min
/
boring2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #186 from manuels/set_raw_key 

Use raw keys and certs in SslContext
This commit is contained in:
Steven Fackler 2015-04-05 16:45:24 -07:00
parent ed97463346 7e88d8c277
commit 36f264551a
5 changed files with 160 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
openssl-sys/src/lib.rs
View File

@ -132,6 +132,8 @@ pub const SSL_CTRL_OPTIONS: c_int = 32;
pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77;
pub const SSL_CTRL_SET_TLSEXT_HOSTNAME: c_int = 55;
pub const SSL_CTRL_EXTRA_CHAIN_CERT: c_int = 14;
pub const SSL_ERROR_NONE: c_int = 0;
pub const SSL_ERROR_SSL: c_int = 1;
pub const SSL_ERROR_SYSCALL: c_int = 5;
@ -143,6 +145,7 @@ pub const SSL_ERROR_WANT_X509_LOOKUP: c_int = 4;
pub const SSL_ERROR_ZERO_RETURN: c_int = 6;
pub const SSL_VERIFY_NONE: c_int = 0;
pub const SSL_VERIFY_PEER: c_int = 1;
pub const SSL_VERIFY_FAIL_IF_NO_PEER_CERT: c_int = 2;
pub const TLSEXT_NAMETYPE_host_name: c_long = 0;
@ -275,6 +278,11 @@ pub unsafe fn SSL_CTX_clear_options(ssl: *mut SSL_CTX, op: c_long) -> c_long {
SSL_CTX_ctrl(ssl, SSL_CTRL_CLEAR_OPTIONS, (op), ptr::null_mut())
}
pub unsafe fn SSL_CTX_add_extra_chain_cert(ssl: *mut SSL_CTX, cert: *mut X509) -> c_long {
SSL_CTX_ctrl(ssl, SSL_CTRL_EXTRA_CHAIN_CERT, 0, cert)
}
// True functions
extern "C" {
pub fn ASN1_INTEGER_set(dest: *mut ASN1_INTEGER, value: c_long) -> c_int;
@ -434,6 +442,9 @@ extern "C" {
pub fn PEM_read_bio_X509(bio: *mut BIO, out: *mut *mut X509, callback: Option<PasswordCallback>,
user_data: *mut c_void) -> *mut X509;
pub fn PEM_read_bio_PrivateKey(bio: *mut BIO, out: *mut *mut EVP_PKEY, callback: Option<PasswordCallback>,
user_data: *mut c_void) -> *mut X509;
pub fn PEM_write_bio_PrivateKey(bio: *mut BIO, pkey: *mut EVP_PKEY, cipher: *const EVP_CIPHER,
kstr: *mut c_char, klen: c_int,
callback: Option<PasswordCallback>,
@ -509,7 +520,11 @@ extern "C" {
pub fn SSL_CTX_get_ex_data(ctx: *mut SSL_CTX, idx: c_int) -> *mut c_void;
pub fn SSL_CTX_use_certificate_file(ctx: *mut SSL_CTX, cert_file: *const c_char, file_type: c_int) -> c_int;
pub fn SSL_CTX_use_certificate(ctx: *mut SSL_CTX, cert: *mut X509) -> c_int;
pub fn SSL_CTX_use_PrivateKey_file(ctx: *mut SSL_CTX, key_file: *const c_char, file_type: c_int) -> c_int;
pub fn SSL_CTX_use_PrivateKey(ctx: *mut SSL_CTX, key: *mut EVP_PKEY) -> c_int;
pub fn SSL_CTX_check_private_key(ctx: *mut SSL_CTX) -> c_int;
pub fn SSL_CTX_set_cipher_list(ssl: *mut SSL_CTX, s: *const c_char) -> c_int;

29
openssl/src/crypto/pkey.rs
View File

@ -1,4 +1,5 @@
use libc::{c_int, c_uint, c_ulong};
use std::io;
use std::io::prelude::*;
use std::iter::repeat;
use std::mem;
@ -69,6 +70,22 @@ impl PKey {
}
}
/// Reads private key from PEM, takes ownership of handle
pub fn private_key_from_pem<R>(reader: &mut R) -> Result<PKey, SslError> where R: Read {
let mut mem_bio = try!(MemBio::new());
try!(io::copy(reader, &mut mem_bio).map_err(StreamError));
unsafe {
let evp = try_ssl_null!(ffi::PEM_read_bio_PrivateKey(mem_bio.get_handle(),
ptr::null_mut(),
None, ptr::null_mut()));
Ok(PKey {
evp: evp,
parts: Parts::Both,
})
}
}
fn _tostr(&self, f: unsafe extern "C" fn(*mut ffi::RSA, *const *mut u8) -> c_int) -> Vec<u8> {
unsafe {
let rsa = ffi::EVP_PKEY_get1_RSA(self.evp);
@ -335,6 +352,8 @@ impl Drop for PKey {
#[cfg(test)]
mod tests {
use std::path::Path;
use std::fs::File;
use crypto::hash::Type::{MD5, SHA1};
#[test]
@ -373,6 +392,16 @@ mod tests {
assert!(k1.can(super::Role::Sign));
}
#[test]
fn test_private_key_from_pem() {
let key_path = Path::new("test/key.pem");
let mut file = File::open(&key_path)
.ok()
.expect("Failed to open `test/key.pem`");
super::PKey::private_key_from_pem(&mut file).unwrap();
}
#[test]
fn test_encrypt() {
let mut k0 = super::PKey::new();

69
openssl/src/ssl/mod.rs
View File

@ -22,6 +22,7 @@ use bio::{MemBio};
use ffi;
use ssl::error::{SslError, SslSessionClosed, StreamError, OpenSslErrors};
use x509::{X509StoreContext, X509FileType, X509};
use crypto::pkey::PKey;
pub mod error;
#[cfg(test)]
@ -115,13 +116,16 @@ impl SslMethod {
}
/// Determines the type of certificate verification used
#[derive(Copy, Clone, Debug)]
#[repr(i32)]
pub enum SslVerifyMode {
/// Verify that the server's certificate is trusted
SslVerifyPeer = ffi::SSL_VERIFY_PEER,
/// Do not verify the server's certificate
SslVerifyNone = ffi::SSL_VERIFY_NONE
bitflags! {
flags SslVerifyMode: i32 {
/// Verify that the server's certificate is trusted
const SSL_VERIFY_PEER = ffi::SSL_VERIFY_PEER,
/// Do not verify the server's certificate
const SSL_VERIFY_NONE = ffi::SSL_VERIFY_NONE,
/// Terminate handshake if client did not return a certificate.
/// Use together with SSL_VERIFY_PEER.
const SSL_VERIFY_FAIL_IF_NO_PEER_CERT = ffi::SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
}
}
lazy_static! {
@ -296,11 +300,11 @@ pub type VerifyCallbackData<T> = fn(preverify_ok: bool,
// FIXME: macro may be instead of inlining?
#[inline]
fn wrap_ssl_result(res: c_int) -> Option<SslError> {
fn wrap_ssl_result(res: c_int) -> Result<(),SslError> {
if res == 0 {
Some(SslError::get())
Err(SslError::get())
} else {
None
Ok(())
}
}
@ -346,7 +350,7 @@ impl SslContext {
mem::transmute(verify));
let f: extern fn(c_int, *mut ffi::X509_STORE_CTX) -> c_int =
raw_verify;
ffi::SSL_CTX_set_verify(self.ctx, mode as c_int, Some(f));
ffi::SSL_CTX_set_verify(self.ctx, mode.bits as c_int, Some(f));
}
}
@ -366,7 +370,7 @@ impl SslContext {
mem::transmute(data));
let f: extern fn(c_int, *mut ffi::X509_STORE_CTX) -> c_int =
raw_verify_with_data::<T>;
ffi::SSL_CTX_set_verify(self.ctx, mode as c_int, Some(f));
ffi::SSL_CTX_set_verify(self.ctx, mode.bits as c_int, Some(f));
}
}
@ -379,7 +383,7 @@ impl SslContext {
#[allow(non_snake_case)]
/// Specifies the file that contains trusted CA certificates.
pub fn set_CA_file(&mut self, file: &Path) -> Option<SslError> {
pub fn set_CA_file(&mut self, file: &Path) -> Result<(),SslError> {
let file = CString::new(file.as_os_str().to_str().expect("invalid utf8")).unwrap();
wrap_ssl_result(
unsafe {
@ -389,7 +393,7 @@ impl SslContext {
/// Specifies the file that contains certificate
pub fn set_certificate_file(&mut self, file: &Path,
file_type: X509FileType) -> Option<SslError> {
file_type: X509FileType) -> Result<(),SslError> {
let file = CString::new(file.as_os_str().to_str().expect("invalid utf8")).unwrap();
wrap_ssl_result(
unsafe {
@ -397,9 +401,26 @@ impl SslContext {
})
}
/// Specifies the certificate
pub fn set_certificate(&mut self, cert: &X509) -> Result<(),SslError> {
wrap_ssl_result(
unsafe {
ffi::SSL_CTX_use_certificate(self.ctx, cert.get_handle())
})
}
/// Adds a certificate to the certificate chain presented together with the
/// certificate specified using set_certificate()
pub fn add_extra_chain_cert(&mut self, cert: &X509) -> Result<(),SslError> {
wrap_ssl_result(
unsafe {
ffi::SSL_CTX_add_extra_chain_cert(self.ctx, cert.get_handle()) as c_int
})
}
/// Specifies the file that contains private key
pub fn set_private_key_file(&mut self, file: &Path,
file_type: X509FileType) -> Option<SslError> {
file_type: X509FileType) -> Result<(),SslError> {
let file = CString::new(file.as_os_str().to_str().expect("invalid utf8")).unwrap();
wrap_ssl_result(
unsafe {
@ -407,7 +428,23 @@ impl SslContext {
})
}
pub fn set_cipher_list(&mut self, cipher_list: &str) -> Option<SslError> {
/// Specifies the private key
pub fn set_private_key(&mut self, key: &PKey) -> Result<(),SslError> {
wrap_ssl_result(
unsafe {
ffi::SSL_CTX_use_PrivateKey(self.ctx, key.get_handle())
})
}
/// Check consistency of private key and certificate
pub fn check_private_key(&mut self) -> Result<(),SslError> {
wrap_ssl_result(
unsafe {
ffi::SSL_CTX_check_private_key(self.ctx)
})
}
pub fn set_cipher_list(&mut self, cipher_list: &str) -> Result<(),SslError> {
wrap_ssl_result(
unsafe {
let cipher_list = CString::new(cipher_list.as_bytes()).unwrap();

94
openssl/src/ssl/tests.rs
View File

@ -7,15 +7,18 @@ use std::path::Path;
use std::net::TcpListener;
#[cfg(feature = "npn")]
use std::thread;
use std::fs::File;
use crypto::hash::Type::{SHA256};
use ssl;
use ssl::SslMethod::Sslv23;
use ssl::{SslContext, SslStream, VerifyCallback};
use ssl::SslVerifyMode::SslVerifyPeer;
use ssl::SSL_VERIFY_PEER;
use x509::X509StoreContext;
#[cfg(feature = "npn")]
use x509::X509FileType;
use x509::X509;
use crypto::pkey::PKey;
#[test]
fn test_new_ctx() {
@ -32,7 +35,7 @@ fn test_new_sslstream() {
fn test_verify_untrusted() {
let stream = TcpStream::connect("127.0.0.1:15418").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, None);
ctx.set_verify(SSL_VERIFY_PEER, None);
match SslStream::new(&ctx, stream) {
Ok(_) => panic!("expected failure"),
Err(err) => println!("error {:?}", err)
@ -43,10 +46,10 @@ fn test_verify_untrusted() {
fn test_verify_trusted() {
let stream = TcpStream::connect("127.0.0.1:15418").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, None);
ctx.set_verify(SSL_VERIFY_PEER, None);
match ctx.set_CA_file(&Path::new("test/cert.pem")) {
None => {}
Some(err) => panic!("Unexpected error {:?}", err)
Ok(_) => {}
Err(err) => panic!("Unexpected error {:?}", err)
}
match SslStream::new(&ctx, stream) {
Ok(_) => (),
@ -61,7 +64,7 @@ fn test_verify_untrusted_callback_override_ok() {
}
let stream = TcpStream::connect("127.0.0.1:15418").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback));
ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback));
match SslStream::new(&ctx, stream) {
Ok(_) => (),
Err(err) => panic!("Expected success, got {:?}", err)
@ -75,7 +78,7 @@ fn test_verify_untrusted_callback_override_bad() {
}
let stream = TcpStream::connect("127.0.0.1:15418").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback));
ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback));
assert!(SslStream::new(&ctx, stream).is_err());
}
@ -86,10 +89,10 @@ fn test_verify_trusted_callback_override_ok() {
}
let stream = TcpStream::connect("127.0.0.1:15418").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback));
ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback));
match ctx.set_CA_file(&Path::new("test/cert.pem")) {
None => {}
Some(err) => panic!("Unexpected error {:?}", err)
Ok(_) => {}
Err(err) => panic!("Unexpected error {:?}", err)
}
match SslStream::new(&ctx, stream) {
Ok(_) => (),
@ -104,10 +107,10 @@ fn test_verify_trusted_callback_override_bad() {
}
let stream = TcpStream::connect("127.0.0.1:15418").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback));
ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback));
match ctx.set_CA_file(&Path::new("test/cert.pem")) {
None => {}
Some(err) => panic!("Unexpected error {:?}", err)
Ok(_) => {}
Err(err) => panic!("Unexpected error {:?}", err)
}
assert!(SslStream::new(&ctx, stream).is_err());
}
@ -120,7 +123,7 @@ fn test_verify_callback_load_certs() {
}
let stream = TcpStream::connect("127.0.0.1:15418").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback));
ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback));
assert!(SslStream::new(&ctx, stream).is_ok());
}
@ -132,10 +135,10 @@ fn test_verify_trusted_get_error_ok() {
}
let stream = TcpStream::connect("127.0.0.1:15418").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback));
ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback));
match ctx.set_CA_file(&Path::new("test/cert.pem")) {
None => {}
Some(err) => panic!("Unexpected error {:?}", err)
Ok(_) => {}
Err(err) => panic!("Unexpected error {:?}", err)
}
assert!(SslStream::new(&ctx, stream).is_ok());
}
@ -148,7 +151,7 @@ fn test_verify_trusted_get_error_err() {
}
let stream = TcpStream::connect("127.0.0.1:15418").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback));
ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback));
assert!(SslStream::new(&ctx, stream).is_err());
}
@ -173,7 +176,7 @@ fn test_verify_callback_data() {
// Please update if "test/cert.pem" will ever change
let node_hash_str = "46e3f1a6d17a41ce70d0c66ef51cee2ab4ba67cac8940e23f10c1f944b49fb5c";
let node_id = node_hash_str.from_hex().unwrap();
ctx.set_verify_with_data(SslVerifyPeer, callback, node_id);
ctx.set_verify_with_data(SSL_VERIFY_PEER, callback, node_id);
ctx.set_verify_depth(1);
match SslStream::new(&ctx, stream) {
@ -182,6 +185,27 @@ fn test_verify_callback_data() {
}
}
#[test]
fn test_set_certificate_and_private_key() {
let key_path = Path::new("test/key.pem");
let cert_path = Path::new("test/cert.pem");
let mut key_file = File::open(&key_path)
.ok()
.expect("Failed to open `test/key.pem`");
let mut cert_file = File::open(&cert_path)
.ok()
.expect("Failed to open `test/cert.pem`");
let key = PKey::private_key_from_pem(&mut key_file).unwrap();
let cert = X509::from_pem(&mut cert_file).unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_private_key(&key).unwrap();
ctx.set_certificate(&cert).unwrap();
assert!(ctx.check_private_key().is_ok());
}
#[test]
fn test_get_ctx_options() {
let mut ctx = SslContext::new(Sslv23).unwrap();
@ -234,11 +258,11 @@ fn test_read() {
fn test_connect_with_unilateral_npn() {
let stream = TcpStream::connect("127.0.0.1:15418").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, None);
ctx.set_verify(SSL_VERIFY_PEER, None);
ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]);
match ctx.set_CA_file(&Path::new("test/cert.pem")) {
None => {}
Some(err) => panic!("Unexpected error {:?}", err)
Ok(_)=> {}
Err(err) => panic!("Unexpected error {:?}", err)
}
let stream = match SslStream::new(&ctx, stream) {
Ok(stream) => stream,
@ -258,11 +282,11 @@ fn test_connect_with_npn_successful_multiple_matching() {
// NPN enabled.
let stream = TcpStream::connect("127.0.0.1:15419").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, None);
ctx.set_verify(SSL_VERIFY_PEER, None);
ctx.set_npn_protocols(&[b"spdy/3.1", b"http/1.1"]);
match ctx.set_CA_file(&Path::new("test/cert.pem")) {
None => {}
Some(err) => panic!("Unexpected error {:?}", err)
Ok(_)=> {}
Err(err) => panic!("Unexpected error {:?}", err)
}
let stream = match SslStream::new(&ctx, stream) {
Ok(stream) => stream,
@ -283,11 +307,11 @@ fn test_connect_with_npn_successful_single_match() {
// NPN enabled.
let stream = TcpStream::connect("127.0.0.1:15419").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, None);
ctx.set_verify(SSL_VERIFY_PEER, None);
ctx.set_npn_protocols(&[b"spdy/3.1"]);
match ctx.set_CA_file(&Path::new("test/cert.pem")) {
None => {}
Some(err) => panic!("Unexpected error {:?}", err)
Ok(_)=> {}
Err(err) => panic!("Unexpected error {:?}", err)
}
let stream = match SslStream::new(&ctx, stream) {
Ok(stream) => stream,
@ -308,12 +332,12 @@ fn test_npn_server_advertise_multiple() {
// We create a different context instance for the server...
let listener_ctx = {
let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, None);
ctx.set_verify(SSL_VERIFY_PEER, None);
ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]);
ctx.set_certificate_file(
&Path::new("test/cert.pem"), X509FileType::PEM);
assert!(ctx.set_certificate_file(
&Path::new("test/cert.pem"), X509FileType::PEM).is_ok());
ctx.set_private_key_file(
&Path::new("test/key.pem"), X509FileType::PEM);
&Path::new("test/key.pem"), X509FileType::PEM).unwrap();
ctx
};
// Have the listener wait on the connection in a different thread.
@ -323,11 +347,11 @@ fn test_npn_server_advertise_multiple() {
});
let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, None);
ctx.set_verify(SSL_VERIFY_PEER, None);
ctx.set_npn_protocols(&[b"spdy/3.1"]);
match ctx.set_CA_file(&Path::new("test/cert.pem")) {
None => {}
Some(err) => panic!("Unexpected error {:?}", err)
Ok(_)=> {}
Err(err) => panic!("Unexpected error {:?}", err)
}
// Now connect to the socket and make sure the protocol negotiation works...
let stream = TcpStream::connect(localhost).unwrap();

4
openssl/src/x509/mod.rs
View File

@ -393,6 +393,10 @@ impl<'ctx> X509<'ctx> {
}
}
pub fn get_handle(&self) -> *mut ffi::X509 {
self.handle
}
pub fn subject_name<'a>(&'a self) -> X509Name<'a> {
let name = unsafe { ffi::X509_get_subject_name(self.handle) };
X509Name { x509: self, name: name }