Merge pull request #381 from blackbeam/pkcs8

Add pkcs8 and sec1 keys support for rustls TLS backend.
blackbeam · May 20, 2024 · 6156511 · 6156511
2 parents 5f3053d + 4f5f0d4
commit 6156511
Show file tree

Hide file tree

Showing 5 changed files with 105 additions and 5 deletions.
diff --git a/src/conn/opts/rustls_opts.rs b/src/conn/opts/rustls_opts.rs
@@ -1,7 +1,7 @@
 #![cfg(feature = "rustls-tls")]
 
 use rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs1KeyDer};
-use rustls_pemfile::{certs, rsa_private_keys};
+use rustls_pemfile::{certs, ec_private_keys, pkcs8_private_keys, rsa_private_keys};
 
 use std::{borrow::Cow, path::Path};
 
@@ -70,13 +70,84 @@ impl ClientIdentity {
         }
 
         let mut priv_key = None;
-        for key in rsa_private_keys(&mut &*key_data).into_iter().take(1) {
+
+        for key in rsa_private_keys(&mut &*key_data).take(1) {
             priv_key = Some(PrivateKeyDer::Pkcs1(key?.clone_key()));
         }
 
-        let priv_key =
-            priv_key.unwrap_or_else(|| PrivateKeyDer::Pkcs1(PrivatePkcs1KeyDer::from(key_data)));
+        if priv_key.is_none() {
+            for key in pkcs8_private_keys(&mut &*key_data).take(1) {
+                priv_key = Some(PrivateKeyDer::Pkcs8(key?.clone_key()))
+            }
+        }
+
+        if priv_key.is_none() {
+            for key in ec_private_keys(&mut &*key_data).take(1) {
+                priv_key = Some(PrivateKeyDer::Sec1(key?.clone_key()))
+            }
+        }
+
+        if let Some(priv_key) = priv_key {
+            return Ok((cert_chain, dbg!(priv_key)));
+        }
+
+        match PrivateKeyDer::try_from(key_data.as_slice()) {
+            Ok(key) => Ok((cert_chain, key.clone_key())),
+            Err(_) => Ok((
+                cert_chain,
+                PrivateKeyDer::Pkcs1(PrivatePkcs1KeyDer::from(key_data)),
+            )),
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use std::path::Path;
+
+    use rustls::pki_types::PrivateKeyDer;
+
+    use crate::ClientIdentity;
+
+    #[test]
+    fn load_pkcs1() {
+        let (_certs, key_pem) = ClientIdentity::new(
+            Path::new("tests/client.crt"),
+            Path::new("tests/client-key.pem"),
+        )
+        .load()
+        .unwrap();
+        assert!(matches!(key_pem, PrivateKeyDer::Pkcs1(_)));
+
+        let (_certs, key_der) = ClientIdentity::new(
+            Path::new("tests/client.crt"),
+            Path::new("tests/client-key.pem"),
+        )
+        .load()
+        .unwrap();
+        assert!(matches!(key_der, PrivateKeyDer::Pkcs1(_)));
+
+        assert_eq!(key_der, key_pem);
+    }
+
+    #[test]
+    fn load_pkcs8() {
+        let (_certs, key_der) = ClientIdentity::new(
+            Path::new("tests/client.crt"),
+            Path::new("tests/client-key.pkcs8.der"),
+        )
+        .load()
+        .unwrap();
+        assert!(matches!(key_der, PrivateKeyDer::Pkcs8(_)));
+
+        let (_certs, key_pem) = ClientIdentity::new(
+            Path::new("tests/client.crt"),
+            Path::new("tests/client-key.pkcs8.pem"),
+        )
+        .load()
+        .unwrap();
+        assert!(matches!(key_pem, PrivateKeyDer::Pkcs8(_)));
 
-        Ok((cert_chain, priv_key))
+        assert_eq!(key_der, key_pem);
     }
 }
diff --git a/src/lib.rs b/src/lib.rs
@@ -879,6 +879,7 @@
 //!
 
 #![cfg_attr(feature = "nightly", feature(test))]
+#![cfg_attr(docsrs, feature(doc_cfg))]
 #[cfg(feature = "nightly")]
 extern crate test;
 

diff --git a/tests/client-key.der b/tests/client-key.der
diff --git a/tests/client-key.pkcs8.der b/tests/client-key.pkcs8.der
diff --git a/tests/client-key.pkcs8.pem b/tests/client-key.pkcs8.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCgcITynCAG+50L
+jeUPc/5BuqUfrouuNvUwnyuRL7gkgVJooi9XfYch5caGTehpDoIaj4TydKJOg/ju
+z0a82TzoAYUum8xtBVKWI/GUQauaJVw/LKyYL0WYdoRbrxdApIzG3B/j80MLWCwj
+CdPiN+bMXxUtpNAIsP0o+v6j/BpGXdwcvc/WoyeC61iwaayWljlf1Fb0LQDCQ//5
+1Jea5wVbsFq4r5/06Vc4qWhkrDXcFjRqNPevPoMn4sr+pgC8AzQWOXnCN9VEaqg5
+M3POLGZsoup0B23y/NeaoBCYzL6DpbgLZmv6ChDmrmY+u89JxLi67CItvukJSo+B
+r32vKJCLAgMBAAECggEAYlx5dY/4Jq/N2U6V90JiyANYxrKpGhbBfZyoBiveVise
+zd1Y7uebmFGZw68x5G6rnwMMO+T7uO06CZb0REVfDNIZx7hmvRP9TOUeb4lPXoK3
+KlgGPIsGvPE0Nk2DEPORBz3fI055dRQKgzS8PT2Odw94GXKoxBtWKfCvevPNXAOo
+iKiNODGir0zJHZr9spCTL3htC9zSo6kGf7NG1S+5bazhkYZ/QFYgZZpJOinShzXq
+6VILKHvVZRRUgunYliADcmDxvuOR2RmbKl7Uqkh93Nqf1hS1eSRrtLiQesSztbwr
+7IdGQMJ46SxC7HuVuQfVu2/GK4SJHQJSKDRvryIGeQKBgQDSdl7wj1byAD9G6jrF
+yiOjCmQKFEVvsk81zF/hHI5eO+zPTy/WTbioXNyi4nMg2HS0pxFgKbQeKc2DUId2
+lIalIEJ5WKsC3dA/KiOViKp5VjcZiJDRRbmFskNUHupff2k4b16DIZCkiuI0cjuI
+qRudhbzXL3cy5lU7RDqwhkWKxwKBgQDDJ1q85KlfqiP4yF4x90TFfsXim+8yTW/U
+GyiOtP9TuACQESu653acoAfujqwsF2yaKghP/5Lh0R8M0z5hlK8EWLoOuufVeVUb
+JF5GiklnWq6ix4MNUBsq9TY5xpIBKWiItBniiaD/qcvZj82UcEqCpAhb+lGln+M+
+56xSwOFoHQKBgE5nuMDHta1cODaUBicvQg14ToKOwLt24xl4tPNpLwSeMH+e0YR1
+2egnCC9KS3eeDARNBSUdBDQEgMJ92qlrdanIldsdFEByICWX7j/D9TZUzxwdC05b
+Ol07ZufMyKWhErLqknwpofgaoWDGebVUwqvxacOEtFRrCK+WoIKo0vl7AoGAIC8F
+T9GF/TjZ5dVlc2gL92YIzG5a7DjJEHnKHn7K/MuDjD7Ir3IspXfe1wDAdCUIzAPS
+ix7i4krSjBLqXr1ef6ECThuU0CfKWUeOJKP5pwnVcxLkEfX8BQGbh7uvqHFjw+ev
+vSRlYMRn0eFdTfWW1CSpHEIT5PSRTXZ3fM5CXiECgYB6/B1y143ycw7OkdejtxjY
+f1MaKYqWyjCDauJZhYked2eZKgCA1goX6XafdQBtqjAI1G2VAY0UEktmaq9Ju7Wu
+4/ZLbRl9YFWbdYUQ1KmDiBzBP5jS0HxenauNB/EXMhjkYvOEg+rt4CDQhdahn4CQ
+Nt8w3vB4qGR07wWFu4V/DA==
+-----END PRIVATE KEY-----