RSA Key Generation and OAEP Support

aws-lc-rs/src/cbb.rs

@@ -7,6 +7,14 @@ use std::mem::MaybeUninit;
 pub(crate) struct LcCBB(CBB);
 
 impl LcCBB {
+    pub(crate) fn new(initial_capacity: usize) -> LcCBB {
+        let mut cbb = MaybeUninit::<CBB>::uninit();
+        unsafe {
+            CBB_init(cbb.as_mut_ptr(), initial_capacity);
+        }
+        Self(unsafe { cbb.assume_init() })
+    }
+
     pub(crate) fn as_mut_ptr(&mut self) -> *mut CBB {
         &mut self.0
     }
@@ -19,11 +27,3 @@ impl Drop for LcCBB {
         }
     }
 }
-
-#[inline]
-#[allow(non_snake_case)]
-pub(crate) unsafe fn build_CBB(initial_capacity: usize) -> LcCBB {
-    let mut cbb = MaybeUninit::<CBB>::uninit();
-    CBB_init(cbb.as_mut_ptr(), initial_capacity);
-    LcCBB(cbb.assume_init())
-}

aws-lc-rs/src/evp_pkey.rs

@@ -1,17 +1,17 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0 OR ISC
 
+use crate::cbb::LcCBB;
+use crate::cbs;
 use crate::ec::PKCS8_DOCUMENT_MAX_LEN;
 use crate::error::{KeyRejected, Unspecified};
 use crate::pkcs8::{Document, Version};
 use crate::ptr::LcPtr;
-use crate::{cbb, cbs};
 use aws_lc::{
     CBB_finish, EVP_PKEY_bits, EVP_PKEY_get1_EC_KEY, EVP_PKEY_get1_RSA, EVP_PKEY_id,
     EVP_marshal_private_key, EVP_marshal_private_key_v2, EVP_parse_private_key, EC_KEY, EVP_PKEY,
     RSA,
 };
-use std::mem::MaybeUninit;
 use std::os::raw::c_int;
 use std::ptr::null_mut;
 
@@ -85,38 +85,30 @@ impl LcPtr<EVP_PKEY> {
     }
 
     pub(crate) fn marshall_private_key(&self, version: Version) -> Result<Document, Unspecified> {
-        unsafe {
-            let mut cbb = cbb::build_CBB(PKCS8_DOCUMENT_MAX_LEN);
+        let mut cbb = LcCBB::new(PKCS8_DOCUMENT_MAX_LEN);
 
-            match version {
-                Version::V1 => {
-                    if 1 != EVP_marshal_private_key(cbb.as_mut_ptr(), **self) {
-                        return Err(Unspecified);
-                    }
+        match version {
+            Version::V1 => {
+                if 1 != unsafe { EVP_marshal_private_key(cbb.as_mut_ptr(), **self) } {
+                    return Err(Unspecified);
                 }
-                Version::V2 => {
-                    if 1 != EVP_marshal_private_key_v2(cbb.as_mut_ptr(), **self) {
-                        return Err(Unspecified);
-                    }
+            }
+            Version::V2 => {
+                if 1 != unsafe { EVP_marshal_private_key_v2(cbb.as_mut_ptr(), **self) } {
+                    return Err(Unspecified);
                 }
             }
+        }
 
-            let mut pkcs8_bytes_ptr = null_mut::<u8>();
-            let mut out_len = MaybeUninit::<usize>::uninit();
-            if 1 != CBB_finish(cbb.as_mut_ptr(), &mut pkcs8_bytes_ptr, out_len.as_mut_ptr()) {
-                return Err(Unspecified);
-            }
-            let pkcs8_bytes_ptr = LcPtr::new(pkcs8_bytes_ptr)?;
-            let out_len = out_len.assume_init();
+        let mut pkcs8_bytes_ptr = null_mut::<u8>();
+        let mut out_len: usize = 0;
+        if 1 != unsafe { CBB_finish(cbb.as_mut_ptr(), &mut pkcs8_bytes_ptr, &mut out_len) } {
+            return Err(Unspecified);
+        }
 
-            let bytes_slice = pkcs8_bytes_ptr.as_slice(out_len);
-            let mut pkcs8_bytes = [0u8; PKCS8_DOCUMENT_MAX_LEN];
-            pkcs8_bytes[0..out_len].copy_from_slice(bytes_slice);
+        let pkcs8_bytes_ptr = LcPtr::new(pkcs8_bytes_ptr)?;
+        let bytes = Vec::from(unsafe { pkcs8_bytes_ptr.as_slice(out_len) }).into_boxed_slice();
 
-            Ok(Document {
-                bytes: pkcs8_bytes,
-                len: out_len,
-            })
-        }
+        Ok(Document::new(bytes))
     }
 }

aws-lc-rs/src/pkcs8.rs

@@ -7,25 +7,29 @@
 //!
 //! [RFC 5208]: https://tools.ietf.org/html/rfc5208.
 
-use crate::ec;
 use zeroize::Zeroize;
 
 /// A generated PKCS#8 document.
 pub struct Document {
-    pub(crate) bytes: [u8; ec::PKCS8_DOCUMENT_MAX_LEN],
-    pub(crate) len: usize,
+    bytes: Box<[u8]>,
+}
+
+impl Document {
+    pub(crate) fn new(bytes: Box<[u8]>) -> Self {
+        Self { bytes }
+    }
 }
 
 impl AsRef<[u8]> for Document {
     #[inline]
     fn as_ref(&self) -> &[u8] {
-        &self.bytes[..self.len]
+        &self.bytes
     }
 }
 
 impl Drop for Document {
     fn drop(&mut self) {
-        self.bytes.zeroize();
+        self.bytes.as_mut().zeroize();
     }
 }
 

aws-lc-rs/src/ptr.rs

@@ -40,6 +40,11 @@ impl<P: Pointer> ManagedPointer<P> {
     pub unsafe fn as_slice(&self, len: usize) -> &[P::T] {
         std::slice::from_raw_parts(self.pointer.as_const_ptr(), len)
     }
+
+    #[allow(clippy::mut_from_ref)]
+    pub unsafe fn as_slice_mut(&self, len: usize) -> &mut [P::T] {
+        std::slice::from_raw_parts_mut(self.pointer.as_mut_ptr(), len)
+    }
 }
 
 impl<P: Pointer> Drop for ManagedPointer<P> {
@@ -160,6 +165,7 @@ pub(crate) trait Pointer {
 
     fn free(&mut self);
     fn as_const_ptr(&self) -> *const Self::T;
+    fn as_mut_ptr(&self) -> *mut Self::T;
 }
 
 pub(crate) trait IntoPointer<P> {
@@ -190,9 +196,15 @@ macro_rules! create_pointer {
                 }
             }
 
+            #[inline]
             fn as_const_ptr(&self) -> *const Self::T {
                 self.cast()
             }
+
+            #[inline]
+            fn as_mut_ptr(&self) -> *mut Self::T {
+                *self
+            }
         }
     };
 }

aws-lc-rs/src/rsa.rs

@@ -11,11 +11,18 @@
 // components.
 
 pub(crate) mod key;
+mod oaep;
 pub(crate) mod signature;
 
-pub use self::key::{KeyPair, PublicKey, PublicKeyComponents};
 #[allow(clippy::module_name_repetitions)]
 pub use self::signature::RsaParameters;
+pub use self::{
+    key::{KeyPair, PublicKey, PublicKeyComponents},
+    oaep::{
+        EncryptionAlgorithm, EncryptionAlgorithmId, PrivateDecryptingKey, PublicEncryptingKey,
+        OAEP_SHA1_MGF1SHA1, OAEP_SHA256_MGF1SHA256, OAEP_SHA384_MGF1SHA384, OAEP_SHA512_MGF1SHA512,
+    },
+};
 
 pub(crate) use self::signature::RsaVerificationAlgorithmId;