1use alloc::boxed::Box;
2use alloc::string::ToString;
3use alloc::vec::Vec;
4use alloc::{format, vec};
5use core::fmt::{self, Debug, Formatter};
6
7use aws_lc_rs::rand::SystemRandom;
8use aws_lc_rs::signature::{self, EcdsaKeyPair, Ed25519KeyPair, KeyPair, RsaKeyPair};
9use pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer, SubjectPublicKeyInfoDer, alg_id};
10
11#[cfg(any(test, bench))]
12use crate::crypto::CryptoProvider;
13use crate::crypto::enums::SignatureScheme;
14use crate::crypto::signer::{Signer, SigningKey, public_key_to_spki};
15use crate::error::Error;
16use crate::sync::Arc;
17
18pub(super) struct RsaSigningKey {
20 key: Arc<RsaKeyPair>,
21}
22
23impl RsaSigningKey {
24 fn to_signer(&self, scheme: SignatureScheme) -> RsaSigner {
25 let encoding: &dyn signature::RsaEncoding = match scheme {
26 SignatureScheme::RSA_PKCS1_SHA256 => &signature::RSA_PKCS1_SHA256,
27 SignatureScheme::RSA_PKCS1_SHA384 => &signature::RSA_PKCS1_SHA384,
28 SignatureScheme::RSA_PKCS1_SHA512 => &signature::RSA_PKCS1_SHA512,
29 SignatureScheme::RSA_PSS_SHA256 => &signature::RSA_PSS_SHA256,
30 SignatureScheme::RSA_PSS_SHA384 => &signature::RSA_PSS_SHA384,
31 SignatureScheme::RSA_PSS_SHA512 => &signature::RSA_PSS_SHA512,
32 _ => unreachable!(),
33 };
34
35 RsaSigner {
36 key: self.key.clone(),
37 scheme,
38 encoding,
39 }
40 }
41
42 const SCHEMES: &[SignatureScheme] = &[
43 SignatureScheme::RSA_PSS_SHA512,
44 SignatureScheme::RSA_PSS_SHA384,
45 SignatureScheme::RSA_PSS_SHA256,
46 SignatureScheme::RSA_PKCS1_SHA512,
47 SignatureScheme::RSA_PKCS1_SHA384,
48 SignatureScheme::RSA_PKCS1_SHA256,
49 ];
50}
51
52impl SigningKey for RsaSigningKey {
53 fn choose_scheme(&self, offered: &[SignatureScheme]) -> Option<Box<dyn Signer>> {
54 Self::SCHEMES
55 .iter()
56 .find(|scheme| offered.contains(scheme))
57 .map(|&scheme| Box::new(self.to_signer(scheme)) as Box<dyn Signer>)
58 }
59
60 fn public_key(&self) -> Option<SubjectPublicKeyInfoDer<'_>> {
61 Some(public_key_to_spki(
62 &alg_id::RSA_ENCRYPTION,
63 self.key.public_key(),
64 ))
65 }
66}
67
68impl TryFrom<&PrivateKeyDer<'_>> for RsaSigningKey {
69 type Error = Error;
70
71 fn try_from(der: &PrivateKeyDer<'_>) -> Result<Self, Self::Error> {
74 let key_pair = match der {
75 PrivateKeyDer::Pkcs1(pkcs1) => RsaKeyPair::from_der(pkcs1.secret_pkcs1_der()),
76 PrivateKeyDer::Pkcs8(pkcs8) => RsaKeyPair::from_pkcs8(pkcs8.secret_pkcs8_der()),
77 _ => {
78 return Err(Error::General(
79 "failed to parse RSA private key as either PKCS#1 or PKCS#8".into(),
80 ));
81 }
82 }
83 .map_err(|key_rejected| {
84 Error::General(format!("failed to parse RSA private key: {key_rejected}"))
85 })?;
86
87 Ok(Self {
88 key: Arc::new(key_pair),
89 })
90 }
91}
92
93impl Debug for RsaSigningKey {
94 fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
95 f.debug_struct("RsaSigningKey").finish()
96 }
97}
98
99struct RsaSigner {
100 key: Arc<RsaKeyPair>,
101 scheme: SignatureScheme,
102 encoding: &'static dyn signature::RsaEncoding,
103}
104
105impl RsaSigner {
106 fn sign(&self, message: &[u8]) -> Result<Vec<u8>, Error> {
107 let mut sig = vec![0; self.key.public_modulus_len()];
108
109 let rng = SystemRandom::new();
110 self.key
111 .sign(self.encoding, &rng, message, &mut sig)
112 .map(|_| sig)
113 .map_err(|_| Error::General("signing failed".to_string()))
114 }
115}
116
117impl Signer for RsaSigner {
118 fn sign(self: Box<Self>, message: &[u8]) -> Result<Vec<u8>, Error> {
119 (*self).sign(message)
120 }
121
122 fn scheme(&self) -> SignatureScheme {
123 self.scheme
124 }
125}
126
127impl Debug for RsaSigner {
128 fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
129 f.debug_struct("RsaSigner")
130 .field("scheme", &self.scheme)
131 .finish()
132 }
133}
134
135#[derive(Clone)]
140pub(super) struct EcdsaSigner {
141 key: Arc<EcdsaKeyPair>,
142 scheme: SignatureScheme,
143}
144
145impl EcdsaSigner {
146 fn new(
149 der: &PrivateKeyDer<'_>,
150 scheme: SignatureScheme,
151 sigalg: &'static signature::EcdsaSigningAlgorithm,
152 ) -> Result<Self, ()> {
153 let key_pair = match der {
154 PrivateKeyDer::Sec1(sec1) => {
155 EcdsaKeyPair::from_private_key_der(sigalg, sec1.secret_sec1_der())
156 .map_err(|_| ())?
157 }
158 PrivateKeyDer::Pkcs8(pkcs8) => {
159 EcdsaKeyPair::from_pkcs8(sigalg, pkcs8.secret_pkcs8_der()).map_err(|_| ())?
160 }
161 _ => return Err(()),
162 };
163
164 Ok(Self {
165 key: Arc::new(key_pair),
166 scheme,
167 })
168 }
169
170 fn sign(&self, message: &[u8]) -> Result<Vec<u8>, Error> {
171 let rng = SystemRandom::new();
172 self.key
173 .sign(&rng, message)
174 .map_err(|_| Error::General("signing failed".into()))
175 .map(|sig| sig.as_ref().into())
176 }
177}
178
179impl SigningKey for EcdsaSigner {
180 fn choose_scheme(&self, offered: &[SignatureScheme]) -> Option<Box<dyn Signer>> {
181 if offered.contains(&self.scheme) {
182 Some(Box::new(self.clone()))
183 } else {
184 None
185 }
186 }
187
188 fn public_key(&self) -> Option<SubjectPublicKeyInfoDer<'_>> {
189 let id = match self.scheme {
190 SignatureScheme::ECDSA_NISTP256_SHA256 => alg_id::ECDSA_P256,
191 SignatureScheme::ECDSA_NISTP384_SHA384 => alg_id::ECDSA_P384,
192 SignatureScheme::ECDSA_NISTP521_SHA512 => alg_id::ECDSA_P521,
193 _ => unreachable!(),
194 };
195
196 Some(public_key_to_spki(&id, self.key.public_key()))
197 }
198}
199
200impl Signer for EcdsaSigner {
201 fn sign(self: Box<Self>, message: &[u8]) -> Result<Vec<u8>, Error> {
202 (*self).sign(message)
203 }
204
205 fn scheme(&self) -> SignatureScheme {
206 self.scheme
207 }
208}
209
210impl TryFrom<&PrivateKeyDer<'_>> for EcdsaSigner {
211 type Error = Error;
212
213 fn try_from(der: &PrivateKeyDer<'_>) -> Result<Self, Error> {
218 if let Ok(ecdsa_p256) = Self::new(
219 der,
220 SignatureScheme::ECDSA_NISTP256_SHA256,
221 &signature::ECDSA_P256_SHA256_ASN1_SIGNING,
222 ) {
223 return Ok(ecdsa_p256);
224 }
225
226 if let Ok(ecdsa_p384) = Self::new(
227 der,
228 SignatureScheme::ECDSA_NISTP384_SHA384,
229 &signature::ECDSA_P384_SHA384_ASN1_SIGNING,
230 ) {
231 return Ok(ecdsa_p384);
232 }
233
234 if let Ok(ecdsa_p521) = Self::new(
235 der,
236 SignatureScheme::ECDSA_NISTP521_SHA512,
237 &signature::ECDSA_P521_SHA512_ASN1_SIGNING,
238 ) {
239 return Ok(ecdsa_p521);
240 }
241
242 Err(Error::General(
243 "failed to parse ECDSA private key as PKCS#8 or SEC1".into(),
244 ))
245 }
246}
247
248impl Debug for EcdsaSigner {
249 fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
250 f.debug_struct("EcdsaSigner")
251 .field("scheme", &self.scheme)
252 .finish()
253 }
254}
255
256#[derive(Clone)]
261pub(super) struct Ed25519Signer {
262 key: Arc<Ed25519KeyPair>,
263 scheme: SignatureScheme,
264}
265
266impl Ed25519Signer {
267 fn sign(&self, message: &[u8]) -> Result<Vec<u8>, Error> {
268 Ok(self.key.sign(message).as_ref().into())
269 }
270}
271
272impl SigningKey for Ed25519Signer {
273 fn choose_scheme(&self, offered: &[SignatureScheme]) -> Option<Box<dyn Signer>> {
274 if offered.contains(&self.scheme) {
275 Some(Box::new(self.clone()))
276 } else {
277 None
278 }
279 }
280
281 fn public_key(&self) -> Option<SubjectPublicKeyInfoDer<'_>> {
282 Some(public_key_to_spki(&alg_id::ED25519, self.key.public_key()))
283 }
284}
285
286impl Signer for Ed25519Signer {
287 fn sign(self: Box<Self>, message: &[u8]) -> Result<Vec<u8>, Error> {
288 (*self).sign(message)
289 }
290
291 fn scheme(&self) -> SignatureScheme {
292 self.scheme
293 }
294}
295
296impl TryFrom<&PrivatePkcs8KeyDer<'_>> for Ed25519Signer {
297 type Error = Error;
298
299 fn try_from(der: &PrivatePkcs8KeyDer<'_>) -> Result<Self, Error> {
306 match Ed25519KeyPair::from_pkcs8_maybe_unchecked(der.secret_pkcs8_der()) {
307 Ok(key_pair) => Ok(Self {
308 key: Arc::new(key_pair),
309 scheme: SignatureScheme::ED25519,
310 }),
311 Err(e) => Err(Error::General(format!(
312 "failed to parse Ed25519 private key: {e}"
313 ))),
314 }
315 }
316}
317
318impl Debug for Ed25519Signer {
319 fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
320 f.debug_struct("Ed25519Signer")
321 .field("scheme", &self.scheme)
322 .finish()
323 }
324}
325
326#[cfg(any(test, bench))]
327fn load_key(
328 provider: &CryptoProvider,
329 der: PrivateKeyDer<'static>,
330) -> Result<Box<dyn SigningKey>, Error> {
331 provider
332 .key_provider
333 .load_private_key(der)
334}
335
336#[cfg(test)]
337mod tests {
338 use alloc::format;
339
340 use pki_types::{PrivatePkcs1KeyDer, PrivateSec1KeyDer};
341
342 use super::*;
343 use crate::crypto::aws_lc_rs::DEFAULT_PROVIDER;
344
345 #[test]
346 fn can_load_ecdsa_nistp256_pkcs8() {
347 let key =
348 PrivatePkcs8KeyDer::from(&include_bytes!("../../testdata/nistp256key.pkcs8.der")[..]);
349 assert!(Ed25519Signer::try_from(&key).is_err());
350 let key = PrivateKeyDer::Pkcs8(key);
351 assert!(load_key(&DEFAULT_PROVIDER, key.clone_key()).is_ok());
352 assert!(EcdsaSigner::try_from(&key).is_ok());
353 }
354
355 #[test]
356 fn can_load_ecdsa_nistp256_sec1() {
357 let key = PrivateKeyDer::Sec1(PrivateSec1KeyDer::from(
358 &include_bytes!("../../testdata/nistp256key.der")[..],
359 ));
360 assert!(load_key(&DEFAULT_PROVIDER, key.clone_key()).is_ok());
361 assert!(EcdsaSigner::try_from(&key).is_ok());
362 }
363
364 #[test]
365 fn can_sign_ecdsa_nistp256() {
366 let key = PrivateKeyDer::Sec1(PrivateSec1KeyDer::from(
367 &include_bytes!("../../testdata/nistp256key.der")[..],
368 ));
369
370 let k = load_key(&DEFAULT_PROVIDER, key.clone_key()).unwrap();
371 assert_eq!(
372 format!("{k:?}"),
373 "EcdsaSigner { scheme: ECDSA_NISTP256_SHA256 }"
374 );
375
376 assert!(
377 k.choose_scheme(&[SignatureScheme::RSA_PKCS1_SHA256])
378 .is_none()
379 );
380 assert!(
381 k.choose_scheme(&[SignatureScheme::ECDSA_NISTP384_SHA384])
382 .is_none()
383 );
384 let s = k
385 .choose_scheme(&[SignatureScheme::ECDSA_NISTP256_SHA256])
386 .unwrap();
387 assert_eq!(
388 format!("{s:?}"),
389 "EcdsaSigner { scheme: ECDSA_NISTP256_SHA256 }"
390 );
391 assert_eq!(s.scheme(), SignatureScheme::ECDSA_NISTP256_SHA256);
392 assert!(
394 s.sign(b"hello")
395 .unwrap()
396 .starts_with(&[0x30])
397 );
398 }
399
400 #[test]
401 fn can_load_ecdsa_nistp384_pkcs8() {
402 let key =
403 PrivatePkcs8KeyDer::from(&include_bytes!("../../testdata/nistp384key.pkcs8.der")[..]);
404 assert!(Ed25519Signer::try_from(&key).is_err());
405 let key = PrivateKeyDer::Pkcs8(key);
406 assert!(load_key(&DEFAULT_PROVIDER, key.clone_key()).is_ok());
407 assert!(EcdsaSigner::try_from(&key).is_ok());
408 }
409
410 #[test]
411 fn can_load_ecdsa_nistp384_sec1() {
412 let key = PrivateKeyDer::Sec1(PrivateSec1KeyDer::from(
413 &include_bytes!("../../testdata/nistp384key.der")[..],
414 ));
415 assert!(load_key(&DEFAULT_PROVIDER, key.clone_key()).is_ok());
416 assert!(EcdsaSigner::try_from(&key).is_ok());
417 }
418
419 #[test]
420 fn can_sign_ecdsa_nistp384() {
421 let key = PrivateKeyDer::Sec1(PrivateSec1KeyDer::from(
422 &include_bytes!("../../testdata/nistp384key.der")[..],
423 ));
424
425 let k = load_key(&DEFAULT_PROVIDER, key.clone_key()).unwrap();
426 assert_eq!(
427 format!("{k:?}"),
428 "EcdsaSigner { scheme: ECDSA_NISTP384_SHA384 }"
429 );
430
431 assert!(
432 k.choose_scheme(&[SignatureScheme::RSA_PKCS1_SHA256])
433 .is_none()
434 );
435 assert!(
436 k.choose_scheme(&[SignatureScheme::ECDSA_NISTP256_SHA256])
437 .is_none()
438 );
439 let s = k
440 .choose_scheme(&[SignatureScheme::ECDSA_NISTP384_SHA384])
441 .unwrap();
442 assert_eq!(
443 format!("{s:?}"),
444 "EcdsaSigner { scheme: ECDSA_NISTP384_SHA384 }"
445 );
446 assert_eq!(s.scheme(), SignatureScheme::ECDSA_NISTP384_SHA384);
447 assert!(
449 s.sign(b"hello")
450 .unwrap()
451 .starts_with(&[0x30])
452 );
453 }
454
455 #[test]
456 fn can_load_ecdsa_nistp521_pkcs8() {
457 let key =
458 PrivatePkcs8KeyDer::from(&include_bytes!("../../testdata/nistp521key.pkcs8.der")[..]);
459 assert!(Ed25519Signer::try_from(&key).is_err());
460 let key = PrivateKeyDer::Pkcs8(key);
461 assert!(load_key(&DEFAULT_PROVIDER, key.clone_key()).is_ok());
462 assert!(EcdsaSigner::try_from(&key).is_ok());
463 }
464
465 #[test]
466 fn can_load_ecdsa_nistp521_sec1() {
467 let key = PrivateKeyDer::Sec1(PrivateSec1KeyDer::from(
468 &include_bytes!("../../testdata/nistp521key.der")[..],
469 ));
470 assert!(load_key(&DEFAULT_PROVIDER, key.clone_key()).is_ok());
471 assert!(EcdsaSigner::try_from(&key).is_ok());
472 }
473
474 #[test]
475 fn can_sign_ecdsa_nistp521() {
476 let key = PrivateKeyDer::Sec1(PrivateSec1KeyDer::from(
477 &include_bytes!("../../testdata/nistp521key.der")[..],
478 ));
479
480 let k = load_key(&DEFAULT_PROVIDER, key.clone_key()).unwrap();
481 assert_eq!(
482 format!("{k:?}"),
483 "EcdsaSigner { scheme: ECDSA_NISTP521_SHA512 }"
484 );
485
486 assert!(
487 k.choose_scheme(&[SignatureScheme::RSA_PKCS1_SHA256])
488 .is_none()
489 );
490 assert!(
491 k.choose_scheme(&[SignatureScheme::ECDSA_NISTP256_SHA256])
492 .is_none()
493 );
494 assert!(
495 k.choose_scheme(&[SignatureScheme::ECDSA_NISTP384_SHA384])
496 .is_none()
497 );
498 let s = k
499 .choose_scheme(&[SignatureScheme::ECDSA_NISTP521_SHA512])
500 .unwrap();
501 assert_eq!(
502 format!("{s:?}"),
503 "EcdsaSigner { scheme: ECDSA_NISTP521_SHA512 }"
504 );
505 assert_eq!(s.scheme(), SignatureScheme::ECDSA_NISTP521_SHA512);
506 assert!(
508 s.sign(b"hello")
509 .unwrap()
510 .starts_with(&[0x30])
511 );
512 }
513
514 #[test]
515 fn can_load_eddsa_pkcs8() {
516 let key = PrivatePkcs8KeyDer::from(&include_bytes!("../../testdata/eddsakey.der")[..]);
517 assert!(Ed25519Signer::try_from(&key).is_ok());
518 let key = PrivateKeyDer::Pkcs8(key);
519 assert!(load_key(&DEFAULT_PROVIDER, key.clone_key()).is_ok());
520 assert!(EcdsaSigner::try_from(&key).is_err());
521 }
522
523 #[test]
524 fn can_sign_eddsa() {
525 let key = PrivatePkcs8KeyDer::from(&include_bytes!("../../testdata/eddsakey.der")[..]);
526
527 let k = Ed25519Signer::try_from(&key).unwrap();
528 assert_eq!(format!("{k:?}"), "Ed25519Signer { scheme: ED25519 }");
529
530 assert!(
531 k.choose_scheme(&[SignatureScheme::RSA_PKCS1_SHA256])
532 .is_none()
533 );
534 assert!(
535 k.choose_scheme(&[SignatureScheme::ECDSA_NISTP256_SHA256])
536 .is_none()
537 );
538 let s = k
539 .choose_scheme(&[SignatureScheme::ED25519])
540 .unwrap();
541 assert_eq!(format!("{s:?}"), "Ed25519Signer { scheme: ED25519 }");
542 assert_eq!(s.scheme(), SignatureScheme::ED25519);
543 assert_eq!(s.sign(b"hello").unwrap().len(), 64);
544 }
545
546 #[test]
547 fn can_load_rsa2048_pkcs8() {
548 let key =
549 PrivatePkcs8KeyDer::from(&include_bytes!("../../testdata/rsa2048key.pkcs8.der")[..]);
550 assert!(Ed25519Signer::try_from(&key).is_err());
551 let key = PrivateKeyDer::Pkcs8(key);
552 assert!(load_key(&DEFAULT_PROVIDER, key.clone_key()).is_ok());
553 assert!(EcdsaSigner::try_from(&key).is_err());
554 }
555
556 #[test]
557 fn can_load_rsa2048_pkcs1() {
558 let key = PrivateKeyDer::Pkcs1(PrivatePkcs1KeyDer::from(
559 &include_bytes!("../../testdata/rsa2048key.pkcs1.der")[..],
560 ));
561 assert!(load_key(&DEFAULT_PROVIDER, key.clone_key()).is_ok());
562 assert!(EcdsaSigner::try_from(&key).is_err());
563 }
564
565 #[test]
566 fn can_sign_rsa2048() {
567 let key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(
568 &include_bytes!("../../testdata/rsa2048key.pkcs8.der")[..],
569 ));
570
571 let k = load_key(&DEFAULT_PROVIDER, key.clone_key()).unwrap();
572 assert_eq!(format!("{k:?}"), "RsaSigningKey");
573
574 assert!(
575 k.choose_scheme(&[SignatureScheme::ECDSA_NISTP256_SHA256])
576 .is_none()
577 );
578 assert!(
579 k.choose_scheme(&[SignatureScheme::ED25519])
580 .is_none()
581 );
582
583 let s = k
584 .choose_scheme(&[SignatureScheme::RSA_PSS_SHA256])
585 .unwrap();
586 assert_eq!(format!("{s:?}"), "RsaSigner { scheme: RSA_PSS_SHA256 }");
587 assert_eq!(s.scheme(), SignatureScheme::RSA_PSS_SHA256);
588 assert_eq!(s.sign(b"hello").unwrap().len(), 256);
589
590 for scheme in &[
591 SignatureScheme::RSA_PKCS1_SHA256,
592 SignatureScheme::RSA_PKCS1_SHA384,
593 SignatureScheme::RSA_PKCS1_SHA512,
594 SignatureScheme::RSA_PSS_SHA256,
595 SignatureScheme::RSA_PSS_SHA384,
596 SignatureScheme::RSA_PSS_SHA512,
597 ] {
598 k.choose_scheme(&[*scheme]).unwrap();
599 }
600 }
601
602 #[test]
603 fn cannot_load_invalid_pkcs8_encoding() {
604 let key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(&b"invalid"[..]));
605 assert_eq!(
606 load_key(&DEFAULT_PROVIDER, key.clone_key()).err(),
607 Some(Error::General(
608 "failed to parse private key as RSA, ECDSA, or EdDSA".into()
609 ))
610 );
611 assert_eq!(
612 EcdsaSigner::try_from(&key).err(),
613 Some(Error::General(
614 "failed to parse ECDSA private key as PKCS#8 or SEC1".into()
615 ))
616 );
617 assert_eq!(
618 RsaSigningKey::try_from(&key).err(),
619 Some(Error::General(
620 "failed to parse RSA private key: InvalidEncoding".into()
621 ))
622 );
623 }
624}
625
626#[cfg(bench)]
627mod benchmarks {
628 use super::*;
629 use crate::crypto::aws_lc_rs::DEFAULT_PROVIDER;
630
631 #[bench]
632 fn bench_rsa2048_pkcs1_sha256(b: &mut test::Bencher) {
633 let key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(
634 &include_bytes!("../../testdata/rsa2048key.pkcs8.der")[..],
635 ));
636
637 let signer = RsaSigningKey::try_from(&key)
638 .unwrap()
639 .to_signer(SignatureScheme::RSA_PKCS1_SHA256);
640
641 b.iter(|| {
642 test::black_box(
643 signer
644 .sign(SAMPLE_TLS13_MESSAGE)
645 .unwrap(),
646 );
647 });
648 }
649
650 #[bench]
651 fn bench_rsa2048_pss_sha256(b: &mut test::Bencher) {
652 let key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(
653 &include_bytes!("../../testdata/rsa2048key.pkcs8.der")[..],
654 ));
655
656 let signer = RsaSigningKey::try_from(&key)
657 .unwrap()
658 .to_signer(SignatureScheme::RSA_PSS_SHA256);
659
660 b.iter(|| {
661 test::black_box(
662 signer
663 .sign(SAMPLE_TLS13_MESSAGE)
664 .unwrap(),
665 );
666 });
667 }
668
669 #[bench]
670 fn bench_eddsa(b: &mut test::Bencher) {
671 let key = PrivatePkcs8KeyDer::from(&include_bytes!("../../testdata/eddsakey.der")[..]);
672 let signer = Ed25519Signer::try_from(&key).unwrap();
673
674 b.iter(|| {
675 test::black_box(
676 signer
677 .sign(SAMPLE_TLS13_MESSAGE)
678 .unwrap(),
679 );
680 });
681 }
682
683 #[bench]
684 fn bench_ecdsa_p256_sha256(b: &mut test::Bencher) {
685 let key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(
686 &include_bytes!("../../testdata/nistp256key.pkcs8.der")[..],
687 ));
688
689 let signer = EcdsaSigner::try_from(&key).unwrap();
690 b.iter(|| {
691 test::black_box(
692 signer
693 .sign(SAMPLE_TLS13_MESSAGE)
694 .unwrap(),
695 );
696 });
697 }
698
699 #[bench]
700 fn bench_ecdsa_p384_sha384(b: &mut test::Bencher) {
701 let key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(
702 &include_bytes!("../../testdata/nistp384key.pkcs8.der")[..],
703 ));
704
705 let signer = EcdsaSigner::try_from(&key).unwrap();
706 b.iter(|| {
707 test::black_box(
708 signer
709 .sign(SAMPLE_TLS13_MESSAGE)
710 .unwrap(),
711 );
712 });
713 }
714
715 #[bench]
716 fn bench_ecdsa_p521_sha512(b: &mut test::Bencher) {
717 let key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(
718 &include_bytes!("../../testdata/nistp521key.pkcs8.der")[..],
719 ));
720
721 let signer = EcdsaSigner::try_from(&key).unwrap();
722 b.iter(|| {
723 test::black_box(
724 signer
725 .sign(SAMPLE_TLS13_MESSAGE)
726 .unwrap(),
727 );
728 });
729 }
730
731 #[bench]
732 fn bench_load_and_validate_rsa2048(b: &mut test::Bencher) {
733 let key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(
734 &include_bytes!("../../testdata/rsa2048key.pkcs8.der")[..],
735 ));
736
737 b.iter(|| {
738 test::black_box(load_key(&DEFAULT_PROVIDER, key.clone_key()).unwrap());
739 });
740 }
741
742 #[bench]
743 fn bench_load_and_validate_rsa4096(b: &mut test::Bencher) {
744 let key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(
745 &include_bytes!("../../testdata/rsa4096key.pkcs8.der")[..],
746 ));
747
748 b.iter(|| {
749 test::black_box(load_key(&DEFAULT_PROVIDER, key.clone_key()).unwrap());
750 });
751 }
752
753 #[bench]
754 fn bench_load_and_validate_p256(b: &mut test::Bencher) {
755 let key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(
756 &include_bytes!("../../testdata/nistp256key.pkcs8.der")[..],
757 ));
758
759 b.iter(|| {
760 test::black_box(EcdsaSigner::try_from(&key).unwrap());
761 });
762 }
763
764 #[bench]
765 fn bench_load_and_validate_p384(b: &mut test::Bencher) {
766 let key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(
767 &include_bytes!("../../testdata/nistp384key.pkcs8.der")[..],
768 ));
769
770 b.iter(|| {
771 test::black_box(EcdsaSigner::try_from(&key).unwrap());
772 });
773 }
774
775 #[bench]
776 fn bench_load_and_validate_p521(b: &mut test::Bencher) {
777 let key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(
778 &include_bytes!("../../testdata/nistp521key.pkcs8.der")[..],
779 ));
780
781 b.iter(|| {
782 test::black_box(EcdsaSigner::try_from(&key).unwrap());
783 });
784 }
785
786 #[bench]
787 fn bench_load_and_validate_eddsa(b: &mut test::Bencher) {
788 let key = PrivatePkcs8KeyDer::from(&include_bytes!("../../testdata/eddsakey.der")[..]);
789
790 b.iter(|| {
791 test::black_box(Ed25519Signer::try_from(&key).unwrap());
792 });
793 }
794
795 const SAMPLE_TLS13_MESSAGE: &[u8] = &[
796 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
797 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
798 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
799 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
800 0x20, 0x20, 0x20, 0x20, 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c, 0x20, 0x73, 0x65,
801 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74,
802 0x65, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x00, 0x04, 0xca, 0xc4, 0x48, 0x0e, 0x70, 0xf2,
803 0x1b, 0xa9, 0x1c, 0x16, 0xca, 0x90, 0x48, 0xbe, 0x28, 0x2f, 0xc7, 0xf8, 0x9b, 0x87, 0x72,
804 0x93, 0xda, 0x4d, 0x2f, 0x80, 0x80, 0x60, 0x1a, 0xd3, 0x08, 0xe2, 0xb7, 0x86, 0x14, 0x1b,
805 0x54, 0xda, 0x9a, 0xc9, 0x6d, 0xe9, 0x66, 0xb4, 0x9f, 0xe2, 0x2c,
806 ];
807}