Implement PKCS8 certificate support for all three backends. #147
Conversation
Goirad
force-pushed
the
pkcs8-squashed
branch
from
bc72aff
to
ab437ba
Compare
| @@ -265,7 +282,10 @@ impl TlsConnector { | |||
| if let Some(ref identity) = builder.identity { | |||
| connector.set_certificate(&identity.0.cert)?; | |||
| connector.set_private_key(&identity.0.pkey)?; | |||
| for cert in identity.0.chain.iter().rev() { | |||
| for cert in identity.0.chain.iter() { | |||
There was a problem hiding this comment.
I do not believe this change is correct: 05fb5e5
There was a problem hiding this comment.
When sending a certificate chain, extra chain certificates are sent in order following the end entity certificate.
This is from https://www.openssl.org/docs/manmaster/man3/SSL_CTX_add_extra_chain_cert.html , though looking at https://www.openssl.org/docs/manmaster/man3/PKCS12_parse.html I don't see any documentation about ordering restrictions for PKCS12_parse.
Edit: Looking again I think you might mean that the return certs from PKCS12_parse are in the opposite order, which seems awkward. Either the from_pkcs12 method or the from_pkcs8 method will need to reverse the certificate chain before creating the Identity if that is the case.
There was a problem hiding this comment.
There really needs to be a cross-platform test for this behavior.
| let cert = CertContext::from_pem(std::str::from_utf8(leaf).map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "leaf cert contains invalid utf8"))?)?; | ||
|
|
||
| let mut options = AcquireOptions::new(); | ||
| options.container("schannel"); |
There was a problem hiding this comment.
I seem to remember there being problems on windows if the same container name is used multiple times. Probably worth a test that parses a couple of identities to confirm.
There was a problem hiding this comment.
This is the test case that caused issues on my previous attempt: b0b9164
There was a problem hiding this comment.
I think this test still needs to be added.
| @@ -265,7 +282,10 @@ impl TlsConnector { | |||
| if let Some(ref identity) = builder.identity { | |||
| connector.set_certificate(&identity.0.cert)?; | |||
| connector.set_private_key(&identity.0.pkey)?; | |||
| for cert in identity.0.chain.iter().rev() { | |||
| for cert in identity.0.chain.iter() { | |||
There was a problem hiding this comment.
There really needs to be a cross-platform test for this behavior.
|
Hey! I'm quite interested in this PR, as it blocks me from the first release of my small app. |
Goirad
force-pushed
the
pkcs8-squashed
branch
from
177d3e8
to
7e9a612
Compare
|
@sfackler it looks like CI is failing due to an issue with the way rustdoc is testing @svartalf I wouldn't mind PR to implement the missing tests described above, the one that sfackler mentioned about reusing the container name or one for checking the certificate ordering. |
src/pem.rs
Outdated
| #![allow(unused)] | ||
|
|
||
| /// Split data by PEM guard lines | ||
| pub struct PemBlock<'a> { |
There was a problem hiding this comment.
Since this is only used by the schannel backend, could you move it into that module?
|
It's probably best to just remove the README test - that feature of rustdoc isn't super robust as the current failure shows. |
Goirad
force-pushed
the
pkcs8-squashed
branch
from
9976b62
to
255dd54
Compare
|
Hey folks, this PR is a bit stale but we'd like to have this functionality for SQLx: launchbadge/sqlx#1166 (comment) If you have a certificate and private key, you have to work around this limitation by first bundling them with PKCS#12 and the only crate in Rust that you can do it with (that I'd trust, anyway) would be the Any chance of getting this updated and merged? |
|
PRs welcomed! :D I think this is (probably?) pretty close to being able to land with a rebase and a couple of bits of feedback resolved. Definitely agree that this will be much easier to work with than PKCS#12. |
|
I could probably find some time to take this to the finish line if @Goirad isn't available. |
|
I don't have time to pick this up again, sorry. Please go ahead and pick it up if you find the time. |
Yeah, we've been doing this because it's unavoidable. But requiring I've squashed and rebased this PR, then updated the tests to use |
|
Opened #209 |
This solves #27 , although rather than removing support for PKCS12 it just adds support for PKCS8.
cc @jethrogb