Add toDerBytes to SSLPrivateKey (#540)

gjcairo · web-flow · commit 9173d857dec4 · 2025-06-16T11:35:42.000+01:00
This PR adds new API (`SSLPrivateKey/toDerBytes()`) to get the DER bytes
for a private key.
This is only supported for native (EVP) keys; if using a custom key, an
empty array of bytes will be returned instead.
diff --git a/Sources/NIOSSL/CustomPrivateKey.swift b/Sources/NIOSSL/CustomPrivateKey.swift
@@ -41,6 +41,11 @@ public protocol NIOSSLCustomPrivateKey: _NIOPreconcurrencySendable {
     /// The signature algorithms supported by this key.
     var signatureAlgorithms: [SignatureAlgorithm] { get }
 
+    /// The DER bytes for this private key.
+    ///
+    /// Custom key implementations should return an appropriate value, but by default, an empty array will be returned.
+    var derBytes: [UInt8] { get }
+
     /// Called to perform a signing operation.
     ///
     /// The data being passed to the call has not been hashed, and it is the responsibility of the implementer
@@ -75,12 +80,14 @@ public protocol NIOSSLCustomPrivateKey: _NIOPreconcurrencySendable {
     func decrypt(channel: Channel, data: ByteBuffer) -> EventLoopFuture<ByteBuffer>
 }
 
+extension NIOSSLCustomPrivateKey {
+    @inlinable public var derBytes: [UInt8] { [] }
+}
+
 /// This is a type-erased wrapper that can be used to encapsulate a NIOSSLCustomPrivateKey and provide it with
 /// hashability and equatability.
 ///
-/// While generally speaking type-erasure has some nasty performance problems, we only need the type-erasure for
-/// Hashable conformance, which we don't use in any production code: only the tests use it. To that end, we don't
-/// mind too much that we need to do this.
+/// While generally speaking type-erasure has some nasty performance problems, we need the type-erasure for Hashable conformance.
 @usableFromInline
 internal struct AnyNIOSSLCustomPrivateKey: NIOSSLCustomPrivateKey, Hashable {
     @usableFromInline let _value: NIOSSLCustomPrivateKey
@@ -100,6 +107,10 @@ internal struct AnyNIOSSLCustomPrivateKey: NIOSSLCustomPrivateKey, Hashable {
         self._value.signatureAlgorithms
     }
 
+    @inlinable var derBytes: [UInt8] {
+        self._value.derBytes
+    }
+
     // This method does not need to be @inlinable for performance, but it needs to be _at least_
     // @usableFromInline as it's a protocol requirement on a @usableFromInline type.
     @inlinable func sign(
diff --git a/Sources/NIOSSL/SSLPrivateKey.swift b/Sources/NIOSSL/SSLPrivateKey.swift
@@ -404,6 +404,19 @@ extension NIOSSLPrivateKey {
             return customKey.signatureAlgorithms
         }
     }
+
+    /// Extracts the bytes of this private key in DER format.
+    /// - Returns: The DER-encoded bytes for this private key.
+    public var derBytes: [UInt8] {
+        get throws {
+            switch self.representation {
+            case .native(let evpKey):
+                return try Self.withUnsafeDERBuffer(of: evpKey) { Array($0) }
+            case .custom(let custom):
+                return custom.derBytes
+            }
+        }
+    }
 }
 
 extension NIOSSLPrivateKey: Equatable {
diff --git a/Tests/NIOSSLTests/CustomPrivateKeyTests.swift b/Tests/NIOSSLTests/CustomPrivateKeyTests.swift
@@ -257,6 +257,51 @@ private final class CustomKeyDelayedCompletion: NIOSSLCustomPrivateKey, Hashable
     }
 }
 
+private final class CustomKeyWithoutDERBytes: NIOSSLCustomPrivateKey, Hashable {
+    var signatureAlgorithms: [SignatureAlgorithm] { [] }
+
+    func sign(channel: Channel, algorithm: SignatureAlgorithm, data: ByteBuffer) -> EventLoopFuture<ByteBuffer> {
+        fatalError("Not implemented")
+    }
+
+    func decrypt(channel: Channel, data: ByteBuffer) -> EventLoopFuture<ByteBuffer> {
+        fatalError("Not implemented")
+    }
+
+    static func == (lhs: CustomKeyWithoutDERBytes, rhs: CustomKeyWithoutDERBytes) -> Bool {
+        lhs.signatureAlgorithms == rhs.signatureAlgorithms
+    }
+
+    func hash(into hasher: inout Hasher) {
+        hasher.combine(ObjectIdentifier(self))
+        hasher.combine(signatureAlgorithms)
+    }
+}
+
+private final class CustomKeyWithDERBytes: NIOSSLCustomPrivateKey, Hashable {
+    var signatureAlgorithms: [NIOSSL.SignatureAlgorithm] { [] }
+
+    var derBytes: [UInt8] { [42] }
+
+    func sign(channel: Channel, algorithm: SignatureAlgorithm, data: ByteBuffer) -> EventLoopFuture<ByteBuffer> {
+        fatalError("Not implemented")
+    }
+
+    func decrypt(channel: Channel, data: ByteBuffer) -> EventLoopFuture<ByteBuffer> {
+        fatalError("Not implemented")
+    }
+
+    static func == (lhs: CustomKeyWithDERBytes, rhs: CustomKeyWithDERBytes) -> Bool {
+        lhs.signatureAlgorithms == rhs.signatureAlgorithms && lhs.derBytes == rhs.derBytes
+    }
+
+    func hash(into hasher: inout Hasher) {
+        hasher.combine(ObjectIdentifier(self))
+        hasher.combine(signatureAlgorithms)
+        hasher.combine(derBytes)
+    }
+}
+
 final class CustomPrivateKeyTests: XCTestCase {
     fileprivate static let customECDSACertAndKey: (certificate: NIOSSLCertificate, key: CustomPKEY) = {
         let (cert, originalKey) = generateSelfSignedCert(keygenFunction: {
@@ -686,6 +731,20 @@ final class CustomPrivateKeyTests: XCTestCase {
             ])
         )
     }
+
+    func testDERBytes_DefaultImplementation_ReturnsEmptyArray() throws {
+        let customKey = CustomKeyWithoutDERBytes()
+        let key = NIOSSLPrivateKey(customPrivateKey: customKey)
+        let derBytes = try key.derBytes
+        XCTAssertEqual(derBytes, [])
+    }
+
+    func testDERBytes_ReturnsBytes() throws {
+        let customKey = CustomKeyWithDERBytes()
+        let key = NIOSSLPrivateKey(customPrivateKey: customKey)
+        let derBytes = try key.derBytes
+        XCTAssertEqual(derBytes, [42])
+    }
 }
 
 extension SignatureAlgorithm {
diff --git a/Tests/NIOSSLTests/SSLPrivateKeyTests.swift b/Tests/NIOSSLTests/SSLPrivateKeyTests.swift
@@ -338,4 +338,10 @@ class SSLPrivateKeyTest: XCTestCase {
         XCTAssertNotEqual(key1, key2)
         XCTAssertNotEqual(key1.hashValue, key2.hashValue)
     }
+
+    func testDERBytes() throws {
+        let key = try NIOSSLPrivateKey(bytes: .init(samplePemKey.utf8), format: .pem)
+        let derBytes = try key.derBytes
+        XCTAssertEqual(Data(derBytes), pemToDer(samplePemKey))
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -404,6 +404,19 @@ extension NIOSSLPrivateKey {`
`404`	`404`	`return customKey.signatureAlgorithms`
`405`	`405`	`}`
`406`	`406`	`}`
	`407`	`+`
	`408`	`+ /// Extracts the bytes of this private key in DER format.`
	`409`	`+ /// - Returns: The DER-encoded bytes for this private key.`
	`410`	`+ public var derBytes: [UInt8] {`
	`411`	`+ get throws {`
	`412`	`+ switch self.representation {`
	`413`	`+ case .native(let evpKey):`
	`414`	`+ return try Self.withUnsafeDERBuffer(of: evpKey) { Array($0) }`
	`415`	`+ case .custom(let custom):`
	`416`	`+ return custom.derBytes`
	`417`	`+ }`
	`418`	`+ }`
	`419`	`+ }`
`407`	`420`	`}`
`408`	`421`
`409`	`422`	`extension NIOSSLPrivateKey: Equatable {`
Original file line number	Diff line number	Diff line change
`@@ -338,4 +338,10 @@ class SSLPrivateKeyTest: XCTestCase {`
`338`	`338`	`XCTAssertNotEqual(key1, key2)`
`339`	`339`	`XCTAssertNotEqual(key1.hashValue, key2.hashValue)`
`340`	`340`	`}`
	`341`	`+`
	`342`	`+ func testDERBytes() throws {`
	`343`	`+ let key = try NIOSSLPrivateKey(bytes: .init(samplePemKey.utf8), format: .pem)`
	`344`	`+ let derBytes = try key.derBytes`
	`345`	`+ XCTAssertEqual(Data(derBytes), pemToDer(samplePemKey))`
	`346`	`+ }`
`341`	`347`	`}`