From 772e1c003f57cdbc6258580cb2059999aa51b4f2 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Thu, 24 May 2018 21:06:11 -0700 Subject: [PATCH 1/2] Add some digest support --- openssl-sys/src/lib.rs | 7 +++++++ openssl/src/hash.rs | 31 ++++++++++++++++++++++++++++--- openssl/src/nid.rs | 28 ++++++++++++++++++++++++++++ 3 files changed, 63 insertions(+), 3 deletions(-) diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index fda47fd0..e7bd046e 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -1453,6 +1453,10 @@ pub unsafe fn BIO_set_retry_write(b: *mut BIO) { BIO_set_flags(b, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY) } +pub unsafe fn EVP_get_digestbynid(type_: c_int) -> *const EVP_MD { + EVP_get_digestbyname(OBJ_nid2sn(type_)) +} + // EVP_PKEY_CTX_ctrl macros pub unsafe fn EVP_PKEY_CTX_set_rsa_padding(ctx: *mut EVP_PKEY_CTX, pad: c_int) -> c_int { EVP_PKEY_CTX_ctrl( @@ -2103,6 +2107,8 @@ extern "C" { no_name: c_int, ) -> c_int; pub fn OBJ_nid2sn(nid: c_int) -> *const c_char; + pub fn OBJ_find_sigid_algs(signid: c_int, pdig_nid: *mut c_int, ppkey_nid: *mut c_int) + -> c_int; pub fn OCSP_BASICRESP_new() -> *mut OCSP_BASICRESP; pub fn OCSP_BASICRESP_free(r: *mut OCSP_BASICRESP); @@ -2840,6 +2846,7 @@ extern "C" { ); pub fn EVP_MD_size(md: *const EVP_MD) -> c_int; + pub fn EVP_get_digestbyname(name: *const c_char) -> *const EVP_MD; pub fn EVP_get_cipherbyname(name: *const c_char) -> *const EVP_CIPHER; pub fn SSL_set_connect_state(s: *mut SSL); diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 582a2ada..49797df8 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -4,6 +4,10 @@ use std::io; use std::io::prelude::*; use std::ops::{Deref, DerefMut}; +use error::ErrorStack; +use nid::Nid; +use {cvt, cvt_p}; + cfg_if! { if #[cfg(ossl110)] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; @@ -12,9 +16,6 @@ cfg_if! { } } -use error::ErrorStack; -use {cvt, cvt_p}; - #[derive(Copy, Clone)] pub struct MessageDigest(*const ffi::EVP_MD); @@ -23,6 +24,22 @@ impl MessageDigest { MessageDigest(x) } + /// Returns the `MessageDigest` corresponding to an `Nid`. + /// + /// This corresponds to [`EVP_get_digestbynid`]. + /// + /// [`EVP_get_digestbynid`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestInit.html + pub fn from_nid(type_: Nid) -> Option { + unsafe { + let ptr = ffi::EVP_get_digestbynid(type_.as_raw()); + if ptr.is_null() { + None + } else { + Some(MessageDigest(ptr)) + } + } + } + pub fn md5() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_md5()) } } @@ -405,4 +422,12 @@ mod tests { hash_test(MessageDigest::ripemd160(), test); } } + + #[test] + fn from_nid() { + assert_eq!( + MessageDigest::from_nid(Nid::SHA256).unwrap().as_ptr(), + MessageDigest::sha256().as_ptr() + ); + } } diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index 7c041236..78ffac96 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -1,6 +1,7 @@ //! A collection of numerical identifiers for OpenSSL objects. use ffi; use libc::c_int; +use std::ptr; /// A numerical identifier for an OpenSSL object. /// @@ -42,6 +43,20 @@ impl Nid { self.0 } + /// Returns the `Nid` of the digest algorithm associated with a signature ID. + /// + /// This corresponds to `OBJ_find_sigid_algs`. + pub fn digest_algorithm(&self) -> Option { + unsafe { + let mut digest = 0; + if ffi::OBJ_find_sigid_algs(self.0, &mut digest, ptr::null_mut()) == 1 { + Some(Nid(digest)) + } else { + None + } + } + } + pub const UNDEF: Nid = Nid(ffi::NID_undef); pub const ITU_T: Nid = Nid(ffi::NID_itu_t); pub const CCITT: Nid = Nid(ffi::NID_ccitt); @@ -991,3 +1006,16 @@ impl Nid { pub const AES_192_CBC_HMAC_SHA1: Nid = Nid(ffi::NID_aes_192_cbc_hmac_sha1); pub const AES_256_CBC_HMAC_SHA1: Nid = Nid(ffi::NID_aes_256_cbc_hmac_sha1); } + +#[cfg(test)] +mod test { + use super::Nid; + + #[test] + fn signature_digest() { + assert_eq!( + Nid::SHA256WITHRSAENCRYPTION.digest_algorithm(), + Some(Nid::SHA256) + ); + } +} From a774c0c5f2867b33735bec9e1cb6c9870a5ece08 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Thu, 24 May 2018 20:35:06 -0700 Subject: [PATCH 2/2] Rename X509Ref::fingerprint to X509Ref::digest and avoid allocating --- openssl/src/hash.rs | 4 ++-- openssl/src/pkcs12.rs | 27 ++++++++++++++------------- openssl/src/ssl/test.rs | 12 ++++++------ openssl/src/x509/mod.rs | 30 +++++++++++++++++++++--------- openssl/src/x509/tests.rs | 8 ++++---- 5 files changed, 47 insertions(+), 34 deletions(-) diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 49797df8..dd4d136c 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -251,8 +251,8 @@ impl Drop for Hasher { /// store the digest data. #[derive(Copy)] pub struct DigestBytes { - buf: [u8; ffi::EVP_MAX_MD_SIZE as usize], - len: usize, + pub(crate) buf: [u8; ffi::EVP_MAX_MD_SIZE as usize], + pub(crate) len: usize, } impl Clone for DigestBytes { diff --git a/openssl/src/pkcs12.rs b/openssl/src/pkcs12.rs index d71a1d82..b98848c8 100644 --- a/openssl/src/pkcs12.rs +++ b/openssl/src/pkcs12.rs @@ -3,15 +3,15 @@ use ffi; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::c_int; -use std::ptr; use std::ffi::CString; +use std::ptr; -use {cvt, cvt_p}; -use pkey::{HasPrivate, PKey, PKeyRef, Private}; use error::ErrorStack; -use x509::{X509, X509Ref}; -use stack::Stack; use nid::Nid; +use pkey::{HasPrivate, PKey, PKeyRef, Private}; +use stack::Stack; +use x509::{X509, X509Ref}; +use {cvt, cvt_p}; foreign_type_and_impl_send_sync! { type CType = ffi::PKCS12; @@ -172,7 +172,8 @@ impl Pkcs12Builder { let friendly_name = CString::new(friendly_name).unwrap(); let pkey = pkey.as_ptr(); let cert = cert.as_ptr(); - let ca = self.ca + let ca = self + .ca .as_ref() .map(|ca| ca.as_ptr()) .unwrap_or(ptr::null_mut()); @@ -206,11 +207,11 @@ mod test { use hex; use asn1::Asn1Time; - use rsa::Rsa; - use pkey::PKey; use nid::Nid; - use x509::{X509, X509Name}; + use pkey::PKey; + use rsa::Rsa; use x509::extension::KeyUsage; + use x509::{X509, X509Name}; use super::*; @@ -221,14 +222,14 @@ mod test { let parsed = pkcs12.parse("mypass").unwrap(); assert_eq!( - hex::encode(parsed.cert.fingerprint(MessageDigest::sha1()).unwrap()), + hex::encode(parsed.cert.digest(MessageDigest::sha1()).unwrap()), "59172d9313e84459bcff27f967e79e6e9217e584" ); let chain = parsed.chain.unwrap(); assert_eq!(chain.len(), 1); assert_eq!( - hex::encode(chain[0].fingerprint(MessageDigest::sha1()).unwrap()), + hex::encode(chain[0].digest(MessageDigest::sha1()).unwrap()), "c0cbdf7cdd03c9773e5468e1f6d2da7d5cbb1875" ); } @@ -279,8 +280,8 @@ mod test { let parsed = pkcs12.parse("mypass").unwrap(); assert_eq!( - parsed.cert.fingerprint(MessageDigest::sha1()).unwrap(), - cert.fingerprint(MessageDigest::sha1()).unwrap() + &*parsed.cert.digest(MessageDigest::sha1()).unwrap(), + &*cert.digest(MessageDigest::sha1()).unwrap() ); assert!(parsed.pkey.public_eq(&pkey)); } diff --git a/openssl/src/ssl/test.rs b/openssl/src/ssl/test.rs index 0d418d2c..f5ec7b29 100644 --- a/openssl/src/ssl/test.rs +++ b/openssl/src/ssl/test.rs @@ -295,8 +295,8 @@ run_test!(verify_callback_data, |method, stream| { match cert { None => false, Some(cert) => { - let fingerprint = cert.fingerprint(MessageDigest::sha1()).unwrap(); - fingerprint == node_id + let fingerprint = cert.digest(MessageDigest::sha1()).unwrap(); + node_id == &*fingerprint } } }); @@ -323,8 +323,8 @@ run_test!(ssl_verify_callback, |method, stream| { match x509.current_cert() { None => false, Some(cert) => { - let fingerprint = cert.fingerprint(MessageDigest::sha1()).unwrap(); - fingerprint == node_id + let fingerprint = cert.digest(MessageDigest::sha1()).unwrap(); + node_id == &*fingerprint } } }); @@ -424,10 +424,10 @@ run_test!(get_peer_certificate, |method, stream| { let ctx = SslContext::builder(method).unwrap(); let stream = Ssl::new(&ctx.build()).unwrap().connect(stream).unwrap(); let cert = stream.ssl().peer_certificate().unwrap(); - let fingerprint = cert.fingerprint(MessageDigest::sha1()).unwrap(); + let fingerprint = cert.digest(MessageDigest::sha1()).unwrap(); let node_hash_str = "59172d9313e84459bcff27f967e79e6e9217e584"; let node_id = Vec::from_hex(node_hash_str).unwrap(); - assert_eq!(node_id, fingerprint) + assert_eq!(node_id, &*fingerprint) }); #[test] diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 19760f25..5c1bb23f 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -25,7 +25,7 @@ use bio::MemBioSlice; use conf::ConfRef; use error::ErrorStack; use ex_data::Index; -use hash::MessageDigest; +use hash::{DigestBytes, MessageDigest}; use nid::Nid; use pkey::{HasPrivate, HasPublic, PKey, PKeyRef, Public}; use ssl::SslRef; @@ -447,23 +447,35 @@ impl X509Ref { } } - /// Returns certificate fingerprint calculated using provided hash - pub fn fingerprint(&self, hash_type: MessageDigest) -> Result, ErrorStack> { + /// Returns a digest of the DER representation of the certificate. + /// + /// This corresponds to [`X509_digest`]. + /// + /// [`X509_digest`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_digest.html + pub fn digest(&self, hash_type: MessageDigest) -> Result { unsafe { - let evp = hash_type.as_ptr(); + let mut digest = DigestBytes { + buf: [0; ffi::EVP_MAX_MD_SIZE as usize], + len: ffi::EVP_MAX_MD_SIZE as usize, + }; let mut len = ffi::EVP_MAX_MD_SIZE; - let mut buf = vec![0u8; len as usize]; cvt(ffi::X509_digest( self.as_ptr(), - evp, - buf.as_mut_ptr() as *mut _, + hash_type.as_ptr(), + digest.buf.as_mut_ptr() as *mut _, &mut len, ))?; - buf.truncate(len as usize); - Ok(buf) + digest.len = len as usize; + + Ok(digest) } } + #[deprecated(since = "0.10.9", note = "renamed to digest")] + pub fn fingerprint(&self, hash_type: MessageDigest) -> Result, ErrorStack> { + self.digest(hash_type).map(|b| b.to_vec()) + } + /// Returns the certificate's Not After validity period. pub fn not_after(&self) -> &Asn1TimeRef { unsafe { diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index a3c66e0c..42859c97 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -23,12 +23,12 @@ fn pkey() -> PKey { fn test_cert_loading() { let cert = include_bytes!("../../test/cert.pem"); let cert = X509::from_pem(cert).ok().expect("Failed to load PEM"); - let fingerprint = cert.fingerprint(MessageDigest::sha1()).unwrap(); + let fingerprint = cert.digest(MessageDigest::sha1()).unwrap(); let hash_str = "59172d9313e84459bcff27f967e79e6e9217e584"; let hash_vec = Vec::from_hex(hash_str).unwrap(); - assert_eq!(fingerprint, hash_vec); + assert_eq!(hash_vec, &*fingerprint); } #[test] @@ -250,11 +250,11 @@ fn test_stack_from_pem() { assert_eq!(certs.len(), 2); assert_eq!( - hex::encode(certs[0].fingerprint(MessageDigest::sha1()).unwrap()), + hex::encode(certs[0].digest(MessageDigest::sha1()).unwrap()), "59172d9313e84459bcff27f967e79e6e9217e584" ); assert_eq!( - hex::encode(certs[1].fingerprint(MessageDigest::sha1()).unwrap()), + hex::encode(certs[1].digest(MessageDigest::sha1()).unwrap()), "c0cbdf7cdd03c9773e5468e1f6d2da7d5cbb1875" ); }