rustls · djc · Mar 17, 2024 · Mar 15, 2024 · Mar 15, 2024 · Mar 15, 2024
diff --git a/rcgen/Cargo.toml b/rcgen/Cargo.toml
@@ -50,7 +50,7 @@ features = ["x509-parser"]
 allowed_external_types = [
     "time::offset_date_time::OffsetDateTime",
     "zeroize::Zeroize",
-    "rustls_pki_types::*"
+    "rustls_pki_types::*",
 ]
 
 [dev-dependencies]

diff --git a/rcgen/src/certificate.rs b/rcgen/src/certificate.rs
@@ -42,8 +42,8 @@ impl Certificate {
 	}
 	/// Get the certificate in DER encoded format.
 	///
-	/// As the return type implements `Deref<Target = [u8]>`, in can easily be saved
-	/// to a file like a byte slice.
+	/// [`CertificateDer`] implements `Deref<Target = [u8]>` and `AsRef<[u8]>`, so you can easily
+	/// extract the DER bytes from the return value.
 	pub fn der(&self) -> &CertificateDer<'static> {
 		&self.der
 	}
@@ -198,11 +198,11 @@ impl CertificateParams {
 	/// for the presence of the `BasicConstraints` extension, or perform any other
 	/// validation.
 	///
-	/// You can use [`rustls_pemfile::certs`] to get the `ca_cert` input. If
-	/// you have already a byte slice, just calling `into()` and taking a reference
-	/// will convert it to [`CertificateDer`].
+	/// [`rustls_pemfile::certs()`] is often used to obtain a [`CertificateDer`] from PEM input.
+	/// If you already have a byte slice containing DER, it can trivially be converted into
+	/// [`CertificateDer`] using the [`Into`] trait.
 	///
-	/// [`rustls_pemfile::certs`]: https://docs.rs/rustls-pemfile/latest/rustls_pemfile/fn.certs.html
+	/// [`rustls_pemfile::certs()`]: https://docs.rs/rustls-pemfile/latest/rustls_pemfile/fn.certs.html
 	#[cfg(feature = "x509-parser")]
 	pub fn from_ca_cert_der(ca_cert: &CertificateDer<'_>) -> Result<Self, Error> {
 		let (_remainder, x509) = x509_parser::parse_x509_certificate(ca_cert)

diff --git a/rcgen/src/crl.rs b/rcgen/src/crl.rs
@@ -81,6 +81,9 @@ impl CertificateRevocationList {
 	}
 
 	/// Get the CRL in DER encoded format.
+	///
+	/// [`CertificateRevocationListDer`] implements `Deref<Target = [u8]>` and `AsRef<[u8]>`,
+	/// so you can easily extract the DER bytes from the return value.
 	pub fn der(&self) -> &CertificateRevocationListDer<'static> {
 		&self.der
 	}

diff --git a/rcgen/src/csr.rs b/rcgen/src/csr.rs
@@ -1,14 +1,14 @@
-use pki_types::CertificateSigningRequestDer;
-
 use std::hash::Hash;
 
+#[cfg(feature = "pem")]
+use pem::Pem;
+use pki_types::CertificateSigningRequestDer;
+
 #[cfg(feature = "pem")]
 use crate::ENCODE_CONFIG;
 use crate::{Certificate, CertificateParams, Error, KeyPair, PublicKeyData, SignatureAlgorithm};
 #[cfg(feature = "x509-parser")]
 use crate::{DistinguishedName, SanType};
-#[cfg(feature = "pem")]
-use pem::Pem;
 
 /// A public key, extracted from a CSR
 #[derive(Debug, PartialEq, Eq, Hash)]
@@ -40,6 +40,9 @@ impl CertificateSigningRequest {
 	}
 
 	/// Get the DER-encoded bytes of the certificate signing request.
+	///
+	/// [`CertificateSigningRequestDer`] implements `Deref<Target = [u8]>` and `AsRef<[u8]>`,
+	/// so you can easily extract the DER bytes from the return value.
 	pub fn der(&self) -> &CertificateSigningRequestDer<'static> {
 		&self.der
 	}
@@ -68,11 +71,11 @@ impl CertificateSigningRequestParams {
 	/// Currently, this only supports the `Subject Alternative Name` extension.
 	/// On encountering other extensions, this function will return an error.
 	///
-	/// You can use [`rustls_pemfile::csr`] to get the `csr` input. If
-	/// you have already a byte slice, just calling `into()` and taking a reference
-	/// will convert it to [`CertificateSigningRequestDer`].
+	/// [`rustls_pemfile::csr()`] is often used to obtain a [`CertificateSigningRequestDer`] from
+	/// PEM input. If you already have a byte slice containing DER, it can trivially be converted
+	/// into [`CertificateSigningRequestDer`] using the [`Into`] trait.
 	///
-	/// [`rustls_pemfile::csr`]: https://docs.rs/rustls-pemfile/latest/rustls_pemfile/fn.csr.html
+	/// [`rustls_pemfile::csr()`]: https://docs.rs/rustls-pemfile/latest/rustls_pemfile/fn.csr.html
 	#[cfg(feature = "x509-parser")]
 	pub fn from_der(csr: &CertificateSigningRequestDer<'_>) -> Result<Self, Error> {
 		use x509_parser::prelude::FromDer;

diff --git a/rcgen/src/key_pair.rs b/rcgen/src/key_pair.rs
@@ -1,8 +1,9 @@
+use std::fmt;
+
 #[cfg(feature = "pem")]
 use pem::Pem;
 #[cfg(feature = "crypto")]
 use pki_types::PrivatePkcs8KeyDer;
-use std::fmt;
 use yasna::{DERWriter, DERWriterSeq};
 
 #[cfg(any(feature = "crypto", feature = "pem"))]
@@ -157,20 +158,6 @@ impl KeyPair {
 		})
 	}
 
-	/// Parses the key pair from the DER format
-	///
-	/// Equivalent to using the [`TryFrom`] implementation.
-	///
-	/// You can use [`rustls_pemfile::private_key`] to get the `der` input. If
-	/// you have already a byte slice, just calling `into()` and taking a reference
-	/// will convert it to a [`PrivatePkcs8KeyDer`].
-	///
-	/// [`rustls_pemfile::private_key`]: https://docs.rs/rustls-pemfile/latest/rustls_pemfile/fn.private_key.html
-	#[cfg(feature = "crypto")]
-	pub fn from_der(der: &PrivatePkcs8KeyDer<'_>) -> Result<Self, Error> {
-		der.try_into()
-	}
-
 	/// Returns the key pair's signature algorithm
 	pub fn algorithm(&self) -> &'static SignatureAlgorithm {
 		self.alg
@@ -184,8 +171,7 @@ impl KeyPair {
 	#[cfg(all(feature = "pem", feature = "crypto"))]
 	pub fn from_pem(pem_str: &str) -> Result<Self, Error> {
 		let private_key = pem::parse(pem_str)._err()?;
-		let private_key_der: &[_] = private_key.contents();
-		Self::from_der(&private_key_der.into())
+		Self::try_from(&PrivatePkcs8KeyDer::from(private_key.contents()))
 	}
 
 	/// Obtains the key pair from a raw public key and a remote private key
@@ -214,21 +200,20 @@ impl KeyPair {
 		Self::from_der_and_sign_algo(&PrivatePkcs8KeyDer::from(private_key_der), alg)
 	}
 
-	/// Obtains the key pair from a DER formatted key
-	/// using the specified [`SignatureAlgorithm`]
+	/// Obtains the key pair from a DER formatted key using the specified [`SignatureAlgorithm`]
 	///
-	/// Usually, calling this function is not neccessary and you can just call
-	/// [`from_der`](Self::from_der) instead. That function will try to figure
-	/// out a fitting [`SignatureAlgorithm`] for the given
-	/// key pair. However, sometimes multiple signature algorithms fit for the
-	/// same der key. In that instance, you can use this function to precisely
-	/// specify the `SignatureAlgorithm`.
+	/// If you have a [`PrivatePkcs8KeyDer`], you can usually rely on the [`TryFrom`] implementation
+	/// to obtain a [`KeyPair`] -- it will determine the correct [`SignatureAlgorithm`] for you.
+	/// However, sometimes multiple signature algorithms fit for the same DER key. In those instances,
+	/// you can use this function to precisely specify the `SignatureAlgorithm`.
 	///
-	/// You can use [`rustls_pemfile::private_key`] to get the `pkcs8` input. If
-	/// you have already a byte slice, just calling `into()` and taking a reference
-	/// will convert it to a [`PrivatePkcs8KeyDer`].
+	/// [`rustls_pemfile::private_key()`] is often used to obtain a [`PrivateKeyDer`] from PEM
+	/// input. If the obtained [`PrivateKeyDer`] is a `Pkcs8` variant, you can use its contents
+	/// as input for this function. Alternatively, if you already have a byte slice containing DER,
+	/// it can trivially be converted into [`PrivatePkcs8KeyDer`] using the [`Into`] trait.
 	///
-	/// [`rustls_pemfile::private_key`]: https://docs.rs/rustls-pemfile/latest/rustls_pemfile/fn.private_key.html
+	/// [`rustls_pemfile::private_key()`]: https://docs.rs/rustls-pemfile/latest/rustls_pemfile/fn.private_key.html
+	/// [`PrivateKeyDer`]: https://docs.rs/rustls-pki-types/latest/rustls_pki_types/enum.PrivateKeyDer.html
 	#[cfg(feature = "crypto")]
 	pub fn from_der_and_sign_algo(
 		pkcs8: &PrivatePkcs8KeyDer<'_>,
@@ -276,11 +261,13 @@ impl KeyPair {
 
 	/// Parses the key pair from the DER format
 	///
-	/// You can use [`rustls_pemfile::private_key`] to get the `pkcs8` input. If
-	/// you have already a byte slice, just calling `into()` and taking a reference
-	/// will convert it to a [`PrivatePkcs8KeyDer`].
+	/// [`rustls_pemfile::private_key()`] is often used to obtain a [`PrivateKeyDer`] from PEM
+	/// input. If the obtained [`PrivateKeyDer`] is a `Pkcs8` variant, you can use its contents
+	/// as input for this function. Alternatively, if you already have a byte slice containing DER,
+	/// it can trivially be converted into [`PrivatePkcs8KeyDer`] using the [`Into`] trait.
 	///
-	/// [`rustls_pemfile::private_key`]: https://docs.rs/rustls-pemfile/latest/rustls_pemfile/fn.private_key.html
+	/// [`rustls_pemfile::private_key()`]: https://docs.rs/rustls-pemfile/latest/rustls_pemfile/fn.private_key.html
+	/// [`PrivateKeyDer`]: https://docs.rs/rustls-pki-types/latest/rustls_pki_types/enum.PrivateKeyDer.html
 	#[cfg(feature = "crypto")]
 	pub(crate) fn from_raw(
 		pkcs8: &PrivatePkcs8KeyDer,

diff --git a/rcgen/src/ring_like.rs b/rcgen/src/ring_like.rs
@@ -1,8 +1,7 @@
-#[cfg(all(feature = "crypto", feature = "ring"))]
-pub(crate) use ring::*;
-
 #[cfg(all(feature = "crypto", not(feature = "ring"), feature = "aws_lc_rs"))]
 pub(crate) use aws_lc_rs::*;
+#[cfg(all(feature = "crypto", feature = "ring"))]
+pub(crate) use ring::*;
 
 #[cfg(feature = "crypto")]
 use crate::error::ExternalError;

diff --git a/rcgen/src/sign_algo.rs b/rcgen/src/sign_algo.rs
@@ -1,5 +1,6 @@
 use std::fmt;
 use std::hash::{Hash, Hasher};
+
 use yasna::models::ObjectIdentifier;
 use yasna::DERWriter;
 use yasna::Tag;

diff --git a/rcgen/src/string_types.rs b/rcgen/src/string_types.rs
@@ -1,6 +1,7 @@
-use crate::{Error, InvalidAsn1String};
 use std::{fmt, str::FromStr};
 
+use crate::{Error, InvalidAsn1String};
+
 /// ASN.1 `PrintableString` type.
 ///
 /// Supports a subset of the ASCII printable characters (described below).

diff --git a/rcgen/tests/botan.rs b/rcgen/tests/botan.rs
@@ -1,10 +1,11 @@
 #![cfg(all(feature = "crypto", feature = "x509-parser"))]
 
+use time::{Duration, OffsetDateTime};
+
 use rcgen::{BasicConstraints, Certificate, CertificateParams, DnType, IsCa};
 use rcgen::{CertificateRevocationListParams, RevocationReason, RevokedCertParams};
 use rcgen::{DnValue, KeyPair};
 use rcgen::{KeyUsagePurpose, SerialNumber};
-use time::{Duration, OffsetDateTime};
 
 mod util;
 

diff --git a/rcgen/tests/openssl.rs b/rcgen/tests/openssl.rs
@@ -1,18 +1,21 @@
 #![cfg(feature = "pem")]
+
+use std::cell::RefCell;
+use std::io::{Error, ErrorKind, Read, Result as ioResult, Write};
+use std::rc::Rc;
+
 use openssl::asn1::{Asn1Integer, Asn1Time};
 use openssl::bn::BigNum;
 use openssl::pkey::PKey;
 use openssl::ssl::{HandshakeError, SslAcceptor, SslConnector, SslMethod};
 use openssl::stack::Stack;
 use openssl::x509::store::{X509Store, X509StoreBuilder};
 use openssl::x509::{CrlStatus, X509Crl, X509Req, X509StoreContext, X509};
+
 use rcgen::{
 	BasicConstraints, Certificate, CertificateParams, DnType, DnValue, GeneralSubtree, IsCa,
 	KeyPair, NameConstraints,
 };
-use std::cell::RefCell;
-use std::io::{Error, ErrorKind, Read, Result as ioResult, Write};
-use std::rc::Rc;
 
 mod util;
 

diff --git a/rcgen/tests/util.rs b/rcgen/tests/util.rs
@@ -1,12 +1,13 @@
 #![cfg(feature = "crypto")]
 
+use time::{Duration, OffsetDateTime};
+
 use rcgen::{BasicConstraints, Certificate, CertificateParams, KeyPair};
 use rcgen::{
 	CertificateRevocationList, CrlDistributionPoint, CrlIssuingDistributionPoint, CrlScope,
 };
 use rcgen::{CertificateRevocationListParams, DnType, IsCa, KeyIdMethod};
 use rcgen::{KeyUsagePurpose, RevocationReason, RevokedCertParams, SerialNumber};
-use time::{Duration, OffsetDateTime};
 
 // Generated by adding `println!("{}", cert.serialize_private_key_pem());`
 // to the test_webpki_25519 test and panicing explicitly.

diff --git a/rcgen/tests/webpki.rs b/rcgen/tests/webpki.rs
@@ -1,25 +1,25 @@
 #![cfg(feature = "crypto")]
 
+use std::time::Duration as StdDuration;
+
 use pki_types::{CertificateDer, ServerName, SignatureVerificationAlgorithm, UnixTime};
+use ring::rand::SystemRandom;
+use ring::signature::{self, EcdsaKeyPair, EcdsaSigningAlgorithm, Ed25519KeyPair, KeyPair as _};
+#[cfg(feature = "pem")]
+use ring::signature::{RsaEncoding, RsaKeyPair};
+use time::{Duration, OffsetDateTime};
+use webpki::{
+	anchor_from_trusted_cert, BorrowedCertRevocationList, CertRevocationList, EndEntityCert,
+	KeyUsage, RevocationOptionsBuilder,
+};
+
 use rcgen::{
 	BasicConstraints, Certificate, CertificateParams, DnType, Error, IsCa, KeyPair, RemoteKeyPair,
 };
 use rcgen::{CertificateRevocationListParams, RevocationReason, RevokedCertParams};
 #[cfg(feature = "x509-parser")]
 use rcgen::{CertificateSigningRequestParams, DnValue};
 use rcgen::{ExtendedKeyUsagePurpose, KeyUsagePurpose, SerialNumber};
-use webpki::{
-	anchor_from_trusted_cert, BorrowedCertRevocationList, CertRevocationList, EndEntityCert,
-	KeyUsage, RevocationOptionsBuilder,
-};
-
-use ring::rand::SystemRandom;
-use ring::signature::{self, EcdsaKeyPair, EcdsaSigningAlgorithm, Ed25519KeyPair, KeyPair as _};
-#[cfg(feature = "pem")]
-use ring::signature::{RsaEncoding, RsaKeyPair};
-
-use std::time::Duration as StdDuration;
-use time::{Duration, OffsetDateTime};
 
 mod util;
 

diff --git a/rustls-cert-gen/src/cert.rs b/rustls-cert-gen/src/cert.rs
@@ -1,9 +1,10 @@
+use std::{fmt, fs::File, io, path::Path};
+
 use bpaf::Bpaf;
 use rcgen::{
 	BasicConstraints, Certificate, CertificateParams, DistinguishedName, DnType,
 	DnValue::PrintableString, ExtendedKeyUsagePurpose, IsCa, KeyPair, KeyUsagePurpose, SanType,
 };
-use std::{fmt, fs::File, io, path::Path};
 
 #[derive(Debug, Clone)]
 /// PEM serialized Certificate and PEM serialized corresponding private key

diff --git a/rustls-cert-gen/src/main.rs b/rustls-cert-gen/src/main.rs
@@ -1,6 +1,7 @@
+use std::{net::IpAddr, path::PathBuf, str::FromStr};
+
 use bpaf::Bpaf;
 use rcgen::{Error, SanType};
-use std::{net::IpAddr, path::PathBuf, str::FromStr};
 
 mod cert;
 use cert::{key_pair_algorithm, CertificateBuilder, KeyPairAlgorithm};