purecrypto 0.5.1

A pure-Rust cryptography toolkit with no foreign-code dependencies, from constant-time primitives up to keys, X.509 and TLS.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157

//! Server-side ECH key material: an [`EchKeyPair`] (one HPKE recipient
//! key bound to one `ECHConfig`) and an [`EchKeyRing`] (a small
//! ordered list of pairs the server tries in turn against the
//! incoming `config_id`).

use super::config::{
    EchConfig, EchConfigContents, EchConfigList, HpkeKeyConfig, HpkeSymCipherSuite,
};
use crate::hpke::{HpkeAead, HpkeKdf, HpkeKem};
use crate::rng::RngCore;
use crate::tls::Error;
use alloc::vec::Vec;

/// One server-side HPKE recipient key paired with the `ECHConfig`
/// the matching client will use.
#[derive(Clone, Debug)]
pub struct EchKeyPair {
    /// HPKE KEM choice for this key.
    pub(crate) kem: HpkeKem,
    /// Raw HPKE private-key bytes (`Nsk(kem)` bytes long).
    pub(crate) private_key: Vec<u8>,
    /// The published `ECHConfig` referring to this key. `config_id`,
    /// `public_key`, `kem_id`, and the announced symmetric cipher
    /// suites all come from this struct.
    pub(crate) config: EchConfig,
}

impl EchKeyPair {
    /// Generate a fresh ECH key pair and the matching `ECHConfig`.
    ///
    /// `public_name` is the SNI the outer CH will carry — the
    /// certificate the server actually presents on outer-CH handshakes
    /// (or on ECH reject) must cover this name. `cipher_suites` is the
    /// non-empty list of `(kdf, aead)` symmetric pairs the server is
    /// willing to accept; the client picks one for its CH.
    /// `maximum_name_length` is the longest inner SNI byte length the
    /// publisher commits to padding shorter names up to.
    /// `config_id` is the 8-bit lookup byte.
    pub fn generate<R: RngCore>(
        rng: &mut R,
        kem: HpkeKem,
        config_id: u8,
        public_name: &[u8],
        maximum_name_length: u8,
        cipher_suites: Vec<HpkeSymCipherSuite>,
    ) -> Result<Self, Error> {
        if public_name.is_empty() || public_name.len() > 255 {
            return Err(Error::EchDecodeError);
        }
        if cipher_suites.is_empty() {
            return Err(Error::EchDecodeError);
        }
        let (sk, pk) = kem
            .generate_key_pair(rng)
            .map_err(|_| Error::EchDecodeError)?;
        let key_config = HpkeKeyConfig {
            config_id,
            kem_id: kem.id(),
            public_key: pk,
            cipher_suites,
        };
        let contents = EchConfigContents {
            key_config,
            maximum_name_length,
            public_name: public_name.to_vec(),
            extensions: Vec::new(),
        };
        let config = EchConfig::new(contents);
        Ok(Self {
            kem,
            private_key: sk,
            config,
        })
    }

    /// The `config_id` byte clients echo to select this key.
    pub fn config_id(&self) -> u8 {
        // Safe by construction: only built via `generate` and only at
        // a supported version.
        self.config
            .contents
            .as_ref()
            .map(|c| c.key_config.config_id)
            .unwrap_or(0)
    }

    /// The `ECHConfig` this key pair publishes.
    pub fn config(&self) -> &EchConfig {
        &self.config
    }

    /// The HPKE KEM this key is bound to.
    pub fn kem(&self) -> HpkeKem {
        self.kem
    }

    /// Raw HPKE private-key bytes — kept opaque outside the ECH module.
    pub(crate) fn private_key_bytes(&self) -> &[u8] {
        &self.private_key
    }

    /// True if `(kdf_id, aead_id)` is in this key's announced suite list.
    pub(crate) fn accepts(&self, kdf: HpkeKdf, aead: HpkeAead) -> bool {
        let contents = match self.config.contents.as_ref() {
            Some(c) => c,
            None => return false,
        };
        contents
            .key_config
            .cipher_suites
            .iter()
            .any(|s| s.kdf_id == kdf.id() && s.aead_id == aead.id())
    }
}

/// An ordered ring of server-side ECH keys. Each incoming outer-CH ECH
/// extension carries a `config_id`; the server picks the first
/// matching pair to attempt decryption with. Multiple keys exist to
/// support key rotation without breaking in-flight clients that may
/// still hold an older config.
#[derive(Clone, Debug)]
pub struct EchKeyRing {
    pub(crate) pairs: Vec<EchKeyPair>,
}

impl EchKeyRing {
    /// Empty ring — no keys to decrypt with.
    pub fn new() -> Self {
        Self { pairs: Vec::new() }
    }

    /// Build a ring from an existing list of pairs (order preserved).
    pub fn from_pairs(pairs: Vec<EchKeyPair>) -> Self {
        Self { pairs }
    }

    /// Append a key pair.
    pub fn push(&mut self, pair: EchKeyPair) {
        self.pairs.push(pair);
    }

    /// Find the first pair with this `config_id`.
    pub(crate) fn find_by_config_id(&self, config_id: u8) -> Option<&EchKeyPair> {
        self.pairs.iter().find(|p| p.config_id() == config_id)
    }

    /// Publish the keys as an `ECHConfigList` clients can use to seal.
    pub fn to_config_list(&self) -> EchConfigList {
        EchConfigList::new(self.pairs.iter().map(|p| p.config.clone()).collect())
    }
}

impl Default for EchKeyRing {
    fn default() -> Self {
        Self::new()
    }
}