PKCS1 support for RSA-PSS (on top of PKCS8 which was already supported)

gasbytes · gasbytes · commit 0776339cb944 · 2025-02-18T15:41:42.000+01:00
diff --git a/rustls-wolfcrypt-provider/src/sign/rsapkcs1.rs b/rustls-wolfcrypt-provider/src/sign/rsapkcs1.rs
@@ -38,6 +38,8 @@ impl TryFrom<&PrivateKeyDer<'_>> for RsaPkcs1PrivateKey {
     fn try_from(value: &PrivateKeyDer<'_>) -> Result<Self, Self::Error> {
         match value {
             PrivateKeyDer::Pkcs1(der) => {
+                log::info!("Converting PKCS1 to RSAPKCS1");
+
                 let pkcs1: &[u8] = der.secret_pkcs1_der();
                 let pkcs1_sz: word32 = pkcs1.len() as word32;
                 let mut ret;
diff --git a/rustls-wolfcrypt-provider/src/sign/rsapss.rs b/rustls-wolfcrypt-provider/src/sign/rsapss.rs
@@ -39,6 +39,8 @@ impl TryFrom<&PrivateKeyDer<'_>> for RsaPssPrivateKey {
     fn try_from(value: &PrivateKeyDer<'_>) -> Result<Self, Self::Error> {
         match value {
             PrivateKeyDer::Pkcs8(der) => {
+                log::info!("Converting PKCS8 to RSAPSS");
+
                 let pkcs8: &[u8] = der.secret_pkcs8_der();
                 let pkcs8_sz: word32 = pkcs8.len() as word32;
                 let mut ret;
@@ -62,6 +64,37 @@ impl TryFrom<&PrivateKeyDer<'_>> for RsaPssPrivateKey {
                 check_if_zero(ret)
                     .map_err(|_| rustls::Error::General("FFI function failed".into()))?;
 
+                Ok(Self {
+                    key: Arc::new(rsa_key_object),
+                    algo: SignatureAlgorithm::RSA,
+                })
+            },
+            PrivateKeyDer::Pkcs1(der) => {
+                log::info!("Converting PKCS1 key to RSAPSS key");
+
+                let pkcs1: &[u8] = der.secret_pkcs1_der();
+                let pkcs1_sz: word32 = pkcs1.len() as word32;
+                let mut ret;
+                let rsa_key_box = Box::new(unsafe { mem::zeroed::<RsaKey>() });
+                let rsa_key_ptr = Box::into_raw(rsa_key_box);
+                let rsa_key_object = unsafe { RsaKeyObject::from_ptr(rsa_key_ptr) };
+
+                ret = unsafe { wc_InitRsaKey(rsa_key_object.as_ptr(), ptr::null_mut()) };
+                check_if_zero(ret).unwrap();
+
+                let mut idx: u32 = 0;
+
+                ret = unsafe {
+                    wc_RsaPrivateKeyDecode(
+                        pkcs1.as_ptr() as *mut u8,
+                        &mut idx,
+                        rsa_key_object.as_ptr(),
+                        pkcs1_sz,
+                    )
+                };
+                check_if_zero(ret)
+                    .map_err(|_| rustls::Error::General("FFI function failed".into()))?;
+
                 Ok(Self {
                     key: Arc::new(rsa_key_object),
                     algo: SignatureAlgorithm::RSA,
diff --git a/rustls-wolfcrypt-provider/tests/e2e.rs b/rustls-wolfcrypt-provider/tests/e2e.rs
@@ -578,6 +578,8 @@ mod tests {
     fn rsa_pss_sign_and_verify() {
         init_thread_pool();
 
+        env_logger::init();
+
         let wolfcrypt_default_provider = rustls_wolfcrypt_provider::provider();
         let schemes = [
             SignatureScheme::RSA_PSS_SHA256,
@@ -591,13 +593,19 @@ mod tests {
             .collect();
 
         test_cases.par_iter().for_each(|&(scheme, key_size)| {
-            generate_and_test_pss_key(&wolfcrypt_default_provider, scheme, key_size).expect(
+            generate_and_test_rsa_pkcs8_key(&wolfcrypt_default_provider, scheme, key_size).expect(
+                &format!("Failed for scheme {:?} with key size {}", scheme, key_size),
+            );
+        });
+
+        test_cases.par_iter().for_each(|&(scheme, key_size)| {
+            generate_and_test_rsa_pkcs1_key(&wolfcrypt_default_provider, scheme, key_size).expect(
                 &format!("Failed for scheme {:?} with key size {}", scheme, key_size),
             );
         });
     }
 
-    fn generate_and_test_pss_key(
+    fn generate_and_test_rsa_pkcs8_key(
         provider: &CryptoProvider,
         scheme: SignatureScheme,
         key_size: usize,
@@ -663,6 +671,8 @@ mod tests {
     fn rsa_pkcs1_sign_and_verify() {
         init_thread_pool();
 
+        env_logger::init();
+
         let wolfcrypt_default_provider = rustls_wolfcrypt_provider::provider();
         let test_cases: Vec<_> = [
             SignatureScheme::RSA_PKCS1_SHA256,
@@ -674,13 +684,13 @@ mod tests {
         .collect();
 
         test_cases.par_iter().for_each(|&(scheme, key_size)| {
-            generate_and_test_pkcs1_key(&wolfcrypt_default_provider, scheme, key_size).expect(
+            generate_and_test_rsa_pkcs1_key(&wolfcrypt_default_provider, scheme, key_size).expect(
                 &format!("Failed for scheme {:?} with key size {}", scheme, key_size),
             );
         });
     }
 
-    fn generate_and_test_pkcs1_key(
+    fn generate_and_test_rsa_pkcs1_key(
         provider: &CryptoProvider,
         scheme: SignatureScheme,
         key_size: usize,
