diff --git a/CHANGELOG.md b/CHANGELOG.md index 9280db67..a4fd52a8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,13 @@ Errors are usually not comparable. Use `matches!` instead. - Remove `TryFrom<[u8]>` and `TryFrom>` for `KeyPair` in favor of allowing `KeyPair::from_der` to take `impl Into>` which allows `Vec` as well as `[u8]`. +- Upgrade to `ring` `v0.17`. +- Add `ring::rand::SecureRandom` parameter to: + - `KeyPair::generate` + - `KeyPair::from_der` + - `KeyPair::from_der_and_sign_algo` + - `KeyPair::from_pem` + - `KeyPair::from_pem_and_sign_algo` ## Release 0.11.3 - October 1, 2023 diff --git a/Cargo.lock b/Cargo.lock index ae5da432..32e5d254 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -247,7 +247,7 @@ version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" dependencies = [ - "spin", + "spin 0.5.2", ] [[package]] @@ -510,7 +510,7 @@ dependencies = [ "openssl", "pem", "rand", - "ring", + "ring 0.17.0", "rsa", "rustls-webpki", "time", @@ -528,12 +528,26 @@ dependencies = [ "cc", "libc", "once_cell", - "spin", - "untrusted", + "spin 0.5.2", + "untrusted 0.7.1", "web-sys", "winapi", ] +[[package]] +name = "ring" +version = "0.17.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fb9d44f9bf6b635117787f72416783eb7e4227aaf255e5ce739563d817176a7e" +dependencies = [ + "cc", + "getrandom", + "libc", + "spin 0.9.8", + "untrusted 0.9.0", + "windows-sys", +] + [[package]] name = "rsa" version = "0.9.2" @@ -571,8 +585,8 @@ version = "0.101.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3c7d5dece342910d9ba34d259310cae3e0154b873b35408b787b59bce53d34fe" dependencies = [ - "ring", - "untrusted", + "ring 0.16.20", + "untrusted 0.7.1", ] [[package]] 
@@ -617,6 +631,12 @@ version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" +[[package]] +name = "spin" +version = "0.9.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67" + [[package]] name = "spki" version = "0.7.2" @@ -739,6 +759,12 @@ version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" +[[package]] +name = "untrusted" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" + [[package]] name = "vcpkg" version = "0.2.15" 
@@ -843,6 +869,72 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" +[[package]] +name = "windows-sys" +version = "0.48.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9" +dependencies = [ + "windows-targets", +] + +[[package]] +name = "windows-targets" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c" +dependencies = [ + "windows_aarch64_gnullvm", + "windows_aarch64_msvc", + "windows_i686_gnu", + "windows_i686_msvc", + "windows_x86_64_gnu", + "windows_x86_64_gnullvm", + "windows_x86_64_msvc", +] + +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" + +[[package]] +name = "windows_aarch64_msvc" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" + +[[package]] +name = "windows_i686_gnu" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e" + +[[package]] +name = "windows_i686_msvc" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" + +[[package]] +name = "windows_x86_64_gnu" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" + +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.48.5" +source = 
"registry+https://github.com/rust-lang/crates.io-index" +checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" + +[[package]] +name = "windows_x86_64_msvc" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538" + [[package]] name = "x509-parser" version = "0.15.1" @@ -855,7 +947,7 @@ dependencies = [ "lazy_static", "nom", "oid-registry", - "ring", + "ring 0.16.20", "rusticata-macros", "thiserror", "time", diff --git a/Cargo.toml b/Cargo.toml index 7d2119a7..a47fb72f 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -28,7 +28,7 @@ required-features = ["pem"] [dependencies] yasna = { version = "0.5.2", features = ["time", "std"] } -ring = "0.16" +ring = "0.17" pem = { version = "3.0.2", optional = true } time = { version = "0.3.6", default-features = false } x509-parser = { version = "0.15", features = ["verify"], optional = true } diff --git a/examples/rsa-irc-openssl.rs b/examples/rsa-irc-openssl.rs index 0ac72f60..f2b72056 100644 --- a/examples/rsa-irc-openssl.rs +++ b/examples/rsa-irc-openssl.rs @@ -13,7 +13,7 @@ fn main() -> Result<(), Box> { let pkey: openssl::pkey::PKey<_> = openssl::rsa::Rsa::generate(2048)?.try_into()?; let key_pair_pem = String::from_utf8(pkey.private_key_to_pem_pkcs8()?)?; - let key_pair = rcgen::KeyPair::from_pem(&key_pair_pem)?; + let key_pair = rcgen::KeyPair::from_pem(&key_pair_pem, &ring::rand::SystemRandom::new())?; params.key_pair = Some(key_pair); let cert = Certificate::from_params(params)?; diff --git a/examples/rsa-irc.rs b/examples/rsa-irc.rs index fbd0be3e..5ce91665 100644 --- a/examples/rsa-irc.rs +++ b/examples/rsa-irc.rs 
@@ -19,7 +19,9 @@ fn main() -> Result<(), Box> { let bits = 2048; let private_key = RsaPrivateKey::new(&mut rng, bits)?; let private_key_der = private_key.to_pkcs8_der()?; - let key_pair = rcgen::KeyPair::from_der(private_key_der.as_bytes()).unwrap(); + let key_pair = + rcgen::KeyPair::from_der(private_key_der.as_bytes(), &ring::rand::SystemRandom::new()) + .unwrap(); params.key_pair = Some(key_pair); let cert = Certificate::from_params(params)?; diff --git a/src/key_pair.rs b/src/key_pair.rs index 415db0fa..c234649b 100644 --- a/src/key_pair.rs +++ b/src/key_pair.rs @@ -1,6 +1,6 @@ #[cfg(feature = "pem")] use pem::Pem; -use ring::rand::SystemRandom; +use ring::rand::{SecureRandom, SystemRandom}; use ring::signature::KeyPair as RingKeyPair; use ring::signature::{self, EcdsaKeyPair, Ed25519KeyPair, RsaEncoding, RsaKeyPair}; use std::borrow::Cow; @@ -55,8 +55,8 @@ impl KeyPair { /// Parses the key pair from the DER format /// /// Equivalent to using the [`TryFrom`] implementation. - pub fn from_der(der: &[u8]) -> Result { - Ok(KeyPair::from_raw(der)?) + pub fn from_der(der: &[u8], rng: &dyn SecureRandom) -> Result { + Ok(KeyPair::from_raw(der, rng)?) } /// Returns the key pair's signature algorithm pub fn algorithm(&self) -> &'static SignatureAlgorithm { @@ -64,10 +64,10 @@ impl KeyPair { } /// Parses the key pair from the ASCII PEM format #[cfg(feature = "pem")] - pub fn from_pem(pem_str: &str) -> Result { + pub fn from_pem(pem_str: &str, rng: &dyn SecureRandom) -> Result { let private_key = pem::parse(pem_str)?; let private_key_der: &[_] = private_key.contents(); - Ok(KeyPair::from_raw(private_key_der)?) + Ok(KeyPair::from_raw(private_key_der, rng)?) } /// Obtains the key pair from a raw public key and a remote private key 
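Review bot: The doc comment on `from_der` still reads "Equivalent to using the [`TryFrom`] implementation", although the CHANGELOG context in this diff records that the `TryFrom` impls for `KeyPair` were removed, and the new `rng` argument is not documented at all. I would replace that sentence with `/// `rng` is handed to ring when the input is tried as an ECDSA key.` and add the same line to `from_pem` in the next hunk and to `from_pem_and_sign_algo` and `from_der_and_sign_algo` further down. In `from_der_and_sign_algo` only the two ECDSA branches receive `rng`, so its doc should add that RSA and Ed25519 keys ignore the parameter. As far as the visible hunks show, the generator is not kept in the returned `KeyPair`, which is worth stating so callers know what their choice of `SecureRandom` does and does not cover.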
@@ -87,10 +87,11 @@ impl KeyPair { pub fn from_pem_and_sign_algo( pem_str: &str, alg: &'static SignatureAlgorithm, + rng: &dyn SecureRandom, ) -> Result { let private_key = pem::parse(pem_str)?; let private_key_der: &[_] = private_key.contents(); - Ok(Self::from_der_and_sign_algo(private_key_der, alg)?) + Ok(Self::from_der_and_sign_algo(private_key_der, alg, rng)?) } /// Obtains the key pair from a DER formatted key @@ -105,6 +106,7 @@ impl KeyPair { pub fn from_der_and_sign_algo( pkcs8: &[u8], alg: &'static SignatureAlgorithm, + rng: &dyn SecureRandom, ) -> Result { let pkcs8_vec = pkcs8.to_vec(); @@ -114,11 +116,13 @@ impl KeyPair { KeyPairKind::Ec(EcdsaKeyPair::from_pkcs8( &signature::ECDSA_P256_SHA256_ASN1_SIGNING, pkcs8, + rng, )?) } else if alg == &PKCS_ECDSA_P384_SHA384 { KeyPairKind::Ec(EcdsaKeyPair::from_pkcs8( &signature::ECDSA_P384_SHA384_ASN1_SIGNING, pkcs8, + rng, )?) } else if alg == &PKCS_RSA_SHA256 { let rsakp = RsaKeyPair::from_pkcs8(pkcs8)?; @@ -143,17 +147,20 @@ impl KeyPair { }) } - pub(crate) fn from_raw<'b>(pkcs8: impl Into>) -> Result { + pub(crate) fn from_raw<'b>( + pkcs8: impl Into>, + rng: &dyn SecureRandom, + ) -> Result { let pkcs8 = pkcs8.into(); let (kind, alg) = if let Ok(edkp) = Ed25519KeyPair::from_pkcs8_maybe_unchecked(&pkcs8) { (KeyPairKind::Ed(edkp), &PKCS_ED25519) } else if let Ok(eckp) = - EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, &pkcs8) + EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, &pkcs8, rng) { (KeyPairKind::Ec(eckp), &PKCS_ECDSA_P256_SHA256) } else if let Ok(eckp) = - EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P384_SHA384_ASN1_SIGNING, &pkcs8) + EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P384_SHA384_ASN1_SIGNING, &pkcs8, rng) { (KeyPairKind::Ec(eckp), &PKCS_ECDSA_P384_SHA384) } else if let Ok(rsakp) = RsaKeyPair::from_pkcs8(&pkcs8) { 
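Review bot: In the `from_raw` hunk both `EcdsaKeyPair::from_pkcs8(.., rng)` probes sit behind `if let Ok(..)`, so an error caused by the caller's `rng` is handled exactly like "not a P-256/P-384 key" and the chain falls through to the RSA attempt. With a `SecureRandom` that can fail, a valid ECDSA key would then surface whatever error the last branch produces, which hides the real cause from whoever is debugging key loading. If ring's error type cannot separate the two cases, at least record the behaviour above the chain: `// NOTE: an Err from a failing rng is indistinguishable here from a key of another type.` The end of the if/else chain lies outside this hunk.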
@@ -190,15 +197,17 @@ pub trait RemoteKeyPair { impl KeyPair { /// Generate a new random key pair for the specified signature algorithm - pub fn generate(alg: &'static SignatureAlgorithm) -> Result { - let system_random = SystemRandom::new(); + pub fn generate( + alg: &'static SignatureAlgorithm, + rng: &dyn SecureRandom, + ) -> Result { match alg.sign_alg { SignAlgo::EcDsa(sign_alg) => { - let key_pair_doc = EcdsaKeyPair::generate_pkcs8(sign_alg, &system_random)?; + let key_pair_doc = EcdsaKeyPair::generate_pkcs8(sign_alg, rng)?; let key_pair_serialized = key_pair_doc.as_ref().to_vec(); let key_pair = - EcdsaKeyPair::from_pkcs8(&sign_alg, &&key_pair_doc.as_ref()).unwrap(); + EcdsaKeyPair::from_pkcs8(&sign_alg, &&key_pair_doc.as_ref(), rng).unwrap(); Ok(KeyPair { kind: KeyPairKind::Ec(key_pair), alg, @@ -206,7 +215,7 @@ impl KeyPair { }) }, SignAlgo::EdDsa(_sign_alg) => { - let key_pair_doc = Ed25519KeyPair::generate_pkcs8(&system_random)?; + let key_pair_doc = Ed25519KeyPair::generate_pkcs8(rng)?; let key_pair_serialized = key_pair_doc.as_ref().to_vec(); let key_pair = Ed25519KeyPair::from_pkcs8(&&key_pair_doc.as_ref()).unwrap(); @@ -254,7 +263,7 @@ impl KeyPair { }, KeyPairKind::Rsa(kp, padding_alg) => { let system_random = SystemRandom::new(); - let mut signature = vec![0; kp.public_modulus_len()]; + let mut signature = vec![0; kp.public().modulus_len()]; kp.sign(*padding_alg, &system_random, msg, &mut signature)?; let sig = &signature.as_ref(); writer.write_bitvec_bytes(&sig, &sig.len() * 8); @@ -363,7 +372,7 @@ mod test { let pkcs8 = EcdsaKeyPair::generate_pkcs8(&ECDSA_P256_SHA256_FIXED_SIGNING, &rng).unwrap(); let der = pkcs8.as_ref().to_vec(); - let key_pair = KeyPair::from_der(&der).unwrap(); + let key_pair = KeyPair::from_der(&der, &rng).unwrap(); assert_eq!(key_pair.algorithm(), &PKCS_ECDSA_P256_SHA256); } } diff --git a/src/lib.rs b/src/lib.rs index e3aa036e..5481b717 100644 --- a/src/lib.rs +++ b/src/lib.rs 
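Review bot: `EcdsaKeyPair::from_pkcs8(&sign_alg, &&key_pair_doc.as_ref(), rng).unwrap()` in `generate` can now panic on caller input, because the call no longer only re-parses a document ring has just produced but also receives the caller-supplied `rng`, and ring 0.17's `from_pkcs8` returns an error when that generator fails. The line above already propagates RNG failure from `generate_pkcs8` with `?`, so the second call should do the same: `EcdsaKeyPair::from_pkcs8(&sign_alg, &&key_pair_doc.as_ref(), rng)?;`. `from_der_and_sign_algo` applies `?` to the same ring call, so the error conversion probably exists, but the return type of `generate` is not readable in this hunk. The doc comment should also state that the strength of the generated key now depends on the `SecureRandom` passed in.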
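Review bot: The RSA signing branch in the `@@ -254,7 +263,7 @@` hunk still constructs its own `SystemRandom::new()`, so the `rng` that callers now pass to `generate` and the `from_*` constructors does not reach signing. That asymmetry is easy to miss for someone who supplies a custom `SecureRandom` and expects it to govern every use of randomness by the key pair. A comment on that line would make it explicit: `// Signing always uses the OS RNG; the rng given at construction is not retained.` The enclosing function starts and ends outside the hunk, so whether the ECDSA branch behaves the same way cannot be confirmed from here.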
@@ -1492,7 +1492,8 @@ fn write_general_subtrees(writer: DERWriter, tag: u64, general_subtrees: &[Gener impl Certificate { /// Generates a new certificate from the given parameters. /// - /// If there is no key pair included, then a new key pair will be generated and used. + /// If there is no key pair included, then a new key pair will be randomly generated and used. + /// If you want to control the [`KeyPair`] or the randomness used to generate it, set it ahead of time before calling this function. pub fn from_params(mut params: CertificateParams) -> Result { let key_pair = if let Some(key_pair) = params.key_pair.take() { if !key_pair.is_compatible(¶ms.alg) { @@ -1500,7 +1501,7 @@ impl Certificate { } key_pair } else { - KeyPair::generate(¶ms.alg)? + KeyPair::generate(¶ms.alg, &ring::rand::SystemRandom::new())? }; Ok(Certificate { params, key_pair }) diff --git a/tests/botan.rs b/tests/botan.rs index a33d51d1..4562729e 100644 --- a/tests/botan.rs +++ b/tests/botan.rs @@ -102,7 +102,11 @@ fn test_botan_25519_v1_given() { let mut params = default_params(); params.alg = &rcgen::PKCS_ED25519; - let kp = rcgen::KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V1).unwrap(); + let kp = rcgen::KeyPair::from_pem( + util::ED25519_TEST_KEY_PAIR_PEM_V1, + &ring::rand::SystemRandom::new(), + ) + .unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); @@ -118,7 +122,11 @@ fn test_botan_25519_v2_given() { let mut params = default_params(); params.alg = &rcgen::PKCS_ED25519; - let kp = rcgen::KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V2).unwrap(); + let kp = rcgen::KeyPair::from_pem( + util::ED25519_TEST_KEY_PAIR_PEM_V2, + &ring::rand::SystemRandom::new(), + ) + .unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); 
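Review bot: The new doc sentence on `Certificate::from_params` says to "set it ahead of time" without naming what to set, and it does not say which generator the fallback uses. The body takes the key from `params.key_pair` and otherwise calls `KeyPair::generate` with `ring::rand::SystemRandom::new()`, so the doc can say exactly that: `/// To control the [`KeyPair`] or the randomness used to create it, set [`CertificateParams::key_pair`] before calling this function; otherwise the key is generated with ring's `SystemRandom`.` Splitting it over two `///` lines would also keep it within the line width used elsewhere in the file.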
@@ -134,7 +142,11 @@ fn test_botan_rsa_given() { let mut params = default_params(); params.alg = &rcgen::PKCS_RSA_SHA256; - let kp = rcgen::KeyPair::from_pem(util::RSA_TEST_KEY_PAIR_PEM).unwrap(); + let kp = rcgen::KeyPair::from_pem( + util::RSA_TEST_KEY_PAIR_PEM, + &ring::rand::SystemRandom::new(), + ) + .unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); @@ -181,7 +193,8 @@ fn test_botan_imported_ca() { ca_cert.serialize_private_key_der(), ); - let ca_key_pair = KeyPair::from_der(ca_key_der.as_slice()).unwrap(); + let ca_key_pair = + KeyPair::from_der(ca_key_der.as_slice(), &ring::rand::SystemRandom::new()).unwrap(); let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der.as_slice(), ca_key_pair).unwrap(); let imported_ca_cert = Certificate::from_params(imported_ca_cert_params).unwrap(); @@ -217,7 +230,8 @@ fn test_botan_imported_ca_with_printable_string() { ca_cert.serialize_private_key_der(), ); - let ca_key_pair = KeyPair::from_der(ca_key_der.as_slice()).unwrap(); + let ca_key_pair = + KeyPair::from_der(ca_key_der.as_slice(), &ring::rand::SystemRandom::new()).unwrap(); let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der.as_slice(), ca_key_pair).unwrap(); let imported_ca_cert = Certificate::from_params(imported_ca_cert_params).unwrap(); diff --git a/tests/generic.rs b/tests/generic.rs index 679fea97..183daf80 100644 --- a/tests/generic.rs +++ b/tests/generic.rs 
@@ -35,9 +35,14 @@ mod test_key_params_mismatch { let mut wrong_params = util::default_params(); if i != 0 { - wrong_params.key_pair = Some(KeyPair::generate(kalg_1).unwrap()); + wrong_params.key_pair = + Some(KeyPair::generate(kalg_1, &ring::rand::SystemRandom::new()).unwrap()); } else { - let kp = KeyPair::from_pem(util::RSA_TEST_KEY_PAIR_PEM).unwrap(); + let kp = KeyPair::from_pem( + util::RSA_TEST_KEY_PAIR_PEM, + &ring::rand::SystemRandom::new(), + ) + .unwrap(); wrong_params.key_pair = Some(kp); } wrong_params.alg = *kalg_2; @@ -83,7 +88,8 @@ mod test_convert_x509_subject_alternative_name { let ca_der = cert.serialize_der().unwrap(); // Arbitrary key pair not used with the test, but required by the parsing function - let key_pair = KeyPair::generate(&PKCS_ECDSA_P256_SHA256).unwrap(); + let key_pair = + KeyPair::generate(&PKCS_ECDSA_P256_SHA256, &ring::rand::SystemRandom::new()).unwrap(); let actual = CertificateParams::from_ca_cert_der(&ca_der, key_pair).unwrap(); diff --git a/tests/openssl.rs b/tests/openssl.rs index b7d82756..45f27e67 100644 --- a/tests/openssl.rs +++ b/tests/openssl.rs @@ -233,7 +233,11 @@ fn test_openssl_25519_v1_given() { let mut params = util::default_params(); params.alg = &rcgen::PKCS_ED25519; - let kp = rcgen::KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V1).unwrap(); + let kp = rcgen::KeyPair::from_pem( + util::ED25519_TEST_KEY_PAIR_PEM_V1, + &ring::rand::SystemRandom::new(), + ) + .unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); @@ -254,7 +258,11 @@ fn test_openssl_25519_v2_given() { let mut params = util::default_params(); params.alg = &rcgen::PKCS_ED25519; - let kp = rcgen::KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V2).unwrap(); + let kp = rcgen::KeyPair::from_pem( + util::ED25519_TEST_KEY_PAIR_PEM_V2, + &ring::rand::SystemRandom::new(), + ) + .unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); 
@@ -272,7 +280,11 @@ fn test_openssl_rsa_given() { let mut params = util::default_params(); params.alg = &rcgen::PKCS_RSA_SHA256; - let kp = rcgen::KeyPair::from_pem(util::RSA_TEST_KEY_PAIR_PEM).unwrap(); + let kp = rcgen::KeyPair::from_pem( + util::RSA_TEST_KEY_PAIR_PEM, + &ring::rand::SystemRandom::new(), + ) + .unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); @@ -294,7 +306,12 @@ fn test_openssl_rsa_combinations_given() { let mut params = util::default_params(); params.alg = alg; - let kp = rcgen::KeyPair::from_pem_and_sign_algo(util::RSA_TEST_KEY_PAIR_PEM, alg).unwrap(); + let kp = rcgen::KeyPair::from_pem_and_sign_algo( + util::RSA_TEST_KEY_PAIR_PEM, + alg, + &ring::rand::SystemRandom::new(), + ) + .unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); diff --git a/tests/webpki.rs b/tests/webpki.rs index 78b92e91..1b32ea2c 100644 --- a/tests/webpki.rs +++ b/tests/webpki.rs @@ -25,7 +25,8 @@ mod util; fn sign_msg_ecdsa(cert: &Certificate, msg: &[u8], alg: &'static EcdsaSigningAlgorithm) -> Vec { let pk_der = cert.serialize_private_key_der(); - let key_pair = EcdsaKeyPair::from_pkcs8(&alg, &pk_der).unwrap(); + let key_pair = + EcdsaKeyPair::from_pkcs8(&alg, &pk_der, &ring::rand::SystemRandom::new()).unwrap(); let system_random = SystemRandom::new(); let signature = key_pair.sign(&system_random, &msg).unwrap(); signature.as_ref().to_vec() @@ -43,7 +44,7 @@ fn sign_msg_rsa(cert: &Certificate, msg: &[u8], encoding: &'static dyn RsaEncodi let pk_der = cert.serialize_private_key_der(); let key_pair = RsaKeyPair::from_pkcs8(&pk_der).unwrap(); let system_random = SystemRandom::new(); - let mut signature = vec![0; key_pair.public_modulus_len()]; + let mut signature = vec![0; key_pair.public().modulus_len()]; key_pair .sign(encoding, &system_random, &msg, &mut signature) .unwrap(); 
@@ -163,7 +164,11 @@ fn test_webpki_25519_v1_given() { let mut params = util::default_params(); params.alg = &rcgen::PKCS_ED25519; - let kp = rcgen::KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V1).unwrap(); + let kp = rcgen::KeyPair::from_pem( + util::ED25519_TEST_KEY_PAIR_PEM_V1, + &ring::rand::SystemRandom::new(), + ) + .unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); @@ -180,7 +185,11 @@ fn test_webpki_25519_v2_given() { let mut params = util::default_params(); params.alg = &rcgen::PKCS_ED25519; - let kp = rcgen::KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V2).unwrap(); + let kp = rcgen::KeyPair::from_pem( + util::ED25519_TEST_KEY_PAIR_PEM_V2, + &ring::rand::SystemRandom::new(), + ) + .unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); @@ -197,7 +206,11 @@ fn test_webpki_rsa_given() { let mut params = util::default_params(); params.alg = &rcgen::PKCS_RSA_SHA256; - let kp = rcgen::KeyPair::from_pem(util::RSA_TEST_KEY_PAIR_PEM).unwrap(); + let kp = rcgen::KeyPair::from_pem( + util::RSA_TEST_KEY_PAIR_PEM, + &ring::rand::SystemRandom::new(), + ) + .unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); @@ -237,7 +250,12 @@ fn test_webpki_rsa_combinations_given() { for c in configs { let mut params = util::default_params(); params.alg = c.0; - let kp = rcgen::KeyPair::from_pem_and_sign_algo(util::RSA_TEST_KEY_PAIR_PEM, c.0).unwrap(); + let kp = rcgen::KeyPair::from_pem_and_sign_algo( + util::RSA_TEST_KEY_PAIR_PEM, + c.0, + &ring::rand::SystemRandom::new(), + ) + .unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); 
@@ -334,15 +352,18 @@ fn from_remote() { } } - let key_pair = KeyPair::generate(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap(); + let rng = ring::rand::SystemRandom::new(); + let key_pair = KeyPair::generate(&rcgen::PKCS_ECDSA_P256_SHA256, &rng).unwrap(); let remote = EcdsaKeyPair::from_pkcs8( &signature::ECDSA_P256_SHA256_ASN1_SIGNING, &key_pair.serialize_der(), + &rng, ) .unwrap(); let key_pair = EcdsaKeyPair::from_pkcs8( &signature::ECDSA_P256_SHA256_ASN1_SIGNING, &key_pair.serialize_der(), + &rng, ) .unwrap(); let remote = KeyPair::from_remote(Box::new(Remote(remote))).unwrap(); @@ -413,7 +434,8 @@ fn test_webpki_imported_ca() { ca_cert.serialize_private_key_der(), ); - let ca_key_pair = KeyPair::from_der(ca_key_der.as_slice()).unwrap(); + let ca_key_pair = + KeyPair::from_der(ca_key_der.as_slice(), &ring::rand::SystemRandom::new()).unwrap(); let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der.as_slice(), ca_key_pair).unwrap(); let imported_ca_cert = Certificate::from_params(imported_ca_cert_params).unwrap(); @@ -455,7 +477,8 @@ fn test_webpki_imported_ca_with_printable_string() { ca_cert.serialize_private_key_der(), ); - let ca_key_pair = KeyPair::from_der(ca_key_der.as_slice()).unwrap(); + let ca_key_pair = + KeyPair::from_der(ca_key_der.as_slice(), &ring::rand::SystemRandom::new()).unwrap(); let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der.as_slice(), ca_key_pair).unwrap(); let imported_ca_cert = Certificate::from_params(imported_ca_cert_params).unwrap();