From 61c1226325b6c62656f9e9c276c860f907f46475 Mon Sep 17 00:00:00 2001 From: Justin Smith Date: Tue, 11 Feb 2025 09:51:50 -0500 Subject: [PATCH] Migrate functionality to ConstPointer<'_, EVP_PKEY> --- aws-lc-rs/src/agreement.rs | 6 +- aws-lc-rs/src/ec/encoding.rs | 6 +- aws-lc-rs/src/ec/key_pair.rs | 2 +- aws-lc-rs/src/ec/signature.rs | 2 +- aws-lc-rs/src/ed25519.rs | 24 +++--- aws-lc-rs/src/evp_pkey.rs | 122 +++++++++++++++---------------- aws-lc-rs/src/kem.rs | 2 +- aws-lc-rs/src/pqdsa.rs | 17 +++-- aws-lc-rs/src/pqdsa/key_pair.rs | 8 +- aws-lc-rs/src/pqdsa/signature.rs | 4 +- aws-lc-rs/src/rsa/encoding.rs | 4 +- aws-lc-rs/src/rsa/encryption.rs | 14 ++-- aws-lc-rs/src/rsa/key.rs | 14 ++-- aws-lc-rs/src/rsa/signature.rs | 4 +- 14 files changed, 116 insertions(+), 113 deletions(-) diff --git a/aws-lc-rs/src/agreement.rs b/aws-lc-rs/src/agreement.rs index cdd9d01cf9b..e8099cb2b66 100644 --- a/aws-lc-rs/src/agreement.rs +++ b/aws-lc-rs/src/agreement.rs @@ -403,7 +403,7 @@ impl PrivateKey { } KeyInner::X25519(priv_key) => { let mut buffer = [0u8; MAX_PUBLIC_KEY_LEN]; - let out_len = priv_key.marshal_raw_public_to_buffer(&mut buffer)?; + let out_len = priv_key.as_const().marshal_raw_public_to_buffer(&mut buffer)?; Ok(PublicKey { inner_key: self.inner_key.clone(), public_key: buffer, @@ -478,7 +478,7 @@ impl AsBigEndian> for PrivateKey { return Err(Unspecified); } let evp_pkey = self.inner_key.get_evp_pkey(); - Ok(Curve25519SeedBin::new(evp_pkey.marshal_raw_private_key()?)) + Ok(Curve25519SeedBin::new(evp_pkey.as_const().marshal_raw_private_key()?)) } } @@ -545,7 +545,7 @@ impl AsDer> for PublicKey { | KeyInner::ECDH_P384(evp_pkey) | KeyInner::ECDH_P521(evp_pkey) | KeyInner::X25519(evp_pkey) => { - let der = evp_pkey.marshal_rfc5280_public_key()?; + let der = evp_pkey.as_const().marshal_rfc5280_public_key()?; Ok(PublicKeyX509Der::from(Buffer::new(der))) } } diff --git a/aws-lc-rs/src/ec/encoding.rs b/aws-lc-rs/src/ec/encoding.rs index 2f79b169243..5fc2beee2d3 100644 
--- a/aws-lc-rs/src/ec/encoding.rs +++ b/aws-lc-rs/src/ec/encoding.rs @@ -135,9 +135,9 @@ pub(crate) mod sec1 { compressed: bool, ) -> Result, Unspecified> { let pub_key_size = if compressed { - compressed_public_key_size_bytes(evp_pkey.key_size_bits()) + compressed_public_key_size_bytes(evp_pkey.as_const().key_size_bits()) } else { - uncompressed_public_key_size_bytes(evp_pkey.key_size_bits()) + uncompressed_public_key_size_bytes(evp_pkey.as_const().key_size_bits()) }; let mut cbb = LcCBB::new(pub_key_size); marshal_sec1_public_point_into_cbb(&mut cbb, evp_pkey, compressed)?; @@ -245,7 +245,7 @@ pub(crate) mod rfc5915 { let ec_key = evp_pkey.project_const_lifetime(unsafe { |evp_pkey| EVP_PKEY_get0_EC_KEY(*evp_pkey.as_const()) })?; - let mut cbb = LcCBB::new(evp_pkey.key_size_bytes()); + let mut cbb = LcCBB::new(evp_pkey.as_const().key_size_bytes()); let enc_flags = unsafe { EC_KEY_get_enc_flags(*ec_key) }; if 1 != unsafe { EC_KEY_marshal_private_key(cbb.as_mut_ptr(), *ec_key, enc_flags) } { return Err(Unspecified); diff --git a/aws-lc-rs/src/ec/key_pair.rs b/aws-lc-rs/src/ec/key_pair.rs index a9590d07251..1d666a8fa83 100644 --- a/aws-lc-rs/src/ec/key_pair.rs +++ b/aws-lc-rs/src/ec/key_pair.rs @@ -128,7 +128,7 @@ impl EcdsaKeyPair { /// pub fn to_pkcs8v1(&self) -> Result { Ok(Document::new( - self.evp_pkey.marshal_rfc5208_private_key(Version::V1)?, + self.evp_pkey.as_const().marshal_rfc5208_private_key(Version::V1)?, )) } diff --git a/aws-lc-rs/src/ec/signature.rs b/aws-lc-rs/src/ec/signature.rs index b72b15af69a..dc83bdee62f 100644 --- a/aws-lc-rs/src/ec/signature.rs +++ b/aws-lc-rs/src/ec/signature.rs @@ -121,7 +121,7 @@ impl AsDer> for PublicKey { /// # Errors /// Returns an error if the public key fails to marshal to X.509. fn as_der(&self) -> Result, Unspecified> { - let der = self.evp_pkey.marshal_rfc5280_public_key()?; + let der = self.evp_pkey.as_const().marshal_rfc5280_public_key()?; Ok(PublicKeyX509Der::new(der)) } } 
diff --git a/aws-lc-rs/src/ed25519.rs b/aws-lc-rs/src/ed25519.rs index 02c2f60de49..fa132b0faff 100644 --- a/aws-lc-rs/src/ed25519.rs +++ b/aws-lc-rs/src/ed25519.rs @@ -152,7 +152,7 @@ impl AsDer> for PublicKey { // 2:d=1 hl=2 l= 5 cons: SEQUENCE // 4:d=2 hl=2 l= 3 prim: OBJECT :ED25519 // 9:d=1 hl=2 l= 33 prim: BIT STRING - let der = self.evp_pkey.marshal_rfc5280_public_key()?; + let der = self.evp_pkey.as_const().marshal_rfc5280_public_key()?; Ok(PublicKeyX509Der::from(Buffer::new(der))) } } @@ -181,7 +181,7 @@ impl Ed25519KeyPair { let evp_pkey = generate_key()?; let mut public_key = [0u8; ED25519_PUBLIC_KEY_LEN]; - let out_len: usize = evp_pkey.marshal_raw_public_to_buffer(&mut public_key)?; + let out_len: usize = evp_pkey.as_const().marshal_raw_public_to_buffer(&mut public_key)?; debug_assert_eq!(public_key.len(), out_len); Ok(Self { @@ -218,7 +218,7 @@ impl Ed25519KeyPair { pub fn generate_pkcs8(_rng: &dyn SecureRandom) -> Result { let evp_pkey = generate_key()?; Ok(Document::new( - evp_pkey.marshal_rfc5208_private_key(Version::V2)?, + evp_pkey.as_const().marshal_rfc5208_private_key(Version::V2)?, )) } @@ -229,7 +229,7 @@ impl Ed25519KeyPair { /// pub fn to_pkcs8(&self) -> Result { Ok(Document::new( - self.evp_pkey.marshal_rfc5208_private_key(Version::V2)?, + self.evp_pkey.as_const().marshal_rfc5208_private_key(Version::V2)?, )) } @@ -250,7 +250,7 @@ impl Ed25519KeyPair { pub fn generate_pkcs8v1(_rng: &dyn SecureRandom) -> Result { let evp_pkey = generate_key()?; Ok(Document::new( - evp_pkey.marshal_rfc5208_private_key(Version::V1)?, + evp_pkey.as_const().marshal_rfc5208_private_key(Version::V1)?, )) } @@ -261,7 +261,7 @@ impl Ed25519KeyPair { /// pub fn to_pkcs8v1(&self) -> Result { Ok(Document::new( - self.evp_pkey.marshal_rfc5208_private_key(Version::V1)?, + self.evp_pkey.as_const().marshal_rfc5208_private_key(Version::V1)?, )) } 
@@ -306,7 +306,7 @@ impl Ed25519KeyPair { let evp_pkey = LcPtr::::parse_raw_private_key(seed, EVP_PKEY_ED25519)?; let mut derived_public_key = [0u8; ED25519_PUBLIC_KEY_LEN]; - let out_len: usize = evp_pkey.marshal_raw_public_to_buffer(&mut derived_public_key)?; + let out_len: usize = evp_pkey.as_const().marshal_raw_public_to_buffer(&mut derived_public_key)?; debug_assert_eq!(derived_public_key.len(), out_len); Ok(Self { @@ -359,10 +359,10 @@ impl Ed25519KeyPair { fn parse_pkcs8(pkcs8: &[u8]) -> Result { let evp_pkey = LcPtr::::parse_rfc5208_private_key(pkcs8, EVP_PKEY_ED25519)?; - evp_pkey.validate_as_ed25519()?; + evp_pkey.as_const().validate_as_ed25519()?; let mut public_key = [0u8; ED25519_PUBLIC_KEY_LEN]; - let out_len: usize = evp_pkey.marshal_raw_public_to_buffer(&mut public_key)?; + let out_len: usize = evp_pkey.as_const().marshal_raw_public_to_buffer(&mut public_key)?; debug_assert_eq!(public_key.len(), out_len); Ok(Self { @@ -405,7 +405,7 @@ impl Ed25519KeyPair { /// Currently the function cannot fail, but it might in future implementations. pub fn seed(&self) -> Result, Unspecified> { Ok(Seed { - bytes: self.evp_pkey.marshal_raw_private_key()?.into_boxed_slice(), + bytes: self.evp_pkey.as_const().marshal_raw_private_key()?.into_boxed_slice(), phantom: PhantomData, }) } @@ -418,7 +418,7 @@ impl AsDer> for Ed25519KeyPair { /// `error::Unspecified` on internal error. fn as_der(&self) -> Result, crate::error::Unspecified> { Ok(Pkcs8V1Der::new( - self.evp_pkey.marshal_rfc5208_private_key(Version::V1)?, + self.evp_pkey.as_const().marshal_rfc5208_private_key(Version::V1)?, )) } } @@ -430,7 +430,7 @@ impl AsDer> for Ed25519KeyPair { /// `error::Unspecified` on internal error. fn as_der(&self) -> Result, crate::error::Unspecified> { Ok(Pkcs8V2Der::new( - self.evp_pkey.marshal_rfc5208_private_key(Version::V2)?, + self.evp_pkey.as_const().marshal_rfc5208_private_key(Version::V2)?, )) } } 
diff --git a/aws-lc-rs/src/evp_pkey.rs b/aws-lc-rs/src/evp_pkey.rs index 7f660e98964..9edef5eb853 100644 --- a/aws-lc-rs/src/evp_pkey.rs +++ b/aws-lc-rs/src/evp_pkey.rs @@ -43,7 +43,7 @@ impl EVP_PKEY_CTX_consumer for T where T: Fn(*mut EVP_PKEY_CTX) -> Result<(), #[allow(non_upper_case_globals, clippy::type_complexity)] pub(crate) const No_EVP_PKEY_CTX_consumer: Option Result<(), ()>> = None; -impl LcPtr { +impl ConstPointer<'_, EVP_PKEY> { pub(crate) fn validate_as_ed25519(&self) -> Result<(), KeyRejected> { const ED25519_KEY_TYPE: c_int = EVP_PKEY_ED25519; const ED25519_MIN_BITS: c_int = 253; @@ -79,7 +79,7 @@ impl LcPtr { // EVP_PKEY_X448 = 961; // EVP_PKEY_ED448 = 960; pub(crate) fn id(&self) -> i32 { - unsafe { EVP_PKEY_id(*self.as_const()) } + unsafe { EVP_PKEY_id(**self) } } pub(crate) fn key_size_bytes(&self) -> usize { @@ -87,27 +87,21 @@ impl LcPtr { } pub(crate) fn key_size_bits(&self) -> usize { - unsafe { EVP_PKEY_bits(*self.as_const()) } - .try_into() - .unwrap() + unsafe { EVP_PKEY_bits(**self) }.try_into().unwrap() } pub(crate) fn signature_size_bytes(&self) -> usize { - unsafe { EVP_PKEY_size(*self.as_const()) } - .try_into() - .unwrap() + unsafe { EVP_PKEY_size(**self) }.try_into().unwrap() } #[allow(dead_code)] pub(crate) fn get_ec_key(&self) -> Result, KeyRejected> { - self.project_const_lifetime(unsafe { - |evp_pkey| EVP_PKEY_get0_EC_KEY(*evp_pkey.as_const()) - }) - .map_err(|()| KeyRejected::wrong_algorithm()) + self.project_const_lifetime(unsafe { |evp_pkey| EVP_PKEY_get0_EC_KEY(**evp_pkey) }) + .map_err(|()| KeyRejected::wrong_algorithm()) } pub(crate) fn get_rsa(&self) -> Result, KeyRejected> { - self.project_const_lifetime(unsafe { |evp_pkey| EVP_PKEY_get0_RSA(*evp_pkey.as_const()) }) + self.project_const_lifetime(unsafe { |evp_pkey| EVP_PKEY_get0_RSA(**evp_pkey) }) .map_err(|()| KeyRejected::wrong_algorithm()) } 
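Review bot: In aws-lc-rs/src/evp_pkey.rs, `id()` now dereferences the receiver directly with `unsafe { EVP_PKEY_id(**self) }`, and none of the unsafe blocks moved onto `ConstPointer<'_, EVP_PKEY>` says why the raw pointer is valid. The receiver is no longer the owning `LcPtr`, so each block should state the invariant it relies on, for example `// SAFETY: ConstPointer holds a non-null EVP_PKEY that stays alive for the lifetime of this borrow.` The wording must match what `ConstPointer` actually guarantees, which this diff does not show. The same applies to `key_size_bits`, `signature_size_bytes` and the `marshal_*` functions in the later hunks of this file; the impl block starts and ends outside this hunk.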
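Review bot: `key_size_bits` and `signature_size_bytes` convert the C `int` result with `.try_into().unwrap()`, so a negative return from `EVP_PKEY_bits` or `EVP_PKEY_size` would become a message-less panic inside the library. If a negative value cannot occur, record that invariant: `unsafe { EVP_PKEY_bits(**self) }.try_into().expect("EVP_PKEY_bits is non-negative")`, in line with the `expect("fit in usize")` already used in `marshal_rfc5208_private_key`. These helpers are called from the size checks on caller-supplied RSA keys (the `2048..=8192` matches in rsa/), so if such a value can occur the result is a crash rather than a rejected key.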
@@ -116,43 +110,27 @@ impl LcPtr { // size in bytes for keys ranging from 2048-bit to 4096-bit. So size the initial capacity to be roughly // 500% as a conservative estimate to avoid needing to reallocate for any key in that range. let mut cbb = LcCBB::new(self.key_size_bytes() * 5); - if 1 != unsafe { EVP_marshal_public_key(cbb.as_mut_ptr(), *self.as_const()) } { + if 1 != unsafe { EVP_marshal_public_key(cbb.as_mut_ptr(), **self) } { return Err(Unspecified); } cbb.into_vec() } - pub(crate) fn parse_rfc5280_public_key( - bytes: &[u8], - evp_pkey_type: c_int, - ) -> Result { - let mut cbs = cbs::build_CBS(bytes); - // Also checks the validity of the key - let evp_pkey = LcPtr::new(unsafe { EVP_parse_public_key(&mut cbs) }) - .map_err(|()| KeyRejected::invalid_encoding())?; - evp_pkey - .id() - .eq(&evp_pkey_type) - .then_some(evp_pkey) - .ok_or(KeyRejected::wrong_algorithm()) - } - pub(crate) fn marshal_rfc5208_private_key( &self, version: Version, ) -> Result, Unspecified> { - let key_size_bytes = TryInto::::try_into(unsafe { EVP_PKEY_bits(*self.as_const()) }) - .expect("fit in usize") - / 8; + let key_size_bytes = + TryInto::::try_into(unsafe { EVP_PKEY_bits(**self) }).expect("fit in usize") / 8; let mut cbb = LcCBB::new(key_size_bytes * 5); match version { Version::V1 => { - if 1 != unsafe { EVP_marshal_private_key(cbb.as_mut_ptr(), *self.as_const()) } { + if 1 != unsafe { EVP_marshal_private_key(cbb.as_mut_ptr(), **self) } { return Err(Unspecified); } } Version::V2 => { - if 1 != unsafe { EVP_marshal_private_key_v2(cbb.as_mut_ptr(), *self.as_const()) } { + if 1 != unsafe { EVP_marshal_private_key_v2(cbb.as_mut_ptr(), **self) } { return Err(Unspecified); } } 
@@ -160,32 +138,9 @@ impl LcPtr { cbb.into_vec() } - pub(crate) fn parse_rfc5208_private_key( - bytes: &[u8], - evp_pkey_type: c_int, - ) -> Result { - let mut cbs = cbs::build_CBS(bytes); - // Also checks the validity of the key - let evp_pkey = LcPtr::new(unsafe { EVP_parse_private_key(&mut cbs) }) - .map_err(|()| KeyRejected::invalid_encoding())?; - evp_pkey - .id() - .eq(&evp_pkey_type) - .then_some(evp_pkey) - .ok_or(KeyRejected::wrong_algorithm()) - } - - #[allow(non_snake_case)] - pub(crate) fn create_EVP_PKEY_CTX(&self) -> Result, ()> { - // The only modification made by EVP_PKEY_CTX_new to `priv_key` is to increment its - // refcount. The modification is made while holding a global lock: - // https://github.com/aws/aws-lc/blob/61503f7fe72457e12d3446853a5452d175560c49/crypto/refcount_lock.c#L29 - LcPtr::new(unsafe { EVP_PKEY_CTX_new(*self.as_mut_unsafe(), null_mut()) }) - } - pub(crate) fn marshal_raw_private_key(&self) -> Result, Unspecified> { let mut size = 0; - if 1 != unsafe { EVP_PKEY_get_raw_private_key(*self.as_const(), null_mut(), &mut size) } { + if 1 != unsafe { EVP_PKEY_get_raw_private_key(**self, null_mut(), &mut size) } { return Err(Unspecified); } let mut buffer = vec![0u8; size]; @@ -199,9 +154,7 @@ impl LcPtr { buffer: &mut [u8], ) -> Result { let mut key_len = buffer.len(); - if 1 == unsafe { - EVP_PKEY_get_raw_private_key(*self.as_const(), buffer.as_mut_ptr(), &mut key_len) - } { + if 1 == unsafe { EVP_PKEY_get_raw_private_key(**self, buffer.as_mut_ptr(), &mut key_len) } { Ok(key_len) } else { Err(Unspecified) @@ -211,7 +164,7 @@ impl LcPtr { #[allow(dead_code)] pub(crate) fn marshal_raw_public_key(&self) -> Result, Unspecified> { let mut size = 0; - if 1 != unsafe { EVP_PKEY_get_raw_public_key(*self.as_const(), null_mut(), &mut size) } { + if 1 != unsafe { EVP_PKEY_get_raw_public_key(**self, null_mut(), &mut size) } { return Err(Unspecified); } let mut buffer = vec![0u8; size]; 
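Review bot: `marshal_raw_private_key` in evp_pkey.rs copies secret key material into a plain `vec![0u8; size]` and returns it, and nothing documents who is responsible for wiping that buffer. Callers in this patch pass the bytes to `Seed`, `Curve25519SeedBin::new` and `PqdsaPrivateKeyBin::new`; whether those wrappers zeroize on drop is not visible here. I would add a doc comment such as `/// Returns the raw private key. The buffer holds secret bytes; callers must move it into a zeroizing container.` so the contract is explicit now that the method is available on any `ConstPointer`. The function body continues past the end of this hunk.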
@@ -229,7 +182,7 @@ impl LcPtr { // `EVP_PKEY_get_raw_public_key` writes the total length // to `encapsulate_key_size` in the event that the buffer we provide is larger then // required. - EVP_PKEY_get_raw_public_key(*self.as_const(), buffer.as_mut_ptr(), &mut key_len) + EVP_PKEY_get_raw_public_key(**self, buffer.as_mut_ptr(), &mut key_len) } { Ok(key_len) } else { @@ -237,6 +190,49 @@ impl LcPtr { } } +} + +impl LcPtr { + pub(crate) fn parse_rfc5280_public_key( + bytes: &[u8], + evp_pkey_type: c_int, + ) -> Result { + let mut cbs = cbs::build_CBS(bytes); + // Also checks the validity of the key + let evp_pkey = LcPtr::new(unsafe { EVP_parse_public_key(&mut cbs) }) + .map_err(|()| KeyRejected::invalid_encoding())?; + evp_pkey + .as_const() + .id() + .eq(&evp_pkey_type) + .then_some(evp_pkey) + .ok_or(KeyRejected::wrong_algorithm()) + } + + pub(crate) fn parse_rfc5208_private_key( + bytes: &[u8], + evp_pkey_type: c_int, + ) -> Result { + let mut cbs = cbs::build_CBS(bytes); + // Also checks the validity of the key + let evp_pkey = LcPtr::new(unsafe { EVP_parse_private_key(&mut cbs) }) + .map_err(|()| KeyRejected::invalid_encoding())?; + evp_pkey + .as_const() + .id() + .eq(&evp_pkey_type) + .then_some(evp_pkey) + .ok_or(KeyRejected::wrong_algorithm()) + } + + #[allow(non_snake_case)] + pub(crate) fn create_EVP_PKEY_CTX(&self) -> Result, ()> { + // The only modification made by EVP_PKEY_CTX_new to `priv_key` is to increment its + // refcount. The modification is made while holding a global lock: + // https://github.com/aws/aws-lc/blob/61503f7fe72457e12d3446853a5452d175560c49/crypto/refcount_lock.c#L29 + LcPtr::new(unsafe { EVP_PKEY_CTX_new(*self.as_mut_unsafe(), null_mut()) }) + } + pub(crate) fn parse_raw_private_key( bytes: &[u8], evp_pkey_type: c_int, diff --git a/aws-lc-rs/src/kem.rs b/aws-lc-rs/src/kem.rs index 8a54a5498e0..f7c25d2f884 100644 --- a/aws-lc-rs/src/kem.rs +++ b/aws-lc-rs/src/kem.rs 
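Review bot: In the new `impl LcPtr` block of evp_pkey.rs, `parse_rfc5280_public_key` and `parse_rfc5208_private_key` never check that the input was fully consumed. `EVP_parse_public_key` and `EVP_parse_private_key` advance `cbs` past one structure, so any bytes after it are accepted silently, which makes key encodings malleable. Unless `cbs::build_CBS` or the callers already enforce this (not visible in the diff), add a check after the parse, for example `if unsafe { CBS_len(&cbs) } != 0 { return Err(KeyRejected::invalid_encoding()); }`. The `// Also checks the validity of the key` comment could also name which checks the parser performs. The impl block continues outside the hunk.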
@@ -362,7 +362,7 @@ where let mut encapsulate_bytes = vec![0u8; self.algorithm.encapsulate_key_size()]; let encapsulate_key_size = self .evp_pkey - .marshal_raw_public_to_buffer(&mut encapsulate_bytes)?; + .as_const().marshal_raw_public_to_buffer(&mut encapsulate_bytes)?; debug_assert_eq!(encapsulate_key_size, encapsulate_bytes.len()); encapsulate_bytes.truncate(encapsulate_key_size); diff --git a/aws-lc-rs/src/pqdsa.rs b/aws-lc-rs/src/pqdsa.rs index 51b0bed0295..edc2c59996b 100644 --- a/aws-lc-rs/src/pqdsa.rs +++ b/aws-lc-rs/src/pqdsa.rs @@ -81,7 +81,7 @@ pub(crate) fn validate_pqdsa_evp_key( evp_pkey: &LcPtr, id: &'static AlgorithmID, ) -> Result<(), KeyRejected> { - if evp_pkey.key_size_bytes() == id.pub_key_size_bytes() { + if evp_pkey.as_const().key_size_bytes() == id.pub_key_size_bytes() { Ok(()) } else { Err(KeyRejected::unspecified()) 
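Review bot: The kem.rs hunk puts `.as_const().marshal_raw_public_to_buffer(&mut encapsulate_bytes)?;` on a single line inside a chain that is otherwise broken one call per line, which is not how rustfmt lays out method chains. The same pattern appears in pqdsa/key_pair.rs (`.as_const().marshal_rfc5208_private_key(pkcs8::Version::V1)?`), and evp_pkey.rs leaves an empty line before the closing brace of `impl ConstPointer<'_, EVP_PKEY>`. Running `cargo fmt` over the patch would normalise these and keep the mechanical `.as_const()` insertions easy to audit.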
@@ -118,24 +118,27 @@ mod tests { fn test_keygen() { for nid in [NID_MLDSA44, NID_MLDSA65, NID_MLDSA87] { let key = evp_key_pqdsa_generate(nid).unwrap(); - println!("key size: {:?}", key.key_size_bytes()); + println!("key size: {:?}", key.as_const().key_size_bytes()); test_serialization_for(&key, &AlgorithmID::from_nid(nid).unwrap()); test_signing_for(&key, &AlgorithmID::from_nid(nid).unwrap()); } } fn test_serialization_for(evp_pkey: &LcPtr, id: &AlgorithmID) { - let public_buffer = evp_pkey.marshal_rfc5280_public_key().unwrap(); + let public_buffer = evp_pkey.as_const().marshal_rfc5280_public_key().unwrap(); println!("public marshall: {public_buffer:?}"); let key_public = LcPtr::::parse_rfc5280_public_key(&public_buffer, EVP_PKEY_PQDSA).unwrap(); - let private_buffer = evp_pkey.marshal_rfc5208_private_key(Version::V1).unwrap(); + let private_buffer = evp_pkey + .as_const() + .marshal_rfc5208_private_key(Version::V1) + .unwrap(); println!("private marshall: {private_buffer:?}"); let key_private = LcPtr::::parse_rfc5208_private_key(&private_buffer, EVP_PKEY_PQDSA).unwrap(); - let raw_public_buffer = key_public.marshal_raw_public_key().unwrap(); + let raw_public_buffer = key_public.as_const().marshal_raw_public_key().unwrap(); assert_eq!(raw_public_buffer.len(), id.pub_key_size_bytes()); println!("raw public size: {}", raw_public_buffer.len()); let key_public2 = @@ -145,7 +148,7 @@ mod tests { EVP_PKEY_cmp(*key_public.as_const(), *key_public2.as_const()) }); - let raw_private_buffer = key_private.marshal_raw_private_key().unwrap(); + let raw_private_buffer = key_private.as_const().marshal_raw_private_key().unwrap(); assert_eq!(raw_private_buffer.len(), id.priv_key_size_bytes()); println!("raw private size: {}", raw_private_buffer.len()); let key_private2 = 
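Review bot: `test_serialization_for` in pqdsa.rs prints the whole PKCS#8 encoding with `println!("private marshall: {private_buffer:?}")`. The key is generated inside the test, so nothing long-lived is exposed, but writing private-key bytes to test output is a habit worth dropping and it fills CI logs with kilobytes of noise. Printing only the length keeps the diagnostic, as the raw-key lines further down already do: `println!("private marshall size: {}", private_buffer.len());`.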
@@ -161,7 +164,7 @@ mod tests { .sign(message, None, No_EVP_PKEY_CTX_consumer) .unwrap(); println!("signature size: {}", signature.len()); - assert_eq!(signature.len(), evp_pkey.signature_size_bytes()); + assert_eq!(signature.len(), evp_pkey.as_const().signature_size_bytes()); assert_eq!(signature.len(), id.signature_size_bytes()); evp_pkey .verify(message, None, No_EVP_PKEY_CTX_consumer, &signature) diff --git a/aws-lc-rs/src/pqdsa/key_pair.rs b/aws-lc-rs/src/pqdsa/key_pair.rs index b1343b55f04..99f231bc609 100644 --- a/aws-lc-rs/src/pqdsa/key_pair.rs +++ b/aws-lc-rs/src/pqdsa/key_pair.rs @@ -62,7 +62,7 @@ impl AsDer> for PqdsaPrivateKey<'_> { Ok(Pkcs8V1Der::new( self.0 .evp_pkey - .marshal_rfc5208_private_key(pkcs8::Version::V1)?, + .as_const().marshal_rfc5208_private_key(pkcs8::Version::V1)?, )) } } @@ -70,7 +70,7 @@ impl AsDer> for PqdsaPrivateKey<'_> { impl AsRawBytes> for PqdsaPrivateKey<'_> { fn as_raw_bytes(&self) -> Result, Unspecified> { Ok(PqdsaPrivateKeyBin::new( - self.0.evp_pkey.marshal_raw_private_key()?, + self.0.evp_pkey.as_const().marshal_raw_private_key()?, )) } } @@ -142,7 +142,7 @@ impl PqdsaKeyPair { // Verify the public/private key correspond let pub_evp_pkey = LcPtr::::parse_raw_public_key(raw_public_key, EVP_PKEY_PQDSA)?; - let pubkey_octets = priv_evp_pkey.marshal_raw_public_key()?; + let pubkey_octets = priv_evp_pkey.as_const().marshal_raw_public_key()?; verify_slices_are_equal(pubkey_octets.as_slice(), &pubkey.octets)?; Ok(Self { @@ -182,7 +182,7 @@ impl PqdsaKeyPair { /// Returns `Unspecified` if serialization fails. pub fn to_pkcs8(&self) -> Result { Ok(Document::new( - self.evp_pkey.marshal_rfc5208_private_key(Version::V1)?, + self.evp_pkey.as_const().marshal_rfc5208_private_key(Version::V1)?, )) } diff --git a/aws-lc-rs/src/pqdsa/signature.rs b/aws-lc-rs/src/pqdsa/signature.rs index 992af8bfd16..af385adc4bc 100644 --- a/aws-lc-rs/src/pqdsa/signature.rs +++ b/aws-lc-rs/src/pqdsa/signature.rs 
@@ -44,7 +44,7 @@ unsafe impl Sync for PublicKey {} impl PublicKey { pub(crate) fn from_private_evp_pkey(evp_pkey: &LcPtr) -> Result { - let octets = evp_pkey.marshal_raw_public_key()?; + let octets = evp_pkey.as_const().marshal_raw_public_key()?; Ok(Self { evp_pkey: evp_pkey.clone(), octets: octets.into_boxed_slice(), @@ -99,7 +99,7 @@ impl AsDer> for PublicKey { /// # Errors /// Returns an error if the public key fails to marshal to X.509. fn as_der(&self) -> Result, crate::error::Unspecified> { - let der = self.evp_pkey.marshal_rfc5280_public_key()?; + let der = self.evp_pkey.as_const().marshal_rfc5280_public_key()?; Ok(PublicKeyX509Der::from(Buffer::new(der))) } } diff --git a/aws-lc-rs/src/rsa/encoding.rs b/aws-lc-rs/src/rsa/encoding.rs index 11538c87cd9..7e54c53c28f 100644 --- a/aws-lc-rs/src/rsa/encoding.rs +++ b/aws-lc-rs/src/rsa/encoding.rs @@ -21,7 +21,7 @@ pub(in crate::rsa) mod rfc8017 { let mut pubkey_bytes = null_mut::(); let mut outlen: usize = 0; if 1 != unsafe { - RSA_public_key_to_bytes(&mut pubkey_bytes, &mut outlen, *pubkey.get_rsa()?) + RSA_public_key_to_bytes(&mut pubkey_bytes, &mut outlen, *pubkey.as_const().get_rsa()?) } { return Err(Unspecified); } @@ -85,7 +85,7 @@ pub(in crate::rsa) mod rfc5280 { pub(in crate::rsa) fn encode_public_key_der( key: &LcPtr, ) -> Result, Unspecified> { - let der = key.marshal_rfc5280_public_key()?; + let der = key.as_const().marshal_rfc5280_public_key()?; Ok(PublicKeyX509Der::from(Buffer::new(der))) } diff --git a/aws-lc-rs/src/rsa/encryption.rs b/aws-lc-rs/src/rsa/encryption.rs index d31187754e3..3dc58b3316f 100644 --- a/aws-lc-rs/src/rsa/encryption.rs +++ b/aws-lc-rs/src/rsa/encryption.rs @@ -44,7 +44,7 @@ impl PrivateDecryptingKey { if !is_rsa_key(key) { return Err(Unspecified); } - match key.key_size_bits() { + match key.as_const().key_size_bits() { 2048..=8192 => Ok(()), _ => Err(Unspecified), } 
@@ -105,13 +105,13 @@ impl PrivateDecryptingKey { /// Returns the RSA signature size in bytes. #[must_use] pub fn key_size_bytes(&self) -> usize { - self.0.signature_size_bytes() + self.0.as_const().signature_size_bytes() } /// Returns the RSA key size in bits. #[must_use] pub fn key_size_bits(&self) -> usize { - self.0.key_size_bits() + self.0.as_const().key_size_bits() } /// Retrieves the `PublicEncryptingKey` corresponding with this `PrivateDecryptingKey`. @@ -133,7 +133,7 @@ impl Debug for PrivateDecryptingKey { impl AsDer> for PrivateDecryptingKey { fn as_der(&self) -> Result, Unspecified> { Ok(Pkcs8V1Der::new( - self.0.marshal_rfc5208_private_key(Version::V1)?, + self.0.as_const().marshal_rfc5208_private_key(Version::V1)?, )) } } @@ -157,7 +157,7 @@ impl PublicEncryptingKey { if !is_rsa_key(key) { return Err(Unspecified); } - match key.key_size_bits() { + match key.as_const().key_size_bits() { 2048..=8192 => Ok(()), _ => Err(Unspecified), } @@ -174,13 +174,13 @@ impl PublicEncryptingKey { /// Returns the RSA signature size in bytes. #[must_use] pub fn key_size_bytes(&self) -> usize { - self.0.signature_size_bytes() + self.0.as_const().signature_size_bytes() } /// Returns the RSA key size in bits. #[must_use] pub fn key_size_bits(&self) -> usize { - self.0.key_size_bits() + self.0.as_const().key_size_bits() } } diff --git a/aws-lc-rs/src/rsa/key.rs b/aws-lc-rs/src/rsa/key.rs index 9214aeadf55..4649d4b6151 100644 --- a/aws-lc-rs/src/rsa/key.rs +++ b/aws-lc-rs/src/rsa/key.rs @@ -174,7 +174,7 @@ impl KeyPair { if !is_rsa_key(key) { return Err(KeyRejected::unspecified()); } - match key.key_size_bits() { + match key.as_const().key_size_bits() { 2048..=8192 => Ok(()), _ => Err(KeyRejected::unspecified()), } 
@@ -229,7 +229,7 @@ impl KeyPair { #[must_use] pub fn public_modulus_len(&self) -> usize { // This was already validated to be an RSA key so this can't fail - match self.evp_pkey.get_rsa() { + match self.evp_pkey.as_const().get_rsa() { Ok(rsa) => { // https://github.com/awslabs/aws-lc/blob/main/include/openssl/rsa.h#L99 unsafe { RSA_size(*rsa) as usize } @@ -259,7 +259,9 @@ impl crate::signature::KeyPair for KeyPair { impl AsDer> for KeyPair { fn as_der(&self) -> Result, Unspecified> { Ok(Pkcs8V1Der::new( - self.evp_pkey.marshal_rfc5208_private_key(Version::V1)?, + self.evp_pkey + .as_const() + .marshal_rfc5208_private_key(Version::V1)?, )) } } @@ -290,6 +292,7 @@ impl PublicKey { let key = encoding::rfc8017::encode_public_key_der(evp_pkey)?; #[cfg(feature = "ring-io")] { + let evp_pkey = evp_pkey.as_const(); let pubkey = evp_pkey.get_rsa()?; let modulus = pubkey.project_const_lifetime(unsafe { |pubkey| RSA_get0_n(**pubkey) })?; @@ -462,12 +465,13 @@ pub(super) fn generate_rsa_key(size: c_int) -> Result, Unspecifi #[must_use] pub(super) fn is_valid_fips_key(key: &LcPtr) -> bool { // This should always be an RSA key and must-never panic. - let rsa_key = key.get_rsa().expect("RSA EVP_PKEY"); + let evp_pkey = key.as_const(); + let rsa_key = evp_pkey.get_rsa().expect("RSA EVP_PKEY"); 1 == unsafe { RSA_check_fips(*rsa_key as *mut RSA) } } pub(super) fn is_rsa_key(key: &LcPtr) -> bool { - let id = key.id(); + let id = key.as_const().id(); id == EVP_PKEY_RSA || id == EVP_PKEY_RSA_PSS } diff --git a/aws-lc-rs/src/rsa/signature.rs b/aws-lc-rs/src/rsa/signature.rs index d1b18edf78d..164386c5b8f 100644 --- a/aws-lc-rs/src/rsa/signature.rs +++ b/aws-lc-rs/src/rsa/signature.rs 
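Review bot: In rsa/key.rs `is_valid_fips_key`, the comment says the function must never panic, yet `evp_pkey.get_rsa().expect("RSA EVP_PKEY")` panics whenever the key is not RSA. Returning `false` keeps the stated contract: `let Ok(rsa_key) = evp_pkey.get_rsa() else { return false; };`. The next line casts the const pointer back with `*rsa_key as *mut RSA`, which sidesteps the const-ness this commit introduces. It needs a `// SAFETY:` comment stating why `RSA_check_fips` may be called on a shared key; presumably it does not mutate the key, but that should be confirmed against the AWS-LC header.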
@@ -109,7 +109,7 @@ impl RsaParameters { /// `error::Unspecified` on parse error. pub fn public_modulus_len(public_key: &[u8]) -> Result { let rsa = encoding::rfc8017::decode_public_key_der(public_key)?; - Ok(unsafe { RSA_bits(*rsa.get_rsa()?) }) + Ok(unsafe { RSA_bits(*rsa.as_const().get_rsa()?) }) } #[must_use] @@ -222,7 +222,7 @@ pub(crate) fn verify_rsa_signature( signature: &[u8], allowed_bit_size: &RangeInclusive, ) -> Result<(), Unspecified> { - if !allowed_bit_size.contains(&public_key.key_size_bits().try_into()?) { + if !allowed_bit_size.contains(&public_key.as_const().key_size_bits().try_into()?) { return Err(Unspecified); }