From 11f4f36a689b6447c9898a2840418e581cb3eb11 Mon Sep 17 00:00:00 2001
From: Owen Jacobson
Date: Tue, 28 Oct 2025 14:10:48 -0400
Subject: Use PKCS8 PEM, not raw SEC1 bytes, to store VAPID keys.

The `web-push` crate's VAPID signing support requires a private key. The `p256` crate is more than capable of generating one, but the easiest way to get a key from a `p256::ecdsa::SigningKey` to a `web_push::PartialVapidSignature` is via PKCS #8 PEM, not via the bytes. Since we'll need it in that form anyways, store it that way, so that we don't have to decode it using `p256`, re-encode to PEM, then decode to `PartialVapidSignature`. The migration in this commit invalidates existing VAPID keys. We could include support for re-encoding them on read, but there's little point: this code is still in flux anyways, and only development deployments exist. By the time this is final, the schema will have settled.
---
 src/vapid/app.rs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'src/vapid/app.rs')

diff --git a/src/vapid/app.rs b/src/vapid/app.rs
index 5814ba0..b6e1bc5 100644
--- a/src/vapid/app.rs
+++ b/src/vapid/app.rs
@@ -86,11 +86,11 @@ impl<'a> Vapid<'a> {
 }

 #[derive(Debug, thiserror::Error)]
+#[error(transparent)]
 pub enum Error {
- #[error(transparent)]
 Database(#[from] sqlx::Error),
- #[error(transparent)]
 Ecdsa(#[from] p256::ecdsa::Error),
+ Pkcs8(#[from] p256::pkcs8::Error),
 }

 impl From for Error {
@@ -99,6 +99,7 @@ impl From for Error {
 match error {
 Error::Database(error) => error.into(),
 Error::Ecdsa(error) => error.into(),
+ Error::Pkcs8(error) => error.into(),
 }
 }
 }
-- 
cgit v1.2.3
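Review bot: The new `Pkcs8` variant in the first hunk has no doc comment saying which operation produces it, and with `#[error(transparent)]` now on the whole enum its message is whatever `p256::pkcs8::Error` prints. I would add `/// Encoding or decoding the VAPID private key as PKCS #8 PEM failed.` above the variant so that a log line or call site can be traced back to key storage rather than to signing. The arm added in the second hunk, `Error::Pkcs8(error) => error.into()`, forwards that error into a type defined outside the diff (the generic arguments of `impl From` are missing from this page). A stored private key that fails to decode is a server-side fault, so that conversion should presumably log the detail and return a generic failure rather than the inner message; worth confirming against the target type. The `impl` block begins outside the second hunk, and any row that survives the migration in the old SEC1 form would presumably surface through this variant on read.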