pub struct KeyPair { /* private fields */ }
A key pair used to sign certificates and CSRs
Note that ring, the underlying library used to handle RSA keys, requires them to be in a special format, meaning that the output of openssl genrsa doesn’t work as-is. See ring’s documentation for how to generate RSA keys in the wanted format and for conversion between the formats.
Implementations
impl KeyPair
pub fn generate() -> Result<KeyPair, Error>
Generate a new random PKCS_ECDSA_P256_SHA256 key pair.
pub fn generate_for(alg: &'static SignatureAlgorithm) -> Result<KeyPair, Error>
Generate a new random key pair for the specified signature algorithm. If you’re not sure which algorithm to use, PKCS_ECDSA_P256_SHA256 is a good choice.
If passed an RSA signature algorithm, it depends on the backend whether we return a generated key or an error for key generation being unavailable. Currently, only aws-lc-rs supports RSA key generation.
pub fn algorithm(&self) -> &'static SignatureAlgorithm
Returns the key pair’s signature algorithm.
pub fn from_pem(pem_str: &str) -> Result<KeyPair, Error>
Parses the key pair from the ASCII PEM format.
If the aws_lc_rs feature is used, the key must be a DER-encoded plaintext private key as specified in PKCS #8/RFC 5958, SEC1/RFC 5915, or PKCS #1/RFC 3447; it appears as “PRIVATE KEY”, “RSA PRIVATE KEY”, or “EC PRIVATE KEY” in PEM files.
Otherwise, if the ring feature is used, the key must be a DER-encoded plaintext private key as specified in PKCS #8/RFC 5958; it appears as “PRIVATE KEY” in PEM files.
pub fn from_remote(
key_pair: Box<dyn RemoteKeyPair + Sync + Send>,
) -> Result<KeyPair, Error>
Obtains the key pair from a raw public key and a remote private key.
pub fn from_pkcs8_pem_and_sign_algo(
pem_str: &str,
alg: &'static SignatureAlgorithm,
) -> Result<KeyPair, Error>
Obtains the key pair from a PEM formatted PKCS#8 key using the specified SignatureAlgorithm.
The key must be a DER-encoded plaintext private key as specified in PKCS #8/RFC 5958; it appears as “PRIVATE KEY” in PEM files. Otherwise the same as from_pkcs8_der_and_sign_algo.
pub fn from_pkcs8_der_and_sign_algo(
pkcs8: &PrivatePkcs8KeyDer<'_>,
alg: &'static SignatureAlgorithm,
) -> Result<KeyPair, Error>
Obtains the key pair from a DER formatted key using the specified SignatureAlgorithm.
If you have a PrivatePkcs8KeyDer, you can usually rely on the TryFrom implementation to obtain a KeyPair; it will determine the correct SignatureAlgorithm for you. However, sometimes multiple signature algorithms fit the same DER key. In those instances, you can use this function to specify the SignatureAlgorithm precisely.
rustls_pemfile::private_key() is often used to obtain a PrivateKeyDer from PEM input. If the obtained PrivateKeyDer is a Pkcs8 variant, you can use its contents as input for this function. Alternatively, if you already have a byte slice containing DER, it can trivially be converted into a PrivatePkcs8KeyDer using the Into trait.
pub fn from_pem_and_sign_algo(
pem_str: &str,
alg: &'static SignatureAlgorithm,
) -> Result<KeyPair, Error>
Obtains the key pair from a PEM formatted key using the specified SignatureAlgorithm.
If the aws_lc_rs feature is used, the key must be a DER-encoded plaintext private key as specified in PKCS #8/RFC 5958, SEC1/RFC 5915, or PKCS #1/RFC 3447; it appears as “PRIVATE KEY”, “RSA PRIVATE KEY”, or “EC PRIVATE KEY” in PEM files.
Otherwise, if the ring feature is used, the key must be a DER-encoded plaintext private key as specified in PKCS #8/RFC 5958; it appears as “PRIVATE KEY” in PEM files.
Otherwise the same as from_der_and_sign_algo.
pub fn from_der_and_sign_algo(
key: &PrivateKeyDer<'_>,
alg: &'static SignatureAlgorithm,
) -> Result<KeyPair, Error>
Obtains the key pair from a DER formatted key using the specified SignatureAlgorithm.
Note that with the ring feature, this function only supports the PrivateKeyDer::Pkcs8 variant. Consider using the aws_lc_rs feature to support PrivateKeyDer fully.
If you have a PrivateKeyDer, you can usually rely on the TryFrom implementation to obtain a KeyPair; it will determine the correct SignatureAlgorithm for you. However, sometimes multiple signature algorithms fit the same DER key. In those instances, you can use this function to specify the SignatureAlgorithm precisely.
You can use rustls_pemfile::private_key to get the key input. If you already have a byte slice, just calling try_into() will convert it to a PrivateKeyDer.
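As an added example (not rcgen’s own code; it uses only the standard library and no rcgen or ring API), the following pre-flight check classifies a DER private key by structure into the three formats that from_pem and from_der_and_sign_algo distinguish, maps a PEM armor label to the structure it should contain, and reports whether the ring backend (PKCS#8 only, as the docs above state) will load it. The DerKind, der_header, classify_der, label_kind and backend_accepts names and the sample byte strings are constructed for this example.

```rust
/// DER structures a private key can have; they map to the PrivateKeyDer variants
/// from_der_and_sign_algo takes and to the PEM labels from_pem lists.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DerKind { Pkcs8, Sec1, Pkcs1 } // "PRIVATE KEY", "EC PRIVATE KEY", "RSA PRIVATE KEY"

/// Read a DER tag/length header at `pos`: (tag, content length, content offset).
fn der_header(der: &[u8], pos: usize) -> Option<(u8, usize, usize)> {
    let (tag, first) = (*der.get(pos)?, *der.get(pos + 1)?);
    if first < 0x80 { return Some((tag, first as usize, pos + 2)); }
    let n = (first & 0x7f) as usize;
    if n == 0 || n > 2 { return None; } // indefinite/oversized lengths never occur in a DER key
    let mut len = 0usize;
    for i in 0..n { len = (len << 8) | *der.get(pos + 2 + i)? as usize; }
    Some((tag, len, pos + 2 + n))
}

/// All three formats open with SEQUENCE { INTEGER version, ... }; the element
/// after the version tells them apart.
pub fn classify_der(der: &[u8]) -> Option<DerKind> {
    let (tag, outer_len, body) = der_header(der, 0)?;
    if tag != 0x30 || body + outer_len > der.len() { return None; }
    let (vtag, vlen, vbody) = der_header(der, body)?;
    if vtag != 0x02 { return None; }
    match der_header(der, vbody + vlen)?.0 {
        0x30 => Some(DerKind::Pkcs8), // privateKeyAlgorithm AlgorithmIdentifier (PKCS#8)
        0x04 => Some(DerKind::Sec1),  // privateKey OCTET STRING (SEC1 ECPrivateKey)
        0x02 => Some(DerKind::Pkcs1), // modulus INTEGER (PKCS#1 RSAPrivateKey)
        _ => None,
    }
}

/// Map the PEM armor label to the DER structure it is supposed to contain.
pub fn label_kind(pem: &str) -> Option<DerKind> {
    let begin = pem.lines().map(str::trim).find(|l| l.starts_with("-----BEGIN "))?;
    match begin.strip_prefix("-----BEGIN ")?.strip_suffix("-----")? {
        "PRIVATE KEY" => Some(DerKind::Pkcs8),
        "EC PRIVATE KEY" => Some(DerKind::Sec1),
        "RSA PRIVATE KEY" => Some(DerKind::Pkcs1),
        _ => None, // e.g. "ENCRYPTED PRIVATE KEY": not a plaintext key, rejected by both backends
    }
}

/// Per the docs above: with the ring feature only PKCS#8 loads; aws-lc-rs takes all three.
pub fn backend_accepts(kind: DerKind, ring_feature: bool) -> bool {
    !ring_feature || kind == DerKind::Pkcs8
}

// Constructed header bytes (not real keys): just enough structure to classify.
pub const PKCS8_LIKE: &[u8] = &[0x30, 0x08, 0x02, 0x01, 0x00, 0x30, 0x03, 0x06, 0x01, 0x00];
pub const SEC1_LIKE: &[u8] = &[0x30, 0x05, 0x02, 0x01, 0x01, 0x04, 0x00];
pub const PKCS1_LIKE: &[u8] = &[0x30, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x03];
```

Running classify_der before choosing between from_pkcs8_der_and_sign_algo and from_der_and_sign_algo turns a backend-dependent load error into a clear message about which conversion the key still needs.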
pub fn public_key_raw(&self) -> &[u8]
Get the raw public key of this key pair.
The key is in raw format, as ring::signature::KeyPair::public_key would output it, and as ring::signature::UnparsedPublicKey::verify would accept it.
pub fn is_compatible(&self, signature_algorithm: &SignatureAlgorithm) -> bool
Check if this key pair can be used with the given signature algorithm.
pub fn compatible_algs(
&self,
) -> impl Iterator<Item = &'static SignatureAlgorithm>
Returns the (possibly multiple) compatible SignatureAlgorithms that the key can be used with.
pub fn public_key_der(&self) -> Vec<u8>
Return the key pair’s public key in DER format.
The key is formatted according to the SubjectPublicKeyInfo struct of X.509. See RFC 5280 section 4.1.
pub fn public_key_pem(&self) -> String
Return the key pair’s public key in PEM format.
The returned string can be interpreted with openssl pkey --inform PEM -pubout -pubin -text
pub fn serialize_der(&self) -> Vec<u8>
Serializes the key pair (including the private key) in PKCS#8 format in DER.
Panics if called on a remote key pair.
pub fn serialized_der(&self) -> &[u8]
Returns a reference to the serialized key pair (including the private key) in PKCS#8 format in DER.
Panics if called on a remote key pair.
pub fn as_remote(&self) -> Option<&(dyn RemoteKeyPair + Sync + Send)>
Access the remote key pair if it is a remote one.
pub fn serialize_pem(&self) -> String
Serializes the key pair (including the private key) in PKCS#8 format in PEM.
Trait Implementations
impl TryFrom<&PrivateKeyDer<'_>> for KeyPair
impl TryFrom<&PrivatePkcs8KeyDer<'_>> for KeyPair
Auto Trait Implementations
impl Freeze for KeyPair
impl !RefUnwindSafe for KeyPair
impl Send for KeyPair
impl Sync for KeyPair
impl Unpin for KeyPair
impl !UnwindSafe for KeyPair