blob: 3e3b8b66587f25722ffb938f2c3fdb0461f289e7 [file] [log] [blame]
//! Cryptographic structures and functions.
use data_encoding::HEXLOWER;
use ring;
use ring::digest::{self, SHA256};
use ring::rand::SystemRandom;
use ring::signature::{RSAKeyPair, RSASigningState, Ed25519KeyPair, ED25519,
RSA_PSS_2048_8192_SHA256, RSA_PSS_2048_8192_SHA512, RSA_PSS_SHA256,
use serde::de::{Deserialize, Deserializer, Error as DeserializeError};
use serde::ser::{Serialize, Serializer, SerializeTupleStruct, Error as SerializeError};
use std::collections::HashMap;
use std::fmt::{self, Debug, Display};
use std::str::FromStr;
use std::sync::Arc;
use untrusted::Input;
use Result;
use error::Error;
use rsa;
use shims;
static HASH_ALG_PREFS: &'static [HashAlgorithm] = &[HashAlgorithm::Sha512, HashAlgorithm::Sha256];
/// Given a map of hash algorithms and their values, get the prefered algorithm and the hash
/// calculated by it. Returns an `Err` if there is no match.
/// ```
/// use std::collections::HashMap;
/// use tuf::crypto::{hash_preference, HashValue, HashAlgorithm};
/// let mut map = HashMap::new();
/// assert!(hash_preference(&map).is_err());
/// let _ = map.insert(HashAlgorithm::Sha512, HashValue::from_hex("abcd").unwrap());
/// assert_eq!(hash_preference(&map).unwrap().0, &HashAlgorithm::Sha512);
/// let _ = map.insert(HashAlgorithm::Sha256, HashValue::from_hex("0123").unwrap());
/// assert_eq!(hash_preference(&map).unwrap().0, &HashAlgorithm::Sha512);
/// ```
pub fn hash_preference<'a>(
hashes: &'a HashMap<HashAlgorithm, HashValue>,
) -> Result<(&'static HashAlgorithm, &'a HashValue)> {
for alg in HASH_ALG_PREFS {
match hashes.get(alg) {
Some(v) => return Ok((alg, v)),
None => continue,
/// Calculate the given key's ID.
/// A `KeyId` is calculated as `sha256(public_key_bytes)`. The TUF spec says that it should be
/// `sha256(cjson(encoded(public_key_bytes)))`, but this is meaningless once the spec moves away
/// from using only JSON as the data interchange format.
pub fn calculate_key_id(public_key: &PublicKeyValue) -> KeyId {
let mut context = digest::Context::new(&SHA256);
/// Wrapper type for public key's ID.
#[derive(Clone, PartialEq, Eq, Hash, PartialOrd, Ord)]
pub struct KeyId(Vec<u8>);
impl KeyId {
/// Parse a key ID from a hex-lower string.
pub fn from_string(string: &str) -> Result<Self> {
if string.len() != 64 {
return Err(Error::IllegalArgument(
"Hex key ID must be 64 characters long".into(),
impl Debug for KeyId {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
write!(f, "KeyId {{ \"{}\" }}", HEXLOWER.encode(&self.0))
impl Serialize for KeyId {
fn serialize<S>(&self, ser: S) -> ::std::result::Result<S::Ok, S::Error>
S: Serializer,
let mut s = ser.serialize_tuple_struct("KeyId", 1)?;
impl<'de> Deserialize<'de> for KeyId {
fn deserialize<D: Deserializer<'de>>(de: D) -> ::std::result::Result<Self, D::Error> {
let string: String = Deserialize::deserialize(de)?;
KeyId::from_string(&string).map_err(|e| DeserializeError::custom(format!("{:?}", e)))
/// Cryptographic signature schemes.
#[derive(Debug, PartialEq)]
pub enum SignatureScheme {
/// [Ed25519](
/// [RSASSA-PSS]( calculated over SHA256
/// [RSASSA-PSS]( calculated over SHA512
impl ToString for SignatureScheme {
fn to_string(&self) -> String {
match self {
&SignatureScheme::Ed25519 => "ed25519",
&SignatureScheme::RsaSsaPssSha256 => "rsassa-pss-sha256",
&SignatureScheme::RsaSsaPssSha512 => "rsassa-pss-sha512",
impl FromStr for SignatureScheme {
type Err = Error;
fn from_str(s: &str) -> ::std::result::Result<Self, Self::Err> {
match s {
"ed25519" => Ok(SignatureScheme::Ed25519),
"rsassa-pss-sha256" => Ok(SignatureScheme::RsaSsaPssSha256),
"rsassa-pss-sha512" => Ok(SignatureScheme::RsaSsaPssSha512),
typ => Err(Error::Encoding(typ.into())),
impl Serialize for SignatureScheme {
fn serialize<S>(&self, ser: S) -> ::std::result::Result<S::Ok, S::Error>
S: Serializer,
impl<'de> Deserialize<'de> for SignatureScheme {
fn deserialize<D: Deserializer<'de>>(de: D) -> ::std::result::Result<Self, D::Error> {
let string: String = Deserialize::deserialize(de)?;
/// Wrapper type for the value of a cryptographic signature.
pub struct SignatureValue(Vec<u8>);
impl SignatureValue {
/// Create a new `SignatureValue` from the given bytes.
pub fn new(bytes: Vec<u8>) -> Self {
/// Create a new `SignatureValue` from the given hex-lower string.
pub fn from_string(string: &str) -> Result<Self> {
impl Debug for SignatureValue {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
write!(f, "SignatureValue {{ \"{}\" }}", HEXLOWER.encode(&self.0))
impl Serialize for SignatureValue {
fn serialize<S>(&self, ser: S) -> ::std::result::Result<S::Ok, S::Error>
S: Serializer,
let mut s = ser.serialize_tuple_struct("SignatureValue", 1)?;
impl<'de> Deserialize<'de> for SignatureValue {
fn deserialize<D: Deserializer<'de>>(de: D) -> ::std::result::Result<Self, D::Error> {
let string: String = Deserialize::deserialize(de)?;
SignatureValue::from_string(&string).map_err(|e| {
DeserializeError::custom(format!("Signature value was not valid hex lower: {:?}", e))
/// Types of public keys.
#[derive(Clone, PartialEq, Debug)]
pub enum KeyType {
/// [Ed25519](
/// [RSA](
impl FromStr for KeyType {
type Err = Error;
fn from_str(s: &str) -> ::std::result::Result<Self, Self::Err> {
match s {
"ed25519" => Ok(KeyType::Ed25519),
"rsa" => Ok(KeyType::Rsa),
typ => Err(Error::Encoding(typ.into())),
impl ToString for KeyType {
fn to_string(&self) -> String {
match self {
&KeyType::Ed25519 => "ed25519",
&KeyType::Rsa => "rsa",
impl Serialize for KeyType {
fn serialize<S>(&self, ser: S) -> ::std::result::Result<S::Ok, S::Error>
S: Serializer,
impl<'de> Deserialize<'de> for KeyType {
fn deserialize<D: Deserializer<'de>>(de: D) -> ::std::result::Result<Self, D::Error> {
let string: String = Deserialize::deserialize(de)?;
enum PrivateKeyType {
impl Debug for PrivateKeyType {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
let s = match self {
&PrivateKeyType::Ed25519(_) => "ed25519",
&PrivateKeyType::Rsa(_) => "rsa",
write!(f, "PrivateKeyType {{ \"{}\" }}", s)
/// A structure containing information about a public key.
pub struct PrivateKey {
private: PrivateKeyType,
impl PrivateKey {
/// Create an Ed25519 private key from PKCS#8v2 DER bytes.
pub fn ed25519_from_pkcs8(der_key: &[u8]) -> Result<Self> {
let key = Ed25519KeyPair::from_pkcs8(Input::from(der_key)).map_err(
|_| {
Error::Encoding("Could not parse key as PKCS#8v2".into())
Ok(PrivateKey { private: PrivateKeyType::Ed25519(key) })
/// Create an RSA private key from PKCS#8v2 DER bytes.
pub fn rsa_from_pkcs8(der_key: &[u8]) -> Result<Self> {
let key = RSAKeyPair::from_pkcs8(Input::from(der_key)).map_err(|_| {
Error::Encoding("Could not parse key as PKCS#8v2".into())
Ok(PrivateKey { private: PrivateKeyType::Rsa(Arc::new(key)) })
/// Sign a message with the given scheme.
pub fn sign(&self, msg: &[u8], scheme: &SignatureScheme) -> Result<SignatureValue> {
match (&self.private, scheme) {
(&PrivateKeyType::Rsa(ref rsa), &SignatureScheme::RsaSsaPssSha256) => {
let mut signing_state = RSASigningState::new(rsa.clone()).map_err(|_| {
Error::Opaque("Could not initialize RSA signing state.".into())
let rng = SystemRandom::new();
let mut buf = vec![0; signing_state.key_pair().public_modulus_len()];
.sign(&RSA_PSS_SHA256, &rng, msg, &mut buf)
.map_err(|_| Error::Opaque("Failed to sign message.".into()))?;
(&PrivateKeyType::Rsa(ref rsa), &SignatureScheme::RsaSsaPssSha512) => {
let mut signing_state = RSASigningState::new(rsa.clone()).map_err(|_| {
Error::Opaque("Could not initialize RSA signing state.".into())
let rng = SystemRandom::new();
let mut buf = vec![0; signing_state.key_pair().public_modulus_len()];
.sign(&RSA_PSS_SHA512, &rng, msg, &mut buf)
.map_err(|_| Error::Opaque("Failed to sign message.".into()))?;
(&PrivateKeyType::Ed25519(ref ed), &SignatureScheme::Ed25519) => {
(k, s) => Err(Error::IllegalArgument(
format!("Key {:?} can't be used with scheme {:?}", k, s),
/// A structure containing information about a public key.
#[derive(Clone, Debug, PartialEq)]
pub struct PublicKey {
typ: KeyType,
format: KeyFormat,
key_id: KeyId,
value: PublicKeyValue,
impl PublicKey {
/// Create a `PublicKey` from an Ed25519 `PublicKeyValue`.
pub fn from_ed25519(value: PublicKeyValue) -> Result<Self> {
if value.value().len() != 32 {
return Err(Error::Encoding(
"Ed25519 public key was not 32 bytes long".into(),
Ok(PublicKey {
typ: KeyType::Ed25519,
format: KeyFormat::HexLower,
key_id: calculate_key_id(&value),
value: value,
/// Create a `PublicKey` from an RSA `PublicKeyValue`, either SPKI or PKCS#1.
pub fn from_rsa(value: PublicKeyValue, format: KeyFormat) -> Result<Self> {
// TODO check n > 2048 bits (but this is ok because `ring` doesn't support less)
let key_id = calculate_key_id(&value);
let pkcs1_value = match format {
KeyFormat::Pkcs1 => {
let bytes = rsa::from_pkcs1(value.value()).ok_or_else(|| {
"Key claimed to be PKCS1 but could not be parsed.".into(),
KeyFormat::Spki => {
let bytes = rsa::from_spki(value.value()).ok_or_else(|| {
Error::IllegalArgument("Key claimed to be SPKI but could not be parsed.".into())
x => {
return Err(Error::IllegalArgument(
format!("RSA keys in format {:?} not supported.", x),
Ok(PublicKey {
typ: KeyType::Rsa,
format: format,
key_id: key_id,
value: pkcs1_value,
/// An immutable reference to the key's type.
pub fn typ(&self) -> &KeyType {
/// An immutable reference to the key's format.
pub fn format(&self) -> &KeyFormat {
/// An immutable reference to the key's ID.
pub fn key_id(&self) -> &KeyId {
/// An immutable reference to the key's public value.
pub fn value(&self) -> &PublicKeyValue {
/// Use this key and the given signature scheme to verify the message again a signature.
pub fn verify(&self, scheme: &SignatureScheme, msg: &[u8], sig: &SignatureValue) -> Result<()> {
let alg: &ring::signature::VerificationAlgorithm = match scheme {
&SignatureScheme::Ed25519 => &ED25519,
&SignatureScheme::RsaSsaPssSha256 => &RSA_PSS_2048_8192_SHA256,
&SignatureScheme::RsaSsaPssSha512 => &RSA_PSS_2048_8192_SHA512,
).map_err(|_: ring::error::Unspecified| Error::BadSignature)
impl Serialize for PublicKey {
fn serialize<S>(&self, ser: S) -> ::std::result::Result<S::Ok, S::Error>
S: Serializer,
.map_err(|e| SerializeError::custom(format!("{:?}", e)))?
impl<'de> Deserialize<'de> for PublicKey {
fn deserialize<D: Deserializer<'de>>(de: D) -> ::std::result::Result<Self, D::Error> {
let intermediate: shims::PublicKey = Deserialize::deserialize(de)?;
intermediate.try_into().map_err(|e| {
DeserializeError::custom(format!("{:?}", e))
/// Wrapper type for a decoded public key.
#[derive(Clone, Debug, PartialEq)]
pub struct PublicKeyValue(Vec<u8>);
impl PublicKeyValue {
/// Create a new `PublicKeyValue` from the given bytes.
pub fn new(bytes: Vec<u8>) -> Self {
/// An immutable reference to the public key's bytes.
pub fn value(&self) -> &[u8] {
/// Possible encoding/decoding formats for a public key.
#[derive(Clone, Debug, PartialEq)]
pub enum KeyFormat {
/// The key should be read/written as hex-lower bytes.
/// The key should be read/written as PKCS#1 PEM.
/// The key should be read/written as SPKI PEM.
/// A structure that contains a `Signature` and associated data for verifying it.
#[derive(Debug, Serialize, Deserialize)]
pub struct Signature {
key_id: KeyId,
scheme: SignatureScheme,
signature: SignatureValue,
impl Signature {
/// An immutable reference to the `KeyId` that produced the signature.
pub fn key_id(&self) -> &KeyId {
/// An immutable reference to the `SignatureScheme` used to create this signature.
pub fn scheme(&self) -> &SignatureScheme {
/// An immutable reference to the `SignatureValue`.
pub fn signature(&self) -> &SignatureValue {
/// The available hash algorithms.
#[derive(Debug, Clone, Hash, PartialEq, Eq, Serialize, Deserialize)]
pub enum HashAlgorithm {
/// SHA256 as describe in [RFC-6234](
#[serde(rename = "sha256")]
/// SHA512 as describe in [RFC-6234](
#[serde(rename = "sha512")]
/// Wrapper for the value of a hash digest.
#[derive(Clone, Eq, PartialEq, Hash, Serialize, Deserialize)]
pub struct HashValue(Vec<u8>);
impl HashValue {
/// Parse a hex-lower string and return a `HashValue`.
/// ```
/// use tuf::crypto::HashValue;
/// assert_eq!(HashValue::from_hex("abcd").unwrap().value(), &[0xab, 0xcd]);
/// ```
pub fn from_hex(s: &str) -> Result<Self> {
/// Create a new `HashValue` from the given digest bytes.
pub fn new(bytes: Vec<u8>) -> Self {
/// An immutable reference to the bytes of the hash value.
pub fn value(&self) -> &[u8] {
impl Debug for HashValue {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
write!(f, "HashValue {{ \"{}\" }}", HEXLOWER.encode(&self.0))
impl Display for HashValue {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
write!(f, "{}", HEXLOWER.encode(&self.0))
mod test {
use super::*;
fn rsa_2048_ead_pkcs8_and_sign() {
let der = include_bytes!("../tests/rsa/rsa-2048-private-key.pk8");
let key = PrivateKey::rsa_from_pkcs8(der.as_ref()).unwrap();
let msg = b"test";
let _ = key.sign(msg, &SignatureScheme::RsaSsaPssSha256).unwrap();
let _ = key.sign(msg, &SignatureScheme::RsaSsaPssSha512).unwrap();
assert!(key.sign(msg, &SignatureScheme::Ed25519).is_err());
fn rsa_4096_read_pkcs8_and_sign() {
let der = include_bytes!("../tests/rsa/rsa-4096-private-key.pk8");
let key = PrivateKey::rsa_from_pkcs8(der.as_ref()).unwrap();
let msg = b"test";
let _ = key.sign(msg, &SignatureScheme::RsaSsaPssSha256).unwrap();
let _ = key.sign(msg, &SignatureScheme::RsaSsaPssSha512).unwrap();
assert!(key.sign(msg, &SignatureScheme::Ed25519).is_err());
fn ed25519_read_pkcs8_and_sign() {
let der = include_bytes!("../tests/ed25519/ed25519-1.pk8");
let key = PrivateKey::ed25519_from_pkcs8(der.as_ref()).unwrap();
let msg = b"test";
let _ = key.sign(msg, &SignatureScheme::Ed25519).unwrap();
assert!(key.sign(msg, &SignatureScheme::RsaSsaPssSha256).is_err());
assert!(key.sign(msg, &SignatureScheme::RsaSsaPssSha512).is_err());