Extract ec_params_to_group from SPKI parsing (#12348)

alex · web-flow · commit 535f134411fa · 2025-01-27T06:43:17.000-08:00
To be used in #12296
diff --git a/src/rust/cryptography-key-parsing/src/ec.rs b/src/rust/cryptography-key-parsing/src/ec.rs
@@ -0,0 +1,53 @@
+// This file is dual licensed under the terms of the Apache License, Version
+// 2.0, and the BSD License. See the LICENSE file in the root of this repository
+// for complete details.
+
+use crate::{KeyParsingError, KeyParsingResult};
+
+use cryptography_x509::common::EcParameters;
+
+pub(crate) fn ec_params_to_group(
+    params: &EcParameters<'_>,
+) -> KeyParsingResult<openssl::ec::EcGroup> {
+    match params {
+        EcParameters::NamedCurve(curve_oid) => {
+            let curve_nid = match curve_oid {
+                &cryptography_x509::oid::EC_SECP192R1 => openssl::nid::Nid::X9_62_PRIME192V1,
+                &cryptography_x509::oid::EC_SECP224R1 => openssl::nid::Nid::SECP224R1,
+                &cryptography_x509::oid::EC_SECP256R1 => openssl::nid::Nid::X9_62_PRIME256V1,
+                &cryptography_x509::oid::EC_SECP384R1 => openssl::nid::Nid::SECP384R1,
+                &cryptography_x509::oid::EC_SECP521R1 => openssl::nid::Nid::SECP521R1,
+
+                &cryptography_x509::oid::EC_SECP256K1 => openssl::nid::Nid::SECP256K1,
+
+                &cryptography_x509::oid::EC_SECT233R1 => openssl::nid::Nid::SECT233R1,
+                &cryptography_x509::oid::EC_SECT283R1 => openssl::nid::Nid::SECT283R1,
+                &cryptography_x509::oid::EC_SECT409R1 => openssl::nid::Nid::SECT409R1,
+                &cryptography_x509::oid::EC_SECT571R1 => openssl::nid::Nid::SECT571R1,
+
+                &cryptography_x509::oid::EC_SECT163R2 => openssl::nid::Nid::SECT163R2,
+
+                &cryptography_x509::oid::EC_SECT163K1 => openssl::nid::Nid::SECT163K1,
+                &cryptography_x509::oid::EC_SECT233K1 => openssl::nid::Nid::SECT233K1,
+                &cryptography_x509::oid::EC_SECT283K1 => openssl::nid::Nid::SECT283K1,
+                &cryptography_x509::oid::EC_SECT409K1 => openssl::nid::Nid::SECT409K1,
+                &cryptography_x509::oid::EC_SECT571K1 => openssl::nid::Nid::SECT571K1,
+
+                #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
+                &cryptography_x509::oid::EC_BRAINPOOLP256R1 => openssl::nid::Nid::BRAINPOOL_P256R1,
+                #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
+                &cryptography_x509::oid::EC_BRAINPOOLP384R1 => openssl::nid::Nid::BRAINPOOL_P384R1,
+                #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
+                &cryptography_x509::oid::EC_BRAINPOOLP512R1 => openssl::nid::Nid::BRAINPOOL_P512R1,
+
+                _ => return Err(KeyParsingError::UnsupportedEllipticCurve(curve_oid.clone())),
+            };
+
+            Ok(openssl::ec::EcGroup::from_curve_name(curve_nid)
+                .map_err(|_| KeyParsingError::UnsupportedEllipticCurve(curve_oid.clone()))?)
+        }
+        EcParameters::ImplicitCurve(_) | EcParameters::SpecifiedCurve(_) => {
+            Err(KeyParsingError::ExplicitCurveUnsupported)
+        }
+    }
+}
diff --git a/src/rust/cryptography-key-parsing/src/lib.rs b/src/rust/cryptography-key-parsing/src/lib.rs
@@ -6,6 +6,7 @@
 #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)]
 #![allow(unknown_lints, clippy::result_large_err)]
 
+mod ec;
 pub mod rsa;
 pub mod spki;
 
diff --git a/src/rust/cryptography-key-parsing/src/spki.rs b/src/rust/cryptography-key-parsing/src/spki.rs
@@ -2,7 +2,7 @@
 // 2.0, and the BSD License. See the LICENSE file in the root of this repository
 // for complete details.
 
-use cryptography_x509::common::{AlgorithmParameters, EcParameters, SubjectPublicKeyInfo};
+use cryptography_x509::common::{AlgorithmParameters, SubjectPublicKeyInfo};
 
 use crate::{KeyParsingError, KeyParsingResult};
 
@@ -12,62 +12,18 @@ pub fn parse_public_key(
     let k = asn1::parse_single::<SubjectPublicKeyInfo<'_>>(data)?;
 
     match k.algorithm.params {
-        AlgorithmParameters::Ec(ec_params) => match ec_params {
-            EcParameters::NamedCurve(curve_oid) => {
-                let curve_nid = match curve_oid {
-                    cryptography_x509::oid::EC_SECP192R1 => openssl::nid::Nid::X9_62_PRIME192V1,
-                    cryptography_x509::oid::EC_SECP224R1 => openssl::nid::Nid::SECP224R1,
-                    cryptography_x509::oid::EC_SECP256R1 => openssl::nid::Nid::X9_62_PRIME256V1,
-                    cryptography_x509::oid::EC_SECP384R1 => openssl::nid::Nid::SECP384R1,
-                    cryptography_x509::oid::EC_SECP521R1 => openssl::nid::Nid::SECP521R1,
-
-                    cryptography_x509::oid::EC_SECP256K1 => openssl::nid::Nid::SECP256K1,
-
-                    cryptography_x509::oid::EC_SECT233R1 => openssl::nid::Nid::SECT233R1,
-                    cryptography_x509::oid::EC_SECT283R1 => openssl::nid::Nid::SECT283R1,
-                    cryptography_x509::oid::EC_SECT409R1 => openssl::nid::Nid::SECT409R1,
-                    cryptography_x509::oid::EC_SECT571R1 => openssl::nid::Nid::SECT571R1,
-
-                    cryptography_x509::oid::EC_SECT163R2 => openssl::nid::Nid::SECT163R2,
-
-                    cryptography_x509::oid::EC_SECT163K1 => openssl::nid::Nid::SECT163K1,
-                    cryptography_x509::oid::EC_SECT233K1 => openssl::nid::Nid::SECT233K1,
-                    cryptography_x509::oid::EC_SECT283K1 => openssl::nid::Nid::SECT283K1,
-                    cryptography_x509::oid::EC_SECT409K1 => openssl::nid::Nid::SECT409K1,
-                    cryptography_x509::oid::EC_SECT571K1 => openssl::nid::Nid::SECT571K1,
-
-                    #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
-                    cryptography_x509::oid::EC_BRAINPOOLP256R1 => {
-                        openssl::nid::Nid::BRAINPOOL_P256R1
-                    }
-                    #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
-                    cryptography_x509::oid::EC_BRAINPOOLP384R1 => {
-                        openssl::nid::Nid::BRAINPOOL_P384R1
-                    }
-                    #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
-                    cryptography_x509::oid::EC_BRAINPOOLP512R1 => {
-                        openssl::nid::Nid::BRAINPOOL_P512R1
-                    }
-
-                    _ => return Err(KeyParsingError::UnsupportedEllipticCurve(curve_oid)),
-                };
-
-                let group = openssl::ec::EcGroup::from_curve_name(curve_nid)
-                    .map_err(|_| KeyParsingError::UnsupportedEllipticCurve(curve_oid))?;
-                let mut bn_ctx = openssl::bn::BigNumContext::new()?;
-                let ec_point = openssl::ec::EcPoint::from_bytes(
-                    &group,
-                    k.subject_public_key.as_bytes(),
-                    &mut bn_ctx,
-                )
-                .map_err(|_| KeyParsingError::InvalidKey)?;
-                let ec_key = openssl::ec::EcKey::from_public_key(&group, &ec_point)?;
-                Ok(openssl::pkey::PKey::from_ec_key(ec_key)?)
-            }
-            EcParameters::ImplicitCurve(_) | EcParameters::SpecifiedCurve(_) => {
-                Err(KeyParsingError::ExplicitCurveUnsupported)
-            }
-        },
+        AlgorithmParameters::Ec(ec_params) => {
+            let group = crate::ec::ec_params_to_group(&ec_params)?;
+            let mut bn_ctx = openssl::bn::BigNumContext::new()?;
+            let ec_point = openssl::ec::EcPoint::from_bytes(
+                &group,
+                k.subject_public_key.as_bytes(),
+                &mut bn_ctx,
+            )
+            .map_err(|_| KeyParsingError::InvalidKey)?;
+            let ec_key = openssl::ec::EcKey::from_public_key(&group, &ec_point)?;
+            Ok(openssl::pkey::PKey::from_ec_key(ec_key)?)
+        }
         AlgorithmParameters::Ed25519 => Ok(openssl::pkey::PKey::public_key_from_raw_bytes(
             k.subject_public_key.as_bytes(),
             openssl::pkey::Id::ED25519,
