Support RsaSubjectPublicKey to/from X509; Bump version (#742)

* Support RsaSubjectPublicKey to/from X509

* Remove redundant check

* Also bump the patch version

Author: justsmth

aws-lc-rs/Cargo.toml

@@ -1,9 +1,9 @@
 [package]
 name = "aws-lc-rs"
 authors = ["AWS-LibCrypto"]
-version = "1.12.6"
+version = "1.12.7"
 # this crate re-exports whatever sys crate that was selected
-links = "aws_lc_rs_1_12_6_sys"
+links = "aws_lc_rs_1_12_7_sys"
 edition = "2021"
 rust-version = "1.63.0"
 keywords = ["crypto", "cryptography", "security"]

aws-lc-rs/Makefile

@@ -4,6 +4,8 @@ UNAME_S := $(shell uname -s)
 
 AWS_LC_RS_COV_EXTRA_FEATURES := unstable
 
+export AWS_LC_RS_DISABLE_SLOW_TESTS := 1
+
 asan:
 # TODO: This build target produces linker error on Mac.
 # Run specific tests:

aws-lc-rs/src/rsa/encoding.rs

@@ -76,7 +76,7 @@ pub(in crate::rsa) mod rfc8017 {
 ///
 /// Encodings that use the `SubjectPublicKeyInfo` structure.
 pub(in crate::rsa) mod rfc5280 {
-    use crate::aws_lc::{EVP_PKEY, EVP_PKEY_RSA};
+    use crate::aws_lc::{EVP_PKEY, EVP_PKEY_RSA, EVP_PKEY_RSA_PSS};
     use crate::buffer::Buffer;
     use crate::encoding::PublicKeyX509Der;
     use crate::error::{KeyRejected, Unspecified};
@@ -92,6 +92,9 @@ pub(in crate::rsa) mod rfc5280 {
     pub(in crate::rsa) fn decode_public_key_der(
         value: &[u8],
     ) -> Result<LcPtr<EVP_PKEY>, KeyRejected> {
-        LcPtr::<EVP_PKEY>::parse_rfc5280_public_key(value, EVP_PKEY_RSA)
+        LcPtr::<EVP_PKEY>::parse_rfc5280_public_key(value, EVP_PKEY_RSA).or(
+            // Does anyone encode with this OID?
+            LcPtr::<EVP_PKEY>::parse_rfc5280_public_key(value, EVP_PKEY_RSA_PSS),
+        )
     }
 }

aws-lc-rs/src/rsa/key.rs

@@ -12,7 +12,7 @@ use crate::aws_lc::{
 };
 #[cfg(feature = "ring-io")]
 use crate::aws_lc::{RSA_get0_e, RSA_get0_n};
-use crate::encoding::{AsDer, Pkcs8V1Der};
+use crate::encoding::{AsDer, Pkcs8V1Der, PublicKeyX509Der};
 use crate::error::{KeyRejected, Unspecified};
 #[cfg(feature = "ring-io")]
 use crate::io;
@@ -32,6 +32,7 @@ use core::ptr::null_mut;
 use std::os::raw::c_int;
 
 use crate::pkcs8::Version;
+use crate::rsa::encoding::{rfc5280, rfc8017};
 use crate::rsa::signature::configure_rsa_pkcs1_pss_padding;
 #[cfg(feature = "ring-io")]
 use untrusted::Input;
@@ -288,7 +289,7 @@ impl Drop for PublicKey {
 }
 
 impl PublicKey {
-    pub(super) fn new(evp_pkey: &LcPtr<EVP_PKEY>) -> Result<Self, Unspecified> {
+    pub(super) fn new(evp_pkey: &LcPtr<EVP_PKEY>) -> Result<Self, KeyRejected> {
         let key = encoding::rfc8017::encode_public_key_der(evp_pkey)?;
         #[cfg(feature = "ring-io")]
         {
@@ -307,6 +308,17 @@ impl PublicKey {
         #[cfg(not(feature = "ring-io"))]
         Ok(PublicKey { key })
     }
+
+    /// Parses an RSA public key from either RFC8017 or RFC5280
+    /// # Errors
+    /// `KeyRejected` if the encoding is not for a valid RSA key.
+    pub fn from_der(input: &[u8]) -> Result<Self, KeyRejected> {
+        // These both invoke `RSA_check_key`:
+        // https://github.com/aws/aws-lc/blob/4368aaa6975ba41bd76d3bb12fac54c4680247fb/crypto/rsa_extra/rsa_asn1.c#L105-L109
+        PublicKey::new(
+            &rfc8017::decode_public_key_der(input).or(rfc5280::decode_public_key_der(input))?,
+        )
+    }
 }
 
 impl Debug for PublicKey {
@@ -325,6 +337,14 @@ impl AsRef<[u8]> for PublicKey {
     }
 }
 
+impl AsDer<PublicKeyX509Der<'static>> for PublicKey {
+    fn as_der(&self) -> Result<PublicKeyX509Der<'static>, Unspecified> {
+        // TODO: refactor
+        let evp_pkey = rfc8017::decode_public_key_der(self.as_ref())?;
+        rfc5280::encode_public_key_der(&evp_pkey)
+    }
+}
+
 #[cfg(feature = "ring-io")]
 impl PublicKey {
     /// The public modulus (n).

aws-lc-rs/tests/rsa_test.rs

@@ -819,16 +819,33 @@ fn min_encrypt_key() {
     const PUBLIC_KEY: &[u8] = include_bytes!("data/rsa_test_public_key_2048.x509");
 
     let parsed_private_key = PrivateDecryptingKey::from_pkcs8(PRIVATE_KEY).expect("key supported");
+    let signing_priv_key = RsaKeyPair::from_pkcs8(PRIVATE_KEY).expect("key supported");
     let parsed_public_key = PublicEncryptingKey::from_der(PUBLIC_KEY).expect("key supported");
+    let parsed_signing_public_key =
+        RsaSubjectPublicKey::from_der(PUBLIC_KEY).expect("key supported");
 
-    let public_key = parsed_private_key.public_key();
+    let derived_public_key = parsed_private_key.public_key();
+    let derived_signing_public_key = signing_priv_key.public_key();
 
     let private_key_bytes =
         AsDer::<Pkcs8V1Der>::as_der(&parsed_private_key).expect("serializeable");
-    let public_key_bytes = AsDer::<PublicKeyX509Der>::as_der(&public_key).expect("serializeable");
+    let signing_private_key_bytes =
+        AsDer::<Pkcs8V1Der>::as_der(&signing_priv_key).expect("serializeable");
+    let parsed_public_key_bytes =
+        AsDer::<PublicKeyX509Der>::as_der(&parsed_public_key).expect("serializeable");
+    let parsed_signing_public_key_bytes =
+        AsDer::<PublicKeyX509Der>::as_der(&parsed_signing_public_key).expect("serializeable");
+    let derived_public_key_bytes =
+        AsDer::<PublicKeyX509Der>::as_der(&derived_public_key).expect("serializeable");
+    let derived_signing_public_key_bytes =
+        AsDer::<PublicKeyX509Der>::as_der(derived_signing_public_key).expect("serializeable");
 
     assert_eq!(PRIVATE_KEY, private_key_bytes.as_ref());
-    assert_eq!(PUBLIC_KEY, public_key_bytes.as_ref());
+    assert_eq!(PRIVATE_KEY, signing_private_key_bytes.as_ref());
+    assert_eq!(PUBLIC_KEY, parsed_public_key_bytes.as_ref());
+    assert_eq!(PUBLIC_KEY, parsed_signing_public_key_bytes.as_ref());
+    assert_eq!(PUBLIC_KEY, derived_public_key_bytes.as_ref());
+    assert_eq!(PUBLIC_KEY, derived_signing_public_key_bytes.as_ref());
 
     let oaep_parsed_private =
         OaepPrivateDecryptingKey::new(parsed_private_key.clone()).expect("supported key");