Skip to content

Commit 7c9b2d2

Browse files
thomaseizingerthomaseizinger
committed
Bump to ring 0.17
1 parent ac30cea commit 7c9b2d2

7 files changed

Lines changed: 132 additions & 27 deletions

File tree

CHANGELOG.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@
44
## Unreleased
55

66
- Remove `TryFrom<[u8]>` and `TryFrom<Vec<u8>>` for `KeyPair` in favor of allowing `KeyPair::from_der` to take `impl Into<Cow<'b, [u8]>>` which allows `Vec<u8>` as well as `[u8]`.
7+
- Upgrade to `ring` `v0.17`.
78

89
## Release 0.11.3 - October 1, 2023
910

Cargo.lock

Lines changed: 99 additions & 7 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ required-features = ["pem"]
2828

2929
[dependencies]
3030
yasna = { version = "0.5.2", features = ["time", "std"] }
31-
ring = "0.16"
31+
ring = "0.17"
3232
pem = { version = "3.0.2", optional = true }
3333
time = { version = "0.3.6", default-features = false }
3434
x509-parser = { version = "0.15", features = ["verify"], optional = true }

src/key_pair.rs

Lines changed: 17 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
#[cfg(feature = "pem")]
22
use pem::Pem;
3-
use ring::rand::SystemRandom;
3+
use ring::rand::{SecureRandom, SystemRandom};
44
use ring::signature::KeyPair as RingKeyPair;
55
use ring::signature::{self, EcdsaKeyPair, Ed25519KeyPair, RsaEncoding, RsaKeyPair};
66
use std::fmt;
@@ -55,7 +55,7 @@ impl KeyPair {
5555
///
5656
/// Equivalent to using the [`TryFrom`] implementation.
5757
pub fn from_der(der: &[u8]) -> Result<Self, RcgenError> {
58-
Ok(KeyPair::from_raw(der)?)
58+
Ok(KeyPair::from_raw(der, &SystemRandom::new())?)
5959
}
6060
/// Returns the key pair's signature algorithm
6161
pub fn algorithm(&self) -> &'static SignatureAlgorithm {
@@ -66,7 +66,7 @@ impl KeyPair {
6666
pub fn from_pem(pem_str: &str) -> Result<Self, RcgenError> {
6767
let private_key = pem::parse(pem_str)?;
6868
let private_key_der: &[_] = private_key.contents();
69-
Ok(KeyPair::from_raw(private_key_der)?)
69+
Ok(KeyPair::from_raw(private_key_der, &SystemRandom::new())?)
7070
}
7171

7272
/// Obtains the key pair from a raw public key and a remote private key
@@ -105,6 +105,7 @@ impl KeyPair {
105105
pkcs8: &[u8],
106106
alg: &'static SignatureAlgorithm,
107107
) -> Result<Self, RcgenError> {
108+
let rng = &SystemRandom::new();
108109
let pkcs8_vec = pkcs8.to_vec();
109110

110111
let kind = if alg == &PKCS_ED25519 {
@@ -113,11 +114,13 @@ impl KeyPair {
113114
KeyPairKind::Ec(EcdsaKeyPair::from_pkcs8(
114115
&signature::ECDSA_P256_SHA256_ASN1_SIGNING,
115116
pkcs8,
117+
rng,
116118
)?)
117119
} else if alg == &PKCS_ECDSA_P384_SHA384 {
118120
KeyPairKind::Ec(EcdsaKeyPair::from_pkcs8(
119121
&signature::ECDSA_P384_SHA384_ASN1_SIGNING,
120122
pkcs8,
123+
rng,
121124
)?)
122125
} else if alg == &PKCS_RSA_SHA256 {
123126
let rsakp = RsaKeyPair::from_pkcs8(pkcs8)?;
@@ -142,15 +145,15 @@ impl KeyPair {
142145
})
143146
}
144147

145-
pub(crate) fn from_raw(pkcs8: &[u8]) -> Result<KeyPair, RcgenError> {
148+
pub(crate) fn from_raw(pkcs8: &[u8], rng: &dyn SecureRandom) -> Result<KeyPair, RcgenError> {
146149
let (kind, alg) = if let Ok(edkp) = Ed25519KeyPair::from_pkcs8_maybe_unchecked(pkcs8) {
147150
(KeyPairKind::Ed(edkp), &PKCS_ED25519)
148151
} else if let Ok(eckp) =
149-
EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, pkcs8)
152+
EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, pkcs8, rng)
150153
{
151154
(KeyPairKind::Ec(eckp), &PKCS_ECDSA_P256_SHA256)
152155
} else if let Ok(eckp) =
153-
EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P384_SHA384_ASN1_SIGNING, pkcs8)
156+
EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P384_SHA384_ASN1_SIGNING, pkcs8, rng)
154157
{
155158
(KeyPairKind::Ec(eckp), &PKCS_ECDSA_P384_SHA384)
156159
} else if let Ok(rsakp) = RsaKeyPair::from_pkcs8(pkcs8) {
@@ -187,23 +190,25 @@ pub trait RemoteKeyPair {
187190

188191
impl KeyPair {
189192
/// Generate a new random key pair for the specified signature algorithm
190-
pub fn generate(alg: &'static SignatureAlgorithm) -> Result<Self, RcgenError> {
191-
let system_random = SystemRandom::new();
193+
pub fn generate(
194+
alg: &'static SignatureAlgorithm,
195+
rng: &dyn SecureRandom,
196+
) -> Result<Self, RcgenError> {
192197
match alg.sign_alg {
193198
SignAlgo::EcDsa(sign_alg) => {
194-
let key_pair_doc = EcdsaKeyPair::generate_pkcs8(sign_alg, &system_random)?;
199+
let key_pair_doc = EcdsaKeyPair::generate_pkcs8(sign_alg, rng)?;
195200
let key_pair_serialized = key_pair_doc.as_ref().to_vec();
196201

197202
let key_pair =
198-
EcdsaKeyPair::from_pkcs8(&sign_alg, &&key_pair_doc.as_ref()).unwrap();
203+
EcdsaKeyPair::from_pkcs8(&sign_alg, &&key_pair_doc.as_ref(), rng).unwrap();
199204
Ok(KeyPair {
200205
kind: KeyPairKind::Ec(key_pair),
201206
alg,
202207
serialized_der: key_pair_serialized,
203208
})
204209
},
205210
SignAlgo::EdDsa(_sign_alg) => {
206-
let key_pair_doc = Ed25519KeyPair::generate_pkcs8(&system_random)?;
211+
let key_pair_doc = Ed25519KeyPair::generate_pkcs8(rng)?;
207212
let key_pair_serialized = key_pair_doc.as_ref().to_vec();
208213

209214
let key_pair = Ed25519KeyPair::from_pkcs8(&&key_pair_doc.as_ref()).unwrap();
@@ -251,7 +256,7 @@ impl KeyPair {
251256
},
252257
KeyPairKind::Rsa(kp, padding_alg) => {
253258
let system_random = SystemRandom::new();
254-
let mut signature = vec![0; kp.public_modulus_len()];
259+
let mut signature = vec![0; kp.public().modulus_len()];
255260
kp.sign(*padding_alg, &system_random, msg, &mut signature)?;
256261
let sig = &signature.as_ref();
257262
writer.write_bitvec_bytes(&sig, &sig.len() * 8);

src/lib.rs

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1492,15 +1492,16 @@ fn write_general_subtrees(writer: DERWriter, tag: u64, general_subtrees: &[Gener
14921492
impl Certificate {
14931493
/// Generates a new certificate from the given parameters.
14941494
///
1495-
/// If there is no key pair included, then a new key pair will be generated and used.
1495+
/// If there is no key pair included, then a new key pair will be randomly generated and used.
1496+
/// If you want to control the [`KeyPair`] or the randomness used to generate it, set it ahead of time before calling this function.
14961497
pub fn from_params(mut params: CertificateParams) -> Result<Self, RcgenError> {
14971498
let key_pair = if let Some(key_pair) = params.key_pair.take() {
14981499
if !key_pair.is_compatible(&params.alg) {
14991500
return Err(RcgenError::CertificateKeyPairMismatch);
15001501
}
15011502
key_pair
15021503
} else {
1503-
KeyPair::generate(&params.alg)?
1504+
KeyPair::generate(&params.alg, &ring::rand::SystemRandom::new())?
15041505
};
15051506

15061507
Ok(Certificate { params, key_pair })

tests/generic.rs

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,8 @@ mod test_key_params_mismatch {
3535

3636
let mut wrong_params = util::default_params();
3737
if i != 0 {
38-
wrong_params.key_pair = Some(KeyPair::generate(kalg_1).unwrap());
38+
wrong_params.key_pair =
39+
Some(KeyPair::generate(kalg_1, &ring::rand::SystemRandom::new()).unwrap());
3940
} else {
4041
let kp = KeyPair::from_pem(util::RSA_TEST_KEY_PAIR_PEM).unwrap();
4142
wrong_params.key_pair = Some(kp);
@@ -81,7 +82,8 @@ mod test_convert_x509_subject_alternative_name {
8182
let ca_der = cert.serialize_der().unwrap();
8283

8384
// Arbitrary key pair not used with the test, but required by the parsing function
84-
let key_pair = KeyPair::generate(&PKCS_ECDSA_P256_SHA256).unwrap();
85+
let key_pair =
86+
KeyPair::generate(&PKCS_ECDSA_P256_SHA256, &ring::rand::SystemRandom::new()).unwrap();
8587

8688
let actual = CertificateParams::from_ca_cert_der(&ca_der, key_pair).unwrap();
8789

tests/webpki.rs

Lines changed: 7 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,8 @@ mod util;
2525

2626
fn sign_msg_ecdsa(cert: &Certificate, msg: &[u8], alg: &'static EcdsaSigningAlgorithm) -> Vec<u8> {
2727
let pk_der = cert.serialize_private_key_der();
28-
let key_pair = EcdsaKeyPair::from_pkcs8(&alg, &pk_der).unwrap();
28+
let key_pair =
29+
EcdsaKeyPair::from_pkcs8(&alg, &pk_der, &ring::rand::SystemRandom::new()).unwrap();
2930
let system_random = SystemRandom::new();
3031
let signature = key_pair.sign(&system_random, &msg).unwrap();
3132
signature.as_ref().to_vec()
@@ -43,7 +44,7 @@ fn sign_msg_rsa(cert: &Certificate, msg: &[u8], encoding: &'static dyn RsaEncodi
4344
let pk_der = cert.serialize_private_key_der();
4445
let key_pair = RsaKeyPair::from_pkcs8(&pk_der).unwrap();
4546
let system_random = SystemRandom::new();
46-
let mut signature = vec![0; key_pair.public_modulus_len()];
47+
let mut signature = vec![0; key_pair.public().modulus_len()];
4748
key_pair
4849
.sign(encoding, &system_random, &msg, &mut signature)
4950
.unwrap();
@@ -334,15 +335,18 @@ fn from_remote() {
334335
}
335336
}
336337

337-
let key_pair = KeyPair::generate(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap();
338+
let rng = ring::rand::SystemRandom::new();
339+
let key_pair = KeyPair::generate(&rcgen::PKCS_ECDSA_P256_SHA256, &rng).unwrap();
338340
let remote = EcdsaKeyPair::from_pkcs8(
339341
&signature::ECDSA_P256_SHA256_ASN1_SIGNING,
340342
&key_pair.serialize_der(),
343+
&rng,
341344
)
342345
.unwrap();
343346
let key_pair = EcdsaKeyPair::from_pkcs8(
344347
&signature::ECDSA_P256_SHA256_ASN1_SIGNING,
345348
&key_pair.serialize_der(),
349+
&rng,
346350
)
347351
.unwrap();
348352
let remote = KeyPair::from_remote(Box::new(Remote(remote))).unwrap();

0 commit comments

Comments
 (0)