Merge pull request #515 from sfackler/x509-builder

Add X509 builders, deprecate X509Generator

openssl-sys/src/lib.rs

@@ -33,6 +33,7 @@ pub enum ASN1_OBJECT {}
 pub enum BN_CTX {}
 pub enum BN_GENCB {}
 pub enum CONF {}
+pub enum CONF_METHOD {}
 pub enum COMP_METHOD {}
 pub enum EC_KEY {}
 pub enum EC_GROUP {}
@@ -1426,20 +1427,17 @@ extern {
     pub fn BIO_set_flags(b: *mut BIO, flags: c_int);
     pub fn BIO_clear_flags(b: *mut BIO, flags: c_int);
 
+    pub fn BN_CTX_new() -> *mut BN_CTX;
+    pub fn BN_CTX_free(ctx: *mut BN_CTX);
+
     pub fn BN_new() -> *mut BIGNUM;
     pub fn BN_dup(n: *const BIGNUM) -> *mut BIGNUM;
     pub fn BN_clear(bn: *mut BIGNUM);
     pub fn BN_free(bn: *mut BIGNUM);
     pub fn BN_clear_free(bn: *mut BIGNUM);
-
-    pub fn BN_CTX_new() -> *mut BN_CTX;
-    pub fn BN_CTX_free(ctx: *mut BN_CTX);
-
     pub fn BN_num_bits(bn: *const BIGNUM) -> c_int;
     pub fn BN_set_negative(bn: *mut BIGNUM, n: c_int);
     pub fn BN_set_word(bn: *mut BIGNUM, n: BN_ULONG) -> c_int;
-
-    /* Arithmetic operations on BIGNUMs */
     pub fn BN_add(r: *mut BIGNUM, a: *const BIGNUM, b: *const BIGNUM) -> c_int;
     pub fn BN_div(dv: *mut BIGNUM, rem: *mut BIGNUM, a: *const BIGNUM, b: *const BIGNUM, ctx: *mut BN_CTX) -> c_int;
     pub fn BN_exp(r: *mut BIGNUM, a: *const BIGNUM, p: *const BIGNUM, ctx: *mut BN_CTX) -> c_int;
@@ -1459,8 +1457,6 @@ extern {
     pub fn BN_mod_word(r: *const BIGNUM, w: BN_ULONG) -> BN_ULONG;
     pub fn BN_sqr(r: *mut BIGNUM, a: *const BIGNUM, ctx: *mut BN_CTX) -> c_int;
     pub fn BN_sub(r: *mut BIGNUM, a: *const BIGNUM, b: *const BIGNUM) -> c_int;
-
-    /* Bit operations on BIGNUMs */
     pub fn BN_clear_bit(a: *mut BIGNUM, n: c_int) -> c_int;
     pub fn BN_is_bit_set(a: *const BIGNUM, n: c_int) -> c_int;
     pub fn BN_lshift(r: *mut BIGNUM, a: *const BIGNUM, n: c_int) -> c_int;
@@ -1469,33 +1465,26 @@ extern {
     pub fn BN_rshift(r: *mut BIGNUM, a: *const BIGNUM, n: c_int) -> c_int;
     pub fn BN_set_bit(a: *mut BIGNUM, n: c_int) -> c_int;
     pub fn BN_rshift1(r: *mut BIGNUM, a: *const BIGNUM) -> c_int;
-
-    /* Comparisons on BIGNUMs */
     pub fn BN_cmp(a: *const BIGNUM, b: *const BIGNUM) -> c_int;
     pub fn BN_ucmp(a: *const BIGNUM, b: *const BIGNUM) -> c_int;
-
-    /* Prime handling */
     pub fn BN_generate_prime_ex(r: *mut BIGNUM, bits: c_int, safe: c_int, add: *const BIGNUM, rem: *const BIGNUM, cb: *mut BN_GENCB) -> c_int;
     pub fn BN_is_prime_ex(p: *const BIGNUM, checks: c_int, ctx: *mut BN_CTX, cb: *mut BN_GENCB) -> c_int;
     pub fn BN_is_prime_fasttest_ex(p: *const BIGNUM, checks: c_int, ctx: *mut BN_CTX, do_trial_division: c_int, cb: *mut BN_GENCB) -> c_int;
-
-    /* Random number handling */
     pub fn BN_rand(r: *mut BIGNUM, bits: c_int, top: c_int, bottom: c_int) -> c_int;
     pub fn BN_pseudo_rand(r: *mut BIGNUM, bits: c_int, top: c_int, bottom: c_int) -> c_int;
     pub fn BN_rand_range(r: *mut BIGNUM, range: *const BIGNUM) -> c_int;
     pub fn BN_pseudo_rand_range(r: *mut BIGNUM, range: *const BIGNUM) -> c_int;
-
-    /* Conversion from/to binary representation */
     pub fn BN_bin2bn(s: *const u8, size: c_int, ret: *mut BIGNUM) -> *mut BIGNUM;
     pub fn BN_bn2bin(a: *const BIGNUM, to: *mut u8) -> c_int;
-
-    /* Conversion from/to decimal string representation */
     pub fn BN_dec2bn(a: *mut *mut BIGNUM, s: *const c_char) -> c_int;
     pub fn BN_bn2dec(a: *const BIGNUM) -> *mut c_char;
-
-    /* Conversion from/to hexidecimal string representation */
     pub fn BN_hex2bn(a: *mut *mut BIGNUM, s: *const c_char) -> c_int;
     pub fn BN_bn2hex(a: *const BIGNUM) -> *mut c_char;
+    pub fn BN_to_ASN1_INTEGER(bn: *const BIGNUM, ai: *mut ASN1_INTEGER) -> *mut ASN1_INTEGER;
+
+    pub fn NCONF_default() -> *mut CONF_METHOD;
+    pub fn NCONF_new(meth: *mut CONF_METHOD) -> *mut CONF;
+    pub fn NCONF_free(conf: *mut CONF);
 
     pub fn CRYPTO_memcmp(a: *const c_void, b: *const c_void,
                          len: size_t) -> c_int;
@@ -1923,6 +1912,8 @@ extern {
     pub fn X509_gmtime_adj(time: *mut ASN1_TIME, adj: c_long) -> *mut ASN1_TIME;
     pub fn X509_new() -> *mut X509;
     pub fn X509_set_issuer_name(x: *mut X509, name: *mut X509_NAME) -> c_int;
+    pub fn X509_set_subject_name(x: *mut X509, name: *mut X509_NAME) -> c_int;
+    pub fn X509_set_serialNumber(x: *mut X509, sn: *mut ASN1_INTEGER) -> c_int;
     pub fn X509_set_version(x: *mut X509, version: c_long) -> c_int;
     pub fn X509_set_pubkey(x: *mut X509, pkey: *mut EVP_PKEY) -> c_int;
     pub fn X509_sign(x: *mut X509, pkey: *mut EVP_PKEY, md: *const EVP_MD) -> c_int;
@@ -1936,6 +1927,7 @@ extern {
 
     pub fn X509_EXTENSION_free(ext: *mut X509_EXTENSION);
 
+    pub fn X509_NAME_new() -> *mut X509_NAME;
     pub fn X509_NAME_free(x: *mut X509_NAME);
     pub fn X509_NAME_add_entry_by_txt(x: *mut X509_NAME, field: *const c_char, ty: c_int, bytes: *const c_uchar, len: c_int, loc: c_int, set: c_int) -> c_int;
     pub fn X509_NAME_get_index_by_NID(n: *mut X509_NAME, nid: c_int, last_pos: c_int) -> c_int;
@@ -1959,12 +1951,14 @@ extern {
     pub fn X509_STORE_CTX_get_error_depth(ctx: *mut X509_STORE_CTX) -> c_int;
 
     pub fn X509V3_set_ctx(ctx: *mut X509V3_CTX, issuer: *mut X509, subject: *mut X509, req: *mut X509_REQ, crl: *mut X509_CRL, flags: c_int);
+    pub fn X509V3_set_nconf(ctx: *mut X509V3_CTX, conf: *mut CONF);
 
+    pub fn X509_REQ_new() -> *mut X509_REQ;
+    pub fn X509_REQ_set_version(req: *mut X509_REQ, version: c_long) -> c_int;
+    pub fn X509_REQ_set_subject_name(req: *mut X509_REQ, name: *mut X509_NAME) -> c_int;
+    pub fn X509_REQ_set_pubkey(req: *mut X509_REQ, pkey: *mut EVP_PKEY) -> c_int;
     pub fn X509_REQ_add_extensions(req: *mut X509_REQ, exts: *mut stack_st_X509_EXTENSION) -> c_int;
     pub fn X509_REQ_sign(x: *mut X509_REQ, pkey: *mut EVP_PKEY, md: *const EVP_MD) -> c_int;
-    pub fn X509_REQ_set_version(x: *mut X509_REQ, version: c_long) -> c_int;
-    pub fn X509_REQ_set_subject_name(req: *mut X509_REQ, name: *mut ::X509_NAME) -> c_int;
-
 
     #[cfg(not(ossl101))]
     pub fn X509_VERIFY_PARAM_free(param: *mut X509_VERIFY_PARAM);

openssl-sys/src/libressl.rs

@@ -707,6 +707,7 @@ extern {
     pub fn X509_set_notAfter(x: *mut ::X509, tm: *const ::ASN1_TIME) -> c_int;
     pub fn X509_set_notBefore(x: *mut ::X509, tm: *const ::ASN1_TIME) -> c_int;
     pub fn X509_get_ext_d2i(x: *mut ::X509, nid: c_int, crit: *mut c_int, idx: *mut c_int) -> *mut c_void;
+    pub fn X509_NAME_add_entry_by_NID(x: *mut ::X509_NAME, field: c_int, ty: c_int, bytes: *mut c_uchar, len: c_int, loc: c_int, set: c_int) -> c_int;
     pub fn X509_NAME_get_entry(n: *mut ::X509_NAME, loc: c_int) -> *mut ::X509_NAME_ENTRY;
     pub fn X509_NAME_ENTRY_get_data(ne: *mut ::X509_NAME_ENTRY) -> *mut ::ASN1_STRING;
     pub fn X509_STORE_CTX_get_chain(ctx: *mut ::X509_STORE_CTX) -> *mut stack_st_X509;
@@ -723,9 +724,11 @@ extern {
     pub fn EVP_MD_CTX_destroy(ctx: *mut EVP_MD_CTX);
     pub fn EVP_PKEY_bits(key: *mut EVP_PKEY) -> c_int;
 
+    pub fn sk_new_null() -> *mut _STACK;
     pub fn sk_num(st: *const _STACK) -> c_int;
     pub fn sk_value(st: *const _STACK, n: c_int) -> *mut c_void;
     pub fn sk_free(st: *mut _STACK);
+    pub fn sk_push(st: *mut _STACK, data: *mut c_void) -> c_int;
     pub fn sk_pop_free(st: *mut _STACK, free: Option<unsafe extern "C" fn (*mut c_void)>);
     pub fn sk_pop(st: *mut _STACK) -> *mut c_void;
 

openssl-sys/src/ossl10x.rs

@@ -856,6 +856,7 @@ extern {
     pub fn X509_set_notAfter(x: *mut ::X509, tm: *const ::ASN1_TIME) -> c_int;
     pub fn X509_set_notBefore(x: *mut ::X509, tm: *const ::ASN1_TIME) -> c_int;
     pub fn X509_get_ext_d2i(x: *mut ::X509, nid: c_int, crit: *mut c_int, idx: *mut c_int) -> *mut c_void;
+    pub fn X509_NAME_add_entry_by_NID(x: *mut ::X509_NAME, field: c_int, ty: c_int, bytes: *mut c_uchar, len: c_int, loc: c_int, set: c_int) -> c_int;
     #[cfg(not(ossl101))]
     pub fn X509_get0_signature(psig: *mut *mut ::ASN1_BIT_STRING, palg: *mut *mut ::X509_ALGOR, x: *const ::X509);
     #[cfg(not(ossl101))]
@@ -878,9 +879,11 @@ extern {
     pub fn EVP_MD_CTX_destroy(ctx: *mut EVP_MD_CTX);
     pub fn EVP_PKEY_bits(key: *mut EVP_PKEY) -> c_int;
 
+    pub fn sk_new_null() -> *mut _STACK;
     pub fn sk_num(st: *const _STACK) -> c_int;
     pub fn sk_value(st: *const _STACK, n: c_int) -> *mut c_void;
     pub fn sk_free(st: *mut _STACK);
+    pub fn sk_push(st: *mut _STACK, data: *mut c_void) -> c_int;
     pub fn sk_pop_free(st: *mut _STACK, free: Option<unsafe extern "C" fn (*mut c_void)>);
     pub fn sk_pop(st: *mut _STACK) -> *mut c_void;
 

openssl-sys/src/ossl110.rs

@@ -86,6 +86,7 @@ extern {
     pub fn X509_set1_notAfter(x: *mut ::X509, tm: *const ::ASN1_TIME) -> c_int;
     pub fn X509_set1_notBefore(x: *mut ::X509, tm: *const ::ASN1_TIME) -> c_int;
     pub fn X509_get_ext_d2i(x: *const ::X509, nid: c_int, crit: *mut c_int, idx: *mut c_int) -> *mut c_void;
+    pub fn X509_NAME_add_entry_by_NID(x: *mut ::X509_NAME, field: c_int, ty: c_int, bytes: *const c_uchar, len: c_int, loc: c_int, set: c_int) -> c_int;
     pub fn X509_get_signature_nid(x: *const X509) -> c_int;
     pub fn X509_ALGOR_get0(paobj: *mut *const ::ASN1_OBJECT, pptype: *mut c_int, ppval: *mut *const c_void, alg: *const ::X509_ALGOR);
     pub fn X509_NAME_get_entry(n: *const ::X509_NAME, loc: c_int) -> *mut ::X509_NAME_ENTRY;
@@ -182,8 +183,10 @@ extern {
 
     pub fn OpenSSL_version_num() -> c_ulong;
     pub fn OpenSSL_version(key: c_int) -> *const c_char;
+    pub fn OPENSSL_sk_new_null() -> *mut ::OPENSSL_STACK;
     pub fn OPENSSL_sk_free(st: *mut ::OPENSSL_STACK);
     pub fn OPENSSL_sk_pop_free(st: *mut ::OPENSSL_STACK, free: Option<unsafe extern "C" fn (*mut c_void)>);
+    pub fn OPENSSL_sk_push(st: *mut ::OPENSSL_STACK, data: *const c_void) -> c_int;
     pub fn OPENSSL_sk_pop(st: *mut ::OPENSSL_STACK) -> *mut c_void;
 
     pub fn PKCS12_create(pass: *const c_char,

openssl/Cargo.toml

@@ -19,7 +19,7 @@ v110 = []
 
 [dependencies]
 bitflags = "0.7"
-foreign-types = "0.1"
+foreign-types = "0.2"
 lazy_static = "0.2"
 libc = "0.2"
 openssl-sys = { version = "0.9.6", path = "../openssl-sys" }
@@ -28,4 +28,4 @@ openssl-sys = { version = "0.9.6", path = "../openssl-sys" }
 tempdir = "0.3"
 winapi = "0.2"
 ws2_32-sys = "0.2"
-hex = "0.2"
+hex = "0.2"

openssl/src/bn.rs

@@ -7,6 +7,7 @@ use std::{fmt, ptr};
 use std::ops::{Add, Div, Mul, Neg, Rem, Shl, Shr, Sub, Deref};
 
 use {cvt, cvt_p, cvt_n};
+use asn1::Asn1Integer;
 use error::ErrorStack;
 use string::OpensslString;
 
@@ -513,6 +514,14 @@ impl BigNumRef {
             Ok(OpensslString::from_ptr(buf))
         }
     }
+
+    /// Returns an `Asn1Integer` containing the value of `self`.
+    pub fn to_asn1_integer(&self) -> Result<Asn1Integer, ErrorStack> {
+        unsafe {
+            cvt_p(ffi::BN_to_ASN1_INTEGER(self.as_ptr(), ptr::null_mut()))
+                .map(|p| Asn1Integer::from_ptr(p))
+        }
+    }
 }
 
 foreign_type! {

openssl/src/conf.rs

@@ -0,0 +1,37 @@
+use ffi;
+
+use cvt_p;
+use error::ErrorStack;
+
+pub struct ConfMethod(*mut ffi::CONF_METHOD);
+
+impl ConfMethod {
+    pub fn default() -> ConfMethod {
+        unsafe {
+            ffi::init();
+            ConfMethod(ffi::NCONF_default())
+        }
+    }
+
+    pub unsafe fn from_ptr(ptr: *mut ffi::CONF_METHOD) -> ConfMethod {
+        ConfMethod(ptr)
+    }
+
+    pub fn as_ptr(&self) -> *mut ffi::CONF_METHOD {
+        self.0
+    }
+}
+
+foreign_type! {
+    type CType = ffi::CONF;
+    fn drop = ffi::NCONF_free;
+
+    pub struct Conf;
+    pub struct ConfRef;
+}
+
+impl Conf {
+    pub fn new(method: ConfMethod) -> Result<Conf, ErrorStack> {
+        unsafe { cvt_p(ffi::NCONF_new(method.as_ptr())).map(Conf) }
+    }
+}

openssl/src/lib.rs

@@ -29,6 +29,7 @@ mod util;
 pub mod aes;
 pub mod asn1;
 pub mod bn;
+pub mod conf;
 pub mod crypto;
 pub mod dh;
 pub mod dsa;

openssl/src/pkcs12.rs

@@ -173,10 +173,12 @@ mod test {
     use hash::MessageDigest;
     use hex::ToHex;
 
-    use ::rsa::Rsa;
+    use asn1::Asn1Time;
-    use ::pkey::*;
+    use rsa::Rsa;
-    use ::x509::*;
+    use pkey::PKey;
-    use ::x509::extension::*;
+    use nid;
+    use x509::{X509, X509Name};
+    use x509::extension::KeyUsage;
 
     use super::*;
 
@@ -200,13 +202,22 @@ mod test {
         let rsa = Rsa::generate(2048).unwrap();
         let pkey = PKey::from_rsa(rsa).unwrap();
 
-        let gen = X509Generator::new()
+        let mut name = X509Name::builder().unwrap();
-                               .set_valid_period(365*2)
+        name.append_entry_by_nid(nid::COMMONNAME, subject_name).unwrap();
-                               .add_name("CN".to_owned(), subject_name.to_string())
+        let name = name.build();
-                               .set_sign_hash(MessageDigest::sha256())
-                               .add_extension(Extension::KeyUsage(vec![KeyUsageOption::DigitalSignature]));
 
-        let cert = gen.sign(&pkey).unwrap();
+        let key_usage = KeyUsage::new().digital_signature().build().unwrap();;
+
+        let mut builder = X509::builder().unwrap();
+        builder.set_version(2).unwrap();
+        builder.set_not_before(&Asn1Time::days_from_now(0).unwrap()).unwrap();
+        builder.set_not_after(&Asn1Time::days_from_now(365).unwrap()).unwrap();
+        builder.set_subject_name(&name).unwrap();
+        builder.set_issuer_name(&name).unwrap();
+        builder.append_extension(key_usage).unwrap();
+        builder.set_pubkey(&pkey).unwrap();
+        builder.sign(&pkey, MessageDigest::sha256()).unwrap();
+        let cert = builder.build();
 
         let pkcs12_builder = Pkcs12::builder();
         let pkcs12 = pkcs12_builder.build("mypass", subject_name, &pkey, &cert).unwrap();

openssl/src/ssl/mod.rs

@@ -1061,9 +1061,15 @@ impl ForeignType for SslCipher {
     type CType = ffi::SSL_CIPHER;
     type Ref = SslCipherRef;
 
+    #[inline]
     unsafe fn from_ptr(ptr: *mut ffi::SSL_CIPHER) -> SslCipher {
         SslCipher(ptr)
     }
+
+    #[inline]
+    fn as_ptr(&self) -> *mut ffi::SSL_CIPHER {
+        self.0
+    }
 }
 
 impl Deref for SslCipher {

openssl/src/stack.rs

@@ -5,15 +5,21 @@ use std::convert::AsRef;
 use std::iter;
 use std::marker::PhantomData;
 use std::mem;
+use ffi;
+
+use {cvt, cvt_p};
+use error::ErrorStack;
 use std::ops::{Deref, DerefMut, Index, IndexMut};
 
 use util::Opaque;
 
 #[cfg(ossl10x)]
 use ffi::{sk_pop as OPENSSL_sk_pop, sk_free as OPENSSL_sk_free, sk_num as OPENSSL_sk_num,
-          sk_value as OPENSSL_sk_value, _STACK as OPENSSL_STACK};
+          sk_value as OPENSSL_sk_value, _STACK as OPENSSL_STACK,
+          sk_new_null as OPENSSL_sk_new_null, sk_push as OPENSSL_sk_push};
 #[cfg(ossl110)]
-use ffi::{OPENSSL_sk_pop, OPENSSL_sk_free, OPENSSL_sk_num, OPENSSL_sk_value, OPENSSL_STACK};
+use ffi::{OPENSSL_sk_pop, OPENSSL_sk_free, OPENSSL_sk_num, OPENSSL_sk_value, OPENSSL_STACK,
+          OPENSSL_sk_new_null, OPENSSL_sk_push};
 
 /// Trait implemented by types which can be placed in a stack.
 ///
@@ -30,9 +36,12 @@ pub trait Stackable: ForeignType {
 pub struct Stack<T: Stackable>(*mut T::StackType);
 
 impl<T: Stackable> Stack<T> {
-    /// Return a new Stack<T>, taking ownership of the handle
+    pub fn new() -> Result<Stack<T>, ErrorStack> {
-    pub unsafe fn from_ptr(stack: *mut T::StackType) -> Stack<T> {
+        unsafe {
-        Stack(stack)
+            ffi::init();
+            let ptr = try!(cvt_p(OPENSSL_sk_new_null()));
+            Ok(Stack(ptr as *mut _))
+        }
     }
 }
 
@@ -75,9 +84,15 @@ impl<T: Stackable> ForeignType for Stack<T> {
     type CType = T::StackType;
     type Ref = StackRef<T>;
 
+    #[inline]
     unsafe fn from_ptr(ptr: *mut T::StackType) -> Stack<T> {
         Stack(ptr)
     }
+
+    #[inline]
+    fn as_ptr(&self) -> *mut T::StackType {
+        self.0
+    }
 }
 
 impl<T: Stackable> Deref for Stack<T> {
@@ -197,6 +212,15 @@ impl<T: Stackable> StackRef<T> {
         }
     }
 
+    /// Pushes a value onto the top of the stack.
+    pub fn push(&mut self, data: T) -> Result<(), ErrorStack> {
+        unsafe {
+            try!(cvt(OPENSSL_sk_push(self.as_stack(), data.as_ptr() as *mut _)));
+            mem::forget(data);
+            Ok(())
+        }
+    }
+
     /// Removes the last element from the stack and returns it.
     pub fn pop(&mut self) -> Option<T> {
         unsafe {

openssl/src/x509/extension.rs

@@ -1,12 +1,15 @@
-use std::fmt;
+use std::fmt::{self, Write};
 
+use error::ErrorStack;
 use nid::{self, Nid};
+use x509::{X509v3Context, X509Extension};
 
 /// Type-only version of the `Extension` enum.
 ///
 /// See the `Extension` documentation for more information on the different
 /// variants.
 #[derive(Clone,Hash,PartialEq,Eq)]
+#[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")]
 pub enum ExtensionType {
     KeyUsage,
     ExtKeyUsage,
@@ -21,6 +24,7 @@ pub enum ExtensionType {
 /// Only one extension of each type is allow in a certificate.
 /// See RFC 3280 for more information about extensions.
 #[derive(Clone)]
+#[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")]
 pub enum Extension {
     /// The purposes of the key contained in the certificate
     KeyUsage(Vec<KeyUsageOption>),
@@ -56,6 +60,7 @@ pub enum Extension {
 }
 
 impl Extension {
+    #[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")]
     pub fn get_type(&self) -> ExtensionType {
         match self {
             &Extension::KeyUsage(_) => ExtensionType::KeyUsage,
@@ -69,6 +74,7 @@ impl Extension {
 }
 
 impl ExtensionType {
+    #[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")]
     pub fn get_nid(&self) -> Option<Nid> {
         match self {
             &ExtensionType::KeyUsage => Some(nid::KEY_USAGE),
@@ -80,6 +86,7 @@ impl ExtensionType {
         }
     }
 
+    #[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")]
     pub fn get_name(&self) -> Option<&str> {
         match self {
             &ExtensionType::OtherStr(ref s) => Some(s),
@@ -120,6 +127,7 @@ impl ToString for Extension {
 }
 
 #[derive(Clone,Copy)]
+#[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")]
 pub enum KeyUsageOption {
     DigitalSignature,
     NonRepudiation,
@@ -149,6 +157,7 @@ impl fmt::Display for KeyUsageOption {
 }
 
 #[derive(Clone)]
+#[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")]
 pub enum ExtKeyUsageOption {
     ServerAuth,
     ClientAuth,
@@ -185,6 +194,7 @@ impl fmt::Display for ExtKeyUsageOption {
 }
 
 #[derive(Clone, Copy)]
+#[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")]
 pub enum AltNameOption {
     /// The value is specified as OID;content. See `man ASN1_generate_nconf` for more information on the content syntax.
     ///
@@ -219,3 +229,413 @@ impl fmt::Display for AltNameOption {
         })
     }
 }
+
+pub struct BasicConstraints {
+    critical: bool,
+    ca: bool,
+    pathlen: Option<u32>,
+}
+
+impl BasicConstraints {
+    pub fn new() -> BasicConstraints {
+        BasicConstraints {
+            critical: false,
+            ca: false,
+            pathlen: None,
+        }
+    }
+
+    pub fn critical(&mut self) -> &mut BasicConstraints {
+        self.critical = true;
+        self
+    }
+
+    pub fn ca(&mut self) -> &mut BasicConstraints {
+        self.ca = true;
+        self
+    }
+
+    pub fn pathlen(&mut self, pathlen: u32) -> &mut BasicConstraints {
+        self.pathlen = Some(pathlen);
+        self
+    }
+
+    pub fn build(&self) -> Result<X509Extension, ErrorStack> {
+        let mut value = String::new();
+        if self.critical {
+            value.push_str("critical,");
+        }
+        value.push_str("CA:");
+        if self.ca {
+            value.push_str("TRUE");
+        } else {
+            value.push_str("FALSE");
+        }
+        if let Some(pathlen) = self.pathlen {
+            write!(value, ",pathlen:{}", pathlen).unwrap();
+        }
+        X509Extension::new_nid(None, None, nid::BASIC_CONSTRAINTS, &value)
+    }
+}
+
+pub struct KeyUsage {
+    critical: bool,
+    digital_signature: bool,
+    non_repudiation: bool,
+    key_encipherment: bool,
+    data_encipherment: bool,
+    key_agreement: bool,
+    key_cert_sign: bool,
+    crl_sign: bool,
+    encipher_only: bool,
+    decipher_only: bool,
+}
+
+impl KeyUsage {
+    pub fn new() -> KeyUsage {
+        KeyUsage {
+            critical: false,
+            digital_signature: false,
+            non_repudiation: false,
+            key_encipherment: false,
+            data_encipherment: false,
+            key_agreement: false,
+            key_cert_sign: false,
+            crl_sign: false,
+            encipher_only: false,
+            decipher_only: false,
+        }
+    }
+
+    pub fn critical(&mut self) -> &mut KeyUsage {
+        self.critical = true;
+        self
+    }
+
+    pub fn digital_signature(&mut self) -> &mut KeyUsage {
+        self.digital_signature = true;
+        self
+    }
+
+    pub fn non_repudiation(&mut self) -> &mut KeyUsage {
+        self.non_repudiation = true;
+        self
+    }
+
+    pub fn key_encipherment(&mut self) -> &mut KeyUsage {
+        self.key_encipherment = true;
+        self
+    }
+
+    pub fn data_encipherment(&mut self) -> &mut KeyUsage {
+        self.data_encipherment = true;
+        self
+    }
+
+    pub fn key_agreement(&mut self) -> &mut KeyUsage {
+        self.key_agreement = true;
+        self
+    }
+
+    pub fn key_cert_sign(&mut self) -> &mut KeyUsage {
+        self.key_cert_sign = true;
+        self
+    }
+
+    pub fn crl_sign(&mut self) -> &mut KeyUsage {
+        self.crl_sign = true;
+        self
+    }
+
+    pub fn encipher_only(&mut self) -> &mut KeyUsage {
+        self.encipher_only = true;
+        self
+    }
+
+    pub fn decipher_only(&mut self) -> &mut KeyUsage {
+        self.decipher_only = true;
+        self
+    }
+
+    pub fn build(&self) -> Result<X509Extension, ErrorStack> {
+        let mut value = String::new();
+        let mut first = true;
+        append(&mut value, &mut first, self.critical, "critical");
+        append(&mut value, &mut first, self.digital_signature, "digitalSignature");
+        append(&mut value, &mut first, self.non_repudiation, "nonRepudiation");
+        append(&mut value, &mut first, self.key_encipherment, "keyEncipherment");
+        append(&mut value, &mut first, self.data_encipherment, "dataEncipherment");
+        append(&mut value, &mut first, self.key_agreement, "keyAgreement");
+        append(&mut value, &mut first, self.key_cert_sign, "keyCertSign");
+        append(&mut value, &mut first, self.crl_sign, "cRLSign");
+        append(&mut value, &mut first, self.encipher_only, "encipherOnly");
+        append(&mut value, &mut first, self.decipher_only, "decipherOnly");
+        X509Extension::new_nid(None, None, nid::KEY_USAGE, &value)
+    }
+}
+
+pub struct ExtendedKeyUsage {
+    critical: bool,
+    server_auth: bool,
+    client_auth: bool,
+    code_signing: bool,
+    email_protection: bool,
+    time_stamping: bool,
+    ms_code_ind: bool,
+    ms_code_com: bool,
+    ms_ctl_sign: bool,
+    ms_sgc: bool,
+    ms_efs: bool,
+    ns_sgc: bool,
+    other: Vec<String>,
+}
+
+impl ExtendedKeyUsage {
+    pub fn new() -> ExtendedKeyUsage {
+        ExtendedKeyUsage {
+            critical: false,
+            server_auth: false,
+            client_auth: false,
+            code_signing: false,
+            email_protection: false,
+            time_stamping: false,
+            ms_code_ind: false,
+            ms_code_com: false,
+            ms_ctl_sign: false,
+            ms_sgc: false,
+            ms_efs: false,
+            ns_sgc: false,
+            other: vec![],
+        }
+    }
+
+    pub fn critical(&mut self) -> &mut ExtendedKeyUsage {
+        self.critical = true;
+        self
+    }
+
+    pub fn server_auth(&mut self) -> &mut ExtendedKeyUsage {
+        self.server_auth = true;
+        self
+    }
+
+    pub fn client_auth(&mut self) -> &mut ExtendedKeyUsage {
+        self.client_auth = true;
+        self
+    }
+
+    pub fn code_signing(&mut self) -> &mut ExtendedKeyUsage {
+        self.code_signing = true;
+        self
+    }
+
+    pub fn time_stamping(&mut self) -> &mut ExtendedKeyUsage {
+        self.time_stamping = true;
+        self
+    }
+
+    pub fn ms_code_ind(&mut self) -> &mut ExtendedKeyUsage {
+        self.ms_code_ind = true;
+        self
+    }
+
+    pub fn ms_code_com(&mut self) -> &mut ExtendedKeyUsage {
+        self.ms_code_com = true;
+        self
+    }
+
+    pub fn ms_ctl_sign(&mut self) -> &mut ExtendedKeyUsage {
+        self.ms_ctl_sign = true;
+        self
+    }
+
+    pub fn ms_sgc(&mut self) -> &mut ExtendedKeyUsage {
+        self.ms_sgc = true;
+        self
+    }
+
+    pub fn ms_efs(&mut self) -> &mut ExtendedKeyUsage {
+        self.ms_efs = true;
+        self
+    }
+
+    pub fn ns_sgc(&mut self) -> &mut ExtendedKeyUsage {
+        self.ns_sgc = true;
+        self
+    }
+
+    pub fn other(&mut self, other: &str) -> &mut ExtendedKeyUsage {
+        self.other.push(other.to_owned());
+        self
+    }
+
+    pub fn build(&self) -> Result<X509Extension, ErrorStack> {
+        let mut value = String::new();
+        let mut first = true;
+        append(&mut value, &mut first, self.critical, "critical");
+        append(&mut value, &mut first, self.server_auth, "serverAuth");
+        append(&mut value, &mut first, self.client_auth, "clientAuth");
+        append(&mut value, &mut first, self.code_signing, "codeSigning");
+        append(&mut value, &mut first, self.email_protection, "emailProtection");
+        append(&mut value, &mut first, self.time_stamping, "timeStamping");
+        append(&mut value, &mut first, self.ms_code_ind, "msCodeInd");
+        append(&mut value, &mut first, self.ms_code_com, "msCodeCom");
+        append(&mut value, &mut first, self.ms_ctl_sign, "msCTLSign");
+        append(&mut value, &mut first, self.ms_sgc, "msSGC");
+        append(&mut value, &mut first, self.ms_efs, "msEFS");
+        append(&mut value, &mut first, self.ns_sgc, "nsSGC");
+        for other in &self.other {
+            append(&mut value, &mut first, true, other);
+        }
+        X509Extension::new_nid(None, None, nid::EXT_KEY_USAGE, &value)
+    }
+}
+
+pub struct SubjectKeyIdentifier {
+    critical: bool,
+}
+
+impl SubjectKeyIdentifier {
+    pub fn new() -> SubjectKeyIdentifier {
+        SubjectKeyIdentifier {
+            critical: false,
+        }
+    }
+
+    pub fn critical(&mut self) -> &mut SubjectKeyIdentifier {
+        self.critical = true;
+        self
+    }
+
+    pub fn build(&self, ctx: &X509v3Context) -> Result<X509Extension, ErrorStack> {
+        let mut value = String::new();
+        let mut first = true;
+        append(&mut value, &mut first, self.critical, "critical");
+        append(&mut value, &mut first, true, "hash");
+        X509Extension::new_nid(None, Some(ctx), nid::SUBJECT_KEY_IDENTIFIER, &value)
+    }
+}
+
+pub struct AuthorityKeyIdentifier {
+    critical: bool,
+    keyid: Option<bool>,
+    issuer: Option<bool>,
+}
+
+impl AuthorityKeyIdentifier {
+    pub fn new() -> AuthorityKeyIdentifier {
+        AuthorityKeyIdentifier {
+            critical: false,
+            keyid: None,
+            issuer: None,
+        }
+    }
+
+    pub fn critical(&mut self) -> &mut AuthorityKeyIdentifier {
+        self.critical = true;
+        self
+    }
+
+    pub fn keyid(&mut self, always: bool) -> &mut AuthorityKeyIdentifier {
+        self.keyid = Some(always);
+        self
+    }
+
+    pub fn issuer(&mut self, always: bool) -> &mut AuthorityKeyIdentifier {
+        self.issuer = Some(always);
+        self
+    }
+
+    pub fn build(&self, ctx: &X509v3Context) -> Result<X509Extension, ErrorStack> {
+        let mut value = String::new();
+        let mut first = true;
+        append(&mut value, &mut first, self.critical, "critical");
+        match self.keyid {
+            Some(true) => append(&mut value, &mut first, true, "keyid:always"),
+            Some(false) => append(&mut value, &mut first, true, "keyid"),
+            None => {}
+        }
+        match self.issuer {
+            Some(true) => append(&mut value, &mut first, true, "issuer:always"),
+            Some(false) => append(&mut value, &mut first, true, "issuer"),
+            None => {}
+        }
+        X509Extension::new_nid(None, Some(ctx), nid::AUTHORITY_KEY_IDENTIFIER, &value)
+    }
+}
+
+pub struct SubjectAlternativeName {
+    critical: bool,
+    names: Vec<String>,
+}
+
+impl SubjectAlternativeName {
+    pub fn new() -> SubjectAlternativeName {
+        SubjectAlternativeName {
+            critical: false,
+            names: vec![],
+        }
+    }
+
+    pub fn critical(&mut self) -> &mut SubjectAlternativeName {
+        self.critical = true;
+        self
+    }
+
+    pub fn email(&mut self, email: &str) -> &mut SubjectAlternativeName {
+        self.names.push(format!("email:{}", email));
+        self
+    }
+
+    pub fn uri(&mut self, uri: &str) -> &mut SubjectAlternativeName {
+        self.names.push(format!("URI:{}", uri));
+        self
+    }
+
+    pub fn dns(&mut self, dns: &str) -> &mut SubjectAlternativeName {
+        self.names.push(format!("DNS:{}", dns));
+        self
+    }
+
+    pub fn rid(&mut self, rid: &str) -> &mut SubjectAlternativeName {
+        self.names.push(format!("RID:{}", rid));
+        self
+    }
+
+    pub fn ip(&mut self, ip: &str) -> &mut SubjectAlternativeName {
+        self.names.push(format!("IP:{}", ip));
+        self
+    }
+
+    pub fn dir_name(&mut self, dir_name: &str) -> &mut SubjectAlternativeName {
+        self.names.push(format!("dirName:{}", dir_name));
+        self
+    }
+
+    pub fn other_name(&mut self, other_name: &str) -> &mut SubjectAlternativeName {
+        self.names.push(format!("otherName:{}", other_name));
+        self
+    }
+
+    pub fn build(&self, ctx: &X509v3Context) -> Result<X509Extension, ErrorStack> {
+        let mut value = String::new();
+        let mut first = true;
+        append(&mut value, &mut first, self.critical, "critical");
+        for name in &self.names {
+            append(&mut value, &mut first, true, name);
+        }
+        X509Extension::new_nid(None, Some(ctx), nid::SUBJECT_ALT_NAME, &value)
+    }
+}
+
+fn append(value: &mut String, first: &mut bool, should: bool, element: &str) {
+    if !should {
+        return;
+    }
+
+    if !*first {
+        value.push(',');
+    }
+    *first = false;
+    value.push_str(element);
+}

openssl/src/x509/mod.rs

@@ -1,11 +1,13 @@
+#![allow(deprecated)]
+use libc::{c_int, c_long};
 use ffi;
 use foreign_types::{ForeignType, ForeignTypeRef};
-use libc::{c_char, c_int, c_long, c_ulong};
 use std::borrow::Borrow;
 use std::collections::HashMap;
 use std::error::Error;
 use std::ffi::{CStr, CString};
 use std::fmt;
+use std::marker::PhantomData;
 use std::mem;
 use std::path::Path;
 use std::ptr;
@@ -13,15 +15,16 @@ use std::slice;
 use std::str;
 
 use {cvt, cvt_p};
-use asn1::{Asn1StringRef, Asn1Time, Asn1TimeRef, Asn1BitStringRef, Asn1ObjectRef};
+use asn1::{Asn1StringRef, Asn1Time, Asn1TimeRef, Asn1BitStringRef, Asn1IntegerRef, Asn1ObjectRef};
 use bio::MemBioSlice;
-use hash::MessageDigest;
+use bn::{BigNum, MSB_MAYBE_ZERO};
-use pkey::{PKey, PKeyRef};
+use conf::ConfRef;
-use rand::rand_bytes;
 use error::ErrorStack;
-use nid::Nid;
+use hash::MessageDigest;
-use string::OpensslString;
+use nid::{self, Nid};
+use pkey::{PKey, PKeyRef};
 use stack::{Stack, StackRef, Stackable};
+use string::OpensslString;
 
 #[cfg(ossl10x)]
 use ffi::{X509_set_notBefore, X509_set_notAfter, ASN1_STRING_data, X509_STORE_CTX_get_chain};
@@ -94,31 +97,7 @@ impl X509StoreContextRef {
     }
 }
 
-#[allow(non_snake_case)]
+#[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")]
-/// Generator of private key/certificate pairs
-///
-/// # Example
-///
-/// ```
-/// use openssl::hash::MessageDigest;
-/// use openssl::pkey::PKey;
-/// use openssl::rsa::Rsa;
-/// use openssl::x509::X509Generator;
-/// use openssl::x509::extension::{Extension, KeyUsageOption};
-///
-/// let rsa = Rsa::generate(2048).unwrap();
-/// let pkey = PKey::from_rsa(rsa).unwrap();
-///
-/// let gen = X509Generator::new()
-///        .set_valid_period(365*2)
-///        .add_name("CN".to_owned(), "SuperMegaCorp Inc.".to_owned())
-///        .set_sign_hash(MessageDigest::sha256())
-///        .add_extension(Extension::KeyUsage(vec![KeyUsageOption::DigitalSignature]));
-///
-/// let cert = gen.sign(&pkey).unwrap();
-/// let cert_pem = cert.to_pem().unwrap();
-/// let pkey_pem = pkey.private_key_to_pem().unwrap();
-/// ```
 pub struct X509Generator {
     days: u32,
     names: Vec<(String, String)>,
@@ -126,6 +105,7 @@ pub struct X509Generator {
     hash_type: MessageDigest,
 }
 
+#[allow(deprecated)]
 impl X509Generator {
     /// Creates a new generator with the following defaults:
     ///
@@ -134,6 +114,7 @@ impl X509Generator {
     /// CN: "rust-openssl"
     ///
     /// hash: SHA1
+    #[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")]
     pub fn new() -> X509Generator {
         X509Generator {
             days: 365,
@@ -144,6 +125,7 @@ impl X509Generator {
     }
 
     /// Sets certificate validity period in days since today
+    #[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")]
     pub fn set_valid_period(mut self, days: u32) -> X509Generator {
         self.days = days;
         self
@@ -155,6 +137,7 @@ impl X509Generator {
     /// # let generator = openssl::x509::X509Generator::new();
     /// generator.add_name("CN".to_string(),"example.com".to_string());
     /// ```
+    #[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")]
     pub fn add_name(mut self, attr_type: String, attr_value: String) -> X509Generator {
         self.names.push((attr_type, attr_value));
         self
@@ -166,6 +149,7 @@ impl X509Generator {
     /// # let generator = openssl::x509::X509Generator::new();
     /// generator.add_names(vec![("CN".to_string(),"example.com".to_string())]);
     /// ```
+    #[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")]
     pub fn add_names<I>(mut self, attrs: I) -> X509Generator
         where I: IntoIterator<Item = (String, String)>
     {
@@ -184,6 +168,7 @@ impl X509Generator {
     /// # let generator = openssl::x509::X509Generator::new();
     /// generator.add_extension(KeyUsage(vec![DigitalSignature, KeyEncipherment]));
     /// ```
+    #[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")]
     pub fn add_extension(mut self, ext: extension::Extension) -> X509Generator {
         self.extensions.add(ext);
         self
@@ -200,6 +185,7 @@ impl X509Generator {
     /// # let generator = openssl::x509::X509Generator::new();
     /// generator.add_extensions(vec![KeyUsage(vec![DigitalSignature, KeyEncipherment])]);
     /// ```
+    #[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")]
     pub fn add_extensions<I>(mut self, exts: I) -> X509Generator
         where I: IntoIterator<Item = extension::Extension>
     {
@@ -210,131 +196,66 @@ impl X509Generator {
         self
     }
 
+    #[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")]
     pub fn set_sign_hash(mut self, hash_type: MessageDigest) -> X509Generator {
         self.hash_type = hash_type;
         self
     }
 
-    fn add_extension_internal(x509: *mut ffi::X509,
+    /// Sets the certificate public-key, then self-sign and return it
-                              exttype: &extension::ExtensionType,
+    #[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")]
-                              value: &str)
+    pub fn sign(&self, p_key: &PKeyRef) -> Result<X509, ErrorStack> {
-                              -> Result<(), ErrorStack> {
+        let mut builder = try!(X509::builder());
-        unsafe {
+        try!(builder.set_version(2));
-            let mut ctx: ffi::X509V3_CTX = mem::zeroed();
+
-            ffi::X509V3_set_ctx(&mut ctx, x509, x509, ptr::null_mut(), ptr::null_mut(), 0);
+        let mut serial = try!(BigNum::new());
-            let value = CString::new(value.as_bytes()).unwrap();
+        try!(serial.rand(128, MSB_MAYBE_ZERO, false));
-            let ext = match exttype.get_nid() {
+        let serial = try!(serial.to_asn1_integer());
+        try!(builder.set_serial_number(&serial));
+
+        let not_before = try!(Asn1Time::days_from_now(0));
+        try!(builder.set_not_before(&not_before));
+        let not_after = try!(Asn1Time::days_from_now(self.days));
+        try!(builder.set_not_after(&not_after));
+
+        try!(builder.set_pubkey(p_key));
+
+        let mut name = try!(X509Name::builder());
+        if self.names.is_empty() {
+            try!(name.append_entry_by_nid(nid::COMMONNAME, "rust-openssl"));
+        } else {
+            for &(ref key, ref value) in &self.names {
+                try!(name.append_entry_by_text(key, value));
+            }
+        }
+        let name = name.build();
+
+        try!(builder.set_subject_name(&name));
+        try!(builder.set_issuer_name(&name));
+
+        for (exttype, ext) in self.extensions.iter() {
+            let extension = match exttype.get_nid() {
                 Some(nid) => {
-                    try!(cvt_p(ffi::X509V3_EXT_nconf_nid(ptr::null_mut(),
+                    let ctx = builder.x509v3_context(None, None);
-                                                         &mut ctx,
+                    try!(X509Extension::new_nid(None, Some(&ctx), nid, &ext.to_string()))
-                                                         nid.as_raw(),
-                                                         value.as_ptr() as *mut c_char)))
                 }
                 None => {
-                    let name = CString::new(exttype.get_name().unwrap().as_bytes()).unwrap();
+                    let ctx = builder.x509v3_context(None, None);
-                    try!(cvt_p(ffi::X509V3_EXT_nconf(ptr::null_mut(),
+                    try!(X509Extension::new(None,
-                                                     &mut ctx,
+                                            Some(&ctx),
-                                                     name.as_ptr() as *mut c_char,
+                                            &exttype.get_name().unwrap(),
-                                                     value.as_ptr() as *mut c_char)))
+                                            &ext.to_string()))
                 }
             };
-            if ffi::X509_add_ext(x509, ext, -1) != 1 {
+            try!(builder.append_extension(extension));
-                ffi::X509_EXTENSION_free(ext);
-                Err(ErrorStack::get())
-            } else {
-                Ok(())
-            }
-        }
-    }
-
-    fn add_name_internal(name: *mut ffi::X509_NAME,
-                         key: &str,
-                         value: &str)
-                         -> Result<(), ErrorStack> {
-        let value_len = value.len() as c_int;
-        unsafe {
-            let key = CString::new(key.as_bytes()).unwrap();
-            let value = CString::new(value.as_bytes()).unwrap();
-            cvt(ffi::X509_NAME_add_entry_by_txt(name,
-                                                key.as_ptr() as *const _,
-                                                ffi::MBSTRING_UTF8,
-                                                value.as_ptr() as *const _,
-                                                value_len,
-                                                -1,
-                                                0))
-                .map(|_| ())
-        }
-    }
-
-    fn random_serial() -> Result<c_long, ErrorStack> {
-        let len = mem::size_of::<c_long>();
-        let mut bytes = vec![0; len];
-        try!(rand_bytes(&mut bytes));
-        let mut res = 0;
-        for b in bytes.iter() {
-            res = res << 8;
-            res |= (*b as c_long) & 0xff;
         }
 
-        // While OpenSSL is actually OK to have negative serials
+        try!(builder.sign(p_key, self.hash_type));
-        // other libraries (for example, Go crypto) can drop
+        Ok(builder.build())
-        // such certificates as invalid, so we clear the high bit
-        Ok(((res as c_ulong) >> 1) as c_long)
-    }
-
-    /// Sets the certificate public-key, then self-sign and return it
-    pub fn sign(&self, p_key: &PKeyRef) -> Result<X509, ErrorStack> {
-        ffi::init();
-
-        unsafe {
-            let x509 = X509::from_ptr(try!(cvt_p(ffi::X509_new())));
-
-            try!(cvt(ffi::X509_set_version(x509.as_ptr(), 2)));
-            try!(cvt(ffi::ASN1_INTEGER_set(ffi::X509_get_serialNumber(x509.as_ptr()),
-                                           try!(X509Generator::random_serial()))));
-
-            let not_before = try!(Asn1Time::days_from_now(0));
-            let not_after = try!(Asn1Time::days_from_now(self.days));
-
-            try!(cvt(X509_set_notBefore(x509.as_ptr(), not_before.as_ptr() as *const _)));
-            // If prev line succeded - ownership should go to cert
-            mem::forget(not_before);
-
-            try!(cvt(X509_set_notAfter(x509.as_ptr(), not_after.as_ptr() as *const _)));
-            // If prev line succeded - ownership should go to cert
-            mem::forget(not_after);
-
-            try!(cvt(ffi::X509_set_pubkey(x509.as_ptr(), p_key.as_ptr())));
-
-            let name = try!(cvt_p(ffi::X509_get_subject_name(x509.as_ptr())));
-
-            let default = [("CN", "rust-openssl")];
-            let default_iter = &mut default.iter().map(|&(k, v)| (k, v));
-            let arg_iter = &mut self.names.iter().map(|&(ref k, ref v)| (&k[..], &v[..]));
-            let iter: &mut Iterator<Item = (&str, &str)> = if self.names.len() == 0 {
-                default_iter
-            } else {
-                arg_iter
-            };
-
-            for (key, val) in iter {
-                try!(X509Generator::add_name_internal(name, &key, &val));
-            }
-            try!(cvt(ffi::X509_set_issuer_name(x509.as_ptr(), name)));
-
-            for (exttype, ext) in self.extensions.iter() {
-                try!(X509Generator::add_extension_internal(x509.as_ptr(),
-                                                           &exttype,
-                                                           &ext.to_string()));
-            }
-
-            let hash_fn = self.hash_type.as_ptr();
-            try!(cvt(ffi::X509_sign(x509.as_ptr(), p_key.as_ptr(), hash_fn)));
-            Ok(x509)
-        }
     }
 
     /// Obtain a certificate signing request (CSR)
+    #[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")]
     pub fn request(&self, p_key: &PKeyRef) -> Result<X509Req, ErrorStack> {
         let cert = match self.sign(p_key) {
             Ok(c) => c,
@@ -360,6 +281,108 @@ impl X509Generator {
     }
 }
 
+/// A builder type which can create `X509` objects.
+pub struct X509Builder(X509);
+
+impl X509Builder {
+    /// Creates a new builder.
+    pub fn new() -> Result<X509Builder, ErrorStack> {
+        unsafe {
+            ffi::init();
+            cvt_p(ffi::X509_new()).map(|p| X509Builder(X509(p)))
+        }
+    }
+
+    /// Sets the notAfter constraint on the certificate.
+    pub fn set_not_after(&mut self, not_after: &Asn1TimeRef) -> Result<(), ErrorStack> {
+        unsafe { cvt(X509_set_notAfter(self.0.as_ptr(), not_after.as_ptr())).map(|_| ()) }
+    }
+
+    /// Sets the notBefore constraint on the certificate.
+    pub fn set_not_before(&mut self, not_before: &Asn1TimeRef) -> Result<(), ErrorStack> {
+        unsafe { cvt(X509_set_notBefore(self.0.as_ptr(), not_before.as_ptr())).map(|_| ()) }
+    }
+
+    /// Sets the version of the certificate.
+    ///
+    /// Note that the version is zero-indexed; that is, a certificate corresponding to version 3 of
+    /// the X.509 standard should pass `2` to this method.
+    pub fn set_version(&mut self, version: i32) -> Result<(), ErrorStack> {
+        unsafe { cvt(ffi::X509_set_version(self.0.as_ptr(), version.into())).map(|_| ()) }
+    }
+
+    /// Sets the serial number of the certificate.
+    pub fn set_serial_number(&mut self,
+                             serial_number: &Asn1IntegerRef)
+                             -> Result<(), ErrorStack> {
+        unsafe {
+            cvt(ffi::X509_set_serialNumber(self.0.as_ptr(), serial_number.as_ptr())).map(|_| ())
+        }
+    }
+
+    /// Sets the issuer name of the certificate.
+    pub fn set_issuer_name(&mut self, issuer_name: &X509NameRef) -> Result<(), ErrorStack> {
+        unsafe { cvt(ffi::X509_set_issuer_name(self.0.as_ptr(), issuer_name.as_ptr())).map(|_| ()) }
+    }
+
+    /// Sets the subject name of the certificate.
+    pub fn set_subject_name(&mut self, subject_name: &X509NameRef) -> Result<(), ErrorStack> {
+        unsafe {
+            cvt(ffi::X509_set_subject_name(self.0.as_ptr(), subject_name.as_ptr())).map(|_| ())
+        }
+    }
+
+    /// Sets the public key associated with the certificate.
+    pub fn set_pubkey(&mut self, key: &PKeyRef) -> Result<(), ErrorStack> {
+        unsafe { cvt(ffi::X509_set_pubkey(self.0.as_ptr(), key.as_ptr())).map(|_| ()) }
+    }
+
+    /// Returns a context object which is needed to create certain X509 extension values.
+    ///
+    /// Set `issuer` to `None` if the certificate will be self-signed.
+    pub fn x509v3_context<'a>(&'a self,
+                              issuer: Option<&'a X509Ref>,
+                              conf: Option<&'a ConfRef>)
+                              -> X509v3Context<'a> {
+        unsafe {
+            let mut ctx = mem::zeroed();
+
+            let issuer = match issuer {
+                Some(issuer) => issuer.as_ptr(),
+                None => self.0.as_ptr(),
+            };
+            let subject = self.0.as_ptr();
+            ffi::X509V3_set_ctx(&mut ctx, issuer, subject, ptr::null_mut(), ptr::null_mut(), 0);
+
+            // nodb case taken care of since we zeroed ctx above
+            if let Some(conf) = conf {
+                ffi::X509V3_set_nconf(&mut ctx, conf.as_ptr());
+            }
+
+            X509v3Context(ctx, PhantomData)
+        }
+    }
+
+    /// Adds an X509 extension value to the certificate.
+    pub fn append_extension(&mut self, extension: X509Extension) -> Result<(), ErrorStack> {
+        unsafe {
+            try!(cvt(ffi::X509_add_ext(self.0.as_ptr(), extension.as_ptr(), -1)));
+            mem::forget(extension);
+            Ok(())
+        }
+    }
+
+    /// Signs the certificate with a private key.
+    pub fn sign(&mut self, key: &PKeyRef, hash: MessageDigest) -> Result<(), ErrorStack> {
+        unsafe { cvt(ffi::X509_sign(self.0.as_ptr(), key.as_ptr(), hash.as_ptr())).map(|_| ()) }
+    }
+
+    /// Consumes the builder, returning the certificate.
+    pub fn build(self) -> X509 {
+        self.0
+    }
+}
+
 foreign_type! {
     type CType = ffi::X509;
     fn drop = ffi::X509_free;
@@ -483,6 +506,11 @@ impl ToOwned for X509Ref {
 }
 
 impl X509 {
+    /// Returns a new builder.
+    pub fn builder() -> Result<X509Builder, ErrorStack> {
+        X509Builder::new()
+    }
+
     from_pem!(X509, ffi::PEM_read_bio_X509);
     from_der!(X509, ffi::d2i_X509);
 
@@ -545,6 +573,122 @@ impl Stackable for X509 {
     type StackType = ffi::stack_st_X509;
 }
 
+/// A context object required to construct certain X509 extension values.
+pub struct X509v3Context<'a>(ffi::X509V3_CTX, PhantomData<(&'a X509Ref, &'a ConfRef)>);
+
+impl<'a> X509v3Context<'a> {
+    pub fn as_ptr(&self) -> *mut ffi::X509V3_CTX {
+        &self.0 as *const _ as *mut _
+    }
+}
+
+foreign_type! {
+    type CType = ffi::X509_EXTENSION;
+    fn drop = ffi::X509_EXTENSION_free;
+
+    pub struct X509Extension;
+    pub struct X509ExtensionRef;
+}
+
+impl Stackable for X509Extension {
+    type StackType = ffi::stack_st_X509_EXTENSION;
+}
+
+impl X509Extension {
+    /// Constructs an X509 extension value. See `man x509v3_config` for information on supported
+    /// names and their value formats.
+    ///
+    /// Some extension types, such as `subjectAlternativeName`, require an `X509v3Context` to be
+    /// provided.
+    ///
+    /// See the extension module for builder types which will construct certain common extensions.
+    pub fn new(conf: Option<&ConfRef>,
+               context: Option<&X509v3Context>,
+               name: &str,
+               value: &str)
+               -> Result<X509Extension, ErrorStack> {
+        let name = CString::new(name).unwrap();
+        let value = CString::new(value).unwrap();
+        unsafe {
+            ffi::init();
+            let conf = conf.map_or(ptr::null_mut(), ConfRef::as_ptr);
+            let context = context.map_or(ptr::null_mut(), X509v3Context::as_ptr);
+            let name = name.as_ptr() as *mut _;
+            let value = value.as_ptr() as *mut _;
+
+            cvt_p(ffi::X509V3_EXT_nconf(conf, context, name, value)).map(X509Extension)
+        }
+    }
+
+    /// Constructs an X509 extension value. See `man x509v3_config` for information on supported
+    /// extensions and their value formats.
+    ///
+    /// Some extension types, such as `nid::SUBJECT_ALTERNATIVE_NAME`, require an `X509v3Context` to
+    /// be provided.
+    ///
+    /// See the extension module for builder types which will construct certain common extensions.
+    pub fn new_nid(conf: Option<&ConfRef>,
+                   context: Option<&X509v3Context>,
+                   name: Nid,
+                   value: &str)
+                   -> Result<X509Extension, ErrorStack> {
+        let value = CString::new(value).unwrap();
+        unsafe {
+            ffi::init();
+            let conf = conf.map_or(ptr::null_mut(), ConfRef::as_ptr);
+            let context = context.map_or(ptr::null_mut(), X509v3Context::as_ptr);
+            let name = name.as_raw();
+            let value = value.as_ptr() as *mut _;
+
+            cvt_p(ffi::X509V3_EXT_nconf_nid(conf, context, name, value)).map(X509Extension)
+        }
+    }
+}
+
+pub struct X509NameBuilder(X509Name);
+
+impl X509NameBuilder {
+    pub fn new() -> Result<X509NameBuilder, ErrorStack> {
+        unsafe {
+            ffi::init();
+            cvt_p(ffi::X509_NAME_new()).map(|p| X509NameBuilder(X509Name(p)))
+        }
+    }
+
+    pub fn append_entry_by_text(&mut self, field: &str, value: &str) -> Result<(), ErrorStack> {
+        unsafe {
+            let field = CString::new(field).unwrap();
+            assert!(value.len() <= c_int::max_value() as usize);
+            cvt(ffi::X509_NAME_add_entry_by_txt(self.0.as_ptr(),
+                                                field.as_ptr() as *mut _,
+                                                ffi::MBSTRING_UTF8,
+                                                value.as_ptr(),
+                                                value.len() as c_int,
+                                                -1,
+                                                0))
+                .map(|_| ())
+        }
+    }
+
+    pub fn append_entry_by_nid(&mut self, field: Nid, value: &str) -> Result<(), ErrorStack> {
+        unsafe {
+            assert!(value.len() <= c_int::max_value() as usize);
+            cvt(ffi::X509_NAME_add_entry_by_NID(self.0.as_ptr(),
+                                                field.as_raw(),
+                                                ffi::MBSTRING_UTF8,
+                                                value.as_ptr() as *mut _,
+                                                value.len() as c_int,
+                                                -1,
+                                                0))
+                .map(|_| ())
+        }
+    }
+
+    pub fn build(self) -> X509Name {
+        self.0
+    }
+}
+
 foreign_type! {
     type CType = ffi::X509_NAME;
     fn drop = ffi::X509_NAME_free;
@@ -554,6 +698,11 @@ foreign_type! {
 }
 
 impl X509Name {
+    /// Returns a new builder.
+    pub fn builder() -> Result<X509NameBuilder, ErrorStack> {
+        X509NameBuilder::new()
+    }
+
     /// Loads subject names from a file containing PEM-formatted certificates.
     ///
     /// This is commonly used in conjunction with `SslContextBuilder::set_client_ca_list`.
@@ -622,6 +771,70 @@ impl X509NameEntryRef {
     }
 }
 
+pub struct X509ReqBuilder(X509Req);
+
+impl X509ReqBuilder {
+    pub fn new() -> Result<X509ReqBuilder, ErrorStack> {
+        unsafe {
+            ffi::init();
+            cvt_p(ffi::X509_REQ_new()).map(|p| X509ReqBuilder(X509Req(p)))
+        }
+
+    }
+
+    pub fn set_version(&mut self, version: i32) -> Result<(), ErrorStack> {
+        unsafe { cvt(ffi::X509_REQ_set_version(self.0.as_ptr(), version.into())).map(|_| ()) }
+    }
+
+    pub fn set_subject_name(&mut self, subject_name: &X509NameRef) -> Result<(), ErrorStack> {
+        unsafe {
+            cvt(ffi::X509_REQ_set_subject_name(self.0.as_ptr(), subject_name.as_ptr())).map(|_| ())
+        }
+    }
+
+    pub fn set_pubkey(&mut self, key: &PKeyRef) -> Result<(), ErrorStack> {
+        unsafe { cvt(ffi::X509_REQ_set_pubkey(self.0.as_ptr(), key.as_ptr())).map(|_| ()) }
+    }
+
+    pub fn x509v3_context<'a>(&'a self,
+                              conf: Option<&'a ConfRef>)
+                              -> X509v3Context<'a> {
+        unsafe {
+            let mut ctx = mem::zeroed();
+
+            ffi::X509V3_set_ctx(&mut ctx,
+                                ptr::null_mut(),
+                                ptr::null_mut(),
+                                self.0.as_ptr(),
+                                ptr::null_mut(),
+                                0);
+
+            // nodb case taken care of since we zeroed ctx above
+            if let Some(conf) = conf {
+                ffi::X509V3_set_nconf(&mut ctx, conf.as_ptr());
+            }
+
+            X509v3Context(ctx, PhantomData)
+        }
+    }
+
+    pub fn add_extensions(&mut self,
+                          extensions: &StackRef<X509Extension>)
+                          -> Result<(), ErrorStack> {
+        unsafe {
+            cvt(ffi::X509_REQ_add_extensions(self.0.as_ptr(), extensions.as_ptr())).map(|_| ())
+        }
+    }
+
+    pub fn sign(&mut self, key: &PKeyRef, hash: MessageDigest) -> Result<(), ErrorStack> {
+        unsafe { cvt(ffi::X509_REQ_sign(self.0.as_ptr(), key.as_ptr(), hash.as_ptr())).map(|_| ()) }
+    }
+
+    pub fn build(self) -> X509Req {
+        self.0
+    }
+}
+
 foreign_type! {
     type CType = ffi::X509_REQ;
     fn drop = ffi::X509_REQ_free;
@@ -631,6 +844,10 @@ foreign_type! {
 }
 
 impl X509Req {
+    pub fn builder() -> Result<X509ReqBuilder, ErrorStack> {
+        X509ReqBuilder::new()
+    }
+
     /// Reads CSR from PEM
     pub fn from_pem(buf: &[u8]) -> Result<X509Req, ErrorStack> {
         let mem_bio = try!(MemBioSlice::new(buf));
@@ -657,13 +874,6 @@ impl X509ReqRef {
         }
     }
 
-    pub fn set_version(&mut self, value: i32) -> Result<(), ErrorStack>
-    {
-        unsafe {
-            cvt(ffi::X509_REQ_set_version(self.as_ptr(), value as c_long)).map(|_| ())
-        }
-    }
-
     pub fn subject_name(&self) -> &X509NameRef {
         unsafe {
             let name = compat::X509_REQ_get_subject_name(self.as_ptr());
@@ -671,12 +881,6 @@ impl X509ReqRef {
             X509NameRef::from_ptr(name)
         }
     }
-
-    pub fn set_subject_name(&mut self, value: &X509NameRef) -> Result<(), ErrorStack> {
-        unsafe {
-            cvt(ffi::X509_REQ_set_subject_name(self.as_ptr(), value.as_ptr())).map(|_| ())
-        }
-    }
 }
 
 /// A collection of X.509 extensions.

openssl/src/x509/tests.rs

@@ -1,13 +1,17 @@
 use hex::{FromHex, ToHex};
 
+use asn1::Asn1Time;
+use bn::{BigNum, MSB_MAYBE_ZERO};
 use ec::{NAMED_CURVE, EcGroup, EcKey};
 use hash::MessageDigest;
 use nid::X9_62_PRIME256V1;
 use pkey::PKey;
 use rsa::Rsa;
+use stack::Stack;
+use x509::{X509, X509Generator, X509Name, X509Req};
+use x509::extension::{Extension, BasicConstraints, KeyUsage, ExtendedKeyUsage,
+                      SubjectKeyIdentifier, AuthorityKeyIdentifier, SubjectAlternativeName};
 use ssl::{SslMethod, SslContextBuilder};
-use x509::{X509, X509Generator, X509Req};
-use x509::extension::Extension::{KeyUsage, ExtKeyUsage, SubjectAltName, OtherNid, OtherStr};
 use x509::extension::AltNameOption as SAN;
 use x509::extension::KeyUsageOption::{DigitalSignature, KeyEncipherment};
 use x509::extension::ExtKeyUsageOption::{self, ClientAuth, ServerAuth};
@@ -18,13 +22,13 @@ fn get_generator() -> X509Generator {
         .set_valid_period(365 * 2)
         .add_name("CN".to_string(), "test_me".to_string())
         .set_sign_hash(MessageDigest::sha1())
-        .add_extension(KeyUsage(vec![DigitalSignature, KeyEncipherment]))
+        .add_extension(Extension::KeyUsage(vec![DigitalSignature, KeyEncipherment]))
-        .add_extension(ExtKeyUsage(vec![ClientAuth,
+        .add_extension(Extension::ExtKeyUsage(vec![ClientAuth,
                                         ServerAuth,
                                         ExtKeyUsageOption::Other("2.999.1".to_owned())]))
-        .add_extension(SubjectAltName(vec![(SAN::DNS, "example.com".to_owned())]))
+        .add_extension(Extension::SubjectAltName(vec![(SAN::DNS, "example.com".to_owned())]))
-        .add_extension(OtherNid(nid::BASIC_CONSTRAINTS, "critical,CA:TRUE".to_owned()))
+        .add_extension(Extension::OtherNid(nid::BASIC_CONSTRAINTS, "critical,CA:TRUE".to_owned()))
-        .add_extension(OtherStr("2.999.2".to_owned(), "ASN1:UTF8:example value".to_owned()))
+        .add_extension(Extension::OtherStr("2.999.2".to_owned(), "ASN1:UTF8:example value".to_owned()))
 }
 
 fn pkey() -> PKey {
@@ -51,8 +55,8 @@ fn test_cert_gen() {
 fn test_cert_gen_extension_ordering() {
     let pkey = pkey();
     get_generator()
-        .add_extension(OtherNid(nid::SUBJECT_KEY_IDENTIFIER, "hash".to_owned()))
+        .add_extension(Extension::OtherNid(nid::SUBJECT_KEY_IDENTIFIER, "hash".to_owned()))
-        .add_extension(OtherNid(nid::AUTHORITY_KEY_IDENTIFIER, "keyid:always".to_owned()))
+        .add_extension(Extension::OtherNid(nid::AUTHORITY_KEY_IDENTIFIER, "keyid:always".to_owned()))
         .sign(&pkey)
         .expect("Failed to generate cert with order-dependent extensions");
 }
@@ -63,8 +67,8 @@ fn test_cert_gen_extension_ordering() {
 fn test_cert_gen_extension_bad_ordering() {
     let pkey = pkey();
     let result = get_generator()
-        .add_extension(OtherNid(nid::AUTHORITY_KEY_IDENTIFIER, "keyid:always".to_owned()))
+        .add_extension(Extension::OtherNid(nid::AUTHORITY_KEY_IDENTIFIER, "keyid:always".to_owned()))
-        .add_extension(OtherNid(nid::SUBJECT_KEY_IDENTIFIER, "hash".to_owned()))
+        .add_extension(Extension::OtherNid(nid::SUBJECT_KEY_IDENTIFIER, "hash".to_owned()))
         .sign(&pkey);
 
     assert!(result.is_err());
@@ -183,6 +187,88 @@ fn test_subject_alt_name_iter() {
     assert!(subject_alt_names_iter.next().is_none());
 }
 
+#[test]
+fn x509_builder() {
+    let pkey = pkey();
+
+    let mut name = X509Name::builder().unwrap();
+    name.append_entry_by_nid(nid::COMMONNAME, "foobar.com").unwrap();
+    let name = name.build();
+
+    let mut builder = X509::builder().unwrap();
+    builder.set_version(2).unwrap();
+    builder.set_subject_name(&name).unwrap();
+    builder.set_issuer_name(&name).unwrap();
+    builder.set_not_before(&Asn1Time::days_from_now(0).unwrap()).unwrap();
+    builder.set_not_after(&Asn1Time::days_from_now(365).unwrap()).unwrap();
+    builder.set_pubkey(&pkey).unwrap();
+
+    let mut serial = BigNum::new().unwrap();;
+    serial.rand(128, MSB_MAYBE_ZERO, false).unwrap();
+    builder.set_serial_number(&serial.to_asn1_integer().unwrap()).unwrap();
+
+    let basic_constraints = BasicConstraints::new().critical().ca().build().unwrap();
+    builder.append_extension(basic_constraints).unwrap();
+    let key_usage = KeyUsage::new().digital_signature().key_encipherment().build().unwrap();
+    builder.append_extension(key_usage).unwrap();
+    let ext_key_usage = ExtendedKeyUsage::new()
+        .client_auth()
+        .server_auth()
+        .other("2.999.1")
+        .build()
+        .unwrap();
+    builder.append_extension(ext_key_usage).unwrap();
+    let subject_key_identifier = SubjectKeyIdentifier::new()
+        .build(&builder.x509v3_context(None, None))
+        .unwrap();
+    builder.append_extension(subject_key_identifier).unwrap();
+    let authority_key_identifier = AuthorityKeyIdentifier::new()
+        .keyid(true)
+        .build(&builder.x509v3_context(None, None))
+        .unwrap();
+    builder.append_extension(authority_key_identifier).unwrap();
+    let subject_alternative_name = SubjectAlternativeName::new()
+        .dns("example.com")
+        .build(&builder.x509v3_context(None, None))
+        .unwrap();
+    builder.append_extension(subject_alternative_name).unwrap();
+
+    builder.sign(&pkey, MessageDigest::sha256()).unwrap();
+
+    let x509 = builder.build();
+
+    assert!(pkey.public_eq(&x509.public_key().unwrap()));
+
+    let cn = x509.subject_name().entries_by_nid(nid::COMMONNAME).next().unwrap();
+    assert_eq!("foobar.com".as_bytes(), cn.data().as_slice());
+}
+
+#[test]
+fn x509_req_builder() {
+    let pkey = pkey();
+
+    let mut name = X509Name::builder().unwrap();
+    name.append_entry_by_nid(nid::COMMONNAME, "foobar.com").unwrap();
+    let name = name.build();
+
+    let mut builder = X509Req::builder().unwrap();
+    builder.set_version(2).unwrap();
+    builder.set_subject_name(&name).unwrap();
+    builder.set_pubkey(&pkey).unwrap();
+
+    let mut extensions = Stack::new().unwrap();
+    let key_usage = KeyUsage::new().digital_signature().key_encipherment().build().unwrap();
+    extensions.push(key_usage).unwrap();
+    let subject_alternative_name = SubjectAlternativeName::new()
+        .dns("example.com")
+        .build(&builder.x509v3_context(None))
+        .unwrap();
+    extensions.push(subject_alternative_name).unwrap();
+    builder.add_extensions(&extensions).unwrap();
+
+    builder.sign(&pkey, MessageDigest::sha256()).unwrap();
+}
+
 #[test]
 fn test_stack_from_pem() {
     let certs = include_bytes!("../../test/certs.pem");