| author | ojacobson <ojacobson@noreply.codeberg.org> | 2025-10-28 20:12:08 +0100 |
|---|---|---|
| committer | ojacobson <ojacobson@noreply.codeberg.org> | 2025-10-28 20:12:08 +0100 |
| commit | f866e480447746ce4958e5475d3c9e407812231f (patch) | |
| tree | fc97b7aa36a20a5af58a692e814cbd9fea0348cc /src/vapid/repo.rs | |
| parent | 4a91792e023a5877f8ac9b8a352e99c4486d698f (diff) | |
| parent | 11f4f36a689b6447c9898a2840418e581cb3eb11 (diff) | |
Use PKCS8 PEM, not raw SEC1 bytes, to store VAPID keys.
The `web-push` crate's VAPID signing support requires a private key. The `p256` crate is more than capable of generating one, but the easiest way to get a key from a `p256::ecdsa::SigningKey` to a `web_push::PartialVapidSignature` is via PKCS #8 PEM, not via the bytes. Since we'll need it in that form anyways, store it that way, so that we don't have to decode it using `p256`, re-encode to PEM, then decode to `PartialVapidSignature`.
The migration in this commit invalidates existing VAPID keys. We could include support for re-encoding them on read, but there's little point: this code is still in flux anyways, and only development deployments exist. By the time this is final, the schema will have settled.
Merges pem-stored-vapid into push-notify.
Diffstat (limited to 'src/vapid/repo.rs')
| -rw-r--r-- | src/vapid/repo.rs | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/src/vapid/repo.rs b/src/vapid/repo.rs index 4ac5286..98b3bae 100644 --- a/src/vapid/repo.rs +++ b/src/vapid/repo.rs @@ -1,4 +1,7 @@ -use p256::{NistP256, ecdsa::SigningKey, elliptic_curve::FieldBytes}; +use p256::{ + ecdsa::SigningKey, + pkcs8::{DecodePrivateKey as _, EncodePrivateKey as _, LineEnding}, +}; use sqlx::{Sqlite, SqliteConnection, Transaction}; use super::{ @@ -76,8 +79,8 @@ impl Vapid<'_> { } pub async fn store_signing_key(&mut self, key: &SigningKey) -> Result<(), Error> { - let key = key.to_bytes(); - let key = key.as_slice(); + let key = key.to_pkcs8_pem(LineEnding::CRLF)?; + let key = key.as_str(); sqlx::query!( r#" insert into vapid_signing_key (key) @@ -97,14 +100,13 @@ impl Vapid<'_> { select key.changed_at as "changed_at: DateTime", key.changed_sequence as "changed_sequence: Sequence", - signing.key as "key: Vec<u8>" + signing.key from vapid_key as key join vapid_signing_key as signing "# ) .map(|row| { - let key = FieldBytes::<NistP256>::from_slice(&row.key); - let key = SigningKey::from_bytes(key)?; + let key = SigningKey::from_pkcs8_pem(&row.key)?; let key = key.verifying_key().to_owned(); let changed = Instant::new(row.changed_at, row.changed_sequence); @@ -122,6 +124,7 @@ impl Vapid<'_> { #[error(transparent)] pub enum Error { Ecdsa(#[from] p256::ecdsa::Error), + Pkcs8(#[from] p256::pkcs8::Error), Database(#[from] sqlx::Error), } |
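Review bot: `store_signing_key` now persists the private key as unencrypted PKCS #8 PEM (`to_pkcs8_pem`), and nothing on the function records that, so the protection of the key rests entirely on who can read the SQLite file and its backups. I would add a doc comment such as `/// Persists the VAPID private key as unencrypted PKCS #8 PEM; treat the database file and its backups as secrets.` Borrowing the encoded key with `as_str()` keeps the zeroizing buffer returned by `to_pkcs8_pem` as the owner, which is good; whether sqlx copies the bound text internally is not visible here. The function body continues past the end of the hunk.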
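Review bot: In the `.map(|row| …)` closure the private-key PEM arrives as a plain `String` in `row.key` and is parsed into a `SigningKey` only to derive the verifying key, so secret material is loaded into memory that is not wiped on drop, on a path that needs only the public half. Consider moving the text into a zeroizing wrapper before parsing, `let pem = Zeroizing::new(row.key);` followed by `SigningKey::from_pkcs8_pem(&pem)?` (assuming `zeroize` is available to this crate), or storing the public key in its own column so this query does not read `vapid_signing_key` at all. Dropping the `Vec<u8>` override on `signing.key` also depends on the migration having made that column text, which this file-limited diff does not show. The enclosing function starts before and ends after the hunk.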
