| <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="generator" content="rustdoc"><meta name="description" content="Source of the Rust file `/root/.cargo/git/checkouts/incubator-teaclave-crates-c8106113f74feefc/ede1f68/rustls-0.19.1/rustls/src/sign.rs`."><meta name="keywords" content="rust, rustlang, rust-lang"><title>sign.rs - source</title><link rel="preload" as="font" type="font/woff2" crossorigin href="../../SourceSerif4-Regular.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../FiraSans-Regular.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../FiraSans-Medium.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../SourceCodePro-Regular.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../SourceSerif4-Bold.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../SourceCodePro-Semibold.ttf.woff2"><link rel="stylesheet" href="../../normalize.css"><link rel="stylesheet" href="../../rustdoc.css" id="mainThemeStyle"><link rel="stylesheet" href="../../ayu.css" disabled><link rel="stylesheet" href="../../dark.css" disabled><link rel="stylesheet" href="../../light.css" id="themeStyle"><script id="default-settings" ></script><script src="../../storage.js"></script><script defer src="../../source-script.js"></script><script defer src="../../source-files.js"></script><script defer src="../../main.js"></script><noscript><link rel="stylesheet" href="../../noscript.css"></noscript><link rel="alternate icon" type="image/png" href="../../favicon-16x16.png"><link rel="alternate icon" type="image/png" href="../../favicon-32x32.png"><link rel="icon" type="image/svg+xml" href="../../favicon.svg"></head><body class="rustdoc source"><!--[if lte IE 11]><div class="warning">This old browser is unsupported and will most likely display funky things.</div><![endif]--><nav class="sidebar"><a class="sidebar-logo" href="../../rustls/index.html"><div class="logo-container"><img class="rust-logo" src="../../rust-logo.svg" alt="logo"></div></a></nav><main><div class="width-limiter"><nav class="sub"><a class="sub-logo-container" href="../../rustls/index.html"><img class="rust-logo" src="../../rust-logo.svg" alt="logo"></a><form class="search-form"><div class="search-container"><span></span><input class="search-input" name="search" autocomplete="off" spellcheck="false" placeholder="Click or press ‘S’ to search, ‘?’ for more options…" type="search"><div id="help-button" title="help" tabindex="-1"><a href="../../help.html">?</a></div><div id="settings-menu" tabindex="-1"><a href="../../settings.html" title="settings"><img width="22" height="22" alt="Change settings" src="../../wheel.svg"></a></div></div></form></nav><section id="main-content" class="content"><div class="example-wrap"><pre class="src-line-numbers"><span id="1">1</span> |
| <span id="2">2</span> |
| <span id="3">3</span> |
| <span id="4">4</span> |
| <span id="5">5</span> |
| <span id="6">6</span> |
| <span id="7">7</span> |
| <span id="8">8</span> |
| <span id="9">9</span> |
| <span id="10">10</span> |
| <span id="11">11</span> |
| <span id="12">12</span> |
| <span id="13">13</span> |
| <span id="14">14</span> |
| <span id="15">15</span> |
| <span id="16">16</span> |
| <span id="17">17</span> |
| <span id="18">18</span> |
| <span id="19">19</span> |
| <span id="20">20</span> |
| <span id="21">21</span> |
| <span id="22">22</span> |
| <span id="23">23</span> |
| <span id="24">24</span> |
| <span id="25">25</span> |
| <span id="26">26</span> |
| <span id="27">27</span> |
| <span id="28">28</span> |
| <span id="29">29</span> |
| <span id="30">30</span> |
| <span id="31">31</span> |
| <span id="32">32</span> |
| <span id="33">33</span> |
| <span id="34">34</span> |
| <span id="35">35</span> |
| <span id="36">36</span> |
| <span id="37">37</span> |
| <span id="38">38</span> |
| <span id="39">39</span> |
| <span id="40">40</span> |
| <span id="41">41</span> |
| <span id="42">42</span> |
| <span id="43">43</span> |
| <span id="44">44</span> |
| <span id="45">45</span> |
| <span id="46">46</span> |
| <span id="47">47</span> |
| <span id="48">48</span> |
| <span id="49">49</span> |
| <span id="50">50</span> |
| <span id="51">51</span> |
| <span id="52">52</span> |
| <span id="53">53</span> |
| <span id="54">54</span> |
| <span id="55">55</span> |
| <span id="56">56</span> |
| <span id="57">57</span> |
| <span id="58">58</span> |
| <span id="59">59</span> |
| <span id="60">60</span> |
| <span id="61">61</span> |
| <span id="62">62</span> |
| <span id="63">63</span> |
| <span id="64">64</span> |
| <span id="65">65</span> |
| <span id="66">66</span> |
| <span id="67">67</span> |
| <span id="68">68</span> |
| <span id="69">69</span> |
| <span id="70">70</span> |
| <span id="71">71</span> |
| <span id="72">72</span> |
| <span id="73">73</span> |
| <span id="74">74</span> |
| <span id="75">75</span> |
| <span id="76">76</span> |
| <span id="77">77</span> |
| <span id="78">78</span> |
| <span id="79">79</span> |
| <span id="80">80</span> |
| <span id="81">81</span> |
| <span id="82">82</span> |
| <span id="83">83</span> |
| <span id="84">84</span> |
| <span id="85">85</span> |
| <span id="86">86</span> |
| <span id="87">87</span> |
| <span id="88">88</span> |
| <span id="89">89</span> |
| <span id="90">90</span> |
| <span id="91">91</span> |
| <span id="92">92</span> |
| <span id="93">93</span> |
| <span id="94">94</span> |
| <span id="95">95</span> |
| <span id="96">96</span> |
| <span id="97">97</span> |
| <span id="98">98</span> |
| <span id="99">99</span> |
| <span id="100">100</span> |
| <span id="101">101</span> |
| <span id="102">102</span> |
| <span id="103">103</span> |
| <span id="104">104</span> |
| <span id="105">105</span> |
| <span id="106">106</span> |
| <span id="107">107</span> |
| <span id="108">108</span> |
| <span id="109">109</span> |
| <span id="110">110</span> |
| <span id="111">111</span> |
| <span id="112">112</span> |
| <span id="113">113</span> |
| <span id="114">114</span> |
| <span id="115">115</span> |
| <span id="116">116</span> |
| <span id="117">117</span> |
| <span id="118">118</span> |
| <span id="119">119</span> |
| <span id="120">120</span> |
| <span id="121">121</span> |
| <span id="122">122</span> |
| <span id="123">123</span> |
| <span id="124">124</span> |
| <span id="125">125</span> |
| <span id="126">126</span> |
| <span id="127">127</span> |
| <span id="128">128</span> |
| <span id="129">129</span> |
| <span id="130">130</span> |
| <span id="131">131</span> |
| <span id="132">132</span> |
| <span id="133">133</span> |
| <span id="134">134</span> |
| <span id="135">135</span> |
| <span id="136">136</span> |
| <span id="137">137</span> |
| <span id="138">138</span> |
| <span id="139">139</span> |
| <span id="140">140</span> |
| <span id="141">141</span> |
| <span id="142">142</span> |
| <span id="143">143</span> |
| <span id="144">144</span> |
| <span id="145">145</span> |
| <span id="146">146</span> |
| <span id="147">147</span> |
| <span id="148">148</span> |
| <span id="149">149</span> |
| <span id="150">150</span> |
| <span id="151">151</span> |
| <span id="152">152</span> |
| <span id="153">153</span> |
| <span id="154">154</span> |
| <span id="155">155</span> |
| <span id="156">156</span> |
| <span id="157">157</span> |
| <span id="158">158</span> |
| <span id="159">159</span> |
| <span id="160">160</span> |
| <span id="161">161</span> |
| <span id="162">162</span> |
| <span id="163">163</span> |
| <span id="164">164</span> |
| <span id="165">165</span> |
| <span id="166">166</span> |
| <span id="167">167</span> |
| <span id="168">168</span> |
| <span id="169">169</span> |
| <span id="170">170</span> |
| <span id="171">171</span> |
| <span id="172">172</span> |
| <span id="173">173</span> |
| <span id="174">174</span> |
| <span id="175">175</span> |
| <span id="176">176</span> |
| <span id="177">177</span> |
| <span id="178">178</span> |
| <span id="179">179</span> |
| <span id="180">180</span> |
| <span id="181">181</span> |
| <span id="182">182</span> |
| <span id="183">183</span> |
| <span id="184">184</span> |
| <span id="185">185</span> |
| <span id="186">186</span> |
| <span id="187">187</span> |
| <span id="188">188</span> |
| <span id="189">189</span> |
| <span id="190">190</span> |
| <span id="191">191</span> |
| <span id="192">192</span> |
| <span id="193">193</span> |
| <span id="194">194</span> |
| <span id="195">195</span> |
| <span id="196">196</span> |
| <span id="197">197</span> |
| <span id="198">198</span> |
| <span id="199">199</span> |
| <span id="200">200</span> |
| <span id="201">201</span> |
| <span id="202">202</span> |
| <span id="203">203</span> |
| <span id="204">204</span> |
| <span id="205">205</span> |
| <span id="206">206</span> |
| <span id="207">207</span> |
| <span id="208">208</span> |
| <span id="209">209</span> |
| <span id="210">210</span> |
| <span id="211">211</span> |
| <span id="212">212</span> |
| <span id="213">213</span> |
| <span id="214">214</span> |
| <span id="215">215</span> |
| <span id="216">216</span> |
| <span id="217">217</span> |
| <span id="218">218</span> |
| <span id="219">219</span> |
| <span id="220">220</span> |
| <span id="221">221</span> |
| <span id="222">222</span> |
| <span id="223">223</span> |
| <span id="224">224</span> |
| <span id="225">225</span> |
| <span id="226">226</span> |
| <span id="227">227</span> |
| <span id="228">228</span> |
| <span id="229">229</span> |
| <span id="230">230</span> |
| <span id="231">231</span> |
| <span id="232">232</span> |
| <span id="233">233</span> |
| <span id="234">234</span> |
| <span id="235">235</span> |
| <span id="236">236</span> |
| <span id="237">237</span> |
| <span id="238">238</span> |
| <span id="239">239</span> |
| <span id="240">240</span> |
| <span id="241">241</span> |
| <span id="242">242</span> |
| <span id="243">243</span> |
| <span id="244">244</span> |
| <span id="245">245</span> |
| <span id="246">246</span> |
| <span id="247">247</span> |
| <span id="248">248</span> |
| <span id="249">249</span> |
| <span id="250">250</span> |
| <span id="251">251</span> |
| <span id="252">252</span> |
| <span id="253">253</span> |
| <span id="254">254</span> |
| <span id="255">255</span> |
| <span id="256">256</span> |
| <span id="257">257</span> |
| <span id="258">258</span> |
| <span id="259">259</span> |
| <span id="260">260</span> |
| <span id="261">261</span> |
| <span id="262">262</span> |
| <span id="263">263</span> |
| <span id="264">264</span> |
| <span id="265">265</span> |
| <span id="266">266</span> |
| <span id="267">267</span> |
| <span id="268">268</span> |
| <span id="269">269</span> |
| <span id="270">270</span> |
| <span id="271">271</span> |
| <span id="272">272</span> |
| <span id="273">273</span> |
| <span id="274">274</span> |
| <span id="275">275</span> |
| <span id="276">276</span> |
| <span id="277">277</span> |
| <span id="278">278</span> |
| <span id="279">279</span> |
| <span id="280">280</span> |
| <span id="281">281</span> |
| <span id="282">282</span> |
| <span id="283">283</span> |
| <span id="284">284</span> |
| <span id="285">285</span> |
| <span id="286">286</span> |
| <span id="287">287</span> |
| <span id="288">288</span> |
| <span id="289">289</span> |
| <span id="290">290</span> |
| <span id="291">291</span> |
| <span id="292">292</span> |
| <span id="293">293</span> |
| <span id="294">294</span> |
| <span id="295">295</span> |
| <span id="296">296</span> |
| <span id="297">297</span> |
| <span id="298">298</span> |
| <span id="299">299</span> |
| <span id="300">300</span> |
| <span id="301">301</span> |
| <span id="302">302</span> |
| <span id="303">303</span> |
| <span id="304">304</span> |
| <span id="305">305</span> |
| <span id="306">306</span> |
| <span id="307">307</span> |
| <span id="308">308</span> |
| <span id="309">309</span> |
| <span id="310">310</span> |
| <span id="311">311</span> |
| <span id="312">312</span> |
| <span id="313">313</span> |
| <span id="314">314</span> |
| <span id="315">315</span> |
| <span id="316">316</span> |
| <span id="317">317</span> |
| <span id="318">318</span> |
| <span id="319">319</span> |
| <span id="320">320</span> |
| <span id="321">321</span> |
| <span id="322">322</span> |
| <span id="323">323</span> |
| <span id="324">324</span> |
| <span id="325">325</span> |
| <span id="326">326</span> |
| <span id="327">327</span> |
| <span id="328">328</span> |
| <span id="329">329</span> |
| <span id="330">330</span> |
| <span id="331">331</span> |
| <span id="332">332</span> |
| <span id="333">333</span> |
| <span id="334">334</span> |
| <span id="335">335</span> |
| <span id="336">336</span> |
| <span id="337">337</span> |
| <span id="338">338</span> |
| <span id="339">339</span> |
| <span id="340">340</span> |
| <span id="341">341</span> |
| <span id="342">342</span> |
| <span id="343">343</span> |
| <span id="344">344</span> |
| <span id="345">345</span> |
| <span id="346">346</span> |
| <span id="347">347</span> |
| <span id="348">348</span> |
| <span id="349">349</span> |
| <span id="350">350</span> |
| <span id="351">351</span> |
| <span id="352">352</span> |
| <span id="353">353</span> |
| <span id="354">354</span> |
| <span id="355">355</span> |
| <span id="356">356</span> |
| <span id="357">357</span> |
| <span id="358">358</span> |
| <span id="359">359</span> |
| <span id="360">360</span> |
| <span id="361">361</span> |
| <span id="362">362</span> |
| <span id="363">363</span> |
| <span id="364">364</span> |
| <span id="365">365</span> |
| <span id="366">366</span> |
| <span id="367">367</span> |
| <span id="368">368</span> |
| <span id="369">369</span> |
| <span id="370">370</span> |
| <span id="371">371</span> |
| <span id="372">372</span> |
| <span id="373">373</span> |
| <span id="374">374</span> |
| <span id="375">375</span> |
| <span id="376">376</span> |
| <span id="377">377</span> |
| <span id="378">378</span> |
| <span id="379">379</span> |
| <span id="380">380</span> |
| <span id="381">381</span> |
| <span id="382">382</span> |
| <span id="383">383</span> |
| <span id="384">384</span> |
| <span id="385">385</span> |
| <span id="386">386</span> |
| <span id="387">387</span> |
| <span id="388">388</span> |
| <span id="389">389</span> |
| <span id="390">390</span> |
| <span id="391">391</span> |
| <span id="392">392</span> |
| <span id="393">393</span> |
| <span id="394">394</span> |
| <span id="395">395</span> |
| <span id="396">396</span> |
| <span id="397">397</span> |
| <span id="398">398</span> |
| <span id="399">399</span> |
| <span id="400">400</span> |
| <span id="401">401</span> |
| <span id="402">402</span> |
| <span id="403">403</span> |
| <span id="404">404</span> |
| <span id="405">405</span> |
| <span id="406">406</span> |
| <span id="407">407</span> |
| <span id="408">408</span> |
| <span id="409">409</span> |
| <span id="410">410</span> |
| <span id="411">411</span> |
| <span id="412">412</span> |
| <span id="413">413</span> |
| <span id="414">414</span> |
| <span id="415">415</span> |
| <span id="416">416</span> |
| </pre><pre class="rust"><code><span class="kw">use </span><span class="kw">crate</span>::error::TLSError; |
| <span class="kw">use </span><span class="kw">crate</span>::key; |
| <span class="kw">use </span><span class="kw">crate</span>::msgs::enums::{SignatureAlgorithm, SignatureScheme}; |
| |
| <span class="kw">use </span>ring::{ |
| <span class="self">self</span>, |
| signature::{<span class="self">self</span>, EcdsaKeyPair, Ed25519KeyPair, RsaKeyPair}, |
| }; |
| <span class="kw">use </span>webpki; |
| |
| <span class="kw">use </span>std::mem; |
| <span class="kw">use </span>std::sync::Arc; |
| |
| <span class="doccomment">/// An abstract signing key. |
| </span><span class="kw">pub trait </span>SigningKey: Send + Sync { |
| <span class="doccomment">/// Choose a `SignatureScheme` from those offered. |
| /// |
| /// Expresses the choice by returning something that implements `Signer`, |
| /// using the chosen scheme. |
| </span><span class="kw">fn </span>choose_scheme(<span class="kw-2">&</span><span class="self">self</span>, offered: <span class="kw-2">&</span>[SignatureScheme]) -> <span class="prelude-ty">Option</span><Box<<span class="kw">dyn </span>Signer>>; |
| |
| <span class="doccomment">/// What kind of key we have. |
| </span><span class="kw">fn </span>algorithm(<span class="kw-2">&</span><span class="self">self</span>) -> SignatureAlgorithm; |
| } |
| |
| <span class="doccomment">/// A thing that can sign a message. |
| </span><span class="kw">pub trait </span>Signer: Send + Sync { |
| <span class="doccomment">/// Signs `message` using the selected scheme. |
| </span><span class="kw">fn </span>sign(<span class="kw-2">&</span><span class="self">self</span>, message: <span class="kw-2">&</span>[u8]) -> <span class="prelude-ty">Result</span><Vec<u8>, TLSError>; |
| |
| <span class="doccomment">/// Reveals which scheme will be used when you call `sign()`. |
| </span><span class="kw">fn </span>get_scheme(<span class="kw-2">&</span><span class="self">self</span>) -> SignatureScheme; |
| } |
| |
| <span class="doccomment">/// A packaged-together certificate chain, matching `SigningKey` and |
| /// optional stapled OCSP response and/or SCT list. |
| </span><span class="attribute">#[derive(Clone)] |
| </span><span class="kw">pub struct </span>CertifiedKey { |
| <span class="doccomment">/// The certificate chain. |
| </span><span class="kw">pub </span>cert: Vec<key::Certificate>, |
| |
| <span class="doccomment">/// The certified key. |
| </span><span class="kw">pub </span>key: Arc<Box<<span class="kw">dyn </span>SigningKey>>, |
| |
| <span class="doccomment">/// An optional OCSP response from the certificate issuer, |
| /// attesting to its continued validity. |
| </span><span class="kw">pub </span>ocsp: <span class="prelude-ty">Option</span><Vec<u8>>, |
| |
| <span class="doccomment">/// An optional collection of SCTs from CT logs, proving the |
| /// certificate is included on those logs. This must be |
| /// a `SignedCertificateTimestampList` encoding; see RFC6962. |
| </span><span class="kw">pub </span>sct_list: <span class="prelude-ty">Option</span><Vec<u8>>, |
| } |
| |
| <span class="kw">impl </span>CertifiedKey { |
| <span class="doccomment">/// Make a new CertifiedKey, with the given chain and key. |
| /// |
| /// The cert chain must not be empty. The first certificate in the chain |
| /// must be the end-entity certificate. |
| </span><span class="kw">pub fn </span>new(cert: Vec<key::Certificate>, key: Arc<Box<<span class="kw">dyn </span>SigningKey>>) -> CertifiedKey { |
| CertifiedKey { |
| cert, |
| key, |
| ocsp: <span class="prelude-val">None</span>, |
| sct_list: <span class="prelude-val">None</span>, |
| } |
| } |
| |
| <span class="doccomment">/// The end-entity certificate. |
| </span><span class="kw">pub fn </span>end_entity_cert(<span class="kw-2">&</span><span class="self">self</span>) -> <span class="prelude-ty">Result</span><<span class="kw-2">&</span>key::Certificate, ()> { |
| <span class="self">self</span>.cert.get(<span class="number">0</span>).ok_or(()) |
| } |
| |
| <span class="doccomment">/// Steal ownership of the certificate chain. |
| </span><span class="kw">pub fn </span>take_cert(<span class="kw-2">&mut </span><span class="self">self</span>) -> Vec<key::Certificate> { |
| mem::replace(<span class="kw-2">&mut </span><span class="self">self</span>.cert, Vec::new()) |
| } |
| |
| <span class="doccomment">/// Return true if there's an OCSP response. |
| </span><span class="kw">pub fn </span>has_ocsp(<span class="kw-2">&</span><span class="self">self</span>) -> bool { |
| <span class="self">self</span>.ocsp.is_some() |
| } |
| |
| <span class="doccomment">/// Steal ownership of the OCSP response. |
| </span><span class="kw">pub fn </span>take_ocsp(<span class="kw-2">&mut </span><span class="self">self</span>) -> <span class="prelude-ty">Option</span><Vec<u8>> { |
| mem::replace(<span class="kw-2">&mut </span><span class="self">self</span>.ocsp, <span class="prelude-val">None</span>) |
| } |
| |
| <span class="doccomment">/// Return true if there's an SCT list. |
| </span><span class="kw">pub fn </span>has_sct_list(<span class="kw-2">&</span><span class="self">self</span>) -> bool { |
| <span class="self">self</span>.sct_list.is_some() |
| } |
| |
| <span class="doccomment">/// Steal ownership of the SCT list. |
| </span><span class="kw">pub fn </span>take_sct_list(<span class="kw-2">&mut </span><span class="self">self</span>) -> <span class="prelude-ty">Option</span><Vec<u8>> { |
| mem::replace(<span class="kw-2">&mut </span><span class="self">self</span>.sct_list, <span class="prelude-val">None</span>) |
| } |
| |
| <span class="doccomment">/// Check the certificate chain for validity: |
| /// - it should be non-empty list |
| /// - the first certificate should be parsable as a x509v3, |
| /// - the first certificate should quote the given server name |
| /// (if provided) |
| /// |
| /// These checks are not security-sensitive. They are the |
| /// *server* attempting to detect accidental misconfiguration. |
| </span><span class="kw">pub fn </span>cross_check_end_entity_cert( |
| <span class="kw-2">&</span><span class="self">self</span>, |
| name: <span class="prelude-ty">Option</span><webpki::DNSNameRef>, |
| ) -> <span class="prelude-ty">Result</span><(), TLSError> { |
| <span class="comment">// Always reject an empty certificate chain. |
| </span><span class="kw">let </span>end_entity_cert = <span class="self">self</span>.end_entity_cert().map_err(|()| { |
| TLSError::General(<span class="string">"No end-entity certificate in certificate chain"</span>.to_string()) |
| })<span class="question-mark">?</span>; |
| |
| <span class="comment">// Reject syntactically-invalid end-entity certificates. |
| </span><span class="kw">let </span>end_entity_cert = |
| webpki::EndEntityCert::from(end_entity_cert.as_ref()).map_err(|<span class="kw">_</span>| { |
| TLSError::General( |
| <span class="string">"End-entity certificate in certificate \ |
| chain is syntactically invalid" |
| </span>.to_string(), |
| ) |
| })<span class="question-mark">?</span>; |
| |
| <span class="kw">if let </span><span class="prelude-val">Some</span>(name) = name { |
| <span class="comment">// If SNI was offered then the certificate must be valid for |
| // that hostname. Note that this doesn't fully validate that the |
| // certificate is valid; it only validates that the name is one |
| // that the certificate is valid for, if the certificate is |
| // valid. |
| </span><span class="kw">if </span>end_entity_cert |
| .verify_is_valid_for_dns_name(name) |
| .is_err() |
| { |
| <span class="kw">return </span><span class="prelude-val">Err</span>(TLSError::General( |
| <span class="string">"The server certificate is not \ |
| valid for the given name" |
| </span>.to_string(), |
| )); |
| } |
| } |
| |
| <span class="prelude-val">Ok</span>(()) |
| } |
| } |
| |
| <span class="doccomment">/// Parse `der` as any supported key encoding/type, returning |
| /// the first which works. |
| </span><span class="kw">pub fn </span>any_supported_type(der: <span class="kw-2">&</span>key::PrivateKey) -> <span class="prelude-ty">Result</span><Box<<span class="kw">dyn </span>SigningKey>, ()> { |
| <span class="kw">if let </span><span class="prelude-val">Ok</span>(rsa) = RSASigningKey::new(der) { |
| <span class="prelude-val">Ok</span>(Box::new(rsa)) |
| } <span class="kw">else if let </span><span class="prelude-val">Ok</span>(ecdsa) = any_ecdsa_type(der) { |
| <span class="prelude-val">Ok</span>(ecdsa) |
| } <span class="kw">else </span>{ |
| any_eddsa_type(der) |
| } |
| } |
| |
| <span class="doccomment">/// Parse `der` as any ECDSA key type, returning the first which works. |
| </span><span class="kw">pub fn </span>any_ecdsa_type(der: <span class="kw-2">&</span>key::PrivateKey) -> <span class="prelude-ty">Result</span><Box<<span class="kw">dyn </span>SigningKey>, ()> { |
| <span class="kw">if let </span><span class="prelude-val">Ok</span>(ecdsa_p256) = ECDSASigningKey::new( |
| der, |
| SignatureScheme::ECDSA_NISTP256_SHA256, |
| <span class="kw-2">&</span>signature::ECDSA_P256_SHA256_ASN1_SIGNING, |
| ) { |
| <span class="kw">return </span><span class="prelude-val">Ok</span>(Box::new(ecdsa_p256)); |
| } |
| |
| <span class="kw">if let </span><span class="prelude-val">Ok</span>(ecdsa_p384) = ECDSASigningKey::new( |
| der, |
| SignatureScheme::ECDSA_NISTP384_SHA384, |
| <span class="kw-2">&</span>signature::ECDSA_P384_SHA384_ASN1_SIGNING, |
| ) { |
| <span class="kw">return </span><span class="prelude-val">Ok</span>(Box::new(ecdsa_p384)); |
| } |
| |
| <span class="prelude-val">Err</span>(()) |
| } |
| |
| <span class="doccomment">/// Parse `der` as any EdDSA key type, returning the first which works. |
| </span><span class="kw">pub fn </span>any_eddsa_type(der: <span class="kw-2">&</span>key::PrivateKey) -> <span class="prelude-ty">Result</span><Box<<span class="kw">dyn </span>SigningKey>, ()> { |
| <span class="kw">if let </span><span class="prelude-val">Ok</span>(ed25519) = Ed25519SigningKey::new(der, SignatureScheme::ED25519) { |
| <span class="kw">return </span><span class="prelude-val">Ok</span>(Box::new(ed25519)); |
| } |
| |
| <span class="comment">// TODO: Add support for Ed448 |
| |
| </span><span class="prelude-val">Err</span>(()) |
| } |
| |
| <span class="doccomment">/// A `SigningKey` for RSA-PKCS1 or RSA-PSS |
| </span><span class="kw">pub struct </span>RSASigningKey { |
| key: Arc<RsaKeyPair>, |
| } |
| |
| <span class="kw">static </span>ALL_RSA_SCHEMES: <span class="kw-2">&</span>[SignatureScheme] = <span class="kw-2">&</span>[ |
| SignatureScheme::RSA_PSS_SHA512, |
| SignatureScheme::RSA_PSS_SHA384, |
| SignatureScheme::RSA_PSS_SHA256, |
| SignatureScheme::RSA_PKCS1_SHA512, |
| SignatureScheme::RSA_PKCS1_SHA384, |
| SignatureScheme::RSA_PKCS1_SHA256, |
| ]; |
| |
| <span class="kw">impl </span>RSASigningKey { |
| <span class="doccomment">/// Make a new `RSASigningKey` from a DER encoding, in either |
| /// PKCS#1 or PKCS#8 format. |
| </span><span class="kw">pub fn </span>new(der: <span class="kw-2">&</span>key::PrivateKey) -> <span class="prelude-ty">Result</span><RSASigningKey, ()> { |
| RsaKeyPair::from_der(<span class="kw-2">&</span>der.<span class="number">0</span>) |
| .or_else(|<span class="kw">_</span>| RsaKeyPair::from_pkcs8(<span class="kw-2">&</span>der.<span class="number">0</span>)) |
| .map(|s| RSASigningKey { key: Arc::new(s) }) |
| .map_err(|<span class="kw">_</span>| ()) |
| } |
| } |
| |
| <span class="kw">impl </span>SigningKey <span class="kw">for </span>RSASigningKey { |
| <span class="kw">fn </span>choose_scheme(<span class="kw-2">&</span><span class="self">self</span>, offered: <span class="kw-2">&</span>[SignatureScheme]) -> <span class="prelude-ty">Option</span><Box<<span class="kw">dyn </span>Signer>> { |
| ALL_RSA_SCHEMES |
| .iter() |
| .filter(|scheme| offered.contains(scheme)) |
| .nth(<span class="number">0</span>) |
| .map(|scheme| RSASigner::new(<span class="self">self</span>.key.clone(), <span class="kw-2">*</span>scheme)) |
| } |
| |
| <span class="kw">fn </span>algorithm(<span class="kw-2">&</span><span class="self">self</span>) -> SignatureAlgorithm { |
| SignatureAlgorithm::RSA |
| } |
| } |
| |
| <span class="kw">struct </span>RSASigner { |
| key: Arc<RsaKeyPair>, |
| scheme: SignatureScheme, |
| encoding: <span class="kw-2">&</span><span class="lifetime">'static </span><span class="kw">dyn </span>signature::RsaEncoding, |
| } |
| |
| <span class="kw">impl </span>RSASigner { |
| <span class="kw">fn </span>new(key: Arc<RsaKeyPair>, scheme: SignatureScheme) -> Box<<span class="kw">dyn </span>Signer> { |
| <span class="kw">let </span>encoding: <span class="kw-2">&</span><span class="kw">dyn </span>signature::RsaEncoding = <span class="kw">match </span>scheme { |
| SignatureScheme::RSA_PKCS1_SHA256 => <span class="kw-2">&</span>signature::RSA_PKCS1_SHA256, |
| SignatureScheme::RSA_PKCS1_SHA384 => <span class="kw-2">&</span>signature::RSA_PKCS1_SHA384, |
| SignatureScheme::RSA_PKCS1_SHA512 => <span class="kw-2">&</span>signature::RSA_PKCS1_SHA512, |
| SignatureScheme::RSA_PSS_SHA256 => <span class="kw-2">&</span>signature::RSA_PSS_SHA256, |
| SignatureScheme::RSA_PSS_SHA384 => <span class="kw-2">&</span>signature::RSA_PSS_SHA384, |
| SignatureScheme::RSA_PSS_SHA512 => <span class="kw-2">&</span>signature::RSA_PSS_SHA512, |
| <span class="kw">_ </span>=> <span class="macro">unreachable!</span>(), |
| }; |
| |
| Box::new(RSASigner { |
| key, |
| scheme, |
| encoding, |
| }) |
| } |
| } |
| |
| <span class="kw">impl </span>Signer <span class="kw">for </span>RSASigner { |
| <span class="kw">fn </span>sign(<span class="kw-2">&</span><span class="self">self</span>, message: <span class="kw-2">&</span>[u8]) -> <span class="prelude-ty">Result</span><Vec<u8>, TLSError> { |
| <span class="kw">let </span><span class="kw-2">mut </span>sig = <span class="macro">vec!</span>[<span class="number">0</span>; <span class="self">self</span>.key.public_modulus_len()]; |
| |
| <span class="kw">let </span>rng = ring::rand::SystemRandom::new(); |
| <span class="self">self</span>.key |
| .sign(<span class="self">self</span>.encoding, <span class="kw-2">&</span>rng, message, <span class="kw-2">&mut </span>sig) |
| .map(|<span class="kw">_</span>| sig) |
| .map_err(|<span class="kw">_</span>| TLSError::General(<span class="string">"signing failed"</span>.to_string())) |
| } |
| |
| <span class="kw">fn </span>get_scheme(<span class="kw-2">&</span><span class="self">self</span>) -> SignatureScheme { |
| <span class="self">self</span>.scheme |
| } |
| } |
| |
| <span class="doccomment">/// A SigningKey that uses exactly one TLS-level SignatureScheme |
| /// and one ring-level signature::SigningAlgorithm. |
| /// |
| /// Compare this to RSASigningKey, which for a particular key is |
| /// willing to sign with several algorithms. This is quite poor |
| /// cryptography practice, but is necessary because a given RSA key |
| /// is expected to work in TLS1.2 (PKCS#1 signatures) and TLS1.3 |
| /// (PSS signatures) -- nobody is willing to obtain certificates for |
| /// different protocol versions. |
| /// |
| /// Currently this is only implemented for ECDSA keys. |
| </span><span class="kw">struct </span>ECDSASigningKey { |
| key: Arc<EcdsaKeyPair>, |
| scheme: SignatureScheme, |
| } |
| |
| <span class="kw">impl </span>ECDSASigningKey { |
| <span class="doccomment">/// Make a new `ECDSASigningKey` from a DER encoding in PKCS#8 format, |
| /// expecting a key usable with precisely the given signature scheme. |
| </span><span class="kw">pub fn </span>new( |
| der: <span class="kw-2">&</span>key::PrivateKey, |
| scheme: SignatureScheme, |
| sigalg: <span class="kw-2">&</span><span class="lifetime">'static </span>signature::EcdsaSigningAlgorithm, |
| ) -> <span class="prelude-ty">Result</span><ECDSASigningKey, ()> { |
| EcdsaKeyPair::from_pkcs8(sigalg, <span class="kw-2">&</span>der.<span class="number">0</span>) |
| .map(|kp| ECDSASigningKey { |
| key: Arc::new(kp), |
| scheme, |
| }) |
| .map_err(|<span class="kw">_</span>| ()) |
| } |
| } |
| |
| <span class="kw">impl </span>SigningKey <span class="kw">for </span>ECDSASigningKey { |
| <span class="kw">fn </span>choose_scheme(<span class="kw-2">&</span><span class="self">self</span>, offered: <span class="kw-2">&</span>[SignatureScheme]) -> <span class="prelude-ty">Option</span><Box<<span class="kw">dyn </span>Signer>> { |
| <span class="kw">if </span>offered.contains(<span class="kw-2">&</span><span class="self">self</span>.scheme) { |
| <span class="prelude-val">Some</span>(Box::new(ECDSASigner { |
| key: <span class="self">self</span>.key.clone(), |
| scheme: <span class="self">self</span>.scheme, |
| })) |
| } <span class="kw">else </span>{ |
| <span class="prelude-val">None |
| </span>} |
| } |
| |
| <span class="kw">fn </span>algorithm(<span class="kw-2">&</span><span class="self">self</span>) -> SignatureAlgorithm { |
| <span class="kw">use </span><span class="kw">crate</span>::msgs::handshake::DecomposedSignatureScheme; |
| <span class="self">self</span>.scheme.sign() |
| } |
| } |
| |
| <span class="kw">struct </span>ECDSASigner { |
| key: Arc<EcdsaKeyPair>, |
| scheme: SignatureScheme, |
| } |
| |
| <span class="kw">impl </span>Signer <span class="kw">for </span>ECDSASigner { |
| <span class="kw">fn </span>sign(<span class="kw-2">&</span><span class="self">self</span>, message: <span class="kw-2">&</span>[u8]) -> <span class="prelude-ty">Result</span><Vec<u8>, TLSError> { |
| <span class="kw">let </span>rng = ring::rand::SystemRandom::new(); |
| <span class="self">self</span>.key |
| .sign(<span class="kw-2">&</span>rng, message) |
| .map_err(|<span class="kw">_</span>| TLSError::General(<span class="string">"signing failed"</span>.into())) |
| .map(|sig| sig.as_ref().into()) |
| } |
| |
| <span class="kw">fn </span>get_scheme(<span class="kw-2">&</span><span class="self">self</span>) -> SignatureScheme { |
| <span class="self">self</span>.scheme |
| } |
| } |
| |
| <span class="doccomment">/// A SigningKey that uses exactly one TLS-level SignatureScheme |
| /// and one ring-level signature::SigningAlgorithm. |
| /// |
| /// Compare this to RSASigningKey, which for a particular key is |
| /// willing to sign with several algorithms. This is quite poor |
| /// cryptography practice, but is necessary because a given RSA key |
| /// is expected to work in TLS1.2 (PKCS#1 signatures) and TLS1.3 |
| /// (PSS signatures) -- nobody is willing to obtain certificates for |
| /// different protocol versions. |
| /// |
| /// Currently this is only implemented for Ed25519 keys. |
| </span><span class="kw">struct </span>Ed25519SigningKey { |
| key: Arc<Ed25519KeyPair>, |
| scheme: SignatureScheme, |
| } |
| |
| <span class="kw">impl </span>Ed25519SigningKey { |
| <span class="doccomment">/// Make a new `Ed25519SigningKey` from a DER encoding in PKCS#8 format, |
| /// expecting a key usable with precisely the given signature scheme. |
| </span><span class="kw">pub fn </span>new(der: <span class="kw-2">&</span>key::PrivateKey, scheme: SignatureScheme) -> <span class="prelude-ty">Result</span><Ed25519SigningKey, ()> { |
| Ed25519KeyPair::from_pkcs8_maybe_unchecked(<span class="kw-2">&</span>der.<span class="number">0</span>) |
| .map(|kp| Ed25519SigningKey { |
| key: Arc::new(kp), |
| scheme, |
| }) |
| .map_err(|<span class="kw">_</span>| ()) |
| } |
| } |
| |
| <span class="kw">impl </span>SigningKey <span class="kw">for </span>Ed25519SigningKey { |
| <span class="kw">fn </span>choose_scheme(<span class="kw-2">&</span><span class="self">self</span>, offered: <span class="kw-2">&</span>[SignatureScheme]) -> <span class="prelude-ty">Option</span><Box<<span class="kw">dyn </span>Signer>> { |
| <span class="kw">if </span>offered.contains(<span class="kw-2">&</span><span class="self">self</span>.scheme) { |
| <span class="prelude-val">Some</span>(Box::new(Ed25519Signer { |
| key: <span class="self">self</span>.key.clone(), |
| scheme: <span class="self">self</span>.scheme, |
| })) |
| } <span class="kw">else </span>{ |
| <span class="prelude-val">None |
| </span>} |
| } |
| |
| <span class="kw">fn </span>algorithm(<span class="kw-2">&</span><span class="self">self</span>) -> SignatureAlgorithm { |
| <span class="kw">use </span><span class="kw">crate</span>::msgs::handshake::DecomposedSignatureScheme; |
| <span class="self">self</span>.scheme.sign() |
| } |
| } |
| |
| <span class="kw">struct </span>Ed25519Signer { |
| key: Arc<Ed25519KeyPair>, |
| scheme: SignatureScheme, |
| } |
| |
| <span class="kw">impl </span>Signer <span class="kw">for </span>Ed25519Signer { |
| <span class="kw">fn </span>sign(<span class="kw-2">&</span><span class="self">self</span>, message: <span class="kw-2">&</span>[u8]) -> <span class="prelude-ty">Result</span><Vec<u8>, TLSError> { |
| <span class="prelude-val">Ok</span>(<span class="self">self</span>.key.sign(message).as_ref().into()) |
| } |
| |
| <span class="kw">fn </span>get_scheme(<span class="kw-2">&</span><span class="self">self</span>) -> SignatureScheme { |
| <span class="self">self</span>.scheme |
| } |
| } |
| |
| <span class="doccomment">/// The set of schemes we support for signatures and |
| /// that are allowed for TLS1.3. |
| </span><span class="kw">pub fn </span>supported_sign_tls13() -> <span class="kw-2">&</span><span class="lifetime">'static </span>[SignatureScheme] { |
| <span class="kw-2">&</span>[ |
| SignatureScheme::ECDSA_NISTP384_SHA384, |
| SignatureScheme::ECDSA_NISTP256_SHA256, |
| SignatureScheme::RSA_PSS_SHA512, |
| SignatureScheme::RSA_PSS_SHA384, |
| SignatureScheme::RSA_PSS_SHA256, |
| SignatureScheme::ED25519, |
| ] |
| } |
| </code></pre></div> |
| </section></div></main><div id="rustdoc-vars" data-root-path="../../" data-current-crate="rustls" data-themes="ayu,dark,light" data-resource-suffix="" data-rustdoc-version="1.66.0-nightly (5c8bff74b 2022-10-21)" ></div></body></html> |
