Remove bcder

Cargo.toml

@@ -24,7 +24,6 @@ build = "build.rs"
 backoff               = { version = "0.3.0", optional = true }
 base64                = "^0.13"
 basic-cookies         = { version = "^0.1", optional = true }
-bcder                 = "0.6.1"
 bytes                 = "1"
 chrono                = { version = "^0.4", features = ["serde"] }
 clap                  = "^2.33"

src/commons/crypto/error.rs

@@ -1,15 +1,13 @@
 use std::fmt;
 use std::fmt::Display;
 
-use bcder::decode;
-
 #[derive(Debug)]
 pub enum Error {
     KeyError(String),
     SigningError(String),
     KeyNotFound,
     SignerError(String),
-    DecodeError(decode::Error),
+    DecodeError(String),
 }
 
 impl fmt::Display for Error {
@@ -36,10 +34,8 @@ impl Error {
     pub fn signer(e: impl Display) -> Self {
         Error::SignerError(e.to_string())
     }
-}
 
-impl From<decode::Error> for Error {
-    fn from(e: decode::Error) -> Self {
-        Error::DecodeError(e)
+    pub fn decode(e: impl Display) -> Self {
+        Error::DecodeError(e.to_string())
     }
 }

src/commons/crypto/signing/dispatch/krillsigner.rs

@@ -249,7 +249,7 @@ impl KrillSigner {
         .map_err(crypto::Error::signing)?;
 
         // Decode the encoded CSR again to get a typed RpkiCaCsr
-        Ok(RpkiCaCsr::decode(signed_and_encoded_csr.as_slice())?)
+        RpkiCaCsr::decode(signed_and_encoded_csr.as_slice()).map_err(crypto::Error::signing)
     }
 
     pub fn sign_cert(&self, tbs: TbsCert, key_id: &KeyIdentifier) -> CryptoResult<Cert> {

src/commons/crypto/signing/signers/kmip/signer.rs

@@ -8,7 +8,6 @@ use std::{
 };
 
 use backoff::ExponentialBackoff;
-use bcder::encode::{PrimitiveContent, Values};
 use bytes::Bytes;
 use kmip::{
     client::{Client, ClientCertificate},
@@ -35,7 +34,6 @@ use crate::commons::{
         signers::{
             kmip::connpool::ConnectionManager,
             probe::{ProbeError, ProbeStatus, StatefulProbe},
-            util,
         },
         SignerError, SignerHandle,
     },
@@ -718,8 +716,7 @@ impl KmipSigner {
         Ok(public_key)
     }
 
-    /// Get the RSA public bytes for the given KMIP server public key.
-    fn get_rsa_public_key_bytes(&self, public_key_id: &str) -> Result<Bytes, SignerError> {
+    pub(super) fn get_public_key_from_id(&self, public_key_id: &str) -> Result<PublicKey, SignerError> {
         let response_payload = self.with_conn("get key", |conn| conn.get_key(public_key_id))?;
 
         if response_payload.object_type != ObjectType::PublicKey {
@@ -737,56 +734,43 @@ impl KmipSigner {
             }
         };
 
-        let rsa_public_key_bytes = match key_material {
-            KeyMaterial::Bytes(bytes) => bytes::Bytes::from(bytes),
+        match key_material {
+            KeyMaterial::Bytes(bytes) => {
+                PublicKey::rsa_from_bits_bytes(bytes::Bytes::from(bytes)).map_err(|e| {
+                    SignerError::KmipError(format!(
+                        "Failed to construct RSA Public for key with ID '{}'. Error: {}",
+                        public_key_id, e
+                    ))
+                })
+            }
             KeyMaterial::TransparentRSAPublicKey(pub_key) => {
-                util::rsa_public_key_bytes_from_parts(&pub_key.modulus, &pub_key.public_exponent)?
+                PublicKey::rsa_from_components(&pub_key.modulus, &pub_key.public_exponent).map_err(|e| {
+                    SignerError::KmipError(format!(
+                        "Failed to construct RSA Public for key with ID '{}'. Error: {}",
+                        public_key_id, e
+                    ))
+                })
             }
             KeyMaterial::TransparentRSAPrivateKey(priv_key) => {
                 if let Some(public_exponent) = priv_key.public_exponent {
-                    util::rsa_public_key_bytes_from_parts(&priv_key.modulus, &public_exponent)?
+                    PublicKey::rsa_from_components(&priv_key.modulus, &public_exponent).map_err(|e| {
+                        SignerError::KmipError(format!(
+                            "Failed to construct RSA Public for key with ID '{}'. Error: {}",
+                            public_key_id, e
+                        ))
+                    })
                 } else {
-                    return Err(SignerError::KmipError(format!(
+                    Err(SignerError::KmipError(format!(
                         "Failed to get key material: missing exponent in transparent RSA private key returned by KMIP Get operation for public key with ID '{}'",
-                        public_key_id)));
+                        public_key_id)))
                 }
             }
             _ => {
-                return Err(SignerError::KmipError(format!(
+                Err(SignerError::KmipError(format!(
                     "Failed to get key material: unsupported key material type {:?} returned by KMIP Get operation for public key with ID '{}'",
-                    key_material, public_key_id)));
+                    key_material, public_key_id)))
             }
-        };
-
-        Ok(rsa_public_key_bytes)
-    }
-
-    pub(super) fn get_public_key_from_id(&self, public_key_id: &str) -> Result<PublicKey, SignerError> {
-        let rsa_public_key_bytes = self.get_rsa_public_key_bytes(public_key_id)?;
-
-        let subject_public_key = bcder::BitString::new(0, rsa_public_key_bytes);
-
-        let subject_public_key_info =
-            bcder::encode::sequence((PublicKeyFormat::Rsa.encode(), subject_public_key.encode()));
-
-        let mut subject_public_key_info_source: Vec<u8> = Vec::new();
-        subject_public_key_info
-            .write_encoded(bcder::Mode::Der, &mut subject_public_key_info_source)
-            .map_err(|err| {
-                SignerError::KmipError(format!(
-                    "Failed to create DER encoded SubjectPublicKeyInfo from constituent parts: {}",
-                    err
-                ))
-            })?;
-
-        let public_key = PublicKey::decode(subject_public_key_info_source.as_slice()).map_err(|err| {
-            SignerError::KmipError(format!(
-                "Failed to create public key from the DER encoded SubjectPublicKeyInfo: {}",
-                err
-            ))
-        })?;
-
-        Ok(public_key)
+        }
     }
 
     pub(super) fn sign_with_key<Alg: SignatureAlgorithm>(

src/commons/crypto/signing/signers/mod.rs

@@ -8,9 +8,6 @@ pub mod pkcs11;
 
 pub mod softsigner;
 
-#[cfg(feature = "hsm")]
-pub mod util;
-
 #[cfg(feature = "hsm")]
 pub mod probe;
 

src/commons/crypto/signing/signers/pkcs11/signer.rs

@@ -8,7 +8,6 @@ use std::{
 
 use backoff::ExponentialBackoff;
 
-use bcder::encode::{PrimitiveContent, Values};
 use bytes::Bytes;
 use cryptoki::{
     context::Info,
@@ -35,7 +34,6 @@ use crate::commons::crypto::{
             session::Pkcs11Session,
         },
         probe::{ProbeError, ProbeStatus, StatefulProbe},
-        util,
     },
     SignerError, SignerHandle,
 };
@@ -722,50 +720,33 @@ impl Pkcs11Signer {
         Ok((public_key, pub_handle, priv_handle, hex::encode(cka_id)))
     }
 
-    fn get_rsa_public_key_bytes(&self, pub_handle: ObjectHandle) -> Result<Bytes, SignerError> {
+    pub(super) fn get_public_key_from_handle(&self, pub_handle: ObjectHandle) -> Result<PublicKey, SignerError> {
         let res = self.with_conn("get key pair parts", |conn| {
             conn.get_attributes(pub_handle, &[AttributeType::Modulus, AttributeType::PublicExponent])
         })?;
 
         if res.len() == 2 {
             if let (Attribute::Modulus(m), Attribute::PublicExponent(e)) = (&res[0], &res[1]) {
-                return util::rsa_public_key_bytes_from_parts(m, e);
+                PublicKey::rsa_from_components(m, e).map_err(|e| {
+                    SignerError::Pkcs11Error(format!(
+                        "Failed to construct RSA Public for key '{:?}'. Error: {}",
+                        pub_handle, e
+                    ))
+                })
+            } else {
+                Err(SignerError::Pkcs11Error(format!(
+                    "Unable to obtain modulus and public exponent for key {:?}. Got two different attribute types: {} and {}",
+                    pub_handle,
+                    res[0].attribute_type(),
+                    res[1].attribute_type(),
+                )))
             }
+        } else {
+            Err(SignerError::Pkcs11Error(format!(
+                "Unable to obtain modulus and public exponent attributes for key {:?}",
+                pub_handle
+            )))
         }
-
-        Err(SignerError::Pkcs11Error(format!(
-            "Unable to obtain modulus and public exponent for key {:?}",
-            pub_handle
-        )))
-    }
-
-    // TODO: This is almost identical to the equivalent fn in KmipSigner. Factor out the common code.
-    pub(super) fn get_public_key_from_handle(&self, pub_handle: ObjectHandle) -> Result<PublicKey, SignerError> {
-        let rsa_public_key_bytes = self.get_rsa_public_key_bytes(pub_handle)?;
-
-        let subject_public_key = bcder::BitString::new(0, rsa_public_key_bytes);
-
-        let subject_public_key_info =
-            bcder::encode::sequence((PublicKeyFormat::Rsa.encode(), subject_public_key.encode()));
-
-        let mut subject_public_key_info_source: Vec<u8> = Vec::new();
-        subject_public_key_info
-            .write_encoded(bcder::Mode::Der, &mut subject_public_key_info_source)
-            .map_err(|err| {
-                SignerError::Pkcs11Error(format!(
-                    "Failed to create DER encoded SubjectPublicKeyInfo from constituent parts: {}",
-                    err
-                ))
-            })?;
-
-        let public_key = PublicKey::decode(subject_public_key_info_source.as_slice()).map_err(|err| {
-            SignerError::Pkcs11Error(format!(
-                "Failed to create public key from the DER encoded SubjectPublicKeyInfo: {}",
-                err
-            ))
-        })?;
-
-        Ok(public_key)
     }
 
     pub(super) fn sign_with_key<Alg: SignatureAlgorithm>(

src/daemon/ca/publishing.rs

@@ -654,7 +654,7 @@ impl ResourceClassObjects {
 
     fn reissue(&mut self, timing: &IssuanceTimingConfig, signer: &KrillSigner) -> KrillResult<()> {
         match self.keys.borrow_mut() {
-            ResourceClassKeyState::Current(state) => state.current_set.reissue(timing, signer),
+            ResourceClassKeyState::Current(state) => state.current_set.reissue_set(timing, signer),
             ResourceClassKeyState::Staging(state) => {
                 state.staging_set.reissue_set(timing, signer)?;
                 state.current_set.reissue(timing, signer)

src/daemon/http/tls_keys.rs

@@ -2,7 +2,6 @@
 //! in case they are not provided
 use std::{fmt, path::Path, path::PathBuf};
 
-use bcder::decode;
 use bytes::Bytes;
 
 use openssl::{
@@ -129,8 +128,8 @@ impl HttpsSigner {
                 .public_key_to_der()
                 .map_err(Error::OpenSslError)?,
         );
-        let pk = PublicKey::decode(&mut b).map_err(Error::DecodeError)?;
-        Ok(pk)
+
+        PublicKey::decode(&mut b).map_err(Error::decode)
     }
 
     // See OpenSslSigner::sign_with_key for reference.
@@ -173,7 +172,7 @@ impl HttpsSigner {
 pub enum Error {
     IoError(KrillIoError),
     OpenSslError(openssl::error::ErrorStack),
-    DecodeError(decode::Error),
+    DecodeError(String),
     BuildError,
     EmptyCertStack,
     Pkcs12(String),
@@ -185,6 +184,10 @@ impl Error {
     pub fn signer(e: impl fmt::Display) -> Self {
         Error::SignerError(e.to_string())
     }
+
+    pub fn decode(e: impl fmt::Display) -> Self {
+        Error::DecodeError(e.to_string())
+    }
 }
 
 impl fmt::Display for Error {

src/lib.rs

@@ -1,7 +1,5 @@
 #![allow(clippy::upper_case_acronyms)]
 extern crate base64;
-extern crate bcder;
-// #[macro_use]
 extern crate bytes;
 extern crate chrono;
 extern crate clap;