Invert KeyPair/SigningKey hierarchy

djc · djc · commit 2dd3590672cf · 2025-04-23T13:56:50.000Z
diff --git a/rcgen/src/certificate.rs b/rcgen/src/certificate.rs
@@ -200,7 +200,7 @@ impl CertificateParams {
 	///
 	/// This function is only of use if you have an existing CA certificate
 	/// you would like to use to sign a certificate generated by `rcgen`.
-	/// By providing the constructed [`CertificateParams`] and the [`KeyPair`]
+	/// By providing the constructed [`CertificateParams`] and the [`SigningKey`]
 	/// associated with your existing `ca_cert` you can use [`CertificateParams::signed_by()`]
 	/// or [`crate::CertificateSigningRequestParams::signed_by()`] to issue new certificates
 	/// using the CA cert.
diff --git a/rcgen/src/key_pair.rs b/rcgen/src/key_pair.rs
@@ -1,3 +1,4 @@
+#[cfg(feature = "crypto")]
 use std::fmt;
 
 #[cfg(feature = "pem")]
@@ -29,30 +30,23 @@ use crate::{sign_algo::SignatureAlgorithm, Error};
 
 /// A key pair variant
 #[allow(clippy::large_enum_variant)]
+#[cfg(feature = "crypto")]
 pub(crate) enum KeyPairKind {
 	/// A Ecdsa key pair
-	#[cfg(feature = "crypto")]
 	Ec(EcdsaKeyPair),
 	/// A Ed25519 key pair
-	#[cfg(feature = "crypto")]
 	Ed(Ed25519KeyPair),
 	/// A RSA key pair
-	#[cfg(feature = "crypto")]
 	Rsa(RsaKeyPair, &'static dyn RsaEncoding),
-	/// A remote key pair
-	Remote(Box<dyn SigningKey + Send + Sync>),
 }
 
+#[cfg(feature = "crypto")]
 impl fmt::Debug for KeyPairKind {
 	fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
 		match self {
-			#[cfg(feature = "crypto")]
 			Self::Ec(key_pair) => write!(f, "{:?}", key_pair),
-			#[cfg(feature = "crypto")]
 			Self::Ed(key_pair) => write!(f, "{:?}", key_pair),
-			#[cfg(feature = "crypto")]
 			Self::Rsa(key_pair, _) => write!(f, "{:?}", key_pair),
-			Self::Remote(_) => write!(f, "Box<dyn RemotePrivateKey>"),
 		}
 	}
 }
@@ -64,12 +58,14 @@ impl fmt::Debug for KeyPairKind {
 /// `openssl genrsa` doesn't work. See ring's [documentation](ring::signature::RsaKeyPair::from_pkcs8)
 /// for how to generate RSA keys in the wanted format
 /// and conversion between the formats.
+#[cfg(feature = "crypto")]
 pub struct KeyPair {
 	pub(crate) kind: KeyPairKind,
 	pub(crate) alg: &'static SignatureAlgorithm,
 	pub(crate) serialized_der: Vec<u8>,
 }
 
+#[cfg(feature = "crypto")]
 impl fmt::Debug for KeyPair {
 	fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
 		f.debug_struct("KeyPair")
@@ -80,6 +76,7 @@ impl fmt::Debug for KeyPair {
 	}
 }
 
+#[cfg(feature = "crypto")]
 impl KeyPair {
 	/// Generate a new random [`PKCS_ECDSA_P256_SHA256`] key pair
 	#[cfg(feature = "crypto")]
@@ -187,15 +184,6 @@ impl KeyPair {
 		Self::try_from(private_key.contents())
 	}
 
-	/// Obtains the key pair from a raw public key and a remote private key
-	pub fn from_remote(key_pair: Box<dyn SigningKey + Send + Sync>) -> Result<Self, Error> {
-		Ok(Self {
-			alg: key_pair.algorithm(),
-			kind: KeyPairKind::Remote(key_pair),
-			serialized_der: Vec::new(),
-		})
-	}
-
 	/// Obtains the key pair from a DER formatted key
 	/// using the specified [`SignatureAlgorithm`]
 	///
@@ -419,40 +407,16 @@ impl KeyPair {
 	}
 
 	/// Serializes the key pair (including the private key) in PKCS#8 format in DER
-	///
-	/// Panics if called on a remote key pair.
 	pub fn serialize_der(&self) -> Vec<u8> {
-		#[cfg_attr(not(feature = "crypto"), allow(irrefutable_let_patterns))]
-		if let KeyPairKind::Remote(_) = self.kind {
-			panic!("Serializing a remote key pair is not supported")
-		}
-
 		self.serialized_der.clone()
 	}
 
 	/// Returns a reference to the serialized key pair (including the private key)
 	/// in PKCS#8 format in DER
-	///
-	/// Panics if called on a remote key pair.
 	pub fn serialized_der(&self) -> &[u8] {
-		#[cfg_attr(not(feature = "crypto"), allow(irrefutable_let_patterns))]
-		if let KeyPairKind::Remote(_) = self.kind {
-			panic!("Serializing a remote key pair is not supported")
-		}
-
 		&self.serialized_der
 	}
 
-	/// Access the remote key pair if it is a remote one
-	pub fn as_remote(&self) -> Option<&(dyn SigningKey + Send + Sync)> {
-		#[cfg_attr(not(feature = "crypto"), allow(irrefutable_let_patterns))]
-		if let KeyPairKind::Remote(remote) = &self.kind {
-			Some(remote.as_ref())
-		} else {
-			None
-		}
-	}
-
 	/// Serializes the key pair (including the private key) in PKCS#8 format in PEM
 	#[cfg(feature = "pem")]
 	pub fn serialize_pem(&self) -> String {
@@ -479,21 +443,17 @@ impl SigningKey for KeyPair {
 					._err()?;
 				signature
 			},
-			KeyPairKind::Remote(kp) => kp.sign(msg)?,
 		})
 	}
 }
 
+#[cfg(feature = "crypto")]
 impl PublicKeyData for KeyPair {
 	fn der_bytes(&self) -> &[u8] {
 		match &self.kind {
-			#[cfg(feature = "crypto")]
 			KeyPairKind::Ec(kp) => kp.public_key().as_ref(),
-			#[cfg(feature = "crypto")]
 			KeyPairKind::Ed(kp) => kp.public_key().as_ref(),
-			#[cfg(feature = "crypto")]
 			KeyPairKind::Rsa(kp, _) => kp.public_key().as_ref(),
-			KeyPairKind::Remote(kp) => kp.der_bytes(),
 		}
 	}
 
@@ -647,9 +607,6 @@ pub(crate) fn sign_der(
 }
 
 /// A key that can be used to sign messages
-///
-/// Trait objects based on this trait can be passed to the [`KeyPair::from_remote`] function for generating certificates
-/// from a remote and raw private key, for example an HSM.
 pub trait SigningKey: PublicKeyData {
 	/// Signs `msg` using the selected algorithm
 	fn sign(&self, msg: &[u8]) -> Result<Vec<u8>, Error>;
diff --git a/rcgen/src/lib.rs b/rcgen/src/lib.rs
@@ -59,10 +59,12 @@ pub use crl::{
 };
 pub use csr::{CertificateSigningRequest, CertificateSigningRequestParams, PublicKey};
 pub use error::{Error, InvalidAsn1String};
+#[cfg(feature = "crypto")]
+pub use key_pair::KeyPair;
 pub use key_pair::PublicKeyData;
 #[cfg(all(feature = "crypto", feature = "aws_lc_rs"))]
 pub use key_pair::RsaKeySize;
-pub use key_pair::{KeyPair, SigningKey, SubjectPublicKeyInfo};
+pub use key_pair::{SigningKey, SubjectPublicKeyInfo};
 #[cfg(feature = "crypto")]
 use ring_like::digest;
 pub use sign_algo::algo::*;
@@ -85,11 +87,11 @@ pub mod string;
 pub type RcgenError = Error;
 
 /// An issued certificate, together with the subject keypair.
-pub struct CertifiedKey {
+pub struct CertifiedKey<S: SigningKey> {
 	/// An issued certificate.
 	pub cert: Certificate,
 	/// The certificate's subject key pair.
-	pub key_pair: KeyPair,
+	pub key_pair: S,
 }
 
 /**
@@ -124,7 +126,7 @@ println!("{}", key_pair.serialize_pem());
 )]
 pub fn generate_simple_self_signed(
 	subject_alt_names: impl Into<Vec<String>>,
-) -> Result<CertifiedKey, Error> {
+) -> Result<CertifiedKey<KeyPair>, Error> {
 	let key_pair = KeyPair::generate()?;
 	let cert = CertificateParams::new(subject_alt_names)?.self_signed(&key_pair)?;
 	Ok(CertifiedKey { cert, key_pair })
diff --git a/rcgen/tests/webpki.rs b/rcgen/tests/webpki.rs
@@ -52,12 +52,12 @@ fn sign_msg_rsa(key_pair: &KeyPair, msg: &[u8], encoding: &'static dyn RsaEncodi
 	signature
 }
 
-fn check_cert<'a, 'b>(
+fn check_cert<'a, 'b, S: SigningKey + 'a>(
 	cert_der: &CertificateDer<'_>,
 	cert: &'a Certificate,
-	cert_key: &'a KeyPair,
+	cert_key: &'a S,
 	alg: &dyn SignatureVerificationAlgorithm,
-	sign_fn: impl FnOnce(&'a KeyPair, &'b [u8]) -> Vec<u8>,
+	sign_fn: impl FnOnce(&'a S, &'b [u8]) -> Vec<u8>,
 ) {
 	#[cfg(feature = "pem")]
 	{
@@ -66,13 +66,13 @@ fn check_cert<'a, 'b>(
 	check_cert_ca(cert_der, cert_key, cert_der, alg, alg, sign_fn);
 }
 
-fn check_cert_ca<'a, 'b>(
+fn check_cert_ca<'a, 'b, S: SigningKey + 'a>(
 	cert_der: &CertificateDer<'_>,
-	cert_key: &'a KeyPair,
+	cert_key: &'a S,
 	ca_der: &CertificateDer<'_>,
 	cert_alg: &dyn SignatureVerificationAlgorithm,
 	ca_alg: &dyn SignatureVerificationAlgorithm,
-	sign_fn: impl FnOnce(&'a KeyPair, &'b [u8]) -> Vec<u8>,
+	sign_fn: impl FnOnce(&'a S, &'b [u8]) -> Vec<u8>,
 ) {
 	let trust_anchor = anchor_from_trusted_cert(ca_der).unwrap();
 	let trust_anchor_list = &[trust_anchor];
@@ -352,7 +352,7 @@ fn from_remote() {
 		&rng,
 	)
 	.unwrap();
-	let remote = KeyPair::from_remote(Box::new(Remote(remote))).unwrap();
+	let remote = Remote(remote);
 
 	let (params, _) = util::default_params();
 	let cert = params.self_signed(&remote).unwrap();
