-
-
Notifications
You must be signed in to change notification settings - Fork 209
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
Implement PKCS8 certificate support for all three backends. #147
Changes from all commits
eb269b8
c400390
1a6d7ba
ab437ba
beb8ebc
28eade4
7e9a612
da4cf1a
255dd54
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
extern crate native_tls; | ||
|
||
use native_tls::{Identity, TlsAcceptor, TlsStream}; | ||
use std::fs::File; | ||
use std::io::{Read, Write}; | ||
use std::net::{TcpListener, TcpStream}; | ||
use std::sync::Arc; | ||
use std::thread; | ||
|
||
fn main() { | ||
let mut cert_file = File::open("test/cert.pem").unwrap(); | ||
let mut certs = vec![]; | ||
cert_file.read_to_end(&mut certs).unwrap(); | ||
let mut key_file = File::open("test/key.pem").unwrap(); | ||
let mut key = vec![]; | ||
key_file.read_to_end(&mut key).unwrap(); | ||
let pkcs8 = Identity::from_pkcs8(&certs, &key).unwrap(); | ||
|
||
let acceptor = TlsAcceptor::new(pkcs8).unwrap(); | ||
let acceptor = Arc::new(acceptor); | ||
|
||
let listener = TcpListener::bind("0.0.0.0:8443").unwrap(); | ||
|
||
fn handle_client(mut stream: TlsStream<TcpStream>) { | ||
let mut buf = [0; 1024]; | ||
let read = stream.read(&mut buf).unwrap(); | ||
let received = std::str::from_utf8(&buf[0..read]).unwrap(); | ||
stream.write_all(format!("received '{}'", received).as_bytes()).unwrap(); | ||
} | ||
|
||
for stream in listener.incoming() { | ||
match stream { | ||
Ok(stream) => { | ||
let acceptor = acceptor.clone(); | ||
thread::spawn(move || { | ||
let stream = acceptor.accept(stream).unwrap(); | ||
handle_client(stream); | ||
}); | ||
} | ||
Err(_e) => { /* connection failed */ } | ||
} | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,9 @@ | ||
extern crate schannel; | ||
|
||
use self::schannel::cert_context::{CertContext, HashAlgorithm}; | ||
use self::schannel::cert_context::{CertContext, HashAlgorithm, KeySpec}; | ||
use self::schannel::cert_store::{CertAdd, CertStore, Memory, PfxImportOptions}; | ||
use self::schannel::schannel_cred::{Direction, Protocol, SchannelCred}; | ||
use self::schannel::crypt_prov::{AcquireOptions, ProviderType}; | ||
use self::schannel::tls_stream; | ||
use std::error; | ||
use std::fmt; | ||
|
@@ -96,6 +97,38 @@ impl Identity { | |
|
||
Ok(Identity { cert: identity }) | ||
} | ||
|
||
pub fn from_pkcs8(pem: &[u8], key: &[u8]) -> Result<Identity, Error> { | ||
let mut store = Memory::new()?.into_store(); | ||
let mut cert_iter = pem::PemBlock::new(pem).into_iter(); | ||
let leaf = cert_iter.next().expect("at least one certificate must be provided to create an identity"); | ||
let cert = CertContext::from_pem(std::str::from_utf8(leaf).map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "leaf cert contains invalid utf8"))?)?; | ||
|
||
let mut options = AcquireOptions::new(); | ||
options.container("schannel"); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I seem to remember there being problems on windows if the same container name is used multiple times. Probably worth a test that parses a couple of identities to confirm. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is the test case that caused issues on my previous attempt: b0b9164 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think this test still needs to be added. |
||
let type_ = ProviderType::rsa_full(); | ||
|
||
let mut container = match options.acquire(type_) { | ||
Ok(container) => container, | ||
Err(_) => options.new_keyset(true).acquire(type_)?, | ||
}; | ||
container.import() | ||
.import_pkcs8_pem(&key)?; | ||
|
||
cert.set_key_prov_info() | ||
.container("schannel") | ||
.type_(type_) | ||
.keep_open(true) | ||
.key_spec(KeySpec::key_exchange()) | ||
.set()?; | ||
let mut context = store.add_cert(&cert, CertAdd::Always)?; | ||
|
||
for int_cert in cert_iter { | ||
let certificate = Certificate::from_pem(int_cert)?; | ||
context = store.add_cert(&certificate.0, schannel::cert_store::CertAdd::Always)?; | ||
} | ||
Ok(Identity{cert: context}) | ||
} | ||
} | ||
|
||
#[derive(Clone)] | ||
|
@@ -345,3 +378,84 @@ impl<S: io::Read + io::Write> io::Write for TlsStream<S> { | |
self.0.flush() | ||
} | ||
} | ||
|
||
|
||
mod pem { | ||
/// Split data by PEM guard lines | ||
pub struct PemBlock<'a> { | ||
pem_block: &'a str, | ||
cur_end: usize, | ||
} | ||
|
||
impl<'a> PemBlock<'a> { | ||
pub fn new(data: &'a [u8]) -> PemBlock<'a> { | ||
let s = ::std::str::from_utf8(data).unwrap(); | ||
PemBlock { | ||
pem_block: s, | ||
cur_end: s.find("-----BEGIN").unwrap_or(s.len()), | ||
} | ||
} | ||
} | ||
|
||
impl<'a> Iterator for PemBlock<'a> { | ||
type Item = &'a [u8]; | ||
fn next(&mut self) -> Option<Self::Item> { | ||
let last = self.pem_block.len(); | ||
if self.cur_end >= last { | ||
return None; | ||
} | ||
let begin = self.cur_end; | ||
let pos = self.pem_block[begin + 1..].find("-----BEGIN"); | ||
self.cur_end = match pos { | ||
Some(end) => end + begin + 1, | ||
None => last, | ||
}; | ||
return Some(&self.pem_block[begin..self.cur_end].as_bytes()); | ||
} | ||
} | ||
|
||
#[test] | ||
fn test_split() { | ||
// Split three certs, CRLF line terminators. | ||
assert_eq!(PemBlock::new(b"-----BEGIN FIRST-----\r\n-----END FIRST-----\r\n\ | ||
-----BEGIN SECOND-----\r\n-----END SECOND\r\n\ | ||
-----BEGIN THIRD-----\r\n-----END THIRD\r\n").collect::<Vec<&[u8]>>(), | ||
vec![b"-----BEGIN FIRST-----\r\n-----END FIRST-----\r\n" as &[u8], | ||
b"-----BEGIN SECOND-----\r\n-----END SECOND\r\n", | ||
b"-----BEGIN THIRD-----\r\n-----END THIRD\r\n"]); | ||
// Split three certs, CRLF line terminators except at EOF. | ||
assert_eq!(PemBlock::new(b"-----BEGIN FIRST-----\r\n-----END FIRST-----\r\n\ | ||
-----BEGIN SECOND-----\r\n-----END SECOND-----\r\n\ | ||
-----BEGIN THIRD-----\r\n-----END THIRD-----").collect::<Vec<&[u8]>>(), | ||
vec![b"-----BEGIN FIRST-----\r\n-----END FIRST-----\r\n" as &[u8], | ||
b"-----BEGIN SECOND-----\r\n-----END SECOND-----\r\n", | ||
b"-----BEGIN THIRD-----\r\n-----END THIRD-----"]); | ||
// Split two certs, LF line terminators. | ||
assert_eq!(PemBlock::new(b"-----BEGIN FIRST-----\n-----END FIRST-----\n\ | ||
-----BEGIN SECOND-----\n-----END SECOND\n").collect::<Vec<&[u8]>>(), | ||
vec![b"-----BEGIN FIRST-----\n-----END FIRST-----\n" as &[u8], | ||
b"-----BEGIN SECOND-----\n-----END SECOND\n"]); | ||
// Split two certs, CR line terminators. | ||
assert_eq!(PemBlock::new(b"-----BEGIN FIRST-----\r-----END FIRST-----\r\ | ||
-----BEGIN SECOND-----\r-----END SECOND\r").collect::<Vec<&[u8]>>(), | ||
vec![b"-----BEGIN FIRST-----\r-----END FIRST-----\r" as &[u8], | ||
b"-----BEGIN SECOND-----\r-----END SECOND\r"]); | ||
// Split two certs, LF line terminators except at EOF. | ||
assert_eq!(PemBlock::new(b"-----BEGIN FIRST-----\n-----END FIRST-----\n\ | ||
-----BEGIN SECOND-----\n-----END SECOND").collect::<Vec<&[u8]>>(), | ||
vec![b"-----BEGIN FIRST-----\n-----END FIRST-----\n" as &[u8], | ||
b"-----BEGIN SECOND-----\n-----END SECOND"]); | ||
// Split a single cert, LF line terminators. | ||
assert_eq!(PemBlock::new(b"-----BEGIN FIRST-----\n-----END FIRST-----\n").collect::<Vec<&[u8]>>(), | ||
vec![b"-----BEGIN FIRST-----\n-----END FIRST-----\n" as &[u8]]); | ||
// Split a single cert, LF line terminators except at EOF. | ||
assert_eq!(PemBlock::new(b"-----BEGIN FIRST-----\n-----END FIRST-----").collect::<Vec<&[u8]>>(), | ||
vec![b"-----BEGIN FIRST-----\n-----END FIRST-----" as &[u8]]); | ||
// (Don't) split garbage. | ||
assert_eq!(PemBlock::new(b"junk").collect::<Vec<&[u8]>>(), | ||
Vec::<&[u8]>::new()); | ||
assert_eq!(PemBlock::new(b"junk-----BEGIN garbage").collect::<Vec<&[u8]>>(), | ||
vec![b"-----BEGIN garbage" as &[u8]]); | ||
} | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do not believe this change is correct: 05fb5e5
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is from https://www.openssl.org/docs/manmaster/man3/SSL_CTX_add_extra_chain_cert.html , though looking at https://www.openssl.org/docs/manmaster/man3/PKCS12_parse.html I don't see any documentation about ordering restrictions for
PKCS12_parse
.Edit: Looking again I think you might mean that the return certs from
PKCS12_parse
are in the opposite order, which seems awkward. Either thefrom_pkcs12
method or thefrom_pkcs8
method will need to reverse the certificate chain before creating theIdentity
if that is the case.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There really needs to be a cross-platform test for this behavior.