Switch to ring for crypto

Cargo.lock

@@ -423,6 +423,7 @@ dependencies = [
  "pin-project-lite",
  "quanta",
  "rand",
+ "ring",
  "rsa",
  "rsa-magic-public-key",
  "ructe",
@@ -1460,9 +1461,9 @@ dependencies = [
 
 [[package]]
 name = "http-signature-normalization-actix"
-version = "0.10.0"
+version = "0.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7978cadb8c73ab0d7115a4260e8a64188212ce44d11f0b0109c4beebc6bbb5c9"
+checksum = "f16b1af0de27fe75ea5c1da8da1ce826274cc623bda49eb5e9395aa4ea0b34d4"
 dependencies = [
  "actix-http",
  "actix-rt",
@@ -1471,7 +1472,7 @@ dependencies = [
  "base64 0.13.1",
  "futures-util",
  "http-signature-normalization",
- "sha2",
+ "ring",
  "thiserror",
  "tokio",
  "tracing",
@@ -2743,7 +2744,6 @@ dependencies = [
  "pkcs1",
  "pkcs8",
  "rand_core",
- "sha2",
  "signature",
  "spki",
  "subtle",

Cargo.toml

@@ -55,7 +55,8 @@ opentelemetry-otlp = "0.12"
 pin-project-lite = "0.2.9"
 quanta = "0.11.0"
 rand = "0.8"
-rsa = { version = "0.9", features = ["sha2"] }
+ring = "0.16.20"
+rsa = { version = "0.9" }
 rsa-magic-public-key = "0.8.0"
 rustls = "0.20.7"
 rustls-pemfile = "1.0.1"
@@ -89,9 +90,9 @@ default-features = false
 features = ["background-jobs-actix", "error-logging"]
 
 [dependencies.http-signature-normalization-actix]
-version = "0.10.0"
+version = "0.10.1"
 default-features = false
-features = ["client", "server", "sha-2"]
+features = ["client", "server", "ring"]
 
 [dependencies.tracing-actix-web]
 version = "0.7.5"

src/config.rs

@@ -11,8 +11,7 @@ use activitystreams::{
     },
 };
 use config::Environment;
-use http_signature_normalization_actix::prelude::VerifyDigest;
-use rsa::sha2::{Digest, Sha256};
+use http_signature_normalization_actix::{digest::ring::Sha256, prelude::VerifyDigest};
 use rustls::{Certificate, PrivateKey};
 use std::{
     io::BufReader,

src/error.rs

@@ -81,6 +81,9 @@ pub(crate) enum ErrorKind {
     #[error("Couldn't encode public key, {0}")]
     Spki(#[from] rsa::pkcs8::spki::Error),
 
+    #[error("Couldn't sign request")]
+    SignRequest,
+
     #[error("Couldn't parse IRI, {0}")]
     ParseIri(#[from] activitystreams::iri_string::validate::Error),
 
@@ -105,11 +108,11 @@ pub(crate) enum ErrorKind {
     #[error("Couldn't sign digest")]
     Signature(#[from] rsa::signature::Error),
 
-    #[error("Couldn't read signature")]
-    ReadSignature(rsa::signature::Error),
-
     #[error("Couldn't verify signature")]
-    VerifySignature(rsa::signature::Error),
+    VerifySignature,
+
+    #[error("Failed to encode key der")]
+    DerEncode,
 
     #[error("Couldn't parse the signature header")]
     HeaderValidation(#[from] actix_web::http::header::InvalidHeaderValue),

src/middleware/verifier.rs

@@ -8,10 +8,7 @@ use crate::{
 use activitystreams::{base::BaseExt, iri, iri_string::types::IriString};
 use base64::{engine::general_purpose::STANDARD, Engine};
 use http_signature_normalization_actix::{prelude::*, verify::DeprecatedAlgorithm, Spawn};
-use rsa::{
-    pkcs1v15::Signature, pkcs1v15::VerifyingKey, pkcs8::DecodePublicKey, sha2::Sha256,
-    signature::Verifier, RsaPublicKey,
-};
+use rsa::{pkcs1::EncodeRsaPublicKey, pkcs8::DecodePublicKey, RsaPublicKey};
 use std::{future::Future, pin::Pin};
 
 #[derive(Clone, Debug)]
@@ -128,19 +125,23 @@ async fn do_verify(
     signing_string: String,
 ) -> Result<(), Error> {
     let public_key = RsaPublicKey::from_public_key_pem(public_key.trim())?;
+    let public_key_der = public_key
+        .to_pkcs1_der()
+        .map_err(|_| ErrorKind::DerEncode)?;
+    let public_key = ring::signature::UnparsedPublicKey::new(
+        &ring::signature::RSA_PKCS1_2048_8192_SHA256,
+        public_key_der,
+    );
 
     let span = tracing::Span::current();
     spawner
         .spawn_blocking(move || {
             span.in_scope(|| {
                 let decoded = STANDARD.decode(signature)?;
-                let signature =
-                    Signature::try_from(decoded.as_slice()).map_err(ErrorKind::ReadSignature)?;
 
-                let verifying_key = VerifyingKey::<Sha256>::new(public_key);
-                verifying_key
-                    .verify(signing_string.as_bytes(), &signature)
-                    .map_err(ErrorKind::VerifySignature)?;
+                public_key
+                    .verify(signing_string.as_bytes(), decoded.as_slice())
+                    .map_err(|_| ErrorKind::VerifySignature)?;
 
                 Ok(()) as Result<(), Error>
             })

src/requests.rs

@@ -8,14 +8,12 @@ use actix_web::http::header::Date;
 use awc::{error::SendRequestError, Client, ClientResponse, Connector};
 use base64::{engine::general_purpose::STANDARD, Engine};
 use dashmap::DashMap;
-use http_signature_normalization_actix::prelude::*;
-use rand::thread_rng;
-use rsa::{
-    pkcs1v15::SigningKey,
-    sha2::{Digest, Sha256},
-    signature::{RandomizedSigner, SignatureEncoding},
-    RsaPrivateKey,
+use http_signature_normalization_actix::{digest::ring::Sha256, prelude::*};
+use ring::{
+    rand::SystemRandom,
+    signature::{RsaKeyPair, RSA_PKCS1_SHA256},
 };
+use rsa::{pkcs1::EncodeRsaPrivateKey, RsaPrivateKey};
 use std::{
     sync::Arc,
     time::{Duration, SystemTime},
@@ -145,7 +143,8 @@ pub(crate) struct Requests {
     client: Client,
     key_id: String,
     user_agent: String,
-    private_key: RsaPrivateKey,
+    private_key: Arc<RsaKeyPair>,
+    rng: SystemRandom,
     config: Config<Spawner>,
     breakers: Breakers,
     last_online: Arc<LastOnline>,
@@ -196,12 +195,16 @@ impl Requests {
         timeout_seconds: u64,
         spawner: Spawner,
     ) -> Self {
+        let private_key_der = private_key.to_pkcs1_der().expect("Can encode der");
+        let private_key = ring::signature::RsaKeyPair::from_der(private_key_der.as_bytes())
+            .expect("Key is valid");
         Requests {
             pool_size,
             client: build_client(&user_agent, pool_size, timeout_seconds),
             key_id,
             user_agent,
-            private_key,
+            private_key: Arc::new(private_key),
+            rng: SystemRandom::new(),
             config: Config::new().mastodon_compat().spawner(spawner),
             breakers,
             last_online,
@@ -407,19 +410,29 @@ impl Requests {
     fn signer(&self) -> Signer {
         Signer {
             private_key: self.private_key.clone(),
+            rng: self.rng.clone(),
         }
     }
 }
 
 struct Signer {
-    private_key: RsaPrivateKey,
+    private_key: Arc<RsaKeyPair>,
+    rng: SystemRandom,
 }
 
 impl Signer {
     fn sign(&self, signing_string: &str) -> Result<String, Error> {
-        let signing_key = SigningKey::<Sha256>::new(self.private_key.clone());
-        let signature =
-            signing_key.try_sign_with_rng(&mut thread_rng(), signing_string.as_bytes())?;
-        Ok(STANDARD.encode(signature.to_bytes().as_ref()))
+        let mut signature = vec![0; self.private_key.public_modulus_len()];
+
+        self.private_key
+            .sign(
+                &RSA_PKCS1_SHA256,
+                &self.rng,
+                signing_string.as_bytes(),
+                &mut signature,
+            )
+            .map_err(|_| ErrorKind::SignRequest)?;
+
+        Ok(STANDARD.encode(&signature))
     }
 }