feat: implement AssociatedAlgorithmIdentifier for PKCS1v15 and PSS keys

Allow getting the algorithm identifiers for signing keys Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
RustCrypto · Mar 27, 2023 · 5afefd7 · 5afefd7
1 parent 933bbdf
commit 5afefd7
Show file tree

Hide file tree

Showing 3 changed files with 99 additions and 3 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -23,11 +23,16 @@ subtle = { version = "2.1.1", default-features = false }
 digest = { version = "0.10.5", default-features = false, features = ["alloc", "oid"] }
 pkcs1 = { version = "0.7.1", default-features = false, features = ["alloc", "pkcs8"] }
 pkcs8 = { version = "0.10", default-features = false, features = ["alloc"] }
-serde = { version = "1.0.103", optional = true, default-features = false, features = ["derive"] }
-sha2 = { version = "0.10.6", optional = true, default-features = false, features = ["oid"] }
 signature = { version = "2", default-features = false , features = ["digest", "rand_core"] }
 zeroize = { version = "1", features = ["alloc"] }
 
+# optional dependencies
+const-oid = { version = "0.9", optional = true }
+serde = { version = "1.0.103", optional = true, default-features = false, features = ["derive"] }
+sha1 = { version = "0.10.5", optional = true, default-features = false, features = ["oid"] }
+sha2 = { version = "0.10.6", optional = true, default-features = false, features = ["oid"] }
+spki = { version = "0.7.0", optional = true, default-features = false }
+
 [dev-dependencies]
 base64ct = { version = "1", features = ["alloc"] }
 hex-literal = "0.3.3"
@@ -52,9 +57,10 @@ std = ["digest/std", "pkcs1/std", "pkcs8/std", "rand_core/std", "signature/std"]
 pem = ["pkcs1/pem", "pkcs8/pem"]
 pkcs5 = ["pkcs8/encryption"]
 getrandom = ["rand_core/getrandom"]
+algoid = ["spki/alloc", "const-oid"]
 
 [package.metadata.docs.rs]
-features = ["std", "pem", "serde", "expose-internals", "sha2"]
+features = ["std", "pem", "serde", "expose-internals", "sha2", "algoid"]
 rustdoc-args = ["--cfg", "docsrs"]
 
 [profile.dev]

diff --git a/src/pkcs1v15.rs b/src/pkcs1v15.rs
@@ -436,6 +436,26 @@ where
     }
 }
 
+#[cfg(all(feature = "algoid", feature = "sha1"))]
+impl spki::AssociatedAlgorithmIdentifier for SigningKey<sha1::Sha1> {
+    fn get_algo_id(&self) -> spki::AlgorithmIdentifierOwned {
+        spki::AlgorithmIdentifierOwned {
+            oid: const_oid::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.5"),
+            parameters: None,
+        }
+    }
+}
+
+#[cfg(all(feature = "algoid", feature = "sha2"))]
+impl spki::AssociatedAlgorithmIdentifier for SigningKey<sha2::Sha256> {
+    fn get_algo_id(&self) -> spki::AlgorithmIdentifierOwned {
+        spki::AlgorithmIdentifierOwned {
+            oid: const_oid::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.11"),
+            parameters: None,
+        }
+    }
+}
+
 impl<D> From<RsaPrivateKey> for SigningKey<D>
 where
     D: Digest,

diff --git a/src/pss.rs b/src/pss.rs
@@ -23,6 +23,18 @@ use signature::{
 };
 use subtle::ConstantTimeEq;
 
+#[cfg(feature = "algoid")]
+use const_oid::{AssociatedOid, ObjectIdentifier};
+#[cfg(feature = "algoid")]
+use pkcs1::RsaPssParams;
+#[cfg(feature = "algoid")]
+use pkcs8::der::{Decode, Encode};
+#[cfg(feature = "algoid")]
+use spki::{
+    AlgorithmIdentifier, AlgorithmIdentifierOwned, AlgorithmIdentifierRef,
+    AssociatedAlgorithmIdentifier,
+};
+
 use crate::algorithms::{mgf1_xor, mgf1_xor_digest};
 use crate::errors::{Error, Result};
 use crate::key::{PrivateKey, PublicKey};
@@ -684,6 +696,54 @@ where
     }
 }
 
+#[cfg(feature = "algoid")]
+fn get_pss_algo_id<D>(salt_len: Option<usize>) -> spki::AlgorithmIdentifierOwned
+where
+    D: Digest + AssociatedOid,
+{
+    const ID_MGF_1: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.8");
+    const ID_RSASSA_PSS: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.10");
+
+    let salt_len = salt_len.map_or(RsaPssParams::SALT_LEN_DEFAULT, |l| l as u8);
+
+    /*
+     * We do not expect that any of this functions fails, unless the library is broken, so it
+     * is safe to use unwrap()
+     */
+    let pss_params = RsaPssParams {
+        hash: AlgorithmIdentifierRef {
+            oid: D::OID,
+            parameters: None,
+        },
+        mask_gen: AlgorithmIdentifier {
+            oid: ID_MGF_1,
+            parameters: Some(AlgorithmIdentifierRef {
+                oid: D::OID,
+                parameters: None,
+            }),
+        },
+        salt_len,
+        trailer_field: Default::default(),
+    }
+    .to_der()
+    .unwrap();
+
+    AlgorithmIdentifierOwned {
+        oid: ID_RSASSA_PSS,
+        parameters: Some(pkcs8::der::Any::from_der(&pss_params).unwrap()),
+    }
+}
+
+#[cfg(feature = "algoid")]
+impl<D> AssociatedAlgorithmIdentifier for SigningKey<D>
+where
+    D: Digest + AssociatedOid,
+{
+    fn get_algo_id(&self) -> AlgorithmIdentifierOwned {
+        get_pss_algo_id::<D>(self.salt_len)
+    }
+}
+
 impl<D> From<RsaPrivateKey> for SigningKey<D>
 where
     D: Digest,
@@ -820,6 +880,16 @@ where
     }
 }
 
+#[cfg(feature = "algoid")]
+impl<D> AssociatedAlgorithmIdentifier for BlindedSigningKey<D>
+where
+    D: Digest + AssociatedOid,
+{
+    fn get_algo_id(&self) -> AlgorithmIdentifierOwned {
+        get_pss_algo_id::<D>(self.salt_len)
+    }
+}
+
 impl<D> From<RsaPrivateKey> for BlindedSigningKey<D>
 where
     D: Digest,