Detach sign_der() from KeyPair

Author: djc

rcgen/src/certificate.rs

@@ -10,15 +10,15 @@ use yasna::{DERWriter, Tag};
 
 use crate::crl::CrlDistributionPoint;
 use crate::csr::CertificateSigningRequest;
-use crate::key_pair::{serialize_public_key_der, PublicKeyData};
+use crate::key_pair::{serialize_public_key_der, sign_der, PublicKeyData};
 #[cfg(feature = "crypto")]
 use crate::ring_like::digest;
 #[cfg(feature = "pem")]
 use crate::ENCODE_CONFIG;
 use crate::{
 	oid, write_distinguished_name, write_dt_utc_or_generalized,
 	write_x509_authority_key_identifier, write_x509_extension, DistinguishedName, Error, Issuer,
-	KeyIdMethod, KeyPair, KeyUsagePurpose, SanType, SerialNumber,
+	KeyIdMethod, KeyUsagePurpose, SanType, SerialNumber, SigningKey,
 };
 
 /// An issued certificate together with the parameters used to generate it.
@@ -151,7 +151,7 @@ impl CertificateParams {
 		self,
 		public_key: &impl PublicKeyData,
 		issuer: &Certificate,
-		issuer_key: &KeyPair,
+		issuer_key: &impl SigningKey,
 	) -> Result<Certificate, Error> {
 		let issuer = Issuer {
 			distinguished_name: &issuer.params.distinguished_name,
@@ -168,7 +168,7 @@ impl CertificateParams {
 	///
 	/// The returned [`Certificate`] may be serialized using [`Certificate::der`] and
 	/// [`Certificate::pem`].
-	pub fn self_signed(self, key_pair: &KeyPair) -> Result<Certificate, Error> {
+	pub fn self_signed(self, key_pair: &impl SigningKey) -> Result<Certificate, Error> {
 		let issuer = Issuer {
 			distinguished_name: &self.distinguished_name,
 			key_identifier_method: &self.key_identifier_method,
@@ -531,7 +531,7 @@ impl CertificateParams {
 	/// same output.
 	pub fn serialize_request(
 		&self,
-		subject_key: &KeyPair,
+		subject_key: &impl SigningKey,
 	) -> Result<CertificateSigningRequest, Error> {
 		self.serialize_request_with_attributes(subject_key, Vec::new())
 	}
@@ -549,7 +549,7 @@ impl CertificateParams {
 	/// [RFC 2986]: <https://datatracker.ietf.org/doc/html/rfc2986#section-4>
 	pub fn serialize_request_with_attributes(
 		&self,
-		subject_key: &KeyPair,
+		subject_key: &impl SigningKey,
 		attrs: Vec<Attribute>,
 	) -> Result<CertificateSigningRequest, Error> {
 		// No .. pattern, we use this to ensure every field is used
@@ -597,7 +597,7 @@ impl CertificateParams {
 			|| !extended_key_usages.is_empty()
 			|| !custom_extensions.is_empty();
 
-		let der = subject_key.sign_der(|writer| {
+		let der = sign_der(subject_key, |writer| {
 			// Write version
 			writer.next().write_u8(0);
 			write_distinguished_name(writer.next(), distinguished_name);
@@ -633,9 +633,9 @@ impl CertificateParams {
 	pub(crate) fn serialize_der_with_signer<K: PublicKeyData>(
 		&self,
 		pub_key: &K,
-		issuer: Issuer<'_>,
+		issuer: Issuer<'_, impl SigningKey>,
 	) -> Result<CertificateDer<'static>, Error> {
-		let der = issuer.key_pair.sign_der(|writer| {
+		let der = sign_der(issuer.key_pair, |writer| {
 			let pub_key_spki = pub_key.subject_public_key_info();
 			// Write version
 			writer.next().write_tagged(Tag::context(0), |writer| {
@@ -659,7 +659,7 @@ impl CertificateParams {
 				}
 			};
 			// Write signature algorithm
-			issuer.key_pair.alg.write_alg_ident(writer.next());
+			issuer.key_pair.algorithm().write_alg_ident(writer.next());
 			// Write issuer name
 			write_distinguished_name(writer.next(), &issuer.distinguished_name);
 			// Write validity
@@ -1223,6 +1223,8 @@ pub enum BasicConstraints {
 mod tests {
 	#[cfg(feature = "pem")]
 	use super::*;
+	#[cfg(feature = "crypto")]
+	use crate::KeyPair;
 
 	#[cfg(feature = "crypto")]
 	#[test]

rcgen/src/crl.rs

@@ -5,12 +5,13 @@ use time::OffsetDateTime;
 use yasna::DERWriter;
 use yasna::Tag;
 
+use crate::key_pair::sign_der;
 #[cfg(feature = "pem")]
 use crate::ENCODE_CONFIG;
 use crate::{
 	oid, write_distinguished_name, write_dt_utc_or_generalized,
 	write_x509_authority_key_identifier, write_x509_extension, Certificate, Error, Issuer,
-	KeyIdMethod, KeyPair, KeyUsagePurpose, PublicKeyData, SerialNumber,
+	KeyIdMethod, KeyUsagePurpose, SerialNumber, SigningKey,
 };
 
 /// A certificate revocation list (CRL)
@@ -41,9 +42,7 @@ use crate::{
 /// #[cfg(feature = "crypto")]
 /// let key_pair = KeyPair::generate().unwrap();
 /// #[cfg(not(feature = "crypto"))]
-/// let remote_key_pair = MyKeyPair { public_key: vec![] };
-/// #[cfg(not(feature = "crypto"))]
-/// let key_pair = KeyPair::from_remote(Box::new(remote_key_pair)).unwrap();
+/// let key_pair = MyKeyPair { public_key: vec![] };
 /// let issuer = issuer_params.self_signed(&key_pair).unwrap();
 /// // Describe a revoked certificate.
 /// let revoked_cert = RevokedCertParams{
@@ -194,7 +193,7 @@ impl CertificateRevocationListParams {
 	pub fn signed_by(
 		self,
 		issuer: &Certificate,
-		issuer_key: &KeyPair,
+		issuer_key: &impl SigningKey,
 	) -> Result<CertificateRevocationList, Error> {
 		if self.next_update.le(&self.this_update) {
 			return Err(Error::InvalidCrlNextUpdate);
@@ -217,8 +216,8 @@ impl CertificateRevocationListParams {
 		})
 	}
 
-	fn serialize_der(&self, issuer: Issuer) -> Result<Vec<u8>, Error> {
-		issuer.key_pair.sign_der(|writer| {
+	fn serialize_der(&self, issuer: Issuer<'_, impl SigningKey>) -> Result<Vec<u8>, Error> {
+		sign_der(issuer.key_pair, |writer| {
 			// Write CRL version.
 			// RFC 5280 §5.1.2.1:
 			//   This optional field describes the version of the encoded CRL.  When
@@ -234,7 +233,7 @@ impl CertificateRevocationListParams {
 			// RFC 5280 §5.1.2.2:
 			//   This field MUST contain the same algorithm identifier as the
 			//   signatureAlgorithm field in the sequence CertificateList
-			issuer.key_pair.alg.write_alg_ident(writer.next());
+			issuer.key_pair.algorithm().write_alg_ident(writer.next());
 
 			// Write issuer.
 			// RFC 5280 §5.1.2.3:

rcgen/src/csr.rs

@@ -7,7 +7,7 @@ use pki_types::CertificateSigningRequestDer;
 #[cfg(feature = "pem")]
 use crate::ENCODE_CONFIG;
 use crate::{
-	Certificate, CertificateParams, Error, Issuer, KeyPair, PublicKeyData, SignatureAlgorithm,
+	Certificate, CertificateParams, Error, Issuer, PublicKeyData, SignatureAlgorithm, SigningKey,
 };
 #[cfg(feature = "x509-parser")]
 use crate::{DistinguishedName, SanType};
@@ -203,7 +203,7 @@ impl CertificateSigningRequestParams {
 	pub fn signed_by(
 		self,
 		issuer: &Certificate,
-		issuer_key: &KeyPair,
+		issuer_key: &impl SigningKey,
 	) -> Result<Certificate, Error> {
 		let issuer = Issuer {
 			distinguished_name: &issuer.params.distinguished_name,

rcgen/src/key_pair.rs

@@ -408,58 +408,6 @@ impl KeyPair {
 		std::iter::once(self.alg)
 	}
 
-	pub(crate) fn sign_der(
-		&self,
-		f: impl FnOnce(&mut DERWriterSeq<'_>) -> Result<(), Error>,
-	) -> Result<Vec<u8>, Error> {
-		yasna::try_construct_der(|writer| {
-			writer.write_sequence(|writer| {
-				let data = yasna::try_construct_der(|writer| writer.write_sequence(f))?;
-				writer.next().write_der(&data);
-
-				// Write signatureAlgorithm
-				self.alg.write_alg_ident(writer.next());
-
-				// Write signature
-				self.sign(&data, writer.next())?;
-
-				Ok(())
-			})
-		})
-	}
-
-	pub(crate) fn sign(&self, msg: &[u8], writer: DERWriter) -> Result<(), Error> {
-		match &self.kind {
-			#[cfg(feature = "crypto")]
-			KeyPairKind::Ec(kp) => {
-				let system_random = SystemRandom::new();
-				let signature = kp.sign(&system_random, msg)._err()?;
-				let sig = &signature.as_ref();
-				writer.write_bitvec_bytes(sig, &sig.len() * 8);
-			},
-			#[cfg(feature = "crypto")]
-			KeyPairKind::Ed(kp) => {
-				let signature = kp.sign(msg);
-				let sig = &signature.as_ref();
-				writer.write_bitvec_bytes(sig, &sig.len() * 8);
-			},
-			#[cfg(feature = "crypto")]
-			KeyPairKind::Rsa(kp, padding_alg) => {
-				let system_random = SystemRandom::new();
-				let mut signature = vec![0; rsa_key_pair_public_modulus_len(kp)];
-				kp.sign(*padding_alg, &system_random, msg, &mut signature)
-					._err()?;
-				let sig = &signature.as_ref();
-				writer.write_bitvec_bytes(sig, &sig.len() * 8);
-			},
-			KeyPairKind::Remote(kp) => {
-				let signature = kp.sign(msg)?;
-				writer.write_bitvec_bytes(&signature, &signature.len() * 8);
-			},
-		}
-		Ok(())
-	}
-
 	/// Return the key pair's public key in PEM format
 	///
 	/// The returned string can be interpreted with `openssl pkey --inform PEM -pubout -pubin -text`
@@ -514,6 +462,28 @@ impl KeyPair {
 	}
 }
 
+#[cfg(feature = "crypto")]
+impl SigningKey for KeyPair {
+	fn sign(&self, msg: &[u8]) -> Result<Vec<u8>, Error> {
+		Ok(match &self.kind {
+			KeyPairKind::Ec(kp) => {
+				let system_random = SystemRandom::new();
+				let signature = kp.sign(&system_random, msg)._err()?;
+				signature.as_ref().to_owned()
+			},
+			KeyPairKind::Ed(kp) => kp.sign(msg).as_ref().to_owned(),
+			KeyPairKind::Rsa(kp, padding_alg) => {
+				let system_random = SystemRandom::new();
+				let mut signature = vec![0; rsa_key_pair_public_modulus_len(kp)];
+				kp.sign(*padding_alg, &system_random, msg, &mut signature)
+					._err()?;
+				signature
+			},
+			KeyPairKind::Remote(kp) => kp.sign(msg)?,
+		})
+	}
+}
+
 impl PublicKeyData for KeyPair {
 	fn der_bytes(&self) -> &[u8] {
 		match &self.kind {
@@ -654,6 +624,28 @@ pub enum RsaKeySize {
 	_4096,
 }
 
+pub(crate) fn sign_der(
+	key: &impl SigningKey,
+	f: impl FnOnce(&mut DERWriterSeq<'_>) -> Result<(), Error>,
+) -> Result<Vec<u8>, Error> {
+	yasna::try_construct_der(|writer| {
+		writer.write_sequence(|writer| {
+			let data = yasna::try_construct_der(|writer| writer.write_sequence(f))?;
+			writer.next().write_der(&data);
+
+			// Write signatureAlgorithm
+			key.algorithm().write_alg_ident(writer.next());
+
+			// Write signature
+			let sig = key.sign(&data)?;
+			let writer = writer.next();
+			writer.write_bitvec_bytes(&sig, sig.len() * 8);
+
+			Ok(())
+		})
+	})
+}
+
 /// A key that can be used to sign messages
 ///
 /// Trait objects based on this trait can be passed to the [`KeyPair::from_remote`] function for generating certificates

rcgen/src/lib.rs

@@ -130,11 +130,11 @@ pub fn generate_simple_self_signed(
 	Ok(CertifiedKey { cert, key_pair })
 }
 
-struct Issuer<'a> {
+struct Issuer<'a, S> {
 	distinguished_name: &'a DistinguishedName,
 	key_identifier_method: &'a KeyIdMethod,
 	key_usages: &'a [KeyUsagePurpose],
-	key_pair: &'a KeyPair,
+	key_pair: &'a S,
 }
 
 // https://tools.ietf.org/html/rfc5280#section-4.1.1