Remove PKCS#8 blanket impls for SEC1 private key traits (#1930)

tarcieri · web-flow · commit 04402d640850 · 2025-07-09T20:14:24.000-06:00
Companion PR to RustCrypto/formats#1927 which properly composes the PKCS#8 impl in terms of the SEC1 impl
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -16,3 +16,5 @@ members = [
 [patch.crates-io]
 digest = { path = "digest" }
 signature = { path = "signature" }
+
+sec1 = { git = "https://github.com/RustCrypto/formats/" }
diff --git a/elliptic-curve/Cargo.toml b/elliptic-curve/Cargo.toml
@@ -66,7 +66,7 @@ ecdh = ["arithmetic", "digest", "dep:hkdf"]
 group = ["dep:group", "ff"]
 jwk = ["dep:base64ct", "dep:serde_json", "alloc", "serde", "zeroize/alloc"]
 pkcs8 = ["dep:pkcs8", "sec1"]
-pem = ["dep:pem-rfc7468", "alloc", "arithmetic", "pkcs8", "sec1/pem"]
+pem = ["dep:pem-rfc7468", "alloc", "arithmetic", "pkcs8/pem", "sec1/pem"]
 serde = ["dep:serdect", "alloc", "pkcs8", "sec1/serde"]
 
 [package.metadata.docs.rs]
diff --git a/elliptic-curve/src/secret_key.rs b/elliptic-curve/src/secret_key.rs
@@ -32,7 +32,7 @@ use {
         FieldBytesSize,
         sec1::{EncodedPoint, ModulusSize, ValidatePublicKey},
     },
-    sec1::der::{self, oid::AssociatedOid},
+    sec1::der::{self, Decode, oid::AssociatedOid},
 };
 
 #[cfg(all(feature = "alloc", feature = "arithmetic", feature = "sec1"))]
@@ -363,6 +363,36 @@ where
     }
 }
 
+#[cfg(feature = "sec1")]
+impl<C> sec1::DecodeEcPrivateKey for SecretKey<C>
+where
+    C: AssociatedOid + Curve + ValidatePublicKey,
+    FieldBytesSize<C>: ModulusSize,
+{
+    fn from_sec1_der(bytes: &[u8]) -> sec1::Result<Self> {
+        Ok(sec1::EcPrivateKey::from_der(bytes)?.try_into()?)
+    }
+}
+
+#[cfg(all(feature = "alloc", feature = "arithmetic", feature = "sec1"))]
+impl<C> sec1::EncodeEcPrivateKey for SecretKey<C>
+where
+    C: AssociatedOid + CurveArithmetic,
+    AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
+    FieldBytesSize<C>: ModulusSize,
+{
+    fn to_sec1_der(&self) -> sec1::Result<der::SecretDocument> {
+        let private_key_bytes = Zeroizing::new(self.to_bytes());
+        let public_key_bytes = self.public_key().to_encoded_point(false);
+
+        Ok(der::SecretDocument::encode_msg(&sec1::EcPrivateKey {
+            private_key: &private_key_bytes,
+            parameters: None,
+            public_key: Some(public_key_bytes.as_bytes()),
+        })?)
+    }
+}
+
 #[cfg(feature = "sec1")]
 impl<C> TryFrom<sec1::EcPrivateKey<'_>> for SecretKey<C>
 where
diff --git a/elliptic-curve/src/secret_key/pkcs8.rs b/elliptic-curve/src/secret_key/pkcs8.rs
@@ -18,9 +18,8 @@ use {
     },
     pkcs8::{
         EncodePrivateKey,
-        der::{self, Encode, asn1::OctetStringRef},
+        der::{self, asn1::OctetStringRef},
     },
-    zeroize::Zeroizing,
 };
 
 // Imports for actual PEM support
@@ -72,18 +71,7 @@ where
             parameters: Some((&C::OID).into()),
         };
 
-        let private_key_bytes = Zeroizing::new(self.to_bytes());
-        let public_key_bytes = self.public_key().to_encoded_point(false);
-
-        // TODO(tarcieri): unify with `to_sec1_der()` by building an owned `EcPrivateKey`
-        let ec_private_key = Zeroizing::new(
-            EcPrivateKey {
-                private_key: &private_key_bytes,
-                parameters: None,
-                public_key: Some(public_key_bytes.as_bytes()),
-            }
-            .to_der()?,
-        );
+        let ec_private_key = self.to_sec1_der()?;
 
         let pkcs8_key = pkcs8::PrivateKeyInfoRef::new(
             algorithm_identifier,
