Migrate parsing of private keys to Rust

[alex]

No description provided.

[alex]

paramiko failures are due to paramiko/paramiko#2490 (probably)

[alex]

test cases needed to coverage:

• pkcs8 envelope with invalid version
• pkcs8 envelope with unknown OID
• pkcs8 envelope with EC key where the inner params don't match the outer params
• PKCS#1 EC key with missing params
• EC key (either format) where public key isn't serialization
• PKCS#1 DSA key with invalid version
• PKCS#1 RSA key with invalid version
• PKSC#1 RSA key that's multi-prime
• EC key (with version) with invalid version
• EC key with inner and outer params that do match

[alex]

Test cases we need:

• Encrypted PKCS#8, PBES2 with 3DES-CBC
• Encrypted PKCS#8, PBES2 with unknown encryption algorithm
• Encrypted PKCS#8, PBES2 PBKDF2 with unknown PRF algorithm
• Encrypted PKCS#8, PBES2 with unknown KDF
• Encrypted PEM with no DEK-Info
• Encrypted PEM with DEK-Info that doesn't have two, comma separated components
• Encrypted PEM with DEK-Info where the IV isn't valid hex
• Unit tests for hex_decode

Copilot reviewed 6 out of 18 changed files in this pull request and generated no comments.

Files not reviewed (12)

• .github/downstream.d/paramiko.sh: Language not supported
• tests/hazmat/primitives/test_serialization.py: Evaluated as low risk
• tests/hazmat/primitives/test_dsa.py: Evaluated as low risk
• tests/hazmat/primitives/test_rsa.py: Evaluated as low risk
• src/rust/cryptography-x509/src/pkcs8.rs: Evaluated as low risk
• tests/hazmat/backends/test_openssl.py: Evaluated as low risk
• src/rust/cryptography-key-parsing/src/lib.rs: Evaluated as low risk
• tests/hazmat/primitives/test_ec.py: Evaluated as low risk
• src/rust/src/backend/ec.rs: Evaluated as low risk
• src/rust/src/error.rs: Evaluated as low risk
• src/rust/cryptography-key-parsing/Cargo.toml: Evaluated as low risk
• src/rust/cryptography-key-parsing/src/rsa.rs: Evaluated as low risk

Comments suppressed due to low confidence (6)

src/rust/cryptography-key-parsing/src/pkcs8.rs:111

• [nitpick] The error message for unsupported key types might not be clear enough for the user to understand what went wrong. It should provide more context about the unsupported key type.

Err(KeyParsingError::UnsupportedKeyType(k.algorithm.oid().clone()))

src/rust/cryptography-key-parsing/src/pkcs8.rs:21

• The function parse_private_key handles various algorithm parameters, but there is no indication that each case is covered by tests. Ensure that test cases exist for each algorithm parameter handled in this function.

pub fn parse_private_key(data: &[u8]) -> KeyParsingResult<openssl::pkey::PKey<openssl::pkey::Private>> {

src/rust/src/backend/keys.rs:100

• Ensure that similar errors are handled consistently throughout the code.

return Err(CryptographyError::from(pyo3::exceptions::PyTypeError::new_err("Password was not given but private key is encrypted")));

src/rust/src/backend/keys.rs:78

• [nitpick] Avoid redundant clone operations to improve performance.

let tag = p.tag().to_string();

src/rust/src/backend/keys.rs:112

• Ensure that all possible ciphers are covered or that the error message provides enough information for debugging.

return Err(CryptographyError::from(pyo3::exceptions::PyValueError::new_err("Key encrypted with unknown cipher.")));

src/rust/cryptography-key-parsing/src/dsa.rs:17

• [nitpick] The function name parse_pkcs1_private_key is misleading as PKCS#1 is typically associated with RSA keys, not DSA keys. Consider renaming it to parse_dsa_private_key.

pub fn parse_pkcs1_private_key(