Use Issuer in the public API

Author: djc

rcgen/examples/sign-leaf-with-ca.rs

@@ -1,13 +1,13 @@
 use rcgen::{
 	BasicConstraints, Certificate, CertificateParams, DnType, DnValue::PrintableString,
-	ExtendedKeyUsagePurpose, IsCa, KeyPair, KeyUsagePurpose,
+	ExtendedKeyUsagePurpose, IsCa, Issuer, KeyPair, KeyUsagePurpose,
 };
 use time::{Duration, OffsetDateTime};
 
 /// Example demonstrating signing end-entity certificate with ca
 fn main() {
-	let (ca_params, ca, ca_key) = new_ca();
-	let end_entity = new_end_entity(&ca_params, &ca_key);
+	let (ca, issuer) = new_ca();
+	let end_entity = new_end_entity(&issuer);
 
 	let end_entity_pem = end_entity.pem();
 	println!("directly signed end-entity certificate: {end_entity_pem}");
@@ -16,7 +16,7 @@ fn main() {
 	println!("ca certificate: {ca_cert_pem}");
 }
 
-fn new_ca() -> (CertificateParams, Certificate, KeyPair) {
+fn new_ca() -> (Certificate, Issuer<'static, KeyPair>) {
 	let mut params =
 		CertificateParams::new(Vec::default()).expect("empty subject alt name can't produce error");
 	let (yesterday, tomorrow) = validity_period();
@@ -37,10 +37,10 @@ fn new_ca() -> (CertificateParams, Certificate, KeyPair) {
 
 	let key_pair = KeyPair::generate().unwrap();
 	let cert = params.self_signed(&key_pair).unwrap();
-	(params, cert, key_pair)
+	(cert, Issuer::new(params, key_pair))
 }
 
-fn new_end_entity(ca: &CertificateParams, ca_key: &KeyPair) -> Certificate {
+fn new_end_entity(issuer: &Issuer<'static, KeyPair>) -> Certificate {
 	let name = "entity.other.host";
 	let mut params = CertificateParams::new(vec![name.into()]).expect("we know the name is valid");
 	let (yesterday, tomorrow) = validity_period();
@@ -54,7 +54,7 @@ fn new_end_entity(ca: &CertificateParams, ca_key: &KeyPair) -> Certificate {
 	params.not_after = tomorrow;
 
 	let key_pair = KeyPair::generate().unwrap();
-	params.signed_by(&key_pair, ca, ca_key).unwrap()
+	params.signed_by(&key_pair, issuer).unwrap()
 }
 
 fn validity_period() -> (OffsetDateTime, OffsetDateTime) {

rcgen/src/certificate.rs

@@ -140,10 +140,8 @@ impl CertificateParams {
 	pub fn signed_by(
 		&self,
 		public_key: &impl PublicKeyData,
-		issuer: &CertificateParams,
-		issuer_key: &impl SigningKey,
+		issuer: &Issuer<'_, impl SigningKey>,
 	) -> Result<Certificate, Error> {
-		let issuer = Issuer::from_params(issuer, issuer_key);
 		Ok(Certificate {
 			der: self.serialize_der_with_signer(public_key, issuer)?,
 		})
@@ -156,7 +154,7 @@ impl CertificateParams {
 	pub fn self_signed(&self, signing_key: &impl SigningKey) -> Result<Certificate, Error> {
 		let issuer = Issuer::from_params(self, signing_key);
 		Ok(Certificate {
-			der: self.serialize_der_with_signer(signing_key, issuer)?,
+			der: self.serialize_der_with_signer(signing_key, &issuer)?,
 		})
 	}
 
@@ -427,9 +425,9 @@ impl CertificateParams {
 	pub(crate) fn serialize_der_with_signer<K: PublicKeyData>(
 		&self,
 		pub_key: &K,
-		issuer: Issuer<'_, impl SigningKey>,
+		issuer: &Issuer<'_, impl SigningKey>,
 	) -> Result<CertificateDer<'static>, Error> {
-		let der = sign_der(issuer.signing_key, |writer| {
+		let der = sign_der(&*issuer.signing_key, |writer| {
 			let pub_key_spki = pub_key.subject_public_key_info();
 			// Write version
 			writer.next().write_tagged(Tag::context(0), |writer| {
@@ -484,8 +482,7 @@ impl CertificateParams {
 			}
 
 			writer.next().write_tagged(Tag::context(3), |writer| {
-				writer
-					.write_sequence(|writer| self.write_extensions(writer, &pub_key_spki, &issuer))
+				writer.write_sequence(|writer| self.write_extensions(writer, &pub_key_spki, issuer))
 			})?;
 
 			Ok(())
@@ -1412,12 +1409,13 @@ PITGdT9dgN88nHPCle0B1+OY+OZ5
 					.unwrap()
 			);
 
+			let issuer = Issuer::new(params, ca_kp);
 			let ee_key = KeyPair::generate().unwrap();
 			let ee_params = CertificateParams {
 				use_authority_key_identifier_extension: true,
 				..CertificateParams::default()
 			};
-			let ee_cert = ee_params.signed_by(&ee_key, &params, &ee_key).unwrap();
+			let ee_cert = ee_params.signed_by(&ee_key, &issuer).unwrap();
 
 			let (_, x509_ee) = x509_parser::parse_x509_certificate(ee_cert.der()).unwrap();
 			assert_eq!(

rcgen/src/crl.rs

@@ -10,8 +10,8 @@ use crate::key_pair::sign_der;
 use crate::ENCODE_CONFIG;
 use crate::{
 	oid, write_distinguished_name, write_dt_utc_or_generalized,
-	write_x509_authority_key_identifier, write_x509_extension, CertificateParams, Error, Issuer,
-	KeyIdMethod, KeyUsagePurpose, SerialNumber, SigningKey,
+	write_x509_authority_key_identifier, write_x509_extension, Error, Issuer, KeyIdMethod,
+	KeyUsagePurpose, SerialNumber, SigningKey,
 };
 
 /// A certificate revocation list (CRL)
@@ -43,7 +43,8 @@ use crate::{
 /// let key_pair = KeyPair::generate().unwrap();
 /// #[cfg(not(feature = "crypto"))]
 /// let key_pair = MyKeyPair { public_key: vec![] };
-/// let issuer = issuer_params.self_signed(&key_pair).unwrap();
+/// let issuer = Issuer::new(issuer_params, key_pair);
+///
 /// // Describe a revoked certificate.
 /// let revoked_cert = RevokedCertParams{
 ///   serial_number: SerialNumber::from(9999),
@@ -62,7 +63,7 @@ use crate::{
 ///   key_identifier_method: KeyIdMethod::Sha256,
 ///   #[cfg(not(feature = "crypto"))]
 ///   key_identifier_method: KeyIdMethod::PreSpecified(vec![]),
-/// }.signed_by(&issuer_params, &key_pair).unwrap();
+/// }.signed_by(&issuer).unwrap();
 ///# }
 #[derive(Clone, Debug, PartialEq, Eq)]
 pub struct CertificateRevocationList {
@@ -186,14 +187,12 @@ impl CertificateRevocationListParams {
 	/// Including a signature from the issuing certificate authority's key.
 	pub fn signed_by(
 		&self,
-		issuer: &CertificateParams,
-		issuer_key: &impl SigningKey,
+		issuer: &Issuer<'_, impl SigningKey>,
 	) -> Result<CertificateRevocationList, Error> {
 		if self.next_update.le(&self.this_update) {
 			return Err(Error::InvalidCrlNextUpdate);
 		}
 
-		let issuer = Issuer::from_params(issuer, issuer_key);
 		if !issuer.key_usages.is_empty() && !issuer.key_usages.contains(&KeyUsagePurpose::CrlSign) {
 			return Err(Error::IssuerNotCrlSigner);
 		}
@@ -203,8 +202,8 @@ impl CertificateRevocationListParams {
 		})
 	}
 
-	fn serialize_der(&self, issuer: Issuer<'_, impl SigningKey>) -> Result<Vec<u8>, Error> {
-		sign_der(issuer.signing_key, |writer| {
+	fn serialize_der(&self, issuer: &Issuer<'_, impl SigningKey>) -> Result<Vec<u8>, Error> {
+		sign_der(&*issuer.signing_key, |writer| {
 			// Write CRL version.
 			// RFC 5280 §5.1.2.1:
 			//   This optional field describes the version of the encoded CRL.  When

rcgen/src/csr.rs

@@ -200,12 +200,7 @@ impl CertificateSigningRequestParams {
 	///
 	/// The returned [`Certificate`] may be serialized using [`Certificate::der`] and
 	/// [`Certificate::pem`].
-	pub fn signed_by(
-		&self,
-		issuer: &CertificateParams,
-		issuer_key: &impl SigningKey,
-	) -> Result<Certificate, Error> {
-		let issuer = Issuer::from_params(issuer, issuer_key);
+	pub fn signed_by(&self, issuer: &Issuer<impl SigningKey>) -> Result<Certificate, Error> {
 		Ok(Certificate {
 			der: self
 				.params

rcgen/src/lib.rs

@@ -39,6 +39,7 @@ use std::hash::Hash;
 use std::net::IpAddr;
 #[cfg(feature = "x509-parser")]
 use std::net::{Ipv4Addr, Ipv6Addr};
+use std::ops::Deref;
 
 use time::{OffsetDateTime, Time};
 use yasna::models::ObjectIdentifier;
@@ -133,22 +134,41 @@ pub fn generate_simple_self_signed(
 	Ok(CertifiedKey { cert, signing_key })
 }
 
-struct Issuer<'a, S> {
+/// An issuer that can sign certificates.
+///
+/// Encapsulates the distinguished name, key identifier method, key usages and signing key
+/// of the issuing certificate.
+pub struct Issuer<'a, S> {
 	distinguished_name: Cow<'a, DistinguishedName>,
 	key_identifier_method: Cow<'a, KeyIdMethod>,
 	key_usages: Cow<'a, [KeyUsagePurpose]>,
-	signing_key: &'a S,
+	signing_key: MaybeOwned<'a, S>,
 }
 
 impl<'a, S: SigningKey> Issuer<'a, S> {
+	/// Create a new issuer from the given parameters and signing key.
+	pub fn new(params: CertificateParams, signing_key: S) -> Self {
+		Self {
+			distinguished_name: Cow::Owned(params.distinguished_name),
+			key_identifier_method: Cow::Owned(params.key_identifier_method),
+			key_usages: Cow::Owned(params.key_usages),
+			signing_key: MaybeOwned::Owned(signing_key),
+		}
+	}
+
 	fn from_params(params: &'a CertificateParams, signing_key: &'a S) -> Self {
 		Self {
 			distinguished_name: Cow::Borrowed(&params.distinguished_name),
 			key_identifier_method: Cow::Borrowed(&params.key_identifier_method),
 			key_usages: Cow::Borrowed(&params.key_usages),
-			signing_key,
+			signing_key: MaybeOwned::Borrowed(signing_key),
 		}
 	}
+
+	/// Yield a reference to the signing key.
+	pub fn key(&self) -> &S {
+		&self.signing_key
+	}
 }
 
 impl<'a, S: SigningKey> fmt::Debug for Issuer<'a, S> {
@@ -171,6 +191,22 @@ impl<'a, S: SigningKey> fmt::Debug for Issuer<'a, S> {
 	}
 }
 
+enum MaybeOwned<'a, T> {
+	Owned(T),
+	Borrowed(&'a T),
+}
+
+impl<T> Deref for MaybeOwned<'_, T> {
+	type Target = T;
+
+	fn deref(&self) -> &Self::Target {
+		match self {
+			MaybeOwned::Owned(t) => t,
+			MaybeOwned::Borrowed(t) => t,
+		}
+	}
+}
+
 // https://tools.ietf.org/html/rfc5280#section-4.1.1
 
 // Example certs usable as reference:

rcgen/tests/botan.rs

@@ -2,7 +2,7 @@
 
 use time::{Duration, OffsetDateTime};
 
-use rcgen::{BasicConstraints, Certificate, CertificateParams, DnType, IsCa};
+use rcgen::{BasicConstraints, Certificate, CertificateParams, DnType, IsCa, Issuer};
 use rcgen::{CertificateRevocationListParams, RevocationReason, RevokedCertParams};
 use rcgen::{DnValue, KeyPair};
 use rcgen::{KeyUsagePurpose, SerialNumber};
@@ -143,7 +143,8 @@ fn test_botan_separate_ca() {
 	params.not_after = rcgen::date_time_ymd(3016, 1, 1);
 
 	let key_pair = KeyPair::generate().unwrap();
-	let cert = params.signed_by(&key_pair, &ca_params, &ca_key).unwrap();
+	let ca = Issuer::new(ca_params, ca_key);
+	let cert = params.signed_by(&key_pair, &ca).unwrap();
 	check_cert_ca(cert.der(), &cert, ca_cert.der());
 }
 
@@ -169,9 +170,8 @@ fn test_botan_imported_ca() {
 	params.not_after = rcgen::date_time_ymd(3016, 1, 1);
 
 	let key_pair = KeyPair::generate().unwrap();
-	let cert = params
-		.signed_by(&key_pair, &imported_ca_cert_params, &ca_key)
-		.unwrap();
+	let ca = Issuer::new(imported_ca_cert_params, ca_key);
+	let cert = params.signed_by(&key_pair, &ca).unwrap();
 	check_cert_ca(cert.der(), &cert, ca_cert_der);
 }
 
@@ -200,9 +200,8 @@ fn test_botan_imported_ca_with_printable_string() {
 	// Botan has a sanity check that enforces a maximum expiration date
 	params.not_after = rcgen::date_time_ymd(3016, 1, 1);
 	let key_pair = KeyPair::generate().unwrap();
-	let cert = params
-		.signed_by(&key_pair, &imported_ca_cert_params, &imported_ca_key)
-		.unwrap();
+	let ca = Issuer::new(imported_ca_cert_params, imported_ca_key);
+	let cert = params.signed_by(&key_pair, &ca).unwrap();
 
 	check_cert_ca(cert.der(), &cert, ca_cert_der);
 }
@@ -219,6 +218,7 @@ fn test_botan_crl_parse() {
 		KeyUsagePurpose::CrlSign,
 	];
 	let issuer_key = KeyPair::generate_for(alg).unwrap();
+	let ca = Issuer::new(issuer, issuer_key);
 
 	// Create an end entity cert issued by the issuer.
 	let (mut ee, _) = util::default_params();
@@ -227,7 +227,7 @@ fn test_botan_crl_parse() {
 	// Botan has a sanity check that enforces a maximum expiration date
 	ee.not_after = rcgen::date_time_ymd(3016, 1, 1);
 	let ee_key = KeyPair::generate_for(alg).unwrap();
-	let ee_cert = ee.signed_by(&ee_key, &issuer, &issuer_key).unwrap();
+	let ee_cert = ee.signed_by(&ee_key, &ca).unwrap();
 	let botan_ee = botan::Certificate::load(ee_cert.der()).unwrap();
 
 	// Generate a CRL with the issuer that revokes the EE cert.
@@ -246,7 +246,7 @@ fn test_botan_crl_parse() {
 		key_identifier_method: rcgen::KeyIdMethod::Sha256,
 	};
 
-	let crl = crl.signed_by(&issuer, &issuer_key).unwrap();
+	let crl = crl.signed_by(&ca).unwrap();
 
 	// We should be able to load the CRL in both serializations.
 	botan::CRL::load(crl.pem().unwrap().as_ref()).unwrap();

rcgen/tests/openssl.rs

@@ -14,7 +14,7 @@ use openssl::x509::{CrlStatus, X509Crl, X509Req, X509StoreContext, X509};
 
 use rcgen::{
 	BasicConstraints, Certificate, CertificateParams, DnType, DnValue, GeneralSubtree, IsCa,
-	KeyPair, NameConstraints,
+	Issuer, KeyPair, NameConstraints,
 };
 
 mod util;
@@ -312,6 +312,7 @@ fn test_openssl_separate_ca() {
 	ca_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
 	let ca_cert = ca_params.self_signed(&ca_key).unwrap();
 	let ca_cert_pem = ca_cert.pem();
+	let ca = Issuer::new(ca_params, ca_key);
 
 	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
@@ -321,7 +322,7 @@ fn test_openssl_separate_ca() {
 		.distinguished_name
 		.push(DnType::CommonName, "Dev domain");
 	let cert_key = KeyPair::generate().unwrap();
-	let cert = params.signed_by(&cert_key, &ca_params, &ca_key).unwrap();
+	let cert = params.signed_by(&cert_key, &ca).unwrap();
 	let key = cert_key.serialize_der();
 
 	verify_cert_ca(&cert.pem(), &key, &ca_cert_pem);
@@ -345,7 +346,8 @@ fn test_openssl_separate_ca_with_printable_string() {
 		.distinguished_name
 		.push(DnType::CommonName, "Dev domain");
 	let cert_key = KeyPair::generate().unwrap();
-	let cert = params.signed_by(&cert_key, &ca_params, &ca_key).unwrap();
+	let ca = Issuer::new(ca_params, ca_key);
+	let cert = params.signed_by(&cert_key, &ca).unwrap();
 	let key = cert_key.serialize_der();
 
 	verify_cert_ca(&cert.pem(), &key, &ca_cert.pem());
@@ -357,6 +359,7 @@ fn test_openssl_separate_ca_with_other_signing_alg() {
 	ca_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
 	let ca_key = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap();
 	let ca_cert = ca_params.self_signed(&ca_key).unwrap();
+	let ca = Issuer::new(ca_params, ca_key);
 
 	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
@@ -366,7 +369,7 @@ fn test_openssl_separate_ca_with_other_signing_alg() {
 		.distinguished_name
 		.push(DnType::CommonName, "Dev domain");
 	let cert_key = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P384_SHA384).unwrap();
-	let cert = params.signed_by(&cert_key, &ca_params, &ca_key).unwrap();
+	let cert = params.signed_by(&cert_key, &ca).unwrap();
 	let key = cert_key.serialize_der();
 
 	verify_cert_ca(&cert.pem(), &key, &ca_cert.pem());
@@ -387,6 +390,7 @@ fn test_openssl_separate_ca_name_constraints() {
 		excluded_subtrees: Vec::new(),
 	});
 	let ca_cert = ca_params.self_signed(&ca_key).unwrap();
+	let ca = Issuer::new(ca_params, ca_key);
 
 	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
@@ -396,7 +400,7 @@ fn test_openssl_separate_ca_name_constraints() {
 		.distinguished_name
 		.push(DnType::CommonName, "Dev domain");
 	let cert_key = KeyPair::generate().unwrap();
-	let cert = params.signed_by(&cert_key, &ca_params, &ca_key).unwrap();
+	let cert = params.signed_by(&cert_key, &ca).unwrap();
 	let key = cert_key.serialize_der();
 
 	verify_cert_ca(&cert.pem(), &key, &ca_cert.pem());