X509 signature access

openssl-sys/src/lib.rs

@@ -48,6 +48,7 @@ pub enum OCSP_REQUEST {}
 pub enum OCSP_ONEREQ {}
 pub enum SSL_CIPHER {}
 pub enum SSL_METHOD {}
+pub enum X509_ALGOR {}
 pub enum X509_CRL {}
 pub enum X509_EXTENSION {}
 pub enum X509_NAME {}

openssl-sys/src/libressl.rs

@@ -247,8 +247,8 @@ pub struct DH {
 #[repr(C)]
 pub struct X509 {
     pub cert_info: *mut X509_CINF,
-    sig_alg: *mut c_void,
-    signature: *mut c_void,
+    pub sig_alg: *mut ::X509_ALGOR,
+    pub signature: *mut ::ASN1_BIT_STRING,
     pub valid: c_int,
     pub references: c_int,
     pub name: *mut c_char,

openssl-sys/src/ossl10x.rs

@@ -250,8 +250,8 @@ pub struct DH {
 #[repr(C)]
 pub struct X509 {
     pub cert_info: *mut X509_CINF,
-    sig_alg: *mut c_void,
-    signature: *mut c_void,
+    pub sig_alg: *mut ::X509_ALGOR,
+    pub signature: *mut ::ASN1_BIT_STRING,
     pub valid: c_int,
     pub references: c_int,
     pub name: *mut c_char,
@@ -833,6 +833,8 @@ extern {
     pub fn X509_set_notAfter(x: *mut ::X509, tm: *const ::ASN1_TIME) -> c_int;
     pub fn X509_set_notBefore(x: *mut ::X509, tm: *const ::ASN1_TIME) -> c_int;
     pub fn X509_get_ext_d2i(x: *mut ::X509, nid: c_int, crit: *mut c_int, idx: *mut c_int) -> *mut c_void;
+    #[cfg(not(ossl101))]
+    pub fn X509_get0_signature(psig: *mut *mut ::ASN1_BIT_STRING, palg: *mut *mut ::X509_ALGOR, x: *const ::X509);
     pub fn X509_NAME_get_entry(n: *mut ::X509_NAME, loc: c_int) -> *mut ::X509_NAME_ENTRY;
     pub fn X509_NAME_ENTRY_get_data(ne: *mut ::X509_NAME_ENTRY) -> *mut ::ASN1_STRING;
     pub fn X509_STORE_CTX_get_chain(ctx: *mut ::X509_STORE_CTX) -> *mut stack_st_X509;

openssl-sys/src/ossl110.rs

@@ -127,6 +127,7 @@ extern {
     pub fn SSL_CTX_clear_options(ctx: *mut ::SSL_CTX, op: c_ulong) -> c_ulong;
     pub fn X509_getm_notAfter(x: *const ::X509) -> *mut ::ASN1_TIME;
     pub fn X509_getm_notBefore(x: *const ::X509) -> *mut ::ASN1_TIME;
+    pub fn X509_get0_signature(psig: *mut *const ::ASN1_BIT_STRING, palg: *mut *const ::X509_ALGOR, x: *const ::X509);
     pub fn DH_set0_pqg(dh: *mut ::DH,
                        p: *mut ::BIGNUM,
                        q: *mut ::BIGNUM,

openssl/src/x509/mod.rs

@@ -13,7 +13,7 @@ use std::slice;
 use std::str;
 
 use {cvt, cvt_p};
-use asn1::{Asn1StringRef, Asn1Time, Asn1TimeRef};
+use asn1::{Asn1StringRef, Asn1Time, Asn1TimeRef, Asn1BitStringRef};
 use bio::MemBioSlice;
 use hash::MessageDigest;
 use pkey::{PKey, PKeyRef};
@@ -410,8 +410,8 @@ impl X509Ref {
         }
     }
 
-    /// Returns certificate Not After validity period.
-    pub fn not_after<'a>(&'a self) -> &'a Asn1TimeRef {
+    /// Returns the certificate's Not After validity period.
+    pub fn not_after(&self) -> &Asn1TimeRef {
         unsafe {
             let date = compat::X509_get_notAfter(self.as_ptr());
             assert!(!date.is_null());
@@ -419,8 +419,8 @@ impl X509Ref {
         }
     }
 
-    /// Returns certificate Not Before validity period.
-    pub fn not_before<'a>(&'a self) -> &'a Asn1TimeRef {
+    /// Returns the certificate's Not Before validity period.
+    pub fn not_before(&self) -> &Asn1TimeRef {
         unsafe {
             let date = compat::X509_get_notBefore(self.as_ptr());
             assert!(!date.is_null());
@@ -428,6 +428,16 @@ impl X509Ref {
         }
     }
 
+    /// Returns the certificate's signature
+    pub fn signature(&self) -> &Asn1BitStringRef {
+        unsafe {
+            let mut signature = ptr::null();
+            compat::X509_get0_signature(&mut signature, ptr::null_mut(), self.as_ptr());
+            assert!(!signature.is_null());
+            Asn1BitStringRef::from_ptr(signature as *mut _)
+        }
+    }
+
     /// Returns the list of OCSP responder URLs specified in the certificate's Authority Information
     /// Access field.
     pub fn ocsp_responders(&self) -> Result<Stack<OpensslString>, ErrorStack> {
@@ -815,6 +825,7 @@ mod compat {
     pub use ffi::X509_getm_notBefore as X509_get_notBefore;
     pub use ffi::X509_up_ref;
     pub use ffi::X509_get0_extensions;
+    pub use ffi::X509_get0_signature;
 }
 
 #[cfg(ossl10x)]
@@ -848,4 +859,15 @@ mod compat {
             (*info).extensions
         }
     }
+
+    pub unsafe fn X509_get0_signature(psig: *mut *const ffi::ASN1_BIT_STRING,
+                                      palg: *mut *const ffi::X509_ALGOR, 
+                                      x: *const ffi::X509) {
+        if !psig.is_null() {
+            *psig = (*x).signature;
+        }
+        if !palg.is_null() {
+            *palg = (*x).sig_alg;
+        }
+    }
 }

openssl/src/x509/tests.rs

@@ -220,3 +220,18 @@ fn ecdsa_cert() {
     ctx.set_private_key(&key).unwrap();
     ctx.check_private_key().unwrap();
 }
+
+#[test]
+fn signature() {
+    let cert = include_bytes!("../../test/cert.pem");
+    let cert = X509::from_pem(cert).unwrap();
+    let signature = cert.signature();
+    assert_eq!(signature.as_slice().to_hex(),
+               "4af607b889790b43470442cfa551cdb8b6d0b0340d2958f76b9e3ef6ad4992230cead6842587f0ecad5\
+                78e6e11a221521e940187e3d6652de14e84e82f6671f097cc47932e022add3c0cb54a26bf27fa84c107\
+                4971caa6bee2e42d34a5b066c427f2d452038082b8073993399548088429de034fdd589dcfb0dd33be7\
+                ebdfdf698a28d628a89568881d658151276bde333600969502c4e62e1d3470a683364dfb241f78d310a\
+                89c119297df093eb36b7fd7540224f488806780305d1e79ffc938fe2275441726522ab36d88348e6c51\
+                f13dcc46b5e1cdac23c974fd5ef86aa41e91c9311655090a52333bc79687c748d833595d4c5f987508f\
+                e121997410d37c");
+}