diff options
| author | Steven Fackler <[email protected]> | 2015-08-15 16:04:42 -0400 |
|---|---|---|
| committer | Steven Fackler <[email protected]> | 2015-08-15 16:04:42 -0400 |
| commit | 769b8312d89e005523dbecb3af4737a85a891232 (patch) | |
| tree | d798504a2230ba8af8114d751b44b49fd1748de2 | |
| parent | Grab errno for directstream want errors (diff) | |
| parent | Implement certificate extensions for certificate requests (diff) | |
| download | rust-openssl-769b8312d89e005523dbecb3af4737a85a891232.tar.xz rust-openssl-769b8312d89e005523dbecb3af4737a85a891232.zip | |
Merge pull request #240 from jethrogb/topic/x509_req_extension
Implement certificate extensions for certificate requests
| -rw-r--r-- | openssl-sys/src/lib.rs | 6 | ||||
| -rw-r--r-- | openssl-sys/src/openssl_shim.c | 4 | ||||
| -rw-r--r-- | openssl/src/x509/mod.rs | 17 | ||||
| -rw-r--r-- | openssl/src/x509/tests.rs | 25 |
4 files changed, 43 insertions, 9 deletions
diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 55ec30bb..d5bd5cf9 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -37,6 +37,7 @@ pub type X509_NAME = c_void; pub type X509_NAME_ENTRY = c_void; pub type X509_REQ = c_void; pub type X509_STORE_CTX = c_void; +pub type stack_st_X509_EXTENSION = c_void; #[repr(C)] pub struct EVP_MD_CTX { @@ -633,6 +634,9 @@ extern "C" { pub fn X509V3_EXT_conf(conf: *mut c_void, ctx: *mut X509V3_CTX, name: *mut c_char, value: *mut c_char) -> *mut X509_EXTENSION; pub fn X509V3_set_ctx(ctx: *mut X509V3_CTX, issuer: *mut X509, subject: *mut X509, req: *mut X509_REQ, crl: *mut X509_CRL, flags: c_int); + pub fn X509_REQ_add_extensions(req: *mut X509_REQ, exts: *mut stack_st_X509_EXTENSION) -> c_int; + pub fn X509_REQ_sign(x: *mut X509_REQ, pkey: *mut EVP_PKEY, md: *const EVP_MD) -> c_int; + pub fn i2d_RSA_PUBKEY(k: *mut RSA, buf: *const *mut u8) -> c_int; pub fn d2i_RSA_PUBKEY(k: *const *mut RSA, buf: *const *const u8, len: c_uint) -> *mut RSA; pub fn i2d_RSAPrivateKey(k: *mut RSA, buf: *const *mut u8) -> c_int; @@ -652,6 +656,8 @@ extern "C" { pub fn SSL_CTX_set_read_ahead(ctx: *mut SSL_CTX, m: c_long) -> c_long; #[link_name = "SSL_set_tlsext_host_name_shim"] pub fn SSL_set_tlsext_host_name(s: *mut SSL, name: *const c_char) -> c_long; + #[link_name = "X509_get_extensions_shim"] + pub fn X509_get_extensions(x: *mut X509) -> *mut stack_st_X509_EXTENSION; } pub mod probe; diff --git a/openssl-sys/src/openssl_shim.c b/openssl-sys/src/openssl_shim.c index 7b4f9c74..f0622d2d 100644 --- a/openssl-sys/src/openssl_shim.c +++ b/openssl-sys/src/openssl_shim.c @@ -82,3 +82,7 @@ long SSL_CTX_set_read_ahead_shim(SSL_CTX *ctx, long m) { long SSL_set_tlsext_host_name_shim(SSL *s, char *name) { return SSL_set_tlsext_host_name(s, name); } + +STACK_OF(X509_EXTENSION) *X509_get_extensions_shim(X509 *x) { + return x->cert_info ? x->cert_info->extensions : NULL; +} diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index a5df80f5..91daa66a 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -396,11 +396,20 @@ impl X509Generator { Err(x) => return Err(x) }; - let hash_fn = self.hash_type.evp_md(); - let req = unsafe { ffi::X509_to_X509_REQ(cert.handle, p_key.get_handle(), hash_fn) }; - try_ssl_null!(req); + unsafe { + let req = ffi::X509_to_X509_REQ(cert.handle, ptr::null_mut(), ptr::null()); + try_ssl_null!(req); + + let exts = ffi::X509_get_extensions(cert.handle); + if exts != ptr::null_mut() { + try_ssl!(ffi::X509_REQ_add_extensions(req,exts)); + } - Ok(X509Req::new(req)) + let hash_fn = self.hash_type.evp_md(); + try_ssl!(ffi::X509_REQ_sign(req, p_key.get_handle(), hash_fn)); + + Ok(X509Req::new(req)) + } } } diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 0aed364b..692539ba 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -4,6 +4,7 @@ use std::path::Path; use std::fs::File; use crypto::hash::Type::{SHA256}; +use crypto::pkey::PKey; use x509::{X509, X509Generator}; use x509::extension::Extension::{KeyUsage,ExtKeyUsage,SubjectAltName,OtherNid,OtherStr}; use x509::extension::AltNameOption as SAN; @@ -11,9 +12,8 @@ use x509::extension::KeyUsageOption::{DigitalSignature, KeyEncipherment}; use x509::extension::ExtKeyUsageOption::{self, ClientAuth, ServerAuth}; use nid::Nid; -#[test] -fn test_cert_gen() { - let gen = X509Generator::new() +fn get_generator() -> X509Generator { + X509Generator::new() .set_bitlength(2048) .set_valid_period(365*2) .add_name("CN".to_string(),"test_me".to_string()) @@ -22,9 +22,12 @@ fn test_cert_gen() { .add_extension(ExtKeyUsage(vec![ClientAuth, ServerAuth, ExtKeyUsageOption::Other("2.999.1".to_owned())])) .add_extension(SubjectAltName(vec![(SAN::DNS,"example.com".to_owned())])) .add_extension(OtherNid(Nid::BasicConstraints,"critical,CA:TRUE".to_owned())) - .add_extension(OtherStr("2.999.2".to_owned(),"ASN1:UTF8:example value".to_owned())); + .add_extension(OtherStr("2.999.2".to_owned(),"ASN1:UTF8:example value".to_owned())) +} - let (cert, pkey) = gen.generate().unwrap(); +#[test] +fn test_cert_gen() { + let (cert, pkey) = get_generator().generate().unwrap(); cert.write_pem(&mut io::sink()).unwrap(); pkey.write_pem(&mut io::sink()).unwrap(); @@ -35,6 +38,18 @@ fn test_cert_gen() { } #[test] +fn test_req_gen() { + let mut pkey = PKey::new(); + pkey.gen(512); + + let req = get_generator().request(&pkey).unwrap(); + req.write_pem(&mut io::sink()).unwrap(); + + // FIXME: check data in result to be correct, needs implementation + // of X509_REQ getters +} + +#[test] fn test_cert_loading() { let cert_path = Path::new("test/cert.pem"); let mut file = File::open(&cert_path) |