Refactor dependencies and update cryptographic implementations

- Updated dependencies in Cargo.toml, replacing `rsa` with `rsa_098` and `signature` with `signature_220`.
- Enhanced error handling in HMAC and key exchange implementations to provide clearer error messages.
- Removed deprecated SecP521R1 key exchange implementation and replaced it with a feature-gated version.
- Adjusted X448 key exchange to improve random byte generation and error handling.
- Refactored signing logic to improve clarity and maintainability, including changes to the GenericSigner struct.
- Updated ECDSA signing key extraction to streamline the process and improve error handling.
- Modified AEAD implementations for TLS 1.2 and TLS 1.3 to ensure proper nonce and tag handling.
- Updated test files to reflect changes in dependencies and ensure compatibility with new signing and key exchange implementations.

Author: stevefan1999-personal

Cargo.lock

@@ -62,12 +62,15 @@ paste = "1.0.15"
 [dev-dependencies]
 bytes = { version = "1.10.1", default-features = false }
 itertools = { version = "0.14.0", default-features = false }
-rsa = { version = "0.10.0-rc.6", default-features = false, features = ["sha2"] }
+rsa_098 = { package = "rsa", version = "0.9.8", features = ["sha2"] }
+signature_220 = { package = "signature", version = "2.2.0" }
 rustls = { version = "0.23.31", default-features = false, features = ["std"] }
 spki = { version = "0.8.0-rc.4", default-features = false, features = ["alloc"] }
 x509-cert = { version = "0.2.5", default-features = false, features = [
-    "builder", "hazmat"
+    "builder"
 ] }
+rand_core_064 = { package = "rand_core", version = "0.6.4" }
+p256_0132 = { package = "p256", version = "0.13.2" }
 
 [features]
 default = ["std", "tls12", "zeroize", "full", "fast"]
@@ -223,7 +226,7 @@ aes-ccm = ["aes", "ccm"]
 aes-gcm = ["dep:aes-gcm", "aes", "gcm"]
 ccm = ["dep:ccm"]
 chacha20poly1305 = ["dep:chacha20poly1305"]
-elliptic-curve = ["dep:elliptic-curve"]
+elliptic-curve = ["dep:elliptic-curve", "elliptic-curve/ecdh", "elliptic-curve/sec1"]
 gcm = []
 rand = ["dep:rand_core", "signature?/rand_core", "x25519-dalek?/os_rng"]
 signature = ["dep:signature"]

Cargo.toml

@@ -21,7 +21,7 @@ macro_rules! impl_hmac {
             impl Hmac for #hmac_type_name {
                 fn with_key(&self, key: &[u8]) -> Box<dyn Key> {
                     Box::new(#hmac_key_type_name(
-                        ::hmac::Hmac::<$ty>::new_from_slice(key).unwrap(),
+                        ::hmac::Hmac::<$ty>::new_from_slice(key).expect("Invalid key length for HMAC"),
                     ))
                 }
 

src/hmac.rs

@@ -26,7 +26,7 @@ macro_rules! impl_kx {
                 }
 
                 fn start(&self) -> Result<Box<dyn crypto::ActiveKeyExchange>, rustls::Error> {
-                    let priv_key = $secret::try_from_rng(&mut rand_core::OsRng).unwrap();
+                    let priv_key = $secret::try_from_rng(&mut rand_core::OsRng).map_err(|_| rustls::Error::General("Failed to generate private key".into()))?;
                     let pub_key: $public_key = (&priv_key).into();
                     Ok(Box::new(#key_exchange {
                         priv_key,
@@ -74,46 +74,5 @@ impl_kx! {SecP256R1, rustls::NamedGroup::secp256r1, ::p256::ecdh::EphemeralSecre
 #[cfg(feature = "kx-p384")]
 impl_kx! {SecP384R1, rustls::NamedGroup::secp384r1, ::p384::ecdh::EphemeralSecret, ::p384::PublicKey}
 
-#[derive(Debug)]
-#[allow(non_camel_case_types)]
-pub struct SecP521R1;
-
-impl crypto::SupportedKxGroup for SecP521R1 {
-    fn name(&self) -> rustls::NamedGroup {
-        rustls::NamedGroup::secp521r1
-    }
-    fn start(&self) -> Result<Box<dyn crypto::ActiveKeyExchange>, rustls::Error> {
-        let priv_key = ::p521::ecdh::EphemeralSecret::try_from_rng(&mut rand_core::OsRng).unwrap();
-        let pub_key: ::p521::PublicKey = (&priv_key).into();
-        Ok(Box::new(SecP521R1KeyExchange {
-            priv_key,
-            pub_key: pub_key.to_sec1_bytes(),
-        }))
-    }
-}
-#[allow(non_camel_case_types)]
-pub struct SecP521R1KeyExchange {
-    priv_key: ::p521::ecdh::EphemeralSecret,
-    pub_key: Box<[u8]>,
-}
-impl crypto::ActiveKeyExchange for SecP521R1KeyExchange {
-    fn complete(
-        self: Box<SecP521R1KeyExchange>,
-        peer: &[u8],
-    ) -> Result<SharedSecret, rustls::Error> {
-        let their_pub = ::p521::PublicKey::from_sec1_bytes(peer)
-            .map_err(|_| rustls::Error::from(rustls::PeerMisbehaved::InvalidKeyShare))?;
-        Ok(self
-            .priv_key
-            .diffie_hellman(&their_pub)
-            .raw_secret_bytes()
-            .as_slice()
-            .into())
-    }
-    fn pub_key(&self) -> &[u8] {
-        &self.pub_key
-    }
-    fn group(&self) -> rustls::NamedGroup {
-        SecP521R1.name()
-    }
-}
+#[cfg(feature = "kx-p521")]
+impl_kx! {SecP521R1, rustls::NamedGroup::secp521r1, ::p521::ecdh::EphemeralSecret, ::p521::PublicKey}

src/kx/nist.rs

@@ -2,7 +2,7 @@
 use alloc::boxed::Box;
 
 use crypto::{SharedSecret, SupportedKxGroup};
-use rand_core::{RngCore, TryRngCore};
+use rand_core::TryRngCore;
 use rustls::crypto::{self, ActiveKeyExchange};
 
 #[derive(Debug)]
@@ -14,15 +14,13 @@ impl crypto::SupportedKxGroup for X448 {
     }
 
     fn start(&self) -> Result<Box<dyn ActiveKeyExchange>, rustls::Error> {
-
-        let priv_key = x448::Secret::from({
-            let mut bytes = [0u8; 56];
-            rand_core::OsRng.try_fill_bytes(&mut bytes).unwrap();
-            bytes
-        });
+        let mut priv_key = [0u8; 56];
+        rand_core::OsRng
+            .try_fill_bytes(&mut priv_key)
+            .map_err(|_| rustls::Error::FailedToGetRandomBytes)?;
+        let priv_key: x448::Secret = priv_key.into();
         let pub_key = x448::PublicKey::from(&priv_key);
 
-
         Ok(Box::new(X448KeyExchange { priv_key, pub_key }))
     }
 }
@@ -34,14 +32,16 @@ pub struct X448KeyExchange {
 
 impl ActiveKeyExchange for X448KeyExchange {
     fn complete(self: Box<X448KeyExchange>, peer: &[u8]) -> Result<SharedSecret, rustls::Error> {
-        let pub_key = x448::PublicKey::from_bytes(peer).unwrap();
-
-        self.priv_key.as_diffie_hellman(&pub_key).unwrap();
-
-        // let peer_public: x448::PublicKey = peer
-        //     .try_into()
-        //     .map_err(|_| rustls::Error::from(rustls::PeerMisbehaved::InvalidKeyShare))?;
-        Ok(self.priv_key.as_diffie_hellman(&pub_key).unwrap().as_bytes().as_ref().into())
+        Ok(self
+            .priv_key
+            .as_diffie_hellman(
+                &x448::PublicKey::from_bytes(peer)
+                    .ok_or(rustls::PeerMisbehaved::InvalidKeyShare)?,
+            )
+            .ok_or(rustls::PeerMisbehaved::InvalidKeyShare)?
+            .as_bytes()
+            .as_ref()
+            .into())
     }
 
     fn pub_key(&self) -> &[u8] {

src/kx/x448.rs

@@ -1,108 +1,108 @@
-#[cfg(feature = "alloc")]
-use alloc::{sync::Arc, vec::Vec};
-use core::marker::PhantomData;
-
-use pki_types::PrivateKeyDer;
-use rustls::sign::{Signer, SigningKey};
-use rustls::{Error, SignatureScheme};
-use signature::SignatureEncoding;
-
-#[derive(Debug)]
-pub struct GenericSigner<S, T>
-where
-    S: SignatureEncoding,
-    T: signature::Signer<S>,
-{
-    _marker: PhantomData<S>,
-    key: Arc<T>,
-    scheme: SignatureScheme,
-}
-
-impl<S, T> Signer for GenericSigner<S, T>
-where
-    S: SignatureEncoding + Send + Sync + core::fmt::Debug,
-    T: signature::Signer<S> + Send + Sync + core::fmt::Debug,
-{
-    fn sign(&self, message: &[u8]) -> Result<Vec<u8>, Error> {
-        self.key
-            .try_sign(message)
-            .map_err(|_| rustls::Error::General("signing failed".into()))
-            .map(|sig: S| sig.to_vec())
-    }
-
-    fn scheme(&self) -> SignatureScheme {
-        self.scheme
-    }
-}
-
-/// Extract any supported key from the given DER input.
-///
-/// # Errors
-///
-/// Returns an error if the key couldn't be decoded.
-#[allow(unused_variables)]
-pub fn any_supported_type(der: &PrivateKeyDer<'_>) -> Result<Arc<dyn SigningKey>, rustls::Error> {
-    #[cfg(feature = "sign-rsa")]
-    if let Ok(key) = rsa::RsaSigningKey::try_from(der) {
-        return Ok(Arc::new(key) as _);
-    }
-
-    #[cfg(feature = "sign-ecdsa-nist")]
-    if let Ok(key) = any_ecdsa_type(der) {
-        return Ok(key);
-    }
-
-    #[cfg(feature = "sign-eddsa")]
-    if let Ok(key) = any_eddsa_type(der) {
-        return Ok(key);
-    }
-
-    Err(rustls::Error::General("not supported".into()))
-}
-
-/// Extract any supported ECDSA key from the given DER input.
-///
-/// # Errors
-///
-/// Returns an error if the key couldn't be decoded.
-#[allow(unused_variables)]
-#[cfg(feature = "sign-ecdsa-nist")]
-pub fn any_ecdsa_type(der: &PrivateKeyDer<'_>) -> Result<Arc<dyn SigningKey>, rustls::Error> {
-    #[cfg(all(feature = "der", feature = "ecdsa-p256"))]
-    if let Ok(key) = ecdsa::nist::EcdsaSigningKeyP256::try_from(der) {
-        return Ok(Arc::new(key) as _);
-    }
-    #[cfg(all(feature = "der", feature = "ecdsa-p384"))]
-    if let Ok(key) = ecdsa::nist::EcdsaSigningKeyP384::try_from(der) {
-        return Ok(Arc::new(key) as _);
-    }
-
-    Err(rustls::Error::General("not supported".into()))
-}
-
-/// Extract any supported EDDSA key from the given DER input.
-///
-/// # Errors
-///
-/// Returns an error if the key couldn't be decoded.
-#[allow(unused_variables)]
-#[cfg(feature = "sign-eddsa")]
-pub fn any_eddsa_type(der: &PrivateKeyDer<'_>) -> Result<Arc<dyn SigningKey>, rustls::Error> {
-    // TODO: Add support for Ed448
-    #[cfg(all(feature = "der", feature = "eddsa-ed25519"))]
-    if let Ok(key) = eddsa::ed25519::Ed25519SigningKey::try_from(der) {
-        return Ok(Arc::new(key) as _);
-    }
-
-    Err(rustls::Error::General("not supported".into()))
-}
-
-#[cfg(feature = "ecdsa")]
-pub mod ecdsa;
-#[cfg(feature = "eddsa")]
-pub mod eddsa;
-#[cfg(feature = "rsa")]
-pub mod rsa;
-
-#[cfg(feature = "rand")]
-pub mod rand;
+#[cfg(feature = "alloc")]
+use alloc::{sync::Arc, vec::Vec};
+use core::marker::PhantomData;
+
+use pki_types::PrivateKeyDer;
+use rustls::sign::{Signer, SigningKey};
+use rustls::{Error, SignatureScheme};
+use signature::SignatureEncoding;
+
+#[derive(Debug)]
+pub struct GenericSigner<S, T>
+where
+    S: SignatureEncoding,
+    T: signature::Signer<S>,
+{
+    _marker: PhantomData<S>,
+    key: Arc<T>,
+    scheme: SignatureScheme,
+}
+
+impl<S, T> Signer for GenericSigner<S, T>
+where
+    S: SignatureEncoding + Send + Sync + core::fmt::Debug,
+    T: signature::Signer<S> + Send + Sync + core::fmt::Debug,
+{
+    fn sign(&self, message: &[u8]) -> Result<Vec<u8>, Error> {
+        self.key
+            .try_sign(message)
+            .map_err(|_| rustls::Error::General("signing failed".into()))
+            .map(|sig: S| sig.to_vec())
+    }
+
+    fn scheme(&self) -> SignatureScheme {
+        self.scheme
+    }
+}
+
+/// Extract any supported key from the given DER input.
+///
+/// # Errors
+///
+/// Returns an error if the key couldn't be decoded.
+#[allow(unused_variables)]
+pub fn any_supported_type(der: &PrivateKeyDer<'_>) -> Result<Arc<dyn SigningKey>, rustls::Error> {
+    #[cfg(feature = "sign-rsa")]
+    if let Ok(key) = rsa::RsaSigningKey::try_from(der) {
+        return Ok(Arc::new(key) as _);
+    }
+
+    #[cfg(feature = "sign-ecdsa-nist")]
+    if let Ok(key) = any_ecdsa_type(der) {
+        return Ok(key);
+    }
+
+    #[cfg(feature = "sign-eddsa")]
+    if let Ok(key) = any_eddsa_type(der) {
+        return Ok(key);
+    }
+
+    Err(rustls::Error::General("not supported".into()))
+}
+
+/// Extract any supported ECDSA key from the given DER input.
+///
+/// # Errors
+///
+/// Returns an error if the key couldn't be decoded.
+#[allow(unused_variables)]
+#[cfg(feature = "sign-ecdsa-nist")]
+pub fn any_ecdsa_type(der: &PrivateKeyDer<'_>) -> Result<Arc<dyn SigningKey>, rustls::Error> {
+    #[cfg(all(feature = "der", feature = "ecdsa-p256"))]
+    if let Ok(key) = ecdsa::nist::EcdsaSigningKeyP256::try_from(der) {
+        return Ok(Arc::new(key) as _);
+    }
+    #[cfg(all(feature = "der", feature = "ecdsa-p384"))]
+    if let Ok(key) = ecdsa::nist::EcdsaSigningKeyP384::try_from(der) {
+        return Ok(Arc::new(key) as _);
+    }
+
+    Err(rustls::Error::General("not supported".into()))
+}
+
+/// Extract any supported EDDSA key from the given DER input.
+///
+/// # Errors
+///
+/// Returns an error if the key couldn't be decoded.
+#[allow(unused_variables)]
+#[cfg(feature = "sign-eddsa")]
+pub fn any_eddsa_type(der: &PrivateKeyDer<'_>) -> Result<Arc<dyn SigningKey>, rustls::Error> {
+    // TODO: Add support for Ed448
+    #[cfg(all(feature = "der", feature = "eddsa-ed25519"))]
+    if let Ok(key) = eddsa::ed25519::Ed25519SigningKey::try_from(der) {
+        return Ok(Arc::new(key) as _);
+    }
+
+    Err(rustls::Error::General("not supported".into()))
+}
+
+#[cfg(feature = "ecdsa")]
+pub mod ecdsa;
+#[cfg(feature = "eddsa")]
+pub mod eddsa;
+#[cfg(feature = "rsa")]
+pub mod rsa;
+
+#[cfg(feature = "rand")]
+pub mod rand;