ssl, public_key: Add possiblity to provide customize options to key signing fun

IngelaAndin · IngelaAndin · commit c4e270407a94 · 2023-11-27T11:44:28.000+01:00
diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml
@@ -145,6 +145,14 @@
       </desc>
     </datatype>
 
+     <datatype>
+      <name name="custom_key_opts"/>
+      <desc>
+	<p>Can be provided together with a custom private key, that specifies a key fun,
+	to provide additional options understood by the fun.</p>
+      </desc>
+    </datatype>
+
     <datatype>
       <name name="ed_oid_name"/>
       <desc>
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
@@ -124,6 +124,7 @@
                                  ed_private_key() |
                                  #{algorithm := eddsa | rsa_pss_pss | ecdsa | rsa | dsa,
                                    sign_fun => fun()} .
+-type custom_key_opts()      :: [term()].
 -type rsa_public_key()       ::  #'RSAPublicKey'{}.
 -type rsa_private_key()      ::  #'RSAPrivateKey'{} | #{algorithm := rsa,
                                                         encrypt_fun => fun()}.
@@ -646,7 +647,7 @@ encrypt_private(PlainText, Key) ->
 			     CipherText
                                  when  PlainText :: binary(),
                                        Key :: rsa_private_key(),
-                                       Options :: crypto:pk_encrypt_decrypt_opts(),
+                                       Options :: crypto:pk_encrypt_decrypt_opts() | custom_key_opts(),
                                        CipherText :: binary() .
 encrypt_private(PlainText, Key, Options)
   when is_binary(PlainText),
@@ -842,7 +843,7 @@ sign(DigestOrPlainText, DigestType, Key) ->
                   Signature when Msg ::  binary() | {digest,binary()},
                                  DigestType :: digest_type(),
                                  Key :: private_key(),
-                                 Options :: crypto:pk_sign_verify_opts(),
+                                 Options :: crypto:pk_sign_verify_opts() | custom_key_opts(),
                                  Signature :: binary() .
 sign(Digest, none, Key = #'DSAPrivateKey'{}, Options) when is_binary(Digest) ->
     %% Backwards compatible
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
@@ -345,7 +345,7 @@
       <desc>
 	
 	<p>The user's private key. The map formats referring to a
-	crypto engine/provider (with key reference information) or Erlang fun,
+	crypto engine/provider (with key reference information) or Erlang fun (with possible custom options),
 	can both be used for customized signing with
 	for instance hardware security modules (HSM) or trusted
 	platform modules (TPM). </p>
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
@@ -355,7 +355,9 @@
                                        password => crypto:password()} |
                                      #{algorithm := sign_algo(),
                                        sign_fun := fun(),
-                                       encrypt_fun => fun() %% Only TLS-1.0, TLS-1.1 and rsa-key
+                                       sign_opts => list(),
+                                       encrypt_fun => fun(), %% Only TLS-1.0, TLS-1.1 and rsa-key
+                                       encrypt_opts => list()
                                       }. % exported
 -type key_pem()                   :: file:filename().
 -type key_pem_password()          :: iodata() | fun(() -> iodata()).
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
@@ -2152,13 +2152,15 @@ do_digitally_signed(Version, Msg, HashAlgo, {#'RSAPrivateKey'{} = Key,
                                              #'RSASSA-PSS-params'{}}, SignAlgo) when ?TLS_GTE(Version, ?TLS_1_2) ->
     Options = signature_options(SignAlgo, HashAlgo),
     public_key:sign(Msg, HashAlgo, Key, Options);
-do_digitally_signed(Version, {digest, Digest}, _HashAlgo, #'RSAPrivateKey'{} = Key, rsa) 
+do_digitally_signed(Version, {digest, Digest}, _HashAlgo, #'RSAPrivateKey'{} = Key, rsa)
   when ?TLS_LTE(Version, ?TLS_1_1) ->
     public_key:encrypt_private(Digest, Key,
 			       [{rsa_pad, rsa_pkcs1_padding}]);
-do_digitally_signed(Version, {digest, Digest}, _HashAlgo, #{algorithm := rsa, encrypt_fun := _} = Key, rsa) 
+do_digitally_signed(Version, {digest, Digest}, _HashAlgo, #{algorithm := rsa, encrypt_fun := Fun} = Key0, rsa)
   when ?TLS_LTE(Version, ?TLS_1_1) ->
-    public_key:encrypt_private(Digest, Key, [{rsa_pad, rsa_pkcs1_padding}]);
+    CustomOpts = maps:get(encrypt_opts, Key0, []),
+    Key = #{algorithm => rsa, encrypt_fun => Fun},
+    public_key:encrypt_private(Digest, Key, CustomOpts ++ [{rsa_pad, rsa_pkcs1_padding}]);
 do_digitally_signed(Version, {digest, Digest}, _,
                     #{algorithm := rsa, engine := _} = Engine, rsa) when ?TLS_LTE(Version, ?TLS_1_1) ->
     crypto:private_encrypt(rsa, Digest, maps:remove(algorithm, Engine),
@@ -2168,6 +2170,11 @@ do_digitally_signed(_, Msg, HashAlgo, #{algorithm := Alg, engine := _} = Engine,
     crypto:sign(Alg, HashAlgo, Msg, maps:remove(algorithm, Engine), Options);
 do_digitally_signed(Version, {digest, _} = Msg , HashAlgo, Key, _) when ?TLS_LTE(Version,?TLS_1_1) ->
     public_key:sign(Msg, HashAlgo, Key);
+do_digitally_signed(_, Msg, HashAlgo, #{algorithm := SignAlgo, sign_fun := Fun} = Key0, SignAlgo) ->
+    CustomOpts = maps:get(sign_opts, Key0, []),
+    Options = signature_options(SignAlgo, HashAlgo),
+    Key = #{algorithm => SignAlgo, sign_fun => Fun},
+    public_key:sign(Msg, HashAlgo, Key, CustomOpts ++ Options);
 do_digitally_signed(_, Msg, HashAlgo, Key, SignAlgo) ->
     Options = signature_options(SignAlgo, HashAlgo),
     public_key:sign(Msg, HashAlgo, Key, Options).
