use pki types in function that parse der

Author: Tudyx

Cargo.lock

@@ -7,6 +7,8 @@ pem = "3.0.2"
 rand = "0.8"
 ring = "0.17"
 x509-parser = "0.15.1"
+pki-types = { package = "rustls-pki-types", version = "1" }
+rustls-pemfile = "2"
 
 [workspace.package]
 license = "MIT OR Apache-2.0"

Cargo.toml

@@ -33,12 +33,15 @@ pem = { workspace = true, optional = true }
 time = { version = "0.3.6", default-features = false }
 x509-parser = { workspace = true, features = ["verify"], optional = true }
 zeroize = { version = "1.2", optional = true }
+pki-types = { workspace = true }
+rustls-pemfile = { workspace = true, optional = true }
 
 [features]
 default = ["crypto", "pem", "ring"]
 crypto = []
 aws_lc_rs = ["crypto", "dep:aws-lc-rs"]
 ring = ["crypto", "dep:ring"]
+pem = ["dep:rustls-pemfile", "dep:pem"]
 
 
 [package.metadata.docs.rs]
@@ -52,7 +55,6 @@ allowed_external_types = [
 
 [dev-dependencies]
 openssl = "0.10"
-pki-types = { package = "rustls-pki-types", version = "1" }
 x509-parser = { workspace = true, features = ["verify"] }
 rustls-webpki = { version = "0.102", features = ["std"] }
 botan = { version = "0.10", features = ["vendored"] }

rcgen/Cargo.toml

@@ -1,3 +1,5 @@
+use pki_types::PrivatePkcs8KeyDer;
+
 fn main() -> Result<(), Box<dyn std::error::Error>> {
 	use rand::rngs::OsRng;
 	use rsa::pkcs8::EncodePrivateKey;
@@ -16,7 +18,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
 	let bits = 2048;
 	let private_key = RsaPrivateKey::new(&mut rng, bits)?;
 	let private_key_der = private_key.to_pkcs8_der()?;
-	let key_pair = rcgen::KeyPair::try_from(private_key_der.as_bytes()).unwrap();
+	let key_pair = rcgen::KeyPair::from_der(PrivatePkcs8KeyDer::from(private_key_der.as_bytes()))?;
 
 	let cert = Certificate::generate_self_signed(params, &key_pair)?;
 	let pem_serialized = cert.pem();

rcgen/examples/rsa-irc.rs

@@ -1,6 +1,8 @@
 #[cfg(feature = "pem")]
 use pem::Pem;
 #[cfg(feature = "crypto")]
+use pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer};
+#[cfg(feature = "crypto")]
 use std::convert::TryFrom;
 use std::fmt;
 use yasna::DERWriter;
@@ -116,8 +118,8 @@ impl KeyPair {
 	///
 	/// Equivalent to using the [`TryFrom`] implementation.
 	#[cfg(feature = "crypto")]
-	pub fn from_der(der: &[u8]) -> Result<Self, Error> {
-		Ok(der.try_into()?)
+	pub fn from_der<'a>(der: impl Into<PrivateKeyDer<'a>>) -> Result<Self, Error> {
+		der.into().try_into()
 	}
 
 	/// Returns the key pair's signature algorithm
@@ -128,9 +130,12 @@ impl KeyPair {
 	/// Parses the key pair from the ASCII PEM format
 	#[cfg(all(feature = "pem", feature = "crypto"))]
 	pub fn from_pem(pem_str: &str) -> Result<Self, Error> {
-		let private_key = pem::parse(pem_str)._err()?;
-		let private_key_der: &[_] = private_key.contents();
-		Ok(private_key_der.try_into()?)
+		let mut reader = std::io::BufReader::new(pem_str.as_bytes());
+		let private_key = rustls_pemfile::private_key(&mut reader)
+			.ok()
+			.flatten()
+			.ok_or_else(|| Error::CouldNotParseKeyPair)?;
+		private_key.try_into()
 	}
 
 	/// Obtains the key pair from a raw public key and a remote private key
@@ -151,9 +156,12 @@ impl KeyPair {
 		pem_str: &str,
 		alg: &'static SignatureAlgorithm,
 	) -> Result<Self, Error> {
-		let private_key = pem::parse(pem_str)._err()?;
-		let private_key_der: &[_] = private_key.contents();
-		Ok(Self::from_der_and_sign_algo(private_key_der, alg)?)
+		let mut reader = std::io::BufReader::new(pem_str.as_bytes());
+		let private_key = rustls_pemfile::private_key(&mut reader)
+			.ok()
+			.flatten()
+			.ok_or_else(|| Error::CouldNotParseKeyPair)?;
+		Ok(Self::from_der_and_sign_algo(private_key, alg)?)
 	}
 
 	/// Obtains the key pair from a DER formatted key
@@ -166,38 +174,42 @@ impl KeyPair {
 	/// same der key. In that instance, you can use this function to precisely
 	/// specify the `SignatureAlgorithm`.
 	#[cfg(feature = "crypto")]
-	pub fn from_der_and_sign_algo(
-		pkcs8: &[u8],
+	pub fn from_der_and_sign_algo<'a>(
+		der: impl Into<PrivateKeyDer<'a>>,
 		alg: &'static SignatureAlgorithm,
 	) -> Result<Self, Error> {
 		let rng = &SystemRandom::new();
-		let pkcs8_vec = pkcs8.to_vec();
+		let pkcs8_vec = match &der.into() {
+			PrivateKeyDer::Pkcs8(private_key) => Ok(private_key.secret_pkcs8_der()),
+			_ => Err(Error::CouldNotParseKeyPair),
+		}?
+		.to_vec();
 
 		let kind = if alg == &PKCS_ED25519 {
-			KeyPairKind::Ed(Ed25519KeyPair::from_pkcs8_maybe_unchecked(pkcs8)._err()?)
+			KeyPairKind::Ed(Ed25519KeyPair::from_pkcs8_maybe_unchecked(&pkcs8_vec)._err()?)
 		} else if alg == &PKCS_ECDSA_P256_SHA256 {
 			KeyPairKind::Ec(ecdsa_from_pkcs8(
 				&signature::ECDSA_P256_SHA256_ASN1_SIGNING,
-				pkcs8,
+				&pkcs8_vec,
 				rng,
 			)?)
 		} else if alg == &PKCS_ECDSA_P384_SHA384 {
 			KeyPairKind::Ec(ecdsa_from_pkcs8(
 				&signature::ECDSA_P384_SHA384_ASN1_SIGNING,
-				pkcs8,
+				&pkcs8_vec,
 				rng,
 			)?)
 		} else if alg == &PKCS_RSA_SHA256 {
-			let rsakp = RsaKeyPair::from_pkcs8(pkcs8)._err()?;
+			let rsakp = RsaKeyPair::from_pkcs8(&pkcs8_vec)._err()?;
 			KeyPairKind::Rsa(rsakp, &signature::RSA_PKCS1_SHA256)
 		} else if alg == &PKCS_RSA_SHA384 {
-			let rsakp = RsaKeyPair::from_pkcs8(pkcs8)._err()?;
+			let rsakp = RsaKeyPair::from_pkcs8(&pkcs8_vec)._err()?;
 			KeyPairKind::Rsa(rsakp, &signature::RSA_PKCS1_SHA384)
 		} else if alg == &PKCS_RSA_SHA512 {
-			let rsakp = RsaKeyPair::from_pkcs8(pkcs8)._err()?;
+			let rsakp = RsaKeyPair::from_pkcs8(&pkcs8_vec)._err()?;
 			KeyPairKind::Rsa(rsakp, &signature::RSA_PKCS1_SHA512)
 		} else if alg == &PKCS_RSA_PSS_SHA256 {
-			let rsakp = RsaKeyPair::from_pkcs8(pkcs8)._err()?;
+			let rsakp = RsaKeyPair::from_pkcs8(&pkcs8_vec)._err()?;
 			KeyPairKind::Rsa(rsakp, &signature::RSA_PSS_SHA256)
 		} else {
 			panic!("Unknown SignatureAlgorithm specified!");
@@ -212,8 +224,9 @@ impl KeyPair {
 
 	#[cfg(feature = "crypto")]
 	pub(crate) fn from_raw(
-		pkcs8: &[u8],
+		pkcs8: &PrivatePkcs8KeyDer,
 	) -> Result<(KeyPairKind, &'static SignatureAlgorithm), Error> {
+		let pkcs8 = pkcs8.secret_pkcs8_der();
 		let rng = SystemRandom::new();
 		let (kind, alg) = if let Ok(edkp) = Ed25519KeyPair::from_pkcs8_maybe_unchecked(pkcs8) {
 			(KeyPairKind::Ed(edkp), &PKCS_ED25519)
@@ -352,29 +365,18 @@ impl KeyPair {
 }
 
 #[cfg(feature = "crypto")]
-impl TryFrom<&[u8]> for KeyPair {
-	type Error = Error;
-
-	fn try_from(pkcs8: &[u8]) -> Result<KeyPair, Error> {
-		let (kind, alg) = KeyPair::from_raw(pkcs8)?;
-		Ok(KeyPair {
-			kind,
-			alg,
-			serialized_der: pkcs8.to_vec(),
-		})
-	}
-}
-
-#[cfg(feature = "crypto")]
-impl TryFrom<Vec<u8>> for KeyPair {
+impl TryFrom<PrivateKeyDer<'_>> for KeyPair {
 	type Error = Error;
 
-	fn try_from(pkcs8: Vec<u8>) -> Result<KeyPair, Error> {
-		let (kind, alg) = KeyPair::from_raw(pkcs8.as_slice())?;
+	fn try_from(private_key: PrivateKeyDer) -> Result<KeyPair, Error> {
+		let (kind, alg) = match &private_key {
+			PrivateKeyDer::Pkcs8(private_key) => KeyPair::from_raw(private_key),
+			_ => Err(Error::CouldNotParseKeyPair),
+		}?;
 		Ok(KeyPair {
 			kind,
 			alg,
-			serialized_der: pkcs8,
+			serialized_der: private_key.secret_der().to_vec(),
 		})
 	}
 }

rcgen/src/key_pair.rs

@@ -12,6 +12,7 @@ bpaf = { version = "0.9.5", features = ["derive"] }
 pem = { workspace = true }
 ring = { workspace = true }
 rand = { workspace = true }
+pki-types = { workspace = true }
 anyhow = "1.0.75"
 
 [dev-dependencies]

rustls-cert-gen/Cargo.toml

@@ -1,4 +1,5 @@
 use bpaf::Bpaf;
+use pki_types::PrivatePkcs8KeyDer;
 use rcgen::{
 	BasicConstraints, Certificate, CertificateParams, DistinguishedName, DnType,
 	DnValue::PrintableString, ExtendedKeyUsagePurpose, IsCa, KeyPair, KeyUsagePurpose, SanType,
@@ -232,8 +233,10 @@ impl KeyPairAlgorithm {
 				let alg = &rcgen::PKCS_ED25519;
 				let pkcs8_bytes =
 					Ed25519KeyPair::generate_pkcs8(&rng).or(Err(rcgen::Error::RingUnspecified))?;
-
-				rcgen::KeyPair::from_der_and_sign_algo(pkcs8_bytes.as_ref(), alg)
+				rcgen::KeyPair::from_der_and_sign_algo(
+					PrivatePkcs8KeyDer::from(pkcs8_bytes.as_ref()),
+					alg,
+				)
 			},
 			KeyPairAlgorithm::EcdsaP256 => {
 				use ring::signature::EcdsaKeyPair;
@@ -244,7 +247,10 @@ impl KeyPairAlgorithm {
 				let pkcs8_bytes =
 					EcdsaKeyPair::generate_pkcs8(&ECDSA_P256_SHA256_ASN1_SIGNING, &rng)
 						.or(Err(rcgen::Error::RingUnspecified))?;
-				rcgen::KeyPair::from_der_and_sign_algo(pkcs8_bytes.as_ref(), alg)
+				rcgen::KeyPair::from_der_and_sign_algo(
+					PrivatePkcs8KeyDer::from(pkcs8_bytes.as_ref()),
+					alg,
+				)
 			},
 			KeyPairAlgorithm::EcdsaP384 => {
 				use ring::signature::EcdsaKeyPair;
@@ -256,7 +262,10 @@ impl KeyPairAlgorithm {
 					EcdsaKeyPair::generate_pkcs8(&ECDSA_P384_SHA384_ASN1_SIGNING, &rng)
 						.or(Err(rcgen::Error::RingUnspecified))?;
 
-				rcgen::KeyPair::from_der_and_sign_algo(pkcs8_bytes.as_ref(), alg)
+				rcgen::KeyPair::from_der_and_sign_algo(
+					PrivatePkcs8KeyDer::from(pkcs8_bytes.as_ref()),
+					alg,
+				)
 			},
 		}
 	}