Steven Fackler
GitHub
commit
90d8a799fe
|
|
@ -17,7 +17,7 @@ save_openssl: &SAVE_OPENSSL
|
||||||
paths:
|
paths:
|
||||||
- /openssl
|
- /openssl
|
||||||
deps_key: &DEPS_KEY
|
deps_key: &DEPS_KEY
|
||||||
key: deps-1.19.0-{{ checksum "Cargo.lock" }}-{{ checksum "~/lib_key" }}-2
|
key: deps-1.20.0-{{ checksum "Cargo.lock" }}-{{ checksum "~/lib_key" }}-2
|
||||||
restore_deps: &RESTORE_DEPS
|
restore_deps: &RESTORE_DEPS
|
||||||
restore_cache:
|
restore_cache:
|
||||||
<<: *DEPS_KEY
|
<<: *DEPS_KEY
|
||||||
|
|
@ -31,7 +31,7 @@ save_deps: &SAVE_DEPS
|
||||||
job: &JOB
|
job: &JOB
|
||||||
working_directory: ~/build
|
working_directory: ~/build
|
||||||
docker:
|
docker:
|
||||||
- image: rust:1.19.0
|
- image: rust:1.20.0
|
||||||
steps:
|
steps:
|
||||||
- checkout
|
- checkout
|
||||||
- run: apt-get update
|
- run: apt-get update
|
||||||
|
|
@ -77,7 +77,7 @@ macos_job: &MACOS_JOB
|
||||||
- checkout
|
- checkout
|
||||||
- run: sudo mkdir /opt
|
- run: sudo mkdir /opt
|
||||||
- run: sudo chown -R $USER /usr/local /opt
|
- run: sudo chown -R $USER /usr/local /opt
|
||||||
- run: curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain 1.19.0
|
- run: curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain 1.20.0
|
||||||
- run: sudo ln -s $CARGO_HOME/bin/* /usr/local/bin
|
- run: sudo ln -s $CARGO_HOME/bin/* /usr/local/bin
|
||||||
- *RESTORE_REGISTRY
|
- *RESTORE_REGISTRY
|
||||||
- run: cargo generate-lockfile
|
- run: cargo generate-lockfile
|
||||||
|
|
|
||||||
|
|
@ -19,7 +19,7 @@ v102 = []
|
||||||
v110 = []
|
v110 = []
|
||||||
|
|
||||||
[dependencies]
|
[dependencies]
|
||||||
bitflags = "0.9"
|
bitflags = "1.0"
|
||||||
foreign-types = "0.3.1"
|
foreign-types = "0.3.1"
|
||||||
lazy_static = "1"
|
lazy_static = "1"
|
||||||
libc = "0.2"
|
libc = "0.2"
|
||||||
|
|
|
||||||
|
|
@ -4,7 +4,7 @@
|
||||||
extern crate openssl;
|
extern crate openssl;
|
||||||
|
|
||||||
use openssl::asn1::Asn1Time;
|
use openssl::asn1::Asn1Time;
|
||||||
use openssl::bn::{BigNum, MSB_MAYBE_ZERO};
|
use openssl::bn::{BigNum, MsbOption};
|
||||||
use openssl::error::ErrorStack;
|
use openssl::error::ErrorStack;
|
||||||
use openssl::hash::MessageDigest;
|
use openssl::hash::MessageDigest;
|
||||||
use openssl::pkey::{PKey, PKeyRef};
|
use openssl::pkey::{PKey, PKeyRef};
|
||||||
|
|
@ -30,7 +30,7 @@ fn mk_ca_cert() -> Result<(X509, PKey), ErrorStack> {
|
||||||
cert_builder.set_version(2)?;
|
cert_builder.set_version(2)?;
|
||||||
let serial_number = {
|
let serial_number = {
|
||||||
let mut serial = BigNum::new()?;
|
let mut serial = BigNum::new()?;
|
||||||
serial.rand(159, MSB_MAYBE_ZERO, false)?;
|
serial.rand(159, MsbOption::MAYBE_ZERO, false)?;
|
||||||
serial.to_asn1_integer()?
|
serial.to_asn1_integer()?
|
||||||
};
|
};
|
||||||
cert_builder.set_serial_number(&serial_number)?;
|
cert_builder.set_serial_number(&serial_number)?;
|
||||||
|
|
@ -88,7 +88,7 @@ fn mk_ca_signed_cert(ca_cert: &X509Ref, ca_privkey: &PKeyRef) -> Result<(X509, P
|
||||||
cert_builder.set_version(2)?;
|
cert_builder.set_version(2)?;
|
||||||
let serial_number = {
|
let serial_number = {
|
||||||
let mut serial = BigNum::new()?;
|
let mut serial = BigNum::new()?;
|
||||||
serial.rand(159, MSB_MAYBE_ZERO, false)?;
|
serial.rand(159, MsbOption::MAYBE_ZERO, false)?;
|
||||||
serial.to_asn1_integer()?
|
serial.to_asn1_integer()?
|
||||||
};
|
};
|
||||||
cert_builder.set_serial_number(&serial_number)?;
|
cert_builder.set_serial_number(&serial_number)?;
|
||||||
|
|
@ -109,8 +109,8 @@ fn mk_ca_signed_cert(ca_cert: &X509Ref, ca_privkey: &PKeyRef) -> Result<(X509, P
|
||||||
.key_encipherment()
|
.key_encipherment()
|
||||||
.build()?)?;
|
.build()?)?;
|
||||||
|
|
||||||
let subject_key_identifier = SubjectKeyIdentifier::new()
|
let subject_key_identifier =
|
||||||
.build(&cert_builder.x509v3_context(Some(ca_cert), None))?;
|
SubjectKeyIdentifier::new().build(&cert_builder.x509v3_context(Some(ca_cert), None))?;
|
||||||
cert_builder.append_extension(subject_key_identifier)?;
|
cert_builder.append_extension(subject_key_identifier)?;
|
||||||
|
|
||||||
let auth_key_identifier = AuthorityKeyIdentifier::new()
|
let auth_key_identifier = AuthorityKeyIdentifier::new()
|
||||||
|
|
|
||||||
|
|
@ -30,16 +30,16 @@ use libc::c_int;
|
||||||
use std::cmp::Ordering;
|
use std::cmp::Ordering;
|
||||||
use std::ffi::CString;
|
use std::ffi::CString;
|
||||||
use std::{fmt, ptr};
|
use std::{fmt, ptr};
|
||||||
use std::ops::{Add, Div, Mul, Neg, Rem, Shl, Shr, Sub, Deref};
|
use std::ops::{Add, Deref, Div, Mul, Neg, Rem, Shl, Shr, Sub};
|
||||||
|
|
||||||
use {cvt, cvt_p, cvt_n};
|
use {cvt, cvt_n, cvt_p};
|
||||||
use asn1::Asn1Integer;
|
use asn1::Asn1Integer;
|
||||||
use error::ErrorStack;
|
use error::ErrorStack;
|
||||||
use string::OpensslString;
|
use string::OpensslString;
|
||||||
|
|
||||||
#[cfg(ossl10x)]
|
#[cfg(ossl10x)]
|
||||||
use ffi::{get_rfc2409_prime_768 as BN_get_rfc2409_prime_768,
|
use ffi::{get_rfc2409_prime_1024 as BN_get_rfc2409_prime_1024,
|
||||||
get_rfc2409_prime_1024 as BN_get_rfc2409_prime_1024,
|
get_rfc2409_prime_768 as BN_get_rfc2409_prime_768,
|
||||||
get_rfc3526_prime_1536 as BN_get_rfc3526_prime_1536,
|
get_rfc3526_prime_1536 as BN_get_rfc3526_prime_1536,
|
||||||
get_rfc3526_prime_2048 as BN_get_rfc3526_prime_2048,
|
get_rfc3526_prime_2048 as BN_get_rfc3526_prime_2048,
|
||||||
get_rfc3526_prime_3072 as BN_get_rfc3526_prime_3072,
|
get_rfc3526_prime_3072 as BN_get_rfc3526_prime_3072,
|
||||||
|
|
@ -48,24 +48,26 @@ use ffi::{get_rfc2409_prime_768 as BN_get_rfc2409_prime_768,
|
||||||
get_rfc3526_prime_8192 as BN_get_rfc3526_prime_8192};
|
get_rfc3526_prime_8192 as BN_get_rfc3526_prime_8192};
|
||||||
|
|
||||||
#[cfg(ossl110)]
|
#[cfg(ossl110)]
|
||||||
use ffi::{BN_get_rfc2409_prime_768, BN_get_rfc2409_prime_1024, BN_get_rfc3526_prime_1536,
|
use ffi::{BN_get_rfc2409_prime_1024, BN_get_rfc2409_prime_768, BN_get_rfc3526_prime_1536,
|
||||||
BN_get_rfc3526_prime_2048, BN_get_rfc3526_prime_3072, BN_get_rfc3526_prime_4096,
|
BN_get_rfc3526_prime_2048, BN_get_rfc3526_prime_3072, BN_get_rfc3526_prime_4096,
|
||||||
BN_get_rfc3526_prime_6144, BN_get_rfc3526_prime_8192};
|
BN_get_rfc3526_prime_6144, BN_get_rfc3526_prime_8192};
|
||||||
|
|
||||||
/// Options for the most significant bits of a randomly generated `BigNum`.
|
/// Options for the most significant bits of a randomly generated `BigNum`.
|
||||||
pub struct MsbOption(c_int);
|
pub struct MsbOption(c_int);
|
||||||
|
|
||||||
/// The most significant bit of the number may be 0.
|
impl MsbOption {
|
||||||
pub const MSB_MAYBE_ZERO: MsbOption = MsbOption(-1);
|
/// The most significant bit of the number may be 0.
|
||||||
|
pub const MAYBE_ZERO: MsbOption = MsbOption(-1);
|
||||||
|
|
||||||
/// The most significant bit of the number must be 1.
|
/// The most significant bit of the number must be 1.
|
||||||
pub const MSB_ONE: MsbOption = MsbOption(0);
|
pub const ONE: MsbOption = MsbOption(0);
|
||||||
|
|
||||||
/// The most significant two bits of the number must be 1.
|
/// The most significant two bits of the number must be 1.
|
||||||
///
|
///
|
||||||
/// The number of bits in the product of two such numbers will always be exactly twice the number
|
/// The number of bits in the product of two such numbers will always be exactly twice the
|
||||||
/// of bits in the original numbers.
|
/// number of bits in the original numbers.
|
||||||
pub const TWO_MSB_ONE: MsbOption = MsbOption(1);
|
pub const TWO_ONES: MsbOption = MsbOption(1);
|
||||||
|
}
|
||||||
|
|
||||||
foreign_type_and_impl_send_sync! {
|
foreign_type_and_impl_send_sync! {
|
||||||
type CType = ffi::BN_CTX;
|
type CType = ffi::BN_CTX;
|
||||||
|
|
@ -396,14 +398,14 @@ impl BigNumRef {
|
||||||
/// # Examples
|
/// # Examples
|
||||||
///
|
///
|
||||||
/// ```
|
/// ```
|
||||||
/// use openssl::bn::{BigNum,MSB_MAYBE_ZERO};
|
/// use openssl::bn::{BigNum, MsbOption};
|
||||||
/// use openssl::error::ErrorStack;
|
/// use openssl::error::ErrorStack;
|
||||||
///
|
///
|
||||||
/// fn generate_random() -> Result< BigNum, ErrorStack > {
|
/// fn generate_random() -> Result< BigNum, ErrorStack > {
|
||||||
/// let mut big = BigNum::new()?;
|
/// let mut big = BigNum::new()?;
|
||||||
///
|
///
|
||||||
/// // Generates a 128-bit odd random number
|
/// // Generates a 128-bit odd random number
|
||||||
/// big.rand(128, MSB_MAYBE_ZERO, true);
|
/// big.rand(128, MsbOption::MAYBE_ZERO, true);
|
||||||
/// Ok((big))
|
/// Ok((big))
|
||||||
/// }
|
/// }
|
||||||
/// ```
|
/// ```
|
||||||
|
|
@ -1345,7 +1347,7 @@ impl Neg for BigNum {
|
||||||
|
|
||||||
#[cfg(test)]
|
#[cfg(test)]
|
||||||
mod tests {
|
mod tests {
|
||||||
use bn::{BigNumContext, BigNum};
|
use bn::{BigNum, BigNumContext};
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn test_to_from_slice() {
|
fn test_to_from_slice() {
|
||||||
|
|
|
||||||
|
|
@ -20,10 +20,10 @@
|
||||||
//!
|
//!
|
||||||
//! ```
|
//! ```
|
||||||
//! use openssl::ec::{EcGroup, EcPoint};
|
//! use openssl::ec::{EcGroup, EcPoint};
|
||||||
//! use openssl::nid;
|
//! use openssl::nid::Nid;
|
||||||
//! use openssl::error::ErrorStack;
|
//! use openssl::error::ErrorStack;
|
||||||
//! fn get_ec_point() -> Result< EcPoint, ErrorStack > {
|
//! fn get_ec_point() -> Result<EcPoint, ErrorStack> {
|
||||||
//! let group = EcGroup::from_curve_name(nid::SECP224R1)?;
|
//! let group = EcGroup::from_curve_name(Nid::SECP224R1)?;
|
||||||
//! let point = EcPoint::new(&group)?;
|
//! let point = EcPoint::new(&group)?;
|
||||||
//! Ok(point)
|
//! Ok(point)
|
||||||
//! }
|
//! }
|
||||||
|
|
@ -38,47 +38,10 @@ use std::mem;
|
||||||
use libc::c_int;
|
use libc::c_int;
|
||||||
|
|
||||||
use {cvt, cvt_n, cvt_p, init};
|
use {cvt, cvt_n, cvt_p, init};
|
||||||
use bn::{BigNumRef, BigNumContextRef};
|
use bn::{BigNumContextRef, BigNumRef};
|
||||||
use error::ErrorStack;
|
use error::ErrorStack;
|
||||||
use nid::Nid;
|
use nid::Nid;
|
||||||
|
|
||||||
/// Compressed conversion from point value (Default)
|
|
||||||
pub const POINT_CONVERSION_COMPRESSED: PointConversionForm =
|
|
||||||
PointConversionForm(ffi::point_conversion_form_t::POINT_CONVERSION_COMPRESSED);
|
|
||||||
|
|
||||||
/// Uncompressed conversion from point value (Binary curve default)
|
|
||||||
pub const POINT_CONVERSION_UNCOMPRESSED: PointConversionForm =
|
|
||||||
PointConversionForm(ffi::point_conversion_form_t::POINT_CONVERSION_UNCOMPRESSED);
|
|
||||||
|
|
||||||
/// Performs both compressed and uncompressed conversions
|
|
||||||
pub const POINT_CONVERSION_HYBRID: PointConversionForm =
|
|
||||||
PointConversionForm(ffi::point_conversion_form_t::POINT_CONVERSION_HYBRID);
|
|
||||||
|
|
||||||
/// Curve defined using polynomial parameters
|
|
||||||
///
|
|
||||||
/// Most applications use a named EC_GROUP curve, however, support
|
|
||||||
/// is included to explicitly define the curve used to calculate keys
|
|
||||||
/// This information would need to be known by both endpoint to make communication
|
|
||||||
/// effective.
|
|
||||||
///
|
|
||||||
/// OPENSSL_EC_EXPLICIT_CURVE, but that was only added in 1.1.
|
|
||||||
/// Man page documents that 0 can be used in older versions.
|
|
||||||
///
|
|
||||||
/// OpenSSL documentation at [`EC_GROUP`]
|
|
||||||
///
|
|
||||||
/// [`EC_GROUP`]: https://www.openssl.org/docs/man1.1.0/crypto/EC_GROUP_get_seed_len.html
|
|
||||||
pub const EXPLICIT_CURVE: Asn1Flag = Asn1Flag(0);
|
|
||||||
|
|
||||||
/// Standard Curves
|
|
||||||
///
|
|
||||||
/// Curves that make up the typical encryption use cases. The collection of curves
|
|
||||||
/// are well known but extensible.
|
|
||||||
///
|
|
||||||
/// OpenSSL documentation at [`EC_GROUP`]
|
|
||||||
///
|
|
||||||
/// [`EC_GROUP`]: https://www.openssl.org/docs/manmaster/man3/EC_GROUP_order_bits.html
|
|
||||||
pub const NAMED_CURVE: Asn1Flag = Asn1Flag(ffi::OPENSSL_EC_NAMED_CURVE);
|
|
||||||
|
|
||||||
/// Compressed or Uncompressed conversion
|
/// Compressed or Uncompressed conversion
|
||||||
///
|
///
|
||||||
/// Conversion from the binary value of the point on the curve is performed in one of
|
/// Conversion from the binary value of the point on the curve is performed in one of
|
||||||
|
|
@ -91,13 +54,53 @@ pub const NAMED_CURVE: Asn1Flag = Asn1Flag(ffi::OPENSSL_EC_NAMED_CURVE);
|
||||||
#[derive(Copy, Clone)]
|
#[derive(Copy, Clone)]
|
||||||
pub struct PointConversionForm(ffi::point_conversion_form_t);
|
pub struct PointConversionForm(ffi::point_conversion_form_t);
|
||||||
|
|
||||||
|
impl PointConversionForm {
|
||||||
|
/// Compressed conversion from point value.
|
||||||
|
pub const COMPRESSED: PointConversionForm =
|
||||||
|
PointConversionForm(ffi::point_conversion_form_t::POINT_CONVERSION_COMPRESSED);
|
||||||
|
|
||||||
|
/// Uncompressed conversion from point value.
|
||||||
|
pub const UNCOMPRESSED: PointConversionForm =
|
||||||
|
PointConversionForm(ffi::point_conversion_form_t::POINT_CONVERSION_UNCOMPRESSED);
|
||||||
|
|
||||||
|
/// Performs both compressed and uncompressed conversions.
|
||||||
|
pub const HYBRID: PointConversionForm =
|
||||||
|
PointConversionForm(ffi::point_conversion_form_t::POINT_CONVERSION_HYBRID);
|
||||||
|
}
|
||||||
|
|
||||||
/// Named Curve or Explicit
|
/// Named Curve or Explicit
|
||||||
///
|
///
|
||||||
/// This type acts as a boolean as to whether the EC_Group is named or
|
/// This type acts as a boolean as to whether the `EcGroup` is named or explicit.
|
||||||
/// explicit.
|
|
||||||
#[derive(Copy, Clone)]
|
#[derive(Copy, Clone)]
|
||||||
pub struct Asn1Flag(c_int);
|
pub struct Asn1Flag(c_int);
|
||||||
|
|
||||||
|
impl Asn1Flag {
|
||||||
|
/// Curve defined using polynomial parameters
|
||||||
|
///
|
||||||
|
/// Most applications use a named EC_GROUP curve, however, support
|
||||||
|
/// is included to explicitly define the curve used to calculate keys
|
||||||
|
/// This information would need to be known by both endpoint to make communication
|
||||||
|
/// effective.
|
||||||
|
///
|
||||||
|
/// OPENSSL_EC_EXPLICIT_CURVE, but that was only added in 1.1.
|
||||||
|
/// Man page documents that 0 can be used in older versions.
|
||||||
|
///
|
||||||
|
/// OpenSSL documentation at [`EC_GROUP`]
|
||||||
|
///
|
||||||
|
/// [`EC_GROUP`]: https://www.openssl.org/docs/man1.1.0/crypto/EC_GROUP_get_seed_len.html
|
||||||
|
pub const EXPLICIT_CURVE: Asn1Flag = Asn1Flag(0);
|
||||||
|
|
||||||
|
/// Standard Curves
|
||||||
|
///
|
||||||
|
/// Curves that make up the typical encryption use cases. The collection of curves
|
||||||
|
/// are well known but extensible.
|
||||||
|
///
|
||||||
|
/// OpenSSL documentation at [`EC_GROUP`]
|
||||||
|
///
|
||||||
|
/// [`EC_GROUP`]: https://www.openssl.org/docs/manmaster/man3/EC_GROUP_order_bits.html
|
||||||
|
pub const NAMED_CURVE: Asn1Flag = Asn1Flag(ffi::OPENSSL_EC_NAMED_CURVE);
|
||||||
|
}
|
||||||
|
|
||||||
foreign_type_and_impl_send_sync! {
|
foreign_type_and_impl_send_sync! {
|
||||||
type CType = ffi::EC_GROUP;
|
type CType = ffi::EC_GROUP;
|
||||||
fn drop = ffi::EC_GROUP_free;
|
fn drop = ffi::EC_GROUP_free;
|
||||||
|
|
@ -606,14 +609,14 @@ impl EcKey {
|
||||||
/// ```no_run
|
/// ```no_run
|
||||||
/// use openssl::bn::BigNumContext;
|
/// use openssl::bn::BigNumContext;
|
||||||
/// use openssl::ec::*;
|
/// use openssl::ec::*;
|
||||||
/// use openssl::nid;
|
/// use openssl::nid::Nid;
|
||||||
/// use openssl::pkey::PKey;
|
/// use openssl::pkey::PKey;
|
||||||
///
|
///
|
||||||
/// // get bytes from somewhere, i.e. this will not produce a valid key
|
/// // get bytes from somewhere, i.e. this will not produce a valid key
|
||||||
/// let public_key: Vec<u8> = vec![];
|
/// let public_key: Vec<u8> = vec![];
|
||||||
///
|
///
|
||||||
/// // create an EcKey from the binary form of a EcPoint
|
/// // create an EcKey from the binary form of a EcPoint
|
||||||
/// let group = EcGroup::from_curve_name(nid::SECP256K1).unwrap();
|
/// let group = EcGroup::from_curve_name(Nid::SECP256K1).unwrap();
|
||||||
/// let mut ctx = BigNumContext::new().unwrap();
|
/// let mut ctx = BigNumContext::new().unwrap();
|
||||||
/// let point = EcPoint::from_bytes(&group, &public_key, &mut ctx).unwrap();
|
/// let point = EcPoint::from_bytes(&group, &public_key, &mut ctx).unwrap();
|
||||||
/// let key = EcKey::from_public_key(&group, &point);
|
/// let key = EcKey::from_public_key(&group, &point);
|
||||||
|
|
@ -645,7 +648,6 @@ impl EcKey {
|
||||||
private_key_from_der!(EcKey, ffi::d2i_ECPrivateKey);
|
private_key_from_der!(EcKey, ffi::d2i_ECPrivateKey);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
foreign_type_and_impl_send_sync! {
|
foreign_type_and_impl_send_sync! {
|
||||||
type CType = ffi::EC_KEY;
|
type CType = ffi::EC_KEY;
|
||||||
fn drop = ffi::EC_KEY_free;
|
fn drop = ffi::EC_KEY_free;
|
||||||
|
|
@ -731,18 +733,18 @@ impl EcKeyBuilderRef {
|
||||||
#[cfg(test)]
|
#[cfg(test)]
|
||||||
mod test {
|
mod test {
|
||||||
use bn::{BigNum, BigNumContext};
|
use bn::{BigNum, BigNumContext};
|
||||||
use nid;
|
use nid::Nid;
|
||||||
use data_encoding::BASE64URL_NOPAD;
|
use data_encoding::BASE64URL_NOPAD;
|
||||||
use super::*;
|
use super::*;
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn key_new_by_curve_name() {
|
fn key_new_by_curve_name() {
|
||||||
EcKey::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
|
EcKey::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
|
||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn generate() {
|
fn generate() {
|
||||||
let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
|
let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
|
||||||
let key = EcKey::generate(&group).unwrap();
|
let key = EcKey::generate(&group).unwrap();
|
||||||
key.public_key().unwrap();
|
key.public_key().unwrap();
|
||||||
key.private_key().unwrap();
|
key.private_key().unwrap();
|
||||||
|
|
@ -750,25 +752,25 @@ mod test {
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn dup() {
|
fn dup() {
|
||||||
let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
|
let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
|
||||||
let key = EcKey::generate(&group).unwrap();
|
let key = EcKey::generate(&group).unwrap();
|
||||||
key.to_owned().unwrap();
|
key.to_owned().unwrap();
|
||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn point_new() {
|
fn point_new() {
|
||||||
let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
|
let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
|
||||||
EcPoint::new(&group).unwrap();
|
EcPoint::new(&group).unwrap();
|
||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn point_bytes() {
|
fn point_bytes() {
|
||||||
let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
|
let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
|
||||||
let key = EcKey::generate(&group).unwrap();
|
let key = EcKey::generate(&group).unwrap();
|
||||||
let point = key.public_key().unwrap();
|
let point = key.public_key().unwrap();
|
||||||
let mut ctx = BigNumContext::new().unwrap();
|
let mut ctx = BigNumContext::new().unwrap();
|
||||||
let bytes = point
|
let bytes = point
|
||||||
.to_bytes(&group, POINT_CONVERSION_COMPRESSED, &mut ctx)
|
.to_bytes(&group, PointConversionForm::COMPRESSED, &mut ctx)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
let point2 = EcPoint::from_bytes(&group, &bytes, &mut ctx).unwrap();
|
let point2 = EcPoint::from_bytes(&group, &bytes, &mut ctx).unwrap();
|
||||||
assert!(point.eq(&group, &point2, &mut ctx).unwrap());
|
assert!(point.eq(&group, &point2, &mut ctx).unwrap());
|
||||||
|
|
@ -776,7 +778,7 @@ mod test {
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn mul_generator() {
|
fn mul_generator() {
|
||||||
let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
|
let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
|
||||||
let key = EcKey::generate(&group).unwrap();
|
let key = EcKey::generate(&group).unwrap();
|
||||||
let mut ctx = BigNumContext::new().unwrap();
|
let mut ctx = BigNumContext::new().unwrap();
|
||||||
let mut public_key = EcPoint::new(&group).unwrap();
|
let mut public_key = EcPoint::new(&group).unwrap();
|
||||||
|
|
@ -792,12 +794,12 @@ mod test {
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn key_from_public_key() {
|
fn key_from_public_key() {
|
||||||
let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
|
let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
|
||||||
let key = EcKey::generate(&group).unwrap();
|
let key = EcKey::generate(&group).unwrap();
|
||||||
let mut ctx = BigNumContext::new().unwrap();
|
let mut ctx = BigNumContext::new().unwrap();
|
||||||
let bytes = key.public_key()
|
let bytes = key.public_key()
|
||||||
.unwrap()
|
.unwrap()
|
||||||
.to_bytes(&group, POINT_CONVERSION_COMPRESSED, &mut ctx)
|
.to_bytes(&group, PointConversionForm::COMPRESSED, &mut ctx)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
|
|
||||||
drop(key);
|
drop(key);
|
||||||
|
|
@ -810,13 +812,13 @@ mod test {
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn key_from_affine_coordinates() {
|
fn key_from_affine_coordinates() {
|
||||||
let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
|
let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
|
||||||
let x = BASE64URL_NOPAD.decode(
|
let x = BASE64URL_NOPAD
|
||||||
"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4".as_bytes(),
|
.decode("MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4".as_bytes())
|
||||||
).unwrap();
|
.unwrap();
|
||||||
let y = BASE64URL_NOPAD.decode(
|
let y = BASE64URL_NOPAD
|
||||||
"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM".as_bytes(),
|
.decode("4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM".as_bytes())
|
||||||
).unwrap();
|
.unwrap();
|
||||||
|
|
||||||
let xbn = BigNum::from_slice(&x).unwrap();
|
let xbn = BigNum::from_slice(&x).unwrap();
|
||||||
let ybn = BigNum::from_slice(&y).unwrap();
|
let ybn = BigNum::from_slice(&y).unwrap();
|
||||||
|
|
@ -834,10 +836,10 @@ mod test {
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn set_private_key() {
|
fn set_private_key() {
|
||||||
let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
|
let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
|
||||||
let d = BASE64URL_NOPAD.decode(
|
let d = BASE64URL_NOPAD
|
||||||
"870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE".as_bytes(),
|
.decode("870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE".as_bytes())
|
||||||
).unwrap();
|
.unwrap();
|
||||||
|
|
||||||
let dbn = BigNum::from_slice(&d).unwrap();
|
let dbn = BigNum::from_slice(&d).unwrap();
|
||||||
|
|
||||||
|
|
@ -851,13 +853,13 @@ mod test {
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn get_affine_coordinates() {
|
fn get_affine_coordinates() {
|
||||||
let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
|
let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
|
||||||
let x = BASE64URL_NOPAD.decode(
|
let x = BASE64URL_NOPAD
|
||||||
"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4".as_bytes(),
|
.decode("MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4".as_bytes())
|
||||||
).unwrap();
|
.unwrap();
|
||||||
let y = BASE64URL_NOPAD.decode(
|
let y = BASE64URL_NOPAD
|
||||||
"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM".as_bytes(),
|
.decode("4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM".as_bytes())
|
||||||
).unwrap();
|
.unwrap();
|
||||||
|
|
||||||
let xbn = BigNum::from_slice(&x).unwrap();
|
let xbn = BigNum::from_slice(&x).unwrap();
|
||||||
let ybn = BigNum::from_slice(&y).unwrap();
|
let ybn = BigNum::from_slice(&y).unwrap();
|
||||||
|
|
|
||||||
1841
openssl/src/nid.rs
1841
openssl/src/nid.rs
File diff suppressed because it is too large
Load Diff
|
|
@ -13,57 +13,21 @@ use x509::store::X509StoreRef;
|
||||||
use x509::{X509, X509Ref};
|
use x509::{X509, X509Ref};
|
||||||
|
|
||||||
bitflags! {
|
bitflags! {
|
||||||
pub struct Flag: c_ulong {
|
pub struct OcspFlag: c_ulong {
|
||||||
const FLAG_NO_CERTS = ffi::OCSP_NOCERTS;
|
const NO_CERTS = ffi::OCSP_NOCERTS;
|
||||||
const FLAG_NO_INTERN = ffi::OCSP_NOINTERN;
|
const NO_INTERN = ffi::OCSP_NOINTERN;
|
||||||
const FLAG_NO_CHAIN = ffi::OCSP_NOCHAIN;
|
const NO_CHAIN = ffi::OCSP_NOCHAIN;
|
||||||
const FLAG_NO_VERIFY = ffi::OCSP_NOVERIFY;
|
const NO_VERIFY = ffi::OCSP_NOVERIFY;
|
||||||
const FLAG_NO_EXPLICIT = ffi::OCSP_NOEXPLICIT;
|
const NO_EXPLICIT = ffi::OCSP_NOEXPLICIT;
|
||||||
const FLAG_NO_CA_SIGN = ffi::OCSP_NOCASIGN;
|
const NO_CA_SIGN = ffi::OCSP_NOCASIGN;
|
||||||
const FLAG_NO_DELEGATED = ffi::OCSP_NODELEGATED;
|
const NO_DELEGATED = ffi::OCSP_NODELEGATED;
|
||||||
const FLAG_NO_CHECKS = ffi::OCSP_NOCHECKS;
|
const NO_CHECKS = ffi::OCSP_NOCHECKS;
|
||||||
const FLAG_TRUST_OTHER = ffi::OCSP_TRUSTOTHER;
|
const TRUST_OTHER = ffi::OCSP_TRUSTOTHER;
|
||||||
const FLAG_RESPID_KEY = ffi::OCSP_RESPID_KEY;
|
const RESPID_KEY = ffi::OCSP_RESPID_KEY;
|
||||||
const FLAG_NO_TIME = ffi::OCSP_NOTIME;
|
const NO_TIME = ffi::OCSP_NOTIME;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pub const RESPONSE_STATUS_SUCCESSFUL: OcspResponseStatus =
|
|
||||||
OcspResponseStatus(ffi::OCSP_RESPONSE_STATUS_SUCCESSFUL);
|
|
||||||
pub const RESPONSE_STATUS_MALFORMED_REQUEST: OcspResponseStatus =
|
|
||||||
OcspResponseStatus(ffi::OCSP_RESPONSE_STATUS_MALFORMEDREQUEST);
|
|
||||||
pub const RESPONSE_STATUS_INTERNAL_ERROR: OcspResponseStatus =
|
|
||||||
OcspResponseStatus(ffi::OCSP_RESPONSE_STATUS_INTERNALERROR);
|
|
||||||
pub const RESPONSE_STATUS_TRY_LATER: OcspResponseStatus =
|
|
||||||
OcspResponseStatus(ffi::OCSP_RESPONSE_STATUS_TRYLATER);
|
|
||||||
pub const RESPONSE_STATUS_SIG_REQUIRED: OcspResponseStatus =
|
|
||||||
OcspResponseStatus(ffi::OCSP_RESPONSE_STATUS_SIGREQUIRED);
|
|
||||||
pub const RESPONSE_STATUS_UNAUTHORIZED: OcspResponseStatus =
|
|
||||||
OcspResponseStatus(ffi::OCSP_RESPONSE_STATUS_UNAUTHORIZED);
|
|
||||||
|
|
||||||
pub const CERT_STATUS_GOOD: OcspCertStatus = OcspCertStatus(ffi::V_OCSP_CERTSTATUS_GOOD);
|
|
||||||
pub const CERT_STATUS_REVOKED: OcspCertStatus = OcspCertStatus(ffi::V_OCSP_CERTSTATUS_REVOKED);
|
|
||||||
pub const CERT_STATUS_UNKNOWN: OcspCertStatus = OcspCertStatus(ffi::V_OCSP_CERTSTATUS_UNKNOWN);
|
|
||||||
|
|
||||||
pub const REVOKED_STATUS_NO_STATUS: OcspRevokedStatus =
|
|
||||||
OcspRevokedStatus(ffi::OCSP_REVOKED_STATUS_NOSTATUS);
|
|
||||||
pub const REVOKED_STATUS_UNSPECIFIED: OcspRevokedStatus =
|
|
||||||
OcspRevokedStatus(ffi::OCSP_REVOKED_STATUS_UNSPECIFIED);
|
|
||||||
pub const REVOKED_STATUS_KEY_COMPROMISE: OcspRevokedStatus =
|
|
||||||
OcspRevokedStatus(ffi::OCSP_REVOKED_STATUS_KEYCOMPROMISE);
|
|
||||||
pub const REVOKED_STATUS_CA_COMPROMISE: OcspRevokedStatus =
|
|
||||||
OcspRevokedStatus(ffi::OCSP_REVOKED_STATUS_CACOMPROMISE);
|
|
||||||
pub const REVOKED_STATUS_AFFILIATION_CHANGED: OcspRevokedStatus =
|
|
||||||
OcspRevokedStatus(ffi::OCSP_REVOKED_STATUS_AFFILIATIONCHANGED);
|
|
||||||
pub const REVOKED_STATUS_SUPERSEDED: OcspRevokedStatus =
|
|
||||||
OcspRevokedStatus(ffi::OCSP_REVOKED_STATUS_SUPERSEDED);
|
|
||||||
pub const REVOKED_STATUS_CESSATION_OF_OPERATION: OcspRevokedStatus =
|
|
||||||
OcspRevokedStatus(ffi::OCSP_REVOKED_STATUS_CESSATIONOFOPERATION);
|
|
||||||
pub const REVOKED_STATUS_CERTIFICATE_HOLD: OcspRevokedStatus =
|
|
||||||
OcspRevokedStatus(ffi::OCSP_REVOKED_STATUS_CERTIFICATEHOLD);
|
|
||||||
pub const REVOKED_STATUS_REMOVE_FROM_CRL: OcspRevokedStatus =
|
|
||||||
OcspRevokedStatus(ffi::OCSP_REVOKED_STATUS_REMOVEFROMCRL);
|
|
||||||
|
|
||||||
#[derive(Copy, Clone, Debug, PartialEq, Eq)]
|
#[derive(Copy, Clone, Debug, PartialEq, Eq)]
|
||||||
pub struct OcspResponseStatus(c_int);
|
pub struct OcspResponseStatus(c_int);
|
||||||
|
|
||||||
|
|
@ -75,6 +39,19 @@ impl OcspResponseStatus {
|
||||||
pub fn as_raw(&self) -> c_int {
|
pub fn as_raw(&self) -> c_int {
|
||||||
self.0
|
self.0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub const SUCCESSFUL: OcspResponseStatus =
|
||||||
|
OcspResponseStatus(ffi::OCSP_RESPONSE_STATUS_SUCCESSFUL);
|
||||||
|
pub const MALFORMED_REQUEST: OcspResponseStatus =
|
||||||
|
OcspResponseStatus(ffi::OCSP_RESPONSE_STATUS_MALFORMEDREQUEST);
|
||||||
|
pub const INTERNAL_ERROR: OcspResponseStatus =
|
||||||
|
OcspResponseStatus(ffi::OCSP_RESPONSE_STATUS_INTERNALERROR);
|
||||||
|
pub const TRY_LATER: OcspResponseStatus =
|
||||||
|
OcspResponseStatus(ffi::OCSP_RESPONSE_STATUS_TRYLATER);
|
||||||
|
pub const SIG_REQUIRED: OcspResponseStatus =
|
||||||
|
OcspResponseStatus(ffi::OCSP_RESPONSE_STATUS_SIGREQUIRED);
|
||||||
|
pub const UNAUTHORIZED: OcspResponseStatus =
|
||||||
|
OcspResponseStatus(ffi::OCSP_RESPONSE_STATUS_UNAUTHORIZED);
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Copy, Clone, Debug, PartialEq, Eq)]
|
#[derive(Copy, Clone, Debug, PartialEq, Eq)]
|
||||||
|
|
@ -88,6 +65,10 @@ impl OcspCertStatus {
|
||||||
pub fn as_raw(&self) -> c_int {
|
pub fn as_raw(&self) -> c_int {
|
||||||
self.0
|
self.0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub const GOOD: OcspCertStatus = OcspCertStatus(ffi::V_OCSP_CERTSTATUS_GOOD);
|
||||||
|
pub const REVOKED: OcspCertStatus = OcspCertStatus(ffi::V_OCSP_CERTSTATUS_REVOKED);
|
||||||
|
pub const UNKNOWN: OcspCertStatus = OcspCertStatus(ffi::V_OCSP_CERTSTATUS_UNKNOWN);
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Copy, Clone, Debug, PartialEq, Eq)]
|
#[derive(Copy, Clone, Debug, PartialEq, Eq)]
|
||||||
|
|
@ -101,9 +82,27 @@ impl OcspRevokedStatus {
|
||||||
pub fn as_raw(&self) -> c_int {
|
pub fn as_raw(&self) -> c_int {
|
||||||
self.0
|
self.0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub const NO_STATUS: OcspRevokedStatus = OcspRevokedStatus(ffi::OCSP_REVOKED_STATUS_NOSTATUS);
|
||||||
|
pub const UNSPECIFIED: OcspRevokedStatus =
|
||||||
|
OcspRevokedStatus(ffi::OCSP_REVOKED_STATUS_UNSPECIFIED);
|
||||||
|
pub const KEY_COMPROMISE: OcspRevokedStatus =
|
||||||
|
OcspRevokedStatus(ffi::OCSP_REVOKED_STATUS_KEYCOMPROMISE);
|
||||||
|
pub const CA_COMPROMISE: OcspRevokedStatus =
|
||||||
|
OcspRevokedStatus(ffi::OCSP_REVOKED_STATUS_CACOMPROMISE);
|
||||||
|
pub const AFFILIATION_CHANGED: OcspRevokedStatus =
|
||||||
|
OcspRevokedStatus(ffi::OCSP_REVOKED_STATUS_AFFILIATIONCHANGED);
|
||||||
|
pub const STATUS_SUPERSEDED: OcspRevokedStatus =
|
||||||
|
OcspRevokedStatus(ffi::OCSP_REVOKED_STATUS_SUPERSEDED);
|
||||||
|
pub const STATUS_CESSATION_OF_OPERATION: OcspRevokedStatus =
|
||||||
|
OcspRevokedStatus(ffi::OCSP_REVOKED_STATUS_CESSATIONOFOPERATION);
|
||||||
|
pub const STATUS_CERTIFICATE_HOLD: OcspRevokedStatus =
|
||||||
|
OcspRevokedStatus(ffi::OCSP_REVOKED_STATUS_CERTIFICATEHOLD);
|
||||||
|
pub const REMOVE_FROM_CRL: OcspRevokedStatus =
|
||||||
|
OcspRevokedStatus(ffi::OCSP_REVOKED_STATUS_REMOVEFROMCRL);
|
||||||
}
|
}
|
||||||
|
|
||||||
pub struct Status<'a> {
|
pub struct OcspStatus<'a> {
|
||||||
/// The overall status of the response.
|
/// The overall status of the response.
|
||||||
pub status: OcspCertStatus,
|
pub status: OcspCertStatus,
|
||||||
/// If `status` is `CERT_STATUS_REVOKED`, the reason for the revocation.
|
/// If `status` is `CERT_STATUS_REVOKED`, the reason for the revocation.
|
||||||
|
|
@ -116,7 +115,7 @@ pub struct Status<'a> {
|
||||||
pub next_update: &'a Asn1GeneralizedTimeRef,
|
pub next_update: &'a Asn1GeneralizedTimeRef,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl<'a> Status<'a> {
|
impl<'a> OcspStatus<'a> {
|
||||||
/// Checks validity of the `this_update` and `next_update` fields.
|
/// Checks validity of the `this_update` and `next_update` fields.
|
||||||
///
|
///
|
||||||
/// The `nsec` parameter specifies an amount of slack time that will be used when comparing
|
/// The `nsec` parameter specifies an amount of slack time that will be used when comparing
|
||||||
|
|
@ -153,7 +152,7 @@ impl OcspBasicResponseRef {
|
||||||
&self,
|
&self,
|
||||||
certs: &StackRef<X509>,
|
certs: &StackRef<X509>,
|
||||||
store: &X509StoreRef,
|
store: &X509StoreRef,
|
||||||
flags: Flag,
|
flags: OcspFlag,
|
||||||
) -> Result<(), ErrorStack> {
|
) -> Result<(), ErrorStack> {
|
||||||
unsafe {
|
unsafe {
|
||||||
cvt(ffi::OCSP_basic_verify(
|
cvt(ffi::OCSP_basic_verify(
|
||||||
|
|
@ -166,7 +165,7 @@ impl OcspBasicResponseRef {
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Looks up the status for the specified certificate ID.
|
/// Looks up the status for the specified certificate ID.
|
||||||
pub fn find_status<'a>(&'a self, id: &OcspCertIdRef) -> Option<Status<'a>> {
|
pub fn find_status<'a>(&'a self, id: &OcspCertIdRef) -> Option<OcspStatus<'a>> {
|
||||||
unsafe {
|
unsafe {
|
||||||
let mut status = ffi::V_OCSP_CERTSTATUS_UNKNOWN;
|
let mut status = ffi::V_OCSP_CERTSTATUS_UNKNOWN;
|
||||||
let mut reason = ffi::OCSP_REVOKED_STATUS_NOSTATUS;
|
let mut reason = ffi::OCSP_REVOKED_STATUS_NOSTATUS;
|
||||||
|
|
@ -189,7 +188,7 @@ impl OcspBasicResponseRef {
|
||||||
} else {
|
} else {
|
||||||
Some(Asn1GeneralizedTimeRef::from_ptr(revocation_time))
|
Some(Asn1GeneralizedTimeRef::from_ptr(revocation_time))
|
||||||
};
|
};
|
||||||
Some(Status {
|
Some(OcspStatus {
|
||||||
status: OcspCertStatus(status),
|
status: OcspCertStatus(status),
|
||||||
reason: OcspRevokedStatus(status),
|
reason: OcspRevokedStatus(status),
|
||||||
revocation_time: revocation_time,
|
revocation_time: revocation_time,
|
||||||
|
|
|
||||||
|
|
@ -11,7 +11,7 @@ use pkey::{PKey, PKeyRef};
|
||||||
use error::ErrorStack;
|
use error::ErrorStack;
|
||||||
use x509::X509;
|
use x509::X509;
|
||||||
use stack::Stack;
|
use stack::Stack;
|
||||||
use nid;
|
use nid::Nid;
|
||||||
|
|
||||||
foreign_type_and_impl_send_sync! {
|
foreign_type_and_impl_send_sync! {
|
||||||
type CType = ffi::PKCS12;
|
type CType = ffi::PKCS12;
|
||||||
|
|
@ -75,8 +75,8 @@ impl Pkcs12 {
|
||||||
ffi::init();
|
ffi::init();
|
||||||
|
|
||||||
Pkcs12Builder {
|
Pkcs12Builder {
|
||||||
nid_key: nid::UNDEF, //nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC,
|
nid_key: Nid::UNDEF, //nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC,
|
||||||
nid_cert: nid::UNDEF, //nid::PBE_WITHSHA1AND40BITRC2_CBC,
|
nid_cert: Nid::UNDEF, //nid::PBE_WITHSHA1AND40BITRC2_CBC,
|
||||||
iter: ffi::PKCS12_DEFAULT_ITER,
|
iter: ffi::PKCS12_DEFAULT_ITER,
|
||||||
mac_iter: ffi::PKCS12_DEFAULT_ITER,
|
mac_iter: ffi::PKCS12_DEFAULT_ITER,
|
||||||
ca: None,
|
ca: None,
|
||||||
|
|
@ -92,8 +92,8 @@ pub struct ParsedPkcs12 {
|
||||||
}
|
}
|
||||||
|
|
||||||
pub struct Pkcs12Builder {
|
pub struct Pkcs12Builder {
|
||||||
nid_key: nid::Nid,
|
nid_key: Nid,
|
||||||
nid_cert: nid::Nid,
|
nid_cert: Nid,
|
||||||
iter: c_int,
|
iter: c_int,
|
||||||
mac_iter: c_int,
|
mac_iter: c_int,
|
||||||
ca: Option<Stack<X509>>,
|
ca: Option<Stack<X509>>,
|
||||||
|
|
@ -101,13 +101,13 @@ pub struct Pkcs12Builder {
|
||||||
|
|
||||||
impl Pkcs12Builder {
|
impl Pkcs12Builder {
|
||||||
/// The encryption algorithm that should be used for the key
|
/// The encryption algorithm that should be used for the key
|
||||||
pub fn key_algorithm(&mut self, nid: nid::Nid) -> &mut Self {
|
pub fn key_algorithm(&mut self, nid: Nid) -> &mut Self {
|
||||||
self.nid_key = nid;
|
self.nid_key = nid;
|
||||||
self
|
self
|
||||||
}
|
}
|
||||||
|
|
||||||
/// The encryption algorithm that should be used for the cert
|
/// The encryption algorithm that should be used for the cert
|
||||||
pub fn cert_algorithm(&mut self, nid: nid::Nid) -> &mut Self {
|
pub fn cert_algorithm(&mut self, nid: Nid) -> &mut Self {
|
||||||
self.nid_cert = nid;
|
self.nid_cert = nid;
|
||||||
self
|
self
|
||||||
}
|
}
|
||||||
|
|
@ -190,7 +190,7 @@ mod test {
|
||||||
use asn1::Asn1Time;
|
use asn1::Asn1Time;
|
||||||
use rsa::Rsa;
|
use rsa::Rsa;
|
||||||
use pkey::PKey;
|
use pkey::PKey;
|
||||||
use nid;
|
use nid::Nid;
|
||||||
use x509::{X509, X509Name};
|
use x509::{X509, X509Name};
|
||||||
use x509::extension::KeyUsage;
|
use x509::extension::KeyUsage;
|
||||||
|
|
||||||
|
|
@ -238,7 +238,7 @@ mod test {
|
||||||
let pkey = PKey::from_rsa(rsa).unwrap();
|
let pkey = PKey::from_rsa(rsa).unwrap();
|
||||||
|
|
||||||
let mut name = X509Name::builder().unwrap();
|
let mut name = X509Name::builder().unwrap();
|
||||||
name.append_entry_by_nid(nid::COMMONNAME, subject_name)
|
name.append_entry_by_nid(Nid::COMMONNAME, subject_name)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
let name = name.build();
|
let name = name.build();
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
||||||
use libc::{c_void, c_char, c_int, size_t};
|
use libc::{c_char, c_int, c_void, size_t};
|
||||||
use std::ptr;
|
use std::ptr;
|
||||||
use std::mem;
|
use std::mem;
|
||||||
use std::ffi::CString;
|
use std::ffi::CString;
|
||||||
|
|
@ -10,9 +10,9 @@ use bio::MemBioSlice;
|
||||||
use dh::Dh;
|
use dh::Dh;
|
||||||
use dsa::Dsa;
|
use dsa::Dsa;
|
||||||
use ec::EcKey;
|
use ec::EcKey;
|
||||||
use rsa::{Rsa, Padding};
|
use rsa::{Padding, Rsa};
|
||||||
use error::ErrorStack;
|
use error::ErrorStack;
|
||||||
use util::{CallbackState, invoke_passwd_cb, invoke_passwd_cb_old};
|
use util::{invoke_passwd_cb, invoke_passwd_cb_old, CallbackState};
|
||||||
|
|
||||||
foreign_type_and_impl_send_sync! {
|
foreign_type_and_impl_send_sync! {
|
||||||
type CType = ffi::EVP_PKEY;
|
type CType = ffi::EVP_PKEY;
|
||||||
|
|
@ -254,9 +254,7 @@ impl PKeyCtxRef {
|
||||||
pub fn rsa_padding(&self) -> Result<Padding, ErrorStack> {
|
pub fn rsa_padding(&self) -> Result<Padding, ErrorStack> {
|
||||||
let mut pad: c_int = 0;
|
let mut pad: c_int = 0;
|
||||||
unsafe {
|
unsafe {
|
||||||
cvt(
|
cvt(ffi::EVP_PKEY_CTX_get_rsa_padding(self.as_ptr(), &mut pad))?;
|
||||||
ffi::EVP_PKEY_CTX_get_rsa_padding(self.as_ptr(), &mut pad),
|
|
||||||
)?;
|
|
||||||
};
|
};
|
||||||
Ok(Padding::from_raw(pad))
|
Ok(Padding::from_raw(pad))
|
||||||
}
|
}
|
||||||
|
|
@ -270,9 +268,7 @@ impl PKeyCtxRef {
|
||||||
|
|
||||||
pub fn derive_set_peer(&mut self, peer: &PKeyRef) -> Result<(), ErrorStack> {
|
pub fn derive_set_peer(&mut self, peer: &PKeyRef) -> Result<(), ErrorStack> {
|
||||||
unsafe {
|
unsafe {
|
||||||
cvt(
|
cvt(ffi::EVP_PKEY_derive_set_peer(self.as_ptr(), peer.as_ptr()))?;
|
||||||
ffi::EVP_PKEY_derive_set_peer(self.as_ptr(), peer.as_ptr()),
|
|
||||||
)?;
|
|
||||||
}
|
}
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
@ -306,7 +302,7 @@ mod tests {
|
||||||
use dsa::Dsa;
|
use dsa::Dsa;
|
||||||
use ec::{EcGroup, EcKey};
|
use ec::{EcGroup, EcKey};
|
||||||
use rsa::Rsa;
|
use rsa::Rsa;
|
||||||
use nid;
|
use nid::Nid;
|
||||||
|
|
||||||
use super::*;
|
use super::*;
|
||||||
|
|
||||||
|
|
@ -403,7 +399,7 @@ mod tests {
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn test_ec_key_accessor() {
|
fn test_ec_key_accessor() {
|
||||||
let ec_key = EcKey::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
|
let ec_key = EcKey::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
|
||||||
let pkey = PKey::from_ec_key(ec_key).unwrap();
|
let pkey = PKey::from_ec_key(ec_key).unwrap();
|
||||||
pkey.ec_key().unwrap();
|
pkey.ec_key().unwrap();
|
||||||
assert!(pkey.rsa().is_err());
|
assert!(pkey.rsa().is_err());
|
||||||
|
|
@ -411,7 +407,7 @@ mod tests {
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn test_ec_key_derive() {
|
fn test_ec_key_derive() {
|
||||||
let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
|
let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
|
||||||
let ec_key = EcKey::generate(&group).unwrap();
|
let ec_key = EcKey::generate(&group).unwrap();
|
||||||
let ec_key2 = EcKey::generate(&group).unwrap();
|
let ec_key2 = EcKey::generate(&group).unwrap();
|
||||||
let pkey = PKey::from_ec_key(ec_key).unwrap();
|
let pkey = PKey::from_ec_key(ec_key).unwrap();
|
||||||
|
|
|
||||||
|
|
@ -2,14 +2,14 @@ use ffi;
|
||||||
use std::fmt;
|
use std::fmt;
|
||||||
use std::ptr;
|
use std::ptr;
|
||||||
use std::mem;
|
use std::mem;
|
||||||
use libc::{c_int, c_void, c_char};
|
use libc::{c_char, c_int, c_void};
|
||||||
use foreign_types::ForeignTypeRef;
|
use foreign_types::ForeignTypeRef;
|
||||||
|
|
||||||
use {cvt, cvt_p, cvt_n};
|
use {cvt, cvt_n, cvt_p};
|
||||||
use bn::{BigNum, BigNumRef};
|
use bn::{BigNum, BigNumRef};
|
||||||
use bio::MemBioSlice;
|
use bio::MemBioSlice;
|
||||||
use error::ErrorStack;
|
use error::ErrorStack;
|
||||||
use util::{CallbackState, invoke_passwd_cb_old};
|
use util::{invoke_passwd_cb_old, CallbackState};
|
||||||
|
|
||||||
/// Type of encryption padding to use.
|
/// Type of encryption padding to use.
|
||||||
#[derive(Debug, Copy, Clone, PartialEq, Eq)]
|
#[derive(Debug, Copy, Clone, PartialEq, Eq)]
|
||||||
|
|
@ -23,11 +23,11 @@ impl Padding {
|
||||||
pub fn as_raw(&self) -> c_int {
|
pub fn as_raw(&self) -> c_int {
|
||||||
self.0
|
self.0
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
pub const NO_PADDING: Padding = Padding(ffi::RSA_NO_PADDING);
|
pub const NONE: Padding = Padding(ffi::RSA_NO_PADDING);
|
||||||
pub const PKCS1_PADDING: Padding = Padding(ffi::RSA_PKCS1_PADDING);
|
pub const PKCS1: Padding = Padding(ffi::RSA_PKCS1_PADDING);
|
||||||
pub const PKCS1_OAEP_PADDING: Padding = Padding(ffi::RSA_PKCS1_OAEP_PADDING);
|
pub const PKCS1_OAEP: Padding = Padding(ffi::RSA_PKCS1_OAEP_PADDING);
|
||||||
|
}
|
||||||
|
|
||||||
foreign_type_and_impl_send_sync! {
|
foreign_type_and_impl_send_sync! {
|
||||||
type CType = ffi::RSA;
|
type CType = ffi::RSA;
|
||||||
|
|
@ -286,9 +286,7 @@ impl Rsa {
|
||||||
) -> Result<Rsa, ErrorStack> {
|
) -> Result<Rsa, ErrorStack> {
|
||||||
unsafe {
|
unsafe {
|
||||||
let rsa = Rsa(cvt_p(ffi::RSA_new())?);
|
let rsa = Rsa(cvt_p(ffi::RSA_new())?);
|
||||||
cvt(
|
cvt(compat::set_key(rsa.0, n.as_ptr(), e.as_ptr(), d.as_ptr()))?;
|
||||||
compat::set_key(rsa.0, n.as_ptr(), e.as_ptr(), d.as_ptr()),
|
|
||||||
)?;
|
|
||||||
mem::forget((n, e, d));
|
mem::forget((n, e, d));
|
||||||
cvt(compat::set_factors(rsa.0, p.as_ptr(), q.as_ptr()))?;
|
cvt(compat::set_factors(rsa.0, p.as_ptr(), q.as_ptr()))?;
|
||||||
mem::forget((p, q));
|
mem::forget((p, q));
|
||||||
|
|
@ -490,7 +488,7 @@ mod test {
|
||||||
let mut result = vec![0; public_key.size()];
|
let mut result = vec![0; public_key.size()];
|
||||||
let original_data = b"This is test";
|
let original_data = b"This is test";
|
||||||
let len = public_key
|
let len = public_key
|
||||||
.public_encrypt(original_data, &mut result, PKCS1_PADDING)
|
.public_encrypt(original_data, &mut result, Padding::PKCS1)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
assert_eq!(len, 256);
|
assert_eq!(len, 256);
|
||||||
|
|
||||||
|
|
@ -498,7 +496,7 @@ mod test {
|
||||||
let private_key = Rsa::private_key_from_pem(pkey).unwrap();
|
let private_key = Rsa::private_key_from_pem(pkey).unwrap();
|
||||||
let mut dec_result = vec![0; private_key.size()];
|
let mut dec_result = vec![0; private_key.size()];
|
||||||
let len = private_key
|
let len = private_key
|
||||||
.private_decrypt(&result, &mut dec_result, PKCS1_PADDING)
|
.private_decrypt(&result, &mut dec_result, Padding::PKCS1)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
|
|
||||||
assert_eq!(&dec_result[..len], original_data);
|
assert_eq!(&dec_result[..len], original_data);
|
||||||
|
|
@ -513,9 +511,10 @@ mod test {
|
||||||
let msg = vec![0xdeu8, 0xadu8, 0xd0u8, 0x0du8];
|
let msg = vec![0xdeu8, 0xadu8, 0xd0u8, 0x0du8];
|
||||||
|
|
||||||
let mut emesg = vec![0; k0.size()];
|
let mut emesg = vec![0; k0.size()];
|
||||||
k0.private_encrypt(&msg, &mut emesg, PKCS1_PADDING).unwrap();
|
k0.private_encrypt(&msg, &mut emesg, Padding::PKCS1)
|
||||||
|
.unwrap();
|
||||||
let mut dmesg = vec![0; k1.size()];
|
let mut dmesg = vec![0; k1.size()];
|
||||||
let len = k1.public_decrypt(&emesg, &mut dmesg, PKCS1_PADDING)
|
let len = k1.public_decrypt(&emesg, &mut dmesg, Padding::PKCS1)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
assert_eq!(msg, &dmesg[..len]);
|
assert_eq!(msg, &dmesg[..len]);
|
||||||
}
|
}
|
||||||
|
|
@ -529,9 +528,9 @@ mod test {
|
||||||
let msg = vec![0xdeu8, 0xadu8, 0xd0u8, 0x0du8];
|
let msg = vec![0xdeu8, 0xadu8, 0xd0u8, 0x0du8];
|
||||||
|
|
||||||
let mut emesg = vec![0; k0.size()];
|
let mut emesg = vec![0; k0.size()];
|
||||||
k0.public_encrypt(&msg, &mut emesg, PKCS1_PADDING).unwrap();
|
k0.public_encrypt(&msg, &mut emesg, Padding::PKCS1).unwrap();
|
||||||
let mut dmesg = vec![0; k1.size()];
|
let mut dmesg = vec![0; k1.size()];
|
||||||
let len = k1.private_decrypt(&emesg, &mut dmesg, PKCS1_PADDING)
|
let len = k1.private_decrypt(&emesg, &mut dmesg, Padding::PKCS1)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
assert_eq!(msg, &dmesg[..len]);
|
assert_eq!(msg, &dmesg[..len]);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -353,8 +353,8 @@ mod test {
|
||||||
use hash::MessageDigest;
|
use hash::MessageDigest;
|
||||||
use sign::{Signer, Verifier};
|
use sign::{Signer, Verifier};
|
||||||
use ec::{EcGroup, EcKey};
|
use ec::{EcGroup, EcKey};
|
||||||
use nid;
|
use nid::Nid;
|
||||||
use rsa::{PKCS1_PADDING, Rsa};
|
use rsa::{Padding, Rsa};
|
||||||
use dsa::Dsa;
|
use dsa::Dsa;
|
||||||
use pkey::PKey;
|
use pkey::PKey;
|
||||||
|
|
||||||
|
|
@ -378,10 +378,10 @@ mod test {
|
||||||
let pkey = PKey::from_rsa(private_key).unwrap();
|
let pkey = PKey::from_rsa(private_key).unwrap();
|
||||||
|
|
||||||
let mut signer = Signer::new(MessageDigest::sha256(), &pkey).unwrap();
|
let mut signer = Signer::new(MessageDigest::sha256(), &pkey).unwrap();
|
||||||
assert_eq!(signer.pkey_ctx_mut().rsa_padding().unwrap(), PKCS1_PADDING);
|
assert_eq!(signer.pkey_ctx_mut().rsa_padding().unwrap(), Padding::PKCS1);
|
||||||
signer
|
signer
|
||||||
.pkey_ctx_mut()
|
.pkey_ctx_mut()
|
||||||
.set_rsa_padding(PKCS1_PADDING)
|
.set_rsa_padding(Padding::PKCS1)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
signer.update(&Vec::from_hex(INPUT).unwrap()).unwrap();
|
signer.update(&Vec::from_hex(INPUT).unwrap()).unwrap();
|
||||||
let result = signer.sign_to_vec().unwrap();
|
let result = signer.sign_to_vec().unwrap();
|
||||||
|
|
@ -398,7 +398,7 @@ mod test {
|
||||||
let mut verifier = Verifier::new(MessageDigest::sha256(), &pkey).unwrap();
|
let mut verifier = Verifier::new(MessageDigest::sha256(), &pkey).unwrap();
|
||||||
assert_eq!(
|
assert_eq!(
|
||||||
verifier.pkey_ctx_mut().rsa_padding().unwrap(),
|
verifier.pkey_ctx_mut().rsa_padding().unwrap(),
|
||||||
PKCS1_PADDING
|
Padding::PKCS1
|
||||||
);
|
);
|
||||||
verifier.update(&Vec::from_hex(INPUT).unwrap()).unwrap();
|
verifier.update(&Vec::from_hex(INPUT).unwrap()).unwrap();
|
||||||
assert!(verifier.verify(&Vec::from_hex(SIGNATURE).unwrap()).unwrap());
|
assert!(verifier.verify(&Vec::from_hex(SIGNATURE).unwrap()).unwrap());
|
||||||
|
|
@ -569,7 +569,7 @@ mod test {
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn ec() {
|
fn ec() {
|
||||||
let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
|
let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
|
||||||
let key = EcKey::generate(&group).unwrap();
|
let key = EcKey::generate(&group).unwrap();
|
||||||
let key = PKey::from_ec_key(key).unwrap();
|
let key = PKey::from_ec_key(key).unwrap();
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -3,8 +3,8 @@ use std::ops::{Deref, DerefMut};
|
||||||
|
|
||||||
use dh::Dh;
|
use dh::Dh;
|
||||||
use error::ErrorStack;
|
use error::ErrorStack;
|
||||||
use ssl::{self, HandshakeError, Ssl, SslRef, SslContext, SslContextBuilder, SslMethod, SslStream,
|
use ssl::{HandshakeError, Ssl, SslContext, SslContextBuilder, SslMethod, SslMode, SslOptions,
|
||||||
SSL_VERIFY_PEER};
|
SslRef, SslStream, SslVerifyMode};
|
||||||
use pkey::PKeyRef;
|
use pkey::PKeyRef;
|
||||||
use version;
|
use version;
|
||||||
use x509::X509Ref;
|
use x509::X509Ref;
|
||||||
|
|
@ -29,26 +29,21 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
||||||
fn ctx(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> {
|
fn ctx(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> {
|
||||||
let mut ctx = SslContextBuilder::new(method)?;
|
let mut ctx = SslContextBuilder::new(method)?;
|
||||||
|
|
||||||
let mut opts = ssl::SSL_OP_ALL;
|
let mut opts = SslOptions::ALL | SslOptions::NO_COMPRESSION | SslOptions::NO_SSLV2
|
||||||
opts &= !ssl::SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
|
| SslOptions::NO_SSLV3 | SslOptions::SINGLE_DH_USE
|
||||||
opts &= !ssl::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
|
| SslOptions::SINGLE_ECDH_USE | SslOptions::CIPHER_SERVER_PREFERENCE;
|
||||||
opts |= ssl::SSL_OP_NO_TICKET;
|
opts &= !SslOptions::DONT_INSERT_EMPTY_FRAGMENTS;
|
||||||
opts |= ssl::SSL_OP_NO_COMPRESSION;
|
|
||||||
opts |= ssl::SSL_OP_NO_SSLV2;
|
|
||||||
opts |= ssl::SSL_OP_NO_SSLV3;
|
|
||||||
opts |= ssl::SSL_OP_SINGLE_DH_USE;
|
|
||||||
opts |= ssl::SSL_OP_SINGLE_ECDH_USE;
|
|
||||||
opts |= ssl::SSL_OP_CIPHER_SERVER_PREFERENCE;
|
|
||||||
ctx.set_options(opts);
|
ctx.set_options(opts);
|
||||||
|
|
||||||
let mut mode = ssl::SSL_MODE_AUTO_RETRY | ssl::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
|
let mut mode =
|
||||||
| ssl::SSL_MODE_ENABLE_PARTIAL_WRITE;
|
SslMode::AUTO_RETRY | SslMode::ACCEPT_MOVING_WRITE_BUFFER | SslMode::ENABLE_PARTIAL_WRITE;
|
||||||
|
|
||||||
// This is quite a useful optimization for saving memory, but historically
|
// This is quite a useful optimization for saving memory, but historically
|
||||||
// caused CVEs in OpenSSL pre-1.0.1h, according to
|
// caused CVEs in OpenSSL pre-1.0.1h, according to
|
||||||
// https://bugs.python.org/issue25672
|
// https://bugs.python.org/issue25672
|
||||||
if version::number() >= 0x1000108f {
|
if version::number() >= 0x1000108f {
|
||||||
mode |= ssl::SSL_MODE_RELEASE_BUFFERS;
|
mode |= SslMode::RELEASE_BUFFERS;
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx.set_mode(mode);
|
ctx.set_mode(mode);
|
||||||
|
|
@ -152,7 +147,11 @@ impl SslConnector {
|
||||||
|
|
||||||
/// Returns a structure allowing for configuration of a single TLS session before connection.
|
/// Returns a structure allowing for configuration of a single TLS session before connection.
|
||||||
pub fn configure(&self) -> Result<ConnectConfiguration, ErrorStack> {
|
pub fn configure(&self) -> Result<ConnectConfiguration, ErrorStack> {
|
||||||
Ssl::new(&self.0).map(|ssl| ConnectConfiguration { ssl, sni: true, verify_hostname: true })
|
Ssl::new(&self.0).map(|ssl| ConnectConfiguration {
|
||||||
|
ssl,
|
||||||
|
sni: true,
|
||||||
|
verify_hostname: true,
|
||||||
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -228,7 +227,9 @@ impl ConnectConfiguration {
|
||||||
where
|
where
|
||||||
S: Read + Write,
|
S: Read + Write,
|
||||||
{
|
{
|
||||||
self.use_server_name_indication(false).verify_hostname(false).connect("", stream)
|
self.use_server_name_indication(false)
|
||||||
|
.verify_hostname(false)
|
||||||
|
.connect("", stream)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -379,9 +380,9 @@ impl DerefMut for SslAcceptorBuilder {
|
||||||
#[cfg(ossl101)]
|
#[cfg(ossl101)]
|
||||||
fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> {
|
fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> {
|
||||||
use ec::EcKey;
|
use ec::EcKey;
|
||||||
use nid;
|
use nid::Nid;
|
||||||
|
|
||||||
let curve = EcKey::from_curve_name(nid::X9_62_PRIME256V1)?;
|
let curve = EcKey::from_curve_name(Nid::X9_62_PRIME256V1)?;
|
||||||
ctx.set_tmp_ecdh(&curve)
|
ctx.set_tmp_ecdh(&curve)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -415,12 +416,12 @@ impl SslAcceptor {
|
||||||
|
|
||||||
#[cfg(any(ossl102, ossl110))]
|
#[cfg(any(ossl102, ossl110))]
|
||||||
fn setup_verify(ctx: &mut SslContextBuilder) {
|
fn setup_verify(ctx: &mut SslContextBuilder) {
|
||||||
ctx.set_verify(SSL_VERIFY_PEER);
|
ctx.set_verify(SslVerifyMode::PEER);
|
||||||
}
|
}
|
||||||
|
|
||||||
#[cfg(ossl101)]
|
#[cfg(ossl101)]
|
||||||
fn setup_verify(ctx: &mut SslContextBuilder) {
|
fn setup_verify(ctx: &mut SslContextBuilder) {
|
||||||
ctx.set_verify_callback(SSL_VERIFY_PEER, |p, x509| {
|
ctx.set_verify_callback(SslVerifyMode::PEER, |p, x509| {
|
||||||
let hostname = match x509.ssl() {
|
let hostname = match x509.ssl() {
|
||||||
Ok(Some(ssl)) => ssl.ex_data(*HOSTNAME_IDX),
|
Ok(Some(ssl)) => ssl.ex_data(*HOSTNAME_IDX),
|
||||||
_ => None,
|
_ => None,
|
||||||
|
|
@ -435,7 +436,7 @@ fn setup_verify(ctx: &mut SslContextBuilder) {
|
||||||
#[cfg(any(ossl102, ossl110))]
|
#[cfg(any(ossl102, ossl110))]
|
||||||
fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> {
|
fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> {
|
||||||
let param = ssl._param_mut();
|
let param = ssl._param_mut();
|
||||||
param.set_hostflags(::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
|
param.set_hostflags(::verify::X509CheckFlags::NO_PARTIAL_WILDCARDS);
|
||||||
match domain.parse() {
|
match domain.parse() {
|
||||||
Ok(ip) => param.set_ip(ip),
|
Ok(ip) => param.set_ip(ip),
|
||||||
Err(_) => param.set_host(domain),
|
Err(_) => param.set_host(domain),
|
||||||
|
|
@ -454,7 +455,7 @@ mod verify {
|
||||||
use std::net::IpAddr;
|
use std::net::IpAddr;
|
||||||
use std::str;
|
use std::str;
|
||||||
|
|
||||||
use nid;
|
use nid::Nid;
|
||||||
use x509::{GeneralName, X509NameRef, X509Ref, X509StoreContextRef};
|
use x509::{GeneralName, X509NameRef, X509Ref, X509StoreContextRef};
|
||||||
use stack::Stack;
|
use stack::Stack;
|
||||||
|
|
||||||
|
|
@ -506,7 +507,7 @@ mod verify {
|
||||||
}
|
}
|
||||||
|
|
||||||
fn verify_subject_name(domain: &str, subject_name: &X509NameRef) -> bool {
|
fn verify_subject_name(domain: &str, subject_name: &X509NameRef) -> bool {
|
||||||
match subject_name.entries_by_nid(nid::COMMONNAME).next() {
|
match subject_name.entries_by_nid(Nid::COMMONNAME).next() {
|
||||||
Some(pattern) => {
|
Some(pattern) => {
|
||||||
let pattern = match str::from_utf8(pattern.data().as_slice()) {
|
let pattern = match str::from_utf8(pattern.data().as_slice()) {
|
||||||
Ok(pattern) => pattern,
|
Ok(pattern) => pattern,
|
||||||
|
|
@ -516,7 +517,10 @@ mod verify {
|
||||||
// Unlike SANs, IP addresses in the subject name don't have a
|
// Unlike SANs, IP addresses in the subject name don't have a
|
||||||
// different encoding.
|
// different encoding.
|
||||||
match domain.parse::<IpAddr>() {
|
match domain.parse::<IpAddr>() {
|
||||||
Ok(ip) => pattern.parse::<IpAddr>().ok().map_or(false, |pattern| pattern == ip),
|
Ok(ip) => pattern
|
||||||
|
.parse::<IpAddr>()
|
||||||
|
.ok()
|
||||||
|
.map_or(false, |pattern| pattern == ip),
|
||||||
Err(_) => matches_dns(pattern, domain),
|
Err(_) => matches_dns(pattern, domain),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -97,7 +97,7 @@ use dh::{Dh, DhRef};
|
||||||
use ec::EcKeyRef;
|
use ec::EcKeyRef;
|
||||||
#[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))]
|
#[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))]
|
||||||
use ec::EcKey;
|
use ec::EcKey;
|
||||||
use x509::{X509, X509FileType, X509Name, X509Ref, X509StoreContextRef, X509VerifyError};
|
use x509::{X509, X509Filetype, X509Name, X509Ref, X509StoreContextRef, X509VerifyError};
|
||||||
use x509::store::{X509StoreBuilderRef, X509StoreRef};
|
use x509::store::{X509StoreBuilderRef, X509StoreRef};
|
||||||
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
|
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
|
||||||
use x509::store::X509Store;
|
use x509::store::X509Store;
|
||||||
|
|
@ -121,106 +121,85 @@ mod bio;
|
||||||
#[cfg(test)]
|
#[cfg(test)]
|
||||||
mod tests;
|
mod tests;
|
||||||
|
|
||||||
// FIXME drop SSL_ prefix
|
|
||||||
// FIXME remvove flags not used in OpenSSL 1.1
|
|
||||||
bitflags! {
|
bitflags! {
|
||||||
/// Options controlling the behavior of an `SslContext`.
|
/// Options controlling the behavior of an `SslContext`.
|
||||||
pub struct SslOption: c_ulong {
|
pub struct SslOptions: c_ulong {
|
||||||
// FIXME remove
|
|
||||||
const SSL_OP_MICROSOFT_SESS_ID_BUG = ffi::SSL_OP_MICROSOFT_SESS_ID_BUG;
|
|
||||||
// FIXME remove
|
|
||||||
const SSL_OP_NETSCAPE_CHALLENGE_BUG = ffi::SSL_OP_NETSCAPE_CHALLENGE_BUG;
|
|
||||||
// FIXME remove
|
|
||||||
const SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG =
|
|
||||||
ffi::SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
|
|
||||||
// FIXME remove
|
|
||||||
const SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER = ffi::SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER;
|
|
||||||
// FIXME remove
|
|
||||||
const SSL_OP_SSLEAY_080_CLIENT_DH_BUG = ffi::SSL_OP_SSLEAY_080_CLIENT_DH_BUG;
|
|
||||||
// FIXME remove
|
|
||||||
const SSL_OP_TLS_D5_BUG = ffi::SSL_OP_TLS_D5_BUG;
|
|
||||||
// FIXME remove
|
|
||||||
const SSL_OP_TLS_BLOCK_PADDING_BUG = ffi::SSL_OP_TLS_BLOCK_PADDING_BUG;
|
|
||||||
|
|
||||||
// FIXME remove? not documented anywhere
|
|
||||||
const SSL_OP_CISCO_ANYCONNECT = ffi::SSL_OP_CISCO_ANYCONNECT;
|
|
||||||
|
|
||||||
/// Disables a countermeasure against an SSLv3/TLSv1.0 vulnerability affecting CBC ciphers.
|
/// Disables a countermeasure against an SSLv3/TLSv1.0 vulnerability affecting CBC ciphers.
|
||||||
const SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = ffi::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
|
const DONT_INSERT_EMPTY_FRAGMENTS = ffi::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
|
||||||
|
|
||||||
/// A "reasonable default" set of options which enables compatibility flags.
|
/// A "reasonable default" set of options which enables compatibility flags.
|
||||||
const SSL_OP_ALL = ffi::SSL_OP_ALL;
|
const ALL = ffi::SSL_OP_ALL;
|
||||||
|
|
||||||
/// Do not query the MTU.
|
/// Do not query the MTU.
|
||||||
///
|
///
|
||||||
/// Only affects DTLS connections.
|
/// Only affects DTLS connections.
|
||||||
const SSL_OP_NO_QUERY_MTU = ffi::SSL_OP_NO_QUERY_MTU;
|
const NO_QUERY_MTU = ffi::SSL_OP_NO_QUERY_MTU;
|
||||||
|
|
||||||
/// Enables Cookie Exchange as described in [RFC 4347 Section 4.2.1].
|
/// Enables Cookie Exchange as described in [RFC 4347 Section 4.2.1].
|
||||||
///
|
///
|
||||||
/// Only affects DTLS connections.
|
/// Only affects DTLS connections.
|
||||||
///
|
///
|
||||||
/// [RFC 4347 Section 4.2.1]: https://tools.ietf.org/html/rfc4347#section-4.2.1
|
/// [RFC 4347 Section 4.2.1]: https://tools.ietf.org/html/rfc4347#section-4.2.1
|
||||||
const SSL_OP_COOKIE_EXCHANGE = ffi::SSL_OP_COOKIE_EXCHANGE;
|
const COOKIE_EXCHANGE = ffi::SSL_OP_COOKIE_EXCHANGE;
|
||||||
|
|
||||||
/// Disables the use of session tickets for session resumption.
|
/// Disables the use of session tickets for session resumption.
|
||||||
const SSL_OP_NO_TICKET = ffi::SSL_OP_NO_TICKET;
|
const NO_TICKET = ffi::SSL_OP_NO_TICKET;
|
||||||
|
|
||||||
/// Always start a new session when performing a renegotiation on the server side.
|
/// Always start a new session when performing a renegotiation on the server side.
|
||||||
const SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION =
|
const NO_SESSION_RESUMPTION_ON_RENEGOTIATION =
|
||||||
ffi::SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
|
ffi::SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
|
||||||
|
|
||||||
/// Disables the use of TLS compression.
|
/// Disables the use of TLS compression.
|
||||||
const SSL_OP_NO_COMPRESSION = ffi::SSL_OP_NO_COMPRESSION;
|
const NO_COMPRESSION = ffi::SSL_OP_NO_COMPRESSION;
|
||||||
|
|
||||||
/// Allow legacy insecure renegotiation with servers or clients that do not support secure
|
/// Allow legacy insecure renegotiation with servers or clients that do not support secure
|
||||||
/// renegotiation.
|
/// renegotiation.
|
||||||
const SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION =
|
const ALLOW_UNSAFE_LEGACY_RENEGOTIATION =
|
||||||
ffi::SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
|
ffi::SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
|
||||||
|
|
||||||
/// Creates a new key for each session when using ECDHE.
|
/// Creates a new key for each session when using ECDHE.
|
||||||
///
|
///
|
||||||
/// This is always enabled in OpenSSL 1.1.0.
|
/// This is always enabled in OpenSSL 1.1.0.
|
||||||
const SSL_OP_SINGLE_ECDH_USE = ffi::SSL_OP_SINGLE_ECDH_USE;
|
const SINGLE_ECDH_USE = ffi::SSL_OP_SINGLE_ECDH_USE;
|
||||||
|
|
||||||
/// Creates a new key for each session when using DHE.
|
/// Creates a new key for each session when using DHE.
|
||||||
///
|
///
|
||||||
/// This is always enabled in OpenSSL 1.1.0.
|
/// This is always enabled in OpenSSL 1.1.0.
|
||||||
const SSL_OP_SINGLE_DH_USE = ffi::SSL_OP_SINGLE_DH_USE;
|
const SINGLE_DH_USE = ffi::SSL_OP_SINGLE_DH_USE;
|
||||||
|
|
||||||
/// Use the server's preferences rather than the client's when selecting a cipher.
|
/// Use the server's preferences rather than the client's when selecting a cipher.
|
||||||
///
|
///
|
||||||
/// This has no effect on the client side.
|
/// This has no effect on the client side.
|
||||||
const SSL_OP_CIPHER_SERVER_PREFERENCE = ffi::SSL_OP_CIPHER_SERVER_PREFERENCE;
|
const CIPHER_SERVER_PREFERENCE = ffi::SSL_OP_CIPHER_SERVER_PREFERENCE;
|
||||||
|
|
||||||
/// Disables version rollback attach detection.
|
/// Disables version rollback attach detection.
|
||||||
const SSL_OP_TLS_ROLLBACK_BUG = ffi::SSL_OP_TLS_ROLLBACK_BUG;
|
const TLS_ROLLBACK_BUG = ffi::SSL_OP_TLS_ROLLBACK_BUG;
|
||||||
|
|
||||||
/// Disables the use of SSLv2.
|
/// Disables the use of SSLv2.
|
||||||
const SSL_OP_NO_SSLV2 = ffi::SSL_OP_NO_SSLv2;
|
const NO_SSLV2 = ffi::SSL_OP_NO_SSLv2;
|
||||||
|
|
||||||
/// Disables the use of SSLv3.
|
/// Disables the use of SSLv3.
|
||||||
const SSL_OP_NO_SSLV3 = ffi::SSL_OP_NO_SSLv3;
|
const NO_SSLV3 = ffi::SSL_OP_NO_SSLv3;
|
||||||
|
|
||||||
/// Disables the use of TLSv1.0.
|
/// Disables the use of TLSv1.0.
|
||||||
const SSL_OP_NO_TLSV1 = ffi::SSL_OP_NO_TLSv1;
|
const NO_TLSV1 = ffi::SSL_OP_NO_TLSv1;
|
||||||
|
|
||||||
/// Disables the use of TLSv1.1.
|
/// Disables the use of TLSv1.1.
|
||||||
const SSL_OP_NO_TLSV1_1 = ffi::SSL_OP_NO_TLSv1_1;
|
const NO_TLSV1_1 = ffi::SSL_OP_NO_TLSv1_1;
|
||||||
|
|
||||||
/// Disables the use of TLSv1.2.
|
/// Disables the use of TLSv1.2.
|
||||||
const SSL_OP_NO_TLSV1_2 = ffi::SSL_OP_NO_TLSv1_2;
|
const NO_TLSV1_2 = ffi::SSL_OP_NO_TLSv1_2;
|
||||||
|
|
||||||
/// Disables the use of DTLSv1.0
|
/// Disables the use of DTLSv1.0
|
||||||
///
|
///
|
||||||
/// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0.
|
/// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0.
|
||||||
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
|
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
|
||||||
const SSL_OP_NO_DTLSV1 = ffi::SSL_OP_NO_DTLSv1;
|
const NO_DTLSV1 = ffi::SSL_OP_NO_DTLSv1;
|
||||||
|
|
||||||
/// Disables the use of DTLSv1.2.
|
/// Disables the use of DTLSv1.2.
|
||||||
/// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0.
|
/// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0.
|
||||||
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
|
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
|
||||||
const SSL_OP_NO_DTLSV1_2 = ffi::SSL_OP_NO_DTLSv1_2;
|
const NO_DTLSV1_2 = ffi::SSL_OP_NO_DTLSv1_2;
|
||||||
|
|
||||||
/// Disables the use of all (D)TLS protocol versions.
|
/// Disables the use of all (D)TLS protocol versions.
|
||||||
///
|
///
|
||||||
|
|
@ -233,12 +212,12 @@ bitflags! {
|
||||||
/// Only support TLSv1.2:
|
/// Only support TLSv1.2:
|
||||||
///
|
///
|
||||||
/// ```rust
|
/// ```rust
|
||||||
/// use openssl::ssl::{SSL_OP_NO_SSL_MASK, SSL_OP_NO_TLSV1_2};
|
/// use openssl::ssl::SslOptions;
|
||||||
///
|
///
|
||||||
/// let options = SSL_OP_NO_SSL_MASK & !SSL_OP_NO_TLSV1_2;
|
/// let options = SslOptions::NO_SSL_MASK & !SslOptions::NO_TLSV1_2;
|
||||||
/// ```
|
/// ```
|
||||||
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
|
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
|
||||||
const SSL_OP_NO_SSL_MASK = ffi::SSL_OP_NO_SSL_MASK;
|
const NO_SSL_MASK = ffi::SSL_OP_NO_SSL_MASK;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -250,11 +229,11 @@ bitflags! {
|
||||||
/// Normally, a write in OpenSSL will always write out all of the requested data, even if it
|
/// Normally, a write in OpenSSL will always write out all of the requested data, even if it
|
||||||
/// requires more than one TLS record or write to the underlying stream. This option will
|
/// requires more than one TLS record or write to the underlying stream. This option will
|
||||||
/// cause a write to return after writing a single TLS record instead.
|
/// cause a write to return after writing a single TLS record instead.
|
||||||
const SSL_MODE_ENABLE_PARTIAL_WRITE = ffi::SSL_MODE_ENABLE_PARTIAL_WRITE;
|
const ENABLE_PARTIAL_WRITE = ffi::SSL_MODE_ENABLE_PARTIAL_WRITE;
|
||||||
|
|
||||||
/// Disables a check that the data buffer has not moved between calls when operating in a
|
/// Disables a check that the data buffer has not moved between calls when operating in a
|
||||||
/// nonblocking context.
|
/// nonblocking context.
|
||||||
const SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER = ffi::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
|
const ACCEPT_MOVING_WRITE_BUFFER = ffi::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
|
||||||
|
|
||||||
/// Enables automatic retries after TLS session events such as renegotiations or heartbeats.
|
/// Enables automatic retries after TLS session events such as renegotiations or heartbeats.
|
||||||
///
|
///
|
||||||
|
|
@ -265,25 +244,19 @@ bitflags! {
|
||||||
/// Note that `SslStream::read` and `SslStream::write` will automatically retry regardless
|
/// Note that `SslStream::read` and `SslStream::write` will automatically retry regardless
|
||||||
/// of the state of this option. It only affects `SslStream::ssl_read` and
|
/// of the state of this option. It only affects `SslStream::ssl_read` and
|
||||||
/// `SslStream::ssl_write`.
|
/// `SslStream::ssl_write`.
|
||||||
const SSL_MODE_AUTO_RETRY = ffi::SSL_MODE_AUTO_RETRY;
|
const AUTO_RETRY = ffi::SSL_MODE_AUTO_RETRY;
|
||||||
|
|
||||||
/// Disables automatic chain building when verifying a peer's certificate.
|
/// Disables automatic chain building when verifying a peer's certificate.
|
||||||
///
|
///
|
||||||
/// TLS peers are responsible for sending the entire certificate chain from the leaf to a
|
/// TLS peers are responsible for sending the entire certificate chain from the leaf to a
|
||||||
/// trusted root, but some will incorrectly not do so. OpenSSL will try to build the chain
|
/// trusted root, but some will incorrectly not do so. OpenSSL will try to build the chain
|
||||||
/// out of certificates it knows of, and this option will disable that behavior.
|
/// out of certificates it knows of, and this option will disable that behavior.
|
||||||
const SSL_MODE_NO_AUTO_CHAIN = ffi::SSL_MODE_NO_AUTO_CHAIN;
|
const NO_AUTO_CHAIN = ffi::SSL_MODE_NO_AUTO_CHAIN;
|
||||||
|
|
||||||
/// Release memory buffers when the session does not need them.
|
/// Release memory buffers when the session does not need them.
|
||||||
///
|
///
|
||||||
/// This saves ~34 KiB of memory for idle streams.
|
/// This saves ~34 KiB of memory for idle streams.
|
||||||
const SSL_MODE_RELEASE_BUFFERS = ffi::SSL_MODE_RELEASE_BUFFERS;
|
const RELEASE_BUFFERS = ffi::SSL_MODE_RELEASE_BUFFERS;
|
||||||
|
|
||||||
// FIXME remove
|
|
||||||
#[cfg(not(libressl))]
|
|
||||||
const SSL_MODE_SEND_CLIENTHELLO_TIME = ffi::SSL_MODE_SEND_CLIENTHELLO_TIME;
|
|
||||||
#[cfg(not(libressl))]
|
|
||||||
const SSL_MODE_SEND_SERVERHELLO_TIME = ffi::SSL_MODE_SEND_SERVERHELLO_TIME;
|
|
||||||
|
|
||||||
/// Sends the fake `TLS_FALLBACK_SCSV` cipher suite in the ClientHello message of a
|
/// Sends the fake `TLS_FALLBACK_SCSV` cipher suite in the ClientHello message of a
|
||||||
/// handshake.
|
/// handshake.
|
||||||
|
|
@ -293,7 +266,7 @@ bitflags! {
|
||||||
///
|
///
|
||||||
/// Do not use this unless you know what you're doing!
|
/// Do not use this unless you know what you're doing!
|
||||||
#[cfg(not(libressl))]
|
#[cfg(not(libressl))]
|
||||||
const SSL_MODE_SEND_FALLBACK_SCSV = ffi::SSL_MODE_SEND_FALLBACK_SCSV;
|
const SEND_FALLBACK_SCSV = ffi::SSL_MODE_SEND_FALLBACK_SCSV;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -335,19 +308,19 @@ bitflags! {
|
||||||
/// Verifies that the peer's certificate is trusted.
|
/// Verifies that the peer's certificate is trusted.
|
||||||
///
|
///
|
||||||
/// On the server side, this will cause OpenSSL to request a certificate from the client.
|
/// On the server side, this will cause OpenSSL to request a certificate from the client.
|
||||||
const SSL_VERIFY_PEER = ::ffi::SSL_VERIFY_PEER;
|
const PEER = ::ffi::SSL_VERIFY_PEER;
|
||||||
|
|
||||||
/// Disables verification of the peer's certificate.
|
/// Disables verification of the peer's certificate.
|
||||||
///
|
///
|
||||||
/// On the server side, this will cause OpenSSL to not request a certificate from the
|
/// On the server side, this will cause OpenSSL to not request a certificate from the
|
||||||
/// client. On the client side, the certificate will be checked for validity, but the
|
/// client. On the client side, the certificate will be checked for validity, but the
|
||||||
/// negotiation will continue regardless of the result of that check.
|
/// negotiation will continue regardless of the result of that check.
|
||||||
const SSL_VERIFY_NONE = ::ffi::SSL_VERIFY_NONE;
|
const NONE = ::ffi::SSL_VERIFY_NONE;
|
||||||
|
|
||||||
/// On the server side, abort the handshake if the client did not send a certificate.
|
/// On the server side, abort the handshake if the client did not send a certificate.
|
||||||
///
|
///
|
||||||
/// This should be paired with `SSL_VERIFY_PEER`. It has no effect on the client side.
|
/// This should be paired with `SSL_VERIFY_PEER`. It has no effect on the client side.
|
||||||
const SSL_VERIFY_FAIL_IF_NO_PEER_CERT = ::ffi::SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
|
const FAIL_IF_NO_PEER_CERT = ::ffi::SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -365,10 +338,10 @@ impl StatusType {
|
||||||
pub fn as_raw(&self) -> c_int {
|
pub fn as_raw(&self) -> c_int {
|
||||||
self.0
|
self.0
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
/// An OSCP status.
|
/// An OSCP status.
|
||||||
pub const STATUS_TYPE_OCSP: StatusType = StatusType(ffi::TLSEXT_STATUSTYPE_ocsp);
|
pub const OCSP: StatusType = StatusType(ffi::TLSEXT_STATUSTYPE_ocsp);
|
||||||
|
}
|
||||||
|
|
||||||
lazy_static! {
|
lazy_static! {
|
||||||
static ref INDEXES: Mutex<HashMap<TypeId, c_int>> = Mutex::new(HashMap::new());
|
static ref INDEXES: Mutex<HashMap<TypeId, c_int>> = Mutex::new(HashMap::new());
|
||||||
|
|
@ -771,7 +744,7 @@ impl SslContextBuilder {
|
||||||
pub fn set_certificate_file<P: AsRef<Path>>(
|
pub fn set_certificate_file<P: AsRef<Path>>(
|
||||||
&mut self,
|
&mut self,
|
||||||
file: P,
|
file: P,
|
||||||
file_type: X509FileType,
|
file_type: X509Filetype,
|
||||||
) -> Result<(), ErrorStack> {
|
) -> Result<(), ErrorStack> {
|
||||||
let file = CString::new(file.as_ref().as_os_str().to_str().unwrap()).unwrap();
|
let file = CString::new(file.as_ref().as_os_str().to_str().unwrap()).unwrap();
|
||||||
unsafe {
|
unsafe {
|
||||||
|
|
@ -840,7 +813,7 @@ impl SslContextBuilder {
|
||||||
pub fn set_private_key_file<P: AsRef<Path>>(
|
pub fn set_private_key_file<P: AsRef<Path>>(
|
||||||
&mut self,
|
&mut self,
|
||||||
file: P,
|
file: P,
|
||||||
file_type: X509FileType,
|
file_type: X509Filetype,
|
||||||
) -> Result<(), ErrorStack> {
|
) -> Result<(), ErrorStack> {
|
||||||
let file = CString::new(file.as_ref().as_os_str().to_str().unwrap()).unwrap();
|
let file = CString::new(file.as_ref().as_os_str().to_str().unwrap()).unwrap();
|
||||||
unsafe {
|
unsafe {
|
||||||
|
|
@ -900,9 +873,9 @@ impl SslContextBuilder {
|
||||||
/// This corresponds to [`SSL_CTX_set_options`].
|
/// This corresponds to [`SSL_CTX_set_options`].
|
||||||
///
|
///
|
||||||
/// [`SSL_CTX_set_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html
|
/// [`SSL_CTX_set_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html
|
||||||
pub fn set_options(&mut self, option: SslOption) -> SslOption {
|
pub fn set_options(&mut self, option: SslOptions) -> SslOptions {
|
||||||
let ret = unsafe { compat::SSL_CTX_set_options(self.as_ptr(), option.bits()) };
|
let ret = unsafe { compat::SSL_CTX_set_options(self.as_ptr(), option.bits()) };
|
||||||
SslOption::from_bits(ret).unwrap()
|
SslOptions::from_bits(ret).unwrap()
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Returns the options used by the context.
|
/// Returns the options used by the context.
|
||||||
|
|
@ -910,9 +883,9 @@ impl SslContextBuilder {
|
||||||
/// This corresponds to [`SSL_CTX_get_options`].
|
/// This corresponds to [`SSL_CTX_get_options`].
|
||||||
///
|
///
|
||||||
/// [`SSL_CTX_get_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html
|
/// [`SSL_CTX_get_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html
|
||||||
pub fn options(&self) -> SslOption {
|
pub fn options(&self) -> SslOptions {
|
||||||
let ret = unsafe { compat::SSL_CTX_get_options(self.as_ptr()) };
|
let ret = unsafe { compat::SSL_CTX_get_options(self.as_ptr()) };
|
||||||
SslOption::from_bits(ret).unwrap()
|
SslOptions::from_bits(ret).unwrap()
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Clears the options used by the context, returning the old set.
|
/// Clears the options used by the context, returning the old set.
|
||||||
|
|
@ -920,9 +893,9 @@ impl SslContextBuilder {
|
||||||
/// This corresponds to [`SSL_CTX_clear_options`].
|
/// This corresponds to [`SSL_CTX_clear_options`].
|
||||||
///
|
///
|
||||||
/// [`SSL_CTX_clear_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html
|
/// [`SSL_CTX_clear_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html
|
||||||
pub fn clear_options(&mut self, option: SslOption) -> SslOption {
|
pub fn clear_options(&mut self, option: SslOptions) -> SslOptions {
|
||||||
let ret = unsafe { compat::SSL_CTX_clear_options(self.as_ptr(), option.bits()) };
|
let ret = unsafe { compat::SSL_CTX_clear_options(self.as_ptr(), option.bits()) };
|
||||||
SslOption::from_bits(ret).unwrap()
|
SslOptions::from_bits(ret).unwrap()
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Set the protocols to be used during Next Protocol Negotiation (the protocols
|
/// Set the protocols to be used during Next Protocol Negotiation (the protocols
|
||||||
|
|
|
||||||
|
|
@ -16,13 +16,13 @@ use tempdir::TempDir;
|
||||||
|
|
||||||
use dh::Dh;
|
use dh::Dh;
|
||||||
use hash::MessageDigest;
|
use hash::MessageDigest;
|
||||||
use ocsp::{OcspResponse, RESPONSE_STATUS_UNAUTHORIZED};
|
use ocsp::{OcspResponse, OcspResponseStatus};
|
||||||
use ssl;
|
use ssl;
|
||||||
use ssl::{Error, HandshakeError, ShutdownResult, Ssl, SslAcceptorBuilder, SslConnectorBuilder,
|
use ssl::{Error, HandshakeError, ShutdownResult, Ssl, SslAcceptorBuilder, SslConnectorBuilder,
|
||||||
SslContext, SslMethod, SslStream, SSL_VERIFY_NONE, SSL_VERIFY_PEER, STATUS_TYPE_OCSP};
|
SslContext, SslMethod, SslStream, SslVerifyMode, StatusType};
|
||||||
use x509::{X509, X509Name, X509StoreContext, X509_FILETYPE_PEM};
|
use x509::{X509, X509Filetype, X509Name, X509StoreContext};
|
||||||
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
|
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
|
||||||
use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
|
use x509::verify::X509CheckFlags;
|
||||||
use pkey::PKey;
|
use pkey::PKey;
|
||||||
|
|
||||||
use std::net::UdpSocket;
|
use std::net::UdpSocket;
|
||||||
|
|
@ -131,8 +131,7 @@ macro_rules! run_test(
|
||||||
use std::net::TcpStream;
|
use std::net::TcpStream;
|
||||||
use ssl;
|
use ssl;
|
||||||
use ssl::SslMethod;
|
use ssl::SslMethod;
|
||||||
use ssl::{SslContext, Ssl, SslStream};
|
use ssl::{SslContext, Ssl, SslStream, SslVerifyMode, SslOptions};
|
||||||
use ssl::SSL_VERIFY_PEER;
|
|
||||||
use hash::MessageDigest;
|
use hash::MessageDigest;
|
||||||
use x509::X509StoreContext;
|
use x509::X509StoreContext;
|
||||||
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
|
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
|
||||||
|
|
@ -160,7 +159,7 @@ run_test!(new_ctx, |method, _| {
|
||||||
|
|
||||||
run_test!(verify_untrusted, |method, stream| {
|
run_test!(verify_untrusted, |method, stream| {
|
||||||
let mut ctx = SslContext::builder(method).unwrap();
|
let mut ctx = SslContext::builder(method).unwrap();
|
||||||
ctx.set_verify(SSL_VERIFY_PEER);
|
ctx.set_verify(SslVerifyMode::PEER);
|
||||||
|
|
||||||
match Ssl::new(&ctx.build()).unwrap().connect(stream) {
|
match Ssl::new(&ctx.build()).unwrap().connect(stream) {
|
||||||
Ok(_) => panic!("expected failure"),
|
Ok(_) => panic!("expected failure"),
|
||||||
|
|
@ -170,7 +169,7 @@ run_test!(verify_untrusted, |method, stream| {
|
||||||
|
|
||||||
run_test!(verify_trusted, |method, stream| {
|
run_test!(verify_trusted, |method, stream| {
|
||||||
let mut ctx = SslContext::builder(method).unwrap();
|
let mut ctx = SslContext::builder(method).unwrap();
|
||||||
ctx.set_verify(SSL_VERIFY_PEER);
|
ctx.set_verify(SslVerifyMode::PEER);
|
||||||
|
|
||||||
match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
|
match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
|
||||||
Ok(_) => {}
|
Ok(_) => {}
|
||||||
|
|
@ -189,7 +188,7 @@ run_test!(verify_trusted_with_set_cert, |method, stream| {
|
||||||
store.add_cert(x509).unwrap();
|
store.add_cert(x509).unwrap();
|
||||||
|
|
||||||
let mut ctx = SslContext::builder(method).unwrap();
|
let mut ctx = SslContext::builder(method).unwrap();
|
||||||
ctx.set_verify(SSL_VERIFY_PEER);
|
ctx.set_verify(SslVerifyMode::PEER);
|
||||||
|
|
||||||
match ctx.set_verify_cert_store(store.build()) {
|
match ctx.set_verify_cert_store(store.build()) {
|
||||||
Ok(_) => {}
|
Ok(_) => {}
|
||||||
|
|
@ -203,7 +202,7 @@ run_test!(verify_trusted_with_set_cert, |method, stream| {
|
||||||
|
|
||||||
run_test!(verify_untrusted_callback_override_ok, |method, stream| {
|
run_test!(verify_untrusted_callback_override_ok, |method, stream| {
|
||||||
let mut ctx = SslContext::builder(method).unwrap();
|
let mut ctx = SslContext::builder(method).unwrap();
|
||||||
ctx.set_verify_callback(SSL_VERIFY_PEER, |_, _| true);
|
ctx.set_verify_callback(SslVerifyMode::PEER, |_, _| true);
|
||||||
|
|
||||||
match Ssl::new(&ctx.build()).unwrap().connect(stream) {
|
match Ssl::new(&ctx.build()).unwrap().connect(stream) {
|
||||||
Ok(_) => (),
|
Ok(_) => (),
|
||||||
|
|
@ -213,14 +212,14 @@ run_test!(verify_untrusted_callback_override_ok, |method, stream| {
|
||||||
|
|
||||||
run_test!(verify_untrusted_callback_override_bad, |method, stream| {
|
run_test!(verify_untrusted_callback_override_bad, |method, stream| {
|
||||||
let mut ctx = SslContext::builder(method).unwrap();
|
let mut ctx = SslContext::builder(method).unwrap();
|
||||||
ctx.set_verify_callback(SSL_VERIFY_PEER, |_, _| false);
|
ctx.set_verify_callback(SslVerifyMode::PEER, |_, _| false);
|
||||||
|
|
||||||
assert!(Ssl::new(&ctx.build()).unwrap().connect(stream).is_err());
|
assert!(Ssl::new(&ctx.build()).unwrap().connect(stream).is_err());
|
||||||
});
|
});
|
||||||
|
|
||||||
run_test!(verify_trusted_callback_override_ok, |method, stream| {
|
run_test!(verify_trusted_callback_override_ok, |method, stream| {
|
||||||
let mut ctx = SslContext::builder(method).unwrap();
|
let mut ctx = SslContext::builder(method).unwrap();
|
||||||
ctx.set_verify_callback(SSL_VERIFY_PEER, |_, _| true);
|
ctx.set_verify_callback(SslVerifyMode::PEER, |_, _| true);
|
||||||
|
|
||||||
match ctx.set_ca_file(&Path::new("test/cert.pem")) {
|
match ctx.set_ca_file(&Path::new("test/cert.pem")) {
|
||||||
Ok(_) => {}
|
Ok(_) => {}
|
||||||
|
|
@ -234,7 +233,7 @@ run_test!(verify_trusted_callback_override_ok, |method, stream| {
|
||||||
|
|
||||||
run_test!(verify_trusted_callback_override_bad, |method, stream| {
|
run_test!(verify_trusted_callback_override_bad, |method, stream| {
|
||||||
let mut ctx = SslContext::builder(method).unwrap();
|
let mut ctx = SslContext::builder(method).unwrap();
|
||||||
ctx.set_verify_callback(SSL_VERIFY_PEER, |_, _| false);
|
ctx.set_verify_callback(SslVerifyMode::PEER, |_, _| false);
|
||||||
|
|
||||||
match ctx.set_ca_file(&Path::new("test/cert.pem")) {
|
match ctx.set_ca_file(&Path::new("test/cert.pem")) {
|
||||||
Ok(_) => {}
|
Ok(_) => {}
|
||||||
|
|
@ -245,7 +244,7 @@ run_test!(verify_trusted_callback_override_bad, |method, stream| {
|
||||||
|
|
||||||
run_test!(verify_callback_load_certs, |method, stream| {
|
run_test!(verify_callback_load_certs, |method, stream| {
|
||||||
let mut ctx = SslContext::builder(method).unwrap();
|
let mut ctx = SslContext::builder(method).unwrap();
|
||||||
ctx.set_verify_callback(SSL_VERIFY_PEER, |_, x509_ctx| {
|
ctx.set_verify_callback(SslVerifyMode::PEER, |_, x509_ctx| {
|
||||||
assert!(x509_ctx.current_cert().is_some());
|
assert!(x509_ctx.current_cert().is_some());
|
||||||
true
|
true
|
||||||
});
|
});
|
||||||
|
|
@ -255,7 +254,7 @@ run_test!(verify_callback_load_certs, |method, stream| {
|
||||||
|
|
||||||
run_test!(verify_trusted_get_error_ok, |method, stream| {
|
run_test!(verify_trusted_get_error_ok, |method, stream| {
|
||||||
let mut ctx = SslContext::builder(method).unwrap();
|
let mut ctx = SslContext::builder(method).unwrap();
|
||||||
ctx.set_verify_callback(SSL_VERIFY_PEER, |_, x509_ctx| {
|
ctx.set_verify_callback(SslVerifyMode::PEER, |_, x509_ctx| {
|
||||||
assert!(x509_ctx.error().is_none());
|
assert!(x509_ctx.error().is_none());
|
||||||
true
|
true
|
||||||
});
|
});
|
||||||
|
|
@ -269,7 +268,7 @@ run_test!(verify_trusted_get_error_ok, |method, stream| {
|
||||||
|
|
||||||
run_test!(verify_trusted_get_error_err, |method, stream| {
|
run_test!(verify_trusted_get_error_err, |method, stream| {
|
||||||
let mut ctx = SslContext::builder(method).unwrap();
|
let mut ctx = SslContext::builder(method).unwrap();
|
||||||
ctx.set_verify_callback(SSL_VERIFY_PEER, |_, x509_ctx| {
|
ctx.set_verify_callback(SslVerifyMode::PEER, |_, x509_ctx| {
|
||||||
assert!(x509_ctx.error().is_some());
|
assert!(x509_ctx.error().is_some());
|
||||||
false
|
false
|
||||||
});
|
});
|
||||||
|
|
@ -286,7 +285,7 @@ run_test!(verify_callback_data, |method, stream| {
|
||||||
// Please update if "test/cert.pem" will ever change
|
// Please update if "test/cert.pem" will ever change
|
||||||
let node_hash_str = "59172d9313e84459bcff27f967e79e6e9217e584";
|
let node_hash_str = "59172d9313e84459bcff27f967e79e6e9217e584";
|
||||||
let node_id = Vec::from_hex(node_hash_str).unwrap();
|
let node_id = Vec::from_hex(node_hash_str).unwrap();
|
||||||
ctx.set_verify_callback(SSL_VERIFY_PEER, move |_preverify_ok, x509_ctx| {
|
ctx.set_verify_callback(SslVerifyMode::PEER, move |_preverify_ok, x509_ctx| {
|
||||||
let cert = x509_ctx.current_cert();
|
let cert = x509_ctx.current_cert();
|
||||||
match cert {
|
match cert {
|
||||||
None => false,
|
None => false,
|
||||||
|
|
@ -314,7 +313,7 @@ run_test!(ssl_verify_callback, |method, stream| {
|
||||||
|
|
||||||
let node_hash_str = "59172d9313e84459bcff27f967e79e6e9217e584";
|
let node_hash_str = "59172d9313e84459bcff27f967e79e6e9217e584";
|
||||||
let node_id = Vec::from_hex(node_hash_str).unwrap();
|
let node_id = Vec::from_hex(node_hash_str).unwrap();
|
||||||
ssl.set_verify_callback(SSL_VERIFY_PEER, move |_, x509| {
|
ssl.set_verify_callback(SslVerifyMode::PEER, move |_, x509| {
|
||||||
CHECKED.store(1, Ordering::SeqCst);
|
CHECKED.store(1, Ordering::SeqCst);
|
||||||
match x509.current_cert() {
|
match x509.current_cert() {
|
||||||
None => false,
|
None => false,
|
||||||
|
|
@ -349,10 +348,10 @@ fn test_write_hits_stream() {
|
||||||
});
|
});
|
||||||
|
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_verify(SSL_VERIFY_PEER);
|
ctx.set_verify(SslVerifyMode::PEER);
|
||||||
ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM)
|
ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM)
|
ctx.set_private_key_file(&Path::new("test/key.pem"), X509Filetype::PEM)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
let stream = listener.accept().unwrap().0;
|
let stream = listener.accept().unwrap().0;
|
||||||
let mut stream = Ssl::new(&ctx.build()).unwrap().accept(stream).unwrap();
|
let mut stream = Ssl::new(&ctx.build()).unwrap().accept(stream).unwrap();
|
||||||
|
|
@ -384,15 +383,15 @@ run_test!(get_ctx_options, |method, _| {
|
||||||
|
|
||||||
run_test!(set_ctx_options, |method, _| {
|
run_test!(set_ctx_options, |method, _| {
|
||||||
let mut ctx = SslContext::builder(method).unwrap();
|
let mut ctx = SslContext::builder(method).unwrap();
|
||||||
let opts = ctx.set_options(ssl::SSL_OP_NO_TICKET);
|
let opts = ctx.set_options(SslOptions::NO_TICKET);
|
||||||
assert!(opts.contains(ssl::SSL_OP_NO_TICKET));
|
assert!(opts.contains(SslOptions::NO_TICKET));
|
||||||
});
|
});
|
||||||
|
|
||||||
run_test!(clear_ctx_options, |method, _| {
|
run_test!(clear_ctx_options, |method, _| {
|
||||||
let mut ctx = SslContext::builder(method).unwrap();
|
let mut ctx = SslContext::builder(method).unwrap();
|
||||||
ctx.set_options(ssl::SSL_OP_ALL);
|
ctx.set_options(SslOptions::ALL);
|
||||||
let opts = ctx.clear_options(ssl::SSL_OP_ALL);
|
let opts = ctx.clear_options(SslOptions::ALL);
|
||||||
assert!(!opts.contains(ssl::SSL_OP_ALL));
|
assert!(!opts.contains(SslOptions::ALL));
|
||||||
});
|
});
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
|
|
@ -481,7 +480,7 @@ fn test_state() {
|
||||||
fn test_connect_with_unilateral_alpn() {
|
fn test_connect_with_unilateral_alpn() {
|
||||||
let (_s, stream) = Server::new();
|
let (_s, stream) = Server::new();
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_verify(SSL_VERIFY_PEER);
|
ctx.set_verify(SslVerifyMode::PEER);
|
||||||
ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
|
ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
|
||||||
match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
|
match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
|
||||||
Ok(_) => {}
|
Ok(_) => {}
|
||||||
|
|
@ -503,7 +502,7 @@ fn test_connect_with_unilateral_alpn() {
|
||||||
fn test_connect_with_unilateral_npn() {
|
fn test_connect_with_unilateral_npn() {
|
||||||
let (_s, stream) = Server::new();
|
let (_s, stream) = Server::new();
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_verify(SSL_VERIFY_PEER);
|
ctx.set_verify(SslVerifyMode::PEER);
|
||||||
ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
|
ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
|
||||||
match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
|
match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
|
||||||
Ok(_) => {}
|
Ok(_) => {}
|
||||||
|
|
@ -525,7 +524,7 @@ fn test_connect_with_unilateral_npn() {
|
||||||
fn test_connect_with_alpn_successful_multiple_matching() {
|
fn test_connect_with_alpn_successful_multiple_matching() {
|
||||||
let (_s, stream) = Server::new_alpn();
|
let (_s, stream) = Server::new_alpn();
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_verify(SSL_VERIFY_PEER);
|
ctx.set_verify(SslVerifyMode::PEER);
|
||||||
ctx.set_alpn_protocols(&[b"spdy/3.1", b"http/1.1"]).unwrap();
|
ctx.set_alpn_protocols(&[b"spdy/3.1", b"http/1.1"]).unwrap();
|
||||||
match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
|
match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
|
||||||
Ok(_) => {}
|
Ok(_) => {}
|
||||||
|
|
@ -547,7 +546,7 @@ fn test_connect_with_alpn_successful_multiple_matching() {
|
||||||
fn test_connect_with_npn_successful_multiple_matching() {
|
fn test_connect_with_npn_successful_multiple_matching() {
|
||||||
let (_s, stream) = Server::new_alpn();
|
let (_s, stream) = Server::new_alpn();
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_verify(SSL_VERIFY_PEER);
|
ctx.set_verify(SslVerifyMode::PEER);
|
||||||
ctx.set_npn_protocols(&[b"spdy/3.1", b"http/1.1"]).unwrap();
|
ctx.set_npn_protocols(&[b"spdy/3.1", b"http/1.1"]).unwrap();
|
||||||
match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
|
match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
|
||||||
Ok(_) => {}
|
Ok(_) => {}
|
||||||
|
|
@ -570,7 +569,7 @@ fn test_connect_with_npn_successful_multiple_matching() {
|
||||||
fn test_connect_with_alpn_successful_single_match() {
|
fn test_connect_with_alpn_successful_single_match() {
|
||||||
let (_s, stream) = Server::new_alpn();
|
let (_s, stream) = Server::new_alpn();
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_verify(SSL_VERIFY_PEER);
|
ctx.set_verify(SslVerifyMode::PEER);
|
||||||
ctx.set_alpn_protocols(&[b"spdy/3.1"]).unwrap();
|
ctx.set_alpn_protocols(&[b"spdy/3.1"]).unwrap();
|
||||||
match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
|
match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
|
||||||
Ok(_) => {}
|
Ok(_) => {}
|
||||||
|
|
@ -585,7 +584,6 @@ fn test_connect_with_alpn_successful_single_match() {
|
||||||
assert_eq!(b"spdy/3.1", stream.ssl().selected_alpn_protocol().unwrap());
|
assert_eq!(b"spdy/3.1", stream.ssl().selected_alpn_protocol().unwrap());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/// Tests that when both the client as well as the server use NPN and their
|
/// Tests that when both the client as well as the server use NPN and their
|
||||||
/// lists of supported protocols have an overlap -- with only ONE protocol
|
/// lists of supported protocols have an overlap -- with only ONE protocol
|
||||||
/// being valid for both.
|
/// being valid for both.
|
||||||
|
|
@ -594,7 +592,7 @@ fn test_connect_with_alpn_successful_single_match() {
|
||||||
fn test_connect_with_npn_successful_single_match() {
|
fn test_connect_with_npn_successful_single_match() {
|
||||||
let (_s, stream) = Server::new_alpn();
|
let (_s, stream) = Server::new_alpn();
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_verify(SSL_VERIFY_PEER);
|
ctx.set_verify(SslVerifyMode::PEER);
|
||||||
ctx.set_npn_protocols(&[b"spdy/3.1"]).unwrap();
|
ctx.set_npn_protocols(&[b"spdy/3.1"]).unwrap();
|
||||||
match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
|
match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
|
||||||
Ok(_) => {}
|
Ok(_) => {}
|
||||||
|
|
@ -619,13 +617,13 @@ fn test_npn_server_advertise_multiple() {
|
||||||
// We create a different context instance for the server...
|
// We create a different context instance for the server...
|
||||||
let listener_ctx = {
|
let listener_ctx = {
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_verify(SSL_VERIFY_PEER);
|
ctx.set_verify(SslVerifyMode::PEER);
|
||||||
ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
|
ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
|
||||||
assert!(
|
assert!(
|
||||||
ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM)
|
ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM)
|
||||||
.is_ok()
|
.is_ok()
|
||||||
);
|
);
|
||||||
ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM)
|
ctx.set_private_key_file(&Path::new("test/key.pem"), X509Filetype::PEM)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
ctx.build()
|
ctx.build()
|
||||||
};
|
};
|
||||||
|
|
@ -636,7 +634,7 @@ fn test_npn_server_advertise_multiple() {
|
||||||
});
|
});
|
||||||
|
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_verify(SSL_VERIFY_PEER);
|
ctx.set_verify(SslVerifyMode::PEER);
|
||||||
ctx.set_npn_protocols(&[b"spdy/3.1"]).unwrap();
|
ctx.set_npn_protocols(&[b"spdy/3.1"]).unwrap();
|
||||||
match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
|
match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
|
||||||
Ok(_) => {}
|
Ok(_) => {}
|
||||||
|
|
@ -662,13 +660,13 @@ fn test_alpn_server_advertise_multiple() {
|
||||||
// We create a different context instance for the server...
|
// We create a different context instance for the server...
|
||||||
let listener_ctx = {
|
let listener_ctx = {
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_verify(SSL_VERIFY_PEER);
|
ctx.set_verify(SslVerifyMode::PEER);
|
||||||
ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
|
ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
|
||||||
assert!(
|
assert!(
|
||||||
ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM)
|
ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM)
|
||||||
.is_ok()
|
.is_ok()
|
||||||
);
|
);
|
||||||
ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM)
|
ctx.set_private_key_file(&Path::new("test/key.pem"), X509Filetype::PEM)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
ctx.build()
|
ctx.build()
|
||||||
};
|
};
|
||||||
|
|
@ -679,7 +677,7 @@ fn test_alpn_server_advertise_multiple() {
|
||||||
});
|
});
|
||||||
|
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_verify(SSL_VERIFY_PEER);
|
ctx.set_verify(SslVerifyMode::PEER);
|
||||||
ctx.set_alpn_protocols(&[b"spdy/3.1"]).unwrap();
|
ctx.set_alpn_protocols(&[b"spdy/3.1"]).unwrap();
|
||||||
match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
|
match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
|
||||||
Ok(_) => {}
|
Ok(_) => {}
|
||||||
|
|
@ -705,13 +703,13 @@ fn test_alpn_server_select_none() {
|
||||||
// We create a different context instance for the server...
|
// We create a different context instance for the server...
|
||||||
let listener_ctx = {
|
let listener_ctx = {
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_verify(SSL_VERIFY_PEER);
|
ctx.set_verify(SslVerifyMode::PEER);
|
||||||
ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
|
ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
|
||||||
assert!(
|
assert!(
|
||||||
ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM)
|
ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM)
|
||||||
.is_ok()
|
.is_ok()
|
||||||
);
|
);
|
||||||
ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM)
|
ctx.set_private_key_file(&Path::new("test/key.pem"), X509Filetype::PEM)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
ctx.build()
|
ctx.build()
|
||||||
};
|
};
|
||||||
|
|
@ -722,7 +720,7 @@ fn test_alpn_server_select_none() {
|
||||||
});
|
});
|
||||||
|
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_verify(SSL_VERIFY_PEER);
|
ctx.set_verify(SslVerifyMode::PEER);
|
||||||
ctx.set_alpn_protocols(&[b"http/2"]).unwrap();
|
ctx.set_alpn_protocols(&[b"http/2"]).unwrap();
|
||||||
ctx.set_ca_file(&Path::new("test/root-ca.pem")).unwrap();
|
ctx.set_ca_file(&Path::new("test/root-ca.pem")).unwrap();
|
||||||
// Now connect to the socket and make sure the protocol negotiation works...
|
// Now connect to the socket and make sure the protocol negotiation works...
|
||||||
|
|
@ -961,7 +959,7 @@ fn refcount_ssl_context() {
|
||||||
fn default_verify_paths() {
|
fn default_verify_paths() {
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_default_verify_paths().unwrap();
|
ctx.set_default_verify_paths().unwrap();
|
||||||
ctx.set_verify(SSL_VERIFY_PEER);
|
ctx.set_verify(SslVerifyMode::PEER);
|
||||||
let s = TcpStream::connect("google.com:443").unwrap();
|
let s = TcpStream::connect("google.com:443").unwrap();
|
||||||
let mut socket = Ssl::new(&ctx.build()).unwrap().connect(s).unwrap();
|
let mut socket = Ssl::new(&ctx.build()).unwrap().connect(s).unwrap();
|
||||||
|
|
||||||
|
|
@ -987,11 +985,11 @@ fn add_extra_chain_cert() {
|
||||||
fn verify_valid_hostname() {
|
fn verify_valid_hostname() {
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_default_verify_paths().unwrap();
|
ctx.set_default_verify_paths().unwrap();
|
||||||
ctx.set_verify(SSL_VERIFY_PEER);
|
ctx.set_verify(SslVerifyMode::PEER);
|
||||||
|
|
||||||
let mut ssl = Ssl::new(&ctx.build()).unwrap();
|
let mut ssl = Ssl::new(&ctx.build()).unwrap();
|
||||||
ssl.param_mut()
|
ssl.param_mut()
|
||||||
.set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
|
.set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS);
|
||||||
ssl.param_mut().set_host("google.com").unwrap();
|
ssl.param_mut().set_host("google.com").unwrap();
|
||||||
|
|
||||||
let s = TcpStream::connect("google.com:443").unwrap();
|
let s = TcpStream::connect("google.com:443").unwrap();
|
||||||
|
|
@ -1011,11 +1009,11 @@ fn verify_valid_hostname() {
|
||||||
fn verify_invalid_hostname() {
|
fn verify_invalid_hostname() {
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_default_verify_paths().unwrap();
|
ctx.set_default_verify_paths().unwrap();
|
||||||
ctx.set_verify(SSL_VERIFY_PEER);
|
ctx.set_verify(SslVerifyMode::PEER);
|
||||||
|
|
||||||
let mut ssl = Ssl::new(&ctx.build()).unwrap();
|
let mut ssl = Ssl::new(&ctx.build()).unwrap();
|
||||||
ssl.param_mut()
|
ssl.param_mut()
|
||||||
.set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
|
.set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS);
|
||||||
ssl.param_mut().set_host("foobar.com").unwrap();
|
ssl.param_mut().set_host("foobar.com").unwrap();
|
||||||
|
|
||||||
let s = TcpStream::connect("google.com:443").unwrap();
|
let s = TcpStream::connect("google.com:443").unwrap();
|
||||||
|
|
@ -1081,7 +1079,7 @@ fn connector_no_hostname_can_disable_verify() {
|
||||||
let (_s, tcp) = Server::new();
|
let (_s, tcp) = Server::new();
|
||||||
|
|
||||||
let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap();
|
let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap();
|
||||||
connector.set_verify(SSL_VERIFY_NONE);
|
connector.set_verify(SslVerifyMode::NONE);
|
||||||
let connector = connector.build();
|
let connector = connector.build();
|
||||||
|
|
||||||
connector
|
connector
|
||||||
|
|
@ -1164,9 +1162,9 @@ fn shutdown() {
|
||||||
thread::spawn(move || {
|
thread::spawn(move || {
|
||||||
let stream = listener.accept().unwrap().0;
|
let stream = listener.accept().unwrap().0;
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM)
|
ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM)
|
ctx.set_private_key_file(&Path::new("test/key.pem"), X509Filetype::PEM)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
let ssl = Ssl::new(&ctx.build()).unwrap();
|
let ssl = Ssl::new(&ctx.build()).unwrap();
|
||||||
let mut stream = ssl.accept(stream).unwrap();
|
let mut stream = ssl.accept(stream).unwrap();
|
||||||
|
|
@ -1222,9 +1220,9 @@ fn tmp_dh_callback() {
|
||||||
thread::spawn(move || {
|
thread::spawn(move || {
|
||||||
let stream = listener.accept().unwrap().0;
|
let stream = listener.accept().unwrap().0;
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM)
|
ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM)
|
ctx.set_private_key_file(&Path::new("test/key.pem"), X509Filetype::PEM)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
ctx.set_tmp_dh_callback(|_, _, _| {
|
ctx.set_tmp_dh_callback(|_, _, _| {
|
||||||
CALLED_BACK.store(true, Ordering::SeqCst);
|
CALLED_BACK.store(true, Ordering::SeqCst);
|
||||||
|
|
@ -1249,7 +1247,7 @@ fn tmp_dh_callback() {
|
||||||
all(feature = "v102", ossl102)))]
|
all(feature = "v102", ossl102)))]
|
||||||
fn tmp_ecdh_callback() {
|
fn tmp_ecdh_callback() {
|
||||||
use ec::EcKey;
|
use ec::EcKey;
|
||||||
use nid;
|
use nid::Nid;
|
||||||
|
|
||||||
static CALLED_BACK: AtomicBool = ATOMIC_BOOL_INIT;
|
static CALLED_BACK: AtomicBool = ATOMIC_BOOL_INIT;
|
||||||
|
|
||||||
|
|
@ -1259,13 +1257,13 @@ fn tmp_ecdh_callback() {
|
||||||
thread::spawn(move || {
|
thread::spawn(move || {
|
||||||
let stream = listener.accept().unwrap().0;
|
let stream = listener.accept().unwrap().0;
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM)
|
ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM)
|
ctx.set_private_key_file(&Path::new("test/key.pem"), X509Filetype::PEM)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
ctx.set_tmp_ecdh_callback(|_, _, _| {
|
ctx.set_tmp_ecdh_callback(|_, _, _| {
|
||||||
CALLED_BACK.store(true, Ordering::SeqCst);
|
CALLED_BACK.store(true, Ordering::SeqCst);
|
||||||
EcKey::new_by_curve_name(nid::X9_62_PRIME256V1)
|
EcKey::new_by_curve_name(Nid::X9_62_PRIME256V1)
|
||||||
});
|
});
|
||||||
let ssl = Ssl::new(&ctx.build()).unwrap();
|
let ssl = Ssl::new(&ctx.build()).unwrap();
|
||||||
ssl.accept(stream).unwrap();
|
ssl.accept(stream).unwrap();
|
||||||
|
|
@ -1290,9 +1288,9 @@ fn tmp_dh_callback_ssl() {
|
||||||
thread::spawn(move || {
|
thread::spawn(move || {
|
||||||
let stream = listener.accept().unwrap().0;
|
let stream = listener.accept().unwrap().0;
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM)
|
ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM)
|
ctx.set_private_key_file(&Path::new("test/key.pem"), X509Filetype::PEM)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
let mut ssl = Ssl::new(&ctx.build()).unwrap();
|
let mut ssl = Ssl::new(&ctx.build()).unwrap();
|
||||||
ssl.set_tmp_dh_callback(|_, _, _| {
|
ssl.set_tmp_dh_callback(|_, _, _| {
|
||||||
|
|
@ -1317,7 +1315,7 @@ fn tmp_dh_callback_ssl() {
|
||||||
all(feature = "v102", ossl102)))]
|
all(feature = "v102", ossl102)))]
|
||||||
fn tmp_ecdh_callback_ssl() {
|
fn tmp_ecdh_callback_ssl() {
|
||||||
use ec::EcKey;
|
use ec::EcKey;
|
||||||
use nid;
|
use nid::Nid;
|
||||||
|
|
||||||
static CALLED_BACK: AtomicBool = ATOMIC_BOOL_INIT;
|
static CALLED_BACK: AtomicBool = ATOMIC_BOOL_INIT;
|
||||||
|
|
||||||
|
|
@ -1327,14 +1325,14 @@ fn tmp_ecdh_callback_ssl() {
|
||||||
thread::spawn(move || {
|
thread::spawn(move || {
|
||||||
let stream = listener.accept().unwrap().0;
|
let stream = listener.accept().unwrap().0;
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM)
|
ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM)
|
ctx.set_private_key_file(&Path::new("test/key.pem"), X509Filetype::PEM)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
let mut ssl = Ssl::new(&ctx.build()).unwrap();
|
let mut ssl = Ssl::new(&ctx.build()).unwrap();
|
||||||
ssl.set_tmp_ecdh_callback(|_, _, _| {
|
ssl.set_tmp_ecdh_callback(|_, _, _| {
|
||||||
CALLED_BACK.store(true, Ordering::SeqCst);
|
CALLED_BACK.store(true, Ordering::SeqCst);
|
||||||
EcKey::new_by_curve_name(nid::X9_62_PRIME256V1)
|
EcKey::new_by_curve_name(Nid::X9_62_PRIME256V1)
|
||||||
});
|
});
|
||||||
ssl.accept(stream).unwrap();
|
ssl.accept(stream).unwrap();
|
||||||
});
|
});
|
||||||
|
|
@ -1382,13 +1380,13 @@ fn status_callbacks() {
|
||||||
let guard = thread::spawn(move || {
|
let guard = thread::spawn(move || {
|
||||||
let stream = listener.accept().unwrap().0;
|
let stream = listener.accept().unwrap().0;
|
||||||
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
|
||||||
ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM)
|
ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM)
|
ctx.set_private_key_file(&Path::new("test/key.pem"), X509Filetype::PEM)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
ctx.set_status_callback(|ssl| {
|
ctx.set_status_callback(|ssl| {
|
||||||
CALLED_BACK_SERVER.store(true, Ordering::SeqCst);
|
CALLED_BACK_SERVER.store(true, Ordering::SeqCst);
|
||||||
let response = OcspResponse::create(RESPONSE_STATUS_UNAUTHORIZED, None).unwrap();
|
let response = OcspResponse::create(OcspResponseStatus::UNAUTHORIZED, None).unwrap();
|
||||||
let response = response.to_der().unwrap();
|
let response = response.to_der().unwrap();
|
||||||
ssl.set_ocsp_status(&response).unwrap();
|
ssl.set_ocsp_status(&response).unwrap();
|
||||||
Ok(true)
|
Ok(true)
|
||||||
|
|
@ -1402,11 +1400,11 @@ fn status_callbacks() {
|
||||||
ctx.set_status_callback(|ssl| {
|
ctx.set_status_callback(|ssl| {
|
||||||
CALLED_BACK_CLIENT.store(true, Ordering::SeqCst);
|
CALLED_BACK_CLIENT.store(true, Ordering::SeqCst);
|
||||||
let response = OcspResponse::from_der(ssl.ocsp_status().unwrap()).unwrap();
|
let response = OcspResponse::from_der(ssl.ocsp_status().unwrap()).unwrap();
|
||||||
assert_eq!(response.status(), RESPONSE_STATUS_UNAUTHORIZED);
|
assert_eq!(response.status(), OcspResponseStatus::UNAUTHORIZED);
|
||||||
Ok(true)
|
Ok(true)
|
||||||
}).unwrap();
|
}).unwrap();
|
||||||
let mut ssl = Ssl::new(&ctx.build()).unwrap();
|
let mut ssl = Ssl::new(&ctx.build()).unwrap();
|
||||||
ssl.set_status_type(STATUS_TYPE_OCSP).unwrap();
|
ssl.set_status_type(StatusType::OCSP).unwrap();
|
||||||
ssl.connect(stream).unwrap();
|
ssl.connect(stream).unwrap();
|
||||||
|
|
||||||
assert!(CALLED_BACK_SERVER.load(Ordering::SeqCst));
|
assert!(CALLED_BACK_SERVER.load(Ordering::SeqCst));
|
||||||
|
|
|
||||||
|
|
@ -8,15 +8,15 @@ use error::ErrorStack;
|
||||||
|
|
||||||
bitflags! {
|
bitflags! {
|
||||||
pub struct X509CheckFlags: c_uint {
|
pub struct X509CheckFlags: c_uint {
|
||||||
const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT;
|
const ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT;
|
||||||
const X509_CHECK_FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS;
|
const FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS;
|
||||||
const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
|
const NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
|
||||||
const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS;
|
const MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS;
|
||||||
const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
|
const SINGLE_LABEL_SUBDOMAINS
|
||||||
= ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS;
|
= ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS;
|
||||||
/// Requires the `v110` feature and OpenSSL 1.1.0.
|
/// Requires the `v110` feature and OpenSSL 1.1.0.
|
||||||
#[cfg(all(feature = "v110", ossl110))]
|
#[cfg(all(feature = "v110", ossl110))]
|
||||||
const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
|
const NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,8 +1,8 @@
|
||||||
use std::fmt::{self, Write};
|
use std::fmt::{self, Write};
|
||||||
|
|
||||||
use error::ErrorStack;
|
use error::ErrorStack;
|
||||||
use nid::{self, Nid};
|
use nid::Nid;
|
||||||
use x509::{X509v3Context, X509Extension};
|
use x509::{X509Extension, X509v3Context};
|
||||||
|
|
||||||
/// Type-only version of the `Extension` enum.
|
/// Type-only version of the `Extension` enum.
|
||||||
///
|
///
|
||||||
|
|
@ -40,10 +40,10 @@ pub enum Extension {
|
||||||
///
|
///
|
||||||
/// ```
|
/// ```
|
||||||
/// use openssl::x509::extension::Extension::*;
|
/// use openssl::x509::extension::Extension::*;
|
||||||
/// use openssl::nid;
|
/// use openssl::nid::Nid;
|
||||||
///
|
///
|
||||||
/// # let generator = openssl::x509::X509Generator::new();
|
/// # let generator = openssl::x509::X509Generator::new();
|
||||||
/// generator.add_extension(OtherNid(nid::BASIC_CONSTRAINTS,"critical,CA:TRUE".to_owned()));
|
/// generator.add_extension(OtherNid(Nid::BASIC_CONSTRAINTS,"critical,CA:TRUE".to_owned()));
|
||||||
/// ```
|
/// ```
|
||||||
OtherNid(Nid, String),
|
OtherNid(Nid, String),
|
||||||
/// Arbitrary extensions by OID string. See `man ASN1_generate_nconf` for value syntax.
|
/// Arbitrary extensions by OID string. See `man ASN1_generate_nconf` for value syntax.
|
||||||
|
|
@ -77,10 +77,10 @@ impl ExtensionType {
|
||||||
#[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")]
|
#[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")]
|
||||||
pub fn get_nid(&self) -> Option<Nid> {
|
pub fn get_nid(&self) -> Option<Nid> {
|
||||||
match self {
|
match self {
|
||||||
&ExtensionType::KeyUsage => Some(nid::KEY_USAGE),
|
&ExtensionType::KeyUsage => Some(Nid::KEY_USAGE),
|
||||||
&ExtensionType::ExtKeyUsage => Some(nid::EXT_KEY_USAGE),
|
&ExtensionType::ExtKeyUsage => Some(Nid::EXT_KEY_USAGE),
|
||||||
&ExtensionType::SubjectAltName => Some(nid::SUBJECT_ALT_NAME),
|
&ExtensionType::SubjectAltName => Some(Nid::SUBJECT_ALT_NAME),
|
||||||
&ExtensionType::IssuerAltName => Some(nid::ISSUER_ALT_NAME),
|
&ExtensionType::IssuerAltName => Some(Nid::ISSUER_ALT_NAME),
|
||||||
&ExtensionType::OtherNid(nid) => Some(nid),
|
&ExtensionType::OtherNid(nid) => Some(nid),
|
||||||
&ExtensionType::OtherStr(_) => None,
|
&ExtensionType::OtherStr(_) => None,
|
||||||
}
|
}
|
||||||
|
|
@ -112,22 +112,18 @@ impl ToString for Extension {
|
||||||
match self {
|
match self {
|
||||||
&Extension::KeyUsage(ref purposes) => join(purposes.iter(), ","),
|
&Extension::KeyUsage(ref purposes) => join(purposes.iter(), ","),
|
||||||
&Extension::ExtKeyUsage(ref purposes) => join(purposes.iter(), ","),
|
&Extension::ExtKeyUsage(ref purposes) => join(purposes.iter(), ","),
|
||||||
&Extension::SubjectAltName(ref names) => {
|
&Extension::SubjectAltName(ref names) => join(
|
||||||
join(
|
names
|
||||||
names.iter().map(|&(ref opt, ref val)| {
|
.iter()
|
||||||
opt.to_string() + ":" + &val
|
.map(|&(ref opt, ref val)| opt.to_string() + ":" + &val),
|
||||||
}),
|
|
||||||
",",
|
",",
|
||||||
)
|
),
|
||||||
}
|
&Extension::IssuerAltName(ref names) => join(
|
||||||
&Extension::IssuerAltName(ref names) => {
|
names
|
||||||
join(
|
.iter()
|
||||||
names.iter().map(|&(ref opt, ref val)| {
|
.map(|&(ref opt, ref val)| opt.to_string() + ":" + &val),
|
||||||
opt.to_string() + ":" + &val
|
|
||||||
}),
|
|
||||||
",",
|
",",
|
||||||
)
|
),
|
||||||
}
|
|
||||||
&Extension::OtherNid(_, ref value) => value.clone(),
|
&Extension::OtherNid(_, ref value) => value.clone(),
|
||||||
&Extension::OtherStr(_, ref value) => value.clone(),
|
&Extension::OtherStr(_, ref value) => value.clone(),
|
||||||
}
|
}
|
||||||
|
|
@ -282,7 +278,7 @@ impl BasicConstraints {
|
||||||
if let Some(pathlen) = self.pathlen {
|
if let Some(pathlen) = self.pathlen {
|
||||||
write!(value, ",pathlen:{}", pathlen).unwrap();
|
write!(value, ",pathlen:{}", pathlen).unwrap();
|
||||||
}
|
}
|
||||||
X509Extension::new_nid(None, None, nid::BASIC_CONSTRAINTS, &value)
|
X509Extension::new_nid(None, None, Nid::BASIC_CONSTRAINTS, &value)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -398,7 +394,7 @@ impl KeyUsage {
|
||||||
append(&mut value, &mut first, self.crl_sign, "cRLSign");
|
append(&mut value, &mut first, self.crl_sign, "cRLSign");
|
||||||
append(&mut value, &mut first, self.encipher_only, "encipherOnly");
|
append(&mut value, &mut first, self.encipher_only, "encipherOnly");
|
||||||
append(&mut value, &mut first, self.decipher_only, "decipherOnly");
|
append(&mut value, &mut first, self.decipher_only, "decipherOnly");
|
||||||
X509Extension::new_nid(None, None, nid::KEY_USAGE, &value)
|
X509Extension::new_nid(None, None, Nid::KEY_USAGE, &value)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -520,7 +516,7 @@ impl ExtendedKeyUsage {
|
||||||
for other in &self.other {
|
for other in &self.other {
|
||||||
append(&mut value, &mut first, true, other);
|
append(&mut value, &mut first, true, other);
|
||||||
}
|
}
|
||||||
X509Extension::new_nid(None, None, nid::EXT_KEY_USAGE, &value)
|
X509Extension::new_nid(None, None, Nid::EXT_KEY_USAGE, &value)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -543,7 +539,7 @@ impl SubjectKeyIdentifier {
|
||||||
let mut first = true;
|
let mut first = true;
|
||||||
append(&mut value, &mut first, self.critical, "critical");
|
append(&mut value, &mut first, self.critical, "critical");
|
||||||
append(&mut value, &mut first, true, "hash");
|
append(&mut value, &mut first, true, "hash");
|
||||||
X509Extension::new_nid(None, Some(ctx), nid::SUBJECT_KEY_IDENTIFIER, &value)
|
X509Extension::new_nid(None, Some(ctx), Nid::SUBJECT_KEY_IDENTIFIER, &value)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -591,7 +587,7 @@ impl AuthorityKeyIdentifier {
|
||||||
Some(false) => append(&mut value, &mut first, true, "issuer"),
|
Some(false) => append(&mut value, &mut first, true, "issuer"),
|
||||||
None => {}
|
None => {}
|
||||||
}
|
}
|
||||||
X509Extension::new_nid(None, Some(ctx), nid::AUTHORITY_KEY_IDENTIFIER, &value)
|
X509Extension::new_nid(None, Some(ctx), Nid::AUTHORITY_KEY_IDENTIFIER, &value)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -655,7 +651,7 @@ impl SubjectAlternativeName {
|
||||||
for name in &self.names {
|
for name in &self.names {
|
||||||
append(&mut value, &mut first, true, name);
|
append(&mut value, &mut first, true, name);
|
||||||
}
|
}
|
||||||
X509Extension::new_nid(None, Some(ctx), nid::SUBJECT_ALT_NAME, &value)
|
X509Extension::new_nid(None, Some(ctx), Nid::SUBJECT_ALT_NAME, &value)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -13,30 +13,30 @@ use std::ptr;
|
||||||
use std::slice;
|
use std::slice;
|
||||||
use std::str;
|
use std::str;
|
||||||
|
|
||||||
use {cvt, cvt_p, cvt_n};
|
use {cvt, cvt_n, cvt_p};
|
||||||
use asn1::{Asn1StringRef, Asn1Time, Asn1TimeRef, Asn1BitStringRef, Asn1IntegerRef, Asn1ObjectRef};
|
use asn1::{Asn1BitStringRef, Asn1IntegerRef, Asn1ObjectRef, Asn1StringRef, Asn1Time, Asn1TimeRef};
|
||||||
use bio::MemBioSlice;
|
use bio::MemBioSlice;
|
||||||
use bn::{BigNum, MSB_MAYBE_ZERO};
|
use bn::{BigNum, MsbOption};
|
||||||
use conf::ConfRef;
|
use conf::ConfRef;
|
||||||
use error::ErrorStack;
|
use error::ErrorStack;
|
||||||
use hash::MessageDigest;
|
use hash::MessageDigest;
|
||||||
use nid::{self, Nid};
|
use nid::Nid;
|
||||||
use pkey::{PKey, PKeyRef};
|
use pkey::{PKey, PKeyRef};
|
||||||
use stack::{Stack, StackRef, Stackable};
|
use stack::{Stack, StackRef, Stackable};
|
||||||
use string::OpensslString;
|
use string::OpensslString;
|
||||||
use ssl::SslRef;
|
use ssl::SslRef;
|
||||||
|
|
||||||
#[cfg(ossl10x)]
|
#[cfg(ossl10x)]
|
||||||
use ffi::{X509_set_notBefore, X509_set_notAfter, ASN1_STRING_data, X509_STORE_CTX_get_chain};
|
use ffi::{ASN1_STRING_data, X509_STORE_CTX_get_chain, X509_set_notAfter, X509_set_notBefore};
|
||||||
#[cfg(ossl110)]
|
#[cfg(ossl110)]
|
||||||
use ffi::{X509_set1_notBefore as X509_set_notBefore, X509_set1_notAfter as X509_set_notAfter,
|
use ffi::{ASN1_STRING_get0_data as ASN1_STRING_data,
|
||||||
ASN1_STRING_get0_data as ASN1_STRING_data,
|
X509_STORE_CTX_get0_chain as X509_STORE_CTX_get_chain,
|
||||||
X509_STORE_CTX_get0_chain as X509_STORE_CTX_get_chain};
|
X509_set1_notAfter as X509_set_notAfter, X509_set1_notBefore as X509_set_notBefore};
|
||||||
|
|
||||||
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
|
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
|
||||||
pub mod verify;
|
pub mod verify;
|
||||||
|
|
||||||
use x509::extension::{ExtensionType, Extension};
|
use x509::extension::{Extension, ExtensionType};
|
||||||
|
|
||||||
pub mod extension;
|
pub mod extension;
|
||||||
pub mod store;
|
pub mod store;
|
||||||
|
|
@ -44,17 +44,17 @@ pub mod store;
|
||||||
#[cfg(test)]
|
#[cfg(test)]
|
||||||
mod tests;
|
mod tests;
|
||||||
|
|
||||||
pub struct X509FileType(c_int);
|
pub struct X509Filetype(c_int);
|
||||||
|
|
||||||
impl X509FileType {
|
impl X509Filetype {
|
||||||
pub fn as_raw(&self) -> c_int {
|
pub fn as_raw(&self) -> c_int {
|
||||||
self.0
|
self.0
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
pub const X509_FILETYPE_PEM: X509FileType = X509FileType(ffi::X509_FILETYPE_PEM);
|
pub const PEM: X509Filetype = X509Filetype(ffi::X509_FILETYPE_PEM);
|
||||||
pub const X509_FILETYPE_ASN1: X509FileType = X509FileType(ffi::X509_FILETYPE_ASN1);
|
pub const ASN1: X509Filetype = X509Filetype(ffi::X509_FILETYPE_ASN1);
|
||||||
pub const X509_FILETYPE_DEFAULT: X509FileType = X509FileType(ffi::X509_FILETYPE_DEFAULT);
|
pub const DEFAULT: X509Filetype = X509Filetype(ffi::X509_FILETYPE_DEFAULT);
|
||||||
|
}
|
||||||
|
|
||||||
foreign_type_and_impl_send_sync! {
|
foreign_type_and_impl_send_sync! {
|
||||||
type CType = ffi::X509_STORE_CTX;
|
type CType = ffi::X509_STORE_CTX;
|
||||||
|
|
@ -224,7 +224,7 @@ impl X509Generator {
|
||||||
builder.set_version(2)?;
|
builder.set_version(2)?;
|
||||||
|
|
||||||
let mut serial = BigNum::new()?;
|
let mut serial = BigNum::new()?;
|
||||||
serial.rand(128, MSB_MAYBE_ZERO, false)?;
|
serial.rand(128, MsbOption::MAYBE_ZERO, false)?;
|
||||||
let serial = serial.to_asn1_integer()?;
|
let serial = serial.to_asn1_integer()?;
|
||||||
builder.set_serial_number(&serial)?;
|
builder.set_serial_number(&serial)?;
|
||||||
|
|
||||||
|
|
@ -237,7 +237,7 @@ impl X509Generator {
|
||||||
|
|
||||||
let mut name = X509Name::builder()?;
|
let mut name = X509Name::builder()?;
|
||||||
if self.names.is_empty() {
|
if self.names.is_empty() {
|
||||||
name.append_entry_by_nid(nid::COMMONNAME, "rust-openssl")?;
|
name.append_entry_by_nid(Nid::COMMONNAME, "rust-openssl")?;
|
||||||
} else {
|
} else {
|
||||||
for &(ref key, ref value) in &self.names {
|
for &(ref key, ref value) in &self.names {
|
||||||
name.append_entry_by_text(key, value)?;
|
name.append_entry_by_text(key, value)?;
|
||||||
|
|
@ -252,12 +252,7 @@ impl X509Generator {
|
||||||
let extension = match exttype.get_nid() {
|
let extension = match exttype.get_nid() {
|
||||||
Some(nid) => {
|
Some(nid) => {
|
||||||
let ctx = builder.x509v3_context(None, None);
|
let ctx = builder.x509v3_context(None, None);
|
||||||
X509Extension::new_nid(
|
X509Extension::new_nid(None, Some(&ctx), nid, &ext.to_string())?
|
||||||
None,
|
|
||||||
Some(&ctx),
|
|
||||||
nid,
|
|
||||||
&ext.to_string(),
|
|
||||||
)?
|
|
||||||
}
|
}
|
||||||
None => {
|
None => {
|
||||||
let ctx = builder.x509v3_context(None, None);
|
let ctx = builder.x509v3_context(None, None);
|
||||||
|
|
@ -294,15 +289,11 @@ impl X509Generator {
|
||||||
|
|
||||||
let exts = compat::X509_get0_extensions(cert.as_ptr());
|
let exts = compat::X509_get0_extensions(cert.as_ptr());
|
||||||
if exts != ptr::null_mut() {
|
if exts != ptr::null_mut() {
|
||||||
cvt(
|
cvt(ffi::X509_REQ_add_extensions(req.as_ptr(), exts as *mut _))?;
|
||||||
ffi::X509_REQ_add_extensions(req.as_ptr(), exts as *mut _),
|
|
||||||
)?;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
let hash_fn = self.hash_type.as_ptr();
|
let hash_fn = self.hash_type.as_ptr();
|
||||||
cvt(
|
cvt(ffi::X509_REQ_sign(req.as_ptr(), p_key.as_ptr(), hash_fn))?;
|
||||||
ffi::X509_REQ_sign(req.as_ptr(), p_key.as_ptr(), hash_fn),
|
|
||||||
)?;
|
|
||||||
|
|
||||||
Ok(req)
|
Ok(req)
|
||||||
}
|
}
|
||||||
|
|
@ -428,9 +419,7 @@ impl X509Builder {
|
||||||
/// Adds an X509 extension value to the certificate.
|
/// Adds an X509 extension value to the certificate.
|
||||||
pub fn append_extension(&mut self, extension: X509Extension) -> Result<(), ErrorStack> {
|
pub fn append_extension(&mut self, extension: X509Extension) -> Result<(), ErrorStack> {
|
||||||
unsafe {
|
unsafe {
|
||||||
cvt(
|
cvt(ffi::X509_add_ext(self.0.as_ptr(), extension.as_ptr(), -1))?;
|
||||||
ffi::X509_add_ext(self.0.as_ptr(), extension.as_ptr(), -1),
|
|
||||||
)?;
|
|
||||||
mem::forget(extension);
|
mem::forget(extension);
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
@ -595,8 +584,8 @@ impl X509 {
|
||||||
ffi::PEM_read_bio_X509(bio.as_ptr(), ptr::null_mut(), None, ptr::null_mut());
|
ffi::PEM_read_bio_X509(bio.as_ptr(), ptr::null_mut(), None, ptr::null_mut());
|
||||||
if r.is_null() {
|
if r.is_null() {
|
||||||
let err = ffi::ERR_peek_last_error();
|
let err = ffi::ERR_peek_last_error();
|
||||||
if ffi::ERR_GET_LIB(err) == ffi::ERR_LIB_PEM &&
|
if ffi::ERR_GET_LIB(err) == ffi::ERR_LIB_PEM
|
||||||
ffi::ERR_GET_REASON(err) == ffi::PEM_R_NO_START_LINE
|
&& ffi::ERR_GET_REASON(err) == ffi::PEM_R_NO_START_LINE
|
||||||
{
|
{
|
||||||
ffi::ERR_clear_error();
|
ffi::ERR_clear_error();
|
||||||
break;
|
break;
|
||||||
|
|
@ -837,7 +826,6 @@ impl X509ReqBuilder {
|
||||||
ffi::init();
|
ffi::init();
|
||||||
cvt_p(ffi::X509_REQ_new()).map(|p| X509ReqBuilder(X509Req(p)))
|
cvt_p(ffi::X509_REQ_new()).map(|p| X509ReqBuilder(X509Req(p)))
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn set_version(&mut self, version: i32) -> Result<(), ErrorStack> {
|
pub fn set_version(&mut self, version: i32) -> Result<(), ErrorStack> {
|
||||||
|
|
|
||||||
|
|
@ -1,21 +1,20 @@
|
||||||
use hex::{FromHex, ToHex};
|
use hex::{FromHex, ToHex};
|
||||||
|
|
||||||
use asn1::Asn1Time;
|
use asn1::Asn1Time;
|
||||||
use bn::{BigNum, MSB_MAYBE_ZERO};
|
use bn::{BigNum, MsbOption};
|
||||||
use ec::{NAMED_CURVE, EcGroup, EcKey};
|
use ec::{Asn1Flag, EcGroup, EcKey};
|
||||||
use hash::MessageDigest;
|
use hash::MessageDigest;
|
||||||
use nid::X9_62_PRIME256V1;
|
use nid::Nid;
|
||||||
use pkey::PKey;
|
use pkey::PKey;
|
||||||
use rsa::Rsa;
|
use rsa::Rsa;
|
||||||
use stack::Stack;
|
use stack::Stack;
|
||||||
use x509::{X509, X509Generator, X509Name, X509Req};
|
use x509::{X509, X509Generator, X509Name, X509Req};
|
||||||
use x509::extension::{Extension, BasicConstraints, KeyUsage, ExtendedKeyUsage,
|
use x509::extension::{AuthorityKeyIdentifier, BasicConstraints, ExtendedKeyUsage, Extension,
|
||||||
SubjectKeyIdentifier, AuthorityKeyIdentifier, SubjectAlternativeName};
|
KeyUsage, SubjectAlternativeName, SubjectKeyIdentifier};
|
||||||
use ssl::{SslMethod, SslContextBuilder};
|
use ssl::{SslContextBuilder, SslMethod};
|
||||||
use x509::extension::AltNameOption as SAN;
|
use x509::extension::AltNameOption as SAN;
|
||||||
use x509::extension::KeyUsageOption::{DigitalSignature, KeyEncipherment};
|
use x509::extension::KeyUsageOption::{DigitalSignature, KeyEncipherment};
|
||||||
use x509::extension::ExtKeyUsageOption::{self, ClientAuth, ServerAuth};
|
use x509::extension::ExtKeyUsageOption::{self, ClientAuth, ServerAuth};
|
||||||
use nid;
|
|
||||||
|
|
||||||
fn get_generator() -> X509Generator {
|
fn get_generator() -> X509Generator {
|
||||||
X509Generator::new()
|
X509Generator::new()
|
||||||
|
|
@ -28,11 +27,11 @@ fn get_generator() -> X509Generator {
|
||||||
ServerAuth,
|
ServerAuth,
|
||||||
ExtKeyUsageOption::Other("2.999.1".to_owned()),
|
ExtKeyUsageOption::Other("2.999.1".to_owned()),
|
||||||
]))
|
]))
|
||||||
.add_extension(Extension::SubjectAltName(
|
.add_extension(Extension::SubjectAltName(vec![
|
||||||
vec![(SAN::DNS, "example.com".to_owned())],
|
(SAN::DNS, "example.com".to_owned()),
|
||||||
))
|
]))
|
||||||
.add_extension(Extension::OtherNid(
|
.add_extension(Extension::OtherNid(
|
||||||
nid::BASIC_CONSTRAINTS,
|
Nid::BASIC_CONSTRAINTS,
|
||||||
"critical,CA:TRUE".to_owned(),
|
"critical,CA:TRUE".to_owned(),
|
||||||
))
|
))
|
||||||
.add_extension(Extension::OtherStr(
|
.add_extension(Extension::OtherStr(
|
||||||
|
|
@ -68,11 +67,11 @@ fn test_cert_gen_extension_ordering() {
|
||||||
let pkey = pkey();
|
let pkey = pkey();
|
||||||
get_generator()
|
get_generator()
|
||||||
.add_extension(Extension::OtherNid(
|
.add_extension(Extension::OtherNid(
|
||||||
nid::SUBJECT_KEY_IDENTIFIER,
|
Nid::SUBJECT_KEY_IDENTIFIER,
|
||||||
"hash".to_owned(),
|
"hash".to_owned(),
|
||||||
))
|
))
|
||||||
.add_extension(Extension::OtherNid(
|
.add_extension(Extension::OtherNid(
|
||||||
nid::AUTHORITY_KEY_IDENTIFIER,
|
Nid::AUTHORITY_KEY_IDENTIFIER,
|
||||||
"keyid:always".to_owned(),
|
"keyid:always".to_owned(),
|
||||||
))
|
))
|
||||||
.sign(&pkey)
|
.sign(&pkey)
|
||||||
|
|
@ -86,11 +85,11 @@ fn test_cert_gen_extension_bad_ordering() {
|
||||||
let pkey = pkey();
|
let pkey = pkey();
|
||||||
let result = get_generator()
|
let result = get_generator()
|
||||||
.add_extension(Extension::OtherNid(
|
.add_extension(Extension::OtherNid(
|
||||||
nid::AUTHORITY_KEY_IDENTIFIER,
|
Nid::AUTHORITY_KEY_IDENTIFIER,
|
||||||
"keyid:always".to_owned(),
|
"keyid:always".to_owned(),
|
||||||
))
|
))
|
||||||
.add_extension(Extension::OtherNid(
|
.add_extension(Extension::OtherNid(
|
||||||
nid::SUBJECT_KEY_IDENTIFIER,
|
Nid::SUBJECT_KEY_IDENTIFIER,
|
||||||
"hash".to_owned(),
|
"hash".to_owned(),
|
||||||
))
|
))
|
||||||
.sign(&pkey);
|
.sign(&pkey);
|
||||||
|
|
@ -108,7 +107,7 @@ fn test_req_gen() {
|
||||||
let req = X509Req::from_pem(&reqpem).ok().expect("Failed to load PEM");
|
let req = X509Req::from_pem(&reqpem).ok().expect("Failed to load PEM");
|
||||||
let cn = (*req)
|
let cn = (*req)
|
||||||
.subject_name()
|
.subject_name()
|
||||||
.entries_by_nid(nid::COMMONNAME)
|
.entries_by_nid(Nid::COMMONNAME)
|
||||||
.next()
|
.next()
|
||||||
.unwrap();
|
.unwrap();
|
||||||
assert_eq!(0, (*req).version());
|
assert_eq!(0, (*req).version());
|
||||||
|
|
@ -155,7 +154,7 @@ fn test_subject_read_cn() {
|
||||||
let cert = include_bytes!("../../test/cert.pem");
|
let cert = include_bytes!("../../test/cert.pem");
|
||||||
let cert = X509::from_pem(cert).unwrap();
|
let cert = X509::from_pem(cert).unwrap();
|
||||||
let subject = cert.subject_name();
|
let subject = cert.subject_name();
|
||||||
let cn = subject.entries_by_nid(nid::COMMONNAME).next().unwrap();
|
let cn = subject.entries_by_nid(Nid::COMMONNAME).next().unwrap();
|
||||||
assert_eq!(cn.data().as_slice(), b"foobar.com")
|
assert_eq!(cn.data().as_slice(), b"foobar.com")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -165,16 +164,16 @@ fn test_nid_values() {
|
||||||
let cert = X509::from_pem(cert).unwrap();
|
let cert = X509::from_pem(cert).unwrap();
|
||||||
let subject = cert.subject_name();
|
let subject = cert.subject_name();
|
||||||
|
|
||||||
let cn = subject.entries_by_nid(nid::COMMONNAME).next().unwrap();
|
let cn = subject.entries_by_nid(Nid::COMMONNAME).next().unwrap();
|
||||||
assert_eq!(cn.data().as_slice(), b"example.com");
|
assert_eq!(cn.data().as_slice(), b"example.com");
|
||||||
|
|
||||||
let email = subject
|
let email = subject
|
||||||
.entries_by_nid(nid::PKCS9_EMAILADDRESS)
|
.entries_by_nid(Nid::PKCS9_EMAILADDRESS)
|
||||||
.next()
|
.next()
|
||||||
.unwrap();
|
.unwrap();
|
||||||
assert_eq!(email.data().as_slice(), b"test@example.com");
|
assert_eq!(email.data().as_slice(), b"test@example.com");
|
||||||
|
|
||||||
let friendly = subject.entries_by_nid(nid::FRIENDLYNAME).next().unwrap();
|
let friendly = subject.entries_by_nid(Nid::FRIENDLYNAME).next().unwrap();
|
||||||
assert_eq!(&**friendly.data().as_utf8().unwrap(), "Example");
|
assert_eq!(&**friendly.data().as_utf8().unwrap(), "Example");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -184,7 +183,7 @@ fn test_nid_uid_value() {
|
||||||
let cert = X509::from_pem(cert).unwrap();
|
let cert = X509::from_pem(cert).unwrap();
|
||||||
let subject = cert.subject_name();
|
let subject = cert.subject_name();
|
||||||
|
|
||||||
let cn = subject.entries_by_nid(nid::USERID).next().unwrap();
|
let cn = subject.entries_by_nid(Nid::USERID).next().unwrap();
|
||||||
assert_eq!(cn.data().as_slice(), b"this is the userId");
|
assert_eq!(cn.data().as_slice(), b"this is the userId");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -230,7 +229,7 @@ fn x509_builder() {
|
||||||
let pkey = pkey();
|
let pkey = pkey();
|
||||||
|
|
||||||
let mut name = X509Name::builder().unwrap();
|
let mut name = X509Name::builder().unwrap();
|
||||||
name.append_entry_by_nid(nid::COMMONNAME, "foobar.com")
|
name.append_entry_by_nid(Nid::COMMONNAME, "foobar.com")
|
||||||
.unwrap();
|
.unwrap();
|
||||||
let name = name.build();
|
let name = name.build();
|
||||||
|
|
||||||
|
|
@ -247,7 +246,7 @@ fn x509_builder() {
|
||||||
builder.set_pubkey(&pkey).unwrap();
|
builder.set_pubkey(&pkey).unwrap();
|
||||||
|
|
||||||
let mut serial = BigNum::new().unwrap();
|
let mut serial = BigNum::new().unwrap();
|
||||||
serial.rand(128, MSB_MAYBE_ZERO, false).unwrap();
|
serial.rand(128, MsbOption::MAYBE_ZERO, false).unwrap();
|
||||||
builder
|
builder
|
||||||
.set_serial_number(&serial.to_asn1_integer().unwrap())
|
.set_serial_number(&serial.to_asn1_integer().unwrap())
|
||||||
.unwrap();
|
.unwrap();
|
||||||
|
|
@ -289,7 +288,7 @@ fn x509_builder() {
|
||||||
assert!(pkey.public_eq(&x509.public_key().unwrap()));
|
assert!(pkey.public_eq(&x509.public_key().unwrap()));
|
||||||
|
|
||||||
let cn = x509.subject_name()
|
let cn = x509.subject_name()
|
||||||
.entries_by_nid(nid::COMMONNAME)
|
.entries_by_nid(Nid::COMMONNAME)
|
||||||
.next()
|
.next()
|
||||||
.unwrap();
|
.unwrap();
|
||||||
assert_eq!("foobar.com".as_bytes(), cn.data().as_slice());
|
assert_eq!("foobar.com".as_bytes(), cn.data().as_slice());
|
||||||
|
|
@ -300,7 +299,7 @@ fn x509_req_builder() {
|
||||||
let pkey = pkey();
|
let pkey = pkey();
|
||||||
|
|
||||||
let mut name = X509Name::builder().unwrap();
|
let mut name = X509Name::builder().unwrap();
|
||||||
name.append_entry_by_nid(nid::COMMONNAME, "foobar.com")
|
name.append_entry_by_nid(Nid::COMMONNAME, "foobar.com")
|
||||||
.unwrap();
|
.unwrap();
|
||||||
let name = name.build();
|
let name = name.build();
|
||||||
|
|
||||||
|
|
@ -361,8 +360,8 @@ fn issued() {
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn ecdsa_cert() {
|
fn ecdsa_cert() {
|
||||||
let mut group = EcGroup::from_curve_name(X9_62_PRIME256V1).unwrap();
|
let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
|
||||||
group.set_asn1_flag(NAMED_CURVE);
|
group.set_asn1_flag(Asn1Flag::NAMED_CURVE);
|
||||||
let key = EcKey::generate(&group).unwrap();
|
let key = EcKey::generate(&group).unwrap();
|
||||||
let key = PKey::from_ec_key(key).unwrap();
|
let key = PKey::from_ec_key(key).unwrap();
|
||||||
|
|
||||||
|
|
@ -395,7 +394,7 @@ fn signature() {
|
||||||
e121997410d37c"
|
e121997410d37c"
|
||||||
);
|
);
|
||||||
let algorithm = cert.signature_algorithm();
|
let algorithm = cert.signature_algorithm();
|
||||||
assert_eq!(algorithm.object().nid(), nid::SHA256WITHRSAENCRYPTION);
|
assert_eq!(algorithm.object().nid(), Nid::SHA256WITHRSAENCRYPTION);
|
||||||
assert_eq!(algorithm.object().to_string(), "sha256WithRSAEncryption");
|
assert_eq!(algorithm.object().to_string(), "sha256WithRSAEncryption");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue