Feature to build with(out) cryptographic primitives

Author: corrideat

rcgen/Cargo.toml

@@ -31,9 +31,10 @@ x509-parser = { workspace = true, features = ["verify"], optional = true }
 zeroize = { version = "1.2", optional = true }
 
 [features]
-default = ["pem", "ring"]
-aws_lc_rs = ["dep:aws-lc-rs"]
-ring = ["dep:ring"]
+default = ["crypto", "pem", "ring"]
+crypto = []
+aws_lc_rs = ["crypto", "dep:aws-lc-rs"]
+ring = ["crypto", "dep:ring"]
 
 
 [package.metadata.docs.rs]

rcgen/src/error.rs

@@ -43,6 +43,9 @@ pub enum Error {
 	InvalidCrlNextUpdate,
 	/// CRL issuer specifies Key Usages that don't include cRLSign.
 	IssuerNotCrlSigner,
+	#[cfg(not(feature = "crypto"))]
+	/// Missing serial number
+	MissingSerialNumber,
 }
 
 impl fmt::Display for Error {
@@ -91,6 +94,8 @@ impl fmt::Display for Error {
 				f,
 				"CRL issuer must specify no key usage, or key usage including cRLSign"
 			)?,
+			#[cfg(not(feature = "crypto"))]
+			MissingSerialNumber => write!(f, "A serial number must be specified")?,
 		};
 		Ok(())
 	}

rcgen/src/key_pair.rs

@@ -1,30 +1,38 @@
 #[cfg(feature = "pem")]
 use pem::Pem;
+#[cfg(feature = "crypto")]
 use std::convert::TryFrom;
 use std::fmt;
 use yasna::DERWriter;
 
+#[cfg(any(feature = "crypto", feature = "pem"))]
 use crate::error::ExternalError;
-use crate::ring_like::error as ring_error;
-use crate::ring_like::rand::SystemRandom;
-use crate::ring_like::signature::{
-	self, EcdsaKeyPair, Ed25519KeyPair, KeyPair as RingKeyPair, RsaEncoding, RsaKeyPair,
+#[cfg(feature = "crypto")]
+use crate::ring_like::{
+	error as ring_error,
+	rand::SystemRandom,
+	signature::{
+		self, EcdsaKeyPair, Ed25519KeyPair, KeyPair as RingKeyPair, RsaEncoding, RsaKeyPair,
+	},
+	{ecdsa_from_pkcs8, rsa_key_pair_public_modulus_len},
 };
-use crate::ring_like::{ecdsa_from_pkcs8, rsa_key_pair_public_modulus_len};
-use crate::sign_algo::algo::*;
-use crate::sign_algo::SignAlgo;
+#[cfg(feature = "crypto")]
+use crate::sign_algo::{algo::*, SignAlgo};
 #[cfg(feature = "pem")]
 use crate::ENCODE_CONFIG;
-use crate::{Error, SignatureAlgorithm};
+use crate::{sign_algo::SignatureAlgorithm, Error};
 
 /// A key pair variant
 #[allow(clippy::large_enum_variant)]
 pub(crate) enum KeyPairKind {
 	/// A Ecdsa key pair
+	#[cfg(feature = "crypto")]
 	Ec(EcdsaKeyPair),
 	/// A Ed25519 key pair
+	#[cfg(feature = "crypto")]
 	Ed(Ed25519KeyPair),
 	/// A RSA key pair
+	#[cfg(feature = "crypto")]
 	Rsa(RsaKeyPair, &'static dyn RsaEncoding),
 	/// A remote key pair
 	Remote(Box<dyn RemoteKeyPair + Send + Sync>),
@@ -33,8 +41,11 @@ pub(crate) enum KeyPairKind {
 impl fmt::Debug for KeyPairKind {
 	fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
 		match self {
+			#[cfg(feature = "crypto")]
 			Self::Ec(key_pair) => write!(f, "{:?}", key_pair),
+			#[cfg(feature = "crypto")]
 			Self::Ed(key_pair) => write!(f, "{:?}", key_pair),
+			#[cfg(feature = "crypto")]
 			Self::Rsa(key_pair, _) => write!(f, "{:?}", key_pair),
 			Self::Remote(_) => write!(f, "Box<dyn RemotePrivateKey>"),
 		}
@@ -59,6 +70,7 @@ impl KeyPair {
 	/// Parses the key pair from the DER format
 	///
 	/// Equivalent to using the [`TryFrom`] implementation.
+	#[cfg(feature = "crypto")]
 	pub fn from_der(der: &[u8]) -> Result<Self, Error> {
 		Ok(der.try_into()?)
 	}
@@ -69,7 +81,7 @@ impl KeyPair {
 	}
 
 	/// Parses the key pair from the ASCII PEM format
-	#[cfg(feature = "pem")]
+	#[cfg(all(feature = "pem", feature = "crypto"))]
 	pub fn from_pem(pem_str: &str) -> Result<Self, Error> {
 		let private_key = pem::parse(pem_str)._err()?;
 		let private_key_der: &[_] = private_key.contents();
@@ -89,7 +101,7 @@ impl KeyPair {
 	/// using the specified [`SignatureAlgorithm`]
 	///
 	/// Same as [from_pem_and_sign_algo](Self::from_pem_and_sign_algo).
-	#[cfg(feature = "pem")]
+	#[cfg(all(feature = "pem", feature = "crypto"))]
 	pub fn from_pem_and_sign_algo(
 		pem_str: &str,
 		alg: &'static SignatureAlgorithm,
@@ -108,6 +120,7 @@ impl KeyPair {
 	/// key pair. However, sometimes multiple signature algorithms fit for the
 	/// same der key. In that instance, you can use this function to precisely
 	/// specify the `SignatureAlgorithm`.
+	#[cfg(feature = "crypto")]
 	pub fn from_der_and_sign_algo(
 		pkcs8: &[u8],
 		alg: &'static SignatureAlgorithm,
@@ -152,6 +165,7 @@ impl KeyPair {
 		})
 	}
 
+	#[cfg(feature = "crypto")]
 	pub(crate) fn from_raw(
 		pkcs8: &[u8],
 	) -> Result<(KeyPairKind, &'static SignatureAlgorithm), Error> {
@@ -178,6 +192,7 @@ impl KeyPair {
 	}
 
 	/// Generate a new random key pair for the specified signature algorithm
+	#[cfg(feature = "crypto")]
 	pub fn generate(alg: &'static SignatureAlgorithm) -> Result<Self, Error> {
 		let rng = &SystemRandom::new();
 
@@ -227,10 +242,22 @@ impl KeyPair {
 				return Err(Error::CertificateKeyPairMismatch)
 			},
 			Some(kp) => Ok(kp),
-			None => KeyPair::generate(sig_alg),
+			None => {
+				if cfg!(not(feature = "crypto")) {
+					return Err(Error::KeyGenerationUnavailable);
+				} else {
+					KeyPair::generate(sig_alg)
+				}
+			},
 		}
 	}
 
+	/// Generate a new random key pair for the specified signature algorithm
+	#[cfg(not(feature = "crypto"))]
+	pub fn generate(_alg: &'static SignatureAlgorithm) -> Result<Self, Error> {
+		Err(Error::KeyGenerationUnavailable)
+	}
+
 	/// Get the raw public key of this key pair
 	///
 	/// The key is in raw format, as how [`ring::signature::KeyPair::public_key`]
@@ -253,17 +280,20 @@ impl KeyPair {
 
 	pub(crate) fn sign(&self, msg: &[u8], writer: DERWriter) -> Result<(), Error> {
 		match &self.kind {
+			#[cfg(feature = "crypto")]
 			KeyPairKind::Ec(kp) => {
 				let system_random = SystemRandom::new();
 				let signature = kp.sign(&system_random, msg)._err()?;
 				let sig = &signature.as_ref();
 				writer.write_bitvec_bytes(&sig, &sig.len() * 8);
 			},
+			#[cfg(feature = "crypto")]
 			KeyPairKind::Ed(kp) => {
 				let signature = kp.sign(msg);
 				let sig = &signature.as_ref();
 				writer.write_bitvec_bytes(&sig, &sig.len() * 8);
 			},
+			#[cfg(feature = "crypto")]
 			KeyPairKind::Rsa(kp, padding_alg) => {
 				let system_random = SystemRandom::new();
 				let mut signature = vec![0; rsa_key_pair_public_modulus_len(kp)];
@@ -303,6 +333,7 @@ impl KeyPair {
 	///
 	/// Panics if called on a remote key pair.
 	pub fn serialize_der(&self) -> Vec<u8> {
+		#[cfg_attr(not(feature = "crypto"), allow(irrefutable_let_patterns))]
 		if let KeyPairKind::Remote(_) = self.kind {
 			panic!("Serializing a remote key pair is not supported")
 		}
@@ -315,6 +346,7 @@ impl KeyPair {
 	///
 	/// Panics if called on a remote key pair.
 	pub fn serialized_der(&self) -> &[u8] {
+		#[cfg_attr(not(feature = "crypto"), allow(irrefutable_let_patterns))]
 		if let KeyPairKind::Remote(_) = self.kind {
 			panic!("Serializing a remote key pair is not supported")
 		}
@@ -324,6 +356,7 @@ impl KeyPair {
 
 	/// Access the remote key pair if it is a remote one
 	pub fn as_remote(&self) -> Option<&(dyn RemoteKeyPair + Send + Sync)> {
+		#[cfg_attr(not(feature = "crypto"), allow(irrefutable_let_patterns))]
 		if let KeyPairKind::Remote(remote) = &self.kind {
 			Some(remote.as_ref())
 		} else {
@@ -340,6 +373,7 @@ impl KeyPair {
 	}
 }
 
+#[cfg(feature = "crypto")]
 impl TryFrom<&[u8]> for KeyPair {
 	type Error = Error;
 
@@ -353,6 +387,7 @@ impl TryFrom<&[u8]> for KeyPair {
 	}
 }
 
+#[cfg(feature = "crypto")]
 impl TryFrom<Vec<u8>> for KeyPair {
 	type Error = Error;
 
@@ -372,8 +407,11 @@ impl PublicKeyData for KeyPair {
 	}
 	fn raw_bytes(&self) -> &[u8] {
 		match &self.kind {
+			#[cfg(feature = "crypto")]
 			KeyPairKind::Ec(kp) => kp.public_key().as_ref(),
+			#[cfg(feature = "crypto")]
 			KeyPairKind::Ed(kp) => kp.public_key().as_ref(),
+			#[cfg(feature = "crypto")]
 			KeyPairKind::Rsa(kp, _) => kp.public_key().as_ref(),
 			KeyPairKind::Remote(kp) => kp.public_key(),
 		}
@@ -395,12 +433,14 @@ pub trait RemoteKeyPair {
 	fn algorithm(&self) -> &'static SignatureAlgorithm;
 }
 
+#[cfg(feature = "crypto")]
 impl<T> ExternalError<T> for Result<T, ring_error::KeyRejected> {
 	fn _err(self) -> Result<T, Error> {
 		self.map_err(|e| Error::RingKeyRejected(e.to_string()))
 	}
 }
 
+#[cfg(feature = "crypto")]
 impl<T> ExternalError<T> for Result<T, ring_error::Unspecified> {
 	fn _err(self) -> Result<T, Error> {
 		self.map_err(|_| Error::RingUnspecified)

rcgen/src/lib.rs

@@ -35,6 +35,7 @@ println!("{}", key_pair.serialize_pem());
 
 #[cfg(feature = "pem")]
 use pem::Pem;
+#[cfg(feature = "crypto")]
 use ring_like::digest;
 use std::collections::HashMap;
 use std::convert::TryFrom;
@@ -552,6 +553,7 @@ pub struct CertificateParams {
 
 impl Default for CertificateParams {
 	fn default() -> Self {
+		use crate::sign_algo::algo::*;
 		// not_before and not_after set to reasonably long dates
 		let not_before = date_time_ymd(1975, 01, 01);
 		let not_after = date_time_ymd(4096, 01, 01);
@@ -572,7 +574,10 @@ impl Default for CertificateParams {
 			custom_extensions: Vec::new(),
 			key_pair: None,
 			use_authority_key_identifier_extension: false,
+			#[cfg(feature = "crypto")]
 			key_identifier_method: KeyIdMethod::Sha256,
+			#[cfg(not(feature = "crypto"))]
+			key_identifier_method: KeyIdMethod::PreSpecified(Vec::new()),
 		}
 	}
 }
@@ -965,11 +970,18 @@ impl CertificateParams {
 			if let Some(ref serial) = self.serial_number {
 				writer.next().write_bigint_bytes(serial.as_ref(), true);
 			} else {
-				let hash = digest::digest(&digest::SHA256, pub_key.raw_bytes());
-				// RFC 5280 specifies at most 20 bytes for a serial number
-				let mut sl = hash.as_ref()[0..20].to_vec();
-				sl[0] = sl[0] & 0x7f; // MSB must be 0 to ensure encoding bignum in 20 bytes
-				writer.next().write_bigint_bytes(&sl, true);
+				#[cfg(feature = "crypto")]
+				{
+					let hash = digest::digest(&digest::SHA256, pub_key.raw_bytes());
+					// RFC 5280 specifies at most 20 bytes for a serial number
+					let mut sl = hash.as_ref()[0..20].to_vec();
+					sl[0] = sl[0] & 0x7f; // MSB must be 0 to ensure encoding bignum in 20 bytes
+					writer.next().write_bigint_bytes(&sl, true);
+				}
+				#[cfg(not(feature = "crypto"))]
+				if self.serial_number.is_none() {
+					return Err(Error::MissingSerialNumber);
+				}
 			};
 			// Write signature algorithm
 			sig_alg.write_alg_ident(writer.next());
@@ -1172,7 +1184,6 @@ impl CertificateParams {
 			Ok(())
 		})
 	}
-
 	fn serialize_der_with_signer<K: PublicKeyData>(
 		&self,
 		pub_key: &K,
@@ -1370,10 +1381,13 @@ impl CustomExtension {
 #[non_exhaustive]
 pub enum KeyIdMethod {
 	/// RFC 7093 method 1 - a truncated SHA256 digest.
+	#[cfg(feature = "crypto")]
 	Sha256,
 	/// RFC 7093 method 2 - a truncated SHA384 digest.
+	#[cfg(feature = "crypto")]
 	Sha384,
 	/// RFC 7093 method 3 - a truncated SHA512 digest.
+	#[cfg(feature = "crypto")]
 	Sha512,
 	/// Pre-specified identifier. The exact given value is used as the key identifier.
 	PreSpecified(Vec<u8>),
@@ -1389,15 +1403,21 @@ impl KeyIdMethod {
 	/// X.509v3 extensions.
 	pub(crate) fn derive(&self, subject_public_key_info: impl AsRef<[u8]>) -> Vec<u8> {
 		let digest_method = match &self {
+			#[cfg(feature = "crypto")]
 			Self::Sha256 => &digest::SHA256,
+			#[cfg(feature = "crypto")]
 			Self::Sha384 => &digest::SHA384,
+			#[cfg(feature = "crypto")]
 			Self::Sha512 => &digest::SHA512,
 			Self::PreSpecified(b) => {
 				return b.to_vec();
 			},
 		};
-		let digest = digest::digest(digest_method, subject_public_key_info.as_ref());
-		digest.as_ref()[0..20].to_vec()
+		#[cfg(feature = "crypto")]
+		{
+			let digest = digest::digest(digest_method, subject_public_key_info.as_ref());
+			digest.as_ref()[0..20].to_vec()
+		}
 	}
 }
 

rcgen/src/ring_like.rs

@@ -1,12 +1,15 @@
-#[cfg(feature = "ring")]
+#[cfg(all(feature = "crypto", feature = "ring"))]
 pub(crate) use ring::*;
 
-#[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+#[cfg(all(feature = "crypto", not(feature = "ring"), feature = "aws_lc_rs"))]
 pub(crate) use aws_lc_rs::*;
 
+#[cfg(feature = "crypto")]
 use crate::error::ExternalError;
+#[cfg(feature = "crypto")]
 use crate::Error;
 
+#[cfg(feature = "crypto")]
 pub(crate) fn ecdsa_from_pkcs8(
 	alg: &'static signature::EcdsaSigningAlgorithm,
 	pkcs8: &[u8],
@@ -23,6 +26,7 @@ pub(crate) fn ecdsa_from_pkcs8(
 	}
 }
 
+#[cfg(feature = "crypto")]
 pub(crate) fn rsa_key_pair_public_modulus_len(kp: &signature::RsaKeyPair) -> usize {
 	#[cfg(feature = "ring")]
 	{
@@ -35,5 +39,5 @@ pub(crate) fn rsa_key_pair_public_modulus_len(kp: &signature::RsaKeyPair) -> usi
 	}
 }
 
-#[cfg(not(any(feature = "ring", feature = "aws_lc_rs")))]
-compile_error!("At least one of the 'ring' or 'aws_lc_rs' features must be activated");
+#[cfg(all(feature = "crypto", not(any(feature = "ring", feature = "aws_lc_rs"))))]
+compile_error!("At least one of the 'ring' or 'aws_lc_rs' features must be activated when the 'crypto' feature is enabled");