From f9cd4bff1f371336bc4f69298713069ce09825b7 Mon Sep 17 00:00:00 2001 From: David Weinstein Date: Wed, 3 Aug 2016 15:56:38 -0400 Subject: Progress on asn1 expiry - Use MemBio and implement `Display` for Asn1Time - Tweak doc for asn1 `not_before`, `not_after` --- openssl/src/x509/mod.rs | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'openssl/src/x509') diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 0cc0eca7..851dd881 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -433,6 +433,22 @@ impl<'a> X509Ref<'a> { } } + /// Returns Issuer validity notAfter + pub fn not_after(&self) -> Asn1Time { + unsafe { + let date = ffi_extras::X509_get_notAfter(self.handle()); + Asn1Time::from_raw(date) + } + } + + /// Returns Issuer validity notBefore + pub fn not_before(&self) -> Asn1Time { + unsafe { + let date = ffi_extras::X509_get_notBefore(self.handle()); + Asn1Time::from_raw(date) + } + } + /// Writes certificate as PEM pub fn to_pem(&self) -> Result, ErrorStack> { let mem_bio = try!(MemBio::new()); -- cgit v1.2.3 From 32a4e2ba50786a3c5a0d6c5951236c16e2976955 Mon Sep 17 00:00:00 2001 From: David Weinstein Date: Mon, 8 Aug 2016 16:42:02 -0400 Subject: Introduce `Asn1TimeRef` --- openssl/src/x509/mod.rs | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'openssl/src/x509') diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 851dd881..dc649f18 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -10,7 +10,7 @@ use std::collections::HashMap; use std::marker::PhantomData; use HashTypeInternals; -use asn1::Asn1Time; +use asn1::{Asn1Time, Asn1TimeRef}; use bio::{MemBio, MemBioSlice}; use crypto::hash; use crypto::hash::Type as HashType; 
@@ -434,18 +434,18 @@ impl<'a> X509Ref<'a> {
 }
 
 /// Returns Issuer validity notAfter
- pub fn not_after(&self) -> Asn1Time {
+ pub fn not_after(&self) -> Asn1TimeRef {
 unsafe {
- let date = ffi_extras::X509_get_notAfter(self.handle());
- Asn1Time::from_raw(date)
+ let date = ::c_helpers::rust_0_8_X509_get_notAfter(self.0);
+ Asn1TimeRef::from_ptr(date)
 }
 }
 
 /// Returns Issuer validity notBefore
- pub fn not_before(&self) -> Asn1Time {
+ pub fn not_before(&self) -> Asn1TimeRef {
 unsafe {
- let date = ffi_extras::X509_get_notBefore(self.handle());
- Asn1Time::from_raw(date)
+ let date = ::c_helpers::rust_0_8_X509_get_notBefore(self.0);
+ Asn1TimeRef::from_ptr(date)
 }
 }
 
--
cgit v1.2.3

From 96b1ef829cc51a901dd7b7225b9307b8628a4898 Mon Sep 17 00:00:00 2001
From: David Weinstein
Date: Tue, 16 Aug 2016 22:39:30 -0400
Subject: Add `"x509_expiry"` feature flag

- fix return of `ASN1_TIME_print`
- assert on null `date`
---
 openssl/src/x509/mod.rs | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'openssl/src/x509')

diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs
index dc649f18..bb5743e9 100644
--- a/openssl/src/x509/mod.rs
+++ b/openssl/src/x509/mod.rs
@@ -434,17 +434,21 @@ impl<'a> X509Ref<'a> {
 }
 
 /// Returns Issuer validity notAfter
+ #[cfg(feature = "x509_expiry")]
 pub fn not_after(&self) -> Asn1TimeRef {
 unsafe {
 let date = ::c_helpers::rust_0_8_X509_get_notAfter(self.0);
+ assert!(!date.is_null());
 Asn1TimeRef::from_ptr(date)
 }
 }
 
 /// Returns Issuer validity notBefore
+ #[cfg(feature = "x509_expiry")]
 pub fn not_before(&self) -> Asn1TimeRef {
 unsafe {
 let date = ::c_helpers::rust_0_8_X509_get_notBefore(self.0);
+ assert!(!date.is_null());
 Asn1TimeRef::from_ptr(date)
 }
 }
--
cgit v1.2.3

From 8fa4059b82545740440d9e6c796b644327b83c2e Mon Sep 17 00:00:00 2001
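Review bot: The new `assert!(!date.is_null())` in `not_after` and `not_before` states the pointer invariant, but neither `unsafe` block says why `Asn1TimeRef::from_ptr(date)` is sound, which is what a reader of this FFI wrapper needs most. Add a comment such as `// SAFETY: date points into the validity fields of the X509 behind self.0; the returned Asn1TimeRef only borrows it` above each `from_ptr` call (that `rust_0_8_X509_get_notAfter` hands back an interior pointer rather than a copy is inferred from the move away from the owned `Asn1Time` in the previous hunk — confirm against `c_helpers`). The assert turns a null pointer into a panic inside a library accessor; that is defensible for an invariant a successfully parsed certificate cannot violate, but give it a message, `assert!(!date.is_null(), "X509 has no notAfter field")`, so a user report is diagnosable. The same applies to the `notBefore` assert a few lines below.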
From: David Weinstein
Date: Tue, 16 Aug 2016 22:50:20 -0400
Subject: Add test for `"x509_validity"` feature

---
 openssl/src/x509/tests.rs | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'openssl/src/x509')

diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs
index 43add896..eac08941 100644
--- a/openssl/src/x509/tests.rs
+++ b/openssl/src/x509/tests.rs
@@ -92,6 +92,18 @@ fn test_cert_loading() {
 assert_eq!(fingerprint, hash_vec);
 }
 
+#[test]
+#[cfg(feature = "x509_expiry")]
+fn test_cert_issue_validity() {
+ let cert = include_bytes!("../../test/cert.pem");
+ let cert = X509::from_pem(cert).ok().expect("Failed to load PEM");
+ let not_before = cert.not_before().to_string();
+ let not_after = cert.not_after().to_string();
+
+ assert_eq!(not_before, "Aug 14 17:00:03 2016 GMT");
+ assert_eq!(not_after, "Aug 12 17:00:03 2026 GMT");
+}
+
 #[test]
 fn test_save_der() {
 let cert = include_bytes!("../../test/cert.pem");
--
cgit v1.2.3

From 234ce581f9401a7298d67e52bdeb857d4b53e645 Mon Sep 17 00:00:00 2001
From: David Weinstein
Date: Tue, 16 Aug 2016 23:31:01 -0400
Subject: Add x509_validity feature to travis tests

- also update docs for new x509 `not_before`, `not_after`
---
 openssl/src/x509/mod.rs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'openssl/src/x509')

diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs
index bb5743e9..649dfdc2 100644
--- a/openssl/src/x509/mod.rs
+++ b/openssl/src/x509/mod.rs
@@ -433,7 +433,8 @@ impl<'a> X509Ref<'a> {
 }
 }
 
- /// Returns Issuer validity notAfter
+ /// Returns certificate Not Before validity period.
+ /// Requires the `x509_expiry` feature.
 #[cfg(feature = "x509_expiry")]
 pub fn not_after(&self) -> Asn1TimeRef {
 unsafe {
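Review bot: `X509::from_pem(cert).ok().expect("Failed to load PEM")` in `test_cert_issue_validity` converts the `Result` to an `Option` first, so when the fixture fails to parse the panic carries only the static message and the OpenSSL `ErrorStack` is discarded; `X509::from_pem(cert).expect("Failed to load PEM")` keeps it in the panic output (assuming `ErrorStack` is `Debug`, which `expect` requires). The test is gated on `#[cfg(feature = "x509_expiry")]`, while this commit's title and the next one ("Add x509_validity feature to travis tests") call the feature `x509_validity`; if the CI configuration enables the name from the titles, this test is never compiled, so the feature name should be checked wherever CI turns it on. The expected strings are presumably the `ASN1_TIME_print` rendering of `test/cert.pem`, so regenerating the fixture changes both; a comment above the asserts, `// Expected values are the notBefore/notAfter of test/cert.pem as printed by OpenSSL`, would make that dependency explicit.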
@@ -443,7 +444,8 @@ impl<'a> X509Ref<'a> {
 }
 }
 
- /// Returns Issuer validity notBefore
+ /// Returns certificate Not After validity period.
+ /// Requires the `x509_expiry` feature.
 #[cfg(feature = "x509_expiry")]
 pub fn not_before(&self) -> Asn1TimeRef {
 unsafe {
--
cgit v1.2.3

From 90c42fc026bb2be02da93f5b73e781e854e3544c Mon Sep 17 00:00:00 2001
From: David Weinstein
Date: Tue, 16 Aug 2016 23:56:37 -0400
Subject: Fix docs

---
 openssl/src/x509/mod.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'openssl/src/x509')

diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs
index 649dfdc2..12a122b2 100644
--- a/openssl/src/x509/mod.rs
+++ b/openssl/src/x509/mod.rs
@@ -433,7 +433,7 @@ impl<'a> X509Ref<'a> {
 }
 }
 
- /// Returns certificate Not Before validity period.
+ /// Returns certificate Not After validity period.
 /// Requires the `x509_expiry` feature.
 #[cfg(feature = "x509_expiry")]
 pub fn not_after(&self) -> Asn1TimeRef {
@@ -444,7 +444,7 @@ impl<'a> X509Ref<'a> {
 }
 }
 
- /// Returns certificate Not After validity period.
+ /// Returns certificate Not Before validity period.
 /// Requires the `x509_expiry` feature.
 #[cfg(feature = "x509_expiry")]
 pub fn not_before(&self) -> Asn1TimeRef {
--
cgit v1.2.3

From 06f19cf285c9fc3b46bd8baca2825dcf1634a64a Mon Sep 17 00:00:00 2001
From: David Weinstein
Date: Tue, 16 Aug 2016 23:59:24 -0400
Subject: Be explicit regarding Asn1TimeRef lifetimes

---
 openssl/src/x509/mod.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'openssl/src/x509')

diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs
index 12a122b2..31a6cae8 100644
--- a/openssl/src/x509/mod.rs
+++ b/openssl/src/x509/mod.rs
@@ -436,7 +436,7 @@ impl<'a> X509Ref<'a> {
 /// Returns certificate Not After validity period.
 /// Requires the `x509_expiry` feature.
 #[cfg(feature = "x509_expiry")]
- pub fn not_after(&self) -> Asn1TimeRef {
+ pub fn not_after<'b>(&'b self) -> Asn1TimeRef<'b> {
 unsafe {
 let date = ::c_helpers::rust_0_8_X509_get_notAfter(self.0);
 assert!(!date.is_null());
@@ -447,7 +447,7 @@ impl<'a> X509Ref<'a> {
 /// Returns certificate Not Before validity period.
 /// Requires the `x509_expiry` feature.
 #[cfg(feature = "x509_expiry")]
- pub fn not_before(&self) -> Asn1TimeRef {
+ pub fn not_before<'b>(&'b self) -> Asn1TimeRef<'b> {
 unsafe {
 let date = ::c_helpers::rust_0_8_X509_get_notBefore(self.0);
 assert!(!date.is_null());
--
cgit v1.2.3

From 7a653282a9132b6110554afb7a50938a602059b0 Mon Sep 17 00:00:00 2001
From: David Weinstein
Date: Wed, 17 Aug 2016 00:10:41 -0400
Subject: Get rid of use Asn1TimeRef warning for some builds

---
 openssl/src/x509/mod.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'openssl/src/x509')

diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs
index 31a6cae8..1319b75c 100644
--- a/openssl/src/x509/mod.rs
+++ b/openssl/src/x509/mod.rs
@@ -10,7 +10,10 @@ use std::collections::HashMap;
 use std::marker::PhantomData;
 
 use HashTypeInternals;
-use asn1::{Asn1Time, Asn1TimeRef};
+use asn1::Asn1Time;
+#[cfg(feature = "x509_expiry")]
+use asn1::Asn1TimeRef;
+
 use bio::{MemBio, MemBioSlice};
 use crypto::hash;
 use crypto::hash::Type as HashType;
--
cgit v1.2.3

From cd69343d67081ab9c070f21d58918433a44f97bf Mon Sep 17 00:00:00 2001
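Review bot: The explicit `<'b>(&'b self) -> Asn1TimeRef<'b>` on `not_after` and `not_before` is exactly what lifetime elision already infers for a single `&self` input, so both hunks change documentation rather than behaviour; that intent is worth stating where callers actually read it, because the doc comments still say nothing about the borrow. Add `/// The returned reference borrows `self` and cannot outlive it.` under `/// Requires the `x509_expiry` feature.` in both hunks. Tying the result to `'b` rather than to the `'a` of `X509Ref<'a>` is the right choice if an owned `X509` exposes itself as `X509Ref<'static>` through `Deref` (not visible here — confirm), since a `'static` time reference would then outlive the certificate that owns the bytes.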
From: Steven Fackler
Date: Wed, 17 Aug 2016 19:30:57 -0700
Subject: Fix SslContext::add_extra_chain_cert

SSL_CTX_add_extra_chain_cert assumes ownership of the certificate, so the method really needs to take an X509 by value. Work around this by manually cloning the cert. This method has been around for over a year but I'm guessing nobody actually used it since it produces a nice double free into segfault!
---
 openssl/src/x509/mod.rs | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'openssl/src/x509')

diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs
index 1319b75c..f5369447 100644
--- a/openssl/src/x509/mod.rs
+++ b/openssl/src/x509/mod.rs
@@ -1,4 +1,5 @@
 use libc::{c_char, c_int, c_long, c_ulong, c_void};
+use std::cmp;
 use std::ffi::CString;
 use std::mem;
 use std::ptr;
@@ -492,6 +493,16 @@ impl X509 {
 X509::from_ptr(x509)
 }
 
+ /// Reads a certificate from DER.
+ pub fn from_der(buf: &[u8]) -> Result {
+ unsafe {
+ let mut ptr = buf.as_ptr() as *mut _;
+ let len = cmp::min(buf.len(), c_long::max_value() as usize) as c_long;
+ let x509 = try_ssl_null!(ffi::d2i_X509(ptr::null_mut(), &mut ptr, len));
+ Ok(X509::from_ptr(x509))
+ }
+ }
+
 /// Reads a certificate from PEM.
 pub fn from_pem(buf: &[u8]) -> Result {
 let mem_bio = try!(MemBioSlice::new(buf));
--
cgit v1.2.3
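Review bot: `from_der` never checks how much of `buf` `d2i_X509` consumed: `ptr` is advanced past the parsed certificate but is not compared with the end of the slice, so trailing bytes are silently accepted, and a slice longer than `c_long::max_value()` is truncated by the `cmp::min` instead of being rejected, so only a prefix of it is visible to the parser. Both are reasonable for a lenient loader, but a DER parser is a boundary that routinely receives untrusted bytes, so the behaviour belongs on the function: `/// Reads a certificate from DER. Trailing data after the encoded certificate is ignored.` If strict parsing is wanted, the distance `ptr` moved from `buf.as_ptr()` can be compared with `len` after the call and a leftover turned into an error, though that needs an error value that `ErrorStack` (filled from OpenSSL's error queue) does not offer in this hunk. The `buf.as_ptr() as *mut _` cast presumably only satisfies the `ffi::d2i_X509` signature — the `d2i_*` family reads through the pointer and advances it without writing to the data — and deserves a one-line comment saying so; the enclosing `impl X509` continues outside the hunk.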