Enum apple_codesign::cryptography::InMemoryPrivateKey

pub enum InMemoryPrivateKey {
    EcdsaP256(InMemoryEcdsaKey<NistP256>),
    Ed25519(InMemoryEd25519Key),
    Rsa(InMemoryRsaKey),
}

Holds a private key in memory.

Variants

EcdsaP256(InMemoryEcdsaKey<NistP256>)

ECDSA private key using Nist P256 curve.

Ed25519(InMemoryEd25519Key)

ED25519 private key.

Rsa(InMemoryRsaKey)

RSA private key.

Implementations

impl InMemoryPrivateKey

pub fn from_pkcs1_der(
    data: impl AsRef<[u8]>
) -> Result<Self, AppleCodesignError>

Construct an instance by parsing PKCS#1 DER data.

Examples found in repository

src/cli.rs (line 610)

fn collect_certificates_from_args(
    args: &ArgMatches,
    scan_smartcard: bool,
) -> Result<(Vec<Box<dyn PrivateKey>>, Vec<CapturedX509Certificate>), AppleCodesignError> {
    let mut keys: Vec<Box<dyn PrivateKey>> = vec![];
    let mut certs = vec![];

    if let Some(p12_path) = args.get_one::<String>("p12_path") {
        let p12_data = std::fs::read(p12_path)?;

        let p12_password = if let Some(password) = args.get_one::<String>("p12_password") {
            password.to_string()
        } else if let Some(path) = args.get_one::<String>("p12_password_file") {
            std::fs::read_to_string(path)?
                .lines()
                .next()
                .expect("should get a single line")
                .to_string()
        } else {
            dialoguer::Password::new()
                .with_prompt("Please enter password for p12 file")
                .interact()?
        };

        let (cert, key) = parse_pfx_data(&p12_data, &p12_password)?;

        keys.push(Box::new(key));
        certs.push(cert);
    }

    if let Some(values) = args.get_many::<String>("pem_source") {
        for pem_source in values {
            warn!("reading PEM data from {}", pem_source);
            let pem_data = std::fs::read(pem_source)?;

            for pem in pem::parse_many(pem_data).map_err(AppleCodesignError::CertificatePem)? {
                match pem.tag.as_str() {
                    "CERTIFICATE" => {
                        certs.push(CapturedX509Certificate::from_der(pem.contents)?);
                    }
                    "PRIVATE KEY" => {
                        keys.push(Box::new(InMemoryPrivateKey::from_pkcs8_der(&pem.contents)?));
                    }
                    "RSA PRIVATE KEY" => {
                        keys.push(Box::new(InMemoryPrivateKey::from_pkcs1_der(&pem.contents)?));
                    }
                    tag => warn!("(unhandled PEM tag {}; ignoring)", tag),
                }
            }
        }
    }

    if let Some(values) = args.get_many::<String>("der_source") {
        for der_source in values {
            warn!("reading DER file {}", der_source);
            let der_data = std::fs::read(der_source)?;

            certs.push(CapturedX509Certificate::from_der(der_data)?);
        }
    }

    find_certificates_in_keychain(args, &mut keys, &mut certs)?;

    if scan_smartcard {
        if let Some(slot) = args.get_one::<String>("smartcard_slot") {
            let pin_env_var = args.get_one::<String>("smartcard_pin_env");
            handle_smartcard_sign_slot(slot, pin_env_var.map(|x| &**x), &mut keys, &mut certs)?;
        }
    }

    let remote_signing_url = if args.get_flag("remote_signer") {
        args.get_one::<String>("remote_signing_url")
    } else {
        None
    };

    if let Some(remote_signing_url) = remote_signing_url {
        let initiator = get_remote_signing_initiator(args)?;

        let client = UnjoinedSigningClient::new_initiator(
            remote_signing_url,
            initiator,
            Some(print_session_join),
        )?;

        // As part of the handshake we obtained the public certificates from the signer.
        // So make them the canonical set.
        if !certs.is_empty() {
            warn!(
                "ignoring {} local certificates and using remote signer's certificate(s)",
                certs.len()
            );
        }

        certs = vec![client.signing_certificate().clone()];
        certs.extend(client.certificate_chain().iter().cloned());

        // The client implements Sign, so we just use it as the private key.
        keys = vec![Box::new(client)];
    }

    Ok((keys, certs))
}

pub fn from_pkcs8_der(
    data: impl AsRef<[u8]>
) -> Result<Self, AppleCodesignError>

Construct an instance by parsing PKCS#8 DER data.

Examples found in repository

src/cli.rs (line 607)

fn collect_certificates_from_args(
    args: &ArgMatches,
    scan_smartcard: bool,
) -> Result<(Vec<Box<dyn PrivateKey>>, Vec<CapturedX509Certificate>), AppleCodesignError> {
    let mut keys: Vec<Box<dyn PrivateKey>> = vec![];
    let mut certs = vec![];

    if let Some(p12_path) = args.get_one::<String>("p12_path") {
        let p12_data = std::fs::read(p12_path)?;

        let p12_password = if let Some(password) = args.get_one::<String>("p12_password") {
            password.to_string()
        } else if let Some(path) = args.get_one::<String>("p12_password_file") {
            std::fs::read_to_string(path)?
                .lines()
                .next()
                .expect("should get a single line")
                .to_string()
        } else {
            dialoguer::Password::new()
                .with_prompt("Please enter password for p12 file")
                .interact()?
        };

        let (cert, key) = parse_pfx_data(&p12_data, &p12_password)?;

        keys.push(Box::new(key));
        certs.push(cert);
    }

    if let Some(values) = args.get_many::<String>("pem_source") {
        for pem_source in values {
            warn!("reading PEM data from {}", pem_source);
            let pem_data = std::fs::read(pem_source)?;

            for pem in pem::parse_many(pem_data).map_err(AppleCodesignError::CertificatePem)? {
                match pem.tag.as_str() {
                    "CERTIFICATE" => {
                        certs.push(CapturedX509Certificate::from_der(pem.contents)?);
                    }
                    "PRIVATE KEY" => {
                        keys.push(Box::new(InMemoryPrivateKey::from_pkcs8_der(&pem.contents)?));
                    }
                    "RSA PRIVATE KEY" => {
                        keys.push(Box::new(InMemoryPrivateKey::from_pkcs1_der(&pem.contents)?));
                    }
                    tag => warn!("(unhandled PEM tag {}; ignoring)", tag),
                }
            }
        }
    }

    if let Some(values) = args.get_many::<String>("der_source") {
        for der_source in values {
            warn!("reading DER file {}", der_source);
            let der_data = std::fs::read(der_source)?;

            certs.push(CapturedX509Certificate::from_der(der_data)?);
        }
    }

    find_certificates_in_keychain(args, &mut keys, &mut certs)?;

    if scan_smartcard {
        if let Some(slot) = args.get_one::<String>("smartcard_slot") {
            let pin_env_var = args.get_one::<String>("smartcard_pin_env");
            handle_smartcard_sign_slot(slot, pin_env_var.map(|x| &**x), &mut keys, &mut certs)?;
        }
    }

    let remote_signing_url = if args.get_flag("remote_signer") {
        args.get_one::<String>("remote_signing_url")
    } else {
        None
    };

    if let Some(remote_signing_url) = remote_signing_url {
        let initiator = get_remote_signing_initiator(args)?;

        let client = UnjoinedSigningClient::new_initiator(
            remote_signing_url,
            initiator,
            Some(print_session_join),
        )?;

        // As part of the handshake we obtained the public certificates from the signer.
        // So make them the canonical set.
        if !certs.is_empty() {
            warn!(
                "ignoring {} local certificates and using remote signer's certificate(s)",
                certs.len()
            );
        }

        certs = vec![client.signing_certificate().clone()];
        certs.extend(client.certificate_chain().iter().cloned());

        // The client implements Sign, so we just use it as the private key.
        keys = vec![Box::new(client)];
    }

    Ok((keys, certs))
}

src/cryptography.rs (line 568)

pub fn parse_pfx_data(
    data: &[u8],
    password: &str,
) -> Result<(CapturedX509Certificate, InMemoryPrivateKey), AppleCodesignError> {
    let pfx = p12::PFX::parse(data).map_err(|e| {
        AppleCodesignError::PfxParseError(format!("data does not appear to be PFX: {e:?}"))
    })?;

    if !pfx.verify_mac(password) {
        return Err(AppleCodesignError::PfxBadPassword);
    }

    // Apple's certificate export format consists of regular data content info
    // with inner ContentInfo components holding the key and certificate.
    let data = match pfx.auth_safe {
        p12::ContentInfo::Data(data) => data,
        _ => {
            return Err(AppleCodesignError::PfxParseError(
                "unexpected PFX content info".to_string(),
            ));
        }
    };

    let content_infos = yasna::parse_der(&data, |reader| {
        reader.collect_sequence_of(p12::ContentInfo::parse)
    })
    .map_err(|e| {
        AppleCodesignError::PfxParseError(format!("failed parsing inner ContentInfo: {e:?}"))
    })?;

    let bmp_password = bmp_string(password);

    let mut certificate = None;
    let mut signing_key = None;

    for content in content_infos {
        let bags_data = match content {
            p12::ContentInfo::Data(inner) => inner,
            p12::ContentInfo::EncryptedData(encrypted) => {
                encrypted.data(&bmp_password).ok_or_else(|| {
                    AppleCodesignError::PfxParseError(
                        "failed decrypting inner EncryptedData".to_string(),
                    )
                })?
            }
            p12::ContentInfo::OtherContext(_) => {
                return Err(AppleCodesignError::PfxParseError(
                    "unexpected OtherContent content in inner PFX data".to_string(),
                ));
            }
        };

        let bags = yasna::parse_ber(&bags_data, |reader| {
            reader.collect_sequence_of(p12::SafeBag::parse)
        })
        .map_err(|e| {
            AppleCodesignError::PfxParseError(format!(
                "failed parsing SafeBag within inner Data: {e:?}"
            ))
        })?;

        for bag in bags {
            match bag.bag {
                p12::SafeBagKind::CertBag(cert_bag) => match cert_bag {
                    p12::CertBag::X509(cert_data) => {
                        certificate = Some(CapturedX509Certificate::from_der(cert_data)?);
                    }
                    p12::CertBag::SDSI(_) => {
                        return Err(AppleCodesignError::PfxParseError(
                            "unexpected SDSI certificate data".to_string(),
                        ));
                    }
                },
                p12::SafeBagKind::Pkcs8ShroudedKeyBag(key_bag) => {
                    let decrypted = key_bag.decrypt(&bmp_password).ok_or_else(|| {
                        AppleCodesignError::PfxParseError(
                            "error decrypting PKCS8 shrouded key bag; is the password correct?"
                                .to_string(),
                        )
                    })?;

                    signing_key = Some(InMemoryPrivateKey::from_pkcs8_der(decrypted)?);
                }
                p12::SafeBagKind::OtherBagKind(_) => {
                    return Err(AppleCodesignError::PfxParseError(
                        "unexpected bag type in inner PFX content".to_string(),
                    ));
                }
            }
        }
    }

    match (certificate, signing_key) {
        (Some(certificate), Some(signing_key)) => Ok((certificate, signing_key)),
        (None, Some(_)) => Err(AppleCodesignError::PfxParseError(
            "failed to find x509 certificate in PFX data".to_string(),
        )),
        (_, None) => Err(AppleCodesignError::PfxParseError(
            "failed to find signing key in PFX data".to_string(),
        )),
    }
}

Trait Implementations

impl Clone for InMemoryPrivateKey

fn clone(&self) -> InMemoryPrivateKey

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for InMemoryPrivateKey

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl EncodePrivateKey for InMemoryPrivateKey

fn to_pkcs8_der(&self) -> Result<SecretDocument>

Serialize a SecretDocument containing a PKCS#8-encoded private key.

fn to_pkcs8_pem(
    &self,
    line_ending: LineEnding
) -> Result<Zeroizing<String>, Error>

Serialize this private key as PEM-encoded PKCS#8 with the given [LineEnding].

fn write_pkcs8_der_file(&self, path: impl AsRef<Path>) -> Result<(), Error>

Write ASN.1 DER-encoded PKCS#8 private key to the given path

fn write_pkcs8_pem_file(
    &self,
    path: impl AsRef<Path>,
    line_ending: LineEnding
) -> Result<(), Error>

Write ASN.1 DER-encoded PKCS#8 private key to the given path

impl PrivateKey for InMemoryPrivateKey

fn as_key_info_signer(&self) -> &dyn KeyInfoSigner

fn to_public_key_peer_decrypt(
    &self
) -> Result<Box<dyn PublicKeyPeerDecrypt>, AppleCodesignError>

fn finish(&self) -> Result<(), AppleCodesignError>

Signals the end of operations on the private key.

impl PublicKeyPeerDecrypt for InMemoryPrivateKey

fn decrypt(&self, ciphertext: &[u8]) -> Result<Vec<u8>, RemoteSignError>

Decrypt an encrypted message.

impl Sign for InMemoryPrivateKey

fn sign(
    &self,
    message: &[u8]
) -> Result<(Vec<u8>, SignatureAlgorithm), X509CertificateError>

👎Deprecated since 0.13.0: use the signature::Signer trait instead

Create a cyrptographic signature over a message.

fn key_algorithm(&self) -> Option<KeyAlgorithm>

Obtain the algorithm of the private key.

fn public_key_data(&self) -> Bytes

Obtain the raw bytes constituting the public key of the signing certificate.

fn signature_algorithm(
    &self
) -> Result<SignatureAlgorithm, X509CertificateError>

Obtain the SignatureAlgorithm that this signer will use.

fn private_key_data(&self) -> Option<Vec<u8>>

Obtain the raw private key data.

fn rsa_primes(&self) -> Result<Option<(Vec<u8>, Vec<u8>)>, X509CertificateError>

Obtain RSA key primes p and q, if available.

impl Signer<Signature> for InMemoryPrivateKey

fn try_sign(&self, msg: &[u8]) -> Result<Signature, Error>

Attempt to sign the given message, returning a digital signature on success, or an error if something went wrong.

fn sign(&self, msg: &[u8]) -> S

Sign the given message and return a digital signature

impl TryFrom<InMemoryPrivateKey> for InMemorySigningKeyPair

type Error = AppleCodesignError

The type returned in the event of a conversion error.

fn try_from(key: InMemoryPrivateKey) -> Result<Self, Self::Error>

Performs the conversion.

impl<'a> TryFrom<PrivateKeyInfo<'a>> for InMemoryPrivateKey

type Error = Error

The type returned in the event of a conversion error.

fn try_from(value: PrivateKeyInfo<'a>) -> Result<Self, Self::Error>

Performs the conversion.

impl KeyInfoSigner for InMemoryPrivateKey