Use PrivatePkcs8KeyDer consistently in API

Author: djc

src/account.rs

@@ -233,7 +233,7 @@ impl Account {
             old_key: Jwk,
         }
 
-        let (new_key, new_key_pkcs8) = Key::generate()?;
+        let (new_key, new_key_pkcs8) = Key::generate_pkcs8()?;
         let mut header = new_key.header(Some("nonce"), new_key_url);
         header.nonce = None;
         let payload = NewKey {
@@ -359,10 +359,7 @@ impl AccountInner {
     ) -> Result<Self, Error> {
         Ok(Self {
             id: credentials.id,
-            key: match credentials.key_pkcs8 {
-                PrivateKeyDer::Pkcs8(inner) => Key::from_pkcs8_der(inner)?,
-                _ => return Err("unsupported key format, expected PKCS#8".into()),
-            },
+            key: Key::from_pkcs8_der(credentials.key_pkcs8)?,
             client: Arc::new(match (credentials.directory, credentials.urls) {
                 (Some(directory_url), _) => Client::new(directory_url, http).await?,
                 (None, Some(directory)) => Client {
@@ -441,7 +438,7 @@ impl AccountBuilder {
         directory_url: String,
         external_account: Option<&ExternalAccountKey>,
     ) -> Result<(Account, AccountCredentials), Error> {
-        let (key, key_pkcs8) = Key::generate()?;
+        let (key, key_pkcs8) = Key::generate_pkcs8()?;
         Self::create_inner(
             account,
             (key, key_pkcs8),
@@ -468,7 +465,10 @@ impl AccountBuilder {
                 terms_of_service_agreed: true,
                 only_return_existing: true,
             },
-            key,
+            match key {
+                (key, PrivateKeyDer::Pkcs8(pkcs8)) => (key, pkcs8),
+                _ => return Err("unsupported key format, expected PKCS#8".into()),
+            },
             None,
             Client::new(directory_url, self.http).await?,
         )
@@ -497,7 +497,7 @@ impl AccountBuilder {
 
     async fn create_inner(
         account: &NewAccount<'_>,
-        (key, key_pkcs8): (Key, PrivateKeyDer<'static>),
+        (key, key_pkcs8): (Key, PrivatePkcs8KeyDer<'static>),
         external_account: Option<&ExternalAccountKey>,
         client: Client,
     ) -> Result<(Account, AccountCredentials), Error> {
@@ -562,14 +562,21 @@ pub struct Key {
 
 impl Key {
     /// Generate a new ECDSA P-256 key pair
+    #[deprecated(since = "0.8.3", note = "use `generate_pkcs8()` instead")]
     pub fn generate() -> Result<(Self, PrivateKeyDer<'static>), Error> {
+        let (key, pkcs8) = Self::generate_pkcs8()?;
+        Ok((key, PrivateKeyDer::Pkcs8(pkcs8)))
+    }
+
+    /// Generate a new ECDSA P-256 key pair
+    pub fn generate_pkcs8() -> Result<(Self, PrivatePkcs8KeyDer<'static>), Error> {
         let rng = crypto::SystemRandom::new();
         let pkcs8 =
             crypto::EcdsaKeyPair::generate_pkcs8(&crypto::ECDSA_P256_SHA256_FIXED_SIGNING, &rng)
                 .map_err(|_| Error::Crypto)?;
         Ok((
             Self::new(pkcs8.as_ref(), rng)?,
-            PrivatePkcs8KeyDer::from(pkcs8.as_ref().to_vec()).into(),
+            PrivatePkcs8KeyDer::from(pkcs8.as_ref().to_vec()),
         ))
     }
 

src/types.rs

@@ -6,7 +6,7 @@ use std::time::Instant;
 
 use base64::prelude::{BASE64_URL_SAFE_NO_PAD, Engine};
 use bytes::Bytes;
-use rustls_pki_types::{CertificateDer, Der, PrivateKeyDer};
+use rustls_pki_types::{CertificateDer, Der, PrivatePkcs8KeyDer};
 use serde::de::{self, DeserializeOwned};
 use serde::ser::SerializeMap;
 use serde::{Deserialize, Serialize};
@@ -90,7 +90,7 @@ pub struct AccountCredentials {
     pub(crate) id: String,
     /// Stored in DER, serialized as base64
     #[serde(with = "pkcs8_serde")]
-    pub(crate) key_pkcs8: PrivateKeyDer<'static>,
+    pub(crate) key_pkcs8: PrivatePkcs8KeyDer<'static>,
     pub(crate) directory: Option<String>,
     /// We never serialize `urls` by default, but we support deserializing them
     /// in order to support serialized data from older versions of the library.
@@ -102,37 +102,32 @@ mod pkcs8_serde {
     use std::fmt;
 
     use base64::prelude::{BASE64_URL_SAFE_NO_PAD, Engine};
-    use rustls_pki_types::PrivateKeyDer;
+    use rustls_pki_types::PrivatePkcs8KeyDer;
     use serde::{Deserializer, Serializer, de};
 
     pub(crate) fn serialize<S: Serializer>(
-        key_pkcs8: &PrivateKeyDer<'_>,
+        key_pkcs8: &PrivatePkcs8KeyDer<'_>,
         serializer: S,
     ) -> Result<S::Ok, S::Error> {
-        let encoded = BASE64_URL_SAFE_NO_PAD.encode(key_pkcs8.secret_der());
+        let encoded = BASE64_URL_SAFE_NO_PAD.encode(key_pkcs8.secret_pkcs8_der());
         serializer.serialize_str(&encoded)
     }
 
     pub(crate) fn deserialize<'de, D: Deserializer<'de>>(
         deserializer: D,
-    ) -> Result<PrivateKeyDer<'static>, D::Error> {
+    ) -> Result<PrivatePkcs8KeyDer<'static>, D::Error> {
         struct Visitor;
 
         impl de::Visitor<'_> for Visitor {
-            type Value = PrivateKeyDer<'static>;
+            type Value = PrivatePkcs8KeyDer<'static>;
 
             fn expecting(&self, formatter: &mut fmt::Formatter<'_>) -> fmt::Result {
                 formatter.write_str("a base64-encoded PKCS#8 private key")
             }
 
             fn visit_str<E: de::Error>(self, v: &str) -> Result<Self::Value, E> {
-                let bytes = match BASE64_URL_SAFE_NO_PAD.decode(v) {
-                    Ok(bytes) => bytes,
-                    Err(err) => return Err(de::Error::custom(err)),
-                };
-
-                match PrivateKeyDer::try_from(bytes) {
-                    Ok(key) => Ok(key),
+                match BASE64_URL_SAFE_NO_PAD.decode(v) {
+                    Ok(bytes) => Ok(PrivatePkcs8KeyDer::from(bytes)),
                     Err(err) => Err(de::Error::custom(err)),
                 }
             }