From 53def53c326d711d692726341bc2be2dca293d95 Mon Sep 17 00:00:00 2001
From: Oliver Gould <ver@buoyant.io>
Date: Fri, 11 Jul 2025 00:05:33 +0000
Subject: [PATCH] refactor(meshtls-rustls): use generalized key type

---
 Cargo.toml                                |  1 -
 linkerd/meshtls/rustls/src/creds.rs       |  9 ----
 linkerd/meshtls/rustls/src/creds/store.rs | 60 +++++------------------
 3 files changed, 12 insertions(+), 58 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index 458fc8fd2..5ff2ef2f3 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -115,7 +115,6 @@ prost = { version = "0.13" }
 prost-build = { version = "0.13", default-features = false }
 prost-types = { version = "0.13" }
 tokio-rustls = { version = "0.26", default-features = false, features = [
-    "ring",
     "logging",
 ] }
 tonic = { version = "0.12", default-features = false }
diff --git a/linkerd/meshtls/rustls/src/creds.rs b/linkerd/meshtls/rustls/src/creds.rs
index 112ed8d30..af6e06be9 100644
--- a/linkerd/meshtls/rustls/src/creds.rs
+++ b/linkerd/meshtls/rustls/src/creds.rs
@@ -8,17 +8,12 @@ pub use self::{receiver::Receiver, store::Store};
 use linkerd_dns_name as dns;
 use linkerd_error::Result;
 use linkerd_identity as id;
-use ring::error::KeyRejected;
 use std::sync::Arc;
 use thiserror::Error;
 use tokio::sync::watch;
 use tokio_rustls::rustls::{self, crypto::CryptoProvider};
 use tracing::warn;
 
-#[derive(Debug, Error)]
-#[error("{0}")]
-pub struct InvalidKey(#[source] KeyRejected);
-
 #[derive(Debug, Error)]
 #[error("invalid trust roots")]
 pub struct InvalidTrustRoots(());
@@ -118,12 +113,8 @@ mod params {
     use tokio_rustls::rustls::{self, crypto::WebPkiSupportedAlgorithms};
 
     // These must be kept in sync:
-    pub static SIGNATURE_ALG_RING_SIGNING: &ring::signature::EcdsaSigningAlgorithm =
-        &ring::signature::ECDSA_P256_SHA256_ASN1_SIGNING;
     pub const SIGNATURE_ALG_RUSTLS_SCHEME: rustls::SignatureScheme =
         rustls::SignatureScheme::ECDSA_NISTP256_SHA256;
-    pub const SIGNATURE_ALG_RUSTLS_ALGORITHM: rustls::SignatureAlgorithm =
-        rustls::SignatureAlgorithm::ECDSA;
     pub static SUPPORTED_SIG_ALGS: &WebPkiSupportedAlgorithms = backend::SUPPORTED_SIG_ALGS;
     pub static TLS_VERSIONS: &[&rustls::SupportedProtocolVersion] = &[&rustls::version::TLS13];
     pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] =
diff --git a/linkerd/meshtls/rustls/src/creds/store.rs b/linkerd/meshtls/rustls/src/creds/store.rs
index ee1f686a4..26d01e7ea 100644
--- a/linkerd/meshtls/rustls/src/creds/store.rs
+++ b/linkerd/meshtls/rustls/src/creds/store.rs
@@ -1,12 +1,16 @@
-use super::{default_provider, params::*, InvalidKey};
+use super::{default_provider, params::*};
 use linkerd_dns_name as dns;
 use linkerd_error::Result;
 use linkerd_identity as id;
 use linkerd_meshtls_verifier as verifier;
-use ring::{rand, signature::EcdsaKeyPair};
 use std::{convert::TryFrom, sync::Arc};
 use tokio::sync::watch;
-use tokio_rustls::rustls::{self, pki_types::UnixTime, server::WebPkiClientVerifier};
+use tokio_rustls::rustls::{
+    self,
+    pki_types::{PrivatePkcs8KeyDer, UnixTime},
+    server::WebPkiClientVerifier,
+    sign::CertifiedKey,
+};
 use tracing::debug;
 
 pub struct Store {
@@ -16,12 +20,8 @@ pub struct Store {
     server_name: dns::Name,
     client_tx: watch::Sender<Arc<rustls::ClientConfig>>,
     server_tx: watch::Sender<Arc<rustls::ServerConfig>>,
-    random: ring::rand::SystemRandom,
 }
 
-#[derive(Clone, Debug)]
-struct Key(Arc<EcdsaKeyPair>);
-
 #[derive(Clone, Debug)]
 struct CertResolver(Arc<rustls::sign::CertifiedKey>);
 
@@ -90,7 +90,6 @@ impl Store {
             server_name,
             client_tx,
             server_tx,
-            random: ring::rand::SystemRandom::new(),
         }
     }
 
@@ -147,13 +146,11 @@ impl id::Credentials for Store {
         // Use the client's verifier to validate the certificate for our local name.
         self.validate(&chain)?;
 
-        let key = EcdsaKeyPair::from_pkcs8(SIGNATURE_ALG_RING_SIGNING, &key, &self.random)
-            .map_err(InvalidKey)?;
-
-        let resolver = Arc::new(CertResolver(Arc::new(rustls::sign::CertifiedKey::new(
-            chain,
-            Arc::new(Key(Arc::new(key))),
-        ))));
+        let key_der = PrivatePkcs8KeyDer::from(key);
+        let provider = rustls::crypto::CryptoProvider::get_default()
+            .expect("Failed to get default crypto provider");
+        let key = CertifiedKey::from_der(chain, key_der.into(), provider)?;
+        let resolver = Arc::new(CertResolver(Arc::new(key)));
 
         // Build new client and server TLS configs.
         let client = self.client_config(resolver.clone());
@@ -167,39 +164,6 @@ impl id::Credentials for Store {
     }
 }
 
-// === impl Key ===
-
-impl rustls::sign::SigningKey for Key {
-    fn choose_scheme(
-        &self,
-        offered: &[rustls::SignatureScheme],
-    ) -> Option<Box<dyn rustls::sign::Signer>> {
-        if !offered.contains(&SIGNATURE_ALG_RUSTLS_SCHEME) {
-            return None;
-        }
-
-        Some(Box::new(self.clone()))
-    }
-
-    fn algorithm(&self) -> rustls::SignatureAlgorithm {
-        SIGNATURE_ALG_RUSTLS_ALGORITHM
-    }
-}
-
-impl rustls::sign::Signer for Key {
-    fn sign(&self, message: &[u8]) -> Result<Vec<u8>, rustls::Error> {
-        let rng = rand::SystemRandom::new();
-        self.0
-            .sign(&rng, message)
-            .map(|signature| signature.as_ref().to_owned())
-            .map_err(|ring::error::Unspecified| rustls::Error::General("Signing Failed".to_owned()))
-    }
-
-    fn scheme(&self) -> rustls::SignatureScheme {
-        SIGNATURE_ALG_RUSTLS_SCHEME
-    }
-}
-
 // === impl CertResolver ===
 
 impl CertResolver {