Invert KeyPair/SigningKey hierarchy

Author: djc

rcgen/src/certificate.rs

@@ -18,7 +18,7 @@ use crate::ENCODE_CONFIG;
 use crate::{
 	oid, write_distinguished_name, write_dt_utc_or_generalized,
 	write_x509_authority_key_identifier, write_x509_extension, DistinguishedName, Error, Issuer,
-	KeyIdMethod, KeyPair, KeyUsagePurpose, SanType, SerialNumber,
+	KeyIdMethod, KeyPair, KeyUsagePurpose, SanType, SerialNumber, SigningKey,
 };
 
 /// An issued certificate together with the parameters used to generate it.
@@ -158,7 +158,7 @@ impl CertificateParams {
 	///
 	/// The returned [`Certificate`] may be serialized using [`Certificate::der`] and
 	/// [`Certificate::pem`].
-	pub fn self_signed(&self, key_pair: &KeyPair) -> Result<Certificate, Error> {
+	pub fn self_signed(&self, key_pair: &impl SigningKey) -> Result<Certificate, Error> {
 		let issuer = Issuer {
 			distinguished_name: &self.distinguished_name,
 			key_identifier_method: &self.key_identifier_method,
@@ -616,9 +616,9 @@ impl CertificateParams {
 	pub(crate) fn serialize_der_with_signer<K: PublicKeyData>(
 		&self,
 		pub_key: &K,
-		issuer: Issuer<'_>,
+		issuer: Issuer<'_, impl SigningKey>,
 	) -> Result<CertificateDer<'static>, Error> {
-		let der = sign_der(&issuer.key_pair, |writer| {
+		let der = sign_der(issuer.key_pair, |writer| {
 			let pub_key_spki =
 				yasna::construct_der(|writer| serialize_public_key_der(pub_key, writer));
 			// Write version
@@ -643,7 +643,7 @@ impl CertificateParams {
 				}
 			};
 			// Write signature algorithm
-			issuer.key_pair.alg.write_alg_ident(writer.next());
+			issuer.key_pair.algorithm().write_alg_ident(writer.next());
 			// Write issuer name
 			write_distinguished_name(writer.next(), &issuer.distinguished_name);
 			// Write validity

rcgen/src/crl.rs

@@ -7,6 +7,7 @@ use yasna::Tag;
 
 use crate::key_pair::sign_der;
 use crate::CertificateParams;
+use crate::SigningKey;
 #[cfg(feature = "pem")]
 use crate::ENCODE_CONFIG;
 use crate::{
@@ -216,8 +217,8 @@ impl CertificateRevocationListParams {
 		})
 	}
 
-	fn serialize_der(&self, issuer: Issuer) -> Result<Vec<u8>, Error> {
-		sign_der(&issuer.key_pair, |writer| {
+	fn serialize_der(&self, issuer: Issuer<'_, impl SigningKey>) -> Result<Vec<u8>, Error> {
+		sign_der(issuer.key_pair, |writer| {
 			// Write CRL version.
 			// RFC 5280 §5.1.2.1:
 			//   This optional field describes the version of the encoded CRL.  When
@@ -233,7 +234,7 @@ impl CertificateRevocationListParams {
 			// RFC 5280 §5.1.2.2:
 			//   This field MUST contain the same algorithm identifier as the
 			//   signatureAlgorithm field in the sequence CertificateList
-			issuer.key_pair.alg.write_alg_ident(writer.next());
+			issuer.key_pair.algorithm().write_alg_ident(writer.next());
 
 			// Write issuer.
 			// RFC 5280 §5.1.2.3:

rcgen/src/key_pair.rs

@@ -39,8 +39,6 @@ pub(crate) enum KeyPairKind {
 	/// A RSA key pair
 	#[cfg(feature = "crypto")]
 	Rsa(RsaKeyPair, &'static dyn RsaEncoding),
-	/// A remote key pair
-	Remote(Box<dyn SigningKey + Send + Sync>),
 }
 
 impl fmt::Debug for KeyPairKind {
@@ -52,7 +50,6 @@ impl fmt::Debug for KeyPairKind {
 			Self::Ed(key_pair) => write!(f, "{:?}", key_pair),
 			#[cfg(feature = "crypto")]
 			Self::Rsa(key_pair, _) => write!(f, "{:?}", key_pair),
-			Self::Remote(_) => write!(f, "Box<dyn RemotePrivateKey>"),
 		}
 	}
 }
@@ -187,15 +184,6 @@ impl KeyPair {
 		Self::try_from(private_key.contents())
 	}
 
-	/// Obtains the key pair from a raw public key and a remote private key
-	pub fn from_remote(key_pair: Box<dyn SigningKey + Send + Sync>) -> Result<Self, Error> {
-		Ok(Self {
-			alg: key_pair.algorithm(),
-			kind: KeyPairKind::Remote(key_pair),
-			serialized_der: Vec::new(),
-		})
-	}
-
 	/// Obtains the key pair from a DER formatted key
 	/// using the specified [`SignatureAlgorithm`]
 	///
@@ -399,38 +387,6 @@ impl KeyPair {
 		std::iter::once(self.alg)
 	}
 
-	pub(crate) fn sign(&self, msg: &[u8], writer: DERWriter) -> Result<(), Error> {
-		match &self.kind {
-			#[cfg(feature = "crypto")]
-			KeyPairKind::Ec(kp) => {
-				let system_random = SystemRandom::new();
-				let signature = kp.sign(&system_random, msg)._err()?;
-				let sig = &signature.as_ref();
-				writer.write_bitvec_bytes(sig, &sig.len() * 8);
-			},
-			#[cfg(feature = "crypto")]
-			KeyPairKind::Ed(kp) => {
-				let signature = kp.sign(msg);
-				let sig = &signature.as_ref();
-				writer.write_bitvec_bytes(sig, &sig.len() * 8);
-			},
-			#[cfg(feature = "crypto")]
-			KeyPairKind::Rsa(kp, padding_alg) => {
-				let system_random = SystemRandom::new();
-				let mut signature = vec![0; rsa_key_pair_public_modulus_len(kp)];
-				kp.sign(*padding_alg, &system_random, msg, &mut signature)
-					._err()?;
-				let sig = &signature.as_ref();
-				writer.write_bitvec_bytes(sig, &sig.len() * 8);
-			},
-			KeyPairKind::Remote(kp) => {
-				let signature = kp.sign(msg)?;
-				writer.write_bitvec_bytes(&signature, &signature.len() * 8);
-			},
-		}
-		Ok(())
-	}
-
 	/// Return the key pair's public key in DER format
 	///
 	/// The key is formatted according to the SubjectPublicKeyInfo struct of
@@ -454,11 +410,6 @@ impl KeyPair {
 	///
 	/// Panics if called on a remote key pair.
 	pub fn serialize_der(&self) -> Vec<u8> {
-		#[cfg_attr(not(feature = "crypto"), allow(irrefutable_let_patterns))]
-		if let KeyPairKind::Remote(_) = self.kind {
-			panic!("Serializing a remote key pair is not supported")
-		}
-
 		self.serialized_der.clone()
 	}
 
@@ -467,24 +418,9 @@ impl KeyPair {
 	///
 	/// Panics if called on a remote key pair.
 	pub fn serialized_der(&self) -> &[u8] {
-		#[cfg_attr(not(feature = "crypto"), allow(irrefutable_let_patterns))]
-		if let KeyPairKind::Remote(_) = self.kind {
-			panic!("Serializing a remote key pair is not supported")
-		}
-
 		&self.serialized_der
 	}
 
-	/// Access the remote key pair if it is a remote one
-	pub fn as_remote(&self) -> Option<&(dyn SigningKey + Send + Sync)> {
-		#[cfg_attr(not(feature = "crypto"), allow(irrefutable_let_patterns))]
-		if let KeyPairKind::Remote(remote) = &self.kind {
-			Some(remote.as_ref())
-		} else {
-			None
-		}
-	}
-
 	/// Serializes the key pair (including the private key) in PKCS#8 format in PEM
 	#[cfg(feature = "pem")]
 	pub fn serialize_pem(&self) -> String {
@@ -494,6 +430,29 @@ impl KeyPair {
 	}
 }
 
+impl SigningKey for KeyPair {
+	fn sign(&self, msg: &[u8]) -> Result<Vec<u8>, Error> {
+		Ok(match &self.kind {
+			#[cfg(feature = "crypto")]
+			KeyPairKind::Ec(kp) => {
+				let system_random = SystemRandom::new();
+				let signature = kp.sign(&system_random, msg)._err()?;
+				signature.as_ref().to_owned()
+			},
+			#[cfg(feature = "crypto")]
+			KeyPairKind::Ed(kp) => kp.sign(msg).as_ref().to_owned(),
+			#[cfg(feature = "crypto")]
+			KeyPairKind::Rsa(kp, padding_alg) => {
+				let system_random = SystemRandom::new();
+				let mut signature = vec![0; rsa_key_pair_public_modulus_len(kp)];
+				kp.sign(*padding_alg, &system_random, msg, &mut signature)
+					._err()?;
+				signature
+			},
+		})
+	}
+}
+
 impl PublicKeyData for KeyPair {
 	fn public_key_der(&self) -> &[u8] {
 		match &self.kind {
@@ -503,7 +462,6 @@ impl PublicKeyData for KeyPair {
 			KeyPairKind::Ed(kp) => kp.public_key().as_ref(),
 			#[cfg(feature = "crypto")]
 			KeyPairKind::Rsa(kp, _) => kp.public_key().as_ref(),
-			KeyPairKind::Remote(kp) => kp.public_key_der(),
 		}
 	}
 
@@ -635,7 +593,7 @@ pub enum RsaKeySize {
 }
 
 pub(crate) fn sign_der(
-	key: &KeyPair,
+	key: &impl SigningKey,
 	f: impl FnOnce(&mut DERWriterSeq<'_>) -> Result<(), Error>,
 ) -> Result<Vec<u8>, Error> {
 	yasna::try_construct_der(|writer| {
@@ -644,20 +602,19 @@ pub(crate) fn sign_der(
 			writer.next().write_der(&data);
 
 			// Write signatureAlgorithm
-			key.alg.write_alg_ident(writer.next());
+			key.algorithm().write_alg_ident(writer.next());
 
 			// Write signature
-			key.sign(&data, writer.next())?;
+			let sig = key.sign(&data)?;
+			let writer = writer.next();
+			writer.write_bitvec_bytes(&sig, sig.len() * 8);
 
 			Ok(())
 		})
 	})
 }
 
 /// A private key that is not directly accessible, but can be used to sign messages
-///
-/// Trait objects based on this trait can be passed to the [`KeyPair::from_remote`] function for generating certificates
-/// from a remote and raw private key, for example an HSM.
 pub trait SigningKey: PublicKeyData {
 	/// Signs `msg` using the selected algorithm
 	fn sign(&self, msg: &[u8]) -> Result<Vec<u8>, Error>;

rcgen/src/lib.rs

@@ -129,11 +129,11 @@ pub fn generate_simple_self_signed(
 	Ok(CertifiedKey { cert, key_pair })
 }
 
-struct Issuer<'a> {
+struct Issuer<'a, S> {
 	distinguished_name: &'a DistinguishedName,
 	key_identifier_method: &'a KeyIdMethod,
 	key_usages: &'a [KeyUsagePurpose],
-	key_pair: &'a KeyPair,
+	key_pair: &'a S,
 }
 
 // https://tools.ietf.org/html/rfc5280#section-4.1.1

rcgen/tests/webpki.rs

@@ -52,12 +52,12 @@ fn sign_msg_rsa(key_pair: &KeyPair, msg: &[u8], encoding: &'static dyn RsaEncodi
 	signature
 }
 
-fn check_cert<'a, 'b>(
+fn check_cert<'a, 'b, S: SigningKey + 'a>(
 	cert_der: &CertificateDer<'_>,
 	cert: &'a Certificate,
-	cert_key: &'a KeyPair,
+	cert_key: &'a S,
 	alg: &dyn SignatureVerificationAlgorithm,
-	sign_fn: impl FnOnce(&'a KeyPair, &'b [u8]) -> Vec<u8>,
+	sign_fn: impl FnOnce(&'a S, &'b [u8]) -> Vec<u8>,
 ) {
 	#[cfg(feature = "pem")]
 	{
@@ -66,13 +66,13 @@ fn check_cert<'a, 'b>(
 	check_cert_ca(cert_der, cert_key, cert_der, alg, alg, sign_fn);
 }
 
-fn check_cert_ca<'a, 'b>(
+fn check_cert_ca<'a, 'b, S: SigningKey + 'a>(
 	cert_der: &CertificateDer<'_>,
-	cert_key: &'a KeyPair,
+	cert_key: &'a S,
 	ca_der: &CertificateDer<'_>,
 	cert_alg: &dyn SignatureVerificationAlgorithm,
 	ca_alg: &dyn SignatureVerificationAlgorithm,
-	sign_fn: impl FnOnce(&'a KeyPair, &'b [u8]) -> Vec<u8>,
+	sign_fn: impl FnOnce(&'a S, &'b [u8]) -> Vec<u8>,
 ) {
 	let trust_anchor = anchor_from_trusted_cert(ca_der).unwrap();
 	let trust_anchor_list = &[trust_anchor];
@@ -352,7 +352,7 @@ fn from_remote() {
 		&rng,
 	)
 	.unwrap();
-	let remote = KeyPair::from_remote(Box::new(Remote(remote))).unwrap();
+	let remote = Remote(remote);
 
 	let (params, _) = util::default_params();
 	let cert = params.self_signed(&remote).unwrap();