Use AWS-LC (via openssl-rs) to implement SubtleCrypto RSA (#36374)

GitOrigin-RevId: e849cd89bd627d6b7b23920fc89ceb576e69a41e

Author: goffrie

Cargo.lock

@@ -99,6 +99,7 @@ native-tls = "^0.2.10"
 num_cpus = "1.16.0"
 oauth2 = { version = "5", default-features = false, features = [ "reqwest" ] }
 openidconnect = { git = "https://github.com/get-convex/openidconnect-rs", rev = "f21c7999356bd374a683d13378bd2a6c0ebdbf11", default-features = false, features = [ "accept-rfc3339-timestamps", "timing-resistant-secret-traits", "reqwest" ] }
+openssl = { version = "0.10.72", features = [ "aws-lc" ] }
 parking_lot = { version = "0.12", features = [ "hardware-lock-elision" ] }
 paste = { version = "1.0.12" }
 phf = { version = "0.11.2", features = [ "macros" ] }

Cargo.toml

@@ -50,11 +50,14 @@ mime = { workspace = true }
 model = { path = "../model" }
 multer = { workspace = true }
 must-let = { workspace = true, optional = true }
+openssl = { workspace = true }
 p256 = { workspace = true }
 p384 = { workspace = true }
 parking_lot = { workspace = true }
 pb = { path = "../pb" }
 phf = { workspace = true }
+pkcs1 = "0.7.5"
+pkcs8 = "0.10.2"
 prometheus = { workspace = true }
 proptest = { workspace = true, optional = true }
 proptest-derive = { workspace = true, optional = true }
@@ -63,7 +66,6 @@ rand = { workspace = true }
 rand_chacha = { workspace = true }
 regex = { workspace = true }
 ring = { workspace = true }
-rsa = { workspace = true }
 runtime = { path = "../runtime" }
 search = { path = "../search" }
 semver = { workspace = true }

crates/isolate/Cargo.toml

@@ -13,9 +13,4 @@ impl CryptoRng {
     pub fn ring(&self) -> ring::rand::SystemRandom {
         ring::rand::SystemRandom::new()
     }
-
-    /// Returns an `rsa`-compatible random number generator
-    pub fn rsa(&self) -> rsa::rand_core::OsRng {
-        rsa::rand_core::OsRng
-    }
 }

crates/isolate/src/environment/crypto_rng.rs

@@ -14,6 +14,7 @@ use spki::{
         Decode,
         Encode,
     },
+    AlgorithmIdentifierRef,
     SubjectPublicKeyInfo,
 };
 
@@ -104,9 +105,9 @@ impl CryptoOps {
 
     pub fn export_pkcs8_ed25519(pkey: &[u8]) -> Result<ToJsBuffer, AnyError> {
         // This should probably use OneAsymmetricKey instead
-        let pk_info = rsa::pkcs8::PrivateKeyInfo {
+        let pk_info = PrivateKeyInfo {
             public_key: None,
-            algorithm: rsa::pkcs8::AlgorithmIdentifierRef {
+            algorithm: AlgorithmIdentifierRef {
                 // id-Ed25519
                 oid: ED25519_OID,
                 parameters: None,

crates/isolate/src/ops/crypto/ed25519.rs

@@ -8,21 +8,20 @@ use const_oid::{
 use deno_core::ToJsBuffer;
 use elliptic_curve::sec1::ToEncodedPoint;
 use p256::pkcs8::DecodePrivateKey;
-use rsa::{
-    pkcs1::der::Decode,
-    pkcs8::der::{
-        asn1::UintRef,
-        Encode,
-    },
-};
+use pkcs1::UintRef;
 use serde::{
     Deserialize,
     Serialize,
 };
 use spki::{
     der::{
-        asn1,
-        asn1::BitString,
+        self,
+        asn1::{
+            self,
+            BitString,
+        },
+        Decode as _,
+        Encode as _,
     },
     AlgorithmIdentifier,
     AlgorithmIdentifierOwned,
@@ -176,16 +175,14 @@ fn export_key_rsa(
 
             // version is 0 when publickey is None
 
-            let pk_info = rsa::pkcs8::PrivateKeyInfo {
+            let pk_info = pkcs8::PrivateKeyInfo {
                 public_key: None,
-                algorithm: rsa::pkcs8::AlgorithmIdentifierRef {
+                algorithm: pkcs8::AlgorithmIdentifierRef {
                     // rsaEncryption(1)
-                    oid: rsa::pkcs8::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.1"),
+                    oid: pkcs8::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.1"),
                     // parameters field should not be omitted (None).
                     // It MUST have ASN.1 type NULL as per defined in RFC 3279 Section 2.3.1
-                    parameters: Some(rsa::pkcs8::der::asn1::AnyRef::from(
-                        rsa::pkcs8::der::asn1::Null,
-                    )),
+                    parameters: Some(der::asn1::AnyRef::from(der::asn1::Null)),
                 },
                 private_key,
             };
@@ -198,7 +195,7 @@ fn export_key_rsa(
         },
         ExportKeyFormat::JwkPublic => {
             let public_key = key_data.as_rsa_public_key()?;
-            let public_key = rsa::pkcs1::RsaPublicKey::from_der(&public_key).map_err(|_| {
+            let public_key = pkcs1::RsaPublicKey::from_der(&public_key).map_err(|_| {
                 custom_error("DOMExceptionOperationError", "failed to decode public key")
             })?;
 
@@ -209,7 +206,7 @@ fn export_key_rsa(
         },
         ExportKeyFormat::JwkPrivate => {
             let private_key = key_data.as_rsa_private_key()?;
-            let private_key = rsa::pkcs1::RsaPrivateKey::from_der(private_key).map_err(|_| {
+            let private_key = pkcs1::RsaPrivateKey::from_der(private_key).map_err(|_| {
                 custom_error("DOMExceptionOperationError", "failed to decode private key")
             })?;
 

crates/isolate/src/ops/crypto/export_key.rs

@@ -1,5 +1,9 @@
 use anyhow::Context as _;
 use deno_core::ToJsBuffer;
+use openssl::{
+    bn::BigNum,
+    rsa::Rsa,
+};
 use ring::{
     rand::SecureRandom,
     signature::{
@@ -8,10 +12,6 @@ use ring::{
         KeyPair,
     },
 };
-use rsa::pkcs1::{
-    EncodeRsaPrivateKey,
-    EncodeRsaPublicKey,
-};
 
 use super::{
     shared::RustRawKeyData,
@@ -35,16 +35,17 @@ impl CryptoOps {
                 modulus_length,
                 public_exponent,
             } => {
-                let exp = rsa::BigUint::from_bytes_be(&public_exponent);
-                let private_key =
-                    rsa::RsaPrivateKey::new_with_exp(&mut rng.rsa(), modulus_length, &exp)?;
-                let public_key = private_key.to_public_key();
+                let exp = BigNum::from_slice(&public_exponent)?;
+                let private_key = Rsa::generate_with_e(
+                    modulus_length.try_into().context("bad modulus length")?,
+                    &exp,
+                )?;
                 Ok(GeneratedKeypair {
                     private_raw_data: GeneratedKey::KeyData(RustRawKeyData::Private(
-                        private_key.to_pkcs1_der()?.as_bytes().to_vec().into(),
+                        private_key.private_key_to_der()?.into(),
                     )),
                     public_raw_data: GeneratedKey::KeyData(RustRawKeyData::Public(
-                        public_key.to_pkcs1_der()?.into_vec().into(),
+                        private_key.public_key_to_der_pkcs1()?.into(),
                     )),
                 })
             },

crates/isolate/src/ops/crypto/generate_key.rs

@@ -5,18 +5,18 @@ use anyhow::Context as _;
 use deno_core::ToJsBuffer;
 use elliptic_curve::pkcs8::PrivateKeyInfo;
 use p256::pkcs8::EncodePrivateKey;
+use pkcs1::UintRef;
 use ring::signature::EcdsaKeyPair;
-use rsa::{
-    pkcs1::UintRef,
-    pkcs8::der::Decode as RsaDecode,
-};
 use serde::{
     Deserialize,
     Serialize,
 };
 use serde_bytes::ByteBuf;
 use spki::{
-    der::Encode as SpkiEncode,
+    der::{
+        Decode as _,
+        Encode as SpkiEncode,
+    },
     SubjectPublicKeyInfoRef,
 };
 
@@ -142,7 +142,7 @@ fn import_key_rsa_jwk(key_data: KeyData) -> anyhow::Result<ImportKeyResult> {
             jwt_b64_int_or_err!(modulus, &n, "invalid modulus");
             jwt_b64_int_or_err!(public_exponent, &e, "invalid public exponent");
 
-            let public_key = rsa::pkcs1::RsaPublicKey {
+            let public_key = pkcs1::RsaPublicKey {
                 modulus,
                 public_exponent,
             };
@@ -179,7 +179,7 @@ fn import_key_rsa_jwk(key_data: KeyData) -> anyhow::Result<ImportKeyResult> {
             jwt_b64_int_or_err!(exponent2, &dq, "invalid second CRT exponent");
             jwt_b64_int_or_err!(coefficient, &qi, "invalid CRT coefficient");
 
-            let private_key = rsa::pkcs1::RsaPrivateKey {
+            let private_key = pkcs1::RsaPrivateKey {
                 modulus,
                 public_exponent,
                 private_exponent,
@@ -227,9 +227,8 @@ fn import_key_rsassa(key_data: KeyData) -> anyhow::Result<ImportKeyResult> {
             }
 
             // 8-9.
-            let public_key =
-                rsa::pkcs1::RsaPublicKey::from_der(pk_info.subject_public_key.raw_bytes())
-                    .map_err(|e| data_error(e.to_string()))?;
+            let public_key = pkcs1::RsaPublicKey::from_der(pk_info.subject_public_key.raw_bytes())
+                .map_err(|e| data_error(e.to_string()))?;
 
             let bytes_consumed = public_key
                 .encoded_len()
@@ -264,7 +263,7 @@ fn import_key_rsassa(key_data: KeyData) -> anyhow::Result<ImportKeyResult> {
             }
 
             // 8-9.
-            let private_key = rsa::pkcs1::RsaPrivateKey::from_der(pk_info.private_key)
+            let private_key = pkcs1::RsaPrivateKey::from_der(pk_info.private_key)
                 .map_err(|e| data_error(e.to_string()))?;
 
             let bytes_consumed = private_key
@@ -308,9 +307,8 @@ fn import_key_rsapss(key_data: KeyData) -> anyhow::Result<ImportKeyResult> {
             }
 
             // 8-9.
-            let public_key =
-                rsa::pkcs1::RsaPublicKey::from_der(pk_info.subject_public_key.raw_bytes())
-                    .map_err(|e| data_error(e.to_string()))?;
+            let public_key = pkcs1::RsaPublicKey::from_der(pk_info.subject_public_key.raw_bytes())
+                .map_err(|e| data_error(e.to_string()))?;
 
             let bytes_consumed = public_key
                 .encoded_len()
@@ -345,7 +343,7 @@ fn import_key_rsapss(key_data: KeyData) -> anyhow::Result<ImportKeyResult> {
             }
 
             // 8-9.
-            let private_key = rsa::pkcs1::RsaPrivateKey::from_der(pk_info.private_key)
+            let private_key = pkcs1::RsaPrivateKey::from_der(pk_info.private_key)
                 .map_err(|e| data_error(e.to_string()))?;
 
             let bytes_consumed = private_key
@@ -389,9 +387,8 @@ fn import_key_rsaoaep(key_data: KeyData) -> Result<ImportKeyResult, anyhow::Erro
             }
 
             // 8-9.
-            let public_key =
-                rsa::pkcs1::RsaPublicKey::from_der(pk_info.subject_public_key.raw_bytes())
-                    .map_err(|e| data_error(e.to_string()))?;
+            let public_key = pkcs1::RsaPublicKey::from_der(pk_info.subject_public_key.raw_bytes())
+                .map_err(|e| data_error(e.to_string()))?;
 
             let bytes_consumed = public_key
                 .encoded_len()
@@ -426,7 +423,7 @@ fn import_key_rsaoaep(key_data: KeyData) -> Result<ImportKeyResult, anyhow::Erro
             }
 
             // 8-9.
-            let private_key = rsa::pkcs1::RsaPrivateKey::from_der(pk_info.private_key)
+            let private_key = pkcs1::RsaPrivateKey::from_der(pk_info.private_key)
                 .map_err(|e| data_error(e.to_string()))?;
 
             let bytes_consumed = private_key