borrowed-remote-key

rustls · Jan 17, 2024 · ccdfaf3 · ccdfaf3
1 parent 30489d7
commit ccdfaf3
Show file tree

Hide file tree

Showing 3 changed files with 93 additions and 51 deletions.
diff --git a/rcgen/src/csr.rs b/rcgen/src/csr.rs
@@ -22,14 +22,14 @@ impl PublicKeyData for PublicKey {
 }
 
 /// Parameters for a certificate signing request
-pub struct CertificateSigningRequestParams {
+pub struct CertificateSigningRequestParams<'a> {
 	/// Parameters for the certificate to be signed.
-	pub params: CertificateParams,
+	pub params: CertificateParams<'a>,
 	/// Public key to include in the certificate signing request.
 	pub public_key: PublicKey,
 }
 
-impl CertificateSigningRequestParams {
+impl CertificateSigningRequestParams<'_> {
 	/// Parse a certificate signing request from the ASCII PEM format
 	///
 	/// See [`from_der`](Self::from_der) for more details.

diff --git a/rcgen/src/key_pair.rs b/rcgen/src/key_pair.rs
@@ -19,18 +19,18 @@ use crate::{Error, SignatureAlgorithm};
 
 /// A key pair variant
 #[allow(clippy::large_enum_variant)]
-pub(crate) enum KeyPairKind {
+pub(crate) enum KeyPairKind<'a> {
 	/// A Ecdsa key pair
 	Ec(EcdsaKeyPair),
 	/// A Ed25519 key pair
 	Ed(Ed25519KeyPair),
 	/// A RSA key pair
 	Rsa(RsaKeyPair, &'static dyn RsaEncoding),
 	/// A remote key pair
-	Remote(Box<dyn RemoteKeyPair + Send + Sync>),
+	Remote(&'a (dyn RemoteKeyPair + Send + Sync)),
 }
 
-impl fmt::Debug for KeyPairKind {
+impl fmt::Debug for KeyPairKind<'_> {
 	fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
 		match self {
 			Self::Ec(key_pair) => write!(f, "{:?}", key_pair),
@@ -49,13 +49,13 @@ impl fmt::Debug for KeyPairKind {
 /// for how to generate RSA keys in the wanted format
 /// and conversion between the formats.
 #[derive(Debug)]
-pub struct KeyPair {
-	pub(crate) kind: KeyPairKind,
+pub struct KeyPair<'a> {
+	pub(crate) kind: KeyPairKind<'a>,
 	pub(crate) alg: &'static SignatureAlgorithm,
 	pub(crate) serialized_der: Vec<u8>,
 }
 
-impl KeyPair {
+impl<'a> KeyPair<'a> {
 	/// Parses the key pair from the DER format
 	///
 	/// Equivalent to using the [`TryFrom`] implementation.
@@ -77,7 +77,7 @@ impl KeyPair {
 	}
 
 	/// Obtains the key pair from a raw public key and a remote private key
-	pub fn from_remote(key_pair: Box<dyn RemoteKeyPair + Send + Sync>) -> Result<Self, Error> {
+	pub fn from_remote(key_pair: &'a (dyn RemoteKeyPair + Send + Sync)) -> Result<Self, Error> {
 		Ok(Self {
 			alg: key_pair.algorithm(),
 			kind: KeyPairKind::Remote(key_pair),
@@ -154,7 +154,7 @@ impl KeyPair {
 
 	pub(crate) fn from_raw(
 		pkcs8: &[u8],
-	) -> Result<(KeyPairKind, &'static SignatureAlgorithm), Error> {
+	) -> Result<(KeyPairKind<'a>, &'static SignatureAlgorithm), Error> {
 		let rng = SystemRandom::new();
 		let (kind, alg) = if let Ok(edkp) = Ed25519KeyPair::from_pkcs8_maybe_unchecked(pkcs8) {
 			(KeyPairKind::Ed(edkp), &PKCS_ED25519)
@@ -219,7 +219,7 @@ impl KeyPair {
 	/// If `None` is provided for `existing_key_pair` a new key pair compatible with `sig_alg`
 	/// is generated from scratch.
 	pub(crate) fn validate_or_generate(
-		existing_key_pair: &mut Option<KeyPair>,
+		existing_key_pair: &mut Option<KeyPair<'a>>,
 		sig_alg: &'static SignatureAlgorithm,
 	) -> Result<Self, Error> {
 		match existing_key_pair.take() {
@@ -251,32 +251,39 @@ impl KeyPair {
 		std::iter::once(self.alg)
 	}
 
-	pub(crate) fn sign(&self, msg: &[u8], writer: DERWriter) -> Result<(), Error> {
-		match &self.kind {
+	fn sign_raw(&self, msg: &[u8]) -> Result<Vec<u8>, Error> {
+		let signature = match &self.kind {
 			KeyPairKind::Ec(kp) => {
 				let system_random = SystemRandom::new();
 				let signature = kp.sign(&system_random, msg)._err()?;
-				let sig = &signature.as_ref();
-				writer.write_bitvec_bytes(&sig, &sig.len() * 8);
+
+				signature.as_ref().to_vec()
 			},
 			KeyPairKind::Ed(kp) => {
 				let signature = kp.sign(msg);
-				let sig = &signature.as_ref();
-				writer.write_bitvec_bytes(&sig, &sig.len() * 8);
+
+				signature.as_ref().to_vec()
 			},
 			KeyPairKind::Rsa(kp, padding_alg) => {
 				let system_random = SystemRandom::new();
 				let mut signature = vec![0; rsa_key_pair_public_modulus_len(kp)];
 				kp.sign(*padding_alg, &system_random, msg, &mut signature)
 					._err()?;
-				let sig = &signature.as_ref();
-				writer.write_bitvec_bytes(&sig, &sig.len() * 8);
+
+				signature
 			},
 			KeyPairKind::Remote(kp) => {
 				let signature = kp.sign(msg)?;
-				writer.write_bitvec_bytes(&signature, &signature.len() * 8);
+
+				signature
 			},
-		}
+		};
+		Ok(signature)
+	}
+
+	pub(crate) fn sign(&self, msg: &[u8], writer: DERWriter) -> Result<(), Error> {
+		let sig = self.sign_raw(msg)?;
+		writer.write_bitvec_bytes(&sig, &sig.len() * 8);
 		Ok(())
 	}
 
@@ -324,8 +331,8 @@ impl KeyPair {
 
 	/// Access the remote key pair if it is a remote one
 	pub fn as_remote(&self) -> Option<&(dyn RemoteKeyPair + Send + Sync)> {
-		if let KeyPairKind::Remote(remote) = &self.kind {
-			Some(remote.as_ref())
+		if let KeyPairKind::Remote(remote) = self.kind {
+			Some(remote)
 		} else {
 			None
 		}
@@ -340,23 +347,23 @@ impl KeyPair {
 	}
 }
 
-impl TryFrom<&[u8]> for KeyPair {
+impl<'a> TryFrom<&[u8]> for KeyPair<'a> {
 	type Error = Error;
 
-	fn try_from(pkcs8: &[u8]) -> Result<KeyPair, Error> {
+	fn try_from(pkcs8: &[u8]) -> Result<KeyPair<'a>, Error> {
 		let (kind, alg) = KeyPair::from_raw(pkcs8)?;
 		Ok(KeyPair {
 			kind,
 			alg,
-			serialized_der: pkcs8.to_vec(),
+			serialized_der: pkcs8.to_vec().into(),
 		})
 	}
 }
 
-impl TryFrom<Vec<u8>> for KeyPair {
+impl<'a> TryFrom<Vec<u8>> for KeyPair<'a> {
 	type Error = Error;
 
-	fn try_from(pkcs8: Vec<u8>) -> Result<KeyPair, Error> {
+	fn try_from(pkcs8: Vec<u8>) -> Result<KeyPair<'a>, Error> {
 		let (kind, alg) = KeyPair::from_raw(pkcs8.as_slice())?;
 		Ok(KeyPair {
 			kind,
@@ -366,7 +373,7 @@ impl TryFrom<Vec<u8>> for KeyPair {
 	}
 }
 
-impl PublicKeyData for KeyPair {
+impl PublicKeyData for KeyPair<'_> {
 	fn alg(&self) -> &SignatureAlgorithm {
 		self.alg
 	}
@@ -395,6 +402,20 @@ pub trait RemoteKeyPair {
 	fn algorithm(&self) -> &'static SignatureAlgorithm;
 }
 
+impl RemoteKeyPair for KeyPair<'_> {
+	fn public_key(&self) -> &[u8] {
+		self.public_key_raw()
+	}
+
+	fn sign(&self, msg: &[u8]) -> Result<Vec<u8>, Error> {
+		self.sign_raw(msg)
+	}
+
+	fn algorithm(&self) -> &'static SignatureAlgorithm {
+		self.alg
+	}
+}
+
 impl<T> ExternalError<T> for Result<T, ring_error::KeyRejected> {
 	fn _err(self) -> Result<T, Error> {
 		self.map_err(|e| Error::RingKeyRejected(e.to_string()))
@@ -432,6 +453,7 @@ pub(crate) trait PublicKeyData {
 mod test {
 	use super::*;
 
+	use crate::key_pair;
 	use crate::ring_like::rand::SystemRandom;
 	use crate::ring_like::signature::{EcdsaKeyPair, ECDSA_P256_SHA256_FIXED_SIGNING};
 
@@ -444,4 +466,24 @@ mod test {
 		let key_pair = KeyPair::from_der(&der).unwrap();
 		assert_eq!(key_pair.algorithm(), &PKCS_ECDSA_P256_SHA256);
 	}
+
+	#[test]
+	fn test_remote_key_pair() {
+		let key_pair = KeyPair::generate(&PKCS_ECDSA_P256_SHA256).unwrap();
+		assert_eq!(key_pair.algorithm(), &PKCS_ECDSA_P256_SHA256);
+		let remote_key1 = KeyPair::from_remote(&key_pair).unwrap();
+		let remote_key2 = KeyPair::from_remote(&key_pair).unwrap();
+		assert_eq!(remote_key1.algorithm(), key_pair.algorithm());
+		assert_eq!(remote_key2.algorithm(), key_pair.algorithm());
+		assert_eq!(remote_key1.public_key_der(), key_pair.public_key_der());
+		assert_eq!(remote_key2.public_key_der(), key_pair.public_key_der());
+	}
+
+	#[test]
+	#[should_panic]
+	fn test_remote_key_pair() {
+		let key_pair = KeyPair::generate(&PKCS_ECDSA_P256_SHA256).unwrap();
+		let remote_key = KeyPair::from_remote(&key_pair).unwrap();
+		remote_key.serialize_der();
+	}
 }
diff --git a/rcgen/src/lib.rs b/rcgen/src/lib.rs
@@ -70,16 +70,16 @@ pub use crate::sign_algo::SignatureAlgorithm;
 pub type RcgenError = Error;
 
 /// An issued certificate, together with the subject keypair.
-pub struct CertifiedKey {
+pub struct CertifiedKey<'a> {
 	/// An issued certificate.
-	pub cert: Certificate,
+	pub cert: Certificate<'a>,
 	/// The certificate's subject key pair.
-	pub key_pair: KeyPair,
+	pub key_pair: KeyPair<'a>,
 }
 
 /// An issued certificate together with the parameters used to generate it.
-pub struct Certificate {
-	params: CertificateParams,
+pub struct Certificate<'a> {
+	params: CertificateParams<'a>,
 	subject_public_key_info: Vec<u8>,
 	der: Vec<u8>,
 }
@@ -112,9 +112,9 @@ println!("{}", key_pair.serialize_pem());
 ```
 "##
 )]
-pub fn generate_simple_self_signed(
+pub fn generate_simple_self_signed<'a>(
 	subject_alt_names: impl Into<Vec<String>>,
-) -> Result<CertifiedKey, Error> {
+) -> Result<CertifiedKey<'a>, Error> {
 	Certificate::generate_self_signed(CertificateParams::new(subject_alt_names))
 }
 
@@ -522,7 +522,7 @@ impl<'a> Iterator for DistinguishedNameIterator<'a> {
 /// Parameters used for certificate generation
 #[allow(missing_docs)]
 #[non_exhaustive]
-pub struct CertificateParams {
+pub struct CertificateParams<'a> {
 	pub alg: &'static SignatureAlgorithm,
 	pub not_before: OffsetDateTime,
 	pub not_after: OffsetDateTime,
@@ -541,7 +541,7 @@ pub struct CertificateParams {
 	pub crl_distribution_points: Vec<CrlDistributionPoint>,
 	pub custom_extensions: Vec<CustomExtension>,
 	/// The certificate's key pair, a new random key pair will be generated if this is `None`
-	pub key_pair: Option<KeyPair>,
+	pub key_pair: Option<KeyPair<'a>>,
 	/// If `true`, the 'Authority Key Identifier' extension will be added to the generated cert
 	pub use_authority_key_identifier_extension: bool,
 	/// Method to generate key identifiers from public keys
@@ -550,7 +550,7 @@ pub struct CertificateParams {
 	pub key_identifier_method: KeyIdMethod,
 }
 
-impl Default for CertificateParams {
+impl Default for CertificateParams<'_> {
 	fn default() -> Self {
 		// not_before and not_after set to reasonably long dates
 		let not_before = date_time_ymd(1975, 01, 01);
@@ -577,7 +577,7 @@ impl Default for CertificateParams {
 	}
 }
 
-impl CertificateParams {
+impl<'a> CertificateParams<'a> {
 	/// Generate certificate parameters with reasonable defaults
 	pub fn new(subject_alt_names: impl Into<Vec<String>>) -> Self {
 		let subject_alt_names = subject_alt_names
@@ -598,7 +598,7 @@ impl CertificateParams {
 	///
 	/// See [`from_ca_cert_der`](Self::from_ca_cert_der) for more details.
 	#[cfg(all(feature = "pem", feature = "x509-parser"))]
-	pub fn from_ca_cert_pem(pem_str: &str, key_pair: KeyPair) -> Result<Self, Error> {
+	pub fn from_ca_cert_pem(pem_str: &str, key_pair: KeyPair<'a>) -> Result<Self, Error> {
 		let certificate = pem::parse(pem_str).or(Err(Error::CouldNotParseCertificate))?;
 		Self::from_ca_cert_der(certificate.contents(), key_pair)
 	}
@@ -619,7 +619,7 @@ impl CertificateParams {
 	/// for the presence of the `BasicConstraints` extension, or perform any other
 	/// validation.
 	#[cfg(feature = "x509-parser")]
-	pub fn from_ca_cert_der(ca_cert: &[u8], key_pair: KeyPair) -> Result<Self, Error> {
+	pub fn from_ca_cert_der(ca_cert: &[u8], key_pair: KeyPair<'a>) -> Result<Self, Error> {
 		let (_remainder, x509) = x509_parser::parse_x509_certificate(ca_cert)
 			.or(Err(Error::CouldNotParseCertificate))?;
 
@@ -1510,7 +1510,7 @@ fn write_general_subtrees(writer: DERWriter, tag: u64, general_subtrees: &[Gener
 	});
 }
 
-impl Certificate {
+impl<'a> Certificate<'a> {
 	/// Generates a new self-signed certificate from the given parameters.
 	///
 	/// If [`CertificateParams::key_pair`] is not set to a pre-generated key, a new key pair
@@ -1553,10 +1553,10 @@ impl Certificate {
 	/// [`Certificate::pem`]. Similarly the private key of the returned [`KeyPair`] may be
 	/// serialized using [`KeyPair::serialize_der`] and [`KeyPair::serialize_pem`].
 	pub fn generate(
-		mut params: CertificateParams,
+		mut params: CertificateParams<'a>,
 		issuer: &Certificate,
 		issuer_key: &KeyPair,
-	) -> Result<CertifiedKey, Error> {
+	) -> Result<CertifiedKey<'a>, Error> {
 		let key_pair = KeyPair::validate_or_generate(&mut params.key_pair, params.alg)?;
 		let subject_public_key_info = key_pair.public_key_der();
 		let der = params.serialize_der_with_signer(
@@ -1587,10 +1587,10 @@ impl Certificate {
 	/// The returned [`Certificate`] may be serialized using [`Certificate::der`] and
 	/// [`Certificate::pem`].
 	pub fn from_request(
-		request: CertificateSigningRequestParams,
+		request: CertificateSigningRequestParams<'a>,
 		issuer: &Certificate,
 		issuer_key: &KeyPair,
-	) -> Result<Certificate, Error> {
+	) -> Result<Certificate<'a>, Error> {
 		let der = request.params.serialize_der_with_signer(
 			&request.public_key,
 			request.params.alg,
@@ -1722,21 +1722,21 @@ fn write_x509_authority_key_identifier(writer: DERWriter, aki: Vec<u8>) {
 }
 
 #[cfg(feature = "zeroize")]
-impl zeroize::Zeroize for KeyPair {
+impl zeroize::Zeroize for KeyPair<'_> {
 	fn zeroize(&mut self) {
 		self.serialized_der.zeroize();
 	}
 }
 
 #[cfg(feature = "zeroize")]
-impl zeroize::Zeroize for CertificateSigningRequestParams {
+impl zeroize::Zeroize for CertificateSigningRequestParams<'_> {
 	fn zeroize(&mut self) {
 		self.params.zeroize();
 	}
 }
 
 #[cfg(feature = "zeroize")]
-impl zeroize::Zeroize for CertificateParams {
+impl zeroize::Zeroize for CertificateParams<'_> {
 	fn zeroize(&mut self) {
 		self.key_pair.zeroize();
 	}