bump rcgen to 0.14.2

Recent versions of rcgen contain nice features, so I decided to bump the
crate and fix all breaking changes first before our usage of it is
expanded by the pkcs11 create key PR.

Relevant features:
- `0.13.0`
	- P521 support
	- only supports RSA PKCS#1 v1.5, which is vulnerable to [Marvin
	Attack](https://people.redhat.com/~hkario/marvin/), new versions of
	`rcgen` might have RSA PSS signatures added in the future
	- The API used to create/issue key pairs, certificates, certificate
	signing requests (CSRs), and certificate revocation lists (CRLs) has
	been restructured to emphasize consistency and avoid common errors
	with serialization. (better to fix breaking changes ASAP)
	- Support for using `aws-lc-rs` in `fips` mode
- `0.13.1`
	- Several improvements to the capabilities available when working
	with certificate signing requests
		- Enable signing without private key
- `0.14.0`
	- better remote signing API (`RemoteKeyPair` changed to
	`SigningKey`)

Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>

Author: Bravo555

Cargo.lock

@@ -159,7 +159,7 @@ quote = "1"
 rand = "0.8"
 rasn = "0.18" # Not using the latest version which requires rust 1.85
 rasn-cms = "0.18" # Not using the latest version which requires rust 1.85
-rcgen = { version = "0.12", features = ["pem", "zeroize"] }
+rcgen = { version = "0.14", features = ["pem", "zeroize"] }
 regex = "1.4"
 reqwest = { version = "0.12", default-features = false }
 ron = "0.8"

Cargo.toml

@@ -175,9 +175,7 @@ mod tests {
         let permitted_certificate =
             rcgen::generate_simple_self_signed(vec!["not-my-client".into()]).unwrap();
         let mut roots = RootCertStore::empty();
-        roots
-            .add(permitted_certificate.serialize_der().unwrap().into())
-            .unwrap();
+        roots.add(permitted_certificate.cert.der().clone()).unwrap();
         let server = Server::with_trusted_roots(roots);
         let client = Client::builder()
             .add_root_certificate(server.certificate.clone())
@@ -198,9 +196,7 @@ mod tests {
         let permitted_certificate =
             rcgen::generate_simple_self_signed(vec!["not-my-client".into()]).unwrap();
         let mut roots = RootCertStore::empty();
-        roots
-            .add(permitted_certificate.serialize_der().unwrap().into())
-            .unwrap();
+        roots.add(permitted_certificate.cert.der().clone()).unwrap();
         let server = Server::with_trusted_roots(roots);
         let client = Client::builder()
             .add_root_certificate(server.certificate.clone())
@@ -223,9 +219,8 @@ mod tests {
         let client_cert = rcgen::generate_simple_self_signed(["my-client".into()]).unwrap();
         let identity = identity_from(&client_cert);
         let mut cert_store = RootCertStore::empty();
-        cert_store.add_parsable_certificates([CertificateDer::from(
-            client_cert.serialize_der().unwrap(),
-        )]);
+        cert_store
+            .add_parsable_certificates([CertificateDer::from(client_cert.cert.der().as_ref())]);
 
         let server = Server::with_trusted_roots(cert_store);
         let client = Client::builder()
@@ -253,9 +248,9 @@ mod tests {
         identity_from(&client_cert)
     }
 
-    fn identity_from(cert: &rcgen::Certificate) -> Identity {
-        let mut pem = cert.serialize_private_key_pem().into_bytes();
-        pem.append(&mut cert.serialize_pem().unwrap().into_bytes());
+    fn identity_from(cert: &rcgen::CertifiedKey<rcgen::KeyPair>) -> Identity {
+        let mut pem = cert.signing_key.serialize_pem().into_bytes();
+        pem.append(&mut cert.cert.pem().into_bytes());
         Identity::from_pem(&pem).unwrap()
     }
 
@@ -293,9 +288,9 @@ mod tests {
                 port += 1;
             };
             let certificate = rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap();
-            let certificate_der = CertificateDer::from(certificate.serialize_der().unwrap());
+            let certificate_der = certificate.cert.der().clone();
             let private_key_der =
-                PrivateKeyDer::from_pem_slice(certificate.serialize_private_key_pem().as_bytes())
+                PrivateKeyDer::from_pem_slice(certificate.signing_key.serialize_pem().as_bytes())
                     .unwrap();
             let certificate = reqwest::Certificate::from_der(&certificate_der).unwrap();
             let config = ssl_config(vec![certificate_der], private_key_der, trusted_roots).unwrap();

crates/common/axum_tls/src/acceptor.rs

@@ -49,8 +49,8 @@ use yansi::Paint;
 /// use tedge_config::{OptionalConfig, TEdgeConfig};
 ///
 /// let cert = rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap();
-/// let cert_pem = cert.serialize_pem().unwrap();
-/// let key_pem = cert.serialize_private_key_pem();
+/// let cert_pem = cert.cert.pem();
+/// let key_pem = cert.signing_key.serialize_pem();
 ///
 /// let config = load_ssl_config(
 ///     OptionalConfig::present(InjectedValue(cert_pem), "http.cert_path"),
@@ -147,7 +147,7 @@ pub trait TrustStoreLoader {
 /// use axum_tls::config::InjectedValue;
 /// use axum_tls::load_cert;
 /// let cert = rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap();
-/// let pem_data = cert.serialize_pem().unwrap();
+/// let pem_data = cert.cert.pem();
 ///
 /// let loaded_chain = load_cert(&InjectedValue(pem_data)).unwrap();
 ///

crates/common/axum_tls/src/config.rs

@@ -1,7 +1,6 @@
 use anyhow::Context;
 use camino::Utf8Path;
 use device_id::DeviceIdError;
-use rcgen::Certificate;
 use rcgen::CertificateParams;
 use rcgen::KeyPair;
 use sha1::Digest;
@@ -224,17 +223,17 @@ pub struct RemoteKeyPair {
     algorithm: &'static rcgen::SignatureAlgorithm,
 }
 
-impl RemoteKeyPair {
-    pub fn to_key_pair(&self) -> Result<KeyPair, CertificateError> {
-        Ok(KeyPair::from_remote(Box::new(self.clone()))?)
+impl rcgen::PublicKeyData for RemoteKeyPair {
+    fn der_bytes(&self) -> &[u8] {
+        &self.public_key_raw
     }
-}
 
-impl rcgen::RemoteKeyPair for RemoteKeyPair {
-    fn public_key(&self) -> &[u8] {
-        &self.public_key_raw
+    fn algorithm(&self) -> &'static rcgen::SignatureAlgorithm {
+        self.algorithm
     }
+}
 
+impl rcgen::SigningKey for RemoteKeyPair {
     fn sign(&self, msg: &[u8]) -> Result<Vec<u8>, rcgen::Error> {
         // the error here is not PEM-related, but we need to return a foreign error type, and there
         // are no other better variants that could let us return context, so we'll have to use this
@@ -245,14 +244,43 @@ impl rcgen::RemoteKeyPair for RemoteKeyPair {
             .sign(msg)
             .map_err(|e| rcgen::Error::PemError(e.to_string()))
     }
+}
+
+pub struct KeyCertPair {
+    certificate: rcgen::Certificate,
+    // in rcgen 0.14 params are necessary to generate the CSR
+    params: rcgen::CertificateParams,
+    signing_key: SigningKeyWrapper,
+}
+
+enum SigningKeyWrapper {
+    Local(Zeroizing<rcgen::KeyPair>),
+    Remote(RemoteKeyPair),
+}
+
+impl rcgen::PublicKeyData for SigningKeyWrapper {
+    fn der_bytes(&self) -> &[u8] {
+        match self {
+            Self::Local(k) => k.der_bytes(),
+            Self::Remote(k) => k.der_bytes(),
+        }
+    }
 
     fn algorithm(&self) -> &'static rcgen::SignatureAlgorithm {
-        self.algorithm
+        match self {
+            Self::Local(k) => k.algorithm(),
+            Self::Remote(k) => k.algorithm(),
+        }
     }
 }
 
-pub struct KeyCertPair {
-    certificate: Zeroizing<rcgen::Certificate>,
+impl rcgen::SigningKey for SigningKeyWrapper {
+    fn sign(&self, msg: &[u8]) -> Result<Vec<u8>, rcgen::Error> {
+        match self {
+            Self::Local(k) => k.sign(msg),
+            Self::Remote(k) => k.sign(msg),
+        }
+    }
 }
 
 impl KeyCertPair {
@@ -263,11 +291,13 @@ impl KeyCertPair {
     ) -> Result<KeyCertPair, CertificateError> {
         let today = OffsetDateTime::now_utc();
         let not_before = today - Duration::days(1); // Ensure the certificate is valid today
-        let params =
+        let (params, signing_key) =
             Self::create_selfsigned_certificate_parameters(config, id, key_kind, not_before)?;
 
         Ok(KeyCertPair {
-            certificate: Zeroizing::new(Certificate::from_params(params)?),
+            certificate: params.self_signed(&signing_key)?,
+            signing_key,
+            params,
         })
     }
 
@@ -278,11 +308,14 @@ impl KeyCertPair {
     ) -> Result<KeyCertPair, CertificateError> {
         // Create Certificate without `not_before` and `not_after` fields
         // as rcgen library will not parse it for certificate signing request
-        let params = Self::create_csr_parameters(config, id, key_kind)?;
+        let (params, signing_key) = Self::create_csr_parameters(config, id, key_kind)?;
+        let issuer = rcgen::Issuer::from_params(&params, &signing_key);
         Ok(KeyCertPair {
-            certificate: Zeroizing::new(
-                Certificate::from_params(params).context("Failed to create CSR")?,
-            ),
+            certificate: params
+                .signed_by(&signing_key, &issuer)
+                .context("Failed to create CSR")?,
+            signing_key,
+            params,
         })
     }
 
@@ -291,8 +324,8 @@ impl KeyCertPair {
         id: &str,
         key_kind: &KeyKind,
         not_before: OffsetDateTime,
-    ) -> Result<CertificateParams, CertificateError> {
-        let mut params = Self::create_csr_parameters(config, id, key_kind)?;
+    ) -> Result<(CertificateParams, SigningKeyWrapper), CertificateError> {
+        let (mut params, signing_key) = Self::create_csr_parameters(config, id, key_kind)?;
 
         let not_after = not_before + Duration::days(config.validity_period_days.into());
         params.not_before = not_before;
@@ -301,14 +334,14 @@ impl KeyCertPair {
         // IsCa::SelfSignedOnly is rejected by C8Y with "422 Unprocessable Entity"
         params.is_ca = rcgen::IsCa::Ca(rcgen::BasicConstraints::Unconstrained);
 
-        Ok(params)
+        Ok((params, signing_key))
     }
 
     fn create_csr_parameters(
         config: &CsrTemplate,
         id: &str,
         key_kind: &KeyKind,
-    ) -> Result<CertificateParams, CertificateError> {
+    ) -> Result<(CertificateParams, SigningKeyWrapper), CertificateError> {
         KeyCertPair::check_identifier(id, config.max_cn_size)?;
         let mut distinguished_name = rcgen::DistinguishedName::new();
         distinguished_name.push(rcgen::DnType::CommonName, id);
@@ -321,38 +354,38 @@ impl KeyCertPair {
         let mut params = CertificateParams::default();
         params.distinguished_name = distinguished_name;
 
-        match key_kind {
+        let signing_key: SigningKeyWrapper = match key_kind {
             KeyKind::New => {
                 // ECDSA signing using the P-256 curves and SHA-256 hashing as per RFC 5758
-                params.alg = &rcgen::PKCS_ECDSA_P256_SHA256;
+                SigningKeyWrapper::Local(Zeroizing::new(KeyPair::generate_for(
+                    &rcgen::PKCS_ECDSA_P256_SHA256,
+                )?))
             }
             KeyKind::Reuse { keypair_pem } => {
                 // Use the same signing algorithm as the existing key
                 // Failing to do so leads to an error telling the algorithm is not compatible
-                let key_pair = KeyPair::from_pem(keypair_pem)?;
-                params.alg = key_pair.algorithm();
-                params.key_pair = Some(key_pair);
-            }
-            KeyKind::ReuseRemote(key_pair) => {
-                let key_pair = key_pair.to_key_pair()?;
-                params.alg = key_pair.algorithm();
-                params.key_pair = Some(key_pair)
+                SigningKeyWrapper::Local(Zeroizing::new(KeyPair::from_pem(keypair_pem)?))
             }
-        }
+            KeyKind::ReuseRemote(remote) => SigningKeyWrapper::Remote(remote.clone()),
+        };
 
-        Ok(params)
+        Ok((params, signing_key))
     }
 
     pub fn certificate_pem_string(&self) -> Result<String, CertificateError> {
-        Ok(self.certificate.serialize_pem()?)
+        Ok(self.certificate.pem())
     }
 
     pub fn private_key_pem_string(&self) -> Result<Zeroizing<String>, CertificateError> {
-        Ok(Zeroizing::new(self.certificate.serialize_private_key_pem()))
+        if let SigningKeyWrapper::Local(keypair) = &self.signing_key {
+            Ok(Zeroizing::new(keypair.serialize_pem()))
+        } else {
+            Err(anyhow::anyhow!("Can't serialize private key PEM for remote private key").into())
+        }
     }
 
     pub fn certificate_signing_request_string(&self) -> Result<String, CertificateError> {
-        Ok(self.certificate.serialize_request_pem()?)
+        Ok(self.params.serialize_request(&self.signing_key)?.pem()?)
     }
 
     fn check_identifier(id: &str, max_cn_size: usize) -> Result<(), CertificateError> {
@@ -555,7 +588,7 @@ mod tests {
         let id = "some-id";
         let birthdate = datetime!(2021-03-31 16:39:57 +01:00);
 
-        let params = KeyCertPair::create_selfsigned_certificate_parameters(
+        let (params, signing_key) = KeyCertPair::create_selfsigned_certificate_parameters(
             &config,
             id,
             &KeyKind::New,
@@ -564,9 +597,11 @@ mod tests {
         .expect("Fail to get a certificate parameters");
 
         let keypair = KeyCertPair {
-            certificate: Zeroizing::new(
-                Certificate::from_params(params).expect("Fail to create a certificate"),
-            ),
+            certificate: params
+                .self_signed(&signing_key)
+                .expect("Fail to create a certificate"),
+            params,
+            signing_key,
         };
 
         // Check the not_before date
@@ -587,7 +622,7 @@ mod tests {
         let id = "some-id";
         let birthdate = datetime!(2021-03-31 16:39:57 +01:00);
 
-        let params = KeyCertPair::create_selfsigned_certificate_parameters(
+        let (params, signing_key) = KeyCertPair::create_selfsigned_certificate_parameters(
             &config,
             id,
             &KeyKind::New,
@@ -596,9 +631,11 @@ mod tests {
         .expect("Fail to get a certificate parameters");
 
         let keypair = KeyCertPair {
-            certificate: Zeroizing::new(
-                Certificate::from_params(params).expect("Fail to create a certificate"),
-            ),
+            certificate: params
+                .self_signed(&signing_key)
+                .expect("Fail to create a certificate"),
+            params,
+            signing_key,
         };
 
         // Check the not_after date
@@ -613,13 +650,16 @@ mod tests {
         let config = CsrTemplate::default();
         let id = "some-id";
 
-        let params = KeyCertPair::create_csr_parameters(&config, id, &KeyKind::New)
+        let (params, signing_key) = KeyCertPair::create_csr_parameters(&config, id, &KeyKind::New)
             .expect("Fail to get a certificate parameters");
 
+        let issuer = rcgen::Issuer::from_params(&params, &signing_key);
         let keypair = KeyCertPair {
-            certificate: Zeroizing::new(
-                Certificate::from_params(params).expect("Fail to create a certificate"),
-            ),
+            certificate: params
+                .signed_by(&signing_key, &issuer)
+                .expect("Fail to create a certificate"),
+            params,
+            signing_key,
         };
 
         // Check the subject

crates/common/certificate/src/lib.rs

@@ -466,7 +466,6 @@ mod tests {
     use axum::Router;
     use hyper::header::AUTHORIZATION;
     use rustls::pki_types::pem::PemObject;
-    use rustls::pki_types::CertificateDer;
     use rustls::pki_types::PrivateKeyDer;
     use rustls::RootCertStore;
     use std::io::Write;
@@ -970,8 +969,8 @@ mod tests {
         let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap();
         let port = listener.local_addr().unwrap().port();
         let server_cert = rcgen::generate_simple_self_signed(["localhost".into()]).unwrap();
-        let cert = CertificateDer::from(server_cert.serialize_der().unwrap());
-        let key = PrivateKeyDer::from_pem_slice(server_cert.serialize_private_key_pem().as_bytes())
+        let cert = server_cert.cert.der().clone();
+        let key = PrivateKeyDer::from_pem_slice(server_cert.signing_key.serialize_pem().as_bytes())
             .unwrap();
         let mut accepted_certs = RootCertStore::empty();
         accepted_certs.add(cert.clone()).unwrap();