RustCrypto implementation of DPE crypto. #287
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Adds a RustCrypto implementation as an alternative to openssl. Openssl is set as the default, and for platform/simulator the two are mutually exclusive. For the Cryto trait impl, I generally did not use generics across curves even though it is possible, because the trait bounds needed were often longer than the actual shared logic. There is some shared logic with the openssl impl using the hkdf crate, which I've moved into a shared module.
Most builds/test run with default openssl, but the full rustcrypto impl is exercised with the verification tests. The cfg_if usage means rustcrypto and openssl are no longer mututally exclusive for the default platform.
jhand2
approved these changes
Dec 14, 2023
zhalvorsen
reviewed
Dec 14, 2023
|
|
||
| #[cfg(feature = "openssl")] | ||
| pub use crate::openssl::*; | ||
| pub use signer::*; | ||
|
|
||
| #[cfg(feature = "rustcrypto")] | ||
| pub use crate::rustcrypto::*; | ||
| pub use signer::*; |
There was a problem hiding this comment.
nit: this line is duplicated
Suggested change
| pub use signer::*; |
Comment on lines
+37
to
+79
| impl DefaultPlatform { | ||
| cfg_if! { | ||
| if #[cfg(feature = "openssl")] { | ||
| fn parse_issuer_name() -> Vec<u8> { | ||
| X509::from_pem(TEST_CERT_PEM) | ||
| .unwrap() | ||
| .subject_name() | ||
| .to_der() | ||
| .unwrap() | ||
| }} else if #[cfg(feature = "rustcrypto")] { | ||
| fn parse_issuer_name() -> Vec<u8> { | ||
| Certificate::from_pem(TEST_CERT_PEM) | ||
| .unwrap() | ||
| .tbs_certificate | ||
| .subject | ||
| .to_der() | ||
| .unwrap() | ||
| } | ||
| }} | ||
|
|
||
| cfg_if! { | ||
| if #[cfg(feature = "openssl")] { | ||
| fn parse_issuer_sn() -> Vec<u8> { | ||
| X509::from_pem(TEST_CERT_PEM) | ||
| .unwrap() | ||
| .serial_number() | ||
| .to_bn() | ||
| .unwrap() | ||
| .to_vec() | ||
| } | ||
| } else if #[cfg(feature = "rustcrypto")] { | ||
| fn parse_issuer_sn() -> Vec<u8> { | ||
| Certificate::from_pem(TEST_CERT_PEM) | ||
| .unwrap() | ||
| .tbs_certificate | ||
| .serial_number | ||
| .as_bytes() | ||
| .to_vec() | ||
| } | ||
| } | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
optional: this might just be personal preference, but I think if they are separated into distinct modules it might be a little more readable.
Suggested change
| impl DefaultPlatform { | |
| cfg_if! { | |
| if #[cfg(feature = "openssl")] { | |
| fn parse_issuer_name() -> Vec<u8> { | |
| X509::from_pem(TEST_CERT_PEM) | |
| .unwrap() | |
| .subject_name() | |
| .to_der() | |
| .unwrap() | |
| }} else if #[cfg(feature = "rustcrypto")] { | |
| fn parse_issuer_name() -> Vec<u8> { | |
| Certificate::from_pem(TEST_CERT_PEM) | |
| .unwrap() | |
| .tbs_certificate | |
| .subject | |
| .to_der() | |
| .unwrap() | |
| } | |
| }} | |
| cfg_if! { | |
| if #[cfg(feature = "openssl")] { | |
| fn parse_issuer_sn() -> Vec<u8> { | |
| X509::from_pem(TEST_CERT_PEM) | |
| .unwrap() | |
| .serial_number() | |
| .to_bn() | |
| .unwrap() | |
| .to_vec() | |
| } | |
| } else if #[cfg(feature = "rustcrypto")] { | |
| fn parse_issuer_sn() -> Vec<u8> { | |
| Certificate::from_pem(TEST_CERT_PEM) | |
| .unwrap() | |
| .tbs_certificate | |
| .serial_number | |
| .as_bytes() | |
| .to_vec() | |
| } | |
| } | |
| } | |
| } | |
| pub use default::DefaultPlatform | |
| #[cfg(feature = "openssl")] | |
| mod default { | |
| use super::*; | |
| use openssl::x509::X509; | |
| pub struct DefaultPlatform; | |
| impl DefaultPlatform { | |
| pub fn parse_issuer_name() -> Vec<u8> { | |
| X509::from_pem(TEST_CERT_PEM) | |
| .unwrap() | |
| .subject_name() | |
| .to_der() | |
| .unwrap() | |
| } | |
| pub fn parse_issuer_sn() -> Vec<u8> { | |
| X509::from_pem(TEST_CERT_PEM) | |
| .unwrap() | |
| .serial_number() | |
| .to_bn() | |
| .unwrap() | |
| .to_vec() | |
| } | |
| } | |
| } | |
| #[cfg(feature = "rustcrypto")] | |
| mod default { | |
| use super::*; | |
| use x509_cert::{ | |
| certificate::Certificate, | |
| der::{DecodePem, Encode}, | |
| }; | |
| impl DefaultPlatform { | |
| pub fn parse_issuer_name() -> Vec<u8> { | |
| Certificate::from_pem(TEST_CERT_PEM) | |
| .unwrap() | |
| .tbs_certificate | |
| .subject | |
| .to_der() | |
| .unwrap() | |
| } | |
| pub fn parse_issuer_sn() -> Vec<u8> { | |
| Certificate::from_pem(TEST_CERT_PEM) | |
| .unwrap() | |
| .tbs_certificate | |
| .serial_number | |
| .as_bytes() | |
| .to_vec() | |
| } | |
| } | |
| } |
There was a problem hiding this comment.
Sent #288 (left cfg_if in to allow clippy/fmt to run on both impls by default)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds a RustCrypto implementation as an alternative to openssl. Openssl is set as the default, and for platform/simulator the two are mutually exclusive.
For the Crypto trait impl, I generally did not use generics across curves even though it is possible, because the trait bounds needed were often longer than the actual shared logic.
There is some shared logic with the openssl impl using the hkdf crate, which I've moved into a shared module.