instant-labs
/
instant-acme
mirror of https://github.com/instant-labs/instant-acme.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Stop storing private key bytes in Key type

This commit is contained in:
Dirkjan Ochtman 2023-08-01 10:58:12 +02:00
parent 803e302442
commit 3d87755f30
1 changed files with 13 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/lib.rs
View File

@ -15,9 +15,9 @@ use hyper::client::HttpConnector;
use hyper::header::{CONTENT_TYPE, LOCATION}; use hyper::header::{CONTENT_TYPE, LOCATION};
use hyper::{Body, Method, Request, Response, StatusCode}; use hyper::{Body, Method, Request, Response, StatusCode};
use ring::digest::{digest, SHA256}; use ring::digest::{digest, SHA256};
use ring::hmac;
use ring::rand::SystemRandom; use ring::rand::SystemRandom;
use ring::signature::{EcdsaKeyPair, ECDSA_P256_SHA256_FIXED_SIGNING}; use ring::signature::{EcdsaKeyPair, ECDSA_P256_SHA256_FIXED_SIGNING};
use ring::{hmac, pkcs8};
use serde::de::DeserializeOwned; use serde::de::DeserializeOwned;
use serde::Serialize; use serde::Serialize;
@ -286,7 +286,7 @@ impl Account {
client: Client, client: Client,
server_url: &str, server_url: &str,
) -> Result<(Account, AccountCredentials), Error> { ) -> Result<(Account, AccountCredentials), Error> {
let key = Key::generate()?; let (key, key_pkcs8) = Key::generate()?;
let payload = NewAccountPayload { let payload = NewAccountPayload {
new_account: account, new_account: account,
external_account_binding: external_account external_account_binding: external_account
@ -315,7 +315,7 @@ impl Account {
let id = account_url.ok_or("failed to get account URL")?; let id = account_url.ok_or("failed to get account URL")?;
let credentials = AccountCredentials { let credentials = AccountCredentials {
id: id.clone(), id: id.clone(),
key_pkcs8: BASE64_URL_SAFE_NO_PAD.encode(&key.pkcs8_der), key_pkcs8: BASE64_URL_SAFE_NO_PAD.encode(key_pkcs8.as_ref()),
directory: Some(server_url.to_owned()), directory: Some(server_url.to_owned()),
// We support deserializing URLs for compatibility with versions pre 0.4, // We support deserializing URLs for compatibility with versions pre 0.4,
// but we prefer to get fresh URLs from the `server_url` for newer credentials. // but we prefer to get fresh URLs from the `server_url` for newer credentials.
@ -501,24 +501,25 @@ struct Key {
rng: SystemRandom, rng: SystemRandom,
signing_algorithm: SigningAlgorithm, signing_algorithm: SigningAlgorithm,
inner: EcdsaKeyPair, inner: EcdsaKeyPair,
pkcs8_der: Vec<u8>,
thumb: String, thumb: String,
} }
impl Key { impl Key {
fn generate() -> Result<Self, Error> { fn generate() -> Result<(Self, pkcs8::Document), Error> {
let rng = SystemRandom::new(); let rng = SystemRandom::new();
let pkcs8 = EcdsaKeyPair::generate_pkcs8(&ECDSA_P256_SHA256_FIXED_SIGNING, &rng)?; let pkcs8 = EcdsaKeyPair::generate_pkcs8(&ECDSA_P256_SHA256_FIXED_SIGNING, &rng)?;
let key = EcdsaKeyPair::from_pkcs8(&ECDSA_P256_SHA256_FIXED_SIGNING, pkcs8.as_ref())?; let key = EcdsaKeyPair::from_pkcs8(&ECDSA_P256_SHA256_FIXED_SIGNING, pkcs8.as_ref())?;
let thumb = BASE64_URL_SAFE_NO_PAD.encode(Jwk::thumb_sha256(&key)?); let thumb = BASE64_URL_SAFE_NO_PAD.encode(Jwk::thumb_sha256(&key)?);
Ok(Self { Ok((
rng, Self {
signing_algorithm: SigningAlgorithm::Es256, rng,
inner: key, signing_algorithm: SigningAlgorithm::Es256,
pkcs8_der: pkcs8.as_ref().to_vec(), inner: key,
thumb, thumb,
}) },
pkcs8,
))
} }
fn from_pkcs8_der(pkcs8_der: Vec<u8>) -> Result<Self, Error> { fn from_pkcs8_der(pkcs8_der: Vec<u8>) -> Result<Self, Error> {
@ -529,7 +530,6 @@ impl Key {
rng: SystemRandom::new(), rng: SystemRandom::new(),
signing_algorithm: SigningAlgorithm::Es256, signing_algorithm: SigningAlgorithm::Es256,
inner: key, inner: key,
pkcs8_der,
thumb, thumb,
}) })
} }