chore: replace Ring with RustCrypto in pki.rs

Signed-off-by: Richard Zak <[email protected]>

Cargo.toml

@@ -19,6 +19,9 @@ ring = { version = "0.16.20", features = ["std"] }
 zeroize = { version = "^1.5.2", features = ["alloc"] }
 flagset = "0.4.3"
 sgx = { version = "0.5.0" }
+p256 = { version = "0.11", features = ["ecdsa"] }
+p384 = { version = "0.11", features = ["ecdsa"] }
+rand = { version = "0.8", features = ["std"] }
 
 tracing-subscriber = { version="^0.3.15", features = ["env-filter", "json"] }
 tower-http = { version = "^0.3.0", features = ["trace"] }

deny.toml

@@ -16,6 +16,7 @@ allow = [
     "AGPL-3.0",
     "Apache-2.0",
     "Unicode-DFS-2016",
+    "BSD-3-Clause",
 ]
 
 [[licenses.clarify]]

src/crypto/pki.rs

@@ -2,10 +2,10 @@
 // SPDX-License-Identifier: AGPL-3.0-only
 
 use anyhow::{anyhow, bail, Result};
-use pkcs8::{ObjectIdentifier, PrivateKeyInfo, SubjectPublicKeyInfo};
+use pkcs8::{EncodePrivateKey, ObjectIdentifier, PrivateKeyInfo, SubjectPublicKeyInfo};
 use zeroize::Zeroizing;
 
-use der::{Decode, Encode};
+use der::Decode;
 use sec1::EcPrivateKey;
 use spki::AlgorithmIdentifier;
 
@@ -50,23 +50,21 @@ pub trait PrivateKeyInfoExt {
 
 impl<'a> PrivateKeyInfoExt for PrivateKeyInfo<'a> {
     fn generate(oid: ObjectIdentifier) -> Result<Zeroizing<Vec<u8>>> {
-        let rand = ring::rand::SystemRandom::new();
+        let rand = rand::thread_rng();
 
         let doc = match oid {
-            P256 => {
-                use ring::signature::{EcdsaKeyPair, ECDSA_P256_SHA256_ASN1_SIGNING as ALG};
-                EcdsaKeyPair::generate_pkcs8(&ALG, &rand)?
-            }
+            P256 => p256::SecretKey::random(rand)
+                .to_pkcs8_der()
+                .map_err(|e| anyhow!("{:?}", e))?,
 
-            P384 => {
-                use ring::signature::{EcdsaKeyPair, ECDSA_P384_SHA384_ASN1_SIGNING as ALG};
-                EcdsaKeyPair::generate_pkcs8(&ALG, &rand)?
-            }
+            P384 => p384::SecretKey::random(rand)
+                .to_pkcs8_der()
+                .map_err(|e| anyhow!("{:?}", e))?,
 
             _ => bail!("unsupported"),
         };
 
-        Ok(doc.as_ref().to_vec().into())
+        Ok(doc.to_bytes())
     }
 
     fn public_key(&self) -> Result<SubjectPublicKeyInfo<'_>> {
@@ -92,18 +90,20 @@ impl<'a> PrivateKeyInfoExt for PrivateKeyInfo<'a> {
     }
 
     fn sign(&self, body: &[u8], algo: AlgorithmIdentifier<'_>) -> Result<Vec<u8>> {
-        let rng = ring::rand::SystemRandom::new();
+        let ec = EcPrivateKey::from_der(self.private_key)?;
         match (self.algorithm.oids()?, algo) {
             ((ECPK, Some(P256)), ES256) => {
-                use ring::signature::{EcdsaKeyPair, ECDSA_P256_SHA256_ASN1_SIGNING as ALG};
-                let kp = EcdsaKeyPair::from_pkcs8(&ALG, &self.to_vec()?)?;
-                Ok(kp.sign(&rng, body)?.as_ref().to_vec())
+                use p256::ecdsa::signature::Signer;
+                let private_key = p256::SecretKey::from_be_bytes(ec.private_key)?;
+                let sign_key = p256::ecdsa::SigningKey::from(private_key);
+                Ok(sign_key.sign(body).to_der().as_bytes().to_vec())
             }
 
             ((ECPK, Some(P384)), ES384) => {
-                use ring::signature::{EcdsaKeyPair, ECDSA_P384_SHA384_ASN1_SIGNING as ALG};
-                let kp = EcdsaKeyPair::from_pkcs8(&ALG, &self.to_vec()?)?;
-                Ok(kp.sign(&rng, body)?.as_ref().to_vec())
+                use p384::ecdsa::signature::Signer;
+                let private_key = p384::SecretKey::from_be_bytes(ec.private_key)?;
+                let sign_key = p384::ecdsa::SigningKey::from(private_key);
+                Ok(sign_key.sign(body).to_der().as_bytes().to_vec())
             }
 
             _ => bail!("unsupported"),