Stop storing private key bytes in Key type

2023-08-01 10:58:12 +02:00 · 2023-08-01 10:58:12 +02:00 · 3d87755f30
parent 803e302442
commit 3d87755f30
1 changed files with 13 additions and 13 deletions
--- a/src/lib.rs
+++ b/src/lib.rs
@ -15,9 +15,9 @@ use hyper::client::HttpConnector;
 use hyper::header::{CONTENT_TYPE, LOCATION};
 use hyper::{Body, Method, Request, Response, StatusCode};
 use ring::digest::{digest, SHA256};
-use ring::hmac;
 use ring::rand::SystemRandom;
 use ring::signature::{EcdsaKeyPair, ECDSA_P256_SHA256_FIXED_SIGNING};
+use ring::{hmac, pkcs8};
 use serde::de::DeserializeOwned;
 use serde::Serialize;

@ -286,7 +286,7 @@ impl Account {
        client: Client,
        server_url: &str,
    ) -> Result<(Account, AccountCredentials), Error> {
-        let key = Key::generate()?;
+        let (key, key_pkcs8) = Key::generate()?;
        let payload = NewAccountPayload {
            new_account: account,
            external_account_binding: external_account
@ -315,7 +315,7 @@ impl Account {
        let id = account_url.ok_or("failed to get account URL")?;
        let credentials = AccountCredentials {
            id: id.clone(),
-            key_pkcs8: BASE64_URL_SAFE_NO_PAD.encode(&key.pkcs8_der),
+            key_pkcs8: BASE64_URL_SAFE_NO_PAD.encode(key_pkcs8.as_ref()),
            directory: Some(server_url.to_owned()),
            // We support deserializing URLs for compatibility with versions pre 0.4,
            // but we prefer to get fresh URLs from the `server_url` for newer credentials.
@ -501,24 +501,25 @@ struct Key {
    rng: SystemRandom,
    signing_algorithm: SigningAlgorithm,
    inner: EcdsaKeyPair,
-    pkcs8_der: Vec<u8>,
    thumb: String,
 }

 impl Key {
-    fn generate() -> Result<Self, Error> {
+    fn generate() -> Result<(Self, pkcs8::Document), Error> {
        let rng = SystemRandom::new();
        let pkcs8 = EcdsaKeyPair::generate_pkcs8(&ECDSA_P256_SHA256_FIXED_SIGNING, &rng)?;
        let key = EcdsaKeyPair::from_pkcs8(&ECDSA_P256_SHA256_FIXED_SIGNING, pkcs8.as_ref())?;
        let thumb = BASE64_URL_SAFE_NO_PAD.encode(Jwk::thumb_sha256(&key)?);

-        Ok(Self {
+        Ok((
+            Self {
                rng,
                signing_algorithm: SigningAlgorithm::Es256,
                inner: key,
-            pkcs8_der: pkcs8.as_ref().to_vec(),
                thumb,
-        })
+            },
+            pkcs8,
+        ))
    }

    fn from_pkcs8_der(pkcs8_der: Vec<u8>) -> Result<Self, Error> {
@ -529,7 +530,6 @@ impl Key {
            rng: SystemRandom::new(),
            signing_algorithm: SigningAlgorithm::Es256,
            inner: key,
-            pkcs8_der,
            thumb,
        })
    }