Expose randomness source for KeyPair::generate

rustls · Oct 27, 2022 · 5ddb2c0 · 5ddb2c0
1 parent 5a8a654
commit 5ddb2c0
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 8 deletions.
diff --git a/src/lib.rs b/src/lib.rs
@@ -1335,14 +1335,17 @@ fn write_general_subtrees(writer :DERWriter, tag :u64, general_subtrees :&[Gener
 
 impl Certificate {
 	/// Generates a new certificate from the given parameters
+	///
+	/// This function will generate a random (using `ring`'s [`SystemRandom`]) [`KeyPair`] if none is provided in the [`CertificateParams`].
+	/// If you need to control the [`KeyPair`], set it ahead of time before calling this function.
 	pub fn from_params(mut params :CertificateParams) -> Result<Self, RcgenError> {
 		let key_pair = if let Some(key_pair) = params.key_pair.take() {
 			if !key_pair.is_compatible(&params.alg) {
 				return Err(RcgenError::CertificateKeyPairMismatch);
 			}
 			key_pair
 		} else {
-			KeyPair::generate(&params.alg)?
+			KeyPair::generate(&params.alg, &SystemRandom::new())?
 		};
 
 		Ok(Certificate {
@@ -1715,22 +1718,21 @@ impl From<pem::PemError> for RcgenError {
 
 impl KeyPair {
 	/// Generate a new random key pair for the specified signature algorithm
-	pub fn generate(alg :&'static SignatureAlgorithm) -> Result<Self, RcgenError> {
-		let system_random = SystemRandom::new();
+	pub fn generate(alg :&'static SignatureAlgorithm, rng: &dyn SecureRandom) -> Result<Self, RcgenError> {
 		match alg.sign_alg {
 			SignAlgo::EcDsa(sign_alg) => {
-				let key_pair_doc = EcdsaKeyPair::generate_pkcs8(sign_alg, &system_random)?;
+				let key_pair_doc = EcdsaKeyPair::generate_pkcs8(sign_alg, rng)?;
 				let key_pair_serialized = key_pair_doc.as_ref().to_vec();
 
-				let key_pair = EcdsaKeyPair::from_pkcs8(&sign_alg, &&key_pair_doc.as_ref(), &system_random).unwrap();
+				let key_pair = EcdsaKeyPair::from_pkcs8(&sign_alg, &&key_pair_doc.as_ref(), rng).unwrap();
 				Ok(KeyPair {
 					kind : KeyPairKind::Ec(key_pair),
 					alg,
 					serialized_der : key_pair_serialized,
 				})
 			},
 			SignAlgo::EdDsa(_sign_alg) => {
-				let key_pair_doc = Ed25519KeyPair::generate_pkcs8(&system_random)?;
+				let key_pair_doc = Ed25519KeyPair::generate_pkcs8(rng)?;
 				let key_pair_serialized = key_pair_doc.as_ref().to_vec();
 
 				let key_pair = Ed25519KeyPair::from_pkcs8(&&key_pair_doc.as_ref()).unwrap();

diff --git a/tests/generic.rs b/tests/generic.rs
@@ -31,7 +31,7 @@ fn test_key_params_mismatch() {
 
 			let mut wrong_params = util::default_params();
 			if i != 0 {
-				wrong_params.key_pair = Some(KeyPair::generate(kalg_1).unwrap());
+				wrong_params.key_pair = Some(KeyPair::generate(kalg_1, &ring::rand::SystemRandom::new()).unwrap());
 			} else {
 				let kp = KeyPair::from_pem(util::RSA_TEST_KEY_PAIR_PEM, &ring::rand::SystemRandom::new()).unwrap();
 				wrong_params.key_pair = Some(kp);

diff --git a/tests/webpki.rs b/tests/webpki.rs
@@ -271,7 +271,7 @@ fn from_remote() {
 		}
 	}
 
-	let key_pair = KeyPair::generate(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap();
+	let key_pair = KeyPair::generate(&rcgen::PKCS_ECDSA_P256_SHA256, &SystemRandom::new()).unwrap();
 	let remote = EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, &key_pair.serialize_der(), &SystemRandom::new()).unwrap();
 	let key_pair = EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, &key_pair.serialize_der(), &SystemRandom::new()).unwrap();
 	let remote = KeyPair::from_remote(Box::new(Remote(remote))).unwrap();