Invert KeyPair/SigningKey hierarchy

Author: djc

rcgen/src/certificate.rs

@@ -18,7 +18,7 @@ use crate::ENCODE_CONFIG;
 use crate::{
 	oid, write_distinguished_name, write_dt_utc_or_generalized,
 	write_x509_authority_key_identifier, write_x509_extension, DistinguishedName, Error, Issuer,
-	KeyIdMethod, KeyPair, KeyUsagePurpose, SanType, SerialNumber,
+	KeyIdMethod, KeyUsagePurpose, SanType, SerialNumber, SigningKey,
 };
 
 /// An issued certificate together with the parameters used to generate it.
@@ -141,7 +141,7 @@ impl CertificateParams {
 		&self,
 		public_key: &impl PublicKeyData,
 		issuer: &CertificateParams,
-		issuer_key: &KeyPair,
+		issuer_key: &impl SigningKey,
 	) -> Result<Certificate, Error> {
 		let issuer = Issuer {
 			distinguished_name: &issuer.distinguished_name,
@@ -158,7 +158,7 @@ impl CertificateParams {
 	///
 	/// The returned [`Certificate`] may be serialized using [`Certificate::der`] and
 	/// [`Certificate::pem`].
-	pub fn self_signed(&self, key_pair: &KeyPair) -> Result<Certificate, Error> {
+	pub fn self_signed(&self, key_pair: &impl SigningKey) -> Result<Certificate, Error> {
 		let issuer = Issuer {
 			distinguished_name: &self.distinguished_name,
 			key_identifier_method: &self.key_identifier_method,
@@ -514,7 +514,7 @@ impl CertificateParams {
 	/// same output.
 	pub fn serialize_request(
 		&self,
-		subject_key: &KeyPair,
+		subject_key: &impl SigningKey,
 	) -> Result<CertificateSigningRequest, Error> {
 		self.serialize_request_with_attributes(subject_key, Vec::new())
 	}
@@ -532,7 +532,7 @@ impl CertificateParams {
 	/// [RFC 2986]: <https://datatracker.ietf.org/doc/html/rfc2986#section-4>
 	pub fn serialize_request_with_attributes(
 		&self,
-		subject_key: &KeyPair,
+		subject_key: &impl SigningKey,
 		attrs: Vec<Attribute>,
 	) -> Result<CertificateSigningRequest, Error> {
 		// No .. pattern, we use this to ensure every field is used
@@ -616,9 +616,9 @@ impl CertificateParams {
 	pub(crate) fn serialize_der_with_signer<K: PublicKeyData>(
 		&self,
 		pub_key: &K,
-		issuer: Issuer<'_>,
+		issuer: Issuer<'_, impl SigningKey>,
 	) -> Result<CertificateDer<'static>, Error> {
-		let der = sign_der(&issuer.key_pair, |writer| {
+		let der = sign_der(issuer.key_pair, |writer| {
 			let pub_key_spki =
 				yasna::construct_der(|writer| serialize_public_key_der(pub_key, writer));
 			// Write version
@@ -643,7 +643,7 @@ impl CertificateParams {
 				}
 			};
 			// Write signature algorithm
-			issuer.key_pair.alg.write_alg_ident(writer.next());
+			issuer.key_pair.algorithm().write_alg_ident(writer.next());
 			// Write issuer name
 			write_distinguished_name(writer.next(), &issuer.distinguished_name);
 			// Write validity
@@ -1207,6 +1207,7 @@ pub enum BasicConstraints {
 mod tests {
 	#[cfg(feature = "pem")]
 	use super::*;
+	use crate::KeyPair;
 
 	#[cfg(feature = "crypto")]
 	#[test]

rcgen/src/crl.rs

@@ -7,11 +7,12 @@ use yasna::Tag;
 
 use crate::key_pair::sign_der;
 use crate::CertificateParams;
+use crate::SigningKey;
 #[cfg(feature = "pem")]
 use crate::ENCODE_CONFIG;
 use crate::{
 	oid, write_distinguished_name, write_dt_utc_or_generalized,
-	write_x509_authority_key_identifier, write_x509_extension, Error, Issuer, KeyIdMethod, KeyPair,
+	write_x509_authority_key_identifier, write_x509_extension, Error, Issuer, KeyIdMethod,
 	KeyUsagePurpose, SerialNumber,
 };
 
@@ -193,7 +194,7 @@ impl CertificateRevocationListParams {
 	pub fn signed_by(
 		self,
 		issuer: &CertificateParams,
-		issuer_key: &KeyPair,
+		issuer_key: &impl SigningKey,
 	) -> Result<CertificateRevocationList, Error> {
 		if self.next_update.le(&self.this_update) {
 			return Err(Error::InvalidCrlNextUpdate);
@@ -216,8 +217,8 @@ impl CertificateRevocationListParams {
 		})
 	}
 
-	fn serialize_der(&self, issuer: Issuer) -> Result<Vec<u8>, Error> {
-		sign_der(&issuer.key_pair, |writer| {
+	fn serialize_der(&self, issuer: Issuer<'_, impl SigningKey>) -> Result<Vec<u8>, Error> {
+		sign_der(issuer.key_pair, |writer| {
 			// Write CRL version.
 			// RFC 5280 §5.1.2.1:
 			//   This optional field describes the version of the encoded CRL.  When
@@ -233,7 +234,7 @@ impl CertificateRevocationListParams {
 			// RFC 5280 §5.1.2.2:
 			//   This field MUST contain the same algorithm identifier as the
 			//   signatureAlgorithm field in the sequence CertificateList
-			issuer.key_pair.alg.write_alg_ident(writer.next());
+			issuer.key_pair.algorithm().write_alg_ident(writer.next());
 
 			// Write issuer.
 			// RFC 5280 §5.1.2.3:

rcgen/src/csr.rs

@@ -7,7 +7,7 @@ use pki_types::CertificateSigningRequestDer;
 #[cfg(feature = "pem")]
 use crate::ENCODE_CONFIG;
 use crate::{
-	Certificate, CertificateParams, Error, Issuer, KeyPair, PublicKeyData, SignatureAlgorithm,
+	Certificate, CertificateParams, Error, Issuer, PublicKeyData, SignatureAlgorithm, SigningKey,
 };
 #[cfg(feature = "x509-parser")]
 use crate::{DistinguishedName, SanType};
@@ -203,7 +203,7 @@ impl CertificateSigningRequestParams {
 	pub fn signed_by(
 		&self,
 		issuer: &CertificateParams,
-		issuer_key: &KeyPair,
+		issuer_key: &impl SigningKey,
 	) -> Result<Certificate, Error> {
 		let issuer = Issuer {
 			distinguished_name: &issuer.distinguished_name,

rcgen/src/key_pair.rs

@@ -1,3 +1,4 @@
+#[cfg(feature = "crypto")]
 use std::fmt;
 
 #[cfg(feature = "pem")]
@@ -29,30 +30,23 @@ use crate::{sign_algo::SignatureAlgorithm, Error};
 
 /// A key pair variant
 #[allow(clippy::large_enum_variant)]
+#[cfg(feature = "crypto")]
 pub(crate) enum KeyPairKind {
 	/// A Ecdsa key pair
-	#[cfg(feature = "crypto")]
 	Ec(EcdsaKeyPair),
 	/// A Ed25519 key pair
-	#[cfg(feature = "crypto")]
 	Ed(Ed25519KeyPair),
 	/// A RSA key pair
-	#[cfg(feature = "crypto")]
 	Rsa(RsaKeyPair, &'static dyn RsaEncoding),
-	/// A remote key pair
-	Remote(Box<dyn SigningKey + Send + Sync>),
 }
 
+#[cfg(feature = "crypto")]
 impl fmt::Debug for KeyPairKind {
 	fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
 		match self {
-			#[cfg(feature = "crypto")]
 			Self::Ec(key_pair) => write!(f, "{:?}", key_pair),
-			#[cfg(feature = "crypto")]
 			Self::Ed(key_pair) => write!(f, "{:?}", key_pair),
-			#[cfg(feature = "crypto")]
 			Self::Rsa(key_pair, _) => write!(f, "{:?}", key_pair),
-			Self::Remote(_) => write!(f, "Box<dyn RemotePrivateKey>"),
 		}
 	}
 }
@@ -64,12 +58,14 @@ impl fmt::Debug for KeyPairKind {
 /// `openssl genrsa` doesn't work. See ring's [documentation](ring::signature::RsaKeyPair::from_pkcs8)
 /// for how to generate RSA keys in the wanted format
 /// and conversion between the formats.
+#[cfg(feature = "crypto")]
 pub struct KeyPair {
 	pub(crate) kind: KeyPairKind,
 	pub(crate) alg: &'static SignatureAlgorithm,
 	pub(crate) serialized_der: Vec<u8>,
 }
 
+#[cfg(feature = "crypto")]
 impl fmt::Debug for KeyPair {
 	fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
 		f.debug_struct("KeyPair")
@@ -80,6 +76,7 @@ impl fmt::Debug for KeyPair {
 	}
 }
 
+#[cfg(feature = "crypto")]
 impl KeyPair {
 	/// Generate a new random [`PKCS_ECDSA_P256_SHA256`] key pair
 	#[cfg(feature = "crypto")]
@@ -187,15 +184,6 @@ impl KeyPair {
 		Self::try_from(private_key.contents())
 	}
 
-	/// Obtains the key pair from a raw public key and a remote private key
-	pub fn from_remote(key_pair: Box<dyn SigningKey + Send + Sync>) -> Result<Self, Error> {
-		Ok(Self {
-			alg: key_pair.algorithm(),
-			kind: KeyPairKind::Remote(key_pair),
-			serialized_der: Vec::new(),
-		})
-	}
-
 	/// Obtains the key pair from a DER formatted key
 	/// using the specified [`SignatureAlgorithm`]
 	///
@@ -399,43 +387,12 @@ impl KeyPair {
 		std::iter::once(self.alg)
 	}
 
-	pub(crate) fn sign(&self, msg: &[u8], writer: DERWriter) -> Result<(), Error> {
-		match &self.kind {
-			#[cfg(feature = "crypto")]
-			KeyPairKind::Ec(kp) => {
-				let system_random = SystemRandom::new();
-				let signature = kp.sign(&system_random, msg)._err()?;
-				let sig = &signature.as_ref();
-				writer.write_bitvec_bytes(sig, &sig.len() * 8);
-			},
-			#[cfg(feature = "crypto")]
-			KeyPairKind::Ed(kp) => {
-				let signature = kp.sign(msg);
-				let sig = &signature.as_ref();
-				writer.write_bitvec_bytes(sig, &sig.len() * 8);
-			},
-			#[cfg(feature = "crypto")]
-			KeyPairKind::Rsa(kp, padding_alg) => {
-				let system_random = SystemRandom::new();
-				let mut signature = vec![0; rsa_key_pair_public_modulus_len(kp)];
-				kp.sign(*padding_alg, &system_random, msg, &mut signature)
-					._err()?;
-				let sig = &signature.as_ref();
-				writer.write_bitvec_bytes(sig, &sig.len() * 8);
-			},
-			KeyPairKind::Remote(kp) => {
-				let signature = kp.sign(msg)?;
-				writer.write_bitvec_bytes(&signature, &signature.len() * 8);
-			},
-		}
-		Ok(())
-	}
-
 	/// Return the key pair's public key in DER format
 	///
 	/// The key is formatted according to the SubjectPublicKeyInfo struct of
 	/// X.509.
 	/// See [RFC 5280 section 4.1](https://tools.ietf.org/html/rfc5280#section-4.1).
+	#[cfg(feature = "crypto")]
 	pub fn public_key_der(&self) -> Vec<u8> {
 		yasna::construct_der(|writer| serialize_public_key_der(self, writer))
 	}
@@ -454,11 +411,6 @@ impl KeyPair {
 	///
 	/// Panics if called on a remote key pair.
 	pub fn serialize_der(&self) -> Vec<u8> {
-		#[cfg_attr(not(feature = "crypto"), allow(irrefutable_let_patterns))]
-		if let KeyPairKind::Remote(_) = self.kind {
-			panic!("Serializing a remote key pair is not supported")
-		}
-
 		self.serialized_der.clone()
 	}
 
@@ -467,24 +419,9 @@ impl KeyPair {
 	///
 	/// Panics if called on a remote key pair.
 	pub fn serialized_der(&self) -> &[u8] {
-		#[cfg_attr(not(feature = "crypto"), allow(irrefutable_let_patterns))]
-		if let KeyPairKind::Remote(_) = self.kind {
-			panic!("Serializing a remote key pair is not supported")
-		}
-
 		&self.serialized_der
 	}
 
-	/// Access the remote key pair if it is a remote one
-	pub fn as_remote(&self) -> Option<&(dyn SigningKey + Send + Sync)> {
-		#[cfg_attr(not(feature = "crypto"), allow(irrefutable_let_patterns))]
-		if let KeyPairKind::Remote(remote) = &self.kind {
-			Some(remote.as_ref())
-		} else {
-			None
-		}
-	}
-
 	/// Serializes the key pair (including the private key) in PKCS#8 format in PEM
 	#[cfg(feature = "pem")]
 	pub fn serialize_pem(&self) -> String {
@@ -494,16 +431,34 @@ impl KeyPair {
 	}
 }
 
+#[cfg(feature = "crypto")]
+impl SigningKey for KeyPair {
+	fn sign(&self, msg: &[u8]) -> Result<Vec<u8>, Error> {
+		Ok(match &self.kind {
+			KeyPairKind::Ec(kp) => {
+				let system_random = SystemRandom::new();
+				let signature = kp.sign(&system_random, msg)._err()?;
+				signature.as_ref().to_owned()
+			},
+			KeyPairKind::Ed(kp) => kp.sign(msg).as_ref().to_owned(),
+			KeyPairKind::Rsa(kp, padding_alg) => {
+				let system_random = SystemRandom::new();
+				let mut signature = vec![0; rsa_key_pair_public_modulus_len(kp)];
+				kp.sign(*padding_alg, &system_random, msg, &mut signature)
+					._err()?;
+				signature
+			},
+		})
+	}
+}
+
+#[cfg(feature = "crypto")]
 impl PublicKeyData for KeyPair {
 	fn public_key_der(&self) -> &[u8] {
 		match &self.kind {
-			#[cfg(feature = "crypto")]
 			KeyPairKind::Ec(kp) => kp.public_key().as_ref(),
-			#[cfg(feature = "crypto")]
 			KeyPairKind::Ed(kp) => kp.public_key().as_ref(),
-			#[cfg(feature = "crypto")]
 			KeyPairKind::Rsa(kp, _) => kp.public_key().as_ref(),
-			KeyPairKind::Remote(kp) => kp.public_key_der(),
 		}
 	}
 
@@ -635,7 +590,7 @@ pub enum RsaKeySize {
 }
 
 pub(crate) fn sign_der(
-	key: &KeyPair,
+	key: &impl SigningKey,
 	f: impl FnOnce(&mut DERWriterSeq<'_>) -> Result<(), Error>,
 ) -> Result<Vec<u8>, Error> {
 	yasna::try_construct_der(|writer| {
@@ -644,20 +599,19 @@ pub(crate) fn sign_der(
 			writer.next().write_der(&data);
 
 			// Write signatureAlgorithm
-			key.alg.write_alg_ident(writer.next());
+			key.algorithm().write_alg_ident(writer.next());
 
 			// Write signature
-			key.sign(&data, writer.next())?;
+			let sig = key.sign(&data)?;
+			let writer = writer.next();
+			writer.write_bitvec_bytes(&sig, sig.len() * 8);
 
 			Ok(())
 		})
 	})
 }
 
 /// A private key that is not directly accessible, but can be used to sign messages
-///
-/// Trait objects based on this trait can be passed to the [`KeyPair::from_remote`] function for generating certificates
-/// from a remote and raw private key, for example an HSM.
 pub trait SigningKey: PublicKeyData {
 	/// Signs `msg` using the selected algorithm
 	fn sign(&self, msg: &[u8]) -> Result<Vec<u8>, Error>;