use crate::{Error, Result};
use core::fmt;
use der::{asn1::OctetStringRef, Decode, DecodeValue, Encode, Header, Reader, Sequence};
use pkcs5::EncryptionScheme;
#[cfg(feature = "alloc")]
use der::SecretDocument;
#[cfg(feature = "encryption")]
use {
pkcs5::pbes2,
rand_core::{CryptoRng, RngCore},
};
#[cfg(feature = "pem")]
use der::pem::PemLabel;
#[cfg_attr(docsrs, doc(cfg(feature = "pkcs5")))]
#[derive(Clone, Eq, PartialEq)]
pub struct EncryptedPrivateKeyInfo<'a> {
pub encryption_algorithm: EncryptionScheme<'a>,
pub encrypted_data: &'a [u8],
}
impl<'a> EncryptedPrivateKeyInfo<'a> {
#[cfg(feature = "encryption")]
#[cfg_attr(docsrs, doc(cfg(feature = "encryption")))]
pub fn decrypt(&self, password: impl AsRef<[u8]>) -> Result<SecretDocument> {
Ok(self
.encryption_algorithm
.decrypt(password, self.encrypted_data)?
.try_into()?)
}
#[cfg(feature = "encryption")]
#[cfg_attr(docsrs, doc(cfg(feature = "encryption")))]
pub(crate) fn encrypt(
mut rng: impl CryptoRng + RngCore,
password: impl AsRef<[u8]>,
doc: &[u8],
) -> Result<SecretDocument> {
let mut salt = [0u8; 16];
rng.fill_bytes(&mut salt);
let mut iv = [0u8; 16];
rng.fill_bytes(&mut iv);
let pbes2_params = pbes2::Parameters::scrypt_aes256cbc(Default::default(), &salt, &iv)?;
EncryptedPrivateKeyInfo::encrypt_with(pbes2_params, password, doc)
}
#[cfg(feature = "encryption")]
#[cfg_attr(docsrs, doc(cfg(feature = "encryption")))]
pub(crate) fn encrypt_with(
pbes2_params: pbes2::Parameters<'a>,
password: impl AsRef<[u8]>,
doc: &[u8],
) -> Result<SecretDocument> {
let encrypted_data = pbes2_params.encrypt(password, doc)?;
EncryptedPrivateKeyInfo {
encryption_algorithm: pbes2_params.into(),
encrypted_data: &encrypted_data,
}
.try_into()
}
}
impl<'a> DecodeValue<'a> for EncryptedPrivateKeyInfo<'a> {
fn decode_value<R: Reader<'a>>(
reader: &mut R,
header: Header,
) -> der::Result<EncryptedPrivateKeyInfo<'a>> {
reader.read_nested(header.length, |reader| {
Ok(Self {
encryption_algorithm: reader.decode()?,
encrypted_data: OctetStringRef::decode(reader)?.as_bytes(),
})
})
}
}
impl<'a> Sequence<'a> for EncryptedPrivateKeyInfo<'a> {
fn fields<F, T>(&self, f: F) -> der::Result<T>
where
F: FnOnce(&[&dyn Encode]) -> der::Result<T>,
{
f(&[
&self.encryption_algorithm,
&OctetStringRef::new(self.encrypted_data)?,
])
}
}
impl<'a> TryFrom<&'a [u8]> for EncryptedPrivateKeyInfo<'a> {
type Error = Error;
fn try_from(bytes: &'a [u8]) -> Result<Self> {
Ok(Self::from_der(bytes)?)
}
}
impl<'a> fmt::Debug for EncryptedPrivateKeyInfo<'a> {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
f.debug_struct("EncryptedPrivateKeyInfo")
.field("encryption_algorithm", &self.encryption_algorithm)
.finish_non_exhaustive()
}
}
#[cfg(feature = "alloc")]
#[cfg_attr(docsrs, doc(cfg(all(feature = "alloc", feature = "pkcs5"))))]
impl TryFrom<EncryptedPrivateKeyInfo<'_>> for SecretDocument {
type Error = Error;
fn try_from(encrypted_private_key: EncryptedPrivateKeyInfo<'_>) -> Result<SecretDocument> {
SecretDocument::try_from(&encrypted_private_key)
}
}
#[cfg(feature = "alloc")]
#[cfg_attr(docsrs, doc(cfg(all(feature = "alloc", feature = "pkcs5"))))]
impl TryFrom<&EncryptedPrivateKeyInfo<'_>> for SecretDocument {
type Error = Error;
fn try_from(encrypted_private_key: &EncryptedPrivateKeyInfo<'_>) -> Result<SecretDocument> {
Ok(Self::encode_msg(encrypted_private_key)?)
}
}
#[cfg(feature = "pem")]
#[cfg_attr(docsrs, doc(cfg(feature = "pem")))]
impl PemLabel for EncryptedPrivateKeyInfo<'_> {
const PEM_LABEL: &'static str = "ENCRYPTED PRIVATE KEY";
}