Merge pull request #934 from sfackler/digest-algo

Add some digest support

openssl-sys/src/lib.rs

@@ -1453,6 +1453,10 @@ pub unsafe fn BIO_set_retry_write(b: *mut BIO) {
     BIO_set_flags(b, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY)
 }
 
+pub unsafe fn EVP_get_digestbynid(type_: c_int) -> *const EVP_MD {
+    EVP_get_digestbyname(OBJ_nid2sn(type_))
+}
+
 // EVP_PKEY_CTX_ctrl macros
 pub unsafe fn EVP_PKEY_CTX_set_rsa_padding(ctx: *mut EVP_PKEY_CTX, pad: c_int) -> c_int {
     EVP_PKEY_CTX_ctrl(
@@ -2103,6 +2107,8 @@ extern "C" {
         no_name: c_int,
     ) -> c_int;
     pub fn OBJ_nid2sn(nid: c_int) -> *const c_char;
+    pub fn OBJ_find_sigid_algs(signid: c_int, pdig_nid: *mut c_int, ppkey_nid: *mut c_int)
+        -> c_int;
 
     pub fn OCSP_BASICRESP_new() -> *mut OCSP_BASICRESP;
     pub fn OCSP_BASICRESP_free(r: *mut OCSP_BASICRESP);
@@ -2840,6 +2846,7 @@ extern "C" {
     );
 
     pub fn EVP_MD_size(md: *const EVP_MD) -> c_int;
+    pub fn EVP_get_digestbyname(name: *const c_char) -> *const EVP_MD;
     pub fn EVP_get_cipherbyname(name: *const c_char) -> *const EVP_CIPHER;
 
     pub fn SSL_set_connect_state(s: *mut SSL);

openssl/src/hash.rs

@@ -4,6 +4,10 @@ use std::io;
 use std::io::prelude::*;
 use std::ops::{Deref, DerefMut};
 
+use error::ErrorStack;
+use nid::Nid;
+use {cvt, cvt_p};
+
 cfg_if! {
     if #[cfg(ossl110)] {
         use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new};
@@ -12,9 +16,6 @@ cfg_if! {
     }
 }
 
-use error::ErrorStack;
-use {cvt, cvt_p};
-
 #[derive(Copy, Clone)]
 pub struct MessageDigest(*const ffi::EVP_MD);
 
@@ -23,6 +24,22 @@ impl MessageDigest {
         MessageDigest(x)
     }
 
+    /// Returns the `MessageDigest` corresponding to an `Nid`.
+    ///
+    /// This corresponds to [`EVP_get_digestbynid`].
+    ///
+    /// [`EVP_get_digestbynid`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestInit.html
+    pub fn from_nid(type_: Nid) -> Option<MessageDigest> {
+        unsafe {
+            let ptr = ffi::EVP_get_digestbynid(type_.as_raw());
+            if ptr.is_null() {
+                None
+            } else {
+                Some(MessageDigest(ptr))
+            }
+        }
+    }
+
     pub fn md5() -> MessageDigest {
         unsafe { MessageDigest(ffi::EVP_md5()) }
     }
@@ -234,8 +251,8 @@ impl Drop for Hasher {
 /// store the digest data.
 #[derive(Copy)]
 pub struct DigestBytes {
-    buf: [u8; ffi::EVP_MAX_MD_SIZE as usize],
+    pub(crate) buf: [u8; ffi::EVP_MAX_MD_SIZE as usize],
-    len: usize,
+    pub(crate) len: usize,
 }
 
 impl Clone for DigestBytes {
@@ -405,4 +422,12 @@ mod tests {
             hash_test(MessageDigest::ripemd160(), test);
         }
     }
+
+    #[test]
+    fn from_nid() {
+        assert_eq!(
+            MessageDigest::from_nid(Nid::SHA256).unwrap().as_ptr(),
+            MessageDigest::sha256().as_ptr()
+        );
+    }
 }

openssl/src/nid.rs

@@ -1,6 +1,7 @@
 //! A collection of numerical identifiers for OpenSSL objects.
 use ffi;
 use libc::c_int;
+use std::ptr;
 
 /// A numerical identifier for an OpenSSL object.
 ///
@@ -42,6 +43,20 @@ impl Nid {
         self.0
     }
 
+    /// Returns the `Nid` of the digest algorithm associated with a signature ID.
+    ///
+    /// This corresponds to `OBJ_find_sigid_algs`.
+    pub fn digest_algorithm(&self) -> Option<Nid> {
+        unsafe {
+            let mut digest = 0;
+            if ffi::OBJ_find_sigid_algs(self.0, &mut digest, ptr::null_mut()) == 1 {
+                Some(Nid(digest))
+            } else {
+                None
+            }
+        }
+    }
+
     pub const UNDEF: Nid = Nid(ffi::NID_undef);
     pub const ITU_T: Nid = Nid(ffi::NID_itu_t);
     pub const CCITT: Nid = Nid(ffi::NID_ccitt);
@@ -991,3 +1006,16 @@ impl Nid {
     pub const AES_192_CBC_HMAC_SHA1: Nid = Nid(ffi::NID_aes_192_cbc_hmac_sha1);
     pub const AES_256_CBC_HMAC_SHA1: Nid = Nid(ffi::NID_aes_256_cbc_hmac_sha1);
 }
+
+#[cfg(test)]
+mod test {
+    use super::Nid;
+
+    #[test]
+    fn signature_digest() {
+        assert_eq!(
+            Nid::SHA256WITHRSAENCRYPTION.digest_algorithm(),
+            Some(Nid::SHA256)
+        );
+    }
+}

openssl/src/pkcs12.rs

@@ -3,15 +3,15 @@
 use ffi;
 use foreign_types::{ForeignType, ForeignTypeRef};
 use libc::c_int;
-use std::ptr;
 use std::ffi::CString;
+use std::ptr;
 
-use {cvt, cvt_p};
-use pkey::{HasPrivate, PKey, PKeyRef, Private};
 use error::ErrorStack;
-use x509::{X509, X509Ref};
-use stack::Stack;
 use nid::Nid;
+use pkey::{HasPrivate, PKey, PKeyRef, Private};
+use stack::Stack;
+use x509::{X509, X509Ref};
+use {cvt, cvt_p};
 
 foreign_type_and_impl_send_sync! {
     type CType = ffi::PKCS12;
@@ -172,7 +172,8 @@ impl Pkcs12Builder {
             let friendly_name = CString::new(friendly_name).unwrap();
             let pkey = pkey.as_ptr();
             let cert = cert.as_ptr();
-            let ca = self.ca
+            let ca = self
+                .ca
                 .as_ref()
                 .map(|ca| ca.as_ptr())
                 .unwrap_or(ptr::null_mut());
@@ -206,11 +207,11 @@ mod test {
     use hex;
 
     use asn1::Asn1Time;
-    use rsa::Rsa;
-    use pkey::PKey;
     use nid::Nid;
-    use x509::{X509, X509Name};
+    use pkey::PKey;
+    use rsa::Rsa;
     use x509::extension::KeyUsage;
+    use x509::{X509, X509Name};
 
     use super::*;
 
@@ -221,14 +222,14 @@ mod test {
         let parsed = pkcs12.parse("mypass").unwrap();
 
         assert_eq!(
-            hex::encode(parsed.cert.fingerprint(MessageDigest::sha1()).unwrap()),
+            hex::encode(parsed.cert.digest(MessageDigest::sha1()).unwrap()),
             "59172d9313e84459bcff27f967e79e6e9217e584"
         );
 
         let chain = parsed.chain.unwrap();
         assert_eq!(chain.len(), 1);
         assert_eq!(
-            hex::encode(chain[0].fingerprint(MessageDigest::sha1()).unwrap()),
+            hex::encode(chain[0].digest(MessageDigest::sha1()).unwrap()),
             "c0cbdf7cdd03c9773e5468e1f6d2da7d5cbb1875"
         );
     }
@@ -279,8 +280,8 @@ mod test {
         let parsed = pkcs12.parse("mypass").unwrap();
 
         assert_eq!(
-            parsed.cert.fingerprint(MessageDigest::sha1()).unwrap(),
+            &*parsed.cert.digest(MessageDigest::sha1()).unwrap(),
-            cert.fingerprint(MessageDigest::sha1()).unwrap()
+            &*cert.digest(MessageDigest::sha1()).unwrap()
         );
         assert!(parsed.pkey.public_eq(&pkey));
     }

openssl/src/ssl/test.rs

@@ -295,8 +295,8 @@ run_test!(verify_callback_data, |method, stream| {
         match cert {
             None => false,
             Some(cert) => {
-                let fingerprint = cert.fingerprint(MessageDigest::sha1()).unwrap();
+                let fingerprint = cert.digest(MessageDigest::sha1()).unwrap();
-                fingerprint == node_id
+                node_id == &*fingerprint
             }
         }
     });
@@ -323,8 +323,8 @@ run_test!(ssl_verify_callback, |method, stream| {
         match x509.current_cert() {
             None => false,
             Some(cert) => {
-                let fingerprint = cert.fingerprint(MessageDigest::sha1()).unwrap();
+                let fingerprint = cert.digest(MessageDigest::sha1()).unwrap();
-                fingerprint == node_id
+                node_id == &*fingerprint
             }
         }
     });
@@ -424,10 +424,10 @@ run_test!(get_peer_certificate, |method, stream| {
     let ctx = SslContext::builder(method).unwrap();
     let stream = Ssl::new(&ctx.build()).unwrap().connect(stream).unwrap();
     let cert = stream.ssl().peer_certificate().unwrap();
-    let fingerprint = cert.fingerprint(MessageDigest::sha1()).unwrap();
+    let fingerprint = cert.digest(MessageDigest::sha1()).unwrap();
     let node_hash_str = "59172d9313e84459bcff27f967e79e6e9217e584";
     let node_id = Vec::from_hex(node_hash_str).unwrap();
-    assert_eq!(node_id, fingerprint)
+    assert_eq!(node_id, &*fingerprint)
 });
 
 #[test]

openssl/src/x509/mod.rs

@@ -25,7 +25,7 @@ use bio::MemBioSlice;
 use conf::ConfRef;
 use error::ErrorStack;
 use ex_data::Index;
-use hash::MessageDigest;
+use hash::{DigestBytes, MessageDigest};
 use nid::Nid;
 use pkey::{HasPrivate, HasPublic, PKey, PKeyRef, Public};
 use ssl::SslRef;
@@ -447,23 +447,35 @@ impl X509Ref {
         }
     }
 
-    /// Returns certificate fingerprint calculated using provided hash
+    /// Returns a digest of the DER representation of the certificate.
-    pub fn fingerprint(&self, hash_type: MessageDigest) -> Result<Vec<u8>, ErrorStack> {
+    ///
+    /// This corresponds to [`X509_digest`].
+    ///
+    /// [`X509_digest`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_digest.html
+    pub fn digest(&self, hash_type: MessageDigest) -> Result<DigestBytes, ErrorStack> {
         unsafe {
-            let evp = hash_type.as_ptr();
+            let mut digest = DigestBytes {
+                buf: [0; ffi::EVP_MAX_MD_SIZE as usize],
+                len: ffi::EVP_MAX_MD_SIZE as usize,
+            };
             let mut len = ffi::EVP_MAX_MD_SIZE;
-            let mut buf = vec![0u8; len as usize];
             cvt(ffi::X509_digest(
                 self.as_ptr(),
-                evp,
+                hash_type.as_ptr(),
-                buf.as_mut_ptr() as *mut _,
+                digest.buf.as_mut_ptr() as *mut _,
                 &mut len,
             ))?;
-            buf.truncate(len as usize);
+            digest.len = len as usize;
-            Ok(buf)
+
+            Ok(digest)
         }
     }
 
+    #[deprecated(since = "0.10.9", note = "renamed to digest")]
+    pub fn fingerprint(&self, hash_type: MessageDigest) -> Result<Vec<u8>, ErrorStack> {
+        self.digest(hash_type).map(|b| b.to_vec())
+    }
+
     /// Returns the certificate's Not After validity period.
     pub fn not_after(&self) -> &Asn1TimeRef {
         unsafe {

openssl/src/x509/tests.rs

@@ -23,12 +23,12 @@ fn pkey() -> PKey<Private> {
 fn test_cert_loading() {
     let cert = include_bytes!("../../test/cert.pem");
     let cert = X509::from_pem(cert).ok().expect("Failed to load PEM");
-    let fingerprint = cert.fingerprint(MessageDigest::sha1()).unwrap();
+    let fingerprint = cert.digest(MessageDigest::sha1()).unwrap();
 
     let hash_str = "59172d9313e84459bcff27f967e79e6e9217e584";
     let hash_vec = Vec::from_hex(hash_str).unwrap();
 
-    assert_eq!(fingerprint, hash_vec);
+    assert_eq!(hash_vec, &*fingerprint);
 }
 
 #[test]
@@ -250,11 +250,11 @@ fn test_stack_from_pem() {
 
     assert_eq!(certs.len(), 2);
     assert_eq!(
-        hex::encode(certs[0].fingerprint(MessageDigest::sha1()).unwrap()),
+        hex::encode(certs[0].digest(MessageDigest::sha1()).unwrap()),
         "59172d9313e84459bcff27f967e79e6e9217e584"
     );
     assert_eq!(
-        hex::encode(certs[1].fingerprint(MessageDigest::sha1()).unwrap()),
+        hex::encode(certs[1].digest(MessageDigest::sha1()).unwrap()),
         "c0cbdf7cdd03c9773e5468e1f6d2da7d5cbb1875"
     );
 }