Support SEC1-format EC keys via PKCS8 conversion

rustls/src/sign.rs

@@ -1,7 +1,9 @@
 use crate::error::Error;
 use crate::key;
 use crate::msgs::enums::{SignatureAlgorithm, SignatureScheme};
+use crate::x509::{wrap_in_asn1_len, wrap_in_sequence};
 
+use ring::io::der;
 use ring::signature::{self, EcdsaKeyPair, Ed25519KeyPair, RsaKeyPair};
 
 use std::convert::TryFrom;
@@ -133,6 +135,9 @@ pub fn any_supported_type(der: &key::PrivateKey) -> Result<Arc<dyn SigningKey>,
 }
 
 /// Parse `der` as any ECDSA key type, returning the first which works.
+///
+/// Both SEC1 (PEM section starting with 'BEGIN EC PRIVATE KEY') and PKCS8
+/// (PEM section starting with 'BEGIN PRIVATE KEY') encodings are supported.
 pub fn any_ecdsa_type(der: &key::PrivateKey) -> Result<Arc<dyn SigningKey>, SignError> {
     if let Ok(ecdsa_p256) = EcdsaSigningKey::new(
         der,
@@ -270,22 +275,72 @@ struct EcdsaSigningKey {
 }
 
 impl EcdsaSigningKey {
-    /// Make a new `ECDSASigningKey` from a DER encoding in PKCS#8 format,
-    /// expecting a key usable with precisely the given signature scheme.
+    /// Make a new `ECDSASigningKey` from a DER encoding in PKCS#8 or SEC1
+    /// format, expecting a key usable with precisely the given signature
+    /// scheme.
     fn new(
         der: &key::PrivateKey,
         scheme: SignatureScheme,
         sigalg: &'static signature::EcdsaSigningAlgorithm,
     ) -> Result<Self, ()> {
         EcdsaKeyPair::from_pkcs8(sigalg, &der.0)
+            .map_err(|_| ())
+            .or_else(|_| Self::convert_sec1_to_pkcs8(scheme, sigalg, &der.0))
             .map(|kp| Self {
                 key: Arc::new(kp),
                 scheme,
             })
-            .map_err(|_| ())
+    }
+
+    /// Convert a SEC1 encoding to PKCS8, and ask ring to parse it.  This
+    /// can be removed once https://github.com/briansmith/ring/pull/1456
+    /// (or equivalent) is landed.
+    fn convert_sec1_to_pkcs8(
+        scheme: SignatureScheme,
+        sigalg: &'static signature::EcdsaSigningAlgorithm,
+        maybe_sec1_der: &[u8],
+    ) -> Result<EcdsaKeyPair, ()> {
+        let pkcs8_prefix = match scheme {
+            SignatureScheme::ECDSA_NISTP256_SHA256 => &PKCS8_PREFIX_ECDSA_NISTP256,
+            SignatureScheme::ECDSA_NISTP384_SHA384 => &PKCS8_PREFIX_ECDSA_NISTP384,
+            _ => unreachable!(), // all callers are in this file
+        };
+
+        // wrap sec1 encoding in an OCTET STRING
+        let mut sec1_wrap = Vec::with_capacity(maybe_sec1_der.len() + 8);
+        sec1_wrap.extend_from_slice(maybe_sec1_der);
+        wrap_in_asn1_len(&mut sec1_wrap);
+        sec1_wrap.insert(0, der::Tag::OctetString as u8);
+
+        let mut pkcs8 = Vec::with_capacity(pkcs8_prefix.len() + sec1_wrap.len() + 4);
+        pkcs8.extend_from_slice(pkcs8_prefix);
+        pkcs8.extend_from_slice(&sec1_wrap);
+        wrap_in_sequence(&mut pkcs8);
+
+        EcdsaKeyPair::from_pkcs8(sigalg, &pkcs8).map_err(|_| ())
     }
 }
 
+// This is (line-by-line):
+// - INTEGER Version = 0
+// - SEQUENCE (privateKeyAlgorithm)
+//   - id-ecPublicKey OID
+//   - prime256v1 OID
+const PKCS8_PREFIX_ECDSA_NISTP256: &[u8] = b"\x02\x01\x00\
+      \x30\x13\
+      \x06\x07\x2a\x86\x48\xce\x3d\x02\x01\
+      \x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07";
+
+// This is (line-by-line):
+// - INTEGER Version = 0
+// - SEQUENCE (privateKeyAlgorithm)
+//   - id-ecPublicKey OID
+//   - secp384r1 OID
+const PKCS8_PREFIX_ECDSA_NISTP384: &[u8] = b"\x02\x01\x00\
+     \x30\x10\
+     \x06\x07\x2a\x86\x48\xce\x3d\x02\x01\
+     \x06\x05\x2b\x81\x04\x00\x22";
+
 impl SigningKey for EcdsaSigningKey {
     fn choose_scheme(&self, offered: &[SignatureScheme]) -> Option<Box<dyn Signer>> {
         if offered.contains(&self.scheme) {
@@ -409,3 +464,59 @@ impl fmt::Display for SignError {
 }
 
 impl StdError for SignError {}
+
+#[test]
+fn can_load_ecdsa_nistp256_pkcs8() {
+    let key = key::PrivateKey(include_bytes!("testdata/nistp256key.pkcs8.der").to_vec());
+    assert!(any_supported_type(&key).is_ok());
+    assert!(any_ecdsa_type(&key).is_ok());
+    assert!(any_eddsa_type(&key).is_err());
+}
+
+#[test]
+fn can_load_ecdsa_nistp256_sec1() {
+    let key = key::PrivateKey(include_bytes!("testdata/nistp256key.der").to_vec());
+    assert!(any_supported_type(&key).is_ok());
+    assert!(any_ecdsa_type(&key).is_ok());
+    assert!(any_eddsa_type(&key).is_err());
+}
+
+#[test]
+fn can_load_ecdsa_nistp384_pkcs8() {
+    let key = key::PrivateKey(include_bytes!("testdata/nistp384key.pkcs8.der").to_vec());
+    assert!(any_supported_type(&key).is_ok());
+    assert!(any_ecdsa_type(&key).is_ok());
+    assert!(any_eddsa_type(&key).is_err());
+}
+
+#[test]
+fn can_load_ecdsa_nistp384_sec1() {
+    let key = key::PrivateKey(include_bytes!("testdata/nistp384key.der").to_vec());
+    assert!(any_supported_type(&key).is_ok());
+    assert!(any_ecdsa_type(&key).is_ok());
+    assert!(any_eddsa_type(&key).is_err());
+}
+
+#[test]
+fn can_load_eddsa_pkcs8() {
+    let key = key::PrivateKey(include_bytes!("testdata/eddsakey.der").to_vec());
+    assert!(any_supported_type(&key).is_ok());
+    assert!(any_eddsa_type(&key).is_ok());
+    assert!(any_ecdsa_type(&key).is_err());
+}
+
+#[test]
+fn can_load_rsa2048_pkcs8() {
+    let key = key::PrivateKey(include_bytes!("testdata/rsa2048key.pkcs8.der").to_vec());
+    assert!(any_supported_type(&key).is_ok());
+    assert!(any_eddsa_type(&key).is_err());
+    assert!(any_ecdsa_type(&key).is_err());
+}
+
+#[test]
+fn can_load_rsa2048_pkcs1() {
+    let key = key::PrivateKey(include_bytes!("testdata/rsa2048key.pkcs1.der").to_vec());
+    assert!(any_supported_type(&key).is_ok());
+    assert!(any_eddsa_type(&key).is_err());
+    assert!(any_ecdsa_type(&key).is_err());
+}

rustls/src/x509.rs

@@ -2,7 +2,7 @@
 
 use ring::io::der;
 
-fn wrap_in_asn1_len(bytes: &mut Vec<u8>) {
+pub(crate) fn wrap_in_asn1_len(bytes: &mut Vec<u8>) {
     let len = bytes.len();
 
     if len <= 0x7f {