pkcs8: split EncryptedPrivateKeyInfo

Signed-off-by: Arthur Gautier <[email protected]>

Author: baloo

pkcs8/src/encrypted_private_key_info.rs

@@ -9,7 +9,7 @@ use der::{
 use pkcs5::EncryptionScheme;
 
 #[cfg(feature = "alloc")]
-use der::SecretDocument;
+use {alloc::boxed::Box, der::SecretDocument};
 
 #[cfg(feature = "encryption")]
 use {pkcs5::pbes2, rand_core::CryptoRngCore};
@@ -37,23 +37,26 @@ use der::pem::PemLabel;
 ///
 /// [RFC 5208 Section 6]: https://tools.ietf.org/html/rfc5208#section-6
 #[derive(Clone, Eq, PartialEq)]
-pub struct EncryptedPrivateKeyInfo<'a> {
+pub struct EncryptedPrivateKeyInfo<Data> {
     /// Algorithm identifier describing a password-based symmetric encryption
     /// scheme used to encrypt the `encrypted_data` field.
     pub encryption_algorithm: EncryptionScheme,
 
     /// Private key data
-    pub encrypted_data: &'a [u8],
+    pub encrypted_data: Data,
 }
 
-impl<'a> EncryptedPrivateKeyInfo<'a> {
+impl<'a, Data> EncryptedPrivateKeyInfo<Data>
+where
+    Data: AsRef<[u8]> + From<&'a [u8]>,
+{
     /// Attempt to decrypt this encrypted private key using the provided
     /// password to derive an encryption key.
     #[cfg(feature = "encryption")]
     pub fn decrypt(&self, password: impl AsRef<[u8]>) -> Result<SecretDocument> {
         Ok(self
             .encryption_algorithm
-            .decrypt(password, self.encrypted_data)?
+            .decrypt(password, self.encrypted_data.as_ref())?
             .try_into()?)
     }
 
@@ -66,7 +69,7 @@ impl<'a> EncryptedPrivateKeyInfo<'a> {
         doc: &[u8],
     ) -> Result<SecretDocument> {
         let pbes2_params = pbes2::Parameters::recommended(rng);
-        EncryptedPrivateKeyInfo::encrypt_with(pbes2_params, password, doc)
+        EncryptedPrivateKeyInfoOwned::encrypt_with(pbes2_params, password, doc)
     }
 
     /// Encrypt this private key using a symmetric encryption key derived
@@ -81,52 +84,61 @@ impl<'a> EncryptedPrivateKeyInfo<'a> {
 
         EncryptedPrivateKeyInfo {
             encryption_algorithm: pbes2_params.into(),
-            encrypted_data: &encrypted_data,
+            encrypted_data,
         }
         .try_into()
     }
 }
 
-impl<'a> DecodeValue<'a> for EncryptedPrivateKeyInfo<'a> {
+impl<'a, Data> DecodeValue<'a> for EncryptedPrivateKeyInfo<Data>
+where
+    Data: From<&'a [u8]>,
+{
     type Error = der::Error;
 
-    fn decode_value<R: Reader<'a>>(
-        reader: &mut R,
-        header: Header,
-    ) -> der::Result<EncryptedPrivateKeyInfo<'a>> {
+    fn decode_value<R: Reader<'a>>(reader: &mut R, header: Header) -> der::Result<Self> {
         reader.read_nested(header.length, |reader| {
             Ok(Self {
                 encryption_algorithm: reader.decode()?,
-                encrypted_data: OctetStringRef::decode(reader)?.as_bytes(),
+                encrypted_data: OctetStringRef::decode(reader)?.as_bytes().into(),
             })
         })
     }
 }
 
-impl EncodeValue for EncryptedPrivateKeyInfo<'_> {
+impl<Data> EncodeValue for EncryptedPrivateKeyInfo<Data>
+where
+    Data: AsRef<[u8]>,
+{
     fn value_len(&self) -> der::Result<Length> {
         self.encryption_algorithm.encoded_len()?
-            + OctetStringRef::new(self.encrypted_data)?.encoded_len()?
+            + OctetStringRef::new(self.encrypted_data.as_ref())?.encoded_len()?
     }
 
     fn encode_value(&self, writer: &mut impl Writer) -> der::Result<()> {
         self.encryption_algorithm.encode(writer)?;
-        OctetStringRef::new(self.encrypted_data)?.encode(writer)?;
+        OctetStringRef::new(self.encrypted_data.as_ref())?.encode(writer)?;
         Ok(())
     }
 }
 
-impl<'a> Sequence<'a> for EncryptedPrivateKeyInfo<'a> {}
+impl<'a, Data> Sequence<'a> for EncryptedPrivateKeyInfo<Data> where
+    Data: AsRef<[u8]> + From<&'a [u8]>
+{
+}
 
-impl<'a> TryFrom<&'a [u8]> for EncryptedPrivateKeyInfo<'a> {
+impl<'a, Data> TryFrom<&'a [u8]> for EncryptedPrivateKeyInfo<Data>
+where
+    Data: AsRef<[u8]> + From<&'a [u8]> + 'a,
+{
     type Error = Error;
 
     fn try_from(bytes: &'a [u8]) -> Result<Self> {
         Ok(Self::from_der(bytes)?)
     }
 }
 
-impl<'a> fmt::Debug for EncryptedPrivateKeyInfo<'a> {
+impl<Data> fmt::Debug for EncryptedPrivateKeyInfo<Data> {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         f.debug_struct("EncryptedPrivateKeyInfo")
             .field("encryption_algorithm", &self.encryption_algorithm)
@@ -135,24 +147,37 @@ impl<'a> fmt::Debug for EncryptedPrivateKeyInfo<'a> {
 }
 
 #[cfg(feature = "alloc")]
-impl TryFrom<EncryptedPrivateKeyInfo<'_>> for SecretDocument {
+impl<'a, Data> TryFrom<EncryptedPrivateKeyInfo<Data>> for SecretDocument
+where
+    Data: AsRef<[u8]> + From<&'a [u8]>,
+{
     type Error = Error;
 
-    fn try_from(encrypted_private_key: EncryptedPrivateKeyInfo<'_>) -> Result<SecretDocument> {
+    fn try_from(encrypted_private_key: EncryptedPrivateKeyInfo<Data>) -> Result<SecretDocument> {
         SecretDocument::try_from(&encrypted_private_key)
     }
 }
 
 #[cfg(feature = "alloc")]
-impl TryFrom<&EncryptedPrivateKeyInfo<'_>> for SecretDocument {
+impl<'a, Data> TryFrom<&EncryptedPrivateKeyInfo<Data>> for SecretDocument
+where
+    Data: AsRef<[u8]> + From<&'a [u8]>,
+{
     type Error = Error;
 
-    fn try_from(encrypted_private_key: &EncryptedPrivateKeyInfo<'_>) -> Result<SecretDocument> {
+    fn try_from(encrypted_private_key: &EncryptedPrivateKeyInfo<Data>) -> Result<SecretDocument> {
         Ok(Self::encode_msg(encrypted_private_key)?)
     }
 }
 
 #[cfg(feature = "pem")]
-impl PemLabel for EncryptedPrivateKeyInfo<'_> {
+impl<Data> PemLabel for EncryptedPrivateKeyInfo<Data> {
     const PEM_LABEL: &'static str = "ENCRYPTED PRIVATE KEY";
 }
+
+/// [`EncryptedPrivateKeyInfo`] with `&[u8]` encrypted data.
+pub type EncryptedPrivateKeyInfoRef<'a> = EncryptedPrivateKeyInfo<&'a [u8]>;
+
+#[cfg(feature = "alloc")]
+/// [`EncryptedPrivateKeyInfo`] with `Box<[u8]>` encrypted data.
+pub type EncryptedPrivateKeyInfoOwned = EncryptedPrivateKeyInfo<Box<[u8]>>;

pkcs8/src/lib.rs

@@ -104,8 +104,13 @@ pub use {
 #[cfg(feature = "pem")]
 pub use der::pem::LineEnding;
 
+#[cfg(all(feature = "alloc", feature = "pkcs5"))]
+pub use encrypted_private_key_info::EncryptedPrivateKeyInfoOwned;
 #[cfg(feature = "pkcs5")]
-pub use {encrypted_private_key_info::EncryptedPrivateKeyInfo, pkcs5};
+pub use {
+    encrypted_private_key_info::{EncryptedPrivateKeyInfo, EncryptedPrivateKeyInfoRef},
+    pkcs5,
+};
 
 #[cfg(feature = "rand_core")]
 pub use rand_core;

pkcs8/src/private_key_info.rs

@@ -17,7 +17,8 @@ use {
 
 #[cfg(feature = "encryption")]
 use {
-    crate::EncryptedPrivateKeyInfo, der::zeroize::Zeroizing, pkcs5::pbes2, rand_core::CryptoRngCore,
+    crate::EncryptedPrivateKeyInfoRef, der::zeroize::Zeroizing, pkcs5::pbes2,
+    rand_core::CryptoRngCore,
 };
 
 #[cfg(feature = "pem")]
@@ -129,7 +130,7 @@ impl<Params, Key> PrivateKeyInfoInner<Params, Key> {
 impl<'a, Params, Key> PrivateKeyInfoInner<Params, Key>
 where
     Params: der::Choice<'a, Error = der::Error> + Encode,
-    Key: From<&'a [u8]> + AsRef<[u8]>,
+    Key: From<&'a [u8]> + AsRef<[u8]> + 'a,
 {
     /// Encrypt this private key using a symmetric encryption key derived
     /// from the provided password.
@@ -147,7 +148,7 @@ where
         password: impl AsRef<[u8]>,
     ) -> Result<SecretDocument> {
         let der = Zeroizing::new(self.to_der()?);
-        EncryptedPrivateKeyInfo::encrypt(rng, password, der.as_ref())
+        EncryptedPrivateKeyInfoRef::encrypt(rng, password, der.as_ref())
     }
 
     /// Encrypt this private key using a symmetric encryption key derived
@@ -159,7 +160,7 @@ where
         password: impl AsRef<[u8]>,
     ) -> Result<SecretDocument> {
         let der = Zeroizing::new(self.to_der()?);
-        EncryptedPrivateKeyInfo::encrypt_with(pbes2_params, password, der.as_ref())
+        EncryptedPrivateKeyInfoRef::encrypt_with(pbes2_params, password, der.as_ref())
     }
 }
 

pkcs8/src/traits.rs

@@ -6,7 +6,7 @@ use crate::{Error, PrivateKeyInfo, Result};
 use der::SecretDocument;
 
 #[cfg(feature = "encryption")]
-use {crate::EncryptedPrivateKeyInfo, rand_core::CryptoRngCore};
+use {crate::EncryptedPrivateKeyInfoRef, rand_core::CryptoRngCore};
 
 #[cfg(feature = "pem")]
 use {
@@ -31,7 +31,7 @@ pub trait DecodePrivateKey: Sized {
     /// (binary format) and attempt to decrypt it using the provided password.
     #[cfg(feature = "encryption")]
     fn from_pkcs8_encrypted_der(bytes: &[u8], password: impl AsRef<[u8]>) -> Result<Self> {
-        let doc = EncryptedPrivateKeyInfo::try_from(bytes)?.decrypt(password)?;
+        let doc = EncryptedPrivateKeyInfoRef::try_from(bytes)?.decrypt(password)?;
         Self::from_pkcs8_der(doc.as_bytes())
     }
 
@@ -63,7 +63,7 @@ pub trait DecodePrivateKey: Sized {
     #[cfg(all(feature = "encryption", feature = "pem"))]
     fn from_pkcs8_encrypted_pem(s: &str, password: impl AsRef<[u8]>) -> Result<Self> {
         let (label, doc) = SecretDocument::from_pem(s)?;
-        EncryptedPrivateKeyInfo::validate_pem_label(label)?;
+        EncryptedPrivateKeyInfoRef::validate_pem_label(label)?;
         Self::from_pkcs8_encrypted_der(doc.as_bytes(), password)
     }
 
@@ -106,7 +106,7 @@ pub trait EncodePrivateKey {
         rng: &mut impl CryptoRngCore,
         password: impl AsRef<[u8]>,
     ) -> Result<SecretDocument> {
-        EncryptedPrivateKeyInfo::encrypt(rng, password, self.to_pkcs8_der()?.as_bytes())
+        EncryptedPrivateKeyInfoRef::encrypt(rng, password, self.to_pkcs8_der()?.as_bytes())
     }
 
     /// Serialize this private key as PEM-encoded PKCS#8 with the given [`LineEnding`].
@@ -126,7 +126,7 @@ pub trait EncodePrivateKey {
         line_ending: LineEnding,
     ) -> Result<Zeroizing<String>> {
         let doc = self.to_pkcs8_encrypted_der(rng, password)?;
-        Ok(doc.to_pem(EncryptedPrivateKeyInfo::PEM_LABEL, line_ending)?)
+        Ok(doc.to_pem(EncryptedPrivateKeyInfoRef::PEM_LABEL, line_ending)?)
     }
 
     /// Write ASN.1 DER-encoded PKCS#8 private key to the given path

pkcs8/tests/encrypted_private_key.rs

@@ -3,7 +3,7 @@
 #![cfg(feature = "pkcs5")]
 
 use hex_literal::hex;
-use pkcs8::{pkcs5::pbes2, EncryptedPrivateKeyInfo, PrivateKeyInfo};
+use pkcs8::{pkcs5::pbes2, EncryptedPrivateKeyInfoRef, PrivateKeyInfo};
 
 #[cfg(feature = "alloc")]
 use der::Encode;
@@ -101,7 +101,7 @@ const PASSWORD: &[u8] = b"hunter42"; // Bad password; don't actually use outside
 
 #[test]
 fn decode_ed25519_encpriv_aes128_pbkdf2_sha1_der() {
-    let pk = EncryptedPrivateKeyInfo::try_from(ED25519_DER_AES128_PBKDF2_SHA1_EXAMPLE).unwrap();
+    let pk = EncryptedPrivateKeyInfoRef::try_from(ED25519_DER_AES128_PBKDF2_SHA1_EXAMPLE).unwrap();
 
     assert_eq!(
         pk.encryption_algorithm.oid(),
@@ -133,7 +133,8 @@ fn decode_ed25519_encpriv_aes128_pbkdf2_sha1_der() {
 
 #[test]
 fn decode_ed25519_encpriv_aes256_pbkdf2_sha256_der() {
-    let pk = EncryptedPrivateKeyInfo::try_from(ED25519_DER_AES256_PBKDF2_SHA256_EXAMPLE).unwrap();
+    let pk =
+        EncryptedPrivateKeyInfoRef::try_from(ED25519_DER_AES256_PBKDF2_SHA256_EXAMPLE).unwrap();
 
     assert_eq!(
         pk.encryption_algorithm.oid(),
@@ -167,15 +168,15 @@ fn decode_ed25519_encpriv_aes256_pbkdf2_sha256_der() {
 #[test]
 fn decrypt_ed25519_der_encpriv_aes256_pbkdf2_sha256() {
     let enc_pk =
-        EncryptedPrivateKeyInfo::try_from(ED25519_DER_AES256_PBKDF2_SHA256_EXAMPLE).unwrap();
+        EncryptedPrivateKeyInfoRef::try_from(ED25519_DER_AES256_PBKDF2_SHA256_EXAMPLE).unwrap();
     let pk = enc_pk.decrypt(PASSWORD).unwrap();
     assert_eq!(pk.as_bytes(), ED25519_DER_PLAINTEXT_EXAMPLE);
 }
 
 #[cfg(feature = "encryption")]
 #[test]
 fn decrypt_ed25519_der_encpriv_aes256_scrypt() {
-    let enc_pk = EncryptedPrivateKeyInfo::try_from(ED25519_DER_AES256_SCRYPT_EXAMPLE).unwrap();
+    let enc_pk = EncryptedPrivateKeyInfoRef::try_from(ED25519_DER_AES256_SCRYPT_EXAMPLE).unwrap();
     let pk = enc_pk.decrypt(PASSWORD).unwrap();
     assert_eq!(pk.as_bytes(), ED25519_DER_PLAINTEXT_EXAMPLE);
 }
@@ -280,7 +281,8 @@ fn encrypt_ed25519_der_encpriv_aes256_scrypt() {
 #[test]
 #[cfg(feature = "alloc")]
 fn encode_ed25519_encpriv_aes256_pbkdf2_sha256_der() {
-    let pk = EncryptedPrivateKeyInfo::try_from(ED25519_DER_AES256_PBKDF2_SHA256_EXAMPLE).unwrap();
+    let pk =
+        EncryptedPrivateKeyInfoRef::try_from(ED25519_DER_AES256_PBKDF2_SHA256_EXAMPLE).unwrap();
     assert_eq!(
         ED25519_DER_AES256_PBKDF2_SHA256_EXAMPLE,
         &pk.to_der().unwrap()
@@ -290,7 +292,8 @@ fn encode_ed25519_encpriv_aes256_pbkdf2_sha256_der() {
 #[test]
 #[cfg(feature = "pem")]
 fn encode_ed25519_encpriv_aes256_pbkdf2_sha256_pem() {
-    let pk = EncryptedPrivateKeyInfo::try_from(ED25519_DER_AES256_PBKDF2_SHA256_EXAMPLE).unwrap();
+    let pk =
+        EncryptedPrivateKeyInfoRef::try_from(ED25519_DER_AES256_PBKDF2_SHA256_EXAMPLE).unwrap();
     assert_eq!(
         ED25519_PEM_AES256_PBKDF2_SHA256_EXAMPLE,
         pk.to_pem(Default::default()).unwrap()
@@ -300,15 +303,17 @@ fn encode_ed25519_encpriv_aes256_pbkdf2_sha256_pem() {
 #[test]
 #[cfg(feature = "3des")]
 fn decrypt_ed25519_der_encpriv_des3_pbkdf2_sha256() {
-    let enc_pk = EncryptedPrivateKeyInfo::try_from(ED25519_DER_DES3_PBKDF2_SHA256_EXAMPLE).unwrap();
+    let enc_pk =
+        EncryptedPrivateKeyInfoRef::try_from(ED25519_DER_DES3_PBKDF2_SHA256_EXAMPLE).unwrap();
     let pk = enc_pk.decrypt(PASSWORD).unwrap();
     assert_eq!(pk.as_bytes(), ED25519_DER_PLAINTEXT_EXAMPLE);
 }
 
 #[test]
 #[cfg(feature = "des-insecure")]
 fn decrypt_ed25519_der_encpriv_des_pbkdf2_sha256() {
-    let enc_pk = EncryptedPrivateKeyInfo::try_from(ED25519_DER_DES_PBKDF2_SHA256_EXAMPLE).unwrap();
+    let enc_pk =
+        EncryptedPrivateKeyInfoRef::try_from(ED25519_DER_DES_PBKDF2_SHA256_EXAMPLE).unwrap();
     let pk = enc_pk.decrypt(PASSWORD).unwrap();
     assert_eq!(pk.as_bytes(), ED25519_DER_PLAINTEXT_EXAMPLE);
 }