Use rust-asn1 for PKCS#1 private key serialization (#13620)

* Use rust-asn1 for PKCS#1 private key serialization

Replace OpenSSL's private_key_to_der() with rust-asn1 serialization
for RSA, DSA, and EC private keys in Traditional OpenSSL format.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* put this in a vector

---------

Co-authored-by: Claude <[email protected]>

Author: alex

docs/development/test-vectors.rst

@@ -294,6 +294,8 @@ Custom asymmetric vectors
   encrypted with a 20 byte salt with the password ``password``.
 * ``asymmetric/PKCS8/wrong-pem-delimiter-rsa.pem`` - A PKCS8 encoded RSA key
   with the wrong PEM delimiter.
+* ``asymmetric/EC/high-bit-set.pem`` - A PKCS#1 encoded EC key the private key
+  value has its high bit set.
 
 Key exchange
 ~~~~~~~~~~~~

src/rust/cryptography-key-parsing/src/dsa.rs

@@ -2,9 +2,9 @@
 // 2.0, and the BSD License. See the LICENSE file in the root of this repository
 // for complete details.
 
-use crate::KeyParsingResult;
+use crate::{KeyParsingResult, KeySerializationResult};
 
-#[derive(asn1::Asn1Read)]
+#[derive(asn1::Asn1Read, asn1::Asn1Write)]
 struct DsaPrivateKey<'a> {
     version: u8,
     p: asn1::BigUint<'a>,
@@ -14,6 +14,26 @@ struct DsaPrivateKey<'a> {
     priv_key: asn1::BigUint<'a>,
 }
 
+pub fn serialize_pkcs1_private_key(
+    dsa: &openssl::dsa::DsaRef<openssl::pkey::Private>,
+) -> KeySerializationResult<Vec<u8>> {
+    let p_bytes = cryptography_openssl::utils::bn_to_big_endian_bytes(dsa.p())?;
+    let q_bytes = cryptography_openssl::utils::bn_to_big_endian_bytes(dsa.q())?;
+    let g_bytes = cryptography_openssl::utils::bn_to_big_endian_bytes(dsa.g())?;
+    let pub_key_bytes = cryptography_openssl::utils::bn_to_big_endian_bytes(dsa.pub_key())?;
+    let priv_key_bytes = cryptography_openssl::utils::bn_to_big_endian_bytes(dsa.priv_key())?;
+
+    let key = DsaPrivateKey {
+        version: 0,
+        p: asn1::BigUint::new(&p_bytes).unwrap(),
+        q: asn1::BigUint::new(&q_bytes).unwrap(),
+        g: asn1::BigUint::new(&g_bytes).unwrap(),
+        pub_key: asn1::BigUint::new(&pub_key_bytes).unwrap(),
+        priv_key: asn1::BigUint::new(&priv_key_bytes).unwrap(),
+    };
+    Ok(asn1::write_single(&key)?)
+}
+
 pub fn parse_pkcs1_private_key(
     data: &[u8],
 ) -> KeyParsingResult<openssl::pkey::PKey<openssl::pkey::Private>> {

src/rust/cryptography-key-parsing/src/ec.rs

@@ -5,10 +5,10 @@
 use cryptography_x509::common::EcParameters;
 use cryptography_x509::ec_constants;
 
-use crate::{KeyParsingError, KeyParsingResult};
+use crate::{KeyParsingError, KeyParsingResult, KeySerializationResult};
 
 // From RFC 5915 Section 3
-#[derive(asn1::Asn1Read)]
+#[derive(asn1::Asn1Read, asn1::Asn1Write)]
 pub(crate) struct EcPrivateKey<'a> {
     pub(crate) version: u8,
     pub(crate) private_key: &'a [u8],
@@ -18,6 +18,37 @@ pub(crate) struct EcPrivateKey<'a> {
     pub(crate) public_key: Option<asn1::BitString<'a>>,
 }
 
+pub(crate) fn group_to_curve_oid(
+    group: &openssl::ec::EcGroupRef,
+) -> Option<asn1::ObjectIdentifier> {
+    let nid = group.curve_name()?;
+    match nid {
+        openssl::nid::Nid::X9_62_PRIME192V1 => Some(cryptography_x509::oid::EC_SECP192R1),
+        openssl::nid::Nid::SECP224R1 => Some(cryptography_x509::oid::EC_SECP224R1),
+        openssl::nid::Nid::X9_62_PRIME256V1 => Some(cryptography_x509::oid::EC_SECP256R1),
+        openssl::nid::Nid::SECP384R1 => Some(cryptography_x509::oid::EC_SECP384R1),
+        openssl::nid::Nid::SECP521R1 => Some(cryptography_x509::oid::EC_SECP521R1),
+        openssl::nid::Nid::SECP256K1 => Some(cryptography_x509::oid::EC_SECP256K1),
+        openssl::nid::Nid::SECT233R1 => Some(cryptography_x509::oid::EC_SECT233R1),
+        openssl::nid::Nid::SECT283R1 => Some(cryptography_x509::oid::EC_SECT283R1),
+        openssl::nid::Nid::SECT409R1 => Some(cryptography_x509::oid::EC_SECT409R1),
+        openssl::nid::Nid::SECT571R1 => Some(cryptography_x509::oid::EC_SECT571R1),
+        openssl::nid::Nid::SECT163R2 => Some(cryptography_x509::oid::EC_SECT163R2),
+        openssl::nid::Nid::SECT163K1 => Some(cryptography_x509::oid::EC_SECT163K1),
+        openssl::nid::Nid::SECT233K1 => Some(cryptography_x509::oid::EC_SECT233K1),
+        openssl::nid::Nid::SECT283K1 => Some(cryptography_x509::oid::EC_SECT283K1),
+        openssl::nid::Nid::SECT409K1 => Some(cryptography_x509::oid::EC_SECT409K1),
+        openssl::nid::Nid::SECT571K1 => Some(cryptography_x509::oid::EC_SECT571K1),
+        #[cfg(not(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC)))]
+        openssl::nid::Nid::BRAINPOOL_P256R1 => Some(cryptography_x509::oid::EC_BRAINPOOLP256R1),
+        #[cfg(not(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC)))]
+        openssl::nid::Nid::BRAINPOOL_P384R1 => Some(cryptography_x509::oid::EC_BRAINPOOLP384R1),
+        #[cfg(not(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC)))]
+        openssl::nid::Nid::BRAINPOOL_P512R1 => Some(cryptography_x509::oid::EC_BRAINPOOLP512R1),
+        _ => None,
+    }
+}
+
 pub(crate) fn ec_params_to_group(
     params: &EcParameters<'_>,
 ) -> KeyParsingResult<openssl::ec::EcGroup> {
@@ -88,6 +119,29 @@ pub(crate) fn ec_params_to_group(
     }
 }
 
+pub fn serialize_pkcs1_private_key(
+    ec: &openssl::ec::EcKeyRef<openssl::pkey::Private>,
+) -> KeySerializationResult<Vec<u8>> {
+    let curve_oid = group_to_curve_oid(ec.group()).expect("Unknown curve");
+
+    let private_key_bytes = ec.private_key().to_vec();
+
+    let mut bn_ctx = openssl::bn::BigNumContext::new()?;
+    let public_key_bytes = ec.public_key().to_bytes(
+        ec.group(),
+        openssl::ec::PointConversionForm::UNCOMPRESSED,
+        &mut bn_ctx,
+    )?;
+
+    let key = EcPrivateKey {
+        version: 1,
+        private_key: &private_key_bytes,
+        parameters: Some(EcParameters::NamedCurve(curve_oid)),
+        public_key: Some(asn1::BitString::new(&public_key_bytes, 0).unwrap()),
+    };
+    Ok(asn1::write_single(&key)?)
+}
+
 pub fn parse_pkcs1_private_key(
     data: &[u8],
     ec_params: Option<EcParameters<'_>>,

src/rust/cryptography-key-parsing/src/rsa.rs

@@ -11,7 +11,7 @@ pub struct Pkcs1RsaPublicKey<'a> {
 }
 
 // RFC 8017, Section A.1.2
-#[derive(asn1::Asn1Read)]
+#[derive(asn1::Asn1Read, asn1::Asn1Write)]
 pub(crate) struct RsaPrivateKey<'a> {
     pub(crate) version: u8,
     pub(crate) n: asn1::BigUint<'a>,
@@ -51,6 +51,33 @@ pub fn serialize_pkcs1_public_key(
     Ok(asn1::write_single(&key)?)
 }
 
+pub fn serialize_pkcs1_private_key(
+    rsa: &openssl::rsa::RsaRef<openssl::pkey::Private>,
+) -> KeySerializationResult<Vec<u8>> {
+    let n_bytes = cryptography_openssl::utils::bn_to_big_endian_bytes(rsa.n())?;
+    let e_bytes = cryptography_openssl::utils::bn_to_big_endian_bytes(rsa.e())?;
+    let d_bytes = cryptography_openssl::utils::bn_to_big_endian_bytes(rsa.d())?;
+    let p_bytes = cryptography_openssl::utils::bn_to_big_endian_bytes(rsa.p().unwrap())?;
+    let q_bytes = cryptography_openssl::utils::bn_to_big_endian_bytes(rsa.q().unwrap())?;
+    let dmp1_bytes = cryptography_openssl::utils::bn_to_big_endian_bytes(rsa.dmp1().unwrap())?;
+    let dmq1_bytes = cryptography_openssl::utils::bn_to_big_endian_bytes(rsa.dmq1().unwrap())?;
+    let iqmp_bytes = cryptography_openssl::utils::bn_to_big_endian_bytes(rsa.iqmp().unwrap())?;
+
+    let key = RsaPrivateKey {
+        version: 0,
+        n: asn1::BigUint::new(&n_bytes).unwrap(),
+        e: asn1::BigUint::new(&e_bytes).unwrap(),
+        d: asn1::BigUint::new(&d_bytes).unwrap(),
+        p: asn1::BigUint::new(&p_bytes).unwrap(),
+        q: asn1::BigUint::new(&q_bytes).unwrap(),
+        dmp1: asn1::BigUint::new(&dmp1_bytes).unwrap(),
+        dmq1: asn1::BigUint::new(&dmq1_bytes).unwrap(),
+        iqmp: asn1::BigUint::new(&iqmp_bytes).unwrap(),
+        other_prime_infos: None,
+    };
+    Ok(asn1::write_single(&key)?)
+}
+
 pub fn parse_pkcs1_private_key(
     data: &[u8],
 ) -> KeyParsingResult<openssl::pkey::PKey<openssl::pkey::Private>> {

src/rust/cryptography-key-parsing/src/spki.rs

@@ -150,32 +150,7 @@ pub fn serialize_public_key(
         let pkcs1_der = crate::rsa::serialize_pkcs1_public_key(&rsa)?;
         (AlgorithmParameters::Rsa(Some(())), pkcs1_der)
     } else if let Ok(ec) = pkey.ec_key() {
-        let curve_nid = ec.group().curve_name();
-        let curve_oid = match curve_nid {
-            Some(openssl::nid::Nid::X9_62_PRIME192V1) => cryptography_x509::oid::EC_SECP192R1,
-            Some(openssl::nid::Nid::SECP224R1) => cryptography_x509::oid::EC_SECP224R1,
-            Some(openssl::nid::Nid::X9_62_PRIME256V1) => cryptography_x509::oid::EC_SECP256R1,
-            Some(openssl::nid::Nid::SECP384R1) => cryptography_x509::oid::EC_SECP384R1,
-            Some(openssl::nid::Nid::SECP521R1) => cryptography_x509::oid::EC_SECP521R1,
-            Some(openssl::nid::Nid::SECP256K1) => cryptography_x509::oid::EC_SECP256K1,
-            Some(openssl::nid::Nid::SECT233R1) => cryptography_x509::oid::EC_SECT233R1,
-            Some(openssl::nid::Nid::SECT283R1) => cryptography_x509::oid::EC_SECT283R1,
-            Some(openssl::nid::Nid::SECT409R1) => cryptography_x509::oid::EC_SECT409R1,
-            Some(openssl::nid::Nid::SECT571R1) => cryptography_x509::oid::EC_SECT571R1,
-            Some(openssl::nid::Nid::SECT163R2) => cryptography_x509::oid::EC_SECT163R2,
-            Some(openssl::nid::Nid::SECT163K1) => cryptography_x509::oid::EC_SECT163K1,
-            Some(openssl::nid::Nid::SECT233K1) => cryptography_x509::oid::EC_SECT233K1,
-            Some(openssl::nid::Nid::SECT283K1) => cryptography_x509::oid::EC_SECT283K1,
-            Some(openssl::nid::Nid::SECT409K1) => cryptography_x509::oid::EC_SECT409K1,
-            Some(openssl::nid::Nid::SECT571K1) => cryptography_x509::oid::EC_SECT571K1,
-            #[cfg(not(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC)))]
-            Some(openssl::nid::Nid::BRAINPOOL_P256R1) => cryptography_x509::oid::EC_BRAINPOOLP256R1,
-            #[cfg(not(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC)))]
-            Some(openssl::nid::Nid::BRAINPOOL_P384R1) => cryptography_x509::oid::EC_BRAINPOOLP384R1,
-            #[cfg(not(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC)))]
-            Some(openssl::nid::Nid::BRAINPOOL_P512R1) => cryptography_x509::oid::EC_BRAINPOOLP512R1,
-            _ => unimplemented!("Unknown curve"),
-        };
+        let curve_oid = crate::ec::group_to_curve_oid(ec.group()).expect("Unknown curve");
 
         let mut bn_ctx = openssl::bn::BigNumContext::new()?;
         let point_bytes = ec.public_key().to_bytes(

src/rust/src/backend/utils.rs

@@ -138,8 +138,8 @@ pub(crate) fn pkey_private_bytes<'p>(
             ));
         }
         if let Ok(rsa) = pkey.rsa() {
+            let der_bytes = cryptography_key_parsing::rsa::serialize_pkcs1_private_key(&rsa)?;
             if encoding.is(&types::ENCODING_PEM.get(py)?) {
-                let der_bytes = rsa.private_key_to_der()?;
                 let pem_bytes = cryptography_key_parsing::pem::encrypt_pem(
                     "RSA PRIVATE KEY",
                     &der_bytes,
@@ -155,12 +155,11 @@ pub(crate) fn pkey_private_bytes<'p>(
                     ));
                 }
 
-                let der_bytes = rsa.private_key_to_der()?;
                 return Ok(pyo3::types::PyBytes::new(py, &der_bytes));
             }
         } else if let Ok(dsa) = pkey.dsa() {
+            let der_bytes = cryptography_key_parsing::dsa::serialize_pkcs1_private_key(&dsa)?;
             if encoding.is(&types::ENCODING_PEM.get(py)?) {
-                let der_bytes = dsa.private_key_to_der()?;
                 let pem_bytes = cryptography_key_parsing::pem::encrypt_pem(
                     "DSA PRIVATE KEY",
                     &der_bytes,
@@ -176,12 +175,11 @@ pub(crate) fn pkey_private_bytes<'p>(
                     ));
                 }
 
-                let der_bytes = dsa.private_key_to_der()?;
                 return Ok(pyo3::types::PyBytes::new(py, &der_bytes));
             }
         } else if let Ok(ec) = pkey.ec_key() {
+            let der_bytes = cryptography_key_parsing::ec::serialize_pkcs1_private_key(&ec)?;
             if encoding.is(&types::ENCODING_PEM.get(py)?) {
-                let der_bytes = ec.private_key_to_der()?;
                 let pem_bytes = cryptography_key_parsing::pem::encrypt_pem(
                     "EC PRIVATE KEY",
                     &der_bytes,
@@ -197,7 +195,6 @@ pub(crate) fn pkey_private_bytes<'p>(
                     ));
                 }
 
-                let der_bytes = ec.private_key_to_der()?;
                 return Ok(pyo3::types::PyBytes::new(py, &der_bytes));
             }
         }

tests/hazmat/primitives/test_ec.py

@@ -1212,6 +1212,31 @@ def test_load_private_key_invalid_version(self):
         with pytest.raises(ValueError):
             serialization.load_pem_private_key(data, password=None)
 
+    def test_private_bytes_high_private_key_bit_set(self):
+        data = load_vectors_from_file(
+            os.path.join("asymmetric", "EC", "high-bit-set.pem"),
+            lambda f: f.read(),
+            mode="rb",
+        )
+
+        key = serialization.load_pem_private_key(data, password=None)
+        assert isinstance(key, ec.EllipticCurvePrivateKey)
+        # The high bit is set in the private key. Ensure that it's not
+        # serialized with an additional leading 0, as you would if serializing
+        # an ASN.1 integer.
+        expected_private_key = (
+            0xA07AB72DF25722849DF17FCE9AF1D2AC02EFA32C3251D8E075C29EA868D9E2A2
+        )
+        assert key.private_numbers().private_value == expected_private_key
+        assert (
+            key.private_bytes(
+                serialization.Encoding.PEM,
+                serialization.PrivateFormat.TraditionalOpenSSL,
+                serialization.NoEncryption(),
+            )
+            == data
+        )
+
 
 class TestEllipticCurvePEMPublicKeySerialization:
     @pytest.mark.parametrize(

vectors/cryptography_vectors/asymmetric/EC/high-bit-set.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIKB6ty3yVyKEnfF/zprx0qwC76MsMlHY4HXCnqho2eKioAoGCCqGSM49
+AwEHoUQDQgAElI9mbdlaS+T9nHxY/59lFnn80EEecZDBHq4gLpccY8Mge5ZTMiMD
+ADRvOqQ5R98Sxst765CAqXmRtz8vwoD96g==
+-----END EC PRIVATE KEY-----