From 52c7868bb615b04feb01be88cd1f47af866f12ad Mon Sep 17 00:00:00 2001 From: Benjamin Fry Date: Sun, 22 Jan 2017 21:27:31 -0800 Subject: [PATCH 1/4] add pkcs12_create and to_der funcs --- openssl-sys/src/lib.rs | 12 ++++ openssl/src/pkcs12.rs | 129 ++++++++++++++++++++++++++++++++++++++++- 2 files changed, 139 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 0cbd0da7..0af15251 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -1951,7 +1951,19 @@ extern { pub fn i2d_RSAPrivateKey(k: *const RSA, buf: *mut *mut u8) -> c_int; pub fn d2i_RSAPrivateKey(k: *mut *mut RSA, buf: *mut *const u8, len: c_long) -> *mut RSA; + pub fn i2d_PKCS12_bio(b: *mut BIO, a: *mut PKCS12) -> c_int; + pub fn i2d_PKCS12(a: *mut PKCS12, buf: *mut *mut u8) -> c_int; pub fn d2i_PKCS12(a: *mut *mut PKCS12, pp: *mut *const u8, length: c_long) -> *mut PKCS12; + pub fn PKCS12_create(pass: *const c_char, + friendly_name: *const c_char, + pkey: *const EVP_PKEY, + cert: *const X509, + ca: *const stack_st_X509, + nid_key: c_int, + nid_cert: c_int, + iter: c_int, + mac_iter: c_int, + keytype: c_int) -> *mut PKCS12; pub fn PKCS12_parse(p12: *mut PKCS12, pass: *const c_char, pkey: *mut *mut EVP_PKEY, diff --git a/openssl/src/pkcs12.rs b/openssl/src/pkcs12.rs index ee9ae124..c248df2e 100644 --- a/openssl/src/pkcs12.rs +++ b/openssl/src/pkcs12.rs @@ -1,19 +1,23 @@ //! PKCS #12 archives. use ffi; +use libc::c_int; use std::ptr; use std::ffi::CString; use cvt; -use pkey::PKey; +use pkey::{PKey, PKeyRef}; use error::ErrorStack; use x509::X509; use types::{OpenSslType, OpenSslTypeRef}; -use stack::Stack; +use stack::{Stack, StackRef}; +use nid; type_!(Pkcs12, Pkcs12Ref, ffi::PKCS12, ffi::PKCS12_free); impl Pkcs12Ref { + to_der!(ffi::i2d_PKCS12); + /// Extracts the contents of the `Pkcs12`. // FIXME should take an &[u8] pub fn parse(&self, pass: &str) -> Result { @@ -53,11 +57,107 @@ pub struct ParsedPkcs12 { pub chain: Stack, } +pub struct Pkcs12Builder<'a, 'b, 'c, 'd> { + password: &'a str, + friendly_name: &'b str, + pkey: &'c PKeyRef, + cert: &'d X509, + chain: Option>, + nid_key: nid::Nid, + nid_cert: nid::Nid, + iter: usize, + mac_iter: usize, +} + +impl<'a, 'b, 'c, 'd> Pkcs12Builder<'a, 'b, 'c, 'd> { + /// Creates a new builder for a protected pkcs12 certificate. + /// + /// This uses the defaults from the OpenSSL library: + /// + /// * `nid_key` - `nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC` + /// * `nid_cert` - `nid::PBE_WITHSHA1AND40BITRC2_CBC` + /// * `iter` - `2048` + /// * `mac_iter` - `2048` + pub fn new(password: &'a str, + friendly_name: &'b str, + pkey: &'c PKeyRef, + cert: &'d X509) -> Self { + Pkcs12Builder { + password: password, + friendly_name: friendly_name, + pkey: pkey, + cert: cert, + chain: None, + nid_key: nid::UNDEF, //nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC, + nid_cert: nid::UNDEF, //nid::PBE_WITHSHA1AND40BITRC2_CBC, + iter: 0, // 2048 + mac_iter: 0, // 2048 + } + } + + /// The encryption algorithm that should be used for the key + pub fn nid_key(&mut self, nid: nid::Nid) { + self.nid_key = nid; + } + + /// The encryption algorithm that should be used for the cert + pub fn nid_cert(&mut self, nid: nid::Nid) { + self.nid_cert = nid; + } + + pub fn iter(&mut self, iter: usize) { + self.iter = iter; + } + + pub fn mac_iter(&mut self, mac_iter: usize) { + self.mac_iter = mac_iter; + } + + pub fn build(self) -> Result { + unsafe { + let pass = CString::new(self.password).unwrap(); + let friendly_name = CString::new(self.friendly_name).unwrap(); + let pkey = self.pkey.as_ptr(); + let cert = self.cert.as_ptr(); + let ca = self.chain.map(|ca| ca.as_ptr()).unwrap_or(ptr::null_mut()); + let nid_key = self.nid_key.as_raw(); + let nid_cert = self.nid_cert.as_raw(); + + // According to the OpenSSL docs, keytype is a non-standard extension for MSIE, + // It's values are KEY_SIG or KEY_EX, see the OpenSSL docs for more information: + // https://www.openssl.org/docs/man1.0.2/crypto/PKCS12_create.html + let keytype = 0; + + let pkcs12_ptr = ffi::PKCS12_create(pass.as_ptr(), + friendly_name.as_ptr(), + pkey, + cert, + ca, + nid_key, + nid_cert, + self.iter as c_int, + self.mac_iter as c_int, + keytype); + + if pkcs12_ptr.is_null() { + Err(ErrorStack::get()) + } else { + Ok(Pkcs12::from_ptr(pkcs12_ptr)) + } + } + } +} + #[cfg(test)] mod test { use hash::MessageDigest; use hex::ToHex; + use ::rsa::Rsa; + use ::pkey::*; + use ::x509::*; + use ::x509::extension::*; + use super::*; #[test] @@ -73,4 +173,29 @@ mod test { assert_eq!(parsed.chain[0].fingerprint(MessageDigest::sha1()).unwrap().to_hex(), "c0cbdf7cdd03c9773e5468e1f6d2da7d5cbb1875"); } + + #[test] + fn create() { + let subject_name = "ns.example.com"; + let rsa = Rsa::generate(2048).unwrap(); + let pkey = PKey::from_rsa(rsa).unwrap(); + + let gen = X509Generator::new() + .set_valid_period(365*2) + .add_name("CN".to_owned(), subject_name.to_string()) + .set_sign_hash(MessageDigest::sha256()) + .add_extension(Extension::KeyUsage(vec![KeyUsageOption::DigitalSignature])); + + let cert = gen.sign(&pkey).unwrap(); + + let pkcs12_builder = Pkcs12Builder::new("mypass", subject_name, &pkey, &cert); + let pkcs12 = pkcs12_builder.build().unwrap(); + let der = pkcs12.to_der().unwrap(); + + let pkcs12 = Pkcs12::from_der(&der).unwrap(); + let parsed = pkcs12.parse("mypass").unwrap(); + + assert_eq!(parsed.cert.fingerprint(MessageDigest::sha1()).unwrap(), cert.fingerprint(MessageDigest::sha1()).unwrap()); + assert!(parsed.pkey.public_eq(&pkey)); + } } From fbfecd63aeb0cd1ee24d017df2d89078a53bf0fe Mon Sep 17 00:00:00 2001 From: Benjamin Fry Date: Sun, 22 Jan 2017 22:23:21 -0800 Subject: [PATCH 2/4] add some documentation --- openssl-sys/src/lib.rs | 1 + openssl/src/pkcs12.rs | 67 ++++++++++++++++++++++++++---------------- 2 files changed, 42 insertions(+), 26 deletions(-) diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 0af15251..cf158601 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -1097,6 +1097,7 @@ pub const OCSP_RESPONSE_STATUS_SIGREQUIRED: c_int = 5; pub const OCSP_RESPONSE_STATUS_UNAUTHORIZED: c_int = 6; pub const PKCS5_SALT_LEN: c_int = 8; +pub const PKCS12_DEFAULT_ITER: c_int = 2048; pub const RSA_F4: c_long = 0x10001; diff --git a/openssl/src/pkcs12.rs b/openssl/src/pkcs12.rs index c248df2e..fecef27a 100644 --- a/openssl/src/pkcs12.rs +++ b/openssl/src/pkcs12.rs @@ -49,6 +49,40 @@ impl Pkcs12Ref { impl Pkcs12 { from_der!(Pkcs12, ffi::d2i_PKCS12); + + /// Creates a new builder for a protected pkcs12 certificate. + /// + /// This uses the defaults from the OpenSSL library: + /// + /// * `nid_key` - `nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC` + /// * `nid_cert` - `nid::PBE_WITHSHA1AND40BITRC2_CBC` + /// * `iter` - `2048` + /// * `mac_iter` - `2048` + /// + /// # Arguments + /// + /// * `password` - the password used to encrypt the key and certificate + /// * `friendly_name` - user defined name for the certificate + /// * `pkey` - key to store + /// * `cert` - certificate to store + pub fn builder<'a, 'b, 'c, 'd>(password: &'a str, + friendly_name: &'b str, + pkey: &'c PKeyRef, + cert: &'d X509) -> Pkcs12Builder<'a, 'b, 'c, 'd> { + ffi::init(); + + Pkcs12Builder { + password: password, + friendly_name: friendly_name, + pkey: pkey, + cert: cert, + chain: None, + nid_key: nid::UNDEF, //nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC, + nid_cert: nid::UNDEF, //nid::PBE_WITHSHA1AND40BITRC2_CBC, + iter: ffi::PKCS12_DEFAULT_ITER as usize, // 2048 + mac_iter: ffi::PKCS12_DEFAULT_ITER as usize, // 2048 + } + } } pub struct ParsedPkcs12 { @@ -69,32 +103,8 @@ pub struct Pkcs12Builder<'a, 'b, 'c, 'd> { mac_iter: usize, } +// TODO: add chain option impl<'a, 'b, 'c, 'd> Pkcs12Builder<'a, 'b, 'c, 'd> { - /// Creates a new builder for a protected pkcs12 certificate. - /// - /// This uses the defaults from the OpenSSL library: - /// - /// * `nid_key` - `nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC` - /// * `nid_cert` - `nid::PBE_WITHSHA1AND40BITRC2_CBC` - /// * `iter` - `2048` - /// * `mac_iter` - `2048` - pub fn new(password: &'a str, - friendly_name: &'b str, - pkey: &'c PKeyRef, - cert: &'d X509) -> Self { - Pkcs12Builder { - password: password, - friendly_name: friendly_name, - pkey: pkey, - cert: cert, - chain: None, - nid_key: nid::UNDEF, //nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC, - nid_cert: nid::UNDEF, //nid::PBE_WITHSHA1AND40BITRC2_CBC, - iter: 0, // 2048 - mac_iter: 0, // 2048 - } - } - /// The encryption algorithm that should be used for the key pub fn nid_key(&mut self, nid: nid::Nid) { self.nid_key = nid; @@ -105,10 +115,15 @@ impl<'a, 'b, 'c, 'd> Pkcs12Builder<'a, 'b, 'c, 'd> { self.nid_cert = nid; } + /// Key iteration count, default is 2048 as of this writing pub fn iter(&mut self, iter: usize) { self.iter = iter; } + /// Mac iteration count, default is the same as key_iter default. + /// + /// Old implementation don't understand mac iterations greater than 1, (pre 1.0.1?), if such + /// compatibility is required this should be set to 1 pub fn mac_iter(&mut self, mac_iter: usize) { self.mac_iter = mac_iter; } @@ -188,7 +203,7 @@ mod test { let cert = gen.sign(&pkey).unwrap(); - let pkcs12_builder = Pkcs12Builder::new("mypass", subject_name, &pkey, &cert); + let pkcs12_builder = Pkcs12::builder("mypass", subject_name, &pkey, &cert); let pkcs12 = pkcs12_builder.build().unwrap(); let der = pkcs12.to_der().unwrap(); From 540387d5ee074a22a686da704a8f0bac85e02fa5 Mon Sep 17 00:00:00 2001 From: Benjamin Fry Date: Sun, 22 Jan 2017 22:43:27 -0800 Subject: [PATCH 3/4] fix ptr types --- openssl-sys/src/lib.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index f12e1f2d..7413be10 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -1977,9 +1977,9 @@ extern { pub fn d2i_PKCS12(a: *mut *mut PKCS12, pp: *mut *const u8, length: c_long) -> *mut PKCS12; pub fn PKCS12_create(pass: *const c_char, friendly_name: *const c_char, - pkey: *const EVP_PKEY, - cert: *const X509, - ca: *const stack_st_X509, + pkey: *mut EVP_PKEY, + cert: *mut X509, + ca: *mut stack_st_X509, nid_key: c_int, nid_cert: c_int, iter: c_int, From 591022a7fa4b43d152154fd95bb67fce5ecfa28e Mon Sep 17 00:00:00 2001 From: Benjamin Fry Date: Mon, 23 Jan 2017 22:12:11 -0800 Subject: [PATCH 4/4] fix multi-version compat --- openssl-sys/src/lib.rs | 11 ------- openssl-sys/src/libressl.rs | 12 +++++++ openssl-sys/src/ossl10x.rs | 12 +++++++ openssl-sys/src/ossl110.rs | 12 +++++++ openssl/src/pkcs12.rs | 62 ++++++++++++++++--------------------- 5 files changed, 63 insertions(+), 46 deletions(-) diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 7413be10..01be1b23 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -55,7 +55,6 @@ pub enum X509_REQ {} pub enum X509_STORE {} pub enum X509_STORE_CTX {} pub enum bio_st {} -pub enum PKCS12 {} pub enum DH_METHOD {} pub enum RSA_METHOD {} pub enum BN_MONT_CTX {} @@ -1975,16 +1974,6 @@ extern { pub fn i2d_PKCS12_bio(b: *mut BIO, a: *mut PKCS12) -> c_int; pub fn i2d_PKCS12(a: *mut PKCS12, buf: *mut *mut u8) -> c_int; pub fn d2i_PKCS12(a: *mut *mut PKCS12, pp: *mut *const u8, length: c_long) -> *mut PKCS12; - pub fn PKCS12_create(pass: *const c_char, - friendly_name: *const c_char, - pkey: *mut EVP_PKEY, - cert: *mut X509, - ca: *mut stack_st_X509, - nid_key: c_int, - nid_cert: c_int, - iter: c_int, - mac_iter: c_int, - keytype: c_int) -> *mut PKCS12; pub fn PKCS12_parse(p12: *mut PKCS12, pass: *const c_char, pkey: *mut *mut EVP_PKEY, diff --git a/openssl-sys/src/libressl.rs b/openssl-sys/src/libressl.rs index c1411e60..2862a47e 100644 --- a/openssl-sys/src/libressl.rs +++ b/openssl-sys/src/libressl.rs @@ -508,6 +508,7 @@ pub struct X509_VERIFY_PARAM { } pub enum X509_VERIFY_PARAM_ID {} +pub enum PKCS12 {} pub const SSL_CTRL_OPTIONS: c_int = 32; pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77; @@ -637,6 +638,17 @@ extern { pub fn OCSP_cert_to_id(dgst: *const ::EVP_MD, subject: *mut ::X509, issuer: *mut ::X509) -> *mut ::OCSP_CERTID; + pub fn PKCS12_create(pass: *mut c_char, + friendly_name: *mut c_char, + pkey: *mut EVP_PKEY, + cert: *mut X509, + ca: *mut stack_st_X509, + nid_key: c_int, + nid_cert: c_int, + iter: c_int, + mac_iter: c_int, + keytype: c_int) -> *mut PKCS12; + pub fn SSL_library_init() -> c_int; pub fn SSL_load_error_strings(); pub fn OPENSSL_add_all_algorithms_noconf(); diff --git a/openssl-sys/src/ossl10x.rs b/openssl-sys/src/ossl10x.rs index f721daaa..14b7c414 100644 --- a/openssl-sys/src/ossl10x.rs +++ b/openssl-sys/src/ossl10x.rs @@ -653,6 +653,7 @@ pub struct X509_VERIFY_PARAM { #[cfg(not(ossl101))] pub enum X509_VERIFY_PARAM_ID {} +pub enum PKCS12 {} pub const SSL_CTRL_OPTIONS: c_int = 32; pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77; @@ -782,6 +783,17 @@ extern { pub fn OCSP_cert_to_id(dgst: *const ::EVP_MD, subject: *mut ::X509, issuer: *mut ::X509) -> *mut ::OCSP_CERTID; + pub fn PKCS12_create(pass: *mut c_char, + friendly_name: *mut c_char, + pkey: *mut EVP_PKEY, + cert: *mut X509, + ca: *mut stack_st_X509, + nid_key: c_int, + nid_cert: c_int, + iter: c_int, + mac_iter: c_int, + keytype: c_int) -> *mut PKCS12; + pub fn SSL_library_init() -> c_int; pub fn SSL_load_error_strings(); pub fn OPENSSL_add_all_algorithms_noconf(); diff --git a/openssl-sys/src/ossl110.rs b/openssl-sys/src/ossl110.rs index 75c6253e..b7fdebab 100644 --- a/openssl-sys/src/ossl110.rs +++ b/openssl-sys/src/ossl110.rs @@ -11,6 +11,7 @@ pub enum EVP_MD_CTX {} pub enum EVP_PKEY {} pub enum HMAC_CTX {} pub enum OPENSSL_STACK {} +pub enum PKCS12 {} pub enum RSA {} pub enum SSL {} pub enum SSL_CTX {} @@ -179,4 +180,15 @@ extern { pub fn OPENSSL_sk_free(st: *mut ::OPENSSL_STACK); pub fn OPENSSL_sk_pop_free(st: *mut ::OPENSSL_STACK, free: Option); pub fn OPENSSL_sk_pop(st: *mut ::OPENSSL_STACK) -> *mut c_void; + + pub fn PKCS12_create(pass: *const c_char, + friendly_name: *const c_char, + pkey: *mut EVP_PKEY, + cert: *mut X509, + ca: *mut stack_st_X509, + nid_key: c_int, + nid_cert: c_int, + iter: c_int, + mac_iter: c_int, + keytype: c_int) -> *mut PKCS12; } diff --git a/openssl/src/pkcs12.rs b/openssl/src/pkcs12.rs index fecef27a..1b847bb6 100644 --- a/openssl/src/pkcs12.rs +++ b/openssl/src/pkcs12.rs @@ -10,7 +10,7 @@ use pkey::{PKey, PKeyRef}; use error::ErrorStack; use x509::X509; use types::{OpenSslType, OpenSslTypeRef}; -use stack::{Stack, StackRef}; +use stack::Stack; use nid; type_!(Pkcs12, Pkcs12Ref, ffi::PKCS12, ffi::PKCS12_free); @@ -58,25 +58,10 @@ impl Pkcs12 { /// * `nid_cert` - `nid::PBE_WITHSHA1AND40BITRC2_CBC` /// * `iter` - `2048` /// * `mac_iter` - `2048` - /// - /// # Arguments - /// - /// * `password` - the password used to encrypt the key and certificate - /// * `friendly_name` - user defined name for the certificate - /// * `pkey` - key to store - /// * `cert` - certificate to store - pub fn builder<'a, 'b, 'c, 'd>(password: &'a str, - friendly_name: &'b str, - pkey: &'c PKeyRef, - cert: &'d X509) -> Pkcs12Builder<'a, 'b, 'c, 'd> { + pub fn builder() -> Pkcs12Builder { ffi::init(); Pkcs12Builder { - password: password, - friendly_name: friendly_name, - pkey: pkey, - cert: cert, - chain: None, nid_key: nid::UNDEF, //nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC, nid_cert: nid::UNDEF, //nid::PBE_WITHSHA1AND40BITRC2_CBC, iter: ffi::PKCS12_DEFAULT_ITER as usize, // 2048 @@ -91,20 +76,15 @@ pub struct ParsedPkcs12 { pub chain: Stack, } -pub struct Pkcs12Builder<'a, 'b, 'c, 'd> { - password: &'a str, - friendly_name: &'b str, - pkey: &'c PKeyRef, - cert: &'d X509, - chain: Option>, +// TODO: add ca chain +pub struct Pkcs12Builder { nid_key: nid::Nid, nid_cert: nid::Nid, iter: usize, mac_iter: usize, } -// TODO: add chain option -impl<'a, 'b, 'c, 'd> Pkcs12Builder<'a, 'b, 'c, 'd> { +impl Pkcs12Builder { /// The encryption algorithm that should be used for the key pub fn nid_key(&mut self, nid: nid::Nid) { self.nid_key = nid; @@ -128,13 +108,25 @@ impl<'a, 'b, 'c, 'd> Pkcs12Builder<'a, 'b, 'c, 'd> { self.mac_iter = mac_iter; } - pub fn build(self) -> Result { + /// Builds the pkcs12 object + /// + /// # Arguments + /// + /// * `password` - the password used to encrypt the key and certificate + /// * `friendly_name` - user defined name for the certificate + /// * `pkey` - key to store + /// * `cert` - certificate to store + pub fn build(self, + password: &str, + friendly_name: &str, + pkey: &PKeyRef, + cert: &X509) -> Result { unsafe { - let pass = CString::new(self.password).unwrap(); - let friendly_name = CString::new(self.friendly_name).unwrap(); - let pkey = self.pkey.as_ptr(); - let cert = self.cert.as_ptr(); - let ca = self.chain.map(|ca| ca.as_ptr()).unwrap_or(ptr::null_mut()); + let pass = CString::new(password).unwrap(); + let friendly_name = CString::new(friendly_name).unwrap(); + let pkey = pkey.as_ptr(); + let cert = cert.as_ptr(); + let ca = ptr::null_mut(); // TODO: should allow for a chain to be set in the builder let nid_key = self.nid_key.as_raw(); let nid_cert = self.nid_cert.as_raw(); @@ -143,8 +135,8 @@ impl<'a, 'b, 'c, 'd> Pkcs12Builder<'a, 'b, 'c, 'd> { // https://www.openssl.org/docs/man1.0.2/crypto/PKCS12_create.html let keytype = 0; - let pkcs12_ptr = ffi::PKCS12_create(pass.as_ptr(), - friendly_name.as_ptr(), + let pkcs12_ptr = ffi::PKCS12_create(pass.as_ptr() as *const _ as *mut _, + friendly_name.as_ptr() as *const _ as *mut _, pkey, cert, ca, @@ -203,8 +195,8 @@ mod test { let cert = gen.sign(&pkey).unwrap(); - let pkcs12_builder = Pkcs12::builder("mypass", subject_name, &pkey, &cert); - let pkcs12 = pkcs12_builder.build().unwrap(); + let pkcs12_builder = Pkcs12::builder(); + let pkcs12 = pkcs12_builder.build("mypass", subject_name, &pkey, &cert).unwrap(); let der = pkcs12.to_der().unwrap(); let pkcs12 = Pkcs12::from_der(&der).unwrap();