Merge pull request #563 from bluejekyll/master
Adding pkcs12_create bindings
This commit is contained in:
Steven Fackler
GitHub
commit
0f31df2fc3
|
|
@ -55,7 +55,6 @@ pub enum X509_REQ {}
|
|||
pub enum X509_STORE {}
|
||||
pub enum X509_STORE_CTX {}
|
||||
pub enum bio_st {}
|
||||
pub enum PKCS12 {}
|
||||
pub enum DH_METHOD {}
|
||||
pub enum RSA_METHOD {}
|
||||
pub enum BN_MONT_CTX {}
|
||||
|
|
@ -1112,6 +1111,7 @@ pub const OCSP_RESPONSE_STATUS_UNAUTHORIZED: c_int = 6;
|
|||
pub const OPENSSL_EC_NAMED_CURVE: c_int = 1;
|
||||
|
||||
pub const PKCS5_SALT_LEN: c_int = 8;
|
||||
pub const PKCS12_DEFAULT_ITER: c_int = 2048;
|
||||
|
||||
pub const RSA_F4: c_long = 0x10001;
|
||||
|
||||
|
|
@ -1971,6 +1971,8 @@ extern {
|
|||
pub fn i2d_RSAPrivateKey(k: *const RSA, buf: *mut *mut u8) -> c_int;
|
||||
pub fn d2i_RSAPrivateKey(k: *mut *mut RSA, buf: *mut *const u8, len: c_long) -> *mut RSA;
|
||||
|
||||
pub fn i2d_PKCS12_bio(b: *mut BIO, a: *mut PKCS12) -> c_int;
|
||||
pub fn i2d_PKCS12(a: *mut PKCS12, buf: *mut *mut u8) -> c_int;
|
||||
pub fn d2i_PKCS12(a: *mut *mut PKCS12, pp: *mut *const u8, length: c_long) -> *mut PKCS12;
|
||||
pub fn PKCS12_parse(p12: *mut PKCS12,
|
||||
pass: *const c_char,
|
||||
|
|
|
|||
|
|
@ -508,6 +508,7 @@ pub struct X509_VERIFY_PARAM {
|
|||
}
|
||||
|
||||
pub enum X509_VERIFY_PARAM_ID {}
|
||||
pub enum PKCS12 {}
|
||||
|
||||
pub const SSL_CTRL_OPTIONS: c_int = 32;
|
||||
pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77;
|
||||
|
|
@ -637,6 +638,17 @@ extern {
|
|||
|
||||
pub fn OCSP_cert_to_id(dgst: *const ::EVP_MD, subject: *mut ::X509, issuer: *mut ::X509) -> *mut ::OCSP_CERTID;
|
||||
|
||||
pub fn PKCS12_create(pass: *mut c_char,
|
||||
friendly_name: *mut c_char,
|
||||
pkey: *mut EVP_PKEY,
|
||||
cert: *mut X509,
|
||||
ca: *mut stack_st_X509,
|
||||
nid_key: c_int,
|
||||
nid_cert: c_int,
|
||||
iter: c_int,
|
||||
mac_iter: c_int,
|
||||
keytype: c_int) -> *mut PKCS12;
|
||||
|
||||
pub fn SSL_library_init() -> c_int;
|
||||
pub fn SSL_load_error_strings();
|
||||
pub fn OPENSSL_add_all_algorithms_noconf();
|
||||
|
|
|
|||
|
|
@ -653,6 +653,7 @@ pub struct X509_VERIFY_PARAM {
|
|||
|
||||
#[cfg(not(ossl101))]
|
||||
pub enum X509_VERIFY_PARAM_ID {}
|
||||
pub enum PKCS12 {}
|
||||
|
||||
pub const SSL_CTRL_OPTIONS: c_int = 32;
|
||||
pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77;
|
||||
|
|
@ -782,6 +783,17 @@ extern {
|
|||
|
||||
pub fn OCSP_cert_to_id(dgst: *const ::EVP_MD, subject: *mut ::X509, issuer: *mut ::X509) -> *mut ::OCSP_CERTID;
|
||||
|
||||
pub fn PKCS12_create(pass: *mut c_char,
|
||||
friendly_name: *mut c_char,
|
||||
pkey: *mut EVP_PKEY,
|
||||
cert: *mut X509,
|
||||
ca: *mut stack_st_X509,
|
||||
nid_key: c_int,
|
||||
nid_cert: c_int,
|
||||
iter: c_int,
|
||||
mac_iter: c_int,
|
||||
keytype: c_int) -> *mut PKCS12;
|
||||
|
||||
pub fn SSL_library_init() -> c_int;
|
||||
pub fn SSL_load_error_strings();
|
||||
pub fn OPENSSL_add_all_algorithms_noconf();
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ pub enum EVP_MD_CTX {}
|
|||
pub enum EVP_PKEY {}
|
||||
pub enum HMAC_CTX {}
|
||||
pub enum OPENSSL_STACK {}
|
||||
pub enum PKCS12 {}
|
||||
pub enum RSA {}
|
||||
pub enum SSL {}
|
||||
pub enum SSL_CTX {}
|
||||
|
|
@ -179,4 +180,15 @@ extern {
|
|||
pub fn OPENSSL_sk_free(st: *mut ::OPENSSL_STACK);
|
||||
pub fn OPENSSL_sk_pop_free(st: *mut ::OPENSSL_STACK, free: Option<unsafe extern "C" fn (*mut c_void)>);
|
||||
pub fn OPENSSL_sk_pop(st: *mut ::OPENSSL_STACK) -> *mut c_void;
|
||||
|
||||
pub fn PKCS12_create(pass: *const c_char,
|
||||
friendly_name: *const c_char,
|
||||
pkey: *mut EVP_PKEY,
|
||||
cert: *mut X509,
|
||||
ca: *mut stack_st_X509,
|
||||
nid_key: c_int,
|
||||
nid_cert: c_int,
|
||||
iter: c_int,
|
||||
mac_iter: c_int,
|
||||
keytype: c_int) -> *mut PKCS12;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,19 +1,23 @@
|
|||
//! PKCS #12 archives.
|
||||
|
||||
use ffi;
|
||||
use libc::c_int;
|
||||
use std::ptr;
|
||||
use std::ffi::CString;
|
||||
|
||||
use cvt;
|
||||
use pkey::PKey;
|
||||
use pkey::{PKey, PKeyRef};
|
||||
use error::ErrorStack;
|
||||
use x509::X509;
|
||||
use types::{OpenSslType, OpenSslTypeRef};
|
||||
use stack::Stack;
|
||||
use nid;
|
||||
|
||||
type_!(Pkcs12, Pkcs12Ref, ffi::PKCS12, ffi::PKCS12_free);
|
||||
|
||||
impl Pkcs12Ref {
|
||||
to_der!(ffi::i2d_PKCS12);
|
||||
|
||||
/// Extracts the contents of the `Pkcs12`.
|
||||
// FIXME should take an &[u8]
|
||||
pub fn parse(&self, pass: &str) -> Result<ParsedPkcs12, ErrorStack> {
|
||||
|
|
@ -45,6 +49,25 @@ impl Pkcs12Ref {
|
|||
|
||||
impl Pkcs12 {
|
||||
from_der!(Pkcs12, ffi::d2i_PKCS12);
|
||||
|
||||
/// Creates a new builder for a protected pkcs12 certificate.
|
||||
///
|
||||
/// This uses the defaults from the OpenSSL library:
|
||||
///
|
||||
/// * `nid_key` - `nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC`
|
||||
/// * `nid_cert` - `nid::PBE_WITHSHA1AND40BITRC2_CBC`
|
||||
/// * `iter` - `2048`
|
||||
/// * `mac_iter` - `2048`
|
||||
pub fn builder() -> Pkcs12Builder {
|
||||
ffi::init();
|
||||
|
||||
Pkcs12Builder {
|
||||
nid_key: nid::UNDEF, //nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC,
|
||||
nid_cert: nid::UNDEF, //nid::PBE_WITHSHA1AND40BITRC2_CBC,
|
||||
iter: ffi::PKCS12_DEFAULT_ITER as usize, // 2048
|
||||
mac_iter: ffi::PKCS12_DEFAULT_ITER as usize, // 2048
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
pub struct ParsedPkcs12 {
|
||||
|
|
@ -53,11 +76,95 @@ pub struct ParsedPkcs12 {
|
|||
pub chain: Stack<X509>,
|
||||
}
|
||||
|
||||
// TODO: add ca chain
|
||||
pub struct Pkcs12Builder {
|
||||
nid_key: nid::Nid,
|
||||
nid_cert: nid::Nid,
|
||||
iter: usize,
|
||||
mac_iter: usize,
|
||||
}
|
||||
|
||||
impl Pkcs12Builder {
|
||||
/// The encryption algorithm that should be used for the key
|
||||
pub fn nid_key(&mut self, nid: nid::Nid) {
|
||||
self.nid_key = nid;
|
||||
}
|
||||
|
||||
/// The encryption algorithm that should be used for the cert
|
||||
pub fn nid_cert(&mut self, nid: nid::Nid) {
|
||||
self.nid_cert = nid;
|
||||
}
|
||||
|
||||
/// Key iteration count, default is 2048 as of this writing
|
||||
pub fn iter(&mut self, iter: usize) {
|
||||
self.iter = iter;
|
||||
}
|
||||
|
||||
/// Mac iteration count, default is the same as key_iter default.
|
||||
///
|
||||
/// Old implementation don't understand mac iterations greater than 1, (pre 1.0.1?), if such
|
||||
/// compatibility is required this should be set to 1
|
||||
pub fn mac_iter(&mut self, mac_iter: usize) {
|
||||
self.mac_iter = mac_iter;
|
||||
}
|
||||
|
||||
/// Builds the pkcs12 object
|
||||
///
|
||||
/// # Arguments
|
||||
///
|
||||
/// * `password` - the password used to encrypt the key and certificate
|
||||
/// * `friendly_name` - user defined name for the certificate
|
||||
/// * `pkey` - key to store
|
||||
/// * `cert` - certificate to store
|
||||
pub fn build(self,
|
||||
password: &str,
|
||||
friendly_name: &str,
|
||||
pkey: &PKeyRef,
|
||||
cert: &X509) -> Result<Pkcs12, ErrorStack> {
|
||||
unsafe {
|
||||
let pass = CString::new(password).unwrap();
|
||||
let friendly_name = CString::new(friendly_name).unwrap();
|
||||
let pkey = pkey.as_ptr();
|
||||
let cert = cert.as_ptr();
|
||||
let ca = ptr::null_mut(); // TODO: should allow for a chain to be set in the builder
|
||||
let nid_key = self.nid_key.as_raw();
|
||||
let nid_cert = self.nid_cert.as_raw();
|
||||
|
||||
// According to the OpenSSL docs, keytype is a non-standard extension for MSIE,
|
||||
// It's values are KEY_SIG or KEY_EX, see the OpenSSL docs for more information:
|
||||
// https://www.openssl.org/docs/man1.0.2/crypto/PKCS12_create.html
|
||||
let keytype = 0;
|
||||
|
||||
let pkcs12_ptr = ffi::PKCS12_create(pass.as_ptr() as *const _ as *mut _,
|
||||
friendly_name.as_ptr() as *const _ as *mut _,
|
||||
pkey,
|
||||
cert,
|
||||
ca,
|
||||
nid_key,
|
||||
nid_cert,
|
||||
self.iter as c_int,
|
||||
self.mac_iter as c_int,
|
||||
keytype);
|
||||
|
||||
if pkcs12_ptr.is_null() {
|
||||
Err(ErrorStack::get())
|
||||
} else {
|
||||
Ok(Pkcs12::from_ptr(pkcs12_ptr))
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod test {
|
||||
use hash::MessageDigest;
|
||||
use hex::ToHex;
|
||||
|
||||
use ::rsa::Rsa;
|
||||
use ::pkey::*;
|
||||
use ::x509::*;
|
||||
use ::x509::extension::*;
|
||||
|
||||
use super::*;
|
||||
|
||||
#[test]
|
||||
|
|
@ -73,4 +180,29 @@ mod test {
|
|||
assert_eq!(parsed.chain[0].fingerprint(MessageDigest::sha1()).unwrap().to_hex(),
|
||||
"c0cbdf7cdd03c9773e5468e1f6d2da7d5cbb1875");
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn create() {
|
||||
let subject_name = "ns.example.com";
|
||||
let rsa = Rsa::generate(2048).unwrap();
|
||||
let pkey = PKey::from_rsa(rsa).unwrap();
|
||||
|
||||
let gen = X509Generator::new()
|
||||
.set_valid_period(365*2)
|
||||
.add_name("CN".to_owned(), subject_name.to_string())
|
||||
.set_sign_hash(MessageDigest::sha256())
|
||||
.add_extension(Extension::KeyUsage(vec![KeyUsageOption::DigitalSignature]));
|
||||
|
||||
let cert = gen.sign(&pkey).unwrap();
|
||||
|
||||
let pkcs12_builder = Pkcs12::builder();
|
||||
let pkcs12 = pkcs12_builder.build("mypass", subject_name, &pkey, &cert).unwrap();
|
||||
let der = pkcs12.to_der().unwrap();
|
||||
|
||||
let pkcs12 = Pkcs12::from_der(&der).unwrap();
|
||||
let parsed = pkcs12.parse("mypass").unwrap();
|
||||
|
||||
assert_eq!(parsed.cert.fingerprint(MessageDigest::sha1()).unwrap(), cert.fingerprint(MessageDigest::sha1()).unwrap());
|
||||
assert!(parsed.pkey.public_eq(&pkey));
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue