From 7c9b2d20c885652313cc82aa7a6dae287303b1b3 Mon Sep 17 00:00:00 2001 From: Thomas Eizinger Date: Tue, 3 Oct 2023 12:07:36 +1100 Subject: [PATCH] Bump to ring 0.17 --- CHANGELOG.md | 1 + Cargo.lock | 106 +++++++++++++++++++++++++++++++++++++++++++---- Cargo.toml | 2 +- src/key_pair.rs | 29 +++++++------ src/lib.rs | 5 ++- tests/generic.rs | 6 ++- tests/webpki.rs | 10 +++-- 7 files changed, 132 insertions(+), 27 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 043e1e1a..baf51f59 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ ## Unreleased - Remove `TryFrom<[u8]>` and `TryFrom>` for `KeyPair` in favor of allowing `KeyPair::from_der` to take `impl Into>` which allows `Vec` as well as `[u8]`. +- Upgrade to `ring` `v0.17`. ## Release 0.11.3 - October 1, 2023 diff --git a/Cargo.lock b/Cargo.lock index ae5da432..32e5d254 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -247,7 +247,7 @@ version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" dependencies = [ - "spin", + "spin 0.5.2", ] [[package]] @@ -510,7 +510,7 @@ dependencies = [ "openssl", "pem", "rand", - "ring", + "ring 0.17.0", "rsa", "rustls-webpki", "time", @@ -528,12 +528,26 @@ dependencies = [ "cc", "libc", "once_cell", - "spin", - "untrusted", + "spin 0.5.2", + "untrusted 0.7.1", "web-sys", "winapi", ] +[[package]] +name = "ring" +version = "0.17.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fb9d44f9bf6b635117787f72416783eb7e4227aaf255e5ce739563d817176a7e" +dependencies = [ + "cc", + "getrandom", + "libc", + "spin 0.9.8", + "untrusted 0.9.0", + "windows-sys", +] + [[package]] name = "rsa" version = "0.9.2" 
@@ -571,8 +585,8 @@ version = "0.101.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3c7d5dece342910d9ba34d259310cae3e0154b873b35408b787b59bce53d34fe" dependencies = [ - "ring", - "untrusted", + "ring 0.16.20", + "untrusted 0.7.1", ] [[package]] @@ -617,6 +631,12 @@ version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" +[[package]] +name = "spin" +version = "0.9.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67" + [[package]] name = "spki" version = "0.7.2" @@ -739,6 +759,12 @@ version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" +[[package]] +name = "untrusted" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" + [[package]] name = "vcpkg" version = "0.2.15" 
@@ -843,6 +869,72 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" +[[package]] +name = "windows-sys" +version = "0.48.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9" +dependencies = [ + "windows-targets", +] + +[[package]] +name = "windows-targets" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c" +dependencies = [ + "windows_aarch64_gnullvm", + "windows_aarch64_msvc", + "windows_i686_gnu", + "windows_i686_msvc", + "windows_x86_64_gnu", + "windows_x86_64_gnullvm", + "windows_x86_64_msvc", +] + +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" + +[[package]] +name = "windows_aarch64_msvc" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" + +[[package]] +name = "windows_i686_gnu" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e" + +[[package]] +name = "windows_i686_msvc" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" + +[[package]] +name = "windows_x86_64_gnu" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" + +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.48.5" +source = 
"registry+https://github.com/rust-lang/crates.io-index" +checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" + +[[package]] +name = "windows_x86_64_msvc" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538" + [[package]] name = "x509-parser" version = "0.15.1" @@ -855,7 +947,7 @@ dependencies = [ "lazy_static", "nom", "oid-registry", - "ring", + "ring 0.16.20", "rusticata-macros", "thiserror", "time", diff --git a/Cargo.toml b/Cargo.toml index 7d2119a7..a47fb72f 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -28,7 +28,7 @@ required-features = ["pem"] [dependencies] yasna = { version = "0.5.2", features = ["time", "std"] } -ring = "0.16" +ring = "0.17" pem = { version = "3.0.2", optional = true } time = { version = "0.3.6", default-features = false } x509-parser = { version = "0.15", features = ["verify"], optional = true } diff --git a/src/key_pair.rs b/src/key_pair.rs index 9e29f51f..c2869aac 100644 --- a/src/key_pair.rs +++ b/src/key_pair.rs @@ -1,6 +1,6 @@ #[cfg(feature = "pem")] use pem::Pem; -use ring::rand::SystemRandom; +use ring::rand::{SecureRandom, SystemRandom}; use ring::signature::KeyPair as RingKeyPair; use ring::signature::{self, EcdsaKeyPair, Ed25519KeyPair, RsaEncoding, RsaKeyPair}; use std::fmt; @@ -55,7 +55,7 @@ impl KeyPair { /// /// Equivalent to using the [`TryFrom`] implementation. pub fn from_der(der: &[u8]) -> Result { - Ok(KeyPair::from_raw(der)?) + Ok(KeyPair::from_raw(der, &SystemRandom::new())?) } /// Returns the key pair's signature algorithm pub fn algorithm(&self) -> &'static SignatureAlgorithm { 
@@ -66,7 +66,7 @@ impl KeyPair { pub fn from_pem(pem_str: &str) -> Result { let private_key = pem::parse(pem_str)?; let private_key_der: &[_] = private_key.contents(); - Ok(KeyPair::from_raw(private_key_der)?) + Ok(KeyPair::from_raw(private_key_der, &SystemRandom::new())?) } /// Obtains the key pair from a raw public key and a remote private key @@ -105,6 +105,7 @@ impl KeyPair { pkcs8: &[u8], alg: &'static SignatureAlgorithm, ) -> Result { + let rng = &SystemRandom::new(); let pkcs8_vec = pkcs8.to_vec(); let kind = if alg == &PKCS_ED25519 { @@ -113,11 +114,13 @@ impl KeyPair { KeyPairKind::Ec(EcdsaKeyPair::from_pkcs8( &signature::ECDSA_P256_SHA256_ASN1_SIGNING, pkcs8, + rng, )?) } else if alg == &PKCS_ECDSA_P384_SHA384 { KeyPairKind::Ec(EcdsaKeyPair::from_pkcs8( &signature::ECDSA_P384_SHA384_ASN1_SIGNING, pkcs8, + rng, )?) } else if alg == &PKCS_RSA_SHA256 { let rsakp = RsaKeyPair::from_pkcs8(pkcs8)?; @@ -142,15 +145,15 @@ impl KeyPair { }) } - pub(crate) fn from_raw(pkcs8: &[u8]) -> Result { + pub(crate) fn from_raw(pkcs8: &[u8], rng: &dyn SecureRandom) -> Result { let (kind, alg) = if let Ok(edkp) = Ed25519KeyPair::from_pkcs8_maybe_unchecked(pkcs8) { (KeyPairKind::Ed(edkp), &PKCS_ED25519) } else if let Ok(eckp) = - EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, pkcs8) + EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, pkcs8, rng) { (KeyPairKind::Ec(eckp), &PKCS_ECDSA_P256_SHA256) } else if let Ok(eckp) = - EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P384_SHA384_ASN1_SIGNING, pkcs8) + EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P384_SHA384_ASN1_SIGNING, pkcs8, rng) { (KeyPairKind::Ec(eckp), &PKCS_ECDSA_P384_SHA384) } else if let Ok(rsakp) = RsaKeyPair::from_pkcs8(pkcs8) { 
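Review bot: In `from_raw`, the two `if let Ok(eckp) = EcdsaKeyPair::from_pkcs8(..., pkcs8, rng)` probes discard the error, so a failure caused by the new `rng` argument rather than by the key bytes would fall through to the next algorithm and surface as whatever the final branch reports. Assuming ring 0.17 draws from `rng` while constructing the key pair (the added parameter suggests it does), `from_der` and `from_pem` could then report a valid P-256 or P-384 key as unrecognised when the system RNG is unavailable. A comment on the chain such as `// NOTE: an rng failure is indistinguishable from a non-matching key here` would at least record this; telling the two cases apart needs the rejection reason from ring. The body of `from_raw` continues past the end of the hunk.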
@@ -187,15 +190,17 @@ pub trait RemoteKeyPair { impl KeyPair { /// Generate a new random key pair for the specified signature algorithm - pub fn generate(alg: &'static SignatureAlgorithm) -> Result { - let system_random = SystemRandom::new(); + pub fn generate( + alg: &'static SignatureAlgorithm, + rng: &dyn SecureRandom, + ) -> Result { match alg.sign_alg { SignAlgo::EcDsa(sign_alg) => { - let key_pair_doc = EcdsaKeyPair::generate_pkcs8(sign_alg, &system_random)?; + let key_pair_doc = EcdsaKeyPair::generate_pkcs8(sign_alg, rng)?; let key_pair_serialized = key_pair_doc.as_ref().to_vec(); let key_pair = - EcdsaKeyPair::from_pkcs8(&sign_alg, &&key_pair_doc.as_ref()).unwrap(); + EcdsaKeyPair::from_pkcs8(&sign_alg, &&key_pair_doc.as_ref(), rng).unwrap(); Ok(KeyPair { kind: KeyPairKind::Ec(key_pair), alg, @@ -203,7 +208,7 @@ impl KeyPair { }) }, SignAlgo::EdDsa(_sign_alg) => { - let key_pair_doc = Ed25519KeyPair::generate_pkcs8(&system_random)?; + let key_pair_doc = Ed25519KeyPair::generate_pkcs8(rng)?; let key_pair_serialized = key_pair_doc.as_ref().to_vec(); let key_pair = Ed25519KeyPair::from_pkcs8(&&key_pair_doc.as_ref()).unwrap(); @@ -251,7 +256,7 @@ impl KeyPair { }, KeyPairKind::Rsa(kp, padding_alg) => { let system_random = SystemRandom::new(); - let mut signature = vec![0; kp.public_modulus_len()]; + let mut signature = vec![0; kp.public().modulus_len()]; kp.sign(*padding_alg, &system_random, msg, &mut signature)?; let sig = &signature.as_ref(); writer.write_bitvec_bytes(&sig, &sig.len() * 8); diff --git a/src/lib.rs b/src/lib.rs index c04c6c8e..601f60b5 100644 --- a/src/lib.rs +++ b/src/lib.rs 
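Review bot: The `.unwrap()` on `EcdsaKeyPair::from_pkcs8(&sign_alg, &&key_pair_doc.as_ref(), rng)` in `generate` now sits on a call that takes the caller's `rng`, so if ring can reject the key because of an RNG error, the library panics instead of returning `Err`. The function already returns a `Result` and uses `?` on `generate_pkcs8`, so ending that call with `?` instead of `.unwrap()` would be consistent, provided the crate's error type converts from ring's key-rejection error as the `?` in `from_der` suggests. Separately, `generate` is `pub` and gains a required `rng: &dyn SecureRandom` parameter, which puts a ring type into rcgen's public signature; neither the doc comment nor the changelog line about the ring upgrade mentions the new parameter. The `match` continues outside this hunk.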
@@ -1492,7 +1492,8 @@ fn write_general_subtrees(writer: DERWriter, tag: u64, general_subtrees: &[Gener impl Certificate { /// Generates a new certificate from the given parameters. /// - /// If there is no key pair included, then a new key pair will be generated and used. + /// If there is no key pair included, then a new key pair will be randomly generated and used. + /// If you want to control the [`KeyPair`] or the randomness used to generate it, set it ahead of time before calling this function. pub fn from_params(mut params: CertificateParams) -> Result { let key_pair = if let Some(key_pair) = params.key_pair.take() { if !key_pair.is_compatible(¶ms.alg) { @@ -1500,7 +1501,7 @@ impl Certificate { } key_pair } else { - KeyPair::generate(¶ms.alg)? + KeyPair::generate(¶ms.alg, &ring::rand::SystemRandom::new())? }; Ok(Certificate { params, key_pair }) diff --git a/tests/generic.rs b/tests/generic.rs index 30555418..56415703 100644 --- a/tests/generic.rs +++ b/tests/generic.rs @@ -35,7 +35,8 @@ mod test_key_params_mismatch { let mut wrong_params = util::default_params(); if i != 0 { - wrong_params.key_pair = Some(KeyPair::generate(kalg_1).unwrap()); + wrong_params.key_pair = + Some(KeyPair::generate(kalg_1, &ring::rand::SystemRandom::new()).unwrap()); } else { let kp = KeyPair::from_pem(util::RSA_TEST_KEY_PAIR_PEM).unwrap(); wrong_params.key_pair = Some(kp); @@ -81,7 +82,8 @@ mod test_convert_x509_subject_alternative_name { let ca_der = cert.serialize_der().unwrap(); // Arbitrary key pair not used with the test, but required by the parsing function - let key_pair = KeyPair::generate(&PKCS_ECDSA_P256_SHA256).unwrap(); + let key_pair = + KeyPair::generate(&PKCS_ECDSA_P256_SHA256, &ring::rand::SystemRandom::new()).unwrap(); let actual = CertificateParams::from_ca_cert_der(&ca_der, key_pair).unwrap(); diff --git a/tests/webpki.rs b/tests/webpki.rs index 78b92e91..a12dae9c 100644 --- a/tests/webpki.rs +++ b/tests/webpki.rs 
@@ -25,7 +25,8 @@ mod util; fn sign_msg_ecdsa(cert: &Certificate, msg: &[u8], alg: &'static EcdsaSigningAlgorithm) -> Vec { let pk_der = cert.serialize_private_key_der(); - let key_pair = EcdsaKeyPair::from_pkcs8(&alg, &pk_der).unwrap(); + let key_pair = + EcdsaKeyPair::from_pkcs8(&alg, &pk_der, &ring::rand::SystemRandom::new()).unwrap(); let system_random = SystemRandom::new(); let signature = key_pair.sign(&system_random, &msg).unwrap(); signature.as_ref().to_vec() @@ -43,7 +44,7 @@ fn sign_msg_rsa(cert: &Certificate, msg: &[u8], encoding: &'static dyn RsaEncodi let pk_der = cert.serialize_private_key_der(); let key_pair = RsaKeyPair::from_pkcs8(&pk_der).unwrap(); let system_random = SystemRandom::new(); - let mut signature = vec![0; key_pair.public_modulus_len()]; + let mut signature = vec![0; key_pair.public().modulus_len()]; key_pair .sign(encoding, &system_random, &msg, &mut signature) .unwrap(); @@ -334,15 +335,18 @@ fn from_remote() { } } - let key_pair = KeyPair::generate(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap(); + let rng = ring::rand::SystemRandom::new(); + let key_pair = KeyPair::generate(&rcgen::PKCS_ECDSA_P256_SHA256, &rng).unwrap(); let remote = EcdsaKeyPair::from_pkcs8( &signature::ECDSA_P256_SHA256_ASN1_SIGNING, &key_pair.serialize_der(), + &rng, ) .unwrap(); let key_pair = EcdsaKeyPair::from_pkcs8( &signature::ECDSA_P256_SHA256_ASN1_SIGNING, &key_pair.serialize_der(), + &rng, ) .unwrap(); let remote = KeyPair::from_remote(Box::new(Remote(remote))).unwrap();
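Review bot: In `sign_msg_ecdsa` the new call builds a throwaway `ring::rand::SystemRandom::new()` one line before the existing `let system_random = SystemRandom::new();`, so the test now creates two RNG handles and spells the type two different ways. Moving the `let system_random` line above the key-pair construction and passing `&system_random` to `from_pkcs8` keeps a single handle, which is what the `from_remote` hunk in this file already does with its shared `rng`. The function's closing brace lies outside the hunk.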