Invert KeyPair/SigningKey hierarchy

djc · djc · commit 5f7af2864271 · 2025-04-22T12:08:35.000+02:00
diff --git a/rcgen/src/certificate.rs b/rcgen/src/certificate.rs
@@ -18,7 +18,7 @@ use crate::ENCODE_CONFIG;
 use crate::{
 	oid, write_distinguished_name, write_dt_utc_or_generalized,
 	write_x509_authority_key_identifier, write_x509_extension, DistinguishedName, Error, Issuer,
-	KeyIdMethod, KeyPair, KeyUsagePurpose, SanType, SerialNumber,
+	KeyIdMethod, KeyUsagePurpose, SanType, SerialNumber, SigningKey,
 };
 
 /// An issued certificate together with the parameters used to generate it.
@@ -159,7 +159,7 @@ impl CertificateParams {
 		self,
 		public_key: &impl PublicKeyData,
 		issuer: &Certificate,
-		issuer_key: &KeyPair,
+		issuer_key: &impl SigningKey,
 	) -> Result<Certificate, Error> {
 		let issuer = Issuer {
 			distinguished_name: &issuer.params.distinguished_name,
@@ -180,7 +180,7 @@ impl CertificateParams {
 	///
 	/// The returned [`Certificate`] may be serialized using [`Certificate::der`] and
 	/// [`Certificate::pem`].
-	pub fn self_signed(self, key_pair: &KeyPair) -> Result<Certificate, Error> {
+	pub fn self_signed(self, key_pair: &impl SigningKey) -> Result<Certificate, Error> {
 		let issuer = Issuer {
 			distinguished_name: &self.distinguished_name,
 			key_identifier_method: &self.key_identifier_method,
@@ -210,7 +210,7 @@ impl CertificateParams {
 	///
 	/// This function is only of use if you have an existing CA certificate
 	/// you would like to use to sign a certificate generated by `rcgen`.
-	/// By providing the constructed [`CertificateParams`] and the [`KeyPair`]
+	/// By providing the constructed [`CertificateParams`] and the [`SigningKey`]
 	/// associated with your existing `ca_cert` you can use [`CertificateParams::signed_by()`]
 	/// or [`crate::CertificateSigningRequestParams::signed_by()`] to issue new certificates
 	/// using the CA cert.
@@ -541,7 +541,7 @@ impl CertificateParams {
 	/// same output.
 	pub fn serialize_request(
 		&self,
-		subject_key: &KeyPair,
+		subject_key: &impl SigningKey,
 	) -> Result<CertificateSigningRequest, Error> {
 		self.serialize_request_with_attributes(subject_key, Vec::new())
 	}
@@ -559,7 +559,7 @@ impl CertificateParams {
 	/// [RFC 2986]: <https://datatracker.ietf.org/doc/html/rfc2986#section-4>
 	pub fn serialize_request_with_attributes(
 		&self,
-		subject_key: &KeyPair,
+		subject_key: &impl SigningKey,
 		attrs: Vec<Attribute>,
 	) -> Result<CertificateSigningRequest, Error> {
 		// No .. pattern, we use this to ensure every field is used
@@ -643,7 +643,7 @@ impl CertificateParams {
 	pub(crate) fn serialize_der_with_signer<K: PublicKeyData>(
 		&self,
 		pub_key: &K,
-		issuer: Issuer<'_>,
+		issuer: Issuer<'_, impl SigningKey>,
 	) -> Result<CertificateDer<'static>, Error> {
 		let der = sign_der(issuer.key_pair, |writer| {
 			let pub_key_spki = pub_key.subject_public_key_info();
@@ -669,7 +669,7 @@ impl CertificateParams {
 				}
 			};
 			// Write signature algorithm
-			issuer.key_pair.alg.write_alg_ident(writer.next());
+			issuer.key_pair.algorithm().write_alg_ident(writer.next());
 			// Write issuer name
 			write_distinguished_name(writer.next(), &issuer.distinguished_name);
 			// Write validity
@@ -1233,6 +1233,8 @@ pub enum BasicConstraints {
 mod tests {
 	#[cfg(feature = "pem")]
 	use super::*;
+	#[cfg(feature = "crypto")]
+	use crate::KeyPair;
 
 	#[cfg(feature = "crypto")]
 	#[test]
diff --git a/rcgen/src/crl.rs b/rcgen/src/crl.rs
@@ -11,7 +11,7 @@ use crate::ENCODE_CONFIG;
 use crate::{
 	oid, write_distinguished_name, write_dt_utc_or_generalized,
 	write_x509_authority_key_identifier, write_x509_extension, Certificate, Error, Issuer,
-	KeyIdMethod, KeyPair, KeyUsagePurpose, PublicKeyData, SerialNumber,
+	KeyIdMethod, KeyUsagePurpose, SerialNumber, SigningKey,
 };
 
 /// A certificate revocation list (CRL)
@@ -192,7 +192,7 @@ impl CertificateRevocationListParams {
 	pub fn signed_by(
 		self,
 		issuer: &Certificate,
-		issuer_key: &KeyPair,
+		issuer_key: &impl SigningKey,
 	) -> Result<CertificateRevocationList, Error> {
 		if self.next_update.le(&self.this_update) {
 			return Err(Error::InvalidCrlNextUpdate);
@@ -210,12 +210,12 @@ impl CertificateRevocationListParams {
 		}
 
 		Ok(CertificateRevocationList {
-			der: self.serialize_der(issuer)?.into(),
+			der: self.serialize_der(&issuer)?.into(),
 			params: self,
 		})
 	}
 
-	fn serialize_der(&self, issuer: Issuer) -> Result<Vec<u8>, Error> {
+	fn serialize_der(&self, issuer: &Issuer<'_, impl SigningKey>) -> Result<Vec<u8>, Error> {
 		sign_der(issuer.key_pair, |writer| {
 			// Write CRL version.
 			// RFC 5280 §5.1.2.1:
@@ -232,7 +232,7 @@ impl CertificateRevocationListParams {
 			// RFC 5280 §5.1.2.2:
 			//   This field MUST contain the same algorithm identifier as the
 			//   signatureAlgorithm field in the sequence CertificateList
-			issuer.key_pair.alg.write_alg_ident(writer.next());
+			issuer.key_pair.algorithm().write_alg_ident(writer.next());
 
 			// Write issuer.
 			// RFC 5280 §5.1.2.3:
diff --git a/rcgen/src/csr.rs b/rcgen/src/csr.rs
@@ -7,7 +7,7 @@ use pki_types::CertificateSigningRequestDer;
 #[cfg(feature = "pem")]
 use crate::ENCODE_CONFIG;
 use crate::{
-	Certificate, CertificateParams, Error, Issuer, KeyPair, PublicKeyData, SignatureAlgorithm,
+	Certificate, CertificateParams, Error, Issuer, PublicKeyData, SignatureAlgorithm, SigningKey,
 };
 #[cfg(feature = "x509-parser")]
 use crate::{DistinguishedName, SanType};
@@ -203,7 +203,7 @@ impl CertificateSigningRequestParams {
 	pub fn signed_by(
 		self,
 		issuer: &Certificate,
-		issuer_key: &KeyPair,
+		issuer_key: &impl SigningKey,
 	) -> Result<Certificate, Error> {
 		let issuer = Issuer {
 			distinguished_name: &issuer.params.distinguished_name,
diff --git a/rcgen/src/key_pair.rs b/rcgen/src/key_pair.rs
@@ -1,3 +1,4 @@
+#[cfg(feature = "crypto")]
 use std::fmt;
 
 #[cfg(feature = "pem")]
@@ -29,30 +30,23 @@ use crate::{sign_algo::SignatureAlgorithm, Error};
 
 /// A key pair variant
 #[allow(clippy::large_enum_variant)]
+#[cfg(feature = "crypto")]
 pub(crate) enum KeyPairKind {
 	/// A Ecdsa key pair
-	#[cfg(feature = "crypto")]
 	Ec(EcdsaKeyPair),
 	/// A Ed25519 key pair
-	#[cfg(feature = "crypto")]
 	Ed(Ed25519KeyPair),
 	/// A RSA key pair
-	#[cfg(feature = "crypto")]
 	Rsa(RsaKeyPair, &'static dyn RsaEncoding),
-	/// A remote key pair
-	Remote(Box<dyn SigningKey + Send + Sync>),
 }
 
+#[cfg(feature = "crypto")]
 impl fmt::Debug for KeyPairKind {
 	fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
 		match self {
-			#[cfg(feature = "crypto")]
 			Self::Ec(key_pair) => write!(f, "{:?}", key_pair),
-			#[cfg(feature = "crypto")]
 			Self::Ed(key_pair) => write!(f, "{:?}", key_pair),
-			#[cfg(feature = "crypto")]
 			Self::Rsa(key_pair, _) => write!(f, "{:?}", key_pair),
-			Self::Remote(_) => write!(f, "Box<dyn RemotePrivateKey>"),
 		}
 	}
 }
@@ -64,12 +58,14 @@ impl fmt::Debug for KeyPairKind {
 /// `openssl genrsa` doesn't work. See ring's [documentation](ring::signature::RsaKeyPair::from_pkcs8)
 /// for how to generate RSA keys in the wanted format
 /// and conversion between the formats.
+#[cfg(feature = "crypto")]
 pub struct KeyPair {
 	pub(crate) kind: KeyPairKind,
 	pub(crate) alg: &'static SignatureAlgorithm,
 	pub(crate) serialized_der: Vec<u8>,
 }
 
+#[cfg(feature = "crypto")]
 impl fmt::Debug for KeyPair {
 	fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
 		f.debug_struct("KeyPair")
@@ -80,6 +76,7 @@ impl fmt::Debug for KeyPair {
 	}
 }
 
+#[cfg(feature = "crypto")]
 impl KeyPair {
 	/// Generate a new random [`PKCS_ECDSA_P256_SHA256`] key pair
 	#[cfg(feature = "crypto")]
@@ -187,15 +184,6 @@ impl KeyPair {
 		Self::try_from(private_key.contents())
 	}
 
-	/// Obtains the key pair from a raw public key and a remote private key
-	pub fn from_remote(key_pair: Box<dyn SigningKey + Send + Sync>) -> Result<Self, Error> {
-		Ok(Self {
-			alg: key_pair.algorithm(),
-			kind: KeyPairKind::Remote(key_pair),
-			serialized_der: Vec::new(),
-		})
-	}
-
 	/// Obtains the key pair from a DER formatted key
 	/// using the specified [`SignatureAlgorithm`]
 	///
@@ -422,11 +410,6 @@ impl KeyPair {
 	///
 	/// Panics if called on a remote key pair.
 	pub fn serialize_der(&self) -> Vec<u8> {
-		#[cfg_attr(not(feature = "crypto"), allow(irrefutable_let_patterns))]
-		if let KeyPairKind::Remote(_) = self.kind {
-			panic!("Serializing a remote key pair is not supported")
-		}
-
 		self.serialized_der.clone()
 	}
 
@@ -435,24 +418,9 @@ impl KeyPair {
 	///
 	/// Panics if called on a remote key pair.
 	pub fn serialized_der(&self) -> &[u8] {
-		#[cfg_attr(not(feature = "crypto"), allow(irrefutable_let_patterns))]
-		if let KeyPairKind::Remote(_) = self.kind {
-			panic!("Serializing a remote key pair is not supported")
-		}
-
 		&self.serialized_der
 	}
 
-	/// Access the remote key pair if it is a remote one
-	pub fn as_remote(&self) -> Option<&(dyn SigningKey + Send + Sync)> {
-		#[cfg_attr(not(feature = "crypto"), allow(irrefutable_let_patterns))]
-		if let KeyPairKind::Remote(remote) = &self.kind {
-			Some(remote.as_ref())
-		} else {
-			None
-		}
-	}
-
 	/// Serializes the key pair (including the private key) in PKCS#8 format in PEM
 	#[cfg(feature = "pem")]
 	pub fn serialize_pem(&self) -> String {
@@ -479,21 +447,17 @@ impl SigningKey for KeyPair {
 					._err()?;
 				signature
 			},
-			KeyPairKind::Remote(kp) => kp.sign(msg)?,
 		})
 	}
 }
 
+#[cfg(feature = "crypto")]
 impl PublicKeyData for KeyPair {
 	fn der_bytes(&self) -> &[u8] {
 		match &self.kind {
-			#[cfg(feature = "crypto")]
 			KeyPairKind::Ec(kp) => kp.public_key().as_ref(),
-			#[cfg(feature = "crypto")]
 			KeyPairKind::Ed(kp) => kp.public_key().as_ref(),
-			#[cfg(feature = "crypto")]
 			KeyPairKind::Rsa(kp, _) => kp.public_key().as_ref(),
-			KeyPairKind::Remote(kp) => kp.der_bytes(),
 		}
 	}
 
@@ -647,9 +611,6 @@ pub(crate) fn sign_der(
 }
 
 /// A private key that is not directly accessible, but can be used to sign messages
-///
-/// Trait objects based on this trait can be passed to the [`KeyPair::from_remote`] function for generating certificates
-/// from a remote and raw private key, for example an HSM.
 pub trait SigningKey: PublicKeyData {
 	/// Signs `msg` using the selected algorithm
 	fn sign(&self, msg: &[u8]) -> Result<Vec<u8>, Error>;
diff --git a/rcgen/src/lib.rs b/rcgen/src/lib.rs
@@ -57,10 +57,12 @@ pub use crl::{
 };
 pub use csr::{CertificateSigningRequest, CertificateSigningRequestParams, PublicKey};
 pub use error::{Error, InvalidAsn1String};
+#[cfg(feature = "crypto")]
+pub use key_pair::KeyPair;
 pub use key_pair::PublicKeyData;
 #[cfg(all(feature = "crypto", feature = "aws_lc_rs"))]
 pub use key_pair::RsaKeySize;
-pub use key_pair::{KeyPair, SigningKey, SubjectPublicKeyInfo};
+pub use key_pair::{SigningKey, SubjectPublicKeyInfo};
 #[cfg(feature = "crypto")]
 use ring_like::digest;
 pub use sign_algo::algo::*;
@@ -84,11 +86,11 @@ mod string_types;
 pub type RcgenError = Error;
 
 /// An issued certificate, together with the subject keypair.
-pub struct CertifiedKey {
+pub struct CertifiedKey<S: SigningKey> {
 	/// An issued certificate.
 	pub cert: Certificate,
 	/// The certificate's subject key pair.
-	pub key_pair: KeyPair,
+	pub key_pair: S,
 }
 
 /**
@@ -123,17 +125,17 @@ println!("{}", key_pair.serialize_pem());
 )]
 pub fn generate_simple_self_signed(
 	subject_alt_names: impl Into<Vec<String>>,
-) -> Result<CertifiedKey, Error> {
+) -> Result<CertifiedKey<KeyPair>, Error> {
 	let key_pair = KeyPair::generate()?;
 	let cert = CertificateParams::new(subject_alt_names)?.self_signed(&key_pair)?;
 	Ok(CertifiedKey { cert, key_pair })
 }
 
-struct Issuer<'a> {
+struct Issuer<'a, S> {
 	distinguished_name: &'a DistinguishedName,
 	key_identifier_method: &'a KeyIdMethod,
 	key_usages: &'a [KeyUsagePurpose],
-	key_pair: &'a KeyPair,
+	key_pair: &'a S,
 }
 
 // https://tools.ietf.org/html/rfc5280#section-4.1.1
diff --git a/rcgen/tests/webpki.rs b/rcgen/tests/webpki.rs
@@ -52,12 +52,12 @@ fn sign_msg_rsa(key_pair: &KeyPair, msg: &[u8], encoding: &'static dyn RsaEncodi
 	signature
 }
 
-fn check_cert<'a, 'b>(
+fn check_cert<'a, 'b, S: SigningKey + 'a>(
 	cert_der: &CertificateDer<'_>,
 	cert: &'a Certificate,
-	cert_key: &'a KeyPair,
+	cert_key: &'a S,
 	alg: &dyn SignatureVerificationAlgorithm,
-	sign_fn: impl FnOnce(&'a KeyPair, &'b [u8]) -> Vec<u8>,
+	sign_fn: impl FnOnce(&'a S, &'b [u8]) -> Vec<u8>,
 ) {
 	#[cfg(feature = "pem")]
 	{
@@ -66,13 +66,13 @@ fn check_cert<'a, 'b>(
 	check_cert_ca(cert_der, cert_key, cert_der, alg, alg, sign_fn);
 }
 
-fn check_cert_ca<'a, 'b>(
+fn check_cert_ca<'a, 'b, S: SigningKey + 'a>(
 	cert_der: &CertificateDer<'_>,
-	cert_key: &'a KeyPair,
+	cert_key: &'a S,
 	ca_der: &CertificateDer<'_>,
 	cert_alg: &dyn SignatureVerificationAlgorithm,
 	ca_alg: &dyn SignatureVerificationAlgorithm,
-	sign_fn: impl FnOnce(&'a KeyPair, &'b [u8]) -> Vec<u8>,
+	sign_fn: impl FnOnce(&'a S, &'b [u8]) -> Vec<u8>,
 ) {
 	let trust_anchor = anchor_from_trusted_cert(ca_der).unwrap();
 	let trust_anchor_list = &[trust_anchor];
@@ -352,7 +352,7 @@ fn from_remote() {
 		&rng,
 	)
 	.unwrap();
-	let remote = KeyPair::from_remote(Box::new(Remote(remote))).unwrap();
+	let remote = Remote(remote);
 
 	let (params, _) = util::default_params();
 	let cert = params.self_signed(&remote).unwrap();
