diff --git a/src/asn1/mod.rs b/src/asn1/mod.rs new file mode 100644 index 00000000..d302d6b7 --- /dev/null +++ b/src/asn1/mod.rs @@ -0,0 +1,23 @@ +pub mod ffi { + #![allow(dead_code)] + #![allow(non_camel_case_types)] + use libc::{c_int, c_long, c_void}; + + pub type ASN1_INTEGER = c_void; + pub type ASN1_TIME = c_void; + pub type ASN1_STRING = c_void; + + pub static MBSTRING_FLAG: c_int = 0x1000; + pub static MBSTRING_UTF8: c_int = MBSTRING_FLAG; + pub static MBSTRING_ASC: c_int = MBSTRING_FLAG | 1; + pub static MBSTRING_BMP: c_int = MBSTRING_FLAG | 2; + pub static MBSTRING_UNIV: c_int = MBSTRING_FLAG | 4; + + pub static V_ASN1_UTCTIME: c_int = 23; + pub static V_ASN1_GENERALIZEDTIME: c_int = 24; + + extern "C" { + pub fn ASN1_STRING_type_new(ty: c_int) -> *mut ASN1_STRING; + pub fn ASN1_INTEGER_set(dest: *mut ASN1_INTEGER, value: c_long) -> c_int; + } +} diff --git a/src/bio/mod.rs b/src/bio/mod.rs new file mode 100644 index 00000000..019129ea --- /dev/null +++ b/src/bio/mod.rs @@ -0,0 +1,106 @@ +use libc::{c_void, c_int}; +use std::io::{IoResult, IoError, OtherIoError}; +use std::io::{Reader, Writer}; +use std::ptr; + +use ssl::error::{SslError}; + +pub struct MemBio { + bio: *mut ffi::BIO, + owned: bool +} + +impl Drop for MemBio { + fn drop(&mut self) { + if self.owned { + unsafe { + ffi::BIO_free_all(self.bio); + } + } + } +} + +impl MemBio { + /// Creates a new owned memory based BIO + pub fn new() -> Result { + let bio = unsafe { ffi::BIO_new(ffi::BIO_s_mem()) }; + try_ssl_null!(bio); + + Ok(MemBio { + bio: bio, + owned: true + }) + } + + /// Returns a "borrow", i.e. it has no ownership + pub fn borrowed(bio: *mut ffi::BIO) -> MemBio { + MemBio { + bio: bio, + owned: false + } + } + + /// Consumes current bio and returns wrapped value + /// Note that data ownership is lost and + /// should be handled manually + pub unsafe fn unwrap(self) -> *mut ffi::BIO { + let mut t = self; + t.owned = false; + t.bio + } + + /// Temporarily gets wrapped value + pub unsafe fn get_handle(&self) -> *mut ffi::BIO { + self.bio + } +} + +impl Reader for MemBio { + fn read(&mut self, buf: &mut [u8]) -> IoResult { + // FIXME: merge with read + let ret = unsafe { + ffi::BIO_read(self.bio, buf.as_ptr() as *mut c_void, + buf.len() as c_int) + }; + + if ret < 0 { + // FIXME: provide details from OpenSSL + Err(IoError{kind: OtherIoError, desc: "mem bio read error", detail: None}) + } else { + Ok(ret as uint) + } + } +} + +impl Writer for MemBio { + fn write(&mut self, buf: &[u8]) -> IoResult<()> { + // FIXME: merge with write + let ret = unsafe { + ffi::BIO_write(self.bio, buf.as_ptr() as *const c_void, + buf.len() as c_int) + }; + if buf.len() != ret as uint { + // FIXME: provide details from OpenSSL + Err(IoError{kind: OtherIoError, desc: "mem bio write error", detail: None}) + } else { + Ok(()) + } + } +} + +pub mod ffi { + #![allow(non_camel_case_types)] + + use libc::{c_int, c_void}; + + pub type BIO = c_void; + pub type BIO_METHOD = c_void; + + extern "C" { + pub fn BIO_s_mem() -> *const BIO_METHOD; + pub fn BIO_new(type_: *const BIO_METHOD) -> *mut BIO; + pub fn BIO_free_all(a: *mut BIO); + pub fn BIO_read(b: *mut BIO, buf: *mut c_void, len: c_int) -> c_int; + pub fn BIO_write(b: *mut BIO, buf: *const c_void, len: c_int) -> c_int; + } +} diff --git a/src/crypto/pkey.rs b/src/crypto/pkey.rs index d4a98713..5c4b108f 100644 --- a/src/crypto/pkey.rs +++ b/src/crypto/pkey.rs @@ -1,8 +1,11 @@ -use libc::{c_char, c_int, c_uint}; +use libc::{c_char, c_int, c_uint, c_void}; use libc; use std::mem; use std::ptr; +use bio::{mod, MemBio}; use crypto::hash::{HashType, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, RIPEMD160}; +use crypto::symm::{EVP_CIPHER}; +use ssl::error::{SslError, StreamError}; #[allow(non_camel_case_types)] pub type EVP_PKEY = *mut libc::c_void; @@ -10,6 +13,8 @@ pub type EVP_PKEY = *mut libc::c_void; #[allow(non_camel_case_types)] pub type RSA = *mut libc::c_void; +pub type PrivateKeyWriteCallback = extern "C" fn(buf: *mut c_char, size: c_int, rwflag: c_int, user_data: *mut c_void) -> c_int; + #[link(name = "crypto")] extern { fn EVP_PKEY_new() -> *mut EVP_PKEY; @@ -34,6 +39,11 @@ extern { k: *mut RSA) -> c_int; fn RSA_verify(t: c_int, m: *const u8, mlen: c_uint, sig: *const u8, siglen: c_uint, k: *mut RSA) -> c_int; + + fn PEM_write_bio_PrivateKey(bio: *mut bio::ffi::BIO, pkey: *mut EVP_PKEY, cipher: *const EVP_CIPHER, + kstr: *mut c_char, klen: c_int, + callback: *mut c_void, + user_data: *mut c_void) -> c_int; } enum Parts { @@ -163,6 +173,19 @@ impl PKey { self.parts = Both; } + /// Stores private key as a PEM + // FIXME: also add password and encryption + pub fn write_pem(&self, writer: &mut Writer/*, password: Option*/) -> Result<(), SslError> { + let mut mem_bio = try!(MemBio::new()); + unsafe { + try_ssl!(PEM_write_bio_PrivateKey(mem_bio.get_handle(), self.evp, ptr::null(), + ptr::null_mut(), -1, ptr::null_mut(), ptr::null_mut())); + + } + let buf = try!(mem_bio.read_to_end().map_err(StreamError)); + writer.write(buf.as_slice()).map_err(StreamError) + } + /** * Returns the size of the public key modulus. */ @@ -326,6 +349,10 @@ impl PKey { rv == 1 as c_int } } + + pub unsafe fn get_handle(&self) -> *mut EVP_PKEY { + return self.evp + } } impl Drop for PKey { diff --git a/src/lib.rs b/src/lib.rs old mode 100644 new mode 100755 index 3e0f3b92..d142f865 --- a/src/lib.rs +++ b/src/lib.rs @@ -9,6 +9,11 @@ extern crate libc; extern crate serialize; extern crate sync; -pub mod ssl; -pub mod crypto; +mod macros; + +mod asn1; pub mod bn; +pub mod bio; +pub mod crypto; +pub mod ssl; +pub mod x509; diff --git a/src/macros.rs b/src/macros.rs new file mode 100755 index 00000000..b11f9dad --- /dev/null +++ b/src/macros.rs @@ -0,0 +1,61 @@ +#![macro_escape] + +#[macro_export] +macro_rules! try_ssl_stream { + ($e:expr) => ( + match $e { + Ok(ok) => ok, + Err(err) => return Err(StreamError(err)) + } + ) +} + +/// Shortcut return with SSL error if something went wrong +#[macro_export] +macro_rules! try_ssl_if { + ($e:expr) => ( + if $e { + return Err(SslError::get()) + } + ) +} + +/// Shortcut return with SSL error if last error result is 0 +/// (default) +#[macro_export] +macro_rules! try_ssl{ + ($e:expr) => (try_ssl_if!($e == 0)) +} + +/// Shortcut return with SSL if got a null result +#[macro_export] +macro_rules! try_ssl_null{ + ($e:expr) => (try_ssl_if!($e == ptr::null_mut())) +} + + +/// Lifts current SSL error code into Result<(), Error> +/// if expression is true +/// Lifting is actually a shortcut of the following form: +/// +/// ```ignore +/// let _ = try!(something) +/// Ok(()) +/// ``` +#[macro_export] +macro_rules! lift_ssl_if{ + ($e:expr) => ( { + if $e { + Err(SslError::get()) + } else { + Ok(()) + } + }) +} + +/// Lifts current SSL error code into Result<(), Error> +/// if SSL returned 0 (default error indication) +#[macro_export] +macro_rules! lift_ssl { + ($e:expr) => (lift_ssl_if!($e == 0)) +} diff --git a/src/ssl/ffi.rs b/src/ssl/ffi.rs index a40af35e..02392f74 100755 --- a/src/ssl/ffi.rs +++ b/src/ssl/ffi.rs @@ -1,17 +1,14 @@ #![allow(non_camel_case_types)] -use libc::{c_int, c_void, c_long, c_ulong, c_char, c_uint}; -use crypto::hash::{EVP_MD}; +use libc::{c_int, c_void, c_long, c_ulong, c_char}; + +use bio; +use x509; pub type SSL_CTX = c_void; pub type SSL_METHOD = c_void; pub type COMP_METHOD = c_void; pub type SSL = c_void; -pub type BIO = c_void; -pub type BIO_METHOD = c_void; -pub type X509_STORE_CTX = c_void; -pub type X509 = c_void; -pub type X509_NAME = c_void; pub type CRYPTO_EX_DATA = c_void; pub type CRYPTO_EX_new = extern "C" fn(parent: *mut c_void, ptr: *mut c_void, @@ -44,64 +41,6 @@ pub static SSL_CTRL_SET_TLSEXT_HOSTNAME: c_int = 55; pub static TLSEXT_NAMETYPE_host_name: c_long = 0; -pub static X509_V_OK: c_int = 0; -pub static X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: c_int = 2; -pub static X509_V_ERR_UNABLE_TO_GET_CRL: c_int = 3; -pub static X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: c_int = 4; -pub static X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: c_int = 5; -pub static X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: c_int = 6; -pub static X509_V_ERR_CERT_SIGNATURE_FAILURE: c_int = 7; -pub static X509_V_ERR_CRL_SIGNATURE_FAILURE: c_int = 8; -pub static X509_V_ERR_CERT_NOT_YET_VALID: c_int = 9; -pub static X509_V_ERR_CERT_HAS_EXPIRED: c_int = 10; -pub static X509_V_ERR_CRL_NOT_YET_VALID: c_int = 11; -pub static X509_V_ERR_CRL_HAS_EXPIRED: c_int = 12; -pub static X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: c_int = 13; -pub static X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: c_int = 14; -pub static X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: c_int = 15; -pub static X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: c_int = 16; -pub static X509_V_ERR_OUT_OF_MEM: c_int = 17; -pub static X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: c_int = 18; -pub static X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: c_int = 19; -pub static X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: c_int = 20; -pub static X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: c_int = 21; -pub static X509_V_ERR_CERT_CHAIN_TOO_LONG: c_int = 22; -pub static X509_V_ERR_CERT_REVOKED: c_int = 23; -pub static X509_V_ERR_INVALID_CA: c_int = 24; -pub static X509_V_ERR_PATH_LENGTH_EXCEEDED: c_int = 25; -pub static X509_V_ERR_INVALID_PURPOSE: c_int = 26; -pub static X509_V_ERR_CERT_UNTRUSTED: c_int = 27; -pub static X509_V_ERR_CERT_REJECTED: c_int = 28; -pub static X509_V_ERR_SUBJECT_ISSUER_MISMATCH: c_int = 29; -pub static X509_V_ERR_AKID_SKID_MISMATCH: c_int = 30; -pub static X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: c_int = 31; -pub static X509_V_ERR_KEYUSAGE_NO_CERTSIGN: c_int = 32; -pub static X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: c_int = 33; -pub static X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: c_int = 34; -pub static X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: c_int = 35; -pub static X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: c_int = 36; -pub static X509_V_ERR_INVALID_NON_CA: c_int = 37; -pub static X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: c_int = 38; -pub static X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: c_int = 39; -pub static X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: c_int = 40; -pub static X509_V_ERR_INVALID_EXTENSION: c_int = 41; -pub static X509_V_ERR_INVALID_POLICY_EXTENSION: c_int = 42; -pub static X509_V_ERR_NO_EXPLICIT_POLICY: c_int = 43; -pub static X509_V_ERR_DIFFERENT_CRL_SCOPE: c_int = 44; -pub static X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: c_int = 45; -pub static X509_V_ERR_UNNESTED_RESOURCE: c_int = 46; -pub static X509_V_ERR_PERMITTED_VIOLATION: c_int = 47; -pub static X509_V_ERR_EXCLUDED_VIOLATION: c_int = 48; -pub static X509_V_ERR_SUBTREE_MINMAX: c_int = 49; -pub static X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: c_int = 51; -pub static X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: c_int = 52; -pub static X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: c_int = 53; -pub static X509_V_ERR_CRL_PATH_VALIDATION_ERROR: c_int = 54; -pub static X509_V_ERR_APPLICATION_VERIFICATION: c_int = 50; - -pub static X509_FILETYPE_PEM: c_int = 1; -pub static X509_FILETYPE_ASN1: c_int = 2; -pub static X509_FILETYPE_DEFAULT: c_int = 3; #[cfg(target_os = "macos", feature = "tlsv1_1")] #[cfg(target_os = "macos", feature = "tlsv1_2")] @@ -139,7 +78,7 @@ extern "C" { pub fn SSL_CTX_new(method: *const SSL_METHOD) -> *mut SSL_CTX; pub fn SSL_CTX_free(ctx: *mut SSL_CTX); pub fn SSL_CTX_set_verify(ctx: *mut SSL_CTX, mode: c_int, - verify_callback: Option c_int>); + verify_callback: Option c_int>); pub fn SSL_CTX_load_verify_locations(ctx: *mut SSL_CTX, CAfile: *const c_char, CApath: *const c_char) -> c_int; pub fn SSL_CTX_get_ex_new_index(argl: c_long, argp: *const c_void, @@ -154,19 +93,11 @@ extern "C" { pub fn SSL_CTX_use_certificate_file(ctx: *mut SSL_CTX, cert_file: *const c_char, file_type: c_int) -> c_int; pub fn SSL_CTX_use_PrivateKey_file(ctx: *mut SSL_CTX, key_file: *const c_char, file_type: c_int) -> c_int; - pub fn X509_STORE_CTX_get_ex_data(ctx: *mut X509_STORE_CTX, idx: c_int) - -> *mut c_void; - pub fn X509_STORE_CTX_get_current_cert(ct: *mut X509_STORE_CTX) -> *mut X509; - pub fn X509_STORE_CTX_get_error(ctx: *mut X509_STORE_CTX) -> c_int; - - pub fn X509_get_subject_name(x: *mut X509) -> *mut X509_NAME; - pub fn X509_digest(x: *mut X509, digest: *const EVP_MD, buf: *mut c_char, len: *mut c_uint) -> c_int; - pub fn SSL_new(ctx: *mut SSL_CTX) -> *mut SSL; pub fn SSL_free(ssl: *mut SSL); - pub fn SSL_set_bio(ssl: *mut SSL, rbio: *mut BIO, wbio: *mut BIO); - pub fn SSL_get_rbio(ssl: *mut SSL) -> *mut BIO; - pub fn SSL_get_wbio(ssl: *mut SSL) -> *mut BIO; + pub fn SSL_set_bio(ssl: *mut SSL, rbio: *mut bio::ffi::BIO, wbio: *mut bio::ffi::BIO); + pub fn SSL_get_rbio(ssl: *mut SSL) -> *mut bio::ffi::BIO; + pub fn SSL_get_wbio(ssl: *mut SSL) -> *mut bio::ffi::BIO; pub fn SSL_connect(ssl: *mut SSL) -> c_int; pub fn SSL_ctrl(ssl: *mut SSL, cmd: c_int, larg: c_long, parg: *mut c_void) -> c_long; @@ -177,12 +108,6 @@ extern "C" { pub fn SSL_get_SSL_CTX(ssl: *mut SSL) -> *mut SSL_CTX; pub fn SSL_get_current_compression(ssl: *mut SSL) -> *const COMP_METHOD; - pub fn BIO_s_mem() -> *const BIO_METHOD; - pub fn BIO_new(type_: *const BIO_METHOD) -> *mut BIO; - pub fn BIO_free_all(a: *mut BIO); - pub fn BIO_read(b: *mut BIO, buf: *mut c_void, len: c_int) -> c_int; - pub fn BIO_write(b: *mut BIO, buf: *const c_void, len: c_int) -> c_int; - pub fn SSL_COMP_get_name(comp: *const COMP_METHOD) -> *const c_char; } diff --git a/src/ssl/mod.rs b/src/ssl/mod.rs index fc775a32..d13972d2 100644 --- a/src/ssl/mod.rs +++ b/src/ssl/mod.rs @@ -1,4 +1,4 @@ -use libc::{c_int, c_uint, c_void, c_char}; +use libc::{c_int, c_void, c_char}; use std::io::{IoResult, IoError, EndOfFile, Stream, Reader, Writer}; use std::mem; use std::ptr; @@ -6,8 +6,9 @@ use std::rt::mutex::NativeMutex; use std::string; use sync::one::{Once, ONCE_INIT}; -use crypto::hash::{HashType, evpmd}; +use bio::{mod, MemBio}; use ssl::error::{SslError, SslSessionClosed, StreamError}; +use x509::{mod, X509StoreContext, X509FileType}; pub mod error; mod ffi; @@ -17,15 +18,6 @@ mod tests; static mut VERIFY_IDX: c_int = -1; static mut MUTEXES: *mut Vec = 0 as *mut Vec; -macro_rules! try_ssl( - ($e:expr) => ( - match $e { - Ok(ok) => ok, - Err(err) => return Err(StreamError(err)) - } - ) -) - fn init() { static mut INIT: Once = ONCE_INIT; @@ -103,16 +95,16 @@ extern fn locking_function(mode: c_int, n: c_int, _file: *const c_char, } } -extern fn raw_verify(preverify_ok: c_int, x509_ctx: *mut ffi::X509_STORE_CTX) +extern fn raw_verify(preverify_ok: c_int, x509_ctx: *mut x509::ffi::X509_STORE_CTX) -> c_int { unsafe { let idx = ffi::SSL_get_ex_data_X509_STORE_CTX_idx(); - let ssl = ffi::X509_STORE_CTX_get_ex_data(x509_ctx, idx); + let ssl = x509::ffi::X509_STORE_CTX_get_ex_data(x509_ctx, idx); let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl); let verify = ffi::SSL_CTX_get_ex_data(ssl_ctx, VERIFY_IDX); let verify: Option = mem::transmute(verify); - let ctx = X509StoreContext { ctx: x509_ctx }; + let ctx = X509StoreContext::new(x509_ctx); match verify { None => preverify_ok, @@ -125,13 +117,6 @@ extern fn raw_verify(preverify_ok: c_int, x509_ctx: *mut ffi::X509_STORE_CTX) pub type VerifyCallback = fn(preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool; -#[repr(i32)] -pub enum X509FileType { - PEM = ffi::X509_FILETYPE_PEM, - ASN1 = ffi::X509_FILETYPE_ASN1, - Default = ffi::X509_FILETYPE_DEFAULT -} - // FIXME: macro may be instead of inlining? #[inline] fn wrap_ssl_result(res: c_int) -> Option { @@ -207,146 +192,22 @@ impl SslContext { } } -pub struct X509StoreContext { - ctx: *mut ffi::X509_STORE_CTX -} - -impl X509StoreContext { - pub fn get_error(&self) -> Option { - let err = unsafe { ffi::X509_STORE_CTX_get_error(self.ctx) }; - X509ValidationError::from_raw(err) - } - - pub fn get_current_cert<'a>(&'a self) -> Option> { - let ptr = unsafe { ffi::X509_STORE_CTX_get_current_cert(self.ctx) }; - - if ptr.is_null() { - None - } else { - Some(X509 { ctx: self, x509: ptr }) - } - } -} - #[allow(dead_code)] -/// A public key certificate -pub struct X509<'ctx> { - ctx: &'ctx X509StoreContext, - x509: *mut ffi::X509 +struct MemBioRef<'ssl> { + ssl: &'ssl Ssl, + bio: MemBio, } -impl<'ctx> X509<'ctx> { - pub fn subject_name<'a>(&'a self) -> X509Name<'a> { - let name = unsafe { ffi::X509_get_subject_name(self.x509) }; - X509Name { x509: self, name: name } +impl<'ssl> MemBioRef<'ssl> { + fn read(&mut self, buf: &mut [u8]) -> Option { + (&mut self.bio as &mut Reader).read(buf).ok() } - /// Returns certificate fingerprint calculated using provided hash - pub fn fingerprint(&self, hash_type: HashType) -> Option> { - let (evp, len) = evpmd(hash_type); - let v: Vec = Vec::from_elem(len, 0); - let act_len: c_uint = 0; - let res = unsafe { - ffi::X509_digest(self.x509, evp, mem::transmute(v.as_ptr()), - mem::transmute(&act_len)) - }; - - match res { - 0 => None, - _ => { - let act_len = act_len as uint; - match len.cmp(&act_len) { - Greater => None, - Equal => Some(v), - Less => fail!("Fingerprint buffer was corrupted!") - } - } - } + fn write(&mut self, buf: &[u8]) { + let _ = (&mut self.bio as &mut Writer).write(buf); } } -#[allow(dead_code)] -pub struct X509Name<'x> { - x509: &'x X509<'x>, - name: *mut ffi::X509_NAME -} - -macro_rules! make_validation_error( - ($ok_val:ident, $($name:ident = $val:ident,)+) => ( - pub enum X509ValidationError { - $($name,)+ - X509UnknownError(c_int) - } - - impl X509ValidationError { - #[doc(hidden)] - pub fn from_raw(err: c_int) -> Option { - match err { - self::ffi::$ok_val => None, - $(self::ffi::$val => Some($name),)+ - err => Some(X509UnknownError(err)) - } - } - } - ) -) - -make_validation_error!(X509_V_OK, - X509UnableToGetIssuerCert = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, - X509UnableToGetCrl = X509_V_ERR_UNABLE_TO_GET_CRL, - X509UnableToDecryptCertSignature = X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, - X509UnableToDecryptCrlSignature = X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, - X509UnableToDecodeIssuerPublicKey = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, - X509CertSignatureFailure = X509_V_ERR_CERT_SIGNATURE_FAILURE, - X509CrlSignatureFailure = X509_V_ERR_CRL_SIGNATURE_FAILURE, - X509CertNotYetValid = X509_V_ERR_CERT_NOT_YET_VALID, - X509CertHasExpired = X509_V_ERR_CERT_HAS_EXPIRED, - X509CrlNotYetValid = X509_V_ERR_CRL_NOT_YET_VALID, - X509CrlHasExpired = X509_V_ERR_CRL_HAS_EXPIRED, - X509ErrorInCertNotBeforeField = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, - X509ErrorInCertNotAfterField = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, - X509ErrorInCrlLastUpdateField = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, - X509ErrorInCrlNextUpdateField = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, - X509OutOfMem = X509_V_ERR_OUT_OF_MEM, - X509DepthZeroSelfSignedCert = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, - X509SelfSignedCertInChain = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, - X509UnableToGetIssuerCertLocally = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, - X509UnableToVerifyLeafSignature = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, - X509CertChainTooLong = X509_V_ERR_CERT_CHAIN_TOO_LONG, - X509CertRevoked = X509_V_ERR_CERT_REVOKED, - X509InvalidCA = X509_V_ERR_INVALID_CA, - X509PathLengthExceeded = X509_V_ERR_PATH_LENGTH_EXCEEDED, - X509InvalidPurpose = X509_V_ERR_INVALID_PURPOSE, - X509CertUntrusted = X509_V_ERR_CERT_UNTRUSTED, - X509CertRejected = X509_V_ERR_CERT_REJECTED, - X509SubjectIssuerMismatch = X509_V_ERR_SUBJECT_ISSUER_MISMATCH, - X509AkidSkidMismatch = X509_V_ERR_AKID_SKID_MISMATCH, - X509AkidIssuerSerialMismatch = X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH, - X509KeyusageNoCertsign = X509_V_ERR_KEYUSAGE_NO_CERTSIGN, - X509UnableToGetCrlIssuer = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, - X509UnhandledCriticalExtension = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION, - X509KeyusageNoCrlSign = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN, - X509UnhandledCriticalCrlExtension = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION, - X509InvalidNonCA = X509_V_ERR_INVALID_NON_CA, - X509ProxyPathLengthExceeded = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED, - X509KeyusageNoDigitalSignature = X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE, - X509ProxyCertificatesNotAllowed = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED, - X509InvalidExtension = X509_V_ERR_INVALID_EXTENSION, - X509InavlidPolicyExtension = X509_V_ERR_INVALID_POLICY_EXTENSION, - X509NoExplicitPolicy = X509_V_ERR_NO_EXPLICIT_POLICY, - X509DifferentCrlScope = X509_V_ERR_DIFFERENT_CRL_SCOPE, - X509UnsupportedExtensionFeature = X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE, - X509UnnestedResource = X509_V_ERR_UNNESTED_RESOURCE, - X509PermittedVolation = X509_V_ERR_PERMITTED_VIOLATION, - X509ExcludedViolation = X509_V_ERR_EXCLUDED_VIOLATION, - X509SubtreeMinmax = X509_V_ERR_SUBTREE_MINMAX, - X509UnsupportedConstraintType = X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE, - X509UnsupportedConstraintSyntax = X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX, - X509UnsupportedNameSyntax = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, - X509CrlPathValidationError= X509_V_ERR_CRL_PATH_VALIDATION_ERROR, - X509ApplicationVerification = X509_V_ERR_APPLICATION_VERIFICATION, -) - pub struct Ssl { ssl: *mut ffi::SSL } @@ -365,18 +226,10 @@ impl Ssl { } let ssl = Ssl { ssl: ssl }; - let rbio = unsafe { ffi::BIO_new(ffi::BIO_s_mem()) }; - if rbio == ptr::null_mut() { - return Err(SslError::get()); - } + let rbio = try!(MemBio::new()); + let wbio = try!(MemBio::new()); - let wbio = unsafe { ffi::BIO_new(ffi::BIO_s_mem()) }; - if wbio == ptr::null_mut() { - unsafe { ffi::BIO_free_all(rbio) } - return Err(SslError::get()); - } - - unsafe { ffi::SSL_set_bio(ssl.ssl, rbio, wbio) } + unsafe { ffi::SSL_set_bio(ssl.ssl, rbio.unwrap(), wbio.unwrap()) } Ok(ssl) } @@ -388,14 +241,11 @@ impl Ssl { unsafe { self.wrap_bio(ffi::SSL_get_wbio(self.ssl)) } } - fn wrap_bio<'a>(&'a self, bio: *mut ffi::BIO) -> MemBioRef<'a> { + fn wrap_bio<'a>(&'a self, bio: *mut bio::ffi::BIO) -> MemBioRef<'a> { assert!(bio != ptr::mut_null()); MemBioRef { ssl: self, - bio: MemBio { - bio: bio, - owned: false - } + bio: MemBio::borrowed(bio) } } @@ -459,60 +309,6 @@ enum LibSslError { ErrorWantAccept = ffi::SSL_ERROR_WANT_ACCEPT, } -#[allow(dead_code)] -struct MemBioRef<'ssl> { - ssl: &'ssl Ssl, - bio: MemBio, -} - -impl<'ssl> MemBioRef<'ssl> { - fn read(&self, buf: &mut [u8]) -> Option { - self.bio.read(buf) - } - - fn write(&self, buf: &[u8]) { - self.bio.write(buf) - } -} - -struct MemBio { - bio: *mut ffi::BIO, - owned: bool -} - -impl Drop for MemBio { - fn drop(&mut self) { - if self.owned { - unsafe { - ffi::BIO_free_all(self.bio); - } - } - } -} - -impl MemBio { - fn read(&self, buf: &mut [u8]) -> Option { - let ret = unsafe { - ffi::BIO_read(self.bio, buf.as_ptr() as *mut c_void, - buf.len() as c_int) - }; - - if ret < 0 { - None - } else { - Some(ret as uint) - } - } - - fn write(&self, buf: &[u8]) { - let ret = unsafe { - ffi::BIO_write(self.bio, buf.as_ptr() as *const c_void, - buf.len() as c_int) - }; - assert_eq!(buf.len(), ret as uint); - } -} - /// A stream wrapper which handles SSL encryption for an underlying stream. pub struct SslStream { stream: S, @@ -556,11 +352,11 @@ impl SslStream { match self.ssl.get_error(ret) { ErrorWantRead => { - try_ssl!(self.flush()); - let len = try_ssl!(self.stream.read(self.buf.as_mut_slice())); + try_ssl_stream!(self.flush()); + let len = try_ssl_stream!(self.stream.read(self.buf.as_mut_slice())); self.ssl.get_rbio().write(self.buf.slice_to(len)); } - ErrorWantWrite => { try_ssl!(self.flush()) } + ErrorWantWrite => { try_ssl_stream!(self.flush()) } ErrorZeroReturn => return Err(SslSessionClosed), ErrorSsl => return Err(SslError::get()), _ => unreachable!() diff --git a/src/ssl/tests.rs b/src/ssl/tests.rs index 99241719..82effee0 100644 --- a/src/ssl/tests.rs +++ b/src/ssl/tests.rs @@ -2,7 +2,9 @@ use std::io::Writer; use std::io::net::tcp::TcpStream; use std::str; -use ssl::{Sslv23, SslContext, SslStream, SslVerifyPeer, X509StoreContext}; +use crypto::hash::{SHA256}; +use ssl::{Sslv23, SslContext, SslStream, SslVerifyPeer}; +use x509::{X509Generator, X509, DigitalSignature, KeyEncipherment, ClientAuth, ServerAuth, X509StoreContext}; #[test] fn test_new_ctx() { @@ -158,3 +160,19 @@ fn test_read() { let buf = stream.read_to_end().ok().expect("read error"); print!("{}", str::from_utf8(buf.as_slice())); } + +#[test] +fn test_cert_gen() { + let gen = X509Generator::new() + .set_bitlength(2048) + .set_valid_period(365*2) + .set_CN("test_me") + .set_sign_hash(SHA256) + .set_usage([DigitalSignature, KeyEncipherment]) + .set_ext_usage([ClientAuth, ServerAuth]); + + let res = gen.generate(); + assert!(res.is_ok()); + // FIXME: check data in result to be correct, needs implementation + // of X509 getters +} diff --git a/src/x509/mod.rs b/src/x509/mod.rs new file mode 100755 index 00000000..06ae4b27 --- /dev/null +++ b/src/x509/mod.rs @@ -0,0 +1,517 @@ +use libc::{c_int, c_long, c_uint}; +use std::mem; +use std::ptr; + +use asn1; +use bio::{MemBio}; +use crypto::hash::{HashType, evpmd, SHA1}; +use crypto::pkey::{PKey}; +use crypto::rand::rand_bytes; +use ssl::error::{SslError, StreamError}; + + +#[repr(i32)] +pub enum X509FileType { + PEM = ffi::X509_FILETYPE_PEM, + ASN1 = ffi::X509_FILETYPE_ASN1, + Default = ffi::X509_FILETYPE_DEFAULT +} +pub struct X509StoreContext { + ctx: *mut ffi::X509_STORE_CTX +} + +impl X509StoreContext { + pub fn new(ctx: *mut ffi::X509_STORE_CTX) -> X509StoreContext { + X509StoreContext { + ctx: ctx + } + } + + pub fn get_error(&self) -> Option { + let err = unsafe { ffi::X509_STORE_CTX_get_error(self.ctx) }; + X509ValidationError::from_raw(err) + } + + pub fn get_current_cert<'a>(&'a self) -> Option> { + let ptr = unsafe { ffi::X509_STORE_CTX_get_current_cert(self.ctx) }; + + if ptr.is_null() { + None + } else { + Some(X509 { ctx: Some(self), x509: ptr }) + } + } +} + +trait AsStr<'a> { + fn as_str(&self) -> &'a str; +} + +#[deriving(Clone)] +pub enum KeyUsage { + DigitalSignature, + NonRepudiation, + KeyEncipherment, + DataEncipherment, + KeyAgreement, + KeyCertSign, + CRLSign, + EncipherOnly, + DecipherOnly +} + +impl AsStr<'static> for KeyUsage { + fn as_str(&self) -> &'static str { + match self { + &DigitalSignature => "digitalSignature", + &NonRepudiation => "nonRepudiation", + &KeyEncipherment => "keyEncipherment", + &DataEncipherment => "dataEncipherment", + &KeyAgreement => "keyAgreement", + &KeyCertSign => "keyCertSign", + &CRLSign => "cRLSign", + &EncipherOnly => "encipherOnly", + &DecipherOnly => "decipherOnly" + } + } +} + + +#[deriving(Clone)] +pub enum ExtKeyUsage { + ServerAuth, + ClientAuth, + CodeSigning, + EmailProtection, + TimeStamping, + MsCodeInd, + MsCodeCom, + MsCtlSign, + MsSgc, + MsEfs, + NsSgc +} + +impl AsStr<'static> for ExtKeyUsage { + fn as_str(&self) -> &'static str { + match self { + &ServerAuth => "serverAuth", + &ClientAuth => "clientAuth", + &CodeSigning => "codeSigning", + &EmailProtection => "emailProtection", + &TimeStamping => "timeStamping", + &MsCodeInd => "msCodeInd", + &MsCodeCom => "msCodeCom", + &MsCtlSign => "msCTLSign", + &MsSgc => "msSGC", + &MsEfs => "msEFS", + &NsSgc =>"nsSGC" + } + } +} + + +// FIXME: a dirty hack as there is no way to +// implement ToString for Vec as both are defined +// in another crate +trait ToStr { + fn to_str(&self) -> String; +} + +impl<'a, T: AsStr<'a>> ToStr for Vec { + fn to_str(&self) -> String { + self.iter().enumerate().fold(String::new(), |mut acc, (idx, v)| { + if idx > 0 { acc.push_char(',') }; + acc.push_str(v.as_str()); + acc + }) + } +} + +#[allow(non_snake_case)] +pub struct X509Generator { + bits: uint, + days: uint, + CN: String, + key_usage: Vec, + ext_key_usage: Vec, + hash_type: HashType, +} + +impl X509Generator { + pub fn new() -> X509Generator { + X509Generator { + bits: 1024, + days: 365, + CN: "rust-openssl".to_string(), + key_usage: Vec::new(), + ext_key_usage: Vec::new(), + hash_type: SHA1 + } + } + + pub fn set_bitlength(mut self, bits: uint) -> X509Generator { + self.bits = bits; + self + } + + pub fn set_valid_period(mut self, days: uint) -> X509Generator { + self.days = days; + self + } + + #[allow(non_snake_case)] + pub fn set_CN(mut self, CN: &str) -> X509Generator { + self.CN = CN.to_string(); + self + } + + pub fn set_usage(mut self, purposes: &[KeyUsage]) -> X509Generator { + self.key_usage = purposes.to_vec(); + self + } + + pub fn set_ext_usage(mut self, purposes: &[ExtKeyUsage]) -> X509Generator { + self.ext_key_usage = purposes.to_vec(); + self + } + + pub fn set_sign_hash(mut self, hash_type: HashType) -> X509Generator { + self.hash_type = hash_type; + self + } + + fn add_extension(x509: *mut ffi::X509, extension: c_int, value: &str) -> Result<(), SslError> { + unsafe { + // FIXME: RAII + let ctx: ffi::X509V3_CTX = mem::zeroed(); + ffi::X509V3_set_ctx(mem::transmute(&ctx), x509, x509, + ptr::null_mut(), ptr::null_mut(), 0); + let ext = value.with_c_str(|value| + ffi::X509V3_EXT_conf_nid(ptr::null_mut(), mem::transmute(&ctx), extension, mem::transmute(value))); + try_ssl_null!(ext); + try_ssl!(ffi::X509_add_ext(x509, ext, -1)); + ffi::X509_EXTENSION_free(ext); + Ok(()) + } + } + + fn add_name(name: *mut ffi::X509_NAME, key: &str, value: &str) -> Result<(), SslError> { + let value_len = value.len() as c_int; + lift_ssl!(key.with_c_str(|key| { + value.with_c_str(|value| unsafe { + ffi::X509_NAME_add_entry_by_txt(name, key, asn1::ffi::MBSTRING_UTF8, + value, value_len, -1, 0) + }) + })) + } + + fn random_serial() -> c_long { + let len = mem::size_of::(); + let bytes = rand_bytes(len); + let mut res = 0; + for b in bytes.iter() { + res = res << 8; + res |= (*b as c_long) & 0xff; + } + res + } + + pub fn generate<'a>(&self) -> Result<(X509<'a>, PKey), SslError> { + let mut p_key = PKey::new(); + p_key.gen(self.bits); + + // FIXME: all allocated resources should be correctly + // dropped in case of failure + unsafe { + let x509 = ffi::X509_new(); + try_ssl_null!(x509); + try_ssl!(ffi::X509_set_version(x509, 2)); + try_ssl!(asn1::ffi::ASN1_INTEGER_set(ffi::X509_get_serialNumber(x509), X509Generator::random_serial())); + + let not_before = ffi::X509_gmtime_adj(ptr::null_mut(), 0); + try_ssl_null!(not_before); + + let not_after = ffi::X509_gmtime_adj(ptr::null_mut(), 60*60*24*self.days as i64); + try_ssl_null!(not_after); + + try_ssl!(ffi::X509_set_notBefore(x509, mem::transmute(not_before))); + try_ssl!(ffi::X509_set_notAfter(x509, mem::transmute(not_after))); + + try_ssl!(ffi::X509_set_pubkey(x509, p_key.get_handle())); + + let name = ffi::X509_get_subject_name(x509); + try_ssl_null!(name); + + try!(X509Generator::add_name(name, "CN", self.CN.as_slice())); + ffi::X509_set_issuer_name(x509, name); + + if self.key_usage.len() > 0 { + try!(X509Generator::add_extension(x509, ffi::NID_key_usage, + self.key_usage.to_str().as_slice())); + } + + if self.ext_key_usage.len() > 0 { + try!(X509Generator::add_extension(x509, ffi::NID_ext_key_usage, + self.ext_key_usage.to_str().as_slice())); + } + + let (hash_fn, _) = evpmd(self.hash_type); + try_ssl!(ffi::X509_sign(x509, p_key.get_handle(), hash_fn)); + Ok((X509 { x509: x509, ctx: None }, p_key)) + } + } +} + +#[allow(dead_code)] +/// A public key certificate +pub struct X509<'ctx> { + ctx: Option<&'ctx X509StoreContext>, + x509: *mut ffi::X509 +} + +impl<'ctx> X509<'ctx> { + pub fn subject_name<'a>(&'a self) -> X509Name<'a> { + let name = unsafe { ffi::X509_get_subject_name(self.x509) }; + X509Name { x509: self, name: name } + } + + /// Returns certificate fingerprint calculated using provided hash + pub fn fingerprint(&self, hash_type: HashType) -> Option> { + let (evp, len) = evpmd(hash_type); + let v: Vec = Vec::from_elem(len, 0); + let act_len: c_uint = 0; + let res = unsafe { + ffi::X509_digest(self.x509, evp, mem::transmute(v.as_ptr()), + mem::transmute(&act_len)) + }; + + match res { + 0 => None, + _ => { + let act_len = act_len as uint; + match len.cmp(&act_len) { + Greater => None, + Equal => Some(v), + Less => fail!("Fingerprint buffer was corrupted!") + } + } + } + } + + /// Writes certificate as PEM + pub fn write_pem(&self, writer: &mut Writer) -> Result<(), SslError> { + let mut mem_bio = try!(MemBio::new()); + unsafe { + try_ssl!(ffi::PEM_write_bio_X509(mem_bio.get_handle(), + self.x509)); + } + let buf = try!(mem_bio.read_to_end().map_err(StreamError)); + writer.write(buf.as_slice()).map_err(StreamError) + } +} + +#[allow(dead_code)] +pub struct X509Name<'x> { + x509: &'x X509<'x>, + name: *mut ffi::X509_NAME +} + + +pub mod ffi { + #![allow(non_camel_case_types)] + use libc::{c_void, c_int, c_char, c_ulong, c_long, c_uint}; + + use asn1::ffi::{ASN1_INTEGER, ASN1_TIME}; + use bio::ffi::{BIO}; + use crypto::hash::{EVP_MD}; + use crypto::pkey::{EVP_PKEY}; + + pub type X509_STORE_CTX = c_void; + pub type X509 = c_void; + pub type X509_NAME = c_void; + pub type X509_CRL = c_void; + pub type X509_REQ = c_void; + pub type X509_EXTENSION = c_void; + + #[repr(C)] + pub struct X509V3_CTX { + flags: c_int, + issuer_cert: *mut c_void, + subject_cert: *mut c_void, + subject_req: *mut c_void, + crl: *mut c_void, + db_meth: *mut c_void, + db: *mut c_void, + // I like the last comment line, it is copied from OpenSSL sources: + // Maybe more here + } + + pub static X509_V_OK: c_int = 0; + pub static X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: c_int = 2; + pub static X509_V_ERR_UNABLE_TO_GET_CRL: c_int = 3; + pub static X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: c_int = 4; + pub static X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: c_int = 5; + pub static X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: c_int = 6; + pub static X509_V_ERR_CERT_SIGNATURE_FAILURE: c_int = 7; + pub static X509_V_ERR_CRL_SIGNATURE_FAILURE: c_int = 8; + pub static X509_V_ERR_CERT_NOT_YET_VALID: c_int = 9; + pub static X509_V_ERR_CERT_HAS_EXPIRED: c_int = 10; + pub static X509_V_ERR_CRL_NOT_YET_VALID: c_int = 11; + pub static X509_V_ERR_CRL_HAS_EXPIRED: c_int = 12; + pub static X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: c_int = 13; + pub static X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: c_int = 14; + pub static X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: c_int = 15; + pub static X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: c_int = 16; + pub static X509_V_ERR_OUT_OF_MEM: c_int = 17; + pub static X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: c_int = 18; + pub static X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: c_int = 19; + pub static X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: c_int = 20; + pub static X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: c_int = 21; + pub static X509_V_ERR_CERT_CHAIN_TOO_LONG: c_int = 22; + pub static X509_V_ERR_CERT_REVOKED: c_int = 23; + pub static X509_V_ERR_INVALID_CA: c_int = 24; + pub static X509_V_ERR_PATH_LENGTH_EXCEEDED: c_int = 25; + pub static X509_V_ERR_INVALID_PURPOSE: c_int = 26; + pub static X509_V_ERR_CERT_UNTRUSTED: c_int = 27; + pub static X509_V_ERR_CERT_REJECTED: c_int = 28; + pub static X509_V_ERR_SUBJECT_ISSUER_MISMATCH: c_int = 29; + pub static X509_V_ERR_AKID_SKID_MISMATCH: c_int = 30; + pub static X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: c_int = 31; + pub static X509_V_ERR_KEYUSAGE_NO_CERTSIGN: c_int = 32; + pub static X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: c_int = 33; + pub static X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: c_int = 34; + pub static X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: c_int = 35; + pub static X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: c_int = 36; + pub static X509_V_ERR_INVALID_NON_CA: c_int = 37; + pub static X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: c_int = 38; + pub static X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: c_int = 39; + pub static X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: c_int = 40; + pub static X509_V_ERR_INVALID_EXTENSION: c_int = 41; + pub static X509_V_ERR_INVALID_POLICY_EXTENSION: c_int = 42; + pub static X509_V_ERR_NO_EXPLICIT_POLICY: c_int = 43; + pub static X509_V_ERR_DIFFERENT_CRL_SCOPE: c_int = 44; + pub static X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: c_int = 45; + pub static X509_V_ERR_UNNESTED_RESOURCE: c_int = 46; + pub static X509_V_ERR_PERMITTED_VIOLATION: c_int = 47; + pub static X509_V_ERR_EXCLUDED_VIOLATION: c_int = 48; + pub static X509_V_ERR_SUBTREE_MINMAX: c_int = 49; + pub static X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: c_int = 51; + pub static X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: c_int = 52; + pub static X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: c_int = 53; + pub static X509_V_ERR_CRL_PATH_VALIDATION_ERROR: c_int = 54; + pub static X509_V_ERR_APPLICATION_VERIFICATION: c_int = 50; + + pub static X509_FILETYPE_PEM: c_int = 1; + pub static X509_FILETYPE_ASN1: c_int = 2; + pub static X509_FILETYPE_DEFAULT: c_int = 3; + + pub static NID_key_usage: c_int = 83; + pub static NID_ext_key_usage: c_int = 126; + + + + extern "C" { + pub fn X509_STORE_CTX_get_ex_data(ctx: *mut X509_STORE_CTX, idx: c_int) -> *mut c_void; + pub fn X509_STORE_CTX_get_current_cert(ct: *mut X509_STORE_CTX) -> *mut X509; + pub fn X509_STORE_CTX_get_error(ctx: *mut X509_STORE_CTX) -> c_int; + + pub fn X509_add_ext(x: *mut X509, ext: *mut X509_EXTENSION, loc: c_int) -> c_int; + pub fn X509_digest(x: *mut X509, digest: *const EVP_MD, buf: *mut c_char, len: *mut c_uint) -> c_int; + pub fn X509_get_serialNumber(x: *mut X509) -> *mut ASN1_INTEGER; + pub fn X509_get_subject_name(x: *mut X509) -> *mut X509_NAME; + pub fn X509_gmtime_adj(time: *mut ASN1_TIME, adj: c_long) -> *mut ASN1_TIME; + pub fn X509_new() -> *mut X509; + pub fn X509_set_issuer_name(x: *mut X509, name: *mut X509_NAME) -> c_int; + pub fn X509_set_notAfter(x: *mut X509, tm: *const ASN1_TIME) -> c_int; + pub fn X509_set_notBefore(x: *mut X509, tm: *const ASN1_TIME) -> c_int; + pub fn X509_set_version(x: *mut X509, version: c_ulong) -> c_int; + pub fn X509_set_pubkey(x: *mut X509, pkey: *mut EVP_PKEY) -> c_int; + pub fn X509_sign(x: *mut X509, pkey: *mut EVP_PKEY, md: *const EVP_MD) -> c_int; + + pub fn X509_NAME_add_entry_by_txt(x: *mut X509, field: *const c_char, ty: c_int, bytes: *const c_char, len: c_int, loc: c_int, set: c_int) -> c_int; + + pub fn X509V3_EXT_conf_nid(conf: *mut c_void, ctx: *mut X509V3_CTX, ext_nid: c_int, value: *mut c_char) -> *mut X509_EXTENSION; + pub fn X509V3_set_ctx(ctx: *mut X509V3_CTX, issuer: *mut X509, subject: *mut X509, req: *mut X509_REQ, crl: *mut X509_CRL, flags: c_int); + + pub fn X509_EXTENSION_free(ext: *mut X509_EXTENSION); + + pub fn PEM_write_bio_X509(bio: *mut BIO, x509: *mut X509) -> c_int; + } +} + +macro_rules! make_validation_error( + ($ok_val:ident, $($name:ident = $val:ident,)+) => ( + pub enum X509ValidationError { + $($name,)+ + X509UnknownError(c_int) + } + + impl X509ValidationError { + #[doc(hidden)] + pub fn from_raw(err: c_int) -> Option { + match err { + self::ffi::$ok_val => None, + $(self::ffi::$val => Some($name),)+ + err => Some(X509UnknownError(err)) + } + } + } + ) +) + +make_validation_error!(X509_V_OK, + X509UnableToGetIssuerCert = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, + X509UnableToGetCrl = X509_V_ERR_UNABLE_TO_GET_CRL, + X509UnableToDecryptCertSignature = X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, + X509UnableToDecryptCrlSignature = X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, + X509UnableToDecodeIssuerPublicKey = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, + X509CertSignatureFailure = X509_V_ERR_CERT_SIGNATURE_FAILURE, + X509CrlSignatureFailure = X509_V_ERR_CRL_SIGNATURE_FAILURE, + X509CertNotYetValid = X509_V_ERR_CERT_NOT_YET_VALID, + X509CertHasExpired = X509_V_ERR_CERT_HAS_EXPIRED, + X509CrlNotYetValid = X509_V_ERR_CRL_NOT_YET_VALID, + X509CrlHasExpired = X509_V_ERR_CRL_HAS_EXPIRED, + X509ErrorInCertNotBeforeField = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, + X509ErrorInCertNotAfterField = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, + X509ErrorInCrlLastUpdateField = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, + X509ErrorInCrlNextUpdateField = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, + X509OutOfMem = X509_V_ERR_OUT_OF_MEM, + X509DepthZeroSelfSignedCert = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, + X509SelfSignedCertInChain = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, + X509UnableToGetIssuerCertLocally = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, + X509UnableToVerifyLeafSignature = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, + X509CertChainTooLong = X509_V_ERR_CERT_CHAIN_TOO_LONG, + X509CertRevoked = X509_V_ERR_CERT_REVOKED, + X509InvalidCA = X509_V_ERR_INVALID_CA, + X509PathLengthExceeded = X509_V_ERR_PATH_LENGTH_EXCEEDED, + X509InvalidPurpose = X509_V_ERR_INVALID_PURPOSE, + X509CertUntrusted = X509_V_ERR_CERT_UNTRUSTED, + X509CertRejected = X509_V_ERR_CERT_REJECTED, + X509SubjectIssuerMismatch = X509_V_ERR_SUBJECT_ISSUER_MISMATCH, + X509AkidSkidMismatch = X509_V_ERR_AKID_SKID_MISMATCH, + X509AkidIssuerSerialMismatch = X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH, + X509KeyusageNoCertsign = X509_V_ERR_KEYUSAGE_NO_CERTSIGN, + X509UnableToGetCrlIssuer = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, + X509UnhandledCriticalExtension = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION, + X509KeyusageNoCrlSign = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN, + X509UnhandledCriticalCrlExtension = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION, + X509InvalidNonCA = X509_V_ERR_INVALID_NON_CA, + X509ProxyPathLengthExceeded = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED, + X509KeyusageNoDigitalSignature = X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE, + X509ProxyCertificatesNotAllowed = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED, + X509InvalidExtension = X509_V_ERR_INVALID_EXTENSION, + X509InavlidPolicyExtension = X509_V_ERR_INVALID_POLICY_EXTENSION, + X509NoExplicitPolicy = X509_V_ERR_NO_EXPLICIT_POLICY, + X509DifferentCrlScope = X509_V_ERR_DIFFERENT_CRL_SCOPE, + X509UnsupportedExtensionFeature = X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE, + X509UnnestedResource = X509_V_ERR_UNNESTED_RESOURCE, + X509PermittedVolation = X509_V_ERR_PERMITTED_VIOLATION, + X509ExcludedViolation = X509_V_ERR_EXCLUDED_VIOLATION, + X509SubtreeMinmax = X509_V_ERR_SUBTREE_MINMAX, + X509UnsupportedConstraintType = X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE, + X509UnsupportedConstraintSyntax = X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX, + X509UnsupportedNameSyntax = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, + X509CrlPathValidationError= X509_V_ERR_CRL_PATH_VALIDATION_ERROR, + X509ApplicationVerification = X509_V_ERR_APPLICATION_VERIFICATION, +)