Create EncodingKey/DecodingKey from borrowed data

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## Unreleased
+
+- Breaking: Add lifetimes to `EncodingKey` and `DecodingKey`/`DecodingKeyKind`
+
 ## 10.3.0 (2026-01-27)
 
 - Export everything needed to define your own CryptoProvider
@@ -72,7 +76,7 @@
 
 
 ## 8.0.0 (2022-02-02)
- 
+
 - Add EdDSA algorithm
 - `sign`/`verify` now takes a `&[u8]` instead of `&str` to be more flexible
 - `DecodingKey` now own its data
@@ -109,7 +113,7 @@
 - Add support for PS256, PS384 and PS512
 - Add support for verifying with modulus/exponent components for RSA
 - Update to 2018 edition
-- Changed aud field type in Validation to `Option<HashSet<String>>`.  Audience 
+- Changed aud field type in Validation to `Option<HashSet<String>>`.  Audience
   validation now tests for "any-of-these" audience membership.
 - Add support for keys in PEM format
 - Add EncodingKey/DecodingKey API to improve performance and UX

src/crypto/aws_lc/ecdsa.rs

@@ -17,7 +17,7 @@ macro_rules! define_ecdsa_signer {
         pub struct $name(EcdsaKeyPair);
 
         impl $name {
-            pub(crate) fn new(encoding_key: &EncodingKey) -> Result<Self> {
+            pub(crate) fn new(encoding_key: &EncodingKey<'_>) -> Result<Self> {
                 if encoding_key.family() != AlgorithmFamily::Ec {
                     return Err(new_error(ErrorKind::InvalidKeyFormat));
                 }
@@ -50,7 +50,7 @@ macro_rules! define_ecdsa_verifier {
         pub struct $name(DecodingKey);
 
         impl $name {
-            pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
+            pub(crate) fn new(decoding_key: &DecodingKey<'_>) -> Result<Self> {
                 if decoding_key.family() != AlgorithmFamily::Ec {
                     return Err(new_error(ErrorKind::InvalidKeyFormat));
                 }

src/crypto/aws_lc/eddsa.rs

@@ -10,7 +10,7 @@ use signature::{Error, Signer, Verifier};
 pub struct EdDSASigner(Ed25519KeyPair);
 
 impl EdDSASigner {
-    pub(crate) fn new(encoding_key: &EncodingKey) -> Result<Self> {
+    pub(crate) fn new(encoding_key: &EncodingKey<'_>) -> Result<Self> {
         if encoding_key.family() != AlgorithmFamily::Ed {
             return Err(new_error(ErrorKind::InvalidKeyFormat));
         }
@@ -37,7 +37,7 @@ impl JwtSigner for EdDSASigner {
 pub struct EdDSAVerifier(DecodingKey);
 
 impl EdDSAVerifier {
-    pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
+    pub(crate) fn new(decoding_key: &DecodingKey<'_>) -> Result<Self> {
         if decoding_key.family() != AlgorithmFamily::Ed {
             return Err(new_error(ErrorKind::InvalidKeyFormat));
         }

src/crypto/aws_lc/hmac.rs

@@ -13,7 +13,7 @@ macro_rules! define_hmac_signer {
         pub struct $name(hmac::Key);
 
         impl $name {
-            pub(crate) fn new(encoding_key: &EncodingKey) -> Result<Self> {
+            pub(crate) fn new(encoding_key: &EncodingKey<'_>) -> Result<Self> {
                 Ok(Self(hmac::Key::new($hmac_alg, encoding_key.try_get_hmac_secret()?)))
             }
         }
@@ -37,7 +37,7 @@ macro_rules! define_hmac_verifier {
         pub struct $name(hmac::Key);
 
         impl $name {
-            pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
+            pub(crate) fn new(decoding_key: &DecodingKey<'_>) -> Result<Self> {
                 Ok(Self(hmac::Key::new($hmac_alg, decoding_key.try_get_hmac_secret()?)))
             }
         }

src/crypto/aws_lc/mod.rs

@@ -57,7 +57,7 @@ fn compute_digest(data: &[u8], hash_function: ThumbprintHash) -> Vec<u8> {
     digest::digest(algorithm, data).as_ref().to_vec()
 }
 
-fn new_signer(algorithm: &Algorithm, key: &EncodingKey) -> Result<Box<dyn JwtSigner>, Error> {
+fn new_signer(algorithm: &Algorithm, key: &EncodingKey<'_>) -> Result<Box<dyn JwtSigner>, Error> {
     let jwt_signer = match algorithm {
         Algorithm::HS256 => Box::new(hmac::Hs256Signer::new(key)?) as Box<dyn JwtSigner>,
         Algorithm::HS384 => Box::new(hmac::Hs384Signer::new(key)?) as Box<dyn JwtSigner>,
@@ -78,7 +78,7 @@ fn new_signer(algorithm: &Algorithm, key: &EncodingKey) -> Result<Box<dyn JwtSig
 
 fn new_verifier(
     algorithm: &Algorithm,
-    key: &DecodingKey,
+    key: &DecodingKey<'_>,
 ) -> Result<Box<dyn super::JwtVerifier>, Error> {
     let jwt_verifier = match algorithm {
         Algorithm::HS256 => Box::new(hmac::Hs256Verifier::new(key)?) as Box<dyn JwtVerifier>,

src/crypto/aws_lc/rsa.rs

@@ -13,7 +13,7 @@ use crate::{Algorithm, DecodingKey, EncodingKey};
 /// Try to sign the `message` using an `RSA` `algorithm`.
 fn try_sign_rsa(
     algorithm: &'static dyn crypto_sig::RsaEncoding,
-    encoding_key: &EncodingKey,
+    encoding_key: &EncodingKey<'_>,
     msg: &[u8],
 ) -> std::result::Result<Vec<u8>, signature::Error> {
     let key_pair = crypto_sig::RsaKeyPair::from_der(encoding_key.inner())
@@ -33,7 +33,7 @@ fn try_sign_rsa(
 /// - If `decoding_key` is not from the RSA family.
 fn verify_rsa(
     algorithm: &'static crypto_sig::RsaParameters,
-    decoding_key: &DecodingKey,
+    decoding_key: &DecodingKey<'_>,
     msg: &[u8],
     signature: &[u8],
 ) -> std::result::Result<(), signature::Error> {
@@ -56,7 +56,7 @@ macro_rules! define_rsa_signer {
         pub struct $name(EncodingKey);
 
         impl $name {
-            pub(crate) fn new(encoding_key: &EncodingKey) -> Result<Self> {
+            pub(crate) fn new(encoding_key: &EncodingKey<'_>) -> Result<Self> {
                 if encoding_key.family() != AlgorithmFamily::Rsa {
                     return Err(new_error(ErrorKind::InvalidKeyFormat));
                 }
@@ -84,7 +84,7 @@ macro_rules! define_rsa_verifier {
         pub struct $name(DecodingKey);
 
         impl $name {
-            pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
+            pub(crate) fn new(decoding_key: &DecodingKey<'_>) -> Result<Self> {
                 if decoding_key.family() != AlgorithmFamily::Rsa {
                     return Err(new_error(ErrorKind::InvalidKeyFormat));
                 }

src/crypto/mod.rs

@@ -45,7 +45,7 @@ pub trait JwtVerifier: Verifier<Vec<u8>> {
 /// the base64 url safe encoded of the result.
 ///
 /// If you just want to encode a JWT, use `encode` instead.
-pub fn sign(message: &[u8], key: &EncodingKey, algorithm: Algorithm) -> Result<String> {
+pub fn sign(message: &[u8], key: &EncodingKey<'_>, algorithm: Algorithm) -> Result<String> {
     let provider = (CryptoProvider::get_default().signer_factory)(&algorithm, key)?;
     Ok(b64_encode(provider.try_sign(message)?))
 }
@@ -61,7 +61,7 @@ pub fn sign(message: &[u8], key: &EncodingKey, algorithm: Algorithm) -> Result<S
 pub fn verify(
     signature: &str,
     message: &[u8],
-    key: &DecodingKey,
+    key: &DecodingKey<'_>,
     algorithm: Algorithm,
 ) -> Result<bool> {
     let provider = (CryptoProvider::get_default().verifier_factory)(&algorithm, key)?;

src/crypto/rust_crypto/ecdsa.rs

@@ -19,7 +19,7 @@ macro_rules! define_ecdsa_signer {
         pub struct $name($signing_key);
 
         impl $name {
-            pub(crate) fn new(encoding_key: &EncodingKey) -> Result<Self> {
+            pub(crate) fn new(encoding_key: &EncodingKey<'_>) -> Result<Self> {
                 if encoding_key.family() != AlgorithmFamily::Ec {
                     return Err(new_error(ErrorKind::InvalidKeyFormat));
                 }
@@ -51,7 +51,7 @@ macro_rules! define_ecdsa_verifier {
         pub struct $name($verifying_key);
 
         impl $name {
-            pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
+            pub(crate) fn new(decoding_key: &DecodingKey<'_>) -> Result<Self> {
                 if decoding_key.family() != AlgorithmFamily::Ec {
                     return Err(new_error(ErrorKind::InvalidKeyFormat));
                 }

src/crypto/rust_crypto/eddsa.rs

@@ -11,7 +11,7 @@ use signature::{Error, Signer, Verifier};
 pub struct EdDSASigner(SigningKey);
 
 impl EdDSASigner {
-    pub(crate) fn new(encoding_key: &EncodingKey) -> Result<Self> {
+    pub(crate) fn new(encoding_key: &EncodingKey<'_>) -> Result<Self> {
         if encoding_key.family() != AlgorithmFamily::Ed {
             return Err(new_error(ErrorKind::InvalidKeyFormat));
         }
@@ -38,7 +38,7 @@ impl JwtSigner for EdDSASigner {
 pub struct EdDSAVerifier(VerifyingKey);
 
 impl EdDSAVerifier {
-    pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
+    pub(crate) fn new(decoding_key: &DecodingKey<'_>) -> Result<Self> {
         if decoding_key.family() != AlgorithmFamily::Ed {
             return Err(new_error(ErrorKind::InvalidKeyFormat));
         }

src/crypto/rust_crypto/hmac.rs

@@ -19,7 +19,7 @@ macro_rules! define_hmac_signer {
         pub struct $name($hmac_type);
 
         impl $name {
-            pub(crate) fn new(encoding_key: &EncodingKey) -> Result<Self> {
+            pub(crate) fn new(encoding_key: &EncodingKey<'_>) -> Result<Self> {
                 let inner = <$hmac_type>::new_from_slice(encoding_key.try_get_hmac_secret()?)
                     .map_err(|_e| crate::errors::ErrorKind::InvalidKeyFormat)?;
 
@@ -51,7 +51,7 @@ macro_rules! define_hmac_verifier {
         pub struct $name($hmac_type);
 
         impl $name {
-            pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
+            pub(crate) fn new(decoding_key: &DecodingKey<'_>) -> Result<Self> {
                 let inner = <$hmac_type>::new_from_slice(decoding_key.try_get_hmac_secret()?)
                     .map_err(|_e| crate::errors::ErrorKind::InvalidKeyFormat)?;
 

src/crypto/rust_crypto/mod.rs

@@ -63,7 +63,7 @@ fn compute_digest(data: &[u8], hash_function: ThumbprintHash) -> Vec<u8> {
     }
 }
 
-fn new_signer(algorithm: &Algorithm, key: &EncodingKey) -> Result<Box<dyn JwtSigner>, Error> {
+fn new_signer(algorithm: &Algorithm, key: &EncodingKey<'_>) -> Result<Box<dyn JwtSigner>, Error> {
     let jwt_signer = match algorithm {
         Algorithm::HS256 => Box::new(hmac::Hs256Signer::new(key)?) as Box<dyn JwtSigner>,
         Algorithm::HS384 => Box::new(hmac::Hs384Signer::new(key)?) as Box<dyn JwtSigner>,
@@ -84,7 +84,7 @@ fn new_signer(algorithm: &Algorithm, key: &EncodingKey) -> Result<Box<dyn JwtSig
 
 fn new_verifier(
     algorithm: &Algorithm,
-    key: &DecodingKey,
+    key: &DecodingKey<'_>,
 ) -> Result<Box<dyn super::JwtVerifier>, Error> {
     let jwt_verifier = match algorithm {
         Algorithm::HS256 => Box::new(hmac::Hs256Verifier::new(key)?) as Box<dyn JwtVerifier>,

src/crypto/rust_crypto/rsa.rs

@@ -20,7 +20,7 @@ use crate::errors::{ErrorKind, Result, new_error};
 use crate::{Algorithm, DecodingKey, EncodingKey};
 
 fn try_sign_rsa<H>(
-    encoding_key: &EncodingKey,
+    encoding_key: &EncodingKey<'_>,
     msg: &[u8],
     pss: bool,
 ) -> std::result::Result<Vec<u8>, signature::Error>
@@ -43,7 +43,7 @@ where
 
 fn verify_rsa<S: SignatureScheme, H: Digest + AssociatedOid>(
     scheme: S,
-    decoding_key: &DecodingKey,
+    decoding_key: &DecodingKey<'_>,
     msg: &[u8],
     signature: &[u8],
 ) -> std::result::Result<(), signature::Error> {
@@ -71,7 +71,7 @@ macro_rules! define_rsa_signer {
         pub struct $name(EncodingKey);
 
         impl $name {
-            pub(crate) fn new(encoding_key: &EncodingKey) -> Result<Self> {
+            pub(crate) fn new(encoding_key: &EncodingKey<'_>) -> Result<Self> {
                 if encoding_key.family() != AlgorithmFamily::Rsa {
                     return Err(new_error(ErrorKind::InvalidKeyFormat));
                 }
@@ -99,7 +99,7 @@ macro_rules! define_rsa_verifier {
         pub struct $name(DecodingKey);
 
         impl $name {
-            pub(crate) fn new(decoding_key: &DecodingKey) -> Result<Self> {
+            pub(crate) fn new(decoding_key: &DecodingKey<'_>) -> Result<Self> {
                 if decoding_key.family() != AlgorithmFamily::Rsa {
                     return Err(new_error(ErrorKind::InvalidKeyFormat));
                 }