add pkcs12_create and to_der funcs
This commit is contained in:
Benjamin Fry
parent
a1122197f8
commit
52c7868bb6
|
|
@ -1951,7 +1951,19 @@ extern {
|
||||||
pub fn i2d_RSAPrivateKey(k: *const RSA, buf: *mut *mut u8) -> c_int;
|
pub fn i2d_RSAPrivateKey(k: *const RSA, buf: *mut *mut u8) -> c_int;
|
||||||
pub fn d2i_RSAPrivateKey(k: *mut *mut RSA, buf: *mut *const u8, len: c_long) -> *mut RSA;
|
pub fn d2i_RSAPrivateKey(k: *mut *mut RSA, buf: *mut *const u8, len: c_long) -> *mut RSA;
|
||||||
|
|
||||||
|
pub fn i2d_PKCS12_bio(b: *mut BIO, a: *mut PKCS12) -> c_int;
|
||||||
|
pub fn i2d_PKCS12(a: *mut PKCS12, buf: *mut *mut u8) -> c_int;
|
||||||
pub fn d2i_PKCS12(a: *mut *mut PKCS12, pp: *mut *const u8, length: c_long) -> *mut PKCS12;
|
pub fn d2i_PKCS12(a: *mut *mut PKCS12, pp: *mut *const u8, length: c_long) -> *mut PKCS12;
|
||||||
|
pub fn PKCS12_create(pass: *const c_char,
|
||||||
|
friendly_name: *const c_char,
|
||||||
|
pkey: *const EVP_PKEY,
|
||||||
|
cert: *const X509,
|
||||||
|
ca: *const stack_st_X509,
|
||||||
|
nid_key: c_int,
|
||||||
|
nid_cert: c_int,
|
||||||
|
iter: c_int,
|
||||||
|
mac_iter: c_int,
|
||||||
|
keytype: c_int) -> *mut PKCS12;
|
||||||
pub fn PKCS12_parse(p12: *mut PKCS12,
|
pub fn PKCS12_parse(p12: *mut PKCS12,
|
||||||
pass: *const c_char,
|
pass: *const c_char,
|
||||||
pkey: *mut *mut EVP_PKEY,
|
pkey: *mut *mut EVP_PKEY,
|
||||||
|
|
|
||||||
|
|
@ -1,19 +1,23 @@
|
||||||
//! PKCS #12 archives.
|
//! PKCS #12 archives.
|
||||||
|
|
||||||
use ffi;
|
use ffi;
|
||||||
|
use libc::c_int;
|
||||||
use std::ptr;
|
use std::ptr;
|
||||||
use std::ffi::CString;
|
use std::ffi::CString;
|
||||||
|
|
||||||
use cvt;
|
use cvt;
|
||||||
use pkey::PKey;
|
use pkey::{PKey, PKeyRef};
|
||||||
use error::ErrorStack;
|
use error::ErrorStack;
|
||||||
use x509::X509;
|
use x509::X509;
|
||||||
use types::{OpenSslType, OpenSslTypeRef};
|
use types::{OpenSslType, OpenSslTypeRef};
|
||||||
use stack::Stack;
|
use stack::{Stack, StackRef};
|
||||||
|
use nid;
|
||||||
|
|
||||||
type_!(Pkcs12, Pkcs12Ref, ffi::PKCS12, ffi::PKCS12_free);
|
type_!(Pkcs12, Pkcs12Ref, ffi::PKCS12, ffi::PKCS12_free);
|
||||||
|
|
||||||
impl Pkcs12Ref {
|
impl Pkcs12Ref {
|
||||||
|
to_der!(ffi::i2d_PKCS12);
|
||||||
|
|
||||||
/// Extracts the contents of the `Pkcs12`.
|
/// Extracts the contents of the `Pkcs12`.
|
||||||
// FIXME should take an &[u8]
|
// FIXME should take an &[u8]
|
||||||
pub fn parse(&self, pass: &str) -> Result<ParsedPkcs12, ErrorStack> {
|
pub fn parse(&self, pass: &str) -> Result<ParsedPkcs12, ErrorStack> {
|
||||||
|
|
@ -53,11 +57,107 @@ pub struct ParsedPkcs12 {
|
||||||
pub chain: Stack<X509>,
|
pub chain: Stack<X509>,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub struct Pkcs12Builder<'a, 'b, 'c, 'd> {
|
||||||
|
password: &'a str,
|
||||||
|
friendly_name: &'b str,
|
||||||
|
pkey: &'c PKeyRef,
|
||||||
|
cert: &'d X509,
|
||||||
|
chain: Option<StackRef<X509>>,
|
||||||
|
nid_key: nid::Nid,
|
||||||
|
nid_cert: nid::Nid,
|
||||||
|
iter: usize,
|
||||||
|
mac_iter: usize,
|
||||||
|
}
|
||||||
|
|
||||||
|
impl<'a, 'b, 'c, 'd> Pkcs12Builder<'a, 'b, 'c, 'd> {
|
||||||
|
/// Creates a new builder for a protected pkcs12 certificate.
|
||||||
|
///
|
||||||
|
/// This uses the defaults from the OpenSSL library:
|
||||||
|
///
|
||||||
|
/// * `nid_key` - `nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC`
|
||||||
|
/// * `nid_cert` - `nid::PBE_WITHSHA1AND40BITRC2_CBC`
|
||||||
|
/// * `iter` - `2048`
|
||||||
|
/// * `mac_iter` - `2048`
|
||||||
|
pub fn new(password: &'a str,
|
||||||
|
friendly_name: &'b str,
|
||||||
|
pkey: &'c PKeyRef,
|
||||||
|
cert: &'d X509) -> Self {
|
||||||
|
Pkcs12Builder {
|
||||||
|
password: password,
|
||||||
|
friendly_name: friendly_name,
|
||||||
|
pkey: pkey,
|
||||||
|
cert: cert,
|
||||||
|
chain: None,
|
||||||
|
nid_key: nid::UNDEF, //nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC,
|
||||||
|
nid_cert: nid::UNDEF, //nid::PBE_WITHSHA1AND40BITRC2_CBC,
|
||||||
|
iter: 0, // 2048
|
||||||
|
mac_iter: 0, // 2048
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/// The encryption algorithm that should be used for the key
|
||||||
|
pub fn nid_key(&mut self, nid: nid::Nid) {
|
||||||
|
self.nid_key = nid;
|
||||||
|
}
|
||||||
|
|
||||||
|
/// The encryption algorithm that should be used for the cert
|
||||||
|
pub fn nid_cert(&mut self, nid: nid::Nid) {
|
||||||
|
self.nid_cert = nid;
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn iter(&mut self, iter: usize) {
|
||||||
|
self.iter = iter;
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn mac_iter(&mut self, mac_iter: usize) {
|
||||||
|
self.mac_iter = mac_iter;
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn build(self) -> Result<Pkcs12, ErrorStack> {
|
||||||
|
unsafe {
|
||||||
|
let pass = CString::new(self.password).unwrap();
|
||||||
|
let friendly_name = CString::new(self.friendly_name).unwrap();
|
||||||
|
let pkey = self.pkey.as_ptr();
|
||||||
|
let cert = self.cert.as_ptr();
|
||||||
|
let ca = self.chain.map(|ca| ca.as_ptr()).unwrap_or(ptr::null_mut());
|
||||||
|
let nid_key = self.nid_key.as_raw();
|
||||||
|
let nid_cert = self.nid_cert.as_raw();
|
||||||
|
|
||||||
|
// According to the OpenSSL docs, keytype is a non-standard extension for MSIE,
|
||||||
|
// It's values are KEY_SIG or KEY_EX, see the OpenSSL docs for more information:
|
||||||
|
// https://www.openssl.org/docs/man1.0.2/crypto/PKCS12_create.html
|
||||||
|
let keytype = 0;
|
||||||
|
|
||||||
|
let pkcs12_ptr = ffi::PKCS12_create(pass.as_ptr(),
|
||||||
|
friendly_name.as_ptr(),
|
||||||
|
pkey,
|
||||||
|
cert,
|
||||||
|
ca,
|
||||||
|
nid_key,
|
||||||
|
nid_cert,
|
||||||
|
self.iter as c_int,
|
||||||
|
self.mac_iter as c_int,
|
||||||
|
keytype);
|
||||||
|
|
||||||
|
if pkcs12_ptr.is_null() {
|
||||||
|
Err(ErrorStack::get())
|
||||||
|
} else {
|
||||||
|
Ok(Pkcs12::from_ptr(pkcs12_ptr))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#[cfg(test)]
|
#[cfg(test)]
|
||||||
mod test {
|
mod test {
|
||||||
use hash::MessageDigest;
|
use hash::MessageDigest;
|
||||||
use hex::ToHex;
|
use hex::ToHex;
|
||||||
|
|
||||||
|
use ::rsa::Rsa;
|
||||||
|
use ::pkey::*;
|
||||||
|
use ::x509::*;
|
||||||
|
use ::x509::extension::*;
|
||||||
|
|
||||||
use super::*;
|
use super::*;
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
|
|
@ -73,4 +173,29 @@ mod test {
|
||||||
assert_eq!(parsed.chain[0].fingerprint(MessageDigest::sha1()).unwrap().to_hex(),
|
assert_eq!(parsed.chain[0].fingerprint(MessageDigest::sha1()).unwrap().to_hex(),
|
||||||
"c0cbdf7cdd03c9773e5468e1f6d2da7d5cbb1875");
|
"c0cbdf7cdd03c9773e5468e1f6d2da7d5cbb1875");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn create() {
|
||||||
|
let subject_name = "ns.example.com";
|
||||||
|
let rsa = Rsa::generate(2048).unwrap();
|
||||||
|
let pkey = PKey::from_rsa(rsa).unwrap();
|
||||||
|
|
||||||
|
let gen = X509Generator::new()
|
||||||
|
.set_valid_period(365*2)
|
||||||
|
.add_name("CN".to_owned(), subject_name.to_string())
|
||||||
|
.set_sign_hash(MessageDigest::sha256())
|
||||||
|
.add_extension(Extension::KeyUsage(vec![KeyUsageOption::DigitalSignature]));
|
||||||
|
|
||||||
|
let cert = gen.sign(&pkey).unwrap();
|
||||||
|
|
||||||
|
let pkcs12_builder = Pkcs12Builder::new("mypass", subject_name, &pkey, &cert);
|
||||||
|
let pkcs12 = pkcs12_builder.build().unwrap();
|
||||||
|
let der = pkcs12.to_der().unwrap();
|
||||||
|
|
||||||
|
let pkcs12 = Pkcs12::from_der(&der).unwrap();
|
||||||
|
let parsed = pkcs12.parse("mypass").unwrap();
|
||||||
|
|
||||||
|
assert_eq!(parsed.cert.fingerprint(MessageDigest::sha1()).unwrap(), cert.fingerprint(MessageDigest::sha1()).unwrap());
|
||||||
|
assert!(parsed.pkey.public_eq(&pkey));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue