aws/s2n-tls

Support loading DER-encoded certificates and private keys

Mark-Simulacrum opened this issue · 0 comments

Security issue notifications

If you discover a potential security issue in s2n we ask that you notify AWS Security via our vulnerability reporting page. Please do not create a public GitHub issue.

Problem:

The Rust and C APIs for s2n do not allow a caller to pass a DER-encoded certificate, which means that callers need to convert DER to PEM before calling s2n. This isn't that much hassle, but does force taking on extra dependencies (e.g., base64 conversion) and potentially making decisions (e.g., which delimiter to use -- "EC PRIVATE KEY" or ...).

(APIs in C: https://github.com/aws/s2n-tls/blob/main/api/s2n.h#L639-L684)

Solution:

Either an API would get added to convert DER-encoded certificates and private keys to PEM (encoding them to base64 and framing them), or s2n would gain additional load_... APIs taking DER-encoded data.

  • Does this change what S2N sends over the wire? no
  • Does this change any public APIs? yes (new APIs)
  • Which versions of TLS will this impact? none/all

Requirements / Acceptance Criteria:

What must a solution address in order to solve the problem? How do we know the solution is complete?

  • RFC links: https://www.rfc-editor.org/rfc/rfc7468 (describing PEM), sort of
  • Related Issues: n/a
  • Will the Usage Guide or other documentation need to be updated? potentially
  • Testing: New tests for DER APIs having equivalent end state to PEM.
    • Will this change trigger SAW changes? No.
    • Should this change be fuzz tested? Yes, DER inputs should probably be fuzz tested, though it's not necessarily untrusted input. Note that the underlying parser in s2n already must handle the hard details -- the DER format is mostly just base64-decoded PEM.

Out of scope:

Is there anything the solution will intentionally NOT address?
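
The caller-side workaround the issue describes (base64-encode the DER, frame it, and decide on a label), as an added example that is not part of the original issue and is not s2n-tls code. It uses only the Rust standard library; the function names are hypothetical, and the page does not say which labels s2n-tls accepts.

```rust
// Added example (not s2n-tls code): std-only DER -> PEM framing.
const B64: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

fn base64(data: &[u8]) -> String {
    let mut out = String::with_capacity((data.len() + 2) / 3 * 4);
    for chunk in data.chunks(3) {
        let b = [chunk[0], *chunk.get(1).unwrap_or(&0), *chunk.get(2).unwrap_or(&0)];
        let n = ((b[0] as u32) << 16) | ((b[1] as u32) << 8) | (b[2] as u32);
        for i in 0..4usize {
            // A chunk of k bytes yields k + 1 symbols; the rest is '=' padding.
            out.push(if i <= chunk.len() { B64[((n >> (18 - 6 * i)) & 63) as usize] as char } else { '=' });
        }
    }
    out
}

/// Pick the PEM label for an unencrypted private key from its DER prefix.
/// Returns None for anything else (certificates, encrypted PKCS#8, garbage).
fn private_key_label(der: &[u8]) -> Option<&'static str> {
    if *der.first()? != 0x30 { return None; } // outer SEQUENCE
    let len0 = *der.get(1)?;
    // Skip the short- or long-form length to reach the first element.
    let p = if len0 < 0x80 { 2 } else { 2 + (len0 & 0x7f) as usize };
    // All three formats open with a one-byte version INTEGER: 02 01 vv.
    if der.get(p..p + 2)? != &[0x02u8, 0x01][..] { return None; }
    match (*der.get(p + 2)?, *der.get(p + 3)?) {
        (0, 0x02) => Some("RSA PRIVATE KEY"), // PKCS#1: v0, INTEGER modulus
        (0 | 1, 0x30) => Some("PRIVATE KEY"), // PKCS#8: AlgorithmIdentifier
        (1, 0x04) => Some("EC PRIVATE KEY"),  // RFC 5915: v1, OCTET STRING
        _ => None,
    }
}

/// Frame DER bytes as PEM: base64 wrapped at 64 characters between the labels.
fn der_to_pem(der: &[u8], label: &str) -> String {
    let b64 = base64(der);
    let mut pem = format!("-----BEGIN {}-----\n", label);
    for line in b64.as_bytes().chunks(64) {
        pem.push_str(std::str::from_utf8(line).expect("base64 is ASCII"));
        pem.push('\n');
    }
    pem + &format!("-----END {}-----\n", label)
}

fn main() {
    // Constructed bytes with the shape of an RFC 5915 key; not a usable key.
    let der: [u8; 7] = [0x30, 0x05, 0x02, 0x01, 0x01, 0x04, 0x00];
    let label = private_key_label(&der).expect("unrecognized key encoding");
    print!("{}", der_to_pem(&der, label));
}
```

Certificates need no detection step: they always use the `CERTIFICATE` label, so `der_to_pem(cert_der, "CERTIFICATE")` is enough.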