@@ -86,13 +86,15 @@ impl aead::NonceSequence for OneNonceSequence {
86
86
}
87
87
}
88
88
89
+ type Key = [ u8 ; KEY_AGREEMENT_ALGORITHM_KEY_LENGTH ] ;
90
+
89
91
/// Convenience struct for passing an encryption key as an argument.
90
92
#[ derive( PartialEq ) ]
91
- pub ( crate ) struct EncryptionKey ( pub ( crate ) [ u8 ; KEY_AGREEMENT_ALGORITHM_KEY_LENGTH ] ) ;
93
+ pub ( crate ) struct EncryptionKey ( pub ( crate ) Key ) ;
92
94
93
95
/// Convenience struct for passing a decryption key as an argument.
94
96
#[ derive( PartialEq ) ]
95
- pub ( crate ) struct DecryptionKey ( pub ( crate ) [ u8 ; KEY_AGREEMENT_ALGORITHM_KEY_LENGTH ] ) ;
97
+ pub ( crate ) struct DecryptionKey ( pub ( crate ) Key ) ;
96
98
97
99
/// Implementation of Authenticated Encryption with Associated Data (AEAD).
98
100
///
@@ -234,57 +236,62 @@ impl KeyNegotiator {
234
236
) -> anyhow:: Result < ( EncryptionKey , DecryptionKey ) > {
235
237
let type_ = self . type_ . clone ( ) ;
236
238
let self_public_key = self . public_key ( ) . context ( "Couldn't get self public key" ) ?;
237
- let ( encryption_key, decryption_key) = agreement:: agree_ephemeral (
238
- self . private_key ,
239
- & agreement:: UnparsedPublicKey :: new ( KEY_AGREEMENT_ALGORITHM , peer_public_key) ,
240
- anyhow ! ( "Couldn't derive session keys" ) ,
241
- |key_material| {
242
- let key_material = key_material
243
- . try_into ( )
244
- . map_err ( anyhow:: Error :: msg)
245
- . context ( format ! (
246
- "Incorrect key material length, expected {}, found {}" ,
247
- KEY_AGREEMENT_ALGORITHM_KEY_LENGTH ,
248
- key_material. len( )
249
- ) ) ?;
250
- let peer_public_key = * peer_public_key;
251
- match type_ {
252
- // On the server side `self_public_key` is the server key.
253
- KeyNegotiatorType :: Server => {
254
- let encryption_key = Self :: key_derivation_function (
255
- key_material,
256
- SERVER_KEY_PURPOSE ,
257
- & self_public_key,
258
- & peer_public_key,
259
- ) ;
260
- let decryption_key = Self :: key_derivation_function (
261
- key_material,
262
- CLIENT_KEY_PURPOSE ,
263
- & self_public_key,
264
- & peer_public_key,
265
- ) ;
266
- Ok ( ( encryption_key, decryption_key) )
267
- }
268
- // On the client side `peer_public_key` is the server key.
269
- KeyNegotiatorType :: Client => {
270
- let encryption_key = Self :: key_derivation_function (
271
- key_material,
272
- CLIENT_KEY_PURPOSE ,
273
- & peer_public_key,
274
- & self_public_key,
275
- ) ;
276
- let decryption_key = Self :: key_derivation_function (
277
- key_material,
278
- SERVER_KEY_PURPOSE ,
279
- & peer_public_key,
280
- & self_public_key,
281
- ) ;
282
- Ok ( ( encryption_key, decryption_key) )
239
+ let ( encryption_key, decryption_key) =
240
+ agreement:: agree_ephemeral (
241
+ self . private_key ,
242
+ & agreement:: UnparsedPublicKey :: new ( KEY_AGREEMENT_ALGORITHM , peer_public_key) ,
243
+ |key_material| -> Result <
244
+ ( Result < Key , anyhow:: Error > , Result < Key , anyhow:: Error > ) ,
245
+ anyhow:: Error ,
246
+ > {
247
+ let key_material = key_material
248
+ . try_into ( )
249
+ . map_err ( anyhow:: Error :: msg)
250
+ . context ( format ! (
251
+ "Incorrect key material length, expected {}, found {}" ,
252
+ KEY_AGREEMENT_ALGORITHM_KEY_LENGTH ,
253
+ key_material. len( )
254
+ ) ) ?;
255
+ let peer_public_key = * peer_public_key;
256
+ match type_ {
257
+ // On the server side `self_public_key` is the server key.
258
+ KeyNegotiatorType :: Server => {
259
+ let encryption_key = Self :: key_derivation_function (
260
+ key_material,
261
+ SERVER_KEY_PURPOSE ,
262
+ & self_public_key,
263
+ & peer_public_key,
264
+ ) ;
265
+ let decryption_key = Self :: key_derivation_function (
266
+ key_material,
267
+ CLIENT_KEY_PURPOSE ,
268
+ & self_public_key,
269
+ & peer_public_key,
270
+ ) ;
271
+ Ok ( ( encryption_key, decryption_key) )
272
+ }
273
+ // On the client side `peer_public_key` is the server key.
274
+ KeyNegotiatorType :: Client => {
275
+ let encryption_key = Self :: key_derivation_function (
276
+ key_material,
277
+ CLIENT_KEY_PURPOSE ,
278
+ & peer_public_key,
279
+ & self_public_key,
280
+ ) ;
281
+ let decryption_key = Self :: key_derivation_function (
282
+ key_material,
283
+ SERVER_KEY_PURPOSE ,
284
+ & peer_public_key,
285
+ & self_public_key,
286
+ ) ;
287
+ Ok ( ( encryption_key, decryption_key) )
288
+ }
283
289
}
284
- }
285
- } ,
286
- )
287
- . context ( "Couldn't agree on session keys" ) ?;
290
+ } ,
291
+ )
292
+ . map_err ( anyhow:: Error :: msg)
293
+ . context ( "Couldn't derive session keys" ) ?
294
+ . context ( "Couldn't agree on session keys" ) ?;
288
295
Ok ( (
289
296
EncryptionKey ( encryption_key. context ( "Couldn't derive encryption key" ) ?) ,
290
297
DecryptionKey ( decryption_key. context ( "Couldn't derive decryption key" ) ?) ,
@@ -351,8 +358,9 @@ impl Signer {
351
358
let rng = ring:: rand:: SystemRandom :: new ( ) ;
352
359
let key_pair_pkcs8 = EcdsaKeyPair :: generate_pkcs8 ( SIGNING_ALGORITHM , & rng)
353
360
. map_err ( |error| anyhow ! ( "Couldn't generate PKCS#8 key pair: {:?}" , error) ) ?;
354
- let key_pair = EcdsaKeyPair :: from_pkcs8 ( SIGNING_ALGORITHM , key_pair_pkcs8. as_ref ( ) )
355
- . map_err ( |error| anyhow ! ( "Couldn't parse generated key pair: {:?}" , error) ) ?;
361
+ let key_pair =
362
+ EcdsaKeyPair :: from_pkcs8 ( SIGNING_ALGORITHM , key_pair_pkcs8. as_ref ( ) , & rng)
363
+ . map_err ( |error| anyhow ! ( "Couldn't parse generated key pair: {:?}" , error) ) ?;
356
364
357
365
Ok ( Self { key_pair } )
358
366
}
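Review bot: In the second hunk (the `agree_ephemeral` call inside `impl KeyNegotiator`), the two `.context(...)` labels look attached to the wrong failures. The first `?` unwraps the outer result of `agree_ephemeral` itself (it still needs `.map_err(anyhow::Error::msg)`, so it is presumably the library's own agreement error), yet it is labelled "Couldn't derive session keys", while the closure's result, which covers the key-material length check and the derivation, is labelled "Couldn't agree on session keys". Swapping them, `.context("Couldn't agree on session keys")?` followed by `.context("Couldn't derive session keys")?`, would let a rejected peer public key be told apart from a derivation fault when triaging handshake failures. The closure's return annotation could also be shortened to `anyhow::Result<(anyhow::Result<Key>, anyhow::Result<Key>)>`. The enclosing function starts above the hunk, so this is based only on the visible lines.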