From ea22440767854966ab9d2ae32447a33c52f54f65 Mon Sep 17 00:00:00 2001
From: Tony Arcieri
Date: Wed, 5 Jun 2024 19:00:23 -0600
Subject: [PATCH] pkcs8: use `pbes2::Parameters::recommended`

When encrypting private keys, uses the recommended set of parameters from the `pbes2` crate. This uses scrypt with parameters explicitly selected to be compatible with OpenSSL so it's capable of decrypting keys encrypted using the `pkcs8` crate.
Closes #429
---
 pkcs8/Cargo.toml | 2 +-
 pkcs8/src/encrypted_private_key_info.rs | 15 +++------------
 pkcs8/src/private_key_info.rs | 7 ++-----
 pkcs8/src/traits.rs | 9 +++------
 4 files changed, 9 insertions(+), 24 deletions(-)

diff --git a/pkcs8/Cargo.toml b/pkcs8/Cargo.toml
index aa1dc46aa..43606ee3f 100644
--- a/pkcs8/Cargo.toml
+++ b/pkcs8/Cargo.toml
@@ -22,7 +22,7 @@ spki = { version = "=0.8.0-pre.0" }
 # optional dependencies
 rand_core = { version = "0.6", optional = true, default-features = false }
-pkcs5 = { version = "=0.8.0-pre.0", optional = true }
+pkcs5 = { version = "=0.8.0-pre.0", optional = true, features = ["rand_core"] }
 subtle = { version = "2", optional = true, default-features = false }
 [dev-dependencies]
diff --git a/pkcs8/src/encrypted_private_key_info.rs b/pkcs8/src/encrypted_private_key_info.rs
index 12fafdf21..19575bf2f 100644
--- a/pkcs8/src/encrypted_private_key_info.rs
+++ b/pkcs8/src/encrypted_private_key_info.rs
@@ -12,10 +12,7 @@ use pkcs5::EncryptionScheme;
 use der::SecretDocument;
 #[cfg(feature = "encryption")]
-use {
- pkcs5::pbes2,
- rand_core::{CryptoRng, RngCore},
-};
+use {pkcs5::pbes2, rand_core::CryptoRngCore};
 #[cfg(feature = "pem")]
 use der::pem::PemLabel;
@@ -64,17 +61,11 @@ impl<'a> EncryptedPrivateKeyInfo<'a> {
 /// derived from the provided password.
 #[cfg(feature = "encryption")]
 pub(crate) fn encrypt(
- mut rng: impl CryptoRng + RngCore,
+ rng: &mut impl CryptoRngCore,
 password: impl AsRef<[u8]>,
 doc: &[u8],
 ) -> Result {
- let mut salt = [0u8; 16];
- rng.fill_bytes(&mut salt);
-
- let mut iv = [0u8; 16];
- rng.fill_bytes(&mut iv);
-
- let pbes2_params = pbes2::Parameters::scrypt_aes256cbc(Default::default(), &salt, iv)?;
+ let pbes2_params = pbes2::Parameters::recommended(rng);
 EncryptedPrivateKeyInfo::encrypt_with(pbes2_params, password, doc)
 }
diff --git a/pkcs8/src/private_key_info.rs b/pkcs8/src/private_key_info.rs
index b3550d619..03b7ca162 100644
--- a/pkcs8/src/private_key_info.rs
+++ b/pkcs8/src/private_key_info.rs
@@ -13,10 +13,7 @@ use der::SecretDocument;
 #[cfg(feature = "encryption")]
 use {
- crate::EncryptedPrivateKeyInfo,
- der::zeroize::Zeroizing,
- pkcs5::pbes2,
- rand_core::{CryptoRng, RngCore},
+ crate::EncryptedPrivateKeyInfo, der::zeroize::Zeroizing, pkcs5::pbes2, rand_core::CryptoRngCore,
 };
 #[cfg(feature = "pem")]
@@ -137,7 +134,7 @@ impl<'a> PrivateKeyInfo<'a> {
 #[cfg(feature = "encryption")]
 pub fn encrypt(
 &self,
- rng: impl CryptoRng + RngCore,
+ rng: &mut impl CryptoRngCore,
 password: impl AsRef<[u8]>,
 ) -> Result {
 let der = Zeroizing::new(self.to_der()?);
diff --git a/pkcs8/src/traits.rs b/pkcs8/src/traits.rs
index 9cd4116d6..a38a78e6d 100644
--- a/pkcs8/src/traits.rs
+++ b/pkcs8/src/traits.rs
@@ -6,10 +6,7 @@ use crate::{Error, PrivateKeyInfo, Result};
 use der::SecretDocument;
 #[cfg(feature = "encryption")]
-use {
- crate::EncryptedPrivateKeyInfo,
- rand_core::{CryptoRng, RngCore},
-};
+use {crate::EncryptedPrivateKeyInfo, rand_core::CryptoRngCore};
 #[cfg(feature = "pem")]
 use {
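Review bot: In `EncryptedPrivateKeyInfo::encrypt` (pkcs8/src/encrypted_private_key_info.rs, hunk at -64,17) the KDF, its cost parameters and the salt/IV generation are now all decided inside `pbes2::Parameters::recommended`, and nothing in this crate documents or pins that choice. The commit message says the scrypt parameters were selected for OpenSSL compatibility, which may mean a different work factor from the `Default::default()` scrypt parameters used before; the doc comment should say so, for example `/// Parameters come from pbes2::Parameters::recommended (scrypt, tuned for OpenSSL interoperability).` A test that encrypts a key, parses the output and asserts the selected KDF and its parameters would catch a later pkcs5 change that silently alters these defaults. The doc comment begins above the hunk, so only its last line is visible here.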
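Review bot: `PrivateKeyInfo::encrypt` (pkcs8/src/private_key_info.rs, hunk at -137,7) changes a public signature from a by-value `impl CryptoRng + RngCore` to `rng: &mut impl CryptoRngCore`, and none of the visible hunks touch a doc comment or example for it. The same applies to `to_pkcs8_encrypted_der` and `to_pkcs8_encrypted_pem` in pkcs8/src/traits.rs. Callers that pass the generator by value will stop compiling, and because the trait methods have default bodies, implementors that override them presumably break as well. Each method's docs should gain a line such as `/// The RNG is only borrowed; it is used to generate the PBES2 salt and IV.` (this assumes `recommended` draws both from it, as the removed code did), and the break should be recorded in the changelog. The function bodies continue outside these hunks.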
@@ -106,7 +103,7 @@ pub trait EncodePrivateKey {
 #[cfg(feature = "encryption")]
 fn to_pkcs8_encrypted_der(
 &self,
- rng: impl CryptoRng + RngCore,
+ rng: &mut impl CryptoRngCore,
 password: impl AsRef<[u8]>,
 ) -> Result {
 EncryptedPrivateKeyInfo::encrypt(rng, password, self.to_pkcs8_der()?.as_bytes())
@@ -124,7 +121,7 @@ pub trait EncodePrivateKey {
 #[cfg(all(feature = "encryption", feature = "pem"))]
 fn to_pkcs8_encrypted_pem(
 &self,
- rng: impl CryptoRng + RngCore,
+ rng: &mut impl CryptoRngCore,
 password: impl AsRef<[u8]>,
 line_ending: LineEnding,
 ) -> Result> {