Cleanup; Expect a type for parse

aws-lc-rs/src/ec.rs

@@ -14,13 +14,13 @@ use aws_lc::EC_KEY_check_fips;
 #[cfg(not(feature = "fips"))]
 use aws_lc::EC_KEY_check_key;
 use aws_lc::{
-    d2i_PrivateKey, point_conversion_form_t, BN_bn2bin_padded, BN_num_bytes, CBS_init,
-    ECDSA_SIG_from_bytes, ECDSA_SIG_get0_r, ECDSA_SIG_get0_s, EC_GROUP_get_curve_name,
-    EC_GROUP_new_by_curve_name, EC_KEY_get0_group, EC_KEY_get0_private_key, EC_KEY_get0_public_key,
-    EC_KEY_new, EC_KEY_set_group, EC_KEY_set_private_key, EC_KEY_set_public_key, EC_POINT_mul,
-    EC_POINT_new, EC_POINT_oct2point, EC_POINT_point2oct, EVP_PKEY_CTX_new_id,
+    d2i_PrivateKey, point_conversion_form_t, BN_bn2bin_padded, BN_num_bytes, ECDSA_SIG_from_bytes,
+    ECDSA_SIG_get0_r, ECDSA_SIG_get0_s, EC_GROUP_get_curve_name, EC_GROUP_new_by_curve_name,
+    EC_KEY_get0_group, EC_KEY_get0_private_key, EC_KEY_get0_public_key, EC_KEY_new,
+    EC_KEY_set_group, EC_KEY_set_private_key, EC_KEY_set_public_key, EC_POINT_mul, EC_POINT_new,
+    EC_POINT_oct2point, EC_POINT_point2oct, EVP_PKEY_CTX_new_id,
     EVP_PKEY_CTX_set_ec_paramgen_curve_nid, EVP_PKEY_assign_EC_KEY, EVP_PKEY_get0_EC_KEY,
-    EVP_PKEY_keygen, EVP_PKEY_keygen_init, EVP_PKEY_new, BIGNUM, CBS, EC_GROUP, EC_KEY, EC_POINT,
+    EVP_PKEY_keygen, EVP_PKEY_keygen_init, EVP_PKEY_new, BIGNUM, EC_GROUP, EC_KEY, EC_POINT,
     EVP_PKEY, EVP_PKEY_EC,
 };
 

aws-lc-rs/src/ec/key_pair.rs

@@ -8,7 +8,7 @@ use core::fmt::{Debug, Formatter};
 use core::mem::MaybeUninit;
 use core::ptr::{null, null_mut};
 
-use aws_lc::{EVP_DigestSign, EVP_DigestSignInit, EVP_PKEY_get0_EC_KEY, EVP_PKEY};
+use aws_lc::{EVP_DigestSign, EVP_DigestSignInit, EVP_PKEY_get0_EC_KEY, EVP_PKEY, EVP_PKEY_EC};
 
 use crate::digest::digest_ctx::DigestContext;
 use crate::ec::evp_key_generate;
@@ -92,7 +92,7 @@ impl EcdsaKeyPair {
         pkcs8: &[u8],
     ) -> Result<Self, KeyRejected> {
         // Includes a call to `EC_KEY_check_key`
-        let evp_pkey = LcPtr::<EVP_PKEY>::parse_rfc5208_private_key(pkcs8)?;
+        let evp_pkey = LcPtr::<EVP_PKEY>::parse_rfc5208_private_key(pkcs8, EVP_PKEY_EC)?;
 
         #[cfg(not(feature = "fips"))]
         verify_evp_key_nid(&evp_pkey.as_const(), alg.id.nid())?;

aws-lc-rs/src/ed25519.rs

@@ -5,18 +5,17 @@
 
 use core::fmt;
 use core::fmt::{Debug, Formatter};
-use core::mem::MaybeUninit;
 use core::ptr::null_mut;
 use std::marker::PhantomData;
 
 #[cfg(feature = "ring-sig-verify")]
 use untrusted::Input;
 
 use aws_lc::{
-    CBS_init, EVP_DigestSign, EVP_DigestSignInit, EVP_DigestVerify, EVP_DigestVerifyInit,
-    EVP_PKEY_CTX_new_id, EVP_PKEY_get_raw_private_key, EVP_PKEY_get_raw_public_key, EVP_PKEY_id,
+    EVP_DigestSign, EVP_DigestSignInit, EVP_DigestVerify, EVP_DigestVerifyInit,
+    EVP_PKEY_CTX_new_id, EVP_PKEY_get_raw_private_key, EVP_PKEY_get_raw_public_key,
     EVP_PKEY_keygen, EVP_PKEY_keygen_init, EVP_PKEY_new_raw_private_key,
-    EVP_PKEY_new_raw_public_key, CBS, EVP_PKEY, EVP_PKEY_ED25519,
+    EVP_PKEY_new_raw_public_key, EVP_PKEY, EVP_PKEY_ED25519,
 };
 
 use crate::buffer::Buffer;
@@ -430,7 +429,7 @@ impl Ed25519KeyPair {
     }
 
     fn parse_pkcs8(pkcs8: &[u8]) -> Result<Self, KeyRejected> {
-        let evp_pkey = LcPtr::<EVP_PKEY>::parse_rfc5208_private_key(pkcs8)?;
+        let evp_pkey = LcPtr::<EVP_PKEY>::parse_rfc5208_private_key(pkcs8, EVP_PKEY_ED25519)?;
 
         evp_pkey.validate_as_ed25519()?;
 

aws-lc-rs/src/evp_pkey.rs

@@ -94,10 +94,10 @@ impl LcPtr<EVP_PKEY> {
         // Also checks the validity of the key
         let evp_pkey = LcPtr::new(unsafe { EVP_parse_public_key(&mut cbs) })
             .map_err(|()| KeyRejected::invalid_encoding())?;
-        Ok(unsafe { EVP_PKEY_id(*evp_pkey.as_const()) }
+        unsafe { EVP_PKEY_id(*evp_pkey.as_const()) }
             .eq(&evp_pkey_type)
             .then_some(evp_pkey)
-            .ok_or(KeyRejected::wrong_algorithm())?)
+            .ok_or(KeyRejected::wrong_algorithm())
     }
 
     pub(crate) fn marshall_rfc5208_private_key(
@@ -123,11 +123,18 @@ impl LcPtr<EVP_PKEY> {
         cbb.into_vec()
     }
 
-    pub(crate) fn parse_rfc5208_private_key(bytes: &[u8]) -> Result<Self, KeyRejected> {
+    pub(crate) fn parse_rfc5208_private_key(
+        bytes: &[u8],
+        evp_pkey_type: c_int,
+    ) -> Result<Self, KeyRejected> {
         let mut cbs = cbs::build_CBS(bytes);
         // Also checks the validity of the key
-        LcPtr::new(unsafe { EVP_parse_private_key(&mut cbs) })
-            .map_err(|()| KeyRejected::invalid_encoding())
+        let evp_pkey = LcPtr::new(unsafe { EVP_parse_private_key(&mut cbs) })
+            .map_err(|()| KeyRejected::invalid_encoding())?;
+        unsafe { EVP_PKEY_id(*evp_pkey.as_const()) }
+            .eq(&evp_pkey_type)
+            .then_some(evp_pkey)
+            .ok_or(KeyRejected::wrong_algorithm())
     }
 
     #[allow(non_snake_case)]

aws-lc-rs/src/rsa/encoding.rs

@@ -85,11 +85,9 @@ pub(in crate::rsa) mod rfc5280 {
     use crate::aws_lc::EVP_PKEY_RSA;
     use crate::buffer::Buffer;
     use crate::{
-        cbs,
         encoding::PublicKeyX509Der,
         error::{KeyRejected, Unspecified},
         ptr::LcPtr,
-        rsa::key::is_rsa_key,
     };
     use aws_lc::EVP_PKEY;
 

aws-lc-rs/src/rsa/encryption.rs

@@ -15,7 +15,7 @@ use crate::{
     error::{KeyRejected, Unspecified},
     ptr::LcPtr,
 };
-use aws_lc::EVP_PKEY;
+use aws_lc::{EVP_PKEY, EVP_PKEY_RSA};
 use core::fmt::Debug;
 
 /// RSA Encryption Algorithm Identifier
@@ -92,8 +92,7 @@ impl PrivateDecryptingKey {
     /// # Errors
     /// * `Unspecified` for any error that occurs during deserialization of this key from PKCS#8.
     pub fn from_pkcs8(pkcs8: &[u8]) -> Result<Self, KeyRejected> {
-        let key = LcPtr::<EVP_PKEY>::parse_rfc5208_private_key(pkcs8)
-            .map_err(|_| KeyRejected::invalid_encoding())?;
+        let key = LcPtr::<EVP_PKEY>::parse_rfc5208_private_key(pkcs8, EVP_PKEY_RSA)?;
         Ok(Self::new(key)?)
     }
 

aws-lc-rs/src/rsa/key.rs

@@ -28,7 +28,7 @@ use aws_lc::RSA_check_fips;
 use aws_lc::{
     EVP_DigestSignInit, EVP_PKEY_assign_RSA, EVP_PKEY_bits, EVP_PKEY_new, EVP_PKEY_size,
     RSA_generate_key_ex, RSA_generate_key_fips, RSA_new, RSA_set0_key, RSA_size, BIGNUM, EVP_PKEY,
-    EVP_PKEY_CTX,
+    EVP_PKEY_CTX, EVP_PKEY_RSA,
 };
 #[cfg(feature = "ring-io")]
 use aws_lc::{RSA_get0_e, RSA_get0_n};
@@ -157,7 +157,7 @@ impl KeyPair {
     /// `error::KeyRejected` if bytes do not encode an RSA private key or if the key is otherwise
     /// not acceptable.
     pub fn from_pkcs8(pkcs8: &[u8]) -> Result<Self, KeyRejected> {
-        let key = LcPtr::<EVP_PKEY>::parse_rfc5208_private_key(pkcs8)?;
+        let key = LcPtr::<EVP_PKEY>::parse_rfc5208_private_key(pkcs8, EVP_PKEY_RSA)?;
         Self::new(key)
     }
 

aws-lc-rs/tests/data/rsa_from_pkcs8_tests.txt

@@ -65,7 +65,7 @@ Input = 3082054f020100300d06092a864886f70d01010105000482053930820535020100028201
 
 # A valid ECC P-256 key.
 Input = 308187020100301306072a8648ce3d020106082a8648ce3d030107046d306b0201010420090460075f15d2a256248000fb02d83ad77593dde4ae59fc5e96142dffb2bd07a14403420004cf0d13a3a7577231ea1b66cf4021cd54f21f4ac4f5f2fdd28e05bc7d2bd099d1374cd08d2ef654d6f04498db462f73e0282058dd661a4c9b0437af3f7af6e724
-Error = Unspecified
+Error = WrongAlgorithm
 
 # An RSAPrivateKey, but with an AlgorithmIdentifier of ecPublicKey w/ P-256.
 Input = 308189020100301306072A8648CE3D020106082A8648CE3D0301070500046d306b0201010420090460075f15d2a256248000fb02d83ad77593dde4ae59fc5e96142dffb2bd07a14403420004cf0d13a3a7577231ea1b66cf4021cd54f21f4ac4f5f2fdd28e05bc7d2bd099d1374cd08d2ef654d6f04498db462f73e0282058dd661a4c9b0437af3f7af6e724