From d1158afb3efc8d9ed20d4805f68836214355c1d4 Mon Sep 17 00:00:00 2001 From: Thomas Eizinger Date: Thu, 27 Oct 2022 11:42:46 +1100 Subject: [PATCH 1/8] Allow owned and borrowed data being passed into `from_raw` --- src/lib.rs | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index f1f9a8dd..d27a1a6c 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -30,6 +30,7 @@ println!("{}", cert.serialize_private_key_pem()); #![deny(missing_docs)] #![allow(clippy::complexity, clippy::style, clippy::pedantic)] +use std::borrow::Cow; use yasna::Tag; use yasna::models::ObjectIdentifier; #[cfg(feature = "pem")] @@ -1559,14 +1560,16 @@ impl KeyPair { }) } - fn from_raw(pkcs8: &[u8]) -> Result<(KeyPairKind, &'static SignatureAlgorithm), RcgenError> { - let (kind, alg) = if let Ok(edkp) = Ed25519KeyPair::from_pkcs8_maybe_unchecked(pkcs8) { + fn from_raw<'b>(pkcs8: impl Into>) -> Result<(KeyPairKind, &'static SignatureAlgorithm), RcgenError> { + let pkcs8 = pkcs8.into(); + + let (kind, alg) = if let Ok(edkp) = Ed25519KeyPair::from_pkcs8_maybe_unchecked(&pkcs8) { (KeyPairKind::Ed(edkp), &PKCS_ED25519) - } else if let Ok(eckp) = EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, pkcs8) { + } else if let Ok(eckp) = EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, &pkcs8) { (KeyPairKind::Ec(eckp), &PKCS_ECDSA_P256_SHA256) - } else if let Ok(eckp) = EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P384_SHA384_ASN1_SIGNING, pkcs8) { + } else if let Ok(eckp) = EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P384_SHA384_ASN1_SIGNING, &pkcs8) { (KeyPairKind::Ec(eckp), &PKCS_ECDSA_P384_SHA384) - } else if let Ok(rsakp) = RsaKeyPair::from_pkcs8(pkcs8) { + } else if let Ok(rsakp) = RsaKeyPair::from_pkcs8(&pkcs8) { (KeyPairKind::Rsa(rsakp, &signature::RSA_PKCS1_SHA256), &PKCS_RSA_SHA256) } else { return Err(RcgenError::CouldNotParseKeyPair); From 0dc49c2bff7c9fcaa6cc5cfc4a73f735f6e2e121 Mon Sep 17 00:00:00 2001 From: Thomas Eizinger Date: Thu, 27 Oct 2022 11:44:46 +1100 Subject: [PATCH 2/8] Remove duplication from `TryFrom` impl --- src/lib.rs | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index d27a1a6c..ad6284fb 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1560,7 +1560,7 @@ impl KeyPair { }) } - fn from_raw<'b>(pkcs8: impl Into>) -> Result<(KeyPairKind, &'static SignatureAlgorithm), RcgenError> { + fn from_raw<'b>(pkcs8: impl Into>) -> Result { let pkcs8 = pkcs8.into(); let (kind, alg) = if let Ok(edkp) = Ed25519KeyPair::from_pkcs8_maybe_unchecked(&pkcs8) { @@ -1574,7 +1574,12 @@ impl KeyPair { } else { return Err(RcgenError::CouldNotParseKeyPair); }; - Ok((kind, alg)) + + Ok(KeyPair { + kind, + alg, + serialized_der : pkcs8.into_owned(), + }) } } @@ -1690,12 +1695,7 @@ impl TryFrom<&[u8]> for KeyPair { type Error = RcgenError; fn try_from(pkcs8: &[u8]) -> Result { - let (kind, alg) = KeyPair::from_raw(pkcs8)?; - Ok(KeyPair { - kind, - alg, - serialized_der: pkcs8.to_vec(), - }) + KeyPair::from_raw(pkcs8) } } @@ -1703,12 +1703,7 @@ impl TryFrom> for KeyPair { type Error = RcgenError; fn try_from(pkcs8: Vec) -> Result { - let (kind, alg) = KeyPair::from_raw(pkcs8.as_slice())?; - Ok(KeyPair { - kind, - alg, - serialized_der: pkcs8, - }) + KeyPair::from_raw(pkcs8) } } From 35235140438e6821a28eb8e90d771b55f4050a3e Mon Sep 17 00:00:00 2001 From: Thomas Eizinger Date: Thu, 27 Oct 2022 11:48:42 +1100 Subject: [PATCH 3/8] Remove `TryFrom` implementations --- CHANGELOG.md | 4 +++ examples/rsa-irc.rs | 3 +- src/lib.rs | 70 ++++++++++++++++----------------------------- tests/botan.rs | 8 ++---- tests/webpki.rs | 6 ++-- 5 files changed, 35 insertions(+), 56 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 05dedee6..60ffd689 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,10 @@ # Changes +## Unreleased + +- Remove `TryFrom<[u8]>` and `TryFrom>` for `KeyPair` in favor of allowing `KeyPair::from_der` to take `impl Into>` which allows `Vec` as well as `[u8]`. + ## Release 0.10.0 - September 29, 2022 - Update x509-parser to 0.14. diff --git a/examples/rsa-irc.rs b/examples/rsa-irc.rs index ab69ba30..88f48b76 100644 --- a/examples/rsa-irc.rs +++ b/examples/rsa-irc.rs @@ -7,7 +7,6 @@ use rand::rngs::OsRng; use rcgen::{Certificate, CertificateParams, DistinguishedName, date_time_ymd}; use std::fs; -use std::convert::TryFrom; fn main() -> Result<(), Box> { let mut params :CertificateParams = Default::default(); @@ -21,7 +20,7 @@ fn main() -> Result<(), Box> { let bits = 2048; let private_key = RsaPrivateKey::new(&mut rng, bits)?; let private_key_der = private_key.to_pkcs8_der()?; - let key_pair = rcgen::KeyPair::try_from(private_key_der.as_ref()).unwrap(); + let key_pair = rcgen::KeyPair::from_der(private_key_der.as_ref()).unwrap(); params.key_pair = Some(key_pair); let cert = Certificate::from_params(params)?; diff --git a/src/lib.rs b/src/lib.rs index ad6284fb..5e32c11f 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1480,20 +1480,38 @@ pub struct KeyPair { } impl KeyPair { - /// Parses the key pair from the DER format - /// - /// Equivalent to using the [`TryFrom`] implementation. - pub fn from_der(der :&[u8]) -> Result { - Ok(der.try_into()?) + /// Parses the key pair from the DER format. + pub fn from_der<'b>(pkcs8: impl Into>) -> Result { + let pkcs8 = pkcs8.into(); + + let (kind, alg) = if let Ok(edkp) = Ed25519KeyPair::from_pkcs8_maybe_unchecked(&pkcs8) { + (KeyPairKind::Ed(edkp), &PKCS_ED25519) + } else if let Ok(eckp) = EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, &pkcs8) { + (KeyPairKind::Ec(eckp), &PKCS_ECDSA_P256_SHA256) + } else if let Ok(eckp) = EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P384_SHA384_ASN1_SIGNING, &pkcs8) { + (KeyPairKind::Ec(eckp), &PKCS_ECDSA_P384_SHA384) + } else if let Ok(rsakp) = RsaKeyPair::from_pkcs8(&pkcs8) { + (KeyPairKind::Rsa(rsakp, &signature::RSA_PKCS1_SHA256), &PKCS_RSA_SHA256) + } else { + return Err(RcgenError::CouldNotParseKeyPair); + }; + + Ok(KeyPair { + kind, + alg, + serialized_der : pkcs8.into_owned(), + }) } + /// Parses the key pair from the ASCII PEM format /// /// *This constructor is only available if rcgen is built with the "pem" feature* #[cfg(feature = "pem")] pub fn from_pem(pem_str :&str) -> Result { let private_key = pem::parse(pem_str)?; - let private_key_der :&[_] = &private_key.contents; - Ok(private_key_der.try_into()?) + let key_pair = KeyPair::from_der(&private_key.contents)?; + + Ok(key_pair) } /// Obtains the key pair from a raw public key and a remote private key @@ -1559,28 +1577,6 @@ impl KeyPair { serialized_der : pkcs8_vec, }) } - - fn from_raw<'b>(pkcs8: impl Into>) -> Result { - let pkcs8 = pkcs8.into(); - - let (kind, alg) = if let Ok(edkp) = Ed25519KeyPair::from_pkcs8_maybe_unchecked(&pkcs8) { - (KeyPairKind::Ed(edkp), &PKCS_ED25519) - } else if let Ok(eckp) = EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, &pkcs8) { - (KeyPairKind::Ec(eckp), &PKCS_ECDSA_P256_SHA256) - } else if let Ok(eckp) = EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P384_SHA384_ASN1_SIGNING, &pkcs8) { - (KeyPairKind::Ec(eckp), &PKCS_ECDSA_P384_SHA384) - } else if let Ok(rsakp) = RsaKeyPair::from_pkcs8(&pkcs8) { - (KeyPairKind::Rsa(rsakp, &signature::RSA_PKCS1_SHA256), &PKCS_RSA_SHA256) - } else { - return Err(RcgenError::CouldNotParseKeyPair); - }; - - Ok(KeyPair { - kind, - alg, - serialized_der : pkcs8.into_owned(), - }) - } } /// A private key that is not directly accessible, but can be used to sign messages @@ -1691,22 +1687,6 @@ impl From for RcgenError { } } -impl TryFrom<&[u8]> for KeyPair { - type Error = RcgenError; - - fn try_from(pkcs8: &[u8]) -> Result { - KeyPair::from_raw(pkcs8) - } -} - -impl TryFrom> for KeyPair { - type Error = RcgenError; - - fn try_from(pkcs8: Vec) -> Result { - KeyPair::from_raw(pkcs8) - } -} - impl KeyPair { /// Generate a new random key pair for the specified signature algorithm pub fn generate(alg :&'static SignatureAlgorithm) -> Result { diff --git a/tests/botan.rs b/tests/botan.rs index 00a96e71..2edb964f 100644 --- a/tests/botan.rs +++ b/tests/botan.rs @@ -1,6 +1,6 @@ #[cfg(feature = "x509-parser")] use rcgen::DnValue; -use rcgen::{BasicConstraints, Certificate, CertificateParams, DnType, IsCa}; +use rcgen::{BasicConstraints, Certificate, CertificateParams, DnType, IsCa, KeyPair}; mod util; @@ -151,14 +151,13 @@ fn test_botan_separate_ca() { #[cfg(feature = "x509-parser")] #[test] fn test_botan_imported_ca() { - use std::convert::TryInto; let mut params = default_params(); params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained); let ca_cert = Certificate::from_params(params).unwrap(); let (ca_cert_der, ca_key_der) = (ca_cert.serialize_der().unwrap(), ca_cert.serialize_private_key_der()); - let ca_key_pair = ca_key_der.as_slice().try_into().unwrap(); + let ca_key_pair = KeyPair::from_der(ca_key_der).unwrap(); let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der.as_slice(), ca_key_pair) .unwrap(); let imported_ca_cert = Certificate::from_params(imported_ca_cert_params).unwrap(); @@ -177,7 +176,6 @@ fn test_botan_imported_ca() { #[cfg(feature = "x509-parser")] #[test] fn test_botan_imported_ca_with_printable_string() { - use std::convert::TryInto; let mut params = default_params(); params.distinguished_name.push(DnType::CountryName, DnValue::PrintableString("US".to_string())); params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained); @@ -185,7 +183,7 @@ fn test_botan_imported_ca_with_printable_string() { let (ca_cert_der, ca_key_der) = (ca_cert.serialize_der().unwrap(), ca_cert.serialize_private_key_der()); - let ca_key_pair = ca_key_der.as_slice().try_into().unwrap(); + let ca_key_pair = KeyPair::from_der(ca_key_der).unwrap(); let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der.as_slice(), ca_key_pair) .unwrap(); let imported_ca_cert = Certificate::from_params(imported_ca_cert_params).unwrap(); diff --git a/tests/webpki.rs b/tests/webpki.rs index 75762c92..1f487678 100644 --- a/tests/webpki.rs +++ b/tests/webpki.rs @@ -333,14 +333,13 @@ fn test_webpki_separate_ca_name_constraints() { #[cfg(feature = "x509-parser")] #[test] fn test_webpki_imported_ca() { - use std::convert::TryInto; let mut params = util::default_params(); params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained); let ca_cert = Certificate::from_params(params).unwrap(); let (ca_cert_der, ca_key_der) = (ca_cert.serialize_der().unwrap(), ca_cert.serialize_private_key_der()); - let ca_key_pair = ca_key_der.as_slice().try_into().unwrap(); + let ca_key_pair = KeyPair::from_der(ca_key_der).unwrap(); let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der.as_slice(), ca_key_pair) .unwrap(); let imported_ca_cert = Certificate::from_params(imported_ca_cert_params).unwrap(); @@ -360,7 +359,6 @@ fn test_webpki_imported_ca() { #[cfg(feature = "x509-parser")] #[test] fn test_webpki_imported_ca_with_printable_string() { - use std::convert::TryInto; let mut params = util::default_params(); params.distinguished_name.push(DnType::CountryName, DnValue::PrintableString("US".to_string())); params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained); @@ -368,7 +366,7 @@ fn test_webpki_imported_ca_with_printable_string() { let (ca_cert_der, ca_key_der) = (ca_cert.serialize_der().unwrap(), ca_cert.serialize_private_key_der()); - let ca_key_pair = ca_key_der.as_slice().try_into().unwrap(); + let ca_key_pair = KeyPair::from_der(ca_key_der).unwrap(); let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der.as_slice(), ca_key_pair) .unwrap(); let imported_ca_cert = Certificate::from_params(imported_ca_cert_params).unwrap(); From c8cecf3eb3f917d6a85c0317b4a8a85040003e4f Mon Sep 17 00:00:00 2001 From: Thomas Eizinger Date: Thu, 27 Oct 2022 12:03:33 +1100 Subject: [PATCH 4/8] Use `std::error::Error::source` instead of embedding `Display` When possible, we should always delegate to the source error and have other utilities on top generate chains of the `Display`s. --- src/lib.rs | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index 5e32c11f..dc802c49 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1660,13 +1660,35 @@ impl fmt::Display for RcgenError { Time => write!(f, "Time error")?, RemoteKeyError => write!(f, "Remote key error")?, #[cfg(feature = "pem")] - PemError(e) => write!(f, "PEM error: {}", e)?, + PemError(_) => write!(f, "PEM error")?, }; Ok(()) } } -impl Error for RcgenError {} +impl Error for RcgenError { + fn source(&self) -> Option<&(dyn Error + 'static)> { + match self { + #[cfg(feature = "pem")] + RcgenError::PemError(inner) => Some(inner), + RcgenError::RingKeyRejected(_) => None, + RcgenError::CouldNotParseCertificate => None, + RcgenError::CouldNotParseCertificationRequest => None, + RcgenError::CouldNotParseKeyPair => None, + #[cfg(feature = "x509-parser")] + RcgenError::InvalidNameType => None, + RcgenError::InvalidIpAddressOctetLength(_) => None, + RcgenError::KeyGenerationUnavailable => None, + #[cfg(feature = "x509-parser")] + RcgenError::UnsupportedExtension => None, + RcgenError::UnsupportedSignatureAlgorithm => None, + RcgenError::RingUnspecified => None, + RcgenError::CertificateKeyPairMismatch => None, + RcgenError::Time => None, + RcgenError::RemoteKeyError => None, + } + } +} impl From for RcgenError { fn from(_unspecified :ring::error::Unspecified) -> Self { From 7e5cd5e180b5a6918053786fdb74868d3b6a6daf Mon Sep 17 00:00:00 2001 From: Thomas Eizinger Date: Thu, 27 Oct 2022 12:04:24 +1100 Subject: [PATCH 5/8] Migrate `RcgenError::RingKeyRejected` to `String` This avoids depending on the deprecated `description_` function. --- src/lib.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index dc802c49..da43e5fb 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1620,7 +1620,7 @@ pub enum RcgenError { /// Unspecified `ring` error RingUnspecified, /// The `ring` library rejected the key upon loading - RingKeyRejected(&'static str), + RingKeyRejected(String), // TODO: Change this to `ring::error::KeyRejected` once it implements `PartialEq`. /// The provided certificate's signature algorithm /// is incompatible with the given key pair CertificateKeyPairMismatch, @@ -1653,7 +1653,7 @@ impl fmt::Display for RcgenError { #[cfg(feature = "x509-parser")] UnsupportedExtension => write!(f, "Unsupported extension requested in CSR")?, RingUnspecified => write!(f, "Unspecified ring error")?, - RingKeyRejected(e) => write!(f, "Key rejected by ring: {}", e)?, + RingKeyRejected(reason) => write!(f, "Key rejected by ring: {}", reason)?, CertificateKeyPairMismatch => write!(f, "The provided certificate's signature \ algorithm is incompatible with the given key pair")?, @@ -1698,7 +1698,7 @@ impl From for RcgenError { impl From for RcgenError { fn from(err :ring::error::KeyRejected) -> Self { - RcgenError::RingKeyRejected(err.description_()) + RcgenError::RingKeyRejected(err.to_string()) } } From 5a8a65457b016a603ba12cbd991c6dccd2436530 Mon Sep 17 00:00:00 2001 From: Thomas Eizinger Date: Thu, 27 Oct 2022 12:09:47 +1100 Subject: [PATCH 6/8] Upgrade to latest `ring` --- Cargo.lock | 39 ++++++++++++++++++++++++++------ Cargo.toml | 2 +- examples/rsa-irc-openssl.rs | 2 +- examples/rsa-irc.rs | 2 +- src/lib.rs | 44 ++++++++++++++++++++----------------- tests/botan.rs | 16 ++++++++------ tests/generic.rs | 2 +- tests/openssl.rs | 8 +++---- tests/webpki.rs | 28 +++++++++++------------ 9 files changed, 87 insertions(+), 56 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index f923b6e3..2571d008 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -255,7 +255,7 @@ version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" dependencies = [ - "spin", + "spin 0.5.2", ] [[package]] @@ -530,7 +530,7 @@ dependencies = [ "openssl", "pem", "rand", - "ring", + "ring 0.17.0-not-released-yet", "rsa", "time", "webpki", @@ -548,12 +548,25 @@ dependencies = [ "cc", "libc", "once_cell", - "spin", - "untrusted", + "spin 0.5.2", + "untrusted 0.7.1", "web-sys", "winapi", ] +[[package]] +name = "ring" +version = "0.17.0-not-released-yet" +source = "git+https://github.com/briansmith/ring#00fc3f35f3ed9e91fdb6b1e97226dc45cfe2c8f5" +dependencies = [ + "cc", + "libc", + "once_cell", + "spin 0.9.4", + "untrusted 0.9.0", + "winapi", +] + [[package]] name = "rsa" version = "0.6.1" @@ -595,6 +608,12 @@ version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" +[[package]] +name = "spin" +version = "0.9.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7f6002a767bff9e83f8eeecf883ecb8011875a21ae8da43bffb817a57e78cc09" + [[package]] name = "spki" version = "0.5.4" @@ -690,6 +709,12 @@ version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" +[[package]] +name = "untrusted" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" + [[package]] name = "vcpkg" version = "0.2.15" @@ -778,8 +803,8 @@ version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd" dependencies = [ - "ring", - "untrusted", + "ring 0.16.20", + "untrusted 0.7.1", ] [[package]] @@ -817,7 +842,7 @@ dependencies = [ "lazy_static", "nom", "oid-registry", - "ring", + "ring 0.16.20", "rusticata-macros", "thiserror", "time", diff --git a/Cargo.toml b/Cargo.toml index a376d35e..ab1b90b2 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -21,7 +21,7 @@ required-features = ["pem"] [dependencies] yasna = { version = "0.5", features = ["time", "std"] } -ring = "0.16" +ring = { git = "https://github.com/briansmith/ring" } pem = { version = "1.0", optional = true } time = { version = "0.3.6", default-features = false } x509-parser = { version = "0.14", features = ["verify"], optional = true } diff --git a/examples/rsa-irc-openssl.rs b/examples/rsa-irc-openssl.rs index 8a2b8df5..e24cd2d3 100644 --- a/examples/rsa-irc-openssl.rs +++ b/examples/rsa-irc-openssl.rs @@ -15,7 +15,7 @@ fn main() -> Result<(), Box> { let pkey :openssl::pkey::PKey<_> = openssl::rsa::Rsa::generate(2048)?.try_into()?; let key_pair_pem = String::from_utf8(pkey.private_key_to_pem_pkcs8()?)?; - let key_pair = rcgen::KeyPair::from_pem(&key_pair_pem)?; + let key_pair = rcgen::KeyPair::from_pem(&key_pair_pem, &ring::rand::SystemRandom::new())?; params.key_pair = Some(key_pair); let cert = Certificate::from_params(params)?; diff --git a/examples/rsa-irc.rs b/examples/rsa-irc.rs index 88f48b76..45740677 100644 --- a/examples/rsa-irc.rs +++ b/examples/rsa-irc.rs @@ -20,7 +20,7 @@ fn main() -> Result<(), Box> { let bits = 2048; let private_key = RsaPrivateKey::new(&mut rng, bits)?; let private_key_der = private_key.to_pkcs8_der()?; - let key_pair = rcgen::KeyPair::from_der(private_key_der.as_ref()).unwrap(); + let key_pair = rcgen::KeyPair::from_der(private_key_der.as_ref(), &ring::rand::SystemRandom::new()).unwrap(); params.key_pair = Some(key_pair); let cert = Certificate::from_params(params)?; diff --git a/src/lib.rs b/src/lib.rs index da43e5fb..1d003ea8 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -37,8 +37,9 @@ use yasna::models::ObjectIdentifier; use pem::Pem; use std::convert::TryInto; use ring::digest; -use ring::signature::{EcdsaKeyPair, Ed25519KeyPair, RsaKeyPair, RsaEncoding}; -use ring::rand::SystemRandom; +use ring::rsa; +use ring::signature::{EcdsaKeyPair, Ed25519KeyPair, RsaEncoding}; +use ring::rand::{SecureRandom, SystemRandom}; use ring::signature::KeyPair as RingKeyPair; use ring::signature::{self, EcdsaSigningAlgorithm, EdDSAParameters}; use yasna::DERWriter; @@ -1449,7 +1450,7 @@ enum KeyPairKind { /// A Ed25519 key pair Ed(Ed25519KeyPair), /// A RSA key pair - Rsa(RsaKeyPair, &'static dyn RsaEncoding), + Rsa(rsa::KeyPair, &'static dyn RsaEncoding), /// A remote key pair Remote(Box), } @@ -1481,16 +1482,18 @@ pub struct KeyPair { impl KeyPair { /// Parses the key pair from the DER format. - pub fn from_der<'b>(pkcs8: impl Into>) -> Result { + /// + /// The required randomness is only used in the case of an ECDSA keypair. + pub fn from_der<'b>(pkcs8: impl Into>, rng: &dyn SecureRandom) -> Result { let pkcs8 = pkcs8.into(); let (kind, alg) = if let Ok(edkp) = Ed25519KeyPair::from_pkcs8_maybe_unchecked(&pkcs8) { (KeyPairKind::Ed(edkp), &PKCS_ED25519) - } else if let Ok(eckp) = EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, &pkcs8) { + } else if let Ok(eckp) = EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, &pkcs8, rng) { (KeyPairKind::Ec(eckp), &PKCS_ECDSA_P256_SHA256) - } else if let Ok(eckp) = EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P384_SHA384_ASN1_SIGNING, &pkcs8) { + } else if let Ok(eckp) = EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P384_SHA384_ASN1_SIGNING, &pkcs8, rng) { (KeyPairKind::Ec(eckp), &PKCS_ECDSA_P384_SHA384) - } else if let Ok(rsakp) = RsaKeyPair::from_pkcs8(&pkcs8) { + } else if let Ok(rsakp) = rsa::KeyPair::from_pkcs8(&pkcs8) { (KeyPairKind::Rsa(rsakp, &signature::RSA_PKCS1_SHA256), &PKCS_RSA_SHA256) } else { return Err(RcgenError::CouldNotParseKeyPair); @@ -1505,11 +1508,12 @@ impl KeyPair { /// Parses the key pair from the ASCII PEM format /// + /// The required randomness is only used in the case of an ECDSA keypair. /// *This constructor is only available if rcgen is built with the "pem" feature* #[cfg(feature = "pem")] - pub fn from_pem(pem_str :&str) -> Result { + pub fn from_pem(pem_str :&str, rng: &dyn SecureRandom) -> Result { let private_key = pem::parse(pem_str)?; - let key_pair = KeyPair::from_der(&private_key.contents)?; + let key_pair = KeyPair::from_der(&private_key.contents, rng)?; Ok(key_pair) } @@ -1531,10 +1535,10 @@ impl KeyPair { /// /// *This constructor is only available if rcgen is built with the "pem" feature* #[cfg(feature = "pem")] - pub fn from_pem_and_sign_algo(pem_str :&str, alg :&'static SignatureAlgorithm) -> Result { + pub fn from_pem_and_sign_algo(pem_str :&str, alg :&'static SignatureAlgorithm, rng: &dyn SecureRandom) -> Result { let private_key = pem::parse(pem_str)?; let private_key_der :&[_] = &private_key.contents; - Ok(Self::from_der_and_sign_algo(private_key_der, alg)?) + Ok(Self::from_der_and_sign_algo(private_key_der, alg, rng)?) } /// Obtains the key pair from a DER formatted key @@ -1546,26 +1550,26 @@ impl KeyPair { /// key pair. However sometimes multiple signature algorithms fit for the /// same der key. In that instance, you can use this function to precisely /// specify the `SignatureAlgorithm`. - pub fn from_der_and_sign_algo(pkcs8 :&[u8], alg :&'static SignatureAlgorithm) -> Result { + pub fn from_der_and_sign_algo(pkcs8 :&[u8], alg :&'static SignatureAlgorithm, rng: &dyn SecureRandom) -> Result { let pkcs8_vec = pkcs8.to_vec(); let kind = if alg == &PKCS_ED25519 { KeyPairKind::Ed(Ed25519KeyPair::from_pkcs8_maybe_unchecked(pkcs8)?) } else if alg == &PKCS_ECDSA_P256_SHA256 { - KeyPairKind::Ec(EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, pkcs8)?) + KeyPairKind::Ec(EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, pkcs8, rng)?) } else if alg == &PKCS_ECDSA_P384_SHA384 { - KeyPairKind::Ec(EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P384_SHA384_ASN1_SIGNING, pkcs8)?) + KeyPairKind::Ec(EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P384_SHA384_ASN1_SIGNING, pkcs8, rng)?) } else if alg == &PKCS_RSA_SHA256 { - let rsakp = RsaKeyPair::from_pkcs8(pkcs8)?; + let rsakp = rsa::KeyPair::from_pkcs8(pkcs8)?; KeyPairKind::Rsa(rsakp, &signature::RSA_PKCS1_SHA256) } else if alg == &PKCS_RSA_SHA384 { - let rsakp = RsaKeyPair::from_pkcs8(pkcs8)?; + let rsakp = rsa::KeyPair::from_pkcs8(pkcs8)?; KeyPairKind::Rsa(rsakp, &signature::RSA_PKCS1_SHA384) } else if alg == &PKCS_RSA_SHA512 { - let rsakp = RsaKeyPair::from_pkcs8(pkcs8)?; + let rsakp = rsa::KeyPair::from_pkcs8(pkcs8)?; KeyPairKind::Rsa(rsakp, &signature::RSA_PKCS1_SHA512) } else if alg == &PKCS_RSA_PSS_SHA256 { - let rsakp = RsaKeyPair::from_pkcs8(pkcs8)?; + let rsakp = rsa::KeyPair::from_pkcs8(pkcs8)?; KeyPairKind::Rsa(rsakp, &signature::RSA_PSS_SHA256) } else { panic!("Unknown SignatureAlgorithm specified!"); @@ -1718,7 +1722,7 @@ impl KeyPair { let key_pair_doc = EcdsaKeyPair::generate_pkcs8(sign_alg, &system_random)?; let key_pair_serialized = key_pair_doc.as_ref().to_vec(); - let key_pair = EcdsaKeyPair::from_pkcs8(&sign_alg, &&key_pair_doc.as_ref()).unwrap(); + let key_pair = EcdsaKeyPair::from_pkcs8(&sign_alg, &&key_pair_doc.as_ref(), &system_random).unwrap(); Ok(KeyPair { kind : KeyPairKind::Ec(key_pair), alg, @@ -1775,7 +1779,7 @@ impl KeyPair { }, KeyPairKind::Rsa(kp, padding_alg) => { let system_random = SystemRandom::new(); - let mut signature = vec![0; kp.public_modulus_len()]; + let mut signature = vec![0; kp.public().modulus_len()]; kp.sign(*padding_alg, &system_random, msg, &mut signature)?; let sig = &signature.as_ref(); diff --git a/tests/botan.rs b/tests/botan.rs index 2edb964f..3e4396e2 100644 --- a/tests/botan.rs +++ b/tests/botan.rs @@ -1,6 +1,8 @@ #[cfg(feature = "x509-parser")] -use rcgen::DnValue; -use rcgen::{BasicConstraints, Certificate, CertificateParams, DnType, IsCa, KeyPair}; +use ring::rand::SystemRandom; +#[cfg(feature = "x509-parser")] +use rcgen::{DnValue, KeyPair}; +use rcgen::{BasicConstraints, Certificate, CertificateParams, DnType, IsCa}; mod util; @@ -85,7 +87,7 @@ fn test_botan_25519_v1_given() { let mut params = default_params(); params.alg = &rcgen::PKCS_ED25519; - let kp = rcgen::KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V1).unwrap(); + let kp = rcgen::KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V1, &ring::rand::SystemRandom::new()).unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); @@ -101,7 +103,7 @@ fn test_botan_25519_v2_given() { let mut params = default_params(); params.alg = &rcgen::PKCS_ED25519; - let kp = rcgen::KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V2).unwrap(); + let kp = rcgen::KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V2, &ring::rand::SystemRandom::new()).unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); @@ -117,7 +119,7 @@ fn test_botan_rsa_given() { let mut params = default_params(); params.alg = &rcgen::PKCS_RSA_SHA256; - let kp = rcgen::KeyPair::from_pem(util::RSA_TEST_KEY_PAIR_PEM).unwrap(); + let kp = rcgen::KeyPair::from_pem(util::RSA_TEST_KEY_PAIR_PEM, &ring::rand::SystemRandom::new()).unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); @@ -157,7 +159,7 @@ fn test_botan_imported_ca() { let (ca_cert_der, ca_key_der) = (ca_cert.serialize_der().unwrap(), ca_cert.serialize_private_key_der()); - let ca_key_pair = KeyPair::from_der(ca_key_der).unwrap(); + let ca_key_pair = KeyPair::from_der(ca_key_der, &SystemRandom::new()).unwrap(); let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der.as_slice(), ca_key_pair) .unwrap(); let imported_ca_cert = Certificate::from_params(imported_ca_cert_params).unwrap(); @@ -183,7 +185,7 @@ fn test_botan_imported_ca_with_printable_string() { let (ca_cert_der, ca_key_der) = (ca_cert.serialize_der().unwrap(), ca_cert.serialize_private_key_der()); - let ca_key_pair = KeyPair::from_der(ca_key_der).unwrap(); + let ca_key_pair = KeyPair::from_der(ca_key_der, &SystemRandom::new()).unwrap(); let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der.as_slice(), ca_key_pair) .unwrap(); let imported_ca_cert = Certificate::from_params(imported_ca_cert_params).unwrap(); diff --git a/tests/generic.rs b/tests/generic.rs index 18c0334e..c8008ad4 100644 --- a/tests/generic.rs +++ b/tests/generic.rs @@ -33,7 +33,7 @@ fn test_key_params_mismatch() { if i != 0 { wrong_params.key_pair = Some(KeyPair::generate(kalg_1).unwrap()); } else { - let kp = KeyPair::from_pem(util::RSA_TEST_KEY_PAIR_PEM).unwrap(); + let kp = KeyPair::from_pem(util::RSA_TEST_KEY_PAIR_PEM, &ring::rand::SystemRandom::new()).unwrap(); wrong_params.key_pair = Some(kp); } wrong_params.alg = *kalg_2; diff --git a/tests/openssl.rs b/tests/openssl.rs index bd8ac6ce..cdab5a4a 100644 --- a/tests/openssl.rs +++ b/tests/openssl.rs @@ -227,7 +227,7 @@ fn test_openssl_25519_v1_given() { let mut params = util::default_params(); params.alg = &rcgen::PKCS_ED25519; - let kp = rcgen::KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V1).unwrap(); + let kp = rcgen::KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V1, &ring::rand::SystemRandom::new()).unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); @@ -248,7 +248,7 @@ fn test_openssl_25519_v2_given() { let mut params = util::default_params(); params.alg = &rcgen::PKCS_ED25519; - let kp = rcgen::KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V2).unwrap(); + let kp = rcgen::KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V2, &ring::rand::SystemRandom::new()).unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); @@ -266,7 +266,7 @@ fn test_openssl_rsa_given() { let mut params = util::default_params(); params.alg = &rcgen::PKCS_RSA_SHA256; - let kp = rcgen::KeyPair::from_pem(util::RSA_TEST_KEY_PAIR_PEM).unwrap(); + let kp = rcgen::KeyPair::from_pem(util::RSA_TEST_KEY_PAIR_PEM, &ring::rand::SystemRandom::new()).unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); @@ -288,7 +288,7 @@ fn test_openssl_rsa_combinations_given() { let mut params = util::default_params(); params.alg = alg; - let kp = rcgen::KeyPair::from_pem_and_sign_algo(util::RSA_TEST_KEY_PAIR_PEM, alg).unwrap(); + let kp = rcgen::KeyPair::from_pem_and_sign_algo(util::RSA_TEST_KEY_PAIR_PEM, alg, &ring::rand::SystemRandom::new()).unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); diff --git a/tests/webpki.rs b/tests/webpki.rs index 1f487678..8cdf0ac8 100644 --- a/tests/webpki.rs +++ b/tests/webpki.rs @@ -5,9 +5,9 @@ use webpki::{EndEntityCert, TlsServerTrustAnchors, TrustAnchor}; use webpki::SignatureAlgorithm; use webpki::{Time, DnsNameRef}; -use ring::{rand::SystemRandom}; +use ring::{rand::SystemRandom, rsa}; use ring::signature::{self, EcdsaKeyPair, EcdsaSigningAlgorithm, - Ed25519KeyPair, KeyPair as _, RsaEncoding, RsaKeyPair}; + Ed25519KeyPair, KeyPair as _, RsaEncoding}; use std::convert::TryFrom; @@ -15,7 +15,7 @@ mod util; fn sign_msg_ecdsa(cert :&Certificate, msg :&[u8], alg :&'static EcdsaSigningAlgorithm) -> Vec { let pk_der = cert.serialize_private_key_der(); - let key_pair = EcdsaKeyPair::from_pkcs8(&alg, &pk_der).unwrap(); + let key_pair = EcdsaKeyPair::from_pkcs8(&alg, &pk_der, &SystemRandom::new()).unwrap(); let system_random = SystemRandom::new(); let signature = key_pair.sign(&system_random, &msg).unwrap(); signature.as_ref().to_vec() @@ -30,9 +30,9 @@ fn sign_msg_ed25519(cert :&Certificate, msg :&[u8]) -> Vec { fn sign_msg_rsa(cert :&Certificate, msg :&[u8], encoding :&'static dyn RsaEncoding) -> Vec { let pk_der = cert.serialize_private_key_der(); - let key_pair = RsaKeyPair::from_pkcs8(&pk_der).unwrap(); + let key_pair = rsa::KeyPair::from_pkcs8(&pk_der).unwrap(); let system_random = SystemRandom::new(); - let mut signature = vec![0; key_pair.public_modulus_len()]; + let mut signature = vec![0; key_pair.public().modulus_len()]; key_pair.sign(encoding, &system_random, &msg, &mut signature).unwrap(); signature @@ -140,7 +140,7 @@ fn test_webpki_25519_v1_given() { let mut params = util::default_params(); params.alg = &rcgen::PKCS_ED25519; - let kp = rcgen::KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V1).unwrap(); + let kp = KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V1, &SystemRandom::new()).unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); @@ -156,7 +156,7 @@ fn test_webpki_25519_v2_given() { let mut params = util::default_params(); params.alg = &rcgen::PKCS_ED25519; - let kp = rcgen::KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V2).unwrap(); + let kp = KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V2, &SystemRandom::new()).unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); @@ -172,7 +172,7 @@ fn test_webpki_rsa_given() { let mut params = util::default_params(); params.alg = &rcgen::PKCS_RSA_SHA256; - let kp = rcgen::KeyPair::from_pem(util::RSA_TEST_KEY_PAIR_PEM).unwrap(); + let kp = KeyPair::from_pem(util::RSA_TEST_KEY_PAIR_PEM, &SystemRandom::new()).unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); @@ -186,7 +186,7 @@ fn test_webpki_rsa_given() { #[test] fn test_webpki_rsa_combinations_given() { - let configs :&[(_, _, &'static dyn signature::RsaEncoding)] = &[ + let configs :&[(_, _, &'static dyn RsaEncoding)] = &[ (&rcgen::PKCS_RSA_SHA256, &webpki::RSA_PKCS1_2048_8192_SHA256, &signature::RSA_PKCS1_SHA256), (&rcgen::PKCS_RSA_SHA384, &webpki::RSA_PKCS1_2048_8192_SHA384, &signature::RSA_PKCS1_SHA384), (&rcgen::PKCS_RSA_SHA512, &webpki::RSA_PKCS1_2048_8192_SHA512, &signature::RSA_PKCS1_SHA512), @@ -195,7 +195,7 @@ fn test_webpki_rsa_combinations_given() { for c in configs { let mut params = util::default_params(); params.alg = c.0; - let kp = rcgen::KeyPair::from_pem_and_sign_algo(util::RSA_TEST_KEY_PAIR_PEM, c.0).unwrap(); + let kp = KeyPair::from_pem_and_sign_algo(util::RSA_TEST_KEY_PAIR_PEM, c.0, &SystemRandom::new()).unwrap(); params.key_pair = Some(kp); let cert = Certificate::from_params(params).unwrap(); @@ -272,8 +272,8 @@ fn from_remote() { } let key_pair = KeyPair::generate(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap(); - let remote = EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, &key_pair.serialize_der()).unwrap(); - let key_pair = EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, &key_pair.serialize_der()).unwrap(); + let remote = EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, &key_pair.serialize_der(), &SystemRandom::new()).unwrap(); + let key_pair = EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, &key_pair.serialize_der(), &SystemRandom::new()).unwrap(); let remote = KeyPair::from_remote(Box::new(Remote(remote))).unwrap(); let mut params = util::default_params(); @@ -339,7 +339,7 @@ fn test_webpki_imported_ca() { let (ca_cert_der, ca_key_der) = (ca_cert.serialize_der().unwrap(), ca_cert.serialize_private_key_der()); - let ca_key_pair = KeyPair::from_der(ca_key_der).unwrap(); + let ca_key_pair = KeyPair::from_der(ca_key_der, &SystemRandom::new()).unwrap(); let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der.as_slice(), ca_key_pair) .unwrap(); let imported_ca_cert = Certificate::from_params(imported_ca_cert_params).unwrap(); @@ -366,7 +366,7 @@ fn test_webpki_imported_ca_with_printable_string() { let (ca_cert_der, ca_key_der) = (ca_cert.serialize_der().unwrap(), ca_cert.serialize_private_key_der()); - let ca_key_pair = KeyPair::from_der(ca_key_der).unwrap(); + let ca_key_pair = KeyPair::from_der(ca_key_der, &SystemRandom::new()).unwrap(); let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der.as_slice(), ca_key_pair) .unwrap(); let imported_ca_cert = Certificate::from_params(imported_ca_cert_params).unwrap(); From 5ddb2c0a8a184f6c74e674bf0859508c5d78a365 Mon Sep 17 00:00:00 2001 From: Thomas Eizinger Date: Thu, 27 Oct 2022 12:19:06 +1100 Subject: [PATCH 7/8] Expose randomness source for `KeyPair::generate` --- src/lib.rs | 14 ++++++++------ tests/generic.rs | 2 +- tests/webpki.rs | 2 +- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index 1d003ea8..2966d31c 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1335,6 +1335,9 @@ fn write_general_subtrees(writer :DERWriter, tag :u64, general_subtrees :&[Gener impl Certificate { /// Generates a new certificate from the given parameters + /// + /// This function will generate a random (using `ring`'s [`SystemRandom`]) [`KeyPair`] if none is provided in the [`CertificateParams`]. + /// If you need to control the [`KeyPair`], set it ahead of time before calling this function. pub fn from_params(mut params :CertificateParams) -> Result { let key_pair = if let Some(key_pair) = params.key_pair.take() { if !key_pair.is_compatible(¶ms.alg) { @@ -1342,7 +1345,7 @@ impl Certificate { } key_pair } else { - KeyPair::generate(¶ms.alg)? + KeyPair::generate(¶ms.alg, &SystemRandom::new())? }; Ok(Certificate { @@ -1715,14 +1718,13 @@ impl From for RcgenError { impl KeyPair { /// Generate a new random key pair for the specified signature algorithm - pub fn generate(alg :&'static SignatureAlgorithm) -> Result { - let system_random = SystemRandom::new(); + pub fn generate(alg :&'static SignatureAlgorithm, rng: &dyn SecureRandom) -> Result { match alg.sign_alg { SignAlgo::EcDsa(sign_alg) => { - let key_pair_doc = EcdsaKeyPair::generate_pkcs8(sign_alg, &system_random)?; + let key_pair_doc = EcdsaKeyPair::generate_pkcs8(sign_alg, rng)?; let key_pair_serialized = key_pair_doc.as_ref().to_vec(); - let key_pair = EcdsaKeyPair::from_pkcs8(&sign_alg, &&key_pair_doc.as_ref(), &system_random).unwrap(); + let key_pair = EcdsaKeyPair::from_pkcs8(&sign_alg, &&key_pair_doc.as_ref(), rng).unwrap(); Ok(KeyPair { kind : KeyPairKind::Ec(key_pair), alg, @@ -1730,7 +1732,7 @@ impl KeyPair { }) }, SignAlgo::EdDsa(_sign_alg) => { - let key_pair_doc = Ed25519KeyPair::generate_pkcs8(&system_random)?; + let key_pair_doc = Ed25519KeyPair::generate_pkcs8(rng)?; let key_pair_serialized = key_pair_doc.as_ref().to_vec(); let key_pair = Ed25519KeyPair::from_pkcs8(&&key_pair_doc.as_ref()).unwrap(); diff --git a/tests/generic.rs b/tests/generic.rs index c8008ad4..2d195cde 100644 --- a/tests/generic.rs +++ b/tests/generic.rs @@ -31,7 +31,7 @@ fn test_key_params_mismatch() { let mut wrong_params = util::default_params(); if i != 0 { - wrong_params.key_pair = Some(KeyPair::generate(kalg_1).unwrap()); + wrong_params.key_pair = Some(KeyPair::generate(kalg_1, &ring::rand::SystemRandom::new()).unwrap()); } else { let kp = KeyPair::from_pem(util::RSA_TEST_KEY_PAIR_PEM, &ring::rand::SystemRandom::new()).unwrap(); wrong_params.key_pair = Some(kp); diff --git a/tests/webpki.rs b/tests/webpki.rs index 8cdf0ac8..4439c617 100644 --- a/tests/webpki.rs +++ b/tests/webpki.rs @@ -271,7 +271,7 @@ fn from_remote() { } } - let key_pair = KeyPair::generate(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap(); + let key_pair = KeyPair::generate(&rcgen::PKCS_ECDSA_P256_SHA256, &SystemRandom::new()).unwrap(); let remote = EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, &key_pair.serialize_der(), &SystemRandom::new()).unwrap(); let key_pair = EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, &key_pair.serialize_der(), &SystemRandom::new()).unwrap(); let remote = KeyPair::from_remote(Box::new(Remote(remote))).unwrap(); From 5ded8eb1fd4ec52ac90bf93c35419b625a9ef292 Mon Sep 17 00:00:00 2001 From: Thomas Eizinger Date: Thu, 27 Oct 2022 12:19:12 +1100 Subject: [PATCH 8/8] Update changelog --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 60ffd689..dd937c30 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ ## Unreleased - Remove `TryFrom<[u8]>` and `TryFrom>` for `KeyPair` in favor of allowing `KeyPair::from_der` to take `impl Into>` which allows `Vec` as well as `[u8]`. +- Add `ring::rand::SecureRandom` parameter to: + - `KeyPair::generate` + - `KeyPair::from_der` + - `KeyPair::from_der_and_sign_algo` + - `KeyPair::from_pem` + - `KeyPair::from_pem_and_sign_algo` ## Release 0.10.0 - September 29, 2022