From 5baac337ef90745dfd5a555d668468628d0b1ca2 Mon Sep 17 00:00:00 2001 From: Joe Birr-Pixton Date: Mon, 23 Dec 2024 12:36:29 +0000 Subject: [PATCH 1/6] Migrate `AlgorithmIdentifier` values from rustls-webpki Any downstream crate defining a custom `rustls::CryptoProvider` currently needs to take a dependency on `rustls-webpki` to reuse these values (alternatively they can redefine these values, but meh.) Moving them here removes that need. --- src/alg_id.rs | 76 ++++++++++++++++++++++++++++++ src/data/README.md | 21 +++++++++ src/data/alg-ecdsa-p256.der | 1 + src/data/alg-ecdsa-p384.der | Bin 0 -> 16 bytes src/data/alg-ecdsa-p521.der | Bin 0 -> 16 bytes src/data/alg-ecdsa-sha256.der | 1 + src/data/alg-ecdsa-sha384.der | 1 + src/data/alg-ecdsa-sha512.der | 1 + src/data/alg-ed25519.der | 1 + src/data/alg-rsa-encryption.der | Bin 0 -> 13 bytes src/data/alg-rsa-pkcs1-sha256.der | Bin 0 -> 13 bytes src/data/alg-rsa-pkcs1-sha384.der | Bin 0 -> 13 bytes src/data/alg-rsa-pkcs1-sha512.der | Bin 0 -> 13 bytes src/data/alg-rsa-pss-sha256.der | Bin 0 -> 65 bytes src/data/alg-rsa-pss-sha384.der | Bin 0 -> 65 bytes src/data/alg-rsa-pss-sha512.der | Bin 0 -> 65 bytes src/lib.rs | 1 + 17 files changed, 103 insertions(+) create mode 100644 src/alg_id.rs create mode 100644 src/data/README.md create mode 100644 src/data/alg-ecdsa-p256.der create mode 100644 src/data/alg-ecdsa-p384.der create mode 100644 src/data/alg-ecdsa-p521.der create mode 100644 src/data/alg-ecdsa-sha256.der create mode 100644 src/data/alg-ecdsa-sha384.der create mode 100644 src/data/alg-ecdsa-sha512.der create mode 100644 src/data/alg-ed25519.der create mode 100644 src/data/alg-rsa-encryption.der create mode 100644 src/data/alg-rsa-pkcs1-sha256.der create mode 100644 src/data/alg-rsa-pkcs1-sha384.der create mode 100644 src/data/alg-rsa-pkcs1-sha512.der create mode 100644 src/data/alg-rsa-pss-sha256.der create mode 100644 src/data/alg-rsa-pss-sha384.der create mode 100644 src/data/alg-rsa-pss-sha512.der 
diff --git a/src/alg_id.rs b/src/alg_id.rs
new file mode 100644
index 0000000..2e4d5b8
--- /dev/null
+++ b/src/alg_id.rs
@@ -0,0 +1,76 @@
+//! Encodings of the PKIX AlgorithmIdentifier type.
+//!
+//! This module contains a set of common values, and exists to keep the
+//! names of these separate from the actual algorithm implementations.
+
+use super::AlgorithmIdentifier;
+
+// See src/data/README.md.
+
+/// AlgorithmIdentifier for `id-ecPublicKey` with named curve `secp256r1`.
+pub const ECDSA_P256: AlgorithmIdentifier =
+ AlgorithmIdentifier::from_slice(include_bytes!("data/alg-ecdsa-p256.der"));
+
+/// AlgorithmIdentifier for `id-ecPublicKey` with named curve `secp384r1`.
+pub const ECDSA_P384: AlgorithmIdentifier =
+ AlgorithmIdentifier::from_slice(include_bytes!("data/alg-ecdsa-p384.der"));
+
+/// AlgorithmIdentifier for `id-ecPublicKey` with named curve `secp521r1`.
+pub const ECDSA_P521: AlgorithmIdentifier =
+ AlgorithmIdentifier::from_slice(include_bytes!("data/alg-ecdsa-p521.der"));
+
+/// AlgorithmIdentifier for `ecdsa-with-SHA256`.
+pub const ECDSA_SHA256: AlgorithmIdentifier =
+ AlgorithmIdentifier::from_slice(include_bytes!("data/alg-ecdsa-sha256.der"));
+
+/// AlgorithmIdentifier for `ecdsa-with-SHA384`.
+pub const ECDSA_SHA384: AlgorithmIdentifier =
+ AlgorithmIdentifier::from_slice(include_bytes!("data/alg-ecdsa-sha384.der"));
+
+/// AlgorithmIdentifier for `ecdsa-with-SHA512`.
+pub const ECDSA_SHA512: AlgorithmIdentifier =
+ AlgorithmIdentifier::from_slice(include_bytes!("data/alg-ecdsa-sha512.der"));
+
+/// AlgorithmIdentifier for `rsaEncryption`.
+pub const RSA_ENCRYPTION: AlgorithmIdentifier =
+ AlgorithmIdentifier::from_slice(include_bytes!("data/alg-rsa-encryption.der"));
+
+/// AlgorithmIdentifier for `sha256WithRSAEncryption`.
+pub const RSA_PKCS1_SHA256: AlgorithmIdentifier =
+ AlgorithmIdentifier::from_slice(include_bytes!("data/alg-rsa-pkcs1-sha256.der"));
+
+/// AlgorithmIdentifier for `sha384WithRSAEncryption`.
+pub const RSA_PKCS1_SHA384: AlgorithmIdentifier =
+ AlgorithmIdentifier::from_slice(include_bytes!("data/alg-rsa-pkcs1-sha384.der"));
+
+/// AlgorithmIdentifier for `sha512WithRSAEncryption`.
+pub const RSA_PKCS1_SHA512: AlgorithmIdentifier =
+ AlgorithmIdentifier::from_slice(include_bytes!("data/alg-rsa-pkcs1-sha512.der"));
+
+/// AlgorithmIdentifier for `rsassaPss` with:
+///
+/// - hashAlgorithm: sha256
+/// - maskGenAlgorithm: mgf1 with sha256
+/// - saltLength: 32
+pub const RSA_PSS_SHA256: AlgorithmIdentifier =
+ AlgorithmIdentifier::from_slice(include_bytes!("data/alg-rsa-pss-sha256.der"));
+
+/// AlgorithmIdentifier for `rsassaPss` with:
+///
+/// - hashAlgorithm: sha384
+/// - maskGenAlgorithm: mgf1 with sha384
+/// - saltLength: 48
+pub const RSA_PSS_SHA384: AlgorithmIdentifier =
+ AlgorithmIdentifier::from_slice(include_bytes!("data/alg-rsa-pss-sha384.der"));
+
+/// AlgorithmIdentifier for `rsassaPss` with:
+///
+/// - hashAlgorithm: sha512
+/// - maskGenAlgorithm: mgf1 with sha512
+/// - saltLength: 64
+pub const RSA_PSS_SHA512: AlgorithmIdentifier =
+ AlgorithmIdentifier::from_slice(include_bytes!("data/alg-rsa-pss-sha512.der"));
+
+/// AlgorithmIdentifier for `ED25519`.
+pub const ED25519: AlgorithmIdentifier =
+ AlgorithmIdentifier::from_slice(include_bytes!("data/alg-ed25519.der"));
diff --git a/src/data/README.md b/src/data/README.md
new file mode 100644
index 0000000..78fc778
--- /dev/null
+++ b/src/data/README.md
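Review bot: Nothing in this new module checks a constant against the OID its doc comment names; every value comes from an opaque `.der` blob pulled in with `include_bytes!`, and several of those blobs are binary patches that cannot be read in this diff. A swapped or stale file (the P-384 and P-521 curve OIDs differ only in their last byte) could make a downstream provider match the wrong algorithm without any build or test failure. Consider a unit test here that rebuilds each value from a byte literal, e.g. `assert_eq!(ECDSA_P384, AlgorithmIdentifier::from_slice(&[0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22]));`. Elsewhere in this series only `RSA_ENCRYPTION` gets such a check, in the `AlgorithmIdentifier` doctest in src/lib.rs.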
@@ -0,0 +1,21 @@ +These files contain the binary DER encoding of the *values* of some +ASN.1 [`AlgorithmIdentifier`]s, without the outer `SEQUENCE` tag or the outer +length component. + +These files were encoded with the help of [der-ascii]. They can be decoded +using: + +```sh +go get github.com/google/der-ascii/cmd/der2ascii +der2ascii -i -o .ascii +``` + +New or modified der-ascii files can be encoded using: + +```sh +go get github.com/google/der-ascii/cmd/ascii2der +ascii2der i .ascii -o +``` + +[`AlgorithmIdentifier`]: https://tools.ietf.org/html/rfc5280#section-4.1.1.2] +[der-ascii]: https://github.com/google/der-ascii diff --git a/src/data/alg-ecdsa-p256.der b/src/data/alg-ecdsa-p256.der new file mode 100644 index 0000000..d49c30d --- /dev/null +++ b/src/data/alg-ecdsa-p256.der @@ -0,0 +1 @@ +*†HÎ=*†HÎ= \ No newline at end of file diff --git a/src/data/alg-ecdsa-p384.der b/src/data/alg-ecdsa-p384.der new file mode 100644 index 0000000000000000000000000000000000000000..8b24916caf9bfaeaecb98407738772aa659fc65e GIT binary patch literal 16 XcmZQ$*J|@PXUoLM#;V=O!k`2I8~OtA literal 0 HcmV?d00001 diff --git a/src/data/alg-ecdsa-p521.der b/src/data/alg-ecdsa-p521.der new file mode 100644 index 0000000000000000000000000000000000000000..9ad544c2c77f2fd26eac3b783622069507ecb806 GIT binary patch literal 16 XcmZQ$*J|@PXUoLM#;V=O!k`QQ8~XzC literal 0 HcmV?d00001 diff --git a/src/data/alg-ecdsa-sha256.der b/src/data/alg-ecdsa-sha256.der new file mode 100644 index 0000000..b2ee128 --- /dev/null +++ b/src/data/alg-ecdsa-sha256.der @@ -0,0 +1 @@ +*†HÎ= \ No newline at end of file diff --git a/src/data/alg-ecdsa-sha384.der b/src/data/alg-ecdsa-sha384.der new file mode 100644 index 0000000..7c61d3a --- /dev/null +++ b/src/data/alg-ecdsa-sha384.der @@ -0,0 +1 @@ +*†HÎ= \ No newline at end of file diff --git a/src/data/alg-ecdsa-sha512.der b/src/data/alg-ecdsa-sha512.der new file mode 100644 index 0000000..d87b899 --- /dev/null +++ b/src/data/alg-ecdsa-sha512.der 
@@ -0,0 +1 @@ +*†HÎ= \ No newline at end of file diff --git a/src/data/alg-ed25519.der b/src/data/alg-ed25519.der new file mode 100644 index 0000000..7ca46fd --- /dev/null +++ b/src/data/alg-ed25519.der @@ -0,0 +1 @@ ++ep \ No newline at end of file diff --git a/src/data/alg-rsa-encryption.der b/src/data/alg-rsa-encryption.der new file mode 100644 index 0000000000000000000000000000000000000000..77d159a1c6fcc68fac95281029ab0c6ce52bb58f GIT binary patch literal 13 UcmZSM)N1o+`_9YA$jHh702QtRng9R* literal 0 HcmV?d00001 diff --git a/src/data/alg-rsa-pkcs1-sha256.der b/src/data/alg-rsa-pkcs1-sha256.der new file mode 100644 index 0000000000000000000000000000000000000000..ab52bcd80b62813edb30a9ab628a5530b2ada8eb GIT binary patch literal 13 UcmZSM)N1o+`_9YA$j! Date: Mon, 23 Dec 2024 13:26:24 +0000 Subject: [PATCH 2/6] alg_ids.rs: adjust head comment --- src/alg_id.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/alg_id.rs b/src/alg_id.rs index 2e4d5b8..6c39b19 100644 --- a/src/alg_id.rs +++ b/src/alg_id.rs @@ -1,7 +1,7 @@ -//! Encodings of the PKIX AlgorithmIdentifier type. +//! Common values of the PKIX [`AlgorithmIdentifier`] type. //! -//! This module contains a set of common values, and exists to keep the -//! names of these separate from the actual algorithm implementations. +//! If you need to use an [`AlgorithmIdentifier`] not defined here, +//! you can define it locally. use super::AlgorithmIdentifier; From 955b2dc7bd69d384afa2df91bd02a0c83f9a9cbb Mon Sep 17 00:00:00 2001 From: Joe Birr-Pixton Date: Mon, 23 Dec 2024 12:42:05 +0000 Subject: [PATCH 3/6] src/data/README: update go instructions > 'go get' is no longer supported outside a module. > To build and install a command, use 'go install' with a version, > like 'go install example.com/cmd@latest' --- src/data/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/data/README.md b/src/data/README.md index 78fc778..45cf697 100644 --- a/src/data/README.md 
+++ b/src/data/README.md @@ -6,14 +6,14 @@ These files were encoded with the help of [der-ascii]. They can be decoded using: ```sh -go get github.com/google/der-ascii/cmd/der2ascii +go install github.com/google/der-ascii/cmd/der2ascii@latest der2ascii -i -o .ascii ``` New or modified der-ascii files can be encoded using: ```sh -go get github.com/google/der-ascii/cmd/ascii2der +go install github.com/google/der-ascii/cmd/ascii2der@latest ascii2der i .ascii -o ``` From 47ee59877fbedc36b58295a17f7107f51b94d7c2 Mon Sep 17 00:00:00 2001 From: Joe Birr-Pixton Date: Mon, 23 Dec 2024 13:01:32 +0000 Subject: [PATCH 4/6] alg_id: include der2ascii output in docs The intention here is to make it easy to cross-reference these values with other sources of information, and to "lift the veil" on what these things actually are and are not. Some of these are trivial (ed25519) while others reveal their true horror (RSA-PSS). For the latter, include a reference to their defining RFC, and decorate the context-specific fields with their name in comments. --- src/alg_id.rs | 195 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 195 insertions(+) diff --git a/src/alg_id.rs b/src/alg_id.rs index 6c39b19..637027d 100644 --- a/src/alg_id.rs +++ b/src/alg_id.rs 
@@ -8,42 +8,122 @@ use super::AlgorithmIdentifier;
 // See src/data/README.md.
 
 /// AlgorithmIdentifier for `id-ecPublicKey` with named curve `secp256r1`.
+///
+/// This is:
+///
+/// ```text
+/// # ecPublicKey
+/// OBJECT_IDENTIFIER { 1.2.840.10045.2.1 }
+/// # secp256r1
+/// OBJECT_IDENTIFIER { 1.2.840.10045.3.1.7 }
+/// ```
 pub const ECDSA_P256: AlgorithmIdentifier =
 AlgorithmIdentifier::from_slice(include_bytes!("data/alg-ecdsa-p256.der"));
 
 /// AlgorithmIdentifier for `id-ecPublicKey` with named curve `secp384r1`.
+///
+/// This is:
+///
+/// ```text
+/// # ecPublicKey
+/// OBJECT_IDENTIFIER { 1.2.840.10045.2.1 }
+/// # secp384r1
+/// OBJECT_IDENTIFIER { 1.3.132.0.34 }
+/// ```
 pub const ECDSA_P384: AlgorithmIdentifier =
 AlgorithmIdentifier::from_slice(include_bytes!("data/alg-ecdsa-p384.der"));
 
 /// AlgorithmIdentifier for `id-ecPublicKey` with named curve `secp521r1`.
+///
+/// This is:
+///
+/// ```text
+/// # ecPublicKey
+/// OBJECT_IDENTIFIER { 1.2.840.10045.2.1 }
+/// # secp521r1
+/// OBJECT_IDENTIFIER { 1.3.132.0.35 }
+/// ```
 pub const ECDSA_P521: AlgorithmIdentifier =
 AlgorithmIdentifier::from_slice(include_bytes!("data/alg-ecdsa-p521.der"));
 
 /// AlgorithmIdentifier for `ecdsa-with-SHA256`.
+///
+/// This is:
+///
+/// ```text
+/// # ecdsa-with-SHA256
+/// OBJECT_IDENTIFIER { 1.2.840.10045.4.3.2 }
+/// ```
 pub const ECDSA_SHA256: AlgorithmIdentifier =
 AlgorithmIdentifier::from_slice(include_bytes!("data/alg-ecdsa-sha256.der"));
 
 /// AlgorithmIdentifier for `ecdsa-with-SHA384`.
+///
+/// This is:
+///
+/// ```text
+/// # ecdsa-with-SHA384
+/// OBJECT_IDENTIFIER { 1.2.840.10045.4.3.3 }
+/// ```
 pub const ECDSA_SHA384: AlgorithmIdentifier =
 AlgorithmIdentifier::from_slice(include_bytes!("data/alg-ecdsa-sha384.der"));
 
 /// AlgorithmIdentifier for `ecdsa-with-SHA512`.
+///
+/// This is:
+///
+/// ```text
+/// # ecdsa-with-SHA512
+/// OBJECT_IDENTIFIER { 1.2.840.10045.4.3.4 }
+/// ```
 pub const ECDSA_SHA512: AlgorithmIdentifier =
 AlgorithmIdentifier::from_slice(include_bytes!("data/alg-ecdsa-sha512.der"));
 
 /// AlgorithmIdentifier for `rsaEncryption`.
+///
+/// This is:
+///
+/// ```text
+/// # rsaEncryption
+/// OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 }
+/// NULL {}
+/// ```
 pub const RSA_ENCRYPTION: AlgorithmIdentifier =
 AlgorithmIdentifier::from_slice(include_bytes!("data/alg-rsa-encryption.der"));
 
 /// AlgorithmIdentifier for `sha256WithRSAEncryption`.
+///
+/// This is:
+///
+/// ```text
+/// # sha256WithRSAEncryption
+/// OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+/// NULL {}
+/// ```
 pub const RSA_PKCS1_SHA256: AlgorithmIdentifier =
 AlgorithmIdentifier::from_slice(include_bytes!("data/alg-rsa-pkcs1-sha256.der"));
 
 /// AlgorithmIdentifier for `sha384WithRSAEncryption`.
+///
+/// This is:
+///
+/// ```text
+/// # sha384WithRSAEncryption
+/// OBJECT_IDENTIFIER { 1.2.840.113549.1.1.12 }
+/// NULL {}
+/// ```
 pub const RSA_PKCS1_SHA384: AlgorithmIdentifier =
 AlgorithmIdentifier::from_slice(include_bytes!("data/alg-rsa-pkcs1-sha384.der"));
 
 /// AlgorithmIdentifier for `sha512WithRSAEncryption`.
+///
+/// This is:
+///
+/// ```text
+/// # sha512WithRSAEncryption
+/// OBJECT_IDENTIFIER { 1.2.840.113549.1.1.13 }
+/// NULL {}
+/// ```
 pub const RSA_PKCS1_SHA512: AlgorithmIdentifier =
 AlgorithmIdentifier::from_slice(include_bytes!("data/alg-rsa-pkcs1-sha512.der"));
 
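Review bot: No comment in this hunk says which certificate field each constant is meant to be matched against, although the added dumps show two different kinds of value: `ECDSA_P256`, `ECDSA_P384`, `ECDSA_P521` and `RSA_ENCRYPTION` carry a key-type OID (`ecPublicKey` plus a curve, or `rsaEncryption`), while `ECDSA_SHA*` and `RSA_PKCS1_*` carry a signature-algorithm OID. The names alone (`ECDSA_P256` next to `ECDSA_SHA256`) make it easy to pass a key identifier where a signature identifier is expected when wiring up a custom provider. I would add one line to each group, for example `/// This identifies a public key type (as carried in SubjectPublicKeyInfo), not a signature algorithm.` on the first kind and `/// This identifies a signature algorithm, not a public key type.` on the second.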
@@ -52,6 +132,42 @@ pub const RSA_PKCS1_SHA512: AlgorithmIdentifier =
 /// - hashAlgorithm: sha256
 /// - maskGenAlgorithm: mgf1 with sha256
 /// - saltLength: 32
+///
+/// This is:
+///
+/// ```text
+/// # rsassa-pss
+/// OBJECT_IDENTIFIER { 1.2.840.113549.1.1.10 }
+/// SEQUENCE {
+/// # hashAlgorithm:
+/// [0] {
+/// SEQUENCE {
+/// # sha256
+/// OBJECT_IDENTIFIER { 2.16.840.1.101.3.4.2.1 }
+/// NULL {}
+/// }
+/// }
+/// # maskGenAlgorithm:
+/// [1] {
+/// SEQUENCE {
+/// # mgf1
+/// OBJECT_IDENTIFIER { 1.2.840.113549.1.1.8 }
+/// SEQUENCE {
+/// # sha256
+/// OBJECT_IDENTIFIER { 2.16.840.1.101.3.4.2.1 }
+/// NULL {}
+/// }
+/// }
+/// }
+/// # saltLength:
+/// [2] {
+/// INTEGER { 32 }
+/// }
+/// }
+/// ```
+///
+/// See for
+/// the meaning of the context-specific tags.
 pub const RSA_PSS_SHA256: AlgorithmIdentifier =
 AlgorithmIdentifier::from_slice(include_bytes!("data/alg-rsa-pss-sha256.der"));
 
@@ -60,6 +176,42 @@ pub const RSA_PSS_SHA256: AlgorithmIdentifier =
 /// - hashAlgorithm: sha384
 /// - maskGenAlgorithm: mgf1 with sha384
 /// - saltLength: 48
+///
+/// This is:
+///
+/// ```text
+/// # rsassa-pss
+/// OBJECT_IDENTIFIER { 1.2.840.113549.1.1.10 }
+/// SEQUENCE {
+/// # hashAlgorithm:
+/// [0] {
+/// SEQUENCE {
+/// # sha384
+/// OBJECT_IDENTIFIER { 2.16.840.1.101.3.4.2.2 }
+/// NULL {}
+/// }
+/// }
+/// # maskGenAlgorithm:
+/// [1] {
+/// SEQUENCE {
+/// # mgf1
+/// OBJECT_IDENTIFIER { 1.2.840.113549.1.1.8 }
+/// SEQUENCE {
+/// # sha384
+/// OBJECT_IDENTIFIER { 2.16.840.1.101.3.4.2.2 }
+/// NULL {}
+/// }
+/// }
+/// }
+/// # saltLength:
+/// [2] {
+/// INTEGER { 48 }
+/// }
+/// }
+/// ```
+///
+/// See for
+/// the meaning of the context-specific tags.
 pub const RSA_PSS_SHA384: AlgorithmIdentifier =
 AlgorithmIdentifier::from_slice(include_bytes!("data/alg-rsa-pss-sha384.der"));
 
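Review bot: The PSS documentation added here spells out one exact parameter set but does not say that a match against `RSA_PSS_SHA256` is all-or-nothing. `AlgorithmIdentifier` derives `PartialEq` over its byte slice (src/lib.rs, last patch of this series), so an `rsassaPss` identifier encoded with any other parameters, such as a different `saltLength`, is a different value and will not equal this constant. A line such as `/// Comparison is byte-for-byte: an rsassaPss identifier with any other parameters is not equal to this constant.` would make that explicit; the SHA-384 and SHA-512 hunks have the same gap. Separately, `/// See for` reads as if the link target after "See" is missing (it may have been lost when this page was rendered); if the source really lacks it, the RFC reference the commit message promises should be restored.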
@@ -68,9 +220,52 @@ pub const RSA_PSS_SHA384: AlgorithmIdentifier =
 /// - hashAlgorithm: sha512
 /// - maskGenAlgorithm: mgf1 with sha512
 /// - saltLength: 64
+///
+/// This is:
+///
+/// ```text
+/// # rsassa-pss
+/// OBJECT_IDENTIFIER { 1.2.840.113549.1.1.10 }
+/// SEQUENCE {
+/// # hashAlgorithm:
+/// [0] {
+/// SEQUENCE {
+/// # sha512
+/// OBJECT_IDENTIFIER { 2.16.840.1.101.3.4.2.3 }
+/// NULL {}
+/// }
+/// }
+/// # maskGenAlgorithm:
+/// [1] {
+/// SEQUENCE {
+/// # mgf1
+/// OBJECT_IDENTIFIER { 1.2.840.113549.1.1.8 }
+/// SEQUENCE {
+/// # sha512
+/// OBJECT_IDENTIFIER { 2.16.840.1.101.3.4.2.3 }
+/// NULL {}
+/// }
+/// }
+/// }
+/// # saltLength:
+/// [2] {
+/// INTEGER { 64 }
+/// }
+/// }
+/// ```
+///
+/// See for
+/// the meaning of the context-specific tags.
 pub const RSA_PSS_SHA512: AlgorithmIdentifier =
 AlgorithmIdentifier::from_slice(include_bytes!("data/alg-rsa-pss-sha512.der"));
 
 /// AlgorithmIdentifier for `ED25519`.
+///
+/// This is:
+///
+/// ```text
+/// # ed25519
+/// OBJECT_IDENTIFIER { 1.3.101.112 }
+/// ```
 pub const ED25519: AlgorithmIdentifier =
 AlgorithmIdentifier::from_slice(include_bytes!("data/alg-ed25519.der"));
From 68053793570ac8934a08d39301922cc73eeeeaaf Mon Sep 17 00:00:00 2001
From: Joe Birr-Pixton
Date: Mon, 23 Dec 2024 13:19:14 +0000
Subject: [PATCH 5/6] Bump version to 1.11.0
---
 Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Cargo.toml b/Cargo.toml
index 051e55f..fc645d1 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "rustls-pki-types"
-version = "1.10.1"
+version = "1.11.0"
 edition = "2021"
 rust-version = "1.60"
 license = "MIT OR Apache-2.0"
From c5cb7efa75475d6691df5051fcd12031e6edf3d5 Mon Sep 17 00:00:00 2001
From: Joe Birr-Pixton
Date: Mon, 23 Dec 2024 13:30:11 +0000
Subject: [PATCH 6/6] AlgorithmIdentifier: cross-reference to alg_id module
---
 src/lib.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/lib.rs b/src/lib.rs
index 335e0e9..358abd8 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -915,7 +915,8 @@ pub struct InvalidSignature;
 /// The outer sequence encoding is *not included*, so this is the DER encoding
 /// of an OID for `algorithm` plus the `parameters` value.
 ///
-/// For example, this is the `rsaEncryption` algorithm:
+/// For example, this is the `rsaEncryption` algorithm (but prefer to use the constant
+/// [`alg_id::RSA_ENCRYPTION`] instead):
 ///
 /// ```
 /// let rsa_encryption = rustls_pki_types::AlgorithmIdentifier::from_slice(
@@ -926,7 +927,10 @@ pub struct InvalidSignature;
 /// 0x05, 0x00
 /// ]
 /// );
+/// assert_eq!(rustls_pki_types::alg_id::RSA_ENCRYPTION, rsa_encryption);
 /// ```
+///
+/// Common values for this type are provided in the [`alg_id`] module.
 #[derive(Clone, Copy, PartialEq, Eq)]
 pub struct AlgorithmIdentifier(&'static [u8]);
 