crypto: use rsa crate for generating keys

Turns out the performance problems are mostly
limited to debug builds, which is fine.
anna 2023-01-26 22:31:13 +01:00
parent f349ae99c7
commit 816a87f873
Signed by: fef
GPG key ID: EC22E476DC2D3D84


@ -109,22 +109,18 @@ impl PubKey {
impl PrivKey {
/// Generate a new private key.
pub fn new() -> Result<PrivKey> {
// The rsa crate takes like two orders of magnitude longer to generate a key,
// so until they get that under control we'll use the raw OpenSSL bindings to
// generate a key, encode it to PKCS#1 DER, and load it again.
let pkey = openssl::rsa::Rsa::generate(DEFAULT_KEY_SIZE as u32).unwrap();
let pkcs1_der = pkey.private_key_to_der().unwrap();
let pkey =
<RsaPrivateKey as pkcs1::DecodeRsaPrivateKey>::from_pkcs1_der(pkcs1_der.as_slice())
.map_err(Error::from)?;
let der = pkey.to_pkcs8_der().map_err(Error::from)?;
let der = Vec::from(der.as_bytes());
let pkey = RsaPrivateKey::new(&mut OsRng, DEFAULT_KEY_SIZE).map_err(Error::from)?;
let der = pkey.to_public_key_der().map_err(Error::from)?.into_vec();
Ok(PrivKey {
pkey: OnceCell::from(pkey),
der,
})
}
/// Construct a new private key from a DER encoded PKCS#8 key **without validity checks**.
/// This function is not `unsafe` because if the data is not valid DER, all operations will
/// simply fail instead of resulting in undefined behaviour. Furthermore, this function
/// will only be called from keys stored directly in the database, so it should be fine.
pub fn from_der_unchecked(der: Vec<u8>) -> PrivKey {
PrivKey {
pkey: OnceCell::new(),
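Review bot: `PrivKey::new` now fills `der` from `pkey.to_public_key_der()`, which is the DER of the public half only, whereas the lines it replaces stored the `to_pkcs8_der()` output and the doc comment on `from_der_unchecked` further down describes this field as a DER encoded PKCS#8 key. If `der` is what gets written to the database, as that comment suggests, a freshly generated key would be persisted without its private part and anything that later decodes `der` as PKCS#8 would fail. The line should probably stay on the private encoding, `let der = pkey.to_pkcs8_der().map_err(Error::from)?.as_bytes().to_vec();`, and a round-trip test (generate, reload via `from_der_unchecked`, sign) would catch this. The +/- markers are lost on this page, so which lines are old and which are new is inferred from the commit title, and `from_der_unchecked` continues past the end of the hunk.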