@@ -86,13 +86,15 @@ impl aead::NonceSequence for OneNonceSequence {
8686 }
8787}
8888
89+ type Key = [ u8 ; KEY_AGREEMENT_ALGORITHM_KEY_LENGTH ] ;
90+
8991/// Convenience struct for passing an encryption key as an argument.
9092#[ derive( PartialEq ) ]
91- pub ( crate ) struct EncryptionKey ( pub ( crate ) [ u8 ; KEY_AGREEMENT_ALGORITHM_KEY_LENGTH ] ) ;
93+ pub ( crate ) struct EncryptionKey ( pub ( crate ) Key ) ;
9294
9395/// Convenience struct for passing a decryption key as an argument.
9496#[ derive( PartialEq ) ]
95- pub ( crate ) struct DecryptionKey ( pub ( crate ) [ u8 ; KEY_AGREEMENT_ALGORITHM_KEY_LENGTH ] ) ;
97+ pub ( crate ) struct DecryptionKey ( pub ( crate ) Key ) ;
9698
9799/// Implementation of Authenticated Encryption with Associated Data (AEAD).
98100///
@@ -234,57 +236,62 @@ impl KeyNegotiator {
234236 ) -> anyhow:: Result < ( EncryptionKey , DecryptionKey ) > {
235237 let type_ = self . type_ . clone ( ) ;
236238 let self_public_key = self . public_key ( ) . context ( "Couldn't get self public key" ) ?;
237- let ( encryption_key, decryption_key) = agreement:: agree_ephemeral (
238- self . private_key ,
239- & agreement:: UnparsedPublicKey :: new ( KEY_AGREEMENT_ALGORITHM , peer_public_key) ,
240- anyhow ! ( "Couldn't derive session keys" ) ,
241- |key_material| {
242- let key_material = key_material
243- . try_into ( )
244- . map_err ( anyhow:: Error :: msg)
245- . context ( format ! (
246- "Incorrect key material length, expected {}, found {}" ,
247- KEY_AGREEMENT_ALGORITHM_KEY_LENGTH ,
248- key_material. len( )
249- ) ) ?;
250- let peer_public_key = * peer_public_key;
251- match type_ {
252- // On the server side `self_public_key` is the server key.
253- KeyNegotiatorType :: Server => {
254- let encryption_key = Self :: key_derivation_function (
255- key_material,
256- SERVER_KEY_PURPOSE ,
257- & self_public_key,
258- & peer_public_key,
259- ) ;
260- let decryption_key = Self :: key_derivation_function (
261- key_material,
262- CLIENT_KEY_PURPOSE ,
263- & self_public_key,
264- & peer_public_key,
265- ) ;
266- Ok ( ( encryption_key, decryption_key) )
267- }
268- // On the client side `peer_public_key` is the server key.
269- KeyNegotiatorType :: Client => {
270- let encryption_key = Self :: key_derivation_function (
271- key_material,
272- CLIENT_KEY_PURPOSE ,
273- & peer_public_key,
274- & self_public_key,
275- ) ;
276- let decryption_key = Self :: key_derivation_function (
277- key_material,
278- SERVER_KEY_PURPOSE ,
279- & peer_public_key,
280- & self_public_key,
281- ) ;
282- Ok ( ( encryption_key, decryption_key) )
239+ let ( encryption_key, decryption_key) =
240+ agreement:: agree_ephemeral (
241+ self . private_key ,
242+ & agreement:: UnparsedPublicKey :: new ( KEY_AGREEMENT_ALGORITHM , peer_public_key) ,
243+ |key_material| -> Result <
244+ ( Result < Key , anyhow:: Error > , Result < Key , anyhow:: Error > ) ,
245+ anyhow:: Error ,
246+ > {
247+ let key_material = key_material
248+ . try_into ( )
249+ . map_err ( anyhow:: Error :: msg)
250+ . context ( format ! (
251+ "Incorrect key material length, expected {}, found {}" ,
252+ KEY_AGREEMENT_ALGORITHM_KEY_LENGTH ,
253+ key_material. len( )
254+ ) ) ?;
255+ let peer_public_key = * peer_public_key;
256+ match type_ {
257+ // On the server side `self_public_key` is the server key.
258+ KeyNegotiatorType :: Server => {
259+ let encryption_key = Self :: key_derivation_function (
260+ key_material,
261+ SERVER_KEY_PURPOSE ,
262+ & self_public_key,
263+ & peer_public_key,
264+ ) ;
265+ let decryption_key = Self :: key_derivation_function (
266+ key_material,
267+ CLIENT_KEY_PURPOSE ,
268+ & self_public_key,
269+ & peer_public_key,
270+ ) ;
271+ Ok ( ( encryption_key, decryption_key) )
272+ }
273+ // On the client side `peer_public_key` is the server key.
274+ KeyNegotiatorType :: Client => {
275+ let encryption_key = Self :: key_derivation_function (
276+ key_material,
277+ CLIENT_KEY_PURPOSE ,
278+ & peer_public_key,
279+ & self_public_key,
280+ ) ;
281+ let decryption_key = Self :: key_derivation_function (
282+ key_material,
283+ SERVER_KEY_PURPOSE ,
284+ & peer_public_key,
285+ & self_public_key,
286+ ) ;
287+ Ok ( ( encryption_key, decryption_key) )
288+ }
283289 }
284- }
285- } ,
286- )
287- . context ( "Couldn't agree on session keys" ) ?;
290+ } ,
291+ )
292+ . map_err ( anyhow:: Error :: msg)
293+ . context ( "Couldn't derive session keys" ) ?
294+ . context ( "Couldn't agree on session keys" ) ?;
288295 Ok ( (
289296 EncryptionKey ( encryption_key. context ( "Couldn't derive encryption key" ) ?) ,
290297 DecryptionKey ( decryption_key. context ( "Couldn't derive decryption key" ) ?) ,
@@ -351,8 +358,9 @@ impl Signer {
351358 let rng = ring:: rand:: SystemRandom :: new ( ) ;
352359 let key_pair_pkcs8 = EcdsaKeyPair :: generate_pkcs8 ( SIGNING_ALGORITHM , & rng)
353360 . map_err ( |error| anyhow ! ( "Couldn't generate PKCS#8 key pair: {:?}" , error) ) ?;
354- let key_pair = EcdsaKeyPair :: from_pkcs8 ( SIGNING_ALGORITHM , key_pair_pkcs8. as_ref ( ) )
355- . map_err ( |error| anyhow ! ( "Couldn't parse generated key pair: {:?}" , error) ) ?;
361+ let key_pair =
362+ EcdsaKeyPair :: from_pkcs8 ( SIGNING_ALGORITHM , key_pair_pkcs8. as_ref ( ) , & rng)
363+ . map_err ( |error| anyhow ! ( "Couldn't parse generated key pair: {:?}" , error) ) ?;
356364
357365 Ok ( Self { key_pair } )
358366 }
0 commit comments