diff --git a/aws-lc-rs/src/ec.rs b/aws-lc-rs/src/ec.rs index cfd7d667113..0fe51a0bbfa 100644 --- a/aws-lc-rs/src/ec.rs +++ b/aws-lc-rs/src/ec.rs @@ -14,13 +14,13 @@ use aws_lc::EC_KEY_check_fips; #[cfg(not(feature = "fips"))] use aws_lc::EC_KEY_check_key; use aws_lc::{ - d2i_PrivateKey, point_conversion_form_t, BN_bn2bin_padded, BN_num_bytes, CBS_init, - ECDSA_SIG_from_bytes, ECDSA_SIG_get0_r, ECDSA_SIG_get0_s, EC_GROUP_get_curve_name, - EC_GROUP_new_by_curve_name, EC_KEY_get0_group, EC_KEY_get0_private_key, EC_KEY_get0_public_key, - EC_KEY_new, EC_KEY_set_group, EC_KEY_set_private_key, EC_KEY_set_public_key, EC_POINT_mul, - EC_POINT_new, EC_POINT_oct2point, EC_POINT_point2oct, EVP_PKEY_CTX_new_id, + d2i_PrivateKey, point_conversion_form_t, BN_bn2bin_padded, BN_num_bytes, ECDSA_SIG_from_bytes, + ECDSA_SIG_get0_r, ECDSA_SIG_get0_s, EC_GROUP_get_curve_name, EC_GROUP_new_by_curve_name, + EC_KEY_get0_group, EC_KEY_get0_private_key, EC_KEY_get0_public_key, EC_KEY_new, + EC_KEY_set_group, EC_KEY_set_private_key, EC_KEY_set_public_key, EC_POINT_mul, EC_POINT_new, + EC_POINT_oct2point, EC_POINT_point2oct, EVP_PKEY_CTX_new_id, EVP_PKEY_CTX_set_ec_paramgen_curve_nid, EVP_PKEY_assign_EC_KEY, EVP_PKEY_get0_EC_KEY, - EVP_PKEY_keygen, EVP_PKEY_keygen_init, EVP_PKEY_new, BIGNUM, CBS, EC_GROUP, EC_KEY, EC_POINT, + EVP_PKEY_keygen, EVP_PKEY_keygen_init, EVP_PKEY_new, BIGNUM, EC_GROUP, EC_KEY, EC_POINT, EVP_PKEY, EVP_PKEY_EC, }; diff --git a/aws-lc-rs/src/ec/key_pair.rs b/aws-lc-rs/src/ec/key_pair.rs index 63379a61c2b..8d237093d21 100644 --- a/aws-lc-rs/src/ec/key_pair.rs +++ b/aws-lc-rs/src/ec/key_pair.rs @@ -8,7 +8,7 @@ use core::fmt::{Debug, Formatter}; use core::mem::MaybeUninit; use core::ptr::{null, null_mut}; -use aws_lc::{EVP_DigestSign, EVP_DigestSignInit, EVP_PKEY_get0_EC_KEY, EVP_PKEY}; +use aws_lc::{EVP_DigestSign, EVP_DigestSignInit, EVP_PKEY_get0_EC_KEY, EVP_PKEY, EVP_PKEY_EC}; use crate::digest::digest_ctx::DigestContext; use crate::ec::evp_key_generate; 
@@ -92,7 +92,7 @@ impl EcdsaKeyPair { pkcs8: &[u8], ) -> Result { // Includes a call to `EC_KEY_check_key` - let evp_pkey = LcPtr::::parse_rfc5208_private_key(pkcs8)?; + let evp_pkey = LcPtr::::parse_rfc5208_private_key(pkcs8, EVP_PKEY_EC)?; #[cfg(not(feature = "fips"))] verify_evp_key_nid(&evp_pkey.as_const(), alg.id.nid())?; diff --git a/aws-lc-rs/src/ed25519.rs b/aws-lc-rs/src/ed25519.rs index f98dd928d3c..bd4f93ed469 100644 --- a/aws-lc-rs/src/ed25519.rs +++ b/aws-lc-rs/src/ed25519.rs @@ -5,7 +5,6 @@ use core::fmt; use core::fmt::{Debug, Formatter}; -use core::mem::MaybeUninit; use core::ptr::null_mut; use std::marker::PhantomData; @@ -13,10 +12,10 @@ use std::marker::PhantomData; use untrusted::Input; use aws_lc::{ - CBS_init, EVP_DigestSign, EVP_DigestSignInit, EVP_DigestVerify, EVP_DigestVerifyInit, - EVP_PKEY_CTX_new_id, EVP_PKEY_get_raw_private_key, EVP_PKEY_get_raw_public_key, EVP_PKEY_id, + EVP_DigestSign, EVP_DigestSignInit, EVP_DigestVerify, EVP_DigestVerifyInit, + EVP_PKEY_CTX_new_id, EVP_PKEY_get_raw_private_key, EVP_PKEY_get_raw_public_key, EVP_PKEY_keygen, EVP_PKEY_keygen_init, EVP_PKEY_new_raw_private_key, - EVP_PKEY_new_raw_public_key, CBS, EVP_PKEY, EVP_PKEY_ED25519, + EVP_PKEY_new_raw_public_key, EVP_PKEY, EVP_PKEY_ED25519, }; use crate::buffer::Buffer; @@ -430,7 +429,7 @@ impl Ed25519KeyPair { } fn parse_pkcs8(pkcs8: &[u8]) -> Result { - let evp_pkey = LcPtr::::parse_rfc5208_private_key(pkcs8)?; + let evp_pkey = LcPtr::::parse_rfc5208_private_key(pkcs8, EVP_PKEY_ED25519)?; evp_pkey.validate_as_ed25519()?; diff --git a/aws-lc-rs/src/evp_pkey.rs b/aws-lc-rs/src/evp_pkey.rs index 6e2c3ca8150..0963319f389 100644 --- a/aws-lc-rs/src/evp_pkey.rs +++ b/aws-lc-rs/src/evp_pkey.rs 
@@ -94,10 +94,10 @@ impl LcPtr { // Also checks the validity of the key let evp_pkey = LcPtr::new(unsafe { EVP_parse_public_key(&mut cbs) }) .map_err(|()| KeyRejected::invalid_encoding())?; - Ok(unsafe { EVP_PKEY_id(*evp_pkey.as_const()) } + unsafe { EVP_PKEY_id(*evp_pkey.as_const()) } .eq(&evp_pkey_type) .then_some(evp_pkey) - .ok_or(KeyRejected::wrong_algorithm())?) + .ok_or(KeyRejected::wrong_algorithm()) } pub(crate) fn marshall_rfc5208_private_key( @@ -123,11 +123,18 @@ impl LcPtr { cbb.into_vec() } - pub(crate) fn parse_rfc5208_private_key(bytes: &[u8]) -> Result { + pub(crate) fn parse_rfc5208_private_key( + bytes: &[u8], + evp_pkey_type: c_int, + ) -> Result { let mut cbs = cbs::build_CBS(bytes); // Also checks the validity of the key - LcPtr::new(unsafe { EVP_parse_private_key(&mut cbs) }) - .map_err(|()| KeyRejected::invalid_encoding()) + let evp_pkey = LcPtr::new(unsafe { EVP_parse_private_key(&mut cbs) }) + .map_err(|()| KeyRejected::invalid_encoding())?; + unsafe { EVP_PKEY_id(*evp_pkey.as_const()) } + .eq(&evp_pkey_type) + .then_some(evp_pkey) + .ok_or(KeyRejected::wrong_algorithm()) } #[allow(non_snake_case)] diff --git a/aws-lc-rs/src/rsa/encoding.rs b/aws-lc-rs/src/rsa/encoding.rs index 2f9fafc8833..ecf09273619 100644 --- a/aws-lc-rs/src/rsa/encoding.rs +++ b/aws-lc-rs/src/rsa/encoding.rs @@ -85,11 +85,9 @@ pub(in crate::rsa) mod rfc5280 { use crate::aws_lc::EVP_PKEY_RSA; use crate::buffer::Buffer; use crate::{ - cbs, encoding::PublicKeyX509Der, error::{KeyRejected, Unspecified}, ptr::LcPtr, - rsa::key::is_rsa_key, }; use aws_lc::EVP_PKEY; diff --git a/aws-lc-rs/src/rsa/encryption.rs b/aws-lc-rs/src/rsa/encryption.rs index c9e0f8962e5..bf85f7c99be 100644 --- a/aws-lc-rs/src/rsa/encryption.rs +++ b/aws-lc-rs/src/rsa/encryption.rs @@ -15,7 +15,7 @@ use crate::{ error::{KeyRejected, Unspecified}, ptr::LcPtr, }; -use aws_lc::EVP_PKEY; +use aws_lc::{EVP_PKEY, EVP_PKEY_RSA}; use core::fmt::Debug; /// RSA Encryption Algorithm Identifier 
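Review bot: In the new `parse_rfc5208_private_key`, nothing visible checks that `cbs` is empty after `EVP_parse_private_key` returns, so input with extra bytes after the PrivateKeyInfo appears to be accepted as long as the leading structure has the expected type. If strict parsing is intended, add `if unsafe { CBS_len(&cbs) } != 0 { return Err(KeyRejected::invalid_encoding()); }` before the type comparison, with `CBS_len` imported from `aws_lc`. Whether the underlying parser already rejects trailing data cannot be confirmed from this hunk, so a test vector with appended bytes would settle it. The `EVP_PKEY_id(..).eq(..).then_some(..).ok_or(..)` chain is now duplicated from the public-key parser above and could move into one private helper, so the two paths cannot drift apart.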
@@ -92,8 +92,7 @@ impl PrivateDecryptingKey { /// # Errors /// * `Unspecified` for any error that occurs during deserialization of this key from PKCS#8. pub fn from_pkcs8(pkcs8: &[u8]) -> Result { - let key = LcPtr::::parse_rfc5208_private_key(pkcs8) - .map_err(|_| KeyRejected::invalid_encoding())?; + let key = LcPtr::::parse_rfc5208_private_key(pkcs8, EVP_PKEY_RSA)?; Ok(Self::new(key)?) } diff --git a/aws-lc-rs/src/rsa/key.rs b/aws-lc-rs/src/rsa/key.rs index cfe00f09e1c..0d75df35770 100644 --- a/aws-lc-rs/src/rsa/key.rs +++ b/aws-lc-rs/src/rsa/key.rs @@ -28,7 +28,7 @@ use aws_lc::RSA_check_fips; use aws_lc::{ EVP_DigestSignInit, EVP_PKEY_assign_RSA, EVP_PKEY_bits, EVP_PKEY_new, EVP_PKEY_size, RSA_generate_key_ex, RSA_generate_key_fips, RSA_new, RSA_set0_key, RSA_size, BIGNUM, EVP_PKEY, - EVP_PKEY_CTX, + EVP_PKEY_CTX, EVP_PKEY_RSA, }; #[cfg(feature = "ring-io")] use aws_lc::{RSA_get0_e, RSA_get0_n}; @@ -157,7 +157,7 @@ impl KeyPair { /// `error::KeyRejected` if bytes do not encode an RSA private key or if the key is otherwise /// not acceptable. pub fn from_pkcs8(pkcs8: &[u8]) -> Result { - let key = LcPtr::::parse_rfc5208_private_key(pkcs8)?; + let key = LcPtr::::parse_rfc5208_private_key(pkcs8, EVP_PKEY_RSA)?; Self::new(key) } diff --git a/aws-lc-rs/tests/data/rsa_from_pkcs8_tests.txt b/aws-lc-rs/tests/data/rsa_from_pkcs8_tests.txt index 15a28d544cc..1562d2fdd7b 100644 --- a/aws-lc-rs/tests/data/rsa_from_pkcs8_tests.txt +++ b/aws-lc-rs/tests/data/rsa_from_pkcs8_tests.txt 
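Review bot: The `# Errors` doc on `PrivateDecryptingKey::from_pkcs8` still says `Unspecified` for any deserialization error, but the hunk removes the `map_err` that collapsed every parser failure into `invalid_encoding`. A non-RSA PKCS#8 document now reaches the caller as the parser's wrong-algorithm rejection, a caller-visible change that the doc does not mention. The return type's parameters are not visible in this rendering, so confirm the error type, then update the doc along the lines of ``/// * `KeyRejected` if `pkcs8` is not a valid PKCS#8 document, does not contain an RSA key, or the key is otherwise not acceptable.`` The doc comment starts above the hunk.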
@@ -65,7 +65,7 @@ Input = 3082054f020100300d06092a864886f70d01010105000482053930820535020100028201 # A valid ECC P-256 key. Input = 308187020100301306072a8648ce3d020106082a8648ce3d030107046d306b0201010420090460075f15d2a256248000fb02d83ad77593dde4ae59fc5e96142dffb2bd07a14403420004cf0d13a3a7577231ea1b66cf4021cd54f21f4ac4f5f2fdd28e05bc7d2bd099d1374cd08d2ef654d6f04498db462f73e0282058dd661a4c9b0437af3f7af6e724 -Error = Unspecified +Error = WrongAlgorithm # An RSAPrivateKey, but with an AlgorithmIdentifier of ecPublicKey w/ P-256. Input = 308189020100301306072A8648CE3D020106082A8648CE3D0301070500046d306b0201010420090460075f15d2a256248000fb02d83ad77593dde4ae59fc5e96142dffb2bd07a14403420004cf0d13a3a7577231ea1b66cf4021cd54f21f4ac4f5f2fdd28e05bc7d2bd099d1374cd08d2ef654d6f04498db462f73e0282058dd661a4c9b0437af3f7af6e724