey::new(\u0026mut rand_core::OsRng, bits)?,\n        })\n    }\n\n    fn sign(\u0026mut self, alg: jwa::RsaSigning, data: \u0026[u8]) -\u003e Result\u003cSelf::Signature\u003e {\n        let hashed = match alg {\n            RsaSigning::Pss(RsassaPss::Ps256) | RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs256) =\u003e {\n                sha2::Sha256::digest(data).to_vec()\n            }\n            RsaSigning::Pss(RsassaPss::Ps384) | RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs384) =\u003e {\n                sha2::Sha384::digest(data).to_vec()\n            }\n            RsaSigning::Pss(RsassaPss::Ps512) | RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs512) =\u003e {\n                sha2::Sha512::digest(data).to_vec()\n            }\n        };\n\n        let mut rng = rand_core::OsRng;\n\n        let res = match alg {\n            RsaSigning::Pss(pss) =\u003e match pss {\n                RsassaPss::Ps256 =\u003e {\n                    let pad = Pss::new::\u003csha2::Sha256\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n                RsassaPss::Ps384 =\u003e {\n                    let pad = Pss::new::\u003csha2::Sha384\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n                RsassaPss::Ps512 =\u003e {\n                    let pad = Pss::new::\u003csha2::Sha512\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n            },\n            RsaSigning::RsPkcs1V1_5(pkcs) =\u003e match pkcs {\n                RsassaPkcs1V1_5::Rs256 =\u003e {\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha256\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n                RsassaPkcs1V1_5::Rs384 =\u003e {\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha384\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n                RsassaPkcs1V1_5::Rs512 =\u003e {\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha512\u003e();\n                    self.inner.sign_with_rng(\u0026mut rng, pad, \u0026hashed)\n                }\n            },\n        };\n\n        Ok(res?)\n    }\n\n    fn to_public_key(\u0026self) -\u003e Self::PublicKey {\n        PublicKey {\n            inner: self.inner.to_public_key(),\n        }\n    }\n\n    fn from_components(\n        pri: rsa::PrivateKeyComponents,\n        pu: rsa::PublicKeyComponents,\n    ) -\u003e Result\u003cSelf\u003e {\n        let n = BigUint::from_bytes_be(\u0026pu.n);\n        let e = BigUint::from_bytes_be(\u0026pu.e);\n\n        let d = pri.d.expose_secret();\n        let d = BigUint::from_bytes_be(d);\n\n        let p = BigUint::from_bytes_be(pri.prime.p.expose_secret());\n        let q = BigUint::from_bytes_be(pri.prime.q.expose_secret());\n\n        let mut key = RsaPrivateKey::from_components(n, e, d, alloc::vec![p, q])?;\n        key.precompute()?;\n        Ok(Self { inner: key })\n    }\n\n    fn private_components(\u0026self) -\u003e Result\u003crsa::PrivateKeyComponents\u003e {\n        let mut primes = self.inner.primes().iter().map(|b| b.to_bytes_be());\n\n        let p = primes\n            .next()\n            .map(SecretSlice::from)\n            .ok_or(super::BackendError::RsaTwoPrimes)?;\n        let q = primes\n            .next()\n            .map(SecretSlice::from)\n            .ok_or(super::BackendError::RsaTwoPrimes)?;\n\n        if primes.next().is_some() {\n            return Err(super::BackendError::RsaTwoPrimes.into());\n        }\n\n        let opt_uint = |x: Option\u003c\u0026BigUint\u003e| {\n            x.map(|x| SecretSlice::from(x.to_bytes_be()))\n                .expect(\"key must be precomputed\")\n        };\n\n        Ok(rsa::PrivateKeyComponents {\n            d: SecretSlice::from(self.inner.d().to_bytes_be()),\n            prime: rsa::PrivateKeyPrimeComponents {\n                p,\n                q,\n                dp: opt_uint(self.inner.dp()),\n                dq: opt_uint(self.inner.dq()),\n                qi: {\n                    let qi = Zeroizing::new(self.inner.crt_coefficient());\n                    opt_uint(qi.as_ref())\n                },\n            },\n        })\n    }\n\n    fn public_components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        rsa::PublicKeyComponents {\n            n: self.inner.n().to_bytes_be(),\n            e: self.inner.e().to_bytes_be(),\n        }\n    }\n}\n\n/// A low level public RSA key.\n#[derive(Clone)]\n#[repr(transparent)]\npub(crate) struct PublicKey {\n    inner: RsaPublicKey,\n}\n\nimpl rsa::PublicKey for PublicKey {\n    fn from_components(c: rsa::PublicKeyComponents) -\u003e Result\u003cSelf\u003e {\n        let n = ::rsa::BigUint::from_bytes_be(\u0026c.n);\n        let e = ::rsa::BigUint::from_bytes_be(\u0026c.e);\n        let key = ::rsa::RsaPublicKey::new(n, e)?;\n\n        Ok(Self { inner: key })\n    }\n\n    fn verify(\u0026mut self, alg: jwa::RsaSigning, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003cbool\u003e {\n        let res = match alg {\n            RsaSigning::Pss(pss) =\u003e match pss {\n                RsassaPss::Ps256 =\u003e {\n                    let hashed = sha2::Sha256::digest(msg);\n                    let pad = Pss::new::\u003csha2::Sha256\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n                RsassaPss::Ps384 =\u003e {\n                    let hashed = sha2::Sha384::digest(msg);\n                    let pad = Pss::new::\u003csha2::Sha384\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n                RsassaPss::Ps512 =\u003e {\n                    let hashed = sha2::Sha512::digest(msg);\n                    let pad = Pss::new::\u003csha2::Sha512\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n            },\n            RsaSigning::RsPkcs1V1_5(pkcs) =\u003e match pkcs {\n                RsassaPkcs1V1_5::Rs256 =\u003e {\n                    let hashed = sha2::Sha256::digest(msg);\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha256\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n                RsassaPkcs1V1_5::Rs384 =\u003e {\n                    let hashed = sha2::Sha384::digest(msg);\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha384\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n                RsassaPkcs1V1_5::Rs512 =\u003e {\n                    let hashed = sha2::Sha512::digest(msg);\n                    let pad = Pkcs1v15Sign::new::\u003csha2::Sha512\u003e();\n                    self.inner.verify(pad, \u0026hashed, signature)\n                }\n            },\n        };\n\n        Ok(res.is_ok())\n    }\n\n    fn components(\u0026self) -\u003e rsa::PublicKeyComponents {\n        rsa::PublicKeyComponents {\n            n: self.inner.n().to_bytes_be(),\n            e: self.inner.e().to_bytes_be(),\n        }\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend","rust.rs"],"content":"//! This backend implements the primitives using the [RustCrypto] ecosystem.\n//!\n//! [RustCrypto]: https://github.com/RustCrypto\n\nuse digest::Digest as _;\nuse rand_core::RngCore as _;\nuse thiserror::Error;\n\nuse super::interface;\n\npub(crate) mod ec;\npub(crate) mod hmac;\npub(crate) mod okp;\npub(crate) mod rsa;\n\n// TODO: remove the `cfg_attr` once the RustCrypto crates implement\n// the core::error::Error trait.\n\n/// The errors that can be produced by the rust crypto backend.\n#[derive(Debug, Error)]\npub(crate) enum BackendError {\n    /// The error returned if the key is invalid.\n    #[error(\"invalid key length\")]\n    InvalidLength,\n\n    /// RSA operation failed.\n    #[cfg_attr(feature = \"std\", error(\"an RSA operation failed\"))]\n    #[cfg_attr(not(feature = \"std\"), error(\"an RSA operation failed: {0}\"))]\n    Rsa(#[cfg_attr(feature = \"std\", source)] ::rsa::errors::Error),\n\n    /// Error of the `elliptic_curve` crate.\n    #[cfg_attr(feature = \"std\", error(\"an elliptic curve operation failed\"))]\n    #[cfg_attr(not(feature = \"std\"), error(\"an elliptic curve operation failed: {0}\"))]\n    EllipticCurve(#[cfg_attr(feature = \"std\", source)] ::elliptic_curve::Error),\n\n    /// Error of the `ecdsa` crate.\n    #[cfg_attr(feature = \"std\", error(\"an ECDSA operation failed\"))]\n    #[cfg_attr(not(feature = \"std\"), error(\"an ECDSA operation failed: {0}\"))]\n    Ecdsa(#[cfg_attr(feature = \"std\", source)] ::ecdsa::Error),\n\n    /// Error of the `ed25519-dalek` crate.\n    #[cfg_attr(feature = \"std\", error(\"an ED25519 operation failed\"))]\n    #[cfg_attr(not(feature = \"std\"), error(\"an ED25519 operation failed: {0}\"))]\n    Ed25519(#[cfg_attr(feature = \"std\", source)] ed25519_dalek::SignatureError),\n\n    /// The amount of bytes for an EC point is invalid.\n    #[error(\"invalid EC point length, expected {expected}, got {actual}\")]\n    InvalidEcPoint { expected: usize, actual: usize },\n\n    /// The coordinates did not form a valid key.\n    #[error(\"invalid EC key\")]\n    InvalidEcKey,\n\n    /// The curve type is not supported by this backend.\n    #[error(\"curve '{0}' not supported by this backend\")]\n    CurveNotSupported(\u0026'static str),\n\n    #[error(\"RSA key expected to have exactly 2 prime numbers\")]\n    RsaTwoPrimes,\n\n    /// `rand_core` error.\n    #[cfg_attr(feature = \"std\", error(\"failed to generate random data\"))]\n    #[cfg_attr(not(feature = \"std\"), error(\"failed to generate random data: {0}\"))]\n    Rand(#[cfg_attr(feature = \"std\", source)] rand_core::Error),\n}\n\nimpl From\u003cdigest::InvalidLength\u003e for BackendError {\n    fn from(_: digest::InvalidLength) -\u003e Self {\n        Self::InvalidLength\n    }\n}\n\nimpl From\u003c::rsa::errors::Error\u003e for BackendError {\n    fn from(x: ::rsa::errors::Error) -\u003e Self {\n        Self::Rsa(x)\n    }\n}\n\n/// The [RustCrypto] based backend.\n///\n/// [RustCrypto]: https://github.com/RustCrypto\n#[derive(Debug)]\npub(crate) enum Backend {}\n\nimpl interface::Backend for Backend {\n    type EcPrivateKey = ec::PrivateKey;\n    type EcPublicKey = ec::PublicKey;\n    type EdPrivateKey = okp::PrivateKey;\n    type EdPublicKey = okp::PublicKey;\n    type Error = BackendError;\n    type HmacKey = hmac::Key;\n    type RsaPrivateKey = rsa::PrivateKey;\n    type RsaPublicKey = rsa::PublicKey;\n\n    fn fill_random(buf: \u0026mut [u8]) -\u003e Result\u003c(), Self::Error\u003e {\n        use rand_core::OsRng;\n\n        OsRng.try_fill_bytes(buf).map_err(BackendError::Rand)?;\n        Ok(())\n    }\n\n    fn sha256(data: \u0026[u8]) -\u003e [u8; 32] {\n        sha2::Sha256::digest(data).into()\n    }\n\n    fn sha384(data: \u0026[u8]) -\u003e [u8; 48] {\n        sha2::Sha384::digest(data).into()\n    }\n\n    fn sha512(data: \u0026[u8]) -\u003e [u8; 64] {\n        sha2::Sha512::digest(data).into()\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","backend.rs"],"content":"//! The actual implementations for the cryptographic backends.\n\npub(super) mod interface;\n\ncfg_if::cfg_if! {\n    if #[cfg(feature = \"crypto-rustcrypto\")] {\n        mod rust;\n        pub(crate) use rust::*;\n    } else if #[cfg(feature = \"crypto-openssl\")] {\n        mod openssl;\n        pub(crate) use openssl::*;\n    } else if #[cfg(feature = \"crypto-aws-lc\")] {\n        mod openssl;\n        pub(crate) use openssl::*;\n    } else if #[cfg(feature = \"crypto-ring\")] {\n        mod ring;\n        pub(crate) use ring::*;\n    } else {\n        compile_error!(\"No crypto backend selected. Please enable any of the `crypto-*` features.\");\n    }\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","crypto","ec.rs"],"content":"//! The primitives for working with [EC (elliptic curve)](https://en.wikipedia.org/wiki/Elliptic-curve_cryptography)\n//! algorithms (`kty` parameter = `EC`).\n//!\n//! If you are looking for the other curve types, see the\n//! [`okp`](crate::crypto::okp) module, which contains all curves that require a\n//! octet key pair.\n\nuse alloc::{boxed::Box, format, string::String, vec::Vec};\nuse core::{fmt, marker::PhantomData};\n\nuse secrecy::ExposeSecret;\nuse serde::{de::Error as _, Deserialize, Serialize};\n\nuse super::backend::{interface, Backend};\nuse crate::{\n    base64_url::{Base64UrlBytes, SecretBase64UrlBytes},\n    crypto::{\n        backend::interface::ec::{PrivateKey as _, PublicKey as _},\n        Result,\n    },\n    jwa, jwk, jws, Base64UrlString,\n};\n\ntype BackendPublicKey = \u003cBackend as interface::Backend\u003e::EcPublicKey;\ntype BackendPrivateKey = \u003cBackend as interface::Backend\u003e::EcPrivateKey;\n\n/// The public key type using the P-256 curve.\npub type P256PublicKey = PublicKey\u003cP256\u003e;\n\n/// The private key type using the P-256 curve.\npub type P256PrivateKey = PrivateKey\u003cP256\u003e;\n\n/// The signer type using the P-256 curve.\npub type P256Signer = Signer\u003cP256\u003e;\n\n/// The verifier type using the P-256 curve.\npub type P256Verifier = Verifier\u003cP256\u003e;\n\n/// The public key type using the P-384 curve.\npub type P384PublicKey = PublicKey\u003cP384\u003e;\n\n/// The private key type using the P-384 curve.\npub type P384PrivateKey = PrivateKey\u003cP384\u003e;\n\n/// The signer type using the P-384 curve.\npub type P384Signer = Signer\u003cP384\u003e;\n\n/// The verifier type using the P-384 curve.\npub type P384Verifier = Verifier\u003cP384\u003e;\n\n/// The public key type using the P-521 curve.\npub type P521PublicKey = PublicKey\u003cP521\u003e;\n\n/// The private key type using the P-521 curve.\npub type P521PrivateKey = PrivateKey\u003cP521\u003e;\n\n/// The signer type using the P-521 curve.\npub type P521Signer = Signer\u003cP521\u003e;\n\n/// The verifier type using the P-521 curve.\npub type P521Verifier = Verifier\u003cP521\u003e;\n\n/// The public key type using the secp256k1 curve.\npub type Secp256k1PublicKey = PublicKey\u003cSecp256k1\u003e;\n\n/// The private key type using the secp256k1 curve.\npub type Secp256k1PrivateKey = PrivateKey\u003cSecp256k1\u003e;\n\n/// The signer type using the secp256k1 curve.\npub type Secp256k1Signer = Signer\u003cSecp256k1\u003e;\n\n/// The verifier type using the secp256k1 curve.\npub type Secp256k1Verifier = Verifier\u003cSecp256k1\u003e;\n\n/// The curve trait marks all possible curves for key type `EC`.\npub trait Curve: sealed::Sealed {\n    /// The name of the curve, that is also used in the `crv` parameter of a\n    /// JWK.\n    const NAME: \u0026'static str;\n\n    /// The algorithm used for this curve.\n    const ALGORITHM: jwa::EcDSA;\n}\n\n/// Returns the number of bytes a single coordinate of the given curve holds.\npub(crate) fn coordinate_size(alg: jwa::EcDSA) -\u003e usize {\n    match alg {\n        jwa::EcDSA::Es256 =\u003e 32,\n        jwa::EcDSA::Es384 =\u003e 48,\n        jwa::EcDSA::Es512 =\u003e 66,\n        jwa::EcDSA::Es256K =\u003e 32,\n    }\n}\n\n/// The number of bytes for a scalar value for the given curve.\n///\n/// This is mostly used to ensure the private key has the correct length.\npub(crate) fn scalar_size(alg: jwa::EcDSA) -\u003e usize {\n    // The length of this octet string MUST be ceiling(log-base-2(n)/8) octets\n    // (where n is the order of the curve).\n    match alg {\n        jwa::EcDSA::Es256 =\u003e 32,\n        jwa::EcDSA::Es384 =\u003e 48,\n        jwa::EcDSA::Es512 =\u003e 66,\n        jwa::EcDSA::Es256K =\u003e 32,\n    }\n}\n\n/// The returned signature from a sign operation.\n#[repr(transparent)]\npub struct Signature {\n    inner: \u003cBackendPrivateKey as interface::ec::PrivateKey\u003e::Signature,\n}\n\nimpl From\u003cSignature\u003e for Vec\u003cu8\u003e {\n    fn from(value: Signature) -\u003e Self {\n        value.as_ref().to_vec()\n    }\n}\n\nimpl AsRef\u003c[u8]\u003e for Signature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        self.inner.as_ref()\n    }\n}\n\nimpl fmt::Debug for Signature {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Debug::fmt(AsRef::\u003c[u8]\u003e::as_ref(\u0026self.inner), f)\n    }\n}\n\n/// The serializable public key for all curve types.\n#[derive(Clone)]\npub struct PublicKey\u003cC\u003e {\n    inner: BackendPublicKey,\n    _curve: PhantomData\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e Eq for PublicKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e PartialEq for PublicKey\u003cC\u003e {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        let (x, y) = self.inner.to_point();\n        let (o_x, o_y) = other.inner.to_point();\n\n        x == o_x \u0026\u0026 y == o_y\n    }\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for PublicKey\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let (x, y) = self.inner.to_point();\n        let x = Base64UrlString::encode(x);\n        let y = Base64UrlString::encode(y);\n\n        f.debug_struct(\"PublicKey\")\n            .field(\"x\", \u0026x)\n            .field(\"y\", \u0026y)\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e From\u003cPublicKey\u003cC\u003e\u003e for jwk::JsonWebKeyType {\n    fn from(value: PublicKey\u003cC\u003e) -\u003e Self {\n        C::public_to_jwk_type(value)\n    }\n}\n\nimpl\u003cC: Curve\u003e crate::sealed::Sealed for PublicKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e jwk::IntoJsonWebKey for PublicKey\u003cC\u003e {\n    type Algorithm = ();\n    type Error = crate::crypto::Error;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003cjwk::JsonWebKey, Self::Error\u003e {\n        let key = C::public_to_jwk_type(self);\n        let key = jwk::JsonWebKey::new_with_algorithm(key, alg.map(|_| C::ALGORITHM.into()));\n        Ok(key)\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::Thumbprint for PublicKey\u003cC\u003e {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        jwk::thumbprint::serialize_key_thumbprint(self)\n    }\n}\n\n#[derive(Deserialize)]\nstruct PublicKeyRepr {\n    crv: String,\n    kty: String,\n    x: Base64UrlBytes,\n    y: Base64UrlBytes,\n}\n\nimpl\u003c'de, C: Curve\u003e Deserialize\u003c'de\u003e for PublicKey\u003cC\u003e {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let key = PublicKeyRepr::deserialize(deserializer)?;\n\n        if key.kty != \"EC\" {\n            return Err(D::Error::custom(alloc::format!(\n                \"Invalid key type `{}`. Expected: `EC`\",\n                key.kty,\n            )));\n        }\n\n        if key.crv != C::NAME {\n            return Err(D::Error::custom(alloc::format!(\n                \"Invalid curve type `{}`. Expected: `{}`\",\n                key.crv,\n                C::NAME,\n            )));\n        }\n\n        let check_coordinate = |c: \u0026[u8], name: \u0026str| {\n            if c.len() != coordinate_size(C::ALGORITHM) {\n                return Err(D::Error::custom(alloc::format!(\n                    \"ECC coordinate {name} has invalid length of {}, expected {}\",\n                    c.len(),\n                    coordinate_size(C::ALGORITHM),\n                )));\n            }\n\n            Ok(())\n        };\n\n        // https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.2\n        //\n        // Verifies that both coordinates are the same length as the curve size.\n        check_coordinate(\u0026key.x.0, \"x\")?;\n        check_coordinate(\u0026key.y.0, \"y\")?;\n\n        Ok(Self {\n            inner: \u003cBackendPublicKey as interface::ec::PublicKey\u003e::new(\n                C::ALGORITHM,\n                key.x.0,\n                key.y.0,\n            )\n            .map_err(|e| D::Error::custom(format!(\"failed to construct public EC key: {e}\")))?,\n            _curve: PhantomData,\n        })\n    }\n}\n\nimpl\u003cC: Curve\u003e Serialize for PublicKey\u003cC\u003e {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        #[derive(serde::Serialize)]\n        struct Repr\u003c'a\u003e {\n            crv: \u0026'a str,\n            kty: \u0026'a str,\n            x: Base64UrlBytes,\n            y: Base64UrlBytes,\n        }\n\n        let (x, y) = self.inner.to_point();\n\n        #[expect(clippy::useless_conversion)]\n        let repr = Repr {\n            crv: C::NAME,\n            kty: \"EC\",\n            x: Base64UrlBytes(Vec::\u003cu8\u003e::from(x)),\n            y: Base64UrlBytes(Vec::\u003cu8\u003e::from(y)),\n        };\n\n        repr.serialize(serializer)\n    }\n}\n\n/// The serializable private key for all curve types.\n#[derive(Clone)]\npub struct PrivateKey\u003cC\u003e {\n    inner: BackendPrivateKey,\n    _curve: PhantomData\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e PrivateKey\u003cC\u003e {\n    /// Generate a new RSA key pair of the given bit size.\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if the key generation fails.\n    pub fn generate() -\u003e Result\u003cSelf\u003e {\n        Ok(Self {\n            inner: BackendPrivateKey::generate(C::ALGORITHM)?,\n            _curve: PhantomData,\n        })\n    }\n\n    /// Returns the public key of this private key.\n    pub fn to_public_key(\u0026self) -\u003e PublicKey\u003cC\u003e {\n        PublicKey {\n            inner: self.inner.to_public_key(),\n            _curve: PhantomData,\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e Eq for PrivateKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e PartialEq for PrivateKey\u003cC\u003e {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        self.to_public_key() == other.to_public_key()\n    }\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for PrivateKey\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let (x, y) = self.inner.public_point();\n        let x = Base64UrlString::encode(x);\n        let y = Base64UrlString::encode(y);\n\n        f.debug_struct(\"PublicKey\")\n            .field(\"x\", \u0026x)\n            .field(\"y\", \u0026y)\n            .field(\"d\", \u0026\"[REDACTED]\")\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e From\u003cPrivateKey\u003cC\u003e\u003e for jwk::JsonWebKeyType {\n    fn from(value: PrivateKey\u003cC\u003e) -\u003e Self {\n        C::private_to_jwk_type(value)\n    }\n}\n\nimpl\u003cC: Curve\u003e crate::sealed::Sealed for PrivateKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e jwk::IntoJsonWebKey for PrivateKey\u003cC\u003e {\n    type Algorithm = ();\n    type Error = crate::crypto::Error;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003cjwk::JsonWebKey, Self::Error\u003e {\n        let key = C::private_to_jwk_type(self);\n        let key = jwk::JsonWebKey::new_with_algorithm(key, alg.map(|_| C::ALGORITHM.into()));\n        Ok(key)\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::Thumbprint for PrivateKey\u003cC\u003e {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        self.to_public_key().thumbprint_prehashed()\n    }\n}\n\nimpl\u003c'de, C: Curve\u003e Deserialize\u003c'de\u003e for PrivateKey\u003cC\u003e {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        #[derive(Deserialize)]\n        struct Repr {\n            #[serde(flatten)]\n            public: PublicKeyRepr,\n            d: SecretBase64UrlBytes,\n        }\n        let key = Repr::deserialize(deserializer)?;\n\n        let len = key.d.0.expose_secret().len();\n        if len != scalar_size(C::ALGORITHM) {\n            return Err(D::Error::custom(alloc::format!(\n                \"ECC scalar has invalid length of {len}, expected {}\",\n                scalar_size(C::ALGORITHM),\n            )));\n        }\n\n        Ok(Self {\n            inner: \u003cBackendPrivateKey as interface::ec::PrivateKey\u003e::new(\n                C::ALGORITHM,\n                key.public.x.0,\n                key.public.y.0,\n                key.d.0,\n            )\n            .map_err(|e| D::Error::custom(format!(\"failed to construct private EC key: {e}\")))?,\n            _curve: PhantomData,\n        })\n    }\n}\n\nimpl\u003cC: Curve\u003e Serialize for PrivateKey\u003cC\u003e {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        #[derive(serde::Serialize)]\n        struct Repr\u003c'a\u003e {\n            crv: \u0026'a str,\n            kty: \u0026'a str,\n            x: Base64UrlBytes,\n            y: Base64UrlBytes,\n            d: SecretBase64UrlBytes,\n        }\n\n        let (x, y) = self.inner.public_point();\n        let d = self.inner.private_material();\n\n        #[expect(clippy::useless_conversion)]\n        let repr = Repr {\n            crv: C::NAME,\n            kty: \"EC\",\n            x: Base64UrlBytes(Vec::\u003cu8\u003e::from(x)),\n            y: Base64UrlBytes(Vec::\u003cu8\u003e::from(y)),\n            d: SecretBase64UrlBytes(d),\n        };\n\n        repr.serialize(serializer)\n    }\n}\n\n/// The [`Signer`](jws::Signer) for EC keys.\npub struct Signer\u003cC\u003e {\n    inner: PrivateKey\u003cC\u003e,\n    deterministic: bool,\n}\n\nimpl\u003cC: Curve\u003e Signer\u003cC\u003e {\n    /// Makes the sign operation of this EcDSA signer deterministic.\n    ///\n    /// This enables deterministic signature values, according to [RFC 6979](https://www.rfc-editor.org/rfc/rfc6979).\n    #[cfg(feature = \"deterministic-ecdsa\")]\n    pub fn deterministic(mut self, deterministic: bool) -\u003e Self {\n        self.deterministic = deterministic;\n        self\n    }\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for Signer\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        f.debug_struct(\"Signer\").field(\"key\", \u0026self.inner).finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e jws::Signer\u003cSignature\u003e for Signer\u003cC\u003e {\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cSignature\u003e {\n        let sig = self.inner.inner.sign(msg, self.deterministic)?;\n        Ok(Signature { inner: sig })\n    }\n\n    fn algorithm(\u0026self) -\u003e jwa::JsonWebSigningAlgorithm {\n        jwa::JsonWebSigningAlgorithm::EcDSA(C::ALGORITHM)\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPrivateKey\u003cC\u003e\u003e for Signer\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    fn from_key(value: PrivateKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::EcDSA(alg))\n                if alg == C::ALGORITHM =\u003e\n            {\n                Ok(Self {\n                    inner: value,\n                    deterministic: false,\n                })\n            }\n            _ =\u003e Err(jws::InvalidSigningAlgorithmError),\n        }\n    }\n}\n\n/// The [`Verifier`](jws::Verifier) for EC keys.\npub struct Verifier\u003cC\u003e {\n    inner: PublicKey\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for Verifier\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        f.debug_struct(\"Verifier\")\n            .field(\"key\", \u0026self.inner)\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e jws::Verifier for Verifier\u003cC\u003e {\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), jws::VerifyError\u003e {\n        match self.inner.inner.verify(msg, signature) {\n            Ok(true) =\u003e Ok(()),\n            Ok(false) =\u003e Err(jws::VerifyError::InvalidSignature),\n            Err(e) =\u003e Err(jws::VerifyError::CryptoBackend(e)),\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPublicKey\u003cC\u003e\u003e for Verifier\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    fn from_key(value: PublicKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::EcDSA(alg))\n                if alg == C::ALGORITHM =\u003e\n            {\n                Ok(Self { inner: value })\n            }\n            _ =\u003e Err(jws::InvalidSigningAlgorithmError),\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPrivateKey\u003cC\u003e\u003e for Verifier\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    #[inline]\n    fn from_key(value: PrivateKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        Self::from_key(value.to_public_key(), alg)\n    }\n}\n\nmacro_rules! impl_curve {\n    ($(\n        $(#[$doc:meta])*\n        $curve:ident {\n            name: $curve_name:literal,\n            algorithm: $algorithm:ident,\n        }\n    ),*$(,)?) =\u003e { $(\n        $(#[$doc])*\n        #[derive(Debug, Clone, Copy)]\n        pub enum $curve {}\n\n        impl Curve for $curve {\n            const NAME: \u0026'static str = $curve_name;\n            const ALGORITHM: jwa::EcDSA = jwa::EcDSA::$algorithm;\n        }\n        impl sealed::Sealed for $curve {\n            fn public_to_jwk_type(key: PublicKey\u003cSelf\u003e) -\u003e jwk::JsonWebKeyType {\n                jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Public(\n                    jwk::Public::Ec(jwk::EcPublic::$curve(key)),\n                )))\n            }\n\n            fn private_to_jwk_type(key: PrivateKey\u003cSelf\u003e) -\u003e jwk::JsonWebKeyType {\n                jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Private(\n                    jwk::Private::Ec(jwk::EcPrivate::$curve(key)),\n                )))\n            }\n        }\n    )* };\n}\n\nimpl_curve!(\n    /// The P-256 curve.\n    P256 {\n        name: \"P-256\",\n        algorithm: Es256,\n    },\n\n    /// The P-384 curve.\n    P384 {\n        name: \"P-384\",\n        algorithm: Es384,\n    },\n\n    /// The P-521 curve.\n    P521 {\n        name: \"P-521\",\n        algorithm: Es512,\n    },\n\n    /// The secp256k1 curve.\n    Secp256k1 {\n        name: \"secp256k1\",\n        algorithm: Es256K,\n    },\n);\n\nmod sealed {\n    use crate::jwk::JsonWebKeyType;\n\n    pub trait Sealed: Sized {\n        fn public_to_jwk_type(key: super::PublicKey\u003cSelf\u003e) -\u003e JsonWebKeyType;\n\n        fn private_to_jwk_type(key: super::PrivateKey\u003cSelf\u003e) -\u003e JsonWebKeyType;\n    }\n}\n","traces":[{"line":86,"address":[],"length":0,"stats":{"Line":59}},{"line":87,"address":[],"length":0,"stats":{"Line":59}},{"line":88,"address":[],"length":0,"stats":{"Line":21}},{"line":89,"address":[],"length":0,"stats":{"Line":13}},{"line":90,"address":[],"length":0,"stats":{"Line":13}},{"line":91,"address":[],"length":0,"stats":{"Line":12}},{"line":98,"address":[],"length":0,"stats":{"Line":31}},{"line":101,"address":[],"length":0,"stats":{"Line":31}},{"line":102,"address":[],"length":0,"stats":{"Line":11}},{"line":103,"address":[],"length":0,"stats":{"Line":7}},{"line":104,"address":[],"length":0,"stats":{"Line":7}},{"line":105,"address":[],"length":0,"stats":{"Line":6}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":142,"address":[],"length":0,"stats":{"Line":26}},{"line":143,"address":[],"length":0,"stats":{"Line":26}},{"line":144,"address":[],"length":0,"stats":{"Line":26}},{"line":146,"address":[],"length":0,"stats":{"Line":52}},{"line":151,"address":[],"length":0,"stats":{"Line":0}},{"line":152,"address":[],"length":0,"stats":{"Line":0}},{"line":153,"address":[],"length":0,"stats":{"Line":0}},{"line":154,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":157,"address":[],"length":0,"stats":{"Line":0}},{"line":158,"address":[],"length":0,"stats":{"Line":0}},{"line":164,"address":[],"length":0,"stats":{"Line":0}},{"line":165,"address":[],"length":0,"stats":{"Line":0}},{"line":174,"address":[],"length":0,"stats":{"Line":0}},{"line":178,"address":[],"length":0,"stats":{"Line":0}},{"line":179,"address":[],"length":0,"stats":{"Line":0}},{"line":180,"address":[],"length":0,"stats":{"Line":0}},{"line":185,"address":[],"length":0,"stats":{"Line":33}},{"line":186,"address":[],"length":0,"stats":{"Line":33}},{"line":199,"address":[],"length":0,"stats":{"Line":14}},{"line":203,"address":[],"length":0,"stats":{"Line":28}},{"line":205,"address":[],"length":0,"stats":{"Line":0}},{"line":206,"address":[],"length":0,"stats":{"Line":0}},{"line":207,"address":[],"length":0,"stats":{"Line":0}},{"line":208,"address":[],"length":0,"stats":{"Line":0}},{"line":212,"address":[],"length":0,"stats":{"Line":14}},{"line":213,"address":[],"length":0,"stats":{"Line":0}},{"line":214,"address":[],"length":0,"stats":{"Line":0}},{"line":215,"address":[],"length":0,"stats":{"Line":0}},{"line":216,"address":[],"length":0,"stats":{"Line":0}},{"line":220,"address":[],"length":0,"stats":{"Line":42}},{"line":221,"address":[],"length":0,"stats":{"Line":28}},{"line":222,"address":[],"length":0,"stats":{"Line":0}},{"line":223,"address":[],"length":0,"stats":{"Line":0}},{"line":224,"address":[],"length":0,"stats":{"Line":0}},{"line":225,"address":[],"length":0,"stats":{"Line":0}},{"line":229,"address":[],"length":0,"stats":{"Line":28}},{"line":235,"address":[],"length":0,"stats":{"Line":0}},{"line":236,"address":[],"length":0,"stats":{"Line":14}},{"line":238,"address":[],"length":0,"stats":{"Line":0}},{"line":239,"address":[],"length":0,"stats":{"Line":14}},{"line":240,"address":[],"length":0,"stats":{"Line":14}},{"line":241,"address":[],"length":0,"stats":{"Line":14}},{"line":242,"address":[],"length":0,"stats":{"Line":14}},{"line":244,"address":[],"length":0,"stats":{"Line":14}},{"line":245,"address":[],"length":0,"stats":{"Line":14}},{"line":251,"address":[],"length":0,"stats":{"Line":41}},{"line":263,"address":[],"length":0,"stats":{"Line":41}},{"line":269,"address":[],"length":0,"stats":{"Line":41}},{"line":270,"address":[],"length":0,"stats":{"Line":41}},{"line":273,"address":[],"length":0,"stats":{"Line":41}},{"line":290,"address":[],"length":0,"stats":{"Line":3}},{"line":291,"address":[],"length":0,"stats":{"Line":3}},{"line":292,"address":[],"length":0,"stats":{"Line":3}},{"line":293,"address":[],"length":0,"stats":{"Line":3}},{"line":298,"address":[],"length":0,"stats":{"Line":38}},{"line":300,"address":[],"length":0,"stats":{"Line":38}},{"line":308,"address":[],"length":0,"stats":{"Line":4}},{"line":309,"address":[],"length":0,"stats":{"Line":4}},{"line":314,"address":[],"length":0,"stats":{"Line":0}},{"line":315,"address":[],"length":0,"stats":{"Line":0}},{"line":316,"address":[],"length":0,"stats":{"Line":0}},{"line":317,"address":[],"length":0,"stats":{"Line":0}},{"line":319,"address":[],"length":0,"stats":{"Line":0}},{"line":320,"address":[],"length":0,"stats":{"Line":0}},{"line":321,"address":[],"length":0,"stats":{"Line":0}},{"line":322,"address":[],"length":0,"stats":{"Line":0}},{"line":328,"address":[],"length":0,"stats":{"Line":0}},{"line":329,"address":[],"length":0,"stats":{"Line":0}},{"line":338,"address":[],"length":0,"stats":{"Line":0}},{"line":342,"address":[],"length":0,"stats":{"Line":0}},{"line":343,"address":[],"length":0,"stats":{"Line":0}},{"line":344,"address":[],"length":0,"stats":{"Line":0}},{"line":349,"address":[],"length":0,"stats":{"Line":17}},{"line":350,"address":[],"length":0,"stats":{"Line":17}},{"line":355,"address":[],"length":0,"stats":{"Line":28}},{"line":365,"address":[],"length":0,"stats":{"Line":56}},{"line":367,"address":[],"length":0,"stats":{"Line":0}},{"line":368,"address":[],"length":0,"stats":{"Line":0}},{"line":369,"address":[],"length":0,"stats":{"Line":0}},{"line":370,"address":[],"length":0,"stats":{"Line":0}},{"line":371,"address":[],"length":0,"stats":{"Line":0}},{"line":375,"address":[],"length":0,"stats":{"Line":14}},{"line":376,"address":[],"length":0,"stats":{"Line":14}},{"line":377,"address":[],"length":0,"stats":{"Line":14}},{"line":378,"address":[],"length":0,"stats":{"Line":14}},{"line":379,"address":[],"length":0,"stats":{"Line":14}},{"line":380,"address":[],"length":0,"stats":{"Line":14}},{"line":382,"address":[],"length":0,"stats":{"Line":14}},{"line":383,"address":[],"length":0,"stats":{"Line":14}},{"line":389,"address":[],"length":0,"stats":{"Line":8}},{"line":402,"address":[],"length":0,"stats":{"Line":8}},{"line":403,"address":[],"length":0,"stats":{"Line":8}},{"line":409,"address":[],"length":0,"stats":{"Line":8}},{"line":410,"address":[],"length":0,"stats":{"Line":8}},{"line":411,"address":[],"length":0,"stats":{"Line":8}},{"line":414,"address":[],"length":0,"stats":{"Line":8}},{"line":429,"address":[],"length":0,"stats":{"Line":0}},{"line":430,"address":[],"length":0,"stats":{"Line":0}},{"line":431,"address":[],"length":0,"stats":{"Line":0}},{"line":436,"address":[],"length":0,"stats":{"Line":0}},{"line":437,"address":[],"length":0,"stats":{"Line":0}},{"line":442,"address":[],"length":0,"stats":{"Line":0}},{"line":443,"address":[],"length":0,"stats":{"Line":0}},{"line":444,"address":[],"length":0,"stats":{"Line":0}},{"line":447,"address":[],"length":0,"stats":{"Line":0}},{"line":448,"address":[],"length":0,"stats":{"Line":0}},{"line":455,"address":[],"length":0,"stats":{"Line":0}},{"line":456,"address":[],"length":0,"stats":{"Line":0}},{"line":457,"address":[],"length":0,"stats":{"Line":0}},{"line":458,"address":[],"length":0,"stats":{"Line":0}},{"line":460,"address":[],"length":0,"stats":{"Line":0}},{"line":461,"address":[],"length":0,"stats":{"Line":0}},{"line":462,"address":[],"length":0,"stats":{"Line":0}},{"line":465,"address":[],"length":0,"stats":{"Line":0}},{"line":476,"address":[],"length":0,"stats":{"Line":0}},{"line":477,"address":[],"length":0,"stats":{"Line":0}},{"line":478,"address":[],"length":0,"stats":{"Line":0}},{"line":484,"address":[],"length":0,"stats":{"Line":0}},{"line":485,"address":[],"length":0,"stats":{"Line":0}},{"line":486,"address":[],"length":0,"stats":{"Line":0}},{"line":487,"address":[],"length":0,"stats":{"Line":0}},{"line":488,"address":[],"length":0,"stats":{"Line":0}},{"line":496,"address":[],"length":0,"stats":{"Line":0}},{"line":497,"address":[],"length":0,"stats":{"Line":0}},{"line":498,"address":[],"length":0,"stats":{"Line":0}},{"line":499,"address":[],"length":0,"stats":{"Line":0}},{"line":501,"address":[],"length":0,"stats":{"Line":0}},{"line":503,"address":[],"length":0,"stats":{"Line":0}},{"line":512,"address":[],"length":0,"stats":{"Line":0}},{"line":513,"address":[],"length":0,"stats":{"Line":0}},{"line":534,"address":[],"length":0,"stats":{"Line":0}},{"line":535,"address":[],"length":0,"stats":{"Line":0}},{"line":536,"address":[],"length":0,"stats":{"Line":0}},{"line":540,"address":[],"length":0,"stats":{"Line":0}},{"line":541,"address":[],"length":0,"stats":{"Line":0}},{"line":542,"address":[],"length":0,"stats":{"Line":0}}],"covered":63,"coverable":155},{"path":["/","home","stu","dev","rust","jose","src","crypto","hmac.rs"],"content":"//! The primitives for working with [HMAC] algorithms.\n//!\n//! [HMAC]: https://en.wikipedia.org/wiki/HMAC\n\nuse core::fmt;\n\nuse secrecy::{ExposeSecret, SecretSlice};\nuse subtle::ConstantTimeEq as _;\n\nuse super::{\n    backend::{\n        interface::{self, hmac::Key as _},\n        Backend,\n    },\n    Error, Result,\n};\nuse crate::{\n    crypto::backend::interface::Backend as _,\n    jwa,\n    jwk::{\n        self,\n        symmetric::{FromOctetSequenceError, OctetSequence},\n        IntoJsonWebKey,\n    },\n    jws::{self, Signer},\n};\n\ntype BackendHmacKey = \u003cBackend as interface::Backend\u003e::HmacKey;\n\n/// Marker trait is implemented for all supported HMAC variants.\npub trait Variant: crate::sealed::Sealed {\n    /// The JWA algorithm for this variant.\n    const ALGORITHM: jwa::Hmac;\n\n    /// The number of bytes in the output of the hash operation operation.\n    const OUTPUT_SIZE_BYTES: usize;\n}\n\n/// The returned signature from a sign operation.\n#[repr(transparent)]\npub struct Signature {\n    inner: \u003cBackendHmacKey as interface::hmac::Key\u003e::Signature,\n}\n\nimpl AsRef\u003c[u8]\u003e for Signature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        self.inner.as_ref()\n    }\n}\n\nimpl fmt::Debug for Signature {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Debug::fmt(AsRef::\u003c[u8]\u003e::as_ref(\u0026self.inner), f)\n    }\n}\n\n/// A key that can be used for signing and verifying HMAC signatures.\npub struct Key\u003cH: Variant\u003e {\n    inner: BackendHmacKey,\n    // We also need to store the raw key, to be able to convert it to a JWK.\n    raw_key: SecretSlice\u003cu8\u003e,\n    _variant: core::marker::PhantomData\u003cH\u003e,\n}\n\nimpl\u003cH: Variant\u003e Key\u003cH\u003e {\n    /// Generate a new random HMAC key, using the crypto backends default RNG.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the crypto backend failed to generate random data.\n    pub fn generate() -\u003e Result\u003cSelf\u003e {\n        let mut key = alloc::vec![0u8; H::OUTPUT_SIZE_BYTES].into_boxed_slice();\n        Backend::fill_random(\u0026mut key)?;\n        let key = SecretSlice::from(key);\n\n        Self::new_from_key(key)\n    }\n\n    fn new_from_key(key: SecretSlice\u003cu8\u003e) -\u003e Result\u003cSelf\u003e {\n        let inner = BackendHmacKey::new(H::ALGORITHM, key.expose_secret())?;\n        Ok(Self {\n            inner,\n            raw_key: key,\n            _variant: core::marker::PhantomData,\n        })\n    }\n}\n\nimpl\u003cH: Variant\u003e fmt::Debug for Key\u003cH\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        f.debug_struct(\"Key\")\n            .field(\"key\", \u0026self.raw_key)\n            .field(\"algorithm\", \u0026H::ALGORITHM)\n            .finish()\n    }\n}\n\nimpl\u003cH: Variant\u003e From\u003cKey\u003cH\u003e\u003e for jwk::JsonWebKeyType {\n    fn from(key: Key\u003cH\u003e) -\u003e Self {\n        jwk::JsonWebKeyType::Symmetric(jwk::SymmetricJsonWebKey::OctetSequence(OctetSequence::new(\n            key.raw_key,\n        )))\n    }\n}\n\nimpl\u003cH: Variant\u003e crate::sealed::Sealed for Key\u003cH\u003e {}\nimpl\u003cH: Variant\u003e IntoJsonWebKey for Key\u003cH\u003e {\n    type Algorithm = ();\n    type Error = core::convert::Infallible;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003ccrate::JsonWebKey, Self::Error\u003e {\n        let key_ty = jwk::JsonWebKeyType::from(self);\n        let alg = alg.map(|_| {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Hmac(H::ALGORITHM))\n        });\n        Ok(jwk::JsonWebKey::new_with_algorithm(key_ty, alg))\n    }\n}\n\nimpl\u003cH: Variant\u003e jws::Verifier for Key\u003cH\u003e {\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), jws::VerifyError\u003e {\n        let signed = self.inner.sign(msg)?;\n\n        let valid = bool::from(signature.ct_eq(signed.as_ref()));\n        if valid {\n            Ok(())\n        } else {\n            Err(jws::VerifyError::InvalidSignature)\n        }\n    }\n}\n\nimpl\u003cH: Variant\u003e Signer\u003cSignature\u003e for Key\u003cH\u003e {\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cSignature, Error\u003e {\n        let signature = self.inner.sign(msg)?;\n        Ok(Signature { inner: signature })\n    }\n\n    fn algorithm(\u0026self) -\u003e jwa::JsonWebSigningAlgorithm {\n        jwa::JsonWebSigningAlgorithm::Hmac(H::ALGORITHM)\n    }\n}\n\nimpl\u003cH: Variant\u003e jwk::FromKey\u003cOctetSequence\u003e for Key\u003cH\u003e {\n    type Error = FromOctetSequenceError;\n\n    fn from_key(\n        key: OctetSequence,\n        alg: jwa::JsonWebAlgorithm,\n    ) -\u003e core::result::Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Hmac(alg)) =\u003e {\n                if alg != H::ALGORITHM {\n                    return Err(FromOctetSequenceError::InvalidSigningAlgorithm(\n                        jws::InvalidSigningAlgorithmError,\n                    ));\n                }\n\n                // This check is not required for normal Hmac implementations based on RFC 2104\n                // but RFC 7518 section 3.2 requires this check and\n                // forbids keys with a length \u003c output\n                if key.len() \u003c H::OUTPUT_SIZE_BYTES {\n                    return Err(FromOctetSequenceError::InvalidLength);\n                }\n\n                Ok(Self::new_from_key(key.into_bytes())?)\n            }\n            _ =\u003e Err(FromOctetSequenceError::InvalidSigningAlgorithm(\n                jws::InvalidSigningAlgorithmError,\n            )),\n        }\n    }\n}\n\nimpl\u003cH: Variant\u003e jwk::FromKey\u003c\u0026OctetSequence\u003e for Key\u003cH\u003e {\n    type Error = FromOctetSequenceError;\n\n    fn from_key(key: \u0026OctetSequence, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Hmac(alg)) =\u003e {\n                if alg != H::ALGORITHM {\n                    return Err(FromOctetSequenceError::InvalidSigningAlgorithm(\n                        jws::InvalidSigningAlgorithmError,\n                    ));\n                }\n\n                // This check is not required for normal Hmac implementations based on RFC 2104\n                // but RFC 7518 section 3.2 requires this check and\n                // forbids keys with a length \u003c output\n                if key.len() \u003c H::OUTPUT_SIZE_BYTES {\n                    return Err(FromOctetSequenceError::InvalidLength);\n                }\n\n                Ok(Self::new_from_key(key.bytes().clone())?)\n            }\n            _ =\u003e Err(FromOctetSequenceError::InvalidSigningAlgorithm(\n                jws::InvalidSigningAlgorithmError,\n            )),\n        }\n    }\n}\nmacro_rules! impl_variant {\n    (#[$doc:meta] $variant:ident = $size:expr) =\u003e {\n        #[$doc]\n        #[derive(Debug)]\n        pub enum $variant {}\n\n        impl Variant for $variant {\n            const ALGORITHM: jwa::Hmac = jwa::Hmac::$variant;\n            const OUTPUT_SIZE_BYTES: usize = $size;\n        }\n        impl crate::sealed::Sealed for $variant {}\n    };\n}\n\nimpl_variant!(\n    /// Marker type that represents Hmac using the Sha256 digest.\n    Hs256 = 256 / 8\n);\nimpl_variant!(\n    /// Marker type that represents Hmac using the Sha384 digest.\n    Hs384 = 384 / 8\n);\nimpl_variant!(\n    /// Marker type that represents Hmac using the Sha512 digest.\n    Hs512 = 512 / 8\n);\n","traces":[{"line":46,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":52,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":1}},{"line":72,"address":[],"length":0,"stats":{"Line":1}},{"line":73,"address":[],"length":0,"stats":{"Line":1}},{"line":74,"address":[],"length":0,"stats":{"Line":1}},{"line":76,"address":[],"length":0,"stats":{"Line":1}},{"line":79,"address":[],"length":0,"stats":{"Line":1}},{"line":80,"address":[],"length":0,"stats":{"Line":2}},{"line":81,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":90,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}},{"line":100,"address":[],"length":0,"stats":{"Line":0}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":119,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":138,"address":[],"length":0,"stats":{"Line":0}},{"line":139,"address":[],"length":0,"stats":{"Line":0}},{"line":142,"address":[],"length":0,"stats":{"Line":0}},{"line":143,"address":[],"length":0,"stats":{"Line":0}},{"line":150,"address":[],"length":0,"stats":{"Line":0}},{"line":154,"address":[],"length":0,"stats":{"Line":0}},{"line":155,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":157,"address":[],"length":0,"stats":{"Line":0}},{"line":158,"address":[],"length":0,"stats":{"Line":0}},{"line":165,"address":[],"length":0,"stats":{"Line":0}},{"line":166,"address":[],"length":0,"stats":{"Line":0}},{"line":169,"address":[],"length":0,"stats":{"Line":0}},{"line":171,"address":[],"length":0,"stats":{"Line":0}},{"line":172,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":1}},{"line":182,"address":[],"length":0,"stats":{"Line":1}},{"line":183,"address":[],"length":0,"stats":{"Line":1}},{"line":184,"address":[],"length":0,"stats":{"Line":1}},{"line":185,"address":[],"length":0,"stats":{"Line":0}},{"line":186,"address":[],"length":0,"stats":{"Line":0}},{"line":193,"address":[],"length":0,"stats":{"Line":1}},{"line":194,"address":[],"length":0,"stats":{"Line":1}},{"line":197,"address":[],"length":0,"stats":{"Line":0}},{"line":199,"address":[],"length":0,"stats":{"Line":0}},{"line":200,"address":[],"length":0,"stats":{"Line":0}}],"covered":13,"coverable":60},{"path":["/","home","stu","dev","rust","jose","src","crypto","okp.rs"],"content":"//! The primitives for working with EdDSA algorithms (`kty`\n//! parameter = `OKP`).\n//!\n//! If you are looking for the other curve types, see the\n//! [`ec`](crate::crypto::ec) module, which contains all curves, that do not\n//! require an octet key pair as a key.\n\nuse alloc::{borrow::Cow, format, string::String, vec::Vec};\nuse core::{fmt, marker::PhantomData};\n\nuse serde::{de::Error as _, Deserialize, Serialize};\n\nuse super::backend::{\n    interface::{\n        self,\n        okp::{PrivateKey as _, PublicKey as _},\n    },\n    Backend,\n};\nuse crate::{\n    base64_url::{Base64UrlBytes, SecretBase64UrlBytes},\n    crypto::Result,\n    jwa, jwk, jws, Base64UrlString,\n};\n\nconst KTY: \u0026str = \"OKP\";\n\ntype BackendPublicKey = \u003cBackend as interface::Backend\u003e::EdPublicKey;\ntype BackendPrivateKey = \u003cBackend as interface::Backend\u003e::EdPrivateKey;\n\n/// The curve trait marks all possible curves for EdDSA keys.\n///\n/// Technically, the implementors of this trait (e.g. [`Ed25519`]) are not\n/// curves, but rather the curve + algorithm combination. However, the JWK\n/// specification uses the term \"curve\" for this combination, so we will\n/// follow that convention here.\npub trait Curve: sealed::Sealed {\n    /// The name of the curve, that is also used in the `crv` parameter of a\n    /// JWK.\n    const NAME: \u0026'static str;\n}\n\n/// The public key using the Ed25519 curve.\npub type Ed25519PublicKey = PublicKey\u003cEd25519\u003e;\n\n/// The private key using the Ed25519 curve.\npub type Ed25519PrivateKey = PrivateKey\u003cEd25519\u003e;\n\n/// The signer type using the Ed25519 curve.\npub type Ed25519Signer = Signer\u003cEd25519\u003e;\n\n/// The verifier type using the Ed25519 curve.\npub type Ed25519Verifier = Verifier\u003cEd25519\u003e;\n\n/// The public key using the Ed448 curve.\npub type Ed448PublicKey = PublicKey\u003cEd448\u003e;\n\n/// The private key using the Ed448 curve.\npub type Ed448PrivateKey = PrivateKey\u003cEd448\u003e;\n\n/// The signer type using the Ed448 curve.\npub type Ed448Signer = Signer\u003cEd448\u003e;\n\n/// The verifier type using the Ed448 curve.\npub type Ed448Verifier = Verifier\u003cEd448\u003e;\n\n/// The returned signature from a sign operation.\n#[repr(transparent)]\npub struct Signature {\n    inner: \u003cBackendPrivateKey as interface::okp::PrivateKey\u003e::Signature,\n}\n\nimpl From\u003cSignature\u003e for Vec\u003cu8\u003e {\n    fn from(value: Signature) -\u003e Self {\n        value.as_ref().to_vec()\n    }\n}\n\nimpl AsRef\u003c[u8]\u003e for Signature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        self.inner.as_ref()\n    }\n}\n\nimpl fmt::Debug for Signature {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Debug::fmt(AsRef::\u003c[u8]\u003e::as_ref(\u0026self.inner), f)\n    }\n}\n\n/// A public key for EdDSA algorithms.\n///\n/// The type of algorithm and curve is determined by the\n/// `C` type parameter.\n#[derive(Clone)]\npub struct PublicKey\u003cC\u003e {\n    inner: BackendPublicKey,\n    _curve: PhantomData\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e Eq for PublicKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e PartialEq for PublicKey\u003cC\u003e {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        interface::okp::PublicKey::to_bytes(\u0026self.inner)\n            == interface::okp::PublicKey::to_bytes(\u0026other.inner)\n    }\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for PublicKey\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let bytes = Base64UrlString::encode(interface::okp::PublicKey::to_bytes(\u0026self.inner));\n        f.debug_struct(\"PublicKey\")\n            .field(\"curve\", \u0026C::NAME)\n            .field(\"x\", \u0026bytes)\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e From\u003cPublicKey\u003cC\u003e\u003e for jwk::JsonWebKeyType {\n    fn from(value: PublicKey\u003cC\u003e) -\u003e Self {\n        C::public_to_jwk_type(value)\n    }\n}\n\nimpl\u003cC: Curve\u003e crate::sealed::Sealed for PublicKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e jwk::IntoJsonWebKey for PublicKey\u003cC\u003e {\n    type Algorithm = ();\n    type Error = crate::crypto::Error;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003cjwk::JsonWebKey, Self::Error\u003e {\n        let key = C::public_to_jwk_type(self);\n        let key = jwk::JsonWebKey::new_with_algorithm(\n            key,\n            alg.map(|_| jwa::JsonWebSigningAlgorithm::EdDSA.into()),\n        );\n        Ok(key)\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::Thumbprint for PublicKey\u003cC\u003e {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        jwk::thumbprint::serialize_key_thumbprint(self)\n    }\n}\n\n#[derive(Serialize, Deserialize)]\nstruct PublicRepr\u003c'a\u003e {\n    crv: Cow\u003c'a, str\u003e,\n    kty: Cow\u003c'a, str\u003e,\n    x: Base64UrlBytes,\n}\n\nimpl\u003c'de, C: Curve\u003e Deserialize\u003c'de\u003e for PublicKey\u003cC\u003e {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let repr = PublicRepr::deserialize(deserializer)?;\n\n        if repr.crv != C::NAME {\n            return Err(D::Error::custom(format!(\n                \"Invalid curve type `{}`. Expected `{}`\",\n                repr.crv,\n                C::NAME\n            )));\n        }\n\n        if repr.kty != KTY {\n            return Err(D::Error::custom(format!(\n                \"Invalid key type `{}`. Expected `{KTY}`\",\n                repr.kty,\n            )));\n        }\n\n        let key =\n            interface::okp::PublicKey::new(C::ALGORITHM, repr.x.0).map_err(D::Error::custom)?;\n        Ok(Self {\n            inner: key,\n            _curve: PhantomData,\n        })\n    }\n}\n\nimpl\u003cC: Curve\u003e Serialize for PublicKey\u003cC\u003e {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        let repr = PublicRepr {\n            crv: C::NAME.into(),\n            kty: KTY.into(),\n            x: Base64UrlBytes(interface::okp::PublicKey::to_bytes(\u0026self.inner)),\n        };\n\n        repr.serialize(serializer)\n    }\n}\n\n/// A private key for EdDSA algorithms.\n///\n/// The type of algorithm and curve is determined by the\n/// `C` type parameter.\n#[derive(Clone)]\npub struct PrivateKey\u003cC\u003e {\n    inner: BackendPrivateKey,\n    _curve: PhantomData\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e PrivateKey\u003cC\u003e {\n    /// Generate a new random key pair.\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if the key generation fails.\n    pub fn generate() -\u003e Result\u003cSelf\u003e {\n        Ok(Self {\n            inner: BackendPrivateKey::generate(C::ALGORITHM)?,\n            _curve: PhantomData,\n        })\n    }\n\n    /// Returns the public key of this private key.\n    pub fn to_public_key(\u0026self) -\u003e PublicKey\u003cC\u003e {\n        PublicKey {\n            inner: self.inner.to_public_key(),\n            _curve: PhantomData,\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e Eq for PrivateKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e PartialEq for PrivateKey\u003cC\u003e {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        self.to_public_key() == other.to_public_key()\n    }\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for PrivateKey\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let pub_key = interface::okp::PrivateKey::to_public_key(\u0026self.inner);\n        let bytes = Base64UrlString::encode(interface::okp::PublicKey::to_bytes(\u0026pub_key));\n\n        f.debug_struct(\"PrivateKey\")\n            .field(\"curve\", \u0026C::NAME)\n            .field(\"x\", \u0026bytes)\n            .field(\"d\", \u0026\"[REDACTED]\")\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e From\u003cPrivateKey\u003cC\u003e\u003e for jwk::JsonWebKeyType {\n    fn from(value: PrivateKey\u003cC\u003e) -\u003e Self {\n        C::private_to_jwk_type(value)\n    }\n}\n\nimpl\u003cC: Curve\u003e crate::sealed::Sealed for PrivateKey\u003cC\u003e {}\nimpl\u003cC: Curve\u003e jwk::IntoJsonWebKey for PrivateKey\u003cC\u003e {\n    type Algorithm = ();\n    type Error = crate::crypto::Error;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003cjwk::JsonWebKey, Self::Error\u003e {\n        let key = C::private_to_jwk_type(self);\n        let key = jwk::JsonWebKey::new_with_algorithm(\n            key,\n            alg.map(|_| jwa::JsonWebSigningAlgorithm::EdDSA.into()),\n        );\n        Ok(key)\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::Thumbprint for PrivateKey\u003cC\u003e {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        self.to_public_key().thumbprint_prehashed()\n    }\n}\n\n#[derive(Serialize, Deserialize)]\nstruct PrivateRepr\u003c'a\u003e {\n    #[serde(flatten)]\n    public: PublicRepr\u003c'a\u003e,\n    d: SecretBase64UrlBytes,\n}\n\nimpl\u003c'de, C: Curve\u003e Deserialize\u003c'de\u003e for PrivateKey\u003cC\u003e {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let repr = PrivateRepr::deserialize(deserializer)?;\n\n        let key = interface::okp::PrivateKey::new(C::ALGORITHM, repr.public.x.0, repr.d.0)\n            .map_err(D::Error::custom)?;\n\n        Ok(Self {\n            inner: key,\n            _curve: PhantomData,\n        })\n    }\n}\n\nimpl\u003cC: Curve\u003e Serialize for PrivateKey\u003cC\u003e {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        let pub_key = self.inner.to_public_key();\n        let repr = PrivateRepr {\n            public: PublicRepr {\n                crv: C::NAME.into(),\n                kty: KTY.into(),\n                x: Base64UrlBytes(interface::okp::PublicKey::to_bytes(\u0026pub_key)),\n            },\n            d: SecretBase64UrlBytes(interface::okp::PrivateKey::to_bytes(\u0026self.inner)),\n        };\n\n        repr.serialize(serializer)\n    }\n}\n\n/// The [`Signer`](jws::Signer) for EC keys.\npub struct Signer\u003cC\u003e {\n    inner: PrivateKey\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for Signer\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        f.debug_struct(\"Signer\").field(\"key\", \u0026self.inner).finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e jws::Signer\u003cSignature\u003e for Signer\u003cC\u003e {\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cSignature\u003e {\n        let sig = self.inner.inner.sign(msg)?;\n        Ok(Signature { inner: sig })\n    }\n\n    fn algorithm(\u0026self) -\u003e jwa::JsonWebSigningAlgorithm {\n        jwa::JsonWebSigningAlgorithm::EdDSA\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPrivateKey\u003cC\u003e\u003e for Signer\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    fn from_key(value: PrivateKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::EdDSA) =\u003e {\n                Ok(Self { inner: value })\n            }\n            _ =\u003e Err(jws::InvalidSigningAlgorithmError),\n        }\n    }\n}\n\n/// The [`Verifier`](jws::Verifier) for EC keys.\npub struct Verifier\u003cC\u003e {\n    inner: PublicKey\u003cC\u003e,\n}\n\nimpl\u003cC: Curve\u003e fmt::Debug for Verifier\u003cC\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        f.debug_struct(\"Verifier\")\n            .field(\"key\", \u0026self.inner)\n            .finish()\n    }\n}\n\nimpl\u003cC: Curve\u003e jws::Verifier for Verifier\u003cC\u003e {\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), jws::VerifyError\u003e {\n        match self.inner.inner.verify(msg, signature) {\n            Ok(true) =\u003e Ok(()),\n            Ok(false) =\u003e Err(jws::VerifyError::InvalidSignature),\n            Err(e) =\u003e Err(jws::VerifyError::CryptoBackend(e)),\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPublicKey\u003cC\u003e\u003e for Verifier\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    fn from_key(value: PublicKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::EdDSA) =\u003e {\n                Ok(Self { inner: value })\n            }\n            _ =\u003e Err(jws::InvalidSigningAlgorithmError),\n        }\n    }\n}\n\nimpl\u003cC: Curve\u003e jwk::FromKey\u003cPrivateKey\u003cC\u003e\u003e for Verifier\u003cC\u003e {\n    type Error = jws::InvalidSigningAlgorithmError;\n\n    #[inline]\n    fn from_key(value: PrivateKey\u003cC\u003e, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        Self::from_key(value.to_public_key(), alg)\n    }\n}\n\nmacro_rules! impl_curve {\n    ($(\n        $(#[$doc:meta])*\n        $curve:ident {\n            name: $curve_name:literal,\n        }\n    ),*$(,)?) =\u003e { $(\n        $(#[$doc])*\n        #[derive(Debug, Clone, Copy)]\n        pub enum $curve {}\n\n        impl Curve for $curve {\n            const NAME: \u0026'static str = $curve_name;\n        }\n\n        impl sealed::Sealed for $curve {\n            #[expect(private_interfaces)]\n            const ALGORITHM: interface::okp::CurveAlgorithm = interface::okp::CurveAlgorithm::$curve;\n\n            fn public_to_jwk_type(key: PublicKey\u003cSelf\u003e) -\u003e jwk::JsonWebKeyType {\n                jwk::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(jwk::AsymmetricJsonWebKey::Public(\n                    jwk::Public::Okp(jwk::OkpPublic::$curve(key)),\n                )))\n            }\n\n            fn private_to_jwk_type(key: PrivateKey\u003cSelf\u003e) -\u003e jwk::JsonWebKeyType {\n                jwk::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(jwk::AsymmetricJsonWebKey::Private(\n                    jwk::Private::Okp(jwk::OkpPrivate::$curve(key)),\n                )))\n            }\n        }\n    )* };\n}\n\nimpl_curve!(\n    /// The Ed25519 curve.\n    Ed25519 {\n        name: \"Ed25519\",\n    },\n\n    /// The Ed448 curve.\n    Ed448 {\n        name: \"Ed448\",\n    },\n);\n\nmod sealed {\n    use crate::{crypto::backend::interface, jwk::JsonWebKeyType};\n\n    pub trait Sealed: Sized {\n        #[expect(private_interfaces)]\n        const ALGORITHM: interface::okp::CurveAlgorithm;\n\n        fn public_to_jwk_type(key: super::PublicKey\u003cSelf\u003e) -\u003e JsonWebKeyType;\n\n        fn private_to_jwk_type(key: super::PrivateKey\u003cSelf\u003e) -\u003e JsonWebKeyType;\n    }\n}\n","traces":[{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":81,"address":[],"length":0,"stats":{"Line":0}},{"line":86,"address":[],"length":0,"stats":{"Line":0}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":12}},{"line":104,"address":[],"length":0,"stats":{"Line":12}},{"line":105,"address":[],"length":0,"stats":{"Line":12}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":113,"address":[],"length":0,"stats":{"Line":0}},{"line":114,"address":[],"length":0,"stats":{"Line":0}},{"line":120,"address":[],"length":0,"stats":{"Line":0}},{"line":121,"address":[],"length":0,"stats":{"Line":0}},{"line":130,"address":[],"length":0,"stats":{"Line":0}},{"line":134,"address":[],"length":0,"stats":{"Line":0}},{"line":136,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":139,"address":[],"length":0,"stats":{"Line":0}},{"line":144,"address":[],"length":0,"stats":{"Line":16}},{"line":145,"address":[],"length":0,"stats":{"Line":16}},{"line":157,"address":[],"length":0,"stats":{"Line":6}},{"line":161,"address":[],"length":0,"stats":{"Line":12}},{"line":163,"address":[],"length":0,"stats":{"Line":0}},{"line":164,"address":[],"length":0,"stats":{"Line":0}},{"line":165,"address":[],"length":0,"stats":{"Line":0}},{"line":166,"address":[],"length":0,"stats":{"Line":0}},{"line":167,"address":[],"length":0,"stats":{"Line":0}},{"line":171,"address":[],"length":0,"stats":{"Line":6}},{"line":172,"address":[],"length":0,"stats":{"Line":0}},{"line":173,"address":[],"length":0,"stats":{"Line":0}},{"line":174,"address":[],"length":0,"stats":{"Line":0}},{"line":178,"address":[],"length":0,"stats":{"Line":6}},{"line":179,"address":[],"length":0,"stats":{"Line":0}},{"line":180,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":0}},{"line":182,"address":[],"length":0,"stats":{"Line":0}},{"line":188,"address":[],"length":0,"stats":{"Line":20}},{"line":193,"address":[],"length":0,"stats":{"Line":20}},{"line":194,"address":[],"length":0,"stats":{"Line":20}},{"line":195,"address":[],"length":0,"stats":{"Line":20}},{"line":198,"address":[],"length":0,"stats":{"Line":20}},{"line":218,"address":[],"length":0,"stats":{"Line":2}},{"line":219,"address":[],"length":0,"stats":{"Line":2}},{"line":220,"address":[],"length":0,"stats":{"Line":2}},{"line":221,"address":[],"length":0,"stats":{"Line":2}},{"line":226,"address":[],"length":0,"stats":{"Line":18}},{"line":228,"address":[],"length":0,"stats":{"Line":18}},{"line":236,"address":[],"length":0,"stats":{"Line":2}},{"line":237,"address":[],"length":0,"stats":{"Line":2}},{"line":242,"address":[],"length":0,"stats":{"Line":0}},{"line":243,"address":[],"length":0,"stats":{"Line":0}},{"line":244,"address":[],"length":0,"stats":{"Line":0}},{"line":246,"address":[],"length":0,"stats":{"Line":0}},{"line":247,"address":[],"length":0,"stats":{"Line":0}},{"line":248,"address":[],"length":0,"stats":{"Line":0}},{"line":249,"address":[],"length":0,"stats":{"Line":0}},{"line":255,"address":[],"length":0,"stats":{"Line":0}},{"line":256,"address":[],"length":0,"stats":{"Line":0}},{"line":265,"address":[],"length":0,"stats":{"Line":0}},{"line":269,"address":[],"length":0,"stats":{"Line":0}},{"line":271,"address":[],"length":0,"stats":{"Line":0}},{"line":272,"address":[],"length":0,"stats":{"Line":0}},{"line":274,"address":[],"length":0,"stats":{"Line":0}},{"line":279,"address":[],"length":0,"stats":{"Line":8}},{"line":280,"address":[],"length":0,"stats":{"Line":8}},{"line":292,"address":[],"length":0,"stats":{"Line":12}},{"line":296,"address":[],"length":0,"stats":{"Line":24}},{"line":298,"address":[],"length":0,"stats":{"Line":6}},{"line":299,"address":[],"length":0,"stats":{"Line":0}},{"line":301,"address":[],"length":0,"stats":{"Line":0}},{"line":302,"address":[],"length":0,"stats":{"Line":0}},{"line":303,"address":[],"length":0,"stats":{"Line":0}},{"line":309,"address":[],"length":0,"stats":{"Line":4}},{"line":313,"address":[],"length":0,"stats":{"Line":4}},{"line":315,"address":[],"length":0,"stats":{"Line":4}},{"line":320,"address":[],"length":0,"stats":{"Line":4}},{"line":323,"address":[],"length":0,"stats":{"Line":4}},{"line":333,"address":[],"length":0,"stats":{"Line":0}},{"line":334,"address":[],"length":0,"stats":{"Line":0}},{"line":339,"address":[],"length":0,"stats":{"Line":0}},{"line":340,"address":[],"length":0,"stats":{"Line":0}},{"line":341,"address":[],"length":0,"stats":{"Line":0}},{"line":344,"address":[],"length":0,"stats":{"Line":0}},{"line":345,"address":[],"length":0,"stats":{"Line":0}},{"line":352,"address":[],"length":0,"stats":{"Line":0}},{"line":353,"address":[],"length":0,"stats":{"Line":0}},{"line":354,"address":[],"length":0,"stats":{"Line":0}},{"line":355,"address":[],"length":0,"stats":{"Line":0}},{"line":357,"address":[],"length":0,"stats":{"Line":0}},{"line":368,"address":[],"length":0,"stats":{"Line":0}},{"line":369,"address":[],"length":0,"stats":{"Line":0}},{"line":370,"address":[],"length":0,"stats":{"Line":0}},{"line":376,"address":[],"length":0,"stats":{"Line":0}},{"line":377,"address":[],"length":0,"stats":{"Line":0}},{"line":378,"address":[],"length":0,"stats":{"Line":0}},{"line":379,"address":[],"length":0,"stats":{"Line":0}},{"line":380,"address":[],"length":0,"stats":{"Line":0}},{"line":388,"address":[],"length":0,"stats":{"Line":0}},{"line":389,"address":[],"length":0,"stats":{"Line":0}},{"line":390,"address":[],"length":0,"stats":{"Line":0}},{"line":391,"address":[],"length":0,"stats":{"Line":0}},{"line":393,"address":[],"length":0,"stats":{"Line":0}},{"line":402,"address":[],"length":0,"stats":{"Line":0}},{"line":403,"address":[],"length":0,"stats":{"Line":0}},{"line":426,"address":[],"length":0,"stats":{"Line":0}},{"line":427,"address":[],"length":0,"stats":{"Line":0}},{"line":428,"address":[],"length":0,"stats":{"Line":0}},{"line":432,"address":[],"length":0,"stats":{"Line":0}},{"line":433,"address":[],"length":0,"stats":{"Line":0}},{"line":434,"address":[],"length":0,"stats":{"Line":0}}],"covered":32,"coverable":113},{"path":["/","home","stu","dev","rust","jose","src","crypto","rsa.rs"],"content":"//! The primitives for working with [RSA] encryption.\n//!\n//! [RSA]: https://en.wikipedia.org/wiki/RSA_cryptosystem\n\nuse alloc::{boxed::Box, format, string::String, vec::Vec};\nuse core::{convert::Infallible, fmt};\n\nuse serde::{de::Error as _, ser::Error as _, Deserialize, Serialize};\n\nuse super::backend::{\n    interface::{\n        self,\n        rsa::{self, PrivateKey as _, PublicKey as _},\n    },\n    Backend,\n};\nuse crate::{\n    base64_url::{Base64UrlBytes, SecretBase64UrlBytes},\n    crypto::Result,\n    jwa::{self, RsaSigning},\n    jwk::{self, FromKey, IntoJsonWebKey},\n    jws::{self, InvalidSigningAlgorithmError},\n    Base64UrlString,\n};\n\ntype BackendPublicKey = \u003cBackend as interface::Backend\u003e::RsaPublicKey;\ntype BackendPrivateKey = \u003cBackend as interface::Backend\u003e::RsaPrivateKey;\n\n/// The returned signature from a sign operation.\n#[repr(transparent)]\npub struct Signature {\n    inner: \u003cBackendPrivateKey as rsa::PrivateKey\u003e::Signature,\n}\n\nimpl From\u003cSignature\u003e for Vec\u003cu8\u003e {\n    fn from(value: Signature) -\u003e Self {\n        value.as_ref().to_vec()\n    }\n}\n\nimpl AsRef\u003c[u8]\u003e for Signature {\n    fn as_ref(\u0026self) -\u003e \u0026[u8] {\n        self.inner.as_ref()\n    }\n}\n\nimpl fmt::Debug for Signature {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Debug::fmt(self.as_ref(), f)\n    }\n}\n\n/// The RSA public key type.\n#[derive(Clone)]\npub struct PublicKey {\n    inner: BackendPublicKey,\n}\n\nimpl Eq for PublicKey {}\nimpl PartialEq for PublicKey {\n    fn eq(\u0026self, o: \u0026Self) -\u003e bool {\n        let this_pub = rsa::PublicKey::components(\u0026self.inner);\n        let o_pub = rsa::PublicKey::components(\u0026o.inner);\n\n        this_pub == o_pub\n    }\n}\n\nimpl fmt::Debug for PublicKey {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let key = rsa::PublicKey::components(\u0026self.inner);\n        let n = Base64UrlString::encode(key.n);\n        let e = Base64UrlString::encode(key.e);\n\n        f.debug_struct(\"PublicKey\")\n            .field(\"n\", \u0026n)\n            .field(\"e\", \u0026e)\n            .finish()\n    }\n}\n\nimpl From\u003cPublicKey\u003e for jwk::JsonWebKeyType {\n    fn from(x: PublicKey) -\u003e Self {\n        jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Public(\n            jwk::Public::Rsa(x),\n        )))\n    }\n}\n\nimpl crate::sealed::Sealed for PublicKey {}\nimpl IntoJsonWebKey for PublicKey {\n    type Algorithm = RsaSigning;\n    type Error = Infallible;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003ccrate::JsonWebKey, Self::Error\u003e {\n        let alg = alg.map(|rsa| {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Rsa(rsa.into()))\n        });\n\n        let key = jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Public(\n            jwk::Public::Rsa(self),\n        )));\n\n        Ok(jwk::JsonWebKey::new_with_algorithm(key, alg))\n    }\n}\n\nimpl jwk::Thumbprint for PublicKey {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        crate::jwk::thumbprint::serialize_key_thumbprint(self)\n    }\n}\n\nimpl Serialize for PublicKey {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        #[derive(Serialize)]\n        struct Repr {\n            kty: \u0026'static str,\n\n            n: Base64UrlBytes,\n            e: Base64UrlBytes,\n        }\n\n        let key = rsa::PublicKey::components(\u0026self.inner);\n        Repr {\n            kty: \"RSA\",\n            n: Base64UrlBytes(key.n),\n            e: Base64UrlBytes(key.e),\n        }\n        .serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for PublicKey {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        #[derive(Deserialize)]\n        struct Repr {\n            kty: String,\n\n            n: Base64UrlBytes,\n            e: Base64UrlBytes,\n        }\n\n        let repr = Repr::deserialize(deserializer)?;\n\n        if \u0026*repr.kty != \"RSA\" {\n            return Err(D::Error::custom(\"`kty` field is required to be `RSA`\"));\n        }\n\n        let components = rsa::PublicKeyComponents {\n            n: repr.n.0,\n            e: repr.e.0,\n        };\n        let key = rsa::PublicKey::from_components(components)\n            .map_err(|e| D::Error::custom(format!(\"failed to construct RSA public key: {e}\")))?;\n        Ok(Self { inner: key })\n    }\n}\n\n/// The RSA private key type.\n#[derive(Clone)]\npub struct PrivateKey {\n    inner: BackendPrivateKey,\n}\n\nimpl PrivateKey {\n    /// Generate a new RSA key pair of the given bit size.\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if the key generation fails.\n    pub fn generate(bits: usize) -\u003e Result\u003cSelf\u003e {\n        let key = BackendPrivateKey::generate(bits)?;\n        Ok(Self { inner: key })\n    }\n\n    /// Get the public key corresponding to this private key.\n    pub fn to_public_key(\u0026self) -\u003e PublicKey {\n        PublicKey {\n            inner: self.inner.to_public_key(),\n        }\n    }\n}\n\nimpl Eq for PrivateKey {}\nimpl PartialEq for PrivateKey {\n    fn eq(\u0026self, o: \u0026Self) -\u003e bool {\n        self.to_public_key() == o.to_public_key()\n    }\n}\n\nimpl From\u003cPrivateKey\u003e for jwk::JsonWebKeyType {\n    fn from(x: PrivateKey) -\u003e Self {\n        jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Private(\n            jwk::Private::Rsa(Box::new(x)),\n        )))\n    }\n}\n\nimpl fmt::Debug for PrivateKey {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let key = rsa::PrivateKey::public_components(\u0026self.inner);\n        let n = Base64UrlString::encode(key.n);\n        let e = Base64UrlString::encode(key.e);\n\n        f.debug_struct(\"PrivateKey\")\n            .field(\"n\", \u0026n)\n            .field(\"e\", \u0026e)\n            .field(\"primes\", \u0026\"[REDACTED]\")\n            .finish()\n    }\n}\n\nimpl crate::sealed::Sealed for PrivateKey {}\nimpl IntoJsonWebKey for PrivateKey {\n    type Algorithm = RsaSigning;\n    type Error = Infallible;\n\n    fn into_jwk(\n        self,\n        alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e,\n    ) -\u003e Result\u003ccrate::JsonWebKey, Self::Error\u003e {\n        let alg = alg.map(|rsa| {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Rsa(rsa.into()))\n        });\n\n        let key = jwk::JsonWebKeyType::Asymmetric(Box::new(jwk::AsymmetricJsonWebKey::Private(\n            jwk::Private::Rsa(Box::new(self)),\n        )));\n\n        Ok(crate::JsonWebKey::new_with_algorithm(key, alg))\n    }\n}\n\nimpl jwk::Thumbprint for PrivateKey {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        self.to_public_key().thumbprint_prehashed()\n    }\n}\n\nimpl Serialize for PrivateKey {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        #[derive(Serialize)]\n        struct Repr {\n            kty: \u0026'static str,\n\n            n: Base64UrlBytes,\n            e: Base64UrlBytes,\n\n            d: SecretBase64UrlBytes,\n            p: SecretBase64UrlBytes,\n            q: SecretBase64UrlBytes,\n            dp: SecretBase64UrlBytes,\n            dq: SecretBase64UrlBytes,\n            qi: SecretBase64UrlBytes,\n        }\n\n        let pub_key = rsa::PrivateKey::public_components(\u0026self.inner);\n        let key = rsa::PrivateKey::private_components(\u0026self.inner).map_err(S::Error::custom)?;\n\n        let repr = Repr {\n            kty: \"RSA\",\n            n: Base64UrlBytes(pub_key.n),\n            e: Base64UrlBytes(pub_key.e),\n            d: SecretBase64UrlBytes(key.d),\n            p: SecretBase64UrlBytes(key.prime.p),\n            q: SecretBase64UrlBytes(key.prime.q),\n            dp: SecretBase64UrlBytes(key.prime.dp),\n            dq: SecretBase64UrlBytes(key.prime.dq),\n            qi: SecretBase64UrlBytes(key.prime.qi),\n        };\n\n        repr.serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for PrivateKey {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        #[derive(Deserialize)]\n        struct Repr {\n            kty: String,\n\n            n: Base64UrlBytes,\n            e: Base64UrlBytes,\n            d: SecretBase64UrlBytes,\n\n            p: Option\u003cSecretBase64UrlBytes\u003e,\n            q: Option\u003cSecretBase64UrlBytes\u003e,\n            dp: Option\u003cSecretBase64UrlBytes\u003e,\n            dq: Option\u003cSecretBase64UrlBytes\u003e,\n            qi: Option\u003cSecretBase64UrlBytes\u003e,\n\n            oth: Option\u003cserde_json::Value\u003e,\n        }\n\n        let repr = Repr::deserialize(deserializer)?;\n\n        if \u0026*repr.kty != \"RSA\" {\n            return Err(D::Error::custom(\"`kty` field is required to be `RSA`\"));\n        }\n\n        // RFC:\n        //\n        // The parameter \"d\" is REQUIRED for RSA private keys.  The others enable\n        // optimizations and SHOULD be included by producers of JWKs\n        // representing RSA private keys.  If the producer includes any of the\n        // other private key parameters, then all of the others MUST be present,\n        // with the exception of \"oth\", which MUST only be present when more than two\n        // prime factors were used.\n\n        let any_prime_present = repr.p.is_some()\n            | repr.q.is_some()\n            | repr.dp.is_some()\n            | repr.dq.is_some()\n            | repr.qi.is_some();\n\n        let prime_info = if any_prime_present {\n            let err = |field: \u0026str| {\n                D::Error::custom(format!(\n                    \"expected `{field}` to be present because all prime fields must be set if one \\\n                     of them is set\"\n                ))\n            };\n\n            rsa::PrivateKeyPrimeComponents {\n                p: repr.p.ok_or_else(|| err(\"p\"))?.0,\n                q: repr.q.ok_or_else(|| err(\"q\"))?.0,\n                dp: repr.dp.ok_or_else(|| err(\"dp\"))?.0,\n                dq: repr.dq.ok_or_else(|| err(\"dq\"))?.0,\n                qi: repr.qi.ok_or_else(|| err(\"qi\"))?.0,\n            }\n        } else {\n            // FIXME: can we support RSA keys without any primes?\n            return Err(D::Error::custom(\n                \"RSA private keys without any primes are not supported\",\n            ));\n        };\n\n        if repr.oth.is_some() {\n            // FIXME: Support additional primes\n            return Err(D::Error::custom(\n                \"RSA private keys with `oth` field set are not supported\",\n            ));\n        }\n\n        let pub_components = rsa::PublicKeyComponents {\n            n: repr.n.0,\n            e: repr.e.0,\n        };\n\n        let priv_components = rsa::PrivateKeyComponents {\n            d: repr.d.0,\n            prime: prime_info,\n        };\n\n        let key = rsa::PrivateKey::from_components(priv_components, pub_components)\n            .map_err(|e| D::Error::custom(format!(\"failed to construct RSA private key: {e}\")))?;\n        Ok(Self { inner: key })\n    }\n}\n\n/// A [`Signer`](jws::Signer) using an [`PrivateKey`] and an RSA algorithm.\n#[derive(Debug)]\npub struct Signer {\n    key: PrivateKey,\n    alg: RsaSigning,\n}\n\nimpl FromKey\u003cPrivateKey\u003e for Signer {\n    type Error = InvalidSigningAlgorithmError;\n\n    fn from_key(value: PrivateKey, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Rsa(alg)) =\u003e {\n                Ok(Self { key: value, alg })\n            }\n            _ =\u003e Err(InvalidSigningAlgorithmError),\n        }\n    }\n}\n\nimpl jws::Signer\u003cSignature\u003e for Signer {\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cSignature\u003e {\n        let sig = self.key.inner.sign(self.alg, msg)?;\n        Ok(Signature { inner: sig })\n    }\n\n    fn algorithm(\u0026self) -\u003e jwa::JsonWebSigningAlgorithm {\n        jwa::JsonWebSigningAlgorithm::Rsa(self.alg)\n    }\n}\n\n/// A [`Verifier`](jws::Verifier) using an [`PublicKey`] and an RSA algorithm.\n#[derive(Debug)]\npub struct Verifier {\n    key: PublicKey,\n    alg: RsaSigning,\n}\n\nimpl FromKey\u003cPublicKey\u003e for Verifier {\n    type Error = InvalidSigningAlgorithmError;\n\n    fn from_key(value: PublicKey, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        match alg {\n            jwa::JsonWebAlgorithm::Signing(jwa::JsonWebSigningAlgorithm::Rsa(alg)) =\u003e {\n                Ok(Self { key: value, alg })\n            }\n            _ =\u003e Err(InvalidSigningAlgorithmError),\n        }\n    }\n}\n\nimpl FromKey\u003cPrivateKey\u003e for Verifier {\n    type Error = InvalidSigningAlgorithmError;\n\n    /// Create a [`Verifier`] from the private key by\n    /// turning it into the public key and dropping the private parts afterwards\n    fn from_key(value: PrivateKey, alg: jwa::JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e {\n        Self::from_key(value.to_public_key(), alg)\n    }\n}\n\nimpl jws::Verifier for Verifier {\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), jws::VerifyError\u003e {\n        match self.key.inner.verify(self.alg, msg, signature) {\n            Ok(true) =\u003e Ok(()),\n            Ok(false) =\u003e Err(jws::VerifyError::InvalidSignature),\n            Err(err) =\u003e Err(jws::VerifyError::CryptoBackend(err)),\n        }\n    }\n}\n","traces":[{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":37,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":43,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":15}},{"line":62,"address":[],"length":0,"stats":{"Line":15}},{"line":63,"address":[],"length":0,"stats":{"Line":15}},{"line":65,"address":[],"length":0,"stats":{"Line":15}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}},{"line":100,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":23}},{"line":113,"address":[],"length":0,"stats":{"Line":23}},{"line":118,"address":[],"length":0,"stats":{"Line":33}},{"line":130,"address":[],"length":0,"stats":{"Line":33}},{"line":133,"address":[],"length":0,"stats":{"Line":33}},{"line":134,"address":[],"length":0,"stats":{"Line":33}},{"line":136,"address":[],"length":0,"stats":{"Line":33}},{"line":141,"address":[],"length":0,"stats":{"Line":33}},{"line":153,"address":[],"length":0,"stats":{"Line":66}},{"line":155,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":13}},{"line":161,"address":[],"length":0,"stats":{"Line":13}},{"line":163,"address":[],"length":0,"stats":{"Line":13}},{"line":164,"address":[],"length":0,"stats":{"Line":0}},{"line":165,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":1}},{"line":182,"address":[],"length":0,"stats":{"Line":2}},{"line":187,"address":[],"length":0,"stats":{"Line":16}},{"line":189,"address":[],"length":0,"stats":{"Line":16}},{"line":196,"address":[],"length":0,"stats":{"Line":2}},{"line":197,"address":[],"length":0,"stats":{"Line":2}},{"line":202,"address":[],"length":0,"stats":{"Line":0}},{"line":203,"address":[],"length":0,"stats":{"Line":0}},{"line":204,"address":[],"length":0,"stats":{"Line":0}},{"line":210,"address":[],"length":0,"stats":{"Line":0}},{"line":211,"address":[],"length":0,"stats":{"Line":0}},{"line":212,"address":[],"length":0,"stats":{"Line":0}},{"line":213,"address":[],"length":0,"stats":{"Line":0}},{"line":215,"address":[],"length":0,"stats":{"Line":0}},{"line":216,"address":[],"length":0,"stats":{"Line":0}},{"line":217,"address":[],"length":0,"stats":{"Line":0}},{"line":218,"address":[],"length":0,"stats":{"Line":0}},{"line":228,"address":[],"length":0,"stats":{"Line":0}},{"line":232,"address":[],"length":0,"stats":{"Line":0}},{"line":233,"address":[],"length":0,"stats":{"Line":0}},{"line":236,"address":[],"length":0,"stats":{"Line":0}},{"line":237,"address":[],"length":0,"stats":{"Line":0}},{"line":240,"address":[],"length":0,"stats":{"Line":0}},{"line":245,"address":[],"length":0,"stats":{"Line":7}},{"line":246,"address":[],"length":0,"stats":{"Line":7}},{"line":251,"address":[],"length":0,"stats":{"Line":4}},{"line":270,"address":[],"length":0,"stats":{"Line":4}},{"line":271,"address":[],"length":0,"stats":{"Line":8}},{"line":275,"address":[],"length":0,"stats":{"Line":0}},{"line":276,"address":[],"length":0,"stats":{"Line":0}},{"line":277,"address":[],"length":0,"stats":{"Line":0}},{"line":278,"address":[],"length":0,"stats":{"Line":0}},{"line":279,"address":[],"length":0,"stats":{"Line":0}},{"line":280,"address":[],"length":0,"stats":{"Line":0}},{"line":281,"address":[],"length":0,"stats":{"Line":0}},{"line":282,"address":[],"length":0,"stats":{"Line":0}},{"line":285,"address":[],"length":0,"stats":{"Line":0}},{"line":290,"address":[],"length":0,"stats":{"Line":59}},{"line":311,"address":[],"length":0,"stats":{"Line":118}},{"line":313,"address":[],"length":0,"stats":{"Line":0}},{"line":314,"address":[],"length":0,"stats":{"Line":0}},{"line":326,"address":[],"length":0,"stats":{"Line":6}},{"line":327,"address":[],"length":0,"stats":{"Line":6}},{"line":328,"address":[],"length":0,"stats":{"Line":6}},{"line":329,"address":[],"length":0,"stats":{"Line":6}},{"line":330,"address":[],"length":0,"stats":{"Line":6}},{"line":332,"address":[],"length":0,"stats":{"Line":6}},{"line":333,"address":[],"length":0,"stats":{"Line":6}},{"line":334,"address":[],"length":0,"stats":{"Line":0}},{"line":335,"address":[],"length":0,"stats":{"Line":0}},{"line":336,"address":[],"length":0,"stats":{"Line":0}},{"line":341,"address":[],"length":0,"stats":{"Line":6}},{"line":342,"address":[],"length":0,"stats":{"Line":6}},{"line":343,"address":[],"length":0,"stats":{"Line":6}},{"line":344,"address":[],"length":0,"stats":{"Line":6}},{"line":345,"address":[],"length":0,"stats":{"Line":6}},{"line":349,"address":[],"length":0,"stats":{"Line":0}},{"line":350,"address":[],"length":0,"stats":{"Line":0}},{"line":354,"address":[],"length":0,"stats":{"Line":0}},{"line":356,"address":[],"length":0,"stats":{"Line":0}},{"line":357,"address":[],"length":0,"stats":{"Line":0}},{"line":362,"address":[],"length":0,"stats":{"Line":6}},{"line":363,"address":[],"length":0,"stats":{"Line":6}},{"line":367,"address":[],"length":0,"stats":{"Line":6}},{"line":371,"address":[],"length":0,"stats":{"Line":6}},{"line":372,"address":[],"length":0,"stats":{"Line":0}},{"line":373,"address":[],"length":0,"stats":{"Line":0}},{"line":387,"address":[],"length":0,"stats":{"Line":0}},{"line":388,"address":[],"length":0,"stats":{"Line":0}},{"line":389,"address":[],"length":0,"stats":{"Line":0}},{"line":390,"address":[],"length":0,"stats":{"Line":0}},{"line":392,"address":[],"length":0,"stats":{"Line":0}},{"line":398,"address":[],"length":0,"stats":{"Line":0}},{"line":399,"address":[],"length":0,"stats":{"Line":0}},{"line":403,"address":[],"length":0,"stats":{"Line":0}},{"line":404,"address":[],"length":0,"stats":{"Line":0}},{"line":418,"address":[],"length":0,"stats":{"Line":0}},{"line":419,"address":[],"length":0,"stats":{"Line":0}},{"line":420,"address":[],"length":0,"stats":{"Line":0}},{"line":421,"address":[],"length":0,"stats":{"Line":0}},{"line":423,"address":[],"length":0,"stats":{"Line":0}},{"line":433,"address":[],"length":0,"stats":{"Line":0}},{"line":434,"address":[],"length":0,"stats":{"Line":0}},{"line":439,"address":[],"length":0,"stats":{"Line":0}},{"line":440,"address":[],"length":0,"stats":{"Line":0}},{"line":441,"address":[],"length":0,"stats":{"Line":0}},{"line":442,"address":[],"length":0,"stats":{"Line":0}},{"line":443,"address":[],"length":0,"stats":{"Line":0}}],"covered":45,"coverable":130},{"path":["/","home","stu","dev","rust","jose","src","crypto.rs"],"content":"//! Cryptographic primitives.\n//!\n//! This module contains all primitives required for the JOSE RFCs. It abstracts\n//! away the different cryptographic libraries and provides a common interface\n//! for them. The goal is to make it easy to switch between different libraries\n//! and implementations without changing the code that uses them.\n//!\n//! ## Random Number Generation\n//!\n//! Many of the private key types provide `generate` functions. These functions\n//! require access to secure, random data. Each backend provides it own way of\n//! getting secure random data from the underlying system. The\n//! `crypto-rustcrypto` and `crypto-ring` use the [`getrandom`] crate to get\n//! random data. In order to use the `jose` crate on `no_std` systems, the user\n//! must supply a custom random number generator by using the\n//! [`register_custom_getrandom`] macro.\n//!\n//! **Note:** The current version `ring` and Rust Crypto crates use the `0.2`\n//! version of the `getrandom` crate.\n//!\n//! [`register_custom_getrandom`]: (https://docs.rs/getrandom/0.2.10/getrandom/macro.register_custom_getrandom.html)\n//! [`getrandom`]: (https://docs.rs/getrandom/0.2.10/getrandom/index.html)\n\npub(crate) mod backend;\npub mod ec;\npub mod hmac;\npub mod okp;\npub mod rsa;\n\nuse core::{error, fmt};\n\nuse backend::interface;\n\nuse self::backend::Backend;\n\n/// The result type used for cryptographic operations.\npub type Result\u003cT, E = Error\u003e = core::result::Result\u003cT, E\u003e;\n\n/// The erased error type that is used to generalize all errors that all the\n/// cryptographic libraries can return.\npub struct Error {\n    inner: \u003cBackend as interface::Backend\u003e::Error,\n}\n\nimpl fmt::Display for Error {\n    fn fmt(\u0026self, _f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Display::fmt(\u0026self.inner, _f)\n    }\n}\n\nimpl fmt::Debug for Error {\n    fn fmt(\u0026self, _f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Debug::fmt(\u0026self.inner, _f)\n    }\n}\n\nimpl error::Error for Error {\n    fn source(\u0026self) -\u003e Option\u003c\u0026(dyn error::Error + 'static)\u003e {\n        error::Error::source(\u0026self.inner)\n    }\n}\n\nimpl\u003cE\u003e From\u003cE\u003e for Error\nwhere\n    \u003cBackend as interface::Backend\u003e::Error: From\u003cE\u003e,\n{\n    fn from(err: E) -\u003e Self {\n        Self {\n            inner: \u003cBackend as interface::Backend\u003e::Error::from(err),\n        }\n    }\n}\n\n/// Fills the given buffer with random data.\n#[inline]\n#[expect(unused)] // may be used in the future\npub(crate) fn fill_random(buf: \u0026mut [u8]) -\u003e Result\u003c()\u003e {\n    \u003cBackend as interface::Backend\u003e::fill_random(buf).map_err(|e| Error { inner: e })\n}\n\n/// Performs a quick Sha256 of the given data.\n#[inline]\npub(crate) fn sha256(data: \u0026[u8]) -\u003e [u8; 32] {\n    \u003cBackend as interface::Backend\u003e::sha256(data)\n}\n\n/// Performs a quick Sha384 of the given data.\n#[inline]\npub(crate) fn sha384(data: \u0026[u8]) -\u003e [u8; 48] {\n    \u003cBackend as interface::Backend\u003e::sha384(data)\n}\n\n/// Performs a quick Sha512 of the given data.\n#[inline]\npub(crate) fn sha512(data: \u0026[u8]) -\u003e [u8; 64] {\n    \u003cBackend as interface::Backend\u003e::sha512(data)\n}\n","traces":[{"line":46,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":52,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":33}},{"line":84,"address":[],"length":0,"stats":{"Line":33}},{"line":89,"address":[],"length":0,"stats":{"Line":21}},{"line":90,"address":[],"length":0,"stats":{"Line":21}},{"line":95,"address":[],"length":0,"stats":{"Line":21}},{"line":96,"address":[],"length":0,"stats":{"Line":21}}],"covered":6,"coverable":16},{"path":["/","home","stu","dev","rust","jose","src","format","compact.rs"],"content":"use alloc::vec::Vec;\nuse core::{fmt, str::FromStr};\n\nuse super::{sealed, Format};\nuse crate::{\n    base64_url::NoBase64UrlString,\n    header,\n    jws::{PayloadData, SignError, Signer},\n    Base64UrlString, JoseHeader,\n};\n\n/// The compact representation is essentially a list of Base64Url\n/// strings that are separated by `.`.\n#[derive(Default, Debug, Clone, PartialEq, Eq, Hash)]\npub struct Compact {\n    parts: Vec\u003cBase64UrlString\u003e,\n}\n\nimpl Format for Compact {}\nimpl sealed::SealedFormat\u003cCompact\u003e for Compact {\n    type JwsHeader = JoseHeader\u003cCompact, header::Jws\u003e;\n    type SerializedJwsHeader = Base64UrlString;\n\n    fn update_header\u003cS: AsRef\u003c[u8]\u003e\u003e(header: \u0026mut Self::JwsHeader, signer: \u0026dyn Signer\u003cS\u003e) {\n        header.overwrite_alg_and_key_id(signer.algorithm(), signer.key_id());\n    }\n\n    fn serialize_header(\n        header: Self::JwsHeader,\n    ) -\u003e Result\u003cSelf::SerializedJwsHeader, SignError\u003ccore::convert::Infallible\u003e\u003e {\n        let (protected_header, _) = header.into_values().map_err(SignError::InvalidHeader)?;\n\n        if protected_header\n            .as_ref()\n            .map(|x| x.is_empty())\n            .unwrap_or(true)\n        {\n            return Err(SignError::EmptyProtectedHeader);\n        }\n\n        let header =\n            serde_json::to_string(\u0026protected_header).map_err(SignError::SerializeHeader)?;\n\n        let header = Base64UrlString::encode(header.as_bytes());\n\n        Ok(header)\n    }\n\n    fn message_from_header(hdr: \u0026Self::SerializedJwsHeader) -\u003e Option\u003c\u0026[u8]\u003e {\n        Some(hdr.as_bytes())\n    }\n\n    fn finalize(\n        header: Self::SerializedJwsHeader,\n        payload: Option\u003cPayloadData\u003e,\n        signature: \u0026[u8],\n    ) -\u003e Result\u003cSelf, serde_json::Error\u003e {\n        let mut compact = Compact::with_capacity(3);\n\n        compact.push_base64url(header);\n\n        let payload = match payload {\n            Some(PayloadData::Standard(b64)) =\u003e b64,\n            None =\u003e Base64UrlString::new(),\n        };\n\n        compact.parts.push(payload);\n        compact.push(signature);\n\n        Ok(compact)\n    }\n\n    fn finalize_jws_header_builder(\n        value_ref: \u0026mut Result\u003cSelf::JwsHeader, header::JoseHeaderBuilderError\u003e,\n        new_builder: header::JoseHeaderBuilder\u003cCompact, header::Jws\u003e,\n    ) {\n        *value_ref = new_builder.build();\n    }\n}\n\nimpl Compact {\n    pub(crate) fn with_capacity(cap: usize) -\u003e Self {\n        Compact {\n            parts: Vec::with_capacity(cap),\n        }\n    }\n\n    pub(crate) fn push_base64url(\u0026mut self, part: Base64UrlString) {\n        self.parts.push(part);\n    }\n\n    pub(crate) fn push(\u0026mut self, part: impl AsRef\u003c[u8]\u003e) {\n        self.parts.push(Base64UrlString::encode(part));\n    }\n\n    pub(crate) fn part(\u0026self, idx: usize) -\u003e Option\u003c\u0026Base64UrlString\u003e {\n        self.parts.get(idx)\n    }\n\n    pub(crate) fn len(\u0026self) -\u003e usize {\n        self.parts.len()\n    }\n}\n\nimpl FromStr for Compact {\n    type Err = NoBase64UrlString;\n\n    /// Verifies if every part of the string is valid base64url format\n    fn from_str(s: \u0026str) -\u003e Result\u003cSelf, Self::Err\u003e {\n        let parts = s\n            .split('.')\n            .map(Base64UrlString::from_str)\n            .collect::\u003cResult\u003cVec\u003c_\u003e, _\u003e\u003e()?;\n        Ok(Self { parts })\n    }\n}\n\nimpl fmt::Display for Compact {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let len = self.parts.len();\n\n        for (idx, part) in self.parts.iter().enumerate() {\n            fmt::Display::fmt(\u0026part, f)?;\n\n            if idx != len - 1 {\n                f.write_str(\".\")?;\n            }\n        }\n\n        Ok(())\n    }\n}\n","traces":[{"line":24,"address":[],"length":0,"stats":{"Line":0}},{"line":25,"address":[],"length":0,"stats":{"Line":0}},{"line":28,"address":[],"length":0,"stats":{"Line":0}},{"line":31,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":38,"address":[],"length":0,"stats":{"Line":0}},{"line":41,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":50,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":62,"address":[],"length":0,"stats":{"Line":0}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":100,"address":[],"length":0,"stats":{"Line":0}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":119,"address":[],"length":0,"stats":{"Line":0}},{"line":120,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":126,"address":[],"length":0,"stats":{"Line":0}},{"line":130,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":41},{"path":["/","home","stu","dev","rust","jose","src","format","json_flattened.rs"],"content":"use alloc::string::String;\nuse core::fmt;\n\nuse serde::{Deserialize, Serialize};\nuse serde_json::Value;\n\nuse super::{sealed, Format};\nuse crate::{\n    header,\n    jws::{PayloadData, SignError},\n    Base64UrlString, JoseHeader,\n};\n\n/// The flattened json serialization format.\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]\npub struct JsonFlattened {\n    pub(crate) payload: Option\u003cBase64UrlString\u003e,\n    #[serde(skip_serializing_if = \"Option::is_none\")]\n    pub(crate) protected: Option\u003cBase64UrlString\u003e,\n    #[serde(skip_serializing_if = \"Option::is_none\")]\n    pub(crate) header: Option\u003cserde_json::Map\u003cString, Value\u003e\u003e,\n    pub(crate) signature: Base64UrlString,\n}\n\nimpl Format for JsonFlattened {}\n\nimpl fmt::Display for JsonFlattened {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let repr = if f.alternate() {\n            serde_json::to_string_pretty(\u0026self).map_err(|_| fmt::Error)?\n        } else {\n            serde_json::to_string(\u0026self).map_err(|_| fmt::Error)?\n        };\n\n        f.write_str(\u0026repr)\n    }\n}\n\nimpl sealed::SealedFormat\u003cJsonFlattened\u003e for JsonFlattened {\n    type JwsHeader = JoseHeader\u003cJsonFlattened, header::Jws\u003e;\n    type SerializedJwsHeader = (\n        Option\u003cBase64UrlString\u003e,\n        Option\u003cserde_json::Map\u003cString, Value\u003e\u003e,\n    );\n\n    fn update_header\u003cS: AsRef\u003c[u8]\u003e\u003e(\n        header: \u0026mut Self::JwsHeader,\n        signer: \u0026dyn crate::jws::Signer\u003cS\u003e,\n    ) {\n        header.overwrite_alg_and_key_id(signer.algorithm(), signer.key_id());\n    }\n\n    fn serialize_header(\n        header: Self::JwsHeader,\n    ) -\u003e Result\u003cSelf::SerializedJwsHeader, SignError\u003ccore::convert::Infallible\u003e\u003e {\n        let (protected, unprotected) = header.into_values().map_err(SignError::InvalidHeader)?;\n\n        let protected = match protected {\n            Some(hdr) =\u003e {\n                let json = serde_json::to_string(\u0026hdr).map_err(SignError::SerializeHeader)?;\n\n                let encoded = Base64UrlString::encode(json);\n                Some(encoded)\n            }\n            None =\u003e None,\n        };\n\n        Ok((protected, unprotected))\n    }\n\n    fn message_from_header(hdr: \u0026Self::SerializedJwsHeader) -\u003e Option\u003c\u0026[u8]\u003e {\n        hdr.0.as_ref().map(|x| x.as_bytes())\n    }\n\n    fn finalize(\n        (protected, unprotected): Self::SerializedJwsHeader,\n        payload: Option\u003cPayloadData\u003e,\n        signature: \u0026[u8],\n    ) -\u003e Result\u003cSelf, serde_json::Error\u003e {\n        let payload = payload.map(|PayloadData::Standard(b64)| b64);\n\n        let signature = Base64UrlString::encode(signature);\n\n        Ok(JsonFlattened {\n            payload,\n            protected,\n            header: unprotected,\n            signature,\n        })\n    }\n\n    fn finalize_jws_header_builder(\n        value_ref: \u0026mut Result\u003cSelf::JwsHeader, header::JoseHeaderBuilderError\u003e,\n        new_builder: header::JoseHeaderBuilder\u003cJsonFlattened, header::Jws\u003e,\n    ) {\n        *value_ref = new_builder.build();\n    }\n}\n","traces":[{"line":28,"address":[],"length":0,"stats":{"Line":0}},{"line":29,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":0}},{"line":32,"address":[],"length":0,"stats":{"Line":0}},{"line":46,"address":[],"length":0,"stats":{"Line":0}},{"line":50,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":0}},{"line":86,"address":[],"length":0,"stats":{"Line":0}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":24},{"path":["/","home","stu","dev","rust","jose","src","format","json_general.rs"],"content":"use alloc::{string::String, vec, vec::Vec};\nuse core::{convert::Infallible, fmt};\n\nuse serde::{Deserialize, Serialize};\nuse serde_json::Value;\n\nuse super::{sealed, Format};\nuse crate::{\n    header::{self, JoseHeaderBuilder, JoseHeaderBuilderError},\n    jws::{PayloadData, SignError, Signer},\n    Base64UrlString, JoseHeader,\n};\n\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]\npub(crate) struct Signature {\n    #[serde(skip_serializing_if = \"Option::is_none\")]\n    pub(crate) protected: Option\u003cBase64UrlString\u003e,\n    #[serde(skip_serializing_if = \"Option::is_none\")]\n    pub(crate) header: Option\u003cserde_json::Map\u003cString, Value\u003e\u003e,\n    pub(crate) signature: Base64UrlString,\n}\n\n/// The JSON General Serialization format as specified in [Section 7.2.1] in the\n/// JWS RFC.\n///\n/// [Section 7.2.1]: https://datatracker.ietf.org/doc/html/rfc7515#section-7.2.1\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]\npub struct JsonGeneral {\n    pub(crate) payload: Option\u003cBase64UrlString\u003e,\n    pub(crate) signatures: Vec\u003cSignature\u003e,\n}\n\nimpl fmt::Display for JsonGeneral {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        let repr = if f.alternate() {\n            serde_json::to_string_pretty(\u0026self).map_err(|_| fmt::Error)?\n        } else {\n            serde_json::to_string(\u0026self).map_err(|_| fmt::Error)?\n        };\n\n        f.write_str(\u0026repr)\n    }\n}\n\nimpl Format for JsonGeneral {}\n\nimpl sealed::SealedFormat\u003cJsonGeneral\u003e for JsonGeneral {\n    type JwsHeader = Vec\u003cJoseHeader\u003cJsonGeneral, header::Jws\u003e\u003e;\n    // this only a single header, even though JsonGeneral supports multiple headers,\n    // because this trait implementation is only be used for a single signer.\n    type SerializedJwsHeader = (\n        Option\u003cBase64UrlString\u003e,\n        Option\u003cserde_json::Map\u003cString, Value\u003e\u003e,\n    );\n\n    fn update_header\u003cS: AsRef\u003c[u8]\u003e\u003e(header: \u0026mut Self::JwsHeader, signer: \u0026dyn Signer\u003cS\u003e) {\n        let Some(first) = header.first_mut() else {\n            return;\n        };\n\n        first.overwrite_alg_and_key_id(signer.algorithm(), signer.key_id());\n    }\n\n    fn serialize_header(\n        mut header: Self::JwsHeader,\n    ) -\u003e Result\u003cSelf::SerializedJwsHeader, SignError\u003cInfallible\u003e\u003e {\n        let len = header.len();\n\n        let Some(header) = header.pop().filter(|_| len == 1) else {\n            return Err(SignError::HeaderCountMismatch);\n        };\n\n        let (protected, unprotected) = header.into_values().map_err(SignError::InvalidHeader)?;\n\n        let protected = match protected {\n            Some(hdr) =\u003e {\n                let json = serde_json::to_string(\u0026hdr).map_err(SignError::SerializeHeader)?;\n\n                let encoded = Base64UrlString::encode(json);\n                Some(encoded)\n            }\n            None =\u003e None,\n        };\n\n        Ok((protected, unprotected))\n    }\n\n    fn message_from_header(hdr: \u0026Self::SerializedJwsHeader) -\u003e Option\u003c\u0026[u8]\u003e {\n        hdr.0.as_ref().map(|x| x.as_bytes())\n    }\n\n    fn finalize(\n        header: Self::SerializedJwsHeader,\n        payload: Option\u003cPayloadData\u003e,\n        signature: \u0026[u8],\n    ) -\u003e Result\u003cSelf, serde_json::Error\u003e {\n        let payload = payload.map(|PayloadData::Standard(b64)| b64);\n\n        let signature = Base64UrlString::encode(signature);\n\n        Ok(JsonGeneral {\n            payload,\n            signatures: vec![Signature {\n                protected: header.0,\n                header: header.1,\n                signature,\n            }],\n        })\n    }\n\n    fn finalize_jws_header_builder(\n        value_ref: \u0026mut Result\u003cSelf::JwsHeader, JoseHeaderBuilderError\u003e,\n        new_builder: JoseHeaderBuilder\u003cJsonGeneral, header::Jws\u003e,\n    ) {\n        let header = match new_builder.build() {\n            Ok(header) =\u003e header,\n            Err(err) =\u003e {\n                *value_ref = Err(err);\n                return;\n            }\n        };\n\n        match value_ref {\n            Ok(headers) =\u003e headers.push(header),\n            Err(_) =\u003e *value_ref = Ok(vec![header]),\n        }\n    }\n}\n","traces":[{"line":34,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":38,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":102,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":0}},{"line":119,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":35},{"path":["/","home","stu","dev","rust","jose","src","format.rs"],"content":"//! Contains abstractions for different kinds of\n//! serialization formats.\n//!\n//! Currently, the only two formats are [`Compact`] and [`JsonFlattened`].\n\nmod compact;\nmod json_flattened;\nmod json_general;\n\nuse core::fmt;\n\npub use compact::Compact;\npub use json_flattened::JsonFlattened;\npub use json_general::JsonGeneral;\npub(crate) use json_general::Signature as JsonGeneralSignature;\n\nuse crate::sealed::Sealed;\n\npub(crate) mod sealed {\n    use alloc::fmt;\n    use core::convert::Infallible;\n\n    use crate::{\n        header::{self, JoseHeaderBuilder, JoseHeaderBuilderError},\n        jws::{PayloadData, SignError, Signer},\n    };\n\n    // We put all methods, types, etc into a sealed trait, so\n    // the user is not able to access these thing as they should\n    // only be used internally by this crate\n    pub trait SealedFormat\u003cF\u003e: Sized {\n        type JwsHeader: fmt::Debug;\n        type SerializedJwsHeader: fmt::Debug;\n\n        fn update_header\u003cS: AsRef\u003c[u8]\u003e\u003e(header: \u0026mut Self::JwsHeader, signer: \u0026dyn Signer\u003cS\u003e);\n\n        /// Serializes the header for this format.\n        ///\n        /// The returned values must be the serializd header and the\n        /// bytes that must be appended to the message for the signature.\n        fn serialize_header(\n            header: Self::JwsHeader,\n        ) -\u003e Result\u003cSelf::SerializedJwsHeader, SignError\u003cInfallible\u003e\u003e;\n\n        /// This method converts a serialized header into the message bytes\n        /// that are used for the signature.\n        fn message_from_header(hdr: \u0026Self::SerializedJwsHeader) -\u003e Option\u003c\u0026[u8]\u003e;\n\n        fn finalize(\n            header: Self::SerializedJwsHeader,\n            payload: Option\u003cPayloadData\u003e,\n            signature: \u0026[u8],\n        ) -\u003e Result\u003cSelf, serde_json::Error\u003e;\n\n        fn finalize_jws_header_builder(\n            value_ref: \u0026mut Result\u003cSelf::JwsHeader, JoseHeaderBuilderError\u003e,\n            new_builder: JoseHeaderBuilder\u003cF, header::Jws\u003e,\n        );\n    }\n}\n\n/// This trait represents any possible format in which a JWS or JWE can be\n/// represented.\npub trait Format: fmt::Display + sealed::SealedFormat\u003cSelf\u003e + Sized {}\n\n/// Used to parse a [`Compact`] or another format representation\n/// into a concrete type.\npub trait DecodeFormat\u003cF\u003e: Sealed + Sized {\n    /// The error that can occurr while parsing `Self` from the input.\n    type Error;\n\n    /// The decoded type to return.\n    type Decoded\u003cT\u003e;\n\n    /// Parse the input into a new [`Decoded`](Self::Decoded) instance of\n    /// `Self`.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the input format has an invalid representation for\n    /// this type.\n    fn decode(input: F) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e;\n}\n\n/// Used to parse a [`Compact`] or another format representation\n/// into a concrete type.\npub trait DecodeFormatWithContext\u003cF, C\u003e: Sealed + Sized {\n    /// The error that can occurr while parsing `Self` from the input.\n    type Error;\n\n    /// The decoded type to return.\n    type Decoded\u003cT\u003e;\n\n    /// Parse the input into a new [`Decoded`](Self::Decoded) instance of\n    /// `Self`.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the input format has an invalid representation for\n    /// this type.\n    fn decode_with_context(input: F, context: \u0026C) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e;\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","header","builder.rs"],"content":"use alloc::{\n    collections::{BTreeMap, BTreeSet},\n    string::String,\n    vec::Vec,\n};\nuse core::marker::PhantomData;\n\nuse mediatype::MediaTypeBuf;\nuse serde_json::Value;\n\nuse super::{\n    parameters::MediaTypeWithMaybeStrippedApplicationTopLevel, HeaderValue, Jwe, Jws, Type,\n};\nuse crate::{\n    format::Format,\n    header::parameters::Parameters,\n    jwa::{JsonWebContentEncryptionAlgorithm, JsonWebEncryptionAlgorithm, JsonWebSigningAlgorithm},\n    jwk::serde_impl::Base64DerCertificate,\n    JoseHeader, JsonWebKey, UntypedAdditionalProperties, Uri,\n};\n\n/// A builder for a [`JoseHeader`].\n#[derive(Debug)]\n#[non_exhaustive]\npub struct JoseHeaderBuilder\u003cF, T\u003e {\n    // data\n    critical_headers: Option\u003cBTreeSet\u003cString\u003e\u003e,\n    jwk_set_url: Option\u003cHeaderValue\u003cUri\u003e\u003e,\n    json_web_key: Option\u003cHeaderValue\u003cJsonWebKey\u003cUntypedAdditionalProperties\u003e\u003e\u003e,\n    key_identifier: Option\u003cHeaderValue\u003cString\u003e\u003e,\n    x509_url: Option\u003cHeaderValue\u003cUri\u003e\u003e,\n    x509_certificate_chain: Option\u003cHeaderValue\u003cVec\u003cVec\u003cu8\u003e\u003e\u003e\u003e,\n    x509_certificate_sha1_thumbprint: Option\u003cHeaderValue\u003c[u8; 20]\u003e\u003e,\n    x509_certificate_sha256_thumbprint: Option\u003cHeaderValue\u003c[u8; 32]\u003e\u003e,\n    typ: Option\u003cHeaderValue\u003cMediaTypeBuf\u003e\u003e,\n    content_type: Option\u003cHeaderValue\u003cMediaTypeBuf\u003e\u003e,\n    additional: BTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e,\n    specific: Specific,\n    _phantom: PhantomData\u003c(F, T)\u003e,\n}\n\nimpl\u003cF, T\u003e JoseHeaderBuilder\u003cF, T\u003e\nwhere\n    F: Format,\n    T: Type,\n{\n    /// Set the [`critical_headers`](crate::JoseHeader::critical_headers)\n    /// parameter.\n    pub fn critical_headers(self, critical_headers: Option\u003cBTreeSet\u003cString\u003e\u003e) -\u003e Self {\n        // since `crit` header is not allowed to be an empty array, an empty set is\n        // discarded setting `None` will remove any existing critical headers\n        // that may already be present\n        Self {\n            critical_headers,\n            ..self\n        }\n    }\n\n    /// Set [additional](crate::JoseHeader::additional) parameters.\n    ///\n    /// Note: Do not push parameter names that are understood by this\n    /// implementation. Instead, use the appropriate method to set the parameter\n    /// directly.\n    pub fn additional(self, additional: BTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e) -\u003e Self {\n        Self { additional, ..self }\n    }\n\n    /// Create a new [`JoseHeaderBuilder`] in order to build a [`JoseHeader`].\n    pub fn new() -\u003e Self {\n        Self {\n            critical_headers: None,\n            jwk_set_url: None,\n            json_web_key: None,\n            key_identifier: None,\n            x509_url: None,\n            x509_certificate_chain: None,\n            x509_certificate_sha1_thumbprint: None,\n            x509_certificate_sha256_thumbprint: None,\n            typ: None,\n            content_type: None,\n            additional: BTreeMap::new(),\n            specific: T::specific_default(),\n            _phantom: PhantomData,\n        }\n    }\n\n    fn build_parameters(self) -\u003e Result\u003c(Parameters\u003c()\u003e, Specific), JoseHeaderBuilderError\u003e {\n        // oh dear god\n        let x509_certificate_chain = self\n            .x509_certificate_chain\n            .map(|v| v.map(|v| v.into_iter().map(Base64DerCertificate).collect::\u003cVec\u003c_\u003e\u003e()));\n\n        // FIXME: check if additional parameters contain parameters that are understood\n        // by our implementation and that should be set via their methods instead.\n\n        let parameters = Parameters {\n            critical_headers: self.critical_headers,\n            jwk_set_url: self.jwk_set_url,\n            json_web_key: self.json_web_key,\n            key_id: self.key_identifier,\n            x509_url: self.x509_url,\n            x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: self.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: self.x509_certificate_sha256_thumbprint,\n            typ: self\n                .typ\n                .map(|v| v.map(MediaTypeWithMaybeStrippedApplicationTopLevel)),\n            content_type: self\n                .content_type\n                .map(|v| v.map(MediaTypeWithMaybeStrippedApplicationTopLevel)),\n            specific: (),\n            additional: self.additional,\n        };\n        Ok((parameters, self.specific))\n    }\n\n    /// Create a [`JoseHeaderBuilder`] from a [`JoseHeader`] preserving the\n    /// parameters.\n    pub fn from_header(header: JoseHeader\u003cF, T\u003e) -\u003e Self {\n        let parameters = header.parameters;\n        let specific = parameters.specific.into_specific();\n\n        let x509_certificate_chain = parameters\n            .x509_certificate_chain\n            .map(|v| v.map(|v| v.into_iter().map(|v| v.0).collect::\u003cVec\u003c_\u003e\u003e()));\n        Self {\n            critical_headers: parameters.critical_headers,\n            jwk_set_url: parameters.jwk_set_url,\n            json_web_key: parameters.json_web_key,\n            key_identifier: parameters.key_id,\n            x509_url: parameters.x509_url,\n            x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: parameters.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: parameters.x509_certificate_sha256_thumbprint,\n            typ: parameters.typ.map(|v| v.map(|v| v.0)),\n            content_type: parameters.content_type.map(|v| v.map(|v| v.0)),\n            additional: parameters.additional,\n            specific,\n            _phantom: PhantomData,\n        }\n    }\n}\n\nimpl\u003cF, T\u003e Default for JoseHeaderBuilder\u003cF, T\u003e\nwhere\n    F: Format,\n    T: Type,\n{\n    fn default() -\u003e Self {\n        Self::new()\n    }\n}\n\n/// Specific parameters for Jws and Jwe. See [`Jws`] and [`Jwe`]\n#[derive(Debug)]\n#[non_exhaustive]\npub enum Specific {\n    Jws {\n        algorithm: Option\u003cHeaderValue\u003cJsonWebSigningAlgorithm\u003e\u003e,\n        // default: true\n        payload_base64_url_encoded: Option\u003cbool\u003e,\n    },\n    Jwe {\n        algorithm: Option\u003cHeaderValue\u003cJsonWebEncryptionAlgorithm\u003e\u003e,\n        content_encryption_algorithm: Option\u003cHeaderValue\u003cJsonWebContentEncryptionAlgorithm\u003e\u003e,\n    },\n}\n\n/// Errors that may occur while building a [`JoseHeader`] via\n/// [`JoseHeaderBuilder::build`].\n#[derive(Debug, thiserror::Error)]\n#[non_exhaustive]\npub enum JoseHeaderBuilderError {\n    /// There is no algorithm specified. Specify an algorithm via\n    /// [`JoseHeaderBuilder::algorithm`].\n    #[error(\"no algorithm set\")]\n    MissingAlgorithm,\n    /// There is no content encryption algorithm specified. Specify an content\n    /// encryption algorithm via\n    /// [`JoseHeaderBuilder::content_encryption_algorithm`].\n    ///\n    /// Note: This error may only occur while building a [`JoseHeader`] for\n    /// [`Jwe`].\n    #[error(\"no content encryption algorithm set\")]\n    MissingContentEncryptionAlgorithm,\n    /// One or more certificates in the X.509 certificate chain (set via\n    /// [`JoseHeaderBuilder::x509_certificate_chain`]) are invalid. E.g. not\n    /// valid DER-encoded.\n    #[error(\"the certificates in the certificate chain are invalid\")]\n    InvalidX509CertificateChain,\n}\n\nimpl\u003cF\u003e JoseHeaderBuilder\u003cF, Jws\u003e\nwhere\n    F: Format,\n{\n    /// Set the [`algorithm`](crate::JoseHeader::algorithm) parameter for\n    /// [`Jws`].\n    pub fn algorithm(self, algorithm: HeaderValue\u003cJsonWebSigningAlgorithm\u003e) -\u003e Self {\n        let specific = Specific::Jws {\n            algorithm: Some(algorithm),\n            payload_base64_url_encoded: match self.specific {\n                Specific::Jws {\n                    algorithm: _,\n                    payload_base64_url_encoded,\n                } =\u003e payload_base64_url_encoded,\n                // implementation must ensure a JoseHeaderBuilder\u003cF, Jws\u003e cannot be turned into an\n                // JoseHeaderBuilder\u003cF, Jwe\u003e\n                _ =\u003e unreachable!(),\n            },\n        };\n        Self { specific, ..self }\n    }\n\n    /// Set the [`payload_base64_url_encoded`](crate::JoseHeader::payload_base64_url_encoded) parameter for [`Jws`].\n    pub fn payload_base64_url_encoded(self, payload_base64_url_encoded: bool) -\u003e Self {\n        let specific = Specific::Jws {\n            algorithm: match self.specific {\n                Specific::Jws {\n                    algorithm,\n                    payload_base64_url_encoded: _,\n                } =\u003e algorithm,\n                _ =\u003e unreachable!(),\n            },\n            payload_base64_url_encoded: Some(payload_base64_url_encoded),\n        };\n        Self { specific, ..self }\n    }\n\n    /// Try to build a [`JoseHeader`].\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if any of the values provided by the builder are\n    /// invalid. See [`JoseHeaderBuilderError`] for details.\n    pub fn build(self) -\u003e Result\u003cJoseHeader\u003cF, Jws\u003e, JoseHeaderBuilderError\u003e {\n        let (parameters, specific) = self.build_parameters()?;\n\n        let (algorithm, payload_base64_url_encoded) = match specific {\n            Specific::Jws {\n                algorithm,\n                payload_base64_url_encoded,\n            } =\u003e (\n                algorithm.ok_or(JoseHeaderBuilderError::MissingAlgorithm)?,\n                payload_base64_url_encoded,\n            ),\n            _ =\u003e unreachable!(),\n        };\n        let specific = Jws {\n            algorithm,\n            payload_base64_url_encoded,\n        };\n        Ok(JoseHeader {\n            _format: PhantomData,\n            parameters: Parameters {\n                specific,\n                critical_headers: parameters.critical_headers,\n                jwk_set_url: parameters.jwk_set_url,\n                json_web_key: parameters.json_web_key,\n                key_id: parameters.key_id,\n                x509_url: parameters.x509_url,\n                x509_certificate_chain: parameters.x509_certificate_chain,\n                x509_certificate_sha1_thumbprint: parameters.x509_certificate_sha1_thumbprint,\n                x509_certificate_sha256_thumbprint: parameters.x509_certificate_sha256_thumbprint,\n                typ: parameters.typ,\n                content_type: parameters.content_type,\n                additional: parameters.additional,\n            },\n        })\n    }\n}\n\nimpl\u003cF\u003e JoseHeaderBuilder\u003cF, Jwe\u003e\nwhere\n    F: Format,\n{\n    /// Set the [`algorithm`](crate::JoseHeader::algorithm) parameter for\n    /// [`Jwe`].\n    pub fn algorithm(self, algorithm: HeaderValue\u003cJsonWebEncryptionAlgorithm\u003e) -\u003e Self {\n        let specific = Specific::Jwe {\n            algorithm: Some(algorithm),\n            content_encryption_algorithm: match self.specific {\n                Specific::Jwe {\n                    algorithm: _,\n                    content_encryption_algorithm,\n                } =\u003e content_encryption_algorithm,\n                _ =\u003e unreachable!(),\n            },\n        };\n        Self { specific, ..self }\n    }\n\n    /// Set the [`content_encryption_algorithm`](crate::JoseHeader::content_encryption_algorithm) parameter for [`Jwe`].\n    pub fn content_encryption_algorithm(\n        self,\n        content_encryption_algorithm: HeaderValue\u003cJsonWebContentEncryptionAlgorithm\u003e,\n    ) -\u003e Self {\n        let specific = Specific::Jwe {\n            algorithm: match self.specific {\n                Specific::Jwe {\n                    algorithm,\n                    content_encryption_algorithm: _,\n                } =\u003e algorithm,\n                _ =\u003e unreachable!(),\n            },\n            content_encryption_algorithm: Some(content_encryption_algorithm),\n        };\n        Self { specific, ..self }\n    }\n\n    /// Try to build a [`JoseHeader`].\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if any of the values provided by the builder are\n    /// invalid. See [`JoseHeaderBuilderError`] for details.\n    pub fn build(self) -\u003e Result\u003cJoseHeader\u003cF, Jwe\u003e, JoseHeaderBuilderError\u003e {\n        let (parameters, specific) = self.build_parameters()?;\n        let (algorithm, content_encryption_algorithm) = match specific {\n            Specific::Jwe {\n                algorithm,\n                content_encryption_algorithm,\n            } =\u003e (\n                algorithm.ok_or(JoseHeaderBuilderError::MissingAlgorithm)?,\n                content_encryption_algorithm.ok_or(JoseHeaderBuilderError::MissingAlgorithm)?,\n            ),\n            _ =\u003e unreachable!(),\n        };\n        let specific = Jwe {\n            algorithm,\n            content_encryption_algorithm,\n        };\n\n        Ok(JoseHeader {\n            _format: PhantomData,\n            parameters: Parameters {\n                specific,\n                critical_headers: parameters.critical_headers,\n                jwk_set_url: parameters.jwk_set_url,\n                json_web_key: parameters.json_web_key,\n                key_id: parameters.key_id,\n                x509_url: parameters.x509_url,\n                x509_certificate_chain: parameters.x509_certificate_chain,\n                x509_certificate_sha1_thumbprint: parameters.x509_certificate_sha1_thumbprint,\n                x509_certificate_sha256_thumbprint: parameters.x509_certificate_sha256_thumbprint,\n                typ: parameters.typ,\n                content_type: parameters.content_type,\n                additional: parameters.additional,\n            },\n        })\n    }\n}\n\nmacro_rules! setter {\n    ($($parameter:ident: $parameter_typ:ty),+,) =\u003e {\n        impl\u003cF, T\u003e JoseHeaderBuilder\u003cF, T\u003e\n        where\n            F: Format,\n            T: Type,\n        {\n            $(\n            #[doc = concat!(\"Set the [`\", stringify!($parameter), \"`](crate::JoseHeader::\", stringify!($parameter), \") parameter.\")]\n            pub fn $parameter(self, $parameter: Option\u003cHeaderValue\u003c$parameter_typ\u003e\u003e) -\u003e Self {\n                Self {\n                    $parameter,\n                    ..self\n                }\n            }\n            )+\n        }\n    };\n}\n\nsetter! {\n    x509_certificate_chain: Vec\u003cVec\u003cu8\u003e\u003e,\n    jwk_set_url: Uri,\n    json_web_key: JsonWebKey\u003cUntypedAdditionalProperties\u003e,\n    key_identifier: String,\n    x509_url: Uri,\n    x509_certificate_sha1_thumbprint: [u8; 20],\n    x509_certificate_sha256_thumbprint: [u8; 32],\n    typ: MediaTypeBuf,\n    content_type: MediaTypeBuf,\n}\n","traces":[{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":1}},{"line":81,"address":[],"length":0,"stats":{"Line":1}},{"line":82,"address":[],"length":0,"stats":{"Line":1}},{"line":87,"address":[],"length":0,"stats":{"Line":1}},{"line":89,"address":[],"length":0,"stats":{"Line":1}},{"line":90,"address":[],"length":0,"stats":{"Line":1}},{"line":91,"address":[],"length":0,"stats":{"Line":1}},{"line":97,"address":[],"length":0,"stats":{"Line":1}},{"line":98,"address":[],"length":0,"stats":{"Line":1}},{"line":99,"address":[],"length":0,"stats":{"Line":1}},{"line":100,"address":[],"length":0,"stats":{"Line":1}},{"line":101,"address":[],"length":0,"stats":{"Line":1}},{"line":103,"address":[],"length":0,"stats":{"Line":1}},{"line":104,"address":[],"length":0,"stats":{"Line":1}},{"line":105,"address":[],"length":0,"stats":{"Line":1}},{"line":108,"address":[],"length":0,"stats":{"Line":1}},{"line":111,"address":[],"length":0,"stats":{"Line":1}},{"line":112,"address":[],"length":0,"stats":{"Line":1}},{"line":114,"address":[],"length":0,"stats":{"Line":1}},{"line":119,"address":[],"length":0,"stats":{"Line":0}},{"line":120,"address":[],"length":0,"stats":{"Line":0}},{"line":121,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":130,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":133,"address":[],"length":0,"stats":{"Line":0}},{"line":134,"address":[],"length":0,"stats":{"Line":0}},{"line":135,"address":[],"length":0,"stats":{"Line":0}},{"line":136,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":149,"address":[],"length":0,"stats":{"Line":1}},{"line":150,"address":[],"length":0,"stats":{"Line":1}},{"line":199,"address":[],"length":0,"stats":{"Line":1}},{"line":201,"address":[],"length":0,"stats":{"Line":1}},{"line":202,"address":[],"length":0,"stats":{"Line":1}},{"line":216,"address":[],"length":0,"stats":{"Line":0}},{"line":218,"address":[],"length":0,"stats":{"Line":0}},{"line":225,"address":[],"length":0,"stats":{"Line":0}},{"line":236,"address":[],"length":0,"stats":{"Line":1}},{"line":237,"address":[],"length":0,"stats":{"Line":2}},{"line":239,"address":[],"length":0,"stats":{"Line":1}},{"line":240,"address":[],"length":0,"stats":{"Line":0}},{"line":241,"address":[],"length":0,"stats":{"Line":1}},{"line":242,"address":[],"length":0,"stats":{"Line":1}},{"line":243,"address":[],"length":0,"stats":{"Line":1}},{"line":244,"address":[],"length":0,"stats":{"Line":1}},{"line":245,"address":[],"length":0,"stats":{"Line":0}},{"line":253,"address":[],"length":0,"stats":{"Line":0}},{"line":254,"address":[],"length":0,"stats":{"Line":0}},{"line":255,"address":[],"length":0,"stats":{"Line":0}},{"line":256,"address":[],"length":0,"stats":{"Line":0}},{"line":257,"address":[],"length":0,"stats":{"Line":0}},{"line":258,"address":[],"length":0,"stats":{"Line":0}},{"line":259,"address":[],"length":0,"stats":{"Line":0}},{"line":260,"address":[],"length":0,"stats":{"Line":0}},{"line":261,"address":[],"length":0,"stats":{"Line":0}},{"line":262,"address":[],"length":0,"stats":{"Line":0}},{"line":263,"address":[],"length":0,"stats":{"Line":0}},{"line":264,"address":[],"length":0,"stats":{"Line":0}},{"line":265,"address":[],"length":0,"stats":{"Line":0}},{"line":266,"address":[],"length":0,"stats":{"Line":0}},{"line":267,"address":[],"length":0,"stats":{"Line":0}},{"line":279,"address":[],"length":0,"stats":{"Line":0}},{"line":281,"address":[],"length":0,"stats":{"Line":0}},{"line":282,"address":[],"length":0,"stats":{"Line":0}},{"line":294,"address":[],"length":0,"stats":{"Line":0}},{"line":299,"address":[],"length":0,"stats":{"Line":0}},{"line":306,"address":[],"length":0,"stats":{"Line":0}},{"line":317,"address":[],"length":0,"stats":{"Line":0}},{"line":318,"address":[],"length":0,"stats":{"Line":0}},{"line":319,"address":[],"length":0,"stats":{"Line":0}},{"line":320,"address":[],"length":0,"stats":{"Line":0}},{"line":321,"address":[],"length":0,"stats":{"Line":0}},{"line":322,"address":[],"length":0,"stats":{"Line":0}},{"line":323,"address":[],"length":0,"stats":{"Line":0}},{"line":324,"address":[],"length":0,"stats":{"Line":0}},{"line":325,"address":[],"length":0,"stats":{"Line":0}},{"line":334,"address":[],"length":0,"stats":{"Line":0}},{"line":335,"address":[],"length":0,"stats":{"Line":0}},{"line":336,"address":[],"length":0,"stats":{"Line":0}},{"line":337,"address":[],"length":0,"stats":{"Line":0}},{"line":338,"address":[],"length":0,"stats":{"Line":0}},{"line":339,"address":[],"length":0,"stats":{"Line":0}},{"line":340,"address":[],"length":0,"stats":{"Line":0}},{"line":341,"address":[],"length":0,"stats":{"Line":0}},{"line":342,"address":[],"length":0,"stats":{"Line":0}},{"line":343,"address":[],"length":0,"stats":{"Line":0}},{"line":344,"address":[],"length":0,"stats":{"Line":0}},{"line":345,"address":[],"length":0,"stats":{"Line":0}},{"line":346,"address":[],"length":0,"stats":{"Line":0}},{"line":347,"address":[],"length":0,"stats":{"Line":0}},{"line":348,"address":[],"length":0,"stats":{"Line":0}},{"line":363,"address":[],"length":0,"stats":{"Line":0}},{"line":364,"address":[],"length":0,"stats":{"Line":0}},{"line":365,"address":[],"length":0,"stats":{"Line":0}},{"line":366,"address":[],"length":0,"stats":{"Line":0}}],"covered":31,"coverable":103},{"path":["/","home","stu","dev","rust","jose","src","header","error.rs"],"content":"use alloc::string::String;\n\n/// Errors that may occur while working [`JoseHeader`](super::JoseHeader)\n#[derive(Debug, thiserror::Error)]\n#[non_exhaustive]\npub enum Error {\n    /// Found a header parameter that must be protected in the unprotected\n    /// `header` parameter\n    #[error(\"found an unprotected header parameter, that must be proctected\")]\n    ExpectedProtected,\n    /// The `protected` and (unprotected) `header` parameter share members with\n    /// the same name\n    #[error(\"the protected and unprotected header parameters share members with the same name\")]\n    NotDisjoint,\n    /// Both the `protected` and (unprotected) `header` members in a JWS or JWE\n    /// are empty.\n    #[error(\"both the protected and unprotected header parameters are empty\")]\n    NoHeader,\n    /// The `protected` or the (unprotected) `header` member is present but\n    /// contains no members (it is an empty object `{}`)\n    #[error(\"the protected or the unprotected header parameter is empty\")]\n    EmptyHeader,\n    /// Found a header parameter name that is forbidden as per [section 4.1.11\n    /// of RFC 7515]\n    ///\n    /// [section 4.1.11 of RFC 7515]: \u003chttps://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11\u003e\n    #[error(\"found a forbidden header parameter: {0}\")]\n    ForbiddenHeader(String),\n    /// A REQUIRED header is missing (e.g. the `alg` header)\n    #[error(\"a required header is missing: {0}\")]\n    MissingHeader(String),\n    /// The `crit` header is present but an empty list (`[]`)\n    #[error(\"the crit header is empty\")]\n    EmptyCriticalHeaders,\n    /// A JSON deserialization error, see [`serde_json::Error`] for details.\n    #[error(transparent)]\n    JsonError(#[from] serde_json::Error),\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","header","parameters.rs"],"content":"use alloc::{\n    borrow::Cow,\n    collections::{BTreeMap, BTreeSet},\n    string::{String, ToString},\n    vec::Vec,\n};\n\nuse mediatype::MediaTypeBuf;\nuse serde::{de::Error, Deserialize, Serialize};\nuse serde_json::Value;\n\nuse super::HeaderValue;\nuse crate::{jwk::serde_impl::Base64DerCertificate, JsonWebKey, UntypedAdditionalProperties, Uri};\n\n#[derive(Debug)]\n#[non_exhaustive]\npub(crate) struct Parameters\u003cT\u003e {\n    /// `crit` header MUST always be protected\n    pub(crate) critical_headers: Option\u003cBTreeSet\u003cString\u003e\u003e,\n    /// `jku` parameter defined in section 4.1.2 of JWS and section 4.1.4 of JWE\n    pub(crate) jwk_set_url: Option\u003cHeaderValue\u003cUri\u003e\u003e,\n    /// `jwk` parameter defined in section 4.1.3 of JWS and section 4.1.5 of JWE\n    pub(crate) json_web_key: Option\u003cHeaderValue\u003cJsonWebKey\u003cUntypedAdditionalProperties\u003e\u003e\u003e,\n    // `kid` parameter defined in section 4.1.4 of JWS and section 4.1.6 of JWE\n    pub(crate) key_id: Option\u003cHeaderValue\u003cString\u003e\u003e,\n    /// `x5u` parameter defined in section 4.1.5 of JWS and section 4.1.7 of JWE\n    // FIXME: use url type instead\n    pub(crate) x509_url: Option\u003cHeaderValue\u003cUri\u003e\u003e,\n    /// `x5c` parameter defined in section 4.1.6 of JWS and section 4.1.8 of JWE\n    pub(crate) x509_certificate_chain: Option\u003cHeaderValue\u003cVec\u003cBase64DerCertificate\u003e\u003e\u003e,\n    /// `x5t` parameter defined in section 4.1.7 of JWS and section 4.1.9 of JWE\n    pub(crate) x509_certificate_sha1_thumbprint: Option\u003cHeaderValue\u003c[u8; 20]\u003e\u003e,\n    /// `x5t#S256` parameter defined in section 4.1.8 of JWS and section 4.1.10\n    /// of JWE\n    pub(crate) x509_certificate_sha256_thumbprint: Option\u003cHeaderValue\u003c[u8; 32]\u003e\u003e,\n    /// `typ` parameter defined in section 4.1.9 of JWS and section 4.1.11 of\n    /// JWE\n    pub(crate) typ: Option\u003cHeaderValue\u003cMediaTypeWithMaybeStrippedApplicationTopLevel\u003e\u003e,\n    /// `cty` parameter defined in section 4.1.10 of JWS and section 4.1.12 of\n    /// JWE\n    pub(crate) content_type: Option\u003cHeaderValue\u003cMediaTypeWithMaybeStrippedApplicationTopLevel\u003e\u003e,\n    // additional parameters specific to JWS or JWE (e.g. `enc` in JWE)\n    pub(crate) specific: T,\n    // an untyped list of other values that are not understood by this implementation\n    pub(crate) additional: BTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e,\n}\n\n/// A wrapper type that incorporates the special handling of `application/X`\n/// media types in `typ` and `cty` header parameters as defined in [Section\n/// 4.1.9 of RFC 7515][1].\n///\n/// See [#128].\n///\n/// If the mediatype starts with `application/` and no other `/` is present,\n/// implementations should strip the `application/` to save space.\n///\n/// Since this is a serialization detail, we abstract it away, because the\n/// meaning remains the same and this way users can easily use the mediatype\n/// crate.\n///\n/// [#128]: \u003chttps://github.com/minkan-chat/jose/issues/128\u003e\n/// [1]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.9\u003e\n#[derive(Debug)]\npub(crate) struct MediaTypeWithMaybeStrippedApplicationTopLevel(pub(crate) MediaTypeBuf);\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for MediaTypeWithMaybeStrippedApplicationTopLevel {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let raw: Cow\u003c'_, str\u003e = Cow::deserialize(deserializer)?;\n        // if there is no `/` in the media type the RFC dictates to prepend\n        // `application/`\n        let corrected = if !raw.contains('/') {\n            alloc::format!(\"application/{raw}\")\n        } else {\n            raw.to_string()\n        };\n        let inner = MediaTypeBuf::from_string(corrected).map_err(D::Error::custom)?;\n        Ok(Self(inner))\n    }\n}\n\nimpl Serialize for MediaTypeWithMaybeStrippedApplicationTopLevel {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        let correct = self.0.to_string();\n        if self.0.ty() == mediatype::names::APPLICATION\n            // ensure media type contains exactly one slash (parameters included)\n            \u0026\u0026 correct.chars().filter(|c| *c == '/').count() == 1\n        {\n            let raw = correct.split_once('/').expect(\"contains one slash\").1;\n            // these should be UPPERCASE for interop with legacy implementation according to\n            // the JOSE RFCs..\n            const SHOULD_BE_UPPERCASE: [\u0026str; 2] = [\"jwt\", \"jose\"];\n            Ok(\n                if SHOULD_BE_UPPERCASE.contains(\u0026raw.to_lowercase().as_str()) {\n                    raw.to_uppercase().serialize(serializer)?\n                } else {\n                    raw.serialize(serializer)?\n                },\n            )\n        } else {\n            correct.serialize(serializer)\n        }\n    }\n}\n\n#[cfg(test)]\nmod tests {\n    use alloc::string::String;\n\n    use mediatype::{\n        names::{APPLICATION, JWT},\n        MediaType,\n    };\n    use serde::{Deserialize, Serialize};\n\n    use super::MediaTypeWithMaybeStrippedApplicationTopLevel;\n\n    #[derive(Deserialize, Serialize)]\n    struct Dummy {\n        typ: MediaTypeWithMaybeStrippedApplicationTopLevel,\n    }\n    #[test]\n    fn jwt_without_application_roundtrip() {\n        let payload = r#\"{\"typ\":\"JWT\"}\"#;\n        let a: Dummy = serde_json::from_str(payload).expect(\"valid\");\n        assert_eq!(a.typ.0, MediaType::new(APPLICATION, JWT));\n        let json: String = serde_json::to_string(\u0026a).expect(\"valid\");\n        assert_eq!(json, payload);\n    }\n}\n","traces":[{"line":67,"address":[],"length":0,"stats":{"Line":1}},{"line":71,"address":[],"length":0,"stats":{"Line":2}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":1}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":79,"address":[],"length":0,"stats":{"Line":1}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":1}},{"line":89,"address":[],"length":0,"stats":{"Line":1}},{"line":90,"address":[],"length":0,"stats":{"Line":1}},{"line":92,"address":[],"length":0,"stats":{"Line":17}},{"line":94,"address":[],"length":0,"stats":{"Line":1}},{"line":99,"address":[],"length":0,"stats":{"Line":1}},{"line":100,"address":[],"length":0,"stats":{"Line":1}},{"line":102,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}}],"covered":11,"coverable":16},{"path":["/","home","stu","dev","rust","jose","src","header","types","jwe.rs"],"content":"use crate::{\n    header::HeaderValue,\n    jwa::{JsonWebContentEncryptionAlgorithm, JsonWebEncryptionAlgorithm},\n    sealed::Sealed,\n};\n\n/// Parameters specific to Json Web Encryption\n#[derive(Debug)]\n#[non_exhaustive]\npub struct Jwe {\n    /// `alg` parameter\n    pub(crate) algorithm: HeaderValue\u003cJsonWebEncryptionAlgorithm\u003e,\n    /// `enc` parameter\n    pub(crate) content_encryption_algorithm: HeaderValue\u003cJsonWebContentEncryptionAlgorithm\u003e,\n    // FIXME: other JWE parameters (zip, epk, ...)\n}\n\nimpl Sealed for Jwe {}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","header","types","jws.rs"],"content":"use crate::{header::HeaderValue, jwa::JsonWebSigningAlgorithm, sealed::Sealed};\n\n/// Parameters specific to Json Web Signatures\n#[derive(Debug)]\n#[non_exhaustive]\npub struct Jws {\n    // `alg` parameter\n    pub(crate) algorithm: HeaderValue\u003cJsonWebSigningAlgorithm\u003e,\n    /// `b64` parameter as defined by RFC 7797. This parameter is optional and\n    /// it's default value is `true`.\n    ///\n    /// If this value is `false`, the payload of the JWS is not base64 urlsafe\n    /// encoded. This can work for simple stuff like a hex string, but will\n    /// often cause parsing errors. Use of this option makes sense if the\n    /// payload of a JWS is detached.\n    ///\n    /// Note: In a JsonWebToken, this value MUST always be true. Therefore, the\n    /// payload MUST NOT use the unencoded payload option.\n    ///\n    /// Note: This header MUST be integrity protected.\n    pub(crate) payload_base64_url_encoded: Option\u003cbool\u003e,\n}\n\nimpl Sealed for Jws {}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","header","types.rs"],"content":"mod jwe;\nmod jws;\n\nuse alloc::{\n    collections::BTreeMap,\n    string::{String, ToString},\n};\n\nuse serde_json::Value;\n\n#[doc(inline)]\npub use self::{jwe::*, jws::*};\nuse super::{builder::Specific, Error, HeaderDeserializer, HeaderValue};\nuse crate::sealed::Sealed;\n\n/// Trait used to specify where a [`JoseHeader`](super::JoseHeader) is being\n/// used. Implemented by [`Jws`] and [`Jwe`].\n///\n/// This trait is an implementation detailed and sealed. It is not relevant for\n/// developers using this crate.\npub trait Type: Sealed {\n    /// A list of parameters that are not allowed in the `crit` header.\n    ///\n    /// This list might grow or shrink. This is not considered a breaking\n    /// change.\n    fn forbidden_critical_headers() -\u003e \u0026'static [\u0026'static str];\n    /// Build the implementing type while preseving the [`HeaderDeserializer`]\n    ///\n    /// # Errors\n    ///\n    /// Should return an [`Error`] if deserialization fails or an invalid value\n    /// is detected.\n    fn from_deserializer(\n        de: HeaderDeserializer,\n    ) -\u003e Result\u003c(Self, HeaderDeserializer), (Error, HeaderDeserializer)\u003e\n    where\n        Self: Sized;\n\n    /// Implementation detail of\n    /// [`JoseHeaderBuilder`](super::JoseHeaderBuilder).\n    fn specific_default() -\u003e Specific;\n\n    /// Implementation detail of\n    /// [`JoseHeaderBuilder`](super::JoseHeaderBuilder).\n    fn into_specific(self) -\u003e Specific;\n\n    /// Convert fields into a Map that can be used for serialization\n    ///\n    /// # Errors\n    ///\n    /// May return an error if the conversion to [`Value`] fails.\n    fn into_map(self) -\u003e Result\u003cBTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e, Error\u003e;\n}\n\nimpl Type for Jws {\n    #[inline]\n    fn forbidden_critical_headers() -\u003e \u0026'static [\u0026'static str] {\n        // \u003chttps://www.rfc-editor.org/rfc/rfc7515.html#section-9.1.2\u003e\n        // FIXME: add parameters from JWA\n        \u0026[\n            \"alg\", \"jku\", \"jwk\", \"kid\", \"x5u\", \"x5c\", \"x5t\", \"x5t#S256\", \"typ\", \"cty\", \"crit\",\n        ]\n    }\n\n    fn from_deserializer(\n        mut de: HeaderDeserializer,\n    ) -\u003e Result\u003c(Self, HeaderDeserializer), (Error, HeaderDeserializer)\u003e\n    where\n        Self: Sized,\n    {\n        // \"try\" blocks hack\n        let mut t = || {\n            Ok(Self {\n                algorithm: de\n                    .deserialize_field(\"alg\")\n                    .transpose()?\n                    .ok_or(Error::MissingHeader(\"alg\".to_string()))?,\n                payload_base64_url_encoded: de\n                    .deserialize_field(\"b64\")\n                    .transpose()?\n                    // `b64` must be protected\n                    .map(|v| v.protected().ok_or(Error::ExpectedProtected))\n                    .transpose()?,\n            })\n        };\n        let s: Result\u003cJws, Error\u003e = t();\n        match s {\n            Ok(v) =\u003e Ok((v, de)),\n            Err(e) =\u003e Err((e, de)),\n        }\n    }\n\n    fn specific_default() -\u003e Specific {\n        Specific::Jws {\n            algorithm: None,\n            payload_base64_url_encoded: None,\n        }\n    }\n\n    fn into_specific(self) -\u003e Specific {\n        Specific::Jws {\n            algorithm: Some(self.algorithm),\n            payload_base64_url_encoded: self.payload_base64_url_encoded,\n        }\n    }\n\n    fn into_map(self) -\u003e Result\u003cBTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e, Error\u003e {\n        let mut map = BTreeMap::new();\n        map.insert(\n            \"alg\".to_string(),\n            self.algorithm.map(serde_json::to_value).transpose()?,\n        );\n\n        // if explictly set to true, set it even tho true is the default\n        if let Some(b64) = self.payload_base64_url_encoded {\n            map.insert(\n                \"b64\".to_string(),\n                HeaderValue::Protected(serde_json::to_value(b64)?),\n            );\n        }\n\n        Ok(map)\n    }\n}\n\nimpl Type for Jwe {\n    #[inline]\n    fn forbidden_critical_headers() -\u003e \u0026'static [\u0026'static str] {\n        // \u003chttps://www.rfc-editor.org/rfc/rfc7516.html#section-10.1.1\u003e\n        // FIXME: add parameters from JWA\n        \u0026[\n            \"alg\", \"enc\", \"zip\", \"jku\", \"jwk\", \"kid\", \"x5u\", \"x5c\", \"x5t\", \"x5t#S256\", \"typ\",\n            \"cty\", \"crit\",\n        ]\n    }\n\n    fn from_deserializer(\n        mut de: HeaderDeserializer,\n    ) -\u003e Result\u003c(Self, HeaderDeserializer), (Error, HeaderDeserializer)\u003e\n    where\n        Self: Sized,\n    {\n        // \"try\" blocks hack\n        let mut t = || {\n            Ok(Self {\n                algorithm: de\n                    .deserialize_field(\"alg\")\n                    .transpose()?\n                    .ok_or(Error::MissingHeader(\"alg\".to_string()))?,\n                content_encryption_algorithm: de\n                    .deserialize_field(\"enc\")\n                    .transpose()?\n                    .ok_or(Error::MissingHeader(\"enc\".to_string()))?,\n            })\n        };\n        let s: Result\u003cJwe, Error\u003e = t();\n        match s {\n            Ok(v) =\u003e Ok((v, de)),\n            Err(e) =\u003e Err((e, de)),\n        }\n    }\n\n    fn specific_default() -\u003e Specific {\n        Specific::Jwe {\n            algorithm: None,\n            content_encryption_algorithm: None,\n        }\n    }\n\n    fn into_specific(self) -\u003e Specific {\n        Specific::Jwe {\n            algorithm: Some(self.algorithm),\n            content_encryption_algorithm: Some(self.content_encryption_algorithm),\n        }\n    }\n\n    fn into_map(self) -\u003e Result\u003cBTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e, Error\u003e {\n        Ok([\n            (\n                \"alg\".to_string(),\n                self.algorithm.map(serde_json::to_value).transpose()?,\n            ),\n            (\n                \"enc\".to_string(),\n                self.content_encryption_algorithm\n                    .map(serde_json::to_value)\n                    .transpose()?,\n            ),\n        ]\n        .into_iter()\n        .collect())\n    }\n}\n","traces":[{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":0}},{"line":79,"address":[],"length":0,"stats":{"Line":0}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":86,"address":[],"length":0,"stats":{"Line":0}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":1}},{"line":100,"address":[],"length":0,"stats":{"Line":0}},{"line":102,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":108,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":133,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":144,"address":[],"length":0,"stats":{"Line":0}},{"line":145,"address":[],"length":0,"stats":{"Line":0}},{"line":146,"address":[],"length":0,"stats":{"Line":0}},{"line":147,"address":[],"length":0,"stats":{"Line":0}},{"line":148,"address":[],"length":0,"stats":{"Line":0}},{"line":149,"address":[],"length":0,"stats":{"Line":0}},{"line":150,"address":[],"length":0,"stats":{"Line":0}},{"line":151,"address":[],"length":0,"stats":{"Line":0}},{"line":152,"address":[],"length":0,"stats":{"Line":0}},{"line":153,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}},{"line":157,"address":[],"length":0,"stats":{"Line":0}},{"line":158,"address":[],"length":0,"stats":{"Line":0}},{"line":159,"address":[],"length":0,"stats":{"Line":0}},{"line":163,"address":[],"length":0,"stats":{"Line":0}},{"line":170,"address":[],"length":0,"stats":{"Line":0}},{"line":172,"address":[],"length":0,"stats":{"Line":0}},{"line":173,"address":[],"length":0,"stats":{"Line":0}},{"line":177,"address":[],"length":0,"stats":{"Line":0}},{"line":178,"address":[],"length":0,"stats":{"Line":0}},{"line":180,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":0}},{"line":184,"address":[],"length":0,"stats":{"Line":0}},{"line":185,"address":[],"length":0,"stats":{"Line":0}},{"line":186,"address":[],"length":0,"stats":{"Line":0}},{"line":187,"address":[],"length":0,"stats":{"Line":0}},{"line":190,"address":[],"length":0,"stats":{"Line":0}},{"line":191,"address":[],"length":0,"stats":{"Line":0}}],"covered":1,"coverable":65},{"path":["/","home","stu","dev","rust","jose","src","header","value.rs"],"content":"use core::ops::Deref;\n\nuse crate::sealed::Sealed;\n\n/// Some value `T` in either the protected or unprotected header.\n#[derive(Debug, PartialEq, Eq, PartialOrd, Ord)]\npub enum HeaderValue\u003cT\u003e {\n    /// `T` is in the `protected` header parameter and integrity protected.\n    Protected(T),\n    /// `T` is in the unprotected `header` parameter and NOT integrity\n    /// protected.\n    Unprotected(T),\n}\n\nimpl\u003cT\u003e Sealed for HeaderValue\u003cT\u003e {}\n\nimpl\u003cT\u003e HeaderValue\u003cT\u003e {\n    /// Convert from `\u0026HeaderValue\u003cT\u003e` to `HeaderValue\u003c\u0026T\u003e`.\n    ///\n    /// Works like [`Option::as_ref`]\n    pub fn as_ref(\u0026self) -\u003e HeaderValue\u003c\u0026'_ T\u003e {\n        match self {\n            HeaderValue::Protected(v) =\u003e HeaderValue::Protected(v),\n            HeaderValue::Unprotected(v) =\u003e HeaderValue::Unprotected(v),\n        }\n    }\n\n    /// Converts from `\u0026HeaderValue\u003cT\u003e` to `HeaderValue\u003c\u0026T::Target\u003e`.\n    ///\n    /// Works like [`Option::as_deref`]\n    pub fn as_deref(\u0026self) -\u003e HeaderValue\u003c\u0026T::Target\u003e\n    where\n        T: Deref,\n    {\n        match self.as_ref() {\n            HeaderValue::Protected(t) =\u003e HeaderValue::Protected(t.deref()),\n            HeaderValue::Unprotected(t) =\u003e HeaderValue::Unprotected(t.deref()),\n        }\n    }\n\n    /// Maps an `HeaderValue\u003cT\u003e` to `HeaderValue\u003cU\u003e` by applying a function to a\n    /// contained value.\n    pub fn map\u003cU, F\u003e(self, f: F) -\u003e HeaderValue\u003cU\u003e\n    where\n        F: FnOnce(T) -\u003e U,\n    {\n        match self {\n            HeaderValue::Protected(t) =\u003e HeaderValue::Protected(f(t)),\n            HeaderValue::Unprotected(t) =\u003e HeaderValue::Unprotected(f(t)),\n        }\n    }\n\n    /// Returns [`Some`] if `T` is in the `protected` parameter.\n    pub fn protected(self) -\u003e Option\u003cT\u003e {\n        match self {\n            Self::Protected(p) =\u003e Some(p),\n            _ =\u003e None,\n        }\n    }\n\n    /// Returns [`Some`] if `T` is in the unprotected `header` parameter.\n    pub fn unprotected(self) -\u003e Option\u003cT\u003e {\n        match self {\n            Self::Unprotected(u) =\u003e Some(u),\n            _ =\u003e None,\n        }\n    }\n\n    /// Returns the inner type `T` discarding the information about where `T` is\n    /// stored.\n    pub fn into_inner(self) -\u003e T {\n        match self {\n            Self::Protected(t) =\u003e t,\n            Self::Unprotected(t) =\u003e t,\n        }\n    }\n}\n\nimpl\u003cT\u003e HeaderValue\u003cOption\u003cT\u003e\u003e {\n    /// Transpose a [`HeaderValue\u003cOption\u003cT\u003e\u003e`] into [`Option\u003cHeaderValue\u003cT\u003e\u003e`]\n    pub fn transpose(self) -\u003e Option\u003cHeaderValue\u003cT\u003e\u003e {\n        Some(match self {\n            HeaderValue::Protected(p) =\u003e HeaderValue::Protected(p?),\n            HeaderValue::Unprotected(u) =\u003e HeaderValue::Unprotected(u?),\n        })\n    }\n}\n\nimpl\u003cT, E\u003e HeaderValue\u003cResult\u003cT, E\u003e\u003e {\n    /// Transpose a [`HeaderValue\u003cResult\u003cT, E\u003e\u003e`] into\n    /// [`Result\u003cHeaderValue\u003c`T`\u003e, E\u003e`]\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the inner [`Result`] contains an error.\n    pub fn transpose(self) -\u003e Result\u003cHeaderValue\u003cT\u003e, E\u003e {\n        Ok(match self {\n            Self::Protected(p) =\u003e HeaderValue::Protected(p?),\n            Self::Unprotected(u) =\u003e HeaderValue::Unprotected(u?),\n        })\n    }\n}\n","traces":[{"line":21,"address":[],"length":0,"stats":{"Line":1}},{"line":22,"address":[],"length":0,"stats":{"Line":1}},{"line":23,"address":[],"length":0,"stats":{"Line":1}},{"line":24,"address":[],"length":0,"stats":{"Line":0}},{"line":31,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":37,"address":[],"length":0,"stats":{"Line":0}},{"line":43,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":54,"address":[],"length":0,"stats":{"Line":0}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":62,"address":[],"length":0,"stats":{"Line":0}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":81,"address":[],"length":0,"stats":{"Line":0}},{"line":82,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}}],"covered":3,"coverable":32},{"path":["/","home","stu","dev","rust","jose","src","header.rs"],"content":"//! [`JoseHeader`] and associated abstractions as defined in [section 4 of RFC\n//! 7515].\n//!\n//! [section 4 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4\u003e\nuse alloc::{\n    collections::{BTreeMap, BTreeSet},\n    string::{String, ToString},\n};\nuse core::{marker::PhantomData, ops::Deref};\n\nuse mediatype::MediaType;\nuse serde::Deserialize;\nuse serde_json::{Map, Value};\n\nmod builder;\nmod error;\nmod parameters;\nmod types;\nmod value;\n\nuse self::parameters::Parameters;\n#[doc(inline)]\npub use self::{\n    builder::{JoseHeaderBuilder, JoseHeaderBuilderError},\n    error::Error,\n    types::*,\n    value::*,\n};\nuse crate::{\n    format::Format,\n    jwa::{JsonWebContentEncryptionAlgorithm, JsonWebEncryptionAlgorithm, JsonWebSigningAlgorithm},\n    uri::BorrowedUri,\n    JsonWebKey, UntypedAdditionalProperties,\n};\n\n/// A [`JoseHeader`] is primarily used to specify how a JSON Web Signature or\n/// JSON Web Encryption should be processed.\n///\n/// Besides the [`algorithm`](JoseHeader::algorithm) used for the cryptographic\n/// primitives, it can also store additional metadata that should not be part of\n/// the payload.\n/// For example, the [`typ`](JoseHeader::typ) parameter may be used to specify a\n/// content type for the payload.\n///\n/// # Structure\n///\n/// A [`JoseHeader`] may be a bit different, depending where it is being used.\n/// Therefore, [`JoseHeader\u003cF, T\u003e`] has two generic types that define where and\n/// how exactly it is being used. `F` defines the [`Format`] that this\n/// [`JoseHeader`] is being used in. `T` defines whether the [`JoseHeader`] is\n/// part of a [JSON Web Signature][Jws] or [JSON Web Encryption][Jwe].\n///\n/// A [`JoseHeader`] can store parameters in two ways:\n///\n/// * [protected](HeaderValue::Protected): Parameters stored in the protected\n///   part of a [`JoseHeader`] **cannot** be modified without knowledge of the\n///   cryptographic key that was used to protect the payload.\n///\n/// * [unprotected](HeaderValue::Unprotected): Parameters stored in the\n///   unprotected part of a [`JoseHeader`] **can** be modified by anybody and\n///   *changes cannot be detected*. You therefore *MUST NOT* trust them.\n///\n/// Since most parameters are allowed in both of the two header parts, each\n/// parameter is wrapped in a [`HeaderValue\u003cT\u003e`] that specifies the part in\n/// which the paramter is stored.\n///\n/// # Parameter classes\n///\n/// [Section 4 of RFC 7515] defines three classes of header parameters:\n///\n/// * [Registered header parameters]: these parameters are registerd in the\n///   [IANA `JSON Web Signature and Encryption Header Parameters` registry].\n///   Most of them are implemented by this library and can be directly accessed\n///   via the methods on [`JoseHeader`]. If you find a registered parameter you\n///   need missing, you are welcome to open an issue or even better a pull\n///   request to support it.\n///\n/// * [Public header parameters]: these parameters are not registered but use a\n///   \"Collision-Resistant Name\" (e.g. they are prefixed by a domain you\n///   control) as defined in [section 2 of RFC 7515]. You may access them using\n///   [`JoseHeader::additional`].\n///\n/// * [Private header parameters]: these parameters are not registered either\n///   but do not use a \"Collisin-Resistant Name\" and are therefore subject to\n///   collision. You can also use them via [`JoseHeader::additional`] but their\n///   use is not recommended and if new paramters are registered that collide\n///   with a private parameter, your implementation may break.\n///\n/// # Examples\n///\n///\n/// ```\n/// use jose::{\n///     format::Compact,\n///     header::{HeaderValue, JoseHeader, Jws},\n///     jwa::Hmac,\n/// };\n///\n/// // we are going to build a `JoseHeader` for a `Compact` `Jws`\n/// let header = JoseHeader::\u003cCompact, Jws\u003e::builder()\n///     // we set the `alg` header parameter as an unprotected parameter\n///     .algorithm(HeaderValue::Unprotected(Hmac::Hs256.into()))\n///     // we set the `kid` header parameter as an protected parameter\n///     .key_identifier(Some(HeaderValue::Protected(\"key-1\".to_string())))\n///     .build()\n///     .unwrap();\n///\n/// assert_eq!(\n///     header.algorithm(),\n///     HeaderValue::Unprotected(\u0026Hmac::Hs256.into())\n/// );\n/// assert_eq!(\n///     header.key_identifier(),\n///     Some(HeaderValue::Protected(\"key-1\"))\n/// );\n/// ```\n///\n/// [section 2 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-2\u003e\n/// [Section 4 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4\u003e\n/// [IANA `JSON Web Signature and Encryption Header Parameters` registry]: \u003chttps://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-header-parameters\u003e\n/// [Registered header parameters]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1\u003e\n/// [Public header parameters]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.2\u003e\n/// [Private header parameters]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.3\u003e\n#[derive(Debug)]\npub struct JoseHeader\u003cF, T\u003e {\n    parameters: Parameters\u003cT\u003e,\n    // marker for the format (compact, json general, json flattened)\n    _format: PhantomData\u003cF\u003e,\n}\n\nimpl\u003cF\u003e JoseHeader\u003cF, Jws\u003e\nwhere\n    F: Format,\n{\n    /// Method to override the alg and kid fields.\n    /// Only intended for internal usage.\n    pub(crate) fn overwrite_alg_and_key_id(\n        \u0026mut self,\n        alg: JsonWebSigningAlgorithm,\n        kid: Option\u003c\u0026str\u003e,\n    ) {\n        let is_protected = matches!(self.algorithm(), HeaderValue::Protected(_));\n\n        let alg = if is_protected {\n            HeaderValue::Protected(alg)\n        } else {\n            HeaderValue::Unprotected(alg)\n        };\n\n        let kid = kid.map(|s| {\n            let kid = s.to_string();\n            if is_protected {\n                HeaderValue::Protected(kid)\n            } else {\n                HeaderValue::Unprotected(kid)\n            }\n        });\n\n        self.parameters.key_id = kid;\n        self.parameters.specific.algorithm = alg;\n    }\n}\n\nimpl\u003cF, T\u003e JoseHeader\u003cF, T\u003e\nwhere\n    F: Format,\n    T: Type,\n{\n    /// Build a new [`JoseHeader`].\n    pub fn builder() -\u003e JoseHeaderBuilder\u003cF, T\u003e {\n        JoseHeaderBuilder::default()\n    }\n\n    /// Modify this [`JoseHeader`] by turning it back into a\n    /// [`JoseHeaderBuilder`].\n    pub fn into_builder(self) -\u003e JoseHeaderBuilder\u003cF, T\u003e {\n        JoseHeaderBuilder::from_header(self)\n    }\n\n    /// Returns a url containing a link to a JSON Web Key Set as defined in\n    /// [section 5 of RFC 7517].\n    ///\n    /// This parameter is serialized as `jku` and defined in [section 4.1.2 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.2 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.2\u003e\n    /// [section 5 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-5\u003e\n    // FIXME: use url type instead\n    pub fn jwk_set_url(\u0026self) -\u003e Option\u003cHeaderValue\u003cBorrowedUri\u003c'_\u003e\u003e\u003e {\n        self.parameters\n            .jwk_set_url\n            .as_ref()\n            .map(|x| x.as_ref().map(|x| x.borrow()))\n    }\n\n    /// Depending where this [`JoseHeader`] is being used, in JWE it contains\n    /// the recipient's public key and in JWS it contains the signer's public\n    /// key.\n    ///\n    /// This parameter is serialized as `jwk` and defined in [section 4.1.3 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.3 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.3\u003e\n    pub fn json_web_key(\u0026self) -\u003e Option\u003cHeaderValue\u003c\u0026JsonWebKey\u003cUntypedAdditionalProperties\u003e\u003e\u003e {\n        self.parameters\n            .json_web_key\n            .as_ref()\n            .map(HeaderValue::as_ref)\n    }\n\n    /// The identifier of the key used in this JWE or JWS used to give a hint to\n    /// recipient.\n    ///\n    /// It is a case-sensitive string. When used together with a [`JsonWebKey`]\n    /// via the [`jwk`](Self::json_web_key) parameter, it is used to match the\n    /// [Key ID](JsonWebKey::key_id) of the [`JsonWebKey`].\n    ///\n    /// This parameter is serialized as `jwk` and defined in [section 4.1.4 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.4 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4\u003e\n    pub fn key_identifier(\u0026self) -\u003e Option\u003cHeaderValue\u003c\u0026str\u003e\u003e {\n        self.parameters.key_id.as_ref().map(HeaderValue::as_deref)\n    }\n\n    /// The X.509 URL parameter is an URI (as defined in [RFC 3986]) that refers\n    /// to a resource for the X.509 public key certificate or certificate chain\n    /// (as defined in [RFC 5280]) of the public key used in this JWE or JWS.\n    ///\n    /// This parameter is serialized as `x5u` and defined in [section 4.1.5 of\n    /// RFC 7515].\n    ///\n    /// [RFC 3986]: \u003chttps://datatracker.ietf.org/doc/html/rfc3986\u003e\n    /// [RFC 5280]: \u003chttps://datatracker.ietf.org/doc/html/rfc5280\u003e\n    /// [section 4.1.5 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.5\u003e\n    pub fn x509_url(\u0026self) -\u003e Option\u003cHeaderValue\u003cBorrowedUri\u003c'_\u003e\u003e\u003e {\n        self.parameters\n            .x509_url\n            .as_ref()\n            .map(|x| x.as_ref().map(|x| x.borrow()))\n    }\n\n    /// An [`Iterator`] over a X.509 certificate chain that certify the public\n    /// key used in this JWE or JWS.\n    ///\n    /// The first certificate in the [`Iterator`] returned by this method is the\n    /// PKIX certificate containing the key value as required by the RFC.\n    ///\n    /// Each [`Item`](Iterator::Item) will be the byte representation of a\n    /// DER-encoded X.509 certificate. This parameter works the same as\n    /// [`JsonWebKey::x509_certificate_chain`].\n    ///\n    /// This parameter is serialized as `x5u` and defined in [section 4.1.6 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.6 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.6\u003e\n    pub fn x509_certificate_chain(\u0026self) -\u003e Option\u003cHeaderValue\u003cimpl Iterator\u003cItem = \u0026[u8]\u003e\u003e\u003e {\n        self.parameters\n            .x509_certificate_chain\n            .as_ref()\n            .map(HeaderValue::as_deref)\n            .map(|value| value.map(|certs| certs.iter().map(Deref::deref)))\n    }\n\n    /// This parameter is the SHA-1 hash of the DER-encoded X.509 certificate\n    /// (X.509 Certificate SHA-1 Thumbprint).\n    ///\n    /// # Warning: Cryptographically broken!\n    ///\n    /// TL;DR: check if you can use the [SHA-256\n    /// thumbprint](Self::x509_certificate_sha256_thumbprint) instead.\n    ///\n    /// The following text is taken from the `sha1` crate: \\\n    /// The SHA-1 hash function should be considered cryptographically broken\n    /// and unsuitable for further use in any security critical capacity, as it\n    /// is [practically vulnerable to chosen-prefix collisions](https://sha-mbles.github.io/).\n    ///\n    /// This parameter is serialized as `x5t` and defined in [section 4.1.7 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.7 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.7\u003e\n    // replace the hardcoded output size with the Sha1::OutputsizeUser value then\n    // they use const generics\n    pub fn x509_certificate_sha1_thumbprint(\u0026self) -\u003e Option\u003cHeaderValue\u003c\u0026[u8; 20]\u003e\u003e {\n        self.parameters\n            .x509_certificate_sha1_thumbprint\n            .as_ref()\n            .map(HeaderValue::as_ref)\n    }\n\n    /// This parameter is the SHA-256 hash of the DER-encoded X.509 certificate\n    /// (X.509 Certificate SHA-256 Thumbprint).\n    ///\n    /// This parameter is serialized as `x5t#S256` and defined in [section 4.1.8\n    /// of RFC 7515].\n    ///\n    /// [section 4.1.8 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.8\u003e\n    pub fn x509_certificate_sha256_thumbprint(\u0026self) -\u003e Option\u003cHeaderValue\u003c\u0026[u8; 32]\u003e\u003e {\n        self.parameters\n            .x509_certificate_sha256_thumbprint\n            .as_ref()\n            .map(HeaderValue::as_ref)\n    }\n\n    /// The Type parameter is used to declare the [media type] of this\n    /// complete JWE or JWS.\n    ///\n    /// This parameter is serialized as `typ` and defined in [section 4.1.9 of\n    /// RFC 7515].\n    ///\n    /// # Note\n    ///\n    /// Media types that start with [`application`]`/` (top-level type) and\n    /// do not contain any other `/` are shortend to just the subtype according\n    /// to [section 4.1.9 of RFC 7515]. Therefore, for example,\n    /// `application/jwt` would become just `jwt`. However, since the RFC\n    /// recommends that the mediatype `jwt` and `jose` should be uppercase for\n    /// interop with legacy implementations, it would actually become `JWT`.\n    ///\n    ///\n    /// # Example\n    ///\n    /// When a [`JoseHeader`] is being used with a JSON Web Token and this\n    /// parameter is set, it is recommended that this type will be\n    /// [`application`]`/`[`jwt`] as defined in [section 5.1 of RFC 7519].\n    /// In the serialized form, `typ` will be `JWT`.\n    ///\n    /// [media type]: \u003chttps://www.iana.org/assignments/media-types\u003e\n    /// [section 4.1.9 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.9\u003e\n    /// [`application`]: \u003cmediatype::names::APPLICATION\u003e\n    /// [`jwt`]: \u003cmediatype::names::JWT\u003e\n    /// [section 5.1 of RFC 7519]: \u003chttps://datatracker.ietf.org/doc/html/rfc7519#section-5.1\u003e\n    pub fn typ(\u0026self) -\u003e Option\u003cHeaderValue\u003cMediaType\u003c'_\u003e\u003e\u003e {\n        self.parameters\n            .typ\n            .as_ref()\n            .map(|value| value.as_ref().map(|v| v.0.to_ref()))\n    }\n\n    /// The Content Type parameter is used to declare the [media type] of the\n    /// payload of a JWE or JWS.\n    ///\n    /// This parameter is serialized as `cty` and defined in [section 4.1.10 of\n    /// RFC 7515].\n    ///\n    /// # Example\n    ///\n    /// When a [`JoseHeader`] is being used with a JSON Web Token and nested\n    /// encryption or signing is employed, this parameter must be present and be\n    /// set to [`application`]`/`[`jwt`] as defined by [section 5.2 of RFC\n    /// 7519].\n    ///\n    /// [media type]: \u003chttps://www.iana.org/assignments/media-types\u003e\n    /// [section 4.1.10 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.10\u003e\n    /// [`application`]: \u003cmediatype::names::APPLICATION\u003e\n    /// [`jwt`]: \u003cmediatype::names::JWT\u003e\n    /// [section 5.2 of RFC 7519]: \u003chttps://datatracker.ietf.org/doc/html/rfc7519#section-5.2\u003e\n    pub fn content_type(\u0026self) -\u003e Option\u003cHeaderValue\u003cMediaType\u003c'_\u003e\u003e\u003e {\n        self.parameters\n            .content_type\n            .as_ref()\n            .map(|value| value.as_ref().map(|v| v.0.to_ref()))\n    }\n\n    /// Get additional parameters by their serialized parameter name.\n    ///\n    /// Note: Parameters that are understood by this implementation (receivable\n    /// via the method on [`JoseHeader`]) will return [`None`]. Use the\n    /// appropriate method instead.\n    pub fn additional(\u0026self, parameter_name: impl AsRef\u003cstr\u003e) -\u003e Option\u003cHeaderValue\u003c\u0026Value\u003e\u003e {\n        self.parameters\n            .additional\n            .get(parameter_name.as_ref())\n            .map(|v| v.as_ref())\n    }\n\n    /// The Critical Header parameter is used to declare headers that must be\n    /// understood by an implementation.\n    ///\n    /// It is an [`Iterator`] over the parameter names of critical headers in\n    /// this [`JoseHeader`]. If there are no headers marked as critical, this\n    /// [`Iterator`] will be empty.\n    ///\n    /// This parameter is serialized as `crit` and defined in [section 4.1.11 of\n    /// RFC 7515].\n    ///\n    /// Note: Header names listed in this parameter have to be present and the\n    /// [`JoseHeader`] is considered invalid otherwise.\n    ///\n    /// Note: This header parameter is always integrity protected.\n    ///\n    /// [section 4.1.11 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.11\u003e\n    pub fn critical_headers(\u0026self) -\u003e impl Iterator\u003cItem = \u0026'_ str\u003e {\n        self.parameters\n            .critical_headers\n            .iter()\n            .flatten()\n            .map(Deref::deref)\n    }\n}\n\nimpl\u003cF\u003e JoseHeader\u003cF, Jws\u003e\nwhere\n    F: Format,\n{\n    /// The [signing algorithm](JsonWebSigningAlgorithm) used to create the\n    /// signature for the JWS this [`JoseHeader`] is contained in.\n    ///\n    /// This parameter is serialized as `alg` and defined in [section 4.1.1 of\n    /// RFC 7515].\n    ///\n    /// [section 4.1.1 of RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515#section-4.1.1\u003e\n    pub fn algorithm(\u0026self) -\u003e HeaderValue\u003c\u0026JsonWebSigningAlgorithm\u003e {\n        self.parameters.specific.algorithm.as_ref()\n    }\n\n    /// Whether the payload is being base64url encoded or not.\n    ///\n    /// This parameter is serialized as `b64` and defined in [section 3 of RFC\n    /// 7797].\n    ///\n    /// Note: This header parameter is always integrity protected.\n    ///\n    /// Note: This header parameter is OPTIONAL and has a default value of\n    /// `true`.\n    ///\n    /// [section 3 of RFC 7797]: \u003chttps://datatracker.ietf.org/doc/html/rfc7797#section-3\u003e\n    pub fn payload_base64_url_encoded(\u0026self) -\u003e bool {\n        self.parameters\n            .specific\n            .payload_base64_url_encoded\n            .unwrap_or(true)\n    }\n}\n\nimpl\u003cF\u003e JoseHeader\u003cF, Jwe\u003e\nwhere\n    F: Format,\n{\n    /// The [encryption algorithm][JsonWebEncryptionAlgorithm] used to\n    /// encryption the content encryption key (CEK).\n    ///\n    /// This parameter is serialized as `alg` and defined in [section 4.1.1 of\n    /// RFC 7516].\n    ///\n    /// [section 4.1.1 of RFC 7516]: \u003chttps://datatracker.ietf.org/doc/html/rfc7516/#section-4.1.1\u003e\n    pub fn algorithm(\u0026self) -\u003e HeaderValue\u003c\u0026JsonWebEncryptionAlgorithm\u003e {\n        self.parameters.specific.algorithm.as_ref()\n    }\n\n    /// The [encryption algorithm](JsonWebContentEncryptionAlgorithm) used to\n    /// encryption the payload of a JWE.\n    ///\n    /// This parameter is serialized as `enc` and defined in [section 4.1.2 of\n    /// RFC 7516].\n    ///\n    /// [section 4.1.2 of RFC 7516]: \u003chttps://datatracker.ietf.org/doc/html/rfc7516/#section-4.1.2\u003e\n    pub fn content_encryption_algorithm(\u0026self) -\u003e HeaderValue\u003c\u0026JsonWebContentEncryptionAlgorithm\u003e {\n        self.parameters\n            .specific\n            .content_encryption_algorithm\n            .as_ref()\n    }\n}\n\nimpl\u003cF, T\u003e JoseHeader\u003cF, T\u003e\nwhere\n    F: Format,\n    T: Type,\n{\n    /// Build a JoseHeader from its `header` and `protected` part.\n    ///\n    /// Note: The `protected` part must already be base64 decoded.\n    pub(crate) fn from_values(\n        protected: Option\u003cMap\u003cString, Value\u003e\u003e,\n        unprotected: Option\u003cMap\u003cString, Value\u003e\u003e,\n    ) -\u003e Result\u003cSelf, Error\u003e {\n        let de = HeaderDeserializer::from_values(protected, unprotected)?;\n        let (specific, mut de) = T::from_deserializer(de).map_err(|(e, _)| e)?;\n        Ok(Self {\n            parameters: Parameters {\n                critical_headers: de\n                    .deserialize_field(\"crit\")\n                    .transpose()?\n                    .map(|v| v.protected().ok_or(Error::ExpectedProtected))\n                    .transpose()?\n                    .map(|v: BTreeSet\u003c_\u003e| {\n                        // RFC 7515\n                        // `crit` must not be an empty list,\n                        // must not contain header names specified by the specification\n                        // FIXME: consider forbidden headers that are `Format` specific.\n                        if v.is_empty() {\n                            return Err(Error::EmptyCriticalHeaders);\n                        }\n                        for forbidden in T::forbidden_critical_headers() {\n                            if v.contains(*forbidden) {\n                                return Err(Error::ForbiddenHeader(forbidden.to_string()));\n                            }\n                        }\n                        Ok(v)\n                    })\n                    .transpose()?,\n                jwk_set_url: de.deserialize_field(\"jku\").transpose()?,\n                json_web_key: de.deserialize_field(\"jwk\").transpose()?,\n                key_id: de.deserialize_field(\"kid\").transpose()?,\n                x509_url: de.deserialize_field(\"x5u\").transpose()?,\n                x509_certificate_chain: de.deserialize_field(\"x5c\").transpose()?,\n                x509_certificate_sha1_thumbprint: de.deserialize_field(\"x5t\").transpose()?,\n                x509_certificate_sha256_thumbprint: de.deserialize_field(\"x5t#S256\").transpose()?,\n                typ: de.deserialize_field(\"typ\").transpose()?,\n                content_type: de.deserialize_field(\"cty\").transpose()?,\n                specific,\n                additional: de.additional(),\n            },\n            _format: PhantomData,\n        })\n    }\n\n    /// Returns `Result\u003c(Option\u003cProtected\u003e, Option\u003cUnprotected\u003e), Error\u003e`\n    #[allow(clippy::type_complexity)]\n    pub(crate) fn into_values(\n        self,\n    ) -\u003e Result\u003c(Option\u003cMap\u003cString, Value\u003e\u003e, Option\u003cMap\u003cString, Value\u003e\u003e), Error\u003e {\n        let parameters = self.parameters;\n\n        // use the existing Map with additional parameters. Parameters that collide with\n        // names understood by this library are replaced.\n        let mut collected_parameters = parameters.additional;\n\n        // insert crit header only if it is some and non empty as per RFC\n        if let Some(crit) = parameters.critical_headers {\n            if !crit.is_empty() {\n                collected_parameters.insert(\n                    \"crit\".to_string(),\n                    HeaderValue::Protected(serde_json::to_value(crit)?),\n                );\n            }\n        } else {\n            collected_parameters.remove(\"crit\");\n        }\n\n        // FIXME: optimize this code in a way that there are not this many inserts\n        macro_rules! insert {\n            ($($name:literal: $value:expr),+,) =\u003e {\n                $(if let Some(value) = $value {\n                    collected_parameters.insert(\n                        $name.to_string(),\n                        value.map(serde_json::to_value).transpose()?,\n                    );\n                } else {\n                    collected_parameters.remove($name);\n                })+\n            };\n        }\n        insert! {\n            \"jku\": parameters.jwk_set_url,\n            \"jwk\": parameters.json_web_key,\n            \"kid\": parameters.key_id,\n            \"x5u\": parameters.x509_url,\n            \"x5c\": parameters.x509_certificate_chain,\n            \"x5t\": parameters.x509_certificate_sha1_thumbprint,\n            \"x5t#S256\": parameters.x509_certificate_sha256_thumbprint,\n            \"typ\": parameters.typ,\n            \"cty\": parameters.content_type,\n        }\n\n        let mut protected = Map::new();\n        let mut unprotected = Map::new();\n        for (key, value) in collected_parameters\n            .into_iter()\n            .chain(parameters.specific.into_map()?)\n        {\n            match value {\n                HeaderValue::Protected(value) =\u003e protected.insert(key, value),\n                HeaderValue::Unprotected(value) =\u003e unprotected.insert(key, value),\n            };\n        }\n\n        let protected = match protected.is_empty() {\n            true =\u003e None,\n            false =\u003e Some(protected),\n        };\n\n        let unprotected = match unprotected.is_empty() {\n            true =\u003e None,\n            false =\u003e Some(unprotected),\n        };\n\n        Ok((protected, unprotected))\n    }\n}\n\n/// An implementation detail for [`JoseHeader`]\n#[derive(Debug)]\npub struct HeaderDeserializer {\n    protected: Map\u003cString, Value\u003e,\n    unprotected: Map\u003cString, Value\u003e,\n}\n\nimpl HeaderDeserializer {\n    /// Prepare the deserialize for deserialization and run a few checks\n    fn from_values(\n        protected: Option\u003cMap\u003cString, Value\u003e\u003e,\n        unprotected: Option\u003cMap\u003cString, Value\u003e\u003e,\n    ) -\u003e Result\u003cSelf, Error\u003e {\n        // ensure that if the header is present, it actually contains some members as\n        // per section 7.2.1 of RFC 7515\n        if let Some(ref p) = protected {\n            if p.is_empty() {\n                return Err(Error::EmptyHeader);\n            }\n        }\n        if let Some(ref u) = unprotected {\n            if u.is_empty() {\n                return Err(Error::EmptyHeader);\n            }\n        }\n\n        let (protected, unprotected) = match (protected, unprotected) {\n            (Some(protected), Some(unprotected)) =\u003e (protected, unprotected),\n            (Some(protected), None) =\u003e (protected, Map::new()),\n            (None, Some(unprotected)) =\u003e (Map::new(), unprotected),\n            (None, None) =\u003e return Err(Error::NoHeader),\n        };\n\n        let protected_keys: BTreeSet\u003c\u0026str\u003e = protected.keys().map(Deref::deref).collect();\n        let unprotected_keys: BTreeSet\u003c\u0026str\u003e = unprotected.keys().map(Deref::deref).collect();\n\n        // the members of `protected` and `header` must be disjoint, because otherwise\n        // an implementation must decide which header type takes priority\n        if !protected_keys.is_disjoint(\u0026unprotected_keys) {\n            return Err(Error::NotDisjoint);\n        }\n\n        Ok(Self {\n            protected,\n            unprotected,\n        })\n    }\n\n    fn deserialize_field\u003c'a, 'de, V\u003e(\n        \u0026'a mut self,\n        field: \u0026'a str,\n    ) -\u003e Option\u003cResult\u003cHeaderValue\u003cV\u003e, serde_json::Error\u003e\u003e\n    where\n        V: Deserialize\u003c'de\u003e,\n        'a: 'de,\n    {\n        // Security\n        //\n        // This method first looks at the `protected` header and if the requested field\n        // isn't in there, it looks in the `header` parameter (which is not integrity\n        // protected). A `HeaderDeserializer` should always ensure that the inner JSON\n        // Objects don't share the same parameters but even if they do, an attacker\n        // cannot overwrite protected headers via the unprotected header, because the\n        // protected header is searched first.\n\n        if let Some(p) = self.protected.remove(field) {\n            debug_assert_eq!(self.unprotected.remove(field), None);\n            return Some(V::deserialize(p).map(|v| HeaderValue::Protected(v)));\n        }\n\n        if let Some(u) = self.unprotected.remove(field) {\n            debug_assert_eq!(self.protected.remove(field), None);\n            return Some(V::deserialize(u).map(|v| HeaderValue::Unprotected(v)));\n        }\n\n        None\n    }\n\n    fn additional(self) -\u003e BTreeMap\u003cString, HeaderValue\u003cValue\u003e\u003e {\n        self.protected\n            .into_iter()\n            .map(|(field, value)| (field, HeaderValue::Protected(value)))\n            .chain(\n                self.unprotected\n                    .into_iter()\n                    .map(|(field, value)| (field, HeaderValue::Unprotected(value))),\n            )\n            .collect()\n    }\n}\n","traces":[{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":142,"address":[],"length":0,"stats":{"Line":0}},{"line":144,"address":[],"length":0,"stats":{"Line":0}},{"line":145,"address":[],"length":0,"stats":{"Line":0}},{"line":147,"address":[],"length":0,"stats":{"Line":0}},{"line":150,"address":[],"length":0,"stats":{"Line":0}},{"line":151,"address":[],"length":0,"stats":{"Line":0}},{"line":152,"address":[],"length":0,"stats":{"Line":0}},{"line":153,"address":[],"length":0,"stats":{"Line":0}},{"line":155,"address":[],"length":0,"stats":{"Line":0}},{"line":159,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":0}},{"line":170,"address":[],"length":0,"stats":{"Line":1}},{"line":171,"address":[],"length":0,"stats":{"Line":1}},{"line":176,"address":[],"length":0,"stats":{"Line":0}},{"line":177,"address":[],"length":0,"stats":{"Line":0}},{"line":189,"address":[],"length":0,"stats":{"Line":0}},{"line":190,"address":[],"length":0,"stats":{"Line":0}},{"line":191,"address":[],"length":0,"stats":{"Line":0}},{"line":193,"address":[],"length":0,"stats":{"Line":0}},{"line":204,"address":[],"length":0,"stats":{"Line":0}},{"line":205,"address":[],"length":0,"stats":{"Line":0}},{"line":206,"address":[],"length":0,"stats":{"Line":0}},{"line":208,"address":[],"length":0,"stats":{"Line":0}},{"line":222,"address":[],"length":0,"stats":{"Line":0}},{"line":223,"address":[],"length":0,"stats":{"Line":0}},{"line":236,"address":[],"length":0,"stats":{"Line":0}},{"line":237,"address":[],"length":0,"stats":{"Line":0}},{"line":238,"address":[],"length":0,"stats":{"Line":0}},{"line":240,"address":[],"length":0,"stats":{"Line":0}},{"line":257,"address":[],"length":0,"stats":{"Line":0}},{"line":258,"address":[],"length":0,"stats":{"Line":0}},{"line":259,"address":[],"length":0,"stats":{"Line":0}},{"line":261,"address":[],"length":0,"stats":{"Line":0}},{"line":262,"address":[],"length":0,"stats":{"Line":0}},{"line":284,"address":[],"length":0,"stats":{"Line":0}},{"line":285,"address":[],"length":0,"stats":{"Line":0}},{"line":286,"address":[],"length":0,"stats":{"Line":0}},{"line":288,"address":[],"length":0,"stats":{"Line":0}},{"line":298,"address":[],"length":0,"stats":{"Line":0}},{"line":299,"address":[],"length":0,"stats":{"Line":0}},{"line":300,"address":[],"length":0,"stats":{"Line":0}},{"line":302,"address":[],"length":0,"stats":{"Line":0}},{"line":333,"address":[],"length":0,"stats":{"Line":0}},{"line":334,"address":[],"length":0,"stats":{"Line":0}},{"line":335,"address":[],"length":0,"stats":{"Line":0}},{"line":337,"address":[],"length":0,"stats":{"Line":0}},{"line":358,"address":[],"length":0,"stats":{"Line":0}},{"line":359,"address":[],"length":0,"stats":{"Line":0}},{"line":360,"address":[],"length":0,"stats":{"Line":0}},{"line":362,"address":[],"length":0,"stats":{"Line":0}},{"line":370,"address":[],"length":0,"stats":{"Line":0}},{"line":371,"address":[],"length":0,"stats":{"Line":0}},{"line":372,"address":[],"length":0,"stats":{"Line":0}},{"line":373,"address":[],"length":0,"stats":{"Line":0}},{"line":374,"address":[],"length":0,"stats":{"Line":0}},{"line":393,"address":[],"length":0,"stats":{"Line":0}},{"line":394,"address":[],"length":0,"stats":{"Line":0}},{"line":395,"address":[],"length":0,"stats":{"Line":0}},{"line":398,"address":[],"length":0,"stats":{"Line":0}},{"line":413,"address":[],"length":0,"stats":{"Line":1}},{"line":414,"address":[],"length":0,"stats":{"Line":1}},{"line":428,"address":[],"length":0,"stats":{"Line":0}},{"line":429,"address":[],"length":0,"stats":{"Line":0}},{"line":430,"address":[],"length":0,"stats":{"Line":0}},{"line":431,"address":[],"length":0,"stats":{"Line":0}},{"line":447,"address":[],"length":0,"stats":{"Line":0}},{"line":448,"address":[],"length":0,"stats":{"Line":0}},{"line":458,"address":[],"length":0,"stats":{"Line":0}},{"line":459,"address":[],"length":0,"stats":{"Line":0}},{"line":460,"address":[],"length":0,"stats":{"Line":0}},{"line":461,"address":[],"length":0,"stats":{"Line":0}},{"line":474,"address":[],"length":0,"stats":{"Line":0}},{"line":478,"address":[],"length":0,"stats":{"Line":0}},{"line":479,"address":[],"length":0,"stats":{"Line":0}},{"line":480,"address":[],"length":0,"stats":{"Line":0}},{"line":481,"address":[],"length":0,"stats":{"Line":0}},{"line":482,"address":[],"length":0,"stats":{"Line":0}},{"line":483,"address":[],"length":0,"stats":{"Line":0}},{"line":484,"address":[],"length":0,"stats":{"Line":0}},{"line":485,"address":[],"length":0,"stats":{"Line":0}},{"line":486,"address":[],"length":0,"stats":{"Line":0}},{"line":487,"address":[],"length":0,"stats":{"Line":0}},{"line":492,"address":[],"length":0,"stats":{"Line":0}},{"line":493,"address":[],"length":0,"stats":{"Line":0}},{"line":495,"address":[],"length":0,"stats":{"Line":0}},{"line":496,"address":[],"length":0,"stats":{"Line":0}},{"line":497,"address":[],"length":0,"stats":{"Line":0}},{"line":500,"address":[],"length":0,"stats":{"Line":0}},{"line":502,"address":[],"length":0,"stats":{"Line":0}},{"line":503,"address":[],"length":0,"stats":{"Line":0}},{"line":504,"address":[],"length":0,"stats":{"Line":0}},{"line":505,"address":[],"length":0,"stats":{"Line":0}},{"line":506,"address":[],"length":0,"stats":{"Line":0}},{"line":507,"address":[],"length":0,"stats":{"Line":0}},{"line":508,"address":[],"length":0,"stats":{"Line":0}},{"line":509,"address":[],"length":0,"stats":{"Line":0}},{"line":510,"address":[],"length":0,"stats":{"Line":0}},{"line":511,"address":[],"length":0,"stats":{"Line":0}},{"line":512,"address":[],"length":0,"stats":{"Line":0}},{"line":513,"address":[],"length":0,"stats":{"Line":0}},{"line":515,"address":[],"length":0,"stats":{"Line":0}},{"line":521,"address":[],"length":0,"stats":{"Line":0}},{"line":524,"address":[],"length":0,"stats":{"Line":0}},{"line":528,"address":[],"length":0,"stats":{"Line":0}},{"line":531,"address":[],"length":0,"stats":{"Line":0}},{"line":532,"address":[],"length":0,"stats":{"Line":0}},{"line":533,"address":[],"length":0,"stats":{"Line":0}},{"line":534,"address":[],"length":0,"stats":{"Line":0}},{"line":535,"address":[],"length":0,"stats":{"Line":0}},{"line":539,"address":[],"length":0,"stats":{"Line":0}},{"line":543,"address":[],"length":0,"stats":{"Line":0}},{"line":544,"address":[],"length":0,"stats":{"Line":0}},{"line":545,"address":[],"length":0,"stats":{"Line":0}},{"line":546,"address":[],"length":0,"stats":{"Line":0}},{"line":547,"address":[],"length":0,"stats":{"Line":0}},{"line":548,"address":[],"length":0,"stats":{"Line":0}},{"line":551,"address":[],"length":0,"stats":{"Line":0}},{"line":552,"address":[],"length":0,"stats":{"Line":0}},{"line":555,"address":[],"length":0,"stats":{"Line":0}},{"line":556,"address":[],"length":0,"stats":{"Line":0}},{"line":557,"address":[],"length":0,"stats":{"Line":0}},{"line":558,"address":[],"length":0,"stats":{"Line":0}},{"line":559,"address":[],"length":0,"stats":{"Line":0}},{"line":560,"address":[],"length":0,"stats":{"Line":0}},{"line":561,"address":[],"length":0,"stats":{"Line":0}},{"line":562,"address":[],"length":0,"stats":{"Line":0}},{"line":563,"address":[],"length":0,"stats":{"Line":0}},{"line":564,"address":[],"length":0,"stats":{"Line":0}},{"line":567,"address":[],"length":0,"stats":{"Line":0}},{"line":568,"address":[],"length":0,"stats":{"Line":0}},{"line":569,"address":[],"length":0,"stats":{"Line":0}},{"line":570,"address":[],"length":0,"stats":{"Line":0}},{"line":571,"address":[],"length":0,"stats":{"Line":0}},{"line":573,"address":[],"length":0,"stats":{"Line":0}},{"line":574,"address":[],"length":0,"stats":{"Line":0}},{"line":575,"address":[],"length":0,"stats":{"Line":0}},{"line":579,"address":[],"length":0,"stats":{"Line":0}},{"line":580,"address":[],"length":0,"stats":{"Line":0}},{"line":581,"address":[],"length":0,"stats":{"Line":0}},{"line":584,"address":[],"length":0,"stats":{"Line":0}},{"line":585,"address":[],"length":0,"stats":{"Line":0}},{"line":586,"address":[],"length":0,"stats":{"Line":0}},{"line":589,"address":[],"length":0,"stats":{"Line":0}},{"line":602,"address":[],"length":0,"stats":{"Line":0}},{"line":608,"address":[],"length":0,"stats":{"Line":0}},{"line":610,"address":[],"length":0,"stats":{"Line":0}},{"line":613,"address":[],"length":0,"stats":{"Line":0}},{"line":615,"address":[],"length":0,"stats":{"Line":0}},{"line":619,"address":[],"length":0,"stats":{"Line":0}},{"line":620,"address":[],"length":0,"stats":{"Line":0}},{"line":621,"address":[],"length":0,"stats":{"Line":0}},{"line":622,"address":[],"length":0,"stats":{"Line":0}},{"line":623,"address":[],"length":0,"stats":{"Line":0}},{"line":632,"address":[],"length":0,"stats":{"Line":0}},{"line":635,"address":[],"length":0,"stats":{"Line":0}},{"line":636,"address":[],"length":0,"stats":{"Line":0}},{"line":637,"address":[],"length":0,"stats":{"Line":0}},{"line":641,"address":[],"length":0,"stats":{"Line":0}},{"line":658,"address":[],"length":0,"stats":{"Line":0}},{"line":659,"address":[],"length":0,"stats":{"Line":0}},{"line":660,"address":[],"length":0,"stats":{"Line":0}},{"line":663,"address":[],"length":0,"stats":{"Line":0}},{"line":664,"address":[],"length":0,"stats":{"Line":0}},{"line":665,"address":[],"length":0,"stats":{"Line":0}},{"line":668,"address":[],"length":0,"stats":{"Line":0}},{"line":671,"address":[],"length":0,"stats":{"Line":0}},{"line":672,"address":[],"length":0,"stats":{"Line":0}},{"line":674,"address":[],"length":0,"stats":{"Line":0}},{"line":676,"address":[],"length":0,"stats":{"Line":0}},{"line":677,"address":[],"length":0,"stats":{"Line":0}},{"line":678,"address":[],"length":0,"stats":{"Line":0}}],"covered":4,"coverable":172},{"path":["/","home","stu","dev","rust","jose","src","jwa","aes_cbc_hs.rs"],"content":"/// Authenticated encryption algorithms built using a composition of AES in\n/// Cipher Block Chaining (CBC) mode and HMAC as defined in [section 5.2 of RFC\n/// 7518]\n///\n/// [section 5.2 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5.2\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Hash)]\npub enum AesCbcHs {\n    /// AES_128_CBC_HMAC_SHA_256 authenticated encryption as defined in [section\n    /// 5.2.3]\n    ///\n    /// [section 5.2.3]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5.2.3\u003e\n    Aes128CbcHs256,\n    /// AES_192_CBC_HMAC_SHA_384 authenticated encryption algorithm as defined\n    /// in [section 5.2.4]\n    ///\n    /// [section 5.2.4]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5.2.4\u003e\n    Aes192CbcHs384,\n\n    /// AES_256_CBC_HMAC_SHA_512 authenticated encryption algorithm as defined\n    /// in [section 5.2.5]\n    ///\n    /// [section 5.2.5]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5.2.5\u003e\n    Aes256CbcHs512,\n}\n\nimpl From\u003cAesCbcHs\u003e for super::JsonWebContentEncryptionAlgorithm {\n    fn from(x: AesCbcHs) -\u003e Self {\n        super::JsonWebContentEncryptionAlgorithm::AesCbcHs(x)\n    }\n}\n","traces":[{"line":27,"address":[],"length":0,"stats":{"Line":0}},{"line":28,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":2},{"path":["/","home","stu","dev","rust","jose","src","jwa","aes_gcm.rs"],"content":"/// Different variants of AES GCM as in the table in [section 4.7 of RFC 7518]\n///\n/// [section 4.7 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.7\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum AesGcm {\n    /// Key wrapping with AES GCM using 128-bit key\n    Aes128,\n    /// Key wrapping with AES GCM using 192-bit key\n    Aes192,\n    /// Key wrapping with AES GCM using 256-bit key\n    Aes256,\n}\n\nimpl From\u003cAesGcm\u003e for super::JsonWebEncryptionAlgorithm {\n    fn from(x: AesGcm) -\u003e Self {\n        Self::AesGcmKw(x)\n    }\n}\n\nimpl From\u003cAesGcm\u003e for super::JsonWebAlgorithm {\n    fn from(x: AesGcm) -\u003e Self {\n        Self::Encryption(super::JsonWebEncryptionAlgorithm::AesGcmKw(x))\n    }\n}\n\nimpl From\u003cAesGcm\u003e for super::JsonWebContentEncryptionAlgorithm {\n    fn from(x: AesGcm) -\u003e Self {\n        super::JsonWebContentEncryptionAlgorithm::AesGcm(x)\n    }\n}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}},{"line":27,"address":[],"length":0,"stats":{"Line":0}},{"line":28,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":6},{"path":["/","home","stu","dev","rust","jose","src","jwa","aes_kw.rs"],"content":"/// Key Wrapping with AES Key Wrap as defined in [section 4.4 of RFC 7518]\n///\n/// [section 4.4 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.4\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Copy, Hash)]\npub enum AesKw {\n    /// AES Key Wrap with default initial value using 128-bit key\n    Aes128,\n    /// AES Key Wrap with default initial value using 192-bit key\n    Aes192,\n    /// AES Key Wrap with default initial value using 256-bit key\n    Aes256,\n}\n\nimpl From\u003cAesKw\u003e for super::JsonWebEncryptionAlgorithm {\n    fn from(x: AesKw) -\u003e Self {\n        Self::AesKw(x)\n    }\n}\n\nimpl From\u003cAesKw\u003e for super::JsonWebAlgorithm {\n    fn from(x: AesKw) -\u003e Self {\n        Self::Encryption(super::JsonWebEncryptionAlgorithm::AesKw(x))\n    }\n}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","ecdh_es.rs"],"content":"use super::AesKw;\n\n/// Different modes ECDH-ES can be used as defined in [section 4.6 of RFC 7518]\n///\n/// [section 4.6 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.6\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum EcDhES {\n    /// Using ECDH-ES directly without any wrapping\n    Direct,\n    /// ECDH-ES using Concat KDF and CEK wrapped with one variant of [AesKw]\n    AesKw(AesKw),\n}\n\nimpl From\u003cEcDhES\u003e for super::JsonWebEncryptionAlgorithm {\n    fn from(x: EcDhES) -\u003e Self {\n        Self::EcDhES(x)\n    }\n}\n\nimpl From\u003cEcDhES\u003e for super::JsonWebAlgorithm {\n    fn from(x: EcDhES) -\u003e Self {\n        Self::Encryption(super::JsonWebEncryptionAlgorithm::EcDhES(x))\n    }\n}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","ecdsa.rs"],"content":"/// Digital Signature with ECDSA as defined in [section 3.4 of RFC 7518]\n///\n/// [section 3.4 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.4\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum EcDSA {\n    /// ECDSA using P-256 and SHA-256\n    Es256,\n    /// ECDSA using P-384 and SHA-384\n    Es384,\n    /// ECDSA using P-521 and SHA-512\n    Es512,\n    /// ECDSA using secp256k1 curve and SHA-256\n    ///\n    /// ECDSA with secp256k1 is defined in [RFC 8812 section 3]\n    ///\n    /// [RFC 8812 section 3]: \u003chttps://datatracker.ietf.org/doc/html/rfc8812#section-3\u003e\n    Es256K,\n}\n\nimpl From\u003cEcDSA\u003e for super::JsonWebSigningAlgorithm {\n    fn from(x: EcDSA) -\u003e Self {\n        Self::EcDSA(x)\n    }\n}\n\nimpl From\u003cEcDSA\u003e for super::JsonWebAlgorithm {\n    fn from(x: EcDSA) -\u003e Self {\n        Self::Signing(super::JsonWebSigningAlgorithm::EcDSA(x))\n    }\n}\n","traces":[{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}},{"line":27,"address":[],"length":0,"stats":{"Line":6}},{"line":28,"address":[],"length":0,"stats":{"Line":6}}],"covered":2,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","hmac.rs"],"content":"/// HMAC with SHA-2 Functions as defined in [section 3.2 of RFC 7518]\n///\n/// [section 3.2 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.2\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum Hmac {\n    /// HMAC using SHA-256\n    Hs256,\n    /// HMAC using SHA-384\n    Hs384,\n    /// HMAC using SHA-512\n    Hs512,\n}\n\nimpl From\u003cHmac\u003e for super::JsonWebSigningAlgorithm {\n    fn from(x: Hmac) -\u003e Self {\n        Self::Hmac(x)\n    }\n}\n\nimpl From\u003cHmac\u003e for super::JsonWebAlgorithm {\n    fn from(x: Hmac) -\u003e Self {\n        Self::Signing(super::JsonWebSigningAlgorithm::Hmac(x))\n    }\n}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":2}},{"line":22,"address":[],"length":0,"stats":{"Line":2}}],"covered":2,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","pbes2.rs"],"content":"/// A variant of Key Encryption with PBES2 as defined in the table of [section\n/// 4.8 of RFC 7518]\n///\n/// [section 4.8 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.8\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum Pbes2 {\n    /// PBES2 with HMAC SHA-256 and \"A128KW\" wrapping\n    Hs256Aes128,\n    /// PBES2 with HMAC SHA-384 and \"A192KW\" wrapping\n    Hs384Aes192,\n    /// PBES2 with HMAC SHA-512 and \"A256KW\" wrapping\n    Hs512Aes256,\n}\n\nimpl From\u003cPbes2\u003e for super::JsonWebEncryptionAlgorithm {\n    fn from(x: Pbes2) -\u003e Self {\n        Self::Pbes2(x)\n    }\n}\n\nimpl From\u003cPbes2\u003e for super::JsonWebAlgorithm {\n    fn from(x: Pbes2) -\u003e Self {\n        Self::Encryption(super::JsonWebEncryptionAlgorithm::Pbes2(x))\n    }\n}\n","traces":[{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":17,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}},{"line":23,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","rsa","rsaes_oaep.rs"],"content":"/// Key Encryption with RSAES OAEP as defined in [section 4.3 of RFC 7518]\n///\n/// [section 4.3 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.3\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum RsaesOaep {\n    /// RSAES OAEP using default parameters\n    RsaesOaep,\n    /// RSAES OAEP using SHA-256 and MGF1 with SHA-256\n    RsaesOaep256,\n}\n\nimpl From\u003cRsaesOaep\u003e for crate::jwa::JsonWebEncryptionAlgorithm {\n    fn from(x: RsaesOaep) -\u003e Self {\n        Self::RsaesOaep(x)\n    }\n}\n\nimpl From\u003cRsaesOaep\u003e for crate::jwa::JsonWebAlgorithm {\n    fn from(x: RsaesOaep) -\u003e Self {\n        Self::Encryption(crate::jwa::JsonWebEncryptionAlgorithm::RsaesOaep(x))\n    }\n}\n","traces":[{"line":13,"address":[],"length":0,"stats":{"Line":0}},{"line":14,"address":[],"length":0,"stats":{"Line":0}},{"line":19,"address":[],"length":0,"stats":{"Line":2}},{"line":20,"address":[],"length":0,"stats":{"Line":2}}],"covered":2,"coverable":4},{"path":["/","home","stu","dev","rust","jose","src","jwa","rsa","rsassa_pkcs1_v1_5.rs"],"content":"/// Digital Signature with RSASSA-PKCS1-v1_5 as defined in [section 3.3 of RFC\n/// 7518]\n///\n/// [section 3.3 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.3\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum RsassaPkcs1V1_5 {\n    /// RSASSA-PKCS1-v1_5 using SHA-256\n    Rs256,\n    /// RSASSA-PKCS1-v1_5 using SHA-384\n    Rs384,\n    /// RSASSA-PKCS1-v1_5 using SHA-512\n    Rs512,\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","jwa","rsa","rsassa_pss.rs"],"content":"/// Digital Signature with RSASSA-PSS as defined in [section 3.5 of RFC 7518]\n///\n/// [section 3.5 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.5\u003e\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum RsassaPss {\n    /// RSASSA-PSS using SHA-256 and MGF1 with SHA-256\n    Ps256,\n    /// RSASSA-PSS using SHA-384 and MGF1 with SHA-384\n    Ps384,\n    /// RSASSA-PSS using SHA-512 and MGF1 with SHA-512\n    Ps512,\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","jwa","rsa.rs"],"content":"mod rsaes_oaep;\nmod rsassa_pkcs1_v1_5;\nmod rsassa_pss;\n\npub use self::{rsaes_oaep::RsaesOaep, rsassa_pkcs1_v1_5::RsassaPkcs1V1_5, rsassa_pss::RsassaPss};\n\n/// Some signing algorithm using a RSA key under the hood\n#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]\npub enum RsaSigning {\n    /// Digital Signature with RSASSA-PSS\n    Pss(RsassaPss),\n    /// Digital Signature with RSASSA-PKCS1-v1_5\n    RsPkcs1V1_5(RsassaPkcs1V1_5),\n}\n\nimpl From\u003cRsaSigning\u003e for super::JsonWebAlgorithm {\n    fn from(x: RsaSigning) -\u003e Self {\n        Self::Signing(super::JsonWebSigningAlgorithm::Rsa(x))\n    }\n}\n\nimpl From\u003cRsaSigning\u003e for super::JsonWebSigningAlgorithm {\n    fn from(x: RsaSigning) -\u003e Self {\n        Self::Rsa(x)\n    }\n}\n\nimpl From\u003cRsassaPss\u003e for RsaSigning {\n    fn from(x: RsassaPss) -\u003e Self {\n        RsaSigning::Pss(x)\n    }\n}\n\nimpl From\u003cRsassaPss\u003e for super::JsonWebSigningAlgorithm {\n    fn from(x: RsassaPss) -\u003e Self {\n        Self::Rsa(RsaSigning::Pss(x))\n    }\n}\n\nimpl From\u003cRsassaPss\u003e for super::JsonWebAlgorithm {\n    fn from(x: RsassaPss) -\u003e Self {\n        Self::Signing(super::JsonWebSigningAlgorithm::Rsa(RsaSigning::Pss(x)))\n    }\n}\n\nimpl From\u003cRsassaPkcs1V1_5\u003e for RsaSigning {\n    fn from(x: RsassaPkcs1V1_5) -\u003e Self {\n        RsaSigning::RsPkcs1V1_5(x)\n    }\n}\n\nimpl From\u003cRsassaPkcs1V1_5\u003e for super::JsonWebSigningAlgorithm {\n    fn from(x: RsassaPkcs1V1_5) -\u003e Self {\n        Self::Rsa(RsaSigning::RsPkcs1V1_5(x))\n    }\n}\n\nimpl From\u003cRsassaPkcs1V1_5\u003e for super::JsonWebAlgorithm {\n    fn from(x: RsassaPkcs1V1_5) -\u003e Self {\n        Self::Signing(super::JsonWebSigningAlgorithm::Rsa(\n            RsaSigning::RsPkcs1V1_5(x),\n        ))\n    }\n}\n","traces":[{"line":17,"address":[],"length":0,"stats":{"Line":0}},{"line":18,"address":[],"length":0,"stats":{"Line":0}},{"line":23,"address":[],"length":0,"stats":{"Line":0}},{"line":24,"address":[],"length":0,"stats":{"Line":0}},{"line":29,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":41,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":54,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":1}},{"line":60,"address":[],"length":0,"stats":{"Line":1}},{"line":61,"address":[],"length":0,"stats":{"Line":1}}],"covered":3,"coverable":17},{"path":["/","home","stu","dev","rust","jose","src","jwa.rs"],"content":"//! Implementation of JSON Web Algorithms (JWA) as defined in [RFC 7518]\n//!\n//! [RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518\u003e\n\nmod aes_cbc_hs;\nmod aes_gcm;\nmod aes_kw;\nmod ecdh_es;\nmod ecdsa;\nmod hmac;\nmod pbes2;\nmod rsa;\n\nuse alloc::{borrow::Cow, string::String};\n\nuse serde::{Deserialize, Serialize};\n\n#[doc(inline)]\npub use self::{\n    aes_cbc_hs::AesCbcHs,\n    aes_gcm::AesGcm,\n    aes_kw::AesKw,\n    ecdh_es::EcDhES,\n    ecdsa::EcDSA,\n    hmac::Hmac,\n    pbes2::Pbes2,\n    rsa::{RsaSigning, RsaesOaep, RsassaPkcs1V1_5, RsassaPss},\n};\n\n/// Either a JSON Web Algorithm for signing operations, or an algorithm for\n/// encryption operations. Possible values should be registered in the [IANA\n/// `JSON Web Signature and Encryption Algorithms` registry][1].\n///\n/// [1]: \u003chttps://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize)]\n#[serde(untagged)]\npub enum JsonWebAlgorithm {\n    /// Signing algorithm.\n    Signing(JsonWebSigningAlgorithm),\n\n    /// Encryption algorithm.\n    Encryption(JsonWebEncryptionAlgorithm),\n\n    /// Unknown algorithm.\n    Other(String),\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for JsonWebAlgorithm {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let name = Cow::\u003c'_, str\u003e::deserialize(deserializer)?;\n\n        let sign =\n            JsonWebSigningAlgorithm::from_str_without_other(name.as_ref()).map(Self::Signing);\n        let enc =\n            JsonWebEncryptionAlgorithm::from_str_without_other(name.as_ref()).map(Self::Encryption);\n\n        let alg = sign\n            .or(enc)\n            .unwrap_or_else(|| Self::Other(name.into_owned()));\n        Ok(alg)\n    }\n}\n\n/// A JSON Web Algorithm (JWA) for singing operations (JWS) as defined in [RFC\n/// 7518 section 3]\n///\n/// This enum covers the `alg` Header Parameter Values for JWS. It represents\n/// the table from [section 3.1].\n///\n/// [RFC 7518 section 3]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3\u003e\n/// [section 3.1]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.1\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Hash)]\n#[non_exhaustive]\npub enum JsonWebSigningAlgorithm {\n    /// HMAC with SHA-2 Functions\n    Hmac(Hmac),\n    /// RSASSA-PKCS1-v1_5 using SHA-2 Functions\n    /// Digital Signature with RSASSA-PSS\n    Rsa(RsaSigning),\n    /// Digital Signature with ECDSA\n    EcDSA(EcDSA),\n    /// Digital Signature with Edwards-curve Digital Signature Algorithm (EdDSA)\n    /// as defined in [section 3.1 of RFC 8037]\n    ///\n    /// Note: `EdDSA` should not be confused with\n    /// [`EcDSA`](JsonWebSigningAlgorithm::EcDSA).\n    /// Also note that an EdDSA signature can either be made using `Ed25519` or\n    /// `Ed448` but this information is not included.\n    ///\n    /// [section 3.1 of RFC 8037]: \u003chttps://datatracker.ietf.org/doc/html/rfc8037#section-3.1\u003e\n    EdDSA,\n    /// The \"none\" algorithm as defined in [section 3.6 of RFC 7518].\n    ///\n    /// Using this algorithm essentially means that there is\n    /// no integrity protection for the JWS.\n    ///\n    /// [section 3.6 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-3.6\u003e\n    None,\n    /// JSON Web Algorithms that are not recognised by this implementation.\n    ///\n    /// If you want to implement custom algorithms via a custom\n    /// [`Signer`](crate::jws::Signer) and [`Verifier`](crate::jws::Verifier)\n    /// type, you should use this type to define an identifier for your\n    /// algorithm.\n    ///\n    /// Note: When you deserialize the `alg` header parameter via the\n    /// [`JsonWebAlgorithm`] enum, this variant will never be\n    /// constructed.\n    Other(String),\n}\n\nimpl From\u003cJsonWebSigningAlgorithm\u003e for JsonWebAlgorithm {\n    fn from(x: JsonWebSigningAlgorithm) -\u003e Self {\n        Self::Signing(x)\n    }\n}\n\n// don't judge this macro please.\n// its ugly but it works\nimpl_serde_jwa!(\n    JsonWebSigningAlgorithm,\n    [\n        \"HS256\" =\u003e Self::Hmac(Hmac::Hs256); Self::Hmac(Hmac::Hs256),\n        \"HS384\" =\u003e Self::Hmac(Hmac::Hs384); Self::Hmac(Hmac::Hs384),\n        \"HS512\" =\u003e Self::Hmac(Hmac::Hs512); Self::Hmac(Hmac::Hs512),\n\n        \"RS256\" =\u003e Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs256)); Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs256)),\n        \"RS384\" =\u003e Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs384)); Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs384)),\n        \"RS512\" =\u003e Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs512)); Self::Rsa(RsaSigning::RsPkcs1V1_5(RsassaPkcs1V1_5::Rs512)),\n\n        \"ES256\" =\u003e Self::EcDSA(EcDSA::Es256); Self::EcDSA(EcDSA::Es256),\n        \"ES384\" =\u003e Self::EcDSA(EcDSA::Es384); Self::EcDSA(EcDSA::Es384),\n        \"ES512\" =\u003e Self::EcDSA(EcDSA::Es512); Self::EcDSA(EcDSA::Es512),\n        \"ES256K\" =\u003e Self::EcDSA(EcDSA::Es256K); Self::EcDSA(EcDSA::Es256K),\n\n        \"EdDSA\" =\u003e Self::EdDSA; Self::EdDSA,\n\n        \"PS256\" =\u003e Self::Rsa(RsaSigning::Pss(RsassaPss::Ps256)); Self::Rsa(RsaSigning::Pss(RsassaPss::Ps256)),\n        \"PS384\" =\u003e Self::Rsa(RsaSigning::Pss(RsassaPss::Ps384)); Self::Rsa(RsaSigning::Pss(RsassaPss::Ps384)),\n        \"PS512\" =\u003e Self::Rsa(RsaSigning::Pss(RsassaPss::Ps512)); Self::Rsa(RsaSigning::Pss(RsassaPss::Ps512)),\n\n\n        \"none\" =\u003e Self::None; Self::None,\n    ]\n);\n\n/// A JSON Web Algorithm (JWA) for encryption and decryption of Content\n/// Encryption Key (CEK) as defined in [RFC 7518 section 4]\n///\n/// This enum covers the `alg` Header Parameter Values for JWE. It represents\n/// the table from [section 4.1].\n///\n/// [RFC 7518 section 4]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4\u003e\n/// [section 4.1]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.1\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Hash)]\n#[non_exhaustive]\npub enum JsonWebEncryptionAlgorithm {\n    /// Key Encryption with RSAES-PKCS1-v1_5 as defined in [section 4.2]\n    ///\n    /// [section 4.2]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.2\u003e\n    Rsa1_5,\n    /// Key Encryption with RSAES OAEP\n    RsaesOaep(RsaesOaep),\n    /// AES Key Wrap\n    AesKw(AesKw),\n    /// Direct use of a shared symmetric key as the CEK as defined in [section\n    /// 4.5]\n    ///\n    /// [section 4.5]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-4.5\u003e\n    Direct,\n    /// Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES)\n    EcDhES(EcDhES),\n    /// Key wrapping with AES GCM\n    AesGcmKw(AesGcm),\n    /// PBES2 Key Encryption\n    Pbes2(Pbes2),\n    /// JSON Web Algorithms that are not recognised by this implementation.\n    ///\n    /// If you want to implement custom algorithms for use in JSON Web\n    /// encryption, you should use this variant to identify your algorithm.\n    ///\n    /// Note: When you deserialize the `alg` header parameter via the\n    /// [`JsonWebAlgorithm`] enum, this variant will never be\n    /// constructed.\n    Other(String),\n}\n\nimpl From\u003cJsonWebEncryptionAlgorithm\u003e for JsonWebAlgorithm {\n    fn from(x: JsonWebEncryptionAlgorithm) -\u003e Self {\n        Self::Encryption(x)\n    }\n}\n\nimpl_serde_jwa!(\n    JsonWebEncryptionAlgorithm,\n    [\n        \"RSA1_5\" =\u003e Self::Rsa1_5; Self::Rsa1_5,\n        \"RSA-OAEP\" =\u003e Self::RsaesOaep(RsaesOaep::RsaesOaep); Self::RsaesOaep(RsaesOaep::RsaesOaep),\n        \"RSA-OAEP-256\" =\u003e Self::RsaesOaep(RsaesOaep::RsaesOaep256); Self::RsaesOaep(RsaesOaep::RsaesOaep256),\n        \"A128KW\" =\u003e Self::AesKw(AesKw::Aes128); Self::AesKw(AesKw::Aes128),\n        \"A192KW\" =\u003e Self::AesKw(AesKw::Aes192); Self::AesKw(AesKw::Aes192),\n        \"A256KW\" =\u003e Self::AesKw(AesKw::Aes256); Self::AesKw(AesKw::Aes256),\n        \"dir\" =\u003e Self::Direct; Self::Direct,\n        \"ECDH-ES\" =\u003e Self::EcDhES(EcDhES::Direct); Self::EcDhES(EcDhES::Direct),\n        \"ECDH-ES+A128KW\" =\u003e Self::EcDhES(EcDhES::AesKw(AesKw::Aes128)); Self::EcDhES(EcDhES::AesKw(AesKw::Aes128)),\n        \"ECDH-ES+A192KW\" =\u003e Self::EcDhES(EcDhES::AesKw(AesKw::Aes192)); Self::EcDhES(EcDhES::AesKw(AesKw::Aes192)),\n        \"ECDH-ES+A256KW\" =\u003e Self::EcDhES(EcDhES::AesKw(AesKw::Aes256)); Self::EcDhES(EcDhES::AesKw(AesKw::Aes256)),\n        \"A128GCMKW\" =\u003e Self::AesGcmKw(AesGcm::Aes128); Self::AesGcmKw(AesGcm::Aes128),\n        \"A192GCMKW\" =\u003e Self::AesGcmKw(AesGcm::Aes192); Self::AesGcmKw(AesGcm::Aes192),\n        \"A256GCMKW\" =\u003e Self::AesGcmKw(AesGcm::Aes256); Self::AesGcmKw(AesGcm::Aes256),\n        \"PBES2-HS256+A128KW\" =\u003e Self::Pbes2(Pbes2::Hs256Aes128); Self::Pbes2(Pbes2::Hs256Aes128),\n        \"PBES2-HS384+A192KW\" =\u003e Self::Pbes2(Pbes2::Hs384Aes192); Self::Pbes2(Pbes2::Hs384Aes192),\n        \"PBES2-HS512+A256KW\" =\u003e Self::Pbes2(Pbes2::Hs512Aes256); Self::Pbes2(Pbes2::Hs512Aes256),\n    ]\n);\n\n/// A JSON Web Algorithm (JWA) for content encryption and decryption of a JWE as\n/// defined in [RFC 7518 section 5]\n///\n/// This enum covers the `enc` Header Parameter Values for JWE. It represents\n/// the table from [section 5.1].\n///\n/// [RFC 7518 section 5]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5\u003e\n/// [section 5.1]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-5.1\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Hash)]\n#[non_exhaustive]\npub enum JsonWebContentEncryptionAlgorithm {\n    /// Content Encryption using AES in CBC mode with HMAC\n    AesCbcHs(AesCbcHs),\n    /// Content Encryption using AES GCM\n    AesGcm(AesGcm),\n    /// JSON Web Algorithms that are not recognised by this implementation.\n    ///\n    /// Use this variant if you want to implement a custom content encryption\n    /// algorithm.\n    Other(String),\n}\n\nimpl_serde_jwa!(\n    JsonWebContentEncryptionAlgorithm,\n    [\n        \"A128CBC-HS256\" =\u003e Self::AesCbcHs(AesCbcHs::Aes128CbcHs256); Self::AesCbcHs(AesCbcHs::Aes128CbcHs256),\n        \"A192CBC-HS384\" =\u003e Self::AesCbcHs(AesCbcHs::Aes192CbcHs384); Self::AesCbcHs(AesCbcHs::Aes192CbcHs384),\n        \"A256CBC-HS512\" =\u003e Self::AesCbcHs(AesCbcHs::Aes256CbcHs512); Self::AesCbcHs(AesCbcHs::Aes256CbcHs512),\n\n        \"A128GCM\" =\u003e Self::AesGcm(AesGcm::Aes128); Self::AesGcm(AesGcm::Aes128),\n        \"A192GCM\" =\u003e Self::AesGcm(AesGcm::Aes192); Self::AesGcm(AesGcm::Aes192),\n        \"A256GCM\" =\u003e Self::AesGcm(AesGcm::Aes256); Self::AesGcm(AesGcm::Aes256),\n    ]\n);\n\n#[test]\nfn test_others_not_stealing() {\n    use alloc::string::ToString;\n    let jwe = \"dir\";\n    let jwa: JsonWebAlgorithm =\n        serde_json::from_value(serde_json::Value::String(jwe.to_string())).unwrap();\n    assert_eq!(\n        jwa,\n        JsonWebAlgorithm::Encryption(JsonWebEncryptionAlgorithm::Direct)\n    );\n}\n","traces":[{"line":49,"address":[],"length":0,"stats":{"Line":47}},{"line":53,"address":[],"length":0,"stats":{"Line":94}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":0}},{"line":62,"address":[],"length":0,"stats":{"Line":2}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":2}},{"line":117,"address":[],"length":0,"stats":{"Line":2}},{"line":192,"address":[],"length":0,"stats":{"Line":0}},{"line":193,"address":[],"length":0,"stats":{"Line":0}}],"covered":5,"coverable":14},{"path":["/","home","stu","dev","rust","jose","src","jwe.rs"],"content":"//! Implementation of JSON Web Encryption (JWE) as defined in [RFC 7516]\n//!\n//! [RFC 7516]: \u003chttps://www.rfc-editor.org/rfc/rfc7516.html\u003e\n\n/// TODO\n#[derive(Debug)]\npub struct JsonWebEncryption {}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","jwk","asymmetric.rs"],"content":"use alloc::string::String;\n\nuse serde::{Deserialize, Serialize};\n\nuse super::{Private, Public, Thumbprint};\n\n/// Some kind of asymmetric cryptographic key which can be either [`Private`] or\n/// [`Public`]\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Hash)]\n#[serde(untagged)]\npub enum AsymmetricJsonWebKey {\n    /// The private part of an asymmetric key\n    Private(Private),\n    /// The public part of an asymmetric key\n    Public(Public),\n}\n\nimpl crate::sealed::Sealed for AsymmetricJsonWebKey {}\nimpl Thumbprint for AsymmetricJsonWebKey {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            AsymmetricJsonWebKey::Private(key) =\u003e key.thumbprint_prehashed(),\n            AsymmetricJsonWebKey::Public(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl From\u003cAsymmetricJsonWebKey\u003e for super::JsonWebKeyType {\n    fn from(x: AsymmetricJsonWebKey) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(x))\n    }\n}\n","traces":[{"line":20,"address":[],"length":0,"stats":{"Line":58}},{"line":21,"address":[],"length":0,"stats":{"Line":58}},{"line":22,"address":[],"length":0,"stats":{"Line":25}},{"line":23,"address":[],"length":0,"stats":{"Line":33}},{"line":29,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":0}}],"covered":4,"coverable":6},{"path":["/","home","stu","dev","rust","jose","src","jwk","builder.rs"],"content":"use alloc::{string::String, vec::Vec};\nuse core::convert::Infallible;\n\nuse hashbrown::HashSet;\n\nuse super::{serde_impl::Base64DerCertificate, JsonWebKey, JsonWebKeyType, KeyOperation, KeyUsage};\nuse crate::{\n    jwa::JsonWebAlgorithm,\n    jwk::policy::{Checkable, Checked, Policy},\n    Uri,\n};\n\n/// Reasons the construction of a `JsonWebKey` via the\n/// [`JsonWebKeyBuilder::build`] method can fail.\n#[derive(Debug, thiserror::Error)]\n#[non_exhaustive]\npub enum JsonWebKeyBuildError\u003cP\u003e {\n    /// The [`JsonWebKeyType`] and [`JsonWebAlgorithm`] are not compatible.\n    ///\n    /// An example is usage of an RSA key with an Hmac Json web algorithm.\n    #[error(\"the `key_type` and `algorithm` are not compatible\")]\n    IncompatibleKeyType,\n    /// This error can only happen when using the\n    /// [`build_and_check`](JsonWebKeyBuilder::build_and_check) is used and the\n    /// policy check failed.\n    #[error(transparent)]\n    PolicyCheckFailed(P),\n}\n\n/// The builder for modifying a [`JsonWebKey`].\n#[derive(Debug, Clone)]\npub struct JsonWebKeyBuilder\u003cA\u003e {\n    pub(super) key_type: JsonWebKeyType,\n    pub(super) key_use: Option\u003cKeyUsage\u003e,\n    pub(super) key_operations: Option\u003cHashSet\u003cKeyOperation\u003e\u003e,\n    pub(super) algorithm: Option\u003cJsonWebAlgorithm\u003e,\n    pub(super) kid: Option\u003cString\u003e,\n    pub(super) x509_url: Option\u003cUri\u003e,\n    pub(super) x509_certificate_chain: Vec\u003cBase64DerCertificate\u003e,\n    pub(super) x509_certificate_sha1_thumbprint: Option\u003c[u8; 20]\u003e,\n    pub(super) x509_certificate_sha256_thumbprint: Option\u003c[u8; 32]\u003e,\n    pub(super) additional: A,\n}\n\nmacro_rules! gen_builder_methods {\n    ($($field:ident: $T:ty,)*) =\u003e {\n        $(#[doc = concat!(\"Override the `\", stringify!($field), \"` for this JWK.\")]\n        #[inline]\n        pub fn $field(mut self, $field: Option\u003cimpl Into\u003c$T\u003e\u003e) -\u003e Self {\n            self.$field = $field.map(Into::into);\n            self\n        })*\n    };\n}\n\nimpl JsonWebKeyBuilder\u003c()\u003e {\n    /// Create a new [`JsonWebKeyBuilder`] with the given key.\n    pub fn new(key_type: impl Into\u003cJsonWebKeyType\u003e) -\u003e Self {\n        Self {\n            key_type: key_type.into(),\n            key_use: None,\n            key_operations: None,\n            algorithm: None,\n            kid: None,\n            x509_url: None,\n            x509_certificate_chain: alloc::vec![],\n            x509_certificate_sha1_thumbprint: None,\n            x509_certificate_sha256_thumbprint: None,\n            additional: (),\n        }\n    }\n}\n\nimpl\u003cA\u003e JsonWebKeyBuilder\u003cA\u003e {\n    /// Try to construct the final [`JsonWebKey`].\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if any parameter is considered invalid. For example,\n    /// if a [`JsonWebKeyType`] is not compatible with the [`JsonWebAlgorithm`]\n    /// set.\n    pub fn build(self) -\u003e Result\u003cJsonWebKey\u003cA\u003e, JsonWebKeyBuildError\u003cInfallible\u003e\u003e {\n        let Self {\n            key_type,\n            key_use,\n            key_operations,\n            algorithm,\n            kid,\n            x509_url,\n            x509_certificate_chain,\n            x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint,\n            additional,\n        } = self;\n\n        if let Some(ref algorithm) = algorithm {\n            if !key_type.compatible_with(algorithm) {\n                return Err(JsonWebKeyBuildError::IncompatibleKeyType);\n            }\n        }\n\n        Ok(JsonWebKey {\n            key_type,\n            key_use,\n            key_operations,\n            algorithm,\n            kid,\n            x509_url,\n            x509_certificate_chain,\n            x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint,\n            additional,\n        })\n    }\n\n    /// Try to construct the final [`JsonWebKey`], and then validates the\n    /// resulting JWK using the given [`Policy`].\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if any parameter is considered invalid, or the policy\n    /// check failed. For example, if a [`JsonWebKeyType`] is not compatible\n    /// with the [`JsonWebAlgorithm`] set.\n    // We think that this degree of complexity is acceptable and a type alias would make things even\n    // more complex\n    #[allow(clippy::type_complexity, clippy::result_large_err)]\n    pub fn build_and_check\u003cP: Policy\u003e(\n        self,\n        policy: P,\n    ) -\u003e Result\u003cChecked\u003cJsonWebKey\u003cA\u003e, P\u003e, JsonWebKeyBuildError\u003cP::Error\u003e\u003e\n    where\n        A: Checkable,\n    {\n        self.build()\n            .map_err(|e| match e {\n                JsonWebKeyBuildError::IncompatibleKeyType =\u003e {\n                    JsonWebKeyBuildError::IncompatibleKeyType\n                }\n                JsonWebKeyBuildError::PolicyCheckFailed(x) =\u003e match x {},\n            })?\n            .check(policy)\n            .map_err(|(_, e)| JsonWebKeyBuildError::PolicyCheckFailed(e))\n    }\n}\n\nimpl\u003cA\u003e JsonWebKeyBuilder\u003cA\u003e {\n    gen_builder_methods! {\n        key_use: KeyUsage,\n        key_operations: HashSet\u003cKeyOperation\u003e,\n        algorithm: JsonWebAlgorithm,\n        kid: String,\n        x509_url: Uri,\n        x509_certificate_sha1_thumbprint: [u8; 20],\n        x509_certificate_sha256_thumbprint: [u8; 32],\n    }\n\n    /// Override the `key_type` for this JWK.\n    #[inline]\n    pub fn key_type(mut self, key_type: JsonWebKeyType) -\u003e Self {\n        self.key_type = key_type;\n        self\n    }\n\n    /// Override the `x509_certificate_chain` for this JWK.\n    #[inline]\n    pub fn x509_certificate_chain(mut self, x509_certificate_chain: Vec\u003cVec\u003cu8\u003e\u003e) -\u003e Self {\n        self.x509_certificate_chain = x509_certificate_chain\n            .into_iter()\n            .map(Base64DerCertificate)\n            .collect();\n        self\n    }\n\n    /// Override the additional parameters for this JWK.\n    #[inline]\n    pub fn additional\u003cN\u003e(self, additional: N) -\u003e JsonWebKeyBuilder\u003cN\u003e {\n        JsonWebKeyBuilder {\n            key_type: self.key_type,\n            key_use: self.key_use,\n            key_operations: self.key_operations,\n            algorithm: self.algorithm,\n            kid: self.kid,\n            x509_url: self.x509_url,\n            x509_certificate_chain: self.x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: self.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: self.x509_certificate_sha256_thumbprint,\n            additional,\n        }\n    }\n}\n","traces":[{"line":49,"address":[],"length":0,"stats":{"Line":42}},{"line":50,"address":[],"length":0,"stats":{"Line":42}},{"line":51,"address":[],"length":0,"stats":{"Line":42}},{"line":52,"address":[],"length":0,"stats":{"Line":42}},{"line":58,"address":[],"length":0,"stats":{"Line":21}},{"line":60,"address":[],"length":0,"stats":{"Line":21}},{"line":66,"address":[],"length":0,"stats":{"Line":21}},{"line":69,"address":[],"length":0,"stats":{"Line":21}},{"line":82,"address":[],"length":0,"stats":{"Line":42}},{"line":83,"address":[],"length":0,"stats":{"Line":42}},{"line":84,"address":[],"length":0,"stats":{"Line":42}},{"line":85,"address":[],"length":0,"stats":{"Line":42}},{"line":86,"address":[],"length":0,"stats":{"Line":42}},{"line":87,"address":[],"length":0,"stats":{"Line":42}},{"line":88,"address":[],"length":0,"stats":{"Line":42}},{"line":89,"address":[],"length":0,"stats":{"Line":42}},{"line":90,"address":[],"length":0,"stats":{"Line":42}},{"line":91,"address":[],"length":0,"stats":{"Line":42}},{"line":92,"address":[],"length":0,"stats":{"Line":42}},{"line":93,"address":[],"length":0,"stats":{"Line":42}},{"line":94,"address":[],"length":0,"stats":{"Line":42}},{"line":96,"address":[],"length":0,"stats":{"Line":84}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":42}},{"line":102,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":108,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":134,"address":[],"length":0,"stats":{"Line":0}},{"line":135,"address":[],"length":0,"stats":{"Line":0}},{"line":136,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":139,"address":[],"length":0,"stats":{"Line":0}},{"line":141,"address":[],"length":0,"stats":{"Line":0}},{"line":142,"address":[],"length":0,"stats":{"Line":0}},{"line":159,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":0}},{"line":161,"address":[],"length":0,"stats":{"Line":0}},{"line":166,"address":[],"length":0,"stats":{"Line":0}},{"line":167,"address":[],"length":0,"stats":{"Line":0}},{"line":168,"address":[],"length":0,"stats":{"Line":0}},{"line":169,"address":[],"length":0,"stats":{"Line":0}},{"line":170,"address":[],"length":0,"stats":{"Line":0}},{"line":171,"address":[],"length":0,"stats":{"Line":0}},{"line":176,"address":[],"length":0,"stats":{"Line":0}},{"line":178,"address":[],"length":0,"stats":{"Line":0}},{"line":179,"address":[],"length":0,"stats":{"Line":0}},{"line":180,"address":[],"length":0,"stats":{"Line":0}},{"line":181,"address":[],"length":0,"stats":{"Line":0}},{"line":182,"address":[],"length":0,"stats":{"Line":0}},{"line":183,"address":[],"length":0,"stats":{"Line":0}},{"line":184,"address":[],"length":0,"stats":{"Line":0}},{"line":185,"address":[],"length":0,"stats":{"Line":0}},{"line":186,"address":[],"length":0,"stats":{"Line":0}}],"covered":23,"coverable":62},{"path":["/","home","stu","dev","rust","jose","src","jwk","key_ops.rs"],"content":"use alloc::string::String;\n\nuse serde::{Deserialize, Serialize};\n\n/// This enum represents the key operations (`key_ops`) parameter as defined in\n/// [Section 4.3 of RFC 7517]. All possible values are registered in the [IANA\n/// `JSON Web Key Operations` registry].\n///\n/// This enum SHOULD NOT be used together with the [`KeyUsage`](super::KeyUsage)\n/// enum. If they are both present, their information MUST be consistent.\n///\n/// [Section 4.3 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.3\u003e\n/// [IANA `JSON Web Key Operations` registry]: \u003chttps://www.iana.org/assignments/jose/jose.xhtml#web-key-operations\u003e\n#[non_exhaustive]\n#[derive(Debug, Clone, Hash, PartialEq, Eq)]\npub enum KeyOperation {\n    /// This key may compute digital signatures or MACs\n    Sign,\n    /// This key may verify digital signatures or MACs\n    Verify,\n    /// This key may encrypt content\n    Encrypt,\n    /// This key may decrypt content and validate decryption, if applicable\n    Decrypt,\n    /// This key may encrypt a key\n    WrapKey,\n    /// This key may decrypt a key and validate the decryption, if applicable\n    UnwrapKey,\n    /// This key may derive a key\n    DeriveKey,\n    /// This key may derive bits not to be used as a key\n    DeriveBits,\n    /// Some other case-sensitive [`String`] that did not match any of the\n    /// publicly known key operations\n    Other(String),\n}\n\nimpl Serialize for KeyOperation {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        match self {\n            Self::Sign =\u003e \"sign\",\n            Self::Verify =\u003e \"verify\",\n            Self::Encrypt =\u003e \"encrypt\",\n            Self::Decrypt =\u003e \"decrypt\",\n            Self::WrapKey =\u003e \"wrapKey\",\n            Self::UnwrapKey =\u003e \"unwrapKey\",\n            Self::DeriveKey =\u003e \"deriveKey\",\n            Self::DeriveBits =\u003e \"deriveBits\",\n            Self::Other(s) =\u003e s,\n        }\n        .serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for KeyOperation {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let val = \u003calloc::borrow::Cow\u003c'_, str\u003e\u003e::deserialize(deserializer)?;\n        Ok(match \u0026*val {\n            \"sign\" =\u003e Self::Sign,\n            \"verify\" =\u003e Self::Verify,\n            \"encrypt\" =\u003e Self::Encrypt,\n            \"decrypt\" =\u003e Self::Decrypt,\n            \"wrapKey\" =\u003e Self::WrapKey,\n            \"unwrapKey\" =\u003e Self::UnwrapKey,\n            \"deriveKey\" =\u003e Self::DeriveKey,\n            \"deriveBits\" =\u003e Self::DeriveBits,\n            _ =\u003e Self::Other(val.into_owned()),\n        })\n    }\n}\n","traces":[{"line":39,"address":[],"length":0,"stats":{"Line":10}},{"line":43,"address":[],"length":0,"stats":{"Line":10}},{"line":44,"address":[],"length":0,"stats":{"Line":2}},{"line":45,"address":[],"length":0,"stats":{"Line":4}},{"line":46,"address":[],"length":0,"stats":{"Line":2}},{"line":47,"address":[],"length":0,"stats":{"Line":2}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":50,"address":[],"length":0,"stats":{"Line":0}},{"line":51,"address":[],"length":0,"stats":{"Line":0}},{"line":52,"address":[],"length":0,"stats":{"Line":0}},{"line":54,"address":[],"length":0,"stats":{"Line":10}},{"line":59,"address":[],"length":0,"stats":{"Line":16}},{"line":63,"address":[],"length":0,"stats":{"Line":32}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":3}},{"line":66,"address":[],"length":0,"stats":{"Line":19}},{"line":67,"address":[],"length":0,"stats":{"Line":11}},{"line":68,"address":[],"length":0,"stats":{"Line":6}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}}],"covered":13,"coverable":24},{"path":["/","home","stu","dev","rust","jose","src","jwk","key_use.rs"],"content":"use alloc::string::String;\n\nuse serde::{Deserialize, Serialize};\n\n/// This enum represents possible key usage (`use`) parameter as\n/// defined in [Section 4.2 of RFC 7517]. All possible values are registered in\n/// the [IANA `JSON Web Key Use` registry].\n///\n/// [Section 4.2 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.2\u003e\n/// [IANA `JSON Web Key Use` registry]: \u003chttps://www.iana.org/assignments/jose/jose.xhtml#web-key-use\u003e\n#[non_exhaustive]\n#[derive(Debug, Clone, Hash, PartialEq, Eq)]\npub enum KeyUsage {\n    /// The `sig` (signature) value\n    Signing,\n    /// The `enc` (encryption) value\n    Encryption,\n    /// Some other case-sensitive [`String`] that did not match any of the\n    /// publicly known variants\n    Other(String),\n}\n\nimpl Serialize for KeyUsage {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        match self {\n            Self::Signing =\u003e \"sig\",\n            Self::Encryption =\u003e \"enc\",\n            Self::Other(s) =\u003e s,\n        }\n        .serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for KeyUsage {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let val = \u003calloc::borrow::Cow\u003c'_, str\u003e\u003e::deserialize(deserializer)?;\n        Ok(match \u0026*val {\n            \"sig\" =\u003e Self::Signing,\n            \"enc\" =\u003e Self::Encryption,\n            _ =\u003e Self::Other(val.into_owned()),\n        })\n    }\n}\n","traces":[{"line":24,"address":[],"length":0,"stats":{"Line":34}},{"line":28,"address":[],"length":0,"stats":{"Line":34}},{"line":29,"address":[],"length":0,"stats":{"Line":28}},{"line":30,"address":[],"length":0,"stats":{"Line":6}},{"line":31,"address":[],"length":0,"stats":{"Line":0}},{"line":33,"address":[],"length":0,"stats":{"Line":34}},{"line":38,"address":[],"length":0,"stats":{"Line":50}},{"line":42,"address":[],"length":0,"stats":{"Line":100}},{"line":43,"address":[],"length":0,"stats":{"Line":0}},{"line":44,"address":[],"length":0,"stats":{"Line":44}},{"line":45,"address":[],"length":0,"stats":{"Line":12}},{"line":46,"address":[],"length":0,"stats":{"Line":0}}],"covered":9,"coverable":12},{"path":["/","home","stu","dev","rust","jose","src","jwk","policy","standard.rs"],"content":"use alloc::string::{String, ToString};\nuse core::fmt::Display;\n\nuse hashbrown::HashSet;\nuse thiserror::Error;\n\nuse super::{CryptographicOperation, Policy, PolicyError};\nuse crate::{\n    jwa::{JsonWebAlgorithm, JsonWebEncryptionAlgorithm, JsonWebSigningAlgorithm},\n    jwk::{KeyOperation, KeyUsage},\n};\n\n/// Reasons a [`StandardPolicy`] can deny a JWK.\n#[derive(Debug, Error)]\npub enum StandardPolicyFail {\n    /// A [`JsonWebKey`](crate::jwk::JsonWebKey) may not perform a\n    /// [`CryptographicOperation`]\n    #[error(\"this key may not perform this cryptographic operation\")]\n    OperationNotAllowed,\n    /// The [`JsonWebSigningAlgorithm::None`] algorithm is not allowed as this\n    /// indicates an unverified/unencrypted JWS/JWE.\n    #[error(\"`none` algorithm is not allowed\")]\n    NoneAlgorithm,\n    /// [`KeyUsage::Other`] can not be verified by the standard policy, thus\n    /// it's simply declined and the user needs to use a custom policy to\n    /// check it.\n    #[error(\"`use` contained custom usage which can't be checked\")]\n    OtherKeyUsage,\n    /// [`KeyOperation::Other`] can not be verified by the standard policy, thus\n    /// it's simply declined and the user needs to use a custom policy to\n    /// check it.\n    #[error(\"`key_ops` contained custom operation which can't be checked\")]\n    OtherKeyOperation,\n    /// If any of [`JsonWebSigningAlgorithm`] or [`JsonWebEncryptionAlgorithm`]\n    /// contains the `Other` variant, this error will be raised by the\n    /// [`StandardPolicy`] because it is not understood by the implementations\n    /// provided by this library.\n    ///\n    /// If you use custom implementations (for example, via your own\n    /// [`Signer`](crate::jws::Signer) type) and use custom values for your\n    /// algorithm identification, you should provide our own [`Policy`] that\n    /// compares the `Other` variants against values understood by your\n    /// implementation.\n    #[error(\"`alg` header contains an unknown value\")]\n    OtherAlgorithm,\n    /// Used for the [`PolicyError`] implementation\n    #[error(\"{0}\")]\n    Custom(String),\n}\n\nimpl PolicyError for StandardPolicyFail {\n    fn custom\u003cT\u003e(msg: T) -\u003e Self\n    where\n        T: Display,\n    {\n        Self::Custom(msg.to_string())\n    }\n}\n\n/// A [`Policy`] with reasonable rules. Use this struct if you want to have some\n/// secure defaults.\n///\n/// # Included checks\n///\n/// - [`JsonWebSigningAlgorithm::None`] is not allowed\n/// - `use` field must not contain [`KeyUsage::Other`] because it can't be\n///   verified\n/// - `key_ops` field must not contain [`KeyOperation::Other`] because it can't\n///   be verified\n#[non_exhaustive]\n#[derive(Debug, Default, Clone)]\npub struct StandardPolicy;\n\nimpl StandardPolicy {\n    /// Create a [`StandardPolicy`]\n    pub const fn new() -\u003e Self {\n        Self\n    }\n}\n\n// TODO: StandardPolicy should check that the JsonWebKeyType and the provided\n// Algorithm make sense\nimpl Policy for StandardPolicy {\n    type Error = StandardPolicyFail;\n\n    fn algorithm(\u0026self, alg: \u0026JsonWebAlgorithm) -\u003e Result\u003c(), Self::Error\u003e {\n        match alg {\n            JsonWebAlgorithm::Encryption(JsonWebEncryptionAlgorithm::Other(_))\n            | JsonWebAlgorithm::Signing(JsonWebSigningAlgorithm::Other(_)) =\u003e {\n                Err(StandardPolicyFail::OtherAlgorithm)\n            }\n\n            JsonWebAlgorithm::Signing(JsonWebSigningAlgorithm::None) =\u003e {\n                Err(StandardPolicyFail::NoneAlgorithm)\n            }\n            JsonWebAlgorithm::Other(..) =\u003e Err(StandardPolicyFail::OtherAlgorithm),\n            _ =\u003e Ok(()),\n        }\n    }\n\n    fn compare_key_ops_and_use(\n        \u0026self,\n        key_use: \u0026KeyUsage,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        if matches!(key_use, KeyUsage::Other(..)) {\n            return Err(StandardPolicyFail::OtherKeyUsage);\n        }\n\n        if key_ops.iter().any(|o| matches!(o, KeyOperation::Other(..))) {\n            return Err(StandardPolicyFail::OtherKeyOperation);\n        }\n\n        // TODO: check that the typed variants of KeyUsage and KeyOperation\n        Ok(())\n    }\n\n    fn may_perform_operation_key_ops(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        use CryptographicOperation::*;\n        match operation {\n            Encrypt if key_ops.contains(\u0026KeyOperation::Encrypt) =\u003e Ok(()),\n            Decrypt if key_ops.contains(\u0026KeyOperation::Encrypt) =\u003e Ok(()),\n            Sign if key_ops.contains(\u0026KeyOperation::Sign) =\u003e Ok(()),\n            Verify if key_ops.contains(\u0026KeyOperation::Verify) =\u003e Ok(()),\n            _ =\u003e Err(StandardPolicyFail::OperationNotAllowed),\n        }\n    }\n\n    fn may_perform_operation_key_use(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_use: \u0026KeyUsage,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        use CryptographicOperation::*;\n        match operation {\n            Decrypt | Encrypt if key_use == \u0026KeyUsage::Encryption =\u003e Ok(()),\n            Sign | Verify if key_use == \u0026KeyUsage::Signing =\u003e Ok(()),\n            _ =\u003e Err(StandardPolicyFail::OperationNotAllowed),\n        }\n    }\n}\n","traces":[{"line":52,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":1}},{"line":77,"address":[],"length":0,"stats":{"Line":1}},{"line":86,"address":[],"length":0,"stats":{"Line":1}},{"line":87,"address":[],"length":0,"stats":{"Line":1}},{"line":90,"address":[],"length":0,"stats":{"Line":0}},{"line":94,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":1}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}},{"line":111,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":126,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":133,"address":[],"length":0,"stats":{"Line":1}},{"line":139,"address":[],"length":0,"stats":{"Line":1}},{"line":140,"address":[],"length":0,"stats":{"Line":0}},{"line":141,"address":[],"length":0,"stats":{"Line":3}},{"line":142,"address":[],"length":0,"stats":{"Line":0}}],"covered":8,"coverable":28},{"path":["/","home","stu","dev","rust","jose","src","jwk","policy.rs"],"content":"//! Validate jose data against some [`Policy`]\n\nmod standard;\nuse core::{\n    fmt::{Debug, Display},\n    ops::{Deref, DerefMut},\n};\n\nuse hashbrown::HashSet;\npub use standard::{StandardPolicy, StandardPolicyFail};\n\nuse crate::{\n    jwa::JsonWebAlgorithm,\n    jwk::{KeyOperation, KeyUsage},\n};\n\n/// A type `T` that was checked against a [`Policy`] `P`\n#[derive(Debug, Clone, Hash, PartialEq, Eq)]\npub struct Checked\u003cT, P\u003e {\n    /// The [`Policy`] this `T` was checked against\n    policy: P,\n    /// The data that were checked\n    data: T,\n}\n\nimpl\u003cT, P\u003e Deref for Checked\u003cT, P\u003e\nwhere\n    P: Policy,\n{\n    type Target = T;\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        \u0026self.data\n    }\n}\n\nimpl\u003cT, P\u003e DerefMut for Checked\u003cT, P\u003e\nwhere\n    P: Policy,\n{\n    fn deref_mut(\u0026mut self) -\u003e \u0026mut Self::Target {\n        \u0026mut self.data\n    }\n}\n\nimpl\u003cT, P\u003e Checked\u003cT, P\u003e {\n    /// Create a new [`Checked\u003cT, P\u003e`]\n    ///\n    /// **Warning**: This function can't perform any validation/checks and\n    /// therefore MUST only be used after sufficient validation is already done.\n    pub fn new(data: T, policy: P) -\u003e Self\n    where\n        P: Policy,\n    {\n        Self { policy, data }\n    }\n\n    /// Turns this `Checked` into it's underlying values. `T` is the type that\n    /// was checked and `P` the [`Policy`] used to check `T`\n    pub fn into_inner(self) -\u003e (T, P) {\n        (self.data, self.policy)\n    }\n\n    /// Turns this `Checked` into it's underlying checked type `T`\n    pub fn into_type(self) -\u003e T {\n        self.into_inner().0\n    }\n\n    /// Turns this `Checked` into it's underlying [`Policy`] `P` that was used\n    /// to check `T`\n    pub fn into_policy(self) -\u003e P {\n        self.into_inner().1\n    }\n\n    /// Returns the [`Policy`] that was used to validate `T`\n    pub fn policy(\u0026self) -\u003e \u0026P\n    where\n        P: Policy,\n    {\n        \u0026self.policy\n    }\n}\n\n/// A trait to enforce some rules in jose\npub trait Policy {\n    /// The error type returned when any check of this policy fails.\n    type Error: PolicyError;\n\n    /// Checks the `alg` header\n    ///\n    /// # Errors\n    ///\n    /// This should return an [`Err`] if the algorithm is not accepted (e.g.\n    /// because it is considered insecure)\n    fn algorithm(\u0026self, alg: \u0026JsonWebAlgorithm) -\u003e Result\u003c(), Self::Error\u003e;\n\n    /// Compares the `use` and `key_ops` parameters\n    ///\n    /// # Errors\n    ///\n    /// This should return an [`Err`] if key_use and key_ops are inconsistent\n    /// with each other\n    fn compare_key_ops_and_use(\n        \u0026self,\n        key_use: \u0026KeyUsage,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e;\n\n    /// Checks if a [`JsonWebKey`](crate::jwk::JsonWebKey) with the given\n    /// [`KeyOperation`]s is allowed to perform a certain\n    /// [`CryptographicOperation`]\n    ///\n    /// # Errors\n    ///\n    /// This should return an [`Err`] if the given\n    /// [`JsonWebKey`](crate::jwk::JsonWebKey) with this specific set of\n    /// [`KeyOperation`]s is not allowed to perform the\n    /// [`CryptographicOperation`] For example, this might be the case if\n    /// key_ops only contain [`KeyOperation::Encrypt`] but the\n    /// [`CryptographicOperation`] is [`Sign`](CryptographicOperation::Sign).\n    fn may_perform_operation_key_ops(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e;\n\n    /// Checks if a [`JsonWebKey`](crate::jwk::JsonWebKey) with the given\n    /// [`KeyUsage`] parameter is allowed to perform a certain\n    /// [`CryptographicOperation`]\n    ///\n    /// # Errors\n    ///\n    /// This should return an [`Err`] if the given\n    /// [`JsonWebKey`](crate::jwk::JsonWebKey) with this specific [`KeyUsage`]\n    /// is not allowed to perform the [`CryptographicOperation`]\n    fn may_perform_operation_key_use(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_use: \u0026KeyUsage,\n    ) -\u003e Result\u003c(), Self::Error\u003e;\n\n    /// Checks both [`KeyUsage`] and [`KeyOperation`] for the given\n    /// [`CryptographicOperation`]\n    ///\n    /// The default implementation just calls\n    /// [`may_perform_operation_key_ops`](Self::may_perform_operation_key_ops)\n    /// and [`may_perform_operation_key_use`](Self::may_perform_operation_key_use).\n    ///\n    /// # Errors\n    ///\n    /// This should return an [`Err`] if the [`KeyUsage`] and [`KeyOperation`]\n    /// do not allow for the [`CryptographicOperation`]\n    fn may_perform_operation(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_use: \u0026KeyUsage,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        self.may_perform_operation_key_ops(operation, key_ops)?;\n        self.may_perform_operation_key_use(operation, key_use)\n    }\n}\n\n/// An enum used to specify a cryptographic operation\n#[non_exhaustive]\n#[derive(Debug, PartialEq, Eq, Hash, Clone, Copy)]\npub enum CryptographicOperation {\n    /// Create a signature (used in JWS)\n    Sign,\n    /// Verify a signature (used in JWS)\n    Verify,\n    /// Encrypt something (used in JWE)\n    Encrypt,\n    /// Decrypt some ciphertext (used in JWE)\n    Decrypt,\n    // TODO: possibly add derive key and derive bits in case they are ever needed (maybe in JWE?)\n}\n\nimpl\u003cP: Policy\u003e Policy for \u0026P {\n    type Error = P::Error;\n\n    fn algorithm(\u0026self, alg: \u0026JsonWebAlgorithm) -\u003e Result\u003c(), Self::Error\u003e {\n        P::algorithm(self, alg)\n    }\n\n    fn compare_key_ops_and_use(\n        \u0026self,\n        key_use: \u0026KeyUsage,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        P::compare_key_ops_and_use(self, key_use, key_ops)\n    }\n\n    fn may_perform_operation_key_ops(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_ops: \u0026HashSet\u003cKeyOperation\u003e,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        P::may_perform_operation_key_ops(self, operation, key_ops)\n    }\n\n    fn may_perform_operation_key_use(\n        \u0026self,\n        operation: CryptographicOperation,\n        key_use: \u0026KeyUsage,\n    ) -\u003e Result\u003c(), Self::Error\u003e {\n        P::may_perform_operation_key_use(self, operation, key_use)\n    }\n}\n\n/// An error returned by the [`Policy`] trait\npub trait PolicyError {\n    /// A custom error message\n    fn custom\u003cT\u003e(msg: T) -\u003e Self\n    where\n        T: Display;\n}\n\n/// A type that can be checked against some [`Policy`]\npub trait Checkable: Sized {\n    /// Check [`self`] against a [`Policy`]\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if any check against the [`Policy`] failed\n    fn check\u003cP: Policy\u003e(self, policy: P) -\u003e Result\u003cChecked\u003cSelf, P\u003e, (Self, P::Error)\u003e;\n}\n\n/// This implementation allows the default JsonWebKey (and others types with\n/// additional members) to implement Checkable where there are no additional\n/// members (`T = ()`)\nimpl Checkable for () {\n    fn check\u003cP: Policy\u003e(self, policy: P) -\u003e Result\u003cChecked\u003cSelf, P\u003e, (Self, P::Error)\u003e {\n        Ok(Checked::new(self, policy))\n    }\n}\n","traces":[{"line":32,"address":[],"length":0,"stats":{"Line":0}},{"line":33,"address":[],"length":0,"stats":{"Line":0}},{"line":41,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":51,"address":[],"length":0,"stats":{"Line":2}},{"line":60,"address":[],"length":0,"stats":{"Line":1}},{"line":61,"address":[],"length":0,"stats":{"Line":1}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":153,"address":[],"length":0,"stats":{"Line":0}},{"line":159,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":0}},{"line":182,"address":[],"length":0,"stats":{"Line":0}},{"line":183,"address":[],"length":0,"stats":{"Line":0}},{"line":186,"address":[],"length":0,"stats":{"Line":0}},{"line":191,"address":[],"length":0,"stats":{"Line":0}},{"line":194,"address":[],"length":0,"stats":{"Line":0}},{"line":199,"address":[],"length":0,"stats":{"Line":0}},{"line":202,"address":[],"length":0,"stats":{"Line":0}},{"line":207,"address":[],"length":0,"stats":{"Line":0}},{"line":233,"address":[],"length":0,"stats":{"Line":0}},{"line":234,"address":[],"length":0,"stats":{"Line":0}}],"covered":3,"coverable":26},{"path":["/","home","stu","dev","rust","jose","src","jwk","private.rs"],"content":"use alloc::{boxed::Box, string::String};\n\nuse serde::{Deserialize, Serialize};\n\nuse super::Thumbprint;\nuse crate::crypto::{ec, okp, rsa};\n\n/// The `private` part of some asymmetric cryptographic key\n#[non_exhaustive]\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Hash)]\n#[serde(untagged)]\npub enum Private {\n    /// The private part of a Rsa key\n    Rsa(Box\u003crsa::PrivateKey\u003e),\n    /// The private part of an elliptic curve\n    Ec(EcPrivate),\n    /// The private part of an `OKP` key type, probably the private part of a\n    /// curve25519 or curve448 key\n    Okp(OkpPrivate),\n}\n\nimpl From\u003cPrivate\u003e for super::JsonWebKeyType {\n    fn from(x: Private) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(Box::new(super::AsymmetricJsonWebKey::Private(x)))\n    }\n}\n\nimpl crate::sealed::Sealed for Private {}\nimpl Thumbprint for Private {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            Private::Rsa(key) =\u003e key.thumbprint_prehashed(),\n            Private::Ec(key) =\u003e key.thumbprint_prehashed(),\n            Private::Okp(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\n/// The private part of some elliptic curve\n///\n/// Note: This does not include Curve25519 and Curve448. For these, see the\n/// `Okp` variant of the [`Private`](super::Private)\n/// enum.\n#[non_exhaustive]\n#[derive(Debug, Clone, Serialize, PartialEq, Eq, Hash)]\n#[serde(untagged)]\npub enum EcPrivate {\n    /// Private part of the P-256 curve\n    P256(ec::P256PrivateKey),\n    /// Private part of the P-384 curve\n    P384(ec::P384PrivateKey),\n    /// Private part of the P-521 curve\n    P521(ec::P521PrivateKey),\n    /// Private part of the secp256k1 curve\n    Secp256k1(ec::Secp256k1PrivateKey),\n}\n\nimpl crate::sealed::Sealed for EcPrivate {}\nimpl Thumbprint for EcPrivate {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            EcPrivate::P256(key) =\u003e key.thumbprint_prehashed(),\n            EcPrivate::P384(key) =\u003e key.thumbprint_prehashed(),\n            EcPrivate::P521(key) =\u003e key.thumbprint_prehashed(),\n            EcPrivate::Secp256k1(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl From\u003cEcPrivate\u003e for super::JsonWebKeyType {\n    fn from(x: EcPrivate) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(\n            super::AsymmetricJsonWebKey::Private(super::Private::Ec(x)),\n        ))\n    }\n}\n\nimpl_internally_tagged_deserialize!(EcPrivate, \"crv\", \"EcCurve\", [\n    \"P-256\" =\u003e P256,\n    \"P-384\" =\u003e P384,\n    \"P-521\" =\u003e P521,\n    \"secp256k1\" =\u003e Secp256k1,\n]);\n\n/// The private part of ED keys, whose type is `OKP`.\n#[non_exhaustive]\n#[derive(Debug, Clone, Serialize, PartialEq, Eq, Hash)]\n#[serde(untagged)]\npub enum OkpPrivate {\n    /// Private part of the Ed25519 curve\n    Ed25519(okp::Ed25519PrivateKey),\n\n    /// Private part of the Ed448 curve\n    Ed448(okp::Ed448PrivateKey),\n}\n\nimpl crate::sealed::Sealed for OkpPrivate {}\nimpl Thumbprint for OkpPrivate {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            OkpPrivate::Ed25519(key) =\u003e key.thumbprint_prehashed(),\n            OkpPrivate::Ed448(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl From\u003cOkpPrivate\u003e for super::JsonWebKeyType {\n    fn from(x: OkpPrivate) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(\n            super::AsymmetricJsonWebKey::Private(super::Private::Okp(x)),\n        ))\n    }\n}\n\nimpl_internally_tagged_deserialize!(OkpPrivate, \"crv\", \"OkpCurve\", [\n    \"Ed25519\" =\u003e Ed25519,\n    \"Ed448\" =\u003e Ed448,\n]);\n","traces":[{"line":23,"address":[],"length":0,"stats":{"Line":0}},{"line":24,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":25}},{"line":31,"address":[],"length":0,"stats":{"Line":25}},{"line":32,"address":[],"length":0,"stats":{"Line":6}},{"line":33,"address":[],"length":0,"stats":{"Line":13}},{"line":34,"address":[],"length":0,"stats":{"Line":6}},{"line":60,"address":[],"length":0,"stats":{"Line":13}},{"line":61,"address":[],"length":0,"stats":{"Line":13}},{"line":62,"address":[],"length":0,"stats":{"Line":4}},{"line":63,"address":[],"length":0,"stats":{"Line":3}},{"line":64,"address":[],"length":0,"stats":{"Line":3}},{"line":65,"address":[],"length":0,"stats":{"Line":3}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":6}},{"line":100,"address":[],"length":0,"stats":{"Line":6}},{"line":101,"address":[],"length":0,"stats":{"Line":3}},{"line":102,"address":[],"length":0,"stats":{"Line":3}},{"line":108,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":0}},{"line":110,"address":[],"length":0,"stats":{"Line":0}}],"covered":15,"coverable":23},{"path":["/","home","stu","dev","rust","jose","src","jwk","public.rs"],"content":"use alloc::string::String;\n\nuse serde::{Deserialize, Serialize};\n\nuse super::Thumbprint;\nuse crate::crypto::{ec, okp, rsa};\n\n/// The `public` part of some asymmetric cryptographic key\n#[non_exhaustive]\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Hash)]\n#[serde(untagged)]\npub enum Public {\n    /// The public part of a Rsa key\n    Rsa(rsa::PublicKey),\n    /// The public part of an elliptic curve\n    Ec(EcPublic),\n    /// The public part of an `OKP` key type, probably the public part of a\n    /// curve25519 or curve448 key\n    Okp(OkpPublic),\n}\n\nimpl crate::sealed::Sealed for Public {}\nimpl Thumbprint for Public {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            Public::Rsa(key) =\u003e key.thumbprint_prehashed(),\n            Public::Ec(key) =\u003e key.thumbprint_prehashed(),\n            Public::Okp(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\n/// The public part of some elliptic curve\n///\n/// Note: This does not include Curve25519 and Curve448. For these, see the\n/// `Okp` variant of the [`Public`](super::Public) enum.\n#[non_exhaustive]\n#[derive(Debug, Clone, Serialize, PartialEq, Eq, Hash)]\n#[serde(untagged)]\npub enum EcPublic {\n    /// Public part of the P-256 curve\n    P256(ec::P256PublicKey),\n\n    /// Public part of the P-384 curve\n    P384(ec::P384PublicKey),\n\n    /// Public part of the P-521 curve\n    P521(ec::P521PublicKey),\n\n    /// Public part of the secp256k1 curve\n    Secp256k1(ec::Secp256k1PublicKey),\n}\n\nimpl crate::sealed::Sealed for EcPublic {}\nimpl Thumbprint for EcPublic {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            EcPublic::P256(key) =\u003e key.thumbprint_prehashed(),\n            EcPublic::P384(key) =\u003e key.thumbprint_prehashed(),\n            EcPublic::P521(key) =\u003e key.thumbprint_prehashed(),\n            EcPublic::Secp256k1(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl From\u003cEcPublic\u003e for super::JsonWebKeyType {\n    fn from(x: EcPublic) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(\n            super::AsymmetricJsonWebKey::Public(super::Public::Ec(x)),\n        ))\n    }\n}\n\nimpl_internally_tagged_deserialize!(EcPublic, \"crv\", \"EcCurve\", [\n    \"P-256\" =\u003e P256,\n    \"P-384\" =\u003e P384,\n    \"P-521\" =\u003e P521,\n    \"secp256k1\" =\u003e Secp256k1,\n]);\n\n/// The public part of ED keys, whose type is `OKP`.\n#[non_exhaustive]\n#[derive(Debug, Clone, Serialize, PartialEq, Eq, Hash)]\n#[serde(untagged)]\npub enum OkpPublic {\n    /// Public part of the Ed25519 curve\n    Ed25519(okp::Ed25519PublicKey),\n\n    /// Public part of the Ed448 curve\n    Ed448(okp::Ed448PublicKey),\n}\n\nimpl crate::sealed::Sealed for OkpPublic {}\nimpl Thumbprint for OkpPublic {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            OkpPublic::Ed25519(key) =\u003e key.thumbprint_prehashed(),\n            OkpPublic::Ed448(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl From\u003cOkpPublic\u003e for super::JsonWebKeyType {\n    fn from(x: OkpPublic) -\u003e Self {\n        super::JsonWebKeyType::Asymmetric(alloc::boxed::Box::new(\n            super::AsymmetricJsonWebKey::Public(super::Public::Okp(x)),\n        ))\n    }\n}\n\nimpl_internally_tagged_deserialize!(OkpPublic, \"crv\", \"OkpCurve\", [\n    \"Ed25519\" =\u003e Ed25519,\n    \"Ed448\" =\u003e Ed448,\n]);\n","traces":[{"line":24,"address":[],"length":0,"stats":{"Line":33}},{"line":25,"address":[],"length":0,"stats":{"Line":33}},{"line":26,"address":[],"length":0,"stats":{"Line":15}},{"line":27,"address":[],"length":0,"stats":{"Line":12}},{"line":28,"address":[],"length":0,"stats":{"Line":6}},{"line":56,"address":[],"length":0,"stats":{"Line":12}},{"line":57,"address":[],"length":0,"stats":{"Line":12}},{"line":58,"address":[],"length":0,"stats":{"Line":3}},{"line":59,"address":[],"length":0,"stats":{"Line":3}},{"line":60,"address":[],"length":0,"stats":{"Line":3}},{"line":61,"address":[],"length":0,"stats":{"Line":3}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":6}},{"line":96,"address":[],"length":0,"stats":{"Line":6}},{"line":97,"address":[],"length":0,"stats":{"Line":3}},{"line":98,"address":[],"length":0,"stats":{"Line":3}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}}],"covered":15,"coverable":21},{"path":["/","home","stu","dev","rust","jose","src","jwk","serde_impl.rs"],"content":"use alloc::{borrow::Cow, vec::Vec};\nuse core::ops::Deref;\n\nuse base64ct::{Base64, Base64UrlUnpadded, Encoding};\nuse hashbrown::HashSet;\nuse serde::{de::Error, Deserialize, Deserializer, Serialize, Serializer};\n\nuse super::KeyOperation;\n\n/// Helper function to ensure that a [`HashSet`] is created from a [`Vec`]\n/// without duplicates\npub fn deserialize_ensure_set\u003c'de, D\u003e(\n    deserializer: D,\n) -\u003e Result\u003cOption\u003cHashSet\u003cKeyOperation\u003e\u003e, D::Error\u003e\nwhere\n    D: Deserializer\u003c'de\u003e,\n{\n    match \u003cOption\u003cVec\u003cKeyOperation\u003e\u003e as Deserialize\u003e::deserialize(deserializer)? {\n        Some(val) =\u003e {\n            let mut set = HashSet::new();\n            for o in val {\n                // detect duplicates in `key_ops` parameter. according to the rfc,\n                // \u003e Duplicate key operation values MUST NOT be present in the array.\n                // means: this is a set\n                if !set.insert(o) {\n                    return Err(\u003cD::Error as Error\u003e::custom(\n                        \"found duplicate in `key_ops` parameter\",\n                    ));\n                }\n            }\n            Ok(Some(set))\n        }\n        None =\u003e Ok(None),\n    }\n}\n\n/// serialize a generic array to base64 urlsafe nopad\npub fn serialize_ga\u003cconst N: usize, S\u003e(\n    // \u0026Option needed because serde passes an \u0026Option\u003cT\u003e instead of Option\u003c\u0026T\u003e\n    v: \u0026Option\u003c[u8; N]\u003e,\n    serializer: S,\n) -\u003e Result\u003cS::Ok, S::Error\u003e\nwhere\n    S: Serializer,\n{\n    let v = v.as_ref();\n    v.map(|v| Base64UrlUnpadded::encode_string(v))\n        .serialize(serializer)\n}\n\n/// deserialize a generic array from base64 urlsafe nopad\npub fn deserialize_ga\u003c'de, D, const N: usize\u003e(deserializer: D) -\u003e Result\u003cOption\u003c[u8; N]\u003e, D::Error\u003e\nwhere\n    D: Deserializer\u003c'de\u003e,\n{\n    Ok(match Option::\u003cCow\u003c'_, str\u003e\u003e::deserialize(deserializer)? {\n        Some(val) =\u003e {\n            let mut buf = [0u8; N];\n            Base64UrlUnpadded::decode(\u0026*val, \u0026mut buf).map_err(\u003cD::Error as Error\u003e::custom)?;\n            Some(buf)\n        }\n        None =\u003e None,\n    })\n}\n\npub fn serialize_ga_sha1\u003cS\u003e(v: \u0026Option\u003c[u8; 20]\u003e, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\nwhere\n    S: Serializer,\n{\n    serialize_ga::\u003c20, _\u003e(v, serializer)\n}\n\npub fn serialize_ga_sha256\u003cS\u003e(v: \u0026Option\u003c[u8; 32]\u003e, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\nwhere\n    S: Serializer,\n{\n    serialize_ga::\u003c32, _\u003e(v, serializer)\n}\n\npub fn deserialize_ga_sha1\u003c'de, D\u003e(deserializer: D) -\u003e Result\u003cOption\u003c[u8; 20]\u003e, D::Error\u003e\nwhere\n    D: Deserializer\u003c'de\u003e,\n{\n    deserialize_ga::\u003c_, 20\u003e(deserializer)\n}\n\npub fn deserialize_ga_sha256\u003c'de, D\u003e(deserializer: D) -\u003e Result\u003cOption\u003c[u8; 32]\u003e, D::Error\u003e\nwhere\n    D: Deserializer\u003c'de\u003e,\n{\n    deserialize_ga::\u003c_, 32\u003e(deserializer)\n}\n\n#[derive(Debug, Hash, PartialEq, Eq, Clone)]\npub(crate) struct Base64DerCertificate(pub Vec\u003cu8\u003e);\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for Base64DerCertificate {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        let val = \u003calloc::borrow::Cow\u003c'_, str\u003e\u003e::deserialize(deserializer)?;\n        Ok(Self(\n            Base64::decode_vec(\u0026val).map_err(\u003cD::Error as Error\u003e::custom)?,\n        ))\n    }\n}\n\nimpl Deref for Base64DerCertificate {\n    type Target = [u8];\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        self.0.deref()\n    }\n}\n\nimpl Serialize for Base64DerCertificate {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: Serializer,\n    {\n        Base64::encode_string(\u0026self.0).serialize(serializer)\n    }\n}\n","traces":[{"line":12,"address":[],"length":0,"stats":{"Line":9}},{"line":18,"address":[],"length":0,"stats":{"Line":9}},{"line":19,"address":[],"length":0,"stats":{"Line":9}},{"line":20,"address":[],"length":0,"stats":{"Line":9}},{"line":21,"address":[],"length":0,"stats":{"Line":40}},{"line":25,"address":[],"length":0,"stats":{"Line":16}},{"line":26,"address":[],"length":0,"stats":{"Line":1}},{"line":27,"address":[],"length":0,"stats":{"Line":1}},{"line":31,"address":[],"length":0,"stats":{"Line":8}},{"line":33,"address":[],"length":0,"stats":{"Line":0}},{"line":38,"address":[],"length":0,"stats":{"Line":12}},{"line":46,"address":[],"length":0,"stats":{"Line":12}},{"line":47,"address":[],"length":0,"stats":{"Line":24}},{"line":48,"address":[],"length":0,"stats":{"Line":12}},{"line":52,"address":[],"length":0,"stats":{"Line":12}},{"line":56,"address":[],"length":0,"stats":{"Line":12}},{"line":57,"address":[],"length":0,"stats":{"Line":12}},{"line":58,"address":[],"length":0,"stats":{"Line":12}},{"line":59,"address":[],"length":0,"stats":{"Line":12}},{"line":60,"address":[],"length":0,"stats":{"Line":12}},{"line":62,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":6}},{"line":70,"address":[],"length":0,"stats":{"Line":6}},{"line":73,"address":[],"length":0,"stats":{"Line":6}},{"line":77,"address":[],"length":0,"stats":{"Line":6}},{"line":80,"address":[],"length":0,"stats":{"Line":6}},{"line":84,"address":[],"length":0,"stats":{"Line":6}},{"line":87,"address":[],"length":0,"stats":{"Line":6}},{"line":91,"address":[],"length":0,"stats":{"Line":6}},{"line":98,"address":[],"length":0,"stats":{"Line":6}},{"line":102,"address":[],"length":0,"stats":{"Line":12}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":113,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":6}},{"line":122,"address":[],"length":0,"stats":{"Line":6}}],"covered":31,"coverable":37},{"path":["/","home","stu","dev","rust","jose","src","jwk","signer.rs"],"content":"use alloc::{borrow::ToOwned, string::String, vec::Vec};\n\nuse super::{\n    private::EcPrivate, symmetric::FromOctetSequenceError, AsymmetricJsonWebKey, FromKey,\n    JsonWebKeyType, OkpPrivate, Private, SymmetricJsonWebKey,\n};\nuse crate::{\n    crypto::{ec, hmac, okp, rsa},\n    jwa::{EcDSA, Hmac, JsonWebAlgorithm, JsonWebSigningAlgorithm},\n    jwk::policy::{Checked, CryptographicOperation, Policy},\n    jws::{IntoSigner, InvalidSigningAlgorithmError, Signer},\n    JsonWebKey,\n};\n\n/// An abstract [`Signer`] over all possible [key types](JsonWebKeyType)\n// FIXME: make PR to dependencies to we can derive C-COMMON-TRAITS\n#[derive(Debug)]\npub struct JwkSigner {\n    inner: InnerSigner,\n    key_id: Option\u003cString\u003e,\n}\n\nimpl JwkSigner {\n    /// Create a [`JwkSigner`] from a [`JsonWebKeyType`] used with the provided\n    /// [`JsonWebAlgorithm`]\n    ///\n    /// # Errors\n    ///\n    /// This function returns an error if the provided [`JsonWebAlgorithm`] and\n    /// the actual [`JsonWebKeyType`] don't match. For example, you'll get an\n    /// error if you try to to use this function with a [symmetric\n    /// key](JsonWebKeyType::Symmetric) and an asymmetric key algorithm.\n    ///\n    /// E.g., this won't work:\n    ///     \n    /// ```\n    /// use jose::{\n    ///     jwa::{Hmac, JsonWebSigningAlgorithm},\n    ///     jwk::{FromJwkError, JsonWebKeyType, JwkSigner},\n    /// };\n    /// # fn main() -\u003e Result\u003c(), Box\u003cdyn std::error::Error\u003e\u003e {\n    /// let key: JsonWebKeyType = serde_json::from_str(\n    ///     r#\"\n    /// {\n    ///   \"kty\": \"EC\",\n    ///   \"kid\": \"6j1ImYAlN6DnVupozzN13UKnLR7BfEvngNmVl5bLlI0\",\n    ///   \"crv\": \"P-256\",\n    ///   \"x\": \"-HGJKqKLCoB6z4zlNKef927CODDulLcHdxNi2iUTi5g\",\n    ///   \"y\": \"GaVhYaBvIgSAaNLjXjVqOvtCGH56x5s4DnWMy9TXbTU\",\n    ///   \"d\": \"C6AV5ZvCGQevYYMJT15frXWuKaqEDthnSMtuJKEKykI\"\n    /// }\"#,\n    /// )?;\n    ///\n    /// // returns an error since a P-256 key cannot be used with Hmac\n    /// assert!(matches!(\n    ///     JwkSigner::new(key, JsonWebSigningAlgorithm::Hmac(Hmac::Hs256)),\n    ///     Err(FromJwkError::InvalidAlgorithm)\n    /// ));\n    /// # Ok(())\n    /// # }\n    /// ```\n    pub fn new(key: JsonWebKeyType, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cSelf, FromJwkError\u003e {\n        Ok(Self {\n            key_id: None,\n            inner: match key {\n                JsonWebKeyType::Asymmetric(key) =\u003e match *key {\n                    AsymmetricJsonWebKey::Public(_) =\u003e Err(FromJwkError::NoPrivateKey)?,\n                    AsymmetricJsonWebKey::Private(key) =\u003e match key {\n                        Private::Ec(key) =\u003e match key {\n                            EcPrivate::P256(key) =\u003e InnerSigner::Es256(key.into_signer(alg)?),\n                            EcPrivate::P384(key) =\u003e InnerSigner::Es384(key.into_signer(alg)?),\n                            EcPrivate::P521(key) =\u003e InnerSigner::Es512(key.into_signer(alg)?),\n                            EcPrivate::Secp256k1(key) =\u003e {\n                                InnerSigner::Secp256k1(key.into_signer(alg)?)\n                            }\n                        },\n                        Private::Rsa(key) =\u003e InnerSigner::Rsa((*key).into_signer(alg)?),\n                        Private::Okp(key) =\u003e match key {\n                            OkpPrivate::Ed25519(key) =\u003e InnerSigner::Ed25519(key.into_signer(alg)?),\n                            OkpPrivate::Ed448(key) =\u003e InnerSigner::Ed448(key.into_signer(alg)?),\n                        },\n                    },\n                },\n                JsonWebKeyType::Symmetric(key) =\u003e match key {\n                    SymmetricJsonWebKey::OctetSequence(ref key) =\u003e match alg {\n                        JsonWebSigningAlgorithm::Hmac(hs) =\u003e match hs {\n                            Hmac::Hs256 =\u003e InnerSigner::Hs256(key.into_signer(alg)?),\n                            Hmac::Hs384 =\u003e InnerSigner::Hs384(key.into_signer(alg)?),\n                            Hmac::Hs512 =\u003e InnerSigner::Hs512(key.into_signer(alg)?),\n                        },\n                        _ =\u003e Err(InvalidSigningAlgorithmError)?,\n                    },\n                },\n            },\n        })\n    }\n\n    /// Sets the key id for this [`Signer`].\n    ///\n    /// If this method is used, the [`kid`] header of the signed JWS will be set\n    /// to the given key id.\n    ///\n    /// [`kid`]: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4\n    pub fn with_key_id(mut self, key_id: String) -\u003e Self {\n        self.key_id = Some(key_id);\n        self\n    }\n\n    /// Sets the key id of this signer to `None`.\n    ///\n    /// Calling this method will result to omitting the [`kid`] header in the\n    /// signed JWS header.\n    ///\n    /// [`kid`]: https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4\n    pub fn without_key_id(mut self) -\u003e Self {\n        self.key_id = None;\n        self\n    }\n}\n\nimpl Signer\u003cVec\u003cu8\u003e\u003e for JwkSigner {\n    fn sign(\u0026mut self, x: \u0026[u8]) -\u003e Result\u003cVec\u003cu8\u003e, crate::crypto::Error\u003e {\n        match \u0026mut self.inner {\n            InnerSigner::Rsa(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Hs256(s) =\u003e s.sign(x).map(|x| x.as_ref().to_vec()),\n            InnerSigner::Hs384(s) =\u003e s.sign(x).map(|x| x.as_ref().to_vec()),\n            InnerSigner::Hs512(s) =\u003e s.sign(x).map(|x| x.as_ref().to_vec()),\n            InnerSigner::Es256(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Es384(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Es512(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Secp256k1(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Ed448(s) =\u003e s.sign(x).map(|x| x.into()),\n            InnerSigner::Ed25519(s) =\u003e s.sign(x).map(|x| x.into()),\n        }\n    }\n\n    fn algorithm(\u0026self) -\u003e JsonWebSigningAlgorithm {\n        match self.inner {\n            InnerSigner::Hs256(_) =\u003e JsonWebSigningAlgorithm::Hmac(Hmac::Hs256),\n            InnerSigner::Hs384(_) =\u003e JsonWebSigningAlgorithm::Hmac(Hmac::Hs384),\n            InnerSigner::Hs512(_) =\u003e JsonWebSigningAlgorithm::Hmac(Hmac::Hs512),\n            InnerSigner::Es256(_) =\u003e JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256),\n            InnerSigner::Es384(_) =\u003e JsonWebSigningAlgorithm::EcDSA(EcDSA::Es384),\n            InnerSigner::Es512(_) =\u003e JsonWebSigningAlgorithm::EcDSA(EcDSA::Es512),\n            InnerSigner::Secp256k1(_) =\u003e JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256K),\n            InnerSigner::Rsa(ref rsa) =\u003e rsa.algorithm(),\n            InnerSigner::Ed25519(_) | InnerSigner::Ed448(_) =\u003e JsonWebSigningAlgorithm::EdDSA,\n        }\n    }\n\n    fn key_id(\u0026self) -\u003e Option\u003c\u0026str\u003e {\n        self.key_id.as_deref()\n    }\n}\n\nimpl\u003cT, P\u003e TryFrom\u003cChecked\u003cJsonWebKey\u003cT\u003e, P\u003e\u003e for JwkSigner\nwhere\n    P: Policy,\n{\n    type Error = FromJwkError;\n\n    /// Create a [`JwkSigner`] from a [`JsonWebKey`]\n    ///\n    /// # Errors\n    ///\n    /// This conversion fails if [`JsonWebKey::algorithm`] is [`None`]\n    fn try_from(jwk: Checked\u003cJsonWebKey\u003cT\u003e, P\u003e) -\u003e Result\u003cSelf, Self::Error\u003e {\n        let alg = jwk\n            .algorithm()\n            .ok_or(FromJwkError::InvalidAlgorithm)?\n            .to_owned();\n        let kid = jwk.kid.clone();\n        let mut signer = JwkSigner::from_key(jwk, alg)?;\n        signer.key_id = kid;\n        Ok(signer)\n    }\n}\n\nimpl\u003cT, P\u003e FromKey\u003cChecked\u003cJsonWebKey\u003cT\u003e, P\u003e\u003e for JwkSigner\nwhere\n    P: Policy,\n{\n    type Error = FromJwkError;\n\n    /// Create a [`JwkSigner`] from a [`JsonWebKey`] overwriting\n    /// [`JsonWebKey::algorithm`] with `alg`.\n    fn from_key(\n        jwk: Checked\u003cJsonWebKey\u003cT\u003e, P\u003e,\n        alg: JsonWebAlgorithm,\n    ) -\u003e Result\u003cSelf, Self::Error\u003e {\n        if let Some(usage) = jwk.key_usage() {\n            jwk.policy()\n                .may_perform_operation_key_use(CryptographicOperation::Sign, usage)\n                .map_err(|_| FromJwkError::OperationNotAllowed)?\n        }\n\n        if let Some(ops) = jwk.key_operations() {\n            jwk.policy()\n                .may_perform_operation_key_ops(CryptographicOperation::Sign, ops)\n                .map_err(|_| FromJwkError::OperationNotAllowed)?\n        }\n\n        match alg {\n            JsonWebAlgorithm::Encryption(..) | JsonWebAlgorithm::Other(..) =\u003e {\n                Err(InvalidSigningAlgorithmError.into())\n            }\n            JsonWebAlgorithm::Signing(alg) =\u003e Self::new(jwk.into_type().key_type, alg),\n        }\n    }\n}\n\n/// An error returned when creating a [`JwkSigner`] from a [`JsonWebKeyType`]\n/// (or indirectly via [`JsonWebKey`])\n#[derive(Debug, thiserror::Error)]\n#[non_exhaustive]\npub enum FromJwkError {\n    /// A [`JsonWebKey`] has either the `use` or `key_ops` parameter set and one\n    /// of these parameters indicates that this key MAY NOT be used for signing\n    /// or verifying\n    #[error(\"key not allowed for signing\")]\n    OperationNotAllowed,\n    /// The algorithm can't be used with the provided [`JsonWebKeyType`]\n    #[error(\"this algorithm can't be used together with this JsonWebKey\")]\n    InvalidAlgorithm,\n    /// The provided [`JsonWebKeyType`] did not contain a [private\n    /// key](super::Private) which is needed by [`JwkSigner`] to create\n    /// signatures.\n    #[error(\"found variant which has no private key\")]\n    NoPrivateKey,\n    /// See the documentation of [`FromOctetSequenceError`] for details.\n    ///\n    /// Usually, [`FromOctetSequenceError::InvalidLength`] shouldn't be returend\n    /// since the key already exists at this point.\n    #[error(transparent)]\n    OctetSequence(#[from] FromOctetSequenceError),\n}\n\nimpl From\u003cInvalidSigningAlgorithmError\u003e for FromJwkError {\n    fn from(_: InvalidSigningAlgorithmError) -\u003e Self {\n        Self::InvalidAlgorithm\n    }\n}\n\n/// Abstract type with a variant for each [`Signer`]\n#[derive(Debug)]\nenum InnerSigner {\n    // symmetric algorithms\n    Hs256(hmac::Key\u003chmac::Hs256\u003e),\n    Hs384(hmac::Key\u003chmac::Hs384\u003e),\n    Hs512(hmac::Key\u003chmac::Hs512\u003e),\n    // asymmetric algorithms\n    Rsa(rsa::Signer),\n\n    Es256(ec::P256Signer),\n    Es384(ec::P384Signer),\n    Es512(ec::P521Signer),\n    Secp256k1(ec::Secp256k1Signer),\n\n    Ed25519(okp::Ed25519Signer),\n    Ed448(okp::Ed448Signer),\n}\n","traces":[{"line":62,"address":[],"length":0,"stats":{"Line":0}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":67,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":0}},{"line":79,"address":[],"length":0,"stats":{"Line":0}},{"line":80,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":85,"address":[],"length":0,"stats":{"Line":0}},{"line":86,"address":[],"length":0,"stats":{"Line":0}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":105,"address":[],"length":0,"stats":{"Line":0}},{"line":106,"address":[],"length":0,"stats":{"Line":0}},{"line":115,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":126,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":130,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":133,"address":[],"length":0,"stats":{"Line":0}},{"line":137,"address":[],"length":0,"stats":{"Line":0}},{"line":138,"address":[],"length":0,"stats":{"Line":0}},{"line":139,"address":[],"length":0,"stats":{"Line":0}},{"line":140,"address":[],"length":0,"stats":{"Line":0}},{"line":141,"address":[],"length":0,"stats":{"Line":0}},{"line":142,"address":[],"length":0,"stats":{"Line":0}},{"line":143,"address":[],"length":0,"stats":{"Line":0}},{"line":144,"address":[],"length":0,"stats":{"Line":0}},{"line":145,"address":[],"length":0,"stats":{"Line":0}},{"line":146,"address":[],"length":0,"stats":{"Line":0}},{"line":147,"address":[],"length":0,"stats":{"Line":0}},{"line":151,"address":[],"length":0,"stats":{"Line":0}},{"line":152,"address":[],"length":0,"stats":{"Line":0}},{"line":167,"address":[],"length":0,"stats":{"Line":0}},{"line":168,"address":[],"length":0,"stats":{"Line":0}},{"line":170,"address":[],"length":0,"stats":{"Line":0}},{"line":172,"address":[],"length":0,"stats":{"Line":0}},{"line":173,"address":[],"length":0,"stats":{"Line":0}},{"line":174,"address":[],"length":0,"stats":{"Line":0}},{"line":175,"address":[],"length":0,"stats":{"Line":0}},{"line":187,"address":[],"length":0,"stats":{"Line":0}},{"line":191,"address":[],"length":0,"stats":{"Line":0}},{"line":192,"address":[],"length":0,"stats":{"Line":0}},{"line":193,"address":[],"length":0,"stats":{"Line":0}},{"line":194,"address":[],"length":0,"stats":{"Line":0}},{"line":197,"address":[],"length":0,"stats":{"Line":0}},{"line":198,"address":[],"length":0,"stats":{"Line":0}},{"line":199,"address":[],"length":0,"stats":{"Line":0}},{"line":200,"address":[],"length":0,"stats":{"Line":0}},{"line":203,"address":[],"length":0,"stats":{"Line":0}},{"line":204,"address":[],"length":0,"stats":{"Line":0}},{"line":205,"address":[],"length":0,"stats":{"Line":0}},{"line":207,"address":[],"length":0,"stats":{"Line":0}},{"line":239,"address":[],"length":0,"stats":{"Line":0}},{"line":240,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":77},{"path":["/","home","stu","dev","rust","jose","src","jwk","symmetric.rs"],"content":"//! Symmetric cryptography for JWS and JWE\n\nuse alloc::string::String;\n\nuse secrecy::{ExposeSecret, SecretBox};\nuse serde::{de::Error, Deserialize, Deserializer, Serialize};\nuse subtle::ConstantTimeEq;\nuse zeroize::Zeroize;\n\nuse super::thumbprint::{self, Thumbprint};\nuse crate::{base64_url::Base64UrlBytes, jws::InvalidSigningAlgorithmError};\n\n/// Symmetric Keys\n///\n/// Symmetric keys only have a secret value, therefore, they MUST only be used\n/// in a protected environment.\n/// For example, with a symmetric key, checking the validity of a\n/// [`JsonWebSignature`](crate::JsonWebSignature) cannot be done on the client\n/// side, because it leaks the key and the client can then create own\n/// signatures.\n///\n/// See \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-6.4\u003e\n#[non_exhaustive]\n#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize, Hash)]\n#[serde(untagged)]\npub enum SymmetricJsonWebKey {\n    /// `oct` \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-6.4\u003e\n    OctetSequence(OctetSequence),\n}\n\nimpl crate::sealed::Sealed for SymmetricJsonWebKey {}\nimpl Thumbprint for SymmetricJsonWebKey {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            SymmetricJsonWebKey::OctetSequence(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\n/// [`OctetSequence`] is the simplest and only available\n/// [`SymmetricJsonWebKey`].\n///\n/// However, because its length is not defined, it cannot be generated directly.\n/// Instead, you should use [`HmacKey\u003cH\u003e`](crate::crypto::hmac::Key)\n/// with the appropriate key size, for example\n/// [`Hs512`](crate::crypto::hmac::Hs512) and then, if needed, convert\n/// it to a [`JsonWebKey`](crate::JsonWebKey) using\n/// [`IntoJsonWebKey`](crate::jwk::IntoJsonWebKey).\n///\n/// \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-6.4.1\u003e\n#[derive(Debug, Clone, Zeroize)]\npub struct OctetSequence(SecretBox\u003c[u8]\u003e);\n\nimpl OctetSequence {\n    pub(crate) fn new(x: SecretBox\u003c[u8]\u003e) -\u003e Self {\n        Self(x)\n    }\n\n    /// Returns the bytes of this octet sequence.\n    pub(crate) fn bytes(\u0026self) -\u003e \u0026SecretBox\u003c[u8]\u003e {\n        \u0026self.0\n    }\n\n    /// Returns the bytes of this octet sequence.\n    pub(crate) fn into_bytes(self) -\u003e SecretBox\u003c[u8]\u003e {\n        self.0\n    }\n\n    /// Returns the number of bytes that are in this octet sequence.\n    #[inline]\n    pub fn len(\u0026self) -\u003e usize {\n        self.0.expose_secret().len()\n    }\n\n    /// Returns `true` if this octet sequence has a length of zero.\n    #[inline]\n    pub fn is_empty(\u0026self) -\u003e bool {\n        self.len() == 0\n    }\n}\n\nimpl PartialEq for OctetSequence {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        bool::from(self.0.expose_secret().ct_eq(other.0.expose_secret()))\n    }\n}\nimpl Eq for OctetSequence {}\n\nimpl crate::sealed::Sealed for OctetSequence {}\nimpl Thumbprint for OctetSequence {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        thumbprint::serialize_key_thumbprint(self)\n    }\n}\n\nimpl From\u003cSymmetricJsonWebKey\u003e for super::JsonWebKeyType {\n    fn from(x: SymmetricJsonWebKey) -\u003e Self {\n        super::JsonWebKeyType::Symmetric(x)\n    }\n}\n\nimpl From\u003cOctetSequence\u003e for super::JsonWebKeyType {\n    fn from(x: OctetSequence) -\u003e Self {\n        super::JsonWebKeyType::Symmetric(SymmetricJsonWebKey::OctetSequence(x))\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for OctetSequence {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        #[derive(Deserialize)]\n        struct Repr {\n            kty: String,\n            k: Base64UrlBytes,\n        }\n\n        let repr = Repr::deserialize(deserializer)?;\n        if repr.kty != \"oct\" {\n            return Err(D::Error::custom(\"`kty` field is required to be `oct`\"));\n        }\n        Ok(Self(SecretBox::new(repr.k.0.into_boxed_slice())))\n    }\n}\n\nimpl Serialize for OctetSequence {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        #[derive(Serialize)]\n        struct Repr\u003c'a\u003e {\n            kty: \u0026'static str,\n            k: \u0026'a Base64UrlBytes,\n        }\n        Repr {\n            kty: \"oct\",\n            k: \u0026Base64UrlBytes(self.0.expose_secret().to_vec()),\n        }\n        .serialize(serializer)\n    }\n}\n\n/// An error that can occur when creating an\n/// [`HmacKey`](crate::crypto::hmac::Key) from an [`OctetSequence`].\n#[derive(Debug, thiserror::Error)]\npub enum FromOctetSequenceError {\n    /// An invalid signing algorithm was used\n    #[error(transparent)]\n    InvalidSigningAlgorithm(#[from] InvalidSigningAlgorithmError),\n\n    /// A key from which a signer should've been created had an invalid length\n    #[error(\"the length of the is invalid\")]\n    InvalidLength,\n\n    /// Crypto backend threw an unknown error.\n    #[error(\"the crypto backend failed\")]\n    Crypto(\n        #[from]\n        #[source]\n        crate::crypto::Error,\n    ),\n}\n","traces":[{"line":33,"address":[],"length":0,"stats":{"Line":6}},{"line":34,"address":[],"length":0,"stats":{"Line":6}},{"line":35,"address":[],"length":0,"stats":{"Line":6}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":61,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":1}},{"line":72,"address":[],"length":0,"stats":{"Line":1}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":3}},{"line":84,"address":[],"length":0,"stats":{"Line":3}},{"line":91,"address":[],"length":0,"stats":{"Line":6}},{"line":92,"address":[],"length":0,"stats":{"Line":6}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":0}},{"line":109,"address":[],"length":0,"stats":{"Line":65}},{"line":119,"address":[],"length":0,"stats":{"Line":130}},{"line":120,"address":[],"length":0,"stats":{"Line":0}},{"line":121,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":6}},{"line":128,"address":[],"length":0,"stats":{"Line":10}},{"line":139,"address":[],"length":0,"stats":{"Line":10}},{"line":141,"address":[],"length":0,"stats":{"Line":10}}],"covered":15,"coverable":29},{"path":["/","home","stu","dev","rust","jose","src","jwk","thumbprint.rs"],"content":"use alloc::{collections::BTreeMap, string::String};\n\nuse serde::Serialize;\n\nuse crate::sealed::Sealed;\n\n/// This trait is implemented by all key types, and can be used\n/// to compute the thumbprint of any private, public or symmetric key.\n///\n/// If you want to use custom hashing functions, call the\n/// [`Self::thumbprint_prehashed`] method and hash the result yourself.\npub trait Thumbprint: Sealed {\n    /// Compute the thumbprint JSON string of this key.\n    ///\n    /// This method does not perform any hashing, it only returns\n    /// the constructed JSON string, so that it can be hashed\n    /// with some custom hashing algorithm that is not supported\n    /// natively by this crate.\n    ///\n    /// For common hashing methods have a look at these methods:\n    ///\n    /// - SHA256 - [`thumbprint_sha256`](Self::thumbprint_sha256)\n    /// - SHA384 - [`thumbprint_sha384`](Self::thumbprint_sha384)\n    /// - SHA512 - [`thumbprint_sha512`](Self::thumbprint_sha512)\n    ///\n    /// # Errors\n    ///\n    /// This method can fail if the underlying key fails to be serialized.\n    fn thumbprint_prehashed(\u0026self) -\u003e String;\n\n    /// Computes the SHA256-hashed thumbprint of this key.\n    ///\n    /// # Errors\n    ///\n    /// This method can fail if the underlying key fails to be serialized.\n    fn thumbprint_sha256(\u0026self) -\u003e [u8; 32] {\n        let msg = self.thumbprint_prehashed();\n        crate::crypto::sha256(msg.as_bytes())\n    }\n\n    /// Computes the SHA384-hashed thumbprint of this key.\n    ///\n    /// # Errors\n    ///\n    /// This method can fail if the underlying key fails to be serialized.\n    fn thumbprint_sha384(\u0026self) -\u003e [u8; 48] {\n        let msg = self.thumbprint_prehashed();\n        crate::crypto::sha384(msg.as_bytes())\n    }\n\n    /// Computes the SHA512-hashed thumbprint of this key.\n    ///\n    /// # Errors\n    ///\n    /// This method can fail if the underlying key fails to be serialized.\n    fn thumbprint_sha512(\u0026self) -\u003e [u8; 64] {\n        let msg = self.thumbprint_prehashed();\n        crate::crypto::sha512(msg.as_bytes())\n    }\n}\n\npub(crate) fn serialize_key_thumbprint\u003cT: Serialize\u003e(key: \u0026T) -\u003e String {\n    let obj = serde_json::to_value(key).expect(\"serialization of OctetSequence can not fail\");\n\n    let map = match obj {\n        serde_json::Value::Object(map) =\u003e BTreeMap::from_iter(map),\n        _ =\u003e unreachable!(\"all keytypes must serialize to structs\"),\n    };\n\n    serde_json::to_string(\u0026map).expect(\"BTreeMap serialization can not fail\")\n}\n","traces":[{"line":36,"address":[],"length":0,"stats":{"Line":33}},{"line":37,"address":[],"length":0,"stats":{"Line":33}},{"line":38,"address":[],"length":0,"stats":{"Line":33}},{"line":46,"address":[],"length":0,"stats":{"Line":21}},{"line":47,"address":[],"length":0,"stats":{"Line":21}},{"line":48,"address":[],"length":0,"stats":{"Line":21}},{"line":56,"address":[],"length":0,"stats":{"Line":21}},{"line":57,"address":[],"length":0,"stats":{"Line":21}},{"line":58,"address":[],"length":0,"stats":{"Line":21}},{"line":62,"address":[],"length":0,"stats":{"Line":78}},{"line":63,"address":[],"length":0,"stats":{"Line":78}},{"line":65,"address":[],"length":0,"stats":{"Line":156}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":70,"address":[],"length":0,"stats":{"Line":0}}],"covered":12,"coverable":14},{"path":["/","home","stu","dev","rust","jose","src","jwk","verifier.rs"],"content":"use alloc::borrow::ToOwned;\n\nuse super::{\n    private::EcPrivate, public::EcPublic, AsymmetricJsonWebKey, FromJwkError, FromKey, OkpPrivate,\n    OkpPublic, Private, Public, SymmetricJsonWebKey,\n};\nuse crate::{\n    crypto::{ec, hmac, okp, rsa},\n    jwa::{Hmac, JsonWebAlgorithm, JsonWebSigningAlgorithm},\n    jwk::{\n        policy::{Checked, CryptographicOperation, Policy},\n        JsonWebKeyType,\n    },\n    jws::{IntoVerifier, InvalidSigningAlgorithmError, Verifier, VerifyError},\n    JsonWebKey,\n};\n#[derive(Debug)]\n/// An abstract [`Verifier`] over all possible [key types](JsonWebKeyType)\npub struct JwkVerifier {\n    inner: InnerVerifier,\n}\n\nimpl JwkVerifier {\n    /// Create a [`JwkVerifier`] from a [`JsonWebKeyType`] used with the\n    /// provided [`JsonWebAlgorithm`].\n    ///\n    /// # Errors\n    ///\n    /// This function returns an error if the provided [`JsonWebAlgorithm`] and\n    /// the actual [`JsonWebKeyType`] don't match. Since this type is the\n    /// counterpart to [`JwkSigner`](super::JwkSigner) it behaves almost\n    /// identical. See it's error documentation for details.\n    pub fn new(key: JsonWebKeyType, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cSelf, FromJwkError\u003e {\n        Ok(Self {\n            inner: match key {\n                JsonWebKeyType::Asymmetric(key) =\u003e match *key {\n                    AsymmetricJsonWebKey::Public(key) =\u003e match key {\n                        Public::Ec(key) =\u003e match key {\n                            EcPublic::P256(key) =\u003e InnerVerifier::Es256(key.into_verifier(alg)?),\n                            EcPublic::P384(key) =\u003e InnerVerifier::Es384(key.into_verifier(alg)?),\n                            EcPublic::P521(key) =\u003e InnerVerifier::Es512(key.into_verifier(alg)?),\n                            EcPublic::Secp256k1(key) =\u003e {\n                                InnerVerifier::Secp256k1(key.into_verifier(alg)?)\n                            }\n                        },\n                        Public::Rsa(key) =\u003e InnerVerifier::Rsa(key.into_verifier(alg)?),\n                        Public::Okp(key) =\u003e match key {\n                            OkpPublic::Ed25519(key) =\u003e {\n                                InnerVerifier::Ed25519(key.into_verifier(alg)?)\n                            }\n                            OkpPublic::Ed448(key) =\u003e InnerVerifier::Ed448(key.into_verifier(alg)?),\n                        },\n                    },\n                    AsymmetricJsonWebKey::Private(key) =\u003e match key {\n                        Private::Ec(key) =\u003e match key {\n                            EcPrivate::P256(key) =\u003e InnerVerifier::Es256(key.into_verifier(alg)?),\n                            EcPrivate::P384(key) =\u003e InnerVerifier::Es384(key.into_verifier(alg)?),\n                            EcPrivate::P521(key) =\u003e InnerVerifier::Es512(key.into_verifier(alg)?),\n                            EcPrivate::Secp256k1(key) =\u003e {\n                                InnerVerifier::Secp256k1(key.into_verifier(alg)?)\n                            }\n                        },\n                        Private::Rsa(key) =\u003e InnerVerifier::Rsa((*key).into_verifier(alg)?),\n                        Private::Okp(key) =\u003e match key {\n                            OkpPrivate::Ed25519(key) =\u003e {\n                                InnerVerifier::Ed25519(key.into_verifier(alg)?)\n                            }\n                            OkpPrivate::Ed448(key) =\u003e InnerVerifier::Ed448(key.into_verifier(alg)?),\n                        },\n                    },\n                },\n                JsonWebKeyType::Symmetric(key) =\u003e match key {\n                    SymmetricJsonWebKey::OctetSequence(ref key) =\u003e match alg {\n                        JsonWebSigningAlgorithm::Hmac(hs) =\u003e match hs {\n                            Hmac::Hs256 =\u003e InnerVerifier::Hs256(key.into_verifier(alg)?),\n                            Hmac::Hs384 =\u003e InnerVerifier::Hs384(key.into_verifier(alg)?),\n                            Hmac::Hs512 =\u003e InnerVerifier::Hs512(key.into_verifier(alg)?),\n                        },\n                        _ =\u003e Err(InvalidSigningAlgorithmError)?,\n                    },\n                },\n            },\n        })\n    }\n}\n\nimpl Verifier for JwkVerifier {\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), VerifyError\u003e {\n        match \u0026mut self.inner {\n            InnerVerifier::Hs256(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Hs384(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Hs512(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Rsa(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Es256(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Es384(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Es512(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Secp256k1(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Ed448(verifier) =\u003e verifier.verify(msg, signature),\n            InnerVerifier::Ed25519(verifier) =\u003e verifier.verify(msg, signature),\n        }\n    }\n}\n\nimpl\u003cT, P\u003e FromKey\u003cChecked\u003cJsonWebKey\u003cT\u003e, P\u003e\u003e for JwkVerifier\nwhere\n    P: Policy,\n{\n    type Error = FromJwkError;\n\n    /// Create a [`JwkVerifier`] form a [`JsonWebKey`] overwriting\n    /// [`JsonWebKey::algorithm`] with `alg`.\n    fn from_key(\n        jwk: Checked\u003cJsonWebKey\u003cT\u003e, P\u003e,\n        alg: JsonWebAlgorithm,\n    ) -\u003e Result\u003cSelf, Self::Error\u003e {\n        if let Some(usage) = jwk.key_usage() {\n            jwk.policy()\n                .may_perform_operation_key_use(CryptographicOperation::Verify, usage)\n                .map_err(|_| FromJwkError::OperationNotAllowed)?\n        }\n\n        if let Some(ops) = jwk.key_operations() {\n            jwk.policy()\n                .may_perform_operation_key_ops(CryptographicOperation::Verify, ops)\n                .map_err(|_| FromJwkError::OperationNotAllowed)?\n        }\n\n        match alg {\n            JsonWebAlgorithm::Encryption(..) | JsonWebAlgorithm::Other(..) =\u003e {\n                Err(FromJwkError::InvalidAlgorithm)\n            }\n            JsonWebAlgorithm::Signing(alg) =\u003e Self::new(jwk.into_type().key_type, alg),\n        }\n    }\n}\n\nimpl\u003cT, P\u003e TryFrom\u003cChecked\u003cJsonWebKey\u003cT\u003e, P\u003e\u003e for JwkVerifier\nwhere\n    P: Policy,\n{\n    type Error = FromJwkError;\n\n    /// Create a [`JwkVerifier`] from a [`JsonWebKey`]\n    ///\n    /// # Errors\n    ///\n    /// This conversion fails if [`JsonWebKey::algorithm`] is [`None`]\n    fn try_from(jwk: Checked\u003cJsonWebKey\u003cT\u003e, P\u003e) -\u003e Result\u003cSelf, Self::Error\u003e {\n        let alg = jwk\n            .algorithm()\n            .ok_or(FromJwkError::InvalidAlgorithm)?\n            .to_owned();\n        JwkVerifier::from_key(jwk, alg)\n    }\n}\n/// Abstract type with a variant for each [`Verifier`]\n#[derive(Debug)]\nenum InnerVerifier {\n    // symmetric algorithms\n    Hs256(hmac::Key\u003chmac::Hs256\u003e),\n    Hs384(hmac::Key\u003chmac::Hs384\u003e),\n    Hs512(hmac::Key\u003chmac::Hs512\u003e),\n    // asymmetric algorithms\n    Rsa(rsa::Verifier),\n\n    Es256(ec::P256Verifier),\n    Es384(ec::P384Verifier),\n    Es512(ec::P521Verifier),\n    Secp256k1(ec::Secp256k1Verifier),\n\n    Ed25519(okp::Ed25519Verifier),\n    Ed448(okp::Ed448Verifier),\n}\n","traces":[{"line":33,"address":[],"length":0,"stats":{"Line":0}},{"line":34,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":37,"address":[],"length":0,"stats":{"Line":0}},{"line":38,"address":[],"length":0,"stats":{"Line":0}},{"line":39,"address":[],"length":0,"stats":{"Line":0}},{"line":40,"address":[],"length":0,"stats":{"Line":0}},{"line":41,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":43,"address":[],"length":0,"stats":{"Line":0}},{"line":46,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":49,"address":[],"length":0,"stats":{"Line":0}},{"line":51,"address":[],"length":0,"stats":{"Line":0}},{"line":54,"address":[],"length":0,"stats":{"Line":0}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":58,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":74,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":77,"address":[],"length":0,"stats":{"Line":0}},{"line":79,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":90,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":94,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":116,"address":[],"length":0,"stats":{"Line":0}},{"line":117,"address":[],"length":0,"stats":{"Line":0}},{"line":118,"address":[],"length":0,"stats":{"Line":0}},{"line":119,"address":[],"length":0,"stats":{"Line":0}},{"line":122,"address":[],"length":0,"stats":{"Line":0}},{"line":123,"address":[],"length":0,"stats":{"Line":0}},{"line":124,"address":[],"length":0,"stats":{"Line":0}},{"line":125,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":130,"address":[],"length":0,"stats":{"Line":0}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":148,"address":[],"length":0,"stats":{"Line":0}},{"line":149,"address":[],"length":0,"stats":{"Line":0}},{"line":151,"address":[],"length":0,"stats":{"Line":0}},{"line":153,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":64},{"path":["/","home","stu","dev","rust","jose","src","jwk.rs"],"content":"//! [`JsonWebKey`] and connected things\n\nuse alloc::{boxed::Box, string::String, vec, vec::Vec};\nuse core::{\n    fmt::Debug,\n    ops::{ControlFlow, Deref},\n};\n\nuse hashbrown::HashSet;\nuse serde::{de::DeserializeOwned, Deserialize, Serialize};\n\nuse crate::{\n    crypto::hmac::{self, Variant as _},\n    jwa::{\n        AesGcm, AesKw, EcDSA, Hmac, JsonWebAlgorithm, JsonWebEncryptionAlgorithm,\n        JsonWebSigningAlgorithm, Pbes2,\n    },\n    sealed::Sealed,\n    uri::BorrowedUri,\n    UntypedAdditionalProperties, Uri,\n};\n\npub mod symmetric;\n\nmod asymmetric;\nmod builder;\nmod key_ops;\nmod key_use;\npub mod policy;\nmod private;\nmod public;\npub(crate) mod serde_impl;\nmod signer;\npub(crate) mod thumbprint;\nmod verifier;\n\n#[doc(inline)]\npub use self::{\n    asymmetric::AsymmetricJsonWebKey,\n    builder::{JsonWebKeyBuildError, JsonWebKeyBuilder},\n    key_ops::KeyOperation,\n    key_use::KeyUsage,\n    private::{EcPrivate, OkpPrivate, Private},\n    public::{EcPublic, OkpPublic, Public},\n    signer::{FromJwkError, JwkSigner},\n    symmetric::SymmetricJsonWebKey,\n    thumbprint::Thumbprint,\n    verifier::JwkVerifier,\n};\nuse self::{\n    policy::{Checkable, Checked, CryptographicOperation, Policy, PolicyError as _},\n    serde_impl::Base64DerCertificate,\n};\n\n/// A [`JsonWebKey`] is a [JSON Object](serde_json::Value::Object) representing\n/// the components of a cryptographic keys that can be used for\n/// [JWE](crate::jwe::JsonWebEncryption) and\n/// [JWS](crate::jws::JsonWebSignature).\n///\n/// The format of Json Web Keys is defined in [RFC 7517] with key specific\n/// parameters defined in [section 6 of RFC 7518]. The [`JsonWebKey`] struct is\n/// an abstract representation of all possible key types. The [`JsonWebKeyType`]\n/// enum is used to specialize on concrete key type.\n///\n/// # Comparison and equality\n///\n/// It is not defined how to determine if a [`JsonWebKey`] is [equal](PartialEq)\n/// to another. Therefore, [`JsonWebKey`] *does not* implement [`PartialEq`].\n/// If you want to compare a [`JsonWebKey`], you should either use something\n/// like the [`kid`](JsonWebKey::key_id) parameter or a [`Thumbprint`] of\n/// the key (or ideally, a [`Thumbprint`] as [`kid`](JsonWebKey::key_id)).\n///\n/// You should *avoid* comparing the serialized form of a [`JsonWebKey`] as it\n/// may contain optional parameters, which may not always be present and would\n/// lead to unexpected results.\n///\n/// # Examples\n///\n/// Parse a JsonWebKey from its json representation:\n///\n/// ```\n/// # // std is available in tests\n/// # fn main() -\u003e Result\u003c(), Box\u003cdyn std::error::Error\u003e\u003e {\n/// use jose::{jwk::KeyUsage, JsonWebKey};\n///\n/// // The following json object represents a RSA key used for signing\n/// let json = r#\"\n/// {\n///  \"kty\": \"RSA\",\n///  \"kid\": \"bilbo.baggins@hobbiton.example\",\n///  \"use\": \"sig\",\n///  \"n\": \"n4EPtAOCc9AlkeQHPzHStgAbgs7bTZLwUBZdR8_KuKPEHLd4rHVTeT-O-XV2jRojdNhxJWTDvNd7nqQ0VEiZQHz_AJmSCpMaJMRBSFKrKb2wqVwGU_NsYOYL-QtiWN2lbzcEe6XC0dApr5ydQLrHqkHHig3RBordaZ6Aj-oBHqFEHYpPe7Tpe-OfVfHd1E6cS6M1FZcD1NNLYD5lFHpPI9bTwJlsde3uhGqC0ZCuEHg8lhzwOHrtIQbS0FVbb9k3-tVTU4fg_3L_vniUFAKwuCLqKnS2BYwdq_mzSnbLY7h_qixoR7jig3__kRhuaxwUkRz5iaiQkqgc5gHdrNP5zw\",\n///  \"e\": \"AQAB\"\n/// }\"#;\n///\n/// // deserialize the key from it's json representation using serde_json\n/// let jwk: JsonWebKey = serde_json::from_str(json)?;\n///\n/// // You can use the JsonWebKey to access parameters defined by the spec.\n/// // For example, we might want to ensure that this key is for signing by\n/// // checking the `use` parameter\n/// assert_eq!(jwk.key_usage(), Some(\u0026KeyUsage::Signing));\n/// # Ok(())\n/// # }\n/// ```\n///\n/// ## Additional parameters\n///\n/// The spec allows custom/additional parameters that are not registered in the\n/// [IANA `JSON Web Key Parameters` registry]. The `A` generic parameter of\n/// [`JsonWebKey\u003cA\u003e`] allows you to bring your own type to do just that.\n///\n/// To do so, create a container type that holds all your parameters (and maybe\n/// even another container).\n/// Imagine we have a custom parameter `intended_party` which holds a [`String`]\n/// identifying the application which should use the [`JsonWebKey`]:\n///\n/// ```\n/// # fn main() -\u003e Result\u003c(), Box\u003cdyn std::error::Error\u003e\u003e {\n/// use jose::JsonWebKey;\n/// use serde::{Deserialize, Serialize};\n///\n/// // don't forget to derive or implement the serde traits since they are used for (de)serialization\n/// #[derive(Deserialize, Serialize)]\n/// struct MyCustomParameters {\n///     intended_party: String,\n/// }\n///\n/// /// A type alias so we dont have to type so much\n/// type MyJsonWebKey = JsonWebKey\u003cMyCustomParameters\u003e;\n///\n/// // consider the same key as before but this time it needs our custom parameter `intended_party`\n/// let json = r#\"\n/// {\n///  \"intended_party\": \"my_application\",\n///  \"kty\": \"RSA\",\n///  \"kid\": \"bilbo.baggins@hobbiton.example\",\n///  \"use\": \"sig\",\n///  \"n\": \"n4EPtAOCc9AlkeQHPzHStgAbgs7bTZLwUBZdR8_KuKPEHLd4rHVTeT-O-XV2jRojdNhxJWTDvNd7nqQ0VEiZQHz_AJmSCpMaJMRBSFKrKb2wqVwGU_NsYOYL-QtiWN2lbzcEe6XC0dApr5ydQLrHqkHHig3RBordaZ6Aj-oBHqFEHYpPe7Tpe-OfVfHd1E6cS6M1FZcD1NNLYD5lFHpPI9bTwJlsde3uhGqC0ZCuEHg8lhzwOHrtIQbS0FVbb9k3-tVTU4fg_3L_vniUFAKwuCLqKnS2BYwdq_mzSnbLY7h_qixoR7jig3__kRhuaxwUkRz5iaiQkqgc5gHdrNP5zw\",\n///  \"e\": \"AQAB\"\n/// }\"#;\n///\n/// let jwk: MyJsonWebKey = serde_json::from_str(json)?;\n///\n/// // access the custom parameter\n/// assert_eq!(\"my_application\", jwk.additional().intended_party.as_str());\n/// # Ok(())\n/// # }\n/// ```\n///\n/// ### Implementing [`Checkable`] for your additional type\n///\n/// The [`Checkable`] trait should be implemented by types that can utilize some\n/// (potentially expensive) checks to ensure their validity optionally using a\n/// [`Policy`]. For example, [`JsonWebKey`] implements the [`Checkable`] trait\n/// to validate some parameters which can't be validated during deserialization.\n///\n/// For [`JsonWebKey`] to implement [`Checkable`], your additional type also\n/// needs to implement [`Checkable`]. If we recall the example from before, we\n/// might want to ensure that our `intended_party` parameter containts only\n/// ascii characters. An implementation for that purpose might look like this:\n/// ```\n/// # fn main() -\u003e Result\u003c(), Box\u003cdyn std::error::Error\u003e\u003e {\n/// use jose::jwk::policy::{Checkable, Checked, Policy, PolicyError};\n/// use serde::{Deserialize, Serialize};\n/// // our type from before\n/// #[derive(Deserialize, Serialize)]\n/// struct MyCustomParameters {\n///     intended_party: String,\n/// }\n///\n/// impl Checkable for MyCustomParameters {\n///     fn check\u003cP: Policy\u003e(self, policy: P) -\u003e Result\u003cChecked\u003cSelf, P\u003e, (Self, P::Error)\u003e {\n///         if self.intended_party.is_ascii() {\n///             Ok(Checked::new(self, policy))\n///         } else {\n///             Err((\n///                 self,\n///                 \u003cP::Error as PolicyError\u003e::custom(\n///                     \"`intended_party` parameter must contain ascii characters only\",\n///                 ),\n///             ))\n///         }\n///     }\n/// }\n/// # Ok(())\n/// # }\n/// ```\n///\n/// [RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517\u003e\n/// [section 6 of RFC 7518]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-6\u003e\n/// [IANA `Json Web Key Parameters` registry]: \u003chttps://www.iana.org/assignments/jose/jose.xhtml#web-key-parameters\u003e\n#[derive(Debug, Deserialize, Serialize, Clone)]\npub struct JsonWebKey\u003cA = ()\u003e {\n    /// Additional members in the JWK as permitted by the fourth paragraph of\n    /// [section 4]\n    ///\n    /// [section 4]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4\u003e\n    // Note: `A` is first because otherwise it is possible to overwrite parameters set by us\n    #[serde(flatten)]\n    additional: A,\n    /// `kty` parameter section 4.1\n    /// Note that the [`JsonWebKeyType`] enum does way more than just\n    /// checking/storing the `kty` parameter\n    #[serde(flatten)]\n    key_type: JsonWebKeyType,\n    /// `use` parameter section 4.2\n    #[serde(rename = \"use\", skip_serializing_if = \"Option::is_none\")]\n    key_use: Option\u003cKeyUsage\u003e,\n    /// `key_ops` parameter section 4.3\n    #[serde(\n        deserialize_with = \"serde_impl::deserialize_ensure_set\",\n        rename = \"key_ops\",\n        skip_serializing_if = \"Option::is_none\",\n        // default needed because else serde will error if the `key_ops` parameter is not present\n        default\n    )]\n    key_operations: Option\u003cHashSet\u003cKeyOperation\u003e\u003e,\n    /// `alg` parameter section 4.4\n    #[serde(rename = \"alg\", skip_serializing_if = \"Option::is_none\")]\n    algorithm: Option\u003cJsonWebAlgorithm\u003e,\n    /// `kid` parameter section 4.4\n    // FIXME: Consider an enum if this value is a valid JWK Thumbprint,\n    // see \u003chttps://www.rfc-editor.org/rfc/rfc7638\u003e\n    #[serde(skip_serializing_if = \"Option::is_none\")]\n    kid: Option\u003cString\u003e,\n    /// `x5u` parameter section 4.6\n    // FIXME: considerung to ensure the protocol\n    // uses TLS or some other form of integrity protection.\n    // There are other things to consider, see the relevant section in the RFC.\n    #[serde(rename = \"x5u\", skip_serializing_if = \"Option::is_none\")]\n    x509_url: Option\u003cUri\u003e,\n    /// `x5c` parameter section 4.7\n    // If the `x5c` parameter is not present, this will be an empty Vec\n    // FIXME: find a good way and crate to parse the DER-encoded X.509 certificate(s)\n    #[serde(rename = \"x5c\", skip_serializing_if = \"Vec::is_empty\", default)]\n    x509_certificate_chain: Vec\u003cBase64DerCertificate\u003e,\n    /// `x5t` parameter section 4.8\n    #[serde(\n        serialize_with = \"serde_impl::serialize_ga_sha1\",\n        deserialize_with = \"serde_impl::deserialize_ga_sha1\",\n        rename = \"x5t\",\n        default,\n        skip_serializing_if = \"Option::is_none\"\n    )]\n    x509_certificate_sha1_thumbprint: Option\u003c[u8; 20]\u003e,\n    /// `x5t#S256` parameter section 4.9\n    #[serde(\n        serialize_with = \"serde_impl::serialize_ga_sha256\",\n        deserialize_with = \"serde_impl::deserialize_ga_sha256\",\n        rename = \"x5t#S256\",\n        default,\n        skip_serializing_if = \"Option::is_none\"\n    )]\n    x509_certificate_sha256_thumbprint: Option\u003c[u8; 32]\u003e,\n}\n\nimpl JsonWebKey\u003c()\u003e {\n    pub(crate) fn new_with_algorithm(\n        key_type: JsonWebKeyType,\n        alg: Option\u003cJsonWebAlgorithm\u003e,\n    ) -\u003e Self {\n        Self {\n            key_type,\n            key_use: None,\n            key_operations: None,\n            algorithm: alg,\n            kid: None,\n            x509_url: None,\n            x509_certificate_chain: vec![],\n            x509_certificate_sha1_thumbprint: None,\n            x509_certificate_sha256_thumbprint: None,\n            additional: (),\n        }\n    }\n}\n\nimpl JsonWebKey\u003c()\u003e {\n    /// Create a [`JsonWebKeyBuilder`] to construct a new JWK.\n    pub fn builder(key_type: impl Into\u003cJsonWebKeyType\u003e) -\u003e JsonWebKeyBuilder\u003c()\u003e {\n        JsonWebKeyBuilder::new(key_type)\n    }\n}\n\nimpl\u003cT\u003e JsonWebKey\u003cT\u003e {\n    /// Turn this Json Web Key into a builder to modify it's contents.\n    pub fn into_builder(self) -\u003e JsonWebKeyBuilder\u003cT\u003e {\n        JsonWebKeyBuilder {\n            key_type: self.key_type,\n            key_use: self.key_use,\n            key_operations: self.key_operations,\n            algorithm: self.algorithm,\n            kid: self.kid,\n            x509_url: self.x509_url,\n            x509_certificate_chain: self.x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: self.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: self.x509_certificate_sha256_thumbprint,\n            additional: self.additional,\n        }\n    }\n\n    /// [Section 4.1 of RFC 7517] defines the `kty` (Key Type) Parameter.\n    ///\n    /// Since the `kty` parameter is used to distinguish different key types, we\n    /// use the [`JsonWebKeyType`] to also store key specific data. You can\n    /// match the [`JsonWebKeyType`] to determine the exact key type used.\n    ///\n    /// [Section 4.1 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.1\u003e\n    pub fn key_type(\u0026self) -\u003e \u0026JsonWebKeyType {\n        \u0026self.key_type\n    }\n\n    /// [Section 4.2 of RFC 7517] defines the `use` (Public Key Use) Parameter.\n    ///\n    /// See the documentation of [`KeyUsage`] for details.\n    ///\n    /// [Section 4.2 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.2\u003e\n    pub fn key_usage(\u0026self) -\u003e Option\u003c\u0026KeyUsage\u003e {\n        self.key_use.as_ref()\n    }\n\n    /// [Section 4.3 of RFC 7517] defines the `key_ops` (Key Operations)\n    /// Parameter.\n    ///\n    /// It is a set of different operations a key may perform.\n    /// See the documentation of [`KeyOperation`] for details.\n    ///\n    /// [Section 4.3 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.3\u003e\n    pub fn key_operations(\u0026self) -\u003e Option\u003c\u0026HashSet\u003cKeyOperation\u003e\u003e {\n        self.key_operations.as_ref()\n    }\n\n    /// [Section 4.4 of RFC 7517] defines the `alg` (Algorithm) Parameter.\n    ///\n    /// See the documentation of [`JsonWebAlgorithm`] for details.\n    ///\n    /// [Section 4.4 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.4\u003e\n    pub fn algorithm(\u0026self) -\u003e Option\u003c\u0026JsonWebAlgorithm\u003e {\n        self.algorithm.as_ref()\n    }\n\n    /// [Section 4.5 of RFC 7517] defines the `kid` (Key ID) Parameter.\n    ///\n    /// [Section 4.5 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.5\u003e\n    pub fn key_id(\u0026self) -\u003e Option\u003c\u0026str\u003e {\n        self.kid.as_deref()\n    }\n\n    /// [Section 4.6 of RFC 7517] defines the `x5u` (X.509 URL) Parameter.\n    ///\n    /// [Section 4.6 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.6\u003e\n    pub fn x509_url(\u0026self) -\u003e Option\u003cBorrowedUri\u003c'_\u003e\u003e {\n        self.x509_url.as_ref().map(|x| x.borrow())\n    }\n\n    /// [Section 4.7 of RFC 7517] defines the `x5c` (X.509 Certificate Chain)\n    /// Parameter.\n    ///\n    /// This parameter is a list of X.509 certificates. The first certificate in\n    /// the [`ExactSizeIterator`] returned by this method is the PKIX\n    /// certificate containing the key value as required by the RFC. Note\n    /// that this parameter is OPTIONAL and if not present, this\n    /// [`ExactSizeIterator`] will be empty ([`next`](Iterator::next) will be\n    /// [`None`] and [`len`](ExactSizeIterator::len) will be `0`).\n    ///\n    /// Each [`Item`](Iterator::Item) will be the byte representation of a\n    /// DER-encoded X.509 certificate.\n    ///\n    /// [Section 4.7 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.7\u003e\n    pub fn x509_certificate_chain(\u0026self) -\u003e impl ExactSizeIterator\u003cItem = \u0026[u8]\u003e {\n        self.x509_certificate_chain.iter().map(Deref::deref)\n    }\n\n    /// [Section 4.8 of RFC 7517] defines the `x5t` (X.509 Certificate SHA-1\n    /// Thumbprint) Parameter.\n    ///\n    /// It is the SHA-1 hash of the DER-encoded X.509 certificate.\n    ///\n    /// # Warning: Cryptographically broken!\n    ///\n    /// TL;DR: check if you can use the [SHA-256\n    /// thumbprint](JsonWebKey::x509_certificate_sha256_thumbprint) instead.\n    ///\n    /// The following text is taken from the `sha1` crate: \\\n    /// The SHA-1 hash function should be considered cryptographically broken\n    /// and unsuitable for further use in any security critical capacity, as it\n    /// is [practically vulnerable to chosen-prefix collisions](https://sha-mbles.github.io/).\n    ///\n    /// [Section 4.8 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.8\u003e\n    // replace the hardcoded output size with the Sha1::OutputsizeUser value then\n    // they use const generics\n    pub fn x509_certificate_sha1_thumbprint(\u0026self) -\u003e Option\u003c\u0026[u8; 20]\u003e {\n        self.x509_certificate_sha1_thumbprint.as_ref()\n    }\n\n    /// [Section 4.9 of RFC 7517] defines the `x5t#S256` (X.509 Certificate\n    /// SHA-256 Thumbprint) Parameter.\n    ///\n    /// It is the SHA-256 hash of the DER-encoded X.509 certificate.\n    ///\n    /// [Section 4.9 of RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4.9\u003e\n    pub fn x509_certificate_sha256_thumbprint(\u0026self) -\u003e Option\u003c\u0026[u8; 32]\u003e {\n        self.x509_certificate_sha256_thumbprint.as_ref()\n    }\n\n    /// Additional members in the [`JsonWebKey`] as permitted by the fourth\n    /// paragraph of [section 4 in RFC 7517]\n    ///\n    /// [section 4 in RFC 7517]: \u003chttps://datatracker.ietf.org/doc/html/rfc7517#section-4\u003e\n    pub fn additional(\u0026self) -\u003e \u0026T {\n        \u0026self.additional\n    }\n\n    /// Checks if this [`JsonWebKey`] is a symmetric key.\n    #[inline]\n    pub fn is_symmetric(\u0026self) -\u003e bool {\n        matches!(self.key_type, JsonWebKeyType::Symmetric(_))\n    }\n\n    /// Checks if this [`JsonWebKey`] is an asymmetric key.\n    #[inline]\n    pub fn is_asymmetric(\u0026self) -\u003e bool {\n        matches!(self.key_type, JsonWebKeyType::Asymmetric(_))\n    }\n\n    /// Checks if this [`JsonWebKey`] can be used for signing.\n    ///\n    /// For asymmetric keys, this method is equivalent to checking\n    /// if this key is a private key.\n    /// For symmetric keys, this always returns `true`.\n    #[inline]\n    pub fn is_signing_key(\u0026self) -\u003e bool {\n        match self.key_type() {\n            JsonWebKeyType::Symmetric(_) =\u003e true,\n            JsonWebKeyType::Asymmetric(ref key) =\u003e match \u0026**key {\n                AsymmetricJsonWebKey::Private(_) =\u003e true,\n                AsymmetricJsonWebKey::Public(_) =\u003e false,\n            },\n        }\n    }\n\n    /// Strips the secret material from this [`JsonWebKey`].\n    ///\n    /// After calling this method, the key can safely be shared as it\n    /// only contains the public parts.\n    ///\n    /// For symmetric keys, this method returns [`None`], as symmetric\n    /// keys will always hold the secret material.\n    #[doc(alias = \"strip_private_material\")]\n    pub fn strip_secret_material(mut self) -\u003e Option\u003cSelf\u003e {\n        let key = match self.key_type {\n            JsonWebKeyType::Symmetric(_) =\u003e return None,\n            JsonWebKeyType::Asymmetric(ref key) =\u003e key,\n        };\n\n        match \u0026**key {\n            // public keys are no-ops\n            AsymmetricJsonWebKey::Public(_) =\u003e Some(self),\n            AsymmetricJsonWebKey::Private(Private::Okp(okp)) =\u003e {\n                let key = match okp {\n                    OkpPrivate::Ed25519(key) =\u003e OkpPublic::Ed25519(key.to_public_key()),\n                    OkpPrivate::Ed448(key) =\u003e OkpPublic::Ed448(key.to_public_key()),\n                };\n\n                self.key_type = JsonWebKeyType::Asymmetric(Box::new(AsymmetricJsonWebKey::Public(\n                    Public::Okp(key),\n                )));\n\n                Some(self)\n            }\n            AsymmetricJsonWebKey::Private(Private::Ec(ec)) =\u003e {\n                let pub_key = match ec {\n                    EcPrivate::P256(key) =\u003e EcPublic::P256(key.to_public_key()),\n                    EcPrivate::P384(key) =\u003e EcPublic::P384(key.to_public_key()),\n                    EcPrivate::P521(key) =\u003e EcPublic::P521(key.to_public_key()),\n                    EcPrivate::Secp256k1(key) =\u003e EcPublic::Secp256k1(key.to_public_key()),\n                };\n\n                self.key_type = JsonWebKeyType::Asymmetric(Box::new(AsymmetricJsonWebKey::Public(\n                    Public::Ec(pub_key),\n                )));\n\n                Some(self)\n            }\n            AsymmetricJsonWebKey::Private(Private::Rsa(rsa)) =\u003e {\n                let pub_key = Public::Rsa(rsa.to_public_key());\n\n                self.key_type =\n                    JsonWebKeyType::Asymmetric(Box::new(AsymmetricJsonWebKey::Public(pub_key)));\n\n                Some(self)\n            }\n        }\n    }\n\n    /// Converts this [`JsonWebKey`] into a [`JsonWebKey`] that is only meant to\n    /// be uesd for verifying signatures.\n    ///\n    /// For asymmetric keys, this operation is equivalent to converting a\n    /// private key into it's public key.\n    ///\n    /// For symmetric keys, this operation is a no-op, as the secret material\n    /// can not be removed from the key.\n    #[doc(alias = \"into_public_key\")]\n    pub fn into_verifying_key(mut self) -\u003e Self {\n        match self.key_type {\n            // symmetric keys are no-op\n            JsonWebKeyType::Symmetric(_) =\u003e self,\n            JsonWebKeyType::Asymmetric(ref key) =\u003e match \u0026**key {\n                // public keys are no-ops too\n                AsymmetricJsonWebKey::Public(_) =\u003e self,\n                AsymmetricJsonWebKey::Private(Private::Okp(okp)) =\u003e {\n                    let key = match okp {\n                        OkpPrivate::Ed25519(key) =\u003e OkpPublic::Ed25519(key.to_public_key()),\n                        OkpPrivate::Ed448(key) =\u003e OkpPublic::Ed448(key.to_public_key()),\n                    };\n\n                    self.key_type = JsonWebKeyType::Asymmetric(Box::new(\n                        AsymmetricJsonWebKey::Public(Public::Okp(key)),\n                    ));\n\n                    self\n                }\n                AsymmetricJsonWebKey::Private(Private::Ec(ec)) =\u003e {\n                    let pub_key = match ec {\n                        EcPrivate::P256(key) =\u003e EcPublic::P256(key.to_public_key()),\n                        EcPrivate::P384(key) =\u003e EcPublic::P384(key.to_public_key()),\n                        EcPrivate::P521(key) =\u003e EcPublic::P521(key.to_public_key()),\n                        EcPrivate::Secp256k1(key) =\u003e EcPublic::Secp256k1(key.to_public_key()),\n                    };\n\n                    self.key_type = JsonWebKeyType::Asymmetric(Box::new(\n                        AsymmetricJsonWebKey::Public(Public::Ec(pub_key)),\n                    ));\n\n                    self\n                }\n                AsymmetricJsonWebKey::Private(Private::Rsa(rsa)) =\u003e {\n                    let pub_key = Public::Rsa(rsa.to_public_key());\n\n                    self.key_type =\n                        JsonWebKeyType::Asymmetric(Box::new(AsymmetricJsonWebKey::Public(pub_key)));\n\n                    self\n                }\n            },\n        }\n    }\n}\n\nimpl\u003cT: Serialize\u003e JsonWebKey\u003cT\u003e {\n    /// Converts this [`JsonWebKey`] with custom additional parameters,\n    /// into a [`JsonWebKey`] with untyped additional parameters.\n    ///\n    /// # Errors\n    ///\n    /// This function fails if the serialization of the additional parameters\n    /// failed, or the serialization does not result in a JSON object.\n    pub fn into_untyped_additional(\n        self,\n    ) -\u003e Result\u003cJsonWebKey\u003cUntypedAdditionalProperties\u003e, serde_json::Error\u003e {\n        let value = serde_json::to_value(\u0026self.additional)?;\n        let additional: UntypedAdditionalProperties = serde_json::from_value(value)?;\n\n        Ok(JsonWebKey {\n            additional,\n            key_type: self.key_type,\n            key_use: self.key_use,\n            key_operations: self.key_operations,\n            algorithm: self.algorithm,\n            kid: self.kid,\n            x509_url: self.x509_url,\n            x509_certificate_chain: self.x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: self.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: self.x509_certificate_sha256_thumbprint,\n        })\n    }\n}\n\nimpl JsonWebKey\u003cUntypedAdditionalProperties\u003e {\n    /// Deserializes the additional members of this [`JsonWebKey`]\n    /// to the given type.\n    ///\n    /// # Errors\n    ///\n    /// The given type failed to be deserialized from the additional members.\n    pub fn deserialize_additional\u003cT: DeserializeOwned\u003e(\n        self,\n    ) -\u003e Result\u003cJsonWebKey\u003cT\u003e, serde_json::Error\u003e {\n        let additional = serde_json::from_value(self.additional.into())?;\n\n        Ok(JsonWebKey {\n            additional,\n            key_type: self.key_type,\n            key_use: self.key_use,\n            key_operations: self.key_operations,\n            algorithm: self.algorithm,\n            kid: self.kid,\n            x509_url: self.x509_url,\n            x509_certificate_chain: self.x509_certificate_chain,\n            x509_certificate_sha1_thumbprint: self.x509_certificate_sha1_thumbprint,\n            x509_certificate_sha256_thumbprint: self.x509_certificate_sha256_thumbprint,\n        })\n    }\n}\n\nimpl\u003cT\u003e Checkable for JsonWebKey\u003cT\u003e\nwhere\n    T: Checkable,\n{\n    fn check\u003cP: Policy\u003e(self, policy: P) -\u003e Result\u003cChecked\u003cSelf, P\u003e, (Self, P::Error)\u003e {\n        if let Some(alg) = self.algorithm() {\n            if let Err(e) = policy.algorithm(alg) {\n                return Err((self, e));\n            }\n\n            let operations = match alg {\n                JsonWebAlgorithm::Encryption(..) =\u003e [\n                    CryptographicOperation::Encrypt,\n                    CryptographicOperation::Decrypt,\n                ],\n                JsonWebAlgorithm::Signing(..) =\u003e {\n                    [CryptographicOperation::Sign, CryptographicOperation::Verify]\n                }\n                JsonWebAlgorithm::Other(..) =\u003e {\n                    return Err((self, P::Error::custom(\"specified key algorithm is unknown\")))\n                }\n            };\n            debug_assert!(!operations.is_empty());\n\n            if let Some(key_use) = self.key_usage() {\n                // The following ensures that at least one `operation` is allowed with the\n                // current key usage (returns Ok(())). If Ok(()) is returned, it\n                // short-circuits\n                match operations.iter().try_fold(None, |_, operation| {\n                    match policy.may_perform_operation_key_use(*operation, key_use) {\n                        Ok(_) =\u003e ControlFlow::Break(()),\n                        Err(err) =\u003e ControlFlow::Continue(Some(err)),\n                    }\n                }) {\n                    ControlFlow::Break(_) =\u003e (),\n                    ControlFlow::Continue(err) =\u003e {\n                        return Err((\n                            self,\n                            // Safety\n                            //\n                            // First of, this could use unwrap_unchecked but doesn't since we\n                            // forbid unsafe code in this crate. However, it would be safe,\n                            // because: the call to the Policy returns\n                            // Result\u003c(), err\u003e and if it's Ok, it\n                            // will break and this branch will never get called. If the call\n                            // failed, the inital state of `None` will be set to\n                            // Continue(Some(err)), which will be the value in this branch\n                            err.expect(\"at least one call has been made to the Policy\"),\n                        ));\n                    }\n                }\n            }\n\n            if let Some(key_ops) = self.key_operations() {\n                // The following ensures tthat at loeast one `operation` is allowed with the\n                // current key operations. If Ok(()) is returned, it short-circuits.\n                // For example, a key might have a signing algorithm, but only\n                // `KeyOperation::Verify` is set since it is a public key and can't perform\n                // signing operations. In this case, it has the same signing algorithm.\n                match operations.iter().try_fold(None, |_, operation| {\n                    match policy.may_perform_operation_key_ops(*operation, key_ops) {\n                        Ok(_) =\u003e ControlFlow::Break(()),\n                        Err(err) =\u003e ControlFlow::Continue(Some(err)),\n                    }\n                }) {\n                    ControlFlow::Break(_) =\u003e (),\n                    ControlFlow::Continue(err) =\u003e {\n                        return Err((\n                            self,\n                            // Same rules as for the code with `key_usage` from above apply.\n                            err.expect(\"at leat one call has been made to the Policy\"),\n                        ));\n                    }\n                }\n            }\n        }\n\n        if let (Some(key_use), Some(key_ops)) = (self.key_usage(), self.key_operations()) {\n            if let Err(e) = policy.compare_key_ops_and_use(key_use, key_ops) {\n                return Err((self, e));\n            }\n        }\n\n        match self.additional.check(policy) {\n            Err(e) =\u003e Err((\n                Self {\n                    additional: e.0,\n                    ..self\n                },\n                e.1,\n            )),\n            Ok(o) =\u003e {\n                let (additional, p) = o.into_inner();\n                Ok(Checked::new(Self { additional, ..self }, p))\n            }\n        }\n    }\n}\n\nimpl Sealed for JsonWebKey {}\nimpl Thumbprint for JsonWebKey {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        self.key_type().thumbprint_prehashed()\n    }\n}\n\n/// A [`JsonWebKey`] represents a cryptographic key. It can either be symmetric\n/// or asymmetric. In the latter case, it can store public or private\n/// information about the key. This enum represents the key types as defined in\n/// [RFC 7518 section 6].\n///\n/// [RFC 7518 section 6]: \u003chttps://datatracker.ietf.org/doc/html/rfc7518#section-6\u003e\n#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize, Hash)]\n#[serde(untagged)]\npub enum JsonWebKeyType {\n    /// A symmetric cryptographic key\n    Symmetric(SymmetricJsonWebKey),\n    /// An asymmetric cryptographic key\n    Asymmetric(Box\u003cAsymmetricJsonWebKey\u003e),\n}\n\nimpl Sealed for JsonWebKeyType {}\nimpl Thumbprint for JsonWebKeyType {\n    fn thumbprint_prehashed(\u0026self) -\u003e String {\n        match self {\n            JsonWebKeyType::Symmetric(key) =\u003e key.thumbprint_prehashed(),\n            JsonWebKeyType::Asymmetric(key) =\u003e key.thumbprint_prehashed(),\n        }\n    }\n}\n\nimpl JsonWebKeyType {\n    pub(self) fn compatible_with(\u0026self, alg: \u0026JsonWebAlgorithm) -\u003e bool {\n        use JsonWebAlgorithm::*;\n        use JsonWebKeyType::*;\n\n        // it is unreadable with the matches! macro and there's no benefit\n        #[allow(clippy::match_like_matches_macro)]\n        match (self, alg) {\n            (\n                Symmetric(SymmetricJsonWebKey::OctetSequence(key)),\n                Signing(JsonWebSigningAlgorithm::Hmac(hmac)),\n            ) =\u003e match (hmac, key.len()) {\n                (Hmac::Hs256, hmac::Hs256::OUTPUT_SIZE_BYTES..)\n                | (Hmac::Hs384, hmac::Hs384::OUTPUT_SIZE_BYTES..)\n                | (Hmac::Hs512, hmac::Hs512::OUTPUT_SIZE_BYTES..) =\u003e true,\n                _ =\u003e false,\n            },\n            (\n                Symmetric(SymmetricJsonWebKey::OctetSequence(key)),\n                Encryption(JsonWebEncryptionAlgorithm::AesKw(aes)),\n            ) =\u003e matches!(\n                (aes, key.len()),\n                (AesKw::Aes128, 16) | (AesKw::Aes192, 24) | (AesKw::Aes256, 32)\n            ),\n            (\n                Symmetric(SymmetricJsonWebKey::OctetSequence(key)),\n                Encryption(JsonWebEncryptionAlgorithm::AesGcmKw(aes)),\n            ) =\u003e matches!(\n                (aes, key.len()),\n                (AesGcm::Aes128, 16) | (AesGcm::Aes192, 24) | (AesGcm::Aes256, 32)\n            ),\n            (\n                Symmetric(SymmetricJsonWebKey::OctetSequence(key)),\n                Encryption(JsonWebEncryptionAlgorithm::Pbes2(pbes2)),\n            ) =\u003e matches!(\n                (pbes2, key.len()),\n                (Pbes2::Hs256Aes128, 16) | (Pbes2::Hs384Aes192, 24) | (Pbes2::Hs512Aes256, 32)\n            ),\n            (\n                Symmetric(SymmetricJsonWebKey::OctetSequence(..)),\n                Encryption(JsonWebEncryptionAlgorithm::Direct),\n            ) =\u003e true,\n            (Asymmetric(key), alg) =\u003e match (\u0026**key, alg) {\n                (\n                    AsymmetricJsonWebKey::Public(Public::Ec(..))\n                    | AsymmetricJsonWebKey::Private(Private::Ec(..)),\n                    Encryption(JsonWebEncryptionAlgorithm::EcDhES(..)),\n                )\n                | (\n                    AsymmetricJsonWebKey::Public(Public::Ec(EcPublic::P256(..)))\n                    | AsymmetricJsonWebKey::Private(Private::Ec(EcPrivate::P256(..))),\n                    Signing(JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256)),\n                )\n                | (\n                    AsymmetricJsonWebKey::Public(Public::Ec(EcPublic::P384(..)))\n                    | AsymmetricJsonWebKey::Private(Private::Ec(EcPrivate::P384(..))),\n                    Signing(JsonWebSigningAlgorithm::EcDSA(EcDSA::Es384)),\n                )\n                | (\n                    AsymmetricJsonWebKey::Public(Public::Ec(EcPublic::Secp256k1(..)))\n                    | AsymmetricJsonWebKey::Private(Private::Ec(EcPrivate::Secp256k1(..))),\n                    Signing(JsonWebSigningAlgorithm::EcDSA(EcDSA::Es256K)),\n                )\n                | (\n                    AsymmetricJsonWebKey::Public(Public::Okp(\n                        OkpPublic::Ed25519(..) | OkpPublic::Ed448(..),\n                    ))\n                    | AsymmetricJsonWebKey::Private(Private::Okp(\n                        OkpPrivate::Ed25519(..) | OkpPrivate::Ed448(..),\n                    )),\n                    Signing(JsonWebSigningAlgorithm::EdDSA),\n                    // FIXME: look how encryption is handled and which algorithm is used\n                    //| Encryption(JsonWebEncryptionAlgorithm::EcDhES(..)),\n                )\n                | (\n                    AsymmetricJsonWebKey::Public(Public::Rsa(..))\n                    | AsymmetricJsonWebKey::Private(Private::Rsa(..)),\n                    Signing(JsonWebSigningAlgorithm::Rsa(..))\n                    | Encryption(JsonWebEncryptionAlgorithm::Rsa1_5)\n                    | Encryption(JsonWebEncryptionAlgorithm::RsaesOaep(..)),\n                ) =\u003e true,\n                _ =\u003e false,\n            },\n            _ =\u003e false,\n        }\n    }\n}\n\n/// A trait for a [`Signer`](crate::jws::Signer) or\n/// [`Verifier`](crate::jws::Verifier) to implement if it can be created from\n/// key material as long as the algorithm is known\npub trait FromKey\u003cK\u003e: Sized {\n    /// The error returned if the conversion failed\n    type Error;\n\n    /// Turn `K` into this [`Signer`](crate::jws::Signer) or\n    /// [`Verifier`](crate::jws::Verifier).\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the conversion failed\n    fn from_key(value: K, alg: JsonWebAlgorithm) -\u003e Result\u003cSelf, Self::Error\u003e;\n}\n\n/// A trait for different key types to implement if they can be converted into a\n/// [`JsonWebKey`].\n///\n/// This trait, and deserialization, is the only public way of creating a\n/// [`JsonWebKey`].\npub trait IntoJsonWebKey: Sealed {\n    /// One key type may be used for multiple [`JsonWebAlgorithm`]s.\n    ///\n    /// This algorithm can be specified using this type.\n    type Algorithm;\n\n    /// The error that can occurr when converting this key into a JWK.\n    type Error;\n\n    /// Turns this key mateiral into a [`JsonWebKey`] for the given algorithm.\n    ///\n    /// If the given argument is `None`, the `alg` header field of the resulting\n    /// JWK will be None.\n    ///\n    /// # Errors\n    ///\n    /// Returns an [`Err`] if the conversion fails.\n    fn into_jwk(self, alg: Option\u003cimpl Into\u003cSelf::Algorithm\u003e\u003e) -\u003e Result\u003cJsonWebKey, Self::Error\u003e;\n}\n\n/// Hash implementation for all types that implement `Thumbprint` trait\nmod hash_impl {\n    use core::hash::{Hash, Hasher};\n\n    use super::{symmetric::OctetSequence, JsonWebKey};\n    use crate::crypto::{ec, okp, rsa};\n\n    impl_thumbprint_hash_trait!(ec::P256PublicKey, ec::P256PrivateKey);\n    impl_thumbprint_hash_trait!(ec::P384PublicKey, ec::P384PrivateKey);\n    impl_thumbprint_hash_trait!(ec::P521PublicKey, ec::P521PrivateKey);\n    impl_thumbprint_hash_trait!(ec::Secp256k1PublicKey, ec::Secp256k1PrivateKey);\n    impl_thumbprint_hash_trait!(okp::Ed25519PublicKey, okp::Ed25519PrivateKey);\n    impl_thumbprint_hash_trait!(okp::Ed448PublicKey, okp::Ed448PrivateKey);\n    impl_thumbprint_hash_trait!(rsa::PublicKey, rsa::PrivateKey);\n    impl_thumbprint_hash_trait!(OctetSequence);\n\n    /// The [`Hash`] implementation of [`JsonWebKey`] uses the [`Hash`]\n    /// implementation of the underlying\n    /// [`JsonWebKeyType`](super::JsonWebKeyType).\n    ///\n    /// **Note**: [`Hash`] and [`Thumbprint`](super::Thumbprint) are used\n    /// differently. A [`Thumbprint`](super::Thumbprint) does does distinguish\n    /// between a private and a public key. But the [`Hash`] implementation of\n    /// all [`JsonWebKey`]s does, because otherwise two different versions of\n    /// [`JsonWebKey`] with different capabilities would have the same hash.\n    impl Hash for JsonWebKey {\n        fn hash\u003cH: Hasher\u003e(\u0026self, state: \u0026mut H) {\n            self.key_type.hash(state);\n        }\n    }\n\n    #[test]\n    fn smoke() {\n        use crate::{jwk::Thumbprint, JsonWebKey};\n\n        #[allow(unused_extern_crates)]\n        extern crate std;\n\n        // This is a serialized asymmetric key. The private key part is stored in\n        // the `d` parameter\n        let serialized_private_key = r#\"\n{\n    \"crv\": \"P-256\",\n    \"kty\": \"EC\",\n     \"x\": \"1uiXGPoQ3eLR3VOsCfnx1YzIJZGUQLbVfbl1CpCHcs0\",\n     \"y\": \"danaoyQqKi48vlB2jnCoFmq3PdIbYwIRJyNKWiindZM\",\n     \"d\": \"eLGzm5zd242okyN9SQBvmaC_4EPvASCgMhFgwtBvf3k\",\n     \"alg\": \"ES256\"\n}\n\"#;\n        let private_key: JsonWebKey =\n            serde_json::from_str(serialized_private_key).expect(\"valid key\");\n\n        let expected_prehash = r#\"{\"crv\":\"P-256\",\"kty\":\"EC\",\"x\":\"1uiXGPoQ3eLR3VOsCfnx1YzIJZGUQLbVfbl1CpCHcs0\",\"y\":\"danaoyQqKi48vlB2jnCoFmq3PdIbYwIRJyNKWiindZM\"}\"#;\n        assert_eq!(private_key.thumbprint_prehashed(), expected_prehash);\n\n        let mut hasher = std::hash::DefaultHasher::default();\n        private_key.hash(\u0026mut hasher);\n        let hash_private = hasher.finish();\n\n        let serialized_public_key = r#\"\n{\n    \"crv\": \"P-256\",\n    \"kty\": \"EC\",\n     \"x\": \"1uiXGPoQ3eLR3VOsCfnx1YzIJZGUQLbVfbl1CpCHcs0\",\n     \"y\": \"danaoyQqKi48vlB2jnCoFmq3PdIbYwIRJyNKWiindZM\",\n     \"alg\": \"ES256\"\n}\n\"#;\n\n        let public_key: JsonWebKey = serde_json::from_str(serialized_public_key).unwrap();\n        let mut hasher = std::hash::DefaultHasher::default();\n        public_key.hash(\u0026mut hasher);\n        let hash_public = hasher.finish();\n        assert_ne!(hash_private, hash_public);\n    }\n}\n","traces":[{"line":259,"address":[],"length":0,"stats":{"Line":0}},{"line":270,"address":[],"length":0,"stats":{"Line":0}},{"line":273,"address":[],"length":0,"stats":{"Line":0}},{"line":280,"address":[],"length":0,"stats":{"Line":21}},{"line":281,"address":[],"length":0,"stats":{"Line":21}},{"line":287,"address":[],"length":0,"stats":{"Line":21}},{"line":289,"address":[],"length":0,"stats":{"Line":21}},{"line":290,"address":[],"length":0,"stats":{"Line":21}},{"line":291,"address":[],"length":0,"stats":{"Line":21}},{"line":292,"address":[],"length":0,"stats":{"Line":21}},{"line":293,"address":[],"length":0,"stats":{"Line":21}},{"line":294,"address":[],"length":0,"stats":{"Line":21}},{"line":295,"address":[],"length":0,"stats":{"Line":21}},{"line":296,"address":[],"length":0,"stats":{"Line":21}},{"line":297,"address":[],"length":0,"stats":{"Line":21}},{"line":298,"address":[],"length":0,"stats":{"Line":21}},{"line":309,"address":[],"length":0,"stats":{"Line":214}},{"line":310,"address":[],"length":0,"stats":{"Line":214}},{"line":318,"address":[],"length":0,"stats":{"Line":8}},{"line":319,"address":[],"length":0,"stats":{"Line":8}},{"line":329,"address":[],"length":0,"stats":{"Line":3}},{"line":330,"address":[],"length":0,"stats":{"Line":3}},{"line":338,"address":[],"length":0,"stats":{"Line":14}},{"line":339,"address":[],"length":0,"stats":{"Line":14}},{"line":345,"address":[],"length":0,"stats":{"Line":0}},{"line":346,"address":[],"length":0,"stats":{"Line":0}},{"line":352,"address":[],"length":0,"stats":{"Line":0}},{"line":353,"address":[],"length":0,"stats":{"Line":0}},{"line":370,"address":[],"length":0,"stats":{"Line":0}},{"line":371,"address":[],"length":0,"stats":{"Line":0}},{"line":392,"address":[],"length":0,"stats":{"Line":2}},{"line":393,"address":[],"length":0,"stats":{"Line":2}},{"line":402,"address":[],"length":0,"stats":{"Line":2}},{"line":403,"address":[],"length":0,"stats":{"Line":2}},{"line":410,"address":[],"length":0,"stats":{"Line":5}},{"line":411,"address":[],"length":0,"stats":{"Line":5}},{"line":416,"address":[],"length":0,"stats":{"Line":17}},{"line":417,"address":[],"length":0,"stats":{"Line":33}},{"line":422,"address":[],"length":0,"stats":{"Line":16}},{"line":423,"address":[],"length":0,"stats":{"Line":16}},{"line":432,"address":[],"length":0,"stats":{"Line":17}},{"line":433,"address":[],"length":0,"stats":{"Line":17}},{"line":434,"address":[],"length":0,"stats":{"Line":1}},{"line":435,"address":[],"length":0,"stats":{"Line":16}},{"line":436,"address":[],"length":0,"stats":{"Line":8}},{"line":437,"address":[],"length":0,"stats":{"Line":8}},{"line":450,"address":[],"length":0,"stats":{"Line":18}},{"line":451,"address":[],"length":0,"stats":{"Line":35}},{"line":452,"address":[],"length":0,"stats":{"Line":1}},{"line":453,"address":[],"length":0,"stats":{"Line":17}},{"line":456,"address":[],"length":0,"stats":{"Line":9}},{"line":458,"address":[],"length":0,"stats":{"Line":8}},{"line":459,"address":[],"length":0,"stats":{"Line":2}},{"line":460,"address":[],"length":0,"stats":{"Line":4}},{"line":461,"address":[],"length":0,"stats":{"Line":1}},{"line":462,"address":[],"length":0,"stats":{"Line":1}},{"line":465,"address":[],"length":0,"stats":{"Line":2}},{"line":466,"address":[],"length":0,"stats":{"Line":2}},{"line":469,"address":[],"length":0,"stats":{"Line":2}},{"line":471,"address":[],"length":0,"stats":{"Line":5}},{"line":472,"address":[],"length":0,"stats":{"Line":10}},{"line":473,"address":[],"length":0,"stats":{"Line":2}},{"line":474,"address":[],"length":0,"stats":{"Line":1}},{"line":475,"address":[],"length":0,"stats":{"Line":1}},{"line":476,"address":[],"length":0,"stats":{"Line":1}},{"line":479,"address":[],"length":0,"stats":{"Line":5}},{"line":480,"address":[],"length":0,"stats":{"Line":5}},{"line":483,"address":[],"length":0,"stats":{"Line":5}},{"line":485,"address":[],"length":0,"stats":{"Line":2}},{"line":486,"address":[],"length":0,"stats":{"Line":2}},{"line":488,"address":[],"length":0,"stats":{"Line":2}},{"line":489,"address":[],"length":0,"stats":{"Line":2}},{"line":491,"address":[],"length":0,"stats":{"Line":2}},{"line":505,"address":[],"length":0,"stats":{"Line":18}},{"line":506,"address":[],"length":0,"stats":{"Line":18}},{"line":508,"address":[],"length":0,"stats":{"Line":1}},{"line":509,"address":[],"length":0,"stats":{"Line":26}},{"line":511,"address":[],"length":0,"stats":{"Line":8}},{"line":512,"address":[],"length":0,"stats":{"Line":2}},{"line":513,"address":[],"length":0,"stats":{"Line":4}},{"line":514,"address":[],"length":0,"stats":{"Line":1}},{"line":515,"address":[],"length":0,"stats":{"Line":1}},{"line":518,"address":[],"length":0,"stats":{"Line":2}},{"line":519,"address":[],"length":0,"stats":{"Line":2}},{"line":522,"address":[],"length":0,"stats":{"Line":2}},{"line":524,"address":[],"length":0,"stats":{"Line":5}},{"line":525,"address":[],"length":0,"stats":{"Line":10}},{"line":526,"address":[],"length":0,"stats":{"Line":2}},{"line":527,"address":[],"length":0,"stats":{"Line":1}},{"line":528,"address":[],"length":0,"stats":{"Line":1}},{"line":529,"address":[],"length":0,"stats":{"Line":1}},{"line":532,"address":[],"length":0,"stats":{"Line":5}},{"line":533,"address":[],"length":0,"stats":{"Line":5}},{"line":536,"address":[],"length":0,"stats":{"Line":5}},{"line":538,"address":[],"length":0,"stats":{"Line":2}},{"line":539,"address":[],"length":0,"stats":{"Line":2}},{"line":541,"address":[],"length":0,"stats":{"Line":2}},{"line":542,"address":[],"length":0,"stats":{"Line":2}},{"line":544,"address":[],"length":0,"stats":{"Line":2}},{"line":559,"address":[],"length":0,"stats":{"Line":1}},{"line":562,"address":[],"length":0,"stats":{"Line":2}},{"line":563,"address":[],"length":0,"stats":{"Line":1}},{"line":565,"address":[],"length":0,"stats":{"Line":0}},{"line":566,"address":[],"length":0,"stats":{"Line":0}},{"line":567,"address":[],"length":0,"stats":{"Line":0}},{"line":568,"address":[],"length":0,"stats":{"Line":0}},{"line":569,"address":[],"length":0,"stats":{"Line":0}},{"line":570,"address":[],"length":0,"stats":{"Line":0}},{"line":571,"address":[],"length":0,"stats":{"Line":0}},{"line":572,"address":[],"length":0,"stats":{"Line":0}},{"line":573,"address":[],"length":0,"stats":{"Line":0}},{"line":574,"address":[],"length":0,"stats":{"Line":0}},{"line":575,"address":[],"length":0,"stats":{"Line":0}},{"line":587,"address":[],"length":0,"stats":{"Line":1}},{"line":590,"address":[],"length":0,"stats":{"Line":2}},{"line":592,"address":[],"length":0,"stats":{"Line":0}},{"line":593,"address":[],"length":0,"stats":{"Line":0}},{"line":594,"address":[],"length":0,"stats":{"Line":0}},{"line":595,"address":[],"length":0,"stats":{"Line":0}},{"line":596,"address":[],"length":0,"stats":{"Line":0}},{"line":597,"address":[],"length":0,"stats":{"Line":0}},{"line":598,"address":[],"length":0,"stats":{"Line":0}},{"line":599,"address":[],"length":0,"stats":{"Line":0}},{"line":600,"address":[],"length":0,"stats":{"Line":0}},{"line":601,"address":[],"length":0,"stats":{"Line":0}},{"line":602,"address":[],"length":0,"stats":{"Line":0}},{"line":611,"address":[],"length":0,"stats":{"Line":1}},{"line":612,"address":[],"length":0,"stats":{"Line":2}},{"line":613,"address":[],"length":0,"stats":{"Line":0}},{"line":614,"address":[],"length":0,"stats":{"Line":0}},{"line":617,"address":[],"length":0,"stats":{"Line":2}},{"line":618,"address":[],"length":0,"stats":{"Line":0}},{"line":619,"address":[],"length":0,"stats":{"Line":0}},{"line":620,"address":[],"length":0,"stats":{"Line":0}},{"line":622,"address":[],"length":0,"stats":{"Line":0}},{"line":623,"address":[],"length":0,"stats":{"Line":1}},{"line":625,"address":[],"length":0,"stats":{"Line":0}},{"line":626,"address":[],"length":0,"stats":{"Line":0}},{"line":629,"address":[],"length":0,"stats":{"Line":0}},{"line":631,"address":[],"length":0,"stats":{"Line":2}},{"line":635,"address":[],"length":0,"stats":{"Line":1}},{"line":636,"address":[],"length":0,"stats":{"Line":1}},{"line":637,"address":[],"length":0,"stats":{"Line":1}},{"line":638,"address":[],"length":0,"stats":{"Line":0}},{"line":641,"address":[],"length":0,"stats":{"Line":1}},{"line":642,"address":[],"length":0,"stats":{"Line":0}},{"line":643,"address":[],"length":0,"stats":{"Line":0}},{"line":644,"address":[],"length":0,"stats":{"Line":0}},{"line":654,"address":[],"length":0,"stats":{"Line":0}},{"line":660,"address":[],"length":0,"stats":{"Line":1}},{"line":666,"address":[],"length":0,"stats":{"Line":0}},{"line":667,"address":[],"length":0,"stats":{"Line":0}},{"line":668,"address":[],"length":0,"stats":{"Line":0}},{"line":669,"address":[],"length":0,"stats":{"Line":0}},{"line":672,"address":[],"length":0,"stats":{"Line":0}},{"line":673,"address":[],"length":0,"stats":{"Line":0}},{"line":674,"address":[],"length":0,"stats":{"Line":0}},{"line":675,"address":[],"length":0,"stats":{"Line":0}},{"line":677,"address":[],"length":0,"stats":{"Line":0}},{"line":684,"address":[],"length":0,"stats":{"Line":1}},{"line":685,"address":[],"length":0,"stats":{"Line":0}},{"line":686,"address":[],"length":0,"stats":{"Line":0}},{"line":690,"address":[],"length":0,"stats":{"Line":1}},{"line":691,"address":[],"length":0,"stats":{"Line":0}},{"line":692,"address":[],"length":0,"stats":{"Line":0}},{"line":693,"address":[],"length":0,"stats":{"Line":0}},{"line":694,"address":[],"length":0,"stats":{"Line":0}},{"line":696,"address":[],"length":0,"stats":{"Line":0}},{"line":698,"address":[],"length":0,"stats":{"Line":1}},{"line":699,"address":[],"length":0,"stats":{"Line":1}},{"line":700,"address":[],"length":0,"stats":{"Line":1}},{"line":708,"address":[],"length":0,"stats":{"Line":64}},{"line":709,"address":[],"length":0,"stats":{"Line":64}},{"line":730,"address":[],"length":0,"stats":{"Line":64}},{"line":731,"address":[],"length":0,"stats":{"Line":64}},{"line":732,"address":[],"length":0,"stats":{"Line":6}},{"line":733,"address":[],"length":0,"stats":{"Line":58}},{"line":739,"address":[],"length":0,"stats":{"Line":42}},{"line":745,"address":[],"length":0,"stats":{"Line":42}},{"line":747,"address":[],"length":0,"stats":{"Line":0}},{"line":748,"address":[],"length":0,"stats":{"Line":0}},{"line":749,"address":[],"length":0,"stats":{"Line":0}},{"line":750,"address":[],"length":0,"stats":{"Line":0}},{"line":751,"address":[],"length":0,"stats":{"Line":0}},{"line":752,"address":[],"length":0,"stats":{"Line":0}},{"line":753,"address":[],"length":0,"stats":{"Line":0}},{"line":756,"address":[],"length":0,"stats":{"Line":0}},{"line":757,"address":[],"length":0,"stats":{"Line":0}},{"line":758,"address":[],"length":0,"stats":{"Line":0}},{"line":759,"address":[],"length":0,"stats":{"Line":0}},{"line":763,"address":[],"length":0,"stats":{"Line":0}},{"line":764,"address":[],"length":0,"stats":{"Line":0}},{"line":765,"address":[],"length":0,"stats":{"Line":0}},{"line":766,"address":[],"length":0,"stats":{"Line":0}},{"line":770,"address":[],"length":0,"stats":{"Line":0}},{"line":771,"address":[],"length":0,"stats":{"Line":0}},{"line":772,"address":[],"length":0,"stats":{"Line":0}},{"line":773,"address":[],"length":0,"stats":{"Line":0}},{"line":779,"address":[],"length":0,"stats":{"Line":0}},{"line":780,"address":[],"length":0,"stats":{"Line":38}},{"line":818,"address":[],"length":0,"stats":{"Line":0}},{"line":819,"address":[],"length":0,"stats":{"Line":38}},{"line":821,"address":[],"length":0,"stats":{"Line":4}},{"line":893,"address":[],"length":0,"stats":{"Line":2}},{"line":894,"address":[],"length":0,"stats":{"Line":2}}],"covered":123,"coverable":205},{"path":["/","home","stu","dev","rust","jose","src","jws","builder.rs"],"content":"use crate::{\n    format::Format,\n    header::{self, HeaderValue, JoseHeaderBuilder, JoseHeaderBuilderError},\n    jwa::JsonWebSigningAlgorithm,\n    JoseHeader, JsonWebSignature,\n};\n\n/// Builds a [`JsonWebSignature`] with custom header parameters.\n#[derive(Debug)]\npub struct JsonWebSignatureBuilder\u003cF: Format\u003e {\n    header: Option\u003cResult\u003cF::JwsHeader, JoseHeaderBuilderError\u003e\u003e,\n}\n\nimpl\u003cF: Format\u003e JsonWebSignatureBuilder\u003cF\u003e {\n    pub(super) fn new() -\u003e Self {\n        Self { header: None }\n    }\n\n    /// Configures the custom header for this [`JsonWebSignature`].\n    ///\n    /// For [`Compact`](crate::format::Compact) and\n    /// [`JsonFlattened`](crate::format::JsonFlattened) format, this method\n    /// will set the single protected, and unprotected header if JSON flattened,\n    /// header.\n    ///\n    /// ## Support for empty protected headers\n    ///\n    /// The [JWS RFC] allows for the protected header to be empty, and instead\n    /// supply all necessary parameters in the unprotected header. By\n    /// default, the `jose` crate will overwrite the `alg` field (and\n    /// optionally `kid` field) in the protected header, with the signing\n    /// algorithm used in the signing operation.\n    /// To achieve that the `alg` field is set on the unprotected header, one\n    /// must set the `alg`\n    /// field to `HeaderValue::Protected(JsonWebSigningAlgorithm::None)`\n    /// manually.\n    ///\n    /// However, you must note, that this feature is not supported for the\n    /// [`Compact`](crate::format::Compact) format, becuase that format can only\n    /// have a protected header.\n    ///\n    /// ```\n    /// # use jose::{format::*, jws::*, header::HeaderValue, jwa::*};\n    /// # fn main() {\n    /// let jws = JsonWebSignature::\u003cJsonFlattened, _\u003e::builder()\n    ///     .header(|b| b.algorithm(HeaderValue::Unprotected(JsonWebSigningAlgorithm::None)))\n    ///     .build(())\n    ///     .unwrap();\n    /// # }\n    /// ```\n    ///\n    /// [JWS RFC]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515\u003e\n    pub fn header\u003c\n        CB: FnOnce(JoseHeaderBuilder\u003cF, header::Jws\u003e) -\u003e JoseHeaderBuilder\u003cF, header::Jws\u003e,\n    \u003e(\n        mut self,\n        callback: CB,\n    ) -\u003e Self {\n        let mut header = match self.header {\n            Some(Ok(hdr)) =\u003e Ok(hdr),\n\n            // when there was an error setting the previous header,\n            // do not overwrite the header value, because we want\n            // to keep the error and report it in the `build` method\n            Some(Err(_)) =\u003e return self,\n\n            // this `Err` value is just used as a placeholder to be replaced\n            None =\u003e Err(JoseHeaderBuilderError::MissingAlgorithm),\n        };\n\n        let builder = JoseHeader::\u003cF, header::Jws\u003e::builder()\n            .algorithm(HeaderValue::Protected(JsonWebSigningAlgorithm::None));\n        let builder = callback(builder);\n\n        F::finalize_jws_header_builder(\u0026mut header, builder);\n        self.header = Some(header);\n\n        self\n    }\n\n    /// Finalizes this builder and returns the creates [`JsonWebSignature`].\n    ///\n    /// # Errors\n    ///\n    /// Fails if the supplied header parameters were invalid.\n    pub fn build\u003cT\u003e(self, payload: T) -\u003e Result\u003cJsonWebSignature\u003cF, T\u003e, JoseHeaderBuilderError\u003e {\n        let header = match self.header {\n            Some(hdr) =\u003e hdr?,\n            None =\u003e {\n                let default_header = JoseHeader::\u003cF, header::Jws\u003e::builder()\n                    .algorithm(HeaderValue::Protected(JsonWebSigningAlgorithm::None));\n\n                let mut header = Err(JoseHeaderBuilderError::MissingAlgorithm);\n                F::finalize_jws_header_builder(\u0026mut header, default_header);\n                header?\n            }\n        };\n\n        Ok(JsonWebSignature::new(header, payload))\n    }\n}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":0}},{"line":60,"address":[],"length":0,"stats":{"Line":0}},{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":71,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":0}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":76,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":0}},{"line":86,"address":[],"length":0,"stats":{"Line":0}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":90,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":94,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":0}},{"line":99,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":22},{"path":["/","home","stu","dev","rust","jose","src","jws","sign.rs"],"content":"use core::fmt;\n\nuse crate::{\n    crypto,\n    format::Format,\n    jwa::{JsonWebAlgorithm, JsonWebSigningAlgorithm},\n    jwk::FromKey,\n};\n\n/// This type indicates that the inner value is signed using a [signing\n/// algorithm].\n///\n/// # Generic Arguments\n///\n/// - `T` is the inner type that is signed\n/// - `S` is the signature\n///\n/// [signing algorithm]: crate::jwa::JsonWebSigningAlgorithm\n#[derive(Debug, PartialEq, Eq, Hash)]\npub struct Signed\u003cF\u003e {\n    pub(crate) value: F,\n}\n\nimpl\u003cF: Format\u003e fmt::Display for Signed\u003cF\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt::Display::fmt(\u0026self.value, f)\n    }\n}\n\nimpl\u003cF: Format\u003e Signed\u003cF\u003e {\n    /// Encodes this signed value into the format of the signed JWS.\n    #[inline]\n    pub fn encode(self) -\u003e F {\n        self.value\n    }\n}\n\n/// This trait represents anything that can be used to sign a JWS, JWE, or\n/// whatever.\n///\n/// A message is signed by just passing the raw bytes that should be signed.\n///\n/// To be able to be used as a [`Signer`], one must provide the sign operation\n/// itself, and also needs to [specify the algorithm] used for signing. The\n/// algorithm will be used as the value for the `alg` field inside the\n/// [`JoseHeader`](crate::header::JoseHeader) for the signed type.\n///\n/// [specify the algorithm]: Signer::algorithm\npub trait Signer\u003cS: AsRef\u003c[u8]\u003e\u003e {\n    /// Signs a raw byte message using this signer, returning a signature.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the signing operation fails.\n    /// An error usually only appears when communicating with external signers.\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cS, crypto::Error\u003e;\n\n    /// Return the type of signing algorithm used by this signer.\n    fn algorithm(\u0026self) -\u003e JsonWebSigningAlgorithm;\n\n    /// JsonWebSignatures *can* contain a key id which is specified\n    /// by this method.\n    fn key_id(\u0026self) -\u003e Option\u003c\u0026str\u003e {\n        None\n    }\n\n    /// Returns a new [`Signer`] that wraps `self`, but returns `None` when\n    /// calling the `key_id` method.\n    fn without_key_id(self) -\u003e SignerWithoutKeyId\u003cSelf\u003e\n    where\n        Self: Sized,\n    {\n        SignerWithoutKeyId { inner: self }\n    }\n}\n\n/// Wrapper type around an existing [`Signer`] that will always return `None`\n/// for the key id.\n///\n/// This is useful if you parse a JWK, which has a Key ID, but you do not want\n/// to add this ID to the header in a JWS.\n#[derive(Debug, Clone)]\npub struct SignerWithoutKeyId\u003cS\u003e {\n    inner: S,\n}\n\nimpl\u003cSIG: AsRef\u003c[u8]\u003e, S: Signer\u003cSIG\u003e\u003e Signer\u003cSIG\u003e for SignerWithoutKeyId\u003cS\u003e {\n    fn sign(\u0026mut self, msg: \u0026[u8]) -\u003e Result\u003cSIG, crypto::Error\u003e {\n        S::sign(\u0026mut self.inner, msg)\n    }\n\n    fn algorithm(\u0026self) -\u003e JsonWebSigningAlgorithm {\n        S::algorithm(\u0026self.inner)\n    }\n\n    fn key_id(\u0026self) -\u003e Option\u003c\u0026str\u003e {\n        None\n    }\n}\n\n/// An error returned if something expected a different\n/// [`JsonWebAlgorithm`]\n#[derive(Debug, thiserror::Error, PartialEq, Eq)]\n#[error(\"Invalid algorithm\")]\npub struct InvalidSigningAlgorithmError;\n\n/// A trait to turn something into a [`Signer`].\n///\n/// Some key types like the [`Rsa`](crate::crypto::rsa::PrivateKey) key type\n/// need to know which [algorithm](JsonWebSigningAlgorithm) to use.\npub trait IntoSigner\u003cT, S\u003e\nwhere\n    T: Signer\u003cS\u003e,\n    S: AsRef\u003c[u8]\u003e,\n{\n    /// The error returned if the conversion failed\n    type Error;\n\n    /// Turn `self` into the [`Signer`] `T`\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the conversion failed\n    fn into_signer(self, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cT, Self::Error\u003e;\n}\n\nimpl\u003cK, T, S\u003e IntoSigner\u003cT, S\u003e for K\nwhere\n    T: FromKey\u003cK\u003e + Signer\u003cS\u003e,\n    S: AsRef\u003c[u8]\u003e,\n{\n    type Error = \u003cT as FromKey\u003cK\u003e\u003e::Error;\n\n    fn into_signer(self, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cT, Self::Error\u003e {\n        T::from_key(self, JsonWebAlgorithm::Signing(alg))\n    }\n}\n","traces":[{"line":25,"address":[],"length":0,"stats":{"Line":0}},{"line":26,"address":[],"length":0,"stats":{"Line":0}},{"line":33,"address":[],"length":0,"stats":{"Line":0}},{"line":34,"address":[],"length":0,"stats":{"Line":0}},{"line":63,"address":[],"length":0,"stats":{"Line":0}},{"line":64,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":96,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":134,"address":[],"length":0,"stats":{"Line":0}},{"line":135,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":15},{"path":["/","home","stu","dev","rust","jose","src","jws","verify.rs"],"content":"use alloc::vec::Vec;\nuse core::ops::{Deref, DerefMut};\n\nuse thiserror::Error;\n\nuse super::JsonWebSignature;\nuse crate::{\n    crypto,\n    format::{DecodeFormat, DecodeFormatWithContext, Format, JsonGeneral},\n    jwa::{JsonWebAlgorithm, JsonWebSigningAlgorithm},\n    jwk::FromKey,\n};\n\n/// The error indicating if either the signature is invalid, or if the\n/// cyptographic operation failed.\n#[derive(Debug, Error)]\npub enum VerifyError {\n    /// The signature is invalid.\n    #[error(\"signature is invalid\")]\n    InvalidSignature,\n\n    /// The crypto backend threw an error.\n    #[error(\"crypto backend error\")]\n    CryptoBackend(\n        #[from]\n        #[source]\n        crypto::Error,\n    ),\n}\n\n/// This trait represents anything that can be used to verify a JWS, JWE, or\n/// whatever.\npub trait Verifier {\n    /// The `verify` operation.\n    ///\n    /// If the message is valid, returns `Ok(())`.\n    ///\n    /// # Errors\n    ///\n    /// Returns [`VerifyError`] if anything went wrong during signature\n    /// verification or if the signature is just invalid.\n    fn verify(\u0026mut self, msg: \u0026[u8], signature: \u0026[u8]) -\u003e Result\u003c(), VerifyError\u003e;\n}\n\n/// This wrapper type represents a [JWS](crate::JsonWebSignature) that was\n/// parsed from user input, but the data integrity was not verified, thus it\n/// might contain corrupted or malicious data.\n///\n/// An [`Unverified`] struct can be verified using the [`verify`](Self::verify)\n/// method.\n#[derive(Debug)]\npub struct Unverified\u003cT\u003e {\n    pub(crate) value: T,\n    pub(crate) signature: Vec\u003cu8\u003e,\n    pub(crate) msg: Vec\u003cu8\u003e,\n}\n\nimpl\u003cT\u003e Unverified\u003cT\u003e {\n    /// Parse the input format to an unverified representation of `T`.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the input format has an invalid representation for\n    /// the `T` type.\n    pub fn decode\u003cF: Format\u003e(input: F) -\u003e Result\u003cSelf, T::Error\u003e\n    where\n        T: DecodeFormat\u003cF, Decoded\u003cT\u003e = Unverified\u003cT\u003e\u003e,\n    {\n        T::decode(input)\n    }\n\n    /// Parse the input format to an unverified representation of `T`, with the\n    /// given context.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the input format has an invalid representation for\n    /// the `T` type.\n    pub fn decode_with_context\u003cF: Format, C\u003e(input: F, context: \u0026C) -\u003e Result\u003cSelf, T::Error\u003e\n    where\n        T: DecodeFormatWithContext\u003cF, C, Decoded\u003cT\u003e = Unverified\u003cT\u003e\u003e,\n    {\n        T::decode_with_context(input, context)\n    }\n\n    /// Verify this struct using the given verifier, returning a [`Verified`]\n    /// representation of the inner type.\n    ///\n    /// # Errors\n    ///\n    /// Returns [`VerifyError`] if anything went wrong during signature\n    /// verification or if the signature is just invalid.\n    pub fn verify(self, verifier: \u0026mut dyn Verifier) -\u003e Result\u003cVerified\u003cT\u003e, VerifyError\u003e {\n        verifier.verify(\u0026self.msg, \u0026self.signature)?;\n        Ok(Verified(self.value))\n    }\n}\n\nimpl\u003cT, F\u003e Unverified\u003cJsonWebSignature\u003cF, T\u003e\u003e\nwhere\n    F: Format,\n{\n    /// Exposes the **unverified** [`JoseHeader`](crate::JoseHeader) of this\n    /// [`JsonWebSignature`]\n    ///\n    /// You usually **should not use this method**. Instead, verify the\n    /// [`JsonWebSignature`] and potentially protected headers first, to avoid\n    /// creating security vulnerabilities.\n    ///\n    /// # When to use\n    ///\n    /// One use case is to determine which key was used to create this signature\n    /// in the first place. For example, consider you have a list of public\n    /// keys used by the same party. If you were not able to peek inside to\n    /// get a hint of the key used, for example via\n    /// [`JoseHeader::key_identifier`](crate::JoseHeader::key_identifier), you\n    /// would have to try each key until either a signature is valid or\n    /// there are no keys left.\n    ///\n    /// However, note that, since the header is not verified yet, an attacker\n    /// can spoof the key hint. For example, you MUST still make sure that the\n    /// key in the hint is actually established and does not belong to some\n    /// other party which might still be in your list of keys but is unrelated.\n    ///\n    /// # Security\n    ///\n    /// Every security garantee given by this crate is broken for the returned\n    /// [`JoseHeader`](crate::JoseHeader), including\n    /// [`HeaderValue::Protected`](crate::header::HeaderValue). Thus, you should\n    /// use this method only within isolated code regions.\n    pub fn expose_unverified_header(\u0026self) -\u003e \u0026F::JwsHeader {\n        \u0026self.value.header\n    }\n\n    /// Exposes the **unverified** [`payload`](JsonWebSignature::payload) of\n    /// this [`JsonWebSignature`]\n    ///\n    /// You **should never have the need to use this method**. If you have\n    /// information in the payload that you need in order to verify the\n    /// signature, you are using it wrong. Instead, such information should be\n    /// put in the [`JoseHeader`](crate::JoseHeader) and can be accessed via\n    /// [`expose_unverified_header]`](Self::expose_unverified_header).\n    ///\n    /// # Security\n    ///\n    /// Every security garantee given by this crate is broken for the returned\n    /// payload `T`. Thus, you should use this method only within isolated code\n    /// regions.\n    pub fn expose_unverified_payload(\u0026self) -\u003e \u0026T {\n        \u0026self.value.payload\n    }\n\n    /// Exposes the **unverified** raw signature in its byte representation\n    ///\n    /// Note: raw means that it is already base64 decoded.\n    ///\n    /// There is absolutely no reason to use this method. If you want to use\n    /// your own code for verification, you should create your own [`Verifier`]\n    /// instead.\n    pub fn expose_unverified_raw_signature(\u0026self) -\u003e \u0026[u8] {\n        self.signature.as_slice()\n    }\n}\n\n/// This wrapper type represents a [JWS](crate::JsonWebSignature) that was\n/// parsed from user input, but the data integrity was not verified, thus it\n/// might contain corrupted or malicious data.\n///\n/// Compared to [`Unverified`] this type can contain multiple signatures that\n/// need to be verified. An instance of this type can only be obtained by\n/// decoding a JWS using the [`JsonGeneral`] format.\n#[derive(Debug)]\npub struct ManyUnverified\u003cT\u003e {\n    pub(crate) value: T,\n    // Vec\u003c(msg, signature)\u003e\n    pub(crate) signatures: Vec\u003c(Vec\u003cu8\u003e, Vec\u003cu8\u003e)\u003e,\n}\n\nimpl\u003cT\u003e ManyUnverified\u003cT\u003e {\n    /// Parses a JWS in the [`JsonGeneral`] format into an unverified\n    /// representation of `T`.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the input format has an invalid representation for\n    /// the `T` type.\n    pub fn decode(input: JsonGeneral) -\u003e Result\u003cSelf, T::Error\u003e\n    where\n        T: DecodeFormat\u003cJsonGeneral, Decoded\u003cT\u003e = ManyUnverified\u003cT\u003e\u003e,\n    {\n        T::decode(input)\n    }\n\n    /// Returns the number of signatures in this JWS.\n    pub fn signature_count(\u0026self) -\u003e usize {\n        self.signatures.len()\n    }\n\n    /// Verify this struct using the given verifies, returning a [`Verified`]\n    /// representation of the inner type.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the number of verifiers does not match the number of\n    /// signatures, or if anything went wrong during a signature\n    /// verification or if one of the signatures is just invalid.\n    // TODO: consider using a more specific error type to give the usermore\n    // information about the error\n    pub fn verify_many\u003c'a\u003e(\n        self,\n        verifiers: impl IntoIterator\u003cItem = \u0026'a mut dyn Verifier\u003e,\n    ) -\u003e Result\u003cVerified\u003cT\u003e, VerifyError\u003e {\n        let verifiers = verifiers.into_iter().collect::\u003cVec\u003c_\u003e\u003e();\n        if verifiers.len() != self.signatures.len() {\n            return Err(VerifyError::InvalidSignature);\n        }\n\n        for (verifier, (msg, signature)) in verifiers.into_iter().zip(self.signatures) {\n            verifier.verify(\u0026msg, \u0026signature)?;\n        }\n\n        Ok(Verified(self.value))\n    }\n}\n\nimpl\u003cT, F\u003e ManyUnverified\u003cJsonWebSignature\u003cF, T\u003e\u003e\nwhere\n    F: Format,\n{\n    /// Exposes the **unverified** [`JoseHeader`](crate::JoseHeader) of this\n    /// [`JsonWebSignature`]\n    ///\n    /// You usually **should not use this method**. Instead, verify the\n    /// [`JsonWebSignature`] and potentially protected headers first, to avoid\n    /// creating security vulnerabilities.\n    ///\n    /// # When to use\n    ///\n    /// One use case is to determine which key was used to create this signature\n    /// in the first place. For example, consider you have a list of public\n    /// keys used by the same party. If you were not able to peek inside to\n    /// get a hint of the key used, for example via\n    /// [`JoseHeader::key_identifier`](crate::JoseHeader::key_identifier), you\n    /// would have to try each key until either a signature is valid or\n    /// there are no keys left.\n    ///\n    /// However, note that, since the header is not verified yet, an attacker\n    /// can spoof the key hint. For example, you MUST still make sure that the\n    /// key in the hint is actually established and does not belong to some\n    /// other party which might still be in your list of keys but is unrelated.\n    ///\n    /// # Security\n    ///\n    /// Every security garantee given by this crate is broken for the returned\n    /// [`JoseHeader`](crate::JoseHeader), including\n    /// [`HeaderValue::Protected`](crate::header::HeaderValue). Thus, you should\n    /// use this method only within isolated code regions.\n    pub fn expose_unverified_header(\u0026self) -\u003e \u0026F::JwsHeader {\n        \u0026self.value.header\n    }\n\n    /// Exposes the **unverified** [`payload`](JsonWebSignature::payload) of\n    /// this [`JsonWebSignature`]\n    ///\n    /// You **should never have the need to use this method**. If you have\n    /// information in the payload that you need in order to verify the\n    /// signature, you are using it wrong. Instead, such information should be\n    /// put in the [`JoseHeader`](crate::JoseHeader) and can be accessed via\n    /// [`expose_unverified_header]`](Self::expose_unverified_header).\n    ///\n    /// # Security\n    ///\n    /// Every security garantee given by this crate is broken for the returned\n    /// payload `T`. Thus, you should use this method only within isolated code\n    /// regions.\n    pub fn expose_unverified_payload(\u0026self) -\u003e \u0026T {\n        \u0026self.value.payload\n    }\n\n    /// Exposes an [`Iterator`] over the **unverified** signatures and their\n    /// corresponding messages.\n    ///\n    /// It returns an [`Iterator`] over `(message, signature)` for each\n    /// signature. Note: raw means that they are already base64 decoded.\n    ///\n    /// There is absolutely no reason to use this method. If you want to use\n    /// your own code for verification, you should create your own [`Verifier`]\n    /// instead.\n    pub fn expose_unverified_raw_signatures(\u0026self) -\u003e impl Iterator\u003cItem = (\u0026[u8], \u0026[u8])\u003e {\n        self.signatures\n            .iter()\n            .map(|(msg, sig)| (msg.as_slice(), sig.as_slice()))\n    }\n}\n\n/// Wrapper type around a JWS, or JWE that was verified using a [`Verifier`].\n#[derive(Debug)]\npub struct Verified\u003cT\u003e(T);\n\nimpl\u003cT\u003e Verified\u003cT\u003e {\n    /// Turns self into it's inner `T`.\n    pub fn into_inner(self) -\u003e T {\n        self.0\n    }\n}\n\nimpl\u003cT\u003e Deref for Verified\u003cT\u003e {\n    type Target = T;\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        \u0026self.0\n    }\n}\n\nimpl\u003cT\u003e DerefMut for Verified\u003cT\u003e {\n    fn deref_mut(\u0026mut self) -\u003e \u0026mut Self::Target {\n        \u0026mut self.0\n    }\n}\n\n/// A trait to turn something into a [`Verifier`]\n///\n/// Some key types like the [`Rsa`](crate::crypto::rsa::PublicKey) key type need\n/// to know which [algorithm](JsonWebSigningAlgorithm) to use.\npub trait IntoVerifier\u003cV\u003e\nwhere\n    V: Verifier,\n{\n    /// The error returned if the conversion failed\n    type Error;\n\n    /// Turn `self` into the [`Verifier`] `V`\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the conversion failed\n    fn into_verifier(self, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cV, Self::Error\u003e;\n}\n\nimpl\u003cK, V\u003e IntoVerifier\u003cV\u003e for K\nwhere\n    V: FromKey\u003cK\u003e + Verifier,\n{\n    type Error = \u003cV as FromKey\u003cK\u003e\u003e::Error;\n\n    fn into_verifier(self, alg: JsonWebSigningAlgorithm) -\u003e Result\u003cV, Self::Error\u003e {\n        V::from_key(self, JsonWebAlgorithm::Signing(alg))\n    }\n}\n","traces":[{"line":65,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":79,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":94,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":149,"address":[],"length":0,"stats":{"Line":0}},{"line":150,"address":[],"length":0,"stats":{"Line":0}},{"line":160,"address":[],"length":0,"stats":{"Line":0}},{"line":161,"address":[],"length":0,"stats":{"Line":0}},{"line":187,"address":[],"length":0,"stats":{"Line":0}},{"line":191,"address":[],"length":0,"stats":{"Line":0}},{"line":195,"address":[],"length":0,"stats":{"Line":0}},{"line":196,"address":[],"length":0,"stats":{"Line":0}},{"line":209,"address":[],"length":0,"stats":{"Line":0}},{"line":213,"address":[],"length":0,"stats":{"Line":0}},{"line":214,"address":[],"length":0,"stats":{"Line":0}},{"line":215,"address":[],"length":0,"stats":{"Line":0}},{"line":218,"address":[],"length":0,"stats":{"Line":0}},{"line":219,"address":[],"length":0,"stats":{"Line":0}},{"line":222,"address":[],"length":0,"stats":{"Line":0}},{"line":258,"address":[],"length":0,"stats":{"Line":0}},{"line":259,"address":[],"length":0,"stats":{"Line":0}},{"line":276,"address":[],"length":0,"stats":{"Line":0}},{"line":277,"address":[],"length":0,"stats":{"Line":0}},{"line":289,"address":[],"length":0,"stats":{"Line":0}},{"line":290,"address":[],"length":0,"stats":{"Line":0}},{"line":292,"address":[],"length":0,"stats":{"Line":0}},{"line":302,"address":[],"length":0,"stats":{"Line":0}},{"line":303,"address":[],"length":0,"stats":{"Line":0}},{"line":310,"address":[],"length":0,"stats":{"Line":0}},{"line":311,"address":[],"length":0,"stats":{"Line":0}},{"line":316,"address":[],"length":0,"stats":{"Line":0}},{"line":317,"address":[],"length":0,"stats":{"Line":0}},{"line":346,"address":[],"length":0,"stats":{"Line":0}},{"line":347,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":39},{"path":["/","home","stu","dev","rust","jose","src","jws.rs"],"content":"//! Implementation of JSON Web Signature (JWS) as defined in [RFC 7515]\n//!\n//! [RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515\u003e\n\nuse alloc::{format, string::String, vec, vec::Vec};\n\nuse thiserror::Error;\n\nuse crate::{\n    crypto,\n    format::{\n        Compact, DecodeFormat, DecodeFormatWithContext, Format, JsonFlattened, JsonGeneral,\n        JsonGeneralSignature,\n    },\n    header, Base64UrlString, JoseHeader,\n};\n\nmod builder;\nmod sign;\nmod verify;\n\n#[doc(inline)]\npub use {builder::*, sign::*, verify::*};\n\n// FIXME: check section 5.3. (string comparison) and verify correctness\n// FIXME: protected headers\n// FIXME: unencoded payload (IMPORTANT: check that string is all ascii, except\n// `.` character)\n\n/// The kind of payload used in a JWS.\n///\n/// Kind means that a payload data is either attached, or detached.\n#[derive(Debug, Clone, Hash, PartialEq, Eq)]\npub enum PayloadKind {\n    /// Attached payload.\n    ///\n    /// The payload data will be put into the JWS.\n    /// This is the standard kind.\n    Attached(PayloadData),\n\n    /// Detached payload.\n    ///\n    /// Detached payload is a special payload\n    /// representation of a JWS, specified\n    /// in [Appendix F](https://datatracker.ietf.org/doc/html/rfc7515#appendix-F)\n    /// of the JWS RFC.\n    ///\n    /// Essentially, the payload is not put into the JWS,\n    /// instead it's only used for signing.\n    Detached(PayloadData),\n}\n\n/// The raw payload data that should be stored in the JWS.\n#[derive(Debug, Clone, Hash, PartialEq, Eq)]\npub enum PayloadData {\n    /// The given base64 string will just be used as the payload.\n    Standard(Base64UrlString),\n}\n\n/// Represents anything that can be serialized into a raw payload.\n///\n/// This is required to be implemented when trying to sign a JWS, or encrypt a\n/// JWE.\n///\n/// # Examples\n///\n/// ```\n/// # extern crate alloc;\n/// # use alloc::string::{FromUtf8Error, String};\n/// # use core::convert::Infallible;\n/// # use jose::Base64UrlString;\n/// # use jose::jws::{FromRawPayload, IntoPayload, PayloadKind, PayloadData};\n///\n/// #[derive(Debug, PartialEq, Eq)]\n/// struct StringPayload(String);\n///\n/// impl IntoPayload for StringPayload {\n///     type Error = Infallible;\n///\n///     fn into_payload(self) -\u003e Result\u003cPayloadKind, Self::Error\u003e {\n///         let s = Base64UrlString::encode(self.0);\n///         Ok(PayloadKind::Attached(PayloadData::Standard(s)))\n///     }\n/// }\n/// ```\npub trait IntoPayload {\n    /// The error that can occurr while providing the payload in the\n    /// [`Self::into_payload`] method.\n    type Error;\n\n    /// First, this method must insert the raw bytes representation of this\n    /// payload into the given `digest`, which is later used for creating the\n    /// signature. Then the method must return the [kind of\n    /// payload](PayloadKind) to use in the resulting JWS.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if it failed to provide the payload.\n    fn into_payload(self) -\u003e Result\u003cPayloadKind, Self::Error\u003e;\n}\n\n/// Represents anything that can be parsed from a raw payload.\n///\n/// This is required to be implemented when trying to decoe a JWS, or encrypt a\n/// JWE, from it's format representation.\npub trait FromRawPayload: Sized {\n    /// The error that can occurr in any of the `from_*` methods.\n    type Error;\n\n    /// The additional context that is passed when decoding a payload.\n    type Context;\n\n    /// Converts a standard, attached [`PayloadData`] into this payload type.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the operation failed.\n    fn from_attached(context: \u0026Self::Context, payload: PayloadData) -\u003e Result\u003cSelf, Self::Error\u003e;\n\n    /// Construts this payload type from a detached content.\n    ///\n    /// For context, the header of the JWS will be provided,\n    /// to get / construct the payload.\n    ///\n    /// In addition to `Self`, the raw payload data must be\n    /// returned, in order to verify the signature.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the operation failed.\n    fn from_detached\u003cF, T\u003e(\n        context: \u0026Self::Context,\n        header: \u0026JoseHeader\u003cF, T\u003e,\n    ) -\u003e Result\u003c(Self, PayloadData), Self::Error\u003e;\n\n    /// Construts this payload type from a detached content.\n    ///\n    /// This method is only used when verifying JWS in JSON General format.\n    /// For context, all the header of the JWS will be provided,\n    /// to get / construct the payload.\n    ///\n    /// In addition to `Self`, the raw payload data must be\n    /// returned, in order to verify the signature.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the operation failed.\n    fn from_detached_many\u003cF, T\u003e(\n        context: \u0026Self::Context,\n        headers: \u0026[JoseHeader\u003cF, T\u003e],\n    ) -\u003e Result\u003c(Self, PayloadData), Self::Error\u003e;\n}\n\n/// Different kinds of errors that can occurr while signing a JWS.\n#[derive(Debug, Error)]\npub enum SignError\u003cP\u003e {\n    /// The number of headers in the JWS does not match the number of\n    /// [`Signer`]s.\n    ///\n    /// This error is only possible when using the [`JsonGeneral`] format.\n    #[error(\"the number of headers does not match the number of signers\")]\n    HeaderCountMismatch,\n    /// Failed to serialize the [`JoseHeader`].\n    #[error(\"failed to serialize header: {0}\")]\n    SerializeHeader(#[source] serde_json::Error),\n    /// The `protected` part of the header was empty, which is disallowed in the\n    /// compact format.\n    #[error(\"the protected header was empty on a compact JWS\")]\n    EmptyProtectedHeader,\n    /// The header of the JWS is invalid.\n    #[error(\"invalid JWS header: {0}\")]\n    InvalidHeader(#[source] header::Error),\n    /// The underlying signing operation of the given signer failed.\n    #[error(transparent)]\n    Sign(crypto::Error),\n    /// Failed to convert payload into it's raw byte representation.\n    #[error(transparent)]\n    Payload(P),\n}\n\n/// Represents a JSON Web Signature (JWS) as defined in [RFC 7515].\n///\n/// The JWS is a format for representing digitally signed or MACed (Message\n/// Authentication Code) content using JSON. The JSON representation is used\n/// to convey the payload, the signature, and optionally additional meta-data\n/// about the payload and signature.\n///\n/// The [`JsonWebSignature`] struct has two type parameters:\n///\n/// * `F`: The format of the JWS. This can be either [`Compact`] or\n///   [`JsonFlattened`].\n/// * `T`: The type of the payload. This can be any type that implements the\n///   [`IntoPayload`] trait and also the [`FromRawPayload`] trait.\n///\n/// [RFC 7515]: \u003chttps://datatracker.ietf.org/doc/html/rfc7515\u003e\n#[derive(Debug)]\npub struct JsonWebSignature\u003cF: Format, T = ()\u003e {\n    header: F::JwsHeader,\n    payload: T,\n}\n\nimpl\u003cF: Format\u003e JsonWebSignature\u003cF, ()\u003e {\n    /// Constructs a [`JsonWebSignatureBuilder`].\n    pub fn builder() -\u003e JsonWebSignatureBuilder\u003cF\u003e {\n        JsonWebSignatureBuilder::new()\n    }\n}\n\nimpl\u003cF: Format, T\u003e JsonWebSignature\u003cF, T\u003e {\n    pub(crate) fn new(header: F::JwsHeader, payload: T) -\u003e Self {\n        Self { header, payload }\n    }\n\n    /// Returns a reference to the payload of this JWS.\n    pub fn payload(\u0026self) -\u003e \u0026T {\n        \u0026self.payload\n    }\n}\n\nimpl\u003cT\u003e JsonWebSignature\u003cCompact, T\u003e {\n    /// Returns a reference to the [`JoseHeader`] of\n    /// this JWS.\n    pub fn header(\u0026self) -\u003e \u0026JoseHeader\u003cCompact, header::Jws\u003e {\n        \u0026self.header\n    }\n}\n\nimpl\u003cT\u003e JsonWebSignature\u003cJsonFlattened, T\u003e {\n    /// Returns a reference to the [`JoseHeader`] of\n    /// this JWS.\n    pub fn header(\u0026self) -\u003e \u0026JoseHeader\u003cJsonFlattened, header::Jws\u003e {\n        \u0026self.header\n    }\n}\n\nimpl\u003cT\u003e JsonWebSignature\u003cJsonGeneral, T\u003e {\n    /// Returns a reference to the list of [`JoseHeader`] of this JWS.\n    pub fn header(\u0026self) -\u003e \u0026Vec\u003cJoseHeader\u003cJsonGeneral, header::Jws\u003e\u003e {\n        \u0026self.header\n    }\n}\n\nimpl\u003cF: Format, T: IntoPayload\u003e JsonWebSignature\u003cF, T\u003e {\n    /// Signs this [`JsonWebSignature`] using the given `signer`.\n    ///\n    /// When signing the JWS, some fields of the header of this JWS may be\n    /// updated. For example, the `alg` header parameter will be updated to\n    /// reflect the algorithm used to sign the JWS, and the `kid` header\n    /// parameter may be updated using the value from the given [`Signer`].\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if any step of the signing operation failed.\n    /// This may include:\n    /// - The header is invalid or failed to serialize.\n    /// - The header is invalid after updating it with the given signer.\n    /// - The underlying signing operation of the given signer failed.\n    /// - The payload failed to provide it's raw byte representation.\n    pub fn sign\u003cS: AsRef\u003c[u8]\u003e\u003e(\n        mut self,\n        signer: \u0026mut dyn Signer\u003cS\u003e,\n    ) -\u003e Result\u003cSigned\u003cF\u003e, SignError\u003cT::Error\u003e\u003e {\n        F::update_header(\u0026mut self.header, signer);\n\n        let serialized_header = F::serialize_header(self.header).map_err(|x| match x {\n            SignError::HeaderCountMismatch =\u003e SignError::HeaderCountMismatch,\n            SignError::SerializeHeader(x) =\u003e SignError::SerializeHeader(x),\n            SignError::InvalidHeader(x) =\u003e SignError::InvalidHeader(x),\n            SignError::EmptyProtectedHeader =\u003e SignError::EmptyProtectedHeader,\n            SignError::Sign(x) =\u003e SignError::Sign(x),\n            SignError::Payload(x) =\u003e match x {},\n        })?;\n\n        let mut msg = F::message_from_header(\u0026serialized_header)\n            .map(|x| x.to_vec())\n            .unwrap_or_default();\n        msg.push(b'.');\n\n        let payload = self.payload.into_payload().map_err(SignError::Payload)?;\n        let payload = match payload {\n            PayloadKind::Attached(PayloadData::Standard(b64)) =\u003e {\n                msg.extend(b64.as_bytes());\n                Some(PayloadData::Standard(b64))\n            }\n            PayloadKind::Detached(PayloadData::Standard(b64)) =\u003e {\n                msg.extend(b64.as_bytes());\n                None\n            }\n        };\n\n        let signature = signer.sign(\u0026msg).map_err(SignError::Sign)?;\n\n        Ok(Signed {\n            value: F::finalize(serialized_header, payload, signature.as_ref())\n                .map_err(SignError::SerializeHeader)?,\n        })\n    }\n}\n\nimpl\u003cT: IntoPayload\u003e JsonWebSignature\u003cJsonGeneral, T\u003e {\n    /// Signs this JWS using multiple signers.\n    ///\n    /// This is only supported when the JWS is in the [`JsonGeneral`] format.\n    ///\n    /// # Errors\n    ///\n    /// Returns an error if the length of the given iterator of signers does\n    /// not match the number of headers in this JWS.\n    /// Otherwise, this method may return the same errors as the normal sign\n    /// operation.\n    pub fn sign_many\u003c's, S: AsRef\u003c[u8]\u003e + 's\u003e(\n        self,\n        signers: impl IntoIterator\u003cItem = \u0026's mut dyn Signer\u003cS\u003e\u003e,\n    ) -\u003e Result\u003cSigned\u003cJsonGeneral\u003e, SignError\u003cT::Error\u003e\u003e {\n        if self.header.is_empty() {\n            // this is unreachable right now, but we don't want to panic, so just return a\n            // kind of matching error\n            return Err(SignError::HeaderCountMismatch);\n        }\n\n        let signers = signers.into_iter().collect::\u003cVec\u003c_\u003e\u003e();\n\n        if signers.len() != self.header.len() {\n            return Err(SignError::HeaderCountMismatch);\n        }\n\n        let payload = self.payload.into_payload().map_err(SignError::Payload)?;\n        let payload_msg = match payload {\n            PayloadKind::Attached(PayloadData::Standard(ref b64)) =\u003e b64.as_bytes(),\n            PayloadKind::Detached(PayloadData::Standard(ref b64)) =\u003e b64.as_bytes(),\n        };\n\n        let mut signatures = vec![];\n\n        for (mut hdr, signer) in self.header.into_iter().zip(signers) {\n            hdr.overwrite_alg_and_key_id(signer.algorithm(), signer.key_id());\n\n            let mut msg = vec![];\n\n            let serialized_hdr = {\n                let (protected, unprotected) =\n                    hdr.into_values().map_err(SignError::InvalidHeader)?;\n\n                let protected = match protected {\n                    Some(hdr) =\u003e {\n                        let json =\n                            serde_json::to_string(\u0026hdr).map_err(SignError::SerializeHeader)?;\n\n                        let encoded = Base64UrlString::encode(json);\n                        msg.extend(encoded.as_bytes());\n                        Some(encoded)\n                    }\n                    None =\u003e None,\n                };\n\n                (protected, unprotected)\n            };\n\n            msg.push(b'.');\n            msg.extend(payload_msg);\n\n            let signature = signer.sign(\u0026msg).map_err(SignError::Sign)?;\n\n            signatures.push(JsonGeneralSignature {\n                protected: serialized_hdr.0,\n                header: serialized_hdr.1,\n                signature: Base64UrlString::encode(signature.as_ref()),\n            });\n        }\n\n        let payload = match payload {\n            PayloadKind::Attached(PayloadData::Standard(s)) =\u003e Some(s),\n            PayloadKind::Detached(_) =\u003e None,\n        };\n\n        Ok(Signed {\n            value: JsonGeneral {\n                payload,\n                signatures,\n            },\n        })\n    }\n}\n\n/// Different kinds of errors that can occurr while parsing a JWS from it's\n/// compact format.\n#[derive(Debug, Error)]\npub enum ParseCompactError\u003cP\u003e {\n    /// `crit` header field contained an unsupported name.\n    #[error(\"encountered unsupported critical headers (crit header field)\")]\n    UnsupportedCriticalHeader,\n    /// One of the parts was invalid UTF8\n    #[error(\"one of the parts was an invalid UTF-8 byte sequence\")]\n    InvalidUtf8Encoding,\n    /// One of the parts was an invalid Json string\n    #[error(\"one of the parts was an invalid json string\")]\n    InvalidJson(#[source] serde_json::Error),\n    /// The header of the JWS is invalid.\n    #[error(\"invalid JWS header: {0}\")]\n    InvalidHeader(#[source] header::Error),\n    /// Got a `Compact` with less or more than three elements.\n    #[error(\"got compact representation that didn't have 3 parts\")]\n    InvalidLength,\n    /// Failed to parse the payload.\n    #[error(transparent)]\n    Payload(P),\n}\n\nimpl\u003cF: Format, T\u003e crate::sealed::Sealed for JsonWebSignature\u003cF, T\u003e {}\n\nimpl\u003cT: FromRawPayload\u003cContext = ()\u003e\u003e DecodeFormat\u003cCompact\u003e for JsonWebSignature\u003cCompact, T\u003e {\n    type Decoded\u003cD\u003e = Unverified\u003cD\u003e;\n    type Error = ParseCompactError\u003cT::Error\u003e;\n\n    fn decode(input: Compact) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e {\n        Self::decode_with_context(input, \u0026())\n    }\n}\n\nimpl\u003cC, T: FromRawPayload\u003cContext = C\u003e\u003e DecodeFormatWithContext\u003cCompact, C\u003e\n    for JsonWebSignature\u003cCompact, T\u003e\n{\n    type Decoded\u003cD\u003e = Unverified\u003cD\u003e;\n    type Error = ParseCompactError\u003cT::Error\u003e;\n\n    fn decode_with_context(input: Compact, context: \u0026C) -\u003e Result\u003cUnverified\u003cSelf\u003e, Self::Error\u003e {\n        if input.len() != 3 {\n            return Err(ParseCompactError::InvalidLength);\n        }\n\n        let (header, raw_header) = {\n            let raw = input.part(0).expect(\"`len()` is checked above to be 3\");\n            let json = String::from_utf8(raw.decode())\n                .map_err(|_| ParseCompactError::InvalidUtf8Encoding)?;\n\n            let header = serde_json::from_str::\u003cserde_json::Map\u003cString, serde_json::Value\u003e\u003e(\u0026json)\n                .map_err(ParseCompactError::InvalidJson)?;\n\n            let header = JoseHeader::from_values(Some(header), None)\n                .map_err(ParseCompactError::InvalidHeader)?;\n\n            (header, raw)\n        };\n\n        let (payload, raw_payload) = {\n            let raw = input.part(1).expect(\"`len()` is checked above to be 3\");\n\n            // if payload is empty, detached payload\n            let (payload, raw) = if raw.is_empty() {\n                T::from_detached(context, \u0026header).map_err(ParseCompactError::Payload)?\n            } else {\n                let data = PayloadData::Standard(raw.clone());\n\n                (\n                    T::from_attached(context, data.clone()).map_err(ParseCompactError::Payload)?,\n                    data,\n                )\n            };\n\n            (payload, raw)\n        };\n        let PayloadData::Standard(raw_payload) = raw_payload;\n\n        let signature = input.part(2).expect(\"`len()` is checked above to be 3\");\n\n        let msg = format!(\"{raw_header}.{raw_payload}\");\n\n        Ok(Unverified {\n            value: JsonWebSignature { header, payload },\n            signature: signature.decode(),\n            msg: msg.into_bytes(),\n        })\n    }\n}\n\nfn parse_json_header\u003cF: Format, E\u003e(\n    protected: Option\u003c\u0026Base64UrlString\u003e,\n    header: Option\u003cserde_json::Map\u003cString, serde_json::Value\u003e\u003e,\n) -\u003e Result\u003cJoseHeader\u003cF, header::Jws\u003e, ParseJsonError\u003cE\u003e\u003e {\n    let protected = match protected {\n        Some(encoded) =\u003e {\n            let json = String::from_utf8(encoded.decode())\n                .map_err(|_| ParseJsonError::InvalidUtf8Encoding)?;\n\n            let values = serde_json::from_str::\u003cserde_json::Map\u003cString, serde_json::Value\u003e\u003e(\u0026json)\n                .map_err(ParseJsonError::InvalidJson)?;\n            Some(values)\n        }\n        None =\u003e None,\n    };\n\n    JoseHeader::from_values(protected, header).map_err(ParseJsonError::InvalidHeader)\n}\n\n/// Different kinds of errors that can occurr while parsing a JWS from it's\n/// JSON, general or flattened, format.\n#[derive(Debug, Error)]\npub enum ParseJsonError\u003cP\u003e {\n    /// The `signatures` array was empty.\n    ///\n    /// This error can only happen when decoding the [`JsonGeneral`] format.\n    #[error(\"the signatures array was empty\")]\n    EmptySignatures,\n    /// The header of the JWS is invalid.\n    #[error(\"invalid JWS header: {0}\")]\n    InvalidHeader(#[source] header::Error),\n    /// The protected header or signature contained invalid UTF-8\n    #[error(\"protected header or signature contained invalid UTF-8\")]\n    InvalidUtf8Encoding,\n    /// The protected header contained invalid JSON\n    #[error(\"protected header contained invalid JSON\")]\n    InvalidJson(#[source] serde_json::Error),\n    /// Failed to parse the payload.\n    #[error(transparent)]\n    Payload(P),\n}\n\nimpl\u003cT: FromRawPayload\u003cContext = ()\u003e\u003e DecodeFormat\u003cJsonFlattened\u003e\n    for JsonWebSignature\u003cJsonFlattened, T\u003e\n{\n    type Decoded\u003cD\u003e = Unverified\u003cD\u003e;\n    type Error = ParseJsonError\u003cT::Error\u003e;\n\n    fn decode(input: JsonFlattened) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e {\n        Self::decode_with_context(input, \u0026())\n    }\n}\n\nimpl\u003cC, T: FromRawPayload\u003cContext = C\u003e\u003e DecodeFormatWithContext\u003cJsonFlattened, C\u003e\n    for JsonWebSignature\u003cJsonFlattened, T\u003e\n{\n    type Decoded\u003cD\u003e = Unverified\u003cD\u003e;\n    type Error = ParseJsonError\u003cT::Error\u003e;\n\n    fn decode_with_context(\n        JsonFlattened {\n            payload,\n            protected,\n            header,\n            signature,\n        }: JsonFlattened,\n        context: \u0026C,\n    ) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e {\n        let protected_str = protected.clone().unwrap_or_default().into_inner();\n        let header = parse_json_header(protected.as_ref(), header)?;\n\n        let (payload, raw_payload) = match payload {\n            Some(b64) =\u003e (\n                T::from_attached(context, PayloadData::Standard(b64.clone()))\n                    .map_err(ParseJsonError::Payload)?,\n                PayloadData::Standard(b64),\n            ),\n            None =\u003e T::from_detached(context, \u0026header).map_err(ParseJsonError::Payload)?,\n        };\n        let PayloadData::Standard(raw_payload) = raw_payload;\n\n        let msg = format!(\"{protected_str}.{raw_payload}\");\n        Ok(Unverified {\n            value: JsonWebSignature { header, payload },\n            signature: signature.decode(),\n            msg: msg.into_bytes(),\n        })\n    }\n}\n\nimpl\u003cT: FromRawPayload\u003cContext = ()\u003e\u003e DecodeFormat\u003cJsonGeneral\u003e\n    for JsonWebSignature\u003cJsonGeneral, T\u003e\n{\n    type Decoded\u003cD\u003e = ManyUnverified\u003cD\u003e;\n    type Error = ParseJsonError\u003cT::Error\u003e;\n\n    fn decode(input: JsonGeneral) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e {\n        Self::decode_with_context(input, \u0026())\n    }\n}\n\nimpl\u003cC, T: FromRawPayload\u003cContext = C\u003e\u003e DecodeFormatWithContext\u003cJsonGeneral, C\u003e\n    for JsonWebSignature\u003cJsonGeneral, T\u003e\n{\n    type Decoded\u003cD\u003e = ManyUnverified\u003cD\u003e;\n    type Error = ParseJsonError\u003cT::Error\u003e;\n\n    fn decode_with_context(\n        JsonGeneral {\n            payload,\n            signatures,\n        }: JsonGeneral,\n        context: \u0026C,\n    ) -\u003e Result\u003cSelf::Decoded\u003cSelf\u003e, Self::Error\u003e {\n        if signatures.is_empty() {\n            return Err(ParseJsonError::EmptySignatures);\n        }\n\n        let mut headers = Vec::with_capacity(signatures.len());\n        let mut sigs = Vec::with_capacity(signatures.len());\n\n        for sig in signatures {\n            let header = parse_json_header(sig.protected.as_ref(), sig.header)?;\n\n            headers.push(header);\n            sigs.push((sig.protected.unwrap_or_default(), sig.signature.decode()));\n        }\n\n        let (payload, raw_payload) = match payload {\n            Some(b64) =\u003e (\n                T::from_attached(context, PayloadData::Standard(b64.clone()))\n                    .map_err(ParseJsonError::Payload)?,\n                PayloadData::Standard(b64),\n            ),\n            None =\u003e T::from_detached_many(context, \u0026headers).map_err(ParseJsonError::Payload)?,\n        };\n        let PayloadData::Standard(raw_payload) = raw_payload;\n\n        let unverified_signatures = sigs\n            .into_iter()\n            .map(|(protected, signature)| {\n                let msg = format!(\"{protected}.{raw_payload}\");\n\n                (msg.into_bytes(), signature)\n            })\n            .collect();\n\n        Ok(ManyUnverified {\n            value: JsonWebSignature {\n                header: headers,\n                payload,\n            },\n            signatures: unverified_signatures,\n        })\n    }\n}\n","traces":[{"line":204,"address":[],"length":0,"stats":{"Line":0}},{"line":205,"address":[],"length":0,"stats":{"Line":0}},{"line":210,"address":[],"length":0,"stats":{"Line":0}},{"line":215,"address":[],"length":0,"stats":{"Line":0}},{"line":216,"address":[],"length":0,"stats":{"Line":0}},{"line":223,"address":[],"length":0,"stats":{"Line":0}},{"line":224,"address":[],"length":0,"stats":{"Line":0}},{"line":231,"address":[],"length":0,"stats":{"Line":0}},{"line":232,"address":[],"length":0,"stats":{"Line":0}},{"line":238,"address":[],"length":0,"stats":{"Line":0}},{"line":239,"address":[],"length":0,"stats":{"Line":0}},{"line":259,"address":[],"length":0,"stats":{"Line":0}},{"line":263,"address":[],"length":0,"stats":{"Line":0}},{"line":265,"address":[],"length":0,"stats":{"Line":0}},{"line":266,"address":[],"length":0,"stats":{"Line":0}},{"line":267,"address":[],"length":0,"stats":{"Line":0}},{"line":268,"address":[],"length":0,"stats":{"Line":0}},{"line":269,"address":[],"length":0,"stats":{"Line":0}},{"line":270,"address":[],"length":0,"stats":{"Line":0}},{"line":271,"address":[],"length":0,"stats":{"Line":0}},{"line":274,"address":[],"length":0,"stats":{"Line":0}},{"line":275,"address":[],"length":0,"stats":{"Line":0}},{"line":277,"address":[],"length":0,"stats":{"Line":0}},{"line":279,"address":[],"length":0,"stats":{"Line":0}},{"line":280,"address":[],"length":0,"stats":{"Line":0}},{"line":281,"address":[],"length":0,"stats":{"Line":0}},{"line":282,"address":[],"length":0,"stats":{"Line":0}},{"line":283,"address":[],"length":0,"stats":{"Line":0}},{"line":285,"address":[],"length":0,"stats":{"Line":0}},{"line":286,"address":[],"length":0,"stats":{"Line":0}},{"line":287,"address":[],"length":0,"stats":{"Line":0}},{"line":291,"address":[],"length":0,"stats":{"Line":0}},{"line":293,"address":[],"length":0,"stats":{"Line":0}},{"line":294,"address":[],"length":0,"stats":{"Line":0}},{"line":295,"address":[],"length":0,"stats":{"Line":0}},{"line":311,"address":[],"length":0,"stats":{"Line":0}},{"line":315,"address":[],"length":0,"stats":{"Line":0}},{"line":318,"address":[],"length":0,"stats":{"Line":0}},{"line":321,"address":[],"length":0,"stats":{"Line":0}},{"line":323,"address":[],"length":0,"stats":{"Line":0}},{"line":324,"address":[],"length":0,"stats":{"Line":0}},{"line":327,"address":[],"length":0,"stats":{"Line":0}},{"line":328,"address":[],"length":0,"stats":{"Line":0}},{"line":329,"address":[],"length":0,"stats":{"Line":0}},{"line":330,"address":[],"length":0,"stats":{"Line":0}},{"line":333,"address":[],"length":0,"stats":{"Line":0}},{"line":335,"address":[],"length":0,"stats":{"Line":0}},{"line":336,"address":[],"length":0,"stats":{"Line":0}},{"line":338,"address":[],"length":0,"stats":{"Line":0}},{"line":340,"address":[],"length":0,"stats":{"Line":0}},{"line":341,"address":[],"length":0,"stats":{"Line":0}},{"line":342,"address":[],"length":0,"stats":{"Line":0}},{"line":344,"address":[],"length":0,"stats":{"Line":0}},{"line":345,"address":[],"length":0,"stats":{"Line":0}},{"line":346,"address":[],"length":0,"stats":{"Line":0}},{"line":347,"address":[],"length":0,"stats":{"Line":0}},{"line":349,"address":[],"length":0,"stats":{"Line":0}},{"line":350,"address":[],"length":0,"stats":{"Line":0}},{"line":351,"address":[],"length":0,"stats":{"Line":0}},{"line":353,"address":[],"length":0,"stats":{"Line":0}},{"line":356,"address":[],"length":0,"stats":{"Line":0}},{"line":359,"address":[],"length":0,"stats":{"Line":0}},{"line":360,"address":[],"length":0,"stats":{"Line":0}},{"line":362,"address":[],"length":0,"stats":{"Line":0}},{"line":364,"address":[],"length":0,"stats":{"Line":0}},{"line":365,"address":[],"length":0,"stats":{"Line":0}},{"line":366,"address":[],"length":0,"stats":{"Line":0}},{"line":367,"address":[],"length":0,"stats":{"Line":0}},{"line":371,"address":[],"length":0,"stats":{"Line":0}},{"line":372,"address":[],"length":0,"stats":{"Line":0}},{"line":373,"address":[],"length":0,"stats":{"Line":0}},{"line":376,"address":[],"length":0,"stats":{"Line":0}},{"line":377,"address":[],"length":0,"stats":{"Line":0}},{"line":378,"address":[],"length":0,"stats":{"Line":0}},{"line":379,"address":[],"length":0,"stats":{"Line":0}},{"line":415,"address":[],"length":0,"stats":{"Line":0}},{"line":416,"address":[],"length":0,"stats":{"Line":0}},{"line":426,"address":[],"length":0,"stats":{"Line":0}},{"line":427,"address":[],"length":0,"stats":{"Line":0}},{"line":428,"address":[],"length":0,"stats":{"Line":0}},{"line":431,"address":[],"length":0,"stats":{"Line":0}},{"line":432,"address":[],"length":0,"stats":{"Line":0}},{"line":433,"address":[],"length":0,"stats":{"Line":0}},{"line":434,"address":[],"length":0,"stats":{"Line":0}},{"line":436,"address":[],"length":0,"stats":{"Line":0}},{"line":437,"address":[],"length":0,"stats":{"Line":0}},{"line":439,"address":[],"length":0,"stats":{"Line":0}},{"line":440,"address":[],"length":0,"stats":{"Line":0}},{"line":442,"address":[],"length":0,"stats":{"Line":0}},{"line":445,"address":[],"length":0,"stats":{"Line":0}},{"line":446,"address":[],"length":0,"stats":{"Line":0}},{"line":449,"address":[],"length":0,"stats":{"Line":0}},{"line":450,"address":[],"length":0,"stats":{"Line":0}},{"line":452,"address":[],"length":0,"stats":{"Line":0}},{"line":455,"address":[],"length":0,"stats":{"Line":0}},{"line":456,"address":[],"length":0,"stats":{"Line":0}},{"line":460,"address":[],"length":0,"stats":{"Line":0}},{"line":462,"address":[],"length":0,"stats":{"Line":0}},{"line":464,"address":[],"length":0,"stats":{"Line":0}},{"line":466,"address":[],"length":0,"stats":{"Line":0}},{"line":468,"address":[],"length":0,"stats":{"Line":0}},{"line":469,"address":[],"length":0,"stats":{"Line":0}},{"line":470,"address":[],"length":0,"stats":{"Line":0}},{"line":471,"address":[],"length":0,"stats":{"Line":0}},{"line":476,"address":[],"length":0,"stats":{"Line":0}},{"line":480,"address":[],"length":0,"stats":{"Line":0}},{"line":481,"address":[],"length":0,"stats":{"Line":0}},{"line":482,"address":[],"length":0,"stats":{"Line":0}},{"line":483,"address":[],"length":0,"stats":{"Line":0}},{"line":485,"address":[],"length":0,"stats":{"Line":0}},{"line":486,"address":[],"length":0,"stats":{"Line":0}},{"line":487,"address":[],"length":0,"stats":{"Line":0}},{"line":489,"address":[],"length":0,"stats":{"Line":0}},{"line":492,"address":[],"length":0,"stats":{"Line":0}},{"line":524,"address":[],"length":0,"stats":{"Line":0}},{"line":525,"address":[],"length":0,"stats":{"Line":0}},{"line":535,"address":[],"length":0,"stats":{"Line":0}},{"line":544,"address":[],"length":0,"stats":{"Line":0}},{"line":545,"address":[],"length":0,"stats":{"Line":0}},{"line":547,"address":[],"length":0,"stats":{"Line":0}},{"line":548,"address":[],"length":0,"stats":{"Line":0}},{"line":549,"address":[],"length":0,"stats":{"Line":0}},{"line":550,"address":[],"length":0,"stats":{"Line":0}},{"line":551,"address":[],"length":0,"stats":{"Line":0}},{"line":553,"address":[],"length":0,"stats":{"Line":0}},{"line":555,"address":[],"length":0,"stats":{"Line":0}},{"line":557,"address":[],"length":0,"stats":{"Line":0}},{"line":558,"address":[],"length":0,"stats":{"Line":0}},{"line":559,"address":[],"length":0,"stats":{"Line":0}},{"line":560,"address":[],"length":0,"stats":{"Line":0}},{"line":561,"address":[],"length":0,"stats":{"Line":0}},{"line":572,"address":[],"length":0,"stats":{"Line":0}},{"line":573,"address":[],"length":0,"stats":{"Line":0}},{"line":583,"address":[],"length":0,"stats":{"Line":0}},{"line":590,"address":[],"length":0,"stats":{"Line":0}},{"line":591,"address":[],"length":0,"stats":{"Line":0}},{"line":594,"address":[],"length":0,"stats":{"Line":0}},{"line":595,"address":[],"length":0,"stats":{"Line":0}},{"line":597,"address":[],"length":0,"stats":{"Line":0}},{"line":598,"address":[],"length":0,"stats":{"Line":0}},{"line":600,"address":[],"length":0,"stats":{"Line":0}},{"line":601,"address":[],"length":0,"stats":{"Line":0}},{"line":604,"address":[],"length":0,"stats":{"Line":0}},{"line":605,"address":[],"length":0,"stats":{"Line":0}},{"line":606,"address":[],"length":0,"stats":{"Line":0}},{"line":607,"address":[],"length":0,"stats":{"Line":0}},{"line":608,"address":[],"length":0,"stats":{"Line":0}},{"line":610,"address":[],"length":0,"stats":{"Line":0}},{"line":612,"address":[],"length":0,"stats":{"Line":0}},{"line":614,"address":[],"length":0,"stats":{"Line":0}},{"line":616,"address":[],"length":0,"stats":{"Line":0}},{"line":617,"address":[],"length":0,"stats":{"Line":0}},{"line":619,"address":[],"length":0,"stats":{"Line":0}},{"line":623,"address":[],"length":0,"stats":{"Line":0}},{"line":624,"address":[],"length":0,"stats":{"Line":0}},{"line":625,"address":[],"length":0,"stats":{"Line":0}},{"line":626,"address":[],"length":0,"stats":{"Line":0}},{"line":628,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":158},{"path":["/","home","stu","dev","rust","jose","src","jwt.rs"],"content":"//! JsonWebToken (JWT) implementation\n//!\n//! JWTs are the most common use of JOSE.\n\nuse alloc::string::String;\n\nuse serde::{de::DeserializeOwned, Deserialize, Serialize};\n\nuse crate::{\n    format::{self, Compact},\n    jws::{FromRawPayload, IntoPayload, JsonWebSignatureBuilder, PayloadData, PayloadKind},\n    Base64UrlString, JsonWebSignature, Jws,\n};\n\n/// A JSON Web Token (JWT) as defined in [RFC 7519].\n///\n/// Since a JWT is only allowed to be serialized in the compact format, the\n/// `F` type parameter is fixed to [`Compact`] in this type\n/// alias.\n///\n/// [RFC 7519]: \u003chttps://datatracker.ietf.org/doc/html/rfc7519\u003e\npub type JsonWebToken\u003cA\u003e = JsonWebSignature\u003cformat::Compact, Claims\u003cA\u003e\u003e;\n\nimpl JsonWebToken\u003c()\u003e {\n    /// Returns a [`JsonWebSignatureBuilder`] for a [`JsonWebToken`]\n    // this method is needed because of interference problems if it is named\n    // builder directly.\n    pub fn builder_jwt() -\u003e JsonWebSignatureBuilder\u003cCompact\u003e {\n        Jws::builder()\n    }\n}\n\n/// The claims of a JSON Web Token (JWT) as defined in [RFC 7519].\n///\n/// The `A` type parameter is used to specify the type of the additional\n/// parameters of the claims. If no additional parameters are required,\n/// the unit type `()` can be used.\n///\n/// [RFC 7519]: \u003chttps://datatracker.ietf.org/doc/html/rfc7519\u003e\n#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Default)]\npub struct Claims\u003cA = ()\u003e {\n    /// The \"iss\" (issuer) claim identifies the principal that issued the JWT.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1).\n    #[serde(rename = \"iss\", skip_serializing_if = \"Option::is_none\")]\n    pub issuer: Option\u003cString\u003e,\n\n    /// The \"sub\" (subject) claim identifies the principal that is the subject\n    /// of the JWT.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.2](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2).\n    #[serde(rename = \"sub\", skip_serializing_if = \"Option::is_none\")]\n    pub subject: Option\u003cString\u003e,\n\n    /// The \"aud\" (audience) claim identifies the recipients that the JWT is\n    /// intended for.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.3](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3).\n    #[serde(rename = \"aud\", skip_serializing_if = \"Option::is_none\")]\n    pub audience: Option\u003cString\u003e,\n\n    /// The \"exp\" (expiration time) claim identifies the expiration time on or\n    /// after which the JWT MUST NOT be accepted for processing.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.4](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4).\n    #[serde(rename = \"exp\", skip_serializing_if = \"Option::is_none\")]\n    pub expiration: Option\u003cu64\u003e,\n\n    /// The \"nbf\" (not before) claim identifies the time before which the JWT\n    /// MUST NOT be accepted for processing.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.5](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5).\n    #[serde(rename = \"nbf\", skip_serializing_if = \"Option::is_none\")]\n    pub not_before: Option\u003cu64\u003e,\n\n    /// The \"iat\" (issued at) claim identifies the time at which the JWT was\n    /// issued.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.6](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6).\n    #[serde(rename = \"iat\", skip_serializing_if = \"Option::is_none\")]\n    pub issued_at: Option\u003cu64\u003e,\n\n    /// The \"jti\" (JWT ID) claim provides a unique identifier for the JWT.\n    ///\n    /// As defined in [RFC 7519 Section 4.1.7](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.7).\n    #[serde(rename = \"jti\", skip_serializing_if = \"Option::is_none\")]\n    pub jwt_id: Option\u003cString\u003e,\n\n    /// Additional, potentially unregistered JWT claims.\n    #[serde(flatten)]\n    pub additional: A,\n}\n\nimpl\u003cA\u003e IntoPayload for Claims\u003cA\u003e\nwhere\n    A: Serialize,\n{\n    type Error = serde_json::Error;\n\n    fn into_payload(self) -\u003e Result\u003cPayloadKind, Self::Error\u003e {\n        let encoded = serde_json::to_vec(\u0026self)?;\n        Ok(PayloadKind::Attached(PayloadData::Standard(\n            Base64UrlString::encode(encoded),\n        )))\n    }\n}\n\n/// Error returned by [`FromRawPayload`] implementation of [`Claims`]\n#[derive(Debug, thiserror::Error)]\n#[non_exhaustive]\npub enum ClaimsDecodeError {\n    /// [`Claims`] does not support this operation.\n    #[error(\"Operation not supported.\")]\n    OperationUnsupported,\n    /// Error while deserializing underlying Json\n    #[error(transparent)]\n    Json(#[from] serde_json::Error),\n}\n\nimpl\u003cA\u003e FromRawPayload for Claims\u003cA\u003e\nwhere\n    A: DeserializeOwned,\n{\n    type Context = ();\n    type Error = ClaimsDecodeError;\n\n    fn from_attached(_: \u0026Self::Context, payload: PayloadData) -\u003e Result\u003cSelf, Self::Error\u003e {\n        let data = match payload {\n            PayloadData::Standard(data) =\u003e data.decode(),\n        };\n        let claims: Claims\u003cA\u003e = serde_json::from_slice(\u0026data)?;\n        Ok(claims)\n    }\n\n    /// Detached is not supported with [`JsonWebToken`]\n    ///\n    /// # Returns\n    ///\n    /// Always returns [`ClaimsDecodeError::OperationUnsupported`]\n    fn from_detached\u003cF, T\u003e(\n        _: \u0026Self::Context,\n        _: \u0026crate::JoseHeader\u003cF, T\u003e,\n    ) -\u003e Result\u003c(Self, PayloadData), Self::Error\u003e {\n        Err(ClaimsDecodeError::OperationUnsupported)\n    }\n\n    /// Detached is not supported with [`JsonWebToken`]\n    ///\n    /// # Returns\n    ///\n    /// Always returns [`ClaimsDecodeError::OperationUnsupported`]\n    fn from_detached_many\u003cF, T\u003e(\n        _: \u0026Self::Context,\n        _: \u0026[crate::JoseHeader\u003cF, T\u003e],\n    ) -\u003e Result\u003c(Self, PayloadData), Self::Error\u003e {\n        Err(ClaimsDecodeError::OperationUnsupported)\n    }\n}\n","traces":[{"line":28,"address":[],"length":0,"stats":{"Line":0}},{"line":29,"address":[],"length":0,"stats":{"Line":0}},{"line":100,"address":[],"length":0,"stats":{"Line":0}},{"line":101,"address":[],"length":0,"stats":{"Line":0}},{"line":102,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":127,"address":[],"length":0,"stats":{"Line":0}},{"line":128,"address":[],"length":0,"stats":{"Line":0}},{"line":129,"address":[],"length":0,"stats":{"Line":0}},{"line":131,"address":[],"length":0,"stats":{"Line":0}},{"line":132,"address":[],"length":0,"stats":{"Line":0}},{"line":140,"address":[],"length":0,"stats":{"Line":0}},{"line":144,"address":[],"length":0,"stats":{"Line":0}},{"line":152,"address":[],"length":0,"stats":{"Line":0}},{"line":156,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":15},{"path":["/","home","stu","dev","rust","jose","src","lib.rs"],"content":"#![doc = include_str!(\"../README.md\")]\n#![allow(clippy::doc_overindented_list_items)]\n#![warn(\n    missing_docs,\n    missing_debug_implementations,\n    trivial_casts,\n    trivial_numeric_casts,\n    unused_extern_crates,\n    unused_import_braces,\n    explicit_outlives_requirements,\n    clippy::missing_errors_doc\n)]\n#![deny(\n    rustdoc::broken_intra_doc_links,\n    rustdoc::bare_urls,\n    macro_use_extern_crate,\n    non_ascii_idents,\n    elided_lifetimes_in_paths\n)]\n#![forbid(unsafe_code)]\n#![cfg_attr(not(feature = \"std\"), no_std)]\n#![cfg_attr(feature = \"std\", allow(unused_qualifications))]\n#![cfg_attr(docsrs, feature(doc_auto_cfg))]\n\nextern crate alloc;\n\n#[macro_use]\nmod macros;\n\npub(crate) mod base64_url;\n#[macro_use]\npub(crate) mod tagged_visitor;\npub(crate) mod sealed;\n\npub mod crypto;\npub mod format;\npub mod header;\npub mod jwa;\npub mod jwe;\npub mod jwk;\npub mod jws;\npub mod jwt;\nmod uri;\n\nuse alloc::string::String;\n\npub use base64_url::Base64UrlString;\npub use uri::Uri;\n\n#[doc(inline)]\npub use self::{header::JoseHeader, jwk::JsonWebKey, jws::JsonWebSignature, jwt::JsonWebToken};\n\n/// Type alias to make [`JsonWebSignature`] easier to access.\npub type Jws\u003cF = format::Compact, T = ()\u003e = JsonWebSignature\u003cF, T\u003e;\n\n/// Type alias to make [`JsonWebToken`] easier to access.\npub type Jwt\u003cA = ()\u003e = JsonWebToken\u003cA\u003e;\n\n/// Type alias to make [`JsonWebKey`] easier to access.\npub type Jwk\u003cA = ()\u003e = JsonWebKey\u003cA\u003e;\n\n/// This type is used when the type of the additional parameters\n/// of a [`JsonWebKey`], or a [`JoseHeader`] can not be\n/// specified, but must not be discarded.\npub type UntypedAdditionalProperties = serde_json::Map\u003cString, serde_json::Value\u003e;\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","macros.rs"],"content":"macro_rules! impl_serde_jwa {\n    ($T:ty, [\n        $($name:literal =\u003e $val:expr; $valp:pat,)*\n    ]) =\u003e {\n\n        impl core::fmt::Display for $T {\n            fn fmt(\u0026self, f: \u0026mut core::fmt::Formatter\u003c'_\u003e) -\u003e core::fmt::Result {\n                match \u0026self {\n                    $($valp =\u003e write!(f, \"{}\", $name),)*\n                    Self::Other(other) =\u003e write!(f, \"{}\", other),\n                }\n            }\n        }\n        #[allow(unused_qualifications)]\n        impl\u003c'de\u003e serde::Deserialize\u003c'de\u003e for $T {\n            fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n            where\n                D: serde::Deserializer\u003c'de\u003e,\n            {\n                let name = \u003calloc::borrow::Cow\u003c'_, str\u003e as serde::Deserialize\u003e::deserialize(deserializer)?;\n\n                Ok(Self::from_str_without_other(\u0026name).unwrap_or_else(|| {\n                    Self::Other(name.into_owned())\n                }))\n            }\n        }\n\n        #[allow(unused_qualifications)]\n        impl serde::Serialize for $T {\n            fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n            where\n                S: serde::Serializer,\n            {\n                let name = match self {\n                    $($valp =\u003e $name,)*\n                    Self::Other(custom) =\u003e custom,\n                };\n                \u003c\u0026str as serde::Serialize\u003e::serialize(\u0026name, serializer)\n            }\n        }\n\n        impl $T {\n            /// Tries to parse the given name into a variant, and returns `None`\n            /// if no variant matched.\n            pub(crate) fn from_str_without_other(name: \u0026str) -\u003e Option\u003cSelf\u003e {\n                match name {\n                    $($name =\u003e Some($val),)*\n                    _ =\u003e None,\n                }\n            }\n        }\n    };\n}\n\nmacro_rules! impl_internally_tagged_deserialize {\n    ($T:ty, $tag:literal, $expecting:literal, [$($name:literal =\u003e $i:ident),* $(,)?]) =\u003e {\n        #[allow(unused_qualifications)]\n        impl\u003c'de\u003e serde::Deserialize\u003c'de\u003e for $T {\n            fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cSelf, D::Error\u003e\n            where\n                D: serde::Deserializer\u003c'de\u003e,\n            {\n                #[derive(Clone, Copy, Deserialize)]\n                enum Tag {\n                    $(#[serde(rename = $name)]\n                    $i,)*\n                }\n\n                let tagged =\n                    deserializer.deserialize_any(crate::tagged_visitor::TaggedContentVisitor::new($tag, $expecting))?;\n\n                match tagged.tag {\n                    $(Tag::$i =\u003e Deserialize::deserialize(tagged.content).map(\u003c$T\u003e::$i),)*\n                }\n                .map_err(|x| x.into_error())\n            }\n        }\n    };\n}\n\nmacro_rules! impl_thumbprint_hash_trait {\n    ($symmetric:ty) =\u003e {\n        #[allow(rustdoc::redundant_explicit_links)]\n        /// The [`Hash`](core::hash::Hash) implementation uses\n        /// [`Thumbprint::thumbprint_prehashed`](crate::jwk::Thumbprint::thumbprint_prehashed)\n        impl core::hash::Hash for $symmetric {\n            fn hash\u003cH\u003e(\u0026self, state: \u0026mut H)\n            where\n                H: core::hash::Hasher,\n            {\n                alloc::format!(\n                    \"symmetric:{}\",\n                    \u003c$symmetric as crate::jwk::Thumbprint\u003e::thumbprint_prehashed(\u0026self)\n                )\n                .hash(state)\n            }\n        }\n    };\n    ($public:ty, $private:ty) =\u003e {\n        #[allow(rustdoc::redundant_explicit_links)]\n        /// The [`Hash`](core::hash::Hash) implementation uses\n        /// [`Thumbprint::thumbprint_prehashed`](crate::jwk::Thumbprint::thumbprint_prehashed)\n        impl core::hash::Hash for $public {\n            fn hash\u003cH\u003e(\u0026self, state: \u0026mut H)\n            where\n                H: core::hash::Hasher,\n            {\n                alloc::format!(\n                    \"public:{}\",\n                    \u003c$public as crate::jwk::Thumbprint\u003e::thumbprint_prehashed(\u0026self)\n                )\n                .hash(state)\n            }\n        }\n        #[allow(rustdoc::redundant_explicit_links)]\n        /// The [`Hash`](core::hash::Hash) implementation uses\n        /// [`Thumbprint::thumbprint_prehashed`](crate::jwk::Thumbprint::thumbprint_prehashed)\n        impl core::hash::Hash for $private {\n            fn hash\u003cH\u003e(\u0026self, state: \u0026mut H)\n            where\n                H: core::hash::Hasher,\n            {\n                alloc::format!(\n                    \"private:{}\",\n                    \u003c$private as crate::jwk::Thumbprint\u003e::thumbprint_prehashed(\u0026self)\n                )\n                .hash(state)\n            }\n        }\n    };\n}\n","traces":[{"line":7,"address":[],"length":0,"stats":{"Line":0}},{"line":8,"address":[],"length":0,"stats":{"Line":0}},{"line":9,"address":[],"length":0,"stats":{"Line":0}},{"line":10,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":17,"address":[],"length":0,"stats":{"Line":0}},{"line":18,"address":[],"length":0,"stats":{"Line":0}},{"line":20,"address":[],"length":0,"stats":{"Line":0}},{"line":22,"address":[],"length":0,"stats":{"Line":0}},{"line":23,"address":[],"length":0,"stats":{"Line":0}},{"line":30,"address":[],"length":0,"stats":{"Line":28}},{"line":31,"address":[],"length":0,"stats":{"Line":28}},{"line":32,"address":[],"length":0,"stats":{"Line":28}},{"line":34,"address":[],"length":0,"stats":{"Line":34}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":38,"address":[],"length":0,"stats":{"Line":28}},{"line":45,"address":[],"length":0,"stats":{"Line":94}},{"line":46,"address":[],"length":0,"stats":{"Line":94}},{"line":47,"address":[],"length":0,"stats":{"Line":49}},{"line":48,"address":[],"length":0,"stats":{"Line":49}},{"line":59,"address":[],"length":0,"stats":{"Line":118}},{"line":60,"address":[],"length":0,"stats":{"Line":118}},{"line":61,"address":[],"length":0,"stats":{"Line":118}},{"line":69,"address":[],"length":0,"stats":{"Line":60}},{"line":70,"address":[],"length":0,"stats":{"Line":176}},{"line":72,"address":[],"length":0,"stats":{"Line":0}},{"line":73,"address":[],"length":0,"stats":{"Line":24}},{"line":75,"address":[],"length":0,"stats":{"Line":20}},{"line":87,"address":[],"length":0,"stats":{"Line":0}},{"line":88,"address":[],"length":0,"stats":{"Line":0}},{"line":89,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":93,"address":[],"length":0,"stats":{"Line":0}},{"line":95,"address":[],"length":0,"stats":{"Line":0}},{"line":104,"address":[],"length":0,"stats":{"Line":1}},{"line":105,"address":[],"length":0,"stats":{"Line":1}},{"line":106,"address":[],"length":0,"stats":{"Line":1}},{"line":108,"address":[],"length":0,"stats":{"Line":1}},{"line":109,"address":[],"length":0,"stats":{"Line":1}},{"line":110,"address":[],"length":0,"stats":{"Line":1}},{"line":112,"address":[],"length":0,"stats":{"Line":1}},{"line":119,"address":[],"length":0,"stats":{"Line":1}},{"line":120,"address":[],"length":0,"stats":{"Line":1}},{"line":121,"address":[],"length":0,"stats":{"Line":1}},{"line":123,"address":[],"length":0,"stats":{"Line":1}},{"line":124,"address":[],"length":0,"stats":{"Line":1}},{"line":125,"address":[],"length":0,"stats":{"Line":1}},{"line":127,"address":[],"length":0,"stats":{"Line":1}}],"covered":30,"coverable":49},{"path":["/","home","stu","dev","rust","jose","src","sealed.rs"],"content":"/// A trait to protect traits meant only to be implemented by types from this\n/// crate from types outside this crate ([`C-SEALED`])\n///\n/// [`C-SEALED`]: \u003chttps://rust-lang.github.io/api-guidelines/future-proofing.html\u003e\npub trait Sealed {}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","src","tagged_visitor.rs"],"content":"use alloc::{collections::BTreeMap, fmt};\nuse core::marker::PhantomData;\n\nuse serde::{\n    de::{self, DeserializeSeed, MapAccess, Visitor},\n    Deserialize, Deserializer,\n};\nuse serde_value::Value;\n\npub(crate) struct TaggedContent\u003cT\u003e {\n    pub tag: T,\n    pub content: Value,\n}\n\npub(crate) struct TaggedContentVisitor\u003c'de, T\u003e {\n    tag_name: \u0026'static str,\n    expecting: \u0026'static str,\n    _tag: PhantomData\u003cT\u003e,\n    _content: PhantomData\u003c\u0026'de [u8]\u003e,\n}\n\nimpl\u003cT\u003e TaggedContentVisitor\u003c'_, T\u003e {\n    pub fn new(tag_name: \u0026'static str, expecting: \u0026'static str) -\u003e Self {\n        Self {\n            tag_name,\n            expecting,\n            _tag: PhantomData,\n            _content: PhantomData,\n        }\n    }\n}\n\nimpl\u003c'de, T\u003e DeserializeSeed\u003c'de\u003e for TaggedContentVisitor\u003c'de, T\u003e\nwhere\n    T: Deserialize\u003c'de\u003e + Clone,\n{\n    type Value = TaggedContent\u003cT\u003e;\n\n    fn deserialize\u003cD\u003e(self, deserializer: D) -\u003e Result\u003cSelf::Value, D::Error\u003e\n    where\n        D: Deserializer\u003c'de\u003e,\n    {\n        // Internally tagged enums are only supported in self-describing\n        // formats.\n        deserializer.deserialize_any(self)\n    }\n}\n\nimpl\u003c'de, T\u003e Visitor\u003c'de\u003e for TaggedContentVisitor\u003c'de, T\u003e\nwhere\n    T: Deserialize\u003c'de\u003e + Clone,\n{\n    type Value = TaggedContent\u003cT\u003e;\n\n    fn expecting(\u0026self, fmt: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        fmt.write_str(self.expecting)\n    }\n\n    fn visit_map\u003cM\u003e(self, mut map: M) -\u003e Result\u003cSelf::Value, M::Error\u003e\n    where\n        M: MapAccess\u003c'de\u003e,\n    {\n        let mut tag = None;\n        let mut content = BTreeMap::new();\n\n        while let Some(k) = map.next_key::\u003cValue\u003e()? {\n            let val = if matches!(k, Value::String(ref s) if s == self.tag_name) {\n                let val = map.next_value::\u003cValue\u003e()?;\n                tag = Some(val.clone().deserialize_into().map_err(|e| e.into_error())?);\n                val\n            } else {\n                map.next_value()?\n            };\n\n            content.insert(k, val);\n        }\n\n        match tag {\n            None =\u003e Err(de::Error::missing_field(self.tag_name)),\n            Some(tag) =\u003e Ok(TaggedContent {\n                tag,\n                content: Value::Map(content),\n            }),\n        }\n    }\n}\n","traces":[{"line":23,"address":[],"length":0,"stats":{"Line":118}},{"line":39,"address":[],"length":0,"stats":{"Line":0}},{"line":45,"address":[],"length":0,"stats":{"Line":0}},{"line":55,"address":[],"length":0,"stats":{"Line":0}},{"line":56,"address":[],"length":0,"stats":{"Line":0}},{"line":59,"address":[],"length":0,"stats":{"Line":118}},{"line":63,"address":[],"length":0,"stats":{"Line":118}},{"line":64,"address":[],"length":0,"stats":{"Line":118}},{"line":66,"address":[],"length":0,"stats":{"Line":790}},{"line":67,"address":[],"length":0,"stats":{"Line":856}},{"line":68,"address":[],"length":0,"stats":{"Line":184}},{"line":69,"address":[],"length":0,"stats":{"Line":124}},{"line":70,"address":[],"length":0,"stats":{"Line":0}},{"line":72,"address":[],"length":0,"stats":{"Line":260}},{"line":75,"address":[],"length":0,"stats":{"Line":0}},{"line":78,"address":[],"length":0,"stats":{"Line":86}},{"line":79,"address":[],"length":0,"stats":{"Line":26}},{"line":80,"address":[],"length":0,"stats":{"Line":60}},{"line":81,"address":[],"length":0,"stats":{"Line":60}},{"line":82,"address":[],"length":0,"stats":{"Line":60}}],"covered":14,"coverable":20},{"path":["/","home","stu","dev","rust","jose","src","uri.rs"],"content":"use alloc::string::String;\nuse core::{fmt, ops::Deref};\n\nuse serde::{Deserialize, Serialize};\n\n/// A serializable URI type implemented using [`serde`] and [`fluent_uri`].\n///\n/// This is a thing wrapper around a [`fluent_uri::Uri\u003cString\u003e`] that implements\n/// [`Serialize`] and [`Deserialize`].\n#[derive(Debug, Clone, Default)]\npub struct Uri(fluent_uri::Uri\u003cString\u003e);\n\nimpl Uri {\n    /// Borrows this URI.\n    pub fn borrow(\u0026self) -\u003e BorrowedUri\u003c'_\u003e {\n        BorrowedUri(self.0.borrow())\n    }\n\n    /// Turns this URI into the underlying [`fluent_uri::Uri\u003cString\u003e`].\n    pub fn into_inner(self) -\u003e fluent_uri::Uri\u003cString\u003e {\n        self.0\n    }\n}\n\nimpl PartialEq for Uri {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        self.0.as_str().eq(other.0.as_str())\n    }\n}\nimpl Eq for Uri {}\n\nimpl Deref for Uri {\n    type Target = fluent_uri::Uri\u003cString\u003e;\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        \u0026self.0\n    }\n}\n\nimpl From\u003cfluent_uri::Uri\u003cString\u003e\u003e for Uri {\n    fn from(uri: fluent_uri::Uri\u003cString\u003e) -\u003e Self {\n        Self(uri)\n    }\n}\n\nimpl fmt::Display for Uri {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        self.0.fmt(f)\n    }\n}\n\nimpl Serialize for Uri {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        self.0.as_str().serialize(serializer)\n    }\n}\n\nimpl\u003c'de\u003e Deserialize\u003c'de\u003e for Uri {\n    fn deserialize\u003cD\u003e(deserializer: D) -\u003e Result\u003cUri, D::Error\u003e\n    where\n        D: serde::Deserializer\u003c'de\u003e,\n    {\n        let uri = String::deserialize(deserializer)?;\n\n        Ok(Uri(\n            fluent_uri::Uri::parse(uri).map_err(serde::de::Error::custom)?\n        ))\n    }\n}\n\n/// A borrowed version of the [`Uri`].\n///\n/// This is a thing wrapper around a [`fluent_uri::Uri\u003c\u0026str\u003e`] that implements\n/// [`Serialize`].\n#[derive(Debug)]\npub struct BorrowedUri\u003c's\u003e(fluent_uri::Uri\u003c\u0026's str\u003e);\n\nimpl BorrowedUri\u003c'_\u003e {\n    /// Turns this borrowed URI into an owned [`Uri`].\n    pub fn to_owned(\u0026self) -\u003e Uri {\n        Uri(self.0.to_owned())\n    }\n}\n\nimpl\u003c's\u003e Deref for BorrowedUri\u003c's\u003e {\n    type Target = fluent_uri::Uri\u003c\u0026's str\u003e;\n\n    fn deref(\u0026self) -\u003e \u0026Self::Target {\n        \u0026self.0\n    }\n}\n\nimpl fmt::Display for BorrowedUri\u003c'_\u003e {\n    fn fmt(\u0026self, f: \u0026mut fmt::Formatter\u003c'_\u003e) -\u003e fmt::Result {\n        self.0.fmt(f)\n    }\n}\n\nimpl Serialize for BorrowedUri\u003c'_\u003e {\n    fn serialize\u003cS\u003e(\u0026self, serializer: S) -\u003e Result\u003cS::Ok, S::Error\u003e\n    where\n        S: serde::Serializer,\n    {\n        self.0.as_str().serialize(serializer)\n    }\n}\n\nimpl PartialEq for BorrowedUri\u003c'_\u003e {\n    fn eq(\u0026self, other: \u0026Self) -\u003e bool {\n        self.0.as_str().eq(other.0.as_str())\n    }\n}\nimpl Eq for BorrowedUri\u003c'_\u003e {}\n","traces":[{"line":15,"address":[],"length":0,"stats":{"Line":0}},{"line":16,"address":[],"length":0,"stats":{"Line":0}},{"line":20,"address":[],"length":0,"stats":{"Line":0}},{"line":21,"address":[],"length":0,"stats":{"Line":0}},{"line":26,"address":[],"length":0,"stats":{"Line":0}},{"line":27,"address":[],"length":0,"stats":{"Line":0}},{"line":35,"address":[],"length":0,"stats":{"Line":0}},{"line":36,"address":[],"length":0,"stats":{"Line":0}},{"line":41,"address":[],"length":0,"stats":{"Line":0}},{"line":42,"address":[],"length":0,"stats":{"Line":0}},{"line":47,"address":[],"length":0,"stats":{"Line":0}},{"line":48,"address":[],"length":0,"stats":{"Line":0}},{"line":53,"address":[],"length":0,"stats":{"Line":0}},{"line":57,"address":[],"length":0,"stats":{"Line":0}},{"line":62,"address":[],"length":0,"stats":{"Line":0}},{"line":66,"address":[],"length":0,"stats":{"Line":0}},{"line":68,"address":[],"length":0,"stats":{"Line":0}},{"line":69,"address":[],"length":0,"stats":{"Line":0}},{"line":83,"address":[],"length":0,"stats":{"Line":0}},{"line":84,"address":[],"length":0,"stats":{"Line":0}},{"line":91,"address":[],"length":0,"stats":{"Line":0}},{"line":92,"address":[],"length":0,"stats":{"Line":0}},{"line":97,"address":[],"length":0,"stats":{"Line":0}},{"line":98,"address":[],"length":0,"stats":{"Line":0}},{"line":103,"address":[],"length":0,"stats":{"Line":0}},{"line":107,"address":[],"length":0,"stats":{"Line":0}},{"line":112,"address":[],"length":0,"stats":{"Line":0}},{"line":113,"address":[],"length":0,"stats":{"Line":0}}],"covered":0,"coverable":28},{"path":["/","home","stu","dev","rust","jose","target","debug","build","eyre-43034007078a440d","out","probe.rs"],"content":"\n    #![allow(dead_code)]\n\n    #[track_caller]\n    fn foo() {\n        let _location = std::panic::Location::caller();\n    }\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","target","debug","build","eyre-75120121d1e0e56e","out","probe.rs"],"content":"\n    #![allow(dead_code)]\n\n    #[track_caller]\n    fn foo() {\n        let _location = std::panic::Location::caller();\n    }\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","tests","common","mod.rs"],"content":"//! Common test helpers.\n\nuse serde_json::Value;\n\npub type TestResult\u003cT = ()\u003e = Result\u003cT, Box\u003cdyn std::error::Error\u003e\u003e;\n\n/// Reads a key file from the `tests/vectors/jwk` directory.\npub fn read_jwk(name: \u0026str) -\u003e TestResult\u003cValue\u003e {\n    let json = std::fs::read_to_string(format!(\n        \"{}/tests/vectors/jwk/{name}.json\",\n        env!(\"CARGO_MANIFEST_DIR\"),\n    ))?;\n    let key: Value = serde_json::from_str(\u0026json)?;\n\n    Ok(key)\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","tests","header.rs"],"content":"use jose::{\n    format::Compact,\n    header::{HeaderValue, Jws},\n    jwa::JsonWebSigningAlgorithm,\n    JoseHeader,\n};\n\n#[test]\nfn build_header() {\n    let builder = JoseHeader::\u003cCompact, Jws\u003e::builder();\n    let header = builder\n        .algorithm(HeaderValue::Protected(JsonWebSigningAlgorithm::None))\n        .build()\n        .unwrap();\n    assert_eq!(\n        header.algorithm(),\n        HeaderValue::Protected(\u0026JsonWebSigningAlgorithm::None)\n    );\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","tests","jwk.rs"],"content":"use jose::{\n    crypto::hmac,\n    jwa::{self, JsonWebAlgorithm},\n    jwk::{self, policy::Checkable, FromKey as _, Thumbprint as _},\n    Base64UrlString, JsonWebKey,\n};\nuse pretty_assertions::assert_eq;\nuse serde::{Deserialize, Serialize};\n\nuse crate::common::{read_jwk, TestResult};\n\nmod common;\n\nfn roundtrip(file: \u0026str, unsupported: bool, check: fn(\u0026JsonWebKey)) -\u003e TestResult {\n    let mut json_key = read_jwk(file)?;\n    let json_key_str = serde_json::to_string(\u0026json_key)?;\n\n    let jwk = match serde_json::from_value::\u003cJsonWebKey\u003e(json_key.clone()) {\n        Ok(..) if unsupported =\u003e panic!(\"Unsupported key type was successful\"),\n        Ok(jwk) =\u003e jwk,\n        Err(..) if unsupported =\u003e return Ok(()),\n        Err(e) =\u003e return Err(e.into()),\n    };\n    check(\u0026jwk);\n\n    // we want to deserialize the JWK from an owned value, and a borrowed value\n    let jwk_from_str = serde_json::from_str::\u003cJsonWebKey\u003e(\u0026json_key_str)?;\n    assert_eq!(jwk.key_type(), jwk_from_str.key_type());\n\n    let mut serialized = serde_json::to_value(\u0026jwk)?;\n    let mut serialized_from_str = serde_json::to_value(\u0026jwk_from_str)?;\n\n    // removes the field `name` from the given json value, mostly because some\n    // fields are serialized non-deterministic (key_ops), because the order is\n    // random\n    let remove_field = |value: \u0026mut serde_json::Value, name: \u0026str| {\n        if let Some(obj) = value.as_object_mut() {\n            obj.remove(name);\n        }\n    };\n\n    let mut remove_field_from_all = |name: \u0026str| {\n        remove_field(\u0026mut json_key, name);\n        remove_field(\u0026mut serialized, name);\n        remove_field(\u0026mut serialized_from_str, name);\n    };\n\n    remove_field_from_all(\"key_ops\");\n\n    assert_eq!(json_key, serialized);\n    assert_eq!(json_key, serialized_from_str);\n\n    // now try constructing a builder using this key, and check invalid\n    // algorithm\n    let err = JsonWebKey::builder(jwk.key_type().clone())\n        .algorithm(Some(JsonWebAlgorithm::Other(\"foo\".to_string())))\n        .build()\n        .unwrap_err();\n    assert!(matches!(\n        err,\n        jwk::JsonWebKeyBuildError::IncompatibleKeyType\n    ));\n\n    let err = jwk\n        .into_builder()\n        .algorithm(Some(JsonWebAlgorithm::Other(\"foo\".to_string())))\n        .build()\n        .unwrap_err();\n    assert!(matches!(\n        err,\n        jwk::JsonWebKeyBuildError::IncompatibleKeyType\n    ));\n\n    Ok(())\n}\n\nfn roundtrip_pair(\n    private: \u0026str,\n    public: \u0026str,\n    unsupported: bool,\n    check: fn(\u0026JsonWebKey),\n) -\u003e TestResult {\n    roundtrip(private, unsupported, check)?;\n    roundtrip(public, unsupported, check)?;\n\n    let private_key: JsonWebKey = serde_json::from_value(read_jwk(private)?)?;\n    let public_key: JsonWebKey = serde_json::from_value(read_jwk(public)?)?;\n\n    assert!(private_key.is_signing_key());\n    assert!(!public_key.is_signing_key());\n\n    assert!(!private_key.is_symmetric());\n    assert!(!public_key.is_symmetric());\n\n    assert!(private_key.is_asymmetric());\n    assert!(public_key.is_asymmetric());\n\n    let stripped = private_key.clone().strip_secret_material().unwrap();\n    assert_eq!(stripped.key_type(), public_key.key_type());\n\n    let stripped_from_public = public_key.clone().strip_secret_material().unwrap();\n    assert_eq!(stripped_from_public.key_type(), public_key.key_type());\n\n    let into_verifying = private_key.into_verifying_key();\n    assert_eq!(into_verifying.key_type(), public_key.key_type());\n\n    let public_into_verifying = public_key.clone().into_verifying_key();\n    assert_eq!(public_into_verifying.key_type(), public_key.key_type());\n\n    Ok(())\n}\n\nfn assert_thumbprint(jwk: \u0026JsonWebKey, sha256: \u0026str, sha384: \u0026str, sha512: \u0026str) {\n    let print_sha256 = Base64UrlString::encode(jwk.thumbprint_sha256());\n    assert_eq!(\u0026*print_sha256, sha256);\n\n    let print_sha384 = Base64UrlString::encode(jwk.thumbprint_sha384());\n    assert_eq!(\u0026*print_sha384, sha384);\n\n    let print_sha512 = Base64UrlString::encode(jwk.thumbprint_sha512());\n    assert_eq!(\u0026*print_sha512, sha512);\n}\n\npub mod roundtrip {\n    use jose::{jwa, jwk};\n    use pretty_assertions::assert_eq;\n\n    use crate::{assert_thumbprint, common::TestResult, roundtrip, roundtrip_pair};\n\n    #[test]\n    fn _3_1_and_2_ec() -\u003e TestResult {\n        roundtrip_pair(\n            \"3_2.ec_private_key\",\n            \"3_1.ec_public_key\",\n            // RustCrypto and ring do not support P-521 curve\n            cfg!(feature = \"crypto-rustcrypto\") || cfg!(feature = \"crypto-ring\"),\n            |jwk| {\n                assert_eq!(jwk.key_usage(), Some(\u0026jwk::KeyUsage::Signing));\n                assert_thumbprint(\n                    jwk,\n                    \"dHri3SADZkrush5HU_50AoRhcKFryN-PI6jPBtPL55M\",\n                    \"HncTFMje-quVjjwt2ufqfFb75ZwHLDh9M-VY4wJ9awQkfbu194TmVpeGbG6Ykb9b\",\n                    \"i8RIsIb6HVP2AO9o38HtraybJAP5veAfBIgynNUqpxlhuvq2UDgSA3JFgGgle1YvmCQDHllAn7MG52Idb8B4fA\"\n                );\n            },\n        )\n    }\n\n    #[test]\n    fn _3_3_and_4_rsa() -\u003e TestResult {\n        roundtrip_pair(\"3_4.rsa_private_key\", \"3_3.rsa_public_key\", false, |jwk| {\n            assert_thumbprint(\n                jwk,\n                \"9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI\",\n                \"iRBthSmwxk6o9pTGF6a9yLHohmMXSFRvKoN9rgcbOWFgLldwqED1DrOgDtLq5Q4R\",\n                \"FerGBUpYnzT0ptNAC7Y3qNpGINqILXdZ_9-Na3UkPUtDznnAChw7NWluNRjx-lmKDnuO1CpmIZL7e2bzRkQBew\",\n            );\n        })\n    }\n\n    #[test]\n    fn _3_5_symmetric_key_mac() -\u003e TestResult {\n        roundtrip(\"3_5.symmetric_key_mac_computation\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::Hmac::Hs256))\n            );\n\n            assert!(jwk.is_symmetric());\n            assert!(jwk.is_signing_key());\n\n            assert_eq!(jwk.key_type(), jwk.clone().into_verifying_key().key_type());\n\n            assert_thumbprint(\n                jwk,\n                \"RtoRur_1Dir5M4wuOfqNkDYOf9O_4RJ-aHkTA75RLA8\",\n                \"KG7sBEFjGfsIG21uR9cggZfOEIdKSvylcD7ndWgQsnG2k_5Wpw700r__c63SBBwf\",\n                \"EI4XUPoajddrVSS3fgSS6AcPt1uuacMmuYIi9i4A2CgjnWHuUV1qyNks84w03blKdF75HPSTJTJWgqRNEU_ZIg\"\n            );\n        })\n    }\n\n    #[test]\n    fn _3_6_symmetric_key_encryption() -\u003e TestResult {\n        roundtrip(\"3_6.symmetric_key_encryption\", false, |jwk| {\n            // NOTE: We do not support A256GCM as a JWK, because it's a one-time use\n            // session key, and must not be stored or reused\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::Other(\"A256GCM\".to_string()))\n            );\n            assert_eq!(jwk.key_usage(), Some(\u0026jwk::KeyUsage::Encryption));\n\n            assert_thumbprint(\n                jwk,\n                \"VDMp1ZgGGv1OKgOeDc1EUKHXNQzMdLkCnxPETHdA4v0\",\n                \"4YmDfp3zlozmoDxrRxpMBiU6XHA9X82IKNW3bWiitdnudrwmAiKOi4yWWj4fyeYm\",\n                \"FmHGxbagOqt0LS__rv4hIpgnQ9pAB7nDneYNPN9i1gHIbvJJILw-VyyYIP_RTgsOU7K683SdE5aeplCUqz4ZaA\"\n            );\n        })\n    }\n\n    #[test]\n    fn ed25519() -\u003e TestResult {\n        roundtrip_pair(\"ed25519\", \"ed25519.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(\n                    jwa::JsonWebSigningAlgorithm::EdDSA\n                ))\n            );\n\n            assert_thumbprint(\n                jwk,\n                \"IpNACexNZWO9hVeADtTT0Nvturu6OtMV3B4u1OVr1fU\",\n                \"NibgvGWph4nhazrZ1PcyRXYy55bdTotSDi1L4iE8gB0VtxDhh_a-du0fSnGExFwa\",\n                \"uS4j-x1iQUeF2a4a7M3iHZhPQGwyKgXU2Fh_GeNn9_uw_KAj1VTmNVenxTiFdDqcDHoWBemcLjioFY4slFbIZA\",\n            );\n        })\n    }\n\n    #[test]\n    fn rsa_enc_optional_parameters() -\u003e TestResult {\n        roundtrip(\"jwk_optional_parameters_rsa_enc.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::RsaesOaep::RsaesOaep))\n            );\n\n            assert_eq!(jwk.key_usage(), Some(\u0026jwk::KeyUsage::Encryption));\n            assert!(jwk.x509_certificate_sha1_thumbprint().is_some());\n            assert!(jwk.x509_certificate_sha256_thumbprint().is_some());\n\n            assert_thumbprint(\n                jwk,\n                \"ZwmJSHbFy5nl7WenHepIG5N9Rz16NH8SPGeqoZPTTuc\",\n                \"06f-mujFCZ0cUPKCgm0m7EuE0TW2mUmoQ0I519rD73v5JDAWti5QsuOX2PqTYuhV\",\n                \"EaW6WfYvQ5rauUmOYPZi82-ADGjmOb3Jz76jNVHUIQ_vA42s7CFve47jVTyb1n3UQbqLw3DDguD4u0wlFL4sbg\"\n            );\n        })\n    }\n\n    #[test]\n    fn rsa_sign_optional_parameters() -\u003e TestResult {\n        roundtrip(\"jwk_optional_parameters_rsa_sig.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::RsassaPkcs1V1_5::Rs256))\n            );\n\n            assert_eq!(jwk.key_usage(), Some(\u0026jwk::KeyUsage::Signing));\n            assert!(jwk.x509_certificate_sha1_thumbprint().is_some());\n            assert!(jwk.x509_certificate_sha256_thumbprint().is_some());\n\n            assert_thumbprint(\n                jwk,\n                \"bVeakRIe7OjtcR6E5FfkZvFAhEXfhIboYrcZ7OhZ1UY\",\n                \"_jnSoeQaW04m5PzXFnP7w2Zl_WFEop1UEKZ2vGHtQCdfsSqOkLhTbn2vyaDcMbHQ\",\n                \"cHiM1PMNsVve19_e5cfCiJqIMnQhYx0CkcvmiNCdwulCJ5B5ftaAvFYwr7_NQCMTQeXMcTKdbsP2a4mEKojPaQ\"\n            );\n        })\n    }\n\n    #[test]\n    fn rsa_with_key_ops_for_enc() -\u003e TestResult {\n        roundtrip(\"key_ops_rsa_enc.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::RsaesOaep::RsaesOaep))\n            );\n\n            let ops = jwk.key_operations().unwrap();\n\n            assert_eq!(ops.len(), 2);\n            assert!(ops.contains(\u0026jwk::KeyOperation::Encrypt));\n            assert!(ops.contains(\u0026jwk::KeyOperation::Decrypt));\n\n            assert_eq!(jwk.key_usage(), Some(\u0026jwk::KeyUsage::Encryption));\n\n            assert_thumbprint(\n                jwk,\n                \"ZwmJSHbFy5nl7WenHepIG5N9Rz16NH8SPGeqoZPTTuc\",\n                \"06f-mujFCZ0cUPKCgm0m7EuE0TW2mUmoQ0I519rD73v5JDAWti5QsuOX2PqTYuhV\",\n                \"EaW6WfYvQ5rauUmOYPZi82-ADGjmOb3Jz76jNVHUIQ_vA42s7CFve47jVTyb1n3UQbqLw3DDguD4u0wlFL4sbg\"\n            );\n        })\n    }\n\n    #[test]\n    fn p256() -\u003e TestResult {\n        roundtrip_pair(\"p256\", \"p256.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::EcDSA::Es256))\n            );\n\n            assert_thumbprint(\n                jwk,\n                \"6j1ImYAlN6DnVupozzN13UKnLR7BfEvngNmVl5bLlI0\",\n                \"u5W5WvG_wZc2u18HY0hqP48hVOOwytBz3BZzBimJl43SA3A4l-INFnhMNLEWL8a3\",\n                \"8fmi-z_V-FykWlKQAscDYj3I_uonEd2-0ChLqb7BwRJqnQiitQ9widx6Pk9ewMkhFk8NnBr1hCFa51kyrg7Pyw\"\n            );\n        })\n    }\n\n    #[test]\n    fn p384() -\u003e TestResult {\n        roundtrip_pair(\"p384\", \"p384.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::EcDSA::Es384))\n            );\n\n            assert_thumbprint(\n                jwk,\n                \"B_9VooM6jEuy9OvK_plFUDVADfKKnjCUPrqfc5Wtgq4\",\n                \"TXXx3K1KOHjCKWt_bY9cFZfsI9E8NUw8sK1xSOfd0jVgaBMiCP1hFvsxaamAQfK5\",\n                \"AtsWpt8bdnsqT49ovBfv67rhq_PB2eqnhvJ4F-uH-STeCZTVO97hWeEc0zGoOT18XtmHf_2o6ENmwIv9gcXyRQ\"\n            );\n        })\n    }\n\n    #[test]\n    #[cfg_attr(feature = \"crypto-ring\", ignore)]\n    fn secp256k1() -\u003e TestResult {\n        roundtrip_pair(\"k256\", \"k256.pub\", false, |jwk| {\n            assert_eq!(\n                jwk.algorithm(),\n                Some(\u0026jwa::JsonWebAlgorithm::from(jwa::EcDSA::Es256K))\n            );\n\n            assert_thumbprint(\n                jwk,\n                \"i0H0zy_Zyc4g9gUfIU3ZgSk21eC_a9B-J_keq5eRVq4\",\n                \"NWo1frAmwhk6vYKYK0YCTpJWbgvI-EDV5ZvEFvA_7V4y6VRAG0l4Q_uNkFIiisuL\",\n                \"E1oJ78FUrNMsq66wi7AT8jIU4QUMoV_JnYiCqwy2vgDod7yDHMXLkweJ0Vhd1A1TJysPMFNr4Q8yVvQ4Q1fXKg\"\n            );\n        })\n    }\n\n    #[test]\n    fn rsa() -\u003e TestResult {\n        roundtrip_pair(\"rsa\", \"rsa.pub\", false, |jwk| {\n            assert_thumbprint(\n                jwk,\n                \"nYPs6qc5zj3VOVKr4yY-EzirO-AcdUl0JC5bcXKGE6Y\",\n                \"JhX_riWIrTLs3p7SnueDgpcO27pDgXh1xQOivPzOKsU3CaQgHoLgiKIinmb2CMoE\",\n                \"DQd_FsR8hTwlVrv3WGQP2E1KQejcBbJCFtqWy489xmmPm8LdNT91zYFX-yTghCtq2zutBGYY2mkwIWN-VQWYyQ\"\n            );\n        })\n    }\n\n    #[test]\n    #[cfg_attr(\n        any(\n            feature = \"crypto-ring\",\n            feature = \"crypto-aws-lc\",\n            feature = \"crypto-rustcrypto\"\n        ),\n        ignore\n    )]\n    fn ed448() -\u003e TestResult {\n        roundtrip_pair(\"ed448\", \"ed448.pub\", false, |jwk| {\n            assert_thumbprint(\n                jwk,\n                \"-K8d13H2SA_vuRYSxn05sQN4hAkeWXFt5XainSnkfZc\",\n                \"a_AWZk_w5qSm2XziCOKyHRLU1amUzTlbb1df8Q0JCx3bOaQp0YcLqdHS2Sbyw2PQ\",\n                \"qM1ai1zIZ-NRzbkOKxVkOY6DXVXmDWsSXMCQRRy7oIZEwRzQ0gQK5c-cruMkpyYcBs7ftQcofV_YXWfCdKhSWw\",\n            );\n        })\n    }\n}\n\n// TODO: test to ensure correct length of x, y, d\n\n#[test]\nfn deny_duplicates_key_operations() {\n    let key = r#\"\n{\n    \"key_ops\": [\"encrypt\", \"decrypt\", \"encrypt\"],\n    \"kty\": \"oct\",\n    \"alg\": \"HS256\",\n    \"k\": \"hJtXIZ2uSN5kbQfbtTNWbpdmhkV8FJG-Onbc6mxCcYg\"\n}\n\"#;\n\n    serde_json::from_str::\u003cJsonWebKey\u003e(key).unwrap_err();\n}\n\n#[test]\nfn deny_hmac_key_with_short_key() -\u003e TestResult {\n    let raw_key = r#\"{\"kty\": \"oct\", \"k\": \"QUFBQQ\"}\"#;\n    let key = serde_json::from_str::\u003cjwk::symmetric::OctetSequence\u003e(raw_key)?;\n\n    let hmac = hmac::Key::\u003chmac::Hs256\u003e::from_key(\u0026key, jwa::Hmac::Hs256.into());\n\n    assert!(matches!(\n        hmac.unwrap_err(),\n        jwk::symmetric::FromOctetSequenceError::InvalidLength\n    ));\n\n    Ok(())\n}\n\npub mod generate {\n    use jose::{\n        crypto::{\n            ec::{P256PrivateKey, P384PrivateKey, P521PrivateKey},\n            hmac, okp, rsa,\n        },\n        jwk::Thumbprint as _,\n    };\n\n    use crate::common::TestResult;\n\n    #[test]\n    #[cfg_attr(feature = \"crypto-ring\", ignore)]\n    fn ec_p256() -\u003e TestResult {\n        let p256 = P256PrivateKey::generate()?;\n        let p256_pub = p256.to_public_key();\n        assert_eq!(p256.thumbprint_sha256(), p256_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n\n    #[test]\n    #[cfg_attr(feature = \"crypto-ring\", ignore)]\n    fn ec_p384() -\u003e TestResult {\n        let p384 = P384PrivateKey::generate()?;\n        let p384_pub = p384.to_public_key();\n        assert_eq!(p384.thumbprint_sha256(), p384_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n\n    #[test]\n    #[cfg_attr(any(feature = \"crypto-rustcrypto\", feature = \"crypto-ring\"), ignore)]\n    fn ec_p521() -\u003e TestResult {\n        let p521 = P521PrivateKey::generate()?;\n        let p521_pub = p521.to_public_key();\n        assert_eq!(p521.thumbprint_sha256(), p521_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n\n    #[test]\n    #[cfg_attr(feature = \"crypto-ring\", ignore)]\n    fn rsa() -\u003e TestResult {\n        let rsa = rsa::PrivateKey::generate(4096)?;\n        let rsa_pub = rsa.to_public_key();\n        assert_eq!(rsa.thumbprint_sha256(), rsa_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n\n    #[test]\n    fn hmac() -\u003e TestResult {\n        let _hmac = hmac::Key::\u003chmac::Hs256\u003e::generate()?;\n        Ok(())\n    }\n\n    #[test]\n    #[cfg_attr(feature = \"crypto-ring\", ignore)]\n    fn ed25519() -\u003e TestResult {\n        let ed25519 = okp::PrivateKey::\u003cokp::Ed25519\u003e::generate()?;\n        let ed25519_pub = ed25519.to_public_key();\n        assert_eq!(ed25519.thumbprint_sha256(), ed25519_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n\n    #[test]\n    #[cfg_attr(\n        any(\n            feature = \"crypto-rustcrypto\",\n            feature = \"crypto-ring\",\n            feature = \"crypto-aws-lc\"\n        ),\n        ignore\n    )]\n    fn ed448() -\u003e TestResult {\n        let ed448 = okp::PrivateKey::\u003cokp::Ed448\u003e::generate()?;\n        let ed448_pub = ed448.to_public_key();\n        assert_eq!(ed448.thumbprint_sha256(), ed448_pub.thumbprint_sha256());\n\n        Ok(())\n    }\n}\n\n#[test]\nfn convert_to_public_key() -\u003e TestResult {\n    let private_json = read_jwk(\"p256\")?;\n    let public_json = read_jwk(\"p256.pub\")?;\n\n    let private: JsonWebKey = serde_json::from_value(private_json)?;\n    let public: JsonWebKey = serde_json::from_value(public_json)?;\n\n    let public_converted = private.clone().into_verifying_key();\n    assert_eq!(public.key_type(), public_converted.key_type());\n\n    let public_converted = private.strip_secret_material().unwrap();\n    assert_eq!(public.key_type(), public_converted.key_type());\n\n    Ok(())\n}\n\n#[test]\nfn symmetric_key_can_not_strip_secret() -\u003e TestResult {\n    let key = read_jwk(\"3_5.symmetric_key_mac_computation\")?;\n    let key: JsonWebKey = serde_json::from_value(key)?;\n    assert!(key.strip_secret_material().is_none());\n\n    Ok(())\n}\n\n#[test]\nfn additional_properties() -\u003e TestResult {\n    #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]\n    struct Additional {\n        #[serde(rename = \"additional/one\")]\n        one: String,\n        another_additional: i32,\n    }\n\n    impl Checkable for Additional {\n        fn check\u003cP: jwk::policy::Policy\u003e(\n            self,\n            policy: P,\n        ) -\u003e Result\u003cjwk::policy::Checked\u003cSelf, P\u003e, (Self, P::Error)\u003e {\n            Ok(jwk::policy::Checked::new(self, policy))\n        }\n    }\n\n    let key = read_jwk(\"rsa_with_additional_props.pub\")?;\n    let key: JsonWebKey\u003cAdditional\u003e = serde_json::from_value(key)?;\n\n    assert_eq!(key.additional().one.as_str(), \"my rsa key\");\n    assert_eq!(key.additional().another_additional, 1);\n\n    let untyped = key.clone().into_untyped_additional()?;\n    assert_eq!(\n        untyped\n            .clone()\n            .deserialize_additional::\u003cAdditional\u003e()?\n            .additional(),\n        key.additional()\n    );\n\n    let untyped = untyped.additional();\n\n    assert_eq!(untyped[\"additional/one\"], \"my rsa key\");\n    assert_eq!(untyped[\"another_additional\"], 1);\n\n    let _checked = key.check(jwk::policy::StandardPolicy::new()).unwrap();\n\n    Ok(())\n}\n","traces":[],"covered":0,"coverable":0},{"path":["/","home","stu","dev","rust","jose","tests","jws.rs"],"content":"","traces":[],"covered":0,"coverable":0}]};
-    </script>
-    <script crossorigin>/** @license React v16.13.1
- * react.production.min.js
- *
- * Copyright (c) Facebook, Inc. and its affiliates.
- *
- * This source code is licensed under the MIT license found in the
- * LICENSE file in the root directory of this source tree.
- */
-'use strict';(function(d,r){"object"===typeof exports&&"undefined"!==typeof module?r(exports):"function"===typeof define&&define.amd?define(["exports"],r):(d=d||self,r(d.React={}))})(this,function(d){function r(a){for(var b="https://reactjs.org/docs/error-decoder.html?invariant="+a,c=1;c<arguments.length;c++)b+="&args[]="+encodeURIComponent(arguments[c]);return"Minified React error #"+a+"; visit "+b+" for the full message or use the non-minified dev environment for full errors and additional helpful warnings."}
-function w(a,b,c){this.props=a;this.context=b;this.refs=ba;this.updater=c||ca}function da(){}function L(a,b,c){this.props=a;this.context=b;this.refs=ba;this.updater=c||ca}function ea(a,b,c){var g,e={},fa=null,d=null;if(null!=b)for(g in void 0!==b.ref&&(d=b.ref),void 0!==b.key&&(fa=""+b.key),b)ha.call(b,g)&&!ia.hasOwnProperty(g)&&(e[g]=b[g]);var h=arguments.length-2;if(1===h)e.children=c;else if(1<h){for(var k=Array(h),f=0;f<h;f++)k[f]=arguments[f+2];e.children=k}if(a&&a.defaultProps)for(g in h=a.defaultProps,
-h)void 0===e[g]&&(e[g]=h[g]);return{$$typeof:x,type:a,key:fa,ref:d,props:e,_owner:M.current}}function va(a,b){return{$$typeof:x,type:a.type,key:b,ref:a.ref,props:a.props,_owner:a._owner}}function N(a){return"object"===typeof a&&null!==a&&a.$$typeof===x}function wa(a){var b={"=":"=0",":":"=2"};return"$"+(""+a).replace(/[=:]/g,function(a){return b[a]})}function ja(a,b,c,g){if(C.length){var e=C.pop();e.result=a;e.keyPrefix=b;e.func=c;e.context=g;e.count=0;return e}return{result:a,keyPrefix:b,func:c,
-context:g,count:0}}function ka(a){a.result=null;a.keyPrefix=null;a.func=null;a.context=null;a.count=0;10>C.length&&C.push(a)}function O(a,b,c,g){var e=typeof a;if("undefined"===e||"boolean"===e)a=null;var d=!1;if(null===a)d=!0;else switch(e){case "string":case "number":d=!0;break;case "object":switch(a.$$typeof){case x:case xa:d=!0}}if(d)return c(g,a,""===b?"."+P(a,0):b),1;d=0;b=""===b?".":b+":";if(Array.isArray(a))for(var f=0;f<a.length;f++){e=a[f];var h=b+P(e,f);d+=O(e,h,c,g)}else if(null===a||
-"object"!==typeof a?h=null:(h=la&&a[la]||a["@@iterator"],h="function"===typeof h?h:null),"function"===typeof h)for(a=h.call(a),f=0;!(e=a.next()).done;)e=e.value,h=b+P(e,f++),d+=O(e,h,c,g);else if("object"===e)throw c=""+a,Error(r(31,"[object Object]"===c?"object with keys {"+Object.keys(a).join(", ")+"}":c,""));return d}function Q(a,b,c){return null==a?0:O(a,"",b,c)}function P(a,b){return"object"===typeof a&&null!==a&&null!=a.key?wa(a.key):b.toString(36)}function ya(a,b,c){a.func.call(a.context,b,
-a.count++)}function za(a,b,c){var g=a.result,e=a.keyPrefix;a=a.func.call(a.context,b,a.count++);Array.isArray(a)?R(a,g,c,function(a){return a}):null!=a&&(N(a)&&(a=va(a,e+(!a.key||b&&b.key===a.key?"":(""+a.key).replace(ma,"$&/")+"/")+c)),g.push(a))}function R(a,b,c,g,e){var d="";null!=c&&(d=(""+c).replace(ma,"$&/")+"/");b=ja(b,d,g,e);Q(a,za,b);ka(b)}function t(){var a=na.current;if(null===a)throw Error(r(321));return a}function S(a,b){var c=a.length;a.push(b);a:for(;;){var g=c-1>>>1,e=a[g];if(void 0!==
-e&&0<D(e,b))a[g]=b,a[c]=e,c=g;else break a}}function n(a){a=a[0];return void 0===a?null:a}function E(a){var b=a[0];if(void 0!==b){var c=a.pop();if(c!==b){a[0]=c;a:for(var g=0,e=a.length;g<e;){var d=2*(g+1)-1,f=a[d],h=d+1,k=a[h];if(void 0!==f&&0>D(f,c))void 0!==k&&0>D(k,f)?(a[g]=k,a[h]=c,g=h):(a[g]=f,a[d]=c,g=d);else if(void 0!==k&&0>D(k,c))a[g]=k,a[h]=c,g=h;else break a}}return b}return null}function D(a,b){var c=a.sortIndex-b.sortIndex;return 0!==c?c:a.id-b.id}function F(a){for(var b=n(u);null!==
-b;){if(null===b.callback)E(u);else if(b.startTime<=a)E(u),b.sortIndex=b.expirationTime,S(p,b);else break;b=n(u)}}function T(a){y=!1;F(a);if(!v)if(null!==n(p))v=!0,z(U);else{var b=n(u);null!==b&&G(T,b.startTime-a)}}function U(a,b){v=!1;y&&(y=!1,V());H=!0;var c=m;try{F(b);for(l=n(p);null!==l&&(!(l.expirationTime>b)||a&&!W());){var g=l.callback;if(null!==g){l.callback=null;m=l.priorityLevel;var e=g(l.expirationTime<=b);b=q();"function"===typeof e?l.callback=e:l===n(p)&&E(p);F(b)}else E(p);l=n(p)}if(null!==
-l)var d=!0;else{var f=n(u);null!==f&&G(T,f.startTime-b);d=!1}return d}finally{l=null,m=c,H=!1}}function oa(a){switch(a){case 1:return-1;case 2:return 250;case 5:return 1073741823;case 4:return 1E4;default:return 5E3}}var f="function"===typeof Symbol&&Symbol.for,x=f?Symbol.for("react.element"):60103,xa=f?Symbol.for("react.portal"):60106,Aa=f?Symbol.for("react.fragment"):60107,Ba=f?Symbol.for("react.strict_mode"):60108,Ca=f?Symbol.for("react.profiler"):60114,Da=f?Symbol.for("react.provider"):60109,
-Ea=f?Symbol.for("react.context"):60110,Fa=f?Symbol.for("react.forward_ref"):60112,Ga=f?Symbol.for("react.suspense"):60113,Ha=f?Symbol.for("react.memo"):60115,Ia=f?Symbol.for("react.lazy"):60116,la="function"===typeof Symbol&&Symbol.iterator,pa=Object.getOwnPropertySymbols,Ja=Object.prototype.hasOwnProperty,Ka=Object.prototype.propertyIsEnumerable,I=function(){try{if(!Object.assign)return!1;var a=new String("abc");a[5]="de";if("5"===Object.getOwnPropertyNames(a)[0])return!1;var b={};for(a=0;10>a;a++)b["_"+
-String.fromCharCode(a)]=a;if("0123456789"!==Object.getOwnPropertyNames(b).map(function(a){return b[a]}).join(""))return!1;var c={};"abcdefghijklmnopqrst".split("").forEach(function(a){c[a]=a});return"abcdefghijklmnopqrst"!==Object.keys(Object.assign({},c)).join("")?!1:!0}catch(g){return!1}}()?Object.assign:function(a,b){if(null===a||void 0===a)throw new TypeError("Object.assign cannot be called with null or undefined");var c=Object(a);for(var g,e=1;e<arguments.length;e++){var d=Object(arguments[e]);
-for(var f in d)Ja.call(d,f)&&(c[f]=d[f]);if(pa){g=pa(d);for(var h=0;h<g.length;h++)Ka.call(d,g[h])&&(c[g[h]]=d[g[h]])}}return c},ca={isMounted:function(a){return!1},enqueueForceUpdate:function(a,b,c){},enqueueReplaceState:function(a,b,c,d){},enqueueSetState:function(a,b,c,d){}},ba={};w.prototype.isReactComponent={};w.prototype.setState=function(a,b){if("object"!==typeof a&&"function"!==typeof a&&null!=a)throw Error(r(85));this.updater.enqueueSetState(this,a,b,"setState")};w.prototype.forceUpdate=
-function(a){this.updater.enqueueForceUpdate(this,a,"forceUpdate")};da.prototype=w.prototype;f=L.prototype=new da;f.constructor=L;I(f,w.prototype);f.isPureReactComponent=!0;var M={current:null},ha=Object.prototype.hasOwnProperty,ia={key:!0,ref:!0,__self:!0,__source:!0},ma=/\/+/g,C=[],na={current:null},X;if("undefined"===typeof window||"function"!==typeof MessageChannel){var A=null,qa=null,ra=function(){if(null!==A)try{var a=q();A(!0,a);A=null}catch(b){throw setTimeout(ra,0),b;}},La=Date.now();var q=
-function(){return Date.now()-La};var z=function(a){null!==A?setTimeout(z,0,a):(A=a,setTimeout(ra,0))};var G=function(a,b){qa=setTimeout(a,b)};var V=function(){clearTimeout(qa)};var W=function(){return!1};f=X=function(){}}else{var Y=window.performance,sa=window.Date,Ma=window.setTimeout,Na=window.clearTimeout;"undefined"!==typeof console&&(f=window.cancelAnimationFrame,"function"!==typeof window.requestAnimationFrame&&console.error("This browser doesn't support requestAnimationFrame. Make sure that you load a polyfill in older browsers. https://fb.me/react-polyfills"),
-"function"!==typeof f&&console.error("This browser doesn't support cancelAnimationFrame. Make sure that you load a polyfill in older browsers. https://fb.me/react-polyfills"));if("object"===typeof Y&&"function"===typeof Y.now)q=function(){return Y.now()};else{var Oa=sa.now();q=function(){return sa.now()-Oa}}var J=!1,K=null,Z=-1,ta=5,ua=0;W=function(){return q()>=ua};f=function(){};X=function(a){0>a||125<a?console.error("forceFrameRate takes a positive int between 0 and 125, forcing framerates higher than 125 fps is not unsupported"):
-ta=0<a?Math.floor(1E3/a):5};var B=new MessageChannel,aa=B.port2;B.port1.onmessage=function(){if(null!==K){var a=q();ua=a+ta;try{K(!0,a)?aa.postMessage(null):(J=!1,K=null)}catch(b){throw aa.postMessage(null),b;}}else J=!1};z=function(a){K=a;J||(J=!0,aa.postMessage(null))};G=function(a,b){Z=Ma(function(){a(q())},b)};V=function(){Na(Z);Z=-1}}var p=[],u=[],Pa=1,l=null,m=3,H=!1,v=!1,y=!1,Qa=0;B={ReactCurrentDispatcher:na,ReactCurrentOwner:M,IsSomeRendererActing:{current:!1},assign:I};I(B,{Scheduler:{__proto__:null,
-unstable_ImmediatePriority:1,unstable_UserBlockingPriority:2,unstable_NormalPriority:3,unstable_IdlePriority:5,unstable_LowPriority:4,unstable_runWithPriority:function(a,b){switch(a){case 1:case 2:case 3:case 4:case 5:break;default:a=3}var c=m;m=a;try{return b()}finally{m=c}},unstable_next:function(a){switch(m){case 1:case 2:case 3:var b=3;break;default:b=m}var c=m;m=b;try{return a()}finally{m=c}},unstable_scheduleCallback:function(a,b,c){var d=q();if("object"===typeof c&&null!==c){var e=c.delay;
-e="number"===typeof e&&0<e?d+e:d;c="number"===typeof c.timeout?c.timeout:oa(a)}else c=oa(a),e=d;c=e+c;a={id:Pa++,callback:b,priorityLevel:a,startTime:e,expirationTime:c,sortIndex:-1};e>d?(a.sortIndex=e,S(u,a),null===n(p)&&a===n(u)&&(y?V():y=!0,G(T,e-d))):(a.sortIndex=c,S(p,a),v||H||(v=!0,z(U)));return a},unstable_cancelCallback:function(a){a.callback=null},unstable_wrapCallback:function(a){var b=m;return function(){var c=m;m=b;try{return a.apply(this,arguments)}finally{m=c}}},unstable_getCurrentPriorityLevel:function(){return m},
-unstable_shouldYield:function(){var a=q();F(a);var b=n(p);return b!==l&&null!==l&&null!==b&&null!==b.callback&&b.startTime<=a&&b.expirationTime<l.expirationTime||W()},unstable_requestPaint:f,unstable_continueExecution:function(){v||H||(v=!0,z(U))},unstable_pauseExecution:function(){},unstable_getFirstCallbackNode:function(){return n(p)},get unstable_now(){return q},get unstable_forceFrameRate(){return X},unstable_Profiling:null},SchedulerTracing:{__proto__:null,__interactionsRef:null,__subscriberRef:null,
-unstable_clear:function(a){return a()},unstable_getCurrent:function(){return null},unstable_getThreadID:function(){return++Qa},unstable_trace:function(a,b,c){return c()},unstable_wrap:function(a){return a},unstable_subscribe:function(a){},unstable_unsubscribe:function(a){}}});d.Children={map:function(a,b,c){if(null==a)return a;var d=[];R(a,d,null,b,c);return d},forEach:function(a,b,c){if(null==a)return a;b=ja(null,null,b,c);Q(a,ya,b);ka(b)},count:function(a){return Q(a,function(){return null},null)},
-toArray:function(a){var b=[];R(a,b,null,function(a){return a});return b},only:function(a){if(!N(a))throw Error(r(143));return a}};d.Component=w;d.Fragment=Aa;d.Profiler=Ca;d.PureComponent=L;d.StrictMode=Ba;d.Suspense=Ga;d.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED=B;d.cloneElement=function(a,b,c){if(null===a||void 0===a)throw Error(r(267,a));var d=I({},a.props),e=a.key,f=a.ref,m=a._owner;if(null!=b){void 0!==b.ref&&(f=b.ref,m=M.current);void 0!==b.key&&(e=""+b.key);if(a.type&&a.type.defaultProps)var h=
-a.type.defaultProps;for(k in b)ha.call(b,k)&&!ia.hasOwnProperty(k)&&(d[k]=void 0===b[k]&&void 0!==h?h[k]:b[k])}var k=arguments.length-2;if(1===k)d.children=c;else if(1<k){h=Array(k);for(var l=0;l<k;l++)h[l]=arguments[l+2];d.children=h}return{$$typeof:x,type:a.type,key:e,ref:f,props:d,_owner:m}};d.createContext=function(a,b){void 0===b&&(b=null);a={$$typeof:Ea,_calculateChangedBits:b,_currentValue:a,_currentValue2:a,_threadCount:0,Provider:null,Consumer:null};a.Provider={$$typeof:Da,_context:a};return a.Consumer=
-a};d.createElement=ea;d.createFactory=function(a){var b=ea.bind(null,a);b.type=a;return b};d.createRef=function(){return{current:null}};d.forwardRef=function(a){return{$$typeof:Fa,render:a}};d.isValidElement=N;d.lazy=function(a){return{$$typeof:Ia,_ctor:a,_status:-1,_result:null}};d.memo=function(a,b){return{$$typeof:Ha,type:a,compare:void 0===b?null:b}};d.useCallback=function(a,b){return t().useCallback(a,b)};d.useContext=function(a,b){return t().useContext(a,b)};d.useDebugValue=function(a,b){};
-d.useEffect=function(a,b){return t().useEffect(a,b)};d.useImperativeHandle=function(a,b,c){return t().useImperativeHandle(a,b,c)};d.useLayoutEffect=function(a,b){return t().useLayoutEffect(a,b)};d.useMemo=function(a,b){return t().useMemo(a,b)};d.useReducer=function(a,b,c){return t().useReducer(a,b,c)};d.useRef=function(a){return t().useRef(a)};d.useState=function(a){return t().useState(a)};d.version="16.13.1"});
-</script>
-    <script crossorigin>/** @license React v16.13.1
- * react-dom.production.min.js
- *
- * Copyright (c) Facebook, Inc. and its affiliates.
- *
- * This source code is licensed under the MIT license found in the
- * LICENSE file in the root directory of this source tree.
- */
-/*
- Modernizr 3.0.0pre (Custom Build) | MIT
-*/
-'use strict';(function(I,ea){"object"===typeof exports&&"undefined"!==typeof module?ea(exports,require("react")):"function"===typeof define&&define.amd?define(["exports","react"],ea):(I=I||self,ea(I.ReactDOM={},I.React))})(this,function(I,ea){function k(a){for(var b="https://reactjs.org/docs/error-decoder.html?invariant="+a,c=1;c<arguments.length;c++)b+="&args[]="+encodeURIComponent(arguments[c]);return"Minified React error #"+a+"; visit "+b+" for the full message or use the non-minified dev environment for full errors and additional helpful warnings."}
-function ji(a,b,c,d,e,f,g,h,m){yb=!1;gc=null;ki.apply(li,arguments)}function mi(a,b,c,d,e,f,g,h,m){ji.apply(this,arguments);if(yb){if(yb){var n=gc;yb=!1;gc=null}else throw Error(k(198));hc||(hc=!0,pd=n)}}function lf(a,b,c){var d=a.type||"unknown-event";a.currentTarget=mf(c);mi(d,b,void 0,a);a.currentTarget=null}function nf(){if(ic)for(var a in cb){var b=cb[a],c=ic.indexOf(a);if(!(-1<c))throw Error(k(96,a));if(!jc[c]){if(!b.extractEvents)throw Error(k(97,a));jc[c]=b;c=b.eventTypes;for(var d in c){var e=
-void 0;var f=c[d],g=b,h=d;if(qd.hasOwnProperty(h))throw Error(k(99,h));qd[h]=f;var m=f.phasedRegistrationNames;if(m){for(e in m)m.hasOwnProperty(e)&&of(m[e],g,h);e=!0}else f.registrationName?(of(f.registrationName,g,h),e=!0):e=!1;if(!e)throw Error(k(98,d,a));}}}}function of(a,b,c){if(db[a])throw Error(k(100,a));db[a]=b;rd[a]=b.eventTypes[c].dependencies}function pf(a){var b=!1,c;for(c in a)if(a.hasOwnProperty(c)){var d=a[c];if(!cb.hasOwnProperty(c)||cb[c]!==d){if(cb[c])throw Error(k(102,c));cb[c]=
-d;b=!0}}b&&nf()}function qf(a){if(a=rf(a)){if("function"!==typeof sd)throw Error(k(280));var b=a.stateNode;b&&(b=td(b),sd(a.stateNode,a.type,b))}}function sf(a){eb?fb?fb.push(a):fb=[a]:eb=a}function tf(){if(eb){var a=eb,b=fb;fb=eb=null;qf(a);if(b)for(a=0;a<b.length;a++)qf(b[a])}}function ud(){if(null!==eb||null!==fb)vd(),tf()}function uf(a,b,c){if(wd)return a(b,c);wd=!0;try{return vf(a,b,c)}finally{wd=!1,ud()}}function ni(a){if(wf.call(xf,a))return!0;if(wf.call(yf,a))return!1;if(oi.test(a))return xf[a]=
-!0;yf[a]=!0;return!1}function pi(a,b,c,d){if(null!==c&&0===c.type)return!1;switch(typeof b){case "function":case "symbol":return!0;case "boolean":if(d)return!1;if(null!==c)return!c.acceptsBooleans;a=a.toLowerCase().slice(0,5);return"data-"!==a&&"aria-"!==a;default:return!1}}function qi(a,b,c,d){if(null===b||"undefined"===typeof b||pi(a,b,c,d))return!0;if(d)return!1;if(null!==c)switch(c.type){case 3:return!b;case 4:return!1===b;case 5:return isNaN(b);case 6:return isNaN(b)||1>b}return!1}function L(a,
-b,c,d,e,f){this.acceptsBooleans=2===b||3===b||4===b;this.attributeName=d;this.attributeNamespace=e;this.mustUseProperty=c;this.propertyName=a;this.type=b;this.sanitizeURL=f}function xd(a,b,c,d){var e=E.hasOwnProperty(b)?E[b]:null;var f=null!==e?0===e.type:d?!1:!(2<b.length)||"o"!==b[0]&&"O"!==b[0]||"n"!==b[1]&&"N"!==b[1]?!1:!0;f||(qi(b,c,e,d)&&(c=null),d||null===e?ni(b)&&(null===c?a.removeAttribute(b):a.setAttribute(b,""+c)):e.mustUseProperty?a[e.propertyName]=null===c?3===e.type?!1:"":c:(b=e.attributeName,
-d=e.attributeNamespace,null===c?a.removeAttribute(b):(e=e.type,c=3===e||4===e&&!0===c?"":""+c,d?a.setAttributeNS(d,b,c):a.setAttribute(b,c))))}function zb(a){if(null===a||"object"!==typeof a)return null;a=zf&&a[zf]||a["@@iterator"];return"function"===typeof a?a:null}function ri(a){if(-1===a._status){a._status=0;var b=a._ctor;b=b();a._result=b;b.then(function(b){0===a._status&&(b=b.default,a._status=1,a._result=b)},function(b){0===a._status&&(a._status=2,a._result=b)})}}function na(a){if(null==a)return null;
-if("function"===typeof a)return a.displayName||a.name||null;if("string"===typeof a)return a;switch(a){case Ma:return"Fragment";case gb:return"Portal";case kc:return"Profiler";case Af:return"StrictMode";case lc:return"Suspense";case yd:return"SuspenseList"}if("object"===typeof a)switch(a.$$typeof){case Bf:return"Context.Consumer";case Cf:return"Context.Provider";case zd:var b=a.render;b=b.displayName||b.name||"";return a.displayName||(""!==b?"ForwardRef("+b+")":"ForwardRef");case Ad:return na(a.type);
-case Df:return na(a.render);case Ef:if(a=1===a._status?a._result:null)return na(a)}return null}function Bd(a){var b="";do{a:switch(a.tag){case 3:case 4:case 6:case 7:case 10:case 9:var c="";break a;default:var d=a._debugOwner,e=a._debugSource,f=na(a.type);c=null;d&&(c=na(d.type));d=f;f="";e?f=" (at "+e.fileName.replace(si,"")+":"+e.lineNumber+")":c&&(f=" (created by "+c+")");c="\n    in "+(d||"Unknown")+f}b+=c;a=a.return}while(a);return b}function va(a){switch(typeof a){case "boolean":case "number":case "object":case "string":case "undefined":return a;
-default:return""}}function Ff(a){var b=a.type;return(a=a.nodeName)&&"input"===a.toLowerCase()&&("checkbox"===b||"radio"===b)}function ti(a){var b=Ff(a)?"checked":"value",c=Object.getOwnPropertyDescriptor(a.constructor.prototype,b),d=""+a[b];if(!a.hasOwnProperty(b)&&"undefined"!==typeof c&&"function"===typeof c.get&&"function"===typeof c.set){var e=c.get,f=c.set;Object.defineProperty(a,b,{configurable:!0,get:function(){return e.call(this)},set:function(a){d=""+a;f.call(this,a)}});Object.defineProperty(a,
-b,{enumerable:c.enumerable});return{getValue:function(){return d},setValue:function(a){d=""+a},stopTracking:function(){a._valueTracker=null;delete a[b]}}}}function mc(a){a._valueTracker||(a._valueTracker=ti(a))}function Gf(a){if(!a)return!1;var b=a._valueTracker;if(!b)return!0;var c=b.getValue();var d="";a&&(d=Ff(a)?a.checked?"true":"false":a.value);a=d;return a!==c?(b.setValue(a),!0):!1}function Cd(a,b){var c=b.checked;return M({},b,{defaultChecked:void 0,defaultValue:void 0,value:void 0,checked:null!=
-c?c:a._wrapperState.initialChecked})}function Hf(a,b){var c=null==b.defaultValue?"":b.defaultValue,d=null!=b.checked?b.checked:b.defaultChecked;c=va(null!=b.value?b.value:c);a._wrapperState={initialChecked:d,initialValue:c,controlled:"checkbox"===b.type||"radio"===b.type?null!=b.checked:null!=b.value}}function If(a,b){b=b.checked;null!=b&&xd(a,"checked",b,!1)}function Dd(a,b){If(a,b);var c=va(b.value),d=b.type;if(null!=c)if("number"===d){if(0===c&&""===a.value||a.value!=c)a.value=""+c}else a.value!==
-""+c&&(a.value=""+c);else if("submit"===d||"reset"===d){a.removeAttribute("value");return}b.hasOwnProperty("value")?Ed(a,b.type,c):b.hasOwnProperty("defaultValue")&&Ed(a,b.type,va(b.defaultValue));null==b.checked&&null!=b.defaultChecked&&(a.defaultChecked=!!b.defaultChecked)}function Jf(a,b,c){if(b.hasOwnProperty("value")||b.hasOwnProperty("defaultValue")){var d=b.type;if(!("submit"!==d&&"reset"!==d||void 0!==b.value&&null!==b.value))return;b=""+a._wrapperState.initialValue;c||b===a.value||(a.value=
-b);a.defaultValue=b}c=a.name;""!==c&&(a.name="");a.defaultChecked=!!a._wrapperState.initialChecked;""!==c&&(a.name=c)}function Ed(a,b,c){if("number"!==b||a.ownerDocument.activeElement!==a)null==c?a.defaultValue=""+a._wrapperState.initialValue:a.defaultValue!==""+c&&(a.defaultValue=""+c)}function ui(a){var b="";ea.Children.forEach(a,function(a){null!=a&&(b+=a)});return b}function Fd(a,b){a=M({children:void 0},b);if(b=ui(b.children))a.children=b;return a}function hb(a,b,c,d){a=a.options;if(b){b={};
-for(var e=0;e<c.length;e++)b["$"+c[e]]=!0;for(c=0;c<a.length;c++)e=b.hasOwnProperty("$"+a[c].value),a[c].selected!==e&&(a[c].selected=e),e&&d&&(a[c].defaultSelected=!0)}else{c=""+va(c);b=null;for(e=0;e<a.length;e++){if(a[e].value===c){a[e].selected=!0;d&&(a[e].defaultSelected=!0);return}null!==b||a[e].disabled||(b=a[e])}null!==b&&(b.selected=!0)}}function Gd(a,b){if(null!=b.dangerouslySetInnerHTML)throw Error(k(91));return M({},b,{value:void 0,defaultValue:void 0,children:""+a._wrapperState.initialValue})}
-function Kf(a,b){var c=b.value;if(null==c){c=b.children;b=b.defaultValue;if(null!=c){if(null!=b)throw Error(k(92));if(Array.isArray(c)){if(!(1>=c.length))throw Error(k(93));c=c[0]}b=c}null==b&&(b="");c=b}a._wrapperState={initialValue:va(c)}}function Lf(a,b){var c=va(b.value),d=va(b.defaultValue);null!=c&&(c=""+c,c!==a.value&&(a.value=c),null==b.defaultValue&&a.defaultValue!==c&&(a.defaultValue=c));null!=d&&(a.defaultValue=""+d)}function Mf(a,b){b=a.textContent;b===a._wrapperState.initialValue&&""!==
-b&&null!==b&&(a.value=b)}function Nf(a){switch(a){case "svg":return"http://www.w3.org/2000/svg";case "math":return"http://www.w3.org/1998/Math/MathML";default:return"http://www.w3.org/1999/xhtml"}}function Hd(a,b){return null==a||"http://www.w3.org/1999/xhtml"===a?Nf(b):"http://www.w3.org/2000/svg"===a&&"foreignObject"===b?"http://www.w3.org/1999/xhtml":a}function nc(a,b){var c={};c[a.toLowerCase()]=b.toLowerCase();c["Webkit"+a]="webkit"+b;c["Moz"+a]="moz"+b;return c}function oc(a){if(Id[a])return Id[a];
-if(!ib[a])return a;var b=ib[a],c;for(c in b)if(b.hasOwnProperty(c)&&c in Of)return Id[a]=b[c];return a}function Jd(a){var b=Pf.get(a);void 0===b&&(b=new Map,Pf.set(a,b));return b}function Na(a){var b=a,c=a;if(a.alternate)for(;b.return;)b=b.return;else{a=b;do b=a,0!==(b.effectTag&1026)&&(c=b.return),a=b.return;while(a)}return 3===b.tag?c:null}function Qf(a){if(13===a.tag){var b=a.memoizedState;null===b&&(a=a.alternate,null!==a&&(b=a.memoizedState));if(null!==b)return b.dehydrated}return null}function Rf(a){if(Na(a)!==
-a)throw Error(k(188));}function vi(a){var b=a.alternate;if(!b){b=Na(a);if(null===b)throw Error(k(188));return b!==a?null:a}for(var c=a,d=b;;){var e=c.return;if(null===e)break;var f=e.alternate;if(null===f){d=e.return;if(null!==d){c=d;continue}break}if(e.child===f.child){for(f=e.child;f;){if(f===c)return Rf(e),a;if(f===d)return Rf(e),b;f=f.sibling}throw Error(k(188));}if(c.return!==d.return)c=e,d=f;else{for(var g=!1,h=e.child;h;){if(h===c){g=!0;c=e;d=f;break}if(h===d){g=!0;d=e;c=f;break}h=h.sibling}if(!g){for(h=
-f.child;h;){if(h===c){g=!0;c=f;d=e;break}if(h===d){g=!0;d=f;c=e;break}h=h.sibling}if(!g)throw Error(k(189));}}if(c.alternate!==d)throw Error(k(190));}if(3!==c.tag)throw Error(k(188));return c.stateNode.current===c?a:b}function Sf(a){a=vi(a);if(!a)return null;for(var b=a;;){if(5===b.tag||6===b.tag)return b;if(b.child)b.child.return=b,b=b.child;else{if(b===a)break;for(;!b.sibling;){if(!b.return||b.return===a)return null;b=b.return}b.sibling.return=b.return;b=b.sibling}}return null}function jb(a,b){if(null==
-b)throw Error(k(30));if(null==a)return b;if(Array.isArray(a)){if(Array.isArray(b))return a.push.apply(a,b),a;a.push(b);return a}return Array.isArray(b)?[a].concat(b):[a,b]}function Kd(a,b,c){Array.isArray(a)?a.forEach(b,c):a&&b.call(c,a)}function pc(a){null!==a&&(Ab=jb(Ab,a));a=Ab;Ab=null;if(a){Kd(a,wi);if(Ab)throw Error(k(95));if(hc)throw a=pd,hc=!1,pd=null,a;}}function Ld(a){a=a.target||a.srcElement||window;a.correspondingUseElement&&(a=a.correspondingUseElement);return 3===a.nodeType?a.parentNode:
-a}function Tf(a){if(!wa)return!1;a="on"+a;var b=a in document;b||(b=document.createElement("div"),b.setAttribute(a,"return;"),b="function"===typeof b[a]);return b}function Uf(a){a.topLevelType=null;a.nativeEvent=null;a.targetInst=null;a.ancestors.length=0;10>qc.length&&qc.push(a)}function Vf(a,b,c,d){if(qc.length){var e=qc.pop();e.topLevelType=a;e.eventSystemFlags=d;e.nativeEvent=b;e.targetInst=c;return e}return{topLevelType:a,eventSystemFlags:d,nativeEvent:b,targetInst:c,ancestors:[]}}function Wf(a){var b=
-a.targetInst,c=b;do{if(!c){a.ancestors.push(c);break}var d=c;if(3===d.tag)d=d.stateNode.containerInfo;else{for(;d.return;)d=d.return;d=3!==d.tag?null:d.stateNode.containerInfo}if(!d)break;b=c.tag;5!==b&&6!==b||a.ancestors.push(c);c=Bb(d)}while(c);for(c=0;c<a.ancestors.length;c++){b=a.ancestors[c];var e=Ld(a.nativeEvent);d=a.topLevelType;var f=a.nativeEvent,g=a.eventSystemFlags;0===c&&(g|=64);for(var h=null,m=0;m<jc.length;m++){var n=jc[m];n&&(n=n.extractEvents(d,b,f,e,g))&&(h=jb(h,n))}pc(h)}}function Md(a,
-b,c){if(!c.has(a)){switch(a){case "scroll":Cb(b,"scroll",!0);break;case "focus":case "blur":Cb(b,"focus",!0);Cb(b,"blur",!0);c.set("blur",null);c.set("focus",null);break;case "cancel":case "close":Tf(a)&&Cb(b,a,!0);break;case "invalid":case "submit":case "reset":break;default:-1===Db.indexOf(a)&&w(a,b)}c.set(a,null)}}function xi(a,b){var c=Jd(b);Nd.forEach(function(a){Md(a,b,c)});yi.forEach(function(a){Md(a,b,c)})}function Od(a,b,c,d,e){return{blockedOn:a,topLevelType:b,eventSystemFlags:c|32,nativeEvent:e,
-container:d}}function Xf(a,b){switch(a){case "focus":case "blur":xa=null;break;case "dragenter":case "dragleave":ya=null;break;case "mouseover":case "mouseout":za=null;break;case "pointerover":case "pointerout":Eb.delete(b.pointerId);break;case "gotpointercapture":case "lostpointercapture":Fb.delete(b.pointerId)}}function Gb(a,b,c,d,e,f){if(null===a||a.nativeEvent!==f)return a=Od(b,c,d,e,f),null!==b&&(b=Hb(b),null!==b&&Yf(b)),a;a.eventSystemFlags|=d;return a}function zi(a,b,c,d,e){switch(b){case "focus":return xa=
-Gb(xa,a,b,c,d,e),!0;case "dragenter":return ya=Gb(ya,a,b,c,d,e),!0;case "mouseover":return za=Gb(za,a,b,c,d,e),!0;case "pointerover":var f=e.pointerId;Eb.set(f,Gb(Eb.get(f)||null,a,b,c,d,e));return!0;case "gotpointercapture":return f=e.pointerId,Fb.set(f,Gb(Fb.get(f)||null,a,b,c,d,e)),!0}return!1}function Ai(a){var b=Bb(a.target);if(null!==b){var c=Na(b);if(null!==c)if(b=c.tag,13===b){if(b=Qf(c),null!==b){a.blockedOn=b;Pd(a.priority,function(){Bi(c)});return}}else if(3===b&&c.stateNode.hydrate){a.blockedOn=
-3===c.tag?c.stateNode.containerInfo:null;return}}a.blockedOn=null}function rc(a){if(null!==a.blockedOn)return!1;var b=Qd(a.topLevelType,a.eventSystemFlags,a.container,a.nativeEvent);if(null!==b){var c=Hb(b);null!==c&&Yf(c);a.blockedOn=b;return!1}return!0}function Zf(a,b,c){rc(a)&&c.delete(b)}function Ci(){for(Rd=!1;0<fa.length;){var a=fa[0];if(null!==a.blockedOn){a=Hb(a.blockedOn);null!==a&&Di(a);break}var b=Qd(a.topLevelType,a.eventSystemFlags,a.container,a.nativeEvent);null!==b?a.blockedOn=b:fa.shift()}null!==
-xa&&rc(xa)&&(xa=null);null!==ya&&rc(ya)&&(ya=null);null!==za&&rc(za)&&(za=null);Eb.forEach(Zf);Fb.forEach(Zf)}function Ib(a,b){a.blockedOn===b&&(a.blockedOn=null,Rd||(Rd=!0,$f(ag,Ci)))}function bg(a){if(0<fa.length){Ib(fa[0],a);for(var b=1;b<fa.length;b++){var c=fa[b];c.blockedOn===a&&(c.blockedOn=null)}}null!==xa&&Ib(xa,a);null!==ya&&Ib(ya,a);null!==za&&Ib(za,a);b=function(b){return Ib(b,a)};Eb.forEach(b);Fb.forEach(b);for(b=0;b<Jb.length;b++)c=Jb[b],c.blockedOn===a&&(c.blockedOn=null);for(;0<Jb.length&&
-(b=Jb[0],null===b.blockedOn);)Ai(b),null===b.blockedOn&&Jb.shift()}function Sd(a,b){for(var c=0;c<a.length;c+=2){var d=a[c],e=a[c+1],f="on"+(e[0].toUpperCase()+e.slice(1));f={phasedRegistrationNames:{bubbled:f,captured:f+"Capture"},dependencies:[d],eventPriority:b};Td.set(d,b);cg.set(d,f);dg[e]=f}}function w(a,b){Cb(b,a,!1)}function Cb(a,b,c){var d=Td.get(b);switch(void 0===d?2:d){case 0:d=Ei.bind(null,b,1,a);break;case 1:d=Fi.bind(null,b,1,a);break;default:d=sc.bind(null,b,1,a)}c?a.addEventListener(b,
-d,!0):a.addEventListener(b,d,!1)}function Ei(a,b,c,d){Oa||vd();var e=sc,f=Oa;Oa=!0;try{eg(e,a,b,c,d)}finally{(Oa=f)||ud()}}function Fi(a,b,c,d){Gi(Hi,sc.bind(null,a,b,c,d))}function sc(a,b,c,d){if(tc)if(0<fa.length&&-1<Nd.indexOf(a))a=Od(null,a,b,c,d),fa.push(a);else{var e=Qd(a,b,c,d);if(null===e)Xf(a,d);else if(-1<Nd.indexOf(a))a=Od(e,a,b,c,d),fa.push(a);else if(!zi(e,a,b,c,d)){Xf(a,d);a=Vf(a,d,null,b);try{uf(Wf,a)}finally{Uf(a)}}}}function Qd(a,b,c,d){c=Ld(d);c=Bb(c);if(null!==c){var e=Na(c);if(null===
-e)c=null;else{var f=e.tag;if(13===f){c=Qf(e);if(null!==c)return c;c=null}else if(3===f){if(e.stateNode.hydrate)return 3===e.tag?e.stateNode.containerInfo:null;c=null}else e!==c&&(c=null)}}a=Vf(a,d,c,b);try{uf(Wf,a)}finally{Uf(a)}return null}function fg(a,b,c){return null==b||"boolean"===typeof b||""===b?"":c||"number"!==typeof b||0===b||Kb.hasOwnProperty(a)&&Kb[a]?(""+b).trim():b+"px"}function gg(a,b){a=a.style;for(var c in b)if(b.hasOwnProperty(c)){var d=0===c.indexOf("--"),e=fg(c,b[c],d);"float"===
-c&&(c="cssFloat");d?a.setProperty(c,e):a[c]=e}}function Ud(a,b){if(b){if(Ii[a]&&(null!=b.children||null!=b.dangerouslySetInnerHTML))throw Error(k(137,a,""));if(null!=b.dangerouslySetInnerHTML){if(null!=b.children)throw Error(k(60));if(!("object"===typeof b.dangerouslySetInnerHTML&&"__html"in b.dangerouslySetInnerHTML))throw Error(k(61));}if(null!=b.style&&"object"!==typeof b.style)throw Error(k(62,""));}}function Vd(a,b){if(-1===a.indexOf("-"))return"string"===typeof b.is;switch(a){case "annotation-xml":case "color-profile":case "font-face":case "font-face-src":case "font-face-uri":case "font-face-format":case "font-face-name":case "missing-glyph":return!1;
-default:return!0}}function oa(a,b){a=9===a.nodeType||11===a.nodeType?a:a.ownerDocument;var c=Jd(a);b=rd[b];for(var d=0;d<b.length;d++)Md(b[d],a,c)}function uc(){}function Wd(a){a=a||("undefined"!==typeof document?document:void 0);if("undefined"===typeof a)return null;try{return a.activeElement||a.body}catch(b){return a.body}}function hg(a){for(;a&&a.firstChild;)a=a.firstChild;return a}function ig(a,b){var c=hg(a);a=0;for(var d;c;){if(3===c.nodeType){d=a+c.textContent.length;if(a<=b&&d>=b)return{node:c,
-offset:b-a};a=d}a:{for(;c;){if(c.nextSibling){c=c.nextSibling;break a}c=c.parentNode}c=void 0}c=hg(c)}}function jg(a,b){return a&&b?a===b?!0:a&&3===a.nodeType?!1:b&&3===b.nodeType?jg(a,b.parentNode):"contains"in a?a.contains(b):a.compareDocumentPosition?!!(a.compareDocumentPosition(b)&16):!1:!1}function kg(){for(var a=window,b=Wd();b instanceof a.HTMLIFrameElement;){try{var c="string"===typeof b.contentWindow.location.href}catch(d){c=!1}if(c)a=b.contentWindow;else break;b=Wd(a.document)}return b}
-function Xd(a){var b=a&&a.nodeName&&a.nodeName.toLowerCase();return b&&("input"===b&&("text"===a.type||"search"===a.type||"tel"===a.type||"url"===a.type||"password"===a.type)||"textarea"===b||"true"===a.contentEditable)}function lg(a,b){switch(a){case "button":case "input":case "select":case "textarea":return!!b.autoFocus}return!1}function Yd(a,b){return"textarea"===a||"option"===a||"noscript"===a||"string"===typeof b.children||"number"===typeof b.children||"object"===typeof b.dangerouslySetInnerHTML&&
-null!==b.dangerouslySetInnerHTML&&null!=b.dangerouslySetInnerHTML.__html}function kb(a){for(;null!=a;a=a.nextSibling){var b=a.nodeType;if(1===b||3===b)break}return a}function mg(a){a=a.previousSibling;for(var b=0;a;){if(8===a.nodeType){var c=a.data;if(c===ng||c===Zd||c===$d){if(0===b)return a;b--}else c===og&&b++}a=a.previousSibling}return null}function Bb(a){var b=a[Aa];if(b)return b;for(var c=a.parentNode;c;){if(b=c[Lb]||c[Aa]){c=b.alternate;if(null!==b.child||null!==c&&null!==c.child)for(a=mg(a);null!==
-a;){if(c=a[Aa])return c;a=mg(a)}return b}a=c;c=a.parentNode}return null}function Hb(a){a=a[Aa]||a[Lb];return!a||5!==a.tag&&6!==a.tag&&13!==a.tag&&3!==a.tag?null:a}function Pa(a){if(5===a.tag||6===a.tag)return a.stateNode;throw Error(k(33));}function ae(a){return a[vc]||null}function pa(a){do a=a.return;while(a&&5!==a.tag);return a?a:null}function pg(a,b){var c=a.stateNode;if(!c)return null;var d=td(c);if(!d)return null;c=d[b];a:switch(b){case "onClick":case "onClickCapture":case "onDoubleClick":case "onDoubleClickCapture":case "onMouseDown":case "onMouseDownCapture":case "onMouseMove":case "onMouseMoveCapture":case "onMouseUp":case "onMouseUpCapture":case "onMouseEnter":(d=
-!d.disabled)||(a=a.type,d=!("button"===a||"input"===a||"select"===a||"textarea"===a));a=!d;break a;default:a=!1}if(a)return null;if(c&&"function"!==typeof c)throw Error(k(231,b,typeof c));return c}function qg(a,b,c){if(b=pg(a,c.dispatchConfig.phasedRegistrationNames[b]))c._dispatchListeners=jb(c._dispatchListeners,b),c._dispatchInstances=jb(c._dispatchInstances,a)}function Ji(a){if(a&&a.dispatchConfig.phasedRegistrationNames){for(var b=a._targetInst,c=[];b;)c.push(b),b=pa(b);for(b=c.length;0<b--;)qg(c[b],
-"captured",a);for(b=0;b<c.length;b++)qg(c[b],"bubbled",a)}}function be(a,b,c){a&&c&&c.dispatchConfig.registrationName&&(b=pg(a,c.dispatchConfig.registrationName))&&(c._dispatchListeners=jb(c._dispatchListeners,b),c._dispatchInstances=jb(c._dispatchInstances,a))}function Ki(a){a&&a.dispatchConfig.registrationName&&be(a._targetInst,null,a)}function lb(a){Kd(a,Ji)}function rg(){if(wc)return wc;var a,b=ce,c=b.length,d,e="value"in Ba?Ba.value:Ba.textContent,f=e.length;for(a=0;a<c&&b[a]===e[a];a++);var g=
-c-a;for(d=1;d<=g&&b[c-d]===e[f-d];d++);return wc=e.slice(a,1<d?1-d:void 0)}function xc(){return!0}function yc(){return!1}function R(a,b,c,d){this.dispatchConfig=a;this._targetInst=b;this.nativeEvent=c;a=this.constructor.Interface;for(var e in a)a.hasOwnProperty(e)&&((b=a[e])?this[e]=b(c):"target"===e?this.target=d:this[e]=c[e]);this.isDefaultPrevented=(null!=c.defaultPrevented?c.defaultPrevented:!1===c.returnValue)?xc:yc;this.isPropagationStopped=yc;return this}function Li(a,b,c,d){if(this.eventPool.length){var e=
-this.eventPool.pop();this.call(e,a,b,c,d);return e}return new this(a,b,c,d)}function Mi(a){if(!(a instanceof this))throw Error(k(279));a.destructor();10>this.eventPool.length&&this.eventPool.push(a)}function sg(a){a.eventPool=[];a.getPooled=Li;a.release=Mi}function tg(a,b){switch(a){case "keyup":return-1!==Ni.indexOf(b.keyCode);case "keydown":return 229!==b.keyCode;case "keypress":case "mousedown":case "blur":return!0;default:return!1}}function ug(a){a=a.detail;return"object"===typeof a&&"data"in
-a?a.data:null}function Oi(a,b){switch(a){case "compositionend":return ug(b);case "keypress":if(32!==b.which)return null;vg=!0;return wg;case "textInput":return a=b.data,a===wg&&vg?null:a;default:return null}}function Pi(a,b){if(mb)return"compositionend"===a||!de&&tg(a,b)?(a=rg(),wc=ce=Ba=null,mb=!1,a):null;switch(a){case "paste":return null;case "keypress":if(!(b.ctrlKey||b.altKey||b.metaKey)||b.ctrlKey&&b.altKey){if(b.char&&1<b.char.length)return b.char;if(b.which)return String.fromCharCode(b.which)}return null;
-case "compositionend":return xg&&"ko"!==b.locale?null:b.data;default:return null}}function yg(a){var b=a&&a.nodeName&&a.nodeName.toLowerCase();return"input"===b?!!Qi[a.type]:"textarea"===b?!0:!1}function zg(a,b,c){a=R.getPooled(Ag.change,a,b,c);a.type="change";sf(c);lb(a);return a}function Ri(a){pc(a)}function zc(a){var b=Pa(a);if(Gf(b))return a}function Si(a,b){if("change"===a)return b}function Bg(){Mb&&(Mb.detachEvent("onpropertychange",Cg),Nb=Mb=null)}function Cg(a){if("value"===a.propertyName&&
-zc(Nb))if(a=zg(Nb,a,Ld(a)),Oa)pc(a);else{Oa=!0;try{ee(Ri,a)}finally{Oa=!1,ud()}}}function Ti(a,b,c){"focus"===a?(Bg(),Mb=b,Nb=c,Mb.attachEvent("onpropertychange",Cg)):"blur"===a&&Bg()}function Ui(a,b){if("selectionchange"===a||"keyup"===a||"keydown"===a)return zc(Nb)}function Vi(a,b){if("click"===a)return zc(b)}function Wi(a,b){if("input"===a||"change"===a)return zc(b)}function Xi(a){var b=this.nativeEvent;return b.getModifierState?b.getModifierState(a):(a=Yi[a])?!!b[a]:!1}function fe(a){return Xi}
-function Zi(a,b){return a===b&&(0!==a||1/a===1/b)||a!==a&&b!==b}function Ob(a,b){if(Qa(a,b))return!0;if("object"!==typeof a||null===a||"object"!==typeof b||null===b)return!1;var c=Object.keys(a),d=Object.keys(b);if(c.length!==d.length)return!1;for(d=0;d<c.length;d++)if(!$i.call(b,c[d])||!Qa(a[c[d]],b[c[d]]))return!1;return!0}function Dg(a,b){var c=b.window===b?b.document:9===b.nodeType?b:b.ownerDocument;if(ge||null==nb||nb!==Wd(c))return null;c=nb;"selectionStart"in c&&Xd(c)?c={start:c.selectionStart,
-end:c.selectionEnd}:(c=(c.ownerDocument&&c.ownerDocument.defaultView||window).getSelection(),c={anchorNode:c.anchorNode,anchorOffset:c.anchorOffset,focusNode:c.focusNode,focusOffset:c.focusOffset});return Pb&&Ob(Pb,c)?null:(Pb=c,a=R.getPooled(Eg.select,he,a,b),a.type="select",a.target=nb,lb(a),a)}function Ac(a){var b=a.keyCode;"charCode"in a?(a=a.charCode,0===a&&13===b&&(a=13)):a=b;10===a&&(a=13);return 32<=a||13===a?a:0}function q(a,b){0>ob||(a.current=ie[ob],ie[ob]=null,ob--)}function y(a,b,c){ob++;
-ie[ob]=a.current;a.current=b}function pb(a,b){var c=a.type.contextTypes;if(!c)return Ca;var d=a.stateNode;if(d&&d.__reactInternalMemoizedUnmaskedChildContext===b)return d.__reactInternalMemoizedMaskedChildContext;var e={},f;for(f in c)e[f]=b[f];d&&(a=a.stateNode,a.__reactInternalMemoizedUnmaskedChildContext=b,a.__reactInternalMemoizedMaskedChildContext=e);return e}function N(a){a=a.childContextTypes;return null!==a&&void 0!==a}function Fg(a,b,c){if(B.current!==Ca)throw Error(k(168));y(B,b);y(G,c)}
-function Gg(a,b,c){var d=a.stateNode;a=b.childContextTypes;if("function"!==typeof d.getChildContext)return c;d=d.getChildContext();for(var e in d)if(!(e in a))throw Error(k(108,na(b)||"Unknown",e));return M({},c,{},d)}function Bc(a){a=(a=a.stateNode)&&a.__reactInternalMemoizedMergedChildContext||Ca;Ra=B.current;y(B,a);y(G,G.current);return!0}function Hg(a,b,c){var d=a.stateNode;if(!d)throw Error(k(169));c?(a=Gg(a,b,Ra),d.__reactInternalMemoizedMergedChildContext=a,q(G),q(B),y(B,a)):q(G);y(G,c)}function Cc(){switch(aj()){case Dc:return 99;
-case Ig:return 98;case Jg:return 97;case Kg:return 96;case Lg:return 95;default:throw Error(k(332));}}function Mg(a){switch(a){case 99:return Dc;case 98:return Ig;case 97:return Jg;case 96:return Kg;case 95:return Lg;default:throw Error(k(332));}}function Da(a,b){a=Mg(a);return bj(a,b)}function Ng(a,b,c){a=Mg(a);return je(a,b,c)}function Og(a){null===qa?(qa=[a],Ec=je(Dc,Pg)):qa.push(a);return Qg}function ha(){if(null!==Ec){var a=Ec;Ec=null;Rg(a)}Pg()}function Pg(){if(!ke&&null!==qa){ke=!0;var a=0;
-try{var b=qa;Da(99,function(){for(;a<b.length;a++){var c=b[a];do c=c(!0);while(null!==c)}});qa=null}catch(c){throw null!==qa&&(qa=qa.slice(a+1)),je(Dc,ha),c;}finally{ke=!1}}}function Fc(a,b,c){c/=10;return 1073741821-(((1073741821-a+b/10)/c|0)+1)*c}function aa(a,b){if(a&&a.defaultProps){b=M({},b);a=a.defaultProps;for(var c in a)void 0===b[c]&&(b[c]=a[c])}return b}function le(){Gc=qb=Hc=null}function me(a){var b=Ic.current;q(Ic);a.type._context._currentValue=b}function Sg(a,b){for(;null!==a;){var c=
-a.alternate;if(a.childExpirationTime<b)a.childExpirationTime=b,null!==c&&c.childExpirationTime<b&&(c.childExpirationTime=b);else if(null!==c&&c.childExpirationTime<b)c.childExpirationTime=b;else break;a=a.return}}function rb(a,b){Hc=a;Gc=qb=null;a=a.dependencies;null!==a&&null!==a.firstContext&&(a.expirationTime>=b&&(ia=!0),a.firstContext=null)}function W(a,b){if(Gc!==a&&!1!==b&&0!==b){if("number"!==typeof b||1073741823===b)Gc=a,b=1073741823;b={context:a,observedBits:b,next:null};if(null===qb){if(null===
-Hc)throw Error(k(308));qb=b;Hc.dependencies={expirationTime:0,firstContext:b,responders:null}}else qb=qb.next=b}return a._currentValue}function ne(a){a.updateQueue={baseState:a.memoizedState,baseQueue:null,shared:{pending:null},effects:null}}function oe(a,b){a=a.updateQueue;b.updateQueue===a&&(b.updateQueue={baseState:a.baseState,baseQueue:a.baseQueue,shared:a.shared,effects:a.effects})}function Ea(a,b){a={expirationTime:a,suspenseConfig:b,tag:Tg,payload:null,callback:null,next:null};return a.next=
-a}function Fa(a,b){a=a.updateQueue;if(null!==a){a=a.shared;var c=a.pending;null===c?b.next=b:(b.next=c.next,c.next=b);a.pending=b}}function Ug(a,b){var c=a.alternate;null!==c&&oe(c,a);a=a.updateQueue;c=a.baseQueue;null===c?(a.baseQueue=b.next=b,b.next=b):(b.next=c.next,c.next=b)}function Qb(a,b,c,d){var e=a.updateQueue;Ga=!1;var f=e.baseQueue,g=e.shared.pending;if(null!==g){if(null!==f){var h=f.next;f.next=g.next;g.next=h}f=g;e.shared.pending=null;h=a.alternate;null!==h&&(h=h.updateQueue,null!==h&&
-(h.baseQueue=g))}if(null!==f){h=f.next;var m=e.baseState,n=0,k=null,ba=null,l=null;if(null!==h){var p=h;do{g=p.expirationTime;if(g<d){var t={expirationTime:p.expirationTime,suspenseConfig:p.suspenseConfig,tag:p.tag,payload:p.payload,callback:p.callback,next:null};null===l?(ba=l=t,k=m):l=l.next=t;g>n&&(n=g)}else{null!==l&&(l=l.next={expirationTime:1073741823,suspenseConfig:p.suspenseConfig,tag:p.tag,payload:p.payload,callback:p.callback,next:null});Vg(g,p.suspenseConfig);a:{var q=a,r=p;g=b;t=c;switch(r.tag){case 1:q=
-r.payload;if("function"===typeof q){m=q.call(t,m,g);break a}m=q;break a;case 3:q.effectTag=q.effectTag&-4097|64;case Tg:q=r.payload;g="function"===typeof q?q.call(t,m,g):q;if(null===g||void 0===g)break a;m=M({},m,g);break a;case Jc:Ga=!0}}null!==p.callback&&(a.effectTag|=32,g=e.effects,null===g?e.effects=[p]:g.push(p))}p=p.next;if(null===p||p===h)if(g=e.shared.pending,null===g)break;else p=f.next=g.next,g.next=h,e.baseQueue=f=g,e.shared.pending=null}while(1)}null===l?k=m:l.next=ba;e.baseState=k;e.baseQueue=
-l;Kc(n);a.expirationTime=n;a.memoizedState=m}}function Wg(a,b,c){a=b.effects;b.effects=null;if(null!==a)for(b=0;b<a.length;b++){var d=a[b],e=d.callback;if(null!==e){d.callback=null;d=e;e=c;if("function"!==typeof d)throw Error(k(191,d));d.call(e)}}}function Lc(a,b,c,d){b=a.memoizedState;c=c(d,b);c=null===c||void 0===c?b:M({},b,c);a.memoizedState=c;0===a.expirationTime&&(a.updateQueue.baseState=c)}function Xg(a,b,c,d,e,f,g){a=a.stateNode;return"function"===typeof a.shouldComponentUpdate?a.shouldComponentUpdate(d,
-f,g):b.prototype&&b.prototype.isPureReactComponent?!Ob(c,d)||!Ob(e,f):!0}function Yg(a,b,c){var d=!1,e=Ca;var f=b.contextType;"object"===typeof f&&null!==f?f=W(f):(e=N(b)?Ra:B.current,d=b.contextTypes,f=(d=null!==d&&void 0!==d)?pb(a,e):Ca);b=new b(c,f);a.memoizedState=null!==b.state&&void 0!==b.state?b.state:null;b.updater=Mc;a.stateNode=b;b._reactInternalFiber=a;d&&(a=a.stateNode,a.__reactInternalMemoizedUnmaskedChildContext=e,a.__reactInternalMemoizedMaskedChildContext=f);return b}function Zg(a,
-b,c,d){a=b.state;"function"===typeof b.componentWillReceiveProps&&b.componentWillReceiveProps(c,d);"function"===typeof b.UNSAFE_componentWillReceiveProps&&b.UNSAFE_componentWillReceiveProps(c,d);b.state!==a&&Mc.enqueueReplaceState(b,b.state,null)}function pe(a,b,c,d){var e=a.stateNode;e.props=c;e.state=a.memoizedState;e.refs=$g;ne(a);var f=b.contextType;"object"===typeof f&&null!==f?e.context=W(f):(f=N(b)?Ra:B.current,e.context=pb(a,f));Qb(a,c,e,d);e.state=a.memoizedState;f=b.getDerivedStateFromProps;
-"function"===typeof f&&(Lc(a,b,f,c),e.state=a.memoizedState);"function"===typeof b.getDerivedStateFromProps||"function"===typeof e.getSnapshotBeforeUpdate||"function"!==typeof e.UNSAFE_componentWillMount&&"function"!==typeof e.componentWillMount||(b=e.state,"function"===typeof e.componentWillMount&&e.componentWillMount(),"function"===typeof e.UNSAFE_componentWillMount&&e.UNSAFE_componentWillMount(),b!==e.state&&Mc.enqueueReplaceState(e,e.state,null),Qb(a,c,e,d),e.state=a.memoizedState);"function"===
-typeof e.componentDidMount&&(a.effectTag|=4)}function Rb(a,b,c){a=c.ref;if(null!==a&&"function"!==typeof a&&"object"!==typeof a){if(c._owner){c=c._owner;if(c){if(1!==c.tag)throw Error(k(309));var d=c.stateNode}if(!d)throw Error(k(147,a));var e=""+a;if(null!==b&&null!==b.ref&&"function"===typeof b.ref&&b.ref._stringRef===e)return b.ref;b=function(a){var b=d.refs;b===$g&&(b=d.refs={});null===a?delete b[e]:b[e]=a};b._stringRef=e;return b}if("string"!==typeof a)throw Error(k(284));if(!c._owner)throw Error(k(290,
-a));}return a}function Nc(a,b){if("textarea"!==a.type)throw Error(k(31,"[object Object]"===Object.prototype.toString.call(b)?"object with keys {"+Object.keys(b).join(", ")+"}":b,""));}function ah(a){function b(b,c){if(a){var d=b.lastEffect;null!==d?(d.nextEffect=c,b.lastEffect=c):b.firstEffect=b.lastEffect=c;c.nextEffect=null;c.effectTag=8}}function c(c,d){if(!a)return null;for(;null!==d;)b(c,d),d=d.sibling;return null}function d(a,b){for(a=new Map;null!==b;)null!==b.key?a.set(b.key,b):a.set(b.index,
-b),b=b.sibling;return a}function e(a,b){a=Sa(a,b);a.index=0;a.sibling=null;return a}function f(b,c,d){b.index=d;if(!a)return c;d=b.alternate;if(null!==d)return d=d.index,d<c?(b.effectTag=2,c):d;b.effectTag=2;return c}function g(b){a&&null===b.alternate&&(b.effectTag=2);return b}function h(a,b,c,d){if(null===b||6!==b.tag)return b=qe(c,a.mode,d),b.return=a,b;b=e(b,c);b.return=a;return b}function m(a,b,c,d){if(null!==b&&b.elementType===c.type)return d=e(b,c.props),d.ref=Rb(a,b,c),d.return=a,d;d=Oc(c.type,
-c.key,c.props,null,a.mode,d);d.ref=Rb(a,b,c);d.return=a;return d}function n(a,b,c,d){if(null===b||4!==b.tag||b.stateNode.containerInfo!==c.containerInfo||b.stateNode.implementation!==c.implementation)return b=re(c,a.mode,d),b.return=a,b;b=e(b,c.children||[]);b.return=a;return b}function l(a,b,c,d,f){if(null===b||7!==b.tag)return b=Ha(c,a.mode,d,f),b.return=a,b;b=e(b,c);b.return=a;return b}function ba(a,b,c){if("string"===typeof b||"number"===typeof b)return b=qe(""+b,a.mode,c),b.return=a,b;if("object"===
-typeof b&&null!==b){switch(b.$$typeof){case Pc:return c=Oc(b.type,b.key,b.props,null,a.mode,c),c.ref=Rb(a,null,b),c.return=a,c;case gb:return b=re(b,a.mode,c),b.return=a,b}if(Qc(b)||zb(b))return b=Ha(b,a.mode,c,null),b.return=a,b;Nc(a,b)}return null}function p(a,b,c,d){var e=null!==b?b.key:null;if("string"===typeof c||"number"===typeof c)return null!==e?null:h(a,b,""+c,d);if("object"===typeof c&&null!==c){switch(c.$$typeof){case Pc:return c.key===e?c.type===Ma?l(a,b,c.props.children,d,e):m(a,b,c,
-d):null;case gb:return c.key===e?n(a,b,c,d):null}if(Qc(c)||zb(c))return null!==e?null:l(a,b,c,d,null);Nc(a,c)}return null}function t(a,b,c,d,e){if("string"===typeof d||"number"===typeof d)return a=a.get(c)||null,h(b,a,""+d,e);if("object"===typeof d&&null!==d){switch(d.$$typeof){case Pc:return a=a.get(null===d.key?c:d.key)||null,d.type===Ma?l(b,a,d.props.children,e,d.key):m(b,a,d,e);case gb:return a=a.get(null===d.key?c:d.key)||null,n(b,a,d,e)}if(Qc(d)||zb(d))return a=a.get(c)||null,l(b,a,d,e,null);
-Nc(b,d)}return null}function q(e,g,h,m){for(var n=null,k=null,l=g,r=g=0,C=null;null!==l&&r<h.length;r++){l.index>r?(C=l,l=null):C=l.sibling;var O=p(e,l,h[r],m);if(null===O){null===l&&(l=C);break}a&&l&&null===O.alternate&&b(e,l);g=f(O,g,r);null===k?n=O:k.sibling=O;k=O;l=C}if(r===h.length)return c(e,l),n;if(null===l){for(;r<h.length;r++)l=ba(e,h[r],m),null!==l&&(g=f(l,g,r),null===k?n=l:k.sibling=l,k=l);return n}for(l=d(e,l);r<h.length;r++)C=t(l,e,r,h[r],m),null!==C&&(a&&null!==C.alternate&&l.delete(null===
-C.key?r:C.key),g=f(C,g,r),null===k?n=C:k.sibling=C,k=C);a&&l.forEach(function(a){return b(e,a)});return n}function w(e,g,h,n){var m=zb(h);if("function"!==typeof m)throw Error(k(150));h=m.call(h);if(null==h)throw Error(k(151));for(var l=m=null,r=g,C=g=0,O=null,v=h.next();null!==r&&!v.done;C++,v=h.next()){r.index>C?(O=r,r=null):O=r.sibling;var q=p(e,r,v.value,n);if(null===q){null===r&&(r=O);break}a&&r&&null===q.alternate&&b(e,r);g=f(q,g,C);null===l?m=q:l.sibling=q;l=q;r=O}if(v.done)return c(e,r),m;
-if(null===r){for(;!v.done;C++,v=h.next())v=ba(e,v.value,n),null!==v&&(g=f(v,g,C),null===l?m=v:l.sibling=v,l=v);return m}for(r=d(e,r);!v.done;C++,v=h.next())v=t(r,e,C,v.value,n),null!==v&&(a&&null!==v.alternate&&r.delete(null===v.key?C:v.key),g=f(v,g,C),null===l?m=v:l.sibling=v,l=v);a&&r.forEach(function(a){return b(e,a)});return m}return function(a,d,f,h){var m="object"===typeof f&&null!==f&&f.type===Ma&&null===f.key;m&&(f=f.props.children);var n="object"===typeof f&&null!==f;if(n)switch(f.$$typeof){case Pc:a:{n=
-f.key;for(m=d;null!==m;){if(m.key===n){switch(m.tag){case 7:if(f.type===Ma){c(a,m.sibling);d=e(m,f.props.children);d.return=a;a=d;break a}break;default:if(m.elementType===f.type){c(a,m.sibling);d=e(m,f.props);d.ref=Rb(a,m,f);d.return=a;a=d;break a}}c(a,m);break}else b(a,m);m=m.sibling}f.type===Ma?(d=Ha(f.props.children,a.mode,h,f.key),d.return=a,a=d):(h=Oc(f.type,f.key,f.props,null,a.mode,h),h.ref=Rb(a,d,f),h.return=a,a=h)}return g(a);case gb:a:{for(m=f.key;null!==d;){if(d.key===m)if(4===d.tag&&d.stateNode.containerInfo===
-f.containerInfo&&d.stateNode.implementation===f.implementation){c(a,d.sibling);d=e(d,f.children||[]);d.return=a;a=d;break a}else{c(a,d);break}else b(a,d);d=d.sibling}d=re(f,a.mode,h);d.return=a;a=d}return g(a)}if("string"===typeof f||"number"===typeof f)return f=""+f,null!==d&&6===d.tag?(c(a,d.sibling),d=e(d,f),d.return=a,a=d):(c(a,d),d=qe(f,a.mode,h),d.return=a,a=d),g(a);if(Qc(f))return q(a,d,f,h);if(zb(f))return w(a,d,f,h);n&&Nc(a,f);if("undefined"===typeof f&&!m)switch(a.tag){case 1:case 0:throw a=
-a.type,Error(k(152,a.displayName||a.name||"Component"));}return c(a,d)}}function Ta(a){if(a===Sb)throw Error(k(174));return a}function se(a,b){y(Tb,b);y(Ub,a);y(ja,Sb);a=b.nodeType;switch(a){case 9:case 11:b=(b=b.documentElement)?b.namespaceURI:Hd(null,"");break;default:a=8===a?b.parentNode:b,b=a.namespaceURI||null,a=a.tagName,b=Hd(b,a)}q(ja);y(ja,b)}function tb(a){q(ja);q(Ub);q(Tb)}function bh(a){Ta(Tb.current);var b=Ta(ja.current);var c=Hd(b,a.type);b!==c&&(y(Ub,a),y(ja,c))}function te(a){Ub.current===
-a&&(q(ja),q(Ub))}function Rc(a){for(var b=a;null!==b;){if(13===b.tag){var c=b.memoizedState;if(null!==c&&(c=c.dehydrated,null===c||c.data===$d||c.data===Zd))return b}else if(19===b.tag&&void 0!==b.memoizedProps.revealOrder){if(0!==(b.effectTag&64))return b}else if(null!==b.child){b.child.return=b;b=b.child;continue}if(b===a)break;for(;null===b.sibling;){if(null===b.return||b.return===a)return null;b=b.return}b.sibling.return=b.return;b=b.sibling}return null}function ue(a,b){return{responder:a,props:b}}
-function S(){throw Error(k(321));}function ve(a,b){if(null===b)return!1;for(var c=0;c<b.length&&c<a.length;c++)if(!Qa(a[c],b[c]))return!1;return!0}function we(a,b,c,d,e,f){Ia=f;z=b;b.memoizedState=null;b.updateQueue=null;b.expirationTime=0;Sc.current=null===a||null===a.memoizedState?dj:ej;a=c(d,e);if(b.expirationTime===Ia){f=0;do{b.expirationTime=0;if(!(25>f))throw Error(k(301));f+=1;J=K=null;b.updateQueue=null;Sc.current=fj;a=c(d,e)}while(b.expirationTime===Ia)}Sc.current=Tc;b=null!==K&&null!==K.next;
-Ia=0;J=K=z=null;Uc=!1;if(b)throw Error(k(300));return a}function ub(){var a={memoizedState:null,baseState:null,baseQueue:null,queue:null,next:null};null===J?z.memoizedState=J=a:J=J.next=a;return J}function vb(){if(null===K){var a=z.alternate;a=null!==a?a.memoizedState:null}else a=K.next;var b=null===J?z.memoizedState:J.next;if(null!==b)J=b,K=a;else{if(null===a)throw Error(k(310));K=a;a={memoizedState:K.memoizedState,baseState:K.baseState,baseQueue:K.baseQueue,queue:K.queue,next:null};null===J?z.memoizedState=
-J=a:J=J.next=a}return J}function Ua(a,b){return"function"===typeof b?b(a):b}function Vc(a,b,c){b=vb();c=b.queue;if(null===c)throw Error(k(311));c.lastRenderedReducer=a;var d=K,e=d.baseQueue,f=c.pending;if(null!==f){if(null!==e){var g=e.next;e.next=f.next;f.next=g}d.baseQueue=e=f;c.pending=null}if(null!==e){e=e.next;d=d.baseState;var h=g=f=null,m=e;do{var n=m.expirationTime;if(n<Ia){var l={expirationTime:m.expirationTime,suspenseConfig:m.suspenseConfig,action:m.action,eagerReducer:m.eagerReducer,eagerState:m.eagerState,
-next:null};null===h?(g=h=l,f=d):h=h.next=l;n>z.expirationTime&&(z.expirationTime=n,Kc(n))}else null!==h&&(h=h.next={expirationTime:1073741823,suspenseConfig:m.suspenseConfig,action:m.action,eagerReducer:m.eagerReducer,eagerState:m.eagerState,next:null}),Vg(n,m.suspenseConfig),d=m.eagerReducer===a?m.eagerState:a(d,m.action);m=m.next}while(null!==m&&m!==e);null===h?f=d:h.next=g;Qa(d,b.memoizedState)||(ia=!0);b.memoizedState=d;b.baseState=f;b.baseQueue=h;c.lastRenderedState=d}return[b.memoizedState,
-c.dispatch]}function Wc(a,b,c){b=vb();c=b.queue;if(null===c)throw Error(k(311));c.lastRenderedReducer=a;var d=c.dispatch,e=c.pending,f=b.memoizedState;if(null!==e){c.pending=null;var g=e=e.next;do f=a(f,g.action),g=g.next;while(g!==e);Qa(f,b.memoizedState)||(ia=!0);b.memoizedState=f;null===b.baseQueue&&(b.baseState=f);c.lastRenderedState=f}return[f,d]}function xe(a){var b=ub();"function"===typeof a&&(a=a());b.memoizedState=b.baseState=a;a=b.queue={pending:null,dispatch:null,lastRenderedReducer:Ua,
-lastRenderedState:a};a=a.dispatch=ch.bind(null,z,a);return[b.memoizedState,a]}function ye(a,b,c,d){a={tag:a,create:b,destroy:c,deps:d,next:null};b=z.updateQueue;null===b?(b={lastEffect:null},z.updateQueue=b,b.lastEffect=a.next=a):(c=b.lastEffect,null===c?b.lastEffect=a.next=a:(d=c.next,c.next=a,a.next=d,b.lastEffect=a));return a}function dh(a){return vb().memoizedState}function ze(a,b,c,d){var e=ub();z.effectTag|=a;e.memoizedState=ye(1|b,c,void 0,void 0===d?null:d)}function Ae(a,b,c,d){var e=vb();
-d=void 0===d?null:d;var f=void 0;if(null!==K){var g=K.memoizedState;f=g.destroy;if(null!==d&&ve(d,g.deps)){ye(b,c,f,d);return}}z.effectTag|=a;e.memoizedState=ye(1|b,c,f,d)}function eh(a,b){return ze(516,4,a,b)}function Xc(a,b){return Ae(516,4,a,b)}function fh(a,b){return Ae(4,2,a,b)}function gh(a,b){if("function"===typeof b)return a=a(),b(a),function(){b(null)};if(null!==b&&void 0!==b)return a=a(),b.current=a,function(){b.current=null}}function hh(a,b,c){c=null!==c&&void 0!==c?c.concat([a]):null;
-return Ae(4,2,gh.bind(null,b,a),c)}function Be(a,b){}function ih(a,b){ub().memoizedState=[a,void 0===b?null:b];return a}function Yc(a,b){var c=vb();b=void 0===b?null:b;var d=c.memoizedState;if(null!==d&&null!==b&&ve(b,d[1]))return d[0];c.memoizedState=[a,b];return a}function jh(a,b){var c=vb();b=void 0===b?null:b;var d=c.memoizedState;if(null!==d&&null!==b&&ve(b,d[1]))return d[0];a=a();c.memoizedState=[a,b];return a}function Ce(a,b,c){var d=Cc();Da(98>d?98:d,function(){a(!0)});Da(97<d?97:d,function(){var d=
-X.suspense;X.suspense=void 0===b?null:b;try{a(!1),c()}finally{X.suspense=d}})}function ch(a,b,c){var d=ka(),e=Vb.suspense;d=Va(d,a,e);e={expirationTime:d,suspenseConfig:e,action:c,eagerReducer:null,eagerState:null,next:null};var f=b.pending;null===f?e.next=e:(e.next=f.next,f.next=e);b.pending=e;f=a.alternate;if(a===z||null!==f&&f===z)Uc=!0,e.expirationTime=Ia,z.expirationTime=Ia;else{if(0===a.expirationTime&&(null===f||0===f.expirationTime)&&(f=b.lastRenderedReducer,null!==f))try{var g=b.lastRenderedState,
-h=f(g,c);e.eagerReducer=f;e.eagerState=h;if(Qa(h,g))return}catch(m){}finally{}Ja(a,d)}}function kh(a,b){var c=la(5,null,null,0);c.elementType="DELETED";c.type="DELETED";c.stateNode=b;c.return=a;c.effectTag=8;null!==a.lastEffect?(a.lastEffect.nextEffect=c,a.lastEffect=c):a.firstEffect=a.lastEffect=c}function lh(a,b){switch(a.tag){case 5:var c=a.type;b=1!==b.nodeType||c.toLowerCase()!==b.nodeName.toLowerCase()?null:b;return null!==b?(a.stateNode=b,!0):!1;case 6:return b=""===a.pendingProps||3!==b.nodeType?
-null:b,null!==b?(a.stateNode=b,!0):!1;case 13:return!1;default:return!1}}function De(a){if(Wa){var b=Ka;if(b){var c=b;if(!lh(a,b)){b=kb(c.nextSibling);if(!b||!lh(a,b)){a.effectTag=a.effectTag&-1025|2;Wa=!1;ra=a;return}kh(ra,c)}ra=a;Ka=kb(b.firstChild)}else a.effectTag=a.effectTag&-1025|2,Wa=!1,ra=a}}function mh(a){for(a=a.return;null!==a&&5!==a.tag&&3!==a.tag&&13!==a.tag;)a=a.return;ra=a}function Zc(a){if(a!==ra)return!1;if(!Wa)return mh(a),Wa=!0,!1;var b=a.type;if(5!==a.tag||"head"!==b&&"body"!==
-b&&!Yd(b,a.memoizedProps))for(b=Ka;b;)kh(a,b),b=kb(b.nextSibling);mh(a);if(13===a.tag){a=a.memoizedState;a=null!==a?a.dehydrated:null;if(!a)throw Error(k(317));a:{a=a.nextSibling;for(b=0;a;){if(8===a.nodeType){var c=a.data;if(c===og){if(0===b){Ka=kb(a.nextSibling);break a}b--}else c!==ng&&c!==Zd&&c!==$d||b++}a=a.nextSibling}Ka=null}}else Ka=ra?kb(a.stateNode.nextSibling):null;return!0}function Ee(){Ka=ra=null;Wa=!1}function T(a,b,c,d){b.child=null===a?Fe(b,null,c,d):wb(b,a.child,c,d)}function nh(a,
-b,c,d,e){c=c.render;var f=b.ref;rb(b,e);d=we(a,b,c,d,f,e);if(null!==a&&!ia)return b.updateQueue=a.updateQueue,b.effectTag&=-517,a.expirationTime<=e&&(a.expirationTime=0),sa(a,b,e);b.effectTag|=1;T(a,b,d,e);return b.child}function oh(a,b,c,d,e,f){if(null===a){var g=c.type;if("function"===typeof g&&!Ge(g)&&void 0===g.defaultProps&&null===c.compare&&void 0===c.defaultProps)return b.tag=15,b.type=g,ph(a,b,g,d,e,f);a=Oc(c.type,null,d,null,b.mode,f);a.ref=b.ref;a.return=b;return b.child=a}g=a.child;if(e<
-f&&(e=g.memoizedProps,c=c.compare,c=null!==c?c:Ob,c(e,d)&&a.ref===b.ref))return sa(a,b,f);b.effectTag|=1;a=Sa(g,d);a.ref=b.ref;a.return=b;return b.child=a}function ph(a,b,c,d,e,f){return null!==a&&Ob(a.memoizedProps,d)&&a.ref===b.ref&&(ia=!1,e<f)?(b.expirationTime=a.expirationTime,sa(a,b,f)):He(a,b,c,d,f)}function qh(a,b){var c=b.ref;if(null===a&&null!==c||null!==a&&a.ref!==c)b.effectTag|=128}function He(a,b,c,d,e){var f=N(c)?Ra:B.current;f=pb(b,f);rb(b,e);c=we(a,b,c,d,f,e);if(null!==a&&!ia)return b.updateQueue=
-a.updateQueue,b.effectTag&=-517,a.expirationTime<=e&&(a.expirationTime=0),sa(a,b,e);b.effectTag|=1;T(a,b,c,e);return b.child}function rh(a,b,c,d,e){if(N(c)){var f=!0;Bc(b)}else f=!1;rb(b,e);if(null===b.stateNode)null!==a&&(a.alternate=null,b.alternate=null,b.effectTag|=2),Yg(b,c,d),pe(b,c,d,e),d=!0;else if(null===a){var g=b.stateNode,h=b.memoizedProps;g.props=h;var m=g.context,n=c.contextType;"object"===typeof n&&null!==n?n=W(n):(n=N(c)?Ra:B.current,n=pb(b,n));var l=c.getDerivedStateFromProps,k="function"===
-typeof l||"function"===typeof g.getSnapshotBeforeUpdate;k||"function"!==typeof g.UNSAFE_componentWillReceiveProps&&"function"!==typeof g.componentWillReceiveProps||(h!==d||m!==n)&&Zg(b,g,d,n);Ga=!1;var p=b.memoizedState;g.state=p;Qb(b,d,g,e);m=b.memoizedState;h!==d||p!==m||G.current||Ga?("function"===typeof l&&(Lc(b,c,l,d),m=b.memoizedState),(h=Ga||Xg(b,c,h,d,p,m,n))?(k||"function"!==typeof g.UNSAFE_componentWillMount&&"function"!==typeof g.componentWillMount||("function"===typeof g.componentWillMount&&
-g.componentWillMount(),"function"===typeof g.UNSAFE_componentWillMount&&g.UNSAFE_componentWillMount()),"function"===typeof g.componentDidMount&&(b.effectTag|=4)):("function"===typeof g.componentDidMount&&(b.effectTag|=4),b.memoizedProps=d,b.memoizedState=m),g.props=d,g.state=m,g.context=n,d=h):("function"===typeof g.componentDidMount&&(b.effectTag|=4),d=!1)}else g=b.stateNode,oe(a,b),h=b.memoizedProps,g.props=b.type===b.elementType?h:aa(b.type,h),m=g.context,n=c.contextType,"object"===typeof n&&null!==
-n?n=W(n):(n=N(c)?Ra:B.current,n=pb(b,n)),l=c.getDerivedStateFromProps,(k="function"===typeof l||"function"===typeof g.getSnapshotBeforeUpdate)||"function"!==typeof g.UNSAFE_componentWillReceiveProps&&"function"!==typeof g.componentWillReceiveProps||(h!==d||m!==n)&&Zg(b,g,d,n),Ga=!1,m=b.memoizedState,g.state=m,Qb(b,d,g,e),p=b.memoizedState,h!==d||m!==p||G.current||Ga?("function"===typeof l&&(Lc(b,c,l,d),p=b.memoizedState),(l=Ga||Xg(b,c,h,d,m,p,n))?(k||"function"!==typeof g.UNSAFE_componentWillUpdate&&
-"function"!==typeof g.componentWillUpdate||("function"===typeof g.componentWillUpdate&&g.componentWillUpdate(d,p,n),"function"===typeof g.UNSAFE_componentWillUpdate&&g.UNSAFE_componentWillUpdate(d,p,n)),"function"===typeof g.componentDidUpdate&&(b.effectTag|=4),"function"===typeof g.getSnapshotBeforeUpdate&&(b.effectTag|=256)):("function"!==typeof g.componentDidUpdate||h===a.memoizedProps&&m===a.memoizedState||(b.effectTag|=4),"function"!==typeof g.getSnapshotBeforeUpdate||h===a.memoizedProps&&m===
-a.memoizedState||(b.effectTag|=256),b.memoizedProps=d,b.memoizedState=p),g.props=d,g.state=p,g.context=n,d=l):("function"!==typeof g.componentDidUpdate||h===a.memoizedProps&&m===a.memoizedState||(b.effectTag|=4),"function"!==typeof g.getSnapshotBeforeUpdate||h===a.memoizedProps&&m===a.memoizedState||(b.effectTag|=256),d=!1);return Ie(a,b,c,d,f,e)}function Ie(a,b,c,d,e,f){qh(a,b);var g=0!==(b.effectTag&64);if(!d&&!g)return e&&Hg(b,c,!1),sa(a,b,f);d=b.stateNode;gj.current=b;var h=g&&"function"!==typeof c.getDerivedStateFromError?
-null:d.render();b.effectTag|=1;null!==a&&g?(b.child=wb(b,a.child,null,f),b.child=wb(b,null,h,f)):T(a,b,h,f);b.memoizedState=d.state;e&&Hg(b,c,!0);return b.child}function sh(a){var b=a.stateNode;b.pendingContext?Fg(a,b.pendingContext,b.pendingContext!==b.context):b.context&&Fg(a,b.context,!1);se(a,b.containerInfo)}function th(a,b,c){var d=b.mode,e=b.pendingProps,f=D.current,g=!1,h;(h=0!==(b.effectTag&64))||(h=0!==(f&2)&&(null===a||null!==a.memoizedState));h?(g=!0,b.effectTag&=-65):null!==a&&null===
-a.memoizedState||void 0===e.fallback||!0===e.unstable_avoidThisFallback||(f|=1);y(D,f&1);if(null===a){void 0!==e.fallback&&De(b);if(g){g=e.fallback;e=Ha(null,d,0,null);e.return=b;if(0===(b.mode&2))for(a=null!==b.memoizedState?b.child.child:b.child,e.child=a;null!==a;)a.return=e,a=a.sibling;c=Ha(g,d,c,null);c.return=b;e.sibling=c;b.memoizedState=Je;b.child=e;return c}d=e.children;b.memoizedState=null;return b.child=Fe(b,null,d,c)}if(null!==a.memoizedState){a=a.child;d=a.sibling;if(g){e=e.fallback;
-c=Sa(a,a.pendingProps);c.return=b;if(0===(b.mode&2)&&(g=null!==b.memoizedState?b.child.child:b.child,g!==a.child))for(c.child=g;null!==g;)g.return=c,g=g.sibling;d=Sa(d,e);d.return=b;c.sibling=d;c.childExpirationTime=0;b.memoizedState=Je;b.child=c;return d}c=wb(b,a.child,e.children,c);b.memoizedState=null;return b.child=c}a=a.child;if(g){g=e.fallback;e=Ha(null,d,0,null);e.return=b;e.child=a;null!==a&&(a.return=e);if(0===(b.mode&2))for(a=null!==b.memoizedState?b.child.child:b.child,e.child=a;null!==
-a;)a.return=e,a=a.sibling;c=Ha(g,d,c,null);c.return=b;e.sibling=c;c.effectTag|=2;e.childExpirationTime=0;b.memoizedState=Je;b.child=e;return c}b.memoizedState=null;return b.child=wb(b,a,e.children,c)}function uh(a,b){a.expirationTime<b&&(a.expirationTime=b);var c=a.alternate;null!==c&&c.expirationTime<b&&(c.expirationTime=b);Sg(a.return,b)}function Ke(a,b,c,d,e,f){var g=a.memoizedState;null===g?a.memoizedState={isBackwards:b,rendering:null,renderingStartTime:0,last:d,tail:c,tailExpiration:0,tailMode:e,
-lastEffect:f}:(g.isBackwards=b,g.rendering=null,g.renderingStartTime=0,g.last=d,g.tail=c,g.tailExpiration=0,g.tailMode=e,g.lastEffect=f)}function vh(a,b,c){var d=b.pendingProps,e=d.revealOrder,f=d.tail;T(a,b,d.children,c);d=D.current;if(0!==(d&2))d=d&1|2,b.effectTag|=64;else{if(null!==a&&0!==(a.effectTag&64))a:for(a=b.child;null!==a;){if(13===a.tag)null!==a.memoizedState&&uh(a,c);else if(19===a.tag)uh(a,c);else if(null!==a.child){a.child.return=a;a=a.child;continue}if(a===b)break a;for(;null===a.sibling;){if(null===
-a.return||a.return===b)break a;a=a.return}a.sibling.return=a.return;a=a.sibling}d&=1}y(D,d);if(0===(b.mode&2))b.memoizedState=null;else switch(e){case "forwards":c=b.child;for(e=null;null!==c;)a=c.alternate,null!==a&&null===Rc(a)&&(e=c),c=c.sibling;c=e;null===c?(e=b.child,b.child=null):(e=c.sibling,c.sibling=null);Ke(b,!1,e,c,f,b.lastEffect);break;case "backwards":c=null;e=b.child;for(b.child=null;null!==e;){a=e.alternate;if(null!==a&&null===Rc(a)){b.child=e;break}a=e.sibling;e.sibling=c;c=e;e=a}Ke(b,
-!0,c,null,f,b.lastEffect);break;case "together":Ke(b,!1,null,null,void 0,b.lastEffect);break;default:b.memoizedState=null}return b.child}function sa(a,b,c){null!==a&&(b.dependencies=a.dependencies);var d=b.expirationTime;0!==d&&Kc(d);if(b.childExpirationTime<c)return null;if(null!==a&&b.child!==a.child)throw Error(k(153));if(null!==b.child){a=b.child;c=Sa(a,a.pendingProps);b.child=c;for(c.return=b;null!==a.sibling;)a=a.sibling,c=c.sibling=Sa(a,a.pendingProps),c.return=b;c.sibling=null}return b.child}
-function $c(a,b){switch(a.tailMode){case "hidden":b=a.tail;for(var c=null;null!==b;)null!==b.alternate&&(c=b),b=b.sibling;null===c?a.tail=null:c.sibling=null;break;case "collapsed":c=a.tail;for(var d=null;null!==c;)null!==c.alternate&&(d=c),c=c.sibling;null===d?b||null===a.tail?a.tail=null:a.tail.sibling=null:d.sibling=null}}function hj(a,b,c){var d=b.pendingProps;switch(b.tag){case 2:case 16:case 15:case 0:case 11:case 7:case 8:case 12:case 9:case 14:return null;case 1:return N(b.type)&&(q(G),q(B)),
-null;case 3:return tb(),q(G),q(B),c=b.stateNode,c.pendingContext&&(c.context=c.pendingContext,c.pendingContext=null),null!==a&&null!==a.child||!Zc(b)||(b.effectTag|=4),wh(b),null;case 5:te(b);c=Ta(Tb.current);var e=b.type;if(null!==a&&null!=b.stateNode)ij(a,b,e,d,c),a.ref!==b.ref&&(b.effectTag|=128);else{if(!d){if(null===b.stateNode)throw Error(k(166));return null}a=Ta(ja.current);if(Zc(b)){d=b.stateNode;e=b.type;var f=b.memoizedProps;d[Aa]=b;d[vc]=f;switch(e){case "iframe":case "object":case "embed":w("load",
-d);break;case "video":case "audio":for(a=0;a<Db.length;a++)w(Db[a],d);break;case "source":w("error",d);break;case "img":case "image":case "link":w("error",d);w("load",d);break;case "form":w("reset",d);w("submit",d);break;case "details":w("toggle",d);break;case "input":Hf(d,f);w("invalid",d);oa(c,"onChange");break;case "select":d._wrapperState={wasMultiple:!!f.multiple};w("invalid",d);oa(c,"onChange");break;case "textarea":Kf(d,f),w("invalid",d),oa(c,"onChange")}Ud(e,f);a=null;for(var g in f)if(f.hasOwnProperty(g)){var h=
-f[g];"children"===g?"string"===typeof h?d.textContent!==h&&(a=["children",h]):"number"===typeof h&&d.textContent!==""+h&&(a=["children",""+h]):db.hasOwnProperty(g)&&null!=h&&oa(c,g)}switch(e){case "input":mc(d);Jf(d,f,!0);break;case "textarea":mc(d);Mf(d);break;case "select":case "option":break;default:"function"===typeof f.onClick&&(d.onclick=uc)}c=a;b.updateQueue=c;null!==c&&(b.effectTag|=4)}else{g=9===c.nodeType?c:c.ownerDocument;"http://www.w3.org/1999/xhtml"===a&&(a=Nf(e));"http://www.w3.org/1999/xhtml"===
-a?"script"===e?(a=g.createElement("div"),a.innerHTML="<script>\x3c/script>",a=a.removeChild(a.firstChild)):"string"===typeof d.is?a=g.createElement(e,{is:d.is}):(a=g.createElement(e),"select"===e&&(g=a,d.multiple?g.multiple=!0:d.size&&(g.size=d.size))):a=g.createElementNS(a,e);a[Aa]=b;a[vc]=d;jj(a,b,!1,!1);b.stateNode=a;g=Vd(e,d);switch(e){case "iframe":case "object":case "embed":w("load",a);h=d;break;case "video":case "audio":for(h=0;h<Db.length;h++)w(Db[h],a);h=d;break;case "source":w("error",a);
-h=d;break;case "img":case "image":case "link":w("error",a);w("load",a);h=d;break;case "form":w("reset",a);w("submit",a);h=d;break;case "details":w("toggle",a);h=d;break;case "input":Hf(a,d);h=Cd(a,d);w("invalid",a);oa(c,"onChange");break;case "option":h=Fd(a,d);break;case "select":a._wrapperState={wasMultiple:!!d.multiple};h=M({},d,{value:void 0});w("invalid",a);oa(c,"onChange");break;case "textarea":Kf(a,d);h=Gd(a,d);w("invalid",a);oa(c,"onChange");break;default:h=d}Ud(e,h);var m=h;for(f in m)if(m.hasOwnProperty(f)){var n=
-m[f];"style"===f?gg(a,n):"dangerouslySetInnerHTML"===f?(n=n?n.__html:void 0,null!=n&&xh(a,n)):"children"===f?"string"===typeof n?("textarea"!==e||""!==n)&&Wb(a,n):"number"===typeof n&&Wb(a,""+n):"suppressContentEditableWarning"!==f&&"suppressHydrationWarning"!==f&&"autoFocus"!==f&&(db.hasOwnProperty(f)?null!=n&&oa(c,f):null!=n&&xd(a,f,n,g))}switch(e){case "input":mc(a);Jf(a,d,!1);break;case "textarea":mc(a);Mf(a);break;case "option":null!=d.value&&a.setAttribute("value",""+va(d.value));break;case "select":a.multiple=
-!!d.multiple;c=d.value;null!=c?hb(a,!!d.multiple,c,!1):null!=d.defaultValue&&hb(a,!!d.multiple,d.defaultValue,!0);break;default:"function"===typeof h.onClick&&(a.onclick=uc)}lg(e,d)&&(b.effectTag|=4)}null!==b.ref&&(b.effectTag|=128)}return null;case 6:if(a&&null!=b.stateNode)kj(a,b,a.memoizedProps,d);else{if("string"!==typeof d&&null===b.stateNode)throw Error(k(166));c=Ta(Tb.current);Ta(ja.current);Zc(b)?(c=b.stateNode,d=b.memoizedProps,c[Aa]=b,c.nodeValue!==d&&(b.effectTag|=4)):(c=(9===c.nodeType?
-c:c.ownerDocument).createTextNode(d),c[Aa]=b,b.stateNode=c)}return null;case 13:q(D);d=b.memoizedState;if(0!==(b.effectTag&64))return b.expirationTime=c,b;c=null!==d;d=!1;null===a?void 0!==b.memoizedProps.fallback&&Zc(b):(e=a.memoizedState,d=null!==e,c||null===e||(e=a.child.sibling,null!==e&&(f=b.firstEffect,null!==f?(b.firstEffect=e,e.nextEffect=f):(b.firstEffect=b.lastEffect=e,e.nextEffect=null),e.effectTag=8)));if(c&&!d&&0!==(b.mode&2))if(null===a&&!0!==b.memoizedProps.unstable_avoidThisFallback||
-0!==(D.current&1))F===Xa&&(F=ad);else{if(F===Xa||F===ad)F=bd;0!==Xb&&null!==U&&(Ya(U,P),yh(U,Xb))}if(c||d)b.effectTag|=4;return null;case 4:return tb(),wh(b),null;case 10:return me(b),null;case 17:return N(b.type)&&(q(G),q(B)),null;case 19:q(D);d=b.memoizedState;if(null===d)return null;e=0!==(b.effectTag&64);f=d.rendering;if(null===f)if(e)$c(d,!1);else{if(F!==Xa||null!==a&&0!==(a.effectTag&64))for(f=b.child;null!==f;){a=Rc(f);if(null!==a){b.effectTag|=64;$c(d,!1);e=a.updateQueue;null!==e&&(b.updateQueue=
-e,b.effectTag|=4);null===d.lastEffect&&(b.firstEffect=null);b.lastEffect=d.lastEffect;for(d=b.child;null!==d;)e=d,f=c,e.effectTag&=2,e.nextEffect=null,e.firstEffect=null,e.lastEffect=null,a=e.alternate,null===a?(e.childExpirationTime=0,e.expirationTime=f,e.child=null,e.memoizedProps=null,e.memoizedState=null,e.updateQueue=null,e.dependencies=null):(e.childExpirationTime=a.childExpirationTime,e.expirationTime=a.expirationTime,e.child=a.child,e.memoizedProps=a.memoizedProps,e.memoizedState=a.memoizedState,
-e.updateQueue=a.updateQueue,f=a.dependencies,e.dependencies=null===f?null:{expirationTime:f.expirationTime,firstContext:f.firstContext,responders:f.responders}),d=d.sibling;y(D,D.current&1|2);return b.child}f=f.sibling}}else{if(!e)if(a=Rc(f),null!==a){if(b.effectTag|=64,e=!0,c=a.updateQueue,null!==c&&(b.updateQueue=c,b.effectTag|=4),$c(d,!0),null===d.tail&&"hidden"===d.tailMode&&!f.alternate)return b=b.lastEffect=d.lastEffect,null!==b&&(b.nextEffect=null),null}else 2*Y()-d.renderingStartTime>d.tailExpiration&&
-1<c&&(b.effectTag|=64,e=!0,$c(d,!1),b.expirationTime=b.childExpirationTime=c-1);d.isBackwards?(f.sibling=b.child,b.child=f):(c=d.last,null!==c?c.sibling=f:b.child=f,d.last=f)}return null!==d.tail?(0===d.tailExpiration&&(d.tailExpiration=Y()+500),c=d.tail,d.rendering=c,d.tail=c.sibling,d.lastEffect=b.lastEffect,d.renderingStartTime=Y(),c.sibling=null,b=D.current,y(D,e?b&1|2:b&1),c):null}throw Error(k(156,b.tag));}function lj(a,b){switch(a.tag){case 1:return N(a.type)&&(q(G),q(B)),b=a.effectTag,b&4096?
-(a.effectTag=b&-4097|64,a):null;case 3:tb();q(G);q(B);b=a.effectTag;if(0!==(b&64))throw Error(k(285));a.effectTag=b&-4097|64;return a;case 5:return te(a),null;case 13:return q(D),b=a.effectTag,b&4096?(a.effectTag=b&-4097|64,a):null;case 19:return q(D),null;case 4:return tb(),null;case 10:return me(a),null;default:return null}}function Le(a,b){return{value:a,source:b,stack:Bd(b)}}function Me(a,b){var c=b.source,d=b.stack;null===d&&null!==c&&(d=Bd(c));null!==c&&na(c.type);b=b.value;null!==a&&1===a.tag&&
-na(a.type);try{console.error(b)}catch(e){setTimeout(function(){throw e;})}}function mj(a,b){try{b.props=a.memoizedProps,b.state=a.memoizedState,b.componentWillUnmount()}catch(c){Za(a,c)}}function zh(a){var b=a.ref;if(null!==b)if("function"===typeof b)try{b(null)}catch(c){Za(a,c)}else b.current=null}function nj(a,b){switch(b.tag){case 0:case 11:case 15:case 22:return;case 1:if(b.effectTag&256&&null!==a){var c=a.memoizedProps,d=a.memoizedState;a=b.stateNode;b=a.getSnapshotBeforeUpdate(b.elementType===
-b.type?c:aa(b.type,c),d);a.__reactInternalSnapshotBeforeUpdate=b}return;case 3:case 5:case 6:case 4:case 17:return}throw Error(k(163));}function Ah(a,b){b=b.updateQueue;b=null!==b?b.lastEffect:null;if(null!==b){var c=b=b.next;do{if((c.tag&a)===a){var d=c.destroy;c.destroy=void 0;void 0!==d&&d()}c=c.next}while(c!==b)}}function Bh(a,b){b=b.updateQueue;b=null!==b?b.lastEffect:null;if(null!==b){var c=b=b.next;do{if((c.tag&a)===a){var d=c.create;c.destroy=d()}c=c.next}while(c!==b)}}function oj(a,b,c,d){switch(c.tag){case 0:case 11:case 15:case 22:Bh(3,
-c);return;case 1:a=c.stateNode;c.effectTag&4&&(null===b?a.componentDidMount():(d=c.elementType===c.type?b.memoizedProps:aa(c.type,b.memoizedProps),a.componentDidUpdate(d,b.memoizedState,a.__reactInternalSnapshotBeforeUpdate)));b=c.updateQueue;null!==b&&Wg(c,b,a);return;case 3:b=c.updateQueue;if(null!==b){a=null;if(null!==c.child)switch(c.child.tag){case 5:a=c.child.stateNode;break;case 1:a=c.child.stateNode}Wg(c,b,a)}return;case 5:a=c.stateNode;null===b&&c.effectTag&4&&lg(c.type,c.memoizedProps)&&
-a.focus();return;case 6:return;case 4:return;case 12:return;case 13:null===c.memoizedState&&(c=c.alternate,null!==c&&(c=c.memoizedState,null!==c&&(c=c.dehydrated,null!==c&&bg(c))));return;case 19:case 17:case 20:case 21:return}throw Error(k(163));}function Ch(a,b,c){"function"===typeof Ne&&Ne(b);switch(b.tag){case 0:case 11:case 14:case 15:case 22:a=b.updateQueue;if(null!==a&&(a=a.lastEffect,null!==a)){var d=a.next;Da(97<c?97:c,function(){var a=d;do{var c=a.destroy;if(void 0!==c){var g=b;try{c()}catch(h){Za(g,
-h)}}a=a.next}while(a!==d)})}break;case 1:zh(b);c=b.stateNode;"function"===typeof c.componentWillUnmount&&mj(b,c);break;case 5:zh(b);break;case 4:Dh(a,b,c)}}function Eh(a){var b=a.alternate;a.return=null;a.child=null;a.memoizedState=null;a.updateQueue=null;a.dependencies=null;a.alternate=null;a.firstEffect=null;a.lastEffect=null;a.pendingProps=null;a.memoizedProps=null;a.stateNode=null;null!==b&&Eh(b)}function Fh(a){return 5===a.tag||3===a.tag||4===a.tag}function Gh(a){a:{for(var b=a.return;null!==
-b;){if(Fh(b)){var c=b;break a}b=b.return}throw Error(k(160));}b=c.stateNode;switch(c.tag){case 5:var d=!1;break;case 3:b=b.containerInfo;d=!0;break;case 4:b=b.containerInfo;d=!0;break;default:throw Error(k(161));}c.effectTag&16&&(Wb(b,""),c.effectTag&=-17);a:b:for(c=a;;){for(;null===c.sibling;){if(null===c.return||Fh(c.return)){c=null;break a}c=c.return}c.sibling.return=c.return;for(c=c.sibling;5!==c.tag&&6!==c.tag&&18!==c.tag;){if(c.effectTag&2)continue b;if(null===c.child||4===c.tag)continue b;
-else c.child.return=c,c=c.child}if(!(c.effectTag&2)){c=c.stateNode;break a}}d?Oe(a,c,b):Pe(a,c,b)}function Oe(a,b,c){var d=a.tag,e=5===d||6===d;if(e)a=e?a.stateNode:a.stateNode.instance,b?8===c.nodeType?c.parentNode.insertBefore(a,b):c.insertBefore(a,b):(8===c.nodeType?(b=c.parentNode,b.insertBefore(a,c)):(b=c,b.appendChild(a)),c=c._reactRootContainer,null!==c&&void 0!==c||null!==b.onclick||(b.onclick=uc));else if(4!==d&&(a=a.child,null!==a))for(Oe(a,b,c),a=a.sibling;null!==a;)Oe(a,b,c),a=a.sibling}
-function Pe(a,b,c){var d=a.tag,e=5===d||6===d;if(e)a=e?a.stateNode:a.stateNode.instance,b?c.insertBefore(a,b):c.appendChild(a);else if(4!==d&&(a=a.child,null!==a))for(Pe(a,b,c),a=a.sibling;null!==a;)Pe(a,b,c),a=a.sibling}function Dh(a,b,c){for(var d=b,e=!1,f,g;;){if(!e){e=d.return;a:for(;;){if(null===e)throw Error(k(160));f=e.stateNode;switch(e.tag){case 5:g=!1;break a;case 3:f=f.containerInfo;g=!0;break a;case 4:f=f.containerInfo;g=!0;break a}e=e.return}e=!0}if(5===d.tag||6===d.tag){a:for(var h=
-a,m=d,n=c,l=m;;)if(Ch(h,l,n),null!==l.child&&4!==l.tag)l.child.return=l,l=l.child;else{if(l===m)break a;for(;null===l.sibling;){if(null===l.return||l.return===m)break a;l=l.return}l.sibling.return=l.return;l=l.sibling}g?(h=f,m=d.stateNode,8===h.nodeType?h.parentNode.removeChild(m):h.removeChild(m)):f.removeChild(d.stateNode)}else if(4===d.tag){if(null!==d.child){f=d.stateNode.containerInfo;g=!0;d.child.return=d;d=d.child;continue}}else if(Ch(a,d,c),null!==d.child){d.child.return=d;d=d.child;continue}if(d===
-b)break;for(;null===d.sibling;){if(null===d.return||d.return===b)return;d=d.return;4===d.tag&&(e=!1)}d.sibling.return=d.return;d=d.sibling}}function Qe(a,b){switch(b.tag){case 0:case 11:case 14:case 15:case 22:Ah(3,b);return;case 1:return;case 5:var c=b.stateNode;if(null!=c){var d=b.memoizedProps,e=null!==a?a.memoizedProps:d;a=b.type;var f=b.updateQueue;b.updateQueue=null;if(null!==f){c[vc]=d;"input"===a&&"radio"===d.type&&null!=d.name&&If(c,d);Vd(a,e);b=Vd(a,d);for(e=0;e<f.length;e+=2){var g=f[e],
-h=f[e+1];"style"===g?gg(c,h):"dangerouslySetInnerHTML"===g?xh(c,h):"children"===g?Wb(c,h):xd(c,g,h,b)}switch(a){case "input":Dd(c,d);break;case "textarea":Lf(c,d);break;case "select":b=c._wrapperState.wasMultiple,c._wrapperState.wasMultiple=!!d.multiple,a=d.value,null!=a?hb(c,!!d.multiple,a,!1):b!==!!d.multiple&&(null!=d.defaultValue?hb(c,!!d.multiple,d.defaultValue,!0):hb(c,!!d.multiple,d.multiple?[]:"",!1))}}}return;case 6:if(null===b.stateNode)throw Error(k(162));b.stateNode.nodeValue=b.memoizedProps;
-return;case 3:b=b.stateNode;b.hydrate&&(b.hydrate=!1,bg(b.containerInfo));return;case 12:return;case 13:c=b;null===b.memoizedState?d=!1:(d=!0,c=b.child,Re=Y());if(null!==c)a:for(a=c;;){if(5===a.tag)f=a.stateNode,d?(f=f.style,"function"===typeof f.setProperty?f.setProperty("display","none","important"):f.display="none"):(f=a.stateNode,e=a.memoizedProps.style,e=void 0!==e&&null!==e&&e.hasOwnProperty("display")?e.display:null,f.style.display=fg("display",e));else if(6===a.tag)a.stateNode.nodeValue=d?
-"":a.memoizedProps;else if(13===a.tag&&null!==a.memoizedState&&null===a.memoizedState.dehydrated){f=a.child.sibling;f.return=a;a=f;continue}else if(null!==a.child){a.child.return=a;a=a.child;continue}if(a===c)break;for(;null===a.sibling;){if(null===a.return||a.return===c)break a;a=a.return}a.sibling.return=a.return;a=a.sibling}Hh(b);return;case 19:Hh(b);return;case 17:return}throw Error(k(163));}function Hh(a){var b=a.updateQueue;if(null!==b){a.updateQueue=null;var c=a.stateNode;null===c&&(c=a.stateNode=
-new pj);b.forEach(function(b){var d=qj.bind(null,a,b);c.has(b)||(c.add(b),b.then(d,d))})}}function Ih(a,b,c){c=Ea(c,null);c.tag=3;c.payload={element:null};var d=b.value;c.callback=function(){cd||(cd=!0,Se=d);Me(a,b)};return c}function Jh(a,b,c){c=Ea(c,null);c.tag=3;var d=a.type.getDerivedStateFromError;if("function"===typeof d){var e=b.value;c.payload=function(){Me(a,b);return d(e)}}var f=a.stateNode;null!==f&&"function"===typeof f.componentDidCatch&&(c.callback=function(){"function"!==typeof d&&
-(null===La?La=new Set([this]):La.add(this),Me(a,b));var c=b.stack;this.componentDidCatch(b.value,{componentStack:null!==c?c:""})});return c}function ka(){return(p&(ca|ma))!==H?1073741821-(Y()/10|0):0!==dd?dd:dd=1073741821-(Y()/10|0)}function Va(a,b,c){b=b.mode;if(0===(b&2))return 1073741823;var d=Cc();if(0===(b&4))return 99===d?1073741823:1073741822;if((p&ca)!==H)return P;if(null!==c)a=Fc(a,c.timeoutMs|0||5E3,250);else switch(d){case 99:a=1073741823;break;case 98:a=Fc(a,150,100);break;case 97:case 96:a=
-Fc(a,5E3,250);break;case 95:a=2;break;default:throw Error(k(326));}null!==U&&a===P&&--a;return a}function ed(a,b){a.expirationTime<b&&(a.expirationTime=b);var c=a.alternate;null!==c&&c.expirationTime<b&&(c.expirationTime=b);var d=a.return,e=null;if(null===d&&3===a.tag)e=a.stateNode;else for(;null!==d;){c=d.alternate;d.childExpirationTime<b&&(d.childExpirationTime=b);null!==c&&c.childExpirationTime<b&&(c.childExpirationTime=b);if(null===d.return&&3===d.tag){e=d.stateNode;break}d=d.return}null!==e&&
-(U===e&&(Kc(b),F===bd&&Ya(e,P)),yh(e,b));return e}function fd(a){var b=a.lastExpiredTime;if(0!==b)return b;b=a.firstPendingTime;if(!Kh(a,b))return b;var c=a.lastPingedTime;a=a.nextKnownPendingLevel;a=c>a?c:a;return 2>=a&&b!==a?0:a}function V(a){if(0!==a.lastExpiredTime)a.callbackExpirationTime=1073741823,a.callbackPriority=99,a.callbackNode=Og(Te.bind(null,a));else{var b=fd(a),c=a.callbackNode;if(0===b)null!==c&&(a.callbackNode=null,a.callbackExpirationTime=0,a.callbackPriority=90);else{var d=ka();
-1073741823===b?d=99:1===b||2===b?d=95:(d=10*(1073741821-b)-10*(1073741821-d),d=0>=d?99:250>=d?98:5250>=d?97:95);if(null!==c){var e=a.callbackPriority;if(a.callbackExpirationTime===b&&e>=d)return;c!==Qg&&Rg(c)}a.callbackExpirationTime=b;a.callbackPriority=d;b=1073741823===b?Og(Te.bind(null,a)):Ng(d,Lh.bind(null,a),{timeout:10*(1073741821-b)-Y()});a.callbackNode=b}}}function Lh(a,b){dd=0;if(b)return b=ka(),Ue(a,b),V(a),null;var c=fd(a);if(0!==c){b=a.callbackNode;if((p&(ca|ma))!==H)throw Error(k(327));
-xb();a===U&&c===P||$a(a,c);if(null!==t){var d=p;p|=ca;var e=Mh();do try{rj();break}catch(h){Nh(a,h)}while(1);le();p=d;gd.current=e;if(F===hd)throw b=id,$a(a,c),Ya(a,c),V(a),b;if(null===t)switch(e=a.finishedWork=a.current.alternate,a.finishedExpirationTime=c,d=F,U=null,d){case Xa:case hd:throw Error(k(345));case Oh:Ue(a,2<c?2:c);break;case ad:Ya(a,c);d=a.lastSuspendedTime;c===d&&(a.nextKnownPendingLevel=Ve(e));if(1073741823===ta&&(e=Re+Ph-Y(),10<e)){if(jd){var f=a.lastPingedTime;if(0===f||f>=c){a.lastPingedTime=
-c;$a(a,c);break}}f=fd(a);if(0!==f&&f!==c)break;if(0!==d&&d!==c){a.lastPingedTime=d;break}a.timeoutHandle=We(ab.bind(null,a),e);break}ab(a);break;case bd:Ya(a,c);d=a.lastSuspendedTime;c===d&&(a.nextKnownPendingLevel=Ve(e));if(jd&&(e=a.lastPingedTime,0===e||e>=c)){a.lastPingedTime=c;$a(a,c);break}e=fd(a);if(0!==e&&e!==c)break;if(0!==d&&d!==c){a.lastPingedTime=d;break}1073741823!==Yb?d=10*(1073741821-Yb)-Y():1073741823===ta?d=0:(d=10*(1073741821-ta)-5E3,e=Y(),c=10*(1073741821-c)-e,d=e-d,0>d&&(d=0),d=
-(120>d?120:480>d?480:1080>d?1080:1920>d?1920:3E3>d?3E3:4320>d?4320:1960*sj(d/1960))-d,c<d&&(d=c));if(10<d){a.timeoutHandle=We(ab.bind(null,a),d);break}ab(a);break;case Xe:if(1073741823!==ta&&null!==kd){f=ta;var g=kd;d=g.busyMinDurationMs|0;0>=d?d=0:(e=g.busyDelayMs|0,f=Y()-(10*(1073741821-f)-(g.timeoutMs|0||5E3)),d=f<=e?0:e+d-f);if(10<d){Ya(a,c);a.timeoutHandle=We(ab.bind(null,a),d);break}}ab(a);break;default:throw Error(k(329));}V(a);if(a.callbackNode===b)return Lh.bind(null,a)}}return null}function Te(a){var b=
-a.lastExpiredTime;b=0!==b?b:1073741823;if((p&(ca|ma))!==H)throw Error(k(327));xb();a===U&&b===P||$a(a,b);if(null!==t){var c=p;p|=ca;var d=Mh();do try{tj();break}catch(e){Nh(a,e)}while(1);le();p=c;gd.current=d;if(F===hd)throw c=id,$a(a,b),Ya(a,b),V(a),c;if(null!==t)throw Error(k(261));a.finishedWork=a.current.alternate;a.finishedExpirationTime=b;U=null;ab(a);V(a)}return null}function uj(){if(null!==bb){var a=bb;bb=null;a.forEach(function(a,c){Ue(c,a);V(c)});ha()}}function Qh(a,b){var c=p;p|=1;try{return a(b)}finally{p=
-c,p===H&&ha()}}function Rh(a,b){var c=p;p&=-2;p|=Ye;try{return a(b)}finally{p=c,p===H&&ha()}}function $a(a,b){a.finishedWork=null;a.finishedExpirationTime=0;var c=a.timeoutHandle;-1!==c&&(a.timeoutHandle=-1,vj(c));if(null!==t)for(c=t.return;null!==c;){var d=c;switch(d.tag){case 1:d=d.type.childContextTypes;null!==d&&void 0!==d&&(q(G),q(B));break;case 3:tb();q(G);q(B);break;case 5:te(d);break;case 4:tb();break;case 13:q(D);break;case 19:q(D);break;case 10:me(d)}c=c.return}U=a;t=Sa(a.current,null);
-P=b;F=Xa;id=null;Yb=ta=1073741823;kd=null;Xb=0;jd=!1}function Nh(a,b){do{try{le();Sc.current=Tc;if(Uc)for(var c=z.memoizedState;null!==c;){var d=c.queue;null!==d&&(d.pending=null);c=c.next}Ia=0;J=K=z=null;Uc=!1;if(null===t||null===t.return)return F=hd,id=b,t=null;a:{var e=a,f=t.return,g=t,h=b;b=P;g.effectTag|=2048;g.firstEffect=g.lastEffect=null;if(null!==h&&"object"===typeof h&&"function"===typeof h.then){var m=h;if(0===(g.mode&2)){var n=g.alternate;n?(g.updateQueue=n.updateQueue,g.memoizedState=
-n.memoizedState,g.expirationTime=n.expirationTime):(g.updateQueue=null,g.memoizedState=null)}var l=0!==(D.current&1),k=f;do{var p;if(p=13===k.tag){var q=k.memoizedState;if(null!==q)p=null!==q.dehydrated?!0:!1;else{var w=k.memoizedProps;p=void 0===w.fallback?!1:!0!==w.unstable_avoidThisFallback?!0:l?!1:!0}}if(p){var y=k.updateQueue;if(null===y){var r=new Set;r.add(m);k.updateQueue=r}else y.add(m);if(0===(k.mode&2)){k.effectTag|=64;g.effectTag&=-2981;if(1===g.tag)if(null===g.alternate)g.tag=17;else{var O=
-Ea(1073741823,null);O.tag=Jc;Fa(g,O)}g.expirationTime=1073741823;break a}h=void 0;g=b;var v=e.pingCache;null===v?(v=e.pingCache=new wj,h=new Set,v.set(m,h)):(h=v.get(m),void 0===h&&(h=new Set,v.set(m,h)));if(!h.has(g)){h.add(g);var x=xj.bind(null,e,m,g);m.then(x,x)}k.effectTag|=4096;k.expirationTime=b;break a}k=k.return}while(null!==k);h=Error((na(g.type)||"A React component")+" suspended while rendering, but no fallback UI was specified.\n\nAdd a <Suspense fallback=...> component higher in the tree to provide a loading indicator or placeholder to display."+
-Bd(g))}F!==Xe&&(F=Oh);h=Le(h,g);k=f;do{switch(k.tag){case 3:m=h;k.effectTag|=4096;k.expirationTime=b;var A=Ih(k,m,b);Ug(k,A);break a;case 1:m=h;var u=k.type,B=k.stateNode;if(0===(k.effectTag&64)&&("function"===typeof u.getDerivedStateFromError||null!==B&&"function"===typeof B.componentDidCatch&&(null===La||!La.has(B)))){k.effectTag|=4096;k.expirationTime=b;var H=Jh(k,m,b);Ug(k,H);break a}}k=k.return}while(null!==k)}t=Sh(t)}catch(cj){b=cj;continue}break}while(1)}function Mh(a){a=gd.current;gd.current=
-Tc;return null===a?Tc:a}function Vg(a,b){a<ta&&2<a&&(ta=a);null!==b&&a<Yb&&2<a&&(Yb=a,kd=b)}function Kc(a){a>Xb&&(Xb=a)}function tj(){for(;null!==t;)t=Th(t)}function rj(){for(;null!==t&&!yj();)t=Th(t)}function Th(a){var b=zj(a.alternate,a,P);a.memoizedProps=a.pendingProps;null===b&&(b=Sh(a));Uh.current=null;return b}function Sh(a){t=a;do{var b=t.alternate;a=t.return;if(0===(t.effectTag&2048)){b=hj(b,t,P);if(1===P||1!==t.childExpirationTime){for(var c=0,d=t.child;null!==d;){var e=d.expirationTime,
-f=d.childExpirationTime;e>c&&(c=e);f>c&&(c=f);d=d.sibling}t.childExpirationTime=c}if(null!==b)return b;null!==a&&0===(a.effectTag&2048)&&(null===a.firstEffect&&(a.firstEffect=t.firstEffect),null!==t.lastEffect&&(null!==a.lastEffect&&(a.lastEffect.nextEffect=t.firstEffect),a.lastEffect=t.lastEffect),1<t.effectTag&&(null!==a.lastEffect?a.lastEffect.nextEffect=t:a.firstEffect=t,a.lastEffect=t))}else{b=lj(t);if(null!==b)return b.effectTag&=2047,b;null!==a&&(a.firstEffect=a.lastEffect=null,a.effectTag|=
-2048)}b=t.sibling;if(null!==b)return b;t=a}while(null!==t);F===Xa&&(F=Xe);return null}function Ve(a){var b=a.expirationTime;a=a.childExpirationTime;return b>a?b:a}function ab(a){var b=Cc();Da(99,Aj.bind(null,a,b));return null}function Aj(a,b){do xb();while(null!==Zb);if((p&(ca|ma))!==H)throw Error(k(327));var c=a.finishedWork,d=a.finishedExpirationTime;if(null===c)return null;a.finishedWork=null;a.finishedExpirationTime=0;if(c===a.current)throw Error(k(177));a.callbackNode=null;a.callbackExpirationTime=
-0;a.callbackPriority=90;a.nextKnownPendingLevel=0;var e=Ve(c);a.firstPendingTime=e;d<=a.lastSuspendedTime?a.firstSuspendedTime=a.lastSuspendedTime=a.nextKnownPendingLevel=0:d<=a.firstSuspendedTime&&(a.firstSuspendedTime=d-1);d<=a.lastPingedTime&&(a.lastPingedTime=0);d<=a.lastExpiredTime&&(a.lastExpiredTime=0);a===U&&(t=U=null,P=0);1<c.effectTag?null!==c.lastEffect?(c.lastEffect.nextEffect=c,e=c.firstEffect):e=c:e=c.firstEffect;if(null!==e){var f=p;p|=ma;Uh.current=null;Ze=tc;var g=kg();if(Xd(g)){if("selectionStart"in
-g)var h={start:g.selectionStart,end:g.selectionEnd};else a:{h=(h=g.ownerDocument)&&h.defaultView||window;var m=h.getSelection&&h.getSelection();if(m&&0!==m.rangeCount){h=m.anchorNode;var n=m.anchorOffset,q=m.focusNode;m=m.focusOffset;try{h.nodeType,q.nodeType}catch(sb){h=null;break a}var ba=0,w=-1,y=-1,B=0,D=0,r=g,z=null;b:for(;;){for(var v;;){r!==h||0!==n&&3!==r.nodeType||(w=ba+n);r!==q||0!==m&&3!==r.nodeType||(y=ba+m);3===r.nodeType&&(ba+=r.nodeValue.length);if(null===(v=r.firstChild))break;z=r;
-r=v}for(;;){if(r===g)break b;z===h&&++B===n&&(w=ba);z===q&&++D===m&&(y=ba);if(null!==(v=r.nextSibling))break;r=z;z=r.parentNode}r=v}h=-1===w||-1===y?null:{start:w,end:y}}else h=null}h=h||{start:0,end:0}}else h=null;$e={activeElementDetached:null,focusedElem:g,selectionRange:h};tc=!1;l=e;do try{Bj()}catch(sb){if(null===l)throw Error(k(330));Za(l,sb);l=l.nextEffect}while(null!==l);l=e;do try{for(g=a,h=b;null!==l;){var x=l.effectTag;x&16&&Wb(l.stateNode,"");if(x&128){var A=l.alternate;if(null!==A){var u=
-A.ref;null!==u&&("function"===typeof u?u(null):u.current=null)}}switch(x&1038){case 2:Gh(l);l.effectTag&=-3;break;case 6:Gh(l);l.effectTag&=-3;Qe(l.alternate,l);break;case 1024:l.effectTag&=-1025;break;case 1028:l.effectTag&=-1025;Qe(l.alternate,l);break;case 4:Qe(l.alternate,l);break;case 8:n=l,Dh(g,n,h),Eh(n)}l=l.nextEffect}}catch(sb){if(null===l)throw Error(k(330));Za(l,sb);l=l.nextEffect}while(null!==l);u=$e;A=kg();x=u.focusedElem;h=u.selectionRange;if(A!==x&&x&&x.ownerDocument&&jg(x.ownerDocument.documentElement,
-x)){null!==h&&Xd(x)&&(A=h.start,u=h.end,void 0===u&&(u=A),"selectionStart"in x?(x.selectionStart=A,x.selectionEnd=Math.min(u,x.value.length)):(u=(A=x.ownerDocument||document)&&A.defaultView||window,u.getSelection&&(u=u.getSelection(),n=x.textContent.length,g=Math.min(h.start,n),h=void 0===h.end?g:Math.min(h.end,n),!u.extend&&g>h&&(n=h,h=g,g=n),n=ig(x,g),q=ig(x,h),n&&q&&(1!==u.rangeCount||u.anchorNode!==n.node||u.anchorOffset!==n.offset||u.focusNode!==q.node||u.focusOffset!==q.offset)&&(A=A.createRange(),
-A.setStart(n.node,n.offset),u.removeAllRanges(),g>h?(u.addRange(A),u.extend(q.node,q.offset)):(A.setEnd(q.node,q.offset),u.addRange(A))))));A=[];for(u=x;u=u.parentNode;)1===u.nodeType&&A.push({element:u,left:u.scrollLeft,top:u.scrollTop});"function"===typeof x.focus&&x.focus();for(x=0;x<A.length;x++)u=A[x],u.element.scrollLeft=u.left,u.element.scrollTop=u.top}tc=!!Ze;$e=Ze=null;a.current=c;l=e;do try{for(x=a;null!==l;){var F=l.effectTag;F&36&&oj(x,l.alternate,l);if(F&128){A=void 0;var E=l.ref;if(null!==
-E){var G=l.stateNode;switch(l.tag){case 5:A=G;break;default:A=G}"function"===typeof E?E(A):E.current=A}}l=l.nextEffect}}catch(sb){if(null===l)throw Error(k(330));Za(l,sb);l=l.nextEffect}while(null!==l);l=null;Cj();p=f}else a.current=c;if(ld)ld=!1,Zb=a,$b=b;else for(l=e;null!==l;)b=l.nextEffect,l.nextEffect=null,l=b;b=a.firstPendingTime;0===b&&(La=null);1073741823===b?a===af?ac++:(ac=0,af=a):ac=0;"function"===typeof bf&&bf(c.stateNode,d);V(a);if(cd)throw cd=!1,a=Se,Se=null,a;if((p&Ye)!==H)return null;
-ha();return null}function Bj(){for(;null!==l;){var a=l.effectTag;0!==(a&256)&&nj(l.alternate,l);0===(a&512)||ld||(ld=!0,Ng(97,function(){xb();return null}));l=l.nextEffect}}function xb(){if(90!==$b){var a=97<$b?97:$b;$b=90;return Da(a,Dj)}}function Dj(){if(null===Zb)return!1;var a=Zb;Zb=null;if((p&(ca|ma))!==H)throw Error(k(331));var b=p;p|=ma;for(a=a.current.firstEffect;null!==a;){try{var c=a;if(0!==(c.effectTag&512))switch(c.tag){case 0:case 11:case 15:case 22:Ah(5,c),Bh(5,c)}}catch(d){if(null===
-a)throw Error(k(330));Za(a,d)}c=a.nextEffect;a.nextEffect=null;a=c}p=b;ha();return!0}function Vh(a,b,c){b=Le(c,b);b=Ih(a,b,1073741823);Fa(a,b);a=ed(a,1073741823);null!==a&&V(a)}function Za(a,b){if(3===a.tag)Vh(a,a,b);else for(var c=a.return;null!==c;){if(3===c.tag){Vh(c,a,b);break}else if(1===c.tag){var d=c.stateNode;if("function"===typeof c.type.getDerivedStateFromError||"function"===typeof d.componentDidCatch&&(null===La||!La.has(d))){a=Le(b,a);a=Jh(c,a,1073741823);Fa(c,a);c=ed(c,1073741823);null!==
-c&&V(c);break}}c=c.return}}function xj(a,b,c){var d=a.pingCache;null!==d&&d.delete(b);U===a&&P===c?F===bd||F===ad&&1073741823===ta&&Y()-Re<Ph?$a(a,P):jd=!0:Kh(a,c)&&(b=a.lastPingedTime,0!==b&&b<c||(a.lastPingedTime=c,V(a)))}function qj(a,b){var c=a.stateNode;null!==c&&c.delete(b);b=0;0===b&&(b=ka(),b=Va(b,a,null));a=ed(a,b);null!==a&&V(a)}function Ej(a){if("undefined"===typeof __REACT_DEVTOOLS_GLOBAL_HOOK__)return!1;var b=__REACT_DEVTOOLS_GLOBAL_HOOK__;if(b.isDisabled||!b.supportsFiber)return!0;try{var c=
-b.inject(a);bf=function(a,e){try{b.onCommitFiberRoot(c,a,void 0,64===(a.current.effectTag&64))}catch(f){}};Ne=function(a){try{b.onCommitFiberUnmount(c,a)}catch(e){}}}catch(d){}return!0}function Fj(a,b,c,d){this.tag=a;this.key=c;this.sibling=this.child=this.return=this.stateNode=this.type=this.elementType=null;this.index=0;this.ref=null;this.pendingProps=b;this.dependencies=this.memoizedState=this.updateQueue=this.memoizedProps=null;this.mode=d;this.effectTag=0;this.lastEffect=this.firstEffect=this.nextEffect=
-null;this.childExpirationTime=this.expirationTime=0;this.alternate=null}function Ge(a){a=a.prototype;return!(!a||!a.isReactComponent)}function Gj(a){if("function"===typeof a)return Ge(a)?1:0;if(void 0!==a&&null!==a){a=a.$$typeof;if(a===zd)return 11;if(a===Ad)return 14}return 2}function Sa(a,b){var c=a.alternate;null===c?(c=la(a.tag,b,a.key,a.mode),c.elementType=a.elementType,c.type=a.type,c.stateNode=a.stateNode,c.alternate=a,a.alternate=c):(c.pendingProps=b,c.effectTag=0,c.nextEffect=null,c.firstEffect=
-null,c.lastEffect=null);c.childExpirationTime=a.childExpirationTime;c.expirationTime=a.expirationTime;c.child=a.child;c.memoizedProps=a.memoizedProps;c.memoizedState=a.memoizedState;c.updateQueue=a.updateQueue;b=a.dependencies;c.dependencies=null===b?null:{expirationTime:b.expirationTime,firstContext:b.firstContext,responders:b.responders};c.sibling=a.sibling;c.index=a.index;c.ref=a.ref;return c}function Oc(a,b,c,d,e,f){var g=2;d=a;if("function"===typeof a)Ge(a)&&(g=1);else if("string"===typeof a)g=
-5;else a:switch(a){case Ma:return Ha(c.children,e,f,b);case Hj:g=8;e|=7;break;case Af:g=8;e|=1;break;case kc:return a=la(12,c,b,e|8),a.elementType=kc,a.type=kc,a.expirationTime=f,a;case lc:return a=la(13,c,b,e),a.type=lc,a.elementType=lc,a.expirationTime=f,a;case yd:return a=la(19,c,b,e),a.elementType=yd,a.expirationTime=f,a;default:if("object"===typeof a&&null!==a)switch(a.$$typeof){case Cf:g=10;break a;case Bf:g=9;break a;case zd:g=11;break a;case Ad:g=14;break a;case Ef:g=16;d=null;break a;case Df:g=
-22;break a}throw Error(k(130,null==a?a:typeof a,""));}b=la(g,c,b,e);b.elementType=a;b.type=d;b.expirationTime=f;return b}function Ha(a,b,c,d){a=la(7,a,d,b);a.expirationTime=c;return a}function qe(a,b,c){a=la(6,a,null,b);a.expirationTime=c;return a}function re(a,b,c){b=la(4,null!==a.children?a.children:[],a.key,b);b.expirationTime=c;b.stateNode={containerInfo:a.containerInfo,pendingChildren:null,implementation:a.implementation};return b}function Ij(a,b,c){this.tag=b;this.current=null;this.containerInfo=
-a;this.pingCache=this.pendingChildren=null;this.finishedExpirationTime=0;this.finishedWork=null;this.timeoutHandle=-1;this.pendingContext=this.context=null;this.hydrate=c;this.callbackNode=null;this.callbackPriority=90;this.lastExpiredTime=this.lastPingedTime=this.nextKnownPendingLevel=this.lastSuspendedTime=this.firstSuspendedTime=this.firstPendingTime=0}function Kh(a,b){var c=a.firstSuspendedTime;a=a.lastSuspendedTime;return 0!==c&&c>=b&&a<=b}function Ya(a,b){var c=a.firstSuspendedTime,d=a.lastSuspendedTime;
-c<b&&(a.firstSuspendedTime=b);if(d>b||0===c)a.lastSuspendedTime=b;b<=a.lastPingedTime&&(a.lastPingedTime=0);b<=a.lastExpiredTime&&(a.lastExpiredTime=0)}function yh(a,b){b>a.firstPendingTime&&(a.firstPendingTime=b);var c=a.firstSuspendedTime;0!==c&&(b>=c?a.firstSuspendedTime=a.lastSuspendedTime=a.nextKnownPendingLevel=0:b>=a.lastSuspendedTime&&(a.lastSuspendedTime=b+1),b>a.nextKnownPendingLevel&&(a.nextKnownPendingLevel=b))}function Ue(a,b){var c=a.lastExpiredTime;if(0===c||c>b)a.lastExpiredTime=b}
-function md(a,b,c,d){var e=b.current,f=ka(),g=Vb.suspense;f=Va(f,e,g);a:if(c){c=c._reactInternalFiber;b:{if(Na(c)!==c||1!==c.tag)throw Error(k(170));var h=c;do{switch(h.tag){case 3:h=h.stateNode.context;break b;case 1:if(N(h.type)){h=h.stateNode.__reactInternalMemoizedMergedChildContext;break b}}h=h.return}while(null!==h);throw Error(k(171));}if(1===c.tag){var m=c.type;if(N(m)){c=Gg(c,m,h);break a}}c=h}else c=Ca;null===b.context?b.context=c:b.pendingContext=c;b=Ea(f,g);b.payload={element:a};d=void 0===
-d?null:d;null!==d&&(b.callback=d);Fa(e,b);Ja(e,f);return f}function cf(a){a=a.current;if(!a.child)return null;switch(a.child.tag){case 5:return a.child.stateNode;default:return a.child.stateNode}}function Wh(a,b){a=a.memoizedState;null!==a&&null!==a.dehydrated&&a.retryTime<b&&(a.retryTime=b)}function df(a,b){Wh(a,b);(a=a.alternate)&&Wh(a,b)}function ef(a,b,c){c=null!=c&&!0===c.hydrate;var d=new Ij(a,b,c),e=la(3,null,null,2===b?7:1===b?3:0);d.current=e;e.stateNode=d;ne(e);a[Lb]=d.current;c&&0!==b&&
-xi(a,9===a.nodeType?a:a.ownerDocument);this._internalRoot=d}function bc(a){return!(!a||1!==a.nodeType&&9!==a.nodeType&&11!==a.nodeType&&(8!==a.nodeType||" react-mount-point-unstable "!==a.nodeValue))}function Jj(a,b){b||(b=a?9===a.nodeType?a.documentElement:a.firstChild:null,b=!(!b||1!==b.nodeType||!b.hasAttribute("data-reactroot")));if(!b)for(var c;c=a.lastChild;)a.removeChild(c);return new ef(a,0,b?{hydrate:!0}:void 0)}function nd(a,b,c,d,e){var f=c._reactRootContainer;if(f){var g=f._internalRoot;
-if("function"===typeof e){var h=e;e=function(){var a=cf(g);h.call(a)}}md(b,g,a,e)}else{f=c._reactRootContainer=Jj(c,d);g=f._internalRoot;if("function"===typeof e){var m=e;e=function(){var a=cf(g);m.call(a)}}Rh(function(){md(b,g,a,e)})}return cf(g)}function Kj(a,b,c){var d=3<arguments.length&&void 0!==arguments[3]?arguments[3]:null;return{$$typeof:gb,key:null==d?null:""+d,children:a,containerInfo:b,implementation:c}}function Xh(a,b){var c=2<arguments.length&&void 0!==arguments[2]?arguments[2]:null;
-if(!bc(b))throw Error(k(200));return Kj(a,b,null,c)}if(!ea)throw Error(k(227));var ki=function(a,b,c,d,e,f,g,h,m){var n=Array.prototype.slice.call(arguments,3);try{b.apply(c,n)}catch(C){this.onError(C)}},yb=!1,gc=null,hc=!1,pd=null,li={onError:function(a){yb=!0;gc=a}},td=null,rf=null,mf=null,ic=null,cb={},jc=[],qd={},db={},rd={},wa=!("undefined"===typeof window||"undefined"===typeof window.document||"undefined"===typeof window.document.createElement),M=ea.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED.assign,
-sd=null,eb=null,fb=null,ee=function(a,b){return a(b)},eg=function(a,b,c,d,e){return a(b,c,d,e)},vd=function(){},vf=ee,Oa=!1,wd=!1,Z=ea.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED.Scheduler,Lj=Z.unstable_cancelCallback,ff=Z.unstable_now,$f=Z.unstable_scheduleCallback,Mj=Z.unstable_shouldYield,Yh=Z.unstable_requestPaint,Pd=Z.unstable_runWithPriority,Nj=Z.unstable_getCurrentPriorityLevel,Oj=Z.unstable_ImmediatePriority,Zh=Z.unstable_UserBlockingPriority,ag=Z.unstable_NormalPriority,Pj=Z.unstable_LowPriority,
-Qj=Z.unstable_IdlePriority,oi=/^[:A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][:A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$/,wf=Object.prototype.hasOwnProperty,yf={},xf={},E={};"children dangerouslySetInnerHTML defaultValue defaultChecked innerHTML suppressContentEditableWarning suppressHydrationWarning style".split(" ").forEach(function(a){E[a]=
-new L(a,0,!1,a,null,!1)});[["acceptCharset","accept-charset"],["className","class"],["htmlFor","for"],["httpEquiv","http-equiv"]].forEach(function(a){var b=a[0];E[b]=new L(b,1,!1,a[1],null,!1)});["contentEditable","draggable","spellCheck","value"].forEach(function(a){E[a]=new L(a,2,!1,a.toLowerCase(),null,!1)});["autoReverse","externalResourcesRequired","focusable","preserveAlpha"].forEach(function(a){E[a]=new L(a,2,!1,a,null,!1)});"allowFullScreen async autoFocus autoPlay controls default defer disabled disablePictureInPicture formNoValidate hidden loop noModule noValidate open playsInline readOnly required reversed scoped seamless itemScope".split(" ").forEach(function(a){E[a]=
-new L(a,3,!1,a.toLowerCase(),null,!1)});["checked","multiple","muted","selected"].forEach(function(a){E[a]=new L(a,3,!0,a,null,!1)});["capture","download"].forEach(function(a){E[a]=new L(a,4,!1,a,null,!1)});["cols","rows","size","span"].forEach(function(a){E[a]=new L(a,6,!1,a,null,!1)});["rowSpan","start"].forEach(function(a){E[a]=new L(a,5,!1,a.toLowerCase(),null,!1)});var gf=/[\-:]([a-z])/g,hf=function(a){return a[1].toUpperCase()};"accent-height alignment-baseline arabic-form baseline-shift cap-height clip-path clip-rule color-interpolation color-interpolation-filters color-profile color-rendering dominant-baseline enable-background fill-opacity fill-rule flood-color flood-opacity font-family font-size font-size-adjust font-stretch font-style font-variant font-weight glyph-name glyph-orientation-horizontal glyph-orientation-vertical horiz-adv-x horiz-origin-x image-rendering letter-spacing lighting-color marker-end marker-mid marker-start overline-position overline-thickness paint-order panose-1 pointer-events rendering-intent shape-rendering stop-color stop-opacity strikethrough-position strikethrough-thickness stroke-dasharray stroke-dashoffset stroke-linecap stroke-linejoin stroke-miterlimit stroke-opacity stroke-width text-anchor text-decoration text-rendering underline-position underline-thickness unicode-bidi unicode-range units-per-em v-alphabetic v-hanging v-ideographic v-mathematical vector-effect vert-adv-y vert-origin-x vert-origin-y word-spacing writing-mode xmlns:xlink x-height".split(" ").forEach(function(a){var b=
-a.replace(gf,hf);E[b]=new L(b,1,!1,a,null,!1)});"xlink:actuate xlink:arcrole xlink:role xlink:show xlink:title xlink:type".split(" ").forEach(function(a){var b=a.replace(gf,hf);E[b]=new L(b,1,!1,a,"http://www.w3.org/1999/xlink",!1)});["xml:base","xml:lang","xml:space"].forEach(function(a){var b=a.replace(gf,hf);E[b]=new L(b,1,!1,a,"http://www.w3.org/XML/1998/namespace",!1)});["tabIndex","crossOrigin"].forEach(function(a){E[a]=new L(a,1,!1,a.toLowerCase(),null,!1)});E.xlinkHref=new L("xlinkHref",1,
-!1,"xlink:href","http://www.w3.org/1999/xlink",!0);["src","href","action","formAction"].forEach(function(a){E[a]=new L(a,1,!1,a.toLowerCase(),null,!0)});var da=ea.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED;da.hasOwnProperty("ReactCurrentDispatcher")||(da.ReactCurrentDispatcher={current:null});da.hasOwnProperty("ReactCurrentBatchConfig")||(da.ReactCurrentBatchConfig={suspense:null});var si=/^(.*)[\\\/]/,Q="function"===typeof Symbol&&Symbol.for,Pc=Q?Symbol.for("react.element"):60103,gb=Q?Symbol.for("react.portal"):
-60106,Ma=Q?Symbol.for("react.fragment"):60107,Af=Q?Symbol.for("react.strict_mode"):60108,kc=Q?Symbol.for("react.profiler"):60114,Cf=Q?Symbol.for("react.provider"):60109,Bf=Q?Symbol.for("react.context"):60110,Hj=Q?Symbol.for("react.concurrent_mode"):60111,zd=Q?Symbol.for("react.forward_ref"):60112,lc=Q?Symbol.for("react.suspense"):60113,yd=Q?Symbol.for("react.suspense_list"):60120,Ad=Q?Symbol.for("react.memo"):60115,Ef=Q?Symbol.for("react.lazy"):60116,Df=Q?Symbol.for("react.block"):60121,zf="function"===
-typeof Symbol&&Symbol.iterator,od,xh=function(a){return"undefined"!==typeof MSApp&&MSApp.execUnsafeLocalFunction?function(b,c,d,e){MSApp.execUnsafeLocalFunction(function(){return a(b,c,d,e)})}:a}(function(a,b){if("http://www.w3.org/2000/svg"!==a.namespaceURI||"innerHTML"in a)a.innerHTML=b;else{od=od||document.createElement("div");od.innerHTML="<svg>"+b.valueOf().toString()+"</svg>";for(b=od.firstChild;a.firstChild;)a.removeChild(a.firstChild);for(;b.firstChild;)a.appendChild(b.firstChild)}}),Wb=function(a,
-b){if(b){var c=a.firstChild;if(c&&c===a.lastChild&&3===c.nodeType){c.nodeValue=b;return}}a.textContent=b},ib={animationend:nc("Animation","AnimationEnd"),animationiteration:nc("Animation","AnimationIteration"),animationstart:nc("Animation","AnimationStart"),transitionend:nc("Transition","TransitionEnd")},Id={},Of={};wa&&(Of=document.createElement("div").style,"AnimationEvent"in window||(delete ib.animationend.animation,delete ib.animationiteration.animation,delete ib.animationstart.animation),"TransitionEvent"in
-window||delete ib.transitionend.transition);var $h=oc("animationend"),ai=oc("animationiteration"),bi=oc("animationstart"),ci=oc("transitionend"),Db="abort canplay canplaythrough durationchange emptied encrypted ended error loadeddata loadedmetadata loadstart pause play playing progress ratechange seeked seeking stalled suspend timeupdate volumechange waiting".split(" "),Pf=new ("function"===typeof WeakMap?WeakMap:Map),Ab=null,wi=function(a){if(a){var b=a._dispatchListeners,c=a._dispatchInstances;
-if(Array.isArray(b))for(var d=0;d<b.length&&!a.isPropagationStopped();d++)lf(a,b[d],c[d]);else b&&lf(a,b,c);a._dispatchListeners=null;a._dispatchInstances=null;a.isPersistent()||a.constructor.release(a)}},qc=[],Rd=!1,fa=[],xa=null,ya=null,za=null,Eb=new Map,Fb=new Map,Jb=[],Nd="mousedown mouseup touchcancel touchend touchstart auxclick dblclick pointercancel pointerdown pointerup dragend dragstart drop compositionend compositionstart keydown keypress keyup input textInput close cancel copy cut paste click change contextmenu reset submit".split(" "),
-yi="focus blur dragenter dragleave mouseover mouseout pointerover pointerout gotpointercapture lostpointercapture".split(" "),dg={},cg=new Map,Td=new Map,Rj=["abort","abort",$h,"animationEnd",ai,"animationIteration",bi,"animationStart","canplay","canPlay","canplaythrough","canPlayThrough","durationchange","durationChange","emptied","emptied","encrypted","encrypted","ended","ended","error","error","gotpointercapture","gotPointerCapture","load","load","loadeddata","loadedData","loadedmetadata","loadedMetadata",
-"loadstart","loadStart","lostpointercapture","lostPointerCapture","playing","playing","progress","progress","seeking","seeking","stalled","stalled","suspend","suspend","timeupdate","timeUpdate",ci,"transitionEnd","waiting","waiting"];Sd("blur blur cancel cancel click click close close contextmenu contextMenu copy copy cut cut auxclick auxClick dblclick doubleClick dragend dragEnd dragstart dragStart drop drop focus focus input input invalid invalid keydown keyDown keypress keyPress keyup keyUp mousedown mouseDown mouseup mouseUp paste paste pause pause play play pointercancel pointerCancel pointerdown pointerDown pointerup pointerUp ratechange rateChange reset reset seeked seeked submit submit touchcancel touchCancel touchend touchEnd touchstart touchStart volumechange volumeChange".split(" "),
-0);Sd("drag drag dragenter dragEnter dragexit dragExit dragleave dragLeave dragover dragOver mousemove mouseMove mouseout mouseOut mouseover mouseOver pointermove pointerMove pointerout pointerOut pointerover pointerOver scroll scroll toggle toggle touchmove touchMove wheel wheel".split(" "),1);Sd(Rj,2);(function(a,b){for(var c=0;c<a.length;c++)Td.set(a[c],b)})("change selectionchange textInput compositionstart compositionend compositionupdate".split(" "),0);var Hi=Zh,Gi=Pd,tc=!0,Kb={animationIterationCount:!0,
-borderImageOutset:!0,borderImageSlice:!0,borderImageWidth:!0,boxFlex:!0,boxFlexGroup:!0,boxOrdinalGroup:!0,columnCount:!0,columns:!0,flex:!0,flexGrow:!0,flexPositive:!0,flexShrink:!0,flexNegative:!0,flexOrder:!0,gridArea:!0,gridRow:!0,gridRowEnd:!0,gridRowSpan:!0,gridRowStart:!0,gridColumn:!0,gridColumnEnd:!0,gridColumnSpan:!0,gridColumnStart:!0,fontWeight:!0,lineClamp:!0,lineHeight:!0,opacity:!0,order:!0,orphans:!0,tabSize:!0,widows:!0,zIndex:!0,zoom:!0,fillOpacity:!0,floodOpacity:!0,stopOpacity:!0,
-strokeDasharray:!0,strokeDashoffset:!0,strokeMiterlimit:!0,strokeOpacity:!0,strokeWidth:!0},Sj=["Webkit","ms","Moz","O"];Object.keys(Kb).forEach(function(a){Sj.forEach(function(b){b=b+a.charAt(0).toUpperCase()+a.substring(1);Kb[b]=Kb[a]})});var Ii=M({menuitem:!0},{area:!0,base:!0,br:!0,col:!0,embed:!0,hr:!0,img:!0,input:!0,keygen:!0,link:!0,meta:!0,param:!0,source:!0,track:!0,wbr:!0}),ng="$",og="/$",$d="$?",Zd="$!",Ze=null,$e=null,We="function"===typeof setTimeout?setTimeout:void 0,vj="function"===
-typeof clearTimeout?clearTimeout:void 0,jf=Math.random().toString(36).slice(2),Aa="__reactInternalInstance$"+jf,vc="__reactEventHandlers$"+jf,Lb="__reactContainere$"+jf,Ba=null,ce=null,wc=null;M(R.prototype,{preventDefault:function(){this.defaultPrevented=!0;var a=this.nativeEvent;a&&(a.preventDefault?a.preventDefault():"unknown"!==typeof a.returnValue&&(a.returnValue=!1),this.isDefaultPrevented=xc)},stopPropagation:function(){var a=this.nativeEvent;a&&(a.stopPropagation?a.stopPropagation():"unknown"!==
-typeof a.cancelBubble&&(a.cancelBubble=!0),this.isPropagationStopped=xc)},persist:function(){this.isPersistent=xc},isPersistent:yc,destructor:function(){var a=this.constructor.Interface,b;for(b in a)this[b]=null;this.nativeEvent=this._targetInst=this.dispatchConfig=null;this.isPropagationStopped=this.isDefaultPrevented=yc;this._dispatchInstances=this._dispatchListeners=null}});R.Interface={type:null,target:null,currentTarget:function(){return null},eventPhase:null,bubbles:null,cancelable:null,timeStamp:function(a){return a.timeStamp||
-Date.now()},defaultPrevented:null,isTrusted:null};R.extend=function(a){function b(){return c.apply(this,arguments)}var c=this,d=function(){};d.prototype=c.prototype;d=new d;M(d,b.prototype);b.prototype=d;b.prototype.constructor=b;b.Interface=M({},c.Interface,a);b.extend=c.extend;sg(b);return b};sg(R);var Tj=R.extend({data:null}),Uj=R.extend({data:null}),Ni=[9,13,27,32],de=wa&&"CompositionEvent"in window,cc=null;wa&&"documentMode"in document&&(cc=document.documentMode);var Vj=wa&&"TextEvent"in window&&
-!cc,xg=wa&&(!de||cc&&8<cc&&11>=cc),wg=String.fromCharCode(32),ua={beforeInput:{phasedRegistrationNames:{bubbled:"onBeforeInput",captured:"onBeforeInputCapture"},dependencies:["compositionend","keypress","textInput","paste"]},compositionEnd:{phasedRegistrationNames:{bubbled:"onCompositionEnd",captured:"onCompositionEndCapture"},dependencies:"blur compositionend keydown keypress keyup mousedown".split(" ")},compositionStart:{phasedRegistrationNames:{bubbled:"onCompositionStart",captured:"onCompositionStartCapture"},
-dependencies:"blur compositionstart keydown keypress keyup mousedown".split(" ")},compositionUpdate:{phasedRegistrationNames:{bubbled:"onCompositionUpdate",captured:"onCompositionUpdateCapture"},dependencies:"blur compositionupdate keydown keypress keyup mousedown".split(" ")}},vg=!1,mb=!1,Wj={eventTypes:ua,extractEvents:function(a,b,c,d,e){var f;if(de)b:{switch(a){case "compositionstart":var g=ua.compositionStart;break b;case "compositionend":g=ua.compositionEnd;break b;case "compositionupdate":g=
-ua.compositionUpdate;break b}g=void 0}else mb?tg(a,c)&&(g=ua.compositionEnd):"keydown"===a&&229===c.keyCode&&(g=ua.compositionStart);g?(xg&&"ko"!==c.locale&&(mb||g!==ua.compositionStart?g===ua.compositionEnd&&mb&&(f=rg()):(Ba=d,ce="value"in Ba?Ba.value:Ba.textContent,mb=!0)),e=Tj.getPooled(g,b,c,d),f?e.data=f:(f=ug(c),null!==f&&(e.data=f)),lb(e),f=e):f=null;(a=Vj?Oi(a,c):Pi(a,c))?(b=Uj.getPooled(ua.beforeInput,b,c,d),b.data=a,lb(b)):b=null;return null===f?b:null===b?f:[f,b]}},Qi={color:!0,date:!0,
-datetime:!0,"datetime-local":!0,email:!0,month:!0,number:!0,password:!0,range:!0,search:!0,tel:!0,text:!0,time:!0,url:!0,week:!0},Ag={change:{phasedRegistrationNames:{bubbled:"onChange",captured:"onChangeCapture"},dependencies:"blur change click focus input keydown keyup selectionchange".split(" ")}},Mb=null,Nb=null,kf=!1;wa&&(kf=Tf("input")&&(!document.documentMode||9<document.documentMode));var Xj={eventTypes:Ag,_isInputEventSupported:kf,extractEvents:function(a,b,c,d,e){e=b?Pa(b):window;var f=
-e.nodeName&&e.nodeName.toLowerCase();if("select"===f||"input"===f&&"file"===e.type)var g=Si;else if(yg(e))if(kf)g=Wi;else{g=Ui;var h=Ti}else(f=e.nodeName)&&"input"===f.toLowerCase()&&("checkbox"===e.type||"radio"===e.type)&&(g=Vi);if(g&&(g=g(a,b)))return zg(g,c,d);h&&h(a,e,b);"blur"===a&&(a=e._wrapperState)&&a.controlled&&"number"===e.type&&Ed(e,"number",e.value)}},dc=R.extend({view:null,detail:null}),Yi={Alt:"altKey",Control:"ctrlKey",Meta:"metaKey",Shift:"shiftKey"},di=0,ei=0,fi=!1,gi=!1,ec=dc.extend({screenX:null,
-screenY:null,clientX:null,clientY:null,pageX:null,pageY:null,ctrlKey:null,shiftKey:null,altKey:null,metaKey:null,getModifierState:fe,button:null,buttons:null,relatedTarget:function(a){return a.relatedTarget||(a.fromElement===a.srcElement?a.toElement:a.fromElement)},movementX:function(a){if("movementX"in a)return a.movementX;var b=di;di=a.screenX;return fi?"mousemove"===a.type?a.screenX-b:0:(fi=!0,0)},movementY:function(a){if("movementY"in a)return a.movementY;var b=ei;ei=a.screenY;return gi?"mousemove"===
-a.type?a.screenY-b:0:(gi=!0,0)}}),hi=ec.extend({pointerId:null,width:null,height:null,pressure:null,tangentialPressure:null,tiltX:null,tiltY:null,twist:null,pointerType:null,isPrimary:null}),fc={mouseEnter:{registrationName:"onMouseEnter",dependencies:["mouseout","mouseover"]},mouseLeave:{registrationName:"onMouseLeave",dependencies:["mouseout","mouseover"]},pointerEnter:{registrationName:"onPointerEnter",dependencies:["pointerout","pointerover"]},pointerLeave:{registrationName:"onPointerLeave",dependencies:["pointerout",
-"pointerover"]}},Yj={eventTypes:fc,extractEvents:function(a,b,c,d,e){var f="mouseover"===a||"pointerover"===a,g="mouseout"===a||"pointerout"===a;if(f&&0===(e&32)&&(c.relatedTarget||c.fromElement)||!g&&!f)return null;f=d.window===d?d:(f=d.ownerDocument)?f.defaultView||f.parentWindow:window;if(g){if(g=b,b=(b=c.relatedTarget||c.toElement)?Bb(b):null,null!==b){var h=Na(b);if(b!==h||5!==b.tag&&6!==b.tag)b=null}}else g=null;if(g===b)return null;if("mouseout"===a||"mouseover"===a){var m=ec;var n=fc.mouseLeave;
-var l=fc.mouseEnter;var k="mouse"}else if("pointerout"===a||"pointerover"===a)m=hi,n=fc.pointerLeave,l=fc.pointerEnter,k="pointer";a=null==g?f:Pa(g);f=null==b?f:Pa(b);n=m.getPooled(n,g,c,d);n.type=k+"leave";n.target=a;n.relatedTarget=f;c=m.getPooled(l,b,c,d);c.type=k+"enter";c.target=f;c.relatedTarget=a;d=g;k=b;if(d&&k)a:{m=d;l=k;g=0;for(a=m;a;a=pa(a))g++;a=0;for(b=l;b;b=pa(b))a++;for(;0<g-a;)m=pa(m),g--;for(;0<a-g;)l=pa(l),a--;for(;g--;){if(m===l||m===l.alternate)break a;m=pa(m);l=pa(l)}m=null}else m=
-null;l=m;for(m=[];d&&d!==l;){g=d.alternate;if(null!==g&&g===l)break;m.push(d);d=pa(d)}for(d=[];k&&k!==l;){g=k.alternate;if(null!==g&&g===l)break;d.push(k);k=pa(k)}for(k=0;k<m.length;k++)be(m[k],"bubbled",n);for(k=d.length;0<k--;)be(d[k],"captured",c);return 0===(e&64)?[n]:[n,c]}},Qa="function"===typeof Object.is?Object.is:Zi,$i=Object.prototype.hasOwnProperty,Zj=wa&&"documentMode"in document&&11>=document.documentMode,Eg={select:{phasedRegistrationNames:{bubbled:"onSelect",captured:"onSelectCapture"},
-dependencies:"blur contextmenu dragend focus keydown keyup mousedown mouseup selectionchange".split(" ")}},nb=null,he=null,Pb=null,ge=!1,ak={eventTypes:Eg,extractEvents:function(a,b,c,d,e,f){e=f||(d.window===d?d.document:9===d.nodeType?d:d.ownerDocument);if(!(f=!e)){a:{e=Jd(e);f=rd.onSelect;for(var g=0;g<f.length;g++)if(!e.has(f[g])){e=!1;break a}e=!0}f=!e}if(f)return null;e=b?Pa(b):window;switch(a){case "focus":if(yg(e)||"true"===e.contentEditable)nb=e,he=b,Pb=null;break;case "blur":Pb=he=nb=null;
-break;case "mousedown":ge=!0;break;case "contextmenu":case "mouseup":case "dragend":return ge=!1,Dg(c,d);case "selectionchange":if(Zj)break;case "keydown":case "keyup":return Dg(c,d)}return null}},bk=R.extend({animationName:null,elapsedTime:null,pseudoElement:null}),ck=R.extend({clipboardData:function(a){return"clipboardData"in a?a.clipboardData:window.clipboardData}}),dk=dc.extend({relatedTarget:null}),ek={Esc:"Escape",Spacebar:" ",Left:"ArrowLeft",Up:"ArrowUp",Right:"ArrowRight",Down:"ArrowDown",
-Del:"Delete",Win:"OS",Menu:"ContextMenu",Apps:"ContextMenu",Scroll:"ScrollLock",MozPrintableKey:"Unidentified"},fk={8:"Backspace",9:"Tab",12:"Clear",13:"Enter",16:"Shift",17:"Control",18:"Alt",19:"Pause",20:"CapsLock",27:"Escape",32:" ",33:"PageUp",34:"PageDown",35:"End",36:"Home",37:"ArrowLeft",38:"ArrowUp",39:"ArrowRight",40:"ArrowDown",45:"Insert",46:"Delete",112:"F1",113:"F2",114:"F3",115:"F4",116:"F5",117:"F6",118:"F7",119:"F8",120:"F9",121:"F10",122:"F11",123:"F12",144:"NumLock",145:"ScrollLock",
-224:"Meta"},gk=dc.extend({key:function(a){if(a.key){var b=ek[a.key]||a.key;if("Unidentified"!==b)return b}return"keypress"===a.type?(a=Ac(a),13===a?"Enter":String.fromCharCode(a)):"keydown"===a.type||"keyup"===a.type?fk[a.keyCode]||"Unidentified":""},location:null,ctrlKey:null,shiftKey:null,altKey:null,metaKey:null,repeat:null,locale:null,getModifierState:fe,charCode:function(a){return"keypress"===a.type?Ac(a):0},keyCode:function(a){return"keydown"===a.type||"keyup"===a.type?a.keyCode:0},which:function(a){return"keypress"===
-a.type?Ac(a):"keydown"===a.type||"keyup"===a.type?a.keyCode:0}}),hk=ec.extend({dataTransfer:null}),ik=dc.extend({touches:null,targetTouches:null,changedTouches:null,altKey:null,metaKey:null,ctrlKey:null,shiftKey:null,getModifierState:fe}),jk=R.extend({propertyName:null,elapsedTime:null,pseudoElement:null}),kk=ec.extend({deltaX:function(a){return"deltaX"in a?a.deltaX:"wheelDeltaX"in a?-a.wheelDeltaX:0},deltaY:function(a){return"deltaY"in a?a.deltaY:"wheelDeltaY"in a?-a.wheelDeltaY:"wheelDelta"in a?
--a.wheelDelta:0},deltaZ:null,deltaMode:null}),lk={eventTypes:dg,extractEvents:function(a,b,c,d,e){e=cg.get(a);if(!e)return null;switch(a){case "keypress":if(0===Ac(c))return null;case "keydown":case "keyup":a=gk;break;case "blur":case "focus":a=dk;break;case "click":if(2===c.button)return null;case "auxclick":case "dblclick":case "mousedown":case "mousemove":case "mouseup":case "mouseout":case "mouseover":case "contextmenu":a=ec;break;case "drag":case "dragend":case "dragenter":case "dragexit":case "dragleave":case "dragover":case "dragstart":case "drop":a=
-hk;break;case "touchcancel":case "touchend":case "touchmove":case "touchstart":a=ik;break;case $h:case ai:case bi:a=bk;break;case ci:a=jk;break;case "scroll":a=dc;break;case "wheel":a=kk;break;case "copy":case "cut":case "paste":a=ck;break;case "gotpointercapture":case "lostpointercapture":case "pointercancel":case "pointerdown":case "pointermove":case "pointerout":case "pointerover":case "pointerup":a=hi;break;default:a=R}b=a.getPooled(e,b,c,d);lb(b);return b}};(function(a){if(ic)throw Error(k(101));
-ic=Array.prototype.slice.call(a);nf()})("ResponderEventPlugin SimpleEventPlugin EnterLeaveEventPlugin ChangeEventPlugin SelectEventPlugin BeforeInputEventPlugin".split(" "));(function(a,b,c){td=a;rf=b;mf=c})(ae,Hb,Pa);pf({SimpleEventPlugin:lk,EnterLeaveEventPlugin:Yj,ChangeEventPlugin:Xj,SelectEventPlugin:ak,BeforeInputEventPlugin:Wj});var ie=[],ob=-1,Ca={},B={current:Ca},G={current:!1},Ra=Ca,bj=Pd,je=$f,Rg=Lj,aj=Nj,Dc=Oj,Ig=Zh,Jg=ag,Kg=Pj,Lg=Qj,Qg={},yj=Mj,Cj=void 0!==Yh?Yh:function(){},qa=null,
-Ec=null,ke=!1,ii=ff(),Y=1E4>ii?ff:function(){return ff()-ii},Ic={current:null},Hc=null,qb=null,Gc=null,Tg=0,Jc=2,Ga=!1,Vb=da.ReactCurrentBatchConfig,$g=(new ea.Component).refs,Mc={isMounted:function(a){return(a=a._reactInternalFiber)?Na(a)===a:!1},enqueueSetState:function(a,b,c){a=a._reactInternalFiber;var d=ka(),e=Vb.suspense;d=Va(d,a,e);e=Ea(d,e);e.payload=b;void 0!==c&&null!==c&&(e.callback=c);Fa(a,e);Ja(a,d)},enqueueReplaceState:function(a,b,c){a=a._reactInternalFiber;var d=ka(),e=Vb.suspense;
-d=Va(d,a,e);e=Ea(d,e);e.tag=1;e.payload=b;void 0!==c&&null!==c&&(e.callback=c);Fa(a,e);Ja(a,d)},enqueueForceUpdate:function(a,b){a=a._reactInternalFiber;var c=ka(),d=Vb.suspense;c=Va(c,a,d);d=Ea(c,d);d.tag=Jc;void 0!==b&&null!==b&&(d.callback=b);Fa(a,d);Ja(a,c)}},Qc=Array.isArray,wb=ah(!0),Fe=ah(!1),Sb={},ja={current:Sb},Ub={current:Sb},Tb={current:Sb},D={current:0},Sc=da.ReactCurrentDispatcher,X=da.ReactCurrentBatchConfig,Ia=0,z=null,K=null,J=null,Uc=!1,Tc={readContext:W,useCallback:S,useContext:S,
-useEffect:S,useImperativeHandle:S,useLayoutEffect:S,useMemo:S,useReducer:S,useRef:S,useState:S,useDebugValue:S,useResponder:S,useDeferredValue:S,useTransition:S},dj={readContext:W,useCallback:ih,useContext:W,useEffect:eh,useImperativeHandle:function(a,b,c){c=null!==c&&void 0!==c?c.concat([a]):null;return ze(4,2,gh.bind(null,b,a),c)},useLayoutEffect:function(a,b){return ze(4,2,a,b)},useMemo:function(a,b){var c=ub();b=void 0===b?null:b;a=a();c.memoizedState=[a,b];return a},useReducer:function(a,b,c){var d=
-ub();b=void 0!==c?c(b):b;d.memoizedState=d.baseState=b;a=d.queue={pending:null,dispatch:null,lastRenderedReducer:a,lastRenderedState:b};a=a.dispatch=ch.bind(null,z,a);return[d.memoizedState,a]},useRef:function(a){var b=ub();a={current:a};return b.memoizedState=a},useState:xe,useDebugValue:Be,useResponder:ue,useDeferredValue:function(a,b){var c=xe(a),d=c[0],e=c[1];eh(function(){var c=X.suspense;X.suspense=void 0===b?null:b;try{e(a)}finally{X.suspense=c}},[a,b]);return d},useTransition:function(a){var b=
-xe(!1),c=b[0];b=b[1];return[ih(Ce.bind(null,b,a),[b,a]),c]}},ej={readContext:W,useCallback:Yc,useContext:W,useEffect:Xc,useImperativeHandle:hh,useLayoutEffect:fh,useMemo:jh,useReducer:Vc,useRef:dh,useState:function(a){return Vc(Ua)},useDebugValue:Be,useResponder:ue,useDeferredValue:function(a,b){var c=Vc(Ua),d=c[0],e=c[1];Xc(function(){var c=X.suspense;X.suspense=void 0===b?null:b;try{e(a)}finally{X.suspense=c}},[a,b]);return d},useTransition:function(a){var b=Vc(Ua),c=b[0];b=b[1];return[Yc(Ce.bind(null,
-b,a),[b,a]),c]}},fj={readContext:W,useCallback:Yc,useContext:W,useEffect:Xc,useImperativeHandle:hh,useLayoutEffect:fh,useMemo:jh,useReducer:Wc,useRef:dh,useState:function(a){return Wc(Ua)},useDebugValue:Be,useResponder:ue,useDeferredValue:function(a,b){var c=Wc(Ua),d=c[0],e=c[1];Xc(function(){var c=X.suspense;X.suspense=void 0===b?null:b;try{e(a)}finally{X.suspense=c}},[a,b]);return d},useTransition:function(a){var b=Wc(Ua),c=b[0];b=b[1];return[Yc(Ce.bind(null,b,a),[b,a]),c]}},ra=null,Ka=null,Wa=
-!1,gj=da.ReactCurrentOwner,ia=!1,Je={dehydrated:null,retryTime:0};var jj=function(a,b,c,d){for(c=b.child;null!==c;){if(5===c.tag||6===c.tag)a.appendChild(c.stateNode);else if(4!==c.tag&&null!==c.child){c.child.return=c;c=c.child;continue}if(c===b)break;for(;null===c.sibling;){if(null===c.return||c.return===b)return;c=c.return}c.sibling.return=c.return;c=c.sibling}};var wh=function(a){};var ij=function(a,b,c,d,e){var f=a.memoizedProps;if(f!==d){var g=b.stateNode;Ta(ja.current);a=null;switch(c){case "input":f=
-Cd(g,f);d=Cd(g,d);a=[];break;case "option":f=Fd(g,f);d=Fd(g,d);a=[];break;case "select":f=M({},f,{value:void 0});d=M({},d,{value:void 0});a=[];break;case "textarea":f=Gd(g,f);d=Gd(g,d);a=[];break;default:"function"!==typeof f.onClick&&"function"===typeof d.onClick&&(g.onclick=uc)}Ud(c,d);var h,m;c=null;for(h in f)if(!d.hasOwnProperty(h)&&f.hasOwnProperty(h)&&null!=f[h])if("style"===h)for(m in g=f[h],g)g.hasOwnProperty(m)&&(c||(c={}),c[m]="");else"dangerouslySetInnerHTML"!==h&&"children"!==h&&"suppressContentEditableWarning"!==
-h&&"suppressHydrationWarning"!==h&&"autoFocus"!==h&&(db.hasOwnProperty(h)?a||(a=[]):(a=a||[]).push(h,null));for(h in d){var k=d[h];g=null!=f?f[h]:void 0;if(d.hasOwnProperty(h)&&k!==g&&(null!=k||null!=g))if("style"===h)if(g){for(m in g)!g.hasOwnProperty(m)||k&&k.hasOwnProperty(m)||(c||(c={}),c[m]="");for(m in k)k.hasOwnProperty(m)&&g[m]!==k[m]&&(c||(c={}),c[m]=k[m])}else c||(a||(a=[]),a.push(h,c)),c=k;else"dangerouslySetInnerHTML"===h?(k=k?k.__html:void 0,g=g?g.__html:void 0,null!=k&&g!==k&&(a=a||
-[]).push(h,k)):"children"===h?g===k||"string"!==typeof k&&"number"!==typeof k||(a=a||[]).push(h,""+k):"suppressContentEditableWarning"!==h&&"suppressHydrationWarning"!==h&&(db.hasOwnProperty(h)?(null!=k&&oa(e,h),a||g===k||(a=[])):(a=a||[]).push(h,k))}c&&(a=a||[]).push("style",c);e=a;if(b.updateQueue=e)b.effectTag|=4}};var kj=function(a,b,c,d){c!==d&&(b.effectTag|=4)};var pj="function"===typeof WeakSet?WeakSet:Set,wj="function"===typeof WeakMap?WeakMap:Map,sj=Math.ceil,gd=da.ReactCurrentDispatcher,
-Uh=da.ReactCurrentOwner,H=0,Ye=8,ca=16,ma=32,Xa=0,hd=1,Oh=2,ad=3,bd=4,Xe=5,p=H,U=null,t=null,P=0,F=Xa,id=null,ta=1073741823,Yb=1073741823,kd=null,Xb=0,jd=!1,Re=0,Ph=500,l=null,cd=!1,Se=null,La=null,ld=!1,Zb=null,$b=90,bb=null,ac=0,af=null,dd=0,Ja=function(a,b){if(50<ac)throw ac=0,af=null,Error(k(185));a=ed(a,b);if(null!==a){var c=Cc();1073741823===b?(p&Ye)!==H&&(p&(ca|ma))===H?Te(a):(V(a),p===H&&ha()):V(a);(p&4)===H||98!==c&&99!==c||(null===bb?bb=new Map([[a,b]]):(c=bb.get(a),(void 0===c||c>b)&&bb.set(a,
-b)))}};var zj=function(a,b,c){var d=b.expirationTime;if(null!==a){var e=b.pendingProps;if(a.memoizedProps!==e||G.current)ia=!0;else{if(d<c){ia=!1;switch(b.tag){case 3:sh(b);Ee();break;case 5:bh(b);if(b.mode&4&&1!==c&&e.hidden)return b.expirationTime=b.childExpirationTime=1,null;break;case 1:N(b.type)&&Bc(b);break;case 4:se(b,b.stateNode.containerInfo);break;case 10:d=b.memoizedProps.value;e=b.type._context;y(Ic,e._currentValue);e._currentValue=d;break;case 13:if(null!==b.memoizedState){d=b.child.childExpirationTime;
-if(0!==d&&d>=c)return th(a,b,c);y(D,D.current&1);b=sa(a,b,c);return null!==b?b.sibling:null}y(D,D.current&1);break;case 19:d=b.childExpirationTime>=c;if(0!==(a.effectTag&64)){if(d)return vh(a,b,c);b.effectTag|=64}e=b.memoizedState;null!==e&&(e.rendering=null,e.tail=null);y(D,D.current);if(!d)return null}return sa(a,b,c)}ia=!1}}else ia=!1;b.expirationTime=0;switch(b.tag){case 2:d=b.type;null!==a&&(a.alternate=null,b.alternate=null,b.effectTag|=2);a=b.pendingProps;e=pb(b,B.current);rb(b,c);e=we(null,
-b,d,a,e,c);b.effectTag|=1;if("object"===typeof e&&null!==e&&"function"===typeof e.render&&void 0===e.$$typeof){b.tag=1;b.memoizedState=null;b.updateQueue=null;if(N(d)){var f=!0;Bc(b)}else f=!1;b.memoizedState=null!==e.state&&void 0!==e.state?e.state:null;ne(b);var g=d.getDerivedStateFromProps;"function"===typeof g&&Lc(b,d,g,a);e.updater=Mc;b.stateNode=e;e._reactInternalFiber=b;pe(b,d,a,c);b=Ie(null,b,d,!0,f,c)}else b.tag=0,T(null,b,e,c),b=b.child;return b;case 16:a:{e=b.elementType;null!==a&&(a.alternate=
-null,b.alternate=null,b.effectTag|=2);a=b.pendingProps;ri(e);if(1!==e._status)throw e._result;e=e._result;b.type=e;f=b.tag=Gj(e);a=aa(e,a);switch(f){case 0:b=He(null,b,e,a,c);break a;case 1:b=rh(null,b,e,a,c);break a;case 11:b=nh(null,b,e,a,c);break a;case 14:b=oh(null,b,e,aa(e.type,a),d,c);break a}throw Error(k(306,e,""));}return b;case 0:return d=b.type,e=b.pendingProps,e=b.elementType===d?e:aa(d,e),He(a,b,d,e,c);case 1:return d=b.type,e=b.pendingProps,e=b.elementType===d?e:aa(d,e),rh(a,b,d,e,c);
-case 3:sh(b);d=b.updateQueue;if(null===a||null===d)throw Error(k(282));d=b.pendingProps;e=b.memoizedState;e=null!==e?e.element:null;oe(a,b);Qb(b,d,null,c);d=b.memoizedState.element;if(d===e)Ee(),b=sa(a,b,c);else{if(e=b.stateNode.hydrate)Ka=kb(b.stateNode.containerInfo.firstChild),ra=b,e=Wa=!0;if(e)for(c=Fe(b,null,d,c),b.child=c;c;)c.effectTag=c.effectTag&-3|1024,c=c.sibling;else T(a,b,d,c),Ee();b=b.child}return b;case 5:return bh(b),null===a&&De(b),d=b.type,e=b.pendingProps,f=null!==a?a.memoizedProps:
-null,g=e.children,Yd(d,e)?g=null:null!==f&&Yd(d,f)&&(b.effectTag|=16),qh(a,b),b.mode&4&&1!==c&&e.hidden?(b.expirationTime=b.childExpirationTime=1,b=null):(T(a,b,g,c),b=b.child),b;case 6:return null===a&&De(b),null;case 13:return th(a,b,c);case 4:return se(b,b.stateNode.containerInfo),d=b.pendingProps,null===a?b.child=wb(b,null,d,c):T(a,b,d,c),b.child;case 11:return d=b.type,e=b.pendingProps,e=b.elementType===d?e:aa(d,e),nh(a,b,d,e,c);case 7:return T(a,b,b.pendingProps,c),b.child;case 8:return T(a,
-b,b.pendingProps.children,c),b.child;case 12:return T(a,b,b.pendingProps.children,c),b.child;case 10:a:{d=b.type._context;e=b.pendingProps;g=b.memoizedProps;f=e.value;var h=b.type._context;y(Ic,h._currentValue);h._currentValue=f;if(null!==g)if(h=g.value,f=Qa(h,f)?0:("function"===typeof d._calculateChangedBits?d._calculateChangedBits(h,f):1073741823)|0,0===f){if(g.children===e.children&&!G.current){b=sa(a,b,c);break a}}else for(h=b.child,null!==h&&(h.return=b);null!==h;){var m=h.dependencies;if(null!==
-m){g=h.child;for(var l=m.firstContext;null!==l;){if(l.context===d&&0!==(l.observedBits&f)){1===h.tag&&(l=Ea(c,null),l.tag=Jc,Fa(h,l));h.expirationTime<c&&(h.expirationTime=c);l=h.alternate;null!==l&&l.expirationTime<c&&(l.expirationTime=c);Sg(h.return,c);m.expirationTime<c&&(m.expirationTime=c);break}l=l.next}}else g=10===h.tag?h.type===b.type?null:h.child:h.child;if(null!==g)g.return=h;else for(g=h;null!==g;){if(g===b){g=null;break}h=g.sibling;if(null!==h){h.return=g.return;g=h;break}g=g.return}h=
-g}T(a,b,e.children,c);b=b.child}return b;case 9:return e=b.type,f=b.pendingProps,d=f.children,rb(b,c),e=W(e,f.unstable_observedBits),d=d(e),b.effectTag|=1,T(a,b,d,c),b.child;case 14:return e=b.type,f=aa(e,b.pendingProps),f=aa(e.type,f),oh(a,b,e,f,d,c);case 15:return ph(a,b,b.type,b.pendingProps,d,c);case 17:return d=b.type,e=b.pendingProps,e=b.elementType===d?e:aa(d,e),null!==a&&(a.alternate=null,b.alternate=null,b.effectTag|=2),b.tag=1,N(d)?(a=!0,Bc(b)):a=!1,rb(b,c),Yg(b,d,e),pe(b,d,e,c),Ie(null,
-b,d,!0,a,c);case 19:return vh(a,b,c)}throw Error(k(156,b.tag));};var bf=null,Ne=null,la=function(a,b,c,d){return new Fj(a,b,c,d)};ef.prototype.render=function(a){md(a,this._internalRoot,null,null)};ef.prototype.unmount=function(){var a=this._internalRoot,b=a.containerInfo;md(null,a,null,function(){b[Lb]=null})};var Di=function(a){if(13===a.tag){var b=Fc(ka(),150,100);Ja(a,b);df(a,b)}};var Yf=function(a){13===a.tag&&(Ja(a,3),df(a,3))};var Bi=function(a){if(13===a.tag){var b=ka();b=Va(b,a,null);Ja(a,
-b);df(a,b)}};sd=function(a,b,c){switch(b){case "input":Dd(a,c);b=c.name;if("radio"===c.type&&null!=b){for(c=a;c.parentNode;)c=c.parentNode;c=c.querySelectorAll("input[name="+JSON.stringify(""+b)+'][type="radio"]');for(b=0;b<c.length;b++){var d=c[b];if(d!==a&&d.form===a.form){var e=ae(d);if(!e)throw Error(k(90));Gf(d);Dd(d,e)}}}break;case "textarea":Lf(a,c);break;case "select":b=c.value,null!=b&&hb(a,!!c.multiple,b,!1)}};(function(a,b,c,d){ee=a;eg=b;vd=c;vf=d})(Qh,function(a,b,c,d,e){var f=p;p|=4;
-try{return Da(98,a.bind(null,b,c,d,e))}finally{p=f,p===H&&ha()}},function(){(p&(1|ca|ma))===H&&(uj(),xb())},function(a,b){var c=p;p|=2;try{return a(b)}finally{p=c,p===H&&ha()}});var mk={Events:[Hb,Pa,ae,pf,qd,lb,function(a){Kd(a,Ki)},sf,tf,sc,pc,xb,{current:!1}]};(function(a){var b=a.findFiberByHostInstance;return Ej(M({},a,{overrideHookState:null,overrideProps:null,setSuspenseHandler:null,scheduleUpdate:null,currentDispatcherRef:da.ReactCurrentDispatcher,findHostInstanceByFiber:function(a){a=Sf(a);
-return null===a?null:a.stateNode},findFiberByHostInstance:function(a){return b?b(a):null},findHostInstancesForRefresh:null,scheduleRefresh:null,scheduleRoot:null,setRefreshHandler:null,getCurrentFiber:null}))})({findFiberByHostInstance:Bb,bundleType:0,version:"16.13.1",rendererPackageName:"react-dom"});I.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED=mk;I.createPortal=Xh;I.findDOMNode=function(a){if(null==a)return null;if(1===a.nodeType)return a;var b=a._reactInternalFiber;if(void 0===
-b){if("function"===typeof a.render)throw Error(k(188));throw Error(k(268,Object.keys(a)));}a=Sf(b);a=null===a?null:a.stateNode;return a};I.flushSync=function(a,b){if((p&(ca|ma))!==H)throw Error(k(187));var c=p;p|=1;try{return Da(99,a.bind(null,b))}finally{p=c,ha()}};I.hydrate=function(a,b,c){if(!bc(b))throw Error(k(200));return nd(null,a,b,!0,c)};I.render=function(a,b,c){if(!bc(b))throw Error(k(200));return nd(null,a,b,!1,c)};I.unmountComponentAtNode=function(a){if(!bc(a))throw Error(k(40));return a._reactRootContainer?
-(Rh(function(){nd(null,null,a,!1,function(){a._reactRootContainer=null;a[Lb]=null})}),!0):!1};I.unstable_batchedUpdates=Qh;I.unstable_createPortal=function(a,b){return Xh(a,b,2<arguments.length&&void 0!==arguments[2]?arguments[2]:null)};I.unstable_renderSubtreeIntoContainer=function(a,b,c,d){if(!bc(c))throw Error(k(200));if(null==a||void 0===a._reactInternalFiber)throw Error(k(38));return nd(a,b,c,!1,d)};I.version="16.13.1"});
-</script>
-    <script>const e = React.createElement;
-
-function pathToString(path) {
-  if (path[0] === '/') {
-    return '/' + path.slice(1).join('/');
-  } else {
-    return path.join('/');
-  }
-}
-
-function findCommonPath(files) {
-  if (!files || !files.length) {
-    return [];
-  }
-
-  function isPrefix(arr, prefix) {
-    if (arr.length < prefix.length) {
-      return false;
-    }
-    for (let i = prefix.length - 1; i >= 0; --i) {
-      if (arr[i] !== prefix[i]) {
-        return false;
-      }
-    }
-    return true;
-  }
-
-  let commonPath = files[0].path.slice(0, -1);
-  while (commonPath.length) {
-    if (files.every(file => isPrefix(file.path, commonPath))) {
-      break;
-    }
-    commonPath.pop();
-  }
-  return commonPath;
-}
-
-function findFolders(files) {
-  if (!files || !files.length) {
-    return [];
-  }
-
-  let folders = files.filter(file => file.path.length > 1).map(file => file.path[0]);
-  folders = [...new Set(folders)]; // unique
-  folders.sort();
-
-  folders = folders.map(folder => {
-    let filesInFolder = files
-      .filter(file => file.path[0] === folder)
-      .map(file => ({
-        ...file,
-        path: file.path.slice(1),
-        parent: [...file.parent, file.path[0]],
-      }));
-
-    const children = findFolders(filesInFolder); // recursion
-
-    return {
-      is_folder: true,
-      path: [folder],
-      parent: files[0].parent,
-      children,
-      covered: children.reduce((sum, file) => sum + file.covered, 0),
-      coverable: children.reduce((sum, file) => sum + file.coverable, 0),
-      prevRun: {
-        covered: children.reduce((sum, file) => sum + file.prevRun.covered, 0),
-        coverable: children.reduce((sum, file) => sum + file.prevRun.coverable, 0),
-      }
-    };
-  });
-
-  return [
-    ...folders,
-    ...files.filter(file => file.path.length === 1),
-  ];
-}
-
-class App extends React.Component {
-  constructor(...args) {
-    super(...args);
-
-    this.state = {
-      current: [],
-    };
-  }
-
-  componentDidMount() {
-    this.updateStateFromLocation();
-    window.addEventListener("hashchange", () => this.updateStateFromLocation(), false);
-  }
-
-  updateStateFromLocation() {
-    if (window.location.hash.length > 1) {
-      const current = window.location.hash.substr(1).split('/');
-      this.setState({current});
-    } else {
-      this.setState({current: []});
-    }
-  }
-
-  getCurrentPath() {
-    let file = this.props.root;
-    let path = [file];
-    for (let p of this.state.current) {
-      file = file.children.find(file => file.path[0] === p);
-      if (!file) {
-        return path;
-      }
-      path.push(file);
-    }
-    return path;
-  }
-
-  render() {
-    const path = this.getCurrentPath();
-    const file = path[path.length - 1];
-
-    let w = null;
-    if (file.is_folder) {
-      w = e(FilesList, {
-        folder: file,
-        onSelectFile: this.selectFile.bind(this),
-        onBack: path.length > 1 ? this.back.bind(this) : null,
-      });
-    } else {
-      w = e(DisplayFile, {
-        file,
-        onBack: this.back.bind(this),
-      });
-    }
-
-    return e('div', {className: 'app'}, w);
-  }
-
-  selectFile(file) {
-    this.setState(({current}) => {
-      return {current: [...current, file.path[0]]};
-    }, () => this.updateHash());
-  }
-
-  back(file) {
-    this.setState(({current}) => {
-      return {current: current.slice(0, current.length - 1)};
-    }, () => this.updateHash());
-  }
-
-  updateHash() {
-    if (!this.state.current || !this.state.current.length) {
-      window.location = '#';
-    } else {
-      window.location = '#' + this.state.current.join('/');
-    }
-  }
-}
-
-function FilesList({folder, onSelectFile, onBack}) {
-  let files = folder.children;
-  return e('div', {className: 'display-folder'},
-    e(FileHeader, {file: folder, onBack}),
-    e('table', {className: 'files-list'},
-      e('thead', {className: 'files-list__head'},
-        e('tr', null,
-          e('th', null, "Path"),
-          e('th', null, "Coverage")
-        )
-      ),
-      e('tbody', {className: 'files-list__body'},
-        files.map(file => e(File, {file, onClick: onSelectFile}))
-      )
-    )
-  );
-}
-
-function File({file, onClick}) {
-  const coverage = file.coverable ? file.covered / file.coverable * 100 : -1;
-  const coverageDelta = file.prevRun &&
-    (file.covered / file.coverable * 100 - file.prevRun.covered / file.prevRun.coverable * 100);
-
-  return e('tr', {
-      className: 'files-list__file'
-        + (coverage >= 0 && coverage < 50 ? ' files-list__file_low': '')
-        + (coverage >= 50 && coverage < 80 ? ' files-list__file_medium': '')
-        + (coverage >= 80 ? ' files-list__file_high': '')
-        + (file.is_folder ? ' files-list__file_folder': ''),
-      onClick: () => onClick(file),
-    },
-    e('td', null, e('a', null, pathToString(file.path))),
-    e('td', null,
-      file.covered + ' / ' + file.coverable +
-      (coverage >= 0 ? ' (' + coverage.toFixed(2) + '%)' : ''),
-      e('span', {title: 'Change from the previous run'},
-        (coverageDelta ? ` (${coverageDelta > 0 ? '+' : ''}${coverageDelta.toFixed(2)}%)` : ''))
-    )
-  );
-}
-
-function DisplayFile({file, onBack}) {
-  return e('div', {className: 'display-file'},
-    e(FileHeader, {file, onBack}),
-    e(FileContent, {file})
-  );
-}
-
-function FileHeader({file, onBack}) {
-  const coverage = file.covered / file.coverable * 100;
-  const coverageDelta = file.prevRun && (coverage - file.prevRun.covered / file.prevRun.coverable * 100);
-
-  return e('div', {className: 'file-header'},
-    onBack ? e('a', {className: 'file-header__back', onClick: onBack}, 'Back') : null,
-    e('div', {className: 'file-header__name'}, pathToString([...file.parent, ...file.path])),
-    e('div', {className: 'file-header__stat'},
-      'Covered: ' + file.covered + ' of ' + file.coverable +
-      (file.coverable ? ' (' + coverage.toFixed(2) + '%)' : ''),
-      e('span', {title: 'Change from the previous run'},
-        (coverageDelta ? ` (${coverageDelta > 0 ? '+' : ''}${coverageDelta.toFixed(2)}%)` : ''))
-    )
-  );
-}
-
-function FileContent({file}) {
-  return e('pre', {className: 'file-content'},
-    file.content.split(/\r?\n/).map((line, index) => {
-      const trace = file.traces.find(trace => trace.line === index + 1);
-      const covered = trace && trace.stats.Line;
-      const uncovered = trace && !trace.stats.Line;
-      return e('code', {
-          className: 'code-line'
-            + (covered ? ' code-line_covered' : '')
-            + (uncovered ? ' code-line_uncovered' : ''),
-          title: trace ? JSON.stringify(trace.stats, null, 2) : null,
-        }, line);
-    })
-  );
-}
-
-(function(){
-  const commonPath = findCommonPath(data.files);
-  const prevFilesMap = new Map();
-
-  previousData && previousData.files.forEach((file) => {
-    const path = file.path.slice(commonPath.length).join('/');
-    prevFilesMap.set(path, file);
-  });
-
-  const files = data.files.map((file) => {
-    const path = file.path.slice(commonPath.length);
-    const { covered = 0, coverable = 0 } = prevFilesMap.get(path.join('/')) || {};
-    return {
-      ...file,
-      path,
-      parent: commonPath,
-      prevRun: { covered, coverable },
-    };
-  });
-
-  const children = findFolders(files);
-
-  const root = {
-    is_folder: true,
-    children,
-    path: commonPath,
-    parent: [],
-    covered: children.reduce((sum, file) => sum + file.covered, 0),
-    coverable: children.reduce((sum, file) => sum + file.coverable, 0),
-    prevRun: {
-      covered: children.reduce((sum, file) => sum + file.prevRun.covered, 0),
-      coverable: children.reduce((sum, file) => sum + file.prevRun.coverable, 0),
-    }
-  };
-
-  ReactDOM.render(e(App, {root, prevFilesMap}), document.getElementById('root'));
-}());
-</script>
-</body>
-</html>
\ No newline at end of file