Implement certificate extensions for certificate requests
This commit is contained in:
Jethro Beekman
parent
2e0ae7a8ca
commit
90dd54b541
|
|
@ -37,6 +37,7 @@ pub type X509_NAME = c_void;
|
||||||
pub type X509_NAME_ENTRY = c_void;
|
pub type X509_NAME_ENTRY = c_void;
|
||||||
pub type X509_REQ = c_void;
|
pub type X509_REQ = c_void;
|
||||||
pub type X509_STORE_CTX = c_void;
|
pub type X509_STORE_CTX = c_void;
|
||||||
|
pub type stack_st_X509_EXTENSION = c_void;
|
||||||
|
|
||||||
#[repr(C)]
|
#[repr(C)]
|
||||||
pub struct EVP_MD_CTX {
|
pub struct EVP_MD_CTX {
|
||||||
|
|
@ -629,6 +630,9 @@ extern "C" {
|
||||||
pub fn X509V3_EXT_conf(conf: *mut c_void, ctx: *mut X509V3_CTX, name: *mut c_char, value: *mut c_char) -> *mut X509_EXTENSION;
|
pub fn X509V3_EXT_conf(conf: *mut c_void, ctx: *mut X509V3_CTX, name: *mut c_char, value: *mut c_char) -> *mut X509_EXTENSION;
|
||||||
pub fn X509V3_set_ctx(ctx: *mut X509V3_CTX, issuer: *mut X509, subject: *mut X509, req: *mut X509_REQ, crl: *mut X509_CRL, flags: c_int);
|
pub fn X509V3_set_ctx(ctx: *mut X509V3_CTX, issuer: *mut X509, subject: *mut X509, req: *mut X509_REQ, crl: *mut X509_CRL, flags: c_int);
|
||||||
|
|
||||||
|
pub fn X509_REQ_add_extensions(req: *mut X509_REQ, exts: *mut stack_st_X509_EXTENSION) -> c_int;
|
||||||
|
pub fn X509_REQ_sign(x: *mut X509_REQ, pkey: *mut EVP_PKEY, md: *const EVP_MD) -> c_int;
|
||||||
|
|
||||||
pub fn i2d_RSA_PUBKEY(k: *mut RSA, buf: *const *mut u8) -> c_int;
|
pub fn i2d_RSA_PUBKEY(k: *mut RSA, buf: *const *mut u8) -> c_int;
|
||||||
pub fn d2i_RSA_PUBKEY(k: *const *mut RSA, buf: *const *const u8, len: c_uint) -> *mut RSA;
|
pub fn d2i_RSA_PUBKEY(k: *const *mut RSA, buf: *const *const u8, len: c_uint) -> *mut RSA;
|
||||||
pub fn i2d_RSAPrivateKey(k: *mut RSA, buf: *const *mut u8) -> c_int;
|
pub fn i2d_RSAPrivateKey(k: *mut RSA, buf: *const *mut u8) -> c_int;
|
||||||
|
|
@ -648,6 +652,8 @@ extern "C" {
|
||||||
pub fn SSL_CTX_set_read_ahead(ctx: *mut SSL_CTX, m: c_long) -> c_long;
|
pub fn SSL_CTX_set_read_ahead(ctx: *mut SSL_CTX, m: c_long) -> c_long;
|
||||||
#[link_name = "SSL_set_tlsext_host_name_shim"]
|
#[link_name = "SSL_set_tlsext_host_name_shim"]
|
||||||
pub fn SSL_set_tlsext_host_name(s: *mut SSL, name: *const c_char) -> c_long;
|
pub fn SSL_set_tlsext_host_name(s: *mut SSL, name: *const c_char) -> c_long;
|
||||||
|
#[link_name = "X509_get_extensions_shim"]
|
||||||
|
pub fn X509_get_extensions(x: *mut X509) -> *mut stack_st_X509_EXTENSION;
|
||||||
}
|
}
|
||||||
|
|
||||||
pub mod probe;
|
pub mod probe;
|
||||||
|
|
|
||||||
|
|
@ -82,3 +82,7 @@ long SSL_CTX_set_read_ahead_shim(SSL_CTX *ctx, long m) {
|
||||||
long SSL_set_tlsext_host_name_shim(SSL *s, char *name) {
|
long SSL_set_tlsext_host_name_shim(SSL *s, char *name) {
|
||||||
return SSL_set_tlsext_host_name(s, name);
|
return SSL_set_tlsext_host_name(s, name);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
STACK_OF(X509_EXTENSION) *X509_get_extensions_shim(X509 *x) {
|
||||||
|
return x->cert_info ? x->cert_info->extensions : NULL;
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -396,11 +396,20 @@ impl X509Generator {
|
||||||
Err(x) => return Err(x)
|
Err(x) => return Err(x)
|
||||||
};
|
};
|
||||||
|
|
||||||
let hash_fn = self.hash_type.evp_md();
|
unsafe {
|
||||||
let req = unsafe { ffi::X509_to_X509_REQ(cert.handle, p_key.get_handle(), hash_fn) };
|
let req = ffi::X509_to_X509_REQ(cert.handle, ptr::null_mut(), ptr::null());
|
||||||
try_ssl_null!(req);
|
try_ssl_null!(req);
|
||||||
|
|
||||||
Ok(X509Req::new(req))
|
let exts = ffi::X509_get_extensions(cert.handle);
|
||||||
|
if exts != ptr::null_mut() {
|
||||||
|
try_ssl!(ffi::X509_REQ_add_extensions(req,exts));
|
||||||
|
}
|
||||||
|
|
||||||
|
let hash_fn = self.hash_type.evp_md();
|
||||||
|
try_ssl!(ffi::X509_REQ_sign(req, p_key.get_handle(), hash_fn));
|
||||||
|
|
||||||
|
Ok(X509Req::new(req))
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,6 +4,7 @@ use std::path::Path;
|
||||||
use std::fs::File;
|
use std::fs::File;
|
||||||
|
|
||||||
use crypto::hash::Type::{SHA256};
|
use crypto::hash::Type::{SHA256};
|
||||||
|
use crypto::pkey::PKey;
|
||||||
use x509::{X509, X509Generator};
|
use x509::{X509, X509Generator};
|
||||||
use x509::extension::Extension::{KeyUsage,ExtKeyUsage,SubjectAltName,OtherNid,OtherStr};
|
use x509::extension::Extension::{KeyUsage,ExtKeyUsage,SubjectAltName,OtherNid,OtherStr};
|
||||||
use x509::extension::AltNameOption as SAN;
|
use x509::extension::AltNameOption as SAN;
|
||||||
|
|
@ -11,9 +12,8 @@ use x509::extension::KeyUsageOption::{DigitalSignature, KeyEncipherment};
|
||||||
use x509::extension::ExtKeyUsageOption::{self, ClientAuth, ServerAuth};
|
use x509::extension::ExtKeyUsageOption::{self, ClientAuth, ServerAuth};
|
||||||
use nid::Nid;
|
use nid::Nid;
|
||||||
|
|
||||||
#[test]
|
fn get_generator() -> X509Generator {
|
||||||
fn test_cert_gen() {
|
X509Generator::new()
|
||||||
let gen = X509Generator::new()
|
|
||||||
.set_bitlength(2048)
|
.set_bitlength(2048)
|
||||||
.set_valid_period(365*2)
|
.set_valid_period(365*2)
|
||||||
.add_name("CN".to_string(),"test_me".to_string())
|
.add_name("CN".to_string(),"test_me".to_string())
|
||||||
|
|
@ -22,9 +22,12 @@ fn test_cert_gen() {
|
||||||
.add_extension(ExtKeyUsage(vec![ClientAuth, ServerAuth, ExtKeyUsageOption::Other("2.999.1".to_owned())]))
|
.add_extension(ExtKeyUsage(vec![ClientAuth, ServerAuth, ExtKeyUsageOption::Other("2.999.1".to_owned())]))
|
||||||
.add_extension(SubjectAltName(vec![(SAN::DNS,"example.com".to_owned())]))
|
.add_extension(SubjectAltName(vec![(SAN::DNS,"example.com".to_owned())]))
|
||||||
.add_extension(OtherNid(Nid::BasicConstraints,"critical,CA:TRUE".to_owned()))
|
.add_extension(OtherNid(Nid::BasicConstraints,"critical,CA:TRUE".to_owned()))
|
||||||
.add_extension(OtherStr("2.999.2".to_owned(),"ASN1:UTF8:example value".to_owned()));
|
.add_extension(OtherStr("2.999.2".to_owned(),"ASN1:UTF8:example value".to_owned()))
|
||||||
|
}
|
||||||
|
|
||||||
let (cert, pkey) = gen.generate().unwrap();
|
#[test]
|
||||||
|
fn test_cert_gen() {
|
||||||
|
let (cert, pkey) = get_generator().generate().unwrap();
|
||||||
cert.write_pem(&mut io::sink()).unwrap();
|
cert.write_pem(&mut io::sink()).unwrap();
|
||||||
pkey.write_pem(&mut io::sink()).unwrap();
|
pkey.write_pem(&mut io::sink()).unwrap();
|
||||||
|
|
||||||
|
|
@ -34,6 +37,18 @@ fn test_cert_gen() {
|
||||||
assert_eq!(pkey.save_pub(), cert.public_key().save_pub());
|
assert_eq!(pkey.save_pub(), cert.public_key().save_pub());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_req_gen() {
|
||||||
|
let mut pkey = PKey::new();
|
||||||
|
pkey.gen(512);
|
||||||
|
|
||||||
|
let req = get_generator().request(&pkey).unwrap();
|
||||||
|
req.write_pem(&mut io::sink()).unwrap();
|
||||||
|
|
||||||
|
// FIXME: check data in result to be correct, needs implementation
|
||||||
|
// of X509_REQ getters
|
||||||
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn test_cert_loading() {
|
fn test_cert_loading() {
|
||||||
let cert_path = Path::new("test/cert.pem");
|
let cert_path = Path::new("test/cert.pem");
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue