feat: add signer impl

- Add crate `rustls-mbedtls-provider-utils`
- Add signer impl

Author: Taowyoo

Cargo.lock

@@ -1,4 +1,9 @@
 [workspace]
-members = ["examples","rustls-mbedcrypto-provider", "rustls-mbedpki-provider"]
+members = [
+    "examples",
+    "rustls-mbedcrypto-provider",
+    "rustls-mbedpki-provider",
+    "rustls-mbedtls-provider-utils",
+]
 default-members = ["rustls-mbedcrypto-provider", "rustls-mbedpki-provider"]
 resolver = "2"

Cargo.toml

@@ -17,6 +17,10 @@ mbedtls = { version = "0.12.0-alpha.2", default-features = false, features = [
     "std",
 ] }
 log = { version = "0.4.4", optional = true }
+pki-types = { package = "rustls-pki-types", version = "0.2.1", features = [
+    "std",
+] }
+utils = { package = "rustls-mbedtls-provider-utils", path = "../rustls-mbedtls-provider-utils", version = "0.1.0-alpha.1" }
 
 [target.'cfg(target_env = "msvc")'.dependencies]
 # mbedtls need feature `time` to build when targeting msvc
@@ -33,7 +37,6 @@ webpki = { package = "rustls-webpki", version = "0.102.0-alpha.1", default-featu
     "alloc",
     "std",
 ] }
-pki-types = { package = "rustls-pki-types", version = "0.2.0" }
 webpki-roots = "0.26.0-alpha.1"
 rustls-pemfile = "2.0.0-alpha.1"
 env_logger = "0.10"

rustls-mbedcrypto-provider/Cargo.toml

@@ -8,7 +8,6 @@
 use super::agreement;
 use crate::error::mbedtls_err_to_rustls_general_error;
 
-use crate::log::error;
 use alloc::boxed::Box;
 use alloc::fmt;
 use alloc::format;
@@ -42,15 +41,12 @@ impl fmt::Debug for KxGroup {
 }
 
 impl SupportedKxGroup for KxGroup {
-    fn start(&self) -> Result<Box<dyn crypto::ActiveKeyExchange>, rustls::crypto::GetRandomFailed> {
+    fn start(&self) -> Result<Box<dyn crypto::ActiveKeyExchange>, Error> {
         let mut pk = PkMbed::generate_ec(
             &mut super::rng::rng_new().ok_or(rustls::crypto::GetRandomFailed)?,
             self.agreement_algorithm.group_id,
         )
-        .map_err(|_err| {
-            error!("Encountered error when generating ec key, mbedtls error: {}", _err);
-            rustls::crypto::GetRandomFailed
-        })?;
+        .map_err(|err| rustls::Error::General(format!("Encountered error when generating ec key, mbedtls error: {}", err)))?;
 
         fn get_key_pair(pk: &mut PkMbed, kx_group: &KxGroup) -> Result<KeyExchange, mbedtls::Error> {
             let group = EcGroup::new(kx_group.agreement_algorithm.group_id)?;
@@ -68,10 +64,7 @@ impl SupportedKxGroup for KxGroup {
 
         match get_key_pair(&mut pk, self) {
             Ok(group) => Ok(Box::new(group)),
-            Err(_err) => {
-                error!("Unexpected mbedtls error: {}", _err);
-                Err(rustls::crypto::GetRandomFailed)
-            }
+            Err(err) => Err(rustls::Error::General(format!("Unexpected mbedtls error: {}", err))),
         }
     }
 

rustls-mbedcrypto-provider/src/kx.rs

@@ -80,6 +80,8 @@ pub(crate) mod hash;
 pub(crate) mod hmac;
 pub(crate) mod kx;
 
+/// Message signing interfaces.
+pub mod signer;
 /// TLS1.2 ciphersuites implementation.
 #[cfg(feature = "tls12")]
 pub mod tls12;
@@ -137,6 +139,17 @@ impl rustls::crypto::CryptoProvider for Mbedtls {
     fn default_kx_groups(&self) -> &'static [&'static dyn rustls::crypto::SupportedKxGroup] {
         ALL_KX_GROUPS
     }
+
+    fn load_private_key(
+        &self,
+        _key_der: pki_types::PrivateKeyDer<'static>,
+    ) -> Result<alloc::sync::Arc<dyn rustls::sign::SigningKey>, rustls::Error> {
+        todo!()
+    }
+
+    fn signature_verification_algorithms(&self) -> rustls::WebPkiSupportedAlgorithms {
+        todo!()
+    }
 }
 
 /// The cipher suite configuration that an application should use by default.

rustls-mbedcrypto-provider/src/lib.rs

@@ -0,0 +1,111 @@
+use alloc::vec;
+use alloc::{boxed::Box, sync::Arc, vec::Vec};
+use core::fmt::Debug;
+use mbedtls::pk::ECDSA_MAX_LEN;
+use std::sync::Mutex;
+use utils::error::mbedtls_err_into_rustls_err;
+use utils::hash::{buffer_for_hash_type, rustls_signature_scheme_to_mbedtls_hash_type};
+use utils::pk::{rustls_signature_scheme_to_mbedtls_pk_options, rustls_signature_scheme_to_mbedtls_pk_type};
+
+///
+struct MbedTlsSigner(Arc<Mutex<mbedtls::pk::Pk>>, rustls::SignatureScheme);
+
+impl Debug for MbedTlsSigner {
+    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
+        f.debug_tuple("MbedTlsSigner")
+            .field(&"Arc<Mutex<mbedtls::pk::Pk>>")
+            .field(&self.1)
+            .finish()
+    }
+}
+
+impl rustls::sign::Signer for MbedTlsSigner {
+    fn sign(&self, message: &[u8]) -> Result<Vec<u8>, rustls::Error> {
+        let hash_type = rustls_signature_scheme_to_mbedtls_hash_type(self.1);
+        let mut hash = buffer_for_hash_type(hash_type).ok_or_else(|| rustls::Error::General("unexpected hash type".into()))?;
+        let hash_size = mbedtls::hash::Md::hash(hash_type, message, &mut hash).map_err(mbedtls_err_into_rustls_err)?;
+
+        let mut pk = self
+            .0
+            .lock()
+            .expect("poisoned PK lock!");
+        if let Some(opts) = rustls_signature_scheme_to_mbedtls_pk_options(self.1) {
+            pk.set_options(opts);
+        }
+
+        fn sig_len_for_pk(pk: &mbedtls::pk::Pk) -> usize {
+            match pk.pk_type() {
+                mbedtls::pk::Type::Eckey | mbedtls::pk::Type::EckeyDh | mbedtls::pk::Type::Ecdsa => ECDSA_MAX_LEN,
+                _ => pk.len() / 8,
+            }
+        }
+        let mut sig = vec![0; sig_len_for_pk(&pk)];
+        let sig_len = pk
+            .sign(
+                hash_type,
+                &hash[..hash_size],
+                &mut sig,
+                &mut crate::rng::rng_new().ok_or(rustls::Error::FailedToGetRandomBytes)?,
+            )
+            .map_err(mbedtls_err_into_rustls_err)?;
+        sig.truncate(sig_len);
+        Ok(sig)
+    }
+
+    fn scheme(&self) -> rustls::SignatureScheme {
+        self.1
+    }
+}
+
+/// A [`SigningKey`] implemented by using [`mbedtls`]
+///
+/// [`SigningKey`]: rustls::sign::SigningKey
+pub struct MbedTlsPkSigningKey(pub Arc<Mutex<mbedtls::pk::Pk>>);
+
+impl Debug for MbedTlsPkSigningKey {
+    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
+        f.debug_tuple("MbedTlsPkSigningKey")
+            .field(&"Arc<Mutex<mbedtls::pk::Pk>>")
+            .finish()
+    }
+}
+
+impl rustls::sign::SigningKey for MbedTlsPkSigningKey {
+    fn choose_scheme(&self, offered: &[rustls::SignatureScheme]) -> Option<Box<dyn rustls::sign::Signer>> {
+        for scheme in offered {
+            let scheme_type = rustls_signature_scheme_to_mbedtls_pk_type(scheme);
+            if let Some(scheme_type) = scheme_type {
+                if scheme_type
+                    == self
+                        .0
+                        .lock()
+                        .expect("poisoned pk lock")
+                        .pk_type()
+                {
+                    let signer = MbedTlsSigner(self.0.clone(), *scheme);
+                    return Some(Box::new(signer));
+                }
+            }
+        }
+        None
+    }
+
+    fn algorithm(&self) -> rustls::SignatureAlgorithm {
+        use rustls::SignatureAlgorithm;
+        match self
+            .0
+            .lock()
+            .expect("poisoned pk lock")
+            .pk_type()
+        {
+            mbedtls::pk::Type::Rsa => SignatureAlgorithm::RSA,
+            mbedtls::pk::Type::Ecdsa => SignatureAlgorithm::ECDSA,
+            mbedtls::pk::Type::RsassaPss => SignatureAlgorithm::RSA,
+            mbedtls::pk::Type::Eckey => SignatureAlgorithm::ECDSA,
+            mbedtls::pk::Type::RsaAlt => SignatureAlgorithm::DSA,
+            mbedtls::pk::Type::EckeyDh => SignatureAlgorithm::Anonymous,
+            mbedtls::pk::Type::Custom => SignatureAlgorithm::Anonymous,
+            mbedtls::pk::Type::None => SignatureAlgorithm::Anonymous,
+        }
+    }
+}

rustls-mbedcrypto-provider/src/signer.rs

@@ -10,7 +10,6 @@ use alloc::boxed::Box;
 use alloc::vec::Vec;
 use mbedtls::cipher::raw::{CipherId, CipherMode, CipherType};
 use mbedtls::cipher::{Authenticated, Cipher, Decryption, Encryption, Fresh};
-use rustls::cipher_suite::CipherSuiteCommon;
 use rustls::crypto::cipher::{
     make_tls12_aad, AeadKey, BorrowedPlainMessage, Iv, KeyBlockShape, MessageDecrypter, MessageEncrypter, Nonce, OpaqueMessage,
     PlainMessage, Tls12AeadAlgorithm, UnsupportedOperationError, NONCE_LEN,
@@ -20,7 +19,9 @@ use rustls::crypto::KeyExchangeAlgorithm;
 
 use super::aead::{self, Algorithm, AES128_GCM, AES256_GCM};
 use alloc::string::String;
-use rustls::{CipherSuite, ConnectionTrafficSecrets, Error, SignatureScheme, SupportedCipherSuite, Tls12CipherSuite};
+use rustls::{
+    CipherSuite, CipherSuiteCommon, ConnectionTrafficSecrets, Error, SignatureScheme, SupportedCipherSuite, Tls12CipherSuite,
+};
 
 pub(crate) const GCM_FIXED_IV_LEN: usize = 4;
 pub(crate) const GCM_EXPLICIT_NONCE_LEN: usize = 8;

rustls-mbedcrypto-provider/src/tls12.rs

@@ -12,15 +12,15 @@ use alloc::string::String;
 use alloc::vec::Vec;
 use mbedtls::cipher::raw::CipherType;
 use mbedtls::cipher::{Authenticated, Cipher, Decryption, Encryption, Fresh};
-use rustls::cipher_suite::CipherSuiteCommon;
 use rustls::crypto::cipher::{
     make_tls13_aad, AeadKey, BorrowedPlainMessage, Iv, MessageDecrypter, MessageEncrypter, Nonce, OpaqueMessage, PlainMessage,
     Tls13AeadAlgorithm, UnsupportedOperationError,
 };
 use rustls::crypto::tls13::HkdfUsingHmac;
 use rustls::internal::msgs::codec::Codec;
 use rustls::{
-    CipherSuite, ConnectionTrafficSecrets, ContentType, Error, ProtocolVersion, SupportedCipherSuite, Tls13CipherSuite,
+    CipherSuite, CipherSuiteCommon, ConnectionTrafficSecrets, ContentType, Error, ProtocolVersion, SupportedCipherSuite,
+    Tls13CipherSuite,
 };
 
 /// The TLS1.3 ciphersuite TLS_CHACHA20_POLY1305_SHA256

rustls-mbedcrypto-provider/src/tls13.rs

@@ -23,6 +23,7 @@ chrono = "0.4"
 pki-types = { package = "rustls-pki-types", version = "0.2.1", features = [
     "std",
 ] }
+utils = { package = "rustls-mbedtls-provider-utils", path = "../rustls-mbedtls-provider-utils", version = "0.1.0-alpha.1" }
 
 [target.'cfg(target_env = "msvc")'.dependencies]
 # mbedtls need feature `time` to build when targeting msvc

rustls-mbedpki-provider/Cargo.toml

@@ -5,18 +5,20 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
 
-use std::sync::Arc;
-
+use alloc::string::String;
+use alloc::sync::Arc;
+use alloc::vec;
+use alloc::vec::Vec;
 use chrono::NaiveDateTime;
 use pki_types::{CertificateDer, UnixTime};
 use rustls::{
     server::danger::{ClientCertVerified, ClientCertVerifier},
     DistinguishedName,
 };
+use utils::error::mbedtls_err_into_rustls_err_with_error_msg;
 
 use crate::{
-    mbedtls_err_into_rustls_err, mbedtls_err_into_rustls_err_with_error_msg, rustls_cert_to_mbedtls_cert,
-    verify_certificates_active, verify_tls_signature, CertActiveCheck,
+    mbedtls_err_into_rustls_err, rustls_cert_to_mbedtls_cert, verify_certificates_active, verify_tls_signature, CertActiveCheck,
 };
 
 /// A [`rustls`] [`ClientCertVerifier`] implemented using the PKI functionality of
@@ -29,6 +31,17 @@ pub struct MbedTlsClientCertVerifier {
     cert_active_check: CertActiveCheck,
 }
 
+impl std::fmt::Debug for MbedTlsClientCertVerifier {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("MbedTlsClientCertVerifier")
+            .field("trusted_cas", &"..")
+            .field("root_subjects", &self.root_subjects)
+            .field("verify_callback", &"..")
+            .field("cert_active_check", &self.cert_active_check)
+            .finish()
+    }
+}
+
 impl MbedTlsClientCertVerifier {
     /// Constructs a new [`MbedTlsClientCertVerifier`] object given the provided trusted certificate authority
     /// certificates.