foster/denoland-deno
1
0
Fork 0
mirror of https://github.com/denoland/deno.git synced 2024-11-21 15:04:11 -05:00
Code Issues Packages 1 Wiki Activity

chore(ext/crypto): update webcrypto deps (#14452)

Browse source
This commit is contained in:
Divy Srivastava 2022-06-20 16:53:57 +05:30 committed by GitHub
parent 3d6fa64f19
commit 4cbb2567b5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 603 additions and 765 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

662
Cargo.lock generated
View file

File diff suppressed because it is too large Load diff

29
ext/crypto/Cargo.toml
View file

@ -14,26 +14,31 @@ description = "Web Cryptography API implementation for Deno"
path = "lib.rs"
[dependencies]
aes = "0.7.5"
aes-gcm = "0.9.4"
aes-kw = { version = "0.1", features = ["alloc"] }
aes = "0.8.1"
# TODO(@littledivy): Move to stable release
# https://github.com/RustCrypto/AEADs/issues/411
aes-gcm = "0.10.0-pre"
aes-kw = { version = "0.2.1", features = ["alloc"] }
base64 = "0.13.0"
block-modes = "0.8.1"
ctr = "0.8.0"
block-modes = "0.9.1"
cbc = { version = "0.1.2", features = ["alloc"] }
const-oid = "0.9.0"
ctr = "0.9.1"
deno_core = { version = "0.139.0", path = "../../core" }
deno_web = { version = "0.88.0", path = "../web" }
elliptic-curve = { version = "0.10.6", features = ["std", "pem"] }
elliptic-curve = { version = "0.12.1", features = ["std", "pem"] }
num-traits = "0.2.14"
once_cell = "1.10.0"
p256 = { version = "0.9.0", features = ["ecdh"] }
p384 = "0.8.0"
p256 = { version = "0.11.1", features = ["ecdh"] }
p384 = "0.11.1"
rand = "0.8.4"
ring = { version = "0.16.20", features = ["std"] }
rsa = { version = "0.5.0", default-features = false, features = ["std"] }
rsa = { version = "0.7.0-pre", default-features = false, features = ["std"] }
sec1 = "0.3.0"
serde = { version = "1.0.129", features = ["derive"] }
serde_bytes = "0.11"
sha-1 = "0.9.7"
sha2 = "0.9.5"
spki = "0.4.1"
sha-1 = "0.10.0"
sha2 = "0.10.2"
spki = "0.6.0"
tokio = { version = "1.17", features = ["full"] }
uuid = { version = "1.0.0", features = ["v4"] }

78
ext/crypto/decrypt.rs
View file

@ -1,6 +1,7 @@
use crate::shared::*;
use aes::BlockEncrypt;
use aes::NewBlockCipher;
use aes::cipher::block_padding::Pkcs7;
use aes::cipher::BlockDecryptMut;
use aes::cipher::KeyIvInit;
use aes_gcm::aead::generic_array::typenum::U12;
use aes_gcm::aead::generic_array::typenum::U16;
use aes_gcm::aead::generic_array::ArrayLength;
@ -10,20 +11,16 @@ use aes_gcm::aes::Aes256;
use aes_gcm::AeadInPlace;
use aes_gcm::NewAead;
use aes_gcm::Nonce;
use block_modes::BlockMode;
use ctr::cipher::NewCipher;
use ctr::cipher::StreamCipher;
use ctr::flavors::Ctr128BE;
use ctr::flavors::Ctr32BE;
use ctr::flavors::Ctr64BE;
use ctr::flavors::CtrFlavor;
use ctr::Ctr;
use ctr::Ctr128BE;
use ctr::Ctr32BE;
use ctr::Ctr64BE;
use deno_core::error::custom_error;
use deno_core::error::type_error;
use deno_core::error::AnyError;
use deno_core::op;
use deno_core::ZeroCopyBuf;
use rsa::pkcs1::FromRsaPrivateKey;
use rsa::pkcs1::DecodeRsaPrivateKey;
use rsa::PaddingScheme;
use serde::Deserialize;
use sha1::Digest;
@ -153,11 +150,15 @@ fn decrypt_aes_cbc(
let plaintext = match length {
128 => {
// Section 10.3 Step 2 of RFC 2315 https://www.rfc-editor.org/rfc/rfc2315
type Aes128Cbc =
block_modes::Cbc<aes::Aes128, block_modes::block_padding::Pkcs7>;
let cipher = Aes128Cbc::new_from_slices(key, &iv)?;
type Aes128CbcDec = cbc::Decryptor<aes::Aes128>;
let cipher = Aes128CbcDec::new_from_slices(key, &iv).map_err(|_| {
custom_error(
"DOMExceptionOperationError",
"Invalid key or iv".to_string(),
)
})?;
cipher.decrypt_vec(data).map_err(|_| {
cipher.decrypt_padded_vec_mut::<Pkcs7>(data).map_err(|_| {
custom_error(
"DOMExceptionOperationError",
"Decryption failed".to_string(),
@ -166,11 +167,15 @@ fn decrypt_aes_cbc(
}
192 => {
// Section 10.3 Step 2 of RFC 2315 https://www.rfc-editor.org/rfc/rfc2315
type Aes192Cbc =
block_modes::Cbc<aes::Aes192, block_modes::block_padding::Pkcs7>;
let cipher = Aes192Cbc::new_from_slices(key, &iv)?;
type Aes192CbcDec = cbc::Decryptor<aes::Aes192>;
let cipher = Aes192CbcDec::new_from_slices(key, &iv).map_err(|_| {
custom_error(
"DOMExceptionOperationError",
"Invalid key or iv".to_string(),
)
})?;
cipher.decrypt_vec(data).map_err(|_| {
cipher.decrypt_padded_vec_mut::<Pkcs7>(data).map_err(|_| {
custom_error(
"DOMExceptionOperationError",
"Decryption failed".to_string(),
@ -179,11 +184,15 @@ fn decrypt_aes_cbc(
}
256 => {
// Section 10.3 Step 2 of RFC 2315 https://www.rfc-editor.org/rfc/rfc2315
type Aes256Cbc =
block_modes::Cbc<aes::Aes256, block_modes::block_padding::Pkcs7>;
let cipher = Aes256Cbc::new_from_slices(key, &iv)?;
type Aes256CbcDec = cbc::Decryptor<aes::Aes256>;
let cipher = Aes256CbcDec::new_from_slices(key, &iv).map_err(|_| {
custom_error(
"DOMExceptionOperationError",
"Invalid key or iv".to_string(),
)
})?;
cipher.decrypt_vec(data).map_err(|_| {
cipher.decrypt_padded_vec_mut::<Pkcs7>(data).map_err(|_| {
custom_error(
"DOMExceptionOperationError",
"Decryption failed".to_string(),
@ -197,16 +206,15 @@ fn decrypt_aes_cbc(
Ok(plaintext)
}
fn decrypt_aes_ctr_gen<B, F>(
fn decrypt_aes_ctr_gen<B>(
key: &[u8],
counter: &[u8],
data: &[u8],
) -> Result<Vec<u8>, AnyError>
where
B: BlockEncrypt + NewBlockCipher,
F: CtrFlavor<B::BlockSize>,
B: KeyIvInit + StreamCipher,
{
let mut cipher = Ctr::<B, F>::new(key.into(), counter.into());
let mut cipher = B::new(key.into(), counter.into());
let mut plaintext = data.to_vec();
cipher
@ -279,21 +287,21 @@ fn decrypt_aes_ctr(
match ctr_length {
32 => match key_length {
128 => decrypt_aes_ctr_gen::<aes::Aes128, Ctr32BE>(key, counter, data),
192 => decrypt_aes_ctr_gen::<aes::Aes192, Ctr32BE>(key, counter, data),
256 => decrypt_aes_ctr_gen::<aes::Aes256, Ctr32BE>(key, counter, data),
128 => decrypt_aes_ctr_gen::<Ctr32BE<aes::Aes128>>(key, counter, data),
192 => decrypt_aes_ctr_gen::<Ctr32BE<aes::Aes192>>(key, counter, data),
256 => decrypt_aes_ctr_gen::<Ctr32BE<aes::Aes256>>(key, counter, data),
_ => Err(type_error("invalid length")),
},
64 => match key_length {
128 => decrypt_aes_ctr_gen::<aes::Aes128, Ctr64BE>(key, counter, data),
192 => decrypt_aes_ctr_gen::<aes::Aes192, Ctr64BE>(key, counter, data),
256 => decrypt_aes_ctr_gen::<aes::Aes256, Ctr64BE>(key, counter, data),
128 => decrypt_aes_ctr_gen::<Ctr64BE<aes::Aes128>>(key, counter, data),
192 => decrypt_aes_ctr_gen::<Ctr64BE<aes::Aes192>>(key, counter, data),
256 => decrypt_aes_ctr_gen::<Ctr64BE<aes::Aes256>>(key, counter, data),
_ => Err(type_error("invalid length")),
},
128 => match key_length {
128 => decrypt_aes_ctr_gen::<aes::Aes128, Ctr128BE>(key, counter, data),
192 => decrypt_aes_ctr_gen::<aes::Aes192, Ctr128BE>(key, counter, data),
256 => decrypt_aes_ctr_gen::<aes::Aes256, Ctr128BE>(key, counter, data),
128 => decrypt_aes_ctr_gen::<Ctr128BE<aes::Aes128>>(key, counter, data),
192 => decrypt_aes_ctr_gen::<Ctr128BE<aes::Aes192>>(key, counter, data),
256 => decrypt_aes_ctr_gen::<Ctr128BE<aes::Aes256>>(key, counter, data),
_ => Err(type_error("invalid length")),
},
_ => Err(type_error(

148
ext/crypto/ec_key.rs
View file

@ -1,148 +0,0 @@
use deno_core::error::AnyError;
use elliptic_curve::AlgorithmParameters;
use elliptic_curve::pkcs8;
use elliptic_curve::pkcs8::der;
use elliptic_curve::pkcs8::der::asn1::*;
use elliptic_curve::pkcs8::der::Decodable as Pkcs8Decodable;
use elliptic_curve::pkcs8::der::Encodable;
use elliptic_curve::pkcs8::der::TagNumber;
use elliptic_curve::pkcs8::AlgorithmIdentifier;
use elliptic_curve::pkcs8::ObjectIdentifier;
use elliptic_curve::pkcs8::PrivateKeyDocument;
use elliptic_curve::pkcs8::PrivateKeyInfo;
use elliptic_curve::zeroize::Zeroizing;
use crate::shared::*;
const VERSION: u8 = 1;
const PUBLIC_KEY_TAG: TagNumber = TagNumber::new(1);
pub struct ECPrivateKey<'a, C: elliptic_curve::Curve> {
pub algorithm: AlgorithmIdentifier<'a>,
pub private_d: elliptic_curve::FieldBytes<C>,
pub encoded_point: &'a [u8],
}
impl<'a, C> ECPrivateKey<'a, C>
where
C: elliptic_curve::Curve + AlgorithmParameters,
{
/// Create a new ECPrivateKey from a serialized private scalar and encoded public key
pub fn from_private_and_public_bytes(
private_d: elliptic_curve::FieldBytes<C>,
encoded_point: &'a [u8],
) -> Self {
Self {
private_d,
encoded_point,
algorithm: C::algorithm_identifier(),
}
}
pub fn named_curve_oid(&self) -> Result<ObjectIdentifier, AnyError> {
let parameters = self
.algorithm
.parameters
.ok_or_else(|| data_error("malformed parameters"))?;
Ok(parameters.oid().unwrap())
}
fn internal_to_pkcs8_der(&self) -> der::Result<Vec<u8>> {
// Shamelessly copied from pkcs8 crate and modified so as
// to not require Arithmetic trait currently missing from p384
let secret_key_field = OctetString::new(&self.private_d)?;
let public_key_bytes = &self.encoded_point;
let public_key_field = ContextSpecific {
tag_number: PUBLIC_KEY_TAG,
value: BitString::new(public_key_bytes)?.into(),
};
let der_message_fields: &[&dyn Encodable] =
&[&VERSION, &secret_key_field, &public_key_field];
let encoded_len =
der::message::encoded_len(der_message_fields)?.try_into()?;
let mut der_message = Zeroizing::new(vec![0u8; encoded_len]);
let mut encoder = der::Encoder::new(&mut der_message);
encoder.message(der_message_fields)?;
encoder.finish()?;
Ok(der_message.to_vec())
}
pub fn to_pkcs8_der(&self) -> Result<PrivateKeyDocument, AnyError> {
let pkcs8_der = self
.internal_to_pkcs8_der()
.map_err(|_| data_error("expected valid PKCS#8 data"))?;
let pki =
pkcs8::PrivateKeyInfo::new(C::algorithm_identifier(), pkcs8_der.as_ref());
Ok(pki.to_der())
}
}
impl<'a, C: elliptic_curve::Curve> TryFrom<&'a [u8]> for ECPrivateKey<'a, C> {
type Error = AnyError;
fn try_from(bytes: &'a [u8]) -> Result<ECPrivateKey<C>, AnyError> {
let pk_info = PrivateKeyInfo::from_der(bytes)
.map_err(|_| data_error("expected valid PKCS#8 data"))?;
Self::try_from(pk_info)
}
}
impl<'a, C: elliptic_curve::Curve> TryFrom<PrivateKeyInfo<'a>>
for ECPrivateKey<'a, C>
{
type Error = AnyError;
fn try_from(
pk_info: PrivateKeyInfo<'a>,
) -> Result<ECPrivateKey<'a, C>, AnyError> {
let any = der::asn1::Any::from_der(pk_info.private_key).map_err(|_| {
data_error("expected valid PrivateKeyInfo private_key der")
})?;
if pk_info.algorithm.oid != elliptic_curve::ALGORITHM_OID {
return Err(data_error("unsupported algorithm"));
}
any
.sequence(|decoder| {
// ver
if decoder.uint8()? != VERSION {
return Err(der::Tag::Integer.value_error());
}
// private_key
let priv_key = decoder.octet_string()?.as_bytes();
let mut private_d = elliptic_curve::FieldBytes::<C>::default();
if priv_key.len() != private_d.len() {
return Err(der::Tag::Sequence.value_error());
};
private_d.copy_from_slice(priv_key);
let public_key = decoder
.context_specific(PUBLIC_KEY_TAG)?
.ok_or_else(|| {
der::Tag::ContextSpecific(PUBLIC_KEY_TAG).value_error()
})?
.bit_string()?;
Ok(Self {
private_d,
encoded_point: public_key.as_bytes(),
algorithm: pk_info.algorithm,
})
})
.map_err(|_| data_error("expected valid PrivateKeyInfo private_key der"))
}
}

72
ext/crypto/encrypt.rs
View file

@ -1,8 +1,9 @@
use crate::shared::*;
use aes::cipher::NewCipher;
use aes::BlockEncrypt;
use aes::NewBlockCipher;
use aes::cipher::block_padding::Pkcs7;
use aes::cipher::BlockEncryptMut;
use aes::cipher::KeyIvInit;
use aes::cipher::StreamCipher;
use aes_gcm::aead::generic_array::typenum::U12;
use aes_gcm::aead::generic_array::typenum::U16;
use aes_gcm::aead::generic_array::ArrayLength;
@ -12,21 +13,15 @@ use aes_gcm::aes::Aes256;
use aes_gcm::AeadInPlace;
use aes_gcm::NewAead;
use aes_gcm::Nonce;
use ctr::Ctr;
use deno_core::op;
use block_modes::BlockMode;
use ctr::cipher::StreamCipher;
use ctr::flavors::Ctr128BE;
use ctr::flavors::Ctr32BE;
use ctr::flavors::Ctr64BE;
use ctr::flavors::CtrFlavor;
use ctr::Ctr128BE;
use ctr::Ctr32BE;
use ctr::Ctr64BE;
use deno_core::error::type_error;
use deno_core::error::AnyError;
use deno_core::op;
use deno_core::ZeroCopyBuf;
use rand::rngs::OsRng;
use rsa::pkcs1::FromRsaPublicKey;
use rsa::pkcs1::DecodeRsaPublicKey;
use rsa::PaddingScheme;
use rsa::PublicKey;
use serde::Deserialize;
@ -156,27 +151,27 @@ fn encrypt_aes_cbc(
let ciphertext = match length {
128 => {
// Section 10.3 Step 2 of RFC 2315 https://www.rfc-editor.org/rfc/rfc2315
type Aes128Cbc =
block_modes::Cbc<aes::Aes128, block_modes::block_padding::Pkcs7>;
type Aes128CbcEnc = cbc::Encryptor<aes::Aes128>;
let cipher = Aes128Cbc::new_from_slices(key, &iv)?;
cipher.encrypt_vec(data)
let cipher = Aes128CbcEnc::new_from_slices(key, &iv)
.map_err(|_| operation_error("invalid key or iv".to_string()))?;
cipher.encrypt_padded_vec_mut::<Pkcs7>(data)
}
192 => {
// Section 10.3 Step 2 of RFC 2315 https://www.rfc-editor.org/rfc/rfc2315
type Aes192Cbc =
block_modes::Cbc<aes::Aes192, block_modes::block_padding::Pkcs7>;
type Aes192CbcEnc = cbc::Encryptor<aes::Aes192>;
let cipher = Aes192Cbc::new_from_slices(key, &iv)?;
cipher.encrypt_vec(data)
let cipher = Aes192CbcEnc::new_from_slices(key, &iv)
.map_err(|_| operation_error("invalid key or iv".to_string()))?;
cipher.encrypt_padded_vec_mut::<Pkcs7>(data)
}
256 => {
// Section 10.3 Step 2 of RFC 2315 https://www.rfc-editor.org/rfc/rfc2315
type Aes256Cbc =
block_modes::Cbc<aes::Aes256, block_modes::block_padding::Pkcs7>;
type Aes256CbcEnc = cbc::Encryptor<aes::Aes256>;
let cipher = Aes256Cbc::new_from_slices(key, &iv)?;
cipher.encrypt_vec(data)
let cipher = Aes256CbcEnc::new_from_slices(key, &iv)
.map_err(|_| operation_error("invalid key or iv".to_string()))?;
cipher.encrypt_padded_vec_mut::<Pkcs7>(data)
}
_ => return Err(type_error("invalid length")),
};
@ -260,16 +255,15 @@ fn encrypt_aes_gcm(
Ok(ciphertext)
}
fn encrypt_aes_ctr_gen<B, F>(
fn encrypt_aes_ctr_gen<B>(
key: &[u8],
counter: &[u8],
data: &[u8],
) -> Result<Vec<u8>, AnyError>
where
B: BlockEncrypt + NewBlockCipher,
F: CtrFlavor<B::BlockSize>,
B: KeyIvInit + StreamCipher,
{
let mut cipher = Ctr::<B, F>::new(key.into(), counter.into());
let mut cipher = B::new(key.into(), counter.into());
let mut ciphertext = data.to_vec();
cipher
@ -290,21 +284,21 @@ fn encrypt_aes_ctr(
match ctr_length {
32 => match key_length {
128 => encrypt_aes_ctr_gen::<aes::Aes128, Ctr32BE>(key, counter, data),
192 => encrypt_aes_ctr_gen::<aes::Aes192, Ctr32BE>(key, counter, data),
256 => encrypt_aes_ctr_gen::<aes::Aes256, Ctr32BE>(key, counter, data),
128 => encrypt_aes_ctr_gen::<Ctr32BE<aes::Aes128>>(key, counter, data),
192 => encrypt_aes_ctr_gen::<Ctr32BE<aes::Aes192>>(key, counter, data),
256 => encrypt_aes_ctr_gen::<Ctr32BE<aes::Aes256>>(key, counter, data),
_ => Err(type_error("invalid length")),
},
64 => match key_length {
128 => encrypt_aes_ctr_gen::<aes::Aes128, Ctr64BE>(key, counter, data),
192 => encrypt_aes_ctr_gen::<aes::Aes192, Ctr64BE>(key, counter, data),
256 => encrypt_aes_ctr_gen::<aes::Aes256, Ctr64BE>(key, counter, data),
128 => encrypt_aes_ctr_gen::<Ctr64BE<aes::Aes128>>(key, counter, data),
192 => encrypt_aes_ctr_gen::<Ctr64BE<aes::Aes192>>(key, counter, data),
256 => encrypt_aes_ctr_gen::<Ctr64BE<aes::Aes256>>(key, counter, data),
_ => Err(type_error("invalid length")),
},
128 => match key_length {
128 => encrypt_aes_ctr_gen::<aes::Aes128, Ctr128BE>(key, counter, data),
192 => encrypt_aes_ctr_gen::<aes::Aes192, Ctr128BE>(key, counter, data),
256 => encrypt_aes_ctr_gen::<aes::Aes256, Ctr128BE>(key, counter, data),
128 => encrypt_aes_ctr_gen::<Ctr128BE<aes::Aes128>>(key, counter, data),
192 => encrypt_aes_ctr_gen::<Ctr128BE<aes::Aes192>>(key, counter, data),
256 => encrypt_aes_ctr_gen::<Ctr128BE<aes::Aes256>>(key, counter, data),
_ => Err(type_error("invalid length")),
},
_ => Err(type_error(

62
ext/crypto/export_key.rs
View file

@ -1,18 +1,19 @@
use crate::shared::*;
use const_oid::AssociatedOid;
use const_oid::ObjectIdentifier;
use deno_core::error::custom_error;
use deno_core::error::AnyError;
use deno_core::op;
use deno_core::ZeroCopyBuf;
use rsa::pkcs1::UIntBytes;
use elliptic_curve::sec1::ToEncodedPoint;
use p256::pkcs8::DecodePrivateKey;
use rsa::pkcs1::UIntRef;
use serde::Deserialize;
use serde::Serialize;
use spki::der::asn1;
use spki::der::Decodable;
use spki::der::Encodable;
use spki::der::Decode;
use spki::der::Encode;
use spki::AlgorithmIdentifier;
use spki::ObjectIdentifier;
use crate::ec_key::ECPrivateKey;
use crate::shared::*;
#[derive(Deserialize)]
#[serde(rename_all = "camelCase")]
@ -105,7 +106,7 @@ pub fn op_crypto_export_key(
}
}
fn uint_to_b64(bytes: UIntBytes) -> String {
fn uint_to_b64(bytes: UIntRef) -> String {
base64::encode_config(bytes.as_bytes(), base64::URL_SAFE_NO_PAD)
}
@ -125,10 +126,10 @@ fn export_key_rsa(
let key_info = spki::SubjectPublicKeyInfo {
algorithm: spki::AlgorithmIdentifier {
// rsaEncryption(1)
oid: spki::ObjectIdentifier::new("1.2.840.113549.1.1.1"),
oid: const_oid::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.1"),
// parameters field should not be ommited (None).
// It MUST have ASN.1 type NULL.
parameters: Some(asn1::Any::from(asn1::Null)),
parameters: Some(asn1::AnyRef::from(asn1::Null)),
},
subject_public_key,
};
@ -150,14 +151,13 @@ fn export_key_rsa(
// version is 0 when publickey is None
let pk_info = rsa::pkcs8::PrivateKeyInfo {
attributes: None,
public_key: None,
algorithm: rsa::pkcs8::AlgorithmIdentifier {
// rsaEncryption(1)
oid: rsa::pkcs8::ObjectIdentifier::new("1.2.840.113549.1.1.1"),
oid: rsa::pkcs8::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.1"),
// parameters field should not be ommited (None).
// It MUST have ASN.1 type NULL as per defined in RFC 3279 Section 2.3.1
parameters: Some(asn1::Any::from(asn1::Null)),
parameters: Some(asn1::AnyRef::from(asn1::Null)),
},
private_key,
};
@ -266,14 +266,22 @@ fn export_key_ec(
};
let alg_id = match named_curve {
EcNamedCurve::P256 => <p256::NistP256 as p256::elliptic_curve::AlgorithmParameters>::algorithm_identifier(),
EcNamedCurve::P384 => <p384::NistP384 as p384::elliptic_curve::AlgorithmParameters>::algorithm_identifier(),
EcNamedCurve::P521 => return Err(data_error("Unsupported named curve"))
EcNamedCurve::P256 => AlgorithmIdentifier {
oid: elliptic_curve::ALGORITHM_OID,
parameters: Some((&p256::NistP256::OID).into()),
},
EcNamedCurve::P384 => AlgorithmIdentifier {
oid: elliptic_curve::ALGORITHM_OID,
parameters: Some((&p384::NistP384::OID).into()),
},
EcNamedCurve::P521 => {
return Err(data_error("Unsupported named curve"))
}
};
let alg_id = match algorithm {
ExportKeyAlgorithm::Ecdh { .. } => AlgorithmIdentifier {
oid: ObjectIdentifier::new("1.3.132.1.12"),
oid: ObjectIdentifier::new_unwrap("1.3.132.1.12"),
parameters: alg_id.parameters,
},
_ => alg_id,
@ -339,24 +347,22 @@ fn export_key_ec(
match named_curve {
EcNamedCurve::P256 => {
let ec_key = ECPrivateKey::<p256::NistP256>::try_from(private_key)
.map_err(|_| {
let ec_key =
p256::SecretKey::from_pkcs8_der(private_key).map_err(|_| {
custom_error(
"DOMExceptionOperationError",
"failed to decode private key",
)
})?;
let point = p256::EncodedPoint::from_bytes(&ec_key.encoded_point)
.map_err(|_| data_error("expected valid public EC key"))?;
let point = ec_key.public_key().to_encoded_point(false);
if let elliptic_curve::sec1::Coordinates::Uncompressed { x, y } =
point.coordinates()
{
Ok(ExportKeyResult::JwkPrivateEc {
x: bytes_to_b64(x),
y: bytes_to_b64(y),
d: bytes_to_b64(&ec_key.private_d),
d: bytes_to_b64(&ec_key.to_be_bytes()),
})
} else {
Err(data_error("expected valid public EC key"))
@ -364,24 +370,22 @@ fn export_key_ec(
}
EcNamedCurve::P384 => {
let ec_key = ECPrivateKey::<p384::NistP384>::try_from(private_key)
.map_err(|_| {
let ec_key =
p384::SecretKey::from_pkcs8_der(private_key).map_err(|_| {
custom_error(
"DOMExceptionOperationError",
"failed to decode private key",
)
})?;
let point = p384::EncodedPoint::from_bytes(&ec_key.encoded_point)
.map_err(|_| data_error("expected valid public EC key"))?;
let point = ec_key.public_key().to_encoded_point(false);
if let elliptic_curve::sec1::Coordinates::Uncompressed { x, y } =
point.coordinates()
{
Ok(ExportKeyResult::JwkPrivateEc {
x: bytes_to_b64(x),
y: bytes_to_b64(y),
d: bytes_to_b64(&ec_key.private_d),
d: bytes_to_b64(&ec_key.to_be_bytes()),
})
} else {
Err(data_error("expected valid public EC key"))

4
ext/crypto/generate_key.rs
View file

@ -7,7 +7,7 @@ use num_traits::FromPrimitive;
use once_cell::sync::Lazy;
use ring::rand::SecureRandom;
use ring::signature::EcdsaKeyPair;
use rsa::pkcs1::ToRsaPrivateKey;
use rsa::pkcs1::EncodeRsaPrivateKey;
use rsa::BigUint;
use rsa::RsaPrivateKey;
use serde::Deserialize;
@ -76,7 +76,7 @@ fn generate_key_rsa(
.to_pkcs1_der()
.map_err(|_| operation_error("Failed to serialize RSA key"))?;
Ok(private_key.as_ref().to_vec())
Ok(private_key.as_bytes().to_vec())
}
fn generate_key_ec(named_curve: EcNamedCurve) -> Result<Vec<u8>, AnyError> {

115
ext/crypto/import_key.rs
View file

@ -1,20 +1,18 @@
use deno_core::error::AnyError;
use deno_core::op;
use deno_core::ZeroCopyBuf;
use elliptic_curve::pkcs8::der::Decodable as Pkcs8Decodable;
use elliptic_curve::pkcs8::PrivateKeyInfo;
use ring::signature::EcdsaKeyPair;
use rsa::pkcs1::UIntBytes;
use rsa::pkcs8::AlgorithmIdentifier;
use serde::Deserialize;
use serde::Serialize;
use spki::der::Encodable;
use crate::ec_key::ECPrivateKey;
use crate::key::CryptoNamedCurve;
use crate::shared::*;
use crate::OaepPrivateKeyParameters;
use crate::PssPrivateKeyParameters;
use deno_core::error::AnyError;
use deno_core::op;
use deno_core::ZeroCopyBuf;
use elliptic_curve::pkcs8::PrivateKeyInfo;
use p256::pkcs8::EncodePrivateKey;
use ring::signature::EcdsaKeyPair;
use rsa::pkcs1::UIntRef;
use serde::Deserialize;
use serde::Serialize;
use spki::der::Decode;
use spki::der::Encode;
#[derive(Deserialize)]
#[serde(rename_all = "camelCase")]
@ -114,7 +112,7 @@ macro_rules! jwt_b64_int_or_err {
($name:ident, $b64:expr, $err:expr) => {
let bytes = base64::decode_config($b64, URL_SAFE_FORGIVING)
.map_err(|_| data_error($err))?;
let $name = UIntBytes::new(&bytes).map_err(|_| data_error($err))?;
let $name = UIntRef::new(&bytes).map_err(|_| data_error($err))?;
};
}
@ -164,7 +162,6 @@ fn import_key_rsa_jwk(
jwt_b64_int_or_err!(coefficient, &qi, "invalid CRT coefficient");
let private_key = rsa::pkcs1::RsaPrivateKey {
version: rsa::pkcs1::Version::TwoPrime,
modulus,
public_exponent,
private_exponent,
@ -173,6 +170,7 @@ fn import_key_rsa_jwk(
exponent1,
exponent2,
coefficient,
other_prime_infos: None,
};
let data = private_key
@ -193,28 +191,6 @@ fn import_key_rsa_jwk(
}
}
fn validate_mask_gen(
mask_gen_algorithm: &AlgorithmIdentifier,
hash_algorithm: &AlgorithmIdentifier,
) -> Result<(), deno_core::anyhow::Error> {
if mask_gen_algorithm.oid != ID_MFG1 {
return Err(not_supported_error("unsupported mask gen algorithm"));
}
let parameters = mask_gen_algorithm
.parameters_any()
.map_err(|_| not_supported_error("unsupported parameters"))?;
let mgf1_hash_identifier = AlgorithmIdentifier::try_from(parameters)
.map_err(|_| not_supported_error("unsupported parameters"))?;
// The hash function on which MGF1 is based.
mgf1_hash_identifier
.assert_algorithm_oid(hash_algorithm.oid)
.map_err(|_| not_supported_error("unsupported parameters"))?;
Ok(())
}
fn import_key_rsassa(
key_data: KeyData,
hash: ShaHash,
@ -383,7 +359,6 @@ fn import_key_rsapss(
return Err(not_supported_error("unsupported hash algorithm"));
}
validate_mask_gen(&params.mask_gen_algorithm, &hash_alg)?;
hash
}
_ => return Err(data_error("unsupported algorithm")),
@ -446,7 +421,7 @@ fn import_key_rsapss(
.map_err(|_| not_supported_error("malformed parameters"))?;
let hash_alg = params.hash_algorithm;
let hash = match hash_alg.oid {
match hash_alg.oid {
// id-sha1
ID_SHA1_OID => Some(ShaHash::Sha1),
// id-sha256
@ -456,10 +431,7 @@ fn import_key_rsapss(
// id-sha256
ID_SHA512_OID => Some(ShaHash::Sha512),
_ => return Err(data_error("unsupported hash algorithm")),
};
validate_mask_gen(&params.mask_gen_algorithm, &hash_alg)?;
hash
}
}
_ => return Err(data_error("unsupported algorithm")),
};
@ -532,7 +504,7 @@ fn import_key_rsaoaep(
.map_err(|_| data_error("malformed parameters"))?;
let hash_alg = params.hash_algorithm;
let hash = match hash_alg.oid {
match hash_alg.oid {
// id-sha1
ID_SHA1_OID => Some(ShaHash::Sha1),
// id-sha256
@ -542,10 +514,7 @@ fn import_key_rsaoaep(
// id-sha256
ID_SHA512_OID => Some(ShaHash::Sha512),
_ => return Err(data_error("unsupported hash algorithm")),
};
validate_mask_gen(&params.mask_gen_algorithm, &hash_alg)?;
hash
}
}
_ => return Err(data_error("unsupported algorithm")),
};
@ -607,7 +576,7 @@ fn import_key_rsaoaep(
.map_err(|_| not_supported_error("malformed parameters"))?;
let hash_alg = params.hash_algorithm;
let hash = match hash_alg.oid {
match hash_alg.oid {
// id-sha1
ID_SHA1_OID => Some(ShaHash::Sha1),
// id-sha256
@ -617,9 +586,7 @@ fn import_key_rsaoaep(
// id-sha256
ID_SHA512_OID => Some(ShaHash::Sha512),
_ => return Err(data_error("unsupported hash algorithm")),
};
validate_mask_gen(&params.mask_gen_algorithm, &hash_alg)?;
hash
}
}
_ => return Err(data_error("unsupported algorithm")),
};
@ -716,30 +683,18 @@ fn import_key_ec_jwk(
})
}
KeyData::JwkPrivateEc { d, x, y } => {
let point_bytes = import_key_ec_jwk_to_point(x, y, named_curve)?;
jwt_b64_int_or_err!(private_d, &d, "invalid JWK private key");
let point_bytes = import_key_ec_jwk_to_point(x, y, named_curve)?;
let pkcs8_der = match named_curve {
EcNamedCurve::P256 => {
let d = decode_b64url_to_field_bytes::<p256::NistP256>(&d)?;
let pk =
ECPrivateKey::<p256::NistP256>::from_private_and_public_bytes(
d,
&point_bytes,
);
let pk = p256::SecretKey::from_be_bytes(&d)?;
pk.to_pkcs8_der()?
}
EcNamedCurve::P384 => {
let d = decode_b64url_to_field_bytes::<p384::NistP384>(&d)?;
let pk =
ECPrivateKey::<p384::NistP384>::from_private_and_public_bytes(
d,
&point_bytes,
);
let pk = p384::SecretKey::from_be_bytes(&d)?;
pk.to_pkcs8_der()?
}
@ -764,7 +719,7 @@ fn import_key_ec_jwk(
);
Ok(ImportKeyResult::Ec {
raw_data: RawKeyData::Private(pkcs8_der.as_ref().to_vec().into()),
raw_data: RawKeyData::Private(pkcs8_der.as_bytes().to_vec().into()),
})
}
_ => unreachable!(),
@ -775,11 +730,11 @@ pub struct ECParametersSpki {
pub named_curve_alg: spki::der::asn1::ObjectIdentifier,
}
impl<'a> TryFrom<spki::der::asn1::Any<'a>> for ECParametersSpki {
impl<'a> TryFrom<spki::der::asn1::AnyRef<'a>> for ECParametersSpki {
type Error = spki::der::Error;
fn try_from(
any: spki::der::asn1::Any<'a>,
any: spki::der::asn1::AnyRef<'a>,
) -> spki::der::Result<ECParametersSpki> {
let x = any.oid()?;
@ -824,15 +779,14 @@ fn import_key_ec(
// 2-7
// Deserialize PKCS8 - validate structure, extracts named_curve
let named_curve_alg = match named_curve {
EcNamedCurve::P256 => {
let pk = ECPrivateKey::<p256::NistP256>::try_from(data.as_ref())?;
pk.named_curve_oid().unwrap()
}
EcNamedCurve::P384 => {
let pk = ECPrivateKey::<p384::NistP384>::try_from(data.as_ref())?;
pk.named_curve_oid().unwrap()
EcNamedCurve::P256 | EcNamedCurve::P384 => {
let pk = PrivateKeyInfo::from_der(data.as_ref())
.map_err(|_| data_error("expected valid PKCS#8 data"))?;
pk.algorithm
.parameters
.ok_or_else(|| data_error("malformed parameters"))?
.oid()
.unwrap()
}
EcNamedCurve::P521 => {
return Err(data_error("Unsupported named curve"))
@ -922,7 +876,6 @@ fn import_key_ec(
p256::EncodedPoint::from_bytes(&*encoded_key).map_err(|_| {
data_error("invalid P-256 eliptic curve SPKI data")
})?;
if point.is_identity() {
return Err(data_error("invalid P-256 eliptic curve point"));
}
@ -957,7 +910,7 @@ fn import_key_ec(
}
Ok(ImportKeyResult::Ec {
raw_data: RawKeyData::Public(encoded_key.to_vec().into()),
raw_data: RawKeyData::Public(encoded_key.into()),
})
}
KeyData::JwkPublicEc { .. } | KeyData::JwkPrivateEc { .. } => {

111
ext/crypto/lib.rs
View file

@ -17,10 +17,8 @@ use deno_core::ZeroCopyBuf;
use serde::Deserialize;
use shared::operation_error;
use std::num::NonZeroU32;
use p256::elliptic_curve::sec1::FromEncodedPoint;
use p256::pkcs8::FromPrivateKey;
use p256::pkcs8::DecodePrivateKey;
use rand::rngs::OsRng;
use rand::rngs::StdRng;
use rand::thread_rng;
@ -37,10 +35,10 @@ use ring::signature::EcdsaSigningAlgorithm;
use ring::signature::EcdsaVerificationAlgorithm;
use ring::signature::KeyPair;
use rsa::padding::PaddingScheme;
use rsa::pkcs1::der::Decodable;
use rsa::pkcs1::der::Encodable;
use rsa::pkcs1::FromRsaPrivateKey;
use rsa::pkcs1::FromRsaPublicKey;
use rsa::pkcs1::der::Decode;
use rsa::pkcs1::der::Encode;
use rsa::pkcs1::DecodeRsaPrivateKey;
use rsa::pkcs1::DecodeRsaPublicKey;
use rsa::pkcs8::der::asn1;
use rsa::PublicKey;
use rsa::RsaPrivateKey;
@ -51,12 +49,12 @@ use sha2::Sha256;
use sha2::Sha384;
use sha2::Sha512;
use std::convert::TryFrom;
use std::num::NonZeroU32;
use std::path::PathBuf;
pub use rand; // Re-export rand
mod decrypt;
mod ec_key;
mod encrypt;
mod export_key;
mod generate_key;
@ -537,11 +535,10 @@ pub async fn op_crypto_derive_bits(
type_error("Unexpected error decoding private key")
})?;
let pk: Option<p256::PublicKey> =
p256::PublicKey::from_encoded_point(&point);
if let Some(pk) = pk {
pk
let pk = p256::PublicKey::from_encoded_point(&point);
// pk is a constant time Option.
if pk.is_some().into() {
pk.unwrap()
} else {
return Err(type_error(
"Unexpected error decoding private key",
@ -552,11 +549,12 @@ pub async fn op_crypto_derive_bits(
};
let shared_secret = p256::elliptic_curve::ecdh::diffie_hellman(
secret_key.to_secret_scalar(),
secret_key.to_nonzero_scalar(),
public_key.as_affine(),
);
Ok(shared_secret.as_bytes().to_vec().into())
// raw serialized x-coordinate of the computed point
Ok(shared_secret.raw_secret_bytes().to_vec().into())
}
// TODO(@littledivy): support for P384
// https://github.com/RustCrypto/elliptic-curves/issues/240
@ -654,7 +652,7 @@ static SHA1_HASH_ALGORITHM: Lazy<rsa::pkcs8::AlgorithmIdentifier<'static>> =
// id-sha1
oid: ID_SHA1_OID,
// NULL
parameters: Some(asn1::Any::from(asn1::Null)),
parameters: Some(asn1::AnyRef::from(asn1::Null)),
}
});
@ -675,7 +673,7 @@ static MGF1_SHA1_MASK_ALGORITHM: Lazy<
oid: ID_MFG1,
// sha1
parameters: Some(
asn1::Any::from_der(&ENCODED_SHA1_HASH_ALGORITHM).unwrap(),
asn1::AnyRef::from_der(&ENCODED_SHA1_HASH_ALGORITHM).unwrap(),
),
}
});
@ -695,33 +693,51 @@ static P_SPECIFIED_EMPTY: Lazy<rsa::pkcs8::AlgorithmIdentifier<'static>> =
// id-pSpecified
oid: ID_P_SPECIFIED,
// EncodingParameters
parameters: Some(asn1::Any::from(asn1::OctetString::new(b"").unwrap())),
parameters: Some(asn1::AnyRef::from(
asn1::OctetStringRef::new(b"").unwrap(),
)),
}
});
impl<'a> TryFrom<rsa::pkcs8::der::asn1::Any<'a>>
fn decode_content_tag<'a, T>(
decoder: &mut rsa::pkcs8::der::SliceReader<'a>,
tag: rsa::pkcs8::der::TagNumber,
) -> rsa::pkcs8::der::Result<Option<T>>
where
T: rsa::pkcs8::der::Decode<'a>,
{
Ok(
rsa::pkcs8::der::asn1::ContextSpecific::<T>::decode_explicit(decoder, tag)?
.map(|field| field.value),
)
}
impl<'a> TryFrom<rsa::pkcs8::der::asn1::AnyRef<'a>>
for PssPrivateKeyParameters<'a>
{
type Error = rsa::pkcs8::der::Error;
fn try_from(
any: rsa::pkcs8::der::asn1::Any<'a>,
) -> rsa::pkcs8::der::Result<PssPrivateKeyParameters> {
any: rsa::pkcs8::der::asn1::AnyRef<'a>,
) -> rsa::pkcs8::der::Result<PssPrivateKeyParameters<'a>> {
any.sequence(|decoder| {
let hash_algorithm = decoder
.context_specific(HASH_ALGORITHM_TAG)?
let hash_algorithm =
decode_content_tag::<rsa::pkcs8::AlgorithmIdentifier>(
decoder,
HASH_ALGORITHM_TAG,
)?
.map(TryInto::try_into)
.transpose()?
.unwrap_or(*SHA1_HASH_ALGORITHM);
let mask_gen_algorithm = decoder
.context_specific(MASK_GEN_ALGORITHM_TAG)?
.map(TryInto::try_into)
.transpose()?
.unwrap_or(*MGF1_SHA1_MASK_ALGORITHM);
let mask_gen_algorithm = decode_content_tag::<
rsa::pkcs8::AlgorithmIdentifier,
>(decoder, MASK_GEN_ALGORITHM_TAG)?
.map(TryInto::try_into)
.transpose()?
.unwrap_or(*MGF1_SHA1_MASK_ALGORITHM);
let salt_length = decoder
.context_specific(SALT_LENGTH_TAG)?
let salt_length = decode_content_tag::<u32>(decoder, SALT_LENGTH_TAG)?
.map(TryInto::try_into)
.transpose()?
.unwrap_or(20);
@ -749,32 +765,37 @@ pub struct OaepPrivateKeyParameters<'a> {
pub p_source_algorithm: rsa::pkcs8::AlgorithmIdentifier<'a>,
}
impl<'a> TryFrom<rsa::pkcs8::der::asn1::Any<'a>>
impl<'a> TryFrom<rsa::pkcs8::der::asn1::AnyRef<'a>>
for OaepPrivateKeyParameters<'a>
{
type Error = rsa::pkcs8::der::Error;
fn try_from(
any: rsa::pkcs8::der::asn1::Any<'a>,
) -> rsa::pkcs8::der::Result<OaepPrivateKeyParameters> {
any: rsa::pkcs8::der::asn1::AnyRef<'a>,
) -> rsa::pkcs8::der::Result<OaepPrivateKeyParameters<'a>> {
any.sequence(|decoder| {
let hash_algorithm = decoder
.context_specific(HASH_ALGORITHM_TAG)?
let hash_algorithm =
decode_content_tag::<rsa::pkcs8::AlgorithmIdentifier>(
decoder,
HASH_ALGORITHM_TAG,
)?
.map(TryInto::try_into)
.transpose()?
.unwrap_or(*SHA1_HASH_ALGORITHM);
let mask_gen_algorithm = decoder
.context_specific(MASK_GEN_ALGORITHM_TAG)?
.map(TryInto::try_into)
.transpose()?
.unwrap_or(*MGF1_SHA1_MASK_ALGORITHM);
let mask_gen_algorithm = decode_content_tag::<
rsa::pkcs8::AlgorithmIdentifier,
>(decoder, MASK_GEN_ALGORITHM_TAG)?
.map(TryInto::try_into)
.transpose()?
.unwrap_or(*MGF1_SHA1_MASK_ALGORITHM);
let p_source_algorithm = decoder
.context_specific(P_SOURCE_ALGORITHM_TAG)?
.map(TryInto::try_into)
.transpose()?
.unwrap_or(*P_SPECIFIED_EMPTY);
let p_source_algorithm = decode_content_tag::<
rsa::pkcs8::AlgorithmIdentifier,
>(decoder, P_SOURCE_ALGORITHM_TAG)?
.map(TryInto::try_into)
.transpose()?
.unwrap_or(*P_SPECIFIED_EMPTY);
Ok(Self {
hash_algorithm,

87
ext/crypto/shared.rs
View file

@ -5,48 +5,46 @@ use deno_core::error::type_error;
use deno_core::error::AnyError;
use deno_core::ZeroCopyBuf;
use elliptic_curve::sec1::ToEncodedPoint;
use p256::pkcs8::FromPrivateKey;
use rsa::pkcs1::FromRsaPrivateKey;
use rsa::pkcs1::ToRsaPublicKey;
use rsa::pkcs1::DecodeRsaPrivateKey;
use rsa::pkcs1::EncodeRsaPublicKey;
use rsa::pkcs8::DecodePrivateKey;
use rsa::RsaPrivateKey;
use serde::Deserialize;
use serde::Serialize;
use crate::ec_key::ECPrivateKey;
pub const RSA_ENCRYPTION_OID: const_oid::ObjectIdentifier =
const_oid::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.1");
pub const SHA1_RSA_ENCRYPTION_OID: const_oid::ObjectIdentifier =
const_oid::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.5");
pub const SHA256_RSA_ENCRYPTION_OID: const_oid::ObjectIdentifier =
const_oid::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.11");
pub const SHA384_RSA_ENCRYPTION_OID: const_oid::ObjectIdentifier =
const_oid::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.12");
pub const SHA512_RSA_ENCRYPTION_OID: const_oid::ObjectIdentifier =
const_oid::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.13");
pub const RSASSA_PSS_OID: const_oid::ObjectIdentifier =
const_oid::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.10");
pub const ID_SHA1_OID: const_oid::ObjectIdentifier =
const_oid::ObjectIdentifier::new_unwrap("1.3.14.3.2.26");
pub const ID_SHA256_OID: const_oid::ObjectIdentifier =
const_oid::ObjectIdentifier::new_unwrap("2.16.840.1.101.3.4.2.1");
pub const ID_SHA384_OID: const_oid::ObjectIdentifier =
const_oid::ObjectIdentifier::new_unwrap("2.16.840.1.101.3.4.2.2");
pub const ID_SHA512_OID: const_oid::ObjectIdentifier =
const_oid::ObjectIdentifier::new_unwrap("2.16.840.1.101.3.4.2.3");
pub const ID_MFG1: const_oid::ObjectIdentifier =
const_oid::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.8");
pub const RSAES_OAEP_OID: const_oid::ObjectIdentifier =
const_oid::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.7");
pub const ID_P_SPECIFIED: const_oid::ObjectIdentifier =
const_oid::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.9");
pub const RSA_ENCRYPTION_OID: rsa::pkcs8::ObjectIdentifier =
rsa::pkcs8::ObjectIdentifier::new("1.2.840.113549.1.1.1");
pub const SHA1_RSA_ENCRYPTION_OID: rsa::pkcs8::ObjectIdentifier =
rsa::pkcs8::ObjectIdentifier::new("1.2.840.113549.1.1.5");
pub const SHA256_RSA_ENCRYPTION_OID: rsa::pkcs8::ObjectIdentifier =
rsa::pkcs8::ObjectIdentifier::new("1.2.840.113549.1.1.11");
pub const SHA384_RSA_ENCRYPTION_OID: rsa::pkcs8::ObjectIdentifier =
rsa::pkcs8::ObjectIdentifier::new("1.2.840.113549.1.1.12");
pub const SHA512_RSA_ENCRYPTION_OID: rsa::pkcs8::ObjectIdentifier =
rsa::pkcs8::ObjectIdentifier::new("1.2.840.113549.1.1.13");
pub const RSASSA_PSS_OID: rsa::pkcs8::ObjectIdentifier =
rsa::pkcs8::ObjectIdentifier::new("1.2.840.113549.1.1.10");
pub const ID_SHA1_OID: rsa::pkcs8::ObjectIdentifier =
rsa::pkcs8::ObjectIdentifier::new("1.3.14.3.2.26");
pub const ID_SHA256_OID: rsa::pkcs8::ObjectIdentifier =
rsa::pkcs8::ObjectIdentifier::new("2.16.840.1.101.3.4.2.1");
pub const ID_SHA384_OID: rsa::pkcs8::ObjectIdentifier =
rsa::pkcs8::ObjectIdentifier::new("2.16.840.1.101.3.4.2.2");
pub const ID_SHA512_OID: rsa::pkcs8::ObjectIdentifier =
rsa::pkcs8::ObjectIdentifier::new("2.16.840.1.101.3.4.2.3");
pub const ID_MFG1: rsa::pkcs8::ObjectIdentifier =
rsa::pkcs8::ObjectIdentifier::new("1.2.840.113549.1.1.8");
pub const RSAES_OAEP_OID: rsa::pkcs8::ObjectIdentifier =
rsa::pkcs8::ObjectIdentifier::new("1.2.840.113549.1.1.7");
pub const ID_P_SPECIFIED: rsa::pkcs8::ObjectIdentifier =
rsa::pkcs8::ObjectIdentifier::new("1.2.840.113549.1.1.9");
pub const ID_SECP256R1_OID: rsa::pkcs8::ObjectIdentifier =
rsa::pkcs8::ObjectIdentifier::new("1.2.840.10045.3.1.7");
pub const ID_SECP384R1_OID: rsa::pkcs8::ObjectIdentifier =
rsa::pkcs8::ObjectIdentifier::new("1.3.132.0.34");
pub const ID_SECP521R1_OID: rsa::pkcs8::ObjectIdentifier =
rsa::pkcs8::ObjectIdentifier::new("1.3.132.0.35");
pub const ID_SECP256R1_OID: const_oid::ObjectIdentifier =
const_oid::ObjectIdentifier::new_unwrap("1.2.840.10045.3.1.7");
pub const ID_SECP384R1_OID: const_oid::ObjectIdentifier =
const_oid::ObjectIdentifier::new_unwrap("1.3.132.0.34");
pub const ID_SECP521R1_OID: const_oid::ObjectIdentifier =
const_oid::ObjectIdentifier::new_unwrap("1.3.132.0.35");
#[derive(Serialize, Deserialize, Copy, Clone, PartialEq)]
pub enum ShaHash {
@ -91,7 +89,7 @@ impl RawKeyData {
.to_pkcs1_der()
.map_err(|_| type_error("expected valid public key"))?;
Ok(Cow::Owned(public_key_doc.as_der().into()))
Ok(Cow::Owned(public_key_doc.as_bytes().into()))
}
_ => Err(type_error("expected public key")),
}
@ -136,16 +134,9 @@ impl RawKeyData {
.map_err(|_| type_error("expected valid public EC key"))
}
RawKeyData::Private(data) => {
let ec_key = ECPrivateKey::<p384::NistP384>::try_from(&**data)
.map_err(|_| {
custom_error(
"DOMExceptionOperationError",
"failed to decode private key",
)
})?;
let point = p384::EncodedPoint::from_bytes(&ec_key.encoded_point)
.map_err(|_| data_error("expected valid public EC key"))?;
Ok(point)
let signing_key = p384::SecretKey::from_pkcs8_der(data)
.map_err(|_| type_error("expected valid private EC key"))?;
Ok(signing_key.public_key().to_encoded_point(false))
}
// Should never reach here.
RawKeyData::Secret(_) => unreachable!(),