Skip to content

Upgrade to ring 0.17 #166

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Oct 4, 2023
Merged

Upgrade to ring 0.17 #166

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9ac73e0
Don't depend on deprecated `description_`
thomaseizinger Oct 3, 2023
dc38152
Bump to ring 0.17
thomaseizinger Oct 3, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
## Unreleased

- Rename `RcGenError` to `Error` to avoid stuttering when used fully-qualified via `rcgen::`.
- Upgrade to `ring` `v0.17`.

## Release 0.11.3 - October 1, 2023

Expand Down
106 changes: 99 additions & 7 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ required-features = ["pem"]

[dependencies]
yasna = { version = "0.5.2", features = ["time", "std"] }
ring = "0.16"
ring = "0.17"
pem = { version = "3.0.2", optional = true }
time = { version = "0.3.6", default-features = false }
x509-parser = { version = "0.15", features = ["verify"], optional = true }
Expand Down
4 changes: 2 additions & 2 deletions src/error.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ pub enum Error {
/// Unspecified `ring` error
RingUnspecified,
/// The `ring` library rejected the key upon loading
RingKeyRejected(&'static str),
RingKeyRejected(String),
/// The provided certificate's signature algorithm
/// is incompatible with the given key pair
CertificateKeyPairMismatch,
Expand Down Expand Up @@ -106,7 +106,7 @@ impl From<ring::error::Unspecified> for Error {

impl From<ring::error::KeyRejected> for Error {
fn from(err: ring::error::KeyRejected) -> Self {
Error::RingKeyRejected(err.description_())
Error::RingKeyRejected(err.to_string())
}
}

Expand Down
19 changes: 12 additions & 7 deletions src/key_pair.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,7 @@ impl KeyPair {
pkcs8: &[u8],
alg: &'static SignatureAlgorithm,
) -> Result<Self, Error> {
let rng = &SystemRandom::new();
let pkcs8_vec = pkcs8.to_vec();

let kind = if alg == &PKCS_ED25519 {
Expand All @@ -114,11 +115,13 @@ impl KeyPair {
KeyPairKind::Ec(EcdsaKeyPair::from_pkcs8(
&signature::ECDSA_P256_SHA256_ASN1_SIGNING,
pkcs8,
rng,
)?)
} else if alg == &PKCS_ECDSA_P384_SHA384 {
KeyPairKind::Ec(EcdsaKeyPair::from_pkcs8(
&signature::ECDSA_P384_SHA384_ASN1_SIGNING,
pkcs8,
rng,
)?)
} else if alg == &PKCS_RSA_SHA256 {
let rsakp = RsaKeyPair::from_pkcs8(pkcs8)?;
Expand Down Expand Up @@ -146,14 +149,15 @@ impl KeyPair {
pub(crate) fn from_raw(
pkcs8: &[u8],
) -> Result<(KeyPairKind, &'static SignatureAlgorithm), Error> {
let rng = SystemRandom::new();
let (kind, alg) = if let Ok(edkp) = Ed25519KeyPair::from_pkcs8_maybe_unchecked(pkcs8) {
(KeyPairKind::Ed(edkp), &PKCS_ED25519)
} else if let Ok(eckp) =
EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, pkcs8)
EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, pkcs8, &rng)
{
(KeyPairKind::Ec(eckp), &PKCS_ECDSA_P256_SHA256)
} else if let Ok(eckp) =
EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P384_SHA384_ASN1_SIGNING, pkcs8)
EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P384_SHA384_ASN1_SIGNING, pkcs8, &rng)
{
(KeyPairKind::Ec(eckp), &PKCS_ECDSA_P384_SHA384)
} else if let Ok(rsakp) = RsaKeyPair::from_pkcs8(pkcs8) {
Expand Down Expand Up @@ -212,22 +216,23 @@ impl TryFrom<Vec<u8>> for KeyPair {
impl KeyPair {
/// Generate a new random key pair for the specified signature algorithm
pub fn generate(alg: &'static SignatureAlgorithm) -> Result<Self, Error> {
let system_random = SystemRandom::new();
let rng = &SystemRandom::new();

match alg.sign_alg {
SignAlgo::EcDsa(sign_alg) => {
let key_pair_doc = EcdsaKeyPair::generate_pkcs8(sign_alg, &system_random)?;
let key_pair_doc = EcdsaKeyPair::generate_pkcs8(sign_alg, rng)?;
let key_pair_serialized = key_pair_doc.as_ref().to_vec();

let key_pair =
EcdsaKeyPair::from_pkcs8(&sign_alg, &&key_pair_doc.as_ref()).unwrap();
EcdsaKeyPair::from_pkcs8(&sign_alg, &&key_pair_doc.as_ref(), rng).unwrap();
Ok(KeyPair {
kind: KeyPairKind::Ec(key_pair),
alg,
serialized_der: key_pair_serialized,
})
},
SignAlgo::EdDsa(_sign_alg) => {
let key_pair_doc = Ed25519KeyPair::generate_pkcs8(&system_random)?;
let key_pair_doc = Ed25519KeyPair::generate_pkcs8(rng)?;
let key_pair_serialized = key_pair_doc.as_ref().to_vec();

let key_pair = Ed25519KeyPair::from_pkcs8(&&key_pair_doc.as_ref()).unwrap();
Expand Down Expand Up @@ -275,7 +280,7 @@ impl KeyPair {
},
KeyPairKind::Rsa(kp, padding_alg) => {
let system_random = SystemRandom::new();
let mut signature = vec![0; kp.public_modulus_len()];
let mut signature = vec![0; kp.public().modulus_len()];
kp.sign(*padding_alg, &system_random, msg, &mut signature)?;
let sig = &signature.as_ref();
writer.write_bitvec_bytes(&sig, &sig.len() * 8);
Expand Down
3 changes: 2 additions & 1 deletion src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1492,7 +1492,8 @@ fn write_general_subtrees(writer: DERWriter, tag: u64, general_subtrees: &[Gener
impl Certificate {
/// Generates a new certificate from the given parameters.
///
/// If there is no key pair included, then a new key pair will be generated and used.
/// If you want to control the [`KeyPair`] or the randomness used to generate it, set the [`CertificateParams::key_pair`]
/// field ahead of time before calling this function.
pub fn from_params(mut params: CertificateParams) -> Result<Self, Error> {
let key_pair = if let Some(key_pair) = params.key_pair.take() {
if !key_pair.is_compatible(&params.alg) {
Expand Down
8 changes: 6 additions & 2 deletions tests/webpki.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,8 @@ mod util;

fn sign_msg_ecdsa(cert: &Certificate, msg: &[u8], alg: &'static EcdsaSigningAlgorithm) -> Vec<u8> {
let pk_der = cert.serialize_private_key_der();
let key_pair = EcdsaKeyPair::from_pkcs8(&alg, &pk_der).unwrap();
let key_pair =
EcdsaKeyPair::from_pkcs8(&alg, &pk_der, &ring::rand::SystemRandom::new()).unwrap();
let system_random = SystemRandom::new();
let signature = key_pair.sign(&system_random, &msg).unwrap();
signature.as_ref().to_vec()
Expand All @@ -43,7 +44,7 @@ fn sign_msg_rsa(cert: &Certificate, msg: &[u8], encoding: &'static dyn RsaEncodi
let pk_der = cert.serialize_private_key_der();
let key_pair = RsaKeyPair::from_pkcs8(&pk_der).unwrap();
let system_random = SystemRandom::new();
let mut signature = vec![0; key_pair.public_modulus_len()];
let mut signature = vec![0; key_pair.public().modulus_len()];
key_pair
.sign(encoding, &system_random, &msg, &mut signature)
.unwrap();
Expand Down Expand Up @@ -334,15 +335,18 @@ fn from_remote() {
}
}

let rng = ring::rand::SystemRandom::new();
let key_pair = KeyPair::generate(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap();
let remote = EcdsaKeyPair::from_pkcs8(
&signature::ECDSA_P256_SHA256_ASN1_SIGNING,
&key_pair.serialize_der(),
&rng,
)
.unwrap();
let key_pair = EcdsaKeyPair::from_pkcs8(
&signature::ECDSA_P256_SHA256_ASN1_SIGNING,
&key_pair.serialize_der(),
&rng,
)
.unwrap();
let remote = KeyPair::from_remote(Box::new(Remote(remote))).unwrap();
Expand Down