rustls · est31 · Mar 5, 2024 · Feb 28, 2024 · Mar 1, 2024 · djc
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/rcgen/Cargo.toml b/rcgen/Cargo.toml
@@ -26,7 +26,7 @@ name = "simple"
 required-features = ["crypto"]
 
 [dependencies]
-aws-lc-rs = { version = "1.0.0", optional = true }
+aws-lc-rs = { version = "1.6.0", optional = true }
 yasna = { version = "0.5.2", features = ["time", "std"] }
 ring = { workspace = true, optional = true }
 pem = { workspace = true, optional = true }

diff --git a/rcgen/src/key_pair.rs b/rcgen/src/key_pair.rs
@@ -5,6 +5,8 @@ use yasna::DERWriter;
 
 #[cfg(any(feature = "crypto", feature = "pem"))]
 use crate::error::ExternalError;
+#[cfg(all(feature = "crypto", feature = "aws_lc_rs", not(feature = "ring")))]
+use crate::ring_like::rsa::KeySize;
 #[cfg(feature = "crypto")]
 use crate::ring_like::{
 	error as ring_error,
@@ -74,6 +76,9 @@ impl KeyPair {
 	/// Generate a new random key pair for the specified signature algorithm
 	///
 	/// If you're not sure which algorithm to use, [`PKCS_ECDSA_P256_SHA256`] is a good choice.
+	/// If passed an RSA signature algorithm, it depends on the backend whether we return
+	/// a generated key or an error for key generation being unavailable.
+	/// Currently, only `aws-lc-rs` supports RSA key generation.
 	#[cfg(feature = "crypto")]
 	pub fn generate_for(alg: &'static SignatureAlgorithm) -> Result<Self, Error> {
 		let rng = &SystemRandom::new();
@@ -101,15 +106,55 @@ impl KeyPair {
 					serialized_der: key_pair_serialized,
 				})
 			},
+			#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+			SignAlgo::Rsa(sign_alg) => Self::generate_rsa_inner(alg, sign_alg, KeySize::Rsa2048),
 			// Ring doesn't have RSA key generation yet:
 			// https://github.com/briansmith/ring/issues/219
 			// https://github.com/briansmith/ring/pull/733
-			// Nor does aws-lc-rs:
-			// https://github.com/aws/aws-lc-rs/issues/296
-			SignAlgo::Rsa() => Err(Error::KeyGenerationUnavailable),
+			#[cfg(any(not(feature = "aws_lc_rs"), feature = "ring"))]
+			SignAlgo::Rsa(_sign_alg) => Err(Error::KeyGenerationUnavailable),
 		}
 	}
 
+	/// Generates a new random RSA key pair for the specified key size
+	///
+	/// If passed a signature algorithm that is not RSA, it will return
+	/// [`Error::KeyGenerationUnavailable`].
+	#[cfg(all(feature = "crypto", feature = "aws_lc_rs", not(feature = "ring")))]
+	pub fn generate_rsa_for(
+		alg: &'static SignatureAlgorithm,
+		key_size: RsaKeySize,
+	) -> Result<Self, Error> {
+		match alg.sign_alg {
+			SignAlgo::Rsa(sign_alg) => {
+				let key_size = match key_size {
+					RsaKeySize::_2048 => KeySize::Rsa2048,
+					RsaKeySize::_3072 => KeySize::Rsa3072,
+					RsaKeySize::_4096 => KeySize::Rsa4096,
+				};
+				Self::generate_rsa_inner(alg, sign_alg, key_size)
+			},
+			_ => Err(Error::KeyGenerationUnavailable),
+		}
+	}
+
+	#[cfg(all(feature = "crypto", feature = "aws_lc_rs", not(feature = "ring")))]
+	fn generate_rsa_inner(
+		alg: &'static SignatureAlgorithm,
+		sign_alg: &'static dyn RsaEncoding,
+		key_size: KeySize,
+	) -> Result<Self, Error> {
+		use aws_lc_rs::encoding::AsDer;
+		let key_pair = RsaKeyPair::generate(key_size)._err()?;
+		let key_pair_serialized = key_pair.as_der()._err()?.as_ref().to_vec();
+
+		Ok(KeyPair {
+			kind: KeyPairKind::Rsa(key_pair, sign_alg),
+			alg,
+			serialized_der: key_pair_serialized,
+		})
+	}
+
 	/// Parses the key pair from the DER format
 	///
 	/// Equivalent to using the [`TryFrom`] implementation.
@@ -377,6 +422,16 @@ impl TryFrom<Vec<u8>> for KeyPair {
 	}
 }
 
+/// The key size used for RSA key generation
+#[cfg(all(feature = "crypto", feature = "aws_lc_rs", not(feature = "ring")))]
+#[derive(Debug, Copy, Clone, PartialEq, Eq, Hash)]
+#[non_exhaustive]
+pub enum RsaKeySize {
+	_2048,
+	_3072,
+	_4096,
+}
+
 impl PublicKeyData for KeyPair {
 	fn alg(&self) -> &SignatureAlgorithm {
 		self.alg

diff --git a/rcgen/src/sign_algo.rs b/rcgen/src/sign_algo.rs
@@ -5,14 +5,14 @@ use yasna::DERWriter;
 use yasna::Tag;
 
 #[cfg(feature = "crypto")]
-use crate::ring_like::signature::{self, EcdsaSigningAlgorithm, EdDSAParameters};
+use crate::ring_like::signature::{self, EcdsaSigningAlgorithm, EdDSAParameters, RsaEncoding};
 use crate::Error;
 
 #[cfg(feature = "crypto")]
 pub(crate) enum SignAlgo {
 	EcDsa(&'static EcdsaSigningAlgorithm),
 	EdDsa(&'static EdDSAParameters),
-	Rsa(),
+	Rsa(&'static dyn RsaEncoding),
 }
 
 #[derive(PartialEq, Eq, Hash)]
@@ -111,7 +111,7 @@ pub mod algo {
 	pub static PKCS_RSA_SHA256: SignatureAlgorithm = SignatureAlgorithm {
 		oids_sign_alg: &[&OID_RSA_ENCRYPTION],
 		#[cfg(feature = "crypto")]
-		sign_alg: SignAlgo::Rsa(),
+		sign_alg: SignAlgo::Rsa(&signature::RSA_PKCS1_SHA256),
 		// sha256WithRSAEncryption in RFC 4055
 		oid_components: &[1, 2, 840, 113549, 1, 1, 11],
 		params: SignatureAlgorithmParams::Null,
@@ -121,7 +121,7 @@ pub mod algo {
 	pub static PKCS_RSA_SHA384: SignatureAlgorithm = SignatureAlgorithm {
 		oids_sign_alg: &[&OID_RSA_ENCRYPTION],
 		#[cfg(feature = "crypto")]
-		sign_alg: SignAlgo::Rsa(),
+		sign_alg: SignAlgo::Rsa(&signature::RSA_PKCS1_SHA384),
 		// sha384WithRSAEncryption in RFC 4055
 		oid_components: &[1, 2, 840, 113549, 1, 1, 12],
 		params: SignatureAlgorithmParams::Null,
@@ -131,7 +131,7 @@ pub mod algo {
 	pub static PKCS_RSA_SHA512: SignatureAlgorithm = SignatureAlgorithm {
 		oids_sign_alg: &[&OID_RSA_ENCRYPTION],
 		#[cfg(feature = "crypto")]
-		sign_alg: SignAlgo::Rsa(),
+		sign_alg: SignAlgo::Rsa(&signature::RSA_PKCS1_SHA512),
 		// sha512WithRSAEncryption in RFC 4055
 		oid_components: &[1, 2, 840, 113549, 1, 1, 13],
 		params: SignatureAlgorithmParams::Null,
@@ -148,7 +148,7 @@ pub mod algo {
 		// to use ID-RSASSA-PSS if possible.
 		oids_sign_alg: &[&OID_RSASSA_PSS],
 		#[cfg(feature = "crypto")]
-		sign_alg: SignAlgo::Rsa(),
+		sign_alg: SignAlgo::Rsa(&signature::RSA_PSS_SHA256),
 		oid_components: &OID_RSASSA_PSS, //&[1, 2, 840, 113549, 1, 1, 13],
 		// rSASSA-PSS-SHA256-Params in RFC 4055
 		params: SignatureAlgorithmParams::RsaPss {

diff --git a/rustls-cert-gen/src/cert.rs b/rustls-cert-gen/src/cert.rs
@@ -205,6 +205,7 @@ impl EndEntityBuilder {
 /// Supported Keypair Algorithms
 #[derive(Clone, Copy, Debug, Default, Bpaf, PartialEq)]
 pub enum KeyPairAlgorithm {
+	Rsa,
 	Ed25519,
 	#[default]
 	EcdsaP256,
@@ -214,6 +215,7 @@ pub enum KeyPairAlgorithm {
 impl fmt::Display for KeyPairAlgorithm {
 	fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
 		match self {
+			KeyPairAlgorithm::Rsa => write!(f, "rsa"),
 			KeyPairAlgorithm::Ed25519 => write!(f, "ed25519"),
 			KeyPairAlgorithm::EcdsaP256 => write!(f, "ecdsa-p256"),
 			KeyPairAlgorithm::EcdsaP384 => write!(f, "ecdsa-p384"),
@@ -225,6 +227,7 @@ impl KeyPairAlgorithm {
 	/// Return an `rcgen::KeyPair` for the given varient
 	fn to_key_pair(self) -> Result<rcgen::KeyPair, rcgen::Error> {
 		match self {
+			KeyPairAlgorithm::Rsa => rcgen::KeyPair::generate_for(&rcgen::PKCS_RSA_SHA256),
 			KeyPairAlgorithm::Ed25519 => {
 				use ring::signature::Ed25519KeyPair;