Merge 3d7f1a804ced1479e9d3d7967185f08ebb3058ab into 3e7f09db626e46092181714ccd5cef1aba507daa

2025-03-15 00:36:33 +00:00 · 2025-03-12 14:12:17 +01:00 · 2025-03-12 14:12:17 +01:00 · 302bb0af65
commit 302bb0af65
parent 3e7f09db62 3d7f1a804c
4 changed files with 54 additions and 22 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -834,7 +834,6 @@ dependencies = [
 "diesel-async",
 "diesel_migrations",
 "dotenv",
- "elliptic-curve",
 "email_address",
 "futures",
 "futures-util",
@ -854,7 +853,6 @@ dependencies = [
 "mime_guess",
 "oauth2",
 "openidconnect",
- "p256",
 "pbjson-types",
 "pbkdf2",
 "pem",
@ -878,6 +876,7 @@ dependencies = [
 "rustls-native-certs 0.8.1",
 "rustls-pemfile",
 "scoped-futures",
+ "sec1",
 "serde",
 "serde_json",
 "serde_urlencoded",
--- a/chirpstack/Cargo.toml
+++ b/chirpstack/Cargo.toml
@ -120,8 +120,7 @@
  pem = "3.0"
  x509-parser = "0.16"
  rsa = "0.9"
-  elliptic-curve = { version = "0.13", features = ["pem"] }
-  p256 = "0.13"
+  sec1 = { version = "0.7.3", features = ["alloc", "pem", "pkcs8"] }
  rcgen = { version = "0.13.1", features = ["x509-parser"] }
  oauth2 = "5.0.0-alpha.4"
  openidconnect = { version = "4.0.0-alpha.2", features = [
--- a/chirpstack/src/helpers/tls.rs
+++ b/chirpstack/src/helpers/tls.rs
@ -68,17 +68,34 @@ pub fn private_key_to_pkcs8(pem: &str) -> Result<String> {
        let pkcs8_pem = pkey.to_pkcs8_pem(LineEnding::default())?;
        Ok(pkcs8_pem.as_str().to_owned())
    } else if pem.contains("EC PRIVATE KEY") {
-        use elliptic_curve::{
-            pkcs8::{EncodePrivateKey, LineEnding},
-            SecretKey,
+        use sec1::{
+            der::{Decode, Encode, EncodePem},
+            pkcs8::{AlgorithmIdentifierRef, PrivateKeyInfo},
+            EcPrivateKey, LineEnding,
        };

-        // We assume it is a P256 based secret-key, which is the most popular curve.
-        // Attempting to decode it as P256 is still better than just failing to read it.
-        let pkey: SecretKey<p256::NistP256> =
-            SecretKey::from_sec1_pem(pem).context("Read EC SEC1")?;
-        let pkcs8_pem = pkey.to_pkcs8_pem(LineEnding::default())?;
-        Ok(pkcs8_pem.as_str().to_owned())
+        // Get a SEC1 ECPrivateKey from the PEM string input
+        let pem = pem::parse(pem).context("Parse PEM string")?;
+        let pkey =
+            EcPrivateKey::from_der(pem.contents()).context("Decode PEM into SEC1 ECPrivateKey")?;
+
+        // Retrieve the curve name from the decoded private key's parameters
+        let params_oid = pkey.parameters.and_then(|params| params.named_curve());
+
+        // Get the proper types to construct a PKCS#8 PrivateKeyInfo
+        let private_key = &pkey.to_der()?;
+        let algorithm = AlgorithmIdentifierRef {
+            oid: sec1::ALGORITHM_OID,
+            parameters: params_oid.as_ref().map(Into::into),
+        };
+
+        let pkcs8 = PrivateKeyInfo {
+            algorithm,
+            private_key,
+            public_key: None,
+        };
+
+        Ok(pkcs8.to_pem(LineEnding::default())?)
    } else {
        Ok(pem.to_string())
    }
--- a/chirpstack/src/helpers/tls22.rs
+++ b/chirpstack/src/helpers/tls22.rs
@ -71,17 +71,34 @@ pub fn private_key_to_pkcs8(pem: &str) -> Result<String> {
        let pkcs8_pem = pkey.to_pkcs8_pem(LineEnding::default())?;
        Ok(pkcs8_pem.as_str().to_owned())
    } else if pem.contains("EC PRIVATE KEY") {
-        use elliptic_curve::{
-            pkcs8::{EncodePrivateKey, LineEnding},
-            SecretKey,
+        use sec1::{
+            der::{Decode, Encode, EncodePem},
+            pkcs8::{AlgorithmIdentifierRef, PrivateKeyInfo},
+            EcPrivateKey, LineEnding,
        };

-        // We assume it is a P256 based secret-key, which is the most popular curve.
-        // Attempting to decode it as P256 is still better than just failing to read it.
-        let pkey: SecretKey<p256::NistP256> =
-            SecretKey::from_sec1_pem(pem).context("Read EC SEC1")?;
-        let pkcs8_pem = pkey.to_pkcs8_pem(LineEnding::default())?;
-        Ok(pkcs8_pem.as_str().to_owned())
+        // Get a SEC1 ECPrivateKey from the PEM string input
+        let pem = pem::parse(pem).context("Parse PEM string")?;
+        let pkey =
+            EcPrivateKey::from_der(pem.contents()).context("Decode PEM into SEC1 ECPrivateKey")?;
+
+        // Retrieve the curve name from the decoded private key's parameters
+        let params_oid = pkey.parameters.and_then(|params| params.named_curve());
+
+        // Get the proper types to construct a PKCS#8 PrivateKeyInfo
+        let private_key = &pkey.to_der()?;
+        let algorithm = AlgorithmIdentifierRef {
+            oid: sec1::ALGORITHM_OID,
+            parameters: params_oid.as_ref().map(Into::into),
+        };
+
+        let pkcs8 = PrivateKeyInfo {
+            algorithm,
+            private_key,
+            public_key: None,
+        };
+
+        Ok(pkcs8.to_pem(LineEnding::default())?)
    } else {
        Ok(pem.to_string())
    }