From 32722e18501b06fbd51a8871f8bea0cddb4b132c Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Fri, 29 Apr 2016 21:15:32 -0700 Subject: [PATCH] Add accessors for x509 subject alt names --- openssl-sys/src/lib.rs | 1 + openssl/src/x509/extension.rs | 38 ---------------- openssl/src/x509/mod.rs | 79 +++++++++++++++++++++++++++++++++- openssl/src/x509/tests.rs | 12 ++++++ openssl/test/alt_name_cert.pem | 25 +++++++++++ 5 files changed, 115 insertions(+), 40 deletions(-) create mode 100644 openssl/test/alt_name_cert.pem diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index b4b97ce2..573966ed 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -794,6 +794,7 @@ extern "C" { pub fn X509_sign(x: *mut X509, pkey: *mut EVP_PKEY, md: *const EVP_MD) -> c_int; pub fn X509_get_pubkey(x: *mut X509) -> *mut EVP_PKEY; pub fn X509_to_X509_REQ(x: *mut X509, pkey: *mut EVP_PKEY, md: *const EVP_MD) -> *mut X509_REQ; + pub fn X509_get_ext_d2i(x: *mut X509, nid: c_int, crit: *mut c_int, idx: *mut c_int) -> *mut c_void; pub fn X509_EXTENSION_free(ext: *mut X509_EXTENSION); diff --git a/openssl/src/x509/extension.rs b/openssl/src/x509/extension.rs index c0b3bad4..7ff0c1ca 100644 --- a/openssl/src/x509/extension.rs +++ b/openssl/src/x509/extension.rs @@ -1,8 +1,4 @@ use std::fmt; -use std::marker::PhantomData; -use std::slice; -use std::str; -use ffi; use nid::Nid; @@ -223,37 +219,3 @@ impl fmt::Display for AltNameOption { }) } } - -pub struct GeneralName<'a> { - name: *const ffi::GENERAL_NAME, - m: PhantomData<&'a ()>, -} - -impl<'a> GeneralName<'a> { - pub fn dns(&self) -> Option<&str> { - unsafe { - if (*self.name).type_ != ffi::GEN_DNS { - return None; - } - - let ptr = ffi::ASN1_STRING_data((*self.name).d as *mut _); - let len = ffi::ASN1_STRING_length((*self.name).d as *mut _); - - let slice = slice::from_raw_parts(ptr as *const u8, len as usize); - Some(str::from_utf8_unchecked(slice)) - } - } - - pub fn ipadd(&self) -> Option<&[u8]> { - unsafe { - if (*self.name).type_ != ffi::GEN_IPADD { - return None; - } - - let ptr = ffi::ASN1_STRING_data((*self.name).d as *mut _); - let len = ffi::ASN1_STRING_length((*self.name).d as *mut _); - - Some(slice::from_raw_parts(ptr as *const u8, len as usize)) - } - } -} diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index cb2c7494..cdd729aa 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -11,6 +11,7 @@ use std::fmt; use std::str; use std::slice; use std::collections::HashMap; +use std::marker::PhantomData; use asn1::Asn1Time; use bio::MemBio; @@ -21,7 +22,7 @@ use crypto::rand::rand_bytes; use ffi; use ffi_extras; use ssl::error::{SslError, StreamError}; -use nid; +use nid::Nid; pub mod extension; @@ -464,6 +465,23 @@ impl<'ctx> X509<'ctx> { } } + pub fn subject_alt_names<'a>(&'a self) -> Option> { + unsafe { + let stack = ffi::X509_get_ext_d2i(self.handle, + Nid::SubjectAltName as c_int, + ptr::null_mut(), + ptr::null_mut()); + if stack.is_null() { + return None; + } + + Some(GeneralNames { + stack: stack as *const _, + m: PhantomData, + }) + } + } + pub fn public_key(&self) -> PKey { let pkey = unsafe { ffi::X509_get_pubkey(self.handle) }; assert!(!pkey.is_null()); @@ -544,7 +562,7 @@ pub struct X509NameEntry<'x> { } impl<'x> X509Name<'x> { - pub fn text_by_nid(&self, nid: nid::Nid) -> Option { + pub fn text_by_nid(&self, nid: Nid) -> Option { unsafe { let loc = ffi::X509_NAME_get_index_by_NID(self.name, nid as c_int, -1); if loc == -1 { @@ -766,6 +784,63 @@ make_validation_error!(X509_V_OK, X509ApplicationVerification = X509_V_ERR_APPLICATION_VERIFICATION, ); +pub struct GeneralNames<'a> { + stack: *const ffi::stack_st_GENERAL_NAME, + m: PhantomData<&'a ()>, +} + +impl<'a> GeneralNames<'a> { + pub fn len(&self) -> usize { + unsafe { + (*self.stack).stack.num as usize + } + } + + pub fn get(&self, idx: usize) -> GeneralName<'a> { + unsafe { + assert!(idx < self.len()); + + GeneralName { + name: *(*self.stack).stack.data.offset(idx as isize) as *const ffi::GENERAL_NAME, + m: PhantomData, + } + } + } +} + +pub struct GeneralName<'a> { + name: *const ffi::GENERAL_NAME, + m: PhantomData<&'a ()>, +} + +impl<'a> GeneralName<'a> { + pub fn dns(&self) -> Option<&str> { + unsafe { + if (*self.name).type_ != ffi::GEN_DNS { + return None; + } + + let ptr = ffi::ASN1_STRING_data((*self.name).d as *mut _); + let len = ffi::ASN1_STRING_length((*self.name).d as *mut _); + + let slice = slice::from_raw_parts(ptr as *const u8, len as usize); + Some(str::from_utf8_unchecked(slice)) + } + } + + pub fn ipadd(&self) -> Option<&[u8]> { + unsafe { + if (*self.name).type_ != ffi::GEN_IPADD { + return None; + } + + let ptr = ffi::ASN1_STRING_data((*self.name).d as *mut _); + let len = ffi::ASN1_STRING_length((*self.name).d as *mut _); + + Some(slice::from_raw_parts(ptr as *const u8, len as usize)) + } + } +} #[test] fn test_negative_serial() { diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 69ad37f8..5f4d432e 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -157,3 +157,15 @@ fn test_nid_uid_value() { }; assert_eq!(&cn as &str, "this is the userId"); } + +#[test] +fn test_subject_alt_name() { + let mut file = File::open("test/alt_name_cert.pem").unwrap(); + let cert = X509::from_pem(&mut file).unwrap(); + + let subject_alt_names = cert.subject_alt_names().unwrap(); + assert_eq!(3, subject_alt_names.len()); + assert_eq!(Some("foobar.com"), subject_alt_names.get(0).dns()); + assert_eq!(subject_alt_names.get(1).ipadd(), Some(&[127, 0, 0, 1][..])); + assert_eq!(subject_alt_names.get(2).ipadd(), Some(&b"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01"[..])); +} diff --git a/openssl/test/alt_name_cert.pem b/openssl/test/alt_name_cert.pem new file mode 100644 index 00000000..9f75f125 --- /dev/null +++ b/openssl/test/alt_name_cert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEOjCCAyKgAwIBAgIJAJz42fzGUJGeMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJOWTERMA8GA1UEBwwITmV3IFlvcmsxFTATBgNVBAoM +DEV4YW1wbGUsIExMQzEYMBYGA1UEAwwPRXhhbXBsZSBDb21wYW55MR8wHQYJKoZI +hvcNAQkBFhB0ZXN0QGV4YW1wbGUuY29tMB4XDTE2MDQzMDA0MDg1NloXDTE3MDQz +MDA0MDg1NlowfzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMREwDwYDVQQHDAhO +ZXcgWW9yazEVMBMGA1UECgwMRXhhbXBsZSwgTExDMRgwFgYDVQQDDA9FeGFtcGxl +IENvbXBhbnkxHzAdBgkqhkiG9w0BCQEWEHRlc3RAZXhhbXBsZS5jb20wggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDggl2TbtO5Ewi/q8kV56xK6HBpwsj9 +wBoqGi6hkKm/8lhLTkuUG6WbEUepi7n9d7tjI9hwYN7MKtppAnS+d+Zh6sKMgLJn +hONkbQBJkYWwuIxRVXORCdyZDNzXP1rlb6ynmj6mItuPTRVNNMaZP+24fgXtwGk8 +P2nqA1ONbmyaP27txV+Rd8fmQvW3vSmq7iDob661TOtLZRqqVRpnLDGpLXTCptYz +dLN1nDWKjBUFpPGDxvfcSE3Yf9LaQM2uDHRygSgTFusbwarAGrAk8krsm/Tiaumx +Ls74MY6OEoLnPbEi5epWLqPmoE1nxrvYLtaWh3TTET3H72yL0+1PZTkpAgMBAAGj +gbgwgbUwHQYDVR0OBBYEFAIcHhTPUqVdK85u47vo8z0viJGPMB8GA1UdIwQYMBaA +FAIcHhTPUqVdK85u47vo8z0viJGPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMC0G +A1UdEQQmMCSCCmZvb2Jhci5jb22HBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwLAYJ +YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMA0GCSqG +SIb3DQEBCwUAA4IBAQDeYsuJaxbnxR2wDRSbxMpPp2b6fHPxC1vArKTSrQ/X+5s7 +YcQ29jkzD8FbET8iPsCOn/IECBiDKOpckkO6dBWM05ma9HHzWjQOJ7Lo6gEsvk4d ++M/jJz5IaJ7hOxp1hGqwNQ+PJQOZMmlruNcOzPU36qaWJ03+NYOKar5VpIrRxCNc +uehTArmJqDLQPfgETEhMYfpkqf3s/cGb1uyeCpzgIRPpf4Ki1Oys5cV/BqIn7n5g +7sUrhXboYL4+eYt5V4rcc4rLI5J5IP/a1Z+Z6UVH+Mbiyl0iD8aRr/bo9WvKih3C +2LBO0Apl0tkXUOMWp7G0UYHVEndwPjZnVoM42f11 +-----END CERTIFICATE-----