pem: use local PEM parser and generator, strict is strict

Author: karalabe

Cargo.lock

@@ -20,10 +20,10 @@ argon2 = ["dep:argon2"]
 async = ["dep:futures"]
 cbor = ["dep:thiserror"]
 cose = ["cbor", "xhpke"]
-eddsa = ["dep:ed25519-dalek", "dep:sha2", "dep:signature"]
+eddsa = ["pem", "dep:ed25519-dalek", "dep:sha2", "dep:signature"]
 hkdf = ["dep:hkdf", "dep:sha2"]
 mldsa = ["pem", "dep:der", "dep:ml-dsa", "dep:pkcs8", "dep:sha2", "dep:spki", "dep:subtle", "dep:zeroize"]
-pem = ["dep:pem"]
+pem = ["dep:base64"]
 rand = []
 rsa = ["pem", "dep:rsa", "dep:signature"]
 stream = ["dep:age-core", "dep:chacha20poly1305", "dep:pin-project", "dep:zeroize"]
@@ -34,6 +34,7 @@ xhpke = ["pem", "xdsa", "dep:generic-array", "dep:hpke", "dep:rand", "dep:rand_c
 [dependencies]
 age-core = { version = "0.11.0", optional = true }
 argon2 = { version = "0.5.3", optional = true }
+base64 = { version = "0.22.1", optional = true }
 bcder = { version = "0.7.5", optional = true }
 bytes = { version = "1.10.1", optional = true }
 chacha20poly1305 = { version = "0.10.1", optional = true }
@@ -47,7 +48,6 @@ hkdf = { version = "0.12.4", optional = true }
 getrandom02 = { package = "getrandom", version = "0.2", features = ["js"] }
 getrandom = { version = "0.3.3", features = ["wasm_js"] }
 hpke = { version = "0.13.0", features = ["std"], optional = true }
-pem = { version = "3.0.5", optional = true }
 pin-project = { version = "1.1.9", optional = true }
 pkcs8 = { version = "0.10.2", features = ["std"], optional = true }
 rand = { version = "0.9.2", optional = true }

Cargo.toml

@@ -9,12 +9,13 @@
 //! https://datatracker.ietf.org/doc/html/rfc8032
 
 use ed25519_dalek::ed25519::signature::rand_core::OsRng;
-use ed25519_dalek::pkcs8::spki::der::pem::LineEnding;
 use ed25519_dalek::pkcs8::{DecodePrivateKey, DecodePublicKey, EncodePrivateKey, EncodePublicKey};
 use ed25519_dalek::{Signature, SignatureError, Signer, Verifier};
 use sha2::Digest;
 use std::error::Error;
 
+use crate::pem;
+
 /// SecretKey contains an Ed25519 private key usable for signing.
 #[derive(Clone)]
 pub struct SecretKey {
@@ -44,9 +45,12 @@ impl SecretKey {
     }
 
     /// from_pem parses a PEM string into a private key.
-    pub fn from_pem(pem: &str) -> Result<Self, Box<dyn Error>> {
-        let inner = ed25519_dalek::SigningKey::from_pkcs8_pem(pem)?;
-        Ok(Self { inner })
+    pub fn from_pem(pem_str: &str) -> Result<Self, Box<dyn Error>> {
+        let (kind, data) = pem::decode(pem_str.as_bytes())?;
+        if kind != "PRIVATE KEY" {
+            return Err(format!("invalid PEM tag {}", kind).into());
+        }
+        Self::from_der(&data)
     }
 
     /// to_bytes converts a private key into a 32-byte array.
@@ -61,7 +65,7 @@ impl SecretKey {
 
     /// to_pem serializes a private key into a PEM string.
     pub fn to_pem(&self) -> String {
-        self.inner.to_pkcs8_pem(LineEnding::LF).unwrap().to_string()
+        pem::encode("PRIVATE KEY", &self.to_der())
     }
 
     /// public_key retrieves the public counterpart of the secret key.
@@ -103,9 +107,12 @@ impl PublicKey {
     }
 
     /// from_pem parses a PEM string into a public key.
-    pub fn from_pem(pem: &str) -> Result<Self, Box<dyn Error>> {
-        let inner = ed25519_dalek::VerifyingKey::from_public_key_pem(pem)?;
-        Ok(Self { inner })
+    pub fn from_pem(pem_str: &str) -> Result<Self, Box<dyn Error>> {
+        let (kind, data) = pem::decode(pem_str.as_bytes())?;
+        if kind != "PUBLIC KEY" {
+            return Err(format!("invalid PEM tag {}", kind).into());
+        }
+        Self::from_der(&data)
     }
 
     /// to_bytes converts a public key into a 32-byte array.
@@ -120,10 +127,7 @@ impl PublicKey {
 
     /// to_pem serializes a public key into a PEM string.
     pub fn to_pem(&self) -> String {
-        self.inner
-            .to_public_key_pem(LineEnding::LF)
-            .unwrap()
-            .to_string()
+        pem::encode("PUBLIC KEY", &self.to_der())
     }
 
     /// fingerprint returns a 256bit unique identified for this key. For Ed25519,

src/eddsa/mod.rs

@@ -24,11 +24,12 @@ pub mod cose;
 #[cfg(feature = "eddsa")]
 pub mod eddsa;
 
-pub(crate) mod internal;
-
 #[cfg(feature = "mldsa")]
 pub mod mldsa;
 
+#[cfg(feature = "pem")]
+pub mod pem;
+
 #[cfg(feature = "rsa")]
 pub mod rsa;
 

src/internal/mod.rs

@@ -20,6 +20,8 @@ use std::error::Error;
 use subtle::ConstantTimeEq;
 use zeroize::Zeroize;
 
+use crate::pem;
+
 /// OpenSSL ML-DSA-65 private key inner structure.
 #[derive(Clone, Debug, Eq, PartialEq, Sequence)]
 struct MlDsa65PrivateKeyInner {
@@ -94,12 +96,12 @@ impl SecretKey {
     /// from_pem parses a PEM string into a private key.
     pub fn from_pem(pem_str: &str) -> Result<Self, Box<dyn Error>> {
         // Crack open the PEM to get to the private key info
-        let res = crate::internal::pem::parse(pem_str)?;
-        if res.tag() != "PRIVATE KEY" {
-            return Err(format!("invalid PEM tag {}", res.tag()).into());
+        let (kind, data) = pem::decode(pem_str.as_bytes())?;
+        if kind != "PRIVATE KEY" {
+            return Err(format!("invalid PEM tag {}", kind).into());
         }
         // Parse the DER content
-        Self::from_der(res.contents())
+        Self::from_der(&data)
     }
 
     /// to_bytes returns the 32-byte seed of the private key.
@@ -136,11 +138,7 @@ impl SecretKey {
 
     /// to_pem serializes a private key into a PEM string.
     pub fn to_pem(&self) -> String {
-        let der = self.to_der();
-        pem::encode_config(
-            &pem::Pem::new("PRIVATE KEY", der),
-            pem::EncodeConfig::new().set_line_ending(pem::LineEnding::LF),
-        )
+        pem::encode("PRIVATE KEY", &self.to_der())
     }
 
     /// public_key retrieves the public counterpart of the secret key.
@@ -200,11 +198,11 @@ impl PublicKey {
 
     /// from_pem parses a PEM string into a public key.
     pub fn from_pem(pem_str: &str) -> Result<Self, Box<dyn Error>> {
-        let res = crate::internal::pem::parse(pem_str)?;
-        if res.tag() != "PUBLIC KEY" {
-            return Err(format!("invalid PEM tag {}", res.tag()).into());
+        let (kind, data) = pem::decode(pem_str.as_bytes())?;
+        if kind != "PUBLIC KEY" {
+            return Err(format!("invalid PEM tag {}", kind).into());
         }
-        Self::from_der(res.contents())
+        Self::from_der(&data)
     }
 
     /// to_bytes converts a public key into a 1952-byte array.
@@ -233,11 +231,7 @@ impl PublicKey {
 
     /// to_pem serializes a public key into a PEM string.
     pub fn to_pem(&self) -> String {
-        let der = self.to_der();
-        pem::encode_config(
-            &pem::Pem::new("PUBLIC KEY", der),
-            pem::EncodeConfig::new().set_line_ending(pem::LineEnding::LF),
-        )
+        pem::encode("PUBLIC KEY", &self.to_der())
     }
 
     /// fingerprint returns a 256bit unique identified for this key. For ML-DSA,