Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cleanup EVP_PKEY serialization #669

Merged
merged 14 commits into from
Feb 1, 2025
Merged

Cleanup EVP_PKEY serialization #669

merged 14 commits into from
Feb 1, 2025

Conversation

justsmth
Copy link
Contributor

@justsmth justsmth commented Jan 22, 2025
edited
Loading

Description of changes:

  • Remove duplicated logic around usage of EVP_marshal_private_key, EVP_parse_private_key, EVP_marshal_public_key and EVP_parse_public_key.
  • Change all usage of EC_GROUP* to const.
  • Consolidate EC SEC1 and RFC 5915 parsing/marshaling into ec:encoding module.

Call-outs:

N/A

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@codecov-commenter
Copy link

codecov-commenter commented Jan 22, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 75.71429% with 102 lines in your changes missing coverage. Please review.

Project coverage is 92.87%. Comparing base (c358484) to head (10c07e9).
Report is 158 commits behind head on main.

Files with missing lines Patch % Lines
aws-lc-rs/src/ec/encoding.rs 80.32% 14 Missing and 22 partials ⚠️
aws-lc-rs/src/agreement.rs 43.33% 4 Missing and 13 partials ⚠️
aws-lc-rs/src/ed25519.rs 29.41% 0 Missing and 12 partials ⚠️
aws-lc-rs/src/evp_pkey.rs 90.75% 8 Missing and 3 partials ⚠️
aws-lc-rs/src/ec/key_pair.rs 33.33% 1 Missing and 7 partials ⚠️
aws-lc-rs/src/ec/signature.rs 33.33% 0 Missing and 4 partials ⚠️
aws-lc-rs/src/rsa/key.rs 60.00% 0 Missing and 4 partials ⚠️
aws-lc-rs/src/ec.rs 70.00% 3 Missing ⚠️
aws-lc-rs/src/rsa/encoding.rs 50.00% 0 Missing and 2 partials ⚠️
aws-lc-rs/src/rsa/encryption.rs 77.77% 0 Missing and 2 partials ⚠️
... and 3 more
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #669      +/-   ##
==========================================
- Coverage   95.80%   92.87%   -2.93%     
==========================================
  Files          61       69       +8     
  Lines        8143     9539    +1396     
  Branches        0     9539    +9539     
==========================================
+ Hits         7801     8859    +1058     
- Misses        342      399      +57     
- Partials        0      281     +281

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@justsmth justsmth force-pushed the cleanup-serialization branch 3 times, most recently from d22622c to eca53dc Compare January 23, 2025 19:36
@justsmth justsmth changed the title [DRAFT} Cleanup EVP_PKEY serialization [DRAFT] Cleanup EVP_PKEY serialization Jan 23, 2025
@justsmth justsmth changed the title [DRAFT] Cleanup EVP_PKEY serialization Cleanup EVP_PKEY serialization Jan 23, 2025
@justsmth justsmth marked this pull request as ready for review January 23, 2025 19:45
@justsmth justsmth requested a review from a team as a code owner January 23, 2025 19:45
@justsmth justsmth force-pushed the cleanup-serialization branch from eca53dc to 7141306 Compare January 24, 2025 16:36
@justsmth justsmth requested a review from skmcgrail January 24, 2025 22:06
skmcgrail
skmcgrail reviewed Jan 27, 2025
View reviewed changes
aws-lc-rs/src/ec/key_pair.rs Outdated Show resolved Hide resolved
aws-lc-rs/src/ec/key_pair.rs Outdated Show resolved Hide resolved
aws-lc-rs/src/evp_pkey.rs Outdated Show resolved Hide resolved
skmcgrail
skmcgrail previously approved these changes Jan 27, 2025
View reviewed changes
@justsmth justsmth force-pushed the cleanup-serialization branch from 10c07e9 to e52f8ee Compare January 28, 2025 22:06
@justsmth justsmth requested a review from skmcgrail January 28, 2025 22:06
@justsmth justsmth mentioned this pull request Jan 31, 2025
Closed
samuel40791765
samuel40791765 approved these changes Feb 1, 2025
View reviewed changes
Copy link
Contributor

@samuel40791765 samuel40791765 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a minor non-blocking comment about placing the encoding functions in the same file/module, but awesome change overall.

aws-lc-rs/src/evp_pkey.rs
Comment on lines +91 to 153
pub(crate) fn marshal_rfc5280_public_key(&self) -> Result<Vec<u8>, Unspecified> {
// Data shows that the SubjectPublicKeyInfo is roughly 356% to 375% increase in size compared to the RSA key
// size in bytes for keys ranging from 2048-bit to 4096-bit. So size the initial capacity to be roughly
// 500% as a conservative estimate to avoid needing to reallocate for any key in that range.
let mut cbb = LcCBB::new(self.key_size_bytes() * 5);
if 1 != unsafe { EVP_marshal_public_key(cbb.as_mut_ptr(), *self.as_const()) } {
return Err(Unspecified);
};
cbb.into_vec()
}

let out_len = {
let mut cbb = LcCBB::new_fixed(<&mut [u8; PKCS8_DOCUMENT_MAX_LEN]>::try_from(
buffer.as_mut_slice(),
)?);
pub(crate) fn parse_rfc5280_public_key(
bytes: &[u8],
evp_pkey_type: c_int,
) -> Result<Self, KeyRejected> {
let mut cbs = cbs::build_CBS(bytes);
// Also checks the validity of the key
let evp_pkey = LcPtr::new(unsafe { EVP_parse_public_key(&mut cbs) })
.map_err(|()| KeyRejected::invalid_encoding())?;
evp_pkey
.id()
.eq(&evp_pkey_type)
.then_some(evp_pkey)
.ok_or(KeyRejected::wrong_algorithm())
}

match version {
Version::V1 => {
if 1 != unsafe { EVP_marshal_private_key(cbb.as_mut_ptr(), *self.as_const()) } {
return Err(Unspecified);
}
pub(crate) fn marshal_rfc5208_private_key(
&self,
version: Version,
) -> Result<Vec<u8>, Unspecified> {
let key_size_bytes = TryInto::<usize>::try_into(unsafe { EVP_PKEY_bits(*self.as_const()) })
.expect("fit in usize")
/ 8;
let mut cbb = LcCBB::new(key_size_bytes * 5);
match version {
Version::V1 => {
if 1 != unsafe { EVP_marshal_private_key(cbb.as_mut_ptr(), *self.as_const()) } {
return Err(Unspecified);
}
Version::V2 => {
if 1 != unsafe {
EVP_marshal_private_key_v2(cbb.as_mut_ptr(), *self.as_const())
} {
return Err(Unspecified);
}
}
Version::V2 => {
if 1 != unsafe { EVP_marshal_private_key_v2(cbb.as_mut_ptr(), *self.as_const()) } {
return Err(Unspecified);
}
}
cbb.finish()?
};

buffer.truncate(out_len);
}
cbb.into_vec()
}

Ok(buffer.into_boxed_slice())
pub(crate) fn parse_rfc5208_private_key(
bytes: &[u8],
evp_pkey_type: c_int,
) -> Result<Self, KeyRejected> {
let mut cbs = cbs::build_CBS(bytes);
// Also checks the validity of the key
let evp_pkey = LcPtr::new(unsafe { EVP_parse_private_key(&mut cbs) })
.map_err(|()| KeyRejected::invalid_encoding())?;
evp_pkey
.id()
.eq(&evp_pkey_type)
.then_some(evp_pkey)
.ok_or(KeyRejected::wrong_algorithm())
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we consider following the same pattern as mod sec and mod rfc5915 and move these functions to another mod rfc5208 in encoding.rs? It seems like they belong in the same realm at first glance, but I do see how this makes things handy for EVP_PKEY.

@justsmth justsmth merged commit 82c61a7 into aws:main Feb 1, 2025
258 of 263 checks passed
@justsmth justsmth deleted the cleanup-serialization branch February 1, 2025 05:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@skmcgrail skmcgrail skmcgrail approved these changes

@samuel40791765 samuel40791765 samuel40791765 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@justsmth @codecov-commenter @skmcgrail @samuel40791765