Conversation

@LebedevRI

I've stumbled into this when trying to write a simple rustls-driven server with self-signed cert.

The "obvious" and safe way to go from `KeyPair` to `PrivateKeyDer` seems to be round-tripping via PEM:

```rust
rustls::pki_types::PrivateKeyDer::from_pem_slice(
    signing_key.serialize_pem().as_bytes(),
)
```

But `rcgen::key_pair::KeyPair::serialized_der()` is

```rust
/// Returns a reference to the serialized key pair (including the private key)
/// in PKCS#8 format in DER
```

and `PrivateKeyDer` can be constructed from such an input.
This avoids memory allocation and PEM round-tripping,
both of which are optional features anyways,
and this conversion is non-failing.

Perhaps it makes sense to provide this QOL interface?

@LebedevRI LebedevRI force-pushed the PrivateKeyDer-from-KeyPair branch from 9a630fb to 2de3e3c December 24, 2025 18:24
@djc
Member

djc commented Dec 29, 2025

What is your use case for this exactly? We typically prefer not to use shared (immutable) references to propagate private key material, instead transferring it by ownership only. The current rcgen is not so strict in this regard, but I'd prefer not to make it worse, and it seems like you can already do what you need today (I think the easier route would be `PrivatePkcs8KeyDer::from(key.serialized_der()).to_owned()`).

@LebedevRI
Author

> What is your use case for this exactly?

```rust
let rcgen::CertifiedKey { cert, signing_key } =
    Self::generate_tls_key()?;

let certs = vec![cert.der().clone()];

// \/
let key = rustls::pki_types::PrivateKeyDer::from_pem_slice(
    signing_key.serialize_pem().as_bytes(),
)?;

let config = rustls::ServerConfig::builder()
    .with_no_client_auth()
    .with_single_cert(certs, key)?;
// /\
```

> We typically prefer not to use shared (immutable) references to propagate private key material, instead transferring it by ownership only. The current rcgen is not so strict in this regard, but I'd prefer not to make it worse, and it seems like you can already do what you need today (I think the easier route would be `PrivatePkcs8KeyDer::from(key.serialized_der()).to_owned()`).

Well, if this is intentional, then okay, I guess. But this really seems odd from the outside.

@djc
Member

djc commented Dec 29, 2025

I would be open to taking a `From<KeyPair> for PrivateKeyDer<'static>`.

@LebedevRI
Author

LebedevRI commented Dec 29, 2025

> I would be open to taking a `From<KeyPair> for PrivateKeyDer<'static>`.

Okay, is this what you had in mind?
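The design point settled in this thread, as an added, self-contained example (not code from this PR, rcgen or rustls): the real `rcgen::KeyPair`, `PrivatePkcs8KeyDer`, `PrivateKeyDer` and `ServerConfig` are replaced by hypothetical stand-in types of the same shape, so that the two routes can be compared without the crates. Route A borrows the DER from the key pair and then has to copy it out to satisfy the `'static` bound that a server config needs; route B, the `From<KeyPair> for PrivateKeyDer<'static>` accepted by the maintainer, consumes the key pair and hands its existing allocation over, so there is only ever one copy of the secret to wipe. The key bytes are a constructed placeholder, not real key material.

```rust
use std::borrow::Cow;

/// Stand-in for `rcgen::KeyPair` (hypothetical, not the real type): owns the
/// PKCS#8 DER encoding of a private key and wipes it on drop.
pub struct KeyPair {
    pkcs8_der: Vec<u8>,
}

impl KeyPair {
    /// Constructed sample: a placeholder byte string standing in for PKCS#8 DER.
    pub fn generate_placeholder() -> KeyPair {
        KeyPair { pkcs8_der: b"PLACEHOLDER-PKCS8-DER-BYTES".to_vec() }
    }

    /// Mirrors `rcgen::KeyPair::serialized_der`: a shared borrow of the secret bytes.
    pub fn serialized_der(&self) -> &[u8] {
        &self.pkcs8_der
    }
}

impl Drop for KeyPair {
    /// Best-effort zeroization: whatever is still in the buffer is overwritten.
    fn drop(&mut self) {
        for b in self.pkcs8_der.iter_mut() {
            *b = 0;
        }
    }
}

/// Stand-in for `PrivatePkcs8KeyDer<'a>`: a `Cow` so the key can either borrow
/// from a `KeyPair` or own its bytes.
pub struct PrivatePkcs8KeyDer<'a>(Cow<'a, [u8]>);

impl<'a> From<&'a [u8]> for PrivatePkcs8KeyDer<'a> {
    fn from(der: &'a [u8]) -> Self {
        PrivatePkcs8KeyDer(Cow::Borrowed(der))
    }
}

impl From<Vec<u8>> for PrivatePkcs8KeyDer<'static> {
    fn from(der: Vec<u8>) -> Self {
        PrivatePkcs8KeyDer(Cow::Owned(der))
    }
}

impl<'a> PrivatePkcs8KeyDer<'a> {
    pub fn secret_pkcs8_der(&self) -> &[u8] {
        &self.0
    }

    /// Detaches from the borrow by copying the secret into a fresh allocation.
    pub fn clone_key(&self) -> PrivatePkcs8KeyDer<'static> {
        PrivatePkcs8KeyDer(Cow::Owned(self.0.to_vec()))
    }
}

pub enum PrivateKeyDer<'a> {
    Pkcs8(PrivatePkcs8KeyDer<'a>),
}

impl<'a> PrivateKeyDer<'a> {
    pub fn secret_der(&self) -> &[u8] {
        match self {
            PrivateKeyDer::Pkcs8(k) => k.secret_pkcs8_der(),
        }
    }
}

/// Route B: consume the `KeyPair` and move its allocation into the `'static`
/// key. No copy, no re-encoding, and it cannot fail.
impl From<KeyPair> for PrivateKeyDer<'static> {
    fn from(mut kp: KeyPair) -> Self {
        // Take the buffer out; `kp` is then dropped holding an empty Vec.
        let der = std::mem::take(&mut kp.pkcs8_der);
        PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(der))
    }
}

/// Stand-in for a server config, which (like rustls) demands a `'static` key
/// because the config outlives whatever produced it.
pub struct ServerConfig {
    key: PrivateKeyDer<'static>,
}

impl ServerConfig {
    pub fn with_single_cert(key: PrivateKeyDer<'static>) -> ServerConfig {
        ServerConfig { key }
    }

    pub fn key_len(&self) -> usize {
        self.key.secret_der().len()
    }
}

/// Route A: borrow, then copy out to satisfy the `'static` bound.
/// The secret now lives in two allocations, only one of which is wiped by `KeyPair`.
pub fn config_via_borrow_and_copy(kp: &KeyPair) -> ServerConfig {
    let borrowed = PrivatePkcs8KeyDer::from(kp.serialized_der());
    let owned: PrivateKeyDer<'static> = PrivateKeyDer::Pkcs8(borrowed.clone_key());
    ServerConfig::with_single_cert(owned)
}

/// Route B, as a caller sees it: the key pair is gone after this call.
pub fn config_via_ownership(kp: KeyPair) -> ServerConfig {
    ServerConfig::with_single_cert(PrivateKeyDer::from(kp))
}

/// True if the by-value conversion reused the key pair's original allocation.
pub fn ownership_reuses_allocation() -> bool {
    let kp = KeyPair::generate_placeholder();
    let before = kp.pkcs8_der.as_ptr();
    let key = PrivateKeyDer::from(kp);
    key.secret_der().as_ptr() == before
}

/// True if the borrow-and-copy route produced a second copy of the same secret.
pub fn copy_path_duplicates_secret() -> bool {
    let kp = KeyPair::generate_placeholder();
    let before = kp.pkcs8_der.as_ptr();
    let cfg = config_via_borrow_and_copy(&kp);
    cfg.key.secret_der().as_ptr() != before && kp.serialized_der() == cfg.key.secret_der()
}

fn main() {
    println!("by-value From reuses allocation: {}", ownership_reuses_allocation());
    println!("borrow+copy duplicates secret:   {}", copy_path_duplicates_secret());
}
```

The `'static` requirement is what makes the borrowed `From<&'a KeyPair>` shape awkward in practice: a key tied to the lifetime of the pair cannot be handed to a long-lived config without a copy, which is exactly the extra allocation the by-value conversion avoids.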

@LebedevRI LebedevRI changed the title from `Implement From<&'a KeyPair> for PrivateKeyDer<'a>` to `Implement From<KeyPair> for PrivateKeyDer<'static>` Dec 29, 2025
@LebedevRI
Author

@djc thank you for taking a look!

@djc
Member

djc commented Dec 29, 2025

(We're using the merge queue to rebase, so we'll need all the commits to be squashed into a single one.)

The "obvious" and safe way to go from `KeyPair` to `PrivateKeyDer`
seems to be round-tripping via PEM:
```
rustls::pki_types::PrivateKeyDer::from_pem_slice(
    signing_key.serialize_pem().as_bytes(),
)
```

But `rcgen::key_pair::KeyPair::serialized_der()` is
```
/// Returns a reference to the serialized key pair (including the private key)
/// in PKCS#8 format in DER
```
and `PrivateKeyDer` can be constructed from such an input.
This avoids memory allocation and PEM round-tripping,
both of which are optional features anyways,
and this conversion is non-failing.
@LebedevRI LebedevRI force-pushed the PrivateKeyDer-from-KeyPair branch from 7db82fb to 46bf626 December 29, 2025 16:22
@djc djc requested review from cpu and est31 December 29, 2025 16:24
@LebedevRI
Author

@djc thank you!
