RSA PKCS8 support (#212)

DmitriyMusatkin · web-flow · commit ff8801488d58 · 2025-04-01T13:25:21.000-07:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -179,7 +179,7 @@ jobs:
     - name: Build ${{ env.PACKAGE_NAME }}
       run: |
         python -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder.pyz')"
-        AWS_TEST_FIPS=1 python builder.pyz build -p ${{ env.PACKAGE_NAME }} --variant=aws-lc-fips --cmake-extra=-DFIPS=ON --cmake-extra=-DPERL_EXECUTABLE=perl --cmake-extra=-DGO_EXECUTABLE=go
+        AWS_TEST_FIPS=1 python builder.pyz build -p ${{ env.PACKAGE_NAME }} --variant=aws-lc-fips --cmake-extra=-DFIPS=ON --cmake-extra=-DPERL_EXECUTABLE=perl --cmake-extra=-DGO_EXECUTABLE=go --cmake-extra=-DCMAKE_POLICY_VERSION_MINIMUM=3.5 
 
   windows:
     runs-on: windows-2022 # latest
diff --git a/include/aws/cal/exports.h b/include/aws/cal/exports.h
@@ -4,7 +4,7 @@
  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  * SPDX-License-Identifier: Apache-2.0.
  */
-#if defined(AWS_C_RT_USE_WINDOWS_DLL_SEMANTICS) || defined(WIN32)
+#if defined(AWS_CRT_USE_WINDOWS_DLL_SEMANTICS) || defined(_WIN32)
 #    ifdef AWS_CAL_USE_IMPORT_EXPORT
 #        ifdef AWS_CAL_EXPORTS
 #            define AWS_CAL_API __declspec(dllexport)
@@ -15,14 +15,14 @@
 #        define AWS_CAL_API
 #    endif /* AWS_CAL_USE_IMPORT_EXPORT */
 
-#else /* defined (AWS_C_RT_USE_WINDOWS_DLL_SEMANTICS) || defined (WIN32) */
+#else /* defined (AWS_CRT_USE_WINDOWS_DLL_SEMANTICS) || defined (_WIN32) */
 
-#    if ((__GNUC__ >= 4) || defined(__clang__)) && defined(AWS_CAL_USE_IMPORT_EXPORT) && defined(AWS_CAL_EXPORTS)
+#    if defined(AWS_CAL_USE_IMPORT_EXPORT) && defined(AWS_CAL_EXPORTS)
 #        define AWS_CAL_API __attribute__((visibility("default")))
 #    else
 #        define AWS_CAL_API
-#    endif /* __GNUC__ >= 4 || defined(__clang__) */
+#    endif
 
-#endif /* defined (AWS_C_RT_USE_WINDOWS_DLL_SEMANTICS) || defined (WIN32) */
+#endif /* defined (AWS_CRT_USE_WINDOWS_DLL_SEMANTICS) || defined (_WIN32) */
 
 #endif /* AWS_CAL_EXPORTS_H */
diff --git a/include/aws/cal/rsa.h b/include/aws/cal/rsa.h
@@ -53,6 +53,15 @@ AWS_CAL_API struct aws_rsa_key_pair *aws_rsa_key_pair_new_from_private_key_pkcs1
     struct aws_allocator *allocator,
     struct aws_byte_cursor key);
 
+/**
+ * Creates an RSA private key from PrivateKeyInfo as defined in rfc 5208 (aka PKCS8).
+ * Returns a new instance of aws_rsa_key_pair if the key was successfully built.
+ * Otherwise returns NULL.
+ */
+AWS_CAL_API struct aws_rsa_key_pair *aws_rsa_key_pair_new_from_private_key_pkcs8(
+    struct aws_allocator *allocator,
+    struct aws_byte_cursor key);
+
 /**
  * Adds one to an RSA key pair's ref count.
  * Returns key_pair pointer.
diff --git a/source/rsa.c b/source/rsa.c
@@ -14,6 +14,9 @@ typedef struct aws_rsa_key_pair *(aws_rsa_key_pair_new_from_public_pkcs1_fn)(str
 typedef struct aws_rsa_key_pair *(aws_rsa_key_pair_new_from_private_pkcs1_fn)(struct aws_allocator *allocator,
                                                                               struct aws_byte_cursor private_key);
 
+typedef struct aws_rsa_key_pair *(aws_rsa_key_pair_new_from_private_pkcs8_fn)(struct aws_allocator *allocator,
+                                                                              struct aws_byte_cursor private_key);
+
 #ifndef BYO_CRYPTO
 
 extern struct aws_rsa_key_pair *aws_rsa_key_pair_new_from_public_key_pkcs1_impl(
@@ -24,6 +27,10 @@ extern struct aws_rsa_key_pair *aws_rsa_key_pair_new_from_private_key_pkcs1_impl
     struct aws_allocator *allocator,
     struct aws_byte_cursor private_key);
 
+struct aws_rsa_key_pair *aws_rsa_key_pair_new_from_private_key_pkcs8_impl(
+    struct aws_allocator *allocator,
+    struct aws_byte_cursor private_key);
+
 #else  /* BYO_CRYPTO */
 
 struct aws_rsa_key_pair *aws_rsa_key_pair_new_from_public_key_pkcs1_impl(
@@ -41,6 +48,14 @@ struct aws_rsa_key_pair *aws_rsa_key_pair_new_from_private_key_pkcs1_impl(
     (void)private_key;
     abort();
 }
+
+struct aws_rsa_key_pair *aws_rsa_key_pair_new_from_private_key_pkcs8_impl(
+    struct aws_allocator *allocator,
+    struct aws_byte_cursor private_key) {
+    (void)allocator;
+    (void)private_key;
+    abort();
+}
 #endif /* BYO_CRYPTO */
 
 static aws_rsa_key_pair_new_from_public_pkcs1_fn *s_rsa_key_pair_new_from_public_key_pkcs1_fn =
@@ -49,6 +64,9 @@ static aws_rsa_key_pair_new_from_public_pkcs1_fn *s_rsa_key_pair_new_from_public
 static aws_rsa_key_pair_new_from_private_pkcs1_fn *s_rsa_key_pair_new_from_private_key_pkcs1_fn =
     aws_rsa_key_pair_new_from_private_key_pkcs1_impl;
 
+static aws_rsa_key_pair_new_from_private_pkcs8_fn *s_rsa_key_pair_new_from_private_key_pkcs8_fn =
+    aws_rsa_key_pair_new_from_private_key_pkcs8_impl;
+
 struct aws_rsa_key_pair *aws_rsa_key_pair_new_from_public_key_pkcs1(
     struct aws_allocator *allocator,
     struct aws_byte_cursor public_key) {
@@ -61,6 +79,12 @@ struct aws_rsa_key_pair *aws_rsa_key_pair_new_from_private_key_pkcs1(
     return s_rsa_key_pair_new_from_private_key_pkcs1_fn(allocator, private_key);
 }
 
+AWS_CAL_API struct aws_rsa_key_pair *aws_rsa_key_pair_new_from_private_key_pkcs8(
+    struct aws_allocator *allocator,
+    struct aws_byte_cursor key) {
+    return s_rsa_key_pair_new_from_private_key_pkcs8_fn(allocator, key);
+}
+
 void aws_rsa_key_pair_base_clean_up(struct aws_rsa_key_pair *key_pair) {
     aws_byte_buf_clean_up_secure(&key_pair->priv);
     aws_byte_buf_clean_up_secure(&key_pair->pub);
@@ -286,3 +310,107 @@ int is_valid_rsa_key_size(size_t key_size_in_bits) {
 
     return AWS_OP_SUCCESS;
 }
+
+#ifndef BYO_CRYPTO
+
+static uint8_t s_rsa_encryption_oid[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01};
+
+/**
+ * There are likely tens of algo specifiers for rsa out there.
+ * But in practice mostly everyone uses rsaEncryption oid for key at rest.
+ * So for now just support that and we can add other ones later if needed.
+ * Even though its technically encryption oid, most crypto libs are lax
+ * and allow the key to be used for all operations.
+ */
+static struct aws_byte_cursor s_rsa_encryption_oid_cur = {
+    .ptr = (s_rsa_encryption_oid),
+    .len = sizeof(s_rsa_encryption_oid),
+};
+
+/**
+ * Win and Mac dont provide native support for loading pkcs8 keys, so
+ * for simplicity and consistency just parse pkcs1 key from pkcs8 and
+ * use it with existing pkcs1 loader.
+ */
+struct aws_rsa_key_pair *aws_rsa_key_pair_new_from_private_key_pkcs8_impl(
+    struct aws_allocator *allocator,
+    struct aws_byte_cursor private_key) {
+
+    struct aws_der_decoder *decoder = aws_der_decoder_new(allocator, private_key);
+
+    if (decoder == NULL) {
+        return NULL;
+    }
+
+    /**
+     * Format of pkcs8 is as follows.
+     * PrivateKeyInfo ::= SEQUENCE {
+     *  version         Version,          -- INTEGER (0)
+     *  algorithm       AlgorithmIdentifier,
+     *  privateKey      OCTET STRING,     -- contains DER encoded key
+     *  attributes  [0] IMPLICIT SET OF Attribute OPTIONAL
+     * }
+     * AlgorithmIdentifier ::= SEQUENCE {
+     *  algorithm       OBJECT IDENTIFIER,
+     *  parameters      ANY DEFINED BY algorithm OPTIONAL
+     * }
+     */
+
+    struct aws_rsa_key_pair *key_pair = NULL;
+
+    if (!aws_der_decoder_next(decoder) || aws_der_decoder_tlv_type(decoder) != AWS_DER_SEQUENCE) {
+        aws_raise_error(AWS_ERROR_CAL_MALFORMED_ASN1_ENCOUNTERED);
+        goto on_done;
+    }
+
+    /* version */
+    struct aws_byte_cursor version_cur;
+    if (!aws_der_decoder_next(decoder) || aws_der_decoder_tlv_unsigned_integer(decoder, &version_cur)) {
+        aws_raise_error(AWS_ERROR_CAL_MALFORMED_ASN1_ENCOUNTERED);
+        goto on_done;
+    }
+
+    if (version_cur.len != 1 || version_cur.ptr[0] != 0) {
+        aws_raise_error(AWS_ERROR_CAL_UNSUPPORTED_KEY_FORMAT);
+        goto on_done;
+    }
+
+    /* oid */
+    struct aws_byte_cursor oid_cur;
+    if (!aws_der_decoder_next(decoder) || aws_der_decoder_tlv_type(decoder) != AWS_DER_SEQUENCE) {
+        aws_raise_error(AWS_ERROR_CAL_MALFORMED_ASN1_ENCOUNTERED);
+        goto on_done;
+    }
+
+    if (!aws_der_decoder_next(decoder) || aws_der_decoder_tlv_type(decoder) != AWS_DER_OBJECT_IDENTIFIER ||
+        aws_der_decoder_tlv_blob(decoder, &oid_cur)) {
+        aws_raise_error(AWS_ERROR_CAL_MALFORMED_ASN1_ENCOUNTERED);
+        goto on_done;
+    }
+
+    if (!aws_byte_cursor_eq(&s_rsa_encryption_oid_cur, &oid_cur)) {
+        aws_raise_error(AWS_ERROR_CAL_UNSUPPORTED_KEY_FORMAT);
+        goto on_done;
+    }
+
+    /* skip additional params */
+    if (!aws_der_decoder_next(decoder)) {
+        aws_raise_error(AWS_ERROR_CAL_MALFORMED_ASN1_ENCOUNTERED);
+        goto on_done;
+    }
+
+    /* key */
+    struct aws_byte_cursor key;
+    if (!aws_der_decoder_next(decoder) || aws_der_decoder_tlv_string(decoder, &key)) {
+        aws_raise_error(AWS_ERROR_CAL_MALFORMED_ASN1_ENCOUNTERED);
+        goto on_done;
+    }
+
+    key_pair = aws_rsa_key_pair_new_from_private_key_pkcs1(allocator, key);
+
+on_done:
+    aws_der_decoder_destroy(decoder);
+    return key_pair;
+}
+
+#endif
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
@@ -89,6 +89,7 @@ add_test_case(rsa_decrypt_oaep256)
 add_test_case(rsa_decrypt_oaep512)
 add_test_case(rsa_signing_mismatch_pkcs1_sha256)
 add_test_case(rsa_signing_mismatch_pkcs1_sha1)
+add_test_case(rsa_encryption_roundtrip_pkcs15_from_user_pkcs8)
 
 add_test_case(aes_cbc_NIST_CBCGFSbox256_case_1)
 add_test_case(aes_cbc_NIST_CBCVarKey256_case_254)
diff --git a/tests/rsa_test.c b/tests/rsa_test.c
@@ -102,6 +102,33 @@ static const char *TEST_PKCS1_RSA_PRIVATE_KEY_2048 = "MIIEpQIBAAKCAQEAnt/K3mvMgP
                                                      "tZI9TCH4Sq33MGEjf2MyW0XMXC56dA2VOPSTHGKaoKmyn7L9G4WfDFcYmCdvmLkR"
                                                      "7wAz2Dyxr6ImChSWD/y2ddz1U+H39uqRxwIkwJ7TbDflYNXgsAOOlUg=";
 
+static const char *TEST_PKCS8_RSA_PRIVATE_KEY_2048 = "MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDN0jYhXzsI1lSA"
+                                                     "j+3uxraUu/78uHJlCcTifQlVUftgEzJth7WNGvrJ8bDLUHwV04cTYSkydgsivjms"
+                                                     "XFgzuTCOLiHX0ik/RT1fOvOpk0gte2gCfPIACUAkTlGXKJ+v+1kqnWFmZFNvtkz2"
+                                                     "fmLIRq9ZrXWORVmySCeoSfvyygxkmfTUfGieFr8LMFSB6VoWKA/vOk0sMF/5PRxm"
+                                                     "JESS4pOMjWQ3QHpLdjsgUAnxsThLVMbaA5JXdHnFHlgkTbL/OSY06EUzuZ0dJpTU"
+                                                     "qSBbaz6qewlIO4eM9d2N+5d/mt5nn4rU7yuLGlJE/U9UpSutuvkCkqosST9yKBz7"
+                                                     "YUhK7WyPAgMBAAECggEAYrHEZyhFJK2yA5wA2hjLgHLNiN3hbPXMRVbz3MfdJGrQ"
+                                                     "KZmDw1AGpkORJU1I0yaFhRN4L8xO9rAE89OsL9FDqUoRzG3ofYB0N3ALW2tWlwiw"
+                                                     "DVFgsge9jCtKEJPYTwjV7wtcoz7Ei7L9IM3mDGdoujXlQv2aT1UuPxKLEBc27h3Q"
+                                                     "KZZL0QbA33SmO24BUx9Y741hIXsVvoce0MQM1TPwEGH18qYpffb3kCBTwFEySx+q"
+                                                     "JFwadZiK1JPQgpELrXZT0VuARD2Ze8Z7c0b6668wYiwJ2mmf4l0NTLk67mIIfG1w"
+                                                     "NNNzHme/UGQEjSjUU9TFWLVHU9enumPv5UeLx3wvgQKBgQD7k6pCk8kkUcjjq0sq"
+                                                     "92Coy1DMlZg9ictcusJ5pfe1ZdW01iX/S/88ZOxk1X27jTWcHarAeA+ci4LzDWPG"
+                                                     "I61Hy4kJFOJB6Sx3hDSnfNvuIC/7zrcWLNzvfAeDYmPhAqi1K4HYFN7Ipa/1+Uew"
+                                                     "kWVllcUHRz5zWU+oYVXDsjARrwKBgQDRcJowibhaG4UUMzRsyyEK1l/w+z75L8A7"
+                                                     "2ZA+wMqyUo9LPgJRYvEHHRQTHDGCzP81IUaAK2OfWrD5Jnn6r4Il7+cQ+xCHKiMD"
+                                                     "rBhnL9dG4lVAWgdZPyWXfrdT3mqpZ3UgfWysvph8s48QdLA3ku7PpTfchwtSdXQP"
+                                                     "cxhEItlrIQKBgQDTTB8AdCfIfXiA3+nuWH+yxbFDY5HOfeF0LNgSXDdFABcSH5si"
+                                                     "Za4mB44U0ssbr2qLiM9VgIF8NiDyCxj13hk359dc7VFrknBqoXuoANKnmhkzIVfd"
+                                                     "JCkca8vTqdvBrP4NzFDuL/k+BQtZSNnRjwze2X/2sPve3fBtt/LUvuBouQKBgQC9"
+                                                     "T1Cv6uxN1m410grjA8C8MQXLpu5HAxh5gLBXaKBPCz0mv8gMlKhUy73ngCZomq9b"
+                                                     "8NXu6ElGMw2gR10ecSHs9KohuS45XqcDnLz6GE44bkCsyDO4QdHS2+EN2A8FTNSc"
+                                                     "J4Lhqe3fWdZJA5B8yz09R5P0q8RaJnxfsqMOg4mOwQKBgQC+N5xLCRa/n1kJ11we"
+                                                     "rnOe2POS+zuThhi1aMn0LLPIDwVMktymV7F8JegbdYB5KjxyxzDPcpRDRKCXvAew"
+                                                     "QiaCZLRyigBqDpDP4l3uIp1OEzWLYuEAWwnErC7fuPm0TFAy5ecegxW7eXasDy2C"
+                                                     "dJJcK3yV8NRVOzr2voGRmr4d7w==";
+
 static int s_rsa_encryption_roundtrip_from_user(
     struct aws_allocator *allocator,
     enum aws_rsa_encryption_algorithm algo) {
@@ -122,6 +149,26 @@ static int s_rsa_encryption_roundtrip_from_user(
     return AWS_OP_SUCCESS;
 }
 
+static int s_rsa_encryption_roundtrip_from_user_pkcs8(
+    struct aws_allocator *allocator,
+    enum aws_rsa_encryption_algorithm algo) {
+    struct aws_byte_buf key_buf;
+    ASSERT_SUCCESS(s_byte_buf_decoded_from_base64_cur(
+        allocator, aws_byte_cursor_from_c_str(TEST_PKCS8_RSA_PRIVATE_KEY_2048), &key_buf));
+
+    struct aws_rsa_key_pair *key_pair =
+        aws_rsa_key_pair_new_from_private_key_pkcs8(allocator, aws_byte_cursor_from_buf(&key_buf));
+
+    ASSERT_NOT_NULL(key_pair);
+
+    s_rsa_encryption_roundtrip_helper(allocator, key_pair, algo);
+
+    aws_rsa_key_pair_release(key_pair);
+    aws_byte_buf_clean_up_secure(&key_buf);
+
+    return AWS_OP_SUCCESS;
+}
+
 static int s_rsa_encryption_roundtrip_pkcs1_from_user(struct aws_allocator *allocator, void *ctx) {
     (void)ctx;
 
@@ -135,6 +182,40 @@ static int s_rsa_encryption_roundtrip_pkcs1_from_user(struct aws_allocator *allo
 }
 AWS_TEST_CASE(rsa_encryption_roundtrip_pkcs1_from_user, s_rsa_encryption_roundtrip_pkcs1_from_user);
 
+static int s_rsa_encryption_roundtrip_pkcs15_from_user_pkcs8(struct aws_allocator *allocator, void *ctx) {
+    (void)ctx;
+
+    aws_cal_library_test_init(allocator);
+
+    ASSERT_SUCCESS(s_rsa_encryption_roundtrip_from_user_pkcs8(allocator, AWS_CAL_RSA_ENCRYPTION_PKCS1_5));
+
+    aws_cal_library_clean_up();
+
+    return AWS_OP_SUCCESS;
+}
+AWS_TEST_CASE(rsa_encryption_roundtrip_pkcs15_from_user_pkcs8, s_rsa_encryption_roundtrip_pkcs15_from_user_pkcs8);
+
+static int s_rsa_pkcs8_key_load_error(struct aws_allocator *allocator, void *ctx) {
+    (void)ctx;
+
+    aws_cal_library_test_init(allocator);
+
+    struct aws_byte_buf key_buf;
+    ASSERT_SUCCESS(s_byte_buf_decoded_from_base64_cur(
+        allocator, aws_byte_cursor_from_c_str(TEST_PKCS1_RSA_PRIVATE_KEY_2048), &key_buf));
+
+    struct aws_rsa_key_pair *key_pair =
+        aws_rsa_key_pair_new_from_private_key_pkcs8(allocator, aws_byte_cursor_from_buf(&key_buf));
+
+    ASSERT_NULL(key_pair);
+    ASSERT_INT_EQUALS(AWS_ERROR_CAL_MALFORMED_ASN1_ENCOUNTERED, aws_last_error());
+
+    aws_cal_library_clean_up();
+
+    return AWS_OP_SUCCESS;
+}
+AWS_TEST_CASE(rsa_pkcs8_key_load_error, s_rsa_pkcs8_key_load_error);
+
 static int s_rsa_encryption_roundtrip_oaep_sha256_from_user(struct aws_allocator *allocator, void *ctx) {
     (void)ctx;
 
