sad_rsa/pss/
signing_key.rs

1use super::{sign_digest, Signature, VerifyingKey};
2use crate::{Result, RsaPrivateKey};
3use core::marker::PhantomData;
4use digest::{Digest, FixedOutputReset, Update};
5use rand_core::{CryptoRng, TryCryptoRng};
6use signature::{
7    hazmat::RandomizedPrehashSigner, Keypair, RandomizedDigestSigner, RandomizedMultipartSigner,
8    RandomizedSigner,
9};
10use zeroize::ZeroizeOnDrop;
11
12#[cfg(feature = "serde")]
13use {
14    pkcs8::DecodePrivateKey,
15    serdect::serde::{de, ser, Deserialize, Serialize},
16};
17
18#[cfg(feature = "encoding")]
19use {
20    super::get_pss_signature_algo_id,
21    crate::encoding::verify_algorithm_id,
22    const_oid::AssociatedOid,
23    pkcs8::{EncodePrivateKey, SecretDocument},
24    spki::{
25        der::AnyRef, AlgorithmIdentifierOwned, AlgorithmIdentifierRef,
26        AssociatedAlgorithmIdentifier, DynSignatureAlgorithmIdentifier,
27    },
28};
29
30#[cfg(feature = "getrandom")]
31use {
32    getrandom::SysRng,
33    signature::{hazmat::PrehashSigner, MultipartSigner, Signer},
34};
35
36/// Signing key for producing RSASSA-PSS signatures as described in
37/// [RFC8017 § 8.1].
38///
39/// [RFC8017 § 8.1]: https://datatracker.ietf.org/doc/html/rfc8017#section-8.1
40#[derive(Debug, Clone)]
41pub struct SigningKey<D>
42where
43    D: Digest,
44{
45    inner: RsaPrivateKey,
46    salt_len: usize,
47    phantom: PhantomData<D>,
48}
49
50impl<D> SigningKey<D>
51where
52    D: Digest,
53{
54    /// Create a new RSASSA-PSS signing key.
55    /// Digest output size is used as a salt length.
56    pub fn new(key: RsaPrivateKey) -> Self {
57        Self::new_with_salt_len(key, <D as Digest>::output_size())
58    }
59
60    /// Create a new RSASSA-PSS signing key with a salt of the given length.
61    pub fn new_with_salt_len(key: RsaPrivateKey, salt_len: usize) -> Self {
62        Self {
63            inner: key,
64            salt_len,
65            phantom: Default::default(),
66        }
67    }
68
69    /// Generate a new random RSASSA-PSS signing key.
70    /// Digest output size is used as a salt length.
71    pub fn random<R: CryptoRng + ?Sized>(rng: &mut R, bit_size: usize) -> Result<Self> {
72        Self::random_with_salt_len(rng, bit_size, <D as Digest>::output_size())
73    }
74
75    /// Generate a new random RSASSA-PSS signing key with a salt of the given length.
76    pub fn random_with_salt_len<R: CryptoRng + ?Sized>(
77        rng: &mut R,
78        bit_size: usize,
79        salt_len: usize,
80    ) -> Result<Self> {
81        Ok(Self {
82            inner: RsaPrivateKey::new(rng, bit_size)?,
83            salt_len,
84            phantom: Default::default(),
85        })
86    }
87
88    /// Return specified salt length for this key
89    pub fn salt_len(&self) -> usize {
90        self.salt_len
91    }
92}
93
94//
95// `*Signer` trait impls
96//
97
98impl<D> RandomizedDigestSigner<D, Signature> for SigningKey<D>
99where
100    D: Digest + FixedOutputReset + Update,
101{
102    fn try_sign_digest_with_rng<
103        R: TryCryptoRng + ?Sized,
104        F: Fn(&mut D) -> signature::Result<()>,
105    >(
106        &self,
107        rng: &mut R,
108        f: F,
109    ) -> signature::Result<Signature> {
110        let mut digest = D::new();
111        f(&mut digest)?;
112        sign_digest::<_, D>(rng, false, &self.inner, &digest.finalize(), self.salt_len)?
113            .as_slice()
114            .try_into()
115    }
116}
117
118impl<D> RandomizedSigner<Signature> for SigningKey<D>
119where
120    D: Digest + FixedOutputReset + Update,
121{
122    fn try_sign_with_rng<R: TryCryptoRng + ?Sized>(
123        &self,
124        rng: &mut R,
125        msg: &[u8],
126    ) -> signature::Result<Signature> {
127        self.try_sign_digest_with_rng(rng, |digest: &mut D| {
128            Update::update(digest, msg);
129            Ok(())
130        })
131    }
132}
133
134impl<D> RandomizedMultipartSigner<Signature> for SigningKey<D>
135where
136    D: Digest + FixedOutputReset + Update,
137{
138    fn try_multipart_sign_with_rng<R: TryCryptoRng + ?Sized>(
139        &self,
140        rng: &mut R,
141        msg: &[&[u8]],
142    ) -> signature::Result<Signature> {
143        self.try_sign_digest_with_rng(rng, |digest: &mut D| {
144            msg.iter().for_each(|slice| Update::update(digest, slice));
145            Ok(())
146        })
147    }
148}
149
150impl<D> RandomizedPrehashSigner<Signature> for SigningKey<D>
151where
152    D: Digest + FixedOutputReset + Update,
153{
154    fn sign_prehash_with_rng<R: TryCryptoRng + ?Sized>(
155        &self,
156        rng: &mut R,
157        prehash: &[u8],
158    ) -> signature::Result<Signature> {
159        sign_digest::<_, D>(rng, false, &self.inner, prehash, self.salt_len)?
160            .as_slice()
161            .try_into()
162    }
163}
164
165#[cfg(feature = "getrandom")]
166impl<D> PrehashSigner<Signature> for SigningKey<D>
167where
168    D: Digest + FixedOutputReset,
169{
170    fn sign_prehash(&self, prehash: &[u8]) -> signature::Result<Signature> {
171        self.sign_prehash_with_rng(&mut SysRng, prehash)
172    }
173}
174
175#[cfg(feature = "getrandom")]
176impl<D> Signer<Signature> for SigningKey<D>
177where
178    D: Digest + FixedOutputReset,
179{
180    fn try_sign(&self, msg: &[u8]) -> signature::Result<Signature> {
181        self.try_sign_with_rng(&mut SysRng, msg)
182    }
183}
184
185#[cfg(feature = "getrandom")]
186impl<D> MultipartSigner<Signature> for SigningKey<D>
187where
188    D: Digest + FixedOutputReset,
189{
190    fn try_multipart_sign(&self, msg: &[&[u8]]) -> signature::Result<Signature> {
191        self.try_multipart_sign_with_rng(&mut SysRng, msg)
192    }
193}
194
195//
196// Other trait impls
197//
198
199impl<D> AsRef<RsaPrivateKey> for SigningKey<D>
200where
201    D: Digest,
202{
203    fn as_ref(&self) -> &RsaPrivateKey {
204        &self.inner
205    }
206}
207
208#[cfg(feature = "encoding")]
209impl<D> AssociatedAlgorithmIdentifier for SigningKey<D>
210where
211    D: Digest,
212{
213    type Params = AnyRef<'static>;
214
215    const ALGORITHM_IDENTIFIER: AlgorithmIdentifierRef<'static> = pkcs1::ALGORITHM_ID;
216}
217
218#[cfg(feature = "encoding")]
219impl<D> DynSignatureAlgorithmIdentifier for SigningKey<D>
220where
221    D: Digest + AssociatedOid,
222{
223    fn signature_algorithm_identifier(&self) -> spki::Result<AlgorithmIdentifierOwned> {
224        get_pss_signature_algo_id::<D>(self.salt_len as u8)
225    }
226}
227
228#[cfg(feature = "encoding")]
229impl<D> EncodePrivateKey for SigningKey<D>
230where
231    D: Digest,
232{
233    fn to_pkcs8_der(&self) -> pkcs8::Result<SecretDocument> {
234        self.inner.to_pkcs8_der()
235    }
236}
237
238impl<D> From<RsaPrivateKey> for SigningKey<D>
239where
240    D: Digest,
241{
242    fn from(key: RsaPrivateKey) -> Self {
243        Self::new(key)
244    }
245}
246
247impl<D> From<SigningKey<D>> for RsaPrivateKey
248where
249    D: Digest,
250{
251    fn from(key: SigningKey<D>) -> Self {
252        key.inner
253    }
254}
255
256impl<D> Keypair for SigningKey<D>
257where
258    D: Digest,
259{
260    type VerifyingKey = VerifyingKey<D>;
261    fn verifying_key(&self) -> Self::VerifyingKey {
262        VerifyingKey {
263            inner: self.inner.to_public_key(),
264            salt_len: Some(self.salt_len),
265            phantom: Default::default(),
266        }
267    }
268}
269
270#[cfg(feature = "encoding")]
271impl<D> TryFrom<pkcs8::PrivateKeyInfoRef<'_>> for SigningKey<D>
272where
273    D: Digest + AssociatedOid,
274{
275    type Error = pkcs8::Error;
276
277    fn try_from(private_key_info: pkcs8::PrivateKeyInfoRef<'_>) -> pkcs8::Result<Self> {
278        verify_algorithm_id(&private_key_info.algorithm)?;
279        RsaPrivateKey::try_from(private_key_info).map(Self::new)
280    }
281}
282
283impl<D> ZeroizeOnDrop for SigningKey<D> where D: Digest {}
284
285impl<D> PartialEq for SigningKey<D>
286where
287    D: Digest,
288{
289    fn eq(&self, other: &Self) -> bool {
290        self.inner == other.inner && self.salt_len == other.salt_len
291    }
292}
293
294#[cfg(feature = "serde")]
295impl<D> Serialize for SigningKey<D>
296where
297    D: Digest,
298{
299    fn serialize<S>(&self, serializer: S) -> core::result::Result<S::Ok, S::Error>
300    where
301        S: serdect::serde::Serializer,
302    {
303        let der = self.to_pkcs8_der().map_err(ser::Error::custom)?;
304        serdect::slice::serialize_hex_lower_or_bin(&der.as_bytes(), serializer)
305    }
306}
307
308#[cfg(feature = "serde")]
309impl<'de, D> Deserialize<'de> for SigningKey<D>
310where
311    D: Digest + AssociatedOid,
312{
313    fn deserialize<De>(deserializer: De) -> core::result::Result<Self, De::Error>
314    where
315        De: serdect::serde::Deserializer<'de>,
316    {
317        let der_bytes = serdect::slice::deserialize_hex_or_bin_vec(deserializer)?;
318        Self::from_pkcs8_der(&der_bytes).map_err(de::Error::custom)
319    }
320}
321
322#[cfg(test)]
323mod tests {
324    #[test]
325    #[cfg(all(feature = "hazmat", feature = "serde"))]
326    fn test_serde() {
327        use super::*;
328        use crate::RsaPrivateKey;
329        use rand::rngs::ChaCha8Rng;
330        use rand_core::SeedableRng;
331        use serde_test::{assert_tokens, Configure, Token};
332        use sha2::Sha256;
333
334        let mut rng = ChaCha8Rng::from_seed([42; 32]);
335        let priv_key = RsaPrivateKey::new_unchecked(&mut rng, 64).expect("failed to generate key");
336        let signing_key = SigningKey::<Sha256>::new(priv_key);
337
338        let tokens = [Token::Str(concat!(
339            "3056020100300d06092a864886f70d010101050004423040020100020900ab240c",
340            "3361d02e370203010001020811e54a15259d22f9020500ceff5cf3020500d3a7aa",
341            "ad020500ccaddf17020500cb529d3d020500bb526d6f"
342        ))];
343
344        assert_tokens(&signing_key.readable(), &tokens);
345    }
346}