From a774c0c5f2867b33735bec9e1cb6c9870a5ece08 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Thu, 24 May 2018 20:35:06 -0700 Subject: [PATCH] Rename X509Ref::fingerprint to X509Ref::digest and avoid allocating --- openssl/src/hash.rs | 4 ++-- openssl/src/pkcs12.rs | 27 ++++++++++++++------------- openssl/src/ssl/test.rs | 12 ++++++------ openssl/src/x509/mod.rs | 30 +++++++++++++++++++++--------- openssl/src/x509/tests.rs | 8 ++++---- 5 files changed, 47 insertions(+), 34 deletions(-) diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 49797df8..dd4d136c 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -251,8 +251,8 @@ impl Drop for Hasher { /// store the digest data. #[derive(Copy)] pub struct DigestBytes { - buf: [u8; ffi::EVP_MAX_MD_SIZE as usize], - len: usize, + pub(crate) buf: [u8; ffi::EVP_MAX_MD_SIZE as usize], + pub(crate) len: usize, } impl Clone for DigestBytes { diff --git a/openssl/src/pkcs12.rs b/openssl/src/pkcs12.rs index d71a1d82..b98848c8 100644 --- a/openssl/src/pkcs12.rs +++ b/openssl/src/pkcs12.rs @@ -3,15 +3,15 @@ use ffi; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::c_int; -use std::ptr; use std::ffi::CString; +use std::ptr; -use {cvt, cvt_p}; -use pkey::{HasPrivate, PKey, PKeyRef, Private}; use error::ErrorStack; -use x509::{X509, X509Ref}; -use stack::Stack; use nid::Nid; +use pkey::{HasPrivate, PKey, PKeyRef, Private}; +use stack::Stack; +use x509::{X509, X509Ref}; +use {cvt, cvt_p}; foreign_type_and_impl_send_sync! { type CType = ffi::PKCS12; @@ -172,7 +172,8 @@ impl Pkcs12Builder { let friendly_name = CString::new(friendly_name).unwrap(); let pkey = pkey.as_ptr(); let cert = cert.as_ptr(); - let ca = self.ca + let ca = self + .ca .as_ref() .map(|ca| ca.as_ptr()) .unwrap_or(ptr::null_mut()); @@ -206,11 +207,11 @@ mod test { use hex; use asn1::Asn1Time; - use rsa::Rsa; - use pkey::PKey; use nid::Nid; - use x509::{X509, X509Name}; + use pkey::PKey; + use rsa::Rsa; use x509::extension::KeyUsage; + use x509::{X509, X509Name}; use super::*; @@ -221,14 +222,14 @@ mod test { let parsed = pkcs12.parse("mypass").unwrap(); assert_eq!( - hex::encode(parsed.cert.fingerprint(MessageDigest::sha1()).unwrap()), + hex::encode(parsed.cert.digest(MessageDigest::sha1()).unwrap()), "59172d9313e84459bcff27f967e79e6e9217e584" ); let chain = parsed.chain.unwrap(); assert_eq!(chain.len(), 1); assert_eq!( - hex::encode(chain[0].fingerprint(MessageDigest::sha1()).unwrap()), + hex::encode(chain[0].digest(MessageDigest::sha1()).unwrap()), "c0cbdf7cdd03c9773e5468e1f6d2da7d5cbb1875" ); } @@ -279,8 +280,8 @@ mod test { let parsed = pkcs12.parse("mypass").unwrap(); assert_eq!( - parsed.cert.fingerprint(MessageDigest::sha1()).unwrap(), - cert.fingerprint(MessageDigest::sha1()).unwrap() + &*parsed.cert.digest(MessageDigest::sha1()).unwrap(), + &*cert.digest(MessageDigest::sha1()).unwrap() ); assert!(parsed.pkey.public_eq(&pkey)); } diff --git a/openssl/src/ssl/test.rs b/openssl/src/ssl/test.rs index 0d418d2c..f5ec7b29 100644 --- a/openssl/src/ssl/test.rs +++ b/openssl/src/ssl/test.rs @@ -295,8 +295,8 @@ run_test!(verify_callback_data, |method, stream| { match cert { None => false, Some(cert) => { - let fingerprint = cert.fingerprint(MessageDigest::sha1()).unwrap(); - fingerprint == node_id + let fingerprint = cert.digest(MessageDigest::sha1()).unwrap(); + node_id == &*fingerprint } } }); @@ -323,8 +323,8 @@ run_test!(ssl_verify_callback, |method, stream| { match x509.current_cert() { None => false, Some(cert) => { - let fingerprint = cert.fingerprint(MessageDigest::sha1()).unwrap(); - fingerprint == node_id + let fingerprint = cert.digest(MessageDigest::sha1()).unwrap(); + node_id == &*fingerprint } } }); @@ -424,10 +424,10 @@ run_test!(get_peer_certificate, |method, stream| { let ctx = SslContext::builder(method).unwrap(); let stream = Ssl::new(&ctx.build()).unwrap().connect(stream).unwrap(); let cert = stream.ssl().peer_certificate().unwrap(); - let fingerprint = cert.fingerprint(MessageDigest::sha1()).unwrap(); + let fingerprint = cert.digest(MessageDigest::sha1()).unwrap(); let node_hash_str = "59172d9313e84459bcff27f967e79e6e9217e584"; let node_id = Vec::from_hex(node_hash_str).unwrap(); - assert_eq!(node_id, fingerprint) + assert_eq!(node_id, &*fingerprint) }); #[test] diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 19760f25..5c1bb23f 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -25,7 +25,7 @@ use bio::MemBioSlice; use conf::ConfRef; use error::ErrorStack; use ex_data::Index; -use hash::MessageDigest; +use hash::{DigestBytes, MessageDigest}; use nid::Nid; use pkey::{HasPrivate, HasPublic, PKey, PKeyRef, Public}; use ssl::SslRef; @@ -447,23 +447,35 @@ impl X509Ref { } } - /// Returns certificate fingerprint calculated using provided hash - pub fn fingerprint(&self, hash_type: MessageDigest) -> Result, ErrorStack> { + /// Returns a digest of the DER representation of the certificate. + /// + /// This corresponds to [`X509_digest`]. + /// + /// [`X509_digest`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_digest.html + pub fn digest(&self, hash_type: MessageDigest) -> Result { unsafe { - let evp = hash_type.as_ptr(); + let mut digest = DigestBytes { + buf: [0; ffi::EVP_MAX_MD_SIZE as usize], + len: ffi::EVP_MAX_MD_SIZE as usize, + }; let mut len = ffi::EVP_MAX_MD_SIZE; - let mut buf = vec![0u8; len as usize]; cvt(ffi::X509_digest( self.as_ptr(), - evp, - buf.as_mut_ptr() as *mut _, + hash_type.as_ptr(), + digest.buf.as_mut_ptr() as *mut _, &mut len, ))?; - buf.truncate(len as usize); - Ok(buf) + digest.len = len as usize; + + Ok(digest) } } + #[deprecated(since = "0.10.9", note = "renamed to digest")] + pub fn fingerprint(&self, hash_type: MessageDigest) -> Result, ErrorStack> { + self.digest(hash_type).map(|b| b.to_vec()) + } + /// Returns the certificate's Not After validity period. pub fn not_after(&self) -> &Asn1TimeRef { unsafe { diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index a3c66e0c..42859c97 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -23,12 +23,12 @@ fn pkey() -> PKey { fn test_cert_loading() { let cert = include_bytes!("../../test/cert.pem"); let cert = X509::from_pem(cert).ok().expect("Failed to load PEM"); - let fingerprint = cert.fingerprint(MessageDigest::sha1()).unwrap(); + let fingerprint = cert.digest(MessageDigest::sha1()).unwrap(); let hash_str = "59172d9313e84459bcff27f967e79e6e9217e584"; let hash_vec = Vec::from_hex(hash_str).unwrap(); - assert_eq!(fingerprint, hash_vec); + assert_eq!(hash_vec, &*fingerprint); } #[test] @@ -250,11 +250,11 @@ fn test_stack_from_pem() { assert_eq!(certs.len(), 2); assert_eq!( - hex::encode(certs[0].fingerprint(MessageDigest::sha1()).unwrap()), + hex::encode(certs[0].digest(MessageDigest::sha1()).unwrap()), "59172d9313e84459bcff27f967e79e6e9217e584" ); assert_eq!( - hex::encode(certs[1].fingerprint(MessageDigest::sha1()).unwrap()), + hex::encode(certs[1].digest(MessageDigest::sha1()).unwrap()), "c0cbdf7cdd03c9773e5468e1f6d2da7d5cbb1875" ); }