Merge remote-tracking branch 'origin/master' into x509-builder

1 files changed, 163 insertions, 17 deletions

diff --git a/openssl/src/pkcs12.rs b/openssl/src/pkcs12.rs
index 1ef0bf3f..9f014af6 100644
--- a/openssl/src/pkcs12.rs
+++ b/openssl/src/pkcs12.rs
@@ -1,35 +1,31 @@
 //! PKCS #12 archives.
 
 use ffi;
-use libc::{c_long, c_uchar};
-use std::cmp;
+use foreign_types::{ForeignType, ForeignTypeRef};
+use libc::c_int;
 use std::ptr;
 use std::ffi::CString;
 
 use {cvt, cvt_p};
-use pkey::PKey;
+use pkey::{PKey, PKeyRef};
 use error::ErrorStack;
 use x509::X509;
-use types::{OpenSslType, OpenSslTypeRef};
 use stack::Stack;
+use nid;
 
-type_!(Pkcs12, Pkcs12Ref, ffi::PKCS12, ffi::PKCS12_free);
+foreign_type! {
+    type CType = ffi::PKCS12;
+    fn drop = ffi::PKCS12_free;
 
-impl Pkcs12 {
-    /// Deserializes a `Pkcs12` structure from DER-encoded data.
-    pub fn from_der(der: &[u8]) -> Result<Pkcs12, ErrorStack> {
-        unsafe {
-            ffi::init();
-            let mut ptr = der.as_ptr() as *const c_uchar;
-            let length = cmp::min(der.len(), c_long::max_value() as usize) as c_long;
-            let p12 = try!(cvt_p(ffi::d2i_PKCS12(ptr::null_mut(), &mut ptr, length)));
-            Ok(Pkcs12(p12))
-        }
-    }
+    pub struct Pkcs12;
+    pub struct Pkcs12Ref;
 }
 
 impl Pkcs12Ref {
+    to_der!(ffi::i2d_PKCS12);
+
     /// Extracts the contents of the `Pkcs12`.
+    // FIXME should take an &[u8]
     pub fn parse(&self, pass: &str) -> Result<ParsedPkcs12, ErrorStack> {
         unsafe {
             let pass = CString::new(pass).unwrap();
@@ -57,16 +53,132 @@ impl Pkcs12Ref {
     }
 }
 
+impl Pkcs12 {
+    from_der!(Pkcs12, ffi::d2i_PKCS12);
+
+    /// Creates a new builder for a protected pkcs12 certificate.
+    ///
+    /// This uses the defaults from the OpenSSL library:
+    ///
+    /// * `nid_key` - `nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC`
+    /// * `nid_cert` - `nid::PBE_WITHSHA1AND40BITRC2_CBC`
+    /// * `iter` - `2048`
+    /// * `mac_iter` - `2048`
+    pub fn builder() -> Pkcs12Builder {
+        ffi::init();
+
+        Pkcs12Builder {
+            nid_key: nid::UNDEF, //nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC,
+            nid_cert: nid::UNDEF, //nid::PBE_WITHSHA1AND40BITRC2_CBC,
+            iter: ffi::PKCS12_DEFAULT_ITER,
+            mac_iter: ffi::PKCS12_DEFAULT_ITER,
+            ca: None,
+        }
+    }
+}
+
 pub struct ParsedPkcs12 {
     pub pkey: PKey,
     pub cert: X509,
     pub chain: Stack<X509>,
 }
 
+pub struct Pkcs12Builder {
+    nid_key: nid::Nid,
+    nid_cert: nid::Nid,
+    iter: c_int,
+    mac_iter: c_int,
+    ca: Option<Stack<X509>>,
+}
+
+impl Pkcs12Builder {
+    /// The encryption algorithm that should be used for the key
+    pub fn key_algorithm(&mut self, nid: nid::Nid) -> &mut Self {
+        self.nid_key = nid;
+        self
+    }
+
+    /// The encryption algorithm that should be used for the cert
+    pub fn cert_algorithm(&mut self, nid: nid::Nid) -> &mut Self {
+        self.nid_cert = nid;
+        self
+    }
+
+    /// Key iteration count, default is 2048 as of this writing
+    pub fn key_iter(&mut self, iter: u32) -> &mut Self {
+        self.iter = iter as c_int;
+        self
+    }
+
+    /// MAC iteration count, default is the same as key_iter.
+    ///
+    /// Old implementations don't understand MAC iterations greater than 1, (pre 1.0.1?), if such
+    /// compatibility is required this should be set to 1.
+    pub fn mac_iter(&mut self, mac_iter: u32) -> &mut Self {
+        self.mac_iter = mac_iter as c_int;
+        self
+    }
+
+    /// An additional set of certificates to include in the archive beyond the one provided to
+    /// `build`.
+    pub fn ca(&mut self, ca: Stack<X509>) -> &mut Self {
+        self.ca = Some(ca);
+        self
+    }
+
+    /// Builds the PKCS #12 object
+    ///
+    /// # Arguments
+    ///
+    /// * `password` - the password used to encrypt the key and certificate
+    /// * `friendly_name` - user defined name for the certificate
+    /// * `pkey` - key to store
+    /// * `cert` - certificate to store
+    pub fn build(self,
+                 password: &str,
+                 friendly_name: &str,
+                 pkey: &PKeyRef,
+                 cert: &X509) -> Result<Pkcs12, ErrorStack> {
+        unsafe {
+            let pass = CString::new(password).unwrap();
+            let friendly_name = CString::new(friendly_name).unwrap();
+            let pkey = pkey.as_ptr();
+            let cert = cert.as_ptr();
+            let ca = self.ca.as_ref().map(|ca| ca.as_ptr()).unwrap_or(ptr::null_mut());
+            let nid_key = self.nid_key.as_raw();
+            let nid_cert = self.nid_cert.as_raw();
+
+            // According to the OpenSSL docs, keytype is a non-standard extension for MSIE,
+            // It's values are KEY_SIG or KEY_EX, see the OpenSSL docs for more information:
+            // https://www.openssl.org/docs/man1.0.2/crypto/PKCS12_create.html
+            let keytype = 0;
+
+            cvt_p(ffi::PKCS12_create(pass.as_ptr() as *const _ as *mut _,
+                                                friendly_name.as_ptr() as *const _ as *mut _,
+                                                pkey,
+                                                cert,
+                                                ca,
+                                                nid_key,
+                                                nid_cert,
+                                                self.iter,
+                                                self.mac_iter,
+                                                keytype))
+                .map(Pkcs12)
+        }
+    }
+}
+
 #[cfg(test)]
 mod test {
     use hash::MessageDigest;
-    use serialize::hex::ToHex;
+    use hex::ToHex;
+
+    use asn1::Asn1Time;
+    use rsa::Rsa;
+    use pkey::PKey;
+    use nid;
+    use x509::{X509, X509Name};
+    use x509::extension::KeyUsage;
 
     use super::*;
 
@@ -83,4 +195,38 @@ mod test {
         assert_eq!(parsed.chain[0].fingerprint(MessageDigest::sha1()).unwrap().to_hex(),
                    "c0cbdf7cdd03c9773e5468e1f6d2da7d5cbb1875");
     }
+
+    #[test]
+    fn create() {
+        let subject_name = "ns.example.com";
+        let rsa = Rsa::generate(2048).unwrap();
+        let pkey = PKey::from_rsa(rsa).unwrap();
+
+        let mut name = X509Name::builder().unwrap();
+        name.append_entry_by_nid(nid::COMMONNAME, subject_name).unwrap();
+        let name = name.build();
+
+        let key_usage = KeyUsage::new().digital_signature().build().unwrap();;
+
+        let mut builder = X509::builder().unwrap();
+        builder.set_version(2).unwrap();
+        builder.set_not_before(&Asn1Time::days_from_now(0).unwrap()).unwrap();
+        builder.set_not_after(&Asn1Time::days_from_now(365).unwrap()).unwrap();
+        builder.set_subject_name(&name).unwrap();
+        builder.set_issuer_name(&name).unwrap();
+        builder.append_extension(key_usage).unwrap();
+        builder.set_pubkey(&pkey).unwrap();
+        builder.sign(&pkey, MessageDigest::sha256()).unwrap();
+        let cert = builder.build();
+
+        let pkcs12_builder = Pkcs12::builder();
+        let pkcs12 = pkcs12_builder.build("mypass", subject_name, &pkey, &cert).unwrap();
+        let der = pkcs12.to_der().unwrap();
+
+        let pkcs12 = Pkcs12::from_der(&der).unwrap();
+        let parsed = pkcs12.parse("mypass").unwrap();
+
+        assert_eq!(parsed.cert.fingerprint(MessageDigest::sha1()).unwrap(), cert.fingerprint(MessageDigest::sha1()).unwrap());
+        assert!(parsed.pkey.public_eq(&pkey));
+    }
 }