Rename X509Ref::fingerprint to X509Ref::digest and avoid allocating

5 files changed, 47 insertions, 34 deletions

diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs
index 49797df8..dd4d136c 100644
--- a/openssl/src/hash.rs
+++ b/openssl/src/hash.rs
@@ -251,8 +251,8 @@ impl Drop for Hasher {
 /// store the digest data.
 #[derive(Copy)]
 pub struct DigestBytes {
-    buf: [u8; ffi::EVP_MAX_MD_SIZE as usize],
-    len: usize,
+    pub(crate) buf: [u8; ffi::EVP_MAX_MD_SIZE as usize],
+    pub(crate) len: usize,
 }
 
 impl Clone for DigestBytes {
diff --git a/openssl/src/pkcs12.rs b/openssl/src/pkcs12.rs
index d71a1d82..b98848c8 100644
--- a/openssl/src/pkcs12.rs
+++ b/openssl/src/pkcs12.rs
@@ -3,15 +3,15 @@
 use ffi;
 use foreign_types::{ForeignType, ForeignTypeRef};
 use libc::c_int;
-use std::ptr;
 use std::ffi::CString;
+use std::ptr;
 
-use {cvt, cvt_p};
-use pkey::{HasPrivate, PKey, PKeyRef, Private};
 use error::ErrorStack;
-use x509::{X509, X509Ref};
-use stack::Stack;
 use nid::Nid;
+use pkey::{HasPrivate, PKey, PKeyRef, Private};
+use stack::Stack;
+use x509::{X509, X509Ref};
+use {cvt, cvt_p};
 
 foreign_type_and_impl_send_sync! {
     type CType = ffi::PKCS12;
@@ -172,7 +172,8 @@ impl Pkcs12Builder {
             let friendly_name = CString::new(friendly_name).unwrap();
             let pkey = pkey.as_ptr();
             let cert = cert.as_ptr();
-            let ca = self.ca
+            let ca = self
+                .ca
                 .as_ref()
                 .map(|ca| ca.as_ptr())
                 .unwrap_or(ptr::null_mut());
@@ -206,11 +207,11 @@ mod test {
     use hex;
 
     use asn1::Asn1Time;
-    use rsa::Rsa;
-    use pkey::PKey;
     use nid::Nid;
-    use x509::{X509, X509Name};
+    use pkey::PKey;
+    use rsa::Rsa;
     use x509::extension::KeyUsage;
+    use x509::{X509, X509Name};
 
     use super::*;
 
@@ -221,14 +222,14 @@ mod test {
         let parsed = pkcs12.parse("mypass").unwrap();
 
         assert_eq!(
-            hex::encode(parsed.cert.fingerprint(MessageDigest::sha1()).unwrap()),
+            hex::encode(parsed.cert.digest(MessageDigest::sha1()).unwrap()),
             "59172d9313e84459bcff27f967e79e6e9217e584"
         );
 
         let chain = parsed.chain.unwrap();
         assert_eq!(chain.len(), 1);
         assert_eq!(
-            hex::encode(chain[0].fingerprint(MessageDigest::sha1()).unwrap()),
+            hex::encode(chain[0].digest(MessageDigest::sha1()).unwrap()),
             "c0cbdf7cdd03c9773e5468e1f6d2da7d5cbb1875"
         );
     }
@@ -279,8 +280,8 @@ mod test {
         let parsed = pkcs12.parse("mypass").unwrap();
 
         assert_eq!(
-            parsed.cert.fingerprint(MessageDigest::sha1()).unwrap(),
-            cert.fingerprint(MessageDigest::sha1()).unwrap()
+            &*parsed.cert.digest(MessageDigest::sha1()).unwrap(),
+            &*cert.digest(MessageDigest::sha1()).unwrap()
         );
         assert!(parsed.pkey.public_eq(&pkey));
     }
diff --git a/openssl/src/ssl/test.rs b/openssl/src/ssl/test.rs
index 0d418d2c..f5ec7b29 100644
--- a/openssl/src/ssl/test.rs
+++ b/openssl/src/ssl/test.rs
@@ -295,8 +295,8 @@ run_test!(verify_callback_data, |method, stream| {
         match cert {
             None => false,
             Some(cert) => {
-                let fingerprint = cert.fingerprint(MessageDigest::sha1()).unwrap();
-                fingerprint == node_id
+                let fingerprint = cert.digest(MessageDigest::sha1()).unwrap();
+                node_id == &*fingerprint
             }
         }
     });
@@ -323,8 +323,8 @@ run_test!(ssl_verify_callback, |method, stream| {
         match x509.current_cert() {
             None => false,
             Some(cert) => {
-                let fingerprint = cert.fingerprint(MessageDigest::sha1()).unwrap();
-                fingerprint == node_id
+                let fingerprint = cert.digest(MessageDigest::sha1()).unwrap();
+                node_id == &*fingerprint
             }
         }
     });
@@ -424,10 +424,10 @@ run_test!(get_peer_certificate, |method, stream| {
     let ctx = SslContext::builder(method).unwrap();
     let stream = Ssl::new(&ctx.build()).unwrap().connect(stream).unwrap();
     let cert = stream.ssl().peer_certificate().unwrap();
-    let fingerprint = cert.fingerprint(MessageDigest::sha1()).unwrap();
+    let fingerprint = cert.digest(MessageDigest::sha1()).unwrap();
     let node_hash_str = "59172d9313e84459bcff27f967e79e6e9217e584";
     let node_id = Vec::from_hex(node_hash_str).unwrap();
-    assert_eq!(node_id, fingerprint)
+    assert_eq!(node_id, &*fingerprint)
 });
 
 #[test]
diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs
index 19760f25..5c1bb23f 100644
--- a/openssl/src/x509/mod.rs
+++ b/openssl/src/x509/mod.rs
@@ -25,7 +25,7 @@ use bio::MemBioSlice;
 use conf::ConfRef;
 use error::ErrorStack;
 use ex_data::Index;
-use hash::MessageDigest;
+use hash::{DigestBytes, MessageDigest};
 use nid::Nid;
 use pkey::{HasPrivate, HasPublic, PKey, PKeyRef, Public};
 use ssl::SslRef;
@@ -447,23 +447,35 @@ impl X509Ref {
         }
     }
 
-    /// Returns certificate fingerprint calculated using provided hash
-    pub fn fingerprint(&self, hash_type: MessageDigest) -> Result<Vec<u8>, ErrorStack> {
+    /// Returns a digest of the DER representation of the certificate.
+    ///
+    /// This corresponds to [`X509_digest`].
+    ///
+    /// [`X509_digest`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_digest.html
+    pub fn digest(&self, hash_type: MessageDigest) -> Result<DigestBytes, ErrorStack> {
         unsafe {
-            let evp = hash_type.as_ptr();
+            let mut digest = DigestBytes {
+                buf: [0; ffi::EVP_MAX_MD_SIZE as usize],
+                len: ffi::EVP_MAX_MD_SIZE as usize,
+            };
             let mut len = ffi::EVP_MAX_MD_SIZE;
-            let mut buf = vec![0u8; len as usize];
             cvt(ffi::X509_digest(
                 self.as_ptr(),
-                evp,
-                buf.as_mut_ptr() as *mut _,
+                hash_type.as_ptr(),
+                digest.buf.as_mut_ptr() as *mut _,
                 &mut len,
             ))?;
-            buf.truncate(len as usize);
-            Ok(buf)
+            digest.len = len as usize;
+
+            Ok(digest)
         }
     }
 
+    #[deprecated(since = "0.10.9", note = "renamed to digest")]
+    pub fn fingerprint(&self, hash_type: MessageDigest) -> Result<Vec<u8>, ErrorStack> {
+        self.digest(hash_type).map(|b| b.to_vec())
+    }
+
     /// Returns the certificate's Not After validity period.
     pub fn not_after(&self) -> &Asn1TimeRef {
         unsafe {
diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs
index a3c66e0c..42859c97 100644
--- a/openssl/src/x509/tests.rs
+++ b/openssl/src/x509/tests.rs
@@ -23,12 +23,12 @@ fn pkey() -> PKey<Private> {
 fn test_cert_loading() {
     let cert = include_bytes!("../../test/cert.pem");
     let cert = X509::from_pem(cert).ok().expect("Failed to load PEM");
-    let fingerprint = cert.fingerprint(MessageDigest::sha1()).unwrap();
+    let fingerprint = cert.digest(MessageDigest::sha1()).unwrap();
 
     let hash_str = "59172d9313e84459bcff27f967e79e6e9217e584";
     let hash_vec = Vec::from_hex(hash_str).unwrap();
 
-    assert_eq!(fingerprint, hash_vec);
+    assert_eq!(hash_vec, &*fingerprint);
 }
 
 #[test]
@@ -250,11 +250,11 @@ fn test_stack_from_pem() {
 
     assert_eq!(certs.len(), 2);
     assert_eq!(
-        hex::encode(certs[0].fingerprint(MessageDigest::sha1()).unwrap()),
+        hex::encode(certs[0].digest(MessageDigest::sha1()).unwrap()),
         "59172d9313e84459bcff27f967e79e6e9217e584"
     );
     assert_eq!(
-        hex::encode(certs[1].fingerprint(MessageDigest::sha1()).unwrap()),
+        hex::encode(certs[1].digest(MessageDigest::sha1()).unwrap()),
         "c0cbdf7cdd03c9773e5468e1f6d2da7d5cbb1875"
     );
 }