crypto: use rsa crate for generating keys

Turns out the performance problems are mostly limited to debug builds, which is fine.
2023-01-26 22:31:13 +01:00 · 2023-01-26 22:31:13 +01:00 · 816a87f873
commit 816a87f873
parent f349ae99c7
1 changed files with 6 additions and 10 deletions
--- a/src/util/crypto.rs
+++ b/src/util/crypto.rs
@ -109,22 +109,18 @@ impl PubKey {
 impl PrivKey {
    /// Generate a new private key.
    pub fn new() -> Result<PrivKey> {
-        // The rsa crate takes like two orders of magnitude longer to generate a key,
-        // so until they get that under control we'll use the raw OpenSSL bindings to
-        // generate a key, encode it to PKCS#1 DER, and load it again.
-        let pkey = openssl::rsa::Rsa::generate(DEFAULT_KEY_SIZE as u32).unwrap();
-        let pkcs1_der = pkey.private_key_to_der().unwrap();
-        let pkey =
-            <RsaPrivateKey as pkcs1::DecodeRsaPrivateKey>::from_pkcs1_der(pkcs1_der.as_slice())
-                .map_err(Error::from)?;
-        let der = pkey.to_pkcs8_der().map_err(Error::from)?;
-        let der = Vec::from(der.as_bytes());
+        let pkey = RsaPrivateKey::new(&mut OsRng, DEFAULT_KEY_SIZE).map_err(Error::from)?;
+        let der = pkey.to_public_key_der().map_err(Error::from)?.into_vec();
        Ok(PrivKey {
            pkey: OnceCell::from(pkey),
            der,
        })
    }

+    /// Construct a new private key from a DER encoded PKCS#8 key **without validity checks**.
+    /// This function is not `unsafe` because if the data is not valid DER, all operations will
+    /// simply fail instead of resulting in undefined behaviour.  Furthermore, this function
+    /// will only be called from keys stored directly in the database, so it should be fine.
    pub fn from_der_unchecked(der: Vec<u8>) -> PrivKey {
        PrivKey {
            pkey: OnceCell::new(),