rustls · cpu · Apr 9, 2024 · Mar 28, 2024 · Apr 7, 2024 · Apr 7, 2024
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -89,7 +89,7 @@ base64 = "0.22"
 bencher = "0.1.5"
 bzip2 = "0.4.4"
 once_cell = "1.17.2"
-rcgen = { version = "0.12.0" }
+rcgen = { version = "0.13", default-features = false, features = ["aws_lc_rs"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 

diff --git a/benches/benchmark.rs b/benches/benchmark.rs
@@ -1,11 +1,12 @@
 use bencher::{benchmark_group, benchmark_main, Bencher};
 use once_cell::sync::Lazy;
 use rcgen::{
-    date_time_ymd, BasicConstraints, Certificate, CertificateParams, CertificateRevocationList,
-    CertificateRevocationListParams, IsCa, KeyIdMethod, KeyUsagePurpose, RevocationReason,
-    RevokedCertParams, SerialNumber, PKCS_ECDSA_P256_SHA256,
+    date_time_ymd, BasicConstraints, CertificateParams, CertificateRevocationListParams,
+    CertifiedKey, IsCa, KeyIdMethod, KeyPair, KeyUsagePurpose, RevocationReason, RevokedCertParams,
+    SerialNumber, PKCS_ECDSA_P256_SHA256,
 };
 
+use pki_types::CertificateRevocationListDer;
 use std::fs::File;
 use std::hint::black_box;
 use std::io::{ErrorKind, Read, Write};
@@ -16,15 +17,18 @@ use webpki::{BorrowedCertRevocationList, CertRevocationList, OwnedCertRevocation
 
 /// Lazy initialized CRL issuer to be used when generating CRL data. Includes
 /// `KeyUsagePurpose::CrlSign` key usage bit.
-static CRL_ISSUER: Lazy<Mutex<Certificate>> = Lazy::new(|| {
-    let mut issuer_params = CertificateParams::new(vec!["crl.issuer.example.com".to_string()]);
+static CRL_ISSUER: Lazy<Mutex<CertifiedKey>> = Lazy::new(|| {
+    let mut issuer_params =
+        CertificateParams::new(vec!["crl.issuer.example.com".to_string()]).unwrap();
     issuer_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
     issuer_params.key_usages = vec![
         KeyUsagePurpose::KeyCertSign,
         KeyUsagePurpose::DigitalSignature,
         KeyUsagePurpose::CrlSign,
     ];
-    Mutex::new(Certificate::from_params(issuer_params).unwrap())
+    let key_pair = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256).unwrap();
+    let cert = issuer_params.self_signed(&key_pair).unwrap();
+    Mutex::new(CertifiedKey { cert, key_pair })
 });
 
 /// Number of revoked certificates to include in the small benchmark CRL. Produces a CRL roughly
@@ -44,12 +48,15 @@ const FAKE_SERIAL: &[u8] = &[0xC0, 0xFF, 0xEE];
 /// Try to load a DER bytes from `crl_path`. If that file path does not exist, generate a CRL
 /// with `revoked_count` revoked certificates, write the DER encoding to `crl_path` and return the
 /// newly created DER bytes.
-fn load_or_generate(crl_path: impl AsRef<Path> + Copy, revoked_count: usize) -> Vec<u8> {
+fn load_or_generate(
+    crl_path: impl AsRef<Path> + Copy,
+    revoked_count: usize,
+) -> CertificateRevocationListDer<'static> {
     match File::open(crl_path) {
         Ok(mut crl_file) => {
             let mut crl_der = Vec::new();
             crl_file.read_to_end(&mut crl_der).unwrap();
-            crl_der
+            crl_der.into()
         }
         Err(e) => match e.kind() {
             ErrorKind::NotFound => match File::create(crl_path) {
@@ -68,7 +75,7 @@ fn load_or_generate(crl_path: impl AsRef<Path> + Copy, revoked_count: usize) ->
 }
 
 /// Create a new benchmark CRL with `revoked_count` revoked certificates.
-fn generate_crl(revoked_count: usize) -> Vec<u8> {
+fn generate_crl(revoked_count: usize) -> CertificateRevocationListDer<'static> {
     let mut revoked_certs = Vec::with_capacity(revoked_count);
     (0..revoked_count).for_each(|i| {
         revoked_certs.push(RevokedCertParams {
@@ -83,14 +90,14 @@ fn generate_crl(revoked_count: usize) -> Vec<u8> {
         this_update: date_time_ymd(2023, 6, 17),
         next_update: date_time_ymd(2024, 6, 17),
         crl_number: SerialNumber::from(1234),
-        alg: &PKCS_ECDSA_P256_SHA256,
         key_identifier_method: KeyIdMethod::Sha256,
         issuing_distribution_point: None,
         revoked_certs,
     };
-    let crl = CertificateRevocationList::from_params(crl).unwrap();
     let issuer = CRL_ISSUER.lock().unwrap();
-    crl.serialize_der_with_signer(&issuer).unwrap()
+    crl.signed_by(&issuer.cert, &issuer.key_pair)
+        .unwrap()
+        .into()
 }
 
 /// Benchmark parsing a small CRL file into a borrowed representation.

diff --git a/src/end_entity.rs b/src/end_entity.rs
@@ -186,6 +186,7 @@ impl<'a> Deref for EndEntityCert<'a> {
 mod tests {
     use super::*;
     use crate::test_utils;
+    use crate::test_utils::RCGEN_SIGNATURE_ALG;
     use std::prelude::v1::*;
 
     // This test reproduces https://github.com/rustls/webpki/issues/167 --- an
@@ -197,23 +198,26 @@ mod tests {
 
         let issuer = test_utils::make_issuer("Test");
 
-        let ee_cert_der = {
+        let ee_cert = {
             let mut params = test_utils::end_entity_params(vec![DNS_NAME.to_string()]);
             // construct a certificate that uses `PrintableString` as the
             // common name value, rather than `UTF8String`.
             params.distinguished_name.push(
                 rcgen::DnType::CommonName,
-                rcgen::DnValue::PrintableString("example.com".to_string()),
+                rcgen::DnValue::PrintableString(
+                    rcgen::PrintableString::try_from("example.com").unwrap(),
+                ),
             );
-            let cert = rcgen::Certificate::from_params(params)
-                .expect("failed to make ee cert (this is a test bug)");
-            let bytes = cert
-                .serialize_der_with_signer(&issuer)
-                .expect("failed to serialize signed ee cert (this is a test bug)");
-            CertificateDer::from(bytes)
+            params
+                .signed_by(
+                    &rcgen::KeyPair::generate_for(RCGEN_SIGNATURE_ALG).unwrap(),
+                    &issuer.cert,
+                    &issuer.key_pair,
+                )
+                .expect("failed to make ee cert (this is a test bug)")
         };
 
-        expect_dns_name(&ee_cert_der, DNS_NAME);
+        expect_dns_name(ee_cert.der(), DNS_NAME);
     }
 
     // This test reproduces https://github.com/rustls/webpki/issues/167 --- an

diff --git a/src/test_utils.rs b/src/test_utils.rs
@@ -1,20 +1,33 @@
 #![cfg(feature = "alloc")]
 use std::prelude::v1::*;
 
-use crate::types::CertificateDer;
-
-/// Signature algorithm used by certificates and parameters generated using the test utils helpers.
-static RCGEN_SIGNATURE_ALG: &rcgen::SignatureAlgorithm = &rcgen::PKCS_ECDSA_P256_SHA256;
+#[cfg_attr(not(feature = "ring"), allow(dead_code))]
+pub(crate) fn make_end_entity(
+    issuer: &rcgen::Certificate,
+    issuer_key: &rcgen::KeyPair,
+) -> rcgen::CertifiedKey {
+    let key_pair = rcgen::KeyPair::generate_for(RCGEN_SIGNATURE_ALG).unwrap();
+    rcgen::CertifiedKey {
+        cert: end_entity_params(vec!["example.com".into()])
+            .signed_by(&key_pair, issuer, issuer_key)
+            .unwrap(),
+        key_pair,
+    }
+}
 
-pub(crate) fn make_issuer(org_name: impl Into<String>) -> rcgen::Certificate {
-    rcgen::Certificate::from_params(issuer_params(org_name)).unwrap()
+pub(crate) fn make_issuer(org_name: impl Into<String>) -> rcgen::CertifiedKey {
+    let key_pair = rcgen::KeyPair::generate_for(RCGEN_SIGNATURE_ALG).unwrap();
+    rcgen::CertifiedKey {
+        cert: issuer_params(org_name).self_signed(&key_pair).unwrap(),
+        key_pair,
+    }
 }
 
 /// Populate a [CertificateParams] that describes an unconstrained issuer certificate capable
 /// of signing other certificates and CRLs, with the given `org_name` as an organization distinguished
 /// subject name.
 pub(crate) fn issuer_params(org_name: impl Into<String>) -> rcgen::CertificateParams {
-    let mut ca_params = rcgen::CertificateParams::new(Vec::new());
+    let mut ca_params = rcgen::CertificateParams::new(Vec::new()).unwrap();
     ca_params
         .distinguished_name
         .push(rcgen::DnType::OrganizationName, org_name);
@@ -24,23 +37,14 @@ pub(crate) fn issuer_params(org_name: impl Into<String>) -> rcgen::CertificatePa
         rcgen::KeyUsagePurpose::DigitalSignature,
         rcgen::KeyUsagePurpose::CrlSign,
     ];
-    ca_params.alg = RCGEN_SIGNATURE_ALG;
     ca_params
 }
 
-#[cfg_attr(not(feature = "ring"), allow(dead_code))]
-pub(crate) fn make_end_entity(issuer: &rcgen::Certificate) -> CertificateDer<'static> {
-    CertificateDer::from(
-        rcgen::Certificate::from_params(end_entity_params(vec!["example.com".into()]))
-            .unwrap()
-            .serialize_der_with_signer(issuer)
-            .unwrap(),
-    )
-}
-
 pub(crate) fn end_entity_params(subject_alt_names: Vec<String>) -> rcgen::CertificateParams {
-    let mut ee_params = rcgen::CertificateParams::new(subject_alt_names);
+    let mut ee_params = rcgen::CertificateParams::new(subject_alt_names).unwrap();
     ee_params.is_ca = rcgen::IsCa::ExplicitNoCa;
-    ee_params.alg = RCGEN_SIGNATURE_ALG;
     ee_params
 }
+
+/// Signature algorithm used by certificates and parameters generated using the test utils helpers.
+pub(crate) static RCGEN_SIGNATURE_ALG: &rcgen::SignatureAlgorithm = &rcgen::PKCS_ECDSA_P256_SHA256;