spki: make SubjectPublicKeyInfo own the public key (#790)

Co-authored-by: Tony Arcieri <[email protected]>

Author: baloo

pkcs1/src/traits.rs

@@ -16,7 +16,10 @@ use {
 };
 
 #[cfg(feature = "pkcs8")]
-use crate::{ALGORITHM_ID, ALGORITHM_OID};
+use {
+    crate::{ALGORITHM_ID, ALGORITHM_OID},
+    der::asn1::BitStringRef,
+};
 
 #[cfg(feature = "std")]
 use std::path::Path;
@@ -186,12 +189,12 @@ where
 #[cfg_attr(docsrs, doc(cfg(feature = "pkcs8")))]
 impl<T: pkcs8::DecodePublicKey> DecodeRsaPublicKey for T
 where
-    T: for<'a> TryFrom<pkcs8::SubjectPublicKeyInfo<'a>, Error = pkcs8::Error>,
+    T: for<'a> TryFrom<pkcs8::SubjectPublicKeyInfoRef<'a>, Error = pkcs8::Error>,
 {
     fn from_pkcs1_der(public_key: &[u8]) -> Result<Self> {
-        Ok(Self::try_from(pkcs8::SubjectPublicKeyInfo {
+        Ok(Self::try_from(pkcs8::SubjectPublicKeyInfoRef {
             algorithm: ALGORITHM_ID,
-            subject_public_key: public_key,
+            subject_public_key: BitStringRef::from_bytes(public_key)?,
         })?)
     }
 }
@@ -212,8 +215,8 @@ impl<T: pkcs8::EncodePrivateKey> EncodeRsaPrivateKey for T {
 impl<T: pkcs8::EncodePublicKey> EncodeRsaPublicKey for T {
     fn to_pkcs1_der(&self) -> Result<Document> {
         let doc = self.to_public_key_der()?;
-        let spki = pkcs8::SubjectPublicKeyInfo::from_der(doc.as_bytes())?;
+        let spki = pkcs8::SubjectPublicKeyInfoRef::from_der(doc.as_bytes())?;
         spki.algorithm.assert_algorithm_oid(ALGORITHM_OID)?;
-        RsaPublicKey::from_der(spki.subject_public_key)?.try_into()
+        RsaPublicKey::from_der(spki.subject_public_key.raw_bytes())?.try_into()
     }
 }

pkcs8/src/lib.rs

@@ -83,7 +83,9 @@ pub use crate::{
     version::Version,
 };
 pub use der::{self, asn1::ObjectIdentifier, oid::AssociatedOid};
-pub use spki::{self, AlgorithmIdentifierRef, DecodePublicKey, SubjectPublicKeyInfo};
+pub use spki::{
+    self, AlgorithmIdentifierRef, DecodePublicKey, SubjectPublicKeyInfo, SubjectPublicKeyInfoRef,
+};
 
 #[cfg(feature = "alloc")]
 #[cfg_attr(docsrs, doc(cfg(feature = "alloc")))]

spki/src/lib.rs

@@ -43,13 +43,16 @@ mod fingerprint;
 pub use crate::{
     algorithm::{AlgorithmIdentifier, AlgorithmIdentifierRef},
     error::{Error, Result},
-    spki::SubjectPublicKeyInfo,
+    spki::{SubjectPublicKeyInfo, SubjectPublicKeyInfoRef},
     traits::DecodePublicKey,
 };
 pub use der::{self, asn1::ObjectIdentifier};
 
 #[cfg(feature = "alloc")]
-pub use {crate::traits::EncodePublicKey, der::Document};
+pub use {
+    crate::{spki::SubjectPublicKeyInfoOwned, traits::EncodePublicKey},
+    der::Document,
+};
 
 #[cfg(feature = "fingerprint")]
 pub use crate::fingerprint::FingerprintBytes;

spki/src/spki.rs

@@ -1,22 +1,30 @@
 //! X.509 `SubjectPublicKeyInfo`
 
-use crate::{AlgorithmIdentifierRef, Error, Result};
+use crate::{AlgorithmIdentifier, Error, Result};
 use core::cmp::Ordering;
 use der::{
-    asn1::BitStringRef, Decode, DecodeValue, DerOrd, Encode, Header, Reader, Sequence, ValueOrd,
+    asn1::{AnyRef, BitStringRef},
+    Choice, Decode, DecodeValue, DerOrd, Encode, FixedTag, Header, Reader, Sequence, ValueOrd,
 };
 
 #[cfg(feature = "alloc")]
-use der::Document;
+use der::{
+    asn1::{Any, BitString},
+    Document,
+};
 
 #[cfg(feature = "fingerprint")]
 use crate::{fingerprint, FingerprintBytes};
 
 #[cfg(feature = "pem")]
 use der::pem::PemLabel;
 
-#[cfg(doc)]
-use crate::AlgorithmIdentifier;
+/// [`SubjectPublicKeyInfo`] with [`AnyRef`] algorithm parameters, and [`BitStringRef`] params.
+pub type SubjectPublicKeyInfoRef<'a> = SubjectPublicKeyInfo<AnyRef<'a>, BitStringRef<'a>>;
+
+/// [`SubjectPublicKeyInfo`] with [`Any`] algorithm parameters, and [`BitString`] params.
+#[cfg(feature = "alloc")]
+pub type SubjectPublicKeyInfoOwned = SubjectPublicKeyInfo<Any, BitString>;
 
 /// X.509 `SubjectPublicKeyInfo` (SPKI) as defined in [RFC 5280 § 4.1.2.7].
 ///
@@ -30,16 +38,22 @@ use crate::AlgorithmIdentifier;
 /// ```
 ///
 /// [RFC 5280 § 4.1.2.7]: https://tools.ietf.org/html/rfc5280#section-4.1.2.7
-#[derive(Copy, Clone, Debug, Eq, PartialEq)]
-pub struct SubjectPublicKeyInfo<'a> {
+#[derive(Clone, Debug, Eq, PartialEq)]
+pub struct SubjectPublicKeyInfo<Params, Key> {
     /// X.509 [`AlgorithmIdentifier`] for the public key type
-    pub algorithm: AlgorithmIdentifierRef<'a>,
+    pub algorithm: AlgorithmIdentifier<Params>,
 
     /// Public key data
-    pub subject_public_key: &'a [u8],
+    pub subject_public_key: Key,
 }
 
-impl<'a> SubjectPublicKeyInfo<'a> {
+impl<'a, Params, Key> SubjectPublicKeyInfo<Params, Key>
+where
+    Params: Choice<'a> + Encode,
+    // TODO: replace FixedTag with FixedTag<TAG = { Tag::BitString }> once
+    // https://github.com/rust-lang/rust/issues/92827 is fixed
+    Key: Decode<'a> + Encode + FixedTag,
+{
     /// Calculate the SHA-256 fingerprint of this [`SubjectPublicKeyInfo`] and
     /// encode it as a Base64 string.
     ///
@@ -69,74 +83,93 @@ impl<'a> SubjectPublicKeyInfo<'a> {
         self.encode(&mut builder)?;
         Ok(builder.finish())
     }
-
-    /// Get a [`BitString`] representing the `subject_public_key`
-    fn bitstring(&self) -> der::Result<BitStringRef<'a>> {
-        BitStringRef::from_bytes(self.subject_public_key)
-    }
 }
 
-impl<'a> DecodeValue<'a> for SubjectPublicKeyInfo<'a> {
+impl<'a: 'k, 'k, Params, Key: 'k> DecodeValue<'a> for SubjectPublicKeyInfo<Params, Key>
+where
+    Params: Choice<'a> + Encode,
+    Key: Decode<'a>,
+{
     fn decode_value<R: Reader<'a>>(reader: &mut R, header: Header) -> der::Result<Self> {
         reader.read_nested(header.length, |reader| {
             Ok(Self {
                 algorithm: reader.decode()?,
-                subject_public_key: BitStringRef::decode(reader)?
-                    .as_bytes()
-                    .ok_or_else(|| der::Tag::BitString.value_error())?,
+                subject_public_key: Key::decode(reader)?,
             })
         })
     }
 }
 
-impl<'a> Sequence<'a> for SubjectPublicKeyInfo<'a> {
+impl<'a, Params, Key> Sequence<'a> for SubjectPublicKeyInfo<Params, Key>
+where
+    Params: Choice<'a> + Encode,
+    Key: Decode<'a> + Encode + FixedTag,
+{
     fn fields<F, T>(&self, f: F) -> der::Result<T>
     where
         F: FnOnce(&[&dyn Encode]) -> der::Result<T>,
     {
-        f(&[&self.algorithm, &self.bitstring()?])
+        f(&[&self.algorithm, &self.subject_public_key])
     }
 }
 
-impl<'a> TryFrom<&'a [u8]> for SubjectPublicKeyInfo<'a> {
+impl<'a, Params, Key> TryFrom<&'a [u8]> for SubjectPublicKeyInfo<Params, Key>
+where
+    Params: Choice<'a> + Encode,
+    Key: Decode<'a> + Encode + FixedTag,
+{
     type Error = Error;
 
     fn try_from(bytes: &'a [u8]) -> Result<Self> {
         Ok(Self::from_der(bytes)?)
     }
 }
 
-impl ValueOrd for SubjectPublicKeyInfo<'_> {
+impl<'a, Params, Key> ValueOrd for SubjectPublicKeyInfo<Params, Key>
+where
+    Params: Choice<'a> + DerOrd + Encode,
+    Key: ValueOrd,
+{
     fn value_cmp(&self, other: &Self) -> der::Result<Ordering> {
         match self.algorithm.der_cmp(&other.algorithm)? {
-            Ordering::Equal => self.bitstring()?.der_cmp(&other.bitstring()?),
+            Ordering::Equal => self.subject_public_key.value_cmp(&other.subject_public_key),
             other => Ok(other),
         }
     }
 }
 
 #[cfg(feature = "alloc")]
 #[cfg_attr(docsrs, doc(cfg(feature = "alloc")))]
-impl TryFrom<SubjectPublicKeyInfo<'_>> for Document {
+impl<'a: 'k, 'k, Params, Key: 'k> TryFrom<SubjectPublicKeyInfo<Params, Key>> for Document
+where
+    Params: Choice<'a> + Encode,
+    Key: Decode<'a> + Encode + FixedTag,
+    BitStringRef<'a>: From<&'k Key>,
+{
     type Error = Error;
 
-    fn try_from(spki: SubjectPublicKeyInfo<'_>) -> Result<Document> {
+    fn try_from(spki: SubjectPublicKeyInfo<Params, Key>) -> Result<Document> {
         Self::try_from(&spki)
     }
 }
 
 #[cfg(feature = "alloc")]
 #[cfg_attr(docsrs, doc(cfg(feature = "alloc")))]
-impl TryFrom<&SubjectPublicKeyInfo<'_>> for Document {
+impl<'a: 'k, 'k, Params, Key: 'k> TryFrom<&SubjectPublicKeyInfo<Params, Key>> for Document
+where
+    Params: Choice<'a> + Encode,
+    Key: Decode<'a> + Encode + FixedTag,
+    BitStringRef<'a>: From<&'k Key>,
+{
     type Error = Error;
 
-    fn try_from(spki: &SubjectPublicKeyInfo<'_>) -> Result<Document> {
+    fn try_from(spki: &SubjectPublicKeyInfo<Params, Key>) -> Result<Document> {
         Ok(Self::encode_msg(spki)?)
     }
 }
 
 #[cfg(feature = "pem")]
 #[cfg_attr(docsrs, doc(cfg(feature = "pem")))]
-impl PemLabel for SubjectPublicKeyInfo<'_> {
+impl<Params, Key> PemLabel for SubjectPublicKeyInfo<Params, Key> {
     const PEM_LABEL: &'static str = "PUBLIC KEY";
 }

spki/src/traits.rs

@@ -1,6 +1,6 @@
 //! Traits for encoding/decoding SPKI public keys.
 
-use crate::{Error, Result, SubjectPublicKeyInfo};
+use crate::{Error, Result, SubjectPublicKeyInfoRef};
 
 #[cfg(feature = "alloc")]
 use der::Document;
@@ -14,6 +14,9 @@ use {
 #[cfg(feature = "std")]
 use std::path::Path;
 
+#[cfg(doc)]
+use crate::SubjectPublicKeyInfo;
+
 /// Parse a public key object from an encoded SPKI document.
 pub trait DecodePublicKey: Sized {
     /// Deserialize object from ASN.1 DER-encoded [`SubjectPublicKeyInfo`]
@@ -31,7 +34,7 @@ pub trait DecodePublicKey: Sized {
     #[cfg_attr(docsrs, doc(cfg(feature = "pem")))]
     fn from_public_key_pem(s: &str) -> Result<Self> {
         let (label, doc) = Document::from_pem(s)?;
-        SubjectPublicKeyInfo::validate_pem_label(label)?;
+        SubjectPublicKeyInfoRef::validate_pem_label(label)?;
         Self::from_public_key_der(doc.as_bytes())
     }
 
@@ -49,17 +52,17 @@ pub trait DecodePublicKey: Sized {
     #[cfg_attr(docsrs, doc(cfg(all(feature = "pem", feature = "std"))))]
     fn read_public_key_pem_file(path: impl AsRef<Path>) -> Result<Self> {
         let (label, doc) = Document::read_pem_file(path)?;
-        SubjectPublicKeyInfo::validate_pem_label(&label)?;
+        SubjectPublicKeyInfoRef::validate_pem_label(&label)?;
         Self::from_public_key_der(doc.as_bytes())
     }
 }
 
 impl<T> DecodePublicKey for T
 where
-    T: for<'a> TryFrom<SubjectPublicKeyInfo<'a>, Error = Error>,
+    T: for<'a> TryFrom<SubjectPublicKeyInfoRef<'a>, Error = Error>,
 {
     fn from_public_key_der(bytes: &[u8]) -> Result<Self> {
-        Self::try_from(SubjectPublicKeyInfo::try_from(bytes)?)
+        Self::try_from(SubjectPublicKeyInfoRef::try_from(bytes)?)
     }
 }
 
@@ -75,7 +78,7 @@ pub trait EncodePublicKey {
     #[cfg_attr(docsrs, doc(cfg(feature = "pem")))]
     fn to_public_key_pem(&self, line_ending: LineEnding) -> Result<String> {
         let doc = self.to_public_key_der()?;
-        Ok(doc.to_pem(SubjectPublicKeyInfo::PEM_LABEL, line_ending)?)
+        Ok(doc.to_pem(SubjectPublicKeyInfoRef::PEM_LABEL, line_ending)?)
     }
 
     /// Write ASN.1 DER-encoded public key to the given path
@@ -94,6 +97,6 @@ pub trait EncodePublicKey {
         line_ending: LineEnding,
     ) -> Result<()> {
         let doc = self.to_public_key_der()?;
-        Ok(doc.write_pem_file(path, SubjectPublicKeyInfo::PEM_LABEL, line_ending)?)
+        Ok(doc.write_pem_file(path, SubjectPublicKeyInfoRef::PEM_LABEL, line_ending)?)
     }
 }