@@ -51,7 +51,7 @@ To accept connections as a server from remote clients:
|
||||
```rust,no_run
|
||||
extern crate native_tls;
|
||||
|
||||
use native_tls::{Pkcs12, TlsAcceptor, TlsStream};
|
||||
use native_tls::{Identity, TlsAcceptor, TlsStream};
|
||||
use std::fs::File;
|
||||
use std::io::{Read};
|
||||
use std::net::{TcpListener, TcpStream};
|
||||
@@ -60,11 +60,11 @@ use std::thread;
|
||||
|
||||
fn main() {
|
||||
let mut file = File::open("identity.pfx").unwrap();
|
||||
let mut pkcs12 = vec![];
|
||||
file.read_to_end(&mut pkcs12).unwrap();
|
||||
let pkcs12 = Pkcs12::from_der(&pkcs12, "hunter2").unwrap();
|
||||
let mut identity = vec![];
|
||||
file.read_to_end(&mut identity).unwrap();
|
||||
let identity = Identity::from_pkcs12(&identity, "hunter2").unwrap();
|
||||
|
||||
let acceptor = TlsAcceptor::builder(pkcs12).unwrap().build().unwrap();
|
||||
let acceptor = TlsAcceptor::builder(identity).unwrap().build().unwrap();
|
||||
let acceptor = Arc::new(acceptor);
|
||||
|
||||
let listener = TcpListener::bind("0.0.0.0:8443").unwrap();
|
||||
|
||||
@@ -1,14 +1,12 @@
|
||||
use std::env;
|
||||
|
||||
fn main() {
|
||||
let no_ssl_mask = if let Ok(version) = env::var("DEP_OPENSSL_VERSION_NUMBER") {
|
||||
let version = u64::from_str_radix(&version, 16).unwrap();
|
||||
version < 0x1_00_02_00_0
|
||||
} else {
|
||||
true
|
||||
};
|
||||
let openssl_version = env::var("DEP_OPENSSL_VERSION_NUMBER")
|
||||
.ok()
|
||||
.map(|s| u64::from_str_radix(&s, 16).unwrap());
|
||||
|
||||
if no_ssl_mask {
|
||||
println!("cargo:rustc-cfg=no_ssl_mask");
|
||||
match openssl_version {
|
||||
Some(version) if version >= 0x1_00_02_00_0 => println!("cargo:rustc-cfg=have_no_ssl_mask"),
|
||||
_ => {}
|
||||
}
|
||||
}
|
||||
|
||||
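Review bot: `u64::from_str_radix(&s, 16).unwrap()` inside the `.map` closure aborts the build script with a bare parse-error message if `DEP_OPENSSL_VERSION_NUMBER` holds anything unexpected, which tells the person building the crate nothing about which variable was at fault; at minimum name it, `.map(|s| u64::from_str_radix(&s, 16).expect("DEP_OPENSSL_VERSION_NUMBER is not a hex number"))`. The `match` with an empty `_ => {}` arm reads more directly as `if openssl_version.map_or(false, |v| v >= 0x1_00_02_00_0) { println!("cargo:rustc-cfg=have_no_ssl_mask"); }`. The threshold deserves a comment, since `0x1_00_02_00_0` is only meaningful to someone who knows OpenSSL's version-number layout: `// OpenSSL 1.0.2 in OPENSSL_VERSION_NUMBER form; SslOptions::NO_SSL_MASK is available from this release on`.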
@@ -1,6 +1,6 @@
|
||||
extern crate native_tls;
|
||||
|
||||
use native_tls::{Pkcs12, TlsAcceptor, TlsStream};
|
||||
use native_tls::{Identity, TlsAcceptor, TlsStream};
|
||||
use std::fs::File;
|
||||
use std::io::Read;
|
||||
use std::net::{TcpListener, TcpStream};
|
||||
@@ -11,7 +11,7 @@ fn main() {
|
||||
let mut file = File::open("identity.pfx").unwrap();
|
||||
let mut pkcs12 = vec![];
|
||||
file.read_to_end(&mut pkcs12).unwrap();
|
||||
let pkcs12 = Pkcs12::from_der(&pkcs12, "hunter2").unwrap();
|
||||
let pkcs12 = Identity::from_pkcs12(&pkcs12, "hunter2").unwrap();
|
||||
|
||||
let acceptor = TlsAcceptor::builder(pkcs12).unwrap().build().unwrap();
|
||||
let acceptor = Arc::new(acceptor);
|
||||
|
||||
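Review bot: `let pkcs12 = Identity::from_pkcs12(&pkcs12, "hunter2").unwrap();` keeps the old variable name for a value that is now an `Identity`, while the README and the lib.rs doc example in this same commit rename both the buffer and the value to `identity`; the example should match them, `let mut identity = vec![]; file.read_to_end(&mut identity).unwrap(); let identity = Identity::from_pkcs12(&identity, "hunter2").unwrap();` with `TlsAcceptor::builder(identity)` below. A one-line comment above the literal, `// the PKCS #12 password protects the private key; load it from configuration in real code`, would keep readers from copying the demo shape verbatim. `main` continues outside the hunk.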
@@ -1,10 +0,0 @@
|
||||
//! TLS backend-specific functionality.
|
||||
|
||||
#[cfg(any(target_os = "macos", target_os = "ios"))]
|
||||
pub mod security_framework;
|
||||
|
||||
#[cfg(target_os = "windows")]
|
||||
pub mod schannel;
|
||||
|
||||
#[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
|
||||
pub mod openssl;
|
||||
@@ -1,4 +0,0 @@
|
||||
//! OpenSSL-specific functionality.
|
||||
|
||||
pub use imp::ErrorExt;
|
||||
pub use imp::{TlsAcceptorBuilderExt, TlsConnectorBuilderExt, TlsStreamExt};
|
||||
@@ -1,5 +0,0 @@
|
||||
//! SChannel-specific functionality.
|
||||
|
||||
pub use imp::CertificateExt;
|
||||
pub use imp::ErrorExt;
|
||||
pub use imp::TlsStreamExt;
|
||||
@@ -1,5 +0,0 @@
|
||||
//! Security Framework-specific functionality.
|
||||
|
||||
pub use imp::ErrorExt;
|
||||
pub use imp::TlsConnectorBuilderExt;
|
||||
pub use imp::TlsStreamExt;
|
||||
+20
-107
@@ -1,10 +1,11 @@
|
||||
extern crate openssl;
|
||||
|
||||
use self::openssl::error::ErrorStack;
|
||||
use self::openssl::pkcs12;
|
||||
use self::openssl::ssl::{self, MidHandshakeSslStream, SslAcceptor, SslAcceptorBuilder,
|
||||
SslConnector, SslConnectorBuilder, SslContextBuilder, SslMethod,
|
||||
SslOptions, SslVerifyMode};
|
||||
use self::openssl::pkcs12::{ParsedPkcs12, Pkcs12};
|
||||
use self::openssl::ssl::{
|
||||
self, MidHandshakeSslStream, SslAcceptor, SslAcceptorBuilder, SslConnector,
|
||||
SslConnectorBuilder, SslContextBuilder, SslMethod, SslOptions, SslVerifyMode,
|
||||
};
|
||||
use self::openssl::x509::X509;
|
||||
use std::error;
|
||||
use std::fmt;
|
||||
@@ -13,10 +14,10 @@ use std::io;
|
||||
use Protocol;
|
||||
|
||||
fn supported_protocols(protocols: &[Protocol], ctx: &mut SslContextBuilder) {
|
||||
#[cfg(no_ssl_mask)]
|
||||
#[cfg(not(have_no_ssl_mask))]
|
||||
let no_ssl_mask = SslOptions::NO_SSLV2 | SslOptions::NO_SSLV3 | SslOptions::NO_TLSV1
|
||||
| SslOptions::NO_TLSV1_1 | SslOptions::NO_TLSV1_2;
|
||||
#[cfg(not(no_ssl_mask))]
|
||||
#[cfg(have_no_ssl_mask)]
|
||||
let no_ssl_mask = SslOptions::NO_SSL_MASK;
|
||||
|
||||
ctx.clear_options(no_ssl_mask);
|
||||
@@ -70,13 +71,13 @@ impl From<ErrorStack> for Error {
|
||||
}
|
||||
}
|
||||
|
||||
pub struct Pkcs12(pkcs12::ParsedPkcs12);
|
||||
pub struct Identity(ParsedPkcs12);
|
||||
|
||||
impl Pkcs12 {
|
||||
pub fn from_der(buf: &[u8], pass: &str) -> Result<Pkcs12, Error> {
|
||||
let pkcs12 = pkcs12::Pkcs12::from_der(buf)?;
|
||||
impl Identity {
|
||||
pub fn from_pkcs12(buf: &[u8], pass: &str) -> Result<Identity, Error> {
|
||||
let pkcs12 = Pkcs12::from_der(buf)?;
|
||||
let parsed = pkcs12.parse(pass)?;
|
||||
Ok(Pkcs12(parsed))
|
||||
Ok(Identity(parsed))
|
||||
}
|
||||
}
|
||||
|
||||
@@ -158,12 +159,12 @@ pub struct TlsConnectorBuilder {
|
||||
}
|
||||
|
||||
impl TlsConnectorBuilder {
|
||||
pub fn identity(&mut self, pkcs12: Pkcs12) -> Result<(), Error> {
|
||||
pub fn identity(&mut self, identity: Identity) -> Result<(), Error> {
|
||||
// FIXME clear chain certs to clean up if called multiple times
|
||||
self.connector.set_certificate(&pkcs12.0.cert)?;
|
||||
self.connector.set_private_key(&pkcs12.0.pkey)?;
|
||||
self.connector.set_certificate(&identity.0.cert)?;
|
||||
self.connector.set_private_key(&identity.0.pkey)?;
|
||||
self.connector.check_private_key()?;
|
||||
if let Some(chain) = pkcs12.0.chain {
|
||||
if let Some(chain) = identity.0.chain {
|
||||
for cert in chain {
|
||||
self.connector.add_extra_chain_cert(cert)?;
|
||||
}
|
||||
@@ -238,37 +239,6 @@ impl TlsConnector {
|
||||
}
|
||||
}
|
||||
|
||||
/// OpenSSL-specific extensions to `TlsConnectorBuilder`.
|
||||
pub trait TlsConnectorBuilderExt {
|
||||
/// Initialize `TlsAcceptorBuilderExt` from an `SslAcceptorBuilder`.
|
||||
fn from_openssl(builder: SslConnectorBuilder) -> Self;
|
||||
|
||||
/// Returns a shared reference to the inner `SslConnectorBuilder`.
|
||||
fn builder(&self) -> &SslConnectorBuilder;
|
||||
|
||||
/// Returns a mutable reference to the inner `SslConnectorBuilder`.
|
||||
fn builder_mut(&mut self) -> &mut SslConnectorBuilder;
|
||||
}
|
||||
|
||||
impl TlsConnectorBuilderExt for ::TlsConnectorBuilder {
|
||||
fn from_openssl(builder: SslConnectorBuilder) -> ::TlsConnectorBuilder {
|
||||
::TlsConnectorBuilder(TlsConnectorBuilder {
|
||||
connector: builder,
|
||||
use_sni: true,
|
||||
accept_invalid_hostnames: false,
|
||||
accept_invalid_certs: false,
|
||||
})
|
||||
}
|
||||
|
||||
fn builder(&self) -> &SslConnectorBuilder {
|
||||
&(self.0).connector
|
||||
}
|
||||
|
||||
fn builder_mut(&mut self) -> &mut SslConnectorBuilder {
|
||||
&mut (self.0).connector
|
||||
}
|
||||
}
|
||||
|
||||
pub struct TlsAcceptorBuilder(SslAcceptorBuilder);
|
||||
|
||||
impl TlsAcceptorBuilder {
|
||||
@@ -286,11 +256,11 @@ impl TlsAcceptorBuilder {
|
||||
pub struct TlsAcceptor(SslAcceptor);
|
||||
|
||||
impl TlsAcceptor {
|
||||
pub fn builder(pkcs12: Pkcs12) -> Result<TlsAcceptorBuilder, Error> {
|
||||
pub fn builder(identity: Identity) -> Result<TlsAcceptorBuilder, Error> {
|
||||
let mut builder = SslAcceptor::mozilla_intermediate(SslMethod::tls())?;
|
||||
builder.set_private_key(&pkcs12.0.pkey)?;
|
||||
builder.set_certificate(&pkcs12.0.cert)?;
|
||||
if let Some(chain) = pkcs12.0.chain {
|
||||
builder.set_private_key(&identity.0.pkey)?;
|
||||
builder.set_certificate(&identity.0.cert)?;
|
||||
if let Some(chain) = identity.0.chain {
|
||||
for cert in chain {
|
||||
builder.add_extra_chain_cert(cert)?;
|
||||
}
|
||||
@@ -307,32 +277,6 @@ impl TlsAcceptor {
|
||||
}
|
||||
}
|
||||
|
||||
/// OpenSSL-specific extensions to `TlsAcceptorBuilder`.
|
||||
pub trait TlsAcceptorBuilderExt {
|
||||
/// Initialize `TlsAcceptorBuilderExt` from an `SslAcceptorBuilder`.
|
||||
fn from_openssl(builder: SslAcceptorBuilder) -> Self;
|
||||
|
||||
/// Returns a shared reference to the inner `SslAcceptorBuilder`.
|
||||
fn builder(&self) -> &SslAcceptorBuilder;
|
||||
|
||||
/// Returns a mutable reference to the inner `SslAcceptorBuilder`.
|
||||
fn builder_mut(&mut self) -> &mut SslAcceptorBuilder;
|
||||
}
|
||||
|
||||
impl TlsAcceptorBuilderExt for ::TlsAcceptorBuilder {
|
||||
fn from_openssl(builder: SslAcceptorBuilder) -> ::TlsAcceptorBuilder {
|
||||
::TlsAcceptorBuilder(TlsAcceptorBuilder(builder))
|
||||
}
|
||||
|
||||
fn builder(&self) -> &SslAcceptorBuilder {
|
||||
&(self.0).0
|
||||
}
|
||||
|
||||
fn builder_mut(&mut self) -> &mut SslAcceptorBuilder {
|
||||
&mut (self.0).0
|
||||
}
|
||||
}
|
||||
|
||||
pub struct TlsStream<S>(ssl::SslStream<S>);
|
||||
|
||||
impl<S: fmt::Debug> fmt::Debug for TlsStream<S> {
|
||||
@@ -379,34 +323,3 @@ impl<S: io::Read + io::Write> io::Write for TlsStream<S> {
|
||||
self.0.flush()
|
||||
}
|
||||
}
|
||||
|
||||
/// OpenSSL-specific extensions to `TlsStream`.
|
||||
pub trait TlsStreamExt<S> {
|
||||
/// Returns a shared reference to the OpenSSL `SslStream`.
|
||||
fn raw_stream(&self) -> &ssl::SslStream<S>;
|
||||
|
||||
/// Returns a mutable reference to the OpenSSL `SslStream`.
|
||||
fn raw_stream_mut(&mut self) -> &mut ssl::SslStream<S>;
|
||||
}
|
||||
|
||||
impl<S> TlsStreamExt<S> for ::TlsStream<S> {
|
||||
fn raw_stream(&self) -> &ssl::SslStream<S> {
|
||||
&(self.0).0
|
||||
}
|
||||
|
||||
fn raw_stream_mut(&mut self) -> &mut ssl::SslStream<S> {
|
||||
&mut (self.0).0
|
||||
}
|
||||
}
|
||||
|
||||
/// OpenSSL-specific extensions to `Error`
|
||||
pub trait ErrorExt {
|
||||
/// Extract the underlying OpenSSL error for inspection.
|
||||
fn openssl_error(&self) -> &ssl::Error;
|
||||
}
|
||||
|
||||
impl ErrorExt for ::Error {
|
||||
fn openssl_error(&self) -> &ssl::Error {
|
||||
&(self.0).0
|
||||
}
|
||||
}
|
||||
|
||||
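Review bot: `TlsAcceptor::builder` installs `identity.0.pkey` and `identity.0.cert` but never calls `check_private_key()`, so an archive whose key does not match its certificate is accepted by the builder and only fails later, at the first client handshake; `TlsConnectorBuilder::identity` in this file does call `self.connector.check_private_key()?` after setting both, and the acceptor path should mirror it with `builder.check_private_key()?;` directly after `builder.set_certificate(&identity.0.cert)?;`. In `supported_protocols`, the `#[cfg(not(have_no_ssl_mask))]` branch is now also what a build gets when build.rs cannot read `DEP_OPENSSL_VERSION_NUMBER` at all, and the hand-built mask stops at `SslOptions::NO_TLSV1_2`; if that fallback ever ran against a library with protocols above TLS 1.2, `clear_options(no_ssl_mask)` would not touch them, which is worth stating in a comment on the fallback, e.g. `// fallback for OpenSSL < 1.0.2 (or unknown version): covers SSLv2 through TLS 1.2 only`. The bodies of `supported_protocols` and `TlsAcceptor::builder` continue outside their hunks.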
+8
-51
@@ -51,12 +51,12 @@ impl From<io::Error> for Error {
|
||||
}
|
||||
}
|
||||
|
||||
pub struct Pkcs12 {
|
||||
pub struct Identity {
|
||||
cert: CertContext,
|
||||
}
|
||||
|
||||
impl Pkcs12 {
|
||||
pub fn from_der(buf: &[u8], pass: &str) -> Result<Pkcs12, Error> {
|
||||
impl Identity {
|
||||
pub fn from_pkcs12(buf: &[u8], pass: &str) -> Result<Identity, Error> {
|
||||
let store = PfxImportOptions::new().password(pass).import(buf)?;
|
||||
let mut identity = None;
|
||||
|
||||
@@ -82,7 +82,7 @@ impl Pkcs12 {
|
||||
}
|
||||
};
|
||||
|
||||
Ok(Pkcs12 { cert: identity })
|
||||
Ok(Identity { cert: identity })
|
||||
}
|
||||
}
|
||||
|
||||
@@ -164,8 +164,8 @@ impl<S> From<io::Error> for HandshakeError<S> {
|
||||
pub struct TlsConnectorBuilder(TlsConnector);
|
||||
|
||||
impl TlsConnectorBuilder {
|
||||
pub fn identity(&mut self, pkcs12: Pkcs12) -> Result<(), Error> {
|
||||
self.0.cert = Some(pkcs12.cert);
|
||||
pub fn identity(&mut self, identity: Identity) -> Result<(), Error> {
|
||||
self.0.cert = Some(identity.cert);
|
||||
Ok(())
|
||||
}
|
||||
|
||||
@@ -264,9 +264,9 @@ pub struct TlsAcceptor {
|
||||
}
|
||||
|
||||
impl TlsAcceptor {
|
||||
pub fn builder(pkcs12: Pkcs12) -> Result<TlsAcceptorBuilder, Error> {
|
||||
pub fn builder(identity: Identity) -> Result<TlsAcceptorBuilder, Error> {
|
||||
Ok(TlsAcceptorBuilder(TlsAcceptor {
|
||||
cert: pkcs12.cert,
|
||||
cert: identity.cert,
|
||||
protocols: vec![Protocol::Tls10, Protocol::Tls11, Protocol::Tls12],
|
||||
}))
|
||||
}
|
||||
@@ -329,46 +329,3 @@ impl<S: io::Read + io::Write> io::Write for TlsStream<S> {
|
||||
self.0.flush()
|
||||
}
|
||||
}
|
||||
|
||||
/// SChannel-specific extensions to `TlsStream`.
|
||||
pub trait TlsStreamExt<S> {
|
||||
/// Returns a shared reference to the SChannel `TlsStream`.
|
||||
fn raw_stream(&self) -> &tls_stream::TlsStream<S>;
|
||||
|
||||
/// Returns a mutable reference to the SChannel `TlsStream`.
|
||||
fn raw_stream_mut(&mut self) -> &mut tls_stream::TlsStream<S>;
|
||||
}
|
||||
|
||||
impl<S> TlsStreamExt<S> for ::TlsStream<S> {
|
||||
fn raw_stream(&self) -> &tls_stream::TlsStream<S> {
|
||||
&(self.0).0
|
||||
}
|
||||
|
||||
fn raw_stream_mut(&mut self) -> &mut tls_stream::TlsStream<S> {
|
||||
&mut (self.0).0
|
||||
}
|
||||
}
|
||||
|
||||
/// SChannel-specific extensions to `Error`
|
||||
pub trait ErrorExt {
|
||||
/// Extract the underlying SChannel error for inspection.
|
||||
fn schannel_error(&self) -> &io::Error;
|
||||
}
|
||||
|
||||
impl ErrorExt for ::Error {
|
||||
fn schannel_error(&self) -> &io::Error {
|
||||
&(self.0).0
|
||||
}
|
||||
}
|
||||
|
||||
/// SChannel-specific extensions to `Certificate`.
|
||||
pub trait CertificateExt {
|
||||
/// builds a native_Tls `Certificate` from an schannel `CertContext`
|
||||
fn from_cert_context(CertContext) -> ::Certificate;
|
||||
}
|
||||
|
||||
impl CertificateExt for ::Certificate {
|
||||
fn from_cert_context(cert: CertContext) -> ::Certificate {
|
||||
::Certificate(Certificate(cert))
|
||||
}
|
||||
}
|
||||
|
||||
@@ -7,8 +7,9 @@ use self::security_framework::base;
|
||||
use self::security_framework::certificate::SecCertificate;
|
||||
use self::security_framework::identity::SecIdentity;
|
||||
use self::security_framework::import_export::{ImportedIdentity, Pkcs12ImportOptions};
|
||||
use self::security_framework::secure_transport::{self, ClientBuilder, SslConnectionType,
|
||||
SslContext, SslProtocol, SslProtocolSide};
|
||||
use self::security_framework::secure_transport::{
|
||||
self, ClientBuilder, SslConnectionType, SslContext, SslProtocol, SslProtocolSide,
|
||||
};
|
||||
use self::security_framework_sys::base::errSecIO;
|
||||
use self::tempfile::TempDir;
|
||||
use std::error;
|
||||
@@ -88,14 +89,14 @@ impl From<base::Error> for Error {
|
||||
}
|
||||
|
||||
#[derive(Clone)]
|
||||
pub struct Pkcs12 {
|
||||
pub struct Identity {
|
||||
identity: SecIdentity,
|
||||
chain: Vec<SecCertificate>,
|
||||
}
|
||||
|
||||
impl Pkcs12 {
|
||||
pub fn from_der(buf: &[u8], pass: &str) -> Result<Pkcs12, Error> {
|
||||
let mut imports = Pkcs12::import_options(buf, pass)?;
|
||||
impl Identity {
|
||||
pub fn from_pkcs12(buf: &[u8], pass: &str) -> Result<Identity, Error> {
|
||||
let mut imports = Identity::import_options(buf, pass)?;
|
||||
let import = imports.pop().unwrap();
|
||||
|
||||
let identity = import
|
||||
@@ -105,7 +106,7 @@ impl Pkcs12 {
|
||||
// FIXME: Compare the certificates for equality using CFEqual
|
||||
let identity_cert = identity.certificate()?.to_der();
|
||||
|
||||
Ok(Pkcs12 {
|
||||
Ok(Identity {
|
||||
identity: identity,
|
||||
chain: import
|
||||
.cert_chain
|
||||
@@ -264,8 +265,8 @@ where
|
||||
pub struct TlsConnectorBuilder(TlsConnector);
|
||||
|
||||
impl TlsConnectorBuilder {
|
||||
pub fn identity(&mut self, pkcs12: Pkcs12) -> Result<(), Error> {
|
||||
self.0.pkcs12 = Some(pkcs12);
|
||||
pub fn identity(&mut self, identity: Identity) -> Result<(), Error> {
|
||||
self.0.identity = Some(identity);
|
||||
Ok(())
|
||||
}
|
||||
|
||||
@@ -298,7 +299,7 @@ impl TlsConnectorBuilder {
|
||||
|
||||
#[derive(Clone)]
|
||||
pub struct TlsConnector {
|
||||
pkcs12: Option<Pkcs12>,
|
||||
identity: Option<Identity>,
|
||||
protocols: Vec<Protocol>,
|
||||
roots: Vec<SecCertificate>,
|
||||
use_sni: bool,
|
||||
@@ -309,7 +310,7 @@ pub struct TlsConnector {
|
||||
impl TlsConnector {
|
||||
pub fn builder() -> Result<TlsConnectorBuilder, Error> {
|
||||
Ok(TlsConnectorBuilder(TlsConnector {
|
||||
pkcs12: None,
|
||||
identity: None,
|
||||
protocols: vec![Protocol::Tlsv10, Protocol::Tlsv11, Protocol::Tlsv12],
|
||||
roots: vec![],
|
||||
use_sni: true,
|
||||
@@ -326,8 +327,8 @@ impl TlsConnector {
|
||||
let (min, max) = protocol_min_max(&self.protocols);
|
||||
builder.protocol_min(min);
|
||||
builder.protocol_max(max);
|
||||
if let Some(pkcs12) = self.pkcs12.as_ref() {
|
||||
builder.identity(&pkcs12.identity, &pkcs12.chain);
|
||||
if let Some(identity) = self.identity.as_ref() {
|
||||
builder.identity(&identity.identity, &identity.chain);
|
||||
}
|
||||
builder.anchor_certificates(&self.roots);
|
||||
builder.use_sni(self.use_sni);
|
||||
@@ -356,14 +357,14 @@ impl TlsAcceptorBuilder {
|
||||
|
||||
#[derive(Clone)]
|
||||
pub struct TlsAcceptor {
|
||||
pkcs12: Pkcs12,
|
||||
identity: Identity,
|
||||
protocols: Vec<Protocol>,
|
||||
}
|
||||
|
||||
impl TlsAcceptor {
|
||||
pub fn builder(pkcs12: Pkcs12) -> Result<TlsAcceptorBuilder, Error> {
|
||||
pub fn builder(identity: Identity) -> Result<TlsAcceptorBuilder, Error> {
|
||||
Ok(TlsAcceptorBuilder(TlsAcceptor {
|
||||
pkcs12: pkcs12,
|
||||
identity,
|
||||
protocols: vec![Protocol::Tlsv10, Protocol::Tlsv11, Protocol::Tlsv12],
|
||||
}))
|
||||
}
|
||||
@@ -377,7 +378,7 @@ impl TlsAcceptor {
|
||||
let (min, max) = protocol_min_max(&self.protocols);
|
||||
ctx.set_protocol_version_min(min)?;
|
||||
ctx.set_protocol_version_max(max)?;
|
||||
ctx.set_certificate(&self.pkcs12.identity, &self.pkcs12.chain)?;
|
||||
ctx.set_certificate(&self.identity.identity, &self.identity.chain)?;
|
||||
match ctx.handshake(stream) {
|
||||
Ok(s) => Ok(TlsStream(s)),
|
||||
Err(e) => Err(e.into()),
|
||||
@@ -427,48 +428,3 @@ impl<S: io::Read + io::Write> io::Write for TlsStream<S> {
|
||||
self.0.flush()
|
||||
}
|
||||
}
|
||||
|
||||
/// Security Framework-specific extensions to `TlsStream`.
|
||||
pub trait TlsStreamExt<S> {
|
||||
/// Returns a shared reference to the Security Framework `SslStream`.
|
||||
fn raw_stream(&self) -> &secure_transport::SslStream<S>;
|
||||
|
||||
/// Returns a mutable reference to the Security Framework `SslStream`.
|
||||
fn raw_stream_mut(&mut self) -> &mut secure_transport::SslStream<S>;
|
||||
}
|
||||
|
||||
impl<S> TlsStreamExt<S> for ::TlsStream<S> {
|
||||
fn raw_stream(&self) -> &secure_transport::SslStream<S> {
|
||||
&(self.0).0
|
||||
}
|
||||
|
||||
fn raw_stream_mut(&mut self) -> &mut secure_transport::SslStream<S> {
|
||||
&mut (self.0).0
|
||||
}
|
||||
}
|
||||
|
||||
/// Security Framework-specific extensions to `TlsConnectorBuilder`.
|
||||
pub trait TlsConnectorBuilderExt {
|
||||
/// Deprecated
|
||||
#[deprecated(since = "0.1.2", note = "use add_root_certificate")]
|
||||
fn anchor_certificates(&mut self, certs: &[SecCertificate]) -> &mut Self;
|
||||
}
|
||||
|
||||
impl TlsConnectorBuilderExt for ::TlsConnectorBuilder {
|
||||
fn anchor_certificates(&mut self, certs: &[SecCertificate]) -> &mut Self {
|
||||
(self.0).0.roots = certs.to_owned();
|
||||
self
|
||||
}
|
||||
}
|
||||
|
||||
/// Security Framework-specific extensions to `Error`
|
||||
pub trait ErrorExt {
|
||||
/// Extract the underlying Security Framework error for inspection.
|
||||
fn security_framework_error(&self) -> &base::Error;
|
||||
}
|
||||
|
||||
impl ErrorExt for ::Error {
|
||||
fn security_framework_error(&self) -> &base::Error {
|
||||
&(self.0).0
|
||||
}
|
||||
}
|
||||
|
||||
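Review bot: `let import = imports.pop().unwrap();` in `Identity::from_pkcs12` panics if `Identity::import_options` returns an empty `Vec`, although the function already returns `Result<Identity, Error>` and is fed externally supplied archive bytes; whether an import can legitimately yield zero identities depends on `import_options`, which is outside the hunk, but an error path such as `let import = imports.pop().ok_or_else(|| /* placeholder: Error for "archive contained no identity" */)?;` removes the panic either way. The `Ok(Identity { identity: identity, ... })` at the `@@ -105` hunk could use the field shorthand `identity,` that `TlsAcceptor::builder` in the `@@ -356` hunk already adopts. `Identity::from_pkcs12` continues outside the hunk.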
+23
-22
@@ -69,7 +69,7 @@
|
||||
//! To accept connections as a server from remote clients:
|
||||
//!
|
||||
//! ```rust,no_run
|
||||
//! use native_tls::{Pkcs12, TlsAcceptor, TlsStream};
|
||||
//! use native_tls::{Identity, TlsAcceptor, TlsStream};
|
||||
//! use std::fs::File;
|
||||
//! use std::io::{Read};
|
||||
//! use std::net::{TcpListener, TcpStream};
|
||||
@@ -77,12 +77,12 @@
|
||||
//! use std::thread;
|
||||
//!
|
||||
//! let mut file = File::open("identity.pfx").unwrap();
|
||||
//! let mut pkcs12 = vec![];
|
||||
//! file.read_to_end(&mut pkcs12).unwrap();
|
||||
//! let pkcs12 = Pkcs12::from_der(&pkcs12, "hunter2").unwrap();
|
||||
//! let mut identity = vec![];
|
||||
//! file.read_to_end(&mut identity).unwrap();
|
||||
//! let identity = Identity::from_pkcs12(&identity, "hunter2").unwrap();
|
||||
//!
|
||||
//! let listener = TcpListener::bind("0.0.0.0:8443").unwrap();
|
||||
//! let acceptor = TlsAcceptor::builder(pkcs12).unwrap().build().unwrap();
|
||||
//! let acceptor = TlsAcceptor::builder(identity).unwrap().build().unwrap();
|
||||
//! let acceptor = Arc::new(acceptor);
|
||||
//!
|
||||
//! fn handle_client(stream: TlsStream<TcpStream>) {
|
||||
@@ -116,8 +116,6 @@ use std::fmt;
|
||||
use std::io;
|
||||
use std::result;
|
||||
|
||||
pub mod backend;
|
||||
|
||||
#[cfg(any(target_os = "macos", target_os = "ios"))]
|
||||
#[path = "imp/security_framework.rs"]
|
||||
mod imp;
|
||||
@@ -165,10 +163,13 @@ impl<T: Into<imp::Error>> From<T> for Error {
|
||||
}
|
||||
}
|
||||
|
||||
/// A PKCS #12 archive.
|
||||
pub struct Pkcs12(imp::Pkcs12);
|
||||
/// A cryptographic identity.
|
||||
///
|
||||
/// An identity is an X509 certificate along with its corresponding private key and chain of certificates to a trusted
|
||||
/// root.
|
||||
pub struct Identity(imp::Identity);
|
||||
|
||||
impl Pkcs12 {
|
||||
impl Identity {
|
||||
/// Parses a DER-formatted PKCS #12 archive, using the specified password to decrypt the key.
|
||||
///
|
||||
/// The archive should contain a leaf certificate and its private key, as well any intermediate
|
||||
@@ -181,9 +182,9 @@ impl Pkcs12 {
|
||||
/// ```bash
|
||||
/// openssl pkcs12 -export -out identity.pfx -inkey key.pem -in cert.pem -certfile chain_certs.pem
|
||||
/// ```
|
||||
pub fn from_der(der: &[u8], password: &str) -> Result<Pkcs12> {
|
||||
let pkcs12 = imp::Pkcs12::from_der(der, password)?;
|
||||
Ok(Pkcs12(pkcs12))
|
||||
pub fn from_pkcs12(der: &[u8], password: &str) -> Result<Identity> {
|
||||
let identity = imp::Identity::from_pkcs12(der, password)?;
|
||||
Ok(Identity(identity))
|
||||
}
|
||||
}
|
||||
|
||||
@@ -330,8 +331,8 @@ pub struct TlsConnectorBuilder(imp::TlsConnectorBuilder);
|
||||
|
||||
impl TlsConnectorBuilder {
|
||||
/// Sets the identity to be used for client certificate authentication.
|
||||
pub fn identity(&mut self, pkcs12: Pkcs12) -> Result<&mut TlsConnectorBuilder> {
|
||||
self.0.identity(pkcs12.0)?;
|
||||
pub fn identity(&mut self, identity: Identity) -> Result<&mut TlsConnectorBuilder> {
|
||||
self.0.identity(identity.0)?;
|
||||
Ok(self)
|
||||
}
|
||||
|
||||
@@ -475,7 +476,7 @@ impl TlsAcceptorBuilder {
|
||||
/// # Examples
|
||||
///
|
||||
/// ```rust,no_run
|
||||
/// use native_tls::{Pkcs12, TlsAcceptor, TlsStream};
|
||||
/// use native_tls::{Identity, TlsAcceptor, TlsStream};
|
||||
/// use std::fs::File;
|
||||
/// use std::io::{Read};
|
||||
/// use std::net::{TcpListener, TcpStream};
|
||||
@@ -483,12 +484,12 @@ impl TlsAcceptorBuilder {
|
||||
/// use std::thread;
|
||||
///
|
||||
/// let mut file = File::open("identity.pfx").unwrap();
|
||||
/// let mut pkcs12 = vec![];
|
||||
/// file.read_to_end(&mut pkcs12).unwrap();
|
||||
/// let pkcs12 = Pkcs12::from_der(&pkcs12, "hunter2").unwrap();
|
||||
/// let mut identity = vec![];
|
||||
/// file.read_to_end(&mut identity).unwrap();
|
||||
/// let identity = Identity::from_pkcs12(&identity, "hunter2").unwrap();
|
||||
///
|
||||
/// let listener = TcpListener::bind("0.0.0.0:8443").unwrap();
|
||||
/// let acceptor = TlsAcceptor::builder(pkcs12).unwrap().build().unwrap();
|
||||
/// let acceptor = TlsAcceptor::builder(identity).unwrap().build().unwrap();
|
||||
/// let acceptor = Arc::new(acceptor);
|
||||
///
|
||||
/// fn handle_client(stream: TlsStream<TcpStream>) {
|
||||
@@ -517,8 +518,8 @@ impl TlsAcceptor {
|
||||
/// This builder is created with a key/certificate pair in the `pkcs12`
|
||||
/// archived passed in. The returned builder will use that key/certificate
|
||||
/// to send to clients which it connects to.
|
||||
pub fn builder(pkcs12: Pkcs12) -> Result<TlsAcceptorBuilder> {
|
||||
let builder = imp::TlsAcceptor::builder(pkcs12.0)?;
|
||||
pub fn builder(identity: Identity) -> Result<TlsAcceptorBuilder> {
|
||||
let builder = imp::TlsAcceptor::builder(identity.0)?;
|
||||
Ok(TlsAcceptorBuilder(builder))
|
||||
}
|
||||
|
||||
|
||||
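Review bot: The doc comment above `TlsAcceptor::builder` is stale after the rename: it still says the builder is created with a key/certificate pair in the `pkcs12` archived passed in, but the parameter is now `identity: Identity` and archive parsing lives in `Identity::from_pkcs12`; suggest replacing the three lines with `/// Creates a builder for a `TlsAcceptor` that presents the key and certificate in `identity` to connecting clients.` (which also fixes "archived" → "archive" if the original wording is kept). The new `/// An identity is an X509 certificate along with ...` line in the `Identity` doc exceeds the 100-column rustfmt default and should be wrapped before `/// root.`. Dropping `pub mod backend;` removes the `*Ext` traits from the public API, so callers that reached the backend types stop compiling; that is worth a changelog entry alongside the rename.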
+16
-16
@@ -54,8 +54,8 @@ mod tests {
|
||||
#[test]
|
||||
fn server() {
|
||||
let buf = include_bytes!("../test/identity.p12");
|
||||
let pkcs12 = p!(Pkcs12::from_der(buf, "mypass"));
|
||||
let builder = p!(TlsAcceptor::builder(pkcs12));
|
||||
let identity = p!(Identity::from_pkcs12(buf, "mypass"));
|
||||
let builder = p!(TlsAcceptor::builder(identity));
|
||||
let builder = p!(builder.build());
|
||||
|
||||
let listener = p!(TcpListener::bind("0.0.0.0:0"));
|
||||
@@ -93,8 +93,8 @@ mod tests {
|
||||
#[cfg(not(target_os = "ios"))]
|
||||
fn server_pem() {
|
||||
let buf = include_bytes!("../test/identity.p12");
|
||||
let pkcs12 = p!(Pkcs12::from_der(buf, "mypass"));
|
||||
let builder = p!(TlsAcceptor::builder(pkcs12));
|
||||
let identity = p!(Identity::from_pkcs12(buf, "mypass"));
|
||||
let builder = p!(TlsAcceptor::builder(identity));
|
||||
let builder = p!(builder.build());
|
||||
|
||||
let listener = p!(TcpListener::bind("0.0.0.0:0"));
|
||||
@@ -131,8 +131,8 @@ mod tests {
|
||||
#[test]
|
||||
fn server_tls11_only() {
|
||||
let buf = include_bytes!("../test/identity.p12");
|
||||
let pkcs12 = p!(Pkcs12::from_der(buf, "mypass"));
|
||||
let mut builder = p!(TlsAcceptor::builder(pkcs12));
|
||||
let identity = p!(Identity::from_pkcs12(buf, "mypass"));
|
||||
let mut builder = p!(TlsAcceptor::builder(identity));
|
||||
p!(builder.supported_protocols(&[Protocol::Tlsv11]));
|
||||
let builder = p!(builder.build());
|
||||
|
||||
@@ -171,8 +171,8 @@ mod tests {
|
||||
#[test]
|
||||
fn server_no_shared_protocol() {
|
||||
let buf = include_bytes!("../test/identity.p12");
|
||||
let pkcs12 = p!(Pkcs12::from_der(buf, "mypass"));
|
||||
let mut builder = p!(TlsAcceptor::builder(pkcs12));
|
||||
let identity = p!(Identity::from_pkcs12(buf, "mypass"));
|
||||
let mut builder = p!(TlsAcceptor::builder(identity));
|
||||
p!(builder.supported_protocols(&[Protocol::Tlsv12]));
|
||||
let builder = p!(builder.build());
|
||||
|
||||
@@ -200,8 +200,8 @@ mod tests {
|
||||
#[test]
|
||||
fn server_untrusted() {
|
||||
let buf = include_bytes!("../test/identity.p12");
|
||||
let pkcs12 = p!(Pkcs12::from_der(buf, "mypass"));
|
||||
let builder = p!(TlsAcceptor::builder(pkcs12));
|
||||
let identity = p!(Identity::from_pkcs12(buf, "mypass"));
|
||||
let builder = p!(TlsAcceptor::builder(identity));
|
||||
let builder = p!(builder.build());
|
||||
|
||||
let listener = p!(TcpListener::bind("0.0.0.0:0"));
|
||||
@@ -225,8 +225,8 @@ mod tests {
|
||||
#[test]
|
||||
fn server_untrusted_unverified() {
|
||||
let buf = include_bytes!("../test/identity.p12");
|
||||
let pkcs12 = p!(Pkcs12::from_der(buf, "mypass"));
|
||||
let builder = p!(TlsAcceptor::builder(pkcs12));
|
||||
let identity = p!(Identity::from_pkcs12(buf, "mypass"));
|
||||
let builder = p!(TlsAcceptor::builder(identity));
|
||||
let builder = p!(builder.build());
|
||||
|
||||
let listener = p!(TcpListener::bind("0.0.0.0:0"));
|
||||
@@ -260,15 +260,15 @@ mod tests {
|
||||
#[test]
|
||||
fn import_same_identity_multiple_times() {
|
||||
let buf = include_bytes!("../test/identity.p12");
|
||||
let _ = p!(Pkcs12::from_der(buf, "mypass"));
|
||||
let _ = p!(Pkcs12::from_der(buf, "mypass"));
|
||||
let _ = p!(Identity::from_pkcs12(buf, "mypass"));
|
||||
let _ = p!(Identity::from_pkcs12(buf, "mypass"));
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn shutdown() {
|
||||
let buf = include_bytes!("../test/identity.p12");
|
||||
let pkcs12 = p!(Pkcs12::from_der(buf, "mypass"));
|
||||
let builder = p!(TlsAcceptor::builder(pkcs12));
|
||||
let identity = p!(Identity::from_pkcs12(buf, "mypass"));
|
||||
let builder = p!(TlsAcceptor::builder(identity));
|
||||
let builder = p!(builder.build());
|
||||
|
||||
let listener = p!(TcpListener::bind("0.0.0.0:0"));
|
||||
|
||||