Loading openssl-sys/src/lib.rs +3 −1 Original line number Diff line number Diff line Loading @@ -55,7 +55,6 @@ pub enum X509_REQ {} pub enum X509_STORE {} pub enum X509_STORE_CTX {} pub enum bio_st {} pub enum PKCS12 {} pub enum DH_METHOD {} pub enum RSA_METHOD {} pub enum BN_MONT_CTX {} Loading Loading @@ -1112,6 +1111,7 @@ pub const OCSP_RESPONSE_STATUS_UNAUTHORIZED: c_int = 6; pub const OPENSSL_EC_NAMED_CURVE: c_int = 1; pub const PKCS5_SALT_LEN: c_int = 8; pub const PKCS12_DEFAULT_ITER: c_int = 2048; pub const RSA_F4: c_long = 0x10001; Loading Loading @@ -1971,6 +1971,8 @@ extern { pub fn i2d_RSAPrivateKey(k: *const RSA, buf: *mut *mut u8) -> c_int; pub fn d2i_RSAPrivateKey(k: *mut *mut RSA, buf: *mut *const u8, len: c_long) -> *mut RSA; pub fn i2d_PKCS12_bio(b: *mut BIO, a: *mut PKCS12) -> c_int; pub fn i2d_PKCS12(a: *mut PKCS12, buf: *mut *mut u8) -> c_int; pub fn d2i_PKCS12(a: *mut *mut PKCS12, pp: *mut *const u8, length: c_long) -> *mut PKCS12; pub fn PKCS12_parse(p12: *mut PKCS12, pass: *const c_char, Loading openssl-sys/src/libressl.rs +12 −0 Original line number Diff line number Diff line Loading @@ -508,6 +508,7 @@ pub struct X509_VERIFY_PARAM { } pub enum X509_VERIFY_PARAM_ID {} pub enum PKCS12 {} pub const SSL_CTRL_OPTIONS: c_int = 32; pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77; Loading Loading @@ -637,6 +638,17 @@ extern { pub fn OCSP_cert_to_id(dgst: *const ::EVP_MD, subject: *mut ::X509, issuer: *mut ::X509) -> *mut ::OCSP_CERTID; pub fn PKCS12_create(pass: *mut c_char, friendly_name: *mut c_char, pkey: *mut EVP_PKEY, cert: *mut X509, ca: *mut stack_st_X509, nid_key: c_int, nid_cert: c_int, iter: c_int, mac_iter: c_int, keytype: c_int) -> *mut PKCS12; pub fn SSL_library_init() -> c_int; pub fn SSL_load_error_strings(); pub fn OPENSSL_add_all_algorithms_noconf(); Loading openssl-sys/src/ossl10x.rs +12 −0 Original line number Diff line number Diff line Loading @@ -653,6 +653,7 @@ pub struct X509_VERIFY_PARAM { #[cfg(not(ossl101))] pub enum X509_VERIFY_PARAM_ID {} pub enum PKCS12 {} pub const SSL_CTRL_OPTIONS: c_int = 32; pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77; Loading Loading @@ -782,6 +783,17 @@ extern { pub fn OCSP_cert_to_id(dgst: *const ::EVP_MD, subject: *mut ::X509, issuer: *mut ::X509) -> *mut ::OCSP_CERTID; pub fn PKCS12_create(pass: *mut c_char, friendly_name: *mut c_char, pkey: *mut EVP_PKEY, cert: *mut X509, ca: *mut stack_st_X509, nid_key: c_int, nid_cert: c_int, iter: c_int, mac_iter: c_int, keytype: c_int) -> *mut PKCS12; pub fn SSL_library_init() -> c_int; pub fn SSL_load_error_strings(); pub fn OPENSSL_add_all_algorithms_noconf(); Loading openssl-sys/src/ossl110.rs +12 −0 Original line number Diff line number Diff line Loading @@ -11,6 +11,7 @@ pub enum EVP_MD_CTX {} pub enum EVP_PKEY {} pub enum HMAC_CTX {} pub enum OPENSSL_STACK {} pub enum PKCS12 {} pub enum RSA {} pub enum SSL {} pub enum SSL_CTX {} Loading Loading @@ -179,4 +180,15 @@ extern { pub fn OPENSSL_sk_free(st: *mut ::OPENSSL_STACK); pub fn OPENSSL_sk_pop_free(st: *mut ::OPENSSL_STACK, free: Option<unsafe extern "C" fn (*mut c_void)>); pub fn OPENSSL_sk_pop(st: *mut ::OPENSSL_STACK) -> *mut c_void; pub fn PKCS12_create(pass: *const c_char, friendly_name: *const c_char, pkey: *mut EVP_PKEY, cert: *mut X509, ca: *mut stack_st_X509, nid_key: c_int, nid_cert: c_int, iter: c_int, mac_iter: c_int, keytype: c_int) -> *mut PKCS12; } openssl/src/pkcs12.rs +133 −1 Original line number Diff line number Diff line //! PKCS #12 archives. use ffi; use libc::c_int; use std::ptr; use std::ffi::CString; use cvt; use pkey::PKey; use pkey::{PKey, PKeyRef}; use error::ErrorStack; use x509::X509; use types::{OpenSslType, OpenSslTypeRef}; use stack::Stack; use nid; type_!(Pkcs12, Pkcs12Ref, ffi::PKCS12, ffi::PKCS12_free); impl Pkcs12Ref { to_der!(ffi::i2d_PKCS12); /// Extracts the contents of the `Pkcs12`. // FIXME should take an &[u8] pub fn parse(&self, pass: &str) -> Result<ParsedPkcs12, ErrorStack> { Loading Loading @@ -45,6 +49,25 @@ impl Pkcs12Ref { impl Pkcs12 { from_der!(Pkcs12, ffi::d2i_PKCS12); /// Creates a new builder for a protected pkcs12 certificate. /// /// This uses the defaults from the OpenSSL library: /// /// * `nid_key` - `nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC` /// * `nid_cert` - `nid::PBE_WITHSHA1AND40BITRC2_CBC` /// * `iter` - `2048` /// * `mac_iter` - `2048` pub fn builder() -> Pkcs12Builder { ffi::init(); Pkcs12Builder { nid_key: nid::UNDEF, //nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC, nid_cert: nid::UNDEF, //nid::PBE_WITHSHA1AND40BITRC2_CBC, iter: ffi::PKCS12_DEFAULT_ITER as usize, // 2048 mac_iter: ffi::PKCS12_DEFAULT_ITER as usize, // 2048 } } } pub struct ParsedPkcs12 { Loading @@ -53,11 +76,95 @@ pub struct ParsedPkcs12 { pub chain: Stack<X509>, } // TODO: add ca chain pub struct Pkcs12Builder { nid_key: nid::Nid, nid_cert: nid::Nid, iter: usize, mac_iter: usize, } impl Pkcs12Builder { /// The encryption algorithm that should be used for the key pub fn nid_key(&mut self, nid: nid::Nid) { self.nid_key = nid; } /// The encryption algorithm that should be used for the cert pub fn nid_cert(&mut self, nid: nid::Nid) { self.nid_cert = nid; } /// Key iteration count, default is 2048 as of this writing pub fn iter(&mut self, iter: usize) { self.iter = iter; } /// Mac iteration count, default is the same as key_iter default. /// /// Old implementation don't understand mac iterations greater than 1, (pre 1.0.1?), if such /// compatibility is required this should be set to 1 pub fn mac_iter(&mut self, mac_iter: usize) { self.mac_iter = mac_iter; } /// Builds the pkcs12 object /// /// # Arguments /// /// * `password` - the password used to encrypt the key and certificate /// * `friendly_name` - user defined name for the certificate /// * `pkey` - key to store /// * `cert` - certificate to store pub fn build(self, password: &str, friendly_name: &str, pkey: &PKeyRef, cert: &X509) -> Result<Pkcs12, ErrorStack> { unsafe { let pass = CString::new(password).unwrap(); let friendly_name = CString::new(friendly_name).unwrap(); let pkey = pkey.as_ptr(); let cert = cert.as_ptr(); let ca = ptr::null_mut(); // TODO: should allow for a chain to be set in the builder let nid_key = self.nid_key.as_raw(); let nid_cert = self.nid_cert.as_raw(); // According to the OpenSSL docs, keytype is a non-standard extension for MSIE, // It's values are KEY_SIG or KEY_EX, see the OpenSSL docs for more information: // https://www.openssl.org/docs/man1.0.2/crypto/PKCS12_create.html let keytype = 0; let pkcs12_ptr = ffi::PKCS12_create(pass.as_ptr() as *const _ as *mut _, friendly_name.as_ptr() as *const _ as *mut _, pkey, cert, ca, nid_key, nid_cert, self.iter as c_int, self.mac_iter as c_int, keytype); if pkcs12_ptr.is_null() { Err(ErrorStack::get()) } else { Ok(Pkcs12::from_ptr(pkcs12_ptr)) } } } } #[cfg(test)] mod test { use hash::MessageDigest; use hex::ToHex; use ::rsa::Rsa; use ::pkey::*; use ::x509::*; use ::x509::extension::*; use super::*; #[test] Loading @@ -73,4 +180,29 @@ mod test { assert_eq!(parsed.chain[0].fingerprint(MessageDigest::sha1()).unwrap().to_hex(), "c0cbdf7cdd03c9773e5468e1f6d2da7d5cbb1875"); } #[test] fn create() { let subject_name = "ns.example.com"; let rsa = Rsa::generate(2048).unwrap(); let pkey = PKey::from_rsa(rsa).unwrap(); let gen = X509Generator::new() .set_valid_period(365*2) .add_name("CN".to_owned(), subject_name.to_string()) .set_sign_hash(MessageDigest::sha256()) .add_extension(Extension::KeyUsage(vec![KeyUsageOption::DigitalSignature])); let cert = gen.sign(&pkey).unwrap(); let pkcs12_builder = Pkcs12::builder(); let pkcs12 = pkcs12_builder.build("mypass", subject_name, &pkey, &cert).unwrap(); let der = pkcs12.to_der().unwrap(); let pkcs12 = Pkcs12::from_der(&der).unwrap(); let parsed = pkcs12.parse("mypass").unwrap(); assert_eq!(parsed.cert.fingerprint(MessageDigest::sha1()).unwrap(), cert.fingerprint(MessageDigest::sha1()).unwrap()); assert!(parsed.pkey.public_eq(&pkey)); } } Loading
openssl-sys/src/lib.rs +3 −1 Original line number Diff line number Diff line Loading @@ -55,7 +55,6 @@ pub enum X509_REQ {} pub enum X509_STORE {} pub enum X509_STORE_CTX {} pub enum bio_st {} pub enum PKCS12 {} pub enum DH_METHOD {} pub enum RSA_METHOD {} pub enum BN_MONT_CTX {} Loading Loading @@ -1112,6 +1111,7 @@ pub const OCSP_RESPONSE_STATUS_UNAUTHORIZED: c_int = 6; pub const OPENSSL_EC_NAMED_CURVE: c_int = 1; pub const PKCS5_SALT_LEN: c_int = 8; pub const PKCS12_DEFAULT_ITER: c_int = 2048; pub const RSA_F4: c_long = 0x10001; Loading Loading @@ -1971,6 +1971,8 @@ extern { pub fn i2d_RSAPrivateKey(k: *const RSA, buf: *mut *mut u8) -> c_int; pub fn d2i_RSAPrivateKey(k: *mut *mut RSA, buf: *mut *const u8, len: c_long) -> *mut RSA; pub fn i2d_PKCS12_bio(b: *mut BIO, a: *mut PKCS12) -> c_int; pub fn i2d_PKCS12(a: *mut PKCS12, buf: *mut *mut u8) -> c_int; pub fn d2i_PKCS12(a: *mut *mut PKCS12, pp: *mut *const u8, length: c_long) -> *mut PKCS12; pub fn PKCS12_parse(p12: *mut PKCS12, pass: *const c_char, Loading
openssl-sys/src/libressl.rs +12 −0 Original line number Diff line number Diff line Loading @@ -508,6 +508,7 @@ pub struct X509_VERIFY_PARAM { } pub enum X509_VERIFY_PARAM_ID {} pub enum PKCS12 {} pub const SSL_CTRL_OPTIONS: c_int = 32; pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77; Loading Loading @@ -637,6 +638,17 @@ extern { pub fn OCSP_cert_to_id(dgst: *const ::EVP_MD, subject: *mut ::X509, issuer: *mut ::X509) -> *mut ::OCSP_CERTID; pub fn PKCS12_create(pass: *mut c_char, friendly_name: *mut c_char, pkey: *mut EVP_PKEY, cert: *mut X509, ca: *mut stack_st_X509, nid_key: c_int, nid_cert: c_int, iter: c_int, mac_iter: c_int, keytype: c_int) -> *mut PKCS12; pub fn SSL_library_init() -> c_int; pub fn SSL_load_error_strings(); pub fn OPENSSL_add_all_algorithms_noconf(); Loading
openssl-sys/src/ossl10x.rs +12 −0 Original line number Diff line number Diff line Loading @@ -653,6 +653,7 @@ pub struct X509_VERIFY_PARAM { #[cfg(not(ossl101))] pub enum X509_VERIFY_PARAM_ID {} pub enum PKCS12 {} pub const SSL_CTRL_OPTIONS: c_int = 32; pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77; Loading Loading @@ -782,6 +783,17 @@ extern { pub fn OCSP_cert_to_id(dgst: *const ::EVP_MD, subject: *mut ::X509, issuer: *mut ::X509) -> *mut ::OCSP_CERTID; pub fn PKCS12_create(pass: *mut c_char, friendly_name: *mut c_char, pkey: *mut EVP_PKEY, cert: *mut X509, ca: *mut stack_st_X509, nid_key: c_int, nid_cert: c_int, iter: c_int, mac_iter: c_int, keytype: c_int) -> *mut PKCS12; pub fn SSL_library_init() -> c_int; pub fn SSL_load_error_strings(); pub fn OPENSSL_add_all_algorithms_noconf(); Loading
openssl-sys/src/ossl110.rs +12 −0 Original line number Diff line number Diff line Loading @@ -11,6 +11,7 @@ pub enum EVP_MD_CTX {} pub enum EVP_PKEY {} pub enum HMAC_CTX {} pub enum OPENSSL_STACK {} pub enum PKCS12 {} pub enum RSA {} pub enum SSL {} pub enum SSL_CTX {} Loading Loading @@ -179,4 +180,15 @@ extern { pub fn OPENSSL_sk_free(st: *mut ::OPENSSL_STACK); pub fn OPENSSL_sk_pop_free(st: *mut ::OPENSSL_STACK, free: Option<unsafe extern "C" fn (*mut c_void)>); pub fn OPENSSL_sk_pop(st: *mut ::OPENSSL_STACK) -> *mut c_void; pub fn PKCS12_create(pass: *const c_char, friendly_name: *const c_char, pkey: *mut EVP_PKEY, cert: *mut X509, ca: *mut stack_st_X509, nid_key: c_int, nid_cert: c_int, iter: c_int, mac_iter: c_int, keytype: c_int) -> *mut PKCS12; }
openssl/src/pkcs12.rs +133 −1 Original line number Diff line number Diff line //! PKCS #12 archives. use ffi; use libc::c_int; use std::ptr; use std::ffi::CString; use cvt; use pkey::PKey; use pkey::{PKey, PKeyRef}; use error::ErrorStack; use x509::X509; use types::{OpenSslType, OpenSslTypeRef}; use stack::Stack; use nid; type_!(Pkcs12, Pkcs12Ref, ffi::PKCS12, ffi::PKCS12_free); impl Pkcs12Ref { to_der!(ffi::i2d_PKCS12); /// Extracts the contents of the `Pkcs12`. // FIXME should take an &[u8] pub fn parse(&self, pass: &str) -> Result<ParsedPkcs12, ErrorStack> { Loading Loading @@ -45,6 +49,25 @@ impl Pkcs12Ref { impl Pkcs12 { from_der!(Pkcs12, ffi::d2i_PKCS12); /// Creates a new builder for a protected pkcs12 certificate. /// /// This uses the defaults from the OpenSSL library: /// /// * `nid_key` - `nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC` /// * `nid_cert` - `nid::PBE_WITHSHA1AND40BITRC2_CBC` /// * `iter` - `2048` /// * `mac_iter` - `2048` pub fn builder() -> Pkcs12Builder { ffi::init(); Pkcs12Builder { nid_key: nid::UNDEF, //nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC, nid_cert: nid::UNDEF, //nid::PBE_WITHSHA1AND40BITRC2_CBC, iter: ffi::PKCS12_DEFAULT_ITER as usize, // 2048 mac_iter: ffi::PKCS12_DEFAULT_ITER as usize, // 2048 } } } pub struct ParsedPkcs12 { Loading @@ -53,11 +76,95 @@ pub struct ParsedPkcs12 { pub chain: Stack<X509>, } // TODO: add ca chain pub struct Pkcs12Builder { nid_key: nid::Nid, nid_cert: nid::Nid, iter: usize, mac_iter: usize, } impl Pkcs12Builder { /// The encryption algorithm that should be used for the key pub fn nid_key(&mut self, nid: nid::Nid) { self.nid_key = nid; } /// The encryption algorithm that should be used for the cert pub fn nid_cert(&mut self, nid: nid::Nid) { self.nid_cert = nid; } /// Key iteration count, default is 2048 as of this writing pub fn iter(&mut self, iter: usize) { self.iter = iter; } /// Mac iteration count, default is the same as key_iter default. /// /// Old implementation don't understand mac iterations greater than 1, (pre 1.0.1?), if such /// compatibility is required this should be set to 1 pub fn mac_iter(&mut self, mac_iter: usize) { self.mac_iter = mac_iter; } /// Builds the pkcs12 object /// /// # Arguments /// /// * `password` - the password used to encrypt the key and certificate /// * `friendly_name` - user defined name for the certificate /// * `pkey` - key to store /// * `cert` - certificate to store pub fn build(self, password: &str, friendly_name: &str, pkey: &PKeyRef, cert: &X509) -> Result<Pkcs12, ErrorStack> { unsafe { let pass = CString::new(password).unwrap(); let friendly_name = CString::new(friendly_name).unwrap(); let pkey = pkey.as_ptr(); let cert = cert.as_ptr(); let ca = ptr::null_mut(); // TODO: should allow for a chain to be set in the builder let nid_key = self.nid_key.as_raw(); let nid_cert = self.nid_cert.as_raw(); // According to the OpenSSL docs, keytype is a non-standard extension for MSIE, // It's values are KEY_SIG or KEY_EX, see the OpenSSL docs for more information: // https://www.openssl.org/docs/man1.0.2/crypto/PKCS12_create.html let keytype = 0; let pkcs12_ptr = ffi::PKCS12_create(pass.as_ptr() as *const _ as *mut _, friendly_name.as_ptr() as *const _ as *mut _, pkey, cert, ca, nid_key, nid_cert, self.iter as c_int, self.mac_iter as c_int, keytype); if pkcs12_ptr.is_null() { Err(ErrorStack::get()) } else { Ok(Pkcs12::from_ptr(pkcs12_ptr)) } } } } #[cfg(test)] mod test { use hash::MessageDigest; use hex::ToHex; use ::rsa::Rsa; use ::pkey::*; use ::x509::*; use ::x509::extension::*; use super::*; #[test] Loading @@ -73,4 +180,29 @@ mod test { assert_eq!(parsed.chain[0].fingerprint(MessageDigest::sha1()).unwrap().to_hex(), "c0cbdf7cdd03c9773e5468e1f6d2da7d5cbb1875"); } #[test] fn create() { let subject_name = "ns.example.com"; let rsa = Rsa::generate(2048).unwrap(); let pkey = PKey::from_rsa(rsa).unwrap(); let gen = X509Generator::new() .set_valid_period(365*2) .add_name("CN".to_owned(), subject_name.to_string()) .set_sign_hash(MessageDigest::sha256()) .add_extension(Extension::KeyUsage(vec![KeyUsageOption::DigitalSignature])); let cert = gen.sign(&pkey).unwrap(); let pkcs12_builder = Pkcs12::builder(); let pkcs12 = pkcs12_builder.build("mypass", subject_name, &pkey, &cert).unwrap(); let der = pkcs12.to_der().unwrap(); let pkcs12 = Pkcs12::from_der(&der).unwrap(); let parsed = pkcs12.parse("mypass").unwrap(); assert_eq!(parsed.cert.fingerprint(MessageDigest::sha1()).unwrap(), cert.fingerprint(MessageDigest::sha1()).unwrap()); assert!(parsed.pkey.public_eq(&pkey)); } }
