alexrudy · alexrudy · Nov 26, 2023 · Nov 26, 2023
diff --git a/Cargo.toml b/Cargo.toml
@@ -30,7 +30,7 @@ serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 sha1 = "0.10"
 sha2 = "0.10"
-signature = { version = "2.2", features = ["digest"] }
+signature = { version = "2.2", features = ["digest", "std"] }
 thiserror = "1"
 url = { version = "2.5", features = ["serde"] }
 zeroize = { version = "1.7", features = ["serde", "derive"] }

diff --git a/src/algorithms/mod.rs b/src/algorithms/mod.rs
@@ -153,6 +153,32 @@ pub trait JoseAlgorithm {
     type Signature: SignatureEncoding;
 }
 
+/// A trait to associate an alogritm identifier with an algorithm.
+///
+/// This is a dynamic version of [`JoseAlgorithm`], which allows for
+/// dynamic dispatch of the algorithm, and object-safety for the trait.
+///
+/// This trait does not need to be implemented manually, as it is implemented
+/// for any type which implements [`JoseAlgorithm`].
+pub trait DynJoseAlgorithm {
+    /// The type of the signature, which must support encoding.
+    type Signature: SignatureEncoding;
+
+    /// The identifier for this algorithm when used in a JWT registered header.
+    fn identifier(&self) -> AlgorithmIdentifier;
+}
+
+impl<T> DynJoseAlgorithm for T
+where
+    T: JoseAlgorithm,
+{
+    type Signature = T::Signature;
+
+    fn identifier(&self) -> AlgorithmIdentifier {
+        T::IDENTIFIER
+    }
+}
+
 /// A trait to associate an algorithm with a digest for signing.
 pub trait JoseDigestAlgorithm: JoseAlgorithm {
     /// The digest algorithm used by this signature.
@@ -162,7 +188,7 @@ pub trait JoseDigestAlgorithm: JoseAlgorithm {
 /// A trait to represent an algorithm which can sign a JWT.
 ///
 /// This trait should apply to signing keys.
-pub trait TokenSigner: JoseAlgorithm {
+pub trait TokenSigner: DynJoseAlgorithm {
     /// Sign the contents of the JWT, when provided with the base64url-encoded header
     /// and payload. This is the JWS Signature value, and will be base64url-encoded
     /// and appended to the compact representation of the JWT.
@@ -207,7 +233,7 @@ where
 ///
 /// This trait should apply to the equivalent of public keys, which have enough information
 /// to verify a JWT signature, but not necessarily to sing it.
-pub trait TokenVerifier: JoseAlgorithm {
+pub trait TokenVerifier: DynJoseAlgorithm {
     /// Verify the signature of the JWT, when provided with the base64url-encoded header
     /// and payload.
     fn verify_token(

diff --git a/src/jose/mod.rs b/src/jose/mod.rs
@@ -187,7 +187,7 @@ impl<H> Header<H, UnsignedHeader> {
         A: crate::algorithms::TokenSigner + crate::key::SerializeJWK + Clone,
     {
         let state = SignedHeader {
-            algorithm: A::IDENTIFIER,
+            algorithm: key.identifier(),
             key: DerivedKeyValue::derive(self.state.key, key),
             thumbprint: DerivedKeyValue::derive(self.state.thumbprint, key),
             thumbprint_sha256: DerivedKeyValue::derive(self.state.thumbprint_sha256, key),
@@ -260,10 +260,10 @@ impl<H> Header<H, RenderedHeader> {
     where
         A: crate::algorithms::TokenVerifier + crate::key::SerializeJWK,
     {
-        if *self.algorithm() != A::IDENTIFIER {
+        if *self.algorithm() != key.identifier() {
             panic!(
                 "algorithm mismatch: expected header to have {:?}, got {:?}",
-                A::IDENTIFIER,
+                key.identifier(),
                 self.algorithm()
             );
         }

diff --git a/src/token/mod.rs b/src/token/mod.rs
@@ -467,9 +467,9 @@ where
         P: Serialize,
         H: Serialize,
     {
-        if A::IDENTIFIER != *self.state.header.algorithm() {
+        if algorithm.identifier() != *self.state.header.algorithm() {
             return Err(TokenVerifyingError::Algorithm(
-                A::IDENTIFIER,
+                algorithm.identifier(),
                 *self.state.header.algorithm(),
             ));
         }

diff --git a/src/token/state.rs b/src/token/state.rs
@@ -3,7 +3,7 @@ use serde::Serialize;
 use signature::SignatureEncoding;
 
 use crate::{
-    algorithms::{JoseAlgorithm, SignatureBytes, TokenSigner},
+    algorithms::{DynJoseAlgorithm, SignatureBytes, TokenSigner},
     base64data::Base64Signature,
     jose,
     key::SerializeJWK,
@@ -92,7 +92,7 @@ impl<H> MaybeSigned for Unsigned<H> {
 #[serde(bound(serialize = "H: Serialize, Alg: Clone, Alg::Signature: Serialize",))]
 pub struct Signed<H, Alg>
 where
-    Alg: JoseAlgorithm + SerializeJWK,
+    Alg: DynJoseAlgorithm + SerializeJWK,
 {
     pub(super) header: jose::Header<H, jose::SignedHeader<Alg>>,
     pub(super) signature: Alg::Signature,
@@ -143,15 +143,15 @@ where
 #[serde(bound(serialize = "H: Serialize, Alg: Clone, Alg::Signature: Serialize",))]
 pub struct Verified<H, Alg>
 where
-    Alg: JoseAlgorithm + SerializeJWK,
+    Alg: DynJoseAlgorithm + SerializeJWK,
 {
     pub(super) header: jose::Header<H, jose::SignedHeader<Alg>>,
     pub(super) signature: Alg::Signature,
 }
 
 impl<H, Alg> MaybeSigned for Verified<H, Alg>
 where
-    Alg: JoseAlgorithm + SerializeJWK,
+    Alg: DynJoseAlgorithm + SerializeJWK,
 {
     type HeaderState = jose::SignedHeader<Alg>;
     type Header = H;
@@ -175,7 +175,7 @@ where
 
 impl<H, Alg> HasSignature for Verified<H, Alg>
 where
-    Alg: JoseAlgorithm + SerializeJWK,
+    Alg: DynJoseAlgorithm + SerializeJWK,
 {
     type Signature = Alg::Signature;