Updated to latest rustls head

Author: ancwrd1

examples/client.rs

@@ -7,8 +7,9 @@ use std::{
 
 use clap::Parser;
 use rustls::{
-    client::ResolvesClientCert, sign::CertifiedKey, ClientConfig, ClientConnection, RootCertStore,
-    SignatureScheme, Stream,
+    ClientConfig, ClientConnection, RootCertStore, SignatureScheme, Stream,
+    client::ResolvesClientCert,
+    sign::{CertifiedKey, CertifiedSigner},
 };
 use rustls_pki_types::{CertificateDer, ServerName};
 
@@ -49,20 +50,15 @@ impl ResolvesClientCert for ClientCertResolver {
         &self,
         _acceptable_issuers: &[&[u8]],
         sigschemes: &[SignatureScheme],
-    ) -> Option<Arc<CertifiedKey>> {
+    ) -> Option<CertifiedSigner> {
         println!("Server sig schemes: {sigschemes:#?}");
         let (chain, signing_key) = get_chain(&self.store, &self.cert_name).ok()?;
         if let Some(ref pin) = self.pin {
             signing_key.key().set_pin(pin).ok()?;
         }
-        for scheme in signing_key.supported_schemes() {
-            if sigschemes.contains(scheme) {
-                return CertifiedKey::new(chain, Arc::new(signing_key))
-                    .ok()
-                    .map(Arc::new);
-            }
-        }
-        None
+        CertifiedKey::new(chain.into(), Box::new(signing_key))
+            .ok()?
+            .signer(sigschemes)
     }
 
     fn has_certs(&self) -> bool {

examples/server.rs

@@ -9,9 +9,8 @@ use clap::Parser;
 use rustls::{
     RootCertStore, ServerConfig, ServerConnection, Stream,
     server::{ClientHello, ResolvesServerCert, WebPkiClientVerifier},
-    sign::CertifiedKey,
+    sign::{CertifiedKey, CertifiedSigner},
 };
-
 use rustls_cng::{
     signer::CngSigningKey,
     store::{CertStore, CertStoreType},
@@ -54,31 +53,39 @@ pub struct ServerCertResolver {
 }
 
 impl ResolvesServerCert for ServerCertResolver {
-    fn resolve(&self, client_hello: &ClientHello) -> Option<Arc<CertifiedKey>> {
+    fn resolve(&self, client_hello: &ClientHello) -> Result<CertifiedSigner, rustls::Error> {
         println!("Client hello server name: {:?}", client_hello.server_name());
-        let name = client_hello.server_name()?;
-
-        // look up certificate by subject
-        let contexts = self.store.find_by_subject_str(name).ok()?;
-
-        // attempt to acquire a private key and construct CngSigningKey
-        let (context, key) = contexts.into_iter().find_map(|ctx| {
-            let key = ctx.acquire_key(true).ok()?;
-            if let Some(ref pin) = self.pin {
-                key.set_pin(pin).ok()?;
-            }
-            CngSigningKey::new(key).ok().map(|key| (ctx, key))
-        })?;
+        let name = client_hello
+            .server_name()
+            .ok_or_else(|| rustls::Error::NoSuitableCertificate)?;
+
+        let contexts = self
+            .store
+            .find_by_subject_str(name)
+            .map_err(|_| rustls::Error::NoSuitableCertificate)?;
+
+        let (context, key) = contexts
+            .into_iter()
+            .find_map(|ctx| {
+                let key = ctx.acquire_key(true).ok()?;
+                if let Some(ref pin) = self.pin {
+                    key.set_pin(pin).ok()?;
+                }
+                CngSigningKey::new(key).ok().map(|key| (ctx, key))
+            })
+            .ok_or_else(|| rustls::Error::NoSuitableCertificate)?;
 
         println!("Key alg group: {:?}", key.key().algorithm_group());
         println!("Key alg: {:?}", key.key().algorithm());
 
-        // attempt to acquire a full certificate chain
-        let chain = context.as_chain_der().ok()?;
+        let chain = context
+            .as_chain_der()
+            .map_err(|_| rustls::Error::NoSuitableCertificate)?;
         let certs = chain.into_iter().map(Into::into).collect();
 
-        // return CertifiedKey instance
-        CertifiedKey::new(certs, Arc::new(key)).ok().map(Arc::new)
+        CertifiedKey::new(certs, Box::new(key))?
+            .signer(client_hello.signature_schemes())
+            .ok_or_else(|| rustls::Error::General("No common schemes".to_owned()))
     }
 }
 

src/cert.rs

@@ -4,7 +4,7 @@ use std::{mem, ptr, slice, sync::Arc};
 
 use windows_sys::Win32::Security::Cryptography::*;
 
-use crate::{error::CngError, key::NCryptKey, Result};
+use crate::{Result, error::CngError, key::NCryptKey};
 
 const HCCE_LOCAL_MACHINE: HCERTCHAINENGINE = 0x1 as HCERTCHAINENGINE;
 
@@ -168,8 +168,8 @@ impl CertContext {
     #[cfg(feature = "time")]
     pub fn timestamp(&self) -> Result<Option<time::UtcDateTime>> {
         use std::time::Duration;
+        use windows_sys::Win32::Foundation::{CRYPT_E_NOT_FOUND, FILETIME, GetLastError};
         use windows_sys::core::HRESULT;
-        use windows_sys::Win32::Foundation::{GetLastError, CRYPT_E_NOT_FOUND, FILETIME};
 
         // Duration between Windows epoch (1601-01-01) and Unix epoch (1970-01-01)
         const WINDOWS_TO_UNIX_EPOCH: Duration = Duration::from_secs(11_644_473_600);

src/error.rs

@@ -3,8 +3,8 @@
 use std::fmt;
 
 use windows_sys::{
+    Win32::Foundation::{ERROR_SUCCESS, GetLastError, WIN32_ERROR},
     core::HRESULT,
-    Win32::Foundation::{GetLastError, ERROR_SUCCESS, WIN32_ERROR},
 };
 
 /// Errors that may be returned in this crate

src/key.rs

@@ -3,11 +3,11 @@
 use std::{os::raw::c_void, ptr, str::FromStr, sync::Arc};
 
 use windows_sys::{
-    core::PCWSTR,
     Win32::Security::{Cryptography::*, OBJECT_SECURITY_INFORMATION},
+    core::PCWSTR,
 };
 
-use crate::{error::CngError, Result};
+use crate::{Result, error::CngError};
 
 /// Algorithm group of the CNG private key
 #[derive(Debug, Clone, Eq, PartialEq, PartialOrd)]

src/signer.rs

@@ -3,12 +3,12 @@
 use std::sync::Arc;
 
 use rustls::{
-    sign::{Signer, SigningKey},
     Error, OtherError, SignatureAlgorithm, SignatureScheme,
+    sign::{Signer, SigningKey},
 };
 use rustls_pki_types::SubjectPublicKeyInfoDer;
 use windows_sys::Win32::Security::Cryptography::{
-    BCryptHash, BCRYPT_SHA256_ALG_HANDLE, BCRYPT_SHA384_ALG_HANDLE, BCRYPT_SHA512_ALG_HANDLE,
+    BCRYPT_SHA256_ALG_HANDLE, BCRYPT_SHA384_ALG_HANDLE, BCRYPT_SHA512_ALG_HANDLE, BCryptHash,
 };
 
 use crate::key::{AlgorithmGroup, NCryptKey, SignaturePadding};
@@ -158,7 +158,7 @@ impl CngSigner {
 }
 
 impl Signer for CngSigner {
-    fn sign(&self, message: &[u8]) -> Result<Vec<u8>, Error> {
+    fn sign(self: Box<CngSigner>, message: &[u8]) -> Result<Vec<u8>, Error> {
         let (hash, padding) = self.hash(message)?;
         let signature = self
             .key
@@ -222,7 +222,9 @@ mod tests {
         let der = super::p1363_to_der(&p1363);
         assert_eq!(
             der,
-            [0x30, 0x0e, 0x02, 0x05, 0, 0x81, 2, 3, 4, 0x02, 0x05, 0, 0x85, 6, 7, 8]
+            [
+                0x30, 0x0e, 0x02, 0x05, 0, 0x81, 2, 3, 4, 0x02, 0x05, 0, 0x85, 6, 7, 8
+            ]
         )
     }
 }

src/store.rs

@@ -217,7 +217,8 @@ impl CertStore {
         unsafe {
             let mut cert: *mut CERT_CONTEXT = ptr::null_mut();
             let hash_blob = &*(find_param as *const CRYPT_INTEGER_BLOB);
-            let sha256_hash = std::slice::from_raw_parts(hash_blob.pbData, hash_blob.cbData as usize);
+            let sha256_hash =
+                std::slice::from_raw_parts(hash_blob.pbData, hash_blob.cbData as usize);
             loop {
                 cert = CertFindCertificateInStore(
                     self.0,

tests/test_client_server.rs

@@ -11,8 +11,9 @@ mod client {
     };
 
     use rustls::{
-        client::ResolvesClientCert, sign::CertifiedKey, ClientConfig, ClientConnection,
-        RootCertStore, SignatureScheme, Stream,
+        ClientConfig, ClientConnection, RootCertStore, SignatureScheme, Stream,
+        client::ResolvesClientCert,
+        sign::{CertifiedKey, CertifiedSigner},
     };
     use rustls_pki_types::CertificateDer;
 
@@ -44,17 +45,11 @@ mod client {
             &self,
             _acceptable_issuers: &[&[u8]],
             sigschemes: &[SignatureScheme],
-        ) -> Option<Arc<CertifiedKey>> {
+        ) -> Option<CertifiedSigner> {
             let (chain, signing_key) = get_chain(&self.0, &self.1).ok()?;
-            for scheme in signing_key.supported_schemes() {
-                if sigschemes.contains(scheme) {
-                    return Some(Arc::new(CertifiedKey::new_unchecked(
-                        chain,
-                        Arc::new(signing_key),
-                    )));
-                }
-            }
-            None
+            CertifiedKey::new(chain.into(), Box::new(signing_key))
+                .ok()?
+                .signer(sigschemes)
         }
 
         fn has_certs(&self) -> bool {
@@ -101,35 +96,46 @@ mod server {
     use std::{
         io::{Read, Write},
         net::{Shutdown, TcpListener, TcpStream},
-        sync::{mpsc::Sender, Arc},
+        sync::{Arc, mpsc::Sender},
     };
 
     use rustls::{
-        server::{ClientHello, ResolvesServerCert, WebPkiClientVerifier},
-        sign::CertifiedKey,
         RootCertStore, ServerConfig, ServerConnection, Stream,
+        server::{ClientHello, ResolvesServerCert, WebPkiClientVerifier},
+        sign::{CertifiedKey, CertifiedSigner},
     };
-
     use rustls_cng::{signer::CngSigningKey, store::CertStore};
 
     #[derive(Debug)]
     pub struct ServerCertResolver(CertStore);
 
     impl ResolvesServerCert for ServerCertResolver {
-        fn resolve(&self, client_hello: &ClientHello) -> Option<Arc<CertifiedKey>> {
-            let name = client_hello.server_name()?;
-
-            let contexts = self.0.find_by_subject_str(name).ok()?;
-
-            let (context, key) = contexts.into_iter().find_map(|ctx| {
-                let key = ctx.acquire_key(true).ok()?;
-                CngSigningKey::new(key).ok().map(|key| (ctx, key))
-            })?;
-
-            let chain = context.as_chain_der().ok()?;
+        fn resolve(&self, client_hello: &ClientHello) -> Result<CertifiedSigner, rustls::Error> {
+            let name = client_hello
+                .server_name()
+                .ok_or_else(|| rustls::Error::NoSuitableCertificate)?;
+
+            let contexts = self
+                .0
+                .find_by_subject_str(name)
+                .map_err(|_| rustls::Error::NoSuitableCertificate)?;
+
+            let (context, key) = contexts
+                .into_iter()
+                .find_map(|ctx| {
+                    let key = ctx.acquire_key(true).ok()?;
+                    CngSigningKey::new(key).ok().map(|key| (ctx, key))
+                })
+                .ok_or_else(|| rustls::Error::NoSuitableCertificate)?;
+
+            let chain = context
+                .as_chain_der()
+                .map_err(|_| rustls::Error::NoSuitableCertificate)?;
             let certs = chain.into_iter().map(Into::into).collect();
 
-            Some(Arc::new(CertifiedKey::new_unchecked(certs, Arc::new(key))))
+            CertifiedKey::new(certs, Box::new(key))?
+                .signer(client_hello.signature_schemes())
+                .ok_or_else(|| rustls::Error::General("No common schemes".to_owned()))
         }
     }
 

tests/test_sign.rs

@@ -1,4 +1,4 @@
-use rustls::{sign::SigningKey, SignatureAlgorithm, SignatureScheme};
+use rustls::{SignatureAlgorithm, SignatureScheme, sign::SigningKey};
 
 use rustls_cng::{signer::CngSigningKey, store::CertStore};