diff --git a/Cargo.lock b/Cargo.lock index 1e3a7d3..1e8fb86 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -47,7 +47,7 @@ version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5ca11d4be1bab0c8bc8734a9aa7bf4ee8316d462a08c6ac5052f888fef5b494b" dependencies = [ - "windows-sys", + "windows-sys 0.48.0", ] [[package]] @@ -57,7 +57,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c677ab05e09154296dd37acecd46420c17b9713e8366facafa8fc0885167cf4c" dependencies = [ "anstyle", - "windows-sys", + "windows-sys 0.48.0", ] [[package]] @@ -123,6 +123,12 @@ version = "0.21.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9ba43ea6f343b788c8764558649e08df62f86c6ef251fdaeb1ffd010a9ae50a2" +[[package]] +name = "base64" +version = "0.22.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" + [[package]] name = "bincode" version = "1.3.3" @@ -376,7 +382,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ac3e13f66a2f95e32a39eaa81f6b95d42878ca0e1db0c7543723dfe12557e860" dependencies = [ "libc", - "windows-sys", + "windows-sys 0.48.0", ] [[package]] @@ -487,6 +493,17 @@ dependencies = [ "version_check", ] +[[package]] +name = "getrandom" +version = "0.2.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "94b22e06ecb0110981051723910cbf0b5f5e09a2062dd7663334ee79a9d1286c" +dependencies = [ + "cfg-if", + "libc", + "wasi", +] + [[package]] name = "glob" version = "0.3.1" @@ -567,7 +584,7 @@ checksum = "cb0889898416213fab133e1d33a0e5858a48177452750691bde3666d0fdbaf8b" dependencies = [ "hermit-abi", "rustix", - "windows-sys", + "windows-sys 0.48.0", ] [[package]] 
@@ -619,8 +636,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6971da4d9c3aa03c3d8f3ff0f4155b534aad021292003895a469716b2a230378" dependencies = [ "base64 0.21.4", - "pem", - "ring", + "pem 1.1.1", + "ring 0.16.20", "serde", "serde_json", "simple_asn1", @@ -908,7 +925,7 @@ dependencies = [ "log", "oid", "parsec-client", - "pem", + "pem 1.1.1", "picky-asn1", "picky-asn1-der", "picky-asn1-x509", @@ -933,6 +950,16 @@ dependencies = [ "base64 0.13.1", ] +[[package]] +name = "pem" +version = "3.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e459365e590736a54c3fa561947c84837534b8e9af6fc5bf781307e82658fae" +dependencies = [ + "base64 0.22.1", + "serde", +] + [[package]] name = "percent-encoding" version = "2.3.0" @@ -1075,10 +1102,11 @@ dependencies = [ [[package]] name = "rcgen" -version = "0.9.3" +version = "0.13.1" dependencies = [ - "pem", - "ring", + "pem 3.0.4", + "ring 0.17.8", + "rustls-pki-types", "time", "yasna 0.5.2", ] @@ -1130,12 +1158,27 @@ dependencies = [ "cc", "libc", "once_cell", - "spin", - "untrusted", + "spin 0.5.2", + "untrusted 0.7.1", "web-sys", "winapi", ] +[[package]] +name = "ring" +version = "0.17.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c17fa4cb658e3583423e915b9f3acc01cceaee1860e33d59ebae66adc3a2dc0d" +dependencies = [ + "cc", + "cfg-if", + "getrandom", + "libc", + "spin 0.9.8", + "untrusted 0.9.0", + "windows-sys 0.52.0", +] + [[package]] name = "rustc-hash" version = "1.1.0" @@ -1161,9 +1204,15 @@ dependencies = [ "errno", "libc", "linux-raw-sys", - "windows-sys", + "windows-sys 0.48.0", ] +[[package]] +name = "rustls-pki-types" +version = "1.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "976295e77ce332211c0d24d92c0e83e50f5c5f046d11082cea19f3df13a3562d" + [[package]] name = "ryu" version = "1.0.15" 
@@ -1309,6 +1358,12 @@ version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" +[[package]] +name = "spin" +version = "0.9.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67" + [[package]] name = "spki" version = "0.5.4" @@ -1468,6 +1523,12 @@ version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" +[[package]] +name = "untrusted" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" + [[package]] name = "url" version = "2.4.1" @@ -1513,6 +1574,12 @@ dependencies = [ "winapi-util", ] +[[package]] +name = "wasi" +version = "0.11.0+wasi-snapshot-preview1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" + [[package]] name = "wasm-bindgen" version = "0.2.87" @@ -1614,7 +1681,16 @@ version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9" dependencies = [ - "windows-targets", + "windows-targets 0.48.5", +] + +[[package]] +name = "windows-sys" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" +dependencies = [ + "windows-targets 0.52.5", ] [[package]] 
@@ -1623,13 +1699,29 @@ version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c" dependencies = [ - "windows_aarch64_gnullvm", - "windows_aarch64_msvc", - "windows_i686_gnu", - "windows_i686_msvc", - "windows_x86_64_gnu", - "windows_x86_64_gnullvm", - "windows_x86_64_msvc", + "windows_aarch64_gnullvm 0.48.5", + "windows_aarch64_msvc 0.48.5", + "windows_i686_gnu 0.48.5", + "windows_i686_msvc 0.48.5", + "windows_x86_64_gnu 0.48.5", + "windows_x86_64_gnullvm 0.48.5", + "windows_x86_64_msvc 0.48.5", +] + +[[package]] +name = "windows-targets" +version = "0.52.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6f0713a46559409d202e70e28227288446bf7841d3211583a4b53e3f6d96e7eb" +dependencies = [ + "windows_aarch64_gnullvm 0.52.5", + "windows_aarch64_msvc 0.52.5", + "windows_i686_gnu 0.52.5", + "windows_i686_gnullvm", + "windows_i686_msvc 0.52.5", + "windows_x86_64_gnu 0.52.5", + "windows_x86_64_gnullvm 0.52.5", + "windows_x86_64_msvc 0.52.5", ] [[package]] 
@@ -1638,42 +1730,90 @@ version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.52.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7088eed71e8b8dda258ecc8bac5fb1153c5cffaf2578fc8ff5d61e23578d3263" + [[package]] name = "windows_aarch64_msvc" version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" +[[package]] +name = "windows_aarch64_msvc" +version = "0.52.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9985fd1504e250c615ca5f281c3f7a6da76213ebd5ccc9561496568a2752afb6" + [[package]] name = "windows_i686_gnu" version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e" +[[package]] +name = "windows_i686_gnu" +version = "0.52.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "88ba073cf16d5372720ec942a8ccbf61626074c6d4dd2e745299726ce8b89670" + +[[package]] +name = "windows_i686_gnullvm" +version = "0.52.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "87f4261229030a858f36b459e748ae97545d6f1ec60e5e0d6a3d32e0dc232ee9" + [[package]] name = "windows_i686_msvc" version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" +[[package]] +name = "windows_i686_msvc" +version = "0.52.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "db3c2bf3d13d5b658be73463284eaf12830ac9a26a90c717b7f771dfe97487bf" + [[package]] name = "windows_x86_64_gnu" version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = 
"53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" +[[package]] +name = "windows_x86_64_gnu" +version = "0.52.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4e4246f76bdeff09eb48875a0fd3e2af6aada79d409d33011886d3e1581517d9" + [[package]] name = "windows_x86_64_gnullvm" version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.52.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "852298e482cd67c356ddd9570386e2862b5673c85bd5f88df9ab6802b334c596" + [[package]] name = "windows_x86_64_msvc" version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538" +[[package]] +name = "windows_x86_64_msvc" +version = "0.52.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bec47e5bfd1bff0eeaf6d8b485cc1074891a197ab4225d504cb7a1ab88b02bf0" + [[package]] name = "x509-parser" version = "0.13.2" diff --git a/Cargo.toml b/Cargo.toml index 94c94a4..cbeeeab 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -27,13 +27,13 @@ picky-asn1-x509 = "0.12.0" serde = "1.0.123" sha2 = "0.9.9" log = "0.4.14" -rcgen = { version = "0.9.2", features = ["pem"] } +rcgen = { version = "0.13.1", features = ["pem"] } [package.metadata.patch] crates=["rcgen"] [patch.crates-io] -rcgen = { path = './target/patch/rcgen-0.9.3' } +rcgen = { path = './target/patch/rcgen-0.13.1' } [lib] name = "parsec_tool" diff --git a/patches/rcgen+0.13.1.patch b/patches/rcgen+0.13.1.patch new file mode 100644 index 0000000..3c1e272 --- /dev/null +++ b/patches/rcgen+0.13.1.patch 
@@ -0,0 +1,67 @@ +diff --git a/src/key_pair.rs b/src/key_pair.rs +index 00beea6..1c71fc5 100644 +--- a/src/key_pair.rs ++++ b/src/key_pair.rs +@@ -252,6 +252,9 @@ impl KeyPair { + } else if alg == &PKCS_RSA_PSS_SHA256 { + let rsakp = RsaKeyPair::from_pkcs8(&serialized_der)._err()?; + KeyPairKind::Rsa(rsakp, &signature::RSA_PSS_SHA256) ++ }else if alg == &PKCS_RSA_PSS_SHA384 { ++ let rsakp = RsaKeyPair::from_pkcs8(&serialized_der)._err()?; ++ KeyPairKind::Rsa(rsakp, &signature::RSA_PSS_SHA384) + } else { + #[cfg(feature = "aws_lc_rs")] + if alg == &PKCS_ECDSA_P521_SHA512 { +diff --git a/src/sign_algo.rs b/src/sign_algo.rs +index 5d7052a..2c85d04 100644 +--- a/src/sign_algo.rs ++++ b/src/sign_algo.rs +@@ -89,6 +89,7 @@ impl SignatureAlgorithm { + &PKCS_RSA_SHA384, + &PKCS_RSA_SHA512, + //&PKCS_RSA_PSS_SHA256, ++ //&PKCS_RSA_PSS_SHA384, + &PKCS_ECDSA_P256_SHA256, + &PKCS_ECDSA_P384_SHA384, + #[cfg(feature = "aws_lc_rs")] +@@ -151,21 +152,37 @@ pub(crate) mod algo { + // support those: https://github.com/briansmith/ring/issues/1353 + // + /// RSA signing with PKCS#1 2.1 RSASSA-PSS padding and SHA-256 hashing as per [RFC 4055](https://tools.ietf.org/html/rfc4055) +- pub(crate) static PKCS_RSA_PSS_SHA256: SignatureAlgorithm = SignatureAlgorithm { ++ pub static PKCS_RSA_PSS_SHA256: SignatureAlgorithm = SignatureAlgorithm { + // We could also use RSA_ENCRYPTION here, but it's recommended + // to use ID-RSASSA-PSS if possible. 
+ oids_sign_alg: &[&RSASSA_PSS], + #[cfg(feature = "crypto")] + sign_alg: SignAlgo::Rsa(&signature::RSA_PSS_SHA256), +- oid_components: RSASSA_PSS, //&[1, 2, 840, 113549, 1, 1, 13], ++ oid_components: RSASSA_PSS, //&[1, 2, 840, 113549, 1, 1, 10], + // rSASSA-PSS-SHA256-Params in RFC 4055 + params: SignatureAlgorithmParams::RsaPss { + // id-sha256 in https://datatracker.ietf.org/doc/html/rfc4055#section-2.1 + hash_algorithm: &[2, 16, 840, 1, 101, 3, 4, 2, 1], +- salt_length: 20, ++ salt_length: 32, + }, + }; + ++ /// RSA signing with PKCS#1 2.1 RSASSA-PSS padding and SHA-384 hashing as per [RFC 4055](https://tools.ietf.org/html/rfc4055) ++ pub static PKCS_RSA_PSS_SHA384 :SignatureAlgorithm = SignatureAlgorithm { ++ // We could also use OID_RSA_ENCRYPTION here, but it's recommended ++ // to use ID-RSASSA-PSS if possible. ++ oids_sign_alg: &[&RSASSA_PSS], ++ #[cfg(feature = "crypto")] ++ sign_alg :SignAlgo::Rsa(&signature::RSA_PSS_SHA384), ++ oid_components : RSASSA_PSS, //&[1, 2, 840, 113549, 1, 1, 10], ++ // rSASSA-PSS-SHA384-Params in RFC 4055 ++ params : SignatureAlgorithmParams::RsaPss { ++ // id-sha384 in https://datatracker.ietf.org/doc/html/rfc4055#section-2.1 ++ hash_algorithm : &[2, 16, 840, 1, 101, 3, 4, 2, 2], ++ salt_length : 48, ++ }, ++ }; ++ + /// ECDSA signing using the P-256 curves and SHA-256 hashing as per [RFC 5758](https://tools.ietf.org/html/rfc5758#section-3.2) + pub static PKCS_ECDSA_P256_SHA256: SignatureAlgorithm = SignatureAlgorithm { + oids_sign_alg: &[&EC_PUBLIC_KEY, &EC_SECP_256_R1], diff --git a/patches/rcgen+0.9.3.patch b/patches/rcgen+0.9.3.patch deleted file mode 100644 index 4352138..0000000 --- a/patches/rcgen+0.9.3.patch +++ /dev/null 
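Review bot: The new `PKCS_RSA_PSS_SHA384` branch in key_pair.rs and the new static in sign_algo.rs are formatted unlike the crate code around them (`}else if alg == &PKCS_RSA_PSS_SHA384 {`, `pub static PKCS_RSA_PSS_SHA384 :SignatureAlgorithm`, `sign_alg :SignAlgo::Rsa(...)`, `oid_components : RSASSA_PSS`), and because the patch is applied into `target/patch/` outside the workspace, the `cargo fmt --all -- --check` step in ci.sh will never normalize it; I'd write them as `} else if alg == &PKCS_RSA_PSS_SHA384 {` and `pub static PKCS_RSA_PSS_SHA384: SignatureAlgorithm = SignatureAlgorithm {` to match the SHA-256 block directly above. The `salt_length: 32` / `salt_length: 48` values encoded into the RSASSA-PSS parameters must equal the salt length ring actually uses when signing with `RSA_PSS_SHA256` / `RSA_PSS_SHA384` (the digest length, as far as I can tell), otherwise the CSR signature will not verify against its own AlgorithmIdentifier — that is presumably what the `20` → `32` change corrects, and a comment such as `// must match ring's PSS salt length (= digest length)` on each would keep the next rcgen bump from reintroducing it. Both PSS algorithms stay commented out in `SignatureAlgorithm::iter()`, so nothing that walks the supported-algorithm list exercises these paths; a CSR round-trip test for `PKCS_RSA_PSS_SHA384` in parsec-tool itself would be the only thing catching a regression when the vendored patch is next rebased.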
@@ -1,58 +0,0 @@ -diff --git a/src/lib.rs b/src/lib.rs -index 565b3d6..23998c3 100644 ---- a/src/lib.rs -+++ b/src/lib.rs -@@ -1500,6 +1500,9 @@ impl KeyPair { - } else if alg == &PKCS_RSA_PSS_SHA256 { - let rsakp = RsaKeyPair::from_pkcs8(pkcs8)?; - KeyPairKind::Rsa(rsakp, &signature::RSA_PSS_SHA256) -+ } else if alg == &PKCS_RSA_PSS_SHA384 { -+ let rsakp = RsaKeyPair::from_pkcs8(pkcs8)?; -+ KeyPairKind::Rsa(rsakp, &signature::RSA_PSS_SHA384) - } else { - panic!("Unknown SignatureAlgorithm specified!"); - }; -@@ -1886,6 +1889,7 @@ impl SignatureAlgorithm { - &PKCS_RSA_SHA384, - &PKCS_RSA_SHA512, - //&PKCS_RSA_PSS_SHA256, -+ //&PKCS_RSA_PSS_SHA384, - &PKCS_ECDSA_P256_SHA256, - &PKCS_ECDSA_P384_SHA384, - &PKCS_ED25519 -@@ -1938,17 +1942,32 @@ pub static PKCS_RSA_SHA512 :SignatureAlgorithm = SignatureAlgorithm { - // support those: https://github.com/briansmith/ring/issues/1353 - // - /// RSA signing with PKCS#1 2.1 RSASSA-PSS padding and SHA-256 hashing as per [RFC 4055](https://tools.ietf.org/html/rfc4055) --static PKCS_RSA_PSS_SHA256 :SignatureAlgorithm = SignatureAlgorithm { -+pub static PKCS_RSA_PSS_SHA256 :SignatureAlgorithm = SignatureAlgorithm { - // We could also use OID_RSA_ENCRYPTION here, but it's recommended - // to use ID-RSASSA-PSS if possible. 
- oids_sign_alg :&[&OID_RSASSA_PSS], - sign_alg :SignAlgo::Rsa(), -- oid_components : &OID_RSASSA_PSS,//&[1, 2, 840, 113549, 1, 1, 13], -+ oid_components : &OID_RSASSA_PSS,//&[1, 2, 840, 113549, 1, 1, 11], - // rSASSA-PSS-SHA256-Params in RFC 4055 - params : SignatureAlgorithmParams::RsaPss { - // id-sha256 in https://datatracker.ietf.org/doc/html/rfc4055#section-2.1 - hash_algorithm : &[2, 16, 840, 1, 101, 3, 4, 2, 1], -- salt_length : 20, -+ salt_length : 32, -+ }, -+}; -+ -+/// RSA signing with PKCS#1 2.1 RSASSA-PSS padding and SHA-384 hashing as per [RFC 4055](https://tools.ietf.org/html/rfc4055) -+pub static PKCS_RSA_PSS_SHA384 :SignatureAlgorithm = SignatureAlgorithm { -+ // We could also use OID_RSA_ENCRYPTION here, but it's recommended -+ // to use ID-RSASSA-PSS if possible. -+ oids_sign_alg :&[&OID_RSASSA_PSS], -+ sign_alg :SignAlgo::Rsa(), -+ oid_components : &OID_RSASSA_PSS,//&[1, 2, 840, 113549, 1, 1, 12], -+ // rSASSA-PSS-SHA384-Params in RFC 4055 -+ params : SignatureAlgorithmParams::RsaPss { -+ // id-sha384 in https://datatracker.ietf.org/doc/html/rfc4055#section-2.1 -+ hash_algorithm : &[2, 16, 840, 1, 101, 3, 4, 2, 2], -+ salt_length : 48, - }, - }; - diff --git a/src/error.rs b/src/error.rs index 7d5cc9d..c749a94 100644 --- a/src/error.rs +++ b/src/error.rs @@ -30,7 +30,7 @@ pub enum Error { /// Error emanating from the rcgen create (can occur when creating certificates or CSRs) #[error(transparent)] - RcgenError(#[from] rcgen::RcgenError), + RcgenError(#[from] rcgen::Error), } /// Errors originating in the parsec-tool. diff --git a/src/subcommands/create_csr.rs b/src/subcommands/create_csr.rs index a25cac6..c81a9fe 100644 --- a/src/subcommands/create_csr.rs +++ b/src/subcommands/create_csr.rs 
@@ -12,10 +12,11 @@ use parsec_client::core::interface::operations::psa_algorithm::{ }; use parsec_client::core::interface::operations::psa_key_attributes::{EccFamily, Type}; use parsec_client::BasicClient; +use rcgen::Error as RcgenError; use rcgen::{ - Certificate, CertificateParams, DistinguishedName, DnType, KeyPair, RcgenError, RemoteKeyPair, - SignatureAlgorithm, PKCS_ECDSA_P256_SHA256, PKCS_ECDSA_P384_SHA384, PKCS_RSA_PSS_SHA256, - PKCS_RSA_PSS_SHA384, PKCS_RSA_SHA256, PKCS_RSA_SHA384, PKCS_RSA_SHA512, + CertificateParams, DistinguishedName, DnType, KeyPair, RemoteKeyPair, SignatureAlgorithm, + PKCS_ECDSA_P256_SHA256, PKCS_ECDSA_P384_SHA384, PKCS_RSA_PSS_SHA256, PKCS_RSA_PSS_SHA384, + PKCS_RSA_SHA256, PKCS_RSA_SHA384, PKCS_RSA_SHA512, }; /// Creates an X509 Certificate Signing Request (CSR) from a keypair, using the signing algorithm @@ -139,15 +140,13 @@ impl CreateCsr { ); } - let mut params = CertificateParams::new(subject_alt_names); - params.alg = rcgen_algorithm; - params.key_pair = Some(remote_key_pair); + let mut params = CertificateParams::new(subject_alt_names)?; params.distinguished_name = dn; - let cert = Certificate::from_params(params)?; - - let pem_string = cert.serialize_request_pem()?; + let cert = params.self_signed(&remote_key_pair)?; + let csr = cert.params().serialize_request(&remote_key_pair)?; + let pem_string = csr.pem()?; println!("{}", pem_string); Ok(()) diff --git a/tests/ci.sh b/tests/ci.sh index e6862af..3d63540 100755 --- a/tests/ci.sh +++ b/tests/ci.sh @@ -74,7 +74,7 @@ if cargo fmt -h; then cargo fmt --all -- --check fi if cargo clippy -h; then - cargo clippy --all-targets -- -D clippy::all -D clippy::cargo + cargo clippy --all-targets -- -D clippy::all -D clippy::cargo -A clippy::multiple_crate_versions fi #############
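Review bot: `params.self_signed(&remote_key_pair)?` on the new side performs a full certificate signature with the Parsec-backed key only so that `cert.params()` can be read back, and the resulting self-signed certificate is discarded; `serialize_request` is already being called on a `&CertificateParams`, so the two lines collapse to `let csr = params.serialize_request(&remote_key_pair)?;` with the `self_signed` call dropped. That removes one signing operation on the remote key per CSR, which is a round trip to the service and an extra use of the key that will appear in its audit/usage accounting. With `params.alg = rcgen_algorithm` removed, the signature algorithm now has to come from the `RemoteKeyPair` implementation behind `remote_key_pair`; if `rcgen_algorithm` is not consumed when that key pair is built (outside this hunk), it is now an unused local and the `-D clippy::all` run in ci.sh will fail on it — I cannot confirm from here. The enclosing function begins outside the hunk.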
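Review bot: `-A clippy::multiple_crate_versions` is added with no comment recording why, and it silences the lint for the whole crate rather than for the duplicates this upgrade introduces: the lockfile now carries `ring 0.16.20` and `ring 0.17.8`, `pem 1.1.1` and `pem 3.0.4`, and `windows-sys 0.48.0` and `0.52.0` side by side. Two copies of `ring` means two cryptographic implementations to track for advisories, and the lint would have flagged the next duplicate for free. I'd put `# rcgen 0.13 pulls in ring 0.17 / pem 3 while other dependencies still use ring 0.16 / pem 1; drop this allow once they converge` on the line above so the exception is tied to a condition someone can check.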