Merge pull request #240 from jethrogb/topic/x509_req_extension

Implement certificate extensions for certificate requests
2015-08-15 16:04:42 -04:00 · 2015-08-15 16:04:42 -04:00 · 769b8312d8
parent df32e53afa 90dd54b541
commit 769b8312d8
4 changed files with 43 additions and 9 deletions
--- a/openssl-sys/src/lib.rs
+++ b/openssl-sys/src/lib.rs
@ -37,6 +37,7 @@ pub type X509_NAME = c_void;
 pub type X509_NAME_ENTRY = c_void;
 pub type X509_REQ = c_void;
 pub type X509_STORE_CTX = c_void;
+pub type stack_st_X509_EXTENSION = c_void;

 #[repr(C)]
 pub struct EVP_MD_CTX {
@ -633,6 +634,9 @@ extern "C" {
    pub fn X509V3_EXT_conf(conf: *mut c_void, ctx: *mut X509V3_CTX, name: *mut c_char, value: *mut c_char) -> *mut X509_EXTENSION;
    pub fn X509V3_set_ctx(ctx: *mut X509V3_CTX, issuer: *mut X509, subject: *mut X509, req: *mut X509_REQ, crl: *mut X509_CRL, flags: c_int);

+    pub fn X509_REQ_add_extensions(req: *mut X509_REQ, exts: *mut stack_st_X509_EXTENSION) -> c_int;
+    pub fn X509_REQ_sign(x: *mut X509_REQ, pkey: *mut EVP_PKEY, md: *const EVP_MD) -> c_int;
+
    pub fn i2d_RSA_PUBKEY(k: *mut RSA, buf: *const *mut u8) -> c_int;
    pub fn d2i_RSA_PUBKEY(k: *const *mut RSA, buf: *const *const u8, len: c_uint) -> *mut RSA;
    pub fn i2d_RSAPrivateKey(k: *mut RSA, buf: *const *mut u8) -> c_int;
@ -652,6 +656,8 @@ extern "C" {
    pub fn SSL_CTX_set_read_ahead(ctx: *mut SSL_CTX, m: c_long) -> c_long;
    #[link_name = "SSL_set_tlsext_host_name_shim"]
    pub fn SSL_set_tlsext_host_name(s: *mut SSL, name: *const c_char) -> c_long;
+    #[link_name = "X509_get_extensions_shim"]
+    pub fn X509_get_extensions(x: *mut X509) -> *mut stack_st_X509_EXTENSION;
 }

 pub mod probe;
--- a/openssl-sys/src/openssl_shim.c
+++ b/openssl-sys/src/openssl_shim.c
@ -82,3 +82,7 @@ long SSL_CTX_set_read_ahead_shim(SSL_CTX *ctx, long m) {
 long SSL_set_tlsext_host_name_shim(SSL *s, char *name) {
    return SSL_set_tlsext_host_name(s, name);
 }
+
+STACK_OF(X509_EXTENSION) *X509_get_extensions_shim(X509 *x) {
+    return x->cert_info ? x->cert_info->extensions : NULL;
+}
--- a/openssl/src/x509/mod.rs
+++ b/openssl/src/x509/mod.rs
@ -396,13 +396,22 @@ impl X509Generator {
            Err(x) => return Err(x)
        };

-        let hash_fn = self.hash_type.evp_md();
-        let req = unsafe { ffi::X509_to_X509_REQ(cert.handle, p_key.get_handle(), hash_fn) };
+        unsafe {
+            let req = ffi::X509_to_X509_REQ(cert.handle, ptr::null_mut(), ptr::null());
            try_ssl_null!(req);

+            let exts = ffi::X509_get_extensions(cert.handle);
+            if exts != ptr::null_mut() {
+                try_ssl!(ffi::X509_REQ_add_extensions(req,exts));
+            }
+
+            let hash_fn = self.hash_type.evp_md();
+            try_ssl!(ffi::X509_REQ_sign(req, p_key.get_handle(), hash_fn));
+
            Ok(X509Req::new(req))
        }
    }
+}


 #[allow(dead_code)]
--- a/openssl/src/x509/tests.rs
+++ b/openssl/src/x509/tests.rs
@ -4,6 +4,7 @@ use std::path::Path;
 use std::fs::File;

 use crypto::hash::Type::{SHA256};
+use crypto::pkey::PKey;
 use x509::{X509, X509Generator};
 use x509::extension::Extension::{KeyUsage,ExtKeyUsage,SubjectAltName,OtherNid,OtherStr};
 use x509::extension::AltNameOption as SAN;
@ -11,9 +12,8 @@ use x509::extension::KeyUsageOption::{DigitalSignature, KeyEncipherment};
 use x509::extension::ExtKeyUsageOption::{self, ClientAuth, ServerAuth};
 use nid::Nid;

-#[test]
-fn test_cert_gen() {
-    let gen = X509Generator::new()
+fn get_generator() -> X509Generator {
+    X509Generator::new()
        .set_bitlength(2048)
        .set_valid_period(365*2)
        .add_name("CN".to_string(),"test_me".to_string())
@ -22,9 +22,12 @@ fn test_cert_gen() {
        .add_extension(ExtKeyUsage(vec![ClientAuth, ServerAuth, ExtKeyUsageOption::Other("2.999.1".to_owned())]))
        .add_extension(SubjectAltName(vec![(SAN::DNS,"example.com".to_owned())]))
        .add_extension(OtherNid(Nid::BasicConstraints,"critical,CA:TRUE".to_owned()))
-        .add_extension(OtherStr("2.999.2".to_owned(),"ASN1:UTF8:example value".to_owned()));
+        .add_extension(OtherStr("2.999.2".to_owned(),"ASN1:UTF8:example value".to_owned()))
+}

-    let (cert, pkey) = gen.generate().unwrap();
+#[test]
+fn test_cert_gen() {
+    let (cert, pkey) = get_generator().generate().unwrap();
    cert.write_pem(&mut io::sink()).unwrap();
    pkey.write_pem(&mut io::sink()).unwrap();

@ -34,6 +37,18 @@ fn test_cert_gen() {
    assert_eq!(pkey.save_pub(), cert.public_key().save_pub());
 }

+#[test]
+fn test_req_gen() {
+    let mut pkey = PKey::new();
+    pkey.gen(512);
+
+    let req = get_generator().request(&pkey).unwrap();
+    req.write_pem(&mut io::sink()).unwrap();
+
+    // FIXME: check data in result to be correct, needs implementation
+    // of X509_REQ getters
+}
+
 #[test]
 fn test_cert_loading() {
    let cert_path = Path::new("test/cert.pem");