Skip to content

Commit

Permalink
Bump to ring 0.17
Browse files Browse the repository at this point in the history
  • Loading branch information
@thomaseizinger
thomaseizinger committed Oct 3, 2023
1 parent ac30cea commit 7c9b2d2
Show file tree
Hide file tree
Showing 7 changed files with 132 additions and 27 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
## Unreleased

- Remove `TryFrom<[u8]>` and `TryFrom<Vec<u8>>` for `KeyPair` in favor of allowing `KeyPair::from_der` to take `impl Into<Cow<'b, [u8]>>` which allows `Vec<u8>` as well as `[u8]`.
- Upgrade to `ring` `v0.17`.

## Release 0.11.3 - October 1, 2023

Expand Down
106 changes: 99 additions & 7 deletions Cargo.lock
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ required-features = ["pem"]

[dependencies]
yasna = { version = "0.5.2", features = ["time", "std"] }
ring = "0.16"
ring = "0.17"
pem = { version = "3.0.2", optional = true }
time = { version = "0.3.6", default-features = false }
x509-parser = { version = "0.15", features = ["verify"], optional = true }
Expand Down
29 changes: 17 additions & 12 deletions src/key_pair.rs
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
#[cfg(feature = "pem")]
use pem::Pem;
use ring::rand::SystemRandom;
use ring::rand::{SecureRandom, SystemRandom};
use ring::signature::KeyPair as RingKeyPair;
use ring::signature::{self, EcdsaKeyPair, Ed25519KeyPair, RsaEncoding, RsaKeyPair};
use std::fmt;
Expand Down Expand Up @@ -55,7 +55,7 @@ impl KeyPair {
///
/// Equivalent to using the [`TryFrom`] implementation.
pub fn from_der(der: &[u8]) -> Result<Self, RcgenError> {
Ok(KeyPair::from_raw(der)?)
Ok(KeyPair::from_raw(der, &SystemRandom::new())?)
}
/// Returns the key pair's signature algorithm
pub fn algorithm(&self) -> &'static SignatureAlgorithm {
Expand All @@ -66,7 +66,7 @@ impl KeyPair {
pub fn from_pem(pem_str: &str) -> Result<Self, RcgenError> {
let private_key = pem::parse(pem_str)?;
let private_key_der: &[_] = private_key.contents();
Ok(KeyPair::from_raw(private_key_der)?)
Ok(KeyPair::from_raw(private_key_der, &SystemRandom::new())?)
}

/// Obtains the key pair from a raw public key and a remote private key
Expand Down Expand Up @@ -105,6 +105,7 @@ impl KeyPair {
pkcs8: &[u8],
alg: &'static SignatureAlgorithm,
) -> Result<Self, RcgenError> {
let rng = &SystemRandom::new();
let pkcs8_vec = pkcs8.to_vec();

let kind = if alg == &PKCS_ED25519 {
Expand All @@ -113,11 +114,13 @@ impl KeyPair {
KeyPairKind::Ec(EcdsaKeyPair::from_pkcs8(
&signature::ECDSA_P256_SHA256_ASN1_SIGNING,
pkcs8,
rng,
)?)
} else if alg == &PKCS_ECDSA_P384_SHA384 {
KeyPairKind::Ec(EcdsaKeyPair::from_pkcs8(
&signature::ECDSA_P384_SHA384_ASN1_SIGNING,
pkcs8,
rng,
)?)
} else if alg == &PKCS_RSA_SHA256 {
let rsakp = RsaKeyPair::from_pkcs8(pkcs8)?;
Expand All @@ -142,15 +145,15 @@ impl KeyPair {
})
}

pub(crate) fn from_raw(pkcs8: &[u8]) -> Result<KeyPair, RcgenError> {
pub(crate) fn from_raw(pkcs8: &[u8], rng: &dyn SecureRandom) -> Result<KeyPair, RcgenError> {
let (kind, alg) = if let Ok(edkp) = Ed25519KeyPair::from_pkcs8_maybe_unchecked(pkcs8) {
(KeyPairKind::Ed(edkp), &PKCS_ED25519)
} else if let Ok(eckp) =
EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, pkcs8)
EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, pkcs8, rng)
{
(KeyPairKind::Ec(eckp), &PKCS_ECDSA_P256_SHA256)
} else if let Ok(eckp) =
EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P384_SHA384_ASN1_SIGNING, pkcs8)
EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P384_SHA384_ASN1_SIGNING, pkcs8, rng)
{
(KeyPairKind::Ec(eckp), &PKCS_ECDSA_P384_SHA384)
} else if let Ok(rsakp) = RsaKeyPair::from_pkcs8(pkcs8) {
Expand Down Expand Up @@ -187,23 +190,25 @@ pub trait RemoteKeyPair {

impl KeyPair {
/// Generate a new random key pair for the specified signature algorithm
pub fn generate(alg: &'static SignatureAlgorithm) -> Result<Self, RcgenError> {
let system_random = SystemRandom::new();
pub fn generate(
alg: &'static SignatureAlgorithm,
rng: &dyn SecureRandom,
) -> Result<Self, RcgenError> {
match alg.sign_alg {
SignAlgo::EcDsa(sign_alg) => {
let key_pair_doc = EcdsaKeyPair::generate_pkcs8(sign_alg, &system_random)?;
let key_pair_doc = EcdsaKeyPair::generate_pkcs8(sign_alg, rng)?;
let key_pair_serialized = key_pair_doc.as_ref().to_vec();

let key_pair =
EcdsaKeyPair::from_pkcs8(&sign_alg, &&key_pair_doc.as_ref()).unwrap();
EcdsaKeyPair::from_pkcs8(&sign_alg, &&key_pair_doc.as_ref(), rng).unwrap();
Ok(KeyPair {
kind: KeyPairKind::Ec(key_pair),
alg,
serialized_der: key_pair_serialized,
})
},
SignAlgo::EdDsa(_sign_alg) => {
let key_pair_doc = Ed25519KeyPair::generate_pkcs8(&system_random)?;
let key_pair_doc = Ed25519KeyPair::generate_pkcs8(rng)?;
let key_pair_serialized = key_pair_doc.as_ref().to_vec();

let key_pair = Ed25519KeyPair::from_pkcs8(&&key_pair_doc.as_ref()).unwrap();
Expand Down Expand Up @@ -251,7 +256,7 @@ impl KeyPair {
},
KeyPairKind::Rsa(kp, padding_alg) => {
let system_random = SystemRandom::new();
let mut signature = vec![0; kp.public_modulus_len()];
let mut signature = vec![0; kp.public().modulus_len()];
kp.sign(*padding_alg, &system_random, msg, &mut signature)?;
let sig = &signature.as_ref();
writer.write_bitvec_bytes(&sig, &sig.len() * 8);
Expand Down
5 changes: 3 additions & 2 deletions src/lib.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1492,15 +1492,16 @@ fn write_general_subtrees(writer: DERWriter, tag: u64, general_subtrees: &[Gener
impl Certificate {
/// Generates a new certificate from the given parameters.
///
/// If there is no key pair included, then a new key pair will be generated and used.
/// If there is no key pair included, then a new key pair will be randomly generated and used.
/// If you want to control the [`KeyPair`] or the randomness used to generate it, set it ahead of time before calling this function.
pub fn from_params(mut params: CertificateParams) -> Result<Self, RcgenError> {
let key_pair = if let Some(key_pair) = params.key_pair.take() {
if !key_pair.is_compatible(&params.alg) {
return Err(RcgenError::CertificateKeyPairMismatch);
}
key_pair
} else {
KeyPair::generate(&params.alg)?
KeyPair::generate(&params.alg, &ring::rand::SystemRandom::new())?
};

Ok(Certificate { params, key_pair })
Expand Down
6 changes: 4 additions & 2 deletions tests/generic.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,8 @@ mod test_key_params_mismatch {

let mut wrong_params = util::default_params();
if i != 0 {
wrong_params.key_pair = Some(KeyPair::generate(kalg_1).unwrap());
wrong_params.key_pair =
Some(KeyPair::generate(kalg_1, &ring::rand::SystemRandom::new()).unwrap());
} else {
let kp = KeyPair::from_pem(util::RSA_TEST_KEY_PAIR_PEM).unwrap();
wrong_params.key_pair = Some(kp);
Expand Down Expand Up @@ -81,7 +82,8 @@ mod test_convert_x509_subject_alternative_name {
let ca_der = cert.serialize_der().unwrap();

// Arbitrary key pair not used with the test, but required by the parsing function
let key_pair = KeyPair::generate(&PKCS_ECDSA_P256_SHA256).unwrap();
let key_pair =
KeyPair::generate(&PKCS_ECDSA_P256_SHA256, &ring::rand::SystemRandom::new()).unwrap();

let actual = CertificateParams::from_ca_cert_der(&ca_der, key_pair).unwrap();

Expand Down
10 changes: 7 additions & 3 deletions tests/webpki.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,8 @@ mod util;

fn sign_msg_ecdsa(cert: &Certificate, msg: &[u8], alg: &'static EcdsaSigningAlgorithm) -> Vec<u8> {
let pk_der = cert.serialize_private_key_der();
let key_pair = EcdsaKeyPair::from_pkcs8(&alg, &pk_der).unwrap();
let key_pair =
EcdsaKeyPair::from_pkcs8(&alg, &pk_der, &ring::rand::SystemRandom::new()).unwrap();
let system_random = SystemRandom::new();
let signature = key_pair.sign(&system_random, &msg).unwrap();
signature.as_ref().to_vec()
Expand All @@ -43,7 +44,7 @@ fn sign_msg_rsa(cert: &Certificate, msg: &[u8], encoding: &'static dyn RsaEncodi
let pk_der = cert.serialize_private_key_der();
let key_pair = RsaKeyPair::from_pkcs8(&pk_der).unwrap();
let system_random = SystemRandom::new();
let mut signature = vec![0; key_pair.public_modulus_len()];
let mut signature = vec![0; key_pair.public().modulus_len()];
key_pair
.sign(encoding, &system_random, &msg, &mut signature)
.unwrap();
Expand Down Expand Up @@ -334,15 +335,18 @@ fn from_remote() {
}
}

let key_pair = KeyPair::generate(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap();
let rng = ring::rand::SystemRandom::new();
let key_pair = KeyPair::generate(&rcgen::PKCS_ECDSA_P256_SHA256, &rng).unwrap();
let remote = EcdsaKeyPair::from_pkcs8(
&signature::ECDSA_P256_SHA256_ASN1_SIGNING,
&key_pair.serialize_der(),
&rng,
)
.unwrap();
let key_pair = EcdsaKeyPair::from_pkcs8(
&signature::ECDSA_P256_SHA256_ASN1_SIGNING,
&key_pair.serialize_der(),
&rng,
)
.unwrap();
let remote = KeyPair::from_remote(Box::new(Remote(remote))).unwrap();
Expand Down

0 comments on commit 7c9b2d2

Please sign in to comment.